Sunday, 3 March 2019

SolidState CTF

This time I decided to check the SolidState CTF prepared by ch33z_plz. Below you will find the details...

Thanks to VulnHub you can find this CTF shared here. We will start here:


When the machine was ready, I used nmap to scan for open ports. After a while we should be somewhere here:


For HTTP port I used webuster.sh (small and simple bash script created to automate 'dirbusting' a little bit). Like this:


After a while I saw the (raw) results in webuster_logs, where webuster.sh greps at the end for the "Status" string in the log files (generated by gobuster, but you can prepare your own script, for example using dirb or your own tools):


So we should be somewhere here now:


Nothing fancy... Let's get back to our nmap log file. I was wondering if there are any public exploits already available for those ports:



So I started to dig a little bit deeper. 

...and this is how I found this proof-of-concept ;)

Using hints available there I was able to proceed:


As you can see, we can do a few things as root, for example listusers. Let's do that:


Great, we found new users. Let's try to use another cool functionality - setpassword command:


We can change other users' passwords:


Let's try to use our new credentials (for all users ;))


Nothing. Next user...


Ok, this is "something" ;] Checking for more:


Great! Looks promising. Let's verify the access:

Hm. That's new? ;] Ok. We are here:


I wasn't able to run 'any commands' so I decided to reconnect using one old trick:


Then I was able to run vim :)

Then I was able to search through the file system where (for example) you can find this temporary file:


The most interesting part in the namefile? Of course permissions. So my idea was to overwrite tmp.py file with my own - edited a bit:


Downloading:


Yeah, yeah, "the bug" ;D So, once again:


Checking:

So - no. So I restarted my netcat and after a while I saw new connection:


We got it!
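The overwrite of tmp.py above depended on that file's permissions. As an added example (not part of the original post), this is a defender-side check for the same weakness; `audit_script` and `mode_of` are names introduced here, and the `jobs` directory and temp paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a script that a
# privileged job runs can be changed by unprivileged local users.

# Print the 10-character type/permission string of a path, e.g. "-rwxrwxrwx".
mode_of() { ls -ld -- "$1" 2>/dev/null | cut -c1-10; }

# audit_script PATH [TOP]
# Prints one finding per line. Returns 1 on findings, 0 if clean, 2 if missing.
# Parent directories up to TOP (default /) are checked too: a writable
# directory lets a user replace a file even when the file is read-only.
audit_script() {
    path=$1 top=${2:-/} found=0
    case $(mode_of "$path") in
        "")         echo "missing: $path"; return 2 ;;
        -???????w?) echo "world-writable file: $path"; found=1 ;;
    esac
    dir=$(dirname -- "$path")
    while :; do
        case $(mode_of "$dir") in
            # other-write set, no sticky bit (last char is x or -, not t/T)
            d???????w[x-])
                echo "world-writable dir without sticky bit: $dir"; found=1 ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ] || [ "$dir" = "." ]; then
            break
        fi
        dir=$(dirname -- "$dir")
    done
    return "$found"
}

# Constructed demo: a job script left at mode 0777, then corrected to 0755.
demo=$(mktemp -d)
mkdir "$demo/jobs" && chmod 755 "$demo/jobs"
printf '#!/usr/bin/env python\n' > "$demo/jobs/tmp.py"
chmod 777 "$demo/jobs/tmp.py"
audit_script "$demo/jobs/tmp.py" "$demo" || echo "-> remove write access for others"
chmod 755 "$demo/jobs/tmp.py"
audit_script "$demo/jobs/tmp.py" "$demo" && echo "clean after chmod 755"
rm -rf "$demo"
```
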

I must say that it was a cool CTF, thanks to the author for preparing this game. Also big thanks go to the VulnHub Team for sharing all of those VMs.

See you next time!

Cheers
