As always, we will start off with an OS and version scan for open ports using nmap.
So we have ssh open on port 22 and an Apache web server open on port 80.
Port 80 — Web Server
Opening the page we get the standard Apache page; however, checking the source code we see the following:
There is an interesting comment here, “They will never find me”, which seems to be under the thm.jpg
When we try and open the file it cannot be displayed due to errors.
Let's download the file with wget:
wget http://10.10.92.6/thm.jpg
Once downloaded, we can use GHex to view the file. GHex can be installed with:
sudo apt-get install ghex
Launch GHex and open the file:
The first thing we can see is that the header references a PNG file and not a JPG, as the file extension suggests. We need to correct this, but first we need to know what the hex header for a JPG is. A bit of Googling gives us the answer.
The hex of the downloaded image starts 89,50,4E,47,0D,0A,1A,0A,00 and, as can be seen in the ASCII column, refers to .PNG. Using the header information from the above site, we can see that the hex header for a JPG is FF D8 FF E0 00 10 4A 46 49 46 00 01.
Replacing the PNG hex with the JPEG hex in GHex and saving the file works.
We can now load the .jpg and it gives us a hidden directory.
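The header check above, done in code rather than by eye in GHex. This is an added example, not code from the original write-up: it reads the leading bytes of a file, compares them with the PNG and JPEG/JFIF signatures quoted in the text, reports when they disagree with the file extension, and overwrites the leading bytes in place with the JFIF header exactly as the GHex edit did. The sample bytes in the `__main__` block are constructed; the repair only helps when the rest of the file really is JPEG data, which opening the repaired image confirms.

```python
"""Check a file's magic bytes against its extension and repair an overwritten header.

Added example, not part of the original write-up. identify() looks up the
leading bytes in a small signature table, check_extension() compares the
result with the file extension, and patch_header() overwrites the first
bytes with a chosen signature (an in-place overwrite, no insertion, matching
the GHex edit described in the text).
"""
import os

# Signatures quoted on the page: first 8 bytes of a PNG, first 12 of a JFIF JPEG.
SIGNATURES = {
    "png": bytes.fromhex("89504E470D0A1A0A"),
    "jpg": bytes.fromhex("FFD8FFE000104A4649460001"),
}
# Map alternative spellings of an extension onto the table's names.
EXTENSION_ALIASES = {"jpeg": "jpg"}


def identify(data: bytes):
    """Return 'png', 'jpg' or None based on the leading bytes only."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def check_extension(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the magic bytes say."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    ext = EXTENSION_ALIASES.get(ext, ext)
    actual = identify(data)
    return {
        "extension": ext,
        "actual": actual,
        "mismatch": actual is not None and actual != ext,
    }


def patch_header(data: bytes, target: str = "jpg") -> bytes:
    """Overwrite the leading bytes with the target signature."""
    magic = SIGNATURES[target]
    if len(data) < len(magic):
        raise ValueError("file too short to carry a header")
    return magic + data[len(magic):]


def repair_file(path: str, out_path: str) -> dict:
    """Read a file, report any mismatch, and write a header-patched copy."""
    with open(path, "rb") as fh:
        data = fh.read()
    report = check_extension(path, data)
    if report["mismatch"] and report["extension"] in SIGNATURES:
        with open(out_path, "wb") as fh:
            fh.write(patch_header(data, report["extension"]))
        report["patched"] = out_path
    return report


if __name__ == "__main__":
    # Constructed sample: a file named thm.jpg whose first bytes were replaced
    # with a PNG signature, as on the challenge image.
    sample = SIGNATURES["png"] + b"\x00" + b"\xff" * 40
    print(check_extension("thm.jpg", sample))   # mismatch: extension jpg, header png
    print(identify(patch_header(sample)))       # jpg after the overwrite
```

Run it as `python3 magic_check.py` for the constructed demo, or call `repair_file("thm.jpg", "thm_fixed.jpg")` on a downloaded file; the original is left untouched and the patched copy is written beside it.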
Navigating to the secret directory we land on the following page:
Checking the source code we find the following comment:
I guess that this is another directory, as there is no additional code in the source. So we know it is between 0–99.
As my Python skills are very poor at this stage, I used Burp Suite as follows:
So I captured the request using Burp Suite
Then sent it to the Intruder and set the Position
I then set the Payload as below and started the attack
From the response times returned, ‘73’ was the longest, so this was our number.
We have the right answer:
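The Intruder run above requests every numeric child of the secret directory in a burst. Seen from the web server, that burst is what a defender should be watching for in the Apache access log: one client walking /<dir>/0 through /<dir>/99 within seconds. This added detection example (not part of the original write-up) parses combined-format access-log lines and flags a client that hits many numeric children of the same directory inside a short window. The log lines, the client addresses, the timestamps and the directory name `/secret` are all constructed here; the real directory name on the box is not given in the text.

```python
"""Spot sequential path enumeration in Apache combined-format access logs.

Added example, not part of the original write-up. Groups requests by
(client IP, parent directory), keeps only requests whose last path segment
is purely numeric, and reports any group with at least min_requests hits
inside a sliding window of window_seconds.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def detect_enumeration(lines, min_requests=20, window_seconds=60):
    """Flag (ip, directory) pairs that walk numeric children in a burst."""
    groups = defaultdict(list)  # (ip, parent) -> [(ts, child, status)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parent, _, child = rec["path"].rstrip("/").rpartition("/")
        if not child.isdigit():
            continue
        groups[(rec["ip"], parent or "/")].append((rec["ts"], child, rec["status"]))

    findings = []
    for (ip, parent), events in groups.items():
        events.sort()
        best, lo = 0, 0
        # Two-pointer sweep: largest number of hits inside any window.
        for hi in range(len(events)):
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_requests:
            statuses = defaultdict(int)
            for _, _, st in events:
                statuses[st] += 1
            findings.append({
                "ip": ip, "parent": parent, "peak_in_window": best,
                "distinct_children": len({c for _, c, _ in events}),
                "statuses": dict(statuses),
            })
    return findings


# Constructed sample log: two benign requests from one client, then a burst
# of /secret/0 .. /secret/99 from another client spread over 25 seconds.
def _line(ip, ts, path, status):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 196 "-" "Mozilla/5.0"'


def _ts(second):
    return f"10/Oct/2023:13:55:{second:02d} +0000"


SAMPLE_LOG = [
    _line("10.0.0.9", "10/Oct/2023:13:50:10 +0000", "/", 200),
    _line("10.0.0.9", "10/Oct/2023:13:50:12 +0000", "/thm.jpg", 200),
] + [
    _line("10.0.0.5", _ts(i // 4), f"/secret/{i}", 200 if i == 73 else 404)
    for i in range(100)
]

if __name__ == "__main__":
    for f in detect_enumeration(SAMPLE_LOG):
        print(f)
```

Feed it a real log with `detect_enumeration(open("/var/log/apache2/access.log"))`; the threshold of 20 hits in 60 seconds is a starting point, and the `statuses` field makes the pattern obvious (a long run of 404s with one 200 is exactly what a directory guess that finally lands looks like from the server side).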
Initially I thought this was another directory; however, this did not work, so I went back to the original image to check for hidden files using the newly found code.
Using the passphrase, we extract a file hidden.txt:
I also noticed that the username looked odd, so I decided to run it through CyberChef, going through the ciphers one at a time.
I tried to SSH into the server as user joker with password y2RPJ4QaPF!B, but it did not work. Next I tried to brute force SSH with the username and the rockyou wordlist; nothing worked. Then I remembered that the introduction to the box said that brute forcing SSH was not required.
I got totally stuck at this point and had to get a hint from the forum; sad, I know, but the hours were burning away and, as a beginner to CTFs, I was starting to panic. It turns out there is a file hidden in the main image on the HTB room page.
I downloaded the image with wget and checked it using Steghide.
So there is a file called password.txt embedded within the JPG image; I will extract it with Steghide.
I will try and log into the ssh server using the username and new password:
And we are in; the user.txt file can be seen in the /home/joker directory.
Unfortunately Joker does not have any sudo privileges, so we will have to enumerate further. To make life simple, I am going to throw a reverse shell back to my machine and catch it using Pwncat. The reason for using Pwncat is simply because it is awesome. It has many functions including upload, download, privesc and many others. For more information, see the link below:
From our SSH session I am going to throw a bash reverse shell back to our local machine and catch it with a pwncat listener as below:
Now we have our pwncat reverse shell, and this is where the magic happens. Simply press Ctrl-D to drop into the local shell and enter privesc -l; this will enumerate privesc opportunities and list them.
Just like that it gives us an attack vector via screen. Let's double check this by uploading LinPEAS and running that script.
We can now run linpeas.sh and tee its output to a privesc.txt file:
./linpeas.sh | tee privesc.txt
LinPEAS has a great legend for identifying privesc opportunities, with the highest rating marking a 99% PE vector:
Scanning through the output we can see the following:
Screen-4.5.0 is highlighted as a potential attack vector for privesc.
We can see that this is owned by root and has the SUID flag set; this is our attack vector. A quick Google finds an exploit for CVE-2017-5618.
Using Vim on the target machine I paste the code into a file named exploit.sh. We need to chmod the exploit file to give it executable rights.
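What LinPEAS highlighted here is a plain filesystem condition: a root-owned binary with the set-user-ID bit, outside the set a stock system ships. The same condition is what a hardening audit should catch before an attacker does. This added example (not code from the write-up, pwncat or LinPEAS) lists SUID-root files and splits them into a known baseline and everything else; the baseline is a constructed, partial list, and the path `/usr/bin/screen-4.5.0` used in the constructed test data is a placeholder for the binary the box exposes.

```python
"""Audit SUID-root binaries against an expected baseline.

Added example, not part of the original write-up. classify() works on
(path, st_mode, st_uid) tuples so it can be exercised on constructed data;
collect() produces those tuples by walking a real filesystem without
following symlinks.
"""
import os
import stat

# Constructed partial baseline of SUID-root binaries a stock Debian/Ubuntu
# system ships. A real audit derives this from a known-good host of the
# same build rather than from a hand-written list.
BASELINE = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/newgrp",
    "/usr/bin/gpasswd",
}


def is_suid_root(st_mode: int, st_uid: int) -> bool:
    """True for a regular file owned by uid 0 with the set-user-ID bit set."""
    return stat.S_ISREG(st_mode) and bool(st_mode & stat.S_ISUID) and st_uid == 0


def classify(entries, baseline=BASELINE) -> dict:
    """Split SUID-root files into those in the baseline and those that are not.

    entries: iterable of (path, st_mode, st_uid), e.g. from collect().
    """
    expected, unexpected = [], []
    for path, mode, uid in entries:
        if not is_suid_root(mode, uid):
            continue
        (expected if path in baseline else unexpected).append(path)
    return {"expected": sorted(expected), "unexpected": sorted(unexpected)}


def collect(root: str = "/"):
    """Yield (path, st_mode, st_uid) for every file under root.

    Uses lstat so symlinks are reported as links, not as their targets, and
    prunes pseudo filesystems that cannot hold real SUID binaries.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev")):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    report = classify(collect(root))
    for path in report["unexpected"]:
        print("UNEXPECTED SUID root:", path)
```

Run as `sudo python3 suid_audit.py /` on a host you administer; anything under `unexpected` is a candidate for `chmod u-s`, removal, or an update (screen 4.5.0 with SUID root is exactly the kind of entry that should be upgraded rather than left in place).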
chmod +x exploit.sh
All we need to do then is run the exploit with ./exploit.sh
And there we have it, we are root.
Navigating to the /root directory, we can grab the root.flag
I really enjoyed this box and the hidden file on the room home page really got me stuck. Thank you to the developer of this box.