Intro
Hi, after the last CTF I thought I'd do another one. The CTF I'm writing up now is Silky CTF-1. I chose this CTF deliberately, because this VM is also used in one of the OSCP labs.
The VM is available on Vulnhub. Ok, let's go. Once everything is set up and configured, the CTF begins.
Discovery
To find the VM, I used the infamous Netdiscover tool again.
Ok, we now know the IP address of the VM and can check which services or ports are open.
We see 2 open ports here: port 22, where SSH is running, and port 80, where an Apache2 is running. Nmap also shows some notes about robots.txt and notes.txt. We'll take a closer look at those later. Let's first open the VM in the browser. Not much exciting here, just the default Apache page.
Let's have a look at robots.txt. Here we see two user agents unknown to me, but the last line is very interesting: it refers to notes.txt, which must not be indexed by any bot.
That looks interesting! Here we get the hint that the admin has taken his password from his site, but luckily for us 2 characters of the password are missing. Ok, now we have to search further.
The text is in German.
I checked with DirBuster what else is on the web server; apart from the Apache manual there is nothing more. I set up an Apache in another VM and opened its default page. My idea is to compare the two with a diff tool. And indeed there are 2 differences: a JavaScript file is included, and the administrator's name also appears there.
Initial access
Next, let's take a look at the script. Not much is shown here, only the password that was pointed out.
Ok, according to the admin, the last 2 characters of the password are missing there. So we have to find them. For this I wrote a small Python script that appends every possible pair of characters to the known part of the password. The result is a wordlist that we need later.
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import string

# The known part of the password; the last 2 characters are missing.
passwd = 's1lKy'
# Candidate characters for each missing position: letters, digits and punctuation.
chars = string.ascii_lowercase + string.ascii_uppercase + string.digits + string.punctuation

# Open with 'w' rather than 'a' so that re-running the script does not
# append a second copy of the list to the file.
with open('possible-silky-passwords.txt', 'w') as f:
    for char_1 in chars:
        for char_2 in chars:
            f.write(passwd + char_1 + char_2 + '\n')
My next thought was to perform user enumeration on the SSH port. For this I used the ssh_enumusers module from Metasploit and simply entered the username and the other required options. Bingo, the user exists.
Now we can start a dictionary attack. For this we use Hydra and set everything necessary: the username silky, the wordlist, host, port and protocol. Now we have to wait. After a few minutes we have the password.
Sweet, now we know the username and password and can log in.
After logging in, the first thing is to look around and see what is here. Maybe there are still notes from the admin. In the file .bash_history I find more hints: a flag.txt was created, as well as a file sky.c. Seems like the admin forgot to delete his history.
After searching everything in the home directory, it's enumeration without end: which SUID/SGID files are there? Which cronjobs are running? etc.
Escalating privileges
After listing all SUID/SGID files I didn't have to look any further, because one file in particular caught my eye: /usr/bin/sky. We had already seen this file in the history.
Let's run it.
The text is in German.
The output also looks quite interesting, "Drawn root". Ok, let's do a little reverse engineering. With objdump and strings we see that system commands are executed here.
The text is in German.
Rooting
Now the question is: how can we get the program to drop us a root shell? The answer is a bit tricky. We have to change the PATH environment variable. When a command is executed by name, the directories listed in PATH are searched one after the other; as soon as the command or program is found in one of them, the search stops and that file is executed. This is exactly what we can exploit: we simply make sure that the temp directory is searched first.
export PATH=/tmp:$PATH
Now we create a small file in the temp directory, named after the command the binary calls, which spawns a bash/sh shell. After that we run /usr/bin/sky again and get a root shell.
echo "/bin/sh" > /tmp/whoami
chmod +x /tmp/whoami
/usr/bin/sky
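The hijack above works because a privileged program calls a command by bare name and inherits the caller's PATH. As an added example from the defender's side (not code from the post, and not the source of sky.c, which the post never shows), the C below assumes a SUID helper that has to run one fixed command and shows the two checks that close this hole: refuse anything that is not an absolute path, and pin PATH to a fixed trusted list before calling system(). The function path_has_untrusted_entry() is a small audit helper that flags a PATH value containing entries an unprivileged user could control, such as /tmp, an empty entry or a relative directory. The TRUSTED_PATH value and the UNTRUSTED_PREFIXES list are assumptions for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/* Fixed search path a privileged helper uses instead of the caller's PATH.
 * Assumed value for this example; choose what fits the system. */
#define TRUSTED_PATH "/usr/sbin:/usr/bin:/sbin:/bin"

/* Directory trees an unprivileged user can usually write to (assumed list).
 * A PATH entry inside one of them lets that user plant a same-named program. */
static const char *const UNTRUSTED_PREFIXES[] = {
    "/tmp", "/var/tmp", "/dev/shm", "/home", NULL
};

/* True if `entry` is `prefix` itself or a directory below it
 * ("/tmp/bin" matches "/tmp"; "/tmpfs/bin" does not). */
static int starts_with_dir(const char *entry, const char *prefix) {
    size_t n = strlen(prefix);
    return strncmp(entry, prefix, n) == 0 && (entry[n] == '\0' || entry[n] == '/');
}

/* Return 1 if `path` (a colon-separated PATH-style list) contains an entry an
 * unprivileged user could control: an empty entry (searches the current
 * directory), a relative entry such as ".", or a directory under a
 * user-writable tree. Returns 0 if every entry is an absolute, trusted path. */
int path_has_untrusted_entry(const char *path) {
    char buf[4096];
    if (path == NULL) return 1;
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] != '/') return 1;   /* "", "." or relative entry */
        if (len >= sizeof buf) return 1;        /* oversized entry: treat as unsafe */
        memcpy(buf, p, len);
        buf[len] = '\0';
        for (int i = 0; UNTRUSTED_PREFIXES[i] != NULL; i++)
            if (starts_with_dir(buf, UNTRUSTED_PREFIXES[i])) return 1;
        if (end == NULL) break;
        p = end + 1;
    }
    return 0;
}

/* Hardened pattern for a SUID program that must run one fixed command:
 * refuse a bare name (it would be resolved through PATH), then pin PATH to
 * TRUSTED_PATH so the shell started by system() cannot be redirected either.
 * Returns the command's exit status, or -1 if the request is rejected or the
 * command did not run to a normal exit. */
int run_fixed_command(const char *abs_cmd) {
    if (abs_cmd == NULL || abs_cmd[0] != '/') return -1;
    if (setenv("PATH", TRUSTED_PATH, 1) != 0) return -1;
    int status = system(abs_cmd);
    if (status == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    const char *path = getenv("PATH");
    printf("current PATH %s\n",
           path_has_untrusted_entry(path) ? "has an untrusted entry" : "looks clean");
    printf("bare name 'whoami' -> %d (rejected)\n", run_fixed_command("whoami"));
    printf("/bin/sh -c 'exit 3' -> %d\n", run_fixed_command("/bin/sh -c 'exit 3'"));
    return 0;
}
```

The audit helper is a string check only; it does not stat() the directories, so a world-writable directory outside the assumed prefixes would not be flagged. For a real setuid program the stronger choice is to avoid system() altogether and call execve() with an absolute path and an explicitly built environment, since system() hands the command to a shell that has its own environment handling.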
Now we can search for the flag file and read it.
The flag.txt is in the root user's home directory. We read the file and get our flag.
With this, the CTF is already over.
Flag : 489ca3ccb71640cce1a618a5dea48c25
All files and solutions for this VM are also available on Github.
For those who also want to do the OSCP later on, I will put together a list of VMs that provide good preparation.
I hope you enjoyed it, and see you next time 😄