PingBackHome

TryHackMe | Dreaming

April 18, 2024 | 8 Minute Read

_In this CTF challenge, we embarked on a journey of enumeration, exploitation, and privilege escalation to uncover hidden flags and complete the mission._

Recon

Recon\nmap

We start as usual with an nmap scan over the IPv4 address we have obtained. I use the following parameters in my command:

  • -sV: Service version detection
  • -sC: Script scanning using default scripts
  • -A: Aggressive mode, including OS detection, version detection, script scanning, and traceroute

Below you will find the result:

[image]

As you can see in the output, we only have two active open ports:

  • Port 22: SSH
  • Port 80: Web server

Recon\port 80

Let’s start with the web server.
When we open the webpage in the web browser, we see the default Apache web server page.
There isn’t much to find here yet, and there’s also nothing in the source code.

[image]

The next logical step is to investigate if there are any pages to visit.
For this, I’ll use gobuster as a tool.
I’ll be using the following parameters:

  • -w: Wordlist for directory/file brute force
  • -o: Output file to save results

[image]

The output only shows one page we can visit: <host>/app.
Let’s take a closer look at this one.

[image]

On the /app page, there is a directory named pluck-4.7.13.
When we open this directory, we land on the page below.

[image]

There isn’t much to do on this page.
However, we do have a hyperlink below the admin section. It can’t hurt to take a look at this.

[image]

Now we’re on a login page where we can only enter a password.
Let’s try the low-hanging fruit manually first. If this doesn’t work, we can always resort to brute force techniques. Passwords to try:

  • admin
  • welcome
  • password

“password” was the correct guess! :)
Now let’s further explore if we can find anything on the admin panel.

[image]

Just to be sure, I’ll start another gobuster run, this time starting from /app/pluck-4.7.13/.
Who knows, it might give us more information.

[image]

The latest gobuster scan gives the following entries:

  • image
  • files
  • docs
  • data

Let’s start with “docs”. Who knows, maybe there’s some information about the web application and/or misconfigurations.

[image]

[image]

It wouldn’t hurt to take a look at the changes and see if there are any old exploits we might still be able to reuse.
But so far, there’s no additional information that we can use.

[image]

As you can see in the screenshot below, there is a possibility to upload objects.
I’ve tried multiple reverse shells, but unfortunately, the application adds a .txt extension to the uploaded item.

[image]

Let’s search searchsploit for the application pluck and see if it comes back with a known exploit.

[image]

And there it is, we found one! See the highlighted exploit: 49909.py.

Exploit

Exploit\shell_upload

If we open 49909.py in a text editor like Sublime, we can see what syntax we should use to utilize the exploit.
See the highlighted text in the screenshot below.

[image]

The syntax for this exploit is as follows:
<ip_address> <port> <admin_panel_password> <pluck_cmd_path>

[image]

If we execute this exploit, we’ll get a web shell. See the screenshot below for an example.

[image]

After some manual enumeration, I discovered that there are some items in the /opt folder.
We only have permissions to read test.py, so let’s do that.

[image]

Now that we have a username and password, we can try to log in via SSH with the username lucien.

[image]

[image]

And yes, we’re in! Let’s further investigate what we can find under the user lucien. Let’s read the first flag.

[image]

[image]

Privilege Escalation

Privilege Escalation\sudo-l

We have the first flag. Let’s see if we can escalate privileges to a user with more rights. We can use the command sudo -l to see if we can do anything.

[image]

We can use getDreams.py to perform privilege escalation.
Let’s give that a try.

[image]

Unfortunately, that didn’t work. So let’s get linpeas.sh onto the host and use it to scan the machine for misconfigurations.

[image]

[image]

[image]

We see in the bash history of the user lucien that they connected to MySQL, and the plaintext password is visible in that command line. Let’s take a look at the script getDreams.py in the folder /opt and see if we can do something with it.

[image]

We see in the else statement that a shell command is invoked, which we could theoretically abuse. Furthermore, we see that the script connects to a MySQL instance, and we know that the user lucien has used MySQL. Let’s investigate this further.

[image]

Now that we’re logged into MySQL as the user lucien, we need to look around to see which databases exist and which tables are present.

[image]

We have multiple databases, but we’re only interested in the library database.
Let’s select this one, and when we read the tables, we see 2 columns (dreamer, dreams) with multiple rows.
We’re on the right track. If you scroll back to getDreams.py, you’ll see that two columns are being called: dreamer and dreams.

We know that a shell can be invoked, so let’s get a standard reverse shell from the website https://www.revshells.com.
Also, let’s start a netcat listener on port 9001.
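As an added illustration (not the box’s own getDreams.py, whose source only appears in the screenshots), here is the pattern the script above exhibits: rows read from the library table are spliced into a shell command, so a dreams value containing shell syntax becomes code. The hardened variant passes the same values as argv elements with no shell, so they remain data, and a small check flags rows that only make sense to a shell. Function names and the sample rows are assumptions constructed for the demo.

```python
import subprocess

# Constructed sample rows standing in for the (dreamer, dreams) columns of the
# library table described in the write-up. The third row carries shell syntax.
SAMPLE_ROWS = [
    ("Alice", "a quiet beach"),
    ("Bob", "flying over mountains"),
    ("Mallory", "$(id) ; echo injected"),
]

def build_shell_command(dreamer, dreams):
    """Vulnerable pattern (assumed reconstruction of the script's else branch):
    database strings are interpolated into one command line that would be
    handed to a shell. Returned rather than executed so it can be inspected."""
    return f"echo Dreamer: {dreamer} dreams about {dreams}"

def show_dream(dreamer, dreams):
    """Hardened variant: no shell is involved, so each value is a single argv
    element and $(...), ; or | inside it are printed, never interpreted."""
    out = subprocess.run(
        ["echo", "Dreamer:", dreamer, "dreams about", dreams],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()

def metachar_rows(rows):
    """Cheap detection hook: return rows whose text contains shell
    metacharacters, useful for alerting on tampering with the table by a
    low-privileged database account."""
    suspicious = set("$`;|&<>\n")
    return [r for r in rows if any(c in r[0] + r[1] for c in suspicious)]

if __name__ == "__main__":
    for dreamer, dreams in SAMPLE_ROWS:
        print(show_dream(dreamer, dreams))
    print("rows to review:", metachar_rows(SAMPLE_ROWS))
```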

[image]

[image]

[image]

As you can see in the screenshot below, we have a successful connection :)
Let’s read the flag of the user death and continue with enumeration.

[image]

[image]

[image]

In the home folder of the user death, we also find a script named getDreams.py.
When we read this script, we see a database password for the user death.
In this box, passwords are used in multiple places at once. Maybe we can also log in as the user death with this password.

[image]

We are now logged in as the user death. Let’s navigate to the home folder of the user.
Who knows, we might find something interesting there.

[image]

[image]

If we read the script restore.py, we see that backups are being made and that the shutil library is imported.
Let’s see if we can abuse this :):):)

Let’s search for this library on the machine. I’ll use the find command with the following parameters:

  • -type f
  • -group death
  • -name shutil
  • -ls

[image]

We see in the output that the library is owned by root and that the group death also has access to it. So, we can do something with this :)

[image]

[image]

If we open shutil.py in a text editor and search for copy2, we can place a reverse shell in the script. We’ll also get this from revshells.com.
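A check a defender could run to catch the condition this step relies on: a standard-library module such as shutil.py that a non-root group can edit and that a privileged script later imports. This is added example code, not part of the room or the post; the directory and files it creates are constructed for the demo, and in real use the audit would be pointed at the non-empty entries of sys.path.

```python
import os
import stat
import tempfile

def writable_by_non_root(path):
    """Return the reasons a module file could be modified by someone other
    than root: group- or world-writable bits, or a non-root owner."""
    st = os.stat(path)
    reasons = []
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_uid != 0:
        reasons.append("owner-not-root")
    return reasons

def audit_module_dirs(dirs):
    """Walk the given module directories (e.g. sys.path entries) and report
    every .py file a non-root user could edit, as a path -> reasons mapping."""
    findings = {}
    for d in dirs:
        for root, _dirs, files in os.walk(d):
            for name in files:
                if not name.endswith(".py"):
                    continue
                p = os.path.join(root, name)
                try:
                    reasons = writable_by_non_root(p)
                except OSError:  # dangling symlink or vanished file
                    continue
                if reasons:
                    findings[p] = reasons
    return findings

def demo():
    """Constructed demonstration: a throwaway directory holding a
    group-writable shutil.py (the condition from the write-up) next to a
    correctly permissioned module. Returns (findings, bad_path, good_path)."""
    tmp = tempfile.mkdtemp()
    bad = os.path.join(tmp, "shutil.py")
    good = os.path.join(tmp, "ok_module.py")
    for p in (bad, good):
        open(p, "w").close()  # empty stand-in module
    os.chmod(bad, 0o664)   # rw-rw-r--: any member of the file's group can edit it
    os.chmod(good, 0o644)  # rw-r--r--
    return audit_module_dirs([tmp]), bad, good
```

Any file the audit reports for the group-writable or world-writable reason is a candidate for exactly the hijack described in the post, regardless of which user owns it.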

[image]

And now we have a connection as the user morpheus. Let’s read the last flag; we’ve managed to collect all the flags.

[image]

[image]

Summary of CTF Challenge

  1. Enumeration:
    • Conducted an nmap scan to identify open ports and services.
  2. Web Exploration:
    • Discovered a web server and used gobuster to explore directories.
  3. Exploitation Attempts:
    • Attempted to exploit an upload feature, but encountered file extension limitation.
  4. Exploit Discovery:
    • Found a known exploit for the application pluck using searchsploit.
  5. Initial Exploitation:
    • Successfully exploited pluck, gained a web shell, and escalated privileges.
  6. Credential Discovery:
    • Discovered credentials in MySQL and utilized them to SSH into the system.
  7. Privilege Escalation:
    • Explored the file system, found another script, and escalated privileges further.
  8. Library Vulnerability:
    • Leveraged a vulnerability in a system library to gain a reverse shell as another user.
  9. Completion:
    • Successfully collected all the flags and completed the challenge!