Culimomnibus CYSCA Challenge Writeup
DISCLAIMER: I am not a hacker
So I just woke up from a 12 hour slumber. This challenge took me probably longer than 10 hours and almost killed me, so as probably the least qualified person in universe, I’m going to explain it.
This was the third challenge in the Corporate Pentesting challenge.
It asks you to assess an FTP server to see if you can leverage it to gain root access. In the previous challenge, you’re required to do a Zone transfer, and I saw that ftp.tictoc.cysca existed. So, I browsed to that address in my browser and there were some Windows shares. I was able to view some shared Software, including WinSCP Portable which is a Windows FTP client. I decided that was going to be helpful, as a portable version would probably store some user/session details within the same directory. I checked the .ini and saw the saved username and what looked like a hashed password for the user ‘mctarget’:
Because WinSCP is a Windows application, I downloaded the .exe and the .ini to my Windows installation and ran it. It logged into the FTP server and I was able to go up a few directories and browse most of the server, however there were a few directories and files I was unable to view, including the /etc/sudoers file and the /root directory. This was due to the permissions that mctarget had.
I thought it would be helpful if I could get shell to the server instead of WinSCP so I could run some commands against the FTP server. The password from the ini file is hashed or encrypted though. Luckily, WinSCP allows you to copy the session URL to the clipboard: https://winscp.net/eng/docs/ui_generateurl
Using this, I was able to see the password in almost plaintext: S0Str0ng%21N0tFl%40gTh0
%21 is encoded for ! and %40 is encoded for @
The password for mctarget is S0Str0ng!N0tFl@gTh0
I used PuTTY to SSH into the FTP server. I knew that I needed to escalate mctarget’s privileges somehow. The sudoers file looked like a good place to start, but mctarget didn’t have permission to view it.
After smashing my face against the keyboard, consuming more V than anyone had thought previously possible, and just hating life in general, I came across some posts about an exploit for editing files that you don’t have permission to edit: https://www.exploit-db.com/exploits/37710/
The exploit seemed like it could help. It says you can use sudo -e to edit a file you don’t have permission to access/view/execute if you run the ‘sudoedit’ command against a symlink that points to a file, rather than the file directly, so long as the ‘sudoers’ file has an entry with more than two wildcards, “*”.
CYSCA released a hint that basically said to use sudo -l. Research told me to use it multiple times, so I used ‘sudo -l -l’ and it showed me something interesting. I don’t have access to the FTP server anymore, so I’m doing this from memory:
/etc/bin/vi /var/ftproot/[A-Z, a-z, 0-9]*
vi, of course, is a text editor. It looked like I could use the exploit detailed above if I placed a symlink to sudoers in the ftproot directory.
The command to create the symlink: ln -s /etc/sudoers /var/ftproot/home/mctarget/link
With the link in place, I was ready to try the exploit: sudo vi /var/ftproot/home/mctarget/link
And there it was – the sudoers file had opened in vi.
There was an entry that basically said “ALL users have no sudo permissions’. I removed a single ! from the sudoers file (in vi, you press x) to change this. The file was readonly, however if you press ESC, then type :w! it would write to it anyway.
So, now mctarget has more sudo permissions! I used ‘sudo chmod 777 -R /root’ to give mctarget full permissions to the root directory. I can now browse this directory. There was a file call flag.txt. Inside this file was the flag.
This may have taken me in excess of 10 hours, but, shut up.











