Nmap Results
# Nmap 7.92 scan initiated Mon Jul 18 12:13:43 2022 as: nmap -T5 -p- -oA scan hacctf.local
Nmap scan report for hacctf.local (10.9.9.49)
Host is up (0.00031s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
10250/tcp open unknown
10257/tcp open unknown
10259/tcp open unknown
16443/tcp open unknown
25000/tcp open icl-twobase1
# Nmap done at Mon Jul 18 12:13:45 2022 -- 1 IP address (1 host up) scanned in 2.43 seconds
Service Enumeration
TCP/80
As part of the challenge, the CTF creator instructed participants to add hacctf.local to their local hosts file. After adding the hosts entry and reviewing the nmap results, I decided to zero in on TCP/80, since that's usually a reliable entry point. The other open ports are worth a note: 10250, 10257 and 10259 are the default kubelet, kube-controller-manager and kube-scheduler ports, and 16443 and 25000 are the MicroK8s API server and cluster-agent ports, so the box is also running a single-node Kubernetes cluster. That surface is not explored in this write-up.
Gobuster Enumeration
gobuster dir -u http://hacctf.local -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html -o gobuster-enum.txt
/.htaccess (Status: 403) [Size: 277]
/.htaccess.php (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess.html (Status: 403) [Size: 277]
/.htpasswd.php (Status: 403) [Size: 277]
/.htpasswd.html (Status: 403) [Size: 277]
/assets (Status: 301) [Size: 313] [--> http://hacctf.local/assets/]
/index.html (Status: 200) [Size: 1156]
/robots.txt (Status: 200) [Size: 31]
/server-status (Status: 403) [Size: 277]
/wordpress (Status: 301) [Size: 316] [--> http://hacctf.local/wordpress/]
curl -s http://hacctf.local/robots.txt
/creds.html
/supersecret.html
WordPress
Seems like there should be some place to download this app and analyze it. Let's take a look at the /assets folder discovered above in the Gobuster enumeration.
Download the APK file and decompile it for inspection. Then run a case-insensitive search for the keyword password in the decompiled directory.
The file ./res/values/strings.xml looks most interesting to me, since it is where Android string resources live and is a common place for a hard-coded value left behind by the developer.
If I had to guess, this is likely the logon password for the WordPress installation. The username for the WordPress installation should match the article author, admin. Let's see if I can log into the WordPress admin panel at http://hacctf.local/wp-admin.
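The decode-and-search step above is easy to script. The following is an added example and is not part of the original write-up or the challenge's own files: it assumes apktool is on PATH (only for the decode step), and the strings.xml it writes is a constructed sample resembling apktool output, not the CTF's file.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: decode an APK with apktool
# and triage res/values/strings.xml for hard-coded credentials.
# Assumption: apktool is on PATH (only needed by decode_apk).
set -u

# Decode an APK into a directory of resources and smali.
decode_apk() {
    local apk="$1" outdir="$2"
    apktool d -f "$apk" -o "$outdir" >/dev/null
}

# Print name=value for each <string> resource whose name or value contains a
# credential-like keyword. apktool emits one <string> element per line.
scan_strings_xml() {
    local xml="$1"
    sed -n 's/^[[:space:]]*<string name="\([^"]*\)">\(.*\)<\/string>.*$/\1=\2/p' "$xml" \
        | grep -iE 'pass(word|wd)?|pwd|secret|token|api[_-]?key|credential'
}

# Number of suspicious strings, for scripting.
count_secret_strings() {
    scan_strings_xml "$1" | wc -l | tr -d ' '
}

# Wider sweep of the whole decode tree (XML and smali), like the manual grep.
grep_secrets_tree() {
    local dir="$1"
    grep -riE --include='*.xml' --include='*.smali' \
        'pass(word|wd)?|pwd|secret|api[_-]?key|token' "$dir"
}

# Constructed sample resembling apktool's strings.xml (not the CTF's file).
write_sample_strings_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example Client</string>
    <string name="wp_admin_password">h4rdc0ded-example</string>
    <string name="api_base">http://example.invalid/wp-json/</string>
    <string name="welcome">Welcome back</string>
</resources>
EOF
}

# Usage: ./apk_secrets.sh app.apk decoded/
if [ "$#" -eq 2 ]; then
    decode_apk "$1" "$2"
    scan_strings_xml "$2/res/values/strings.xml"
fi
```

The keyword list is deliberately loose; it is a triage list to read by hand, not a verdict, and strings.xml is only one of the places to look (smali constants and BuildConfig fields are the others the tree sweep covers).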
I take a look around and initially look at the plugins to see if there is a writable plugin where I can insert a PHP reverse shell, but it doesn't look like the files are writable.
Next, I take a look at the posts and find a draft post.
Exploit
An in-development Android application – exposed in a publicly available web directory – yielded a hard-coded password. Due to credential re-use, this exposed the admin interface of the local WordPress installation, which contained a user credential for SSH access.
I should be able to SSH as hailey.
ssh hailey@hacctf.local
Post-Exploit Enumeration
Run /bin/bash to get a better shell, since hailey's login shell is /bin/sh.
Operating Environment
OS & Kernel
hailey@hac-ctf:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
hailey@hac-ctf:~$ uname -a
Linux hac-ctf 5.4.0-110-generic #124-Ubuntu SMP Thu Apr 14 19:46:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Current User
$ id
uid=1002(hailey) gid=1002(hailey) groups=1002(hailey)
$ groups
hailey
$ sudo -v
Sorry, user hailey may not run sudo on hac-ctf.
Users and Groups
Local Users
hailey@hac-ctf:~$ grep -E ':100[0-9]:' /etc/passwd
hac:x:1000:1000:hac:/home/hac:/bin/bash
ftpuser:x:1001:1001::/home/ftpuser:/bin/sh
hailey:x:1002:1002::/home/hailey:/bin/sh
zara:x:1003:1003::/home/zara:/bin/sh
Local Groups
hailey@hac-ctf:~$ grep -E ':100[0-9]:' /etc/group
hac:x:1000:
ftpuser:x:1001:
hailey:x:1002:
zara:x:1003:
Network Configurations
Interfaces
ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 3a:9b:bf:76:73:50 brd ff:ff:ff:ff:ff:ff
Open Ports
ss -tlnp | grep '127\.0\.0\.1'
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:10248 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:10249 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:10256 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:19001 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:39385 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:1338 0.0.0.0:*
Of the localhost-only listeners, 3306 and 33060 are MySQL (classic protocol and X protocol), and 10248, 10249 and 10256 are the kubelet and kube-proxy health and metrics endpoints. None of them is reachable from the outside, but all are reachable from this shell.
Interesting Files
/var/www/html/wordpress/wp-config.php
/** MySQL database username */
define( 'DB_USER', 'hac' );
/** MySQL database password */
define( 'DB_PASSWORD', 'supersecurepassword' );
Privilege Escalation
The world-readable WordPress configuration file holds the credentials of the database account hac. That name is also the uid 1000 local account with a bash shell, and due to credential re-use the database password works for su hac, after which hac has passwordless sudo.
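The two conditions behind this escalation, a configuration file readable by every local user and a database user that doubles as a login account, can be checked in one pass. The script below is an added example and is not part of the original write-up; the wp-config.php and passwd fixtures it writes are constructed to mirror the values seen on this box, not copied files, and the audit function defaults to the real /etc/passwd when no second argument is given.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: check a wp-config.php for the
# two conditions that made this escalation possible, a file readable by every
# local user and a DB_USER that is also a local login account.
set -u

# Extract one define()'d value from wp-config.php, e.g. DB_USER or DB_PASSWORD.
# Splitting on single quotes turns  define( 'DB_USER', 'hac' );  into
# fields where $2 is the key and $4 is the value.
wp_db_cred() {
    awk -v key="$2" -F"'" '$0 ~ /^[[:space:]]*define\(/ && $2 == key { print $4 }' "$1"
}

# True if the file's mode grants read to "other" (POSIX find, no GNU stat).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004)" ]
}

# True if a passwd entry exists for the name with a real login shell.
local_login_user() {
    local passwd="$1" user="$2"
    awk -F: -v u="$user" \
        '$1 == u && $7 !~ /(nologin|false)$/ { found = 1 } END { exit (found ? 0 : 1) }' "$passwd"
}

# Report the findings for one config; defaults to the real /etc/passwd.
audit_wp_config() {
    local cfg="$1" passwd="${2:-/etc/passwd}" user
    user=$(wp_db_cred "$cfg" DB_USER)
    if world_readable "$cfg"; then
        echo "WARN: $cfg is world-readable; DB credentials exposed to every local user"
    fi
    if [ -n "$user" ] && local_login_user "$passwd" "$user"; then
        echo "WARN: DB_USER '$user' is also a local login account; test the DB password with su/ssh"
    fi
}

# Constructed fixtures mirroring the values seen on this box (not copied files).
write_sample_wp_config() {
    cat > "$1" <<'EOF'
<?php
/** MySQL database username */
define( 'DB_USER', 'hac' );
/** MySQL database password */
define( 'DB_PASSWORD', 'supersecurepassword' );
EOF
}
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mysql:x:112:118:MySQL Server,,,:/nonexistent:/bin/false
hac:x:1000:1000:hac:/home/hac:/bin/bash
hailey:x:1002:1002::/home/hailey:/bin/sh
EOF
}

# Usage: ./wp_cred_audit.sh /var/www/html/wordpress/wp-config.php
if [ "$#" -ge 1 ]; then
    audit_wp_config "$@"
fi
```

On the defensive side the fix is the same two items in reverse: wp-config.php owned by root with group www-data and mode 640, and a dedicated MySQL account for WordPress whose password is not shared with any system user.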
Flags
Hailey
hac{4NDr01D_4ND_w0RdPr355_801_1337}
Root
hac{w3lL_doN3_Ama21N9_h3K3r_aNDRo1D_n_LUA_fuN}
Judging by the flag, I achieved root via an unintended path (seems like a Lua script should have been used somewhere). Oh well, root is root.