Waldo was a great box and what makes it special is its unique way in getting the root flag. Every step with this box was very fun and I liked this box too much.
It’s a linux box and its ip is 10.10.10.87 so let’s jump right in
Starting with nmap to scan for open TCP ports and services.
nmap -sV -sT 10.10.10.87
We only see http on port 80 and ssh on port 22.
On port 80 there’s a web application called List Manager.
We will intercept the traffic with Burp then we will start to perform actions on the application like creating a list , editing it , deleteing it etc..
By looking at the requests we will find two interesting requests.
The POST request to fileRead.php and the POST request to dirRead.php.
Let’s send them to the repeater and play with them.
We will notice that dirRead.php lists the contents of a directory by giving the path in a POST request so we might have a path traversal vulnerability here.
If we tried to go up one directory it works
But going up 2 directories doesn’t work so there might be a filter that prevents that.
We can try to bypass the filter by adding another
../. And it worked
Then after enumerating in home directory we will find out that we can read the ssh key of a user called nobody
/home/nobody/.ssh but the ssh key is called
But we can only read directories with dirRead.php.
If we check fileRead.php we will find a path traversal there too.
Now we have the key but it’s json decoded. We can use any online json decoder.
Now will change permissions to 600 then try ssh with nobody. If we try monitor it will give us permission denied.
chmod 600 monitor.key
ssh -i monitor.key firstname.lastname@example.org
And we got user !
After we login as nobody we need to elevate to a higher privileged user.
Since we couldn’t ssh as monitor before let’s try again but this time locally.
And We’re in as monitor .
But we are in a restricted shell and can’t run commands.
We can try some commands and ls will work.
We see two directories app-dev and bin.
Let’s ls bin and see what commands can we run.
We can run
rnano and red are restricted versions of the text editors nano and ed
We can use
red to escape.
We will run it first .
Then we will execute sh from the editor.
And we cd to
/bin and execute
And we escaped the shell !
This is where the awesome part comes. For me it was the first time to deal with linux capabilities.
If we look at the bins in
/sbin we will see
So If we run getcap on the bin folders.
We will find under
/usr/bin that a binary named tac has the
cap_dac read_search+ei capability.
This allows it to read files as root.
And tac does exactly the same as cat but the name is reversed.
We can simply read root.txt