StegaPwn CyberSpace Kenya Walkthrough

Musyoka Ian
7 min read · Jan 17, 2021


Hello guys, back again with another walkthrough. This time we’ll be handling another boot2root capture the flag challenge that involves a bit of steganography. It’s called StegaPwn. If you want to try the challenge, please register a user using the link provided and you’ll have access to the challenge. I really like the room since it made me learn a new and really amazing tool I had never heard of before. The room is actually a fun one, so without much more said let’s jump in.

The challenge starts by providing an image.

Just a screenshot, not the real image

From previous CTFs I’ve done, this hinted at steganography, which is the practice of concealing a message within another message or a physical object. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video.

First I downloaded the image to my local box and then started playing with it.

The first and most important tool I ran was strings, to see if I could retrieve any meaningful strings from the image, but I got nothing.

Next I ran exiftool; the purpose of this tool was to check the metadata and see if anything stood out, but still I got nothing useful.

Next I ran binwalk to see if there were any embedded files. If there were, we could extract them using either foremost or binwalk itself.

Looking at the screenshot above, you can see that the file consisted only of a JPEG image. That was a dead end.
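The simplest kind of embedded file that binwalk reports is data appended after a JPEG’s End-Of-Image marker (FF D9). As an added example, not part of the original walkthrough and not how binwalk itself works, the POSIX sh functions below count the bytes that follow the last FF D9 marker and turn that into a triage verdict. The sample files (a minimal SOI..EOI stub, a copy with text appended, and a non-JPEG) are constructed inside the script, and all function names are my own.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): detect data appended
# after a JPEG's End-Of-Image marker, the simplest "embedded file" case.
# Sample files are constructed below so the script runs offline.

# Prints the number of bytes that follow the last FF D9 marker in the file,
# or -1 if no EOI marker is present at all.
bytes_after_jpeg_eoi() {
    od -An -v -tx1 "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              # n is the 0-based index of the current byte; prev persists across lines
              if (prev == "ff" && $i == "d9") eoi_end = n + 1   # bytes up to and including EOI
              n++; prev = $i
          } }
        END { if (eoi_end == 0) print "-1"; else print n - eoi_end }'
}

# Wraps the count in a verdict a triage script can act on:
# "clean", "trailing:<N>" or "no-eoi".
jpeg_trailer_verdict() {
    n=$(bytes_after_jpeg_eoi "$1")
    if [ "$n" -lt 0 ]; then echo "no-eoi"
    elif [ "$n" -eq 0 ]; then echo "clean"
    else echo "trailing:$n"
    fi
}

# Constructed fixtures: a minimal SOI..EOI stub, a copy with text appended,
# and a file that is not a JPEG at all. Prints the directory they live in.
build_samples() {
    d=$(mktemp -d)
    printf '\377\330JFIF\377\331' > "$d/clean.jpg"        # FF D8 "JFIF" FF D9
    cp "$d/clean.jpg" "$d/stuffed.jpg"
    printf 'hidden payload' >> "$d/stuffed.jpg"           # 14 bytes after EOI
    printf 'not a jpeg' > "$d/text.bin"
    echo "$d"
}

SAMPLES=$(build_samples)
for f in "$SAMPLES"/*; do
    echo "$f: $(jpeg_trailer_verdict "$f")"
done
```

A real JPEG can legitimately contain FF D9 inside embedded thumbnails, which is why the check keys on the last marker; anything non-zero after it is worth a closer look with binwalk or a hex dump, while "no-eoi" on a file claiming to be a JPEG is itself a finding.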

Next I tried to extract files using steghide. If we were lucky and the files had been embedded without a passphrase, we could easily extract them.

But looking at the above screenshot, it failed. Now that all methods had failed, I opted for a brute-force attack.

Maybe a file was embedded and we needed the right passphrase to extract it. Doing some research, I found a tool called stegseek, which brute-forces passwords almost 100,000 times faster than stegcracker. You can go through the entire rockyou wordlist in less than 10 seconds.

I installed the tool on my box and then ran it. It uses the same arguments as stegcracker.

And voila, after chewing through 84.87% of the wordlist it found the right passphrase and even went a step further and extracted the contents, saving them in a file called index.jpeg.out.

Looking at the file, I got some SSH credentials.

I used those credentials and logged into the box.

Sweet, we are in the box. Next I downloaded linpeas to the box. Linpeas is a bash script which checks for privilege escalation vectors and outputs the information in really awesome colors. It’s actually my go-to script when it comes to checking for privilege escalation on a UNIX-based system.

Looking at the output of linpeas, you can see that we have write access to a file in

/usr/local/sbin/

Taking a closer look at the file, you can see that it has

read, write and execute permission for every user

Meaning the permissions of the file were changed so that any user could alter the file’s contents in any way they deem fit.

This was achieved using the command

chmod 777 /usr/local/sbin/runshell.sh

The file seems to be run by a cron job, which we will see later executes every 5 minutes.

I downloaded pspy to the box. pspy is a Linux process monitor written in Go, and I used it to monitor the processes being executed on the box.

Looking at the screenshot below, you can see that runshell.sh, the file which we have write access to, is executed by a user with UID (user id) 1000.

Looking at the passwd file, you can see that that user id belongs to the user r374RD.

Meaning if we put a reverse shell in the runshell.sh file, when the user r374RD executes the file we will get a shell as him.

The file simply runs any bash commands saved in the file as the user r374RD.

The easiest way I used to get a reverse shell on the box was a bash reverse shell payload, which I added to the file.

Next I used ngrok to port forward, since it makes it easy to perform port forwarding in the real world, where VPN config files are not used like in CTFs.

Next I converted the ngrok hostname to an IP address because that always seems more convenient to me, but it’s not necessary; you can use the hostname and it’ll still work.

And then I put together the entire bash reverse shell payload and added it to the runshell.sh file.

Next I set up a netcat listener and waited for the 5 minute mark to hit.

And looking at the screenshot below, once the 5 minute mark hit I had a reverse shell as the user r374RD.

Looking at the screenshot above, we have successfully elevated our privileges to the user r374RD using a cron job whose script, runshell.sh, was world writable. Next I decided to add an SSH public key to the user r374RD’s authorized_keys file, since I really prefer using SSH shells if the SSH service is running on a box.

And then I logged in as the user r374RD using SSH.

Running sudo -l, we find that we could run commands as any user without a password.

Running the command

sudo su

we are directly dropped into a root shell, and going to the root folder we get the flag.

Looking at the contents of the flag file, you’ll see that it perfectly fits the misconfiguration that the box has.

BONUS

A few days after completing the box, a really great friend of mine got back to me concerning privilege escalation, and when I took another look at the box I found that the SUID bit that I had used for privilege escalation to the user r374RD the first time was missing. I was told that was an unintended way to solve the box, since those were test materials left behind during the testing phase of the box. But I decided to leave this piece here below since I’ve seen some boxes before using this same methodology for privilege escalation.

Looking at the output of linpeas, we see a bash binary in /tmp which has the SUID bit set.

Meaning we can execute the binary in the context of the user r374RD. Sweet, by just using the command

./bash -p

we could escalate our privileges to the user r374RD.
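The three misconfigurations this box turned on (a cron job running a world-writable script, a sudoers rule granting every command with NOPASSWD, and a stray setuid binary in /tmp) are all cheap to audit from the defender’s side, and each is a finding linpeas would also surface. The POSIX sh audit below is an added example, not part of the original walkthrough and not linpeas’s code. It runs against a constructed fake root built by build_fixture (assumed layout: etc/crontab and etc/cron.d/ for system crontabs, etc/sudoers, and scripts at the absolute paths the crontab names), so it never touches the real system; fix_world_writable shows the remediation for the runshell.sh permissions. The crontab and sudoers lines are constructed from what the walkthrough describes, not copied from the box.

```shell
#!/bin/sh
# Added audit example (not from the original walkthrough and not linpeas):
# flags the three misconfigurations the box relied on, against a constructed
# fake root so it can be run anywhere. Assumed layout: system crontabs in
# etc/crontab and etc/cron.d/, sudoers in etc/sudoers, scripts at the
# absolute paths the crontab names.

# 1. Scripts referenced from system crontabs that are world-writable
#    (the runshell.sh problem). Prints "<crontab>: <script>" per finding.
find_world_writable_cron_scripts() {
    root="$1"
    for tab in "$root/etc/crontab" "$root"/etc/cron.d/*; do
        [ -f "$tab" ] || continue
        grep -v '^[[:space:]]*#' "$tab" | while read -r line; do
            set -f                      # crontab fields like */5 must not glob
            for tok in $line; do
                case "$tok" in
                    /*) path="$root$tok"
                        # -perm -0002: the "other" write bit is set
                        if [ -f "$path" ] && [ -n "$(find "$path" -perm -0002)" ]; then
                            echo "$tab: $tok"
                        fi ;;
                esac
            done
            set +f
        done
    done
}

# 2. setuid binaries outside the directories where they are expected
#    (the /tmp/bash problem). Prints the path relative to the root.
find_suid_outside_system_dirs() {
    root="$1"
    find "$root" -type f -perm -4000 | while read -r f; do
        rel="${f#"$root"}"
        case "$rel" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*) ;;
            *) echo "$rel" ;;
        esac
    done
}

# 3. sudoers rules that grant every command without a password
#    (what "sudo -l" showed). Prints the matching rule lines.
find_nopasswd_all_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -E 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' || true
}

# Remediation for finding 1: drop group/other write, keep it executable.
fix_world_writable() {
    chmod 755 "$1"
}

# Constructed fake root reproducing each finding next to a correct counterpart.
build_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/usr/local/sbin" "$d/usr/bin" "$d/tmp"
    printf '*/5 * * * * r374RD /usr/local/sbin/runshell.sh\n' > "$d/etc/crontab"
    printf '0 3 * * * root /usr/local/sbin/backup.sh\n' > "$d/etc/cron.d/backup"
    printf '#!/bin/bash\n' > "$d/usr/local/sbin/runshell.sh"
    printf '#!/bin/bash\n' > "$d/usr/local/sbin/backup.sh"
    chmod 777 "$d/usr/local/sbin/runshell.sh"    # the misconfiguration
    chmod 755 "$d/usr/local/sbin/backup.sh"      # correct
    : > "$d/tmp/bash";       chmod 4755 "$d/tmp/bash"        # stray setuid copy
    : > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd"  # expected setuid
    printf 'root ALL=(ALL) ALL\nr374RD ALL=(ALL) NOPASSWD: ALL\n' > "$d/etc/sudoers"
    echo "$d"
}

FIXTURE=$(build_fixture)
echo "== world-writable cron scripts =="; find_world_writable_cron_scripts "$FIXTURE"
echo "== setuid outside system dirs ==";  find_suid_outside_system_dirs "$FIXTURE"
echo "== NOPASSWD: ALL rules ==";         find_nopasswd_all_rules "$FIXTURE/etc/sudoers"
```

Point the functions at / instead of the fixture to run them on a real host; the cron check only covers system crontabs, so per-user crontabs under the spool directory and anything launched from a script that cron does call still need a separate look.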

Let’s do it

Nice, we are done. Hope you enjoyed the walkthrough. If you did, clap for me down below and follow me so that you won’t miss any upcoming articles.


Written by Musyoka Ian

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)
