HA: Infinity Stone CTF Boot2Root Write up.

Hruday Charan
Sep 20, 2019

Raj Chandel’s Hacking Articles just pushed out a new Boot2Root CTF named HA: Infinity stones, created by Kavish Tyagi, HA.

My approach was a bit weird, but what happened in the end is what matters, isn’t it? So first, I mounted the vulnerable machine in VMware Workstation and switched its network from NAT to Bridged so that it would connect directly to my router.

Having the VM on my physical network gave me an advantage: I could just check my router’s client list instead of running netdiscover. Smart work, ain’t it?

Network Scanning

The initial step is a network scan of the target. In this case the vulnerable VM came up at 192.168.0.2. The scan revealed three services running: 22 (SSH), 80/443 (HTTP/HTTPS) and 8080 (Jetty).

Initial observation already gave the “MINDSTONE” flag, which was nicely placed in the SSL certificate’s Organization field. Noiceeee… 1 down, 5 more to go.

HTTP Scanning

Since an HTTP/S service is also running on the VM, I opened it in the browser. On the navbar there is a direct link to 192.168.0.2/aether.php, which did nothing at all.. :3 Strange! It held an Avengers quiz that, on first impression, did absolutely nothing.

But the wording looked kinda suspicious: the computer tells us Binary is the path to Reality. Maybe a hint for the Reality stone. There was no Submit button, but since it said Binary, I gave it a try: I requested 192.168.0.2/01101001, where every True answer is a 1 and every False is a 0. It worked.

Nicee!!! Opening it, there were characters that looked like Brainfuck code.

+++++ ++++[ ->+++ +++++ +<]>+ +++++ +++++ +++++ .+++. +++++ ++++. ----.
+++++ .<+++ ++++[ ->--------< ]>----.<+++ +++[- >++++ ++<]> +++.< ++++[
->+++ +<]>+ ++++. <++++ [->----<]> -.+++ +++++ +. --------. --.<+ ++[->
+++<] >++++ .+.<

Interpreting the Brainfuck code gave me something that looked like a username:password pair.

admin:avengers
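To reproduce this step offline, here is a minimal Brainfuck interpreter (added example, not part of the original write-up). It normalises the damage a copied program picks up on the way (em dashes in place of "--", whitespace every five characters) before running it; the sample program below is constructed for this example and only writes "a:b".

```python
# Added example: tiny Brainfuck interpreter for decoding CTF clues like the
# one on the 01101001 page. Not from the original write-up.

def brainfuck(src: str, max_steps: int = 1_000_000) -> str:
    """Run a Brainfuck program with no input and return its output."""
    # Undo Medium's em-dash conversion, then keep only the eight opcodes.
    code = [c for c in src.replace("\u2014", "--") if c in "+-<>.,[]"]
    jumps, stack = {}, []          # matching bracket positions
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at opcode {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at opcode {stack[-1]}")
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):
        if pc >= len(code):
            return "".join(out)
        c = code[pc]
        if c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256     # 8-bit cells wrap
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        # ',' (input) is a no-op: the challenge program reads nothing
        pc += 1
    raise RuntimeError("step limit exceeded (runaway loop?)")

# Constructed sample, chunked the way the challenge page prints its code:
# writes "a:b" with the same multiply-by-loop idiom as the real program.
SAMPLE = ("+++++ +++[> +++++ +++++ ++<-] >+.>+ +++++ ++[>+ +++++ +<-]>"
          "++.>+ +++++ ++[>+ +++++ +++++ +<-]> ++.")

if __name__ == "__main__":
    print(brainfuck(SAMPLE))   # a:b
```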

EXPLOITATION

This could be the login for the Jenkins instance running on port 8080. Smart! Let’s get into Jenkins. A quick Google search turned up “Exploiting Jenkins Groovy Script Console in Multiple Ways”, which told me the script console could be exploited. I searched for reverse shell methods in PTM and found this amazing code… Andd!!! Bamm

A reverse shell pops out. It’s still just 1/6 stones, but hey, it’s a reverse shell. I looked around a bit. I couldn’t work in this janky TTY, so I spawned /bin/bash. Checking /etc/passwd, I found two users named Morag and Stones. I manually searched so many places: home directories, the basic manual privilege escalation checks, and then I tried the automated route. I downloaded LinEnum, a bash script, since Python isn’t installed. The most intriguing line in that scan was under “Possibly interesting SUID files”, and when I ran it, BOOM!!

ESCALATION

Friggin “TIMESTONE”, mayn! That is 2/6. If you look closely, there is another file called morag.kdbx. There’s an amazing twist here. Okay, umm, so I wanted to copy that kdbx file to my local system. I didn’t use scp this time; instead, I tried to copy the file to /var/www, and that is when I found some more directories.

In parallel, I copied the file to my local machine and started exploring the folders first. The file tesseract.html was just a normal HTML page with the text “tesseract page”. The folder gamA00fe2012 had a file named “realitystone.txt”, and the folder wifi had a pcap file and this text:

Your Password is thanos daughter name "gam" (note it's all lower case) plus the following
I enforced new password requirement on you ... 12 characters
One uppercase character
Two Numbers
Two Lowercase
The Year of first avengers came out in theatre

So I presume the folder name “gamA00fe2012” is the answer. I ignored the pcap file though. 3/6, Reality Stone too. Three more to go.

PASSWORD CRACKING

Okay, going with the kdbx file we obtained then. If that is a KeePass file, then it has to be John the Ripper. So I fired up JTR, converted the kdbx to a hash and used John again to crack the hash with the default wordlist; it turned out to be morag:princesa. So I opened the KeePass database online with the password and found “POWERSTONE”. Yo!! 4/6.

REMOTE CONNECTION

If you look closely again, the Creds section has an encoded message. At a glance we can tell it is Base64. Quickly decoding it gives morag:yondu this time.

I made an SSH connection as Morag. :P

There has to be some service running as root. I checked crontab: no luck. I tried sudo su, but that didn’t work out. Then I looked for programs that ‘Morag’ is permitted to run with sudo rights, and found one. BTW, https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ is the go-to guide for basic Linux privilege escalation methods. Using it, I found FTP can spawn a root shell.

For reference: https://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/

HITTING YO!

I opened FTP with sudo rights, spawned a root shell, and Bamm! It’s here. I cd’d to /root, where there’s a final.txt that says it’s the final flag. 5/6. YOO!!!

Umm.. what? What about the other stone, then? :3

We’ve got em.

MINDSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}

REALITYSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}

TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}

POWERSTONE:{EDDF140F156862C9B494C0B767DCD412}

SOULSTONE:{56F06B4DAC14CE346998483989ABFF16}

I am wondering now where the Space Stone went. I tried a freaking lot and couldn’t get my hands on it. I went back to tesseract.html and searched so many places. I’d seen Raj’s post, which had something to do with DirBuster. I figured DirBuster brute-forces the HTTP/S side of the VM, meaning either 80/443 or 8080. I searched the folders on the web server and, surprisingly, found two image directories. One had all the images; the other one had a single file, space.jpg. I opened it and found a cute little image of the blue and bright tesseract. That had to be EXIF, for sure. I downloaded it and BOOOM! 6/6 Yo!
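The EXIF step can be checked without an image viewer by walking the JPEG marker segments yourself. The scanner below is an added example (not from the write-up): it pulls text out of the two places a challenge author usually hides it, the COM segment and ASCII tags in the Exif APP1 block (IFD0 only). The sample JPEG and its SPACESTONE:{FLAG-PLACEHOLDER} value are constructed for this example; the real flag is not reproduced here.

```python
# Added example: pull hidden text out of a JPEG's COM and Exif segments.
import struct

ASCII_TAGS = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model",
              0x0131: "Software", 0x013B: "Artist", 0x8298: "Copyright"}

def exif_ascii_tags(app1: bytes) -> dict:
    """Return {tag_name: text} for ASCII (type 2) entries in IFD0."""
    if not app1.startswith(b"Exif\x00\x00"):
        return {}
    tiff = app1[6:]                          # TIFF header starts after "Exif\0\0"
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    found = {}
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        tag, typ, n, val = struct.unpack(endian + "HHI4s", tiff[off:off + 12])
        if typ != 2 or tag not in ASCII_TAGS:
            continue
        # Values of 4 bytes or less are inline; otherwise val is an offset.
        data = val[:n] if n <= 4 else tiff[struct.unpack(endian + "I", val)[0]:][:n]
        found[ASCII_TAGS[tag]] = data.rstrip(b"\x00").decode("ascii", "replace")
    return found

def jpeg_hidden_text(data: bytes) -> dict:
    """Scan JPEG segments up to SOS; return COM text and Exif ASCII tags."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out, pos = {}, 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: pixel data follows
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:                  # COM
            out["COM"] = payload.decode("ascii", "replace")
        elif marker == 0xE1:                # APP1 (Exif)
            out.update(exif_ascii_tags(payload))
        pos += 2 + length
    return out

def _tiff_with_description(text: bytes) -> bytes:
    """Constructed little-endian TIFF with one ImageDescription entry."""
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", 0x010E, 2, len(text) + 1, 26)
    return b"II*\x00" + struct.pack("<I", 8) + ifd + struct.pack("<I", 0) + text + b"\x00"

# Constructed sample JPEG (placeholder flag, not the real one).
_APP1 = b"Exif\x00\x00" + _tiff_with_description(b"SPACESTONE:{FLAG-PLACEHOLDER}")
SAMPLE_JPEG = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(_APP1) + 2) + _APP1
               + b"\xff\xfe" + struct.pack(">H", 11) + b"look here"
               + b"\xff\xda\x00\x02\xff\xd9")
```

Run it on the real space.jpg by passing the file's bytes to jpeg_hidden_text(); nested Exif sub-IFDs (for example UserComment) are out of scope here.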

Here come all six stones and Thanos, Buoye!

This machine is pretty neat and clean. The binary part was solid. Nice work, Kavish Tyagi and Raj Chandel; pretty good work on this. I solved this machine after 2 years of being away from CTFs. It feels amazing now.

Thank you for having a read. Regards, Hruday Charan. AKA H3LL4R.
