Colddworld immersion: VulnHub CTF walkthrough
Let’s solve this VulnHub capture the flag (CTF), which can be downloaded here:
You can download the machine and run it on VirtualBox. The torrent downloadable URL is also available for this VM and has been added in the reference section of this article.
Please note: For all these machines, I have used Oracle VirtualBox to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
- Getting the IP address with the Netdiscover utility
- Port scanning through Nmap
- Enumeration web application with Dirb
- Parameter fuzzing through Burp suite
- Getting the user shell
- Getting the root and reading the flags
The first step is to run the netdiscover command to identify the target machine’s IP address. In the screenshot given below, we can see that we have run Netdiscover, which gives us the list of all the available IP addresses. It can be seen in the following screenshot. [CLICK IMAGES TO ENLARGE]
Command used: << netdiscover >>
In the highlighted area of the above screenshot, we can see an IP address, which is our target machine IP address. The target machine IP address is 192.168.1.20 and I will be using 192.168.1.25 as the attacker IP address.
Note: The target machine IP address may be different in your case, as it’s being assigned by the network DHCP.
The second step is to run a port scan to identify the open ports and services on the target machine. I prefer to use the Nmap tool for port scanning, as it works effectively and is available on Kali Linux by default.
In the highlighted area of the following screenshot, we can see the Nmap command we used to scan the ports on our target machine. The identified open ports can also be seen in the screenshot given below.
Command used: << nmap 192.168.1.20 -sV -p- >>
The output of the Nmap shows that two open ports have been identified open in the full port scan. Here, we used the “-sV” option for version enumeration and “-p-” for full port scan, which means we are telling Nmap to conduct the scan in all 65535 ports. By default, Nmap conduct the scan only known 1024 ports. So, it is very important to conduct the full port scan during the pentest or solving the CTF. However, in our case, we have found only two ports in which port 80 is running HTTP service and port 3042 is being used for SSH, so in this article, we will be exploring these two ports. Let us start with Port 80.
Let us start the CTF by exploring the HTTP port. We opened the target machine IP address on the browser.
Here, we can see that there is no functionality given on the homepage; just an image is there. So, to further explore this port we will try brute-forcing some files and folders on the target machine. We will be using the Dirb tool for this purpose. The command used and the results of the scan can be seen in the following screenshot.
Command used: << dirb http://192.168.1.20/ >>
By the scan, we identified a few directories on the target machine that could be of use to us. Let us explore these directories on the browser one by one. To start with, we opened the “secure” directory on the browser which can be seen below.
There was a login page that was asking for credentials. We tried a few usernames and password combinations but none of them would work. We also tried SQL injection which could not be identified on the login page. We also checked the source of the page, wherein the comments we found some useful information, which can be seen below.
<!—Hi Carls, if you read this, I have gone on a trip, let me tell you,
after the last attack, we received (thanks to your inactivity as a web
developer) we had to make password changes, but since he doesn’t use a mobile phone
or home computers (a bit weird since you are a web developer), I left clues on the “page”
for you to find your password, I know it will be easy because you are
good for detecting security flaws (or so I thought before the attack :D), I leave your password in a file called carls.txt that is inside /var, when you get it,
log in and finish your work by preparing my bash.
Greetings, c0ldd. –>
A per the message, it says that the password is stored in a file named “carls.txt” inside the “/var” folder on the target machine. The hint for the password is given on the “page” and it is for us to detect security flaws that would help us to get the password.
Since the password file is not in the document root, we cannot access it on the browser directly. We need to identify some vulnerability, which allows to access the password file.
We ran Dirbuster on the folder to enumerate any other file but did not get anything. The application has an “account.php” file, which is processing the username and password. In the next step, we will try to further test this page for weakness.
We did parameter fuzzing on this page to enumerate the parameters. For this, we used the Burp Suite Intruder module. We first captured the login request then forwarded this request to Burp Intruder which can be seen in the following screenshot.
For a successful parameter fuzzing attack, we need to choose a suitable word list that would allow us to brute force all the possible parameters for the request.
I researched over the web for some good and detailed wordlists for parameter fuzzing and found the below result on the GitHub website.
As can be seen above, we chose the GitHub wordlist and downloaded this on the attacker’s machine. Now, we need to configure Burp Intruder with the above wordlist. This can be seen in the following screenshot:
We simply copied the wordlist into the payload options and the total word count was 2,588. So, let’s execute the parameter fuzzing attack through Burp Intruder. The attack in progress can be seen in the following screenshot.
After completion, there was one parameter that generated a lengthier response than the other files. We transferred the request to the Burp Repeater to check the server response. The output can be seen below.
We can see this in the above response. We could fetch the “etc/passwd” file with the help of parameter fuzzing. In the next step, we will use this vulnerability to read the text file which is available in the var directory as per the message.
Now, let’s try to read this file with the help of path traversal. The file can be seen below.
We tried to read the file “/var/carls.txl” and found the above username and password. We tried these credentials on the web portal and attempted to log in through SSH but it did not work. After spending some time over it, we figured that the password is base64 encoded. So, let us try to decode it using a Burp Decoder. This can be seen below.
We have the plain-text credentials now, by analyzing the “/etc/passwd” file we found that carls are a user in the system. Let us try to log in with this username into the target machine through SSH.
Command used: << ssh email@example.com -p3042 >>
In the above command, we have mentioned the SSH port as 3042 as discovered in the port scanning step. As we have user access to the target machine, let’s enumerate further to get the root.
The login was successful, and we could log in to the target machine as user carlos. Let us enumerate further from here and find out more loopholes in the system which could help us get the root access.
- << cat /etc/issue >>
- << uname -a >>
To start with the enumeration, we first ran a few commands to identify the operating system information and kernel version of the target machine. The result and the commands used for this purpose are given in the above screenshot. After getting the required information, we searched for an available local exploit on the web but didn’t get any working exploit.
We decided to check the privileges of the current user before further exploring the target machine. The command used for this can be seen below.
Command used: << sudo -l >>
As can be seen above, the current user “carlos” has access to run a shell as another user. So, let us execute the shell command as user “c0ld” using sudo to switch the current user. The command and the results can be seen below.
Command used: << sudo -u c0ldd /bin/bash >>
We are now logged into the target machine as user “c0ld.” We got one user up now but still have to find a way to get to the root. We again followed the same process, to check the current user privilege.
Command used: << sudo -l >>
As we can see in the results, there is a Python file in the current user directory that can be run as root. Let us go to the directory and check the file.
- << cat user.txt >>
- << echo TXV5IGJpZW4gaGVjaG8gOik= | base64 decode >>
We got the first user flag in the “usr/c0ld” directory. The flag file was named user.txt and the contents were base64 encoded. After decoding we could read the complete flag. Let us now check the Python file, this can be seen in the following screenshot.
- << ls -la >>
- << rm DoNotRun.py >>
- << echo “import os os.system(“/bin/bash”)” > DoNotRun.py >>
When we checked the file permissions, we found that the Python file does not have edit permission for other users. We decided to delete the file and create a new file with the same name to gain root access to the target machine.
Let us run the file using sudo to change the current user privilege. The command used for this can be seen below.
- << sudo -u root /usr/bin/python3 /home/c0ldd/DoNotRun.py >>
- << id >>
We successfully got the root access of the target machine with this trick. We need to find the root flag to complete the CTF challenge.
- << cat /root/root.txt >>
- << echo “RmVsaWNpZGFkZXMgY3JhY2s=” | base64 -d >>
The root.txt file was in the root directory which can be seen above. The flag file was base64 encoded so we decoded it locally to read the flag.
Ifi-fuzz, GitHub https://github.com/watchdog2000/lfi-fuzz/blob/main/lfi-fuzz-params-list.txt
Colddworld-immersion, VulnHub https://www.vulnhub.com/entry/colddworld-immersion,668/