![Pallet City- Sacramentum Writeup 1 pallet city](https://www.meusec.com/wp-content/uploads/2021/10/pallet.png)
This post is the official write-up for the Pallet City themed machine used in Sacramentum CTF. You can find these machines on TryHackMe (when they get officially added).
Let's get started by deploying the machine. Once it is up, start with a basic Nmap scan to see which ports and services are open on the target IP address.
sudo nmap -sC -sV -T4 10.10.150.118 -oA pallet
![Pallet City- Sacramentum Writeup 2 Pallet City- Sacramentum Writeup 1](https://www.meusec.com/wp-content/uploads/2021/10/nmap.png)
From the Nmap results, a few quick observations: anonymous FTP login is allowed, SSH is filtered, and there is a website on port 80 with a robots.txt file.
Let’s take a look at the website first.
![Pallet City- Sacramentum Writeup 3 Pallet City- Sacramentum Writeup 2](https://www.meusec.com/wp-content/uploads/2021/10/landing.png)
Looking at the home page and its source code, there is not much to see or conclude. I generally make a note of any names that pop up on these websites, which in this case is Ash Ketchum. Earlier, Nmap told us about the robots.txt file, so let's take a look at that.
![Pallet City- Sacramentum Writeup 4 Pallet City- Sacramentum Writeup 3](https://www.meusec.com/wp-content/uploads/2021/10/rob.png)
At first glance the robots.txt page looks like this, but if you look closely at the end there is some useful information.
![Pallet City- Sacramentum Writeup 5 Pallet City- Sacramentum Writeup 4](https://www.meusec.com/wp-content/uploads/2021/10/robots.png)
Let's note down the key, since we don't yet know what it is for. If you look closely at the User-agent and Disallow entries, you can tell that this is a vulnerable robots.txt file.
Now let’s visit the given path and see if we could find something there.
![Pallet City- Sacramentum Writeup 6 Pallet City- Sacramentum Writeup 5](https://www.meusec.com/wp-content/uploads/2021/10/profslab.png)
![Pallet City- Sacramentum Writeup 7 Pallet City- Sacramentum Writeup 6](https://www.meusec.com/wp-content/uploads/2021/10/flag.png)
Those were the two paths from robots.txt, and I was unable to retrieve any workable information from them. Let's fire up Burp Suite and take a look at the requests going to the application.
![Pallet City- Sacramentum Writeup 8 Pallet City- Sacramentum Writeup 7](https://www.meusec.com/wp-content/uploads/2021/10/burp-1024x375.png)
When we intercept the request, we can see that the cookie being used here is a JWT. A JWT is only signed, not encrypted, so we can decode this token and try changing the values inside it. Let's try to do that.
![Pallet City- Sacramentum Writeup 9 Pallet City- Sacramentum Writeup 8](https://www.meusec.com/wp-content/uploads/2021/10/jwt.png)
Here I used the "key" that was in robots.txt to sign the token. As we can see, there is a name field containing user; we will change it to "AshKetchum", the username we discovered when looking at the website.
After this, we simply replace the existing JWT cookie with the new one and see the result.
![Pallet City- Sacramentum Writeup 10 Pallet City- Sacramentum Writeup 9](https://www.meusec.com/wp-content/uploads/2021/10/Untitled-9.png)
As we can see in the response, we get the first flag for the machine along with a hint. Let's take a look at the hint.
![Pallet City- Sacramentum Writeup 11 Pallet City- Sacramentum Writeup 10](https://www.meusec.com/wp-content/uploads/2021/10/hint.png)
When we try to open the zip file it asks for a password, and we don't have a clue what it is. So let's try to crack it with fcrackzip.
![Pallet City- Sacramentum Writeup 12 Pallet City- Sacramentum Writeup 11](https://www.meusec.com/wp-content/uploads/2021/10/fcrack.png)
As we can see, we now have the password for the zip file. Let's quickly unzip it and see what it contains.
![Pallet City- Sacramentum Writeup 13 Pallet City- Sacramentum Writeup 12](https://www.meusec.com/wp-content/uploads/2021/10/data.png)
When I open files like these I generally start with ls -la, which helps catch hidden files (there are none in this case). Then I ran file * to see what type of files these really are, since extensions can be misleading. Sure enough, hint.docx is actually a pcap capture file that can be analyzed in Wireshark; if you open it as a document you will not find anything to work with.
![Pallet City- Sacramentum Writeup 14 Pallet City- Sacramentum Writeup 13](https://www.meusec.com/wp-content/uploads/2021/10/port.png)
This was the image present in the hints folder. It indicates that port knocking is protecting port 22, which Nmap showed as filtered.
Now let’s take a look at the pcap.png file.
![Pallet City- Sacramentum Writeup 15 Pallet City- Sacramentum Writeup 14](https://www.meusec.com/wp-content/uploads/2021/10/wireshark.png)
After analyzing "hint.pcap.png" in Wireshark, a port knocking sequence can be seen: 11701, 11702, 11703.
Now, if we take stock, we have a few things to work with, but an SSH password or some sort of SSH key is still missing. Let's take a look at the FTP port, which had anonymous login enabled, and see if we can find anything useful.
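Spotting a knock sequence by eye in Wireshark works for a small capture, but the same check can be automated. The following is an added example (not from the post) that scans constructed connection events, in the shape one would export from Wireshark, and reports which sources completed the 11701, 11702, 11703 sequence in order within a time window; the same logic is useful on the defensive side for detecting who is knocking.

```python
# Constructed connection attempts in the shape one would export from Wireshark
# (time in seconds, source IP, destination port, TCP flags). Not the post's actual capture.
EVENTS = [
    (0.0, "10.10.10.5", 11701, "S"),   # correct sequence, fast
    (0.4, "10.10.10.5", 11702, "S"),
    (0.9, "10.10.10.5", 11703, "S"),
    (1.2, "10.10.10.5", 22, "S"),      # SSH attempt right after the knock
    (3.0, "10.10.10.9", 11701, "S"),   # correct order but too slow
    (9.0, "10.10.10.9", 11702, "S"),
    (12.0, "10.10.10.9", 11703, "S"),
    (0.2, "10.10.10.7", 11703, "S"),   # right ports, wrong order
    (0.3, "10.10.10.7", 11702, "S"),
    (0.5, "10.10.10.7", 11701, "S"),
]

KNOCK_SEQUENCE = (11701, 11702, 11703)   # the sequence read from the post's capture

def find_knockers(events, sequence=KNOCK_SEQUENCE, window=5.0):
    """Return {src: time_of_last_knock} for sources that hit `sequence` in order,
    starting over on any out-of-order knock port, within `window` seconds."""
    progress = {}    # src -> (index of next expected port, time of first knock)
    completed = {}
    for t, src, port, flags in sorted(events):
        if "S" not in flags or port not in sequence:
            continue     # only SYNs to knock ports matter; other traffic is ignored
        idx, start = progress.get(src, (0, t))
        if t - start > window:
            idx, start = 0, t   # sequence timed out, start again
        if port == sequence[idx]:
            idx += 1
        else:
            idx, start = (1, t) if port == sequence[0] else (0, t)
        if idx == len(sequence):
            completed[src] = t
            progress.pop(src, None)
        else:
            progress[src] = (idx, start)
    return completed
```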
![Pallet City- Sacramentum Writeup 16 Pallet City- Sacramentum Writeup 15](https://www.meusec.com/wp-content/uploads/2021/10/ftp.png)
When we log in to FTP as the anonymous user, we can see a '…' folder. After entering it we find a .ssh file, which we can download to our local machine with the get command.
![Pallet City- Sacramentum Writeup 17 Pallet City- Sacramentum Writeup 16](https://www.meusec.com/wp-content/uploads/2021/10/get.png)
Now let's quickly see what is in the .ssh file.
![Pallet City- Sacramentum Writeup 18 Pallet City- Sacramentum Writeup 17](https://www.meusec.com/wp-content/uploads/2021/10/cat.png)
Looks like we have found a password for SSH, and the username could be "ashketchum", which was on the landing page of the website.
First, since SSH was filtered, we have to perform port knocking with the sequence we found in the Wireshark capture.
knock 10.10.150.118 11701 11702 11703
![Pallet City- Sacramentum Writeup 19 Pallet City- Sacramentum Writeup 18](https://www.meusec.com/wp-content/uploads/2021/10/kn.png)
After this, we run Nmap again to see whether the SSH port is now open.
![Pallet City- Sacramentum Writeup 20 Pallet City- Sacramentum Writeup 19](https://www.meusec.com/wp-content/uploads/2021/10/nmap1.png)
As we can see, the SSH port is now open and we have the credentials.
![Pallet City- Sacramentum Writeup 21 Pallet City- Sacramentum Writeup 20](https://www.meusec.com/wp-content/uploads/2021/10/entering-box.png)
Now that we are on the box, let's find the user flag. A simple ls reveals it.
![Pallet City- Sacramentum Writeup 22 Pallet City- Sacramentum Writeup 21](https://www.meusec.com/wp-content/uploads/2021/10/flag1.png)
For privilege escalation, we start by searching for SUID binaries with the command
find / -perm /4000 2>/dev/null
![Pallet City- Sacramentum Writeup 23 Pallet City- Sacramentum Writeup 22](https://www.meusec.com/wp-content/uploads/2021/10/find.png)
If you have some experience with privilege escalation you will immediately notice that "/var/log/esctime" is a custom binary that is not present by default.
So let’s try to execute the binary and see what it does.
![Pallet City- Sacramentum Writeup 24 Pallet City- Sacramentum Writeup 23](https://www.meusec.com/wp-content/uploads/2021/10/exec.png)
As we can see, it just prints some random text, right?
So let's run the strings command and see if we can find something else to work with.
![Pallet City- Sacramentum Writeup 25 Pallet City- Sacramentum Writeup 24](https://www.meusec.com/wp-content/uploads/2021/10/strings.png)
We can clearly see that the binary simply runs cat /nothing/here and prints the output.
There is a technique called relative path exploitation; you can learn more about it by clicking here.
In short, the binary executes the cat command without specifying its full path, so the shell resolves it through the PATH variable.
So, if we can change the PATH variable so that cat resolves to a different binary, the program will run our malicious cat instead of the one that is normally installed.
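The following added example (not the challenge binary's code, whose source is not shown; a constructed reproduction of the pattern the strings output reveals) puts the vulnerable call beside a hardened one. It plants a fake cat in a temporary directory, prepends that directory to PATH exactly as the post does, and shows that the shell-based call picks up the fake while the absolute-path call with a reset PATH does not.

```python
import os
import subprocess
import tempfile

# Constructed reproduction of the pattern the strings output reveals: esctime runs "cat"
# without a path. The real binary's source is not on the page.

def vulnerable_show(path: str, env: dict) -> int:
    """Like esctime: the shell resolves 'cat' through PATH, so whatever sits first in
    PATH runs, and under a SUID binary it runs with the file owner's privileges."""
    return subprocess.run(f"cat {path}", shell=True, env=env).returncode

def hardened_show(path: str, env: dict) -> int:
    """Absolute path, no shell, and PATH reset to a trusted value before execution."""
    safe_env = dict(env, PATH="/usr/bin:/bin")
    return subprocess.run(["/bin/cat", path], env=safe_env).returncode

def demo() -> tuple:
    """Plant a fake 'cat' (a link to /bin/false, so the hijack shows as exit code 1)
    in a temp dir, put that dir first in PATH like the post's export PATH=/tmp:$PATH,
    and return (vulnerable_rc, hardened_rc)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_cat = os.path.join(tmp, "cat")
        os.symlink("/bin/false", fake_cat)      # stands in for the /bin/bash payload
        target = os.path.join(tmp, "flag.txt")
        with open(target, "w") as f:
            f.write("constructed flag contents\n")
        poisoned = dict(os.environ, PATH=f"{tmp}:{os.environ.get('PATH', '/usr/bin:/bin')}")
        return vulnerable_show(target, poisoned), hardened_show(target, poisoned)
```

Resetting PATH (or ignoring the inherited environment entirely) and calling helpers by absolute path is what stops this class of escalation in a SUID program.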
To escalate the privilege follow the steps below.
cd /tmp
nano cat
![Pallet City- Sacramentum Writeup 26 Pallet City- Sacramentum Writeup 25](https://www.meusec.com/wp-content/uploads/2021/10/cat1.png)
Now type /bin/bash once the editor opens and save the file.
![Pallet City- Sacramentum Writeup 27 Pallet City- Sacramentum Writeup 26](https://www.meusec.com/wp-content/uploads/2021/10/nano.png)
Now make the file executable
chmod 777 cat
Now add /tmp to your PATH variable
export PATH=/tmp:$PATH
![Pallet City- Sacramentum Writeup 28 Pallet City- Sacramentum Writeup 27](https://www.meusec.com/wp-content/uploads/2021/10/priv.png)
Now run the binary
/var/log/esctime
![Pallet City- Sacramentum Writeup 29 Pallet City- Sacramentum Writeup 28](https://www.meusec.com/wp-content/uploads/2021/10/run.png)
After running the binary you will get root privileges, which will lead you to the last flag.
Since we have changed the PATH, we have to run /tmp/cat to execute the cat command and reveal the flag.
![Pallet City- Sacramentum Writeup 30 Pallet City- Sacramentum Writeup 29](https://www.meusec.com/wp-content/uploads/2021/10/flag3.png)
If you liked this writeup there are many more writeups like this here.