CTF Walkthrough: Waldo
Introduction
The following writeup shows the process I used to capture the user and root flags on waldo machine at @ 10.10.10.87
This document contains my field notes I took when I was working through the box.
Weakness
- LFI
- GetCap and SetCap
Contents
- Target OS: Linux
- Services: SSH; HTTP
- IP address: 10.10.10.87
- Difficulty: Medium
My way of thinking
The first step consists of the reconnaissance phase as ports scanning, banner grabbing, misconfigurations and so on. The second one to find the weakness, then, the attack itself, finally the privileges escalation called “post exploitation phase”.
Info about Waldo
Waldo is a game-book where the reader must find the Charlie’s character inside a picture.
Network configuration
Before doing some investigation, we configured our network like this:
Ports scanning: Recon
During this steep we are going to identify the target to see what we have behind the IP address.
BTW, the results are above:
Explanations
- The remote system is a Linux
- On the system we have a webserver under Nginx 1.12.2
- A remote access SSH: OpenSSH 7.5
For more clarity, we are going to make a summary in MSF.
Enumeration
In this step, we are going to go more deeply on our findings above.
Step 1. The SSH Service
The result of our SSH’s test.
We can confirm that the SSH service is working.
Step 2. The web service
- The check in our Browser
The result shows us the webpage of Waldo’s game. We can also see a list manager that allows to the player to had or delete some lists.
We are going to know more about the technology used by the webserver.
For this test, we have a good idea about the webserver of our Waldo game.
The next step will be to dig more on the webserver. That allow us to find the weakness.
- The source code of the page
We would like to know if there is or are some leak in the source code
We can’t see some leak in it. Just the basic of the page in HTML
Further enumeration
During this step, we are going to analyze more in deep the website. We are surly find the weakness during the process.
To manage it, we are going to use a proxy called BURP. So, let’s go ;)
At first, we would like to find the web site tree in order to have more idea about the functionalities.
The waldo webpage is found by the crawler of BURP.
The result shows us some very interesting tasks. We know now that the website works with 2 main functions:
- dirRead and fileRead
Let’s continue our road by analyzing the both functions more in deep.
BURP : List
Nothing interesting for us in this code. Let’s go to the 2 main functions
We are going to investigate at first on dirRead function.
- The dirRead function
Let’s ding into “list manager” of the website.
We can see that we have the request, then the response. We also see in the response side the formatted response in JSON.
Let’s try to go under the directory of the server in playing with the request. I will just modify it by adding “. /”
The modification of the request
We added ./ to the path for the request.
We can see that we are at the root directory of the website.
We have 4 PHP files (dirRead.php / fileDelete.php / fileRead.php / fileWrite.php).
Let’s dig into the 2 main functions of the website to know “ FileRead and DirRead”.
The others are not very important for the rest of the challenge.
- The FileRead
We changed the request into ./fileRead.php in order to see what is it on it.
The result is a huge plaintext file.
So, the next step is to bypass the system traversal filter to find some critical data.
We are going to test if we can catch the /etc/passwd
Searching for the passwd file
/etc/passwd
Ok, we have a nice result. At the end of the file, we can notice that we have a username with his home ;) it’s nobody
So now, we have a nice hint and let’s continue to the home directory of the user to find his private key of SSH.
To do this, we have to change the directory to dirRead function.
2. DirRead function
Ok, we have now a huge info file called “monitor” of the user. So, let’s catch his RSA Key on “ FileRead function”.
Wawa, we have caught the RSA key of the user nobody. That’s pretty nice.
- The next step is to format it and connect to the box.
After a formatting, the RSA key looks like that:
Next, we have to give the rights on the file like this:
The Weakness
In this part, we are going to talk about the weakness to get into the box.
That’s the entry point of the intrusion.
In other word, the vulnerability is the LFI (Local File Inclusion)
For more details about it, I invite you to read these articles at the addresses:
https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
Exploitation: Houston, We Have a Shell
With all information we’ve got, we can make our intrusion on the remote system. We are going to enter by SSH.
We have:
- The user: nobody
- The private KEY:
- The IP
- Port: 22
So, let’s screw up the box ;)
The next step is to catch the user flag.
We are in, that’s great ;)
Privilege Escalation
Once in we had to find some flags. The first one was the user flag, and the second one, the root flag of the machine.
- The user flag was not easy because we were under jail ! So, we had to escape first.
- The root flag (system admin), more complex!
Always know where you are and where you want to go!!
Ok, so we wanna just browse the user (nobody) directory to catch his flag.
In this last part we gonna see how to get root. Let’s talk about this topic.
The first thing we can do, is to connect in local SSH using .monitor private key.
As soon as we are in, we cannot type any commands at all, WTF is that hell!
We are stuck on the remote machine !
I made a documentation of what the problem was.
So, the question is: how to escape from here?
I’ve tried any commands I know and the simpler one is the escape. It was SSH ;) So, I exit from the internal ssh and came back to the original one.
I’ve changed my command of SSH with a little option — noprofile
Ok, now we bypassed the jail, we can continue our road to the root.
Let’s configure the PATH in order to be able to type commands.
Then, see where we are!! We are under monitor ID.
OK. Next, I would to see the capabilities of the directories. That’s mean the binaries are able to not control the permission (root or user). So, in this configuration, we can read any file we want without to be root .
So, let’s test it with this command:
As you can see on the capture we can notice on the binary “tac”. That helps us for the end of the challenge.
The binary is at /usr/bin/tac
Info : The tac command is like “cat” but in the reverse.