środa, 21 listopada 2018

Matrix - CTF

Last time I got a pleasure to check one of the latest CTF VMs shared by Vulnhub, called Matrix. So let's see if there is no spoon... ;) Here we go...
VM booting in VirtualBox should quickly present 2 ports: 80 and 31337. Let's try the first one:


 Ok, let's follow... to the source. ;) To do that I used Developer Tools (available in Firefox - [F12]):


As you can see there is a little bunny in the traffic... I thought that the name of the image will be some kind of a hint to actually check that 2nd found port (31337), so (after quick nmap):



So I decided to simply connect to the ports with telnet and/or netcat:


So we found another HTTP port. Cool. When I was reading the source presented in response I found some string "similar to base64".



To 'decode' the string I used Burp Proxy:

Then I found an interesting hint:


...and decided that this dirb with rockyou.txt in the background window is pointless. ;]

In the meantime - maybe you remember, there was a case [1, 2] that maybe we can probably use this time to our 3rd open port - 22 (ssh) - so CVE-2018-15473. Before I tried some p0c's - in case that this is a Matrix CTF ;) - I decided to go first to the "movie's-webpage" and grab some usernames:


Preparing users ;]


Ok, so we need to trust Trinity. ;] We will get back to that later.

So - our echo command - I was wondering if there is an output file (from that echo "..."), checking:


An old friend... ;]

Anyway... I decided to find some cool online place where I can check what's behind this brainfuck code. That's how I found this page:


Ok, so far so good. We have a part of the password and we know some hint to guess it.

To crack it I used crunch:


First guess (only with digits) was not the best


... so I decided to add some letters :)


... ok. All letters. ;] Checking:


Ok, good. Verifying:


We're in. Next thing was to get some details about the target machine:


Ok, there is rbash (not bash) prepared as our default shell, "not so good"... but after a moment I realized that maybe there are some 'wrong permissions' in the target machine (like during few cases in other CTFs I had a pleasure to play).

First guess for tools like nmap or tar or scp... and we should be somewhere here:


Next, few hints from passwd file (which user(s) we should look for):


Well:


Next thing was:
- open file with vi ($ vim a)
- type: $ :!/bin/sh

Now we can add PATH ($ export PATH=/usr/bin, and so on...) to get a cool working shell.

Checking, what to do now:


Interestingly we can go via sudo -l directly to the root user (but that's "probably" not the case ;)). Checking:


Cool.

Next:



So, checking the python file:


After a while I decided to:
- sudo to root again
- su to trinity ;)
- run strace against python



After few ctrl+c/d/z I found that we are here:


Unfortunately I was not able to find the Oracle... ;]

"Upgrades" ;)

I decided to sudo to root again, then to trinity, then move ./python to ./oracle, and then try to run the binary ;) See below for the details:


So:




Cheers

Brak komentarzy:

Prześlij komentarz