Breaking into Fortress DC416 – CTFha
In this article, we will be solving fortress VM which is one of the VMS created by Vulnhub team for DEFCON Toronto’s 2016 offline CTF.
I picked this VM randomly and found it very informative, as it covers most of the concepts of extreme information gathering techniques, filter bypasses, and a very little touch of Linux binary exploitation.
The VM can be downloaded here
Phase – Information gathering
We start by discovering the allocated IP address for VM machine using the following command:
|netdiscover -i eth2 -r 192.168.56.1/24|
We further performed a full nmap scan and found 3 open ports.
|nmap -T4 -v5 -A -n -Pn -p- 192.168.56.101 –open|
We start by analyzing the application listening on port 80 and 443 and found the following information.
The above image gives us a better idea of how we need to proceed and saved us a lot of time as they have stated: “No SSH brute forcing is necessary.” We started investigating the application by browsing through common files. However, got no luck there.
We further looked into the HTML source in the hope of hints/ unattended comments, well got no luck there too.
We further started a normal directory brute force in the hope of finding something interesting. However, the common dictionary was not able to find anything for us.
After performing a Nikto scan, exploring SSH service without credentials and analysis for over 20 minutes, we decided to give directory bruteforce another try with a larger dictionary.
|dirb https://192.168.56.101/ /usr/share/wordlists/dirb/big.txt -X .php|
This time we got a hit with one file named scanner.php. So scanner.php is a kind of admin utility to scan possible internal networks. We performed a scan of localhost just to confirm the same and correlated it with our nmap scan.
Phase – Exploitation
By looking at this file functionality, our main exploitation contender was a “Remote Code Execution Vulnerability.”
We started exploiting the same by injecting our commands directly. However, it seems there is some sort of filtering enabled on the server side. After further analysis, we got to know following characters are being filtered at the server end.
Blacklisted Symbols: $ ` ; |
We further used a newline character to separate the Nmap command from our payload and was able to execute system commands on the server as shown.
Privilege Escalation / Lateral Movement – FLAG-1
Well after having our code executed, it was time to find our first flag. We investigate the current directory structure and found multiple directories with two of them having some interesting names such as k1ngd0m_k3yz and s1kr3t.
We navigated to the s1kr3t directory and found our first flag as shown in the following figure.
Hunting for Flag 2
We further navigated to other directory and found a password and shadow file contents of username craven.
We copied the SHA 512 crypt hash from the master file and fed it directly to john. At this time, we were not able to crack the obtained hash. This led to more reconnaissance.
We started navigating to home directory and found one more user named “vulnhub” well we had the hash for username craven we were mostly interested in his folder.
Upon listing the contents of the home directory for Craven user, we found two interesting files named reminders.txt and hint.txt.
Following are the contents from the files mentioned above:
As can be seen, Craven has saved some hints for his password i.e. three digits followed by his pet name and a symbol. Upon looking the contents of reminders.txt file on line 3, we came to know his dog name is qwerty.
We quickly created a password mask for this to brute force all possible combination with obtained hash. Following screenshot shows the content of mask file used in cracking craven’s password.
The mask file consists of three ?d combinations denoting the first three characters should be integers and ?s is used for the symbol. We further feed this mask file to our favorite cracking tool hashcat using the following command and were successfully able to crack craven’s password.
|Hashcat Command: hashcat64.exe -m 1800 -a 3 -o found.txt –force hash.txt password.hcmask
-m 1800 – type of hash which is SHA 512 crypt
-a 3 – attack method, which in this case is bruteforce
-o – to store output of cracked hashes
–force – supress warnings
Hash.txt – file containing hash.
Password.hcmask – password mask file
We further logged into craven’s account via SSH and fetched our second flag.
Hacking SUID Binaries – FLAG 3
After obtaining our second flag, we navigated to vulnhub users home directory and found a SUID binary which takes file path as a parameter and reads it. A first thought comes to mind — well let’s read flag file; it was obviously not that easy. The binary detects the flag file path and name.
Okay Let’s try to read the symlink for the flag file, well it had checks for that too. We further created a hardlink to flag file and was able to read out our last flag.