Break this secured system and grab the flags, if you can
Hello everyone, this is the official writeup of my first CTF challenge.
This challenge is inspired by many CTFs I solved on different platforms like THM, HTB, VulnHub and others.
I would rate it as a medium challenge because it has some tasks that may be difficult for beginners, but it really depends on your skills and knowledge.
I hope you try to solve it before checking this detailed solution.
Let's dive in.
ENUMERATION
Starting with our usual nmap scan, we discover two open TCP ports.
As you can see, SSH and HTTP are open:
22/tcp ssh
80/tcp http
Next I scanned those two services in aggressive mode.
This scan tells us that the target is a Debian 11 system running:
OpenSSH version 8.4p1, which is probably secure
HTTP: Apache2 version 2.4.56, which confirms the operating system is Debian
I checked the HTTP webpage and saw the Apache2 default page.
I viewed its source code but found nothing.
website technologies
Checking Wappalyzer, a browser extension used to identify website technologies, I found this!
We can see that the website is using WordPress 6.2.2 (latest version),
plus PHP and MySQL, which is expected.
FUZZING
I used the ffuf fuzzer to see what files and directories are on this server:
ffuf -u URL/FUZZ -w WORDLIST -e EXTENSIONS
I found this:
the WordPress directory and the Apache2 manual page
wordpress pages
I visited WordPress and found an interesting Breakme page.
It seems there's nothing in here, so I tried to log in as admin.
The user admin actually exists (the login error confirms it).
Then I used wpscan (a WordPress scanning tool) to get more info:
wpscan --url WP-URL
and I found some interesting stuff:
WordPress is using an outdated plugin called WP-DATA-ACCESS 5.3.5.
I did some googling and discovered this CVE here.
As you can see, it's a privilege escalation vulnerability: it allows changing user roles in WordPress by updating a profile and adding the wpda_role[] parameter to the request, provided the "Enable role management" setting is on.
So I re-used wpscan to enumerate WordPress users, themes, plugins and more:
wpscan --url WP-URL --enumerate u,at,ap,cb,dbe
and found two users: admin and bob.
So my next thoughts were:
brute force bob's (or admin's) password, log in, use the CVE to upgrade to administrator, and get a foothold on the system.
I tried to brute force bob's and admin's passwords using wpscan and found bob's password:
wpscan --url WP-URL -U usernames-list -P passwords-list
And I logged in as bob.
As we can see, bob is just a Subscriber, so I thought it's time to exploit that CVE:
CVE-2023-1847
All I really had to do was turn Burp intercept on, update the profile, add the wpda_role parameter to the POST request and forward the request.
After forwarding the request, bob's account role changes and you get an administrator panel.
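The role change above ends with bob holding the administrator role in the wp_usermeta table. As an added defender-side example (my code, not the challenge's or the plugin's), the Python below parses the PHP-serialized wp_capabilities value that WordPress stores per user and flags any account holding a role it is not expected to have. The sample rows and the expected-roles table are constructed for this example; the parser only accepts the restricted a:N:{s:len:"role";b:1;...} shape WordPress writes, and rejects anything else rather than guessing.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of (user_login, wp_capabilities meta_value) pairs as they
# appear in wp_usermeta. Not data from the challenge box.
SAMPLE_USERMETA = [
    ("admin", 'a:1:{s:13:"administrator";b:1;}'),
    ("bob",   'a:1:{s:13:"administrator";b:1;}'),   # subscriber that became administrator
    ("alice", 'a:1:{s:10:"subscriber";b:1;}'),
]

# Roles each account is expected to hold (an assumption for this example;
# a real deployment would keep this list under change control).
EXPECTED_ROLES = {
    "admin": {"administrator"},
    "bob": {"subscriber"},
    "alice": {"subscriber"},
}

_HEADER = re.compile(r'^a:(\d+):\{(.*)\}$', re.S)
_ENTRY = re.compile(r's:(\d+):"([^"]*)";b:([01]);')


def parse_capabilities(serialized: str) -> Dict[str, bool]:
    """Parse WordPress's wp_capabilities value: a PHP-serialized array whose
    keys are role names and whose values are booleans. Any byte that does not
    fit that exact shape raises ValueError instead of being silently skipped."""
    m = _HEADER.match(serialized.strip())
    if not m:
        raise ValueError("not a serialized PHP array")
    count, body = int(m.group(1)), m.group(2)
    caps: Dict[str, bool] = {}
    pos = 0
    for e in _ENTRY.finditer(body):
        if e.start() != pos:
            raise ValueError("unexpected data in array body")
        length, key, flag = int(e.group(1)), e.group(2), e.group(3) == "1"
        if len(key.encode()) != length:      # PHP string lengths are byte counts
            raise ValueError("string length mismatch")
        caps[key] = flag
        pos = e.end()
    if pos != len(body) or len(caps) != count:
        raise ValueError("element count mismatch")
    return caps


def find_unexpected_roles(rows: Iterable[Tuple[str, str]],
                          expected: Dict[str, Set[str]]) -> List[str]:
    """Return 'login:role' for every enabled role a user is not expected to hold."""
    findings = []
    for login, meta in rows:
        for role, enabled in parse_capabilities(meta).items():
            if enabled and role not in expected.get(login, set()):
                findings.append(f"{login}:{role}")
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_roles(SAMPLE_USERMETA, EXPECTED_ROLES):
        print("unexpected role:", finding)
```

Run against a periodic dump of wp_usermeta, this turns the silent role flip into a single line to alert on; pairing it with an audit of the plugin's role-management setting closes the gap the CVE relies on.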
Now it's time to get a foothold on this machine.
FOOTHOLD
First I changed the WordPress theme to "Twenty Twenty-One" from Appearance,
then I went to the theme;
you'll notice that the Appearance menu changes.
I went to the theme editor and on the right side chose to edit the 404.php file.
As you can see, I pasted my own reverse shell (you must change IP and PORT to what suits you), found here,
and set up a netcat listener:
nc -lnvp PORT
Then I browsed to 404.php
and finally got a foothold.
PRIVILEGE ESCALATION
user 1: john
Doing some basic checks I found three users: john and youcef
cat /etc/passwd
Visiting their home directories,
I wasn't able to list youcef's home,
and john had an interesting folder, "internal".
Then I checked the wp-config.php file,
but that database password wasn't valid for any user.
So I decided to run linpeas.
LINPEAS
I uploaded it to the target machine; you can find it here.
At first nothing seemed out of the ordinary, except an internal service on port 9999, which hints that it is launched from john's internal folder.
So I used socat to port forward it; you can find it here.
PORT FORWARDING
Upload socat to the target and forward the service:
./socat TCP-LISTEN:YOUR-PORT,fork,reuseaddr TCP:127.0.0.1:SRVC-PORT
Then I ran nmap on the forwarded service and found that it's a PHP server.
I checked the URL and found
an HTTP service that looks like a user tools page.
Checking the source code, nothing interesting there,
so I started playing around with the inputs.
Check Target
It seems it's using the ping command with a -c 2 flag.
Check User
Didn't really give me a hint on what command is executing.
Check File
Like Check User, and it says invalid filename.
I ran some basic command injection checks like ";id", "&&id", "||id" and so on.
I found that it is filtering the inputs, so I tried a bunch of characters to see which would survive on all three inputs, and I got this in Check User.
So I ran the following input, since | is allowed.
I guessed that it worked, but it isn't giving us the result,
so it's like a blind command injection.
Then I tried to connect back to a netcat listener,
but it seems that "-" and spaces are filtered too,
so I replaced the space with "${IFS}", which is just an alternative to a literal space for the shell,
and it worked!
Now, how can we use this to get a shell? I thought of uploading a PHP file using wget to avoid the filters,
and it is confirmed.
Then I ran this reverse shell and got in as john.
I grabbed the first flag.
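The filter bypass above shows why a character blocklist in front of a ping command does not hold. As an added example (my code, not the challenge's; the blocklist here is my approximation of what the writeup observed, and the challenge's real filter is not on the page), the Python below puts that blocklist beside an allow-list validator that accepts only an IP address or a plain hostname and then hands the target to ping as its own argv element, so no shell ever parses it.

```python
import ipaddress
import re
import subprocess
from typing import List

# Characters a naive filter might reject. Constructed to mirror what the writeup
# observed (";", "&", "-" and spaces blocked; "|", "$", "{" and "}" not), not the
# challenge's actual filter, which is not on the page.
BLOCKED_CHARS = set(";&`'\"\n<>()- ")


def legacy_blocklist_allows(raw: str) -> bool:
    """The fragile approach: accept anything containing no blocked character."""
    return not any(ch in BLOCKED_CHARS for ch in raw)


# RFC 1123 style hostname: labels of letters, digits and hyphens, no label
# starting or ending with a hyphen, at most 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_target(raw: str) -> str:
    """Allow-list approach: return the target only if it is an IP address or a
    hostname. Anything else, including "|", "$", "{", "}" and whitespace,
    is rejected, so "${IFS}" tricks never reach a command line."""
    target = raw.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"target not allowed: {raw!r}")


def is_valid_target(raw: str) -> bool:
    try:
        validate_target(raw)
        return True
    except ValueError:
        return False


def build_ping_argv(raw: str) -> List[str]:
    """Argument vector for ping. The target is a single argv element and never
    passes through a shell, so shell metacharacters have no meaning; the
    hostname rule also forbids a leading "-", so it cannot become an option."""
    return ["ping", "-c", "2", validate_target(raw)]


def run_ping(raw: str) -> str:
    completed = subprocess.run(build_ping_argv(raw), capture_output=True,
                               text=True, timeout=15)
    return completed.stdout + completed.stderr


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "example.com", "127.0.0.1|id", "a${IFS}b", "-c 100"):
        print(f"{candidate!r:18} blocklist={legacy_blocklist_allows(candidate)!s:6} "
              f"allowlist={is_valid_target(candidate)}")
    print(run_ping("127.0.0.1"))
```

The two checks disagree exactly on the inputs the writeup used: the blocklist lets "127.0.0.1|id" and "a${IFS}b" through because it never anticipated those characters, while the allow-list rejects them without needing to know any particular trick.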
user 2: youcef
I tried some basic commands like sudo -l ... nothing much.
Then, checking youcef's home directory, I found this binary file and a .ssh folder.
It allows reading a file's contents and it has the SUID bit on, so we can read files as youcef. I ran it,
then tested it on /etc/passwd.
As you can see, this is a hint to read the id_rsa file with this binary.
I couldn't, so I ran strings on readfile and got this:
as you see, it's using the usleep function, and we can't read the flag or id_rsa files.
I tried to create a symlink to id_rsa and read it, but couldn't,
so I started the race.
RACE CONDITION
I wrote two simple Python scripts which automate things for me.
exp.py
#!/usr/bin/python3
import os
import time

# Repeatedly swap the path "fakefile" between a harmless empty file and a
# symlink to the target, sleeping briefly between steps so the other script
# can hit the window between readfile's name check and its open().
for _ in range(1000):
    os.system("touch fakefile")
    time.sleep(0.002)
    os.system("ln -sf /home/youcef/.ssh/id_rsa fakefile")
    time.sleep(0.002)
    os.system("rm fakefile")
exp2.py
#!/usr/bin/python3
import os

# Call the SUID readfile binary on "fakefile" over and over, appending
# whatever it prints to /tmp/result; any run that lands while the path is a
# symlink will have read the target.
for _ in range(1000):
    os.system("/home/youcef/readfile fakefile >> /tmp/result")
exp.py creates a fakefile, links it to id_rsa, then deletes it, and repeats the process, sleeping 0.002 seconds between commands.
exp2.py runs the readfile binary on our fakefile and redirects the output to /tmp/result.
I ran exp.py in the background and quickly ran exp2.py (to avoid opening another session as john),
and it worked!
Then I copied the SSH private key and started decrypting it.
Got the second flag.
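The race works because readfile checks the name of the path and only later opens that same path, so the name can point somewhere else in between (a time-of-check to time-of-use bug). As an added example, my code and not the challenge's binary, the Python below places a racy reader modelled on that behaviour beside a reader that opens the file once with O_NOFOLLOW, validates the opened descriptor with fstat() and reads from that same descriptor. The secret file, the fakefile symlink and the notes file in demo() are constructed in a temporary directory.

```python
import errno
import os
import stat
import tempfile
import time
from typing import Optional

# Names the challenge binary refused, per the writeup.
FORBIDDEN_NAMES = ("id_rsa", "flag")


def racy_read(path: str, delay: float = 0.0) -> bytes:
    """Modelled on the challenge binary: a name check on the path, a pause
    (its usleep), then an open by the same path. Between the check and the
    open the path can be swapped for a symlink, which is what the two
    scripts above exploit."""
    if any(name in os.path.basename(path) for name in FORBIDDEN_NAMES):
        raise PermissionError("forbidden file name")
    time.sleep(delay)
    with open(path, "rb") as f:        # follows symlinks, re-resolves the path
        return f.read()


def safe_read(path: str, allowed_uid: Optional[int] = None) -> bytes:
    """Open once, then decide using the descriptor rather than the path:
    O_NOFOLLOW refuses a symlink outright, and fstat() describes the object
    actually opened, so nothing can be swapped underneath the check."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_nlink > 1:
            raise PermissionError("hard-linked file; refusing")
        if allowed_uid is not None and st.st_uid != allowed_uid:
            raise PermissionError("file is owned by another user")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:      # reads exactly the object that was checked
        return f.read()


def demo() -> dict:
    """Constructed scenario: a secret named id_rsa, a symlink named fakefile
    pointing at it, and an ordinary notes file, all in a temporary directory."""
    secret_bytes = b"-----BEGIN OPENSSH PRIVATE KEY----- (constructed, not a real key)"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "id_rsa")
        link = os.path.join(d, "fakefile")
        notes = os.path.join(d, "notes.txt")
        with open(secret, "wb") as f:
            f.write(secret_bytes)
        with open(notes, "wb") as f:
            f.write(b"hello")
        os.symlink(secret, link)

        try:
            racy_read(secret)
            results["racy_blocks_direct_name"] = False
        except PermissionError:
            results["racy_blocks_direct_name"] = True
        # The name check passes for "fakefile", and open() follows the link.
        results["racy_follows_symlink"] = racy_read(link) == secret_bytes
        try:
            safe_read(link)
            results["safe_rejects_symlink"] = False
        except OSError as e:             # ELOOP from O_NOFOLLOW on Linux
            results["safe_rejects_symlink"] = True
            results["symlink_errno"] = e.errno
        results["safe_reads_own_file"] = safe_read(notes, allowed_uid=os.getuid()) == b"hello"
        try:
            safe_read(notes, allowed_uid=os.getuid() + 1)
            results["safe_rejects_other_owner"] = False
        except PermissionError:
            results["safe_rejects_other_owner"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value}")
```

The ownership check is the part that matters for a SUID helper: comparing the opened file's st_uid against the caller's real uid means the helper only ever hands back files the caller could read anyway, whatever name or link the caller supplied.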
ROOT FLAG
Now, looking around to get root access, I ran sudo -l and found this:
PYTHON JAIL ESCAPE
youcef can run this jail.py script as root with no password.
Running it and testing some inputs:
after trying multiple inputs, it turned out they are filtered against malicious commands.
Googling how to escape this type of jail, I found this writeup.
I tested these commands but none worked.
So I started testing which Python instructions are detected as Illegal Input.
After some tests it seems lower() is also filtered.
I searched for a replacement and found one here:
the casefold() method can be used as an alternative.
I tried it instead of lower() in the previous input.
Still it outputs Illegal Input.
I tried those basic commands and more but none worked for me; then I found this yorick program in /usr/bin/.
Googling yorick gave me this:
it's an interpreted programming language used for scientific computing,
and the good thing is it has a system function which allows running commands on the target.
/usr/bin/yorick didn't work for me (it's a symbolic link), so I tested the real path of the binary.
Running yorick, then executing commands with the system function, allowed me to get a root shell, fully compromise the machine and get the final flag.
Conclusion
Finally, I hope you enjoyed this challenge and learned some new things. If you ever face any problem or find a way in other than the intended one, please contact me here.
HAPPY HACKING!