Capture the flag (CTF)

HA: Narak CTF walkthrough

December 17, 2020 by LetsPen Test

In this article, we will solve a Capture the Flag (CTF) challenge that was posted on the VulnHub website by an author named “Hacking Articles”. As per the description given by the author, enumeration is the key to solving this CTF. The end goal is to get root access to the machine and read the flags. There are two flags, user.txt and proof.txt, which need to be captured to complete the CTF.

You can check my previous articles for more CTF challenges. We have also provided a downloadable URL for this CTF here. You can download the machine and run it on VirtualBox. The torrent downloadable URL is also available for this VM and has been added in the reference section of this article.

For those who are not aware of the site, VulnHub is a well-known website for security researchers. It aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. There are a lot of other challenging CTF exercises available on vulnhub.com and I highly suggest attempting them, as it is a good way to sharpen your skills and learn new techniques in a safe environment.

Please note: For all of these machines, I have used Oracle Virtual Box to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.


The steps

The summary of the steps required in solving this CTF is given below:

  1. Getting the target machine IP address by running the VM
  2. Getting open port details by using the Nmap tool
  3. Enumerating HTTP Service with Dirb
  4. Creating a wordlist and brute-forcing with Hydra
  5. Uploading shell with webdav and taking the reverse connection
  6. Enumerating for local exploit
  7. Decoding message and local exploitation

The walkthrough

Step 1

The first step is to run the netdiscover command to identify the target machine IP address. In the screenshot given below, we can see the command, which gives us the list of all the available live host IP addresses in the network.

Command used: netdiscover

In the above screenshot, it can be seen that we have got the IP address of all the devices connected to our router, but for security reasons, we have hidden the MAC addresses of our personal connected devices. The virtual machine IP address that we will be working on throughout this challenge is 192.168.1.14 (the target machine IP address). We will be using 192.168.1.18 as the attacker IP address.

Note: The target machine IP address may be different in your case, as it is being assigned by the network DHCP.

Step 2

After getting the target machine IP address, the next step is to find the open ports and services available on the machine. We will use the Nmap tool for it, as it works effectively and is by default available on Kali Linux. The results can be seen below:

Command used: nmap 192.168.1.14 -sV -p-

The Nmap output shows two ports on the target machine that have been identified as open. In the Nmap command, we used the -sV switch for version enumeration. We also used the -p- option for a full port scan. It tells Nmap to conduct the scan on all 65,535 ports on the target machine. By default, Nmap conducts the scan only on the known 1,024 ports. So, it is especially important to conduct a full port scan during a pentest or when solving a CTF for maximum results.

However, in our case we have found only two ports. The first one is being used for SSH and the second one is being used for HTTP. In the next step, we will start with the HTTP port 80.

Step 3

We opened the target machine IP address on the browser to see the web application. It can be seen in the following screenshot.

As we can see above, a nice website is running on our target machine. We manually explored the website but did not find anything. After that, we ran a Dirbuster scan to enumerate the internal files and folders in the document root of the target machine. This can be seen in the following screenshot.

Command used: dirb http://192.168.1.14/

After waiting for some time, the Dirbuster scan completed and we got one interesting directory, which can be seen in the green highlighted area of the above screenshot. So, let’s open this directory in the browser.

We can see in the above screenshot that the webdav directory was password-protected, so we searched online for the webdav default username and password and got a few default credentials. However, none of them helped us to log in.

Because the author of the CTF has given the clue that enumeration is the key to solving this CTF, we’ll continue the enumeration and use Dirbuster to enumerate it further. The output of Dirbuster can be seen in the below screenshot.

Dirbuster took some time to complete, but we got one more text file, which can be seen in the highlighted area of above screenshot. So, let’s open this file into the browser.

We got another clue: to open the door of narak, there is another file, creds.txt. We tried to open creds.txt file but this file was not available on the target machine. So, after spending some time, we got to know that we are in a trap. Now, we will have to identify a different way to solve this CTF.

Step 4

During the analysis, we observed some text content on the hosted website. We used the Cewl utility to generate a wordlist from it, which can be seen in the below screenshot.

Command used: cewl http://192.168.1.14/ -w wordlist.txt

As can be seen in the above screenshot, Cewl has generated a wordlist, so now we will use this wordlist to brute-force the webdav credentials. There are multiple tools which can be used to brute-force; however, we will use Hydra, which is a command-line tool and available in Kali Linux by default. The hydra command and output can be seen in the below screenshot:

Command used:

hydra -L wordlist.txt -P wordlist.txt 192.168.1.14 http-get /webdav -v

As we already generated the username and password, we used this list with hydra and the green highlighted area shows the valid username and password identified by the brute-force attack. In the next step, we will use these credentials to log in and carry out further exploitation.

Step 5

We used the identified username and password to login into webdav, which can be seen below.

Username: yamdoot

Password: Swarg

As can be seen in the above screenshot, the webdav directory does not have anything. We did some research and found a command-line utility to connect with webdav. This utility will be used to upload the file on our target system.

Command used: cadaver http://192.168.1.14/webdav/

First, we tried to log in with the Cadaver utility, which was successful and can be seen in the above screenshot. Now we can use the put command to upload any file to the target machine. We uploaded the php-reverse-shell to our target machine; but before uploading the shell, we had to set the attacker IP address for the reverse connection, which can be seen in the below screenshot.

As we can see in the above screenshot, we first used the cp command to copy the reverse shell into the current directory. Then we opened the file with the vi editor, changed the IP address to our Kali machine IP address (attacker IP) and saved the file. After that, we again connected with the Cadaver utility and used the put command to upload the shell, which can be seen in the below screenshot.

Command used:

After uploading the reverse connection shell, we used the ls command to verify the uploaded file. The output of the command shows that our file was successfully uploaded. Now, let’s set up the Netcat listener on our attacker machine and open the file from the browser, which will give us the reverse connection from the target machine.

Command used: nc -lvp 1234

As we can see, we first started the listener on port 1234 and then opened this file in the browser. After a few seconds, we got the reverse connection from our target machine.
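The two server-side traces that steps 4 and 5 leave behind are easy to pick out of a web server log: a burst of 401 responses for the protected directory during the Hydra run, and a WebDAV PUT of a .php file followed by a GET of that same path. The following detection script is an added example written for this walkthrough, not code from the original post or from Hacking Articles; the log lines it analyses are constructed in Apache combined format to model the activity described above, and the thresholds, the extension list and the cadaver/Hydra user-agent strings are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Extensions the web server would hand to the PHP engine when fetched (assumed policy list)
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def build_sample_log():
    """Constructed sample log (not from the original post): a Hydra run against the
    Basic-auth protected /webdav directory, a cadaver session that PUTs a PHP file,
    the browser request that executes it, and one benign user with two typos."""
    lines = []
    for i in range(12):  # 12 failed logins in 12 seconds
        lines.append(f'192.168.1.18 - - [17/Dec/2020:10:00:{i:02d} +0000] '
                     f'"GET /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"')
    lines += [
        '192.168.1.18 - yamdoot [17/Dec/2020:10:01:00 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 512 "-" "cadaver/0.23.3"',
        '192.168.1.18 - yamdoot [17/Dec/2020:10:01:05 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 0 "-" "cadaver/0.23.3"',
        '192.168.1.18 - yamdoot [17/Dec/2020:10:01:09 +0000] "PUT /webdav/php-reverse-shell.php HTTP/1.1" 201 0 "-" "cadaver/0.23.3"',
        '192.168.1.18 - yamdoot [17/Dec/2020:10:01:30 +0000] "GET /webdav/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
        '192.168.1.40 - - [17/Dec/2020:10:02:00 +0000] "GET /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
        '192.168.1.40 - - [17/Dec/2020:10:02:20 +0000] "GET /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    ]
    return "\n".join(lines)


def parse_log(text):
    """Parse combined-format lines; malformed lines are skipped rather than aborting the run."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["path"] = e["path"].split("?", 1)[0]  # ignore query strings when matching paths
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def find_auth_bruteforce(entries, threshold=10, window_seconds=60):
    """Return {ip: total 401s} for every client with `threshold` or more 401 responses
    inside any `window_seconds` span; two mistyped passwords do not trip it."""
    failures = defaultdict(list)
    for e in entries:
        if e["status"] == 401:
            failures[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged


def find_script_uploads(entries):
    """Return successful WebDAV PUTs of script files, noting whether the same path was
    later fetched with a 200 (i.e. the uploaded script was probably executed)."""
    uploads = []
    for e in entries:
        if e["method"] == "PUT" and 200 <= e["status"] < 300 and SCRIPT_EXT.search(e["path"]):
            executed = any(o["method"] == "GET" and o["path"] == e["path"]
                           and o["status"] == 200 and o["time"] >= e["time"] for o in entries)
            uploads.append({"ip": e["ip"], "user": e["user"], "path": e["path"], "executed": executed})
    return uploads


if __name__ == "__main__":
    log = parse_log(build_sample_log())
    print("brute-force sources:", find_auth_bruteforce(log))
    print("script uploads:", find_script_uploads(log))
```

Pointing `parse_log` at a real access log is the only change needed to run this against a server; the script-upload check is the one worth alerting on regardless of volume, since a WebDAV share that both accepts PUT and executes PHP is exactly the combination the walkthrough exploits.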

Step 6

In the previous step, we got shell access; however, that was not root access. So, we started enumerating in order to get root access.

Command used:

  • uname -a
  • cat /etc/issue

The above screenshot shows that we first used the uname -a command, which gives the running kernel version. After that, we used the cat /etc/issue command, which tells us about the running operating system. We searched online for local exploits but did not get any working exploits.

During the enumeration, while searching for files with permissive permissions, we found a file called hell.sh, which can be seen in the below screenshot.

Command used: find / -type f -perm -ug=rwx 2>/dev/null

The identified file location is /mnt/hell.sh. We opened this file by using the cat utility, which can be seen in the below screenshot.

Command used: cat /mnt/hell.sh

The file gives us another challenge, as it shows some message in a quite different way:

--[----->+<]>---.+++++.+.+++++++++++.--.+++[->+++<]>++.++++++.--[--->+<]>--.-----.++++.

In the next step, we will decode this message.

Step 7

We spent some time and got to know that this message is written in the Brainfuck programming language. So, we searched the Brainfuck interpreter online to read the message. We found a website which decodes the message, which can be seen in the below screenshot.

After putting the message, we click on the Run button, which gives a string. It can be seen in the above screenshot.
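Rather than pasting the message into a website, it can be run locally. The interpreter below is an added example written for this walkthrough (not the original post's code and not the copy.sh tool it used); it takes the Brainfuck program from /mnt/hell.sh as shown above and prints the single word the walkthrough goes on to use as a password. The tape size and step limit are assumptions. One point the online decoder hides: the program's first loop only terminates because cells wrap at 8 bits, so an interpreter with unbounded cells would hang on it.

```python
# The Brainfuck program found in /mnt/hell.sh on the target (copied from the walkthrough)
MESSAGE = "--[----->+<]>---.+++++.+.+++++++++++.--.+++[->+++<]>++.++++++.--[--->+<]>--.-----.++++."


def match_brackets(code):
    """Map every '[' to its matching ']' and vice versa; reject unbalanced programs."""
    stack, pairs = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def run_brainfuck(code, stdin=b"", tape_size=30000, max_steps=1_000_000):
    """Interpret `code` with 8-bit wrapping cells and return its output as text.

    Wrapping is essential: --[----->+<] starts cell 0 at 254 and subtracts 5 per
    iteration, reaching 0 only modulo 256 (after 102 iterations, leaving 102 in cell 1).
    max_steps stops a non-terminating program instead of hanging the analyst's shell."""
    pairs = match_brackets(code)
    tape = bytearray(tape_size)
    out = bytearray()
    inp = iter(stdin)
    ptr = pc = steps = 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program may not terminate")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape pointer ran off the right end")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF  # explicit 8-bit wrap
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)  # EOF stores 0
        elif ch == "[" and tape[ptr] == 0:
            pc = pairs[pc]  # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = pairs[pc]  # back to the loop head
        pc += 1  # every other character is a comment
    return out.decode("latin-1")


if __name__ == "__main__":
    print(run_brainfuck(MESSAGE))
```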

We got only one word, so it could be the root password. We tried to log in as root, but this did not work. However, we had observed three folders whose names would be usernames. We used the identified string as the password for one of these usernames, which was successful. You can see this in the following screenshot:

Command used: su inferno

Password: chitragupt

The folder names show three usernames. We tried su inferno and the system asked for a password. We entered the identified string as the password, which worked for us, and now we are one step closer to getting root access.

Now we go to the directory where we find our first flag, user.txt, which can be seen in the following screenshot:

Command used: cat user.txt

Up till now, we got the user flag. Now our only target is to get the root access and read the root flag file. So, we did some more enumeration and found a file with weak permissions. That means we can edit this file, and it can be used for getting the root access.

The steps can be seen in the below screenshot:

Commands used:

  • cd /etc/update-motd.d/
  • ls -la
  • echo "echo 'root:hehe' | sudo chpasswd" >> 00-header
  • su root

As we can see in the above screenshot, we first changed the current directory to /etc/update-motd.d/. Then we used ls -la, which shows the files with their permissions. We can see that all the files have full permissions for everyone, so we appended a line to the 00-header file that sets the root password; since these scripts are run as root when a user logs in, the password was changed, and after that we logged in as root with it.
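The root cause exploited here, and what the find command in step 6 was hunting for, is a script that root executes being writable by an unprivileged user. The audit below is an added example written for this walkthrough, not code from the original post or from Hacking Articles: it walks a directory of root-run scripts and reports anything not owned by the expected uid or writable by its group or by everyone (the directory itself included, since a writable directory lets anyone drop in a new script). The demo builds a throwaway update-motd.d style directory with constructed file names and modes and audits it as the current user so that it runs unprivileged; the expected uid, the sample names and the modes are assumptions.

```python
import os
import shutil
import stat
import tempfile


def audit_file(path, expected_uid=0):
    """Return the reasons a file or directory is unsafe for root to execute unattended:
    not owned by the expected uid, or writable by its group or by everyone."""
    st = os.lstat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_tree(root, expected_uid=0):
    """Walk `root` and map every offending path to its list of problems.
    Directories are checked too: a writable directory lets anyone add a script."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            problems = audit_file(p, expected_uid)
            if problems:
                findings[p] = problems
    return findings


def demo():
    """Constructed update-motd.d style directory (not the target's): one fragment is
    left mode 0777 the way 00-header was on the box. Returns findings keyed by name."""
    root = tempfile.mkdtemp(prefix="motd-audit-")
    try:
        samples = {"00-header": 0o777, "10-help-text": 0o755, "50-landscape-sysinfo": 0o750}
        for name, mode in samples.items():
            p = os.path.join(root, name)
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\necho 'motd fragment'\n")
            os.chmod(p, mode)
        # Audited as the current user so the example runs unprivileged; on a real host
        # these scripts are expected to be root-owned, i.e. expected_uid=0 (the default).
        findings = audit_tree(root, expected_uid=os.getuid())
        return {os.path.basename(p): problems for p, problems in findings.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {', '.join(problems)}")
```

On a live system, `audit_tree("/etc/update-motd.d")` with the default expected uid of 0 is the check; the same function applied to /etc/cron.d, /etc/profile.d or any other directory of root-executed scripts catches the same class of weakness.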

Since we have the root access, we read the root flag file:

Command used: cat /root/root.txt


We have achieved all the targets of the challenge — we got the root access and read both flag files.

This completes the CTF. I hope you enjoyed learning this machine!

 

Sources

HA: Narak, VulnHub

Download HA: Narak, VulnHub

Download HA: Narak, VulnHub (torrent)

El Brainfuck, copy.sh/brainfuck
