Home CTFs | Finale_CTF_INSA_2024 | Realiste
Post
Cancel

CTFs | Finale_CTF_INSA_2024 | Realiste

Posted Apr 4, 2024 Updated Apr 22, 2024
By Bat
8 min read

Réaliste

Kerb1

For this challenge, we are going to use the well known AS-REPRoasting attack. I will not explain in detail how the attack work but you can have more information here. The main idea is that some user may have the preauthentication disabled allowing to request a TGT (Ticket Granting Ticket) as this user. This allows us to crack the password of this user offline.

Enumeration

First we need to check if there is any AS-REPRoastable account. We have two ways to do it. The first one (the prettier) is by using bloodhound-python. This tool will allow us to recover all information on the domain. You will need a user of the domain to do so (we have bob):

[realiste_kerb1_bloodhound_zip.png]

Here is the command to run bloodhound: bloodhound-python -u bob -p bobby -d ctf.local -ns 172.10.0.59 --zip -c All

Now that we generated a zip file containing all the data of the domain we can run the bloodhound GUI to get a beautiful graph of the data we collected:

[realiste_kerb1_bob.png]

Here are the steps to configure the bloodhound GUI. You need to install and configure Neo4j.

As we can see, there is two domain admin in the domain ctf.local. We can use the panel of bloodhound to get information about possible AS-REPRoastable account:

[realiste_kerb1_asrepOpt.png]

We only have one user that looks AS-REPRoastable account and it is bob-admin:

[realiste_kerb1_asrepAcc.png]

AS-REPRoasting

The other method to get this information is by using the Impacket list of tools. We can use GetNPUsers.py to list all the user having the preauthentication disabled:

[realiste_kerb1_getNP.png]

Don’t forget to add ctf.local into your /etc/hosts file with the correct IP.

We now run the command with some more parameter to request the TGT:

[realiste_kerb1_getTGT.png]

Here is the command to run: GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip 172.10.0.58 ctf.local/bob:bobby

Cracking

Now that we have the TGT, we can try to crack it offline using tools like Hashcat:

[realiste_kerb1_hashcat.png]

Here you have to use the -m 18200 flag in hashcat

Get a shell dude

Now that we have the password of bob-admin, we can connect to the DC (Domain Controler) as him. Because we are admin now, we can list the shares C$ and ADMIN$ this can allow us to recover the flag by searching in the SMB shares. But why do that when we can have a shell using PSExec. First we can check that we are indeed domain admin by using CrackmapExec:

[realiste_kerb1_cme.png]

Note that we know we are domain admin because we see the Pwn3d! attribute and because we can READ,WRITE into the C$ and ADMIN$ shares of the DC.

Now that we know that we are domain admin, we can use PSExec to get a shell:

[realiste_kerb1_whoami.png]

And now that we have a shell, we can go into our desktop folder and get the flag:

[realiste_kerb1_flag.png]

Kerb2

For this challenge, we are going to use the well known Kerberoasting attack. As for the AS-REPRoasting part, I will not explain in too much detail the attack but you can find more information on how it work here. The main idea is that some user may have a SPN (EXPLANATION). An SPN is an attribute that, by default, only machine account have. Any user of the domain is allowed to query a ST (Service Ticket) of a user having an SPN.

As for the AS-REPRoasting, we can find the interesting user with bloodhound or with the impacket tools. Because we just have to click on a upper button for bloodhound, I will only explain the steps using impacket.

KerbeRoasting

We can use GetUserSPNs to find all users having an SPN:

[realiste_kerb2_list_spn.png]

Note that there is bob-admin and krbtgt$. This is because krbtgt$ is a service (as the $ specifies). We can’t crack the password of krbtgt$ because it is a 200 characters long random string.

Here is the command to find all kerberoastable account: GetUserSPNs.py -dc-ip 172.10.0.59 ctf.local/bob

Now that we found the bob-admin user as a kerberoastable account, we can request an ST of this user:

[realiste_kerb2_getST.png]

The full command is: GetUserSPNs.py -dc-ip 172.10.0.59 ctf.local/bob -request-user bob-admin -outputfile bob-admin.hash

Now we can use tools like hashcat or john to crack it offline. And we find the admin password:

[realiste_kerb2_hashcat.png]

The hashcat mode used here is -m 13100

Get a shell dude

As seen previously, we can now use PSexec to get a shell on the DC:

[realiste_kerb2_whoami.png]

And here is the flag:

[realiste_kerb2_flag.png]

Admin File

As you can see, there are a lot of files (no picture yet… teachers didn’t gave us access back to the chall ^^). But a file caught my attention. The Creds.txt. This file contain the text kliphu : Rvvspe it is just the ROT 7 of debian : Koolix.

[realiste_admin_rot.png]

You can see the Admin2.php code when you click on it. When we go to the path of this files, we can see… It’s a webshell:

[realiste_admin_webshell.png]

With this, we can get a reverse shell thanks to a basic nc mkfifo (cf. revshells.com) .

And now we are www-data. we can su as debian OR we could just ssh with the previously found credentials and have a really stable shell. And we can now get the first flag:

[photos/realiste_admin_user_flag.png]

As we can see, we have the right to run the python command as any user (root also ;) ). So we go to the beautiful website GTFOBins and find the command to get a root shell. And… Voilà:

[realiste_admin_root_flag.png]

Up to date

On this challenge we are given a URL. This website hosts a Drupal CMS:

[realiste_up_drupal.png]

When we search for the string Drupal in the source code, we get that the version is 7:

[realiste_up_drupal_version.png]

Now when we look for an exploit, we find this Drupalgeddon RCE unauthenticated. We launch the attack and get a shell:

[realiste_up_revshell.png]

At the time of writing, the ruby exploit didn’t worked. I used the this one to write this WU. It’s a python exploit and we juste have to replace the command id by a reverse shell command like nc mkfifo (cf. revshells.com)

With the www-data user, i get the flag:

[realiste_up_user_flag.png]

During the CTF, there was a protection on the home folder of debian. We could list all the files but couldn’t get the rights to list the rights, read or write anything in this folder. Here we have much more rights and we can see each right for each file.

Because there was nothing owned by debian, the only possible way to get his session was to find his password. That was… debian

Now that we are connected as debian we have any rights on his home directory but we can’t run any command as sudo

If we get a step back, we find that another user can:

[realiste_up_sudo_l.png]

Now we can use the well known library hijacking method to get a root shell. We can first read the ping.py file:

[realiste_up_ping.png]

Note that we are doing a library hijacking because we can’t write in the ping.py file. But if it was possible, we would have just put a reverse shell in it.

We know that the library to hijack is request. Now we can create our own library requests.py and make ping.py import it. To do so, we juste have to create our library in the same folder (hence the necessity to get debian account):

[realiste_up_root_shell.png]

For more information about python library hijacking you can check this blog. Section 2 is our case.

Note that we can launch the attack from any directory. The only requirement is that the library we create is in the same folder as the executable.

And… Voilà… We have the root flag:

[realiste_up_root_flag.png]

XAMP

In this challenge, we are facing a worpress website. We can see that in many ways but the easier is by looking at the robots.txt that shows us wp-admin page:

[realiste_xamp_wpad.png]

What’s cool about a worpress misconfigured, is that we know when we have the right user thanks to the error message:

[realiste_xamp_error.png]

A way to find the admin user is by searching for a post he created or by going at the URL /wp-json/wp/v2/users:

[realiste_xamp_wpUSer.png]

Now that we have the admin user, we can use it to find the correct password by bruteforcing the authentication page. To do that I advise to to use wpscan. This tool can be used for the enumeration phase too (list plugins, templates, CVE…):

[realiste_xamp_cracked.png]

The output is big, so here is the initial command: wpscan --password-attack xmlrpc -t 20 -U pwnme -P /usr/share/wordlists/rockyou.txt --url http://172.10.0.42

Now that we have the credential of the admin we can use it to authenticate and get a shell on the machine. The default technique to get a reverse shell didn’t worked because of the new interface. But the technique is good to know because we are going to do piratically the same. We first need to add an extension (go to Extnsions > Ajouter une extension) .

Now that the extension is installed, it has some PHP pages we can inject. We need to go into the Outils > Éditeur de fichiers des extensions section and modify the extension. We can set the basic command system("whoami"); and save the result:

[realiste_xamp_whoami.png]

And activate it:

[realiste_xamp_activate.png]

Now we head back to the URL http://172.10.0.42/jetpack/jetpack.php and we get the result of our command:

[realiste_xamp_whoami_admin.png]

We can now use a basic PHP command to get a reverse shell (cf. windows-php-reverse-shell) instead of our system("whoami");:

[realiste_xamp_revshell.png]

We can activate the plugin to get the shell. We can see the flag at the root of the file system:

[realiste_xamp_shell_gotten.png]

And voilà… We have the flag:

[realiste_xamp_flag.png]

CTFs, CTF_INSA_Final, Realiste
kerberoast asreproast kerberos crypto
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents