Sunday, 4 March 2018

Gibson CTF

Last time, when I was looking for a job, 'HR' told me that I was "not good enough" to hack their planet. Well. This time we will try the Gibson CTF (prepared, like the previous one, by knightmare). "We will show them, Lucy...!" ;]

Here we go, the machine is ready:

Let's try their WWW:

Hm. Very interesting content. Is there anything more?

Of course. :] Checking:

I love you, Margo :* (almost...). So what's next?

Let's see what's inside eugene's directory:

At this stage I couldn't find anything 'more interesting', so I decided to check whether there is any sudo (bug ;]). I found that margo can use sudo with convert... as far as I'm concerned, that reminds me of the bug in ImageMagick... let's go this way:

Ok, you should see it now but just to be sure:

So yes, we can be root for a moment... :| What should we do now (to get more stable root access)?

As you can see below, I tried a few things... ;]


Maybe this way...

Still no. I wasn't sure what to do next.

Then I realized that I'm a root user (but with one shot, as a single command). OK, I can run netcat and send /etc/shadow (root will have access to that file, right?) to a listening port. Then I connected to that port from Kali (and the shadow file was grabbed), see below:

So "you wanna one of those Gibson's baby?" :>

Great, we've found new passwords!

When you check the new accounts, you will quickly see that there is also a sudo setting for eugene. Let's try to "use" it (to escalate to root):

I assume you remember that you can run shell commands from programs like nmap, vi, gdb and so on... It's good to know, because in the case of so-called 'restricted shells' (for example during CTF competitions) you can sometimes use 'the trick' and grab the flag/shell anyway. Like I did below:

(sudo visudo and :sh <enter> ;))
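The first thing worth automating here is the check itself: read `sudo -l`, pull out every allowed command and flag the ones that are known to drop into a shell (visudo via vi's `:sh`, nmap, gdb, and friends). The script below is an added example, not something from the original post or the Gibson box; the `SAMPLE_SUDO_L` text, the user `alice` and the host `box` are constructed, and the escape list is illustrative (GTFOBins has the full catalogue).

```python
import posixpath
import re

# Binaries with a known interactive-shell escape when run under sudo. The
# escape text is what you type once the program is already running as root.
SHELL_ESCAPES = {
    "visudo": "opens $EDITOR (vi by default): type :sh",
    "vi": ":sh  or  :!/bin/sh",
    "vim": ":sh  or  :!/bin/sh",
    "nmap": "--interactive then !sh (nmap < 5.21), or --script with os.execute()",
    "gdb": "!sh  or  shell",
    "less": "!sh",
    "more": "!sh",
    "man": "!sh",
    "find": ". -exec /bin/sh \\; -quit",
    "awk": "'BEGIN {system(\"/bin/sh\")}'",
    "python": "-c 'import os; os.system(\"/bin/sh\")'",
    "convert": "ImageMagick: delegates/coders can spawn external commands (the sudo convert step above)",
}

# The "User ... may run" line names the account; each rule below it looks like
#   (runas[:group]) [TAG: ...] /path/to/cmd [args][, /path/to/other ...]
USER_LINE = re.compile(r"^User (\S+) may run the following commands")
RULE_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Parse `sudo -l` output into a list of rule dicts."""
    rules, user = [], None
    for line in text.splitlines():
        m = USER_LINE.match(line)
        if m:
            user = m.group(1)
            continue
        m = RULE_LINE.match(line) if user else None
        if not m:
            continue   # Defaults lines and anything before the User header
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmds").split(","):
            argv = cmd.split()
            if argv:
                rules.append({"user": user, "runas": m.group("runas").strip(),
                              "tags": tags, "path": argv[0], "args": argv[1:]})
    return rules


def find_escapes(rules):
    """Return (user, path, nopasswd, how) for every rule that leads to a root shell."""
    hits = []
    for r in rules:
        name = posixpath.basename(r["path"])
        if r["path"] == "ALL":
            how = "any command: sudo -i / sudo su"
        elif name in SHELL_ESCAPES:
            how = SHELL_ESCAPES[name]
        else:
            continue
        hits.append((r["user"], r["path"], "NOPASSWD" in r["tags"], how))
    return hits


# Constructed sample (not captured from the Gibson machine): one NOPASSWD rule
# and two password-protected rules, the last one with fixed arguments.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on box:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on box:
    (ALL : ALL) NOPASSWD: /usr/bin/convert
    (root) /usr/bin/visudo, /usr/bin/nmap --open 127.0.0.1
"""

if __name__ == "__main__":
    for user, path, nopasswd, how in find_escapes(parse_sudo_l(SAMPLE_SUDO_L)):
        flag = "NOPASSWD" if nopasswd else "password"
        print(f"{user}: sudo {path} ({flag}) -> {how}")
```

One caveat the rule parser makes visible: a sudo entry that pins the arguments (like the nmap rule in the sample) usually blocks the escape, because sudo only accepts the exact command line written in sudoers; the binaries that let you type something interactively afterwards (visudo, vi, less, gdb) are the reliable ones.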

Checking /root:

Not much. Checking ps, netstat and so on to grab some more details about the OS:

Oh, and what's qemu doing there?


Let's find out where the files for our ftp server are:

Looking deeper:

I was playing a little bit with the IMG file (and during one mount attempt I overwrote sda, so after the restart I saw the picture presented below):

Yeah. :] So? Again!

This time I decided to download the IMG file to Kali, just in case of another accident with mount ;)

Let's use the desktop:

That's nice.

So it looks like we don't need to crash sda ;] just use the desktop environment. Here we are:
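The sda accident above is the usual reason to never point mount or dd at a disk image without first reading its partition table. The script below is an added example (not from the original post): it parses the MBR of an image, computes the byte offset and size of each partition, and prints read-only loop-mount commands that cannot touch the image or a real disk. The `build_sample_mbr()` data is constructed, not the Gibson IMG file, and the `/mnt/img` mount point and `sample.img` name are assumptions.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 0x1BE   # four 16-byte entries, then the 0x55AA signature at byte 510
ENTRY_FMT = "<B3xB3xII"     # status, CHS (skipped), type, CHS (skipped), LBA start, sector count
PART_TYPES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x82: "Linux swap", 0x83: "Linux", 0x8E: "Linux LVM", 0xEE: "GPT protective"}


def parse_mbr(mbr):
    """Return the non-empty primary partitions of a 512-byte MBR, with byte offsets."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR image (raw filesystem?)")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0 or count == 0:
            continue   # unused slot
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
            "offset": lba * SECTOR,
            "size": count * SECTOR,
        })
    return parts


def mount_commands(parts, image, base="/mnt/img"):
    """Read-only loop mounts: 'ro' plus offset/sizelimit keep the kernel inside one partition."""
    cmds = []
    for p in parts:
        if p["type"] in ("extended", "Linux swap", "GPT protective"):
            continue   # nothing mountable there
        cmds.append(f"mount -o ro,loop,offset={p['offset']},sizelimit={p['size']} "
                    f"{image} {base}{p['index']}")
    return cmds


def build_sample_mbr():
    """Constructed MBR: a bootable Linux partition at LBA 2048 and a swap partition after it."""
    mbr = bytearray(SECTOR)
    entries = [(0x80, 0x83, 2048, 200704), (0x00, 0x82, 202752, 8192)]
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i, *entry)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # python3 mbr.py disk.img
        with open(sys.argv[1], "rb") as f:
            mbr, image = f.read(SECTOR), sys.argv[1]
    else:
        mbr, image = build_sample_mbr(), "sample.img"
    parts = parse_mbr(mbr)
    for p in parts:
        boot = " boot" if p["bootable"] else ""
        print(f"p{p['index']}: {p['type']:<12} offset={p['offset']} size={p['size']}{boot}")
    for cmd in mount_commands(parts, image):
        print(cmd)
```

The same offsets feed `losetup -r -o <offset> --sizelimit <size>` if you prefer a loop device you can hand to fsck or photorec; either way the image stays read-only and the host's /dev/sda is never part of the command line.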

"Now the proof Lucy!"


Maybe binwalk will help us:


(By the way, did you see the davinci.c code? I'll read it later for sure. ;) )
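Binwalk is essentially a signature scanner plus a set of carvers, and it is worth knowing what it does under the hood when it reports something. The script below is an added example (not from the post or from binwalk itself): it searches a blob for a handful of file magics and carves a PNG out of it by walking the chunk structure to IEND. The `build_sample_blob()` carrier is constructed, not the file from the Gibson image.

```python
import struct

# (magic bytes, description); the magic's first byte is the carve offset.
SIGNATURES = [
    (b"\x7fELF", "ELF binary"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"PK\x03\x04", "ZIP archive (also docx/jar/apk)"),
    (b"\x1f\x8b\x08", "gzip data"),
    (b"%PDF-", "PDF document"),
    (b"-----BEGIN PGP MESSAGE-----", "PGP ASCII-armored message"),
    (b"-----BEGIN PGP PRIVATE KEY BLOCK-----", "PGP private key"),
]
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def scan(blob):
    """Return sorted (offset, description) pairs for every signature found in blob."""
    hits = []
    for magic, desc in SIGNATURES:
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def carve_png(blob, offset):
    """Walk PNG chunks (4-byte length, 4-byte type, data, 4-byte CRC) from offset and
    return the bytes up to and including IEND, or None if the structure is broken."""
    if blob[offset:offset + 8] != PNG_MAGIC:
        return None
    pos = offset + 8
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack_from(">I4s", blob, pos)
        pos += 8 + length + 4
        if pos > len(blob):
            return None   # truncated chunk
        if ctype == b"IEND":
            return blob[offset:pos]
    return None


def png_chunk(ctype, data):
    # CRC left as zeros: the carver does not validate it, image viewers usually only warn.
    return struct.pack(">I", len(data)) + ctype + data + b"\0\0\0\0"


def build_sample_blob():
    """Constructed carrier: padding, a minimal 1x1 PNG, an ELF magic with no body,
    and the header of an armored PGP message."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, colour, ...
    png = PNG_MAGIC + png_chunk(b"IHDR", ihdr) + png_chunk(b"IEND", b"")
    return (b"\x00" * 100 + png + b"junkjunkjunk" + b"\x7fELF" + b"\x02\x01\x01" +
            b"\x00" * 50 + b"-----BEGIN PGP MESSAGE-----\n\n(constructed body)\n-----END PGP MESSAGE-----\n")


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    for off, desc in scan(blob):
        print(f"0x{off:08x}  {desc}")
        if desc == "PNG image":
            png = carve_png(blob, off)
            if png is not None:
                print(f"            carved {len(png)} bytes (dd if=... bs=1 skip={off} count={len(png)})")
```

Three-byte magics such as the JPEG one produce false positives in large blobs, which is why binwalk verifies the header structure after the match; the PNG carver above does the same by refusing anything that does not walk cleanly to IEND.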

Let's try to open our GPG file:

I didn't know the password, so I decided to go back to our hint.txt. There we find 2 links to 2 movies with the same actor: zerok00l ;)

Here's Johny..

(According to our hint, then) the next step was to prepare a good password list to crack that gpg file. I used crunch, described here:

Here we are: creating one of the password files:

...and just like before, after a while ...

... we should be able to read the content of the file:
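Crunch enumerates a character set exhaustively; when a hint points at specific words, a rule-based list built from those words is much shorter and usually gets there faster. The script below is an added example, not the author's crunch workflow: it derives case, leet, suffix and two-word variants from hint words, and feeds them to a checker. `HINT_WORDS`, the demo passphrase `H4ck3rsGibson!` and the `secret.gpg` target are all constructed; the gpg flags used in `gpg_check` are the standard GnuPG 2.1+ options for a non-interactive passphrase.

```python
import itertools
import subprocess

LEET = str.maketrans("aeio", "4310")
YEARS = [str(y) for y in range(1990, 2019)]
SUFFIXES = ["", "!", "1", "123"] + YEARS


def variants(word):
    """Case and leet variants of one hint word."""
    w = word.lower()
    return {w, w.capitalize(), w.upper(), w.translate(LEET), w.capitalize().translate(LEET)}


def generate(words, max_join=2):
    """Candidates: single words and ordered joins of up to max_join words, each in
    every variant combination, each with every suffix. Returns a sorted list."""
    out = set()
    for n in range(1, max_join + 1):
        for combo in itertools.permutations(words, n):
            for parts in itertools.product(*(variants(w) for w in combo)):
                base = "".join(parts)
                for s in SUFFIXES:
                    out.add(base + s)
    return sorted(out)


def try_passphrases(candidates, check):
    """Return the first candidate for which check(candidate) is true, else None."""
    for pw in candidates:
        if check(pw):
            return pw
    return None


def gpg_check(path):
    """Checker that asks gpg to decrypt `path` with a candidate passphrase;
    --pinentry-mode loopback stops gpg from popping a prompt."""
    def check(pw):
        r = subprocess.run(["gpg", "--batch", "--yes", "--pinentry-mode", "loopback",
                            "--passphrase", pw, "--output", "/dev/null", "--decrypt", path],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return r.returncode == 0
    return check


# Constructed hint words (not the real hint.txt contents).
HINT_WORDS = ["hackers", "gibson"]

if __name__ == "__main__":
    import sys
    wordlist = generate(HINT_WORDS)
    if len(sys.argv) > 1:   # real run: python3 crack.py secret.gpg
        found = try_passphrases(wordlist, gpg_check(sys.argv[1]))
    else:                   # offline demo against a stand-in target
        found = try_passphrases(wordlist, lambda pw: pw == "H4ck3rsGibson!")
    print(f"{len(wordlist)} candidates, found: {found}")
```

For a symmetric gpg file a wrong passphrase fails fast, so one process per candidate is acceptable for a list this size; for anything larger, write the list to a file and hand it to john's gpg2john/hashcat mode instead of spawning gpg in a loop.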

"Homerun!" ;]

This was a very nice CTF. Big thanks go (again) to knightmare.

If you are looking for more CTF machines, check the VulnHub resources.

See you next time...

