Torment CTF walkthrough (IRC server exploitation and misusing apache server’s intended functionality)
Security Level: Intermediate
Scanning with nmap
Some other important ports are also open i.e. 25 (smtp), 631 (cups), 6667–6669 (IRC).
Exploring files in FTP server
inside .ssh file we found RSA private key which we will use later to gain access via SSH login
And inside .ngircd there are two channel names which can be useful
Inside the ngircd.conf file we can see the default password for connecting to IRC servers
I am using pidgin IRC client to connect to IRC server with the default password
Lets join a channel which we have found earlier on the .ngircd directory
Inside #games channel there is nothing interesting so we will try to join another channel
Joining another channel i.e. #tormentedprinter from .ngircd directory
Yes! we found a password of something which can be useful later
We can see there are two user present on the machine i.e. patrick and qiu
Trying to logging in with SSH key found earlier and it is also asking for passphase we can use the password which we have found in the channel i.e. #tormentedprinter
We have gained an initial level of access and after this only we have to escalate our privilege to root for capturing the flag
we can use systemctl as root privilege without entering root password
finding a file(s) with all read,write,execute permission using find utility
Specifying 2<dev/null will filter out the errors so that they will not be output to your console. In more detail: 2 represents the error descriptor, which is where errors are written to. By default they are printed out on the console. /dev/null is the standard Linux device where you send output that you want ignored.
found 2 files with all permissions apache2.conf and index.html
Adding user qiu in apache2.conf file
Than preparing a php reverse shell script and copy it in the /var/www/html directory so that we can execute it from browser
At the same time we run netcat at listening mode so that when we execute the reverse php script, the reverse connection is received by us as user “qiu”
ran sudo -l command to find NOPASSWD executable programs
we can see that we can run python as sudo
used command sudo python -c ‘import pty;pty.spawn(“/bin/bash”)’ to spawn a shell with its user and we got a root shell
there are 2 files in /root directory proof.txt and author-secret.txt, lets see them
inside author-secret.txt
Inside proof.txt
Hence! successfully rooted the machine