In this article, we will solve a Capture the Flag (CTF) challenge which was posted on VulnHub.
As you may know from previous articles, VulnHub is a platform which provides vulnerable applications/machines for users to gain practical hands-on experience in the field of information security. You can check my previous articles for more CTF challenges. I have also provided a downloadable URL for this CTF; you can download the machine and run it on VirtualBox.
The torrent downloadable URL is also available for this VM and has been added in the reference section of this article.
As per the information given on VulnHub, this is a recent CTF which was posted by the author Coung Nguyen. As mentioned by the author, the challenge is aimed at beginners. The aim of the CTF is to get the root. Prerequisites include having some knowledge of Linux commands and ability to run some basic penetration testing tools.
For those who are not aware of the site, VulnHub is a well-known website for security researchers. It provides users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. I highly suggest attempting them, as it is a good way to sharpen your skills and also learn new techniques in a safe environment.
Please note: For all of these machines, I have used Oracle Virtual Box to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
Summary of the steps
The summary of steps required for solving this CTF is given below:
- Getting the victim machine’s IP address by running the netdiscover command
- Scanning open port by using the Nmap scanner
- Enumerating HTTP service with Dirb
- More enumeration with Burp Suite and identifying vulnerabilities
- Exploiting the command injection vulnerability to take the reverse shell
- Getting the root access and reading the flag
After downloading and running this machine on VirtualBox, the first step is to explore the VM by running the netdiscover command to get the IP address of the victim machine. The command output can be seen in the screenshot given below.
Command used: netdiscover
As we can see in the above screenshot, we have got the virtual machine IP address: 192.168.1.24 (the target machine IP address). We will be using 192.168.1.23 as the attacker machine IP address.
Please note: The target and attacker machine IP addresses may be different, as per your network configuration.
After getting the target machine IP address, the first step is to find out the available open ports and services on the system. I ran an nmap full-port scan on the target machine. The results can be seen in the following screenshot.
Command used: nmap 192.168.1.24 -p- -sV
We can see that port 80 and port 22 are open on the target machine. These ports are being used for the HTTP and SSH services, respectively. The above scan also provides some further information about the target system configuration that may be useful for us in later stages.
Let’s start by exploring the open port and services on the target machine. I decided to start with the HTTP port. After opening the IP address in the browser, we found that there was an application running on it, which we can see below:
As we can see, it is just a default web page which does not have anything further to do. To get more idea about the target machine, I decided to run a file and folder enumeration tool. I used the dirb utility for this purpose. The results of the scan can be seen in the following screenshot:
Command used: dirb http://192.168.1.24
The scan provided us with a few files to explore on the target machine. As we can see above, the index.html and robots.txt files are available on the target machine web application. So, I first opened the robots.txt file. The result was quite interesting, as you can see below:
From the robots.txt file, we got a password string. But when we observe closely, the password string is Base64-encoded. The password string is written thus:
super secret password – bG9sIHRyeSBoYXJkZXIgYnJvCg==
In the next step, we will use Burp Suite for more enumeration.
As we saw from the previous step, we got the password in the robots.txt file and it seems to be Base64-encoded. Let’s try to decode the password. I have used the Burp decoder for this purpose, but you can use any Base64-decoder that is convenient for you. The decoded password can be seen below.
As can be seen in the highlighted area of the above screenshot, the password is “lol try harder bro”. This means that we have to look further on the target machine to get the password. I started looking into the source code of the target machine and found something useful, as you can see below.
We found another string in the source code of the target machine web application. The string is given below:
We can see that the above string also needs to be decoded. I used the Burp decoder again to resolve the encoded string into plain text form. After spending some time with that, I was finally able to fully decode the string. This can be seen in the following screenshot.
As we can see, the decoded string “workinprogress.php” seems to be a file on the target machine web application. Let’s open the file on the browser and see if it works.
As we can see, the file was showing some information about the web application. If the information is true, it might be possible that there is command execution on the target machine.
I started testing the file for further vulnerabilities. After spending some time looking for various vulnerabilities on the file, I found that it can be vulnerable to command injection. To confirm the vulnerability, I passed a “cmd” parameter and added the “ls” command as the parameter value. If the page is vulnerable for command injection, we should be able to view the contents of the current directory. The result can be seen in the following screenshot.
As we can see in the highlighted area of the above screenshot, the results confirm that the page is vulnerable to command injection.
In the next step, we will use the command injection vulnerability for taking the shell access.
To utilize this vulnerability to gain access to the target machine, I first checked whether “python” is available on the target system. I used the python –help command for this purpose.
As can be seen in the above screenshot, the target machine application responded with the Python help menu. This confirms that Python is available on the target machine.
Let’s write a payload to get a reverse connection from the target machine. I prepared a shell payload in Python and passed it in the “cmd” parameter on the web application. I also set up my attacker machine to receive connections through port 1234. The following screenshot confirms that the payload was successful, as I was able to get access to the target machine.
- nc -lvp 4444
The URL with the crafted payload used in the above screenshot is given below.
We now have shell access to the target machine. However, it is the limited shell; I ran the id command and the command output shows that we have www-data user access on the machine. So, in the next step we will do some privilege escalation.
In the previous step, we got the user access. Now, we need to explore the target machine further to escalate privileges to root.
I started by gaining information about the target machine OS and kernel versions. I used the uname –a command for this purpose. It provided me with a lot of information about the installed versions on the target system. The results can be seen in the following screenshot:
- uname -a
- cat /etc/issue
I started to look for an available exploit for the above configuration but there was no vulnerable version installed. After that, I again got back to the target machine and started exploring further.
Command used: find / -perm -4000 -type f 2>/dev/null
As we can see, I enumerated the target machine for the list of commands that the user was allowed to execute without root permissions. There I found that the find command could be executed as root user.
I executed the above command on the target machine, which finally escalated user privileges to root. This can be seen in the following screenshot.
- /usr/bin/find -exec bash -p \;
- cat /root/root.txt
We have now gained access to the root of the target machine. After that, it was not difficult to find the flag file which was in the root directory of the target machine. The flag file was again encoded into Base64. So, I used the Burp decoder to decode it into plain text. The final flag file was “congratulations.”
This completed the CTF, as we have now gained access to the root and read the flag file. Hope you had fun working on this with me!