
Remember, hacking is more than just a crime. It’s a survival trait.


Room Information

  • Room Name: U.A. High School
  • Difficulty Level: Easy
  • Room type: Challenges (CTF)


Reconnaissance

Let’s run nmap and check which ports are open. I discovered two open ports: 22 and 80. Since port 80 is open, let’s check the website.

It is just a normal high school website.

So let’s check for other hidden directories using dirsearch. I found a hidden directory (/assets). Let’s check /assets.

The directory is simply a blank page. Let’s proceed further by looking for subdirectories. I found the index.php subdirectory, so there is a possibility of command injection. Let’s begin the command injection.

Oh, I got base64 back. Let’s decode it using CyberChef. I already knew there were subdirectories like images, index.php, or styles.css, so this confirms that we can perform command injection. Let’s try with cat passwd.

Again base64; let’s decode it using CyberChef.

deku:x:1000:1000:deku:/home/deku:/bin/bash

From the last line, I got the user (deku).

Now let’s get to the user.

To log in using SSH, I tried to brute-force Deku’s password with hydra and a file containing passwords. I could not find it in the first file, and rockyou.txt took a long time to complete. So let’s use a reverse shell instead.

Let’s get a reverse connection using Netcat. Start the netcat listener.

Go to https://www.revshells.com/ and generate the reverse shell as below.

Click on copy and then paste it into the URL after cmd=.

Wow, I received the connection. Run the command python3 -c 'import pty;pty.spawn("/bin/bash")' to upgrade to a /bin/bash shell.

Inside the images directory, there are two images.

Let’s transfer these files from the victim’s machine to the attacker’s system using Netcat. We send the files from the victim side, and in another terminal we receive them on the attacker side.

Let’s check whether I received it or not.

Upon further inspection, I found that the file uses the .jpg extension but its content is identified as plain data rather than as an image. So we are going to fix the incorrect JPEG file header.

Open the file using hexedit. Command: hexedit oneforall.jpg. Change the initial header to FF D8 FF E0 00 10 4A 46 49 46 00 01 01 00 00 01, which is the correct signature for a JPEG (JFIF) file. Save the file. Now it shows the correct type for the image, and I can also view the image.
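A scripted version of the header check and repair from the paragraph above, added here as an example and not part of the original write-up. It uses the 16-byte JFIF signature typed into hexedit; the file name and the sample bytes are constructed for demonstration.

```python
"""Detect a .jpg whose content is not a JPEG and repair a damaged JFIF header.

Added example, not code from the original walkthrough. The signature is the
16 bytes the write-up enters in hexedit; the sample data below is constructed.
"""

# SOI marker (FF D8), APP0 marker (FF E0), APP0 length (00 10), "JFIF\0",
# JFIF version 1.01, density units 0, X density 1 (first half of the header).
JFIF_HEADER = bytes.fromhex("FF D8 FF E0 00 10 4A 46 49 46 00 01 01 00 00 01")


def looks_like_jpeg(data: bytes) -> bool:
    """Every JPEG starts with the SOI marker FF D8 followed by another marker FF xx."""
    return len(data) >= 3 and data[:2] == b"\xff\xd8" and data[2] == 0xFF


def has_jpeg_trailer(data: bytes) -> bool:
    """A JPEG body normally ends with the EOI marker FF D9 (trailing padding stripped)."""
    return data.rstrip(b"\x00").endswith(b"\xff\xd9")


def extension_matches_content(name: str, data: bytes) -> bool:
    """Flag what `file` reported to the author: a .jpg whose bytes are not a JPEG."""
    if not name.lower().endswith((".jpg", ".jpeg")):
        return True  # not claiming to be a JPEG, nothing to compare against
    return looks_like_jpeg(data)


def repair_jpeg_header(data: bytes) -> bytes:
    """Overwrite the first 16 bytes with the JFIF signature, as done in hexedit.

    Only meaningful when the damage was confined to the header: if the rest of
    the file is not JPEG data (no EOI trailer), refuse rather than produce a
    mislabeled blob that still will not open.
    """
    if len(data) < len(JFIF_HEADER):
        raise ValueError("file too small to carry a JFIF header")
    if not has_jpeg_trailer(data):
        raise ValueError("body does not end with EOI (FF D9); not a header-only problem")
    return JFIF_HEADER + data[len(JFIF_HEADER):]


# Constructed sample: a JPEG-like body whose first 16 bytes were zeroed out,
# mimicking a file that `file` would call "data" despite its .jpg name.
SAMPLE_BROKEN = b"\x00" * 16 + b"\xff\xdb\x00\x43\x00" + bytes(range(64)) + b"\xff\xd9"

if __name__ == "__main__":
    name = "oneforall.jpg"  # assumed file name from the walkthrough
    print("extension matches content:", extension_matches_content(name, SAMPLE_BROKEN))
    fixed = repair_jpeg_header(SAMPLE_BROKEN)
    print("after repair looks like JPEG:", looks_like_jpeg(fixed))
```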

Now, using this file, we can check for steganographic content. Use steghide to extract any files hidden inside the image.

Oh, we need to enter a passphrase. Earlier I found a hidden file containing base64-encoded text. So the passphrase is AllmightForEver!!! Wow, finally I got the password for Deku.

Using the password that I got, I can easily log in as Deku using SSH.

There is a user.txt file. I got the user flag.

Privilege Escalation

The next task is to get the root.txt flag. It isn’t as easy as I thought: I can’t get root just with the command sudo su.

I need to check for sudo privileges. Command: sudo -l

User deku can run (ALL) /opt/NewComponent/feedback.sh. Let’s do what user deku is allowed to do: Deku can give feedback. Let’s try to give malicious feedback. The malicious feedback is 'Deku ALL=NOPASSWD: ALL >> /etc/sudoers'. It works, and now I have root access. Finally, I also got root.txt.

Flag Captured

  • user.txt flag: THM{W3lC0m3_D3kU_1A_0n3f0rAll??}

  • root.txt flag: THM{Y0U_4r3_7h3_NUm83r_1_H3r0}

This post is licensed under CC BY 4.0 by the author.
