# I participated in a "Hack Night" and survived it
Hello, hackers and writers.

Someone at the local hackerspace convinced me to give the CTFish event at
their pentesting company a try. There will be free pizza and caffeinated
drinks, they said. Even more surprisingly, those without a team would get the
chance to join a random one, a strategy I haven't seen for this yet.

Today I tried my skills and found them subpar. It was all web challenges in
PHP with some kind of exploit giving you command execution, a privilege
escalation and finally some way to read the flag. There's one nifty thing I
came up with for a medium difficulty box after my team mate got command
execution, but struggled with privilege escalation. Executing `sudo -l`
showed one privileged command, the venerable nmap port scanner. If you look
around the webs, you'll find exactly one way to get out of it; however, it
doesn't apply to anything but completely ancient versions. There had to be a
different way...

One of the lesser known nmap features is that it can be scripted to execute
code after detecting an open port, to test the service behind it for
interesting functionality. What I didn't know until today is that these
scripts are just Lua code. Here goes my very first Lua program:

```lua
-- portrule decides whether the action runs for a given host/port;
-- returning true unconditionally fires it on every open port nmap finds.
portrule = function(host, port)
  return true
end

-- action runs as the same user as nmap itself (root under sudo),
-- so the shell command below executes with those privileges.
action = function(host, port)
  require("os").execute("echo 42 > /tmp/pwn")
end
```

Save the above as exploit.nse, then execute `nmap --script exploit.nse
localhost`. Verify with `strace -e file ...` that it works as intended.
Finally, turn this into something more useful, like an interactive shell.
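From the defender's side, the thing to check is whether a sudoers rule for nmap lets the caller choose the arguments at all, because that is what makes `--script` available. Here is an added example (not code from the post or from the nmap project): a small Python audit that parses `sudo -l` output and flags nmap entries whose arguments are unrestricted. The `sudo -l` sample is constructed; the sudoers behaviour it relies on is that fixed arguments are matched with fnmatch(3), so `*` and `?` widen them, and that a trailing `""` permits no arguments at all.

```python
"""Audit `sudo -l` output for nmap entries whose arguments are unrestricted.

Rule being checked (assumption made for this example, matching the post):
an nmap entry lets the caller pass --script, which runs Lua as the runas
user, unless the sudoers rule fixes the arguments or forbids them with "".
"""
from dataclasses import dataclass
import os
import re
import shlex

# Binaries whose own command-line flags run user-supplied code. The post
# covers nmap (--script runs Lua); extend the set for your own environment.
SCRIPTABLE = {"nmap"}

# Constructed sample of `sudo -l` output for illustration; not from the post.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on ctfbox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on ctfbox:
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/nmap -sV *
    (root) /usr/bin/nmap -sn 10.0.0.0/24
    (ALL : ALL) NOPASSWD: /usr/bin/nmap ""
    (root) NOPASSWD: /usr/bin/systemctl status apache2
"""

# One "(runas) TAG: TAG: /path/cmd args, /path/cmd2 args" line of `sudo -l`.
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$"
)


@dataclass(frozen=True)
class SudoEntry:
    runas: str
    tags: tuple
    binary: str
    args: tuple  # () = caller chooses the arguments; ("",) = no arguments allowed


def parse_sudo_l(output):
    """Return the command entries listed after the 'may run' marker."""
    entries = []
    in_commands = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = tuple(re.findall(r"([A-Z]+):", m.group("tags")))
        # sudo -l separates several commands of one rule with ", " (arguments
        # containing a literal comma are not handled by this simple split).
        for cmd in m.group("cmds").split(", "):
            parts = shlex.split(cmd)
            entries.append(
                SudoEntry(m.group("runas").strip(), tags, parts[0], tuple(parts[1:]))
            )
    return entries


def unrestricted_args(entry):
    """True when the caller can choose arguments: none are fixed, or a glob is used.
    sudoers matches fixed arguments with fnmatch(3), so '*' or '?' widen them."""
    if entry.args == ("",):
        return False  # explicit "" in sudoers: no arguments permitted
    if not entry.args:
        return True  # no arguments in the rule: anything goes, including --script
    return any(ch in arg for arg in entry.args for ch in "*?")


def nmap_escape_findings(entries):
    """Entries that let the caller run nmap --script (arbitrary Lua) as runas."""
    return [
        e for e in entries
        if os.path.basename(e.binary) in SCRIPTABLE and unrestricted_args(e)
    ]


if __name__ == "__main__":
    for f in nmap_escape_findings(parse_sudo_l(SAMPLE_SUDO_L)):
        tags = " ".join(f.tags) or "-"
        shown = " ".join(f.args) or "(any arguments)"
        print(f"runas={f.runas} tags={tags} {f.binary} {shown}")
```

Run as a script it prints the two offending entries from the sample (the bare `/usr/bin/nmap` and the `-sV *` glob); the `-sn 10.0.0.0/24` rule and the `""` rule pass because the caller cannot add `--script` to either. Pasting real `sudo -l` output in place of the sample works unchanged, and the sudoers-side fix is the same as the rules that pass: pin the arguments or disallow them with `""`.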