A very interesting CTF VM from HackMyVm; it can be downloaded here.
An nmap port scan.
On port 80, index.html has a useful message.
Wireshark capture files have the extension .pcap. Add it to the directory/file brute-force extension options.
gobuster dir -u http://192.168.56.43 -t 50 -x .html,.php,.txt,.pcap -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b 400,403,404,500 --wildcard -o 80.log
Download it and open it with Wireshark. First, we can find the username/password pair "teste:simple".
Second, we notice a file named "mysecret.png".
Third, we notice a file named "filexxx.zip".
We can log in to FTP as teste now. It looks like teste's home folder.
In the parent folder, we can see the other two users.
The note.txt says: I need to find the file.
That's all for FTP; now we need an SSH login. We try to fetch filexxx.zip directly from port 80, and there is indeed a filexxx.zip.
Unzipping it, we get a file named "id_rsa", which belongs to teste.
But in fact we can do nothing with user "teste" for now, so we need to find another way. The filexxx.zip we downloaded from port 80 is 1.5k.
But the filexxx.zip in the Wireshark capture file is 38k. Apparently the two filexxx.zip files have the same name but different contents.
We can export filexxx.zip from Wireshark via File --> Export Objects --> HTTP.
Give it a new name and unzip it; we get an image, mycode.png.
It's a QR code. Decoding it online gives us a URL.
Fetch the file with wget as user teste.
Now we have jackob's private key and can SSH in as user jackob.
Sudo shows jackob can run a bash script and switch to kratos.
But jackob has no write permission on the file.
Changing the file content directly fails.
But if we create another file, we can move it over attack.sh (the directory is writable even though the file is not). So we create a.sh, which contains the single line "bash".
Run it with sudo, and we are kratos now.
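The weakness above is a sudo target living in a directory its invoker can write to. The following audit script is an added example, not code from the VM or this write-up; it assumes a sudoers-style file layout and checks each referenced command path for a group- or world-writable file or parent directory, on a constructed fixture that mirrors the attack.sh case.

```shell
#!/bin/sh
# Added example, not code from the VM or the write-up: audit the command targets
# in a sudoers-style file and flag any whose file OR parent directory is group-
# or world-writable. A read-only script in a writable directory can still be
# replaced with mv, which is what let jackob swap out attack.sh above.

# Succeed when PATH itself is writable by group or others.
loosely_writable() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -002 -o -perm -020 \) 2>/dev/null)" ]
}

# Print the absolute command paths referenced by a sudoers-style file, skipping comments.
sudoers_command_paths() {
    grep -v '^[[:space:]]*#' "$1" | grep -o '/[^[:space:],]*' | sort -u
}

# One line per command: "REPLACEABLE <path>" if the script or its directory
# can be altered by non-owners, otherwise "OK <path>".
audit_sudoers() {
    sudoers_command_paths "$1" | while IFS= read -r cmd; do
        if loosely_writable "$cmd" || loosely_writable "$(dirname "$cmd")"; then
            echo "REPLACEABLE $cmd"
        else
            echo "OK $cmd"
        fi
    done
}

# Number of REPLACEABLE findings (grep -c exits 1 on zero matches, hence || true).
count_replaceable() {
    audit_sudoers "$1" | grep -c '^REPLACEABLE ' || true
}

# Constructed fixture under DIR: one script in a world-writable directory (the
# attack.sh situation), one in a locked-down directory, plus a sudoers file.
make_demo_fixture() {
    mkdir -p "$1/loose" "$1/tight"
    chmod 777 "$1/loose" && chmod 755 "$1/tight"
    printf '#!/bin/sh\necho attack\n' > "$1/loose/attack.sh"
    printf '#!/bin/sh\necho safe\n' > "$1/tight/safe.sh"
    chmod 755 "$1/loose/attack.sh" "$1/tight/safe.sh"
    printf '# constructed sudoers sample\njackob ALL=(kratos) NOPASSWD: %s\njackob ALL=(kratos) NOPASSWD: %s\n' \
        "$1/loose/attack.sh" "$1/tight/safe.sh" > "$1/sudoers"
}

demo_dir=$(mktemp -d)              # stand-alone demo run on the constructed fixture
make_demo_fixture "$demo_dir"
audit_sudoers "$demo_dir/sudoers"  # prints REPLACEABLE .../loose/attack.sh and OK .../tight/safe.sh
rm -rf "$demo_dir"
```

On a real host, point audit_sudoers at /etc/sudoers and the files under /etc/sudoers.d (as root) to spot the same pattern.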
kratos can run cppw with sudo.
Its help says cppw can replace the passwd file.
We generate a password hash.
Then copy /etc/passwd to /tmp and add a new line with the name "windy" and root privileges.
Finally, we get root.