Hello everyone. Today I will explain how you can hack the “Uranium CTF” machine. Let’s start hacking this machine.
I want to look at the given Twitter account.
As you can see, he shared a website domain, and he also said “Everyone can send me application files (filename: “application”) from my mail account. I open and review all applications one by one in the terminal.” So I can do a phishing attack, but how? Let’s enumerate the open ports and add the domain to the /etc/hosts file.
nmap -sN -sV <ip>
Awesome! An SMTP service is running, so I can carry out my phishing scenario. I want to use the sendEmail tool to send the email because sendEmail is basic to use.
sendEmail -h to see the parameters
First I must create a bash reverse shell because the victim uses a bash script.
I used “application” as the file name because he wants “application” as the file name.
Nice job, but I need a more powerful shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z
stty raw -echo && fg
<enter>
stty rows <your rows value> cols <your columns value>
I found “user_1.txt” and “chat_with_kral4”. I want to execute this file.
I need a password. I will use linpeas.sh to enumerate this machine.
I downloaded linpeas.sh from my own machine, and now I should give this file execute permission.
chmod +x linpeas.sh
I found a pcap file, and this file contains a password. I will download this file to my own machine with a Python server and analyze it.
I found the password for the “chat_with_kral4” file. They talked about hakanbey’s password, so I should use social engineering skills to learn hakanbey’s password.
I learned hakanbey’s password, and I will log in over SSH with this password.
Now I want to get into kral4’s account.
sudo -l
sudo -u kral4 /bin/bash -p
export HOME=/home/kral4
I logged in to kral4’s account and set the HOME variable to /home/kral4.
I want to look at kral4’s emails.
If I change index.html, root will give SUID to nano.
I copied nano to the /home/kral4 folder. Now I can go to /var/www/html for the web files.
I can’t read or write the web files. I want to look for SUID binaries for privilege escalation.
find / -perm -u=s -type f 2>/dev/null
I can read and write files with /dd.
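From the defender's side, a SUID general-purpose file utility like the one found by the find command above is exactly what a routine audit should flag. The following is an added example, not part of the original writeup: a shell function that lists setuid files under a tree and classifies them. The function name audit_suid, the RISKY_NAMES list and the one-path-per-line baseline file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit setuid files and flag general-purpose utilities
# that should never carry the setuid bit.
# RISKY_NAMES is an assumed, illustrative list; extend it for your systems.
RISKY_NAMES="dd nano vi vim cp mv tee find bash sh python3 perl"

# audit_suid ROOT [BASELINE_FILE]
# BASELINE_FILE (optional, assumed format): one approved setuid path per line.
# Prints "<verdict> <owner> <mode> <path>" for every setuid file, where:
#   RISKY  basename is in RISKY_NAMES (can read/write files or spawn a shell)
#   NEW    a baseline was given and the path is not listed in it
#   OK     anything else
audit_suid() {
    root=$1
    baseline=${2:-}
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        name=${path##*/}
        verdict=OK
        # Anything outside the approved baseline is reported as NEW.
        if [ -n "$baseline" ] && ! grep -Fxq -- "$path" "$baseline"; then
            verdict=NEW
        fi
        # A risky basename overrides the baseline: approval does not make it safe.
        case " $RISKY_NAMES " in
            *" $name "*) verdict=RISKY ;;
        esac
        # Owner and symbolic mode taken from ls -ld (portable across systems).
        meta=$(ls -ld "$path" | awk '{print $3, $1}')
        printf '%s %s %s\n' "$verdict" "$meta" "$path"
    done
}

# Stand-alone use: sh audit_suid.sh --scan / /etc/suid.baseline
if [ "${1:-}" = "--scan" ]; then
    audit_suid "${2:-/}" "${3:-}"
fi
```

Run it from cron or a configuration-management job and alert on any RISKY or NEW line; a root-owned RISKY entry should have its setuid bit removed with chmod u-s.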
Now I want to edit index.html to get the SUID bit.
I think this mail is from root. Let’s check.
Very good! I will edit the sudoers file.
If I run sudo su I can become root, but I must go back to hakanbey’s account because I know hakanbey’s password.
Thanks for reading my writeup.