Kebechet!


a collection of stuff, thangs.....

enum - TAMUCTF 2018

Posted: 2018-02-26 02:24:35 (ohai)

Find the hidden flag.
You do not need to bruteforce. Don't do it.

ssh tamuctf@shell2.ctf.tamu.edu -p 2222
password: tamuctf

SSH'ing to the box we are presented with an rbash shell. Simply typing bash gets us some maneuverability. The first interesting thing we find is in cron.daily:

~$ ls -la /etc/cron.daily
total 20
drwxr-xr-x   2 root root 4096 Feb 20 13:51 .
drwxr-xr-x 123 root root 4096 Feb 20 13:51 ..
-rwxr-xr-x   1 root root 1474 Jun 19  2017 apt-compat
-rwxr-xr-x   1 root root 1597 Nov 26  2015 dpkg
-rwxr-xr-x   1 root root  249 Nov 12  2015 passwd

Let's check out that passwd script. I bet it's tasty.

~$ cat /etc/cron.daily/passwd
#!/bin/sh

cd /var/backups || exit 0

for FILE in passwd group shadow gshadow; do
        test -f /etc/$FILE              || continue
        cmp -s $FILE.bak /etc/$FILE     && continue
        cp -p /etc/$FILE $FILE.bak && chmod 600 $FILE.bak
done

Tasty, indeed. Let's see what we may find over in /var/backups:

~$ ls -la /var/backups
total 12
drwxr-xr-x  2 root root 4096 Feb 20 13:51 .
drwxr-xr-x 38 root root 4096 Feb 20 13:51 ..
-rw-r--r--  1 root root  236 Feb  9 04:32 .srv.bak

MONEY

~$ cat /var/backups/.srv.bak
Our lazy IT guy hasn't set up our apache server yet, so we have to use some weird snake-server in the meantime.
Save this file as a backup for the credentials.

uname: administrator
passwd: dcVMOlH5e6Hd1LGHXLmWzFhjqMu2/nIP9CXt23aq2CE

Time for a little more enum....

~$ ps aux | grep "[p]y"
root         1  0.0  0.0  18024  2880 ?        Ss   01:53   0:00 /bin/bash -c /usr/sbin/service ssh restart && cd /.administrators && /usr/bin/python /.administrators/pyserver.py 9000
root        26  0.0  0.0  37988 12360 ?        S    01:53   0:00 /usr/bin/python /.administrators/pyserver.py 9000

I bet it's listening on port 9000.... Unfortunately there are no tools available on the box to hit it directly, BUT, we can just set up a little SOCKS proxy with the given creds and grab it with a browser ourselves!

~$ ssh -D 8080 tamuctf@shell2.ctf.tamu.edu -p 2222

And configure Firefox juuuuust right (SOCKS proxy pointed at localhost:8080).

[screenshot: Firefox proxy settings]

See where we want to get to...

~$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:ac:12:00:03
          inet addr:172.18.0.3  Bcast:0.0.0.0  Mask:255.255.0.0

And then go there.

[screenshot: the flag page]
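As a defender's follow-up to the .srv.bak finding: an added example (not from the original post) that audits a backup directory for exactly that pattern, flagging group- or world-readable files, dotfiles a plain ls would skip, and files whose head contains a credential-like key. The directory layout it builds is constructed for the demo, not the real box.

```python
"""Audit a backup directory for the leak pattern in this writeup: a hidden,
world-readable .srv.bak holding credentials next to a cron job that chmods
its own backups to 600. Added example, not part of the original post."""
import os
import re
import stat
import tempfile

# Keys that usually introduce a secret in an ad-hoc "backup" note.
CRED_RE = re.compile(r"\b(passwd|password|pass|secret|token)\s*[:=]", re.I)

def audit_backups(directory, max_bytes=4096):
    """Return {filename: [findings]} for regular files in `directory`.
    Dotfiles are included on purpose: a plain `ls` would miss .srv.bak."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        hits = []
        if st.st_mode & stat.S_IRGRP:
            hits.append("group-readable")
        if st.st_mode & stat.S_IROTH:
            hits.append("world-readable")
        if name.startswith("."):
            hits.append("hidden")
        with open(path, "rb") as fh:  # only peek at the head of the file
            head = fh.read(max_bytes).decode("utf-8", "replace")
        if CRED_RE.search(head):
            hits.append("credential-like content")
        if hits:
            findings[name] = hits
    return findings

def make_demo_dir():
    """Constructed sample layout (not the real box): a properly protected
    passwd.bak beside a leaky dotfile like the one in this writeup."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "passwd.bak"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    os.chmod(os.path.join(d, "passwd.bak"), 0o600)
    with open(os.path.join(d, ".srv.bak"), "w") as fh:
        fh.write("uname: administrator\npasswd: PLACEHOLDER_NOT_REAL\n")
    os.chmod(os.path.join(d, ".srv.bak"), 0o644)
    return d

if __name__ == "__main__":
    for name, hits in audit_backups(make_demo_dir()).items():
        print(name + ":", ", ".join(hits))
```

Run it against a real /var/backups (as root, since the properly protected files are mode 600) to see which backups an unprivileged local user could read.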

Post Tagged with:
ctf
