Capture the flag (CTF)

ZION: 1.2 — VulnHub CTF walkthrough (part 1)

LetsPen Test
October 1, 2020 by
LetsPen Test

Introduction

In this article, we will solve a Capture the Flag (CTF) challenge that was posted on the VulnHub website by André Henrique. Per the description given by the author, you must “Help Morpheus to leave the Matrix and return to Zion.” To do so, we have to find and read two flags (user and root).

You can check my previous articles for more CTF challenges. I have also provided a downloadable URL for this CTF here.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

You can download the machine and run it on VirtualBox. The torrent downloadable URL is also available for this VM and has been added in the reference section of this article.

For those who are not aware of the site, VulnHub is a well-known website for security researchers which aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. There are a lot of other challenging CTF exercises available on VulnHub and I highly suggest attempting them, as it is a good way to sharpen your skills and learn new techniques in a safe environment.

Please note: For all these machines, I have used Oracle Virtual Box to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes and I am not responsible if the listed techniques are used against any other targets

The steps

  1. Getting the IP address by running the VM
  2. Port scanning through Nmap
  3. Enumerating the web application with the Dirb utility
  4. Analyzing the application through Burp Suite and decoding the password
  5. Password brute-forcing with Burp Suite
  6. Getting into the system with SSH

The walkthrough

Step 1

After running the downloaded virtual machine file in the virtual box, the machine will automatically be assigned an IP address from the network DHCP and it will be visible on the login screen. The target machine IP address can be seen in the following screenshot: [CLICK IMAGES TO ENLARGE]

The target machine IP address is 192.168.1.4 and I will be using 192.168.1.2 as the attacker IP address.

Note: The target machine IP address may be different in your case, as it is assigned by the network DHCP.

Unlike my other CTFs, this time, we do not need the netdiscover command to get the target IP address.

Step 2

In this step, we will scan the target machine by using the popular port-scanning tool Nmap. This is to find the open ports and services on the target machine and will help us to proceed further. The running command and the output of the Nmap scan can be seen in the following screenshot.

Command used: nmap -p- -sV 192.168.1.4

In the above screenshot, we have used the -p- switch. It will scan all ports. The –sV switch will probe the open ports to determine the service/version info.

After scanning the ports, we found that port 22 is open and is being used for the SSH service. I checked the SSH version, and it seems to be running an updated version of the software. Port 80 was also found open and is being used for an HTTP service.

Step 3

So, port 80 is available. Let’s open the target machine IP address on the browser.

In the above screenshot, there is a Matrix-themed homepage with two button options. There is a random message on the homepage, and it our choice which one we choose to click. Let’s try to click both the options one by one and see what we get. After clicking on both buttons, “Truth” and “Illusion,” we get the same login page:

As we can see in above screenshot, we are getting a login page to access the “Zion’s System” application. At first, I started trying some random username and password combinations, hoping they would let us in. After trying some default username and passwords, none of them worked. I also checked the login page for SQL injection, but that was of no use.

I decided to use another tool to enumerate the directories and files on the target machine web application. I chose to use the dirb tool, which is an enumerating tool for web application files and folders and is by default available on Kali Linux. You can try any enumeration tool you like in this step. The output of the dirb command can be seen in the following screenshot:

Command used: dirb http://192.168.1.4

In the highlighted area of the above screenshot, we can see that the tool has identified a few files on the target machine. Let’s open these files on the browser one by one and find out further possibilities.

Above, we can see that we did not get any clue from the above files that will be useful to solve this CTF. So, in the next step, we will play with request and responses.

Step 4

In this step, we will try to capture the http request using the Burp Suite tool. Then we will read and analyze the response of the requests, which will be shown in the following screenshot.

In the above screenshot, we have captured the login request in Burp Suite and sent it to the repeater. As can be seen in the highlighted area, there are two interesting headers: “Matrix-banner” and “Matrix-message.” The header values are encoded, which seems to be Base64, so we are going to decode this Matrix banner code by using a Base64 decoder.

We have sent Matrix banner code on the decoder and tried to decode the message. It can be seen in the following screenshot.

In the highlighted area of the above screenshot, we can read the decoded result. We are getting an error for not using blocked characters and it seems that we did not use the correct decoding method. So, let’s try again this time using the Base62 decoding. This can be seen below.

As shown in highlighted area, the Base62 decoding worked, as we now have the username information. As per the message, the password for this user is present on the page where we made the “truth” and “illusion” choice. Let’s focus on this hint and try to identify the password from the webpage.

In the next step, we will be using another tool to create a password list by using the webpage’s content. Then we will use this as a dictionary for enumerating the correct login credentials.

Step 5

In order to get the password details, we are going to create a wordlist of webpage content. We will use a tool called CEWL for creating the dictionary. It is a Ruby app which spiders a given URL to a specified depth and returns a list of words which can then be used for various password crackers.

Command used: cewl http://192.168.1.4/

In the above highlighted area, we have created a dictionary of words that are available on the webpage URL. Now, we will go back to Burp Suite for conducting the dictionary-based brute-force attack. For this, we have forwarded the request to Burp Intruder:

In the highlighted area above, we can see that we have just chosen the password parameter for brute force, as we already know the exact username. After that, we just need to click on the Payload and paste the password list in the password options section. The setting would look like the screenshot given below.

Let’s click on the Start Attack option to initiate the brute-force attack. This will open a new popup and our attack will get started.

All the generated passwords were tried by the tool and their response stats code and response length can be seen in the above screenshot. When I closely analyzed all the response code, I found that there is one request which returns 302 as the response code and their content length is also different. This gave me the confirmation that it could be the valid login password. So, let’s try to log in with these credentials into the website, as seen below:

Username: morpheus.thematrix

Password: interpreted

In the above screenshot we can see that we are successfully logged into the Zion’s System application. After entering the correct username and password, it redirected to another path on the target machine.

Some information was given on the home page, telling us that there is another user in the system named “w.rabbit”. This user has forgotten their password.

While exploring other functionalities on the page here and there, we found a private key option. After clicking on this private key link, it redirects to a new page where the encrypted key can be seen on the browser screen. It is given in the below screenshot.

We can see the encrypted key. A very obvious way of using a private key on a system is to try it for SSH login. In the next step, we will try to log into SSH using this private key. This is going to be performed in the next step.

Step 6

In this step, we will copy this private key from the website and create a key file using the cat command on the attacker machine. This is shown in the following screenshot:

Command used: cat >> key

In the above screenshot, we have pasted the private key using the cat utility and saved it by the name key on our attacker machine. We already know from previous steps that port 22 is open on the target machine; now we will try to log into SSH using this key file. This command and its result can be seen in the following screenshot:

Commands used:

  • ls
  • ssh -I key rabbit@192.168.1.4
  • chmod 400 key

Here, we have tried to log into SSH using this key file, but it indicates an error: “bad permission.” I tried to log in again after providing permission and the error message changed to “invalid format error.” Let’s try to create a file with the proper key format.

I opened the file again and provided proper key format, that is, starting with “-----BEGIN OPENSSH PRIVATE KEY-----" and ending with “-----END OPENSSH PRIVATE KEY-----" .

Let’s try to log into SSH using this key file.

Commands used:

  • chmod 400 key
  • ssh -i key rabbit@192.168.1.4

In the above screenshot, we can see that after changing the key file permission, we are able to log into the machine.

So, up until now, we got the user access on our target machine. However, our targeted goal was to take the root access in order to complete the CTF.

In the next part of this article, we’ll dig in further to find a way into the target system as root.

 

Sources

ZION: 1.2, VulnHub

ZION: 1.2, Google Drive

Download ZION: 1.2, VulnHub

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Download ZION: 1.2, VulnHub (torrent)

LetsPen Test
LetsPen Test