Tuesday, February 27, 2018

Enum 150 Writeup - TamuCTF 2k18

Texas A&M University CTF (TamuCTF) event was really one of the best CTFs, most of the challenges are realistic and I like that. In this writeup we will see the solution of the best challenge of this whole CTF contest. Honestly, it was like a PenTest challenge and not just a simple CTF one.

  • Challenge Name: enum
  • Challenge Score: 150 points
  • Challenge Category: Misc
  • Challenge Solves: 128 Solves
  • Challenge Description: Find the hidden flag.
  • Challenge: ssh tamuctf@shell2.ctf.tamu.edu -p 2222 --- Password: tamuctf


When we try to login through SSH for the first time we see that there is a bunch of restricted Linux commands!

Like we see, we are getting a weird message starting with the word rBash (Restricted Bash), from previous experience when doing boot2root machines on VulnHub & HackTheBox I've learned that there is something called rBASH and basically it is like a Linux Jail it just jails some commands so we can't use them!

There is a bunch of tricks and techniques to bypass and escape the Linux jail but I took the smartest and easiest way that basically bypass the rBash jail before the bash profile loads because it rBash basically works there!

So, like we see by adding the '-t' option to the ssh line and the "'bash --noprofile'" we bypassed the rBash restriction easily! We are still getting the weird message but this time it say bash and not rbash, Successful Bypass!

After a couple of hours of failed attempts and bunch of enumeration and a bunch of wrong/fake flags. I finally figured out there is some kind of weird & hidden login details that I really didn't know where we can use it!

So, after reading this hidden file, we are given two hints: Snake-server & Backup credentials. So, it means that there is a running server somewhere and those are the credentials to log in into that server.

I started feeling that I am looser because I really took more than 5 hours trying that challenge (Honestly it is cool and it deserves it!).

After, a bunch of BashFu commands and tricks that I know and that I used and got over the net nothing worked :'( I felt like I am completely out of the SCOPE because the challenge is about getting the flag and I was trying to get ROOT :-3 What a stupid guy -.-'

It doesn't matter after a simple mind refresh I remembered there is something called background processes so boom let's try the (ps -aux) trick to see commands and services running…

After doing the (ps -aux) trick, we are given a list of processes running in the background. I've noticed a service running as (root) user! It is actually running a python script under (/.administrators/pyserver.py) on the port 9000 ; but, damn that was running in the internal system and not exposed to the outside and I started overthinking as usual :-3

The idea behind that was related to something called Port Forwarding. It works by forwarding the port 9000 to some ports into our machine through the SSH. There is bunch of articles online that shows that and you can find them by googling 'Port Forwarding through SSH'.

What I did here, is I just forwarded the local port of the target 9000 to my 1210 port into my local Machine through the SSH using the '-L' option to my localhost address.

I forget stuff quickly, but I didn't forget the message that I've got before ;-) Snake-server means there is an HTTP Server, so if we link all stuff together (Detective Conan <3) We get to know that the server was on port 9000 and it is now on our address:

BOOM :-D After browsing the address, we are given an authentication form :-D I hope you still remember the credentials that we've found ;-) Try it now :-)

Very nice challenge. A big thanks to the organizers <3