Different CTF Writeup

 


Different CTF link

Enumeration


Running an nmap scan we can see we have 2 ports open, 21 (FTP) and 80 (HTTP). Let's start off by taking a quick look at the webserver and see what we have.



Looks like we have a WordPress website running, so let's do some exploring and see what's on this site.
Clicking on one of the links tries to redirect us to adana.thm, so let's quickly create an entry for it in our /etc/hosts file so that we can (a) properly view the site and (b) click on any of the links to view the content a little more easily.




On the main page under Meta we have a link that takes us straight to the login page, which is handy. We can also see using Wappalyzer that the page appears to be running WordPress version 5.6; we can look for WordPress exploits for this version soon, but first let's run a quick gobuster scan and see if there's anything hidden.


Taking a quick look at the gobuster results we can see a couple of interesting directories: the first is /announcements/, which we'll definitely need to take a look at, and the second is /phpmyadmin/, which tells us that the backend is running a MySQL server and confirms what Wappalyzer found.


Taking a look at the announcements directory we can see we have 2 files, an image named australian-bulldog-ant.jpg and wordlist.txt. Let's download both files and take a look.


Running exiftool on the image shows Baseline DCT, Huffman coding, so it appears something may be hidden in the image file (strictly speaking, Baseline DCT with Huffman coding is just the standard JPEG encoding, so on its own it isn't proof of hidden data, but an image sitting next to a wordlist is worth checking). Let's run steghide on it and see if we can get anything.


Hmmm, we need the passphrase. We have a wordlist that, when opened, appears to be a bunch of passwords, so let's try using that with stegcracker and see if we can extract whatever is hidden in the image.


Looks like stegcracker was successful in finding the password and extracting the file. Let's take a look at what it found.


Running the file command we can see that it's an ASCII text file, which means we can just run cat on it and get the data out.
Looking at what cat returned, we have what appears to be a base64 string, so let's decode it and see what we get.


Looks like we have some FTP credentials. Let's use these to take a look at what's on the FTP server.


Taking a look at the directory listing, it appears the FTP server is serving the webserver's files.


Initial Access

Let's upload a PHP reverse shell and see if we can get access to the machine.


Looks like our file uploaded, but it only has read/write permissions for the ftp user, which is not going to be the same user running the webserver. Let's see if we can use chmod to change the file permissions so that the webserver can read the file.


Looks like we were able to do that just fine. Now let's see if we can get a reverse shell on the machine.


Looks like that didn't work, so let's see if we can gain access another way. Let's start by downloading the wp-config.php file and see if we can extract the credentials for phpMyAdmin.




And just like that, we have the credentials for logging into phpMyAdmin.
Initially we can see that there seem to be two databases, one named phpmyadmin and the other phpmyadmin1; the wp-config.php file shows that the database in use is phpmyadmin1. We were also unable to reach the reverse shell file we uploaded, so I'd assume that the FTP server is exposing a dev version of the site rather than the prod version.



Navigating to the phpmyadmin database, let's edit the password of the hakanbey01 user so that we can log in.



Clicking edit on the user, then setting the Function dropdown for user_pass to MD5 and entering our new password updates the password hash of the hakanbey01 user (WordPress still accepts a plain MD5 hash in user_pass for legacy compatibility and re-hashes it on the next login), so we should now be able to sign in.


And after signing into /wp-admin with our newly set admin password we have access to the portal.
Looking at the above we can confirm that we are definitely running WordPress 5.6 and that the Twenty Nineteen theme is active.

Let's go and modify the 404 template of the theme so that we can trigger a reverse shell.


Rats, looks like we don't have write access to the theme, and looking at the other two themes we don't have write access to those either. Taking a further look, there doesn't seem to be any way of exploiting this from the admin panel due to the write restrictions, but we do know we can write to the dev environment for WordPress.


Going back into phpMyAdmin and looking at the phpmyadmin1 database, under the wp_options table we can see the siteurl and home entries. Let's add that hostname to our /etc/hosts file and see if we can access the dev environment; hopefully we can also reach the PHP reverse shell we uploaded.



And sure enough, we have access! Now we can go grab that web flag.

PrivEsc



Now that we have access to the machine we need to get to the user account and then root. First let's start off by uploading socat so that we can get a stable shell.


After uploading socat and getting a reverse shell we can now explore the machine. Let's quickly do some manual enumeration and then, if we don't find anything nice and easy, we'll upload linpeas and see if we can get a quick win.

And nothing: manual enumeration and linpeas didn't reveal anything of any help.
Looking back at what we know, the FTP password started with 123adana and so did the stego password, so it's possible that hakanbey's password also starts with this. We can test this using the wordlist we downloaded and sucrack, but first we should prepend 123adana to every word in the wordlist.


Now that we have a password list together, let's download sucrack and see if we can hopefully get a password for hakanbey.


After transferring the sucrack .deb file and the password list we made, we just need to install/extract sucrack using dpkg-deb -x and then we should be up and running.


The command I used to run sucrack is slightly cut off, but whilst still in the /var/tmp directory I ran ./sucrack/usr/bin/sucrack -a -w 20 -s 10 -u hakanbey ./passlist.txt. Just for clarification around the command: -a will give you the pretty ASCII view so you can keep track of how far sucrack is through its testing, -w sets how many workers sucrack uses (I chose 20; you could probably use more), -s sets the interval in seconds at which sucrack updates the ASCII view, and -u is obviously the user.

I'd highly recommend you don't try to run sucrack without at least setting -w, otherwise you'll be waiting hours due to only 1 worker being active.
Also, another side note: using -a did break socat for me. I could no longer see what I was typing but could see the response back from the terminal, so I decided to close socat and rerun it to fix this.
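The su brute-force above is noisy on the defending side: every attempt su makes lands in /var/log/auth.log as a FAILED SU line, and a multi-worker run produces dozens per second. As an added example (not part of the original writeup), the script below flags bursts of failures from one account to another and notes whether a successful su followed; the log lines and the year used for parsing are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample /var/log/auth.log lines (not from the box): a burst of
# failed su attempts from the web-server account against one user, the
# pattern a multi-worker su brute-force produces, followed by a success.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 adana su[2231]: FAILED SU (to=hakanbey) www-data on pts/0
Mar  3 10:15:01 adana su[2232]: FAILED SU (to=hakanbey) www-data on pts/0
Mar  3 10:15:02 adana su[2233]: FAILED SU (to=hakanbey) www-data on pts/0
Mar  3 10:15:02 adana su[2234]: FAILED SU (to=hakanbey) www-data on pts/0
Mar  3 10:15:03 adana su[2235]: FAILED SU (to=hakanbey) www-data on pts/0
Mar  3 10:15:03 adana su[2236]: FAILED SU (to=hakanbey) www-data on pts/0
Mar  3 10:15:09 adana su[2240]: + /dev/pts/0 www-data:hakanbey
Mar  3 11:40:12 adana su[3102]: FAILED SU (to=root) hakanbey on pts/1
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su\[\d+\]: "
FAILED_RE = re.compile(SYSLOG_PREFIX + r"FAILED SU \(to=(?P<target>[^)]+)\) (?P<source>\S+) on \S+$")
SUCCESS_RE = re.compile(SYSLOG_PREFIX + r"\+ \S+ (?P<source>[^:]+):(?P<target>\S+)$")

def _parse_ts(ts, year=2021):
    # syslog timestamps carry no year; 2021 is an assumption for the sample
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_su_bruteforce(log_text, threshold=5, window_s=60):
    """Return (source, target, total failures, success_after) for every
    source->target pair with >= threshold FAILED SU lines inside window_s."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if m := FAILED_RE.match(line):
            failures[(m["source"], m["target"])].append(_parse_ts(m["ts"]))
        elif m := SUCCESS_RE.match(line):
            successes[(m["source"], m["target"])].append(_parse_ts(m["ts"]))
    alerts = []
    for key, times in failures.items():
        times.sort()
        start, burst = 0, 0
        for end, t in enumerate(times):            # sliding time window
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            success_after = any(s >= times[-1] for s in successes[key])
            alerts.append((key[0], key[1], len(times), success_after))
    return alerts

if __name__ == "__main__":
    for src, dst, n, won in detect_su_bruteforce(SAMPLE_AUTH_LOG):
        print(f"ALERT: {n} failed su {src}->{dst}; succeeded afterwards: {won}")
```

A single failure from hakanbey to root stays below the threshold, so only the www-data burst is reported.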


Now we can go ahead and switch to the hakanbey user with the new password and grab the user flag!



Taking a look at sudo -l revealed only that we can't run sudo, which is fine. Looking further at SUID files we can see an interesting one, /usr/bin/binary, and a closer look reveals that not only does it have the SUID bit set but it is also writable by us, which is interesting.
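A writable SUID binary is exactly the kind of finding a host-hardening check should surface before anyone else does. The audit script below is added here as an illustration and is not from the writeup or from linpeas: assess_suid works on a plain stat mode value so it can be checked offline, and scan_suid walks a directory with it.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    owner_uid: int
    world_writable: bool
    group_writable: bool


def assess_suid(path, mode, owner_uid):
    """Return a Finding if 'mode' describes a regular file with the SUID bit
    set that is writable by group or others (so anyone besides the owner can
    replace the code that runs as the owner); otherwise return None."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    group_w = bool(mode & stat.S_IWGRP)
    world_w = bool(mode & stat.S_IWOTH)
    if not (group_w or world_w):
        return None
    return Finding(path, owner_uid, world_w, group_w)


def scan_suid(root):
    """Walk 'root' without following symlinks and collect writable SUID files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)          # lstat: never trust a symlink target
            except OSError:
                continue                     # unreadable entry, skip it
            finding = assess_suid(full, st.st_mode, st.st_uid)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_suid("/usr/bin"):
        scope = "world" if f.world_writable else "group"
        print(f"{f.path}: {scope}-writable SUID binary owned by uid {f.owner_uid}")
```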


Looking at the binary with strings, it seems to expect a string to be entered, and if that string is correct we get a hint and possibly an image file copied to our home directory.
Let's look at the file with ltrace and see what it's doing when we run it.


Watching the binary run under ltrace we can see it concatenating some strings together; entering the resulting string, we can see it opens /root/hint.txt. Let's run the binary without ltrace and enter the correct string.


Looks like it worked, and we have a hint here. Let's try following the hint and see what we get; we'll also take a quick look at the image file left in the hakanbey home directory.


Downloading the image to our machine and taking a look at it with exiftool, it seems we have another file with steganography. I'd assume that the hint will get us the password for the file, so let's see where we get with that.

Taking a look at the file in hexedit and finding the line given in the hint, we can copy that into CyberChef and convert it. I took a look at the hint on the flag submission for this one as I don't think there's any way to get what you're meant to convert it to otherwise.


Converting it from hex to Base85 gives what looks like credentials for root; let's try them and see if we can get into the root account.



Looks like it worked, now we can go and grab the root flag!






