0xL4ugh CTF — SecureisShell

Eslam Akl
4 min read · Jan 16, 2021

Hey folks, today we have an amazing machine from the 0xL4ugh CTF competition.

I solved this machine with my friend Mohamed Saleh. Let’s get started…

Nmap Scan

We will start with an nmap scan:

nmap -p- -T4 -A <ip>

We have 3 open ports: 22, 80 and 11211.

HTTP Enumeration

After opening the website on port 80, we found that it contains the default page of the server.

After using gobuster to discover directories:

gobuster dir -u <ip> -w /path/to/wordlist

We have /robots.txt, and after checking its content we have /note.txt.

It contains a username and the method by which the passwords were hashed. Okay, nice.

For the /hidden directory:

Let’s move to the next port.

Memcached Enumeration

The third port is not familiar to us. It runs a service called memcached, and after searching for it we found this definition on Wikipedia:

After searching for how to attack it, we found this amazing resource:

We followed it and used the memc tools, and I found this file, SuperSecureHiddenPassword, and dumped its content as you can see:

We tried to crack it with hashcat/john using the rockyou.txt wordlist and found that it would take a long time with no results, so we searched for the method we had found earlier in the /note directory and discovered this amazing resource:

We created our wordlist and used it with john to crack the hash, and it worked.

The password is wertyuytyu, and we also have a username from the note.

We can log in with these credentials: phoenix : wertyuytyu

We have 3 users and a file which doesn’t have any useful information.

Let’s try to escalate our privileges.

I found that I can execute a command as jett without being asked for a password.

We tried to copy our id_rsa key into /home/jett/.ssh/authorized_keys, but it failed.

After checking the config file, we found this line:

The file which should contain the RSA public key is called UsePAM.

So we tried to copy our id_rsa to /home/jett/UsePAM.

And then we accessed the server with our private key.

It works ❤
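As an added defender-side example (not part of the original write-up), here is a small Python audit that flags the two misconfigurations this chain relies on: a memcached instance listening on every interface (the exposed port 11211 above) and an sshd AuthorizedKeysFile directive pointing at a non-default path like the UsePAM file. The sshd_config text and memcached command line it checks are constructed samples, not the machine's real configuration.

```python
import shlex

# OpenSSH's default AuthorizedKeysFile values (relative paths resolve under the
# user's home). Anything else deserves a look: whoever can write that file,
# for example through a sudo rule, can log in as the user.
DEFAULT_AKF = {".ssh/authorized_keys", ".ssh/authorized_keys2",
               "%h/.ssh/authorized_keys", "%h/.ssh/authorized_keys2"}

# Constructed samples, not the real configuration of the CTF machine.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed)
Port 22
PubkeyAuthentication yes
AuthorizedKeysFile %h/UsePAM
UsePAM yes
"""
SAMPLE_MEMCACHED_CMDLINE = "/usr/bin/memcached -m 64 -p 11211 -u memcache -l 0.0.0.0"


def audit_sshd_config(text):
    """Return a finding for every AuthorizedKeysFile path that is not an OpenSSH default."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "authorizedkeysfile":
            for path in parts[1].split():         # the directive takes a space-separated list
                if path not in DEFAULT_AKF:
                    findings.append(f"line {lineno}: non-default AuthorizedKeysFile {path}")
    return findings


def audit_memcached_cmdline(cmdline):
    """Flag a memcached process reachable from other hosts.

    memcached listens on every interface unless -l/--listen restricts it."""
    args = shlex.split(cmdline)
    binds = []
    for i, arg in enumerate(args):
        if arg == "-l" and i + 1 < len(args):
            binds.extend(args[i + 1].split(","))   # -l accepts a comma-separated list
        elif arg.startswith("--listen="):
            binds.extend(arg.split("=", 1)[1].split(","))
    exposed = [b for b in binds if b in ("0.0.0.0", "::")] if binds else ["all interfaces"]
    return [f"memcached listens on {b}; bind it to 127.0.0.1 or firewall port 11211"
            for b in exposed]


if __name__ == "__main__":
    for f in audit_sshd_config(SAMPLE_SSHD_CONFIG) + audit_memcached_cmdline(SAMPLE_MEMCACHED_CMDLINE):
        print(f)
```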

With the same method, we can execute a command as brimstorm.

The command is npm, and after searching for what npm is and how it can be dangerous, we found this repo:

We will try to escalate our privileges the same way: copy our id_rsa to the brimstorm directory.

We downloaded the files, edited the evil command, and then ran it as brimstorm.

Let’s try to log in using ssh.

At first I tried to decrypt this string and it failed; after asking the support team, they informed me that it was the flag, and it was a trick :(

Goodbye

Stay in touch

LinkedIn | GitHub | Twitter

Eslam Akl

Penetration Tester, Bug Hunter, Author of 10 CVEs, Author of multiple security tools, and more :) You can find me on Twitter @eslam3kll