Nmap Results
# Nmap 7.92 scan initiated Mon Jul 18 12:13:43 2022 as: nmap -T5 -p- -oA scan hacctf.local
Nmap scan report for hacctf.local (10.9.9.49)
Host is up (0.00031s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
10250/tcp open unknown
10257/tcp open unknown
10259/tcp open unknown
16443/tcp open unknown
25000/tcp open icl-twobase1
# Nmap done at Mon Jul 18 12:13:45 2022 -- 1 IP address (1 host up) scanned in 2.43 seconds
Service Enumeration
TCP/80
As part of the challenge, the CTF creator instructed participants to add hacctf.local
to their local hosts file. After adding the hosts entry and evaluating the nmap
results, I decide to zero in on TCP/80, since that's usually a reliable entry point.

Gobuster Enumeration
gobuster dir -u http://hacctf.local -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html -o gobuster-enum.txt
/.htaccess (Status: 403) [Size: 277]
/.htaccess.php (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess.html (Status: 403) [Size: 277]
/.htpasswd.php (Status: 403) [Size: 277]
/.htpasswd.html (Status: 403) [Size: 277]
/assets (Status: 301) [Size: 313] [--> http://hacctf.local/assets/]
/index.html (Status: 200) [Size: 1156]
/robots.txt (Status: 200) [Size: 31]
/server-status (Status: 403) [Size: 277]
/wordpress (Status: 301) [Size: 316] [--> http://hacctf.local/wordpress/]
curl -s http://hacctf.local/robots.txt
/creds.html
/supersecret.html

WordPress

Seems like there should be some place to download this app and analyze it. Let's take a look at the /assets folder discovered above in the Gobuster enumeration.

Download the APK file and decompile it for inspection.

Try a case-insensitive search for the keyword password in the decompiled directory.

The file ./res/values/strings.xml looks most interesting to me, since it seems like it could contain a hard-coded value left there by the developer.
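As an added audit example (not the CTF author's tooling), this script scans a strings.xml of the kind found in a decompiled APK and flags resources whose name or value suggests an embedded credential; the XML below is constructed for the demo and is not the challenge app's file.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling res/values/strings.xml from a decompiled APK.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">DemoApp</string>
    <string name="welcome_msg">Welcome back</string>
    <string name="wp_admin_password">changeme</string>
    <string name="api_token">ZmFrZS10b2tlbi1ub3QtcmVhbA==</string>
    <string name="analytics_id">k9Xq2mVb7Lp4Rt8Wz1Yh</string>
    <string name="support_url">https://example.invalid/help</string>
</resources>
"""

# Resource names that suggest a developer left a credential behind.
SUSPICIOUS_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|credential", re.I)
# Values that look like opaque tokens (base64/hex-ish, 16+ chars, no spaces).
BLOB_VALUE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking secrets score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_secrets(xml_text):
    """Return (resource name, reasons) for every string that looks like a secret."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("string"):
        name = el.get("name", "")
        value = (el.text or "").strip()
        reasons = []
        if SUSPICIOUS_NAME.search(name):
            reasons.append("name")
        if BLOB_VALUE.match(value) and shannon_entropy(value) > 3.5:
            reasons.append("entropy")
        if reasons:
            findings.append((name, ",".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, why in find_hardcoded_secrets(SAMPLE_STRINGS_XML):
        print(f"{name}: flagged by {why}")
```

Pointing the same function at every values*/strings.xml under a decompiled tree gives a quick pre-release check for exactly the kind of leftover the challenge relied on.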

If I had to guess, this is likely the logon password for the WordPress installation. The username for the WordPress installation should match the article author – admin. Let's see if I can log into the WordPress admin panel at http://hacctf.local/wp-admin.

I take a look around and initially look at the plugins to see if there is a writable plugin where I can insert a PHP reverse shell, but it doesn't look like the files are writable.
Next, I take a look at the posts and find a draft post.

Exploit
An in-development Android application – exposed in a publicly available web directory – yielded a hard-coded password. Due to credential re-use, this exposed the admin interface of the local WordPress installation, which contained a user credential for SSH access.
I should be able to SSH as hailey.
ssh hailey@hacctf.local

Post-Exploit Enumeration
Run /bin/bash to get a better shell.
Current User
$ id
uid=1002(hailey) gid=1002(hailey) groups=1002(hailey)
$ groups
hailey
$ sudo -v
Sorry, user hailey may not run sudo on hac-ctf.
OS & Kernel
hailey@hac-ctf:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
hailey@hac-ctf:~$ uname -a
Linux hac-ctf 5.4.0-110-generic #124-Ubuntu SMP Thu Apr 14 19:46:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Users
hailey@hac-ctf:~$ cat /etc/passwd | grep -E '100\w'
hac:x:1000:1000:hac:/home/hac:/bin/bash
ftpuser:x:1001:1001::/home/ftpuser:/bin/sh
hailey:x:1002:1002::/home/hailey:/bin/sh
zara:x:1003:1003::/home/zara:/bin/sh
Groups
hailey@hac-ctf:~$ cat /etc/group | grep -E '100\w'
hac:x:1000:
ftpuser:x:1001:
hailey:x:1002:
zara:x:1003:
Network
Interfaces
ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 3a:9b:bf:76:73:50 brd ff:ff:ff:ff:ff:ff
ARP Table
N/A
Routes
N/A
Open Ports
ss -tanup | grep -i listen | grep 127\.0\.0\.1
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:10248 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:10249 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:10256 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:19001 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:39385 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:1338 0.0.0.0:*
Ping Sweep
N/A
Processes
root 722 0.0 0.3 239292 5920 ? Ssl 16:12 0:00 /usr/lib/accountsservice/accounts-daemon
root 728 0.0 0.1 6812 2620 ? Ss 16:12 0:00 /usr/sbin/cron -f
root 734 0.0 0.1 81824 3232 ? Ssl 16:12 0:00 /usr/sbin/irqbalance --foreground
root 738 0.0 0.6 29656 12640 ? Ss 16:12 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root 740 0.0 0.2 236436 5596 ? Ssl 16:12 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 746 0.0 0.1 7500 3348 ? Ss 16:12 0:02 /bin/bash /snap/microk8s/3272/apiservice-kicker
root 748 0.0 0.1 6972 3028 ? Ss 16:12 0:00 /bin/bash /snap/microk8s/3272/run-cluster-agent-with-args
root 749 0.5 1.0 1495428 19932 ? Ssl 16:12 0:14 /snap/microk8s/3272/bin/containerd --config /var/snap/microk8s/3272/args/containerd.toml --root /var/snap/microk8s/common/var/lib/containerd --state /var/snap/microk8s/common/run/containerd --address /var/snap/microk8s/common/run/containerd.sock
root 754 3.4 11.2 1776280 217396 ? Ssl 16:12 1:34 /snap/microk8s/3272/bin/k8s-dqlite --storage-dir=/var/snap/microk8s/3272/var/kubernetes/backend/ --listen=unix:///var/snap/microk8s/3272/var/kubernetes/backend/kine.sock:12379
root 758 8.1 20.7 2384368 400448 ? Ssl 16:12 3:45 /snap/microk8s/3272/kubelite --scheduler-args-file=/var/snap/microk8s/3272/args/kube-scheduler --controller-manager-args-file=/var/snap/microk8s/3272/args/kube-controller-manager --proxy-args-file=/var/snap/microk8s/3272/args/kube-proxy --kubelet-args-file=/var/snap/microk8s/3272/args/kubelet --apiserver-args-file=/var/snap/microk8s/3272/args/kube-apiserver --kubeconfig-file=/var/snap/microk8s/3272/credentials/client.config --start-control-plane=true
root 763 0.0 0.0 4644 112 ? Ss 16:12 0:00 /bin/sh /snap/nextcloud/31033/bin/delay-on-failure mdns-publisher nextcloud
root 764 0.0 0.0 4644 1104 ? Ss 16:12 0:00 /bin/sh -e /snap/nextcloud/31033/bin/start_mysql
root 765 0.0 0.0 4644 964 ? Ss 16:12 0:00 /bin/sh /snap/nextcloud/31033/bin/nextcloud-cron
root 766 0.0 0.0 4644 1088 ? Ss 16:12 0:00 /bin/sh -e /snap/nextcloud/31033/bin/nextcloud-fixer
root 767 0.0 0.0 4644 1004 ? Ss 16:12 0:00 /bin/sh /snap/nextcloud/31033/bin/start-php-fpm
root 768 0.0 0.0 4644 836 ? Ss 16:12 0:00 /bin/sh /snap/nextcloud/31033/bin/start-redis-server
root 769 0.0 0.0 4644 1052 ? Ss 16:12 0:00 /bin/sh /snap/nextcloud/31033/bin/renew-certs
root 770 0.2 1.2 948284 23372 ? Ssl 16:12 0:07 /usr/lib/snapd/snapd
root 772 0.0 0.3 16612 7260 ? Ss 16:12 0:00 /lib/systemd/systemd-logind
root 774 0.0 0.4 394880 7956 ? Ssl 16:12 0:00 /usr/lib/udisks2/udisksd
root 786 0.0 0.0 0 0 ? I 16:12 0:00 [kworker/0:4-kdmflush]
root 807 0.0 0.0 5828 1628 tty1 Ss+ 16:12 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root 885 0.0 0.2 12172 5736 ? Ss 16:12 0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root 934 0.0 0.2 314456 5336 ? Ssl 16:12 0:00 /usr/sbin/ModemManager
root 953 0.0 0.6 107912 11932 ? Ssl 16:12 0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root 1094 0.0 0.8 228224 15668 ? Ss 16:12 0:00 /usr/sbin/apache2 -k start
root 1314 0.0 0.2 1101752 4740 ? Sl 16:12 0:00 /snap/microk8s/3272/bin/cluster-agent --bind 0.0.0.0:25000 --keyfile /var/snap/microk8s/3272/certs/server.key --certfile /var/snap/microk8s/3272/certs/server.crt --timeout 240
root 1399 0.0 0.1 1080108 3624 ? Sl 16:12 0:00 mdns-publisher nextcloud
root 1520 0.1 0.1 59844 3148 ? Sl 16:12 0:04 redis-server unixsocket:/tmp/sockets/redis.sock
root 1647 0.0 0.0 2488 580 ? S 16:12 0:00 bpfilter_umh
root 1917 0.0 0.0 4644 804 ? S 16:12 0:00 /bin/sh /snap/nextcloud/31033/bin/mysqld_safe --defaults-file=/snap/nextcloud/31033/my.cnf --datadir=/var/snap/nextcloud/31033/mysql --pid-file=/tmp/pids/mysql.pid --lc-messages-dir=/snap/nextcloud/31033/share --socket=/tmp/sockets/mysql.sock
root 2176 0.2 6.1 1555768 117772 ? Sl 16:12 0:06 /snap/nextcloud/31033/bin/mysqld --defaults-file=/snap/nextcloud/31033/my.cnf --basedir=/snap/nextcloud/31033 --datadir=/var/snap/nextcloud/31033/mysql --plugin-dir=/snap/nextcloud/31033/lib/plugin --lc-messages-dir=/snap/nextcloud/31033/share --log-error=../logs/mysql_errors.log --pid-file=/tmp/pids/mysql.pid --socket=/tmp/sockets/mysql.sock
root 2187 0.0 0.0 0 0 ? I< 16:12 0:00 [dio/dm-0]
root 2249 0.0 0.0 4548 632 ? S 16:12 0:00 sleep 1d
root 2343 0.0 0.8 341208 17188 ? Ss 16:12 0:00 php-fpm: master process (/snap/nextcloud/31033/config/php/php-fpm.conf)
root 30452 0.0 0.0 0 0 ? I 16:42 0:00 [kworker/u4:2-events_unbound]
root 31651 0.0 0.0 0 0 ? I 16:44 0:00 [kworker/0:0-events]
root 34058 0.0 0.0 0 0 ? I 16:48 0:00 [kworker/u4:1-events_power_efficient]
root 35097 0.0 0.4 13924 8700 ? Ss 16:49 0:00 sshd: hailey [priv]
hailey 35119 0.0 0.4 18500 9012 ? Ss 16:49 0:00 /lib/systemd/systemd --user
root 35122 0.0 0.0 0 0 ? I 16:49 0:00 [kworker/1:0-events]
hailey 35124 0.0 0.1 169012 3592 ? S 16:49 0:00 (sd-pam)
hailey 35280 0.0 0.2 13924 5664 ? S 16:49 0:00 sshd: hailey@pts/0
hailey 35281 0.0 0.0 2608 1668 pts/0 Ss 16:49 0:00 -sh
hailey 36235 0.0 0.2 8524 5340 pts/0 S 16:51 0:00 /bin/bash
root 38730 0.0 0.0 0 0 ? I 16:54 0:00 [kworker/0:1-kdmflush]
root 39617 0.0 0.0 0 0 ? I 16:56 0:00 [kworker/1:1]
root 40881 0.0 0.0 4548 828 ? S 16:58 0:00 sleep 5m
root 40913 0.0 0.0 0 0 ? I 16:58 0:00 [kworker/u4:0-events_unbound]
root 41427 0.0 0.0 7520 240 ? S 16:58 0:00 sleep 5
root 41435 0.0 0.0 4548 836 ? S 16:58 0:00 sleep 1
root 41436 0.0 0.0 4548 836 ? S 16:58 0:00 sleep 1
hailey 41437 0.0 0.1 8888 3180 pts/0 R+ 16:58 0:00 ps aux
Scheduled Tasks
None
Interesting Files
/var/www/html/wordpress/wp-config.php
/** MySQL database username */
define( 'DB_USER', 'hac' );
/** MySQL database password */
define( 'DB_PASSWORD', 'supersecurepassword' );
Privilege Escalation
The world-readable WordPress configuration file contains the credentials of the database administrator account. That account also happens to be the system administrator, and due to credential re-use, I am able to switch user and achieve passwordless sudo.
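As an added hardening check (my example, not something from the writeup), this script audits a wp-config.php for the two conditions that made the escalation possible: the file is readable by other users, and DB_USER is also an interactive login account on the host. The config and passwd contents are constructed samples, and the helper writes them to a temporary directory so it runs offline.

```python
import os
import re
import stat
import tempfile

# Constructed samples; not the CTF host's real files.
SAMPLE_WP_CONFIG = """<?php
/** MySQL database username */
define( 'DB_USER', 'hac' );
/** MySQL database password */
define( 'DB_PASSWORD', 'example-only' );
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
hac:x:1000:1000:hac:/home/hac:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

DEFINE_RE = re.compile(r"define\(\s*'(DB_USER|DB_PASSWORD)'\s*,\s*'([^']*)'\s*\)")


def parse_db_defines(text):
    """Extract the DB_USER / DB_PASSWORD define() values from wp-config.php."""
    return dict(DEFINE_RE.findall(text))


def login_accounts(passwd_text):
    """Map username -> login shell from passwd-format text."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            accounts[fields[0]] = fields[6]
    return accounts


def audit_wp_config(path, passwd_text):
    """Return the list of weaknesses found (empty list means clean)."""
    findings = []
    if os.stat(path).st_mode & stat.S_IROTH:   # 'other' read bit set
        findings.append("world-readable")
    with open(path) as fh:
        defines = parse_db_defines(fh.read())
    shell = login_accounts(passwd_text).get(defines.get("DB_USER"))
    if shell and not shell.endswith(("nologin", "false")):
        findings.append("db-user-is-login-account")
    return findings


def demo():
    """Audit the sample at mode 0644, then again after tightening to 0640."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wp-config.php")
        with open(path, "w") as fh:
            fh.write(SAMPLE_WP_CONFIG)
        os.chmod(path, 0o644)
        before = audit_wp_config(path, SAMPLE_PASSWD)
        os.chmod(path, 0o640)   # mitigation: owner and web-server group only
        after = audit_wp_config(path, SAMPLE_PASSWD)
    return before, after
```

Fixing the mode removes one finding; the second only goes away when the database uses a dedicated account whose password is not shared with any system user.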

Persistence
N/A
Flags
Hailey
hac{4NDr01D_4ND_w0RdPr355_801_1337}
Root
hac{w3lL_doN3_Ama21N9_h3K3r_aNDRo1D_n_LUA_fuN}
Judging by the flag, I achieved root via an unintended path (it seems a Lua script should have been used somewhere). Oh well, root is root.