In this article, we will try to solve another Capture the Flag (CTF) challenge which was posted on VulnHub by PaulSec. According to the information given in the description by the author of the challenge, this is the entry level boot2root web based challenge. The aim of this challenge is to gain root privilege through a web application hosted on the machine. The downloadable URL of the virtual machine is given below.

The torrent download URL is also available for this VM, which is given below in the reference section of this article. For those who are not aware of the site, Vulnhub is a well-known website for security researchers which aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment.

I started with a Netdiscover scan on the network. The target machine IP address can be seen in the screenshot below.


After that, I ran the Nmap scan on the target machine. We can see the results in the screenshot given below.


After running the complete scan, I identified an 8081 Port on the target machine. When I opened this on the browser, I found that there was a web application running on the target machine, which we can see in the screenshot below.


As we see in the screenshot above, the target website has an option to Sign Up and Login. So, I created an account to log in to the application to analyze and explore the application further. After logging in to the application, we had access to more features in the application like Change Password, User, Messages, and Logout. It can be seen in the screenshot below.


Then, I explored and analyzed all of the functionalities of the target application, and found some information. Notice in the user section all of the usernames with their roles are listed. It can be seen in the screenshot below.


As we can see, I got a username spiderman, and its administrative flag was marked ‘true.’ This means it might be an administrative user on the target machine. Look at the additional information I have discovered:

  • Target machine has the change password functionally which does not ask for old password while changing the password and it was vulnerable to a CSRF attack.
  • There was send message functionality available on the target machine through which we can send messages to the administrator.

I tried to brute force on the login with the ‘spiderman’ username but could not succeed. After that, I ran the Burp Spider on the application to check all the files, and among them, I found a ‘hint’ file on the target machine. It can be seen in the screenshot below.


In the highlighted section, we can see the ‘hint’ file, which was identified by the Burp Spider. So, let’s open this file in the browser and check what hint has been given by the author of the CTF.


As can be seen in the screenshot, it does not show any hint on the web page. So, I decided to check the HTML source code hoping there might be some hint in the comments.


Yes, my guess was right! There was a hint in the comments by the author of the CTF. You may see the hint in the screenshot above marked in red. The first line says that admin visits this website very frequently. The second hint was that the admin is running this website on localhost and the third hint was something related to CSRF. It means somehow, I have to exploit CSRF vulnerability to get the admin access of the application.

As I have already identified, the change password module is vulnerable to a CSRF attack. So, I created an HTML page to change the admin password and host it on my system. The HTML content of the HTML page can be seen in the following screenshot.


In the above HTML code, we see, firstly, that I have created a form ‘changepass’ which will send the post request and change the password. Here, I have changed the password to “hehe” so when the admin opens this URL the admin password will be changed to hehe. I have automatically submitted this form by using Java Script.

After creating this form, I copied this HTML page in /var/www/html and started the apache2 service. It can be seen in the screenshot below.


First, I copied the bb.html file from my home directory to apache document root directory after that I started the Apache service. Now, it’s time to send a message to the administrator from the web application. I simply write a message in the application and send the message. We can see it in the screenshot below.


I selected the ‘spiderman’ user to send the message as I already know that ‘spiderman’ is the admin of the application. After that, I submit this form. On the other hand, I have opened the Apache logs to verify whether the admin has clicked the URL or not.

From the server logs in the above screenshot, we see that ‘spiderman’ has accessed the URL so his password should be changed to ‘hehe.’ So, let’s try to log in to the target application with the administrator user ‘spiderman’ and password ‘hehe’.


So, my attack was successful, and I have successfully logged in to the application as an admin user, and in the messages, we can see all the other users’ conversations. In the conversations, I found that there is another user ‘pirate’ with the password ‘CrazyPassword!’. So, I tried to log in to the web application, but the credentials were wrong. Then, I tried the same username and password for SSH login.


As can be seen in the above screenshot, I successfully logged into the target machine with those credentials. But this was not the root access. So, I had to escalate the privilege to the root user. After that, I ran some basic commands to check the kernel version and OS name. It can be seen in the screenshot below.


The target machine was running on Ubuntu 14.4 LTS with kernel version 3.13.0-24. So, I searched for an exploit on Google and found one. It can be seen in the screenshot below.


Ethical Hacking Training – Resources (InfoSec)

This exploit works to take shell access on the target machine, so I downloaded the exploit by using the wget utility in the temp folder. It can be seen in the screenshot below.


Firstly, I downloaded the exploit after that I used mv command to rename it with the .c extension. After that, I used the GCC compiler which compiled the exploit and generated the executable. So, now let’s execute it.


As can be seen in the screenshot above, the exploit was successfully executed, and I got the root access of the target system, and I read the flag file.

Reference:

https://www.vulnhub.com/entry/secos-1,88/

https://www.exploit-db.com/exploits/37292/

https://download.vulnhub.com/secos/SecOS-1.tar.gz.torrent (Torrent Download of the VM)