
Clover 1: VulnHub CTF walkthrough, part 1

June 28, 2021 by LetsPen Test

This capture the flag (CTF) tasks you with gaining root access to a system. The OVA file of this CTF can be downloaded from the URL given below.

You can download the machine and run it on VirtualBox. A torrent download URL is also available for this VM; it has been added to the Sources section at the end of this article.

Please note: For all these machines, I have used Oracle VirtualBox to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The steps

The summary of the steps required in solving this CTF is given below:

  • Getting the IP address with the Netdiscover utility
  • Port scanning through Nmap
  • Enumerating FTP service
  • Enumeration of HTTP service with Dirb

So, now we have all the information that we need. Let us get started with the challenge.


The walkthrough

Step 1

The first step, as always, is to run the netdiscover command to identify the target machine's IP address. In the screenshot given below, we can see that we have run Netdiscover, which gives us the list of all the available IP addresses.

Command used: << netdiscover >>

In the above screenshot, we can see that we have identified the IP addresses of all the devices connected to our router, but for security reasons we have hidden the MAC addresses of our personal devices. The target machine IP address that we will be working on throughout this challenge is 192.168.1.16. We will be using 192.168.1.25 as the attacker IP address.

Note: The target machine IP address may be different in your case, as it is being assigned by the network DHCP.

Step 2

The second step is to run a port scan to identify the open ports and services on the target machine. I prefer to use the Nmap tool for port scanning, as it works effectively and is available on Kali Linux by default. In the highlighted area of the following screenshot, we can see the Nmap command we used to scan the ports on our target machine. The identified open ports can also be seen in the screenshot given below.

Command used: << nmap 192.168.1.16 -p- -sV >>

The Nmap output shows two ports on the target machine that have been identified as open. In the Nmap command, we used the "-sV" switch for version enumeration. We also used the "-p-" option for a full port scan, which tells Nmap to scan all 65535 ports on the target machine. By default, Nmap scans only the known 1024 ports, so it is especially important to conduct a full port scan during a pentest or while solving a CTF for maximum results.

In our case, however, multiple ports have been identified as open: three ports are running the HTTP service, and the FTP and SSH services are running on ports 21 and 22. We will start the enumeration with the FTP port in the next step.

Step 3

As we know from the previous step, the FTP port was identified as open, so let's try to connect to it as follows:

Command used: << ftp 192.168.1.16 >>

Username: anonymous

As can be seen in the above screenshot, we used the ftp command to connect to our target system with the FTP default username anonymous, which allowed us to log in. After that, we found some text files in the maintenance directory, which can be seen in the below screenshot.

Command used:

  • << cd maintenance >>
  • << ls >>
  • << get filename >>

We used the cd command to change the current directory and then the get command to download each text file to our system. Now let's see the content of these text files for further hints.

Command used:

  • << cat test.txt >>
  • << cat test2.txt >>
  • << cat locate.txt >>
  • << echo cGluZyBwb25n | base64 --decode >>

As we can see in the above screenshot, we used the cat command to view the content of each downloaded file. One file contained base64-encoded data, which we decoded with the base64 command. None of these files gave us an interesting clue that could help us solve this CTF, so let's move on to the next open port, which is HTTP. In the next step, we will start enumerating the HTTP service.

Step 4

Let's continue the CTF by exploring the HTTP port. We opened the target machine IP address in the browser.

The home page shows an OK message, but when we checked the HTML content of this page, we did not find anything. So, to explore this application further, we will try brute-forcing file and folder names on the target machine. We will be using the Dirb tool for this purpose. The command used and the results of the scan can be seen in the following screenshot.

Command used: << dirb http://192.168.1.16/ >>

As can be seen in the above screenshot, the tool generated a large output. We analyzed each identified directory and file; some of the interesting files and directories are highlighted in green in the screenshot. So, let's first open robots.txt in the browser as follows:

The robots.txt shows us some directory names, some of which are marked as allowed and some as disallowed for search engine crawlers. However, this information might be helpful for us, so we checked these directories one by one. The status directory shows a ping pong message as follows:

After that, we checked the next directory which shows another message which can be seen in the following screenshot.

We can see another message which says, "Stop Hack our website!" We ran the Dirb scanner against both directories to identify other hidden files but did not find anything. As we also found a phpMyAdmin directory, let's open it in the browser.

As we can see, phpMyAdmin is running. So, we tried a few default usernames and passwords, but it was not using any default credentials. We tried to identify vulnerabilities in phpMyAdmin but did not find any useful ones. Another directory identified by Dirb is "website," so let's open it in the browser as follows:

As we can see, we got a running website. Therefore, we’ll start checking the website for any possible vulnerabilities. During the manual analysis, we found this website was developed in ColdFusion CMS. This information was available in the HTML content of the home page as follows:

Now we know that our target web application was developed in ColdFusion CMS, so we searched Google for the administrator URL of the CMS. The Google results can be seen in the following screenshot.

In the highlighted area of the above screenshot, we can see the default administrator URL of the CMS, so let's open it in our application, which can be seen in the below screenshot.

We again got a website, but there is no administrator login. During the enumeration, we found some interesting information in the HTML content of the page, which can be seen in the below screenshot.

As we can see above in the highlighted area, it’s mentioned that they have created a test login page that needs to be disabled. Let’s see if we can access this page.

The test login page was available. Let's try to identify vulnerabilities on this page. First, we tested for authentication bypass with SQL injection; the first payload was executed successfully and we were able to log in to the application as follows:

Payload used for login: 1' OR '1'='1

We were able to bypass the authentication on the login page by using SQL injection, but the application shows only a blank page with a logged-in message.
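The bypass above works because the test login page splices the submitted values straight into its SQL text. The following Python example, added here and not part of the original walkthrough or the Clover machine's code, reproduces the login against a constructed SQLite table, once with string concatenation and once with a parameterised query, and shows that the same 1' OR '1'='1 payload succeeds only against the first.

```python
import sqlite3

# The payload used on the test login page in the walkthrough.
PAYLOAD = "1' OR '1'='1"


def make_db():
    """Constructed in-memory users table standing in for the CMS database.
    Passwords are stored in clear text only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")  # constructed row
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so quotes in the input become SQL.
    With the payload in both fields the WHERE clause becomes
        username = '1' OR '1'='1' AND password = '1' OR '1'='1'
    and because AND binds tighter than OR, the trailing OR '1'='1' is true for
    every row, so the first row in the table satisfies the login."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately from the SQL
    text, so the quotes are compared literally and cannot alter the logic."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run both login implementations with valid credentials and with the payload."""
    conn = make_db()
    return {
        "vuln_valid": login_vulnerable(conn, "admin", "S3cret!"),
        "vuln_payload": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "safe_valid": login_safe(conn, "admin", "S3cret!"),
        "safe_payload": login_safe(conn, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```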


So far, we have enumerated the different open ports and the web application, and at the end we have found an administrative login which is vulnerable to SQL injection.

In the next part of this CTF, we will first use SQLMap to dump the database and then get the root shell.

Until then, I encourage you to try to finish this CTF. There are enough hints given in the above steps.


Sources:

  • Clover, VulnHub: https://www.vulnhub.com/entry/clover-1,687/
  • Clover OVA download, VulnHub: https://download.vulnhub.com/clover/Clover.ova
  • Clover OVA torrent, VulnHub: https://download.vulnhub.com/clover/Clover.ova.torrent
