Categories
Capture The Flag

Pallet City- Sacramentum Writeup

pallet city

This post is the official write-up for the Pallet City themed machine used in Sacramentum CTF. You can find these machines on Tryhackme(when they get officially added).

Let’s get started by deploying the machine. Now, after deploying the machine, start with a basic Nmap scan and see which ports and services are open and running on the particular IP address.

sudo nmap -sC -sV -T4 10.10.150.118 -oA pallet
Pallet City- Sacramentum Writeup 1

After seeing the Nmap results, some quick observations are- there is an anonymous ftp login allowed, filtered ssh and, there is a website running on port 80 which has a robots.txt page.

Let’s take a look at the website first.

Pallet City- Sacramentum Writeup 2

After seeing the home page and the source code there is nothing much to see or conclude here. But I generally make sure to note down any sort of names that pops up on these websites which is Ash Ketchum in this case. So, earlier Nmap gave us information about the robots.txt file. Let’s take a look at that.

Pallet City- Sacramentum Writeup 3

At first glance, the robots.txt page looks like this but if you look closely in the end there is some useful information.

Pallet City- Sacramentum Writeup 4

Now let’s note down the key as we don’t know what it is and if we look closely at the user-agent disallow you would get to know that this is a vulnerable robots.txt file.

Now let’s visit the given path and see if we could find something there.

Pallet City- Sacramentum Writeup 5
Pallet City- Sacramentum Writeup 6

These were the two paths in robots.txt as I was unable to retrieve some workable information from there. Let’s fire up our Burpsuite and take a look at the requests that are going to the application.

Pallet City- Sacramentum Writeup 7

As we intercept the request we can see that the cookie which is being used here is a jwt token. Now we can try to decrypt this token and can change the values inside it. Let’s try to do that.

Pallet City- Sacramentum Writeup 8

Here I used the “key” that was there in robots.txt and as we can see there is a name field that has user in it, now we will change the user field and replace it with “AshKetchum” which is the username we discovered when looking at the website.

After this, we will simply replace the existing jwt cookie with this one and see the result.

Pallet City- Sacramentum Writeup 9

As we can see in the response we get our first flag for the machine and there is a hint. Let’s take a look at the hint.

Pallet City- Sacramentum Writeup 10

While opening the zip file it asks for a password and we don’t have a clue. So, let’s try to crack it by using fcrackzip.

Pallet City- Sacramentum Writeup 11

As we can see, we got the password for the zip file now, let’s quickly unzip it and see what it contains.

Pallet City- Sacramentum Writeup 12

When I open these types of files, I generally use ls -la command that helps if you have a hidden file that is not present in this scenario. After this, I did a file * command to see what type of files are these which can be misleading sometimes, and certainly in this case the hint.docx is a pcap capture file that can be analyzed in Wireshark and if viewed in a document format you might not find anything to work with.

Pallet City- Sacramentum Writeup 13

This was the image that was present in the hints folder. It indicates that there is a port knocking on the 22 port, which Nmap showed as filtered.

Now let’s take a look at the pcap.png file.

Pallet City- Sacramentum Writeup 14

After analyzing the “hint.pcap.png”, a port knocking sequence can be seen. Which is 11701, 11702, 11703.

Now, if we realize we have some things to work with just an ssh password or some sort of ssh key is missing. Let’s take a look at the FTP port which had anonymous login enabled and see if we could find anything to work with.

Pallet City- Sacramentum Writeup 15

When we login into the FTP with the anonymous user. we can see that there is a ‘…’ folder after entering that folder we can see that there is a .ssh file. We could get the file on our local machine by using the command “get”.

Pallet City- Sacramentum Writeup 16

Now, let’s quickly see what is there in the .ssh file.

Pallet City- Sacramentum Writeup 17

Looks like we have found a password for our ssh, and for the username could be “ashketchum” which was there on the landing page of the website.

Firstly, since the ssh was filtered we would have to perform port knocking on it with the sequence we found in the Wireshark file.

knock 10.10.150.118 11701 11702 11703
Pallet City- Sacramentum Writeup 18

After this, we will again run our Nmap to see if the ssh port is now open or not.

Pallet City- Sacramentum Writeup 19

As we can see here the ssh port is now open and we also have the credentials.

Pallet City- Sacramentum Writeup 20

Now after we got into the box let’s try and find the user flag.

If we just ls we will get the flag.

Pallet City- Sacramentum Writeup 21

For privilege escalation when we run the command

find / -perm /4000 2>/dev/null
Pallet City- Sacramentum Writeup 22

If you have some experience in privilege escalation you will automatically see that the “/var/log/esctime” binary is a custom binary and is not present by default.

So let’s try to execute the binary and see what it does.

Pallet City- Sacramentum Writeup 23

As we can see here it just prints some random text Right?

So now, let’s run the strings command and see if we could find something else to work with.

Pallet City- Sacramentum Writeup 24

We can clearly see that the binary is just taking the cat /nothing/here and printing it.

So there is a technique called relative path exploitation you can learn more about it by clicking here.

So in short what it does is executes the cat command without specifying the full path.

So, if we can change the PATH variable to target the command cat at a different binary, the program will run our malicious cat instead of the one that is normally installed.

To escalate the privilege follow the steps below.

cd /tmp
nano cat
Pallet City- Sacramentum Writeup 25

Now type /bin/bash when the terminal gets open and save it.

Pallet City- Sacramentum Writeup 26

Now make the file executable

chmod 777 cat

Now add /tmp to your PATH variable

export PATH=/tmp:$PATH
Pallet City- Sacramentum Writeup 27

Now run the binary

/var/log/esctime
Pallet City- Sacramentum Writeup 28

After running the binary you will get root privileges which will lead you towards the last flag.

Since we have changed the PATH we have to run /tmp/cat to execute the cat command and reveal the flag.

Pallet City- Sacramentum Writeup 29

If you liked this writeup there are many more writeups like this here.

Sometimes we include links to online retail stores and/or online campaigns. If you click on one and make a purchase we may receive a small commission.

Comments:

Leave a Reply

Your email address will not be published. Required fields are marked *