Capture the flag (CTF)

Victim 1: VulnHub CTF walkthrough

LetsPen Test
August 31, 2020 by
LetsPen Test

In this article, we will answer a Capture the Flag (CTF) challenge published on VulnHub by the author “iamv1nc3nt”. As per the information given by the author, the difficulty level of this CTF is easy to intermediate and the aim is to get the root access of the target machine and read the flag file. The author also hints that enumeration is the key to solve this CTF; however, brute-forcing on a SSH port will get us banned. That’s something that we have to keep in mind while solving the challenge.

Prerequisites for this CTF are to have some knowledge of Linux commands and the ability to run basic penetration testing tools.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

For those who are not aware of the site, VulnHub is a well-known website for security researchers that aims to provide users with a way to practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. I highly suggest attempting them, as it is a good way to sharpen your skills and to learn new techniques in a safe environment. You can check my previous articles for more CTF challenges.

I have provided a downloadable URL for this CTF. You can download the machine and run it on VirtualBox. The torrent downloadable URL is also available for this VM and has been added in the reference section of this article.

Please note: For all of these machines, I have used Oracle VirtualBox to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The steps

The summary of the steps required in solving this CTF is given below.

  1. Get the target machine IP address by running the Netdiscover utility
  2. Scan open ports by using the Nmap scanner
  3. Enumerate HTTP port 80 with the dirb utility
  4. Enumerate another HTTP port 8080
  5. Enumerate HTTP port 8099
  6. Analyze and crack WAP password
  7. Log into SSH
  8. Get the root access and read the flag

The walkthrough

Step 1

After downloading and running this machine on VirtualBox, the first step is to explore the VM by running the netdiscover command to get the IP address of the victim machine. The netdiscover command output can be seen in the screenshot given below: [CLICK IMAGES TO ENLARGE]

Command used: netdiscover

As we can see above, we have got the virtual machine IP address, 192.168.1.15 (the target machine IP address). I can also see the IP address of other devices connected to my router but due to security reasons, I have erased the MAC address of the connected devices. We will be using 192.168.1.23 as the attacker IP address.

Please note: The target and attacker machine IP addresses may be different, as per your network configuration.

Step 2

After getting the victim machine IP address, the next step is to find the open ports and services available on the machine. We conducted an Nmap full-port scan for this purpose. In the Nmap command, we used the -Pn switch for a no-ping scan and -p- for including all 65,530 ports in the scan. The scan results can be seen in the following screenshot.

Command used: nmap -p- -Pn 192.168.1.15

The Nmap output shows us the scan has identified five open ports on the target machine. The open ports and services being run through ports can be seen in the above screenshot. Also, we know from the hint given by the author that brute force cannot be performed on the SSH port.

There are four other open ports, two of which are being used for the HTTP service. We will explore each port in detail in the next step.

Step 3

As we know, there are two ports being used for the HTTP service. Let’s start with the default port 80 by running the target machine IP address on the browser, which can be seen in the screenshot given below.

Here, we can see just a server message: no configuration file was found, and no installation code is available on this target machine. So, I decided to enumerate this by using the dirb tool to enumerate the internal files and directories. The scan results can be seen in the following screenshot:

Command used: dirb http://192.168.1.15

In the above screenshot, we can see the dirb scan generating a large output. It took some time for the scan to complete and generate a long list of files and directories on the target machine. I analyzed each and every identified file but none of them gave any interesting information.

We also know from the port scanning step that there is another port through which the HTTP service is running on the target machine. So, in the next step we will enumerate port 8080.

Step 4

We already know that the HTTP service is being run through this port, so I simply opened it into the browser, which can be seen in the following screenshot.

Above, we can see that when we tried to access the port 8080 through the browser it returned a 404 Not Found error. To further enumerate the HTTP service through this port, I decided to run the dirb tool again to identify the hidden files and directories. The output of the dirb scan can be seen below.

Command used: dirb http://192.168.1.15:8080

In the above screenshot, we can see very few files could be identified by the scan. I tried each file but could not find anything useful. The scan did not provide any useful information to help us find further vulnerabilities on the target machine.

We already know from the Nmap results that some other ports were also identified as open. So, let’s move on to the next open port in the next step.

Step 5

I checked the port 8099 and found that this port is also being used to run the HTTP service. I opened it into the browser, and here’s what we saw.

Here, we can see a web application being run through the 8099 port. We can see that directory listing is enabled here; due to that, we are able to view all the available files in the document root folder. I started checking these files one by one and most of them look like some WordPress files.

I found an interesting file, which was added by the root user. It can be seen in the following screenshot.

In the highlighted area of the above screenshot, we can see a file named as “WPA-01.cap”. We can also notice that this file was added by the root user. In the next step, we will download and analyze the information provided by this file.

Step 6

In the previous step, we had identified a cap file on our target system. Let’s use the wget utility to download this file on our attacker machine for further analysis.

The file extension already gives us some information about the purpose of this file. WPA is a wireless authentication mechanism mostly used for Wi-Fi security, so this file may contain some information about the W-Fi authentication and network. In the following screenshot, we can see that the cap file has been downloaded on the attacker machine.

Command used: wget http://192.168.1.15:8999/WPA-01.cap

After successfully downloading the WPA-01.cap file in our attacker (local) system, the file name also gives some information about it. It is mostly seen as a default file name that “airodump-ng” utility generates while capturing the handshake of the Wi-Fi device. So, let’s check this by using another utility whether this file contains the valid WAP handshake or not. We can verify it by using the Aircrack-ng utility, Aircrack-ng is a popular Wi-Fi sniffing tool available on Kali Linux. It can be seen in the screenshot given below.

Command used: aircrack-ng WPA-01.cap

As we can see, the output of the aircrack-ng command shows that this file contains a valid WAP handshake. Apart from that, it also shows that the ESSID is dlink. It means we can perform brute force or dictionary-based attacks on this captured handshake, which can be seen in the following screenshot.

Command used:

aircrack-ng WPA-01.cap -w /usr/share/wordlists/rockyou.txt

As can be seen in the above screenshot, we used the aircrack-ng command to brute-force the handshake key using a default Kali Linux dictionary.

After running the command, it eventually identified the Wi-Fi key, which can also be seen in the highlighted area of the above screenshot.

Key: p4ssword

So far in the challenge, we have found a WPA handshake where the Wi-Fi name was dlink and we are able to crack the password.

Step 7

As we know from the previous steps, we have identified a Wi-Fi name and password. Now, let’s explore another open port on the target machine, port 22, which is being used for the SSH service. Let’s try these identified credentials and try to log into SSH, which can be seen in the following screenshot.

Command used: ssh dlink@192.168.1.15

The credentials worked and our login attempt was successful. We are now logged into the target machine with the identified Wi-Fi credentials. However, this user is not root and our target is to get the root access to complete this CTF. In the next step, we will do some more enumeration for getting the root.

Step 8

The first step of enumeration is to identify the operating system and kernel version. I ran a few commands, which can be seen in the highlighted area of the following screenshot:

Command used:

  1. cat /etc/issue
  2. uname -a

The first command does not give any information about the running operating system, but from the second command result, we are able to know the available kernel version on the target machine. I searched for a local exploit for this version but couldn’t find any workable exploit. I ran the sudo-l command, which can be seen in the following screenshot.

Command used: sudo -l

This command is used to fetch information on the target machine about the current user privileges. As can be seen in the above screenshot, the command output shows that we must “Try Harder”. I had to find a loophole in the current user to escalate user privileges.

I tried various methods to enumerate further. After spending some time, I ran a command which gives us the command name that can help us to get the root access. This can be seen in the screenshot given below.

Command used: find / -perm -4000 -type f 2>/dev/null

In the highlighted area of the above screenshot, we can see the “nohup” utility can be used to get the root access. I spent some time researching on the web to write a nohup command, which can give us the root access of the target machine. The running command and its output can be seen in the following screenshot.

Command used: nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"

As can be seen in the above screenshot, the command was successfully executed on the target machine. After that, we got the root shell access.

We have completed one of the goals of this CTF: to gain access to the root user. Now, it’s time to read the flag file, which should be available somewhere in the root folder.

Command used: cat flag.txt

The above screenshot shows that first we changed the current directory to the root directory and then read the flag file by using the cat command. We got a nice graphic on the screen, which completes this CTF challenge.

I hope you liked this article and enjoyed learning this machine. I would love to answer your questions! Feel free to put them in the comments.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Sources

LetsPen Test
LetsPen Test