My hackthebox.eu rank is falling like a rock because I don’t have much time to spend. To remember better days, I am posting my former rank banner, which I saved earlier, probably knowing what would happen later on 😉
I was in the top 200! If you don’t know hackthebox, head over to their website and enjoy hacking servers and solving challenges like stego, reversing, forensics and others: https://www.hackthebox.eu/
JIS-CTF: VulnUpload Vulnhub Writeup
My first boot2root beginners challenge taken from here: JIS-CTF: VulnUpload from vulnhub.com.
First we start with an nmap scan:
# Nmap 7.60 scan initiated Sat Mar 10 13:13:04 2018 as: nmap -sV -sC -oN jordan.txt 192.X.X.X
Nmap scan report for Jordaninfosec-CTF01.fritz.box (192.X.X.X)
Host is up (0.00015s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 af:b9:68:38:77:7c:40:f6:bf:98:09:ff:d9:5f:73:ec (RSA)
|   256 b9:df:60:1e:6d:6f:d7:f6:24:fd:ae:f8:e3:cf:16:ac (ECDSA)
|_  256 78:5a:95:bb:d5:bf:ad:cf:b2:f5:0f:c0:0c:af:f7:76 (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 8 disallowed entries
| / /backup /admin /admin_area /r00t /uploads
|_/uploaded_files /flag
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Sign-Up/Login Form
|_Requested resource was login.php
MAC Address: 08:00:27:68:18:58 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 10 13:13:11 2018 -- 1 IP address (1 host up) scanned in 7.18 seconds
Flag 1
The nmap scan already reveals a lot of information: the http-robots.txt script lists eight disallowed entries, including /flag. The first flag can be found under the URL http://[jordan vm]/flag:
The 1st flag is : {8734509128730458630012095}
An overcomplicated solution for cmd2 ctf at Pwnable.kr
When I get some free time, I try to solve some beginner hacker CTFs. Recently I stumbled over cmd2 at Pwnable.kr and it took me some time to solve it. Later I realized that my earlier attempts would have been successful if I had known the difference between calling arguments with "..." or '...'. 🙂
For starters, when a binary is called with "$(...)", the calling shell executes the code inside $(...) first, and the result becomes the argument for the binary.
When a binary is called with '$(...)', the shell does not expand anything and the whole parameter is passed to the binary as a literal argument. With some help from YouTube I used the following solution for cmd2:
./cmd2 '$(cs() { printf ${@}; }; cs "\57bin\57cat\40fl"; cs "ag";)'
An easier solution as seen here would be:
./cmd2 '$(echo "\57bin\57cat \57home\57cmd2\57f")lag'
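The quoting difference described above, as an added example that is not part of the original post. The helper names (show_arg, second_stage, decode_octal) and the sample strings are constructed for illustration, and using `sh -c` to stand in for a program that hands its argument to a shell is an assumption.

```shell
#!/bin/sh
# Added example: where does $(...) get evaluated under each quoting style?

# Stand-in for "the binary": returns its first argument exactly as received.
show_arg() {
    printf '%s' "$1"
}

# Double quotes: the calling shell runs the substitution first, so the
# program only ever sees the output of the inner command.
double_quoted() {
    show_arg "$(printf 'A%s' 'B')"
}

# Single quotes: nothing is expanded; the program receives the literal text,
# dollar sign and parentheses included.
single_quoted() {
    show_arg '$(printf "A%s" "B")'
}

# If the program then passes that literal text to a second shell (assumed
# here: sh -c), the substitution is evaluated at that later stage instead.
# Any check the program ran on the literal text happened before this point.
second_stage() {
    arg=$(single_quoted)
    sh -c "printf '%s' $arg"
}

# printf decodes \NNN octal escapes in its format string: \57 is '/' and
# \40 is a space. This is why the text a program inspects can differ from
# what a shell finally runs. (echo's escape handling varies between shells;
# printf behaves the same everywhere.)
decode_octal() {
    printf '\57tmp\57demo\40file'
}

printf 'double quoted : %s\n' "$(double_quoted)"
printf 'single quoted : %s\n' "$(single_quoted)"
printf 'second stage  : %s\n' "$(second_stage)"
printf 'octal decoded : %s\n' "$(decode_octal)"
```

For code that validates an argument and then hands it to a shell, this is the reason string filtering is unreliable: the safer design is to execute the target program directly with an argument vector and no shell in between.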