Beelzebub: 1 VulnHub CTF walkthrough

January 31, 2022 by LetsPen Test

In this article, we will solve a capture the flag challenge ported on the Vulnhub platform by an author named Shaurya Sharma. As per the description, the difficulty level has been marked as easy. There is no further information provided for this machine. We assume that the prerequisites would be knowledge of Linux commands and running some basic pentesting tools.

I have provided a downloadable URL for this CTF here, so you can download the machine and run it on VirtualBox. The torrent downloadable URL is also available for this VM; it has been added in the reference section of this article.

Please note: For all of these machines, I have used Oracle VirtualBox to run the downloaded machine. I am using Kali Linux as the attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The Steps

  1. Getting the target machine IP address by running the Netdiscover utility  
  2. Getting open port details by using the Nmap tool
  3. Enumerating HTTP service with Dirb utility
  4. Logging in via SSH
  5. Escalating privileges to root user

So, now we have all the information that we need. Let us get started with the challenge.

The walkthrough

Step 1

The first step to solving any CTF is to identify the target machine’s IP address; since we are running a virtual machine in the same network, we can identify the target machine’s IP address by running the Netdiscover command. The output of the command can be seen in the following screenshot.

Command used: << netdiscover >>

In the above screenshot, it can be seen that we have identified the IP addresses of all the devices connected to our router. We have hidden the MAC addresses of my personal connected devices for security reasons. The target machine IP address that we will be working on throughout this challenge is 192.168.1.23. We will be using 192.168.1.29 as the attacker’s IP address.

Note: the target machine IP address may be different in your case, as the network DHCP is assigning it.

Step 2

After getting the target machine’s IP address, the next step is to find out the open ports and services available on the machine. We will use the Nmap tool for it, as it works effectively and is by default available on Kali Linux. The results can be seen below: 

Command used: << nmap 192.168.1.23 -p- -sV >>

We used the ‘-sV’ switch for version enumeration in the Nmap command. We also used the ‘-p-’ option for a full port scan, which tells Nmap to scan all 65535 ports on the target machine. By default, Nmap conducts the scan only on known 1024 ports. So, it is especially important to conduct a full port scan during a pentest or when solving a CTF for maximum results.

The Nmap output shows two open ports on the target machine: port 22, which is being used for the SSH service, and port 80, which is being used for the HTTP service.

Step 3

As we have all the open port details, we can explore the open ports and services on the target machine. Let us start the enumeration from the HTTP port 80. After opening the IP address in the browser, we found the default Apache page, which can be seen in the screenshot given below.

The Apache default page confirms that the Apache service is running, which hints that a web application may be running on the target machine on a different path.

Let us enumerate the HTTP port further to identify hidden files and folders in the root directory of the target machine. This would help us identify the path to the web application (if any) running through this port. We will use the Dirb tool for this purpose as it is by default available on Kali Linux and is known to generate good results for web application file enumeration. 

Command used: << dirb http://192.168.1.23/ >>

The Dirb scan generated some interesting results, including the phpMyAdmin utility. Let us enumerate each file one by one. 

We started checking each identified file in the browser. We opened the ‘index.html’ file, which showed an error. When we checked the HTML source of the file, we found some interesting information, which can be seen in the screenshot given below.

In the comments section of the HTML page, we found what appeared to be a password, along with a note mentioning md5 and that something had been decoded. The identified value is given below for reference: Beelzebub

Let us use these credentials for the phpMyAdmin login. 

We tried the credentials on the phpMyAdmin panel using various default usernames, but none of them worked. We thought that the value could instead be a directory name, so we hashed it with md5 (as mentioned in the comment), which can be seen below.

Command used: << echo -n "beelzebub" | md5sum >>

We piped the output of the echo utility into md5sum to compute the md5 hash of the identified password. The resulting md5 string can be seen in the above screenshot. Now, let us use this string in the URL as a directory, as seen in the following screenshot.

In the above screenshot, we can see that we got an error message that the page could not be connected. This means that there is indeed a directory present for this name. Let us use Dirb on the directory to identify hidden files and folders to proceed further. The Dirb command and results can be seen in the screenshot below.

Command used: << dirb http://192.168.1.23/d18e1e22becbd915b45e0e655429d487/ >>

We identified an ‘uploads’ folder and found that directory listing is enabled. From the above results, we also found a WordPress application running through this folder. So, let us open the URL in the browser.
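A directory named after the md5 of a word that the site itself publishes in an HTML comment is not hidden in any meaningful sense. The following Python script is an added example, not part of the original walkthrough: run from the defender's side, it audits a web root for md5-named directories that can be derived from words in served HTML comments. The sample web root, its comment text and the function names are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
WORD_RE = re.compile(r"[A-Za-z0-9_]{4,}")
MD5_NAME_RE = re.compile(r"^[0-9a-f]{32}$")


def comment_words(webroot):
    """Collect candidate words (as written and lowercased) from HTML comments."""
    words = set()
    for page in webroot.rglob("*.htm*"):
        if not page.is_file():
            continue
        for comment in COMMENT_RE.findall(page.read_text(errors="ignore")):
            for word in WORD_RE.findall(comment):
                words.update({word, word.lower()})
    return words


def guessable_dirs(webroot):
    """Map each md5-named directory to the comment word that hashes to its name."""
    digests = {hashlib.md5(w.encode()).hexdigest(): w for w in comment_words(webroot)}
    found = {}
    for entry in webroot.rglob("*"):
        if entry.is_dir() and MD5_NAME_RE.match(entry.name) and entry.name in digests:
            found[str(entry.relative_to(webroot))] = digests[entry.name]
    return found


def build_sample(root):
    """Constructed web root mirroring the layout described in the walkthrough."""
    hidden = hashlib.md5(b"beelzebub").hexdigest()
    (root / hidden / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.html").write_text(
        "<html><body>Not Found</body><!-- constructed hint: Beelzebub, md5 --></html>"
    )
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, word in guessable_dirs(build_sample(Path(tmp))).items():
            print(f"{path}/ is derivable from comment word {word!r}")
```

Any hit means the path should be treated as public: remove the comment, put real authentication in front of the application, and disable directory listing.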

We found another folder named ‘talk to valak’ in the ‘uploads’ directory. When we clicked on the folder, we found an application running through it. We configured Burp Suite to analyze the application for weaknesses. While going through the requests in Burp Suite, we found something exciting in the cookie section, which can be seen highlighted in the following screenshot.

Password: M4k3Ad3a1

In the cookies section, a password is given, which can be used to gain further access to the target system. However, as of now, we do not know any username; we only have the password. We recalled that when we ran the VM in the Oracle VirtualBox GUI, a username was shown on the login screen. Let us go back to the VM login screen in the GUI to check the username, which can be seen in the following screenshot.

The identified username is Krampus. We know the password as identified in the previous step. We already know that the default SSH port is open on the target machine. So, we will log in over SSH in the next step.
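The cookie finding above is the kind of issue a simple response-header check catches before release. The following Python script is an added example, not code from the original article or the target application: it contrasts a cookie that carries the secret itself with an opaque server-side session identifier, and audits both. The cookie name `Password` follows the label shown above; the cookie value, the session store and the function names are constructed assumptions.

```python
import secrets
from http.cookies import SimpleCookie

CREDENTIAL_HINTS = ("pass", "pwd", "secret", "cred")


def weak_cookie(password):
    """Pattern described in the walkthrough: the secret itself travels in the cookie."""
    return f"Password={password}; Path=/"


def hardened_cookie(session_store, username):
    """Send only an opaque random identifier; account data stays on the server."""
    sid = secrets.token_urlsafe(32)
    session_store[sid] = username
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def audit_set_cookie(header_value):
    """Return a list of (cookie_name, issue) findings for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if any(hint in name.lower() for hint in CREDENTIAL_HINTS):
            findings.append((name, "credential-like name"))
        if not morsel["httponly"]:
            findings.append((name, "missing HttpOnly"))
        if not morsel["secure"]:
            findings.append((name, "missing Secure"))
    return findings


if __name__ == "__main__":
    store = {}
    headers = (
        weak_cookie("constructed-sample-value"),  # constructed value, not a real secret
        hardened_cookie(store, "krampus"),
    )
    for header in headers:
        print(header.split("=")[0], audit_set_cookie(header) or "no findings")
```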

Step 4

From the previous steps, we have identified a username and password. Let us log in to the target machine as follows:

Command used: << ssh krampus@192.168.1.23 >>

The credentials were correct for user ‘krampus’ as we are now logged into the target machine. Let us enumerate the operating system and kernel version information to identify known vulnerabilities. The commands used for this purpose are given in the following screenshot.

Command used:

  • << cat /etc/issue >>
  • << uname -a >>
  • << sudo -l >>

The operating system and kernel version can be seen in the above screenshot. We searched Google for an available and working exploit, but none proved useful. We used the ‘sudo -l’ command to check the sudo permissions for the current user ‘krampus’ and found that the current user does not have permission to run the sudo command.

Command used: << ls -la >>

We continued exploring the target machine as user ‘krampus’. We started checking the files and folders that the current user could access. We used the ‘ls -la’ command to check the contents of the current directory and found an unusual ‘.conf’ file. When we searched the web for the file name, we found a local privilege escalation vulnerability, and an exploit was also available for the same. The web results can be seen below.

There was an exploit available for the vulnerability on the Exploit-DB website. Let us open the exploit URL and check the process.

As seen in the above screenshot, the local privilege escalation exploit is written in the C programming language. We will download and run the exploit on our target machine in the next step.

Step 5

As we already have user access on the target machine, we copied the exploit code from the website and pasted it into exp.c as follows:

Command used: << cat >> exp.c >>

We used the cat command to create the exploit file named ‘exp.c’ and copied the exploit code as given on the website. To execute it on the target machine, we need to compile it first. We will use the gcc compiler for this purpose. The commands used and the results can be seen below.

Command used:

  • << gcc exp.c >>
  • << chmod +x a.out >>
  • << ./a.out >>

Compiling the file with gcc created an executable file named ‘a.out’, which can be used to exploit the local privilege escalation vulnerability by simply running it on the target machine. We used the chmod utility to give executable permission to the file ‘a.out’. After that, we ran the file on the target machine using the ‘./a.out’ command. Upon successful execution, it provided root access on the target machine, and the same was verified using the ‘id’ command.

We are now logged into the target machine as user root. Let us find the root flag to complete the challenge. 

Command used: 

  • << cat user.txt >>
  • << cat root.txt >>

There were two flags. One was the user flag which was found in the user ‘krampus’ directory. The second and the main flag was ‘root.txt’ which was found in the root directory.

This completes the CTF. I hope you enjoyed solving this interesting machine.

 
