Post

Sws101_ctf7

Posted Updated
By Pema dolker 1 min read

Topic : Creative

alt text

Overview

This penetration test aims to exploit vulnerabilities on the creative.thm server to obtain the user.txt and root.txt flags. The approach involves conducting an initial reconnaissance, identifying potential vulnerabilities, exploiting them to gain access, and escalating privileges to achieve our objectives.

What I Did

Initial Reconnaissance

  1. Nmap Scan:
    • Conducted a comprehensive scan to discover open ports and services on the target server.
    • Discovered OpenSSH on port 22 and nginx on port 80.
  2. Subdomain Discovery:
    • Used FFuF to find additional subdomains.
    • Discovered beta.creative.thm.

Investigating the Subdomain

  1. URL Tester App:
    • Found an app on beta.creative.thm that allows testing URLs, potentially vulnerable to SSRF.

Exploiting SSRF

  1. Capture and Save the Request:
    • Captured a POST request to beta.creative.thm and saved it as request.txt.
  2. Use SSRFmap:
    • Cloned the SSRFmap repository and moved the request file into the directory.
    • Ran SSRFmap to enumerate open ports and found port 1337 open on localhost.
  3. Read Sensitive Files:
    • Exploited the URL tester to access id_rsa file of user saad.
  4. Log in via SSH:
    • Extracted and formatted the SSH key.
    • Attempted to log in as saad using the extracted key.

Cracking SSH Key Passphrase

  1. Use John the Ripper:
    • Cracked the id_rsa passphrase using John the Ripper with the rockyou.txt wordlist.

Gaining Shell Access

  1. Log in as Saad:
    • Successfully logged in using the cracked passphrase.

Enumeration and Privilege Escalation

  1. Discover Credentials:
    • Found credentials in the .bash_history file.
  2. Check Sudo Privileges:
    • Enumerated sudo privileges for saad.
  3. LD_PRELOAD Exploit:
    • Created an exploit using LD_PRELOAD to gain root privileges.
    • Compiled and executed the exploit to obtain a root shell.

Capturing Flags

  1. User Flag:
    • Found user.txt in saad’s home directory.
  2. Root Flag:
    • Accessed and captured the root flag with elevated privileges.

Summary

Through approach of reconnaissance, vulnerability identification, and exploitation, I was able to gain unauthorized access to the creative.thm server. Utilizing tools like Nmap, FFuF, and SSRFmap, identified key vulnerabilities including SSRF and leveraged the LD_PRELOAD technique for privilege escalation. This allowed me to capture both the user and root flags, successfully completing the penetration test objectives.

  • User Flag: 9a1ce90a7653d74ab98630b47b8b4a84
  • Root Flag: <root_flag_value>
SWS101, CTF journal
SWS101
This post is licensed under CC BY 4.0 by the author.

Trending Tags

SWS101 DBS101