CTF-200-07

This machine was part of an OffSec CTF in August 2023.

Information

Navigating through this Proving Grounds VM was quite fun! Definitely got better at enumerating the target and researching the vulnerabilities.

Name
CTF-200-03

Difficulty

Intermediate

Community Rating

Hard

Enumerated Ports & Services

Port  Description                Protocol
22    OpenSSH Server             TCP(6)
80    Apache 2.4.56 Web Server   TCP(6)

Let's run a port scan on the target!

# Change the target IP to the one in your lab environment
$ sudo nmap -sS -p1-65535 --open 192.168.154.38 -oN 38_nmap

After the ports were enumerated, a service/script scan was performed on the open ports:

# Change the target IP to the one in your lab environment
$ sudo nmap -sVC -p22,80 192.168.154.38
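The second scan takes the port list from the first by hand, which is where a typo in -p creeps in. Here is an added helper (example code, not from the original writeup) that pulls the open ports out of the -oN normal-output file of the full-port scan and prints the follow-up -sVC command for review. The function names open_ports_from_nmap and followup_scan_cmd are mine, and the nmap output excerpt in the demo is constructed; the target IP is the lab one used in the commands above.

```shell
#!/bin/sh
# Added example: parse open ports from an nmap "-oN" normal-output file and
# build the comma-separated list that the follow-up service/script scan needs.
# Not part of the original writeup.

# Print a "22,80"-style list of the open TCP/UDP ports found in an -oN file.
# Only lines of the form "<port>/<proto> open <service>" are considered, so
# header, footer and closed/filtered lines are ignored.
open_ports_from_nmap() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
             split($1, f, "/")
             ports = (ports == "" ? f[1] : ports "," f[1])
         }
         END { print ports }' "$1"
}

# Build the follow-up scan command line from a normal-output file. It is
# printed rather than executed so the port list can be checked before it runs.
followup_scan_cmd() {
    nmapfile=$1
    target=$2
    ports=$(open_ports_from_nmap "$nmapfile")
    [ -n "$ports" ] || { echo "no open ports found in $nmapfile" >&2; return 1; }
    printf 'sudo nmap -sVC -p%s %s\n' "$ports" "$target"
}

# Stand-alone demo with a constructed -oN excerpt (no lab host is contacted).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample)
Nmap scan report for 192.168.154.38
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
8080/tcp closed http-proxy
# Nmap done (constructed sample)
EOF
    followup_scan_cmd "$demo" 192.168.154.38
    rm -f "$demo"
fi
```

Run it as `sh scan_helpers.sh --demo`, or source the file and call `followup_scan_cmd 38_nmap 192.168.154.38` against the real output of the first scan.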

Findings

The website contained a demo link which redirected to a login page with a register button.

After registering an account successfully, I had the option to turn debug on.

After turning debug on in the hope of learning more about the service, I requested a random endpoint, which revealed the web application framework (Laravel 8.4.0):

RCE / CVE-2021-3129

Did some research and found an RCE exploit for versions lower than 8.4.2. This exploit tried multiple endpoints and methods to check for remote code execution and found that several of them allowed it:

I edited the exploit code to execute a reverse shell instead of id and was successful:

And got my first flag, local.txt :) Now for PE! Using pspy, I found that there is a cron job running every minute to clear pictures from Laravel:

Let's see if swapping in the reverse shell PHP script from Pentest Monkey for the artisan PHP script will execute the reverse shell... and it did :)

Checked sudo privileges and boom:

Privilege Escalation

Found that Composer can run with sudo, and GTFOBins has nice documentation on sudo PE for it. Based on the GTFOBins research, I wrote a composer.json file as the www-data user and placed it in /var/www/html/lavita to execute chmod +s /bin/bash:

Once the NOPASSWD command listed by sudo -l was executed with the run-script x parameters (thanks to the * wildcard in the command), I was able to elevate my privileges by invoking /bin/bash -p:
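The two weaknesses this box chains, a cron job that runs a script the www-data user can overwrite and a NOPASSWD sudo rule with a * wildcard, are both visible in configuration before anyone exploits them, and the chmod +s /bin/bash step leaves a SUID shell behind as evidence. The following added shell helpers (example code, not from the writeup or from GTFOBins) check for those three things. The function names are mine; the sudoers and crontab lines in the demo are constructed, modeled on the configuration described above, and the script name clear_pictures.sh is a placeholder.

```shell
#!/bin/sh
# Added example: audit helpers for the three conditions this writeup relies on.
# Not part of the original writeup; the demo inputs below are constructed.

# 1. NOPASSWD sudo rules that contain a '*' wildcard. Input: a file in sudoers
#    or "sudo -l" output format. Prints each matching line.
sudoers_wildcard_entries() {
    grep -E 'NOPASSWD' "$1" | grep -F '*'
}

# 2. Cron jobs whose command references a group- or world-writable file.
#    Input: a system-crontab-style file (min hour dom mon dow user command).
#    Every absolute path in the command that exists as a regular file is
#    checked; scripts resolved through the working directory are not covered.
#    Prints "<path> <permission string>" for each writable target.
cron_writable_targets() {
    grep -vE '^[[:space:]]*(#|$)' "$1" | while read -r _min _hour _dom _mon _dow _user cmd; do
        # Disable globbing in a subshell so the '*' schedule fields and any
        # wildcard in the command are never expanded against the filesystem.
        (
            set -f
            for tok in $cmd; do
                case "$tok" in /*) ;; *) continue ;; esac
                [ -f "$tok" ] || continue
                # -L follows symlinks (e.g. /bin/sh -> dash) so the target's
                # mode is inspected, not the link's lrwxrwxrwx.
                perms=$(ls -ldL "$tok" | cut -c1-10)
                # character 6 is the group write bit, character 9 the other write bit
                case "$perms" in
                    ?????w????|????????w?) printf '%s %s\n' "$tok" "$perms" ;;
                esac
            done
        )
    done
}

# 3. SUID-bit regular files under the given directories (a SUID /bin/bash is
#    the artifact the privilege escalation in this writeup leaves behind).
find_suid_files() {
    find "$@" -type f -perm -4000 2>/dev/null
}

# Stand-alone demo with constructed inputs.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'www-data ALL=(ALL) NOPASSWD: /usr/bin/composer --working-dir=/var/www/html/lavita *\nroot ALL=(ALL) ALL\n' > "$d/sudoers"
    printf '#!/bin/sh\n' > "$d/clear_pictures.sh"; chmod 0777 "$d/clear_pictures.sh"
    printf '* * * * * root /bin/sh %s/clear_pictures.sh\n' "$d" > "$d/crontab"
    echo "== sudo wildcard rules =="; sudoers_wildcard_entries "$d/sudoers"
    echo "== writable cron targets =="; cron_writable_targets "$d/crontab"
    echo "== SUID files under $d =="; find_suid_files "$d"
    rm -rf "$d"
fi
```

On a real host the same functions run against /etc/sudoers (plus /etc/sudoers.d/*), /etc/crontab and /etc/cron.d/*, and `find_suid_files /bin /usr/bin` lists SUID binaries to compare against a known-good baseline.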

Got the proof.txt ;)!

Final Notes

With this challenge, I was able to demonstrate quick exploitation of the target as well as privilege escalation, thanks to all the practice! Practice makes perfect!!
