Brew brothers

  • Parrot-CTF
  • Easy

🦜 Parrot CTFs is an advanced cybersecurity education platform and Capture The Flag provider. Their goal is to create the most realistic Capture The Flag challenges and demonstrate real-world attack scenarios.

This is an easy difficulty machine that exploits a SQL injection vulnerability and library hijacking in a Python script to gain root privileges.

Content:

Enumeration 🔎:

We start by using ping to check the TTL of the machine to determine the OS we are dealing with.

Based on the TTL value of 63, we can guess that the machine is running Linux. This is not certain, but it gives us an idea. For more information, see: Identify OS using TTL value.

Now, let’s go with an nmap scan to view the open ports.

sudo nmap -p- --open -sS --min-rate 5000 -n -v -Pn 10.14.0.32 -oN allPorts

-p- –> We are doing a scan against all 65535 ports to search for open ports.

--open –> It will only report open ports.

-sS –> SYN (half-open) scan; it is fast and can scan thousands of ports per second.

--min-rate 5000 –> It sets the minimum rate of packets sent per second to 5000.

-n –> Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds.

-v –> It will be verbose in its output.

-Pn –> This option skips the host discovery stage.

-oN –> It saves the output in normal format to a file called “allPorts”.

We find the following open ports:

Let’s take a look at what the page has.

Well… nothing: it is the default Apache2 page, so let’s start fuzzing.

You can use whatever fuzzing tool you want, in my case I am going to use wfuzz.

wfuzz -c --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.14.0.32/FUZZ

We are doing a simple directory fuzz, and we find a directory called website that seems interesting.

There is an about.html page, but it is not interesting.

So let’s start fuzzing again but this time let’s search for .html pages.

wfuzz -c --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.14.0.32/website/FUZZ.html

We found these: contact.html and search.html.

The contact.html page doesn’t appear to have any functional or reflected elements where we can inject something.

However, the search.html page is interesting because it is querying data from some backend, so we can test it for SQLi.

SQLi 💉:

So how can we know if this is vulnerable to SQL injection? Let’s try a simple injection like ' OR 1=1-- -. If this gives us all the data in the database, we can keep doing further injections to try to get credentials, if any exist.

Yeah! It returns every entry in the database.

Let’s start doing more injections 💉:

This is to view which fields of output we have control over.

' union select 1,2-- -

This is to view all the available databases. There, we can see an interesting database name, which is creds.

' union select 1,group_concat(schema_name) from information_schema.schemata-- -

With this, we can view the table names of the database, and there is only one table, which is named credentials.

' union select 1,group_concat(table_name) from information_schema.tables where table_schema="creds"-- -

With this, we can see the column names, which are username and password.

' union select 1,group_concat(column_name) from information_schema.columns where table_schema="creds" and table_name="credentials"-- -

So now that we have enumerated the database, let’s retrieve all the usernames and passwords.

' union select 1,group_concat(username,":",password) from creds.credentials-- -

With this we retrieve a single credential: charles:pyvzngr

You can learn how to do these injections here, and remember there is a lot of material out there to learn more about SQLi.
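To see why the search page behaves this way, here is an added example (not code from the challenge or from this write-up) that runs the same two payloads against a constructed SQLite table, once with the input spliced into the query text and once bound as a parameter; the table and column names are assumptions.

```python
import sqlite3

# Constructed stand-in for the search page's backend (not the challenge's real
# schema): a two-column table, matching the two fields the write-up controls.
SAMPLE_ROWS = [(1, "espresso"), (2, "latte"), (3, "cold brew")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE drinks (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO drinks VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    # The term is spliced into the statement text, so a quote ends the string
    # literal and whatever follows is parsed as SQL ("-- -" comments out the rest).
    sql = f"SELECT id, name FROM drinks WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # The term is bound as a parameter: the driver sends it as a value, so the
    # quote, "OR 1=1" and "UNION" are matched literally against the name column.
    sql = "SELECT id, name FROM drinks WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ["latte", "' OR 1=1-- -", "' UNION SELECT 1,2-- -"]:
        print(repr(payload), search_vulnerable(db, payload), search_safe(db, payload))
```

The vulnerable version returns all rows for the first payload and an extra (1, 2) row for the second, while the parameterised version returns nothing for either: that is the whole fix for this class of bug.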

So now that we have the credentials, we can try to log in through SSH, and once successful, we will have access to the machine as the user “charles”.

Privilege escalation 🚩:

Now that we are inside the machine, we need to do a couple of things to get a more comfortable shell:

  1. bash
  2. export TERM=xterm

This will allow us to clear the screen with Ctrl + L.

We need to enumerate the system to find a way to escalate privileges.

One thing I always check first is sudo -l. This command tells us whether we can execute commands as another user. If we are lucky, we might discover that we can execute commands with the privileges of the root user.

For more info about privilege escalation, check here.

We can see that we can execute a python3 script as the root user, but we can’t edit it :(

The script basically hashes a random value and writes it to a file. It doesn’t seem to be useful, but we can see that it imports various libraries.

The issue here is that we have write permissions on the directory where the Python3 script is located. Because Python puts the script’s own directory first in its module search path, we can add a malicious Python3 file there that shadows one of the imported libraries and gain a shell with root privileges. To accomplish this, we need to create a Python3 file named after the module that is being imported, like this:

Now, the only thing we need to do to become root is to execute the script with sudo privileges.
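As an added example (not part of the write-up or of the machine), here is a small audit that finds this misconfiguration from the defender’s side: it lists a script’s imports and reports any that a file in the script’s own directory would satisfy first, and whether that directory is group- or world-writable. The sample script and file names are constructed.

```python
import ast
import os
import stat

# Constructed stand-in for the root-run script in the write-up (its real source is
# not reproduced): hashes a random value and imports a few standard libraries.
SAMPLE_SCRIPT = """
import hashlib
import random
from os import path
digest = hashlib.sha256(str(random.random()).encode()).hexdigest()
"""

def imported_top_level_names(source):
    # Collect the first component of every absolute import in the script.
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names

def shadowed_imports(source, sibling_paths):
    # sibling_paths: directory entries relative to the script, regular packages
    # given as "name/__init__.py". sys.path[0] is the script's directory, so a
    # module or package named like an import there is found before the library.
    siblings = set(sibling_paths)
    return sorted(name for name in imported_top_level_names(source)
                  if f"{name}.py" in siblings or f"{name}/__init__.py" in siblings)

def dir_writable_by_non_owner(mode):
    # Group- or world-writable: anyone in that group (or anyone) can drop a module.
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_script(path):
    # Filesystem wrapper around the pure checks above; returns a list of findings.
    directory = os.path.dirname(os.path.abspath(path))
    siblings = set()
    for entry in os.listdir(directory):
        siblings.add(entry)
        if os.path.isfile(os.path.join(directory, entry, "__init__.py")):
            siblings.add(f"{entry}/__init__.py")
    with open(path, encoding="utf-8") as fh:
        source = fh.read()
    findings = []
    if dir_writable_by_non_owner(os.stat(directory).st_mode):
        findings.append(f"{directory} is group/world writable")
    for name in shadowed_imports(source, siblings):
        findings.append(f"'{name}' resolves from {directory}, not from the library")
    return findings
```

The fix on the machine side is to keep the directory root-owned and mode 0755, and to run such scripts with python3 -I (isolated mode) or, on Python 3.11+, -P or PYTHONSAFEPATH, which stop the interpreter from prepending the script directory to sys.path.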

Hope you like it and learn something new :)