Case Unlocked: Yukthi CTF 2024 Prelims

Introduction

Case Unlocked is a web-based challenge in the Yukthi CTF 2024 prelims, designed to immerse participants in a scenario of digital exploration and exploitation. Specifically, the challenge tests participants' skills in identifying and leveraging web vulnerabilities. The journey begins with discovering sensitive information through exposed .git directories. From there, participants advance by gaining unauthorized access to a system and escalating privileges using a known vulnerability. Ultimately, this challenge provides a comprehensive test of your web security skills and problem-solving abilities.

Skills Learned

  • Effective methods for exploring and exploiting web endpoints
  • Techniques for uncovering hidden or obscured login credentials
  • Strategies for privilege escalation on Linux systems

Enumeration

1. Initial Reconnaissance

The first step involved scanning the network for open ports. Using the command nmap -p- 10.11.3.92, we performed a comprehensive scan.

nmap -p- 10.11.3.92

This preliminary scan is essential because it helps to identify potential entry points on the target machine. Specifically, it reveals which ports are listening and may be vulnerable to further exploitation. Thus, this scan provides crucial information for planning subsequent steps in the exploitation process.
Open Ports Image

2. Discovering Port 80

The scan results showed that port 80 was open, which indicated that a web service was running. By accessing this web service through a browser, you obtained a pivotal clue for further actions. Consequently, this clue guided the next steps in your exploration and exploitation process.
Web Service Access Image
Upon accessing the webpage, I encountered an interactive game embedded within the site. This discovery provided an intriguing element to explore further. Therefore, it became a focal point for deeper investigation and analysis.

3. Endpoint Exploration

Utilizing the Nikto tool, a comprehensive web server scanner that checks for dangerous files, outdated server software, and other problems, I was able to discover some interesting endpoints:

 nikto -h http://localhost:34829

Endpoint Exploration Image

These included admin login and .git pages. Navigating to the admin page redirected to a login page, but without known credentials:
Login Endpoint Image

The discovery of a publicly accessible .git directory was crucial. It is a common security oversight to leave git directories accessible on production servers, which can expose sensitive information.
Git Tools Usage Image

Using GitTools (https://github.com/internetwache/GitTools), I cloned the repository found on the server, allowing access to the development history and potentially sensitive data.

4. Unearthing Credentials

https://github.com/internetwache/GitTools
cd GitTools

After cloning the git repository, the command git log | grep "commit" | cut -d " " -f2 | xargs git show was used to extract and decode commits. This command sequence is useful for examining commit histories to find potentially leaked sensitive information.

git log | grep "commit" | cut -d " " -f2 | xargs git show

The credentials were found encoded in Base64 within the commit messages: mail=tetris@gmail.com: passwd=VDdpM19pM181ZXJlY3RfN2E1NXcwcmQ=, which decodes to T7i3_i3_5erect_7a55w0rd.

username= testris@gmail.com
password=T7i3_i3_5erect_7a55w0rd

5. Securing the Flag

With the decoded credentials in hand, I used them to log in through the login.html page. Upon successful authentication, It was redirected to the /secret.php page, where the first flag was revealed.

Secret Page Flag Image

Challenge 2: Loophole Discovery

After completing the initial challenge, I resumed with another round of port scanning to uncover further points of attack. This scan highlighted an active SSH service on the target.

1. Further Reconnaissance

A subsequent port scan revealed that SSH (port 22) was open, providing an ideal vector for utilizing the credentials discovered earlier. This allowed for direct access to the system's shell.

ssh tetris@IPaddress

SSH Access Image

2. Identifying Vulnerable Sudo Version

Once inside the shell, I employed various strategies to escalate privileges. Noticing the sudo version was 1.8.21, an older and known exploitable version, I identified a potential avenue for attack. The presence of password feedback (asterisks when typing the password) confirmed that pwfeedback was enabled, a feature vulnerable to specific exploits.

sudo --version

Sudo Version Check: Sudo Version Image

Research on Google led me to an exploit in the Exploit Database that could leverage this vulnerability (CVE-2019-18634).

3. Gaining Root Access

I cloned the exploit script from GitHub:

git clone https://github.com/Plazmaz/CVE-2019-18634/
cd CVE-2019-18634
/self-contained.sh

Root Access Image
Root Access Image

Running the ./self-contained.sh script from the cloned repository exploited the pwfeedback buffer overflow vulnerability, successfully granting root access. This allowed me to locate a critical document inside /root/locker/.

Leave a Comment

Realted Blog >>

A Blockchain OSINT Challenge
Case 118 Unlocked: A Blockchain OSINT Challenge Guide
Introduction Case 118 Unlocked is a blockchain-based OSINT challenge that tests your detective skills...
Pickle Portal
Pickle Portal - Yukthi CTF Prelims 2024 Write-up
Introduction The Pickle Portal Challenge offers an engaging test of Python and Linux skills through the...
Mystery 013
Mastering the Mystery 013 - Yukthi CTF 2024 Prelims
Introduction to Mystery 013 Mystery 013” is a captivating digital forensics challenge featured in the...
1 2
Scroll to Top