HIH | HAC_CTF

Nmap Results

# Nmap 7.92 scan initiated Mon Jul 18 12:13:43 2022 as: nmap -T5 -p- -oA scan hacctf.local
Nmap scan report for hacctf.local (10.9.9.49)
Host is up (0.00031s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
10250/tcp open  unknown
10257/tcp open  unknown
10259/tcp open  unknown
16443/tcp open  unknown
25000/tcp open  icl-twobase1

# Nmap done at Mon Jul 18 12:13:45 2022 -- 1 IP address (1 host up) scanned in 2.43 seconds





Service Enumeration

TCP/80

As part of the challenge, the CTF creator instructed participants to add hacctf.local to their local hosts file. After adding the hosts entry and evaluating the nmap results, I decide to zero in on TCP/80, since that's usually a reliable entry point.

Gobuster Enumeration

gobuster dir -u http://hacctf.local -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html -o gobuster-enum.txt

/.htaccess            (Status: 403) [Size: 277]
/.htaccess.php        (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess.html       (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.htpasswd.html       (Status: 403) [Size: 277]
/assets               (Status: 301) [Size: 313] [--> http://hacctf.local/assets/]
/index.html           (Status: 200) [Size: 1156]                                 
/robots.txt           (Status: 200) [Size: 31]                                   
/server-status        (Status: 403) [Size: 277]                                  
/wordpress            (Status: 301) [Size: 316] [--> http://hacctf.local/wordpress/]

curl -s http://hacctf.local/robots.txt

/creds.html
/supersecret.html
Hmm... redirect to YouTube
Another redirect to YouTube?





WordPress

Seems like there should be somewhere to download this app and analyze it. Let's take a look at the /assets folder discovered above in the Gobuster enumeration.

Download the APK file and decompile it for inspection.

Try a case-insensitive search for the keyword password in the decompiled output directory.

The file ./res/values/strings.xml looks most interesting to me, since it seems like it could contain a hard-coded value left there by the developer.
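A keyword grep over the decompiled tree works, but it also matches harmless UI labels such as "Enter your password". The following script is an added example (not the CTF author's code and not part of the challenge app) that parses an Android strings.xml and flags resources whose *name* looks like a credential, which is the check a reviewer would run against an app before it ships. The embedded strings.xml and its values are constructed placeholders, not the real file from the APK; the apktool-style `res/values*/strings.xml` layout is assumed.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Resource names that typically carry a credential or secret.
SECRET_NAME_RE = re.compile(
    r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key|credential)",
    re.IGNORECASE,
)

# Constructed sample of a decompiled res/values/strings.xml (placeholder values,
# not the challenge app's real file).
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">HAC Notes</string>
    <string name="login_hint">Enter your password</string>
    <string name="wp_admin_password">EXAMPLE_HARDCODED_PASSWORD</string>
    <string name="api_key">EXAMPLE_API_KEY_VALUE</string>
    <string name="welcome">Welcome back</string>
</resources>
"""


def find_hardcoded_secrets(xml_text):
    """Return (name, value) pairs whose resource name looks like a secret.

    Matching on the resource name rather than the value avoids flagging UI
    text such as 'Enter your password' that merely mentions the word.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter("string"):
        name = elem.get("name", "")
        value = (elem.text or "").strip()
        if value and SECRET_NAME_RE.search(name):
            findings.append((name, value))
    return findings


def scan_decompiled_apk(decompile_dir):
    """Walk a decompiled APK directory and scan every res/values*/strings.xml
    (covers translated variants too). Returns {path: findings}; an empty dict
    means nothing was flagged or the directory does not exist."""
    base = Path(decompile_dir)
    if not base.is_dir():
        return {}
    results = {}
    for path in base.glob("res/values*/strings.xml"):
        findings = find_hardcoded_secrets(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    # Demo on the embedded sample; point scan_decompiled_apk() at a real
    # decompiled tree to audit an actual build.
    for name, value in find_hardcoded_secrets(SAMPLE_STRINGS_XML):
        print(f"{name} = {value!r}")
```

Anything this flags belongs in a secrets store or a server-side exchange, not in the APK: string resources are plain text after decompilation, so a value here is effectively public to anyone who can download the build.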

If I had to guess, this is likely the logon password for the WordPress installation. The username for the WordPress installation should match the article author – admin. Let's see if I can log into the WordPress admin panel at http://hacctf.local/wp-admin.

I'm in.

I take a look around and initially look at the plugins to see if there is a writable plugin where I can insert a PHP reverse shell, but it doesn't look like the files are writable.

Next, I take a look at the posts and find a draft post.





Exploit

An in-development Android application – exposed in a publicly available web directory – yielded a hard-coded password. Due to credential re-use, this exposed the admin interface of the local WordPress installation, which contained a user credential for SSH access.

I should be able to SSH as hailey.

ssh hailey@hacctf.local





Post-Exploit Enumeration

hailey's login shell is /bin/sh, so run /bin/bash to get a better shell.

Operating Environment

OS & Kernel

hailey@hac-ctf:~$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
hailey@hac-ctf:~$ uname -a
Linux hac-ctf 5.4.0-110-generic #124-Ubuntu SMP Thu Apr 14 19:46:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Current User

$ id
uid=1002(hailey) gid=1002(hailey) groups=1002(hailey)
$ groups
hailey
$ sudo -v
Sorry, user hailey may not run sudo on hac-ctf.



Users and Groups

Local Users

hailey@hac-ctf:~$ cat /etc/passwd | grep -E '100\w'
hac:x:1000:1000:hac:/home/hac:/bin/bash
ftpuser:x:1001:1001::/home/ftpuser:/bin/sh
hailey:x:1002:1002::/home/hailey:/bin/sh
zara:x:1003:1003::/home/zara:/bin/sh

Local Groups

hailey@hac-ctf:~$ cat /etc/group | grep -E '100\w'
hac:x:1000:
ftpuser:x:1001:
hailey:x:1002:
zara:x:1003:



Network Configurations

Interfaces

ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 3a:9b:bf:76:73:50 brd ff:ff:ff:ff:ff:ff

Open Ports

ss -tanup | grep -i listen | grep 127\.0\.0\.1
tcp   LISTEN    0      70              127.0.0.1:33060            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:10248            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:10249            0.0.0.0:*
tcp   LISTEN    0      151             127.0.0.1:3306             0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:10256            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:19001            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:39385            0.0.0.0:*
tcp   LISTEN    0      4096            127.0.0.1:1338             0.0.0.0:*



Interesting Files

/var/www/html/wordpress/wp-config.php
/** MySQL database username */
define( 'DB_USER', 'hac' );

/** MySQL database password */
define( 'DB_PASSWORD', 'supersecurepassword' );





Privilege Escalation

The world-readable WordPress configuration file contains the credentials of the database administrator account. This user also happens to be the system administrator, and due to credential re-use I am able to switch user and achieve passwordless sudo.
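Two separate weaknesses combine here: file permissions that let any local user read wp-config.php, and a database account whose name (and, as it turns out, password) is shared with a system administrator. The script below is an added example, not the CTF author's code or anything from the box, that audits a wp-config.php for both conditions the way a host hardening check would. The config fragment is a constructed sample with a placeholder password, and the list of local logins is taken from the /etc/passwd excerpt above rather than read live.

```python
import os
import re
import stat
import tempfile

# Matches lines of the form: define( 'DB_USER', 'hac' );
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_USER|DB_PASSWORD)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)

# Constructed sample wp-config.php fragment; the password is a placeholder.
SAMPLE_WP_CONFIG = """<?php
/** MySQL database username */
define( 'DB_USER', 'hac' );

/** MySQL database password */
define( 'DB_PASSWORD', 'EXAMPLE_DB_PASSWORD' );
"""


def parse_db_credentials(config_text):
    """Extract DB_USER / DB_PASSWORD from the define() calls in wp-config.php."""
    return dict(DEFINE_RE.findall(config_text))


def audit_wp_config(path, local_logins):
    """Audit a wp-config.php for the two issues exploited in this writeup.

    local_logins: set of login names from /etc/passwd.
    Returns a sorted list of finding strings; an empty list means clean.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(
            f"world-readable ({mode:04o}); expected 0640 or stricter, "
            "owned by the web server user/group"
        )
    with open(path, encoding="utf-8") as fh:
        creds = parse_db_credentials(fh.read())
    db_user = creds.get("DB_USER")
    if db_user in local_logins:
        findings.append(
            f"DB_USER '{db_user}' is also a local login; use a dedicated "
            "database account so a leaked DB password cannot become a shell"
        )
    if not creds.get("DB_PASSWORD"):
        findings.append("DB_PASSWORD is empty")
    return sorted(findings)


def demo():
    """Write the sample config with the permissive 0644 mode seen on the box
    and audit it against the local users listed in the writeup."""
    with tempfile.NamedTemporaryFile("w", suffix="-wp-config.php", delete=False) as tmp:
        tmp.write(SAMPLE_WP_CONFIG)
        path = tmp.name
    os.chmod(path, 0o644)
    try:
        return audit_wp_config(path, {"root", "hac", "ftpuser", "hailey", "zara"})
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In a real deployment the first finding is fixed with `chmod 640 wp-config.php` plus the correct owner, and the second by creating a MySQL user that exists only in the database and shares no password with any OS account.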





Flags

Hailey

hac{4NDr01D_4ND_w0RdPr355_801_1337}

Root

hac{w3lL_doN3_Ama21N9_h3K3r_aNDRo1D_n_LUA_fuN}

Judging by the flag, I achieved root via an unintended path (it seems a Lua script should have been used somewhere). Oh well, root is root.