StegaPwn CyberSpace Kenya Walthrough

The challenge just starts by providing an image

Just a screenshot not the real image

From previous CTF’s I’ve done before this hinted on stenography which basically is the practice of concealing a message within another message or a physical object. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video

First i downloaded the image to my local box and then started playing with it

First and most important tool i ran was strings to see if i could retries any meaningful strings from the image but got nothing

Next i ran exiftool the purpose of this tool was to check the metadata and see if anything will stand out but still got nothing useful

Next i ran binwalk to see if there were any embedded file if there were any files present we could extract the files using either foremost or binwalk itself

Looking at the screenshot above you can see that the file only consisted of a JPEG image that was a dead end

Next i tried to extract files using steghide. If we are lucky and the files were not stored using a passphrase we could easily extract them

But looking at the above screenshot it failed. Now that all method had failed i opted for a brute force attack.

Maybe a file was embedded and we needed the right phrase to extract it. Doing some research i found a tool called stegseek which brute force passwords at almost 100,000 times faster than stegcracker. You can go though the entire rockyou wordlist in less than 10 seconds

I installed the tool on my box and then ran it. It uses the same arguments just like stegcracker

And voila after chewing through 84.87% of the wordlist it found the right passphrase and even went a step further and extracted the contents and saved then in a file called index.jpeg.out

Looking at the file i got some ssh credentials

I used those credentials and logged into the box

Sweet we are in the box. Next i downloaded linpeas to the box. Linpeas is a bash script which checks for any privilege escalation vectors. And it outputs the information in really awesome colors. It’s actually my go to script when it comes to checking for privileged escalation on a UNIX bashed system

Looking at the output of linpeas you can see that we have write access to a file in

/usr/local/sbin/

Taking a closer look at the file you can see that it has

read write execute permission for every user

Meaning the permissions of the file were changed so that any user could alter the file’s contents in anyway they dim fit

This was achieved using the command

chmod 777 usr/local/sbin/runshell.sh

The file seems to be running a cron job which we will se later executes every 5 minutes

I downloaded pspy to the box. Pspy is a Linux process monitor written in go language and monitored the processes being executed on the box

Looking at the screenshot below you can see runshell.sh the file which we have write access us executed by a user with UID(user id) 1000

Looking at the passwd file you can see that that user id belong to the user r374RD

Meaning if we put a reverse shell to runshell.sh file the user r374RD when he execute the file we will get a shell as him

The file simple runs any bash commands saved on the file as the user r374RD

The easiest way i used to get a reverse shell on the box was by using a bash reverse shell payload which i added to the file

Next i used ngrok to port forward since it make it easy to perform port forwarding in the real world where vpn config file are not used like CTF

Next i converted the ngrok hostname to an IP address because it always seems to be convenient to me but not necesary you can use the hostname and it’ll still work

And then compiled the entire bash reverse shell payload and added it to runshell.sh file

Next i did set up a netcat listener and waited for the 5 minute mark to hit

And looking at the screenshot below once the 5 minute mark hit i had a reverse shell as the user r374RD

Looking at the screenshot above we have successfully elevated our privileges to the user r374RD using a cronjob which apparently was which runshell.sh was world writable. Next what i decided to add a SSH public key in that users r374RD authorized_file file since i really prefer using SSH shells if SSH service is running on a box

And then logged in as the user r374RD using SSH

Running sudo -l we find that we could run commands as any user without a pasword

running the command

sudo su

We are directly dropped us to a root shell and going to the root folder we get the flag

Looking at the contents of the flag file you’ll see that it perfectly fit the misconfiguration that the box has

A few day later after completing the box a really great friend of mine got back to me concerning privilege escalation and when i took another look at the box i found that the SUID bit that i had used for privilege escalation the first time to the user r374RD was missing and was told that was an unintended way to solve the box since those were test materials left back doing the testing phase of the box.But i decided to leave this piece here below since I’ve seen some boxes before using this same methodology for privilege escalation

Looking at the output of linpeas we see a bash binary in /tmp which as a SUID bit set

Meaning we can execute the binary in the context of the user r374RD. Sweet by just using the command

./bash -p

We could escalate our privileges to the the user r374RD

Let’s do it

Nice we are done Hope you enjoyed the walkthrough. If you clap for me down below and follow me so that you won’t miss any upcoming articles

--

--

--

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Tilla Progress Report: January 2022

They want immediate gains and instant gratification, even if part of them knows it’s smoke and…

First day as QA

How To Build Your Blog Site: A Tutorial, Part 1

How to Build Your Own Blog Site

Introducing: openTenancy — Event Recap

Explore the possibilities with hundreds of domain extensions — {link} -

Booking’s Journey with Brotli

The Transfagarasan road in Romania has many tight curves & winds up a mountain. It gives stunning views & a challenging drive

Stop reading. Start coding. Share your knowledge.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Musyoka Ian

Musyoka Ian

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)

More from Medium

Log4Shell

Vulnerability

THM Blue