2023 Business CTF: Contempt - Revenge

Challenge Information

Attribute    Details
Event        2023 Business CTF
Category     FullPwn
Challenge    Contempt - Revenge
Difficulty   Hard

Summary

A full-pwn challenge targets a complete host rather than a single binary or web application. Solving it means finding and exploiting flaws in the exposed services to gain an initial foothold, escalating from that foothold to root, and keeping access stable while the user and root flags are collected.


Analysis

This full-pwn challenge typically involves:

  • Network service enumeration and vulnerability discovery
  • Remote code execution exploitation
  • Local privilege escalation
  • Post-exploitation persistence mechanisms

Standard reconnaissance methodology:

  1. Port scanning to identify open services
  2. Service version detection and CVE research
  3. Vulnerability assessment and exploit development
  4. Initial shell acquisition
  5. Privilege escalation through kernel exploits, misconfigurations, or sudo access
  6. Flag retrieval (user.txt and root.txt) as proof of compromise
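Steps 1 and 2 above produce a scan that has to be turned into a list of exact service versions before CVE research can start. The shell script below is an added example, not part of the original writeup: it runs the same nmap scan with grepable output saved to a file, then parses that file into one "port/proto service version" line per open port, skipping closed and filtered ports. The scan line embedded in sample_gnmap is constructed data for the demo, not a real scan of the challenge host, and 10.10.10.5 is a placeholder address.

```shell
#!/bin/sh
# Added example (not from the original writeup): nmap grepable output -> version list.
# Grepable "Ports:" entries have the shape port/state/proto/owner/service/rpc/version/
set -eu

# Full scan with scripts and version detection; -oG writes the grepable file.
run_scan() {
    target=$1
    out=$2
    nmap -sC -sV -p- -oG "$out" "$target"
}

# Constructed sample scan for offline use; NOT a real scan of any host.
sample_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated (constructed sample, not a real scan)'
    printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5/, 80/open/tcp//http//Apache httpd 2.4.41/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65532)\n'
}

# Print "port/proto service version" for every open port in a .gnmap file ($1).
parse_open_ports() {
    awk '
        /^Host:/ && /Ports:/ {
            line = $0
            sub(/^.*Ports: /, "", line)            # drop the "Host: ip ()" prefix
            sub(/\tIgnored State:.*$/, "", line)   # drop the trailer when present
            n = split(line, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[2] != "open") continue        # skip closed/filtered ports
                v = (f[7] == "") ? "unknown" : f[7] # no -sV match for this port
                printf "%s/%s %s %s\n", f[1], f[3], f[5], v
            }
        }' "$1"
}

# With a target argument: scan it and print the version list.
# Without arguments: demonstrate the parser on the constructed sample.
if [ "$#" -ge 1 ]; then
    out=${2:-scan.gnmap}
    run_scan "$1" "$out"
    parse_open_ports "$out"
else
    tmp=$(mktemp)
    sample_gnmap > "$tmp"
    parse_open_ports "$tmp"
    rm -f "$tmp"
fi
```

The version strings this prints are what to feed to searchsploit or the NVD; a CVE that matches the product but not the exact build is a false lead, so keep the full string rather than just the product name.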

Solution

The general approach for full-pwn challenges:

  1. Enumerate services: Use nmap to discover open ports and services. A full-range scan with scripts and version detection is slow; scanning all ports first and re-running -sC -sV only on the ports found open gives the same information faster.

    nmap -sC -sV -p- <target>
  2. Identify vulnerabilities: Research CVEs for the discovered services, matching the exact version string rather than the product name alone

  3. Develop exploits: Create or adapt exploits for the identified vulnerabilities, checking that a public proof of concept targets the same build before running it

  4. Achieve initial access: Execute exploits to gain shell access, then upgrade the shell to a stable TTY before continuing

  5. Escalate privileges:

    • Check sudo permissions (sudo -l); a NOPASSWD entry or a sudo-able interpreter is usually the intended path
    • Look for world-writable files in critical locations (/etc, scripts run by root, directories on root's PATH)
    • Look for SUID/SGID binaries that are not part of the base system
    • Search for kernel exploits matching the exact kernel version, treating them as a last resort because a failed attempt can crash the box
    • Enumerate cron jobs (/etc/crontab, /etc/cron.d, /var/spool/cron) for root jobs that run writable scripts
    • Check for file capability assignments (getcap -r / 2>/dev/null)
  6. Obtain flags:

    • Locate user.txt in home directories
    • Locate root.txt in /root directory
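The checks in the privilege-escalation step are faster to run as one script than one at a time. The following is an added example, not code from the original writeup: a POSIX sh enumeration script whose functions take the directory to search, so they can be pointed at / on the target or, with no arguments, at a constructed sample tree. The backup.sh, rotate.sh and helper files, the crontab contents and the user names in it are invented for the demo. The cron check goes one step beyond listing jobs: it reports root cron commands whose script file the current user can overwrite, which is the condition that actually turns a cron job into an escalation.

```shell
#!/bin/sh
# Added example for the privilege-escalation step; not part of the original
# writeup. Functions take the directory to search so they work on "/" or on
# the constructed sample tree built by make_sample_tree (demo data only).
set -eu

# SUID/SGID binaries. Anything outside the stock set is worth a GTFOBins lookup.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# World-writable regular files. A writable script or config used by root is a
# direct escalation path; /proc is excluded because its modes are misleading.
find_world_writable() {
    find "$1" -xdev -type f -perm -0002 ! -path '*/proc/*' 2>/dev/null | sort
}

# System-crontab entries (m h dom mon dow user command) whose command file the
# current user can write. Overwriting that script gives a shell as that user
# the next time cron fires. Prints "user /path/to/command".
writable_cron_targets() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r m h dom mon dow user cmd; do
        [ -n "$cmd" ] || continue          # env lines such as SHELL=/bin/sh
        target=${cmd%% *}                   # first word of the command
        case "$target" in
            /*) if [ -w "$target" ]; then printf '%s %s\n' "$user" "$target"; fi ;;
        esac
    done
}

# Passwordless sudo rights and file capabilities; both only mean something on
# the real host, so the demo below does not call this.
check_sudo_and_caps() {
    sudo -ln 2>/dev/null || echo "no passwordless sudo entries (or sudo absent)"
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null || true
    fi
}

# Constructed sample tree: one SUID helper, one world-writable script that a
# root cron job runs, one read-only script. Prints the tree's root directory.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/local/bin" "$d/etc"
    printf '#!/bin/sh\necho backup\n' > "$d/usr/local/bin/backup.sh"
    chmod 777 "$d/usr/local/bin/backup.sh"   # world-writable, run by root from cron
    printf '#!/bin/sh\necho rotate\n' > "$d/usr/local/bin/rotate.sh"
    chmod 555 "$d/usr/local/bin/rotate.sh"   # run by root, but not writable
    : > "$d/usr/local/bin/helper"
    chmod 4755 "$d/usr/local/bin/helper"     # SUID bit set
    printf '%s\n' \
        'SHELL=/bin/sh' \
        '# m h dom mon dow user command' \
        "*/5 * * * * root $d/usr/local/bin/backup.sh" \
        "0 3 * * * root $d/usr/local/bin/rotate.sh --quiet" \
        > "$d/etc/crontab"
    chmod 644 "$d/etc/crontab"
    printf '%s\n' "$d"
}

if [ "$#" -ge 1 ]; then
    root=$1
    echo "== SUID/SGID =="; find_suid "$root"
    echo "== world-writable files =="; find_world_writable "$root"
    echo "== writable root cron targets =="; writable_cron_targets "$root/etc/crontab"
    echo "== sudo / capabilities =="; check_sudo_and_caps "$root"
else
    root=$(make_sample_tree)
    echo "== SUID/SGID =="; find_suid "$root"
    echo "== world-writable files =="; find_world_writable "$root"
    echo "== writable root cron targets =="; writable_cron_targets "$root/etc/crontab"
    rm -rf "$root"
fi
```

On a real target run it as sh enum.sh /; on the demo tree it reports the helper as SUID, backup.sh as world-writable, and backup.sh again as a writable root cron target, while rotate.sh is listed nowhere because only its mode is interesting and that mode is not writable.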

Key Takeaways

  • Full-pwn challenges require a holistic understanding of system security, from network services to local permissions
  • Thorough enumeration and reconnaissance are the foundation; most failed attempts come from skipping them
  • Full compromise usually means chaining several weaknesses rather than one exploit
  • Post-exploitation persistence keeps access if an unstable initial shell drops mid-chain
  • Defense-in-depth would break many of these compromise chains at the first link
  • Regular patching and configuration hardening are essential
  • Always audit sudo permissions, SUID binaries and file ownership