Texte Write-Up

Introduction

In this write-up, I will guide you through the steps I took to complete the HackMyVM - Texte CTF challenge. The objective is to gain root access to the target machine by exploiting the identified vulnerabilities. Check out the video here (update this).

TL;DR

Reconnaissance

Network/Port Scanning (Nmap)

Command:

Explanation:

  • nmap: Tool used to scan networks and ports to discover which services are running.

  • -sV: Perform version detection of services.

  • -sC: Scan using default scripts.

  • -oA: Save the output in all formats using the base filename "texte".

  • 172.16.100.32: IP address of Texte VM on my network.

Output:

Findings:

We see that there is a web server running on port 80 and an SSH server on port 22, which I assume is meant for better shell access once we find a user password or private key.

Let's check out the web server, and in the background we can run gobuster to brute-force web directories.

Directory Brute-forcing (Gobuster)

While we brute-force the directories of the website, we can check out the website in a browser.

Note: I have set up an alias to run gobuster inside a Docker container.

Alias:

Explanation:

  • dir: Mode of operation indicating directory/file enumeration.

  • -u http://172.16.101.88: Base URL of the target web server to scan.

  • -w /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt: Path of word list to use.

  • -x html,php,txt: File extension(s) to search for.

Output:

Findings:

We find only 2 pages and no hidden ones.

So let's just check out the web page and its functionality.

Visiting Web Page (Port 80)

We see a basic web page that has a file upload function. After some trial and error, we find that it only allows image formats such as .jpg, .png, etc. to be uploaded.

And after uploading the image, it displays it as shown:

So, I started by trying to upload a PHP reverse shell with different file extensions, but that did not work. The request only accepted image data, so I tried injecting PHP into an image.

I followed this amazingly well-written and informative blog to inject some PHP into the image, but again to no avail.

Exploitation

Command Injection Vulnerability

So, after reading up more and reaching this part of the HackTricks page, I decided to try command injection in the filename.

So, I sent the following request:

and as you can see on line number 18, the filename is the payload:

Below is the response I got for the above request:

which shows that there is another file hosted on the web server that we can access.

After visiting the following URL:

a file is downloaded with the following contents:
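The injection described in this section works because the upload handler passes the client-supplied filename to a shell. The following is an added illustration of my own, not code from the challenge: the risky string-building pattern beside a hardened version that reduces the name to a basename, checks it against an allowlist, and builds an argv list with no shell involved. The `convert` thumbnailing command is an assumed stand-in for whatever the server does with the uploaded file.

```python
import re
from pathlib import Path

# Allowlist for upload names: plain characters plus exactly one image extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$", re.IGNORECASE)


def vulnerable_command(filename: str) -> str:
    """The risky pattern: the client-supplied filename is interpolated into a
    single command string that is later handed to a shell (e.g. system() or
    subprocess.run(..., shell=True)). Any shell metacharacter in the name is
    then parsed by the shell rather than treated as part of the filename."""
    return f"convert uploads/{filename} -resize 50% thumbs/{filename}"


def is_safe_filename(filename: str) -> bool:
    """True only if the name (after stripping directories) matches the allowlist."""
    return SAFE_NAME.match(Path(filename).name) is not None


def safe_filename(filename: str) -> str:
    """Reduce the client-supplied name to its basename and enforce the allowlist.
    Raises ValueError for anything that is not a plain image filename."""
    name = Path(filename).name  # drop ../ and any other directory components
    if not SAFE_NAME.match(name):
        raise ValueError(f"rejected upload filename: {filename!r}")
    return name


def safe_command(filename: str) -> list[str]:
    """Build an argv list from a validated name. Each list element reaches the
    program as one argument; with shell=False (the subprocess default) there is
    no shell parsing at all, so the allowlist is defence in depth, not the
    only barrier."""
    name = safe_filename(filename)
    return ["convert", f"uploads/{name}", "-resize", "50%", f"thumbs/{name}"]


if __name__ == "__main__":
    # Constructed sample names: one benign, one with a path component,
    # one carrying a shell metacharacter of the kind the write-up relies on.
    for sample in ("cat.jpg", "../../tmp/cat.png", "x.jpg;id"):
        print(f"{sample!r}: vulnerable string -> {vulnerable_command(sample)!r}")
        print(f"{sample!r}: allowlisted -> {is_safe_filename(sample)}")
```

Run the hardened path with `subprocess.run(safe_command(name), check=True)`; the list form never invokes a shell, so the filename cannot terminate or extend the command.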

User (kamila) Access

We can try these credentials on the SSH server we found earlier. On doing so, we see that they work and we have shell access as the user kamila.

Read the user.txt file to get the flag:

Privilege Escalation

On running the first privilege escalation command:

we see that the machine does not have a sudo binary.

Note: I refer to this GitHub page for privilege escalation methods.

Next we check for SETUID binaries using the command:

Output:

We see there is a /opt/texte binary which runs as the root user because of the SETUID bit.

On checking the strings in the binary we see that it is invoking the following command:

So, since it is invoking the mail binary, we need to somehow use that to elevate our privileges. I checked the man page for mail, which mentions that commands can be added to the ~/.mailrc file and are executed whenever the mail program runs.

After some help from ChatGPT, I realised that the way to execute shell commands is to prefix them with a ! in the ~/.mailrc file.

So, I created the ~/.mailrc file using the following command:

After this, execute the /opt/texte binary to get the root shell as follows:

And finally, we can read the root flag:
