HIH | HAC_CTF

In this post, I demonstrate the steps I took to fully compromise the host provided in the CTF challenge by the Hackers Improve Here community.
In: CTF, Attack, Home Lab

Nmap Results

# Nmap 7.92 scan initiated Mon Jul 18 12:13:43 2022 as: nmap -T5 -p- -oA scan hacctf.local
Nmap scan report for hacctf.local (10.9.9.49)
Host is up (0.00031s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
10250/tcp open  unknown
10257/tcp open  unknown
10259/tcp open  unknown
16443/tcp open  unknown
25000/tcp open  icl-twobase1

# Nmap done at Mon Jul 18 12:13:45 2022 -- 1 IP address (1 host up) scanned in 2.43 seconds





Service Enumeration

TCP/80

As part of the challenge, the CTF creator instructed participants to add hacctf.local to their local hosts file. After adding the hosts entry and evaluating the nmap results, I decide to zero in on TCP/80, since a web server is usually a reliable entry point.

Gobuster Enumeration

gobuster dir -u http://hacctf.local -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html -o gobuster-enum.txt

/.htaccess            (Status: 403) [Size: 277]
/.htaccess.php        (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess.html       (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.htpasswd.html       (Status: 403) [Size: 277]
/assets               (Status: 301) [Size: 313] [--> http://hacctf.local/assets/]
/index.html           (Status: 200) [Size: 1156]                                 
/robots.txt           (Status: 200) [Size: 31]                                   
/server-status        (Status: 403) [Size: 277]                                  
/wordpress            (Status: 301) [Size: 316] [--> http://hacctf.local/wordpress/]

curl -s http://hacctf.local/robots.txt

/creds.html
/supersecret.html
Hmm... redirect to YouTube
Another redirect to YouTube?





Wordpress

Seems like there should be some place to download this app and analyze it. Let's take a look at the /assets folder discovered above in the Gobuster enumeration.

Download the APK file and decompile it for inspection.

Try a case-insensitive search for the keyword password in the decompiled directory.

The file ./res/values/strings.xml looks most interesting to me, since it seems like it could contain a hard-coded value left there by the developer.
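An added example (not part of the original write-up) of the review step described above: parse a decompiled res/values/strings.xml and flag resource names that suggest a developer shipped a credential. The sample XML, its resource names and values are constructed placeholders.

```python
"""Flag hard-coded secrets in decompiled Android resources (res/values/strings.xml)."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of what a decompiled res/values/strings.xml can look like.
# Resource names and values are placeholders, not from the challenge APK.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">HacNotes</string>
    <string name="password_hint">Enter your password</string>
    <string name="wp_admin_password">PLACEHOLDER_NOT_A_REAL_SECRET</string>
    <string name="api_base_url">http://hacctf.local/wordpress/</string>
    <string name="analytics_key">placeholder-0000000000000000</string>
</resources>
"""

# Resource names that usually mean a credential was left in the build.
SECRET_NAME_RE = re.compile(
    r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key|credential|[_-]key$)",
    re.I,
)


def find_hardcoded_secrets(xml_text: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs whose resource name looks like a secret.

    Values containing spaces are skipped: they are almost always UI labels
    such as 'Enter your password', not credentials.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        if SECRET_NAME_RE.search(name) and value and " " not in value:
            hits.append((name, value))
    return hits


def scan_decompiled_dir(root: str) -> dict[str, list[tuple[str, str]]]:
    """Scan every strings.xml under a decompiled APK tree (e.g. apktool output)."""
    results = {}
    for xml_path in Path(root).rglob("strings.xml"):
        hits = find_hardcoded_secrets(xml_path.read_text(encoding="utf-8"))
        if hits:
            results[str(xml_path)] = hits
    return results


if __name__ == "__main__":
    for name, value in find_hardcoded_secrets(SAMPLE_STRINGS_XML):
        print(f"{name} = {value!r}")
```

Point `scan_decompiled_dir` at the output directory of your decompiler to cover all locale-specific `values-*` folders, not only `res/values`.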

If I had to guess, this is likely the logon password for the WordPress installation. The username for the WordPress installation should match the article author – admin. Let's see if I can log into the WordPress admin panel at http://hacctf.local/wp-admin.

I'm in.

I take a look around and initially look at the plugins to see if there is a writable plugin where I can insert a PHP reverse shell, but it doesn't look like the files are writable.

Next, I take a look at the posts and find a draft post.





Exploit

An in-development Android application – exposed in a publicly available web directory – yielded a hard-coded password. Due to credential re-use, this exposed the admin interface of the local WordPress installation, which contained a user credential for SSH access.

I should be able to SSH as hailey.

ssh hailey@hacctf.local





Post-Exploit Enumeration

Run /bin/bash to get a better shell.

Operating Environment

OS & Kernel

hailey@hac-ctf:~$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
hailey@hac-ctf:~$ uname -a
Linux hac-ctf 5.4.0-110-generic #124-Ubuntu SMP Thu Apr 14 19:46:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Current User

$ id
uid=1002(hailey) gid=1002(hailey) groups=1002(hailey)
$ groups
hailey
$ sudo -v
Sorry, user hailey may not run sudo on hac-ctf.



Users and Groups

Local Users

hailey@hac-ctf:~$ cat /etc/passwd | grep -E '100\w'
hac:x:1000:1000:hac:/home/hac:/bin/bash
ftpuser:x:1001:1001::/home/ftpuser:/bin/sh
hailey:x:1002:1002::/home/hailey:/bin/sh
zara:x:1003:1003::/home/zara:/bin/sh

Local Groups

hailey@hac-ctf:~$ cat /etc/group | grep -E '100\w'
hac:x:1000:
ftpuser:x:1001:
hailey:x:1002:
zara:x:1003:



Network Configurations

Interfaces

ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 3a:9b:bf:76:73:50 brd ff:ff:ff:ff:ff:ff

Open Ports

ss -tanup | grep -i listen | grep 127\.0\.0\.1
tcp   LISTEN    0      70              127.0.0.1:33060            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:10248            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:10249            0.0.0.0:*
tcp   LISTEN    0      151             127.0.0.1:3306             0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:10256            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:19001            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:39385            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:1338             0.0.0.0:*



Interesting Files

/var/www/html/wordpress/wp-config.php
/** MySQL database username */
define( 'DB_USER', 'hac' );

/** MySQL database password */
define( 'DB_PASSWORD', 'supersecurepassword' );





Privilege Escalation

The world-readable WordPress configuration file contains the credentials of the database administrator account. This user also happens to be the system administrator, and due to credential re-use, I am able to switch user and achieve passwordless sudo.
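An added example (not from the original write-up) of the check a defender would run for the root cause above: report whether a wp-config.php is readable by other local accounts and strip the world bits. The file path and the 0640 target mode are assumptions; WordPress only needs the web server user to read the file.

```python
"""Detect and fix a world-readable wp-config.php (the local-privesc root cause above)."""
import os
import stat
import tempfile


def wp_config_exposure(path: str) -> dict:
    """Describe who can read the file and whether that is a local-privesc risk."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "mode": oct(mode),
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
        # Any shell account (hailey in the write-up) can read DB_PASSWORD when
        # the file is world-readable; that is the finding that needs fixing.
        "risk": "world-readable" if mode & stat.S_IROTH else "ok",
    }


def harden(path: str) -> str:
    """Drop all 'other' bits, leaving owner and group access as they are."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def demo() -> tuple[dict, dict]:
    """Create a constructed wp-config.php with the common default 0644, then fix it."""
    with tempfile.NamedTemporaryFile("w", suffix="wp-config.php", delete=False) as f:
        # Constructed content; the password is a placeholder.
        f.write("<?php\ndefine( 'DB_USER', 'hac' );\n"
                "define( 'DB_PASSWORD', 'PLACEHOLDER' );\n")
        path = f.name
    os.chmod(path, 0o644)          # the state found during the engagement
    before = wp_config_exposure(path)
    harden(path)                   # assumed target: 0640, owner plus web server group
    after = wp_config_exposure(path)
    os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Credential re-use between the database account and a sudo-capable system user is the second half of the finding; the permission fix above closes the read path, but the shared password still needs rotating.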





Flags

Hailey

hac{4NDr01D_4ND_w0RdPr355_801_1337}

Root

hac{w3lL_doN3_Ama21N9_h3K3r_aNDRo1D_n_LUA_fuN}

Judging by the flag, I achieved root via an unintended path (seems like a Lua script should have been used somewhere). Oh well, root is root.

More from 0xBEN