Photographer 1: CTF walkthrough, part 1

November 9, 2020 by LetsPen Test

In this article, we will solve a Capture the Flag (CTF) challenge that was posted on the VulnHub website by an author named “v1n1v131r4”. According to the author's description, this machine was built as preparation for the OSCP. The goal is to gain root access to the machine and read the flags. There are two flags, user.txt and proof.txt, both of which must be read to complete the CTF.

You can check my previous articles for more CTF challenges. A download link for this CTF is given in the Sources section at the end of this article, along with a torrent link for the same VM. You can download the machine and run it on VirtualBox.

For those who are not aware of the site, VulnHub is a well-known website for security researchers. It aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. There are a lot of other challenging CTF exercises available on vulnhub.com and I highly suggest attempting them, as it is a good way to sharpen your skills and learn new techniques in a safe environment.

Please Note: For all of these machines, I have used Oracle Virtual Box to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The steps

  1. Getting the target machine IP address by running the VM
  2. Getting open port details by using the Nmap tool
  3. Enumerating HTTP service with Dirb
  4. Enumerating SMB service
  5. Enumerating the second HTTP service on port 8000

The walkthrough

Step 1

The first step, as always, is to run the netdiscover command to identify the target machine's IP address. In the screenshot given below, the netdiscover command lists the hosts that are alive on the local network.

Command used: netdiscover

In the highlighted area of the above screenshot, we can see the target machine IP address. The target machine IP address is 192.168.1.26 and I will be using 192.168.1.27 as the attacker IP address.

Note: The target machine IP address may be different in your case, as it is being assigned by the network DHCP.

Step 2

The second step is where the challenge proper begins. In this step, we run a port scan to identify the open ports and services on the target machine. I use Nmap for port scanning, as it works well and is installed by default on Kali Linux. You can use any port-scanning tool that gives you the same results.

In the highlighted area of the following screenshot, we can see the nmap command to scan the ports on our target machine. The identified open ports can also be seen in the screenshot given below:

Command used: nmap 192.168.1.26 -p- -sV

In the output of the Nmap scan, we can see four open ports on the target machine. In the Nmap command, we used the -sV switch for service and version detection and the -p- option for a full port scan, which tells Nmap to scan all 65,535 TCP ports on the target. By default, Nmap scans only the 1,000 most common ports, so a service listening on an unusual port would be missed. It is therefore important to run a full port scan during a pentest or a CTF.

In our case, we found only four open ports, two of which serve HTTP. The other two are the NetBIOS/SMB ports. So, in the next step, we start with the HTTP service on port 80.
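A full -p- scan with version detection in a single pass is slow, because Nmap probes every port it finds before reporting. The script below is an added example, not part of the original walkthrough: it runs the full sweep first with grepable output only, extracts the open TCP ports, and then runs -sV and -sC against just those. The embedded sample output is constructed to match the four open ports reported above (80 and 8000 for HTTP; 139 and 445 are assumed for SMB), and the live functions require nmap to be installed.

```shell
#!/usr/bin/env bash
# Two-phase port scan helper (added example, not from the original article).
# Phase 1: sweep all 65,535 TCP ports, grepable output only.
# Phase 2: version detection and default scripts against the open ports only.
set -u

# parse_open_ports: read nmap grepable (-oG) output on stdin and print the
# open TCP ports as a comma-separated list, ready for `nmap -p`.
parse_open_ports() {
  # A grepable host line looks like:
  #   Host: 192.168.1.26 ()  Ports: 80/open/tcp//http///, 139/open/tcp//netbios-ssn///  Ignored State: closed (65531)
  sed -n 's/^Host: .*Ports: //p' \
    | tr ',' '\n' \
    | awk -F/ '
        { sub(/^[[:space:]]+/, "", $1) }      # drop the space after each comma
        $2 == "open" && $3 == "tcp" {         # keep open TCP only, skip filtered/closed
          printf "%s%s", (n++ ? "," : ""), $1
        }
        END { print "" }'
}

# scan_target: phase 1 then phase 2 against a live host. Requires nmap.
scan_target() {
  local target=$1 ports
  ports=$(nmap -p- --min-rate 1000 -oG - "$target" | parse_open_ports)
  if [ -z "$ports" ]; then
    echo "[-] no open TCP ports on $target" >&2
    return 1
  fi
  echo "[+] open TCP ports: $ports"
  nmap -p "$ports" -sV -sC -oN "nmap_${target}.txt" "$target"
}

# Constructed sample of phase-1 output, modelled on the four open ports the
# article reports (80 and 8000 for HTTP; 139 and 445 assumed for SMB). A
# filtered SSH port is included to show that non-open entries are dropped.
SAMPLE_GREPABLE='# Nmap 7.91 scan initiated Mon Nov  9 10:00:00 2020 as: nmap -p- -oG - 192.168.1.26
Host: 192.168.1.26 ()  Status: Up
Host: 192.168.1.26 ()  Ports: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8000/open/tcp//http-alt///  Ignored State: closed (65530)
# Nmap done at Mon Nov  9 10:00:05 2020 -- 1 IP address (1 host up) scanned in 5.00 seconds'

if [ -n "${1:-}" ]; then
  scan_target "$1"                                      # ./scan.sh 192.168.1.26
else
  printf '%s\n' "$SAMPLE_GREPABLE" | parse_open_ports   # prints 80,139,445,8000
fi
```

Run it with the target IP as the only argument; without an argument it just parses the constructed sample. --min-rate 1000 keeps phase 1 fast on a lab network, but drop it against fragile or rate-limited targets.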

Step 3

We opened the target machine IP address on the browser to see the web application. It can be seen in the following screenshot.

A nice-looking website is running on the target machine. We explored it manually but did not find anything of interest. We then ran a dirb scan to enumerate files and folders under the document root of the target machine. This can be seen in the following screenshot:

Command used: dirb http://192.168.1.26/

After some time the dirb scan completed, but it did not give us any useful information. In the next step, we will enumerate another open port.

Step 4

As we know from the port scan, the SMB port is also open on the target machine. We use the smbclient utility, which is available by default on Kali, to connect to it. It can be seen in the screenshot given below:

Command used: smbclient -I 192.168.1.26 -L -N

As can be seen in the above screenshot, we used the smbclient command to connect with our target machine. In the smbclient command, we used a few options that are explained below:

  1. -I: connect to the given IP address directly, instead of resolving a NetBIOS name
  2. -L: list the shares offered by the target machine, if any
  3. -N: do not prompt for a password, i.e. attempt an anonymous (null-session) login

The output of the command shows that there is a folder named “sambashare” on the target machine. With the help of smbclient commands, we can list the contents of this folder which can be seen in the following screenshot:

Command used:

  • smbclient \\\\192.168.1.26\\sambashare -N
  • ls
  • get mailsent.txt
  • get wordpress.bkp.zip
  • ls -l mailsent.txt wordpress.bkp.zip

The highlighted area shows that we first used the ls command to see the contents of the sambashare folder. Two files are available on the share: one is a text file and the other is a zip archive. We then used the get command to download both files to our attacker machine, and confirmed the downloads with ls -l after quitting smbclient, which can be seen in the screenshot below.
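The three manual actions in this step (list shares, connect anonymously, download what is there) can be scripted so the same check is repeated quickly against every share on a host. The script below is an added example, not code from the original article: it parses the share table printed by smbclient -L, then uses smbclient's -c option to run the download non-interactively. The embedded listing is constructed; only the sambashare name comes from the article, the print$ and IPC$ entries are Samba's usual defaults. The live functions require smbclient.

```shell
#!/usr/bin/env bash
# Anonymous SMB share enumeration, scripted (added example, not from the
# original article). The parser runs offline against a constructed sample;
# enum_smb and fetch_share need smbclient and a reachable host.
set -u

# parse_shares: read `smbclient -L <host> -N` output on stdin and print the
# names of Disk shares, skipping the printer-driver default print$ (IPC$ is
# excluded already because its Type column is IPC, not Disk).
parse_shares() {
  awk '
    /Sharename/                                { in_table = 1; next }  # header row
    in_table && NF == 0                        { in_table = 0 }        # blank line ends table
    in_table && $2 == "Disk" && $1 != "print$" { print $1 }
  '
}

# fetch_share: connect to one share without a password and pull every file
# in it. -c scripts the session: "prompt" and "recurse" toggle interactive
# confirmation off and recursion on, then "mget *" downloads everything.
fetch_share() {
  local host=$1 share=$2 outdir=${3:-loot}
  mkdir -p "$outdir/$share"
  smbclient "//$host/$share" -N -c "lcd $outdir/$share; prompt; recurse; mget *"
}

# enum_smb: list shares, then attempt an anonymous download from each Disk share.
enum_smb() {
  local host=$1
  smbclient -L "$host" -N | parse_shares | while read -r share; do
    echo "[*] share: $share"
    fetch_share "$host" "$share" || echo "[-] $share: anonymous access denied" >&2
  done
}

# Constructed sample of `smbclient -L 192.168.1.26 -N` output (the real
# table is tab-indented). Only sambashare is taken from the article.
SAMPLE_SHARE_LIST=$(printf '%s\n' \
  'Anonymous login successful' \
  '' \
  '        Sharename       Type      Comment' \
  '        ---------       ----      -------' \
  '        print$          Disk      Printer Drivers' \
  '        sambashare      Disk      Samba on Ubuntu' \
  '        IPC$            IPC       IPC Service (Samba, Ubuntu)' \
  '' \
  'SMB1 disabled -- no workgroup available')

if [ -n "${1:-}" ]; then
  enum_smb "$1"                                      # ./smbenum.sh 192.168.1.26
else
  printf '%s\n' "$SAMPLE_SHARE_LIST" | parse_shares  # prints: sambashare
fi
```

Downloads land under loot/<share>/ on the attacker machine. print$ is skipped because it normally holds only printer drivers, but include it if you are hunting for misconfigured write access rather than loot.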

Command used: cat mailsent.txt

Here, we can see that the “mailsent.txt” file contains an email, from which we get two email addresses. There is also a secret message in that email: it could possibly be “my babygirl” or just “babygirl”. As of now, we do not have a login page, so let's just keep this information for later use.

Let's check the other file, the zip archive. I extracted it and found that it contains the default WordPress files. Nothing interesting was found in it.

Since we know that there is another port where the http service is running, we will enumerate it in the next step.

Step 5

As we know, an HTTP service is also running on port 8000. We opened it directly in the browser, which can be seen in the following screenshot.

We can see that there is another website running on the target machine. As it is just a default page, I used dirb to gather further information about the files and folders in the application. This can be seen in the screenshot given below:

Command used: dirb http://192.168.1.26:8000/ -f

The dirb scan took some time to complete and generated a large amount of output. We started analyzing the results one by one and found that there is an admin folder in the application:
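Reading a long dirb report line by line is where findings like the admin folder get missed. The script below is an added example, not part of the original article: it normalises dirb's two result line formats (directories and individual hits with their response code) into one line per URL and marks any path containing a keyword such as admin or login. The embedded report is constructed; only the admin directory comes from the article, the other entries are filler to show the filtering.

```shell
#!/usr/bin/env bash
# Triage a dirb report (added example, not from the original article).
# Save the scan first, e.g. `dirb http://192.168.1.26:8000/ -f -o dirb_8000.txt`,
# then run: ./triage.sh dirb_8000.txt admin,login,backup,config,upload
set -u

# triage_dirb: read a dirb report on stdin and print one "CODE URL" line per
# hit (directories get the code DIR), appending a marker when the path
# contains any of the comma-separated keywords in $1.
triage_dirb() {
  local keywords=${1:-admin,login,backup,config,upload}
  awk -v kw="$keywords" '
    BEGIN { n = split(kw, want, ",") }
    function emit(code, url,   i, low, line) {
      line = code " " url
      low  = tolower(url)
      for (i = 1; i <= n; i++)
        if (index(low, want[i])) { line = line "  <-- " want[i]; break }
      print line
    }
    /^==> DIRECTORY: / { emit("DIR", $3); next }   # "==> DIRECTORY: URL"
    /^\+ / {                                       # "+ URL (CODE:200|SIZE:3003)"
      code = $3
      sub(/^\(CODE:/, "", code)
      sub(/\|.*$/, "", code)
      emit(code, $2)
    }
  '
}

# Constructed sample in dirb report format; only the admin directory is taken
# from the article, the other entries are filler.
SAMPLE_DIRB=$(printf '%s\n' \
  '---- Scanning URL: http://192.168.1.26:8000/ ----' \
  '+ http://192.168.1.26:8000/index.html (CODE:200|SIZE:3003)' \
  '==> DIRECTORY: http://192.168.1.26:8000/css/' \
  '==> DIRECTORY: http://192.168.1.26:8000/admin/' \
  '+ http://192.168.1.26:8000/server-status (CODE:403|SIZE:277)' \
  '---- Entering directory: http://192.168.1.26:8000/admin/ ----' \
  '+ http://192.168.1.26:8000/admin/index.php (CODE:200|SIZE:5120)')

if [ -n "${1:-}" ]; then
  triage_dirb "${2:-}" < "$1"             # report file, optional keyword list
else
  printf '%s\n' "$SAMPLE_DIRB" | triage_dirb
fi
```

Pipe the output through sort to group by response code; 403s are worth a second look too, since they confirm a path exists even when dirb could not read it.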

So far, we have identified an admin login page on our target machine. Also, we know some details we enumerated from the SMB service.

In the next article, part 2 of this CTF, we will complete the rest of the steps that involve gaining the root access of the target machine and reading the flag file.

Until then, I encourage you to try to finish this CTF! There are enough hints given in the above steps.

 

Sources

Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated), Exploit Database

php, GTFOBins

Photographer: 1, VulnHub

Download Photographer: 1, VulnHub
