CTF Challenges

Broken 2020: 1 Vulnhub Walkthrough

Broken 2020 is a beginner level virtual machine created by EuSecinfo. There was no running of public exploits, no rabbit holes in the machine, however, there was a need for custom exploitation and a little bit of common sense.

Table of Content

  1. Reconnaissance
    1. Nmap and directory enumeration
    2. Locating a malicious script to gain shell access
  2. Exploitation
    1. Writing our own script to gain a reverse shell
  3. Post Exploitation
    1. Gaining Alice’s shell by modifying a python script
    2. Understanding the algorithm of the script’s working
  4. Snagging the flag
    1. Manipulating a script to read root flag

Let’s start

We detected the IP address of the vulnerable machine and ran nmap scan on it to begin with.

We could only find port 80 open.

We immediately scrolled to the website but didn’t find anything useful over there.

Next obvious step was to run directory enumeration. We used dirb for the purpose and found a directory “/cms”

It looked like an installation page of a CMS. We clicked install.

Upon clicking install, something vague happened and seemed like it was a trap.

Here we could see flag 1 and it is self-explanatory, our website got defaced by that installation of CMS.

However, since the website got defaced, some change in directories, new files, or some payload must have been executed or created. So we ran directory enumeration once more in the “/cms” directory.

A new directory called “/cc/” seemed to have been created by this installation. We head over there to see what had been created. As the page explains itself, it is a malicious script that is used to connect the server to a remote IP with a remote port! That means a ready-made shell. But let’s see what it actually does first by inputting a random IP and port.

Hence, it is searching for some script in the designated IP. Lets actually create a simple python server and see what script it is searching for.

So, it was asking for a shell script with a random system-generated name. So, we created a script with the specified name with a python reverse shellcode in it (Pentest Monkey python reverse shell). Make sure you also launch a netcat reverse listener on port 8888 in a new terminal window.

Upon inputting this python server’s IP and port we see a new status code in the website.

Meanwhile, on our other terminal, we saw a shell was obtained. We traversed to /home/alice directory and read our next flag. There was also a note left there that said that a script log.py was created to clear apache logs.

Upon inspecting log.py we saw that it was clearing out apache logs and creating a log file “clear.log” that was updated every time the machine cleared it.

Here is the catch: upon inspecting clear.log we found that the logs were being cleared after every 1 minute sharp. This could be due to a cron job. Since the script log.py is being run as alice we could gain Alice’s account access if we somehow manage to insert our reverse shellcode in log.py.

Now, log.py is not editable by www-data (the current user) but the directory is writable! So we replaced the log.py file with our own log.py file as below.

1: Create a log.py file in our own system with the code as used before:

2: Launch a python server

3. Rename the existing log.py in the VM’s session to log_new.py

4. Copy log.py using wget command and give execute permissions.

In a new terminal, start a netcat listener on the port specified in the payload. Here, 5555, and wait for a reverse shell.

Surely, we received Alice’s shell. Now we traversed through directories and found a /back directory with the backup folder. There we snagged our third flag!

Now, we saw a note.txt too which had a message saying “Please put the path of the website backup directory in path.txt and bot will do the rest.” That means those three scripts (backup.py, check.py and hack.sh) were doing something using the contents in path.txt.

Upon analyzing the three scripts we understood that the bot (scripts) are picking up the contents in the directory specified in “path.txt” and copying it in the current directory! That solved our purpose since we can just dump the contents of /root directory using this.

Hence, we input /root in path.txt with the command:

Echo “/root” > path.txt

After waiting for about a minute again, we easily saw the contents of the root directory and read the congratulatory flag!

Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here