Intro
Hello! Welcome to my first CTF writeup. Keeping it breezy, we are going to tackle an easy box today, TryHackMe’s “Basic Pentesting” CTF. As this is the first in a series of CTF writeups I will be a little more verbose than you might expect.
Basic Enumeration
Starting a basic nmap scan we get a few juicy services to check out.
nmap -sV --open [target IP]
-sV: This switch enables version detection. It attempts to determine the version of the services running on open ports by interrogating them.
--open: This switch shows only open (or possibly open) ports. It filters and displays only the ports that are found to be open during the scan.
SMB
Typically when I start a box I immediately load up the web server it’s hosting, but today I felt this SMB service was too interesting to pass up. Though we don’t have any credentials just yet, let’s run smbmap to see if we can find any shares.
smbmap -H [target IP]
Great! We found a share we can access. Let’s run smbclient using guest credentials to see what’s inside.
smbclient //[target IP]/[sharename] -U %
After connecting we can list the files with ls and download anything of interest with get. In this case we find a text file letting other staff members know not to upload non-work-related items to the share. While this isn’t very promising information, we can also learn the names of two users in this file. This will be useful later, so note them down.
Web Enumeration
Looking at the webpage our target is hosting there doesn’t appear to be anything of interest. Checking briefly for a robots.txt file to no avail, I took a quick stop into the source code of the page and found this comment.
<!-- Check our dev note section if you need to know what to work on. -->
Hmm, they claim to have a dev section but I couldn’t find anything under /dev/. I might have persisted a little longer, but wanting to expedite things I began to run my web enumeration tool of choice and found the site directory the comment was talking about. While you could use dirbuster, I wanted to try out a new tool called feroxbuster today. Here’s how you use it!
feroxbuster -u http://[target IP]
Getting a Foothold
Looking into the directory we revealed with our enumeration, we can find two text files. One of them appears to be a message from “K” to “J” about “J” having a weak password. We can already guess who these two are based on the two usernames we snagged earlier. Let’s go ahead and start hydra to chip away at the supposed weak password “J” is using. I’ll start it using the famous rockyou.txt for our password list.
hydra -l [username] -P [password list] ssh://[target IP]
The other text file appears to be a changelog. There looks to be a vulnerable version of struts installed, but this seems to be a rabbit hole as I was unable to get an exploit working before my hydra instance returned a hit.
Logging into the account we cracked via ssh, we can immediately see that there is another user, presumably “K”, on this machine. Peeking at his home directory reveals a pass.bak file that we don’t have read access to. This definitely has the credentials we need.
Privilege Escalation
After uploading (via a python http server) and running the enumeration script of our choice, being lse in my case, we can see that there is an installation of the text editor vim on this machine with the Setuid bit set. This is important because it means that when we run this installation of vim it will run with root privileges!
From here all we need to do is run the vim binary opening our elusive pass.bak file and we have “K’s” credentials. That’s all we need to finish this CTF, but it would be a shame not to gain root access regardless. Rather than logging in as “K” we can use the same vim binary to edit /etc/sudoers and grant ourselves permission to use sudo.
All that’s left to do is run bash as sudo and BOOM! We’re in!
sudo /bin/bash
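As an added example (not part of the original writeup), here is the check a defender would run for the two weaknesses this box turns on: a setuid binary that has no business being setuid (vim here) and over-broad entries in /etc/sudoers. The baseline list and the file names are assumptions, and the script is mine rather than something from TryHackMe.

```sh
#!/bin/sh
# Constructed audit script (not from the writeup): flag setuid executables
# that are not on a known-good baseline, and sudoers entries that grant
# password-less ALL. A setuid editor such as vim lets whoever runs it read
# and write any file as root, which is exactly what the writeup leaned on.

# Binaries expected to carry the setuid bit on a stock Ubuntu host.
# Assumed baseline; generate your own from a freshly built image.
SUID_BASELINE="passwd sudo su mount umount chsh chfn newgrp gpasswd"

# Exit 0 if the basename of $1 is in SUID_BASELINE, 1 otherwise.
in_baseline() {
    name=$(basename "$1")
    for ok in $SUID_BASELINE; do
        [ "$name" = "$ok" ] && return 0
    done
    return 1
}

# Print every setuid regular file under $1 (default /) that is not baselined.
# -perm -4000 matches when the setuid bit is set, whatever the other bits are.
# -xdev keeps the scan on one filesystem so /proc and network mounts are skipped.
audit_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        in_baseline "$f" || printf 'UNEXPECTED SETUID: %s\n' "$f"
    done
}

# Exit 0 when the tree is clean, 1 when audit_suid reported anything.
suid_check() {
    [ -z "$(audit_suid "$1")" ]
}

# Print non-comment lines of sudoers file $1 that grant NOPASSWD: ALL,
# the kind of entry a writable /etc/sudoers lets a low-privileged user add.
sudoers_nopasswd_all() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:[[:space:]]*ALL'
}

# Stand-alone use: sh suid_audit.sh --run [root] [sudoers]
if [ "${1:-}" = "--run" ]; then
    audit_suid "${2:-/}"
    sudoers_nopasswd_all "${3:-/etc/sudoers}"
    suid_check "${2:-/}"
fi
```

Run it from cron or a config-management check and diff the output against the previous run; a new line means a new setuid file or sudoers grant appeared since the last audit.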
Thanks for reading my writeup! There are more to come in the future so if you have any suggestions or comments about how I do these please let me know. Until next time!