Parrot CTFs: Tiki 2 Writeup
Task 1 — Deploying The Box
To start off with the Tiki box, you first must deploy it. You can find this box at https://parrot-ctfs.com. I highly recommend signing up and possibly upgrading to PRO as their boxes are very engaging and fun.
Once you sign up and find the box in the “Lab Machines” drop-down, you can click the “Start” button and the box will begin to spin up (with only a 30-second wait time, by the way).
Task 2 — Recon
Once you have the IP address of the box and you are connected to the VPN, you can begin to perform recon.
By performing a simple Nmap scan, we can see that the box has a web server running on port 80/tcp.
Now that we have found a web server, the next logical step I thought of was a directory brute force. This can be accomplished with dirb.
We will first visit the robots.txt as sometimes directories are hidden there.
/tiki caught my eye, let’s go there first!
This login page looks like we could maybe exploit it later, but for the time being, I want to check out the cron-trigger.php file that we found in the robots.txt file.
Task 3 — Exploitation
The page looked like a blog about ethical hacking. But when I scrolled to the bottom, I saw an input field that asked for an IP. After I saw that, I knew it was going to make a connection to that IP somehow.
I started a listener on port 80 and put my IP in the input form. In moments, I saw a connection back to my IP with a Base64 encoded Authorization header.
After decoding the Base64 string, we see a username and password combo which I assume is being used for the login page.
I was correct. In the admin panel, I saw a section called “Edit Templates”. Often, CMS services/themes do not restrict which files can be edited, which can lead to a shell. With that thought, I navigated to the “Edit Templates” section.
After some research, I learned that I was allowed to include another file inside of this template file. I thought: “There has to be a database running this”, so I tried to include a common file that stores database logins.
And just like that, we have the login to the database. During my reconnaissance, I also noticed that phpMyAdmin was installed. phpMyAdmin is a web UI to interact with a MySQL (or similar) database, so let’s navigate there and attempt to use the credentials we just obtained to log in to the database.
The first user looks like the admin user. Since we already know the second user’s credentials (we decoded them from the Base64 string), let’s set the first user’s hash to the second user’s hash and try to log in as the first user.
Success! In the cron scheduler, we are going to schedule a reverse shell to run and then start our Netcat listener to get a connection back from the shell.
Back at our listener, we got a connection back from the vulnerable box and we now have access!
As I was poking around the server, I found a file called purple_des.py and I also found out that I can access backup.data as SUDO. I remember “pickle” being related to insecure deserialization from past labs and boxes that I’ve done, so I researched it further.
I found an article that told me to use this code, so I copied it to the backup file and then ran the purple_des.py file (after fixing the indentations).
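The weakness here is that `pickle.load()` on a file a lower-privileged user can write will execute whatever the pickle stream references. As an added defensive illustration (not code from this writeup or from the box), the snippet below shows two checks a maintainer of a script like purple_des.py could apply: a `pickletools` scan that flags the opcodes able to run code, and a restricted `Unpickler` that only permits plain built-in types. The backup contents and the names `scan_for_code_opcodes` / `restricted_loads` are assumptions for the example.

```python
import builtins
import collections
import io
import pickle
import pickletools

# Opcodes that can cause arbitrary callables to be resolved and invoked
# while unpickling; a plain data backup should never need any of them.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "REDUCE",
                "BUILD", "NEWOBJ", "NEWOBJ_EX"}

# Built-in types a backup file is allowed to reference by name.
SAFE_BUILTINS = {"dict", "list", "set", "tuple", "str", "bytes",
                 "int", "float", "bool"}


def scan_for_code_opcodes(data: bytes) -> set:
    """Return the set of dangerous opcodes present, without executing anything."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CODE_OPCODES}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global except a short allow-list of builtins."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is forbidden in a backup file")


def restricted_loads(data: bytes):
    """Deserialize untrusted bytes with the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    # Constructed sample backups: one plain dict, one that drags in a
    # class reference (harmless here, but the same mechanism an attacker abuses).
    plain = pickle.dumps({"user": "silky", "files": ["notes.txt"]})
    with_global = pickle.dumps(collections.OrderedDict(a=1))
    print("plain backup flagged opcodes:", scan_for_code_opcodes(plain))
    print("global backup flagged opcodes:", scan_for_code_opcodes(with_global))
    print("restricted load of plain backup:", restricted_loads(plain))
    try:
        restricted_loads(with_global)
    except pickle.UnpicklingError as exc:
        print("restricted load rejected:", exc)
```

Running a privileged script over a world-writable pickle is the root cause; the scan and the allow-list only reduce the blast radius if the file format cannot be changed to something data-only such as JSON.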
Awesome! We now have access to the “silky” user and we can get a reverse shell over a Netcat listener by editing that backup file once again to connect to our machine.
Task 4 — Privilege Escalation
In this box, we will be exploiting lxc in order to gain root access. If you need help with this part, please refer to: https://www.hackingarticles.in/lxd-privilege-escalation/
In short, if you follow those steps you will get the root flag.
I hope you enjoyed this box as much as I did. If you have any questions, please redirect them to the amazing Parrot CTF team!