Walkthrough Waldo

Drx

CTF Walkthrough: Waldo

Introduction

The following writeup shows the process I used to capture the user and root flags on waldo machine at @ 10.10.10.87

This document contains my field notes I took when I was working through the box.

HTB machine infos

Weakness

  • LFI
  • GetCap and SetCap

Contents

  • Target OS: Linux
  • Services: SSH; HTTP
  • IP address: 10.10.10.87
  • Difficulty: Medium

My way of thinking

The first step consists of the reconnaissance phase as ports scanning, banner grabbing, misconfigurations and so on. The second one to find the weakness, then, the attack itself, finally the privileges escalation called “post exploitation phase”.

Info about Waldo

Waldo is a game-book where the reader must find the Charlie’s character inside a picture.

Network configuration

Before doing some investigation, we configured our network like this:

Network configuration

Ports scanning: Recon

During this steep we are going to identify the target to see what we have behind the IP address.

BTW, the results are above:

The nmap output

Explanations

  • The remote system is a Linux
  • On the system we have a webserver under Nginx 1.12.2
  • A remote access SSH: OpenSSH 7.5

For more clarity, we are going to make a summary in MSF.

Summary in MSF

Enumeration

In this step, we are going to go more deeply on our findings above.

Step 1. The SSH Service

The result of our SSH’s test.

The Nmap’s output

We can confirm that the SSH service is working.

Step 2. The web service

  1. The check in our Browser
The browser’s answer

The result shows us the webpage of Waldo’s game. We can also see a list manager that allows to the player to had or delete some lists.

We are going to know more about the technology used by the webserver.

The Waldo’s technologies

For this test, we have a good idea about the webserver of our Waldo game.

The next step will be to dig more on the webserver. That allow us to find the weakness.

  1. The source code of the page

We would like to know if there is or are some leak in the source code

The source codes

We can’t see some leak in it. Just the basic of the page in HTML

Further enumeration

During this step, we are going to analyze more in deep the website. We are surly find the weakness during the process.

To manage it, we are going to use a proxy called BURP. So, let’s go ;)

At first, we would like to find the web site tree in order to have more idea about the functionalities.

The waldo webpage is found by the crawler of BURP.

The tree

The result shows us some very interesting tasks. We know now that the website works with 2 main functions:

  • dirRead and fileRead

Let’s continue our road by analyzing the both functions more in deep.

BURP : List

The list.html

Nothing interesting for us in this code. Let’s go to the 2 main functions

We are going to investigate at first on dirRead function.

  1. The dirRead function

Let’s ding into “list manager” of the website.

The dirRead function

We can see that we have the request, then the response. We also see in the response side the formatted response in JSON.

Let’s try to go under the directory of the server in playing with the request. I will just modify it by adding “. /”

The modification of the request

We added ./ to the path for the request.

First modification

We can see that we are at the root directory of the website.

We have 4 PHP files (dirRead.php / fileDelete.php / fileRead.php / fileWrite.php).

Let’s dig into the 2 main functions of the website to know “ FileRead and DirRead”.

The others are not very important for the rest of the challenge.

  1. The FileRead
The fileRead

We changed the request into ./fileRead.php in order to see what is it on it.

The result is a huge plaintext file.

So, the next step is to bypass the system traversal filter to find some critical data.

We are going to test if we can catch the /etc/passwd

Searching for the passwd file

/etc/passwd

Ok, we have a nice result. At the end of the file, we can notice that we have a username with his home ;) it’s nobody

So now, we have a nice hint and let’s continue to the home directory of the user to find his private key of SSH.

To do this, we have to change the directory to dirRead function.

2. DirRead function

The user’s directory

Ok, we have now a huge info file called “monitor” of the user. So, let’s catch his RSA Key on “ FileRead function”.

The RSA key of the user nobody

Wawa, we have caught the RSA key of the user nobody. That’s pretty nice.

  • The next step is to format it and connect to the box.

After a formatting, the RSA key looks like that:

The RSA key formatted

Next, we have to give the rights on the file like this:

The rights on the file

The Weakness

In this part, we are going to talk about the weakness to get into the box.

That’s the entry point of the intrusion.

In other word, the vulnerability is the LFI (Local File Inclusion)

For more details about it, I invite you to read these articles at the addresses:

https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal

https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

Exploitation: Houston, We Have a Shell

With all information we’ve got, we can make our intrusion on the remote system. We are going to enter by SSH.

We have:

  • The user: nobody
  • The private KEY:
  • The IP
  • Port: 22

So, let’s screw up the box ;)

The Intrusion on the box
The ID after the intrusion

The next step is to catch the user flag.

We are in, that’s great ;)

Privilege Escalation

Once in we had to find some flags. The first one was the user flag, and the second one, the root flag of the machine.

- The user flag was not easy because we were under jail ! So, we had to escape first.

- The root flag (system admin), more complex!

Always know where you are and where you want to go!!

Ok, so we wanna just browse the user (nobody) directory to catch his flag.

The user flag

In this last part we gonna see how to get root. Let’s talk about this topic.

The first thing we can do, is to connect in local SSH using .monitor private key.

The command as localhost
We are under Waldo

As soon as we are in, we cannot type any commands at all, WTF is that hell!

We are stuck on the remote machine !

Shellcatraz or RBASH

I made a documentation of what the problem was.

Restricted bash (RBASH in our case)
Links for info

So, the question is: how to escape from here?

I’ve tried any commands I know and the simpler one is the escape. It was SSH ;) So, I exit from the internal ssh and came back to the original one.

I’ve changed my command of SSH with a little option — noprofile

Bypass Rbash

Ok, now we bypassed the jail, we can continue our road to the root.

Let’s configure the PATH in order to be able to type commands.

Export the path

Then, see where we are!! We are under monitor ID.

Monitor ID

OK. Next, I would to see the capabilities of the directories. That’s mean the binaries are able to not control the permission (root or user). So, in this configuration, we can read any file we want without to be root .

So, let’s test it with this command:

Getcap

As you can see on the capture we can notice on the binary “tac”. That helps us for the end of the challenge.

The binary is at /usr/bin/tac

Info : The tac command is like “cat” but in the reverse.

Catch the root flag

Drx

Written by

Drx

Pentester |#WhiteHat | |#Pentester | #Pentesting |#Cybersecurity |#Linux | |#debian | |#kalilinux |#infosec | |#GNU | drx51@protonmail.com

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade