Capture the flag (CTF)

DIGITALWORLD.LOCAL: FALL Vulnhub CTF walkthrough

December 13, 2021 by LetsPen Test

This challenging machine resembles the OSCP-like machines as asked during the popular OSCP certifications. So, this is a good practice machine for those preparing for OSCP or any offensive security exams. The author has also provided some hints, which as of now, do not make much sense. We assume that the prerequisites would be knowledge of Linux commands and running some basic pentesting tools.

We have provided a downloadable URL for this CTF here, so you can download the machine and run it on VirtualBox. The torrent downloadable URL is also available for this VM; it has been added in the reference section of this article.

Please note: we have used Oracle Virtual Box to run the downloaded machine for all of these machines. We are using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and we are not responsible if the listed techniques are used against any other targets.

The steps

A summary of the steps required in solving this CTF:

  1. Exploring the given Admin and web console
  2. Getting open port details by using the Nmap tool
  3. Enumerating the HTTP service on port 80
  4. Parameter fuzzing and vulnerability identification
  5. Logging in into SSH and reading the root flag

So, now we have all the information that we need. Let us get started with the challenge.  

The walkthrough

Step 1

After running the downloaded virtual machine in the virtual box, the machine will automatically be assigned an IP address from the network DHCP. It will be visible on the login screen. The target machine’s IP address can be seen in the following screenshot. 

We got the IP address, port information, and web console URL to explore the target machine. We already got the information to start with. We will run the port scan later. Now, let us open the application into the browser, given below. 

URL- http://192.168.1.21:9090

There was a login page on the target application. We tried a few default credentials, which did not work here. We used the Dirbuster tool to identify hidden files and folders but could not get anything. It seems like a rabbit hole. So, let us go to the next step, which is port scanning. 

Step 2

In this step, we will scan the target machine by using the popular port scanning tool Nmap. This is to find the open ports and services on the target machine and help us proceed further. The running command and the output of the Nmap scan can be seen in the following screenshot.

Command used: << nmap -p- -sV 192.168.1.21 >>

We used the ‘-sV’ switch for version enumeration in the Nmap command. We also used the ‘-p-‘ option for a full port scan. It tells Nmap to conduct the scan on all the 65535 ports on the target machine. By default, Nmap conducts the scan only on known 1024 ports. So, it is especially important to conduct a full port scan during the pentest or solve the CTF for maximum results. 

 

The Nmap output identified seven open ports on the target machine. The scan also enumerated the version information for some of the services. The open ports and services can be seen in the above screenshot. 

As the HTTP default port 80 is available, let us analyze the target machine with port 80. 

Step 3 

We opened the target machine IP address into the browser to access the web application running through this port. 

In the above screenshot, we can see that the website runs a CMS-based blog. We got the CMS name and version information from the website’s footer. We searched the web for an available exploit and found a remote code execution vulnerability. The web results of the vulnerability can be seen in the screenshot given below. 

There was an exploit available for this vulnerability on the exploit-DB website. We checked the exploit information on the website and found that it requires authentication to run the remote code execution. We do not have any credentials, so we cannot use this exploit. We started checking the website for weaknesses or loopholes but could not find anything interesting. 

So, we decided to run a Dirbuster scan to identify hidden files and directories on the target machine. The scan output is shown in the following screenshot. 

The Dirbuster scan identified a few files, which can be seen in the above screenshot. We checked each file and found an interesting file named ‘test.php.’ We opened the file into the browser, seen below. 

The file is a test file. When we opened the file into the browser, it showed an error that a get parameter was missing. 

In the next step, we will do parameter fuzzing to identify the valid parameter. 

Step 4

Multiple tools are available for parameter fuzzing. However, we would be using the FFUF tool, which is by default available in Kali Linux. The command the output of the parameter fuzzing can be seen in the following screenshot. 

Command used: 

<< ffuf -r -c -ic -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u ‘http://192.168.1.21/test.php?FUZZ=/etc/passwd’ -fs 80 >>

The scan took some time to complete and soon identified a valid parameter ‘file.’ So, let us try to access some resources through the file parameter. We accessed the ‘etc/passwd’ file through the file parameter, which can be seen below. 

We analyzed the output of the /etc/passwd. At first, I noticed that the qiu user had bash access on the target machine. We tried to read the log file to use it for code execution, but it was not accessible. So, we started reading the default files, and during this process, we found the private key of the user qiu, which can be seen in the following screenshot.

view-source:http://192.168.1.21/test.php?file=/home/qiu/.ssh/id_rsa

As we identified the user’s private key, we can log in to SSH. In the next step, we will be logging in to SSH. 

Step 5

We have a user’s private key, and from /etc/passwd file, we also know the username. So, let’s try to log in with these credentials; however, before using the key, we have to change the key permission, which can be seen in the following screenshot. 

Command used: << chmod 400 key >>

We saved the private key on our attacker machine as ‘key.’ After that, we used the chmod utility to change the file permissions to 400. We already know that the default SSH port is available on the target machine, so let us try to login as a user qui through the SSH user with the help of the private key. The command used for this purpose can be seen below. 

Command used: << ssh -I qiu@192.168.1.21 >>

The SSH login was successful. We are now logged in as user qui. We ran the id command, and the output shows this is not the root user. So, we started exploring the target machine with information gathering. We ran a few commands to identify the operating system and kernel version information which can be seen below. 

Command used: 

  • << cat /etc/issue >>
  • << uname -a >>
  • << sudo -l >>
  • << cat local.txt >>

We searched over the web for an available local exploit for these versions, but none could be found working in our case. After that, we used the ‘sudo –l’ command to check the sudo permissions for the current user, but the sudo command was password-protected, and we do not know the password for the user qui. Next, we checked the contents of the current directory and found a clue hidden in a text file named ‘local.txt.’ The file mentioned a low privilege shell as some hint. So, we checked the bash history file for further clues, as seen below.  

Command used: << cat .bash_history >>

We found a string that could be the password in the bash history file. The identified string is given below for reference: 

remarkablyawesomE

Let us try to log in using the password for user qui. This can be seen in the following screenshot. 

Command used: 

  • << su qiu >>
  • << sudo -l >>

We used the ‘sudo –l’ command to check the sudo permissions for this user and found that it has full sudo permissions. The password was successful. So, we can simply switch the user to root without requiring any password. 

Command used: << cat proof.txt >>

We used the ‘sudo –su’ command to escalate user privilege. This changed the current user to root, which was confirmed by running the id command. The current user is now root. We looked for the root flag, and it was easily found in the root directory.

This completes the CTF challenge. I hope you enjoyed solving this CTF with us. 

 

Sources

Digitalworld, VulnHub

Digitalworld, VulnHub

Digitalworld, VulnHub

Posted: December 13, 2021
Articles Author
LetsPen Test
View Profile

Leave a Reply

Your email address will not be published. Required fields are marked *