June 10, 2021
Run a scan to see which services are running. Once it's done, look at the results: an exposed DB surely looks interesting. Default credentials don't seem to work, and we have no known exploit to run against the SSH server, so let's just focus on the HTTP server for now. Running a directory buster reveals some interesting files and directories, mainly:
- interesting.txt, where we can find credentials for the DB;
- whatever, which doesn't seem to be accessible for some DB error right now.
Let's log in to the DB server using those credentials. There are two databases, and the second one has an interesting name. It contains a single table holding a single value that determines whether or not we can access the "whatever" page. Set it to 1 (i.e., true) and access the page. Now you can run commands as user "www-data", so use this awesome feature to get a reverse shell back to your machine.
Once you have a shell, you will quickly notice there isn't much you can do as www-data. There is a single interesting directory in the root folder, /proct, which contains a Python executable suggesting that the password for user "adam" is in rockyou.txt, but that it has been encoded as ASCII and then base64; the file also contains the hash of the password. To find out what the password is, let's build a small Python script that turns rockyou into a new wordlist whose entries are ASCII- and base64-encoded. My script was the following one:
```python
import base64

# Read rockyou as latin-1 (it is not valid UTF-8), encode each entry as ASCII
# (dropping any non-ASCII characters), base64 it, and print one entry per line.
with open('/usr/share/wordlists/rockyou.txt', encoding='latin-1') as fp:
    line = fp.readline()
    while line:
        bpass = base64.b64encode(line.strip().encode('ascii', 'ignore'))
        print(bpass.decode('ascii'))
        line = fp.readline()
```
Run it as:
python3 exploit.py > new_wordlist
Then use this wordlist with john to crack the hash. Remember, the result john gives is the base64 encoding of the password, so be sure to decode it before using it to switch user to "adam".
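As an added example (not the writeup's own script), here is the same transform written as functions so it can be checked on a few constructed rockyou-style lines, including a latin-1 entry whose non-ASCII characters the 'ignore' handler drops, together with the decode step needed before using john's result:

```python
import base64


def encode_candidate(word: str) -> str:
    """Apply the transform the writeup describes: strip, encode as ASCII
    dropping any non-ASCII characters, then base64. Returns the b64 text."""
    ascii_bytes = word.strip().encode('ascii', 'ignore')
    return base64.b64encode(ascii_bytes).decode('ascii')


def decode_cracked(b64_word: str) -> str:
    """Reverse the transform on the entry john reports, giving the
    plaintext that is actually used with su."""
    return base64.b64decode(b64_word).decode('ascii')


def transform_wordlist(lines):
    """Encode every candidate, skipping entries that become empty once
    non-ASCII characters are dropped, and de-duplicating the output."""
    seen = set()
    out = []
    for line in lines:
        enc = encode_candidate(line)
        if enc and enc not in seen:
            seen.add(enc)
            out.append(enc)
    return out


# Constructed sample standing in for rockyou.txt after latin-1 decoding.
SAMPLE = ["password\n", "pässword\n", "ñ\n", "password\n", " 123456 \n"]

if __name__ == "__main__":
    for enc in transform_wordlist(SAMPLE):
        print(enc)
```

Note that "pässword" becomes "pssword" before encoding, so a candidate containing non-ASCII characters will never match its own hash; the entry made only of such characters is dropped entirely.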
Once you have a shell as adam, enumerate your home folder thoroughly: there is a Google Maps link that helps you find out what mason's password is. TIP: it's not the place, it's what you can see in the sky. Besides being called aurora borealis, it has another couple of names, so be sure to try those as well ;)
Change user to mason with his password and grab your first flag.
Notice there is a service running on port 8080 which seems to allow you to run some predefined commands if you give it a password and the command itself in a POST body. This is a bit of a leap of faith (AC fans, this is for you), but try giving it mason's password and the command "passwd", by running:
curl -d "password=<not aurora borealis>&cmdtype=passwd" -X POST localhost:8080
It says it changed the password. Given that you are playing a CTF whose primary purpose is for you to gain root access, this presumably means it changed the root password, and what else could it change it to if not mason's password itself? "su root" and get the last flag; you are done and ready to move on with your hacking journey!