Capture the Flag

DMV 1: VulnHub Capture the Flag (CTF) walkthrough

July 13, 2020 by Nikhil Kumar

In this article, we will find an answer to a Capture the Flag (CTF) challenge published on VulnHub by the author Jonathan. As per the information given by the author, the difficulty level of this CTF is easy and there are two flag files that are needed to be read to complete the CTF. One of the files is only readable by the root user.

To complete this CTF, we must capture two flags. Prerequisites would be having some knowledge of Linux commands and ability to run some basic penetration testing tools.

As you may know from previous articles, VulnHub is a platform which provides vulnerable applications/machines to gain practical hands-on experience in the field of information security. You can check my previous articles for more CTF challenges. I have also provided a downloadable URL for this CTF below; you can download the machine and run it on VirtualBox.

The torrent downloadable URL is also available for this VM; it’s been added in the reference section of this article.

VulnHub is a well-known website for security researchers which aims to provide users a technique so that they can learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them and I highly recommend attempting them, as it is a good way to sharpen your skills and learn new techniques in a safe environment.

Please note: For all of these machines, I have used Oracle VirtualBox to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes and I am not responsible if the listed techniques are used against any other targets.

The steps

The summary of the steps required in solving this CTF is given below.

  1. Getting the IP address by using Netdiscover
  2. Scanning open ports by using Nmap
  3. Enumerating HTTP Service by using Dirb
  4. Manually identifying vulnerabilities by using Burp Suite
  5. Getting the target machine reverse shell
  6. Getting the root access

The walkthrough

Step 1

After downloading and running the machine on VirtualBox, the first step is to explore the VM by running a netdiscover command to get the IP address of the target machine. The command output can be seen in the screenshot provided below: [CLICK IMAGES TO ENLARGE]

Command used: netdiscover

In the above screenshot, we can see that we have got the virtual machine IP address: 192.168.1.25 (the target machine IP address) and I will be using 192.168.1.23 as an attacker IP address.

Note: The target machine IP address may be different in your case, as it is being assigned by the network DHCP.

I have edited the other identified devices’ data as these were my other connected devices on the network, which were identified by the netdiscover utility.

Step 2

After getting the target machine IP address, the first step is to find out the open ports and services available on the machine. I conducted an nmap full-port scan for this purpose. The results can be seen in the screenshot given below.

Command used: nmap -p- 192.168.1.25 -sV -p-

We can see that ports 22 and 80 are open, through which SSH and HTTP services are running. The above scan also provides us further information about the target system configuration that may be useful for us in the later stages.

Let’s start exploring the target machine further through these ports.

Step 3

Let’s start with port 80 first, as it is being used for the HTTP service. That means that a web application is running through this port. To start with this, I opened the target machine IP address on the browser. This can be seen below:

As we can see, from the homepage it seems like it is a video converting website. There is an option to enter “video number” and then press the convert button.

As there is no further functionality available, before looking further into it, let us first enumerate other files and folders on the web application with the help of an automated tool. I prefer to use the dirb tool for this purpose, as it is by default available on Kali Linux. The scan results can be seen in the following screenshot:

Command used: dirb http://192.168.1.25

In the output above, we can see that there are some directories which were identified by the tool. We can further explore these directories such as “admin” and “tmp.” So, let’s run the “admin” directory on the web application. This can be seen below:

I checked the identified “admin” directory, but it requires further authentication. I tried some of the default username and password combinations but none of them worked here. I finally decided to check the application manually with the help of an intercepting proxy to find further clues.

In the next step, we will manually check this application by using the Burp Suite proxy.

Step 4

I set up my Burp Suite up and running by enabling the proxy in Burp Suite. After that, I checked the application, which is expecting a Video ID as the user input; after that, it will be converted into the mp3 file. So, I entered a random ID and moved the request into Burp Repeater for further analysis, which can be seen in the following screenshot.

We can see that by adding a random ID, the application returns an error. As a pentester, I can say if the application is returning an error in the response, there are very high chances to identify the vulnerability.

By closely analyzing the error in the response, I could understand that this error is coming due to some encoding characters. After spending some time on this, I simply searched this error online. The first google result shows a GitHub URL:

I quickly opened the URL to see the details. It was a kind of YouTube downloader which is written in Python and deployed on the target machine. As the source code was available, it means that I can check the source code and try to identify a vulnerability that would be helpful to exploit this machine.

In the above screenshot, we can see the source code on the Github website. I checked the code and documentation of the tool and observed a few options which could be helpful for us. It can be seen in the following screenshot:

In the highlighted area of the above screenshot, we can see that there are some options available which can be used on the website. The options are a part of the “youtube-dl” command available in the YouTube downloader package on the target machine.

First, let’s try to use the “—version” option to check whether the output of the command would be shown in the response. This can be seen in the following screenshot.

As we can see, the command option “—version” returned the result in the response and provided the available version of the target application. This confirms that we can use all the other available options to get some more information about the target application.

I started checking the available options on the GitHub website. There is a large set of options available on the website which may be used, but we were looking for something which could help us to execute a command on the target machine. After reading all the options, I finally got something through which could serve our purpose. It can be seen in the highlighted area of the following screenshot.

URL: https://github.com/ytdl-org/youtube-dl

In the highlighted description above, we can see that the option “—exec”, which can be used to execute a command on the target machine and return the output. Let’s try the same in the next step.

As per the details given on the GitHub website, I tried to run the whoami command on the target machine using the —exec option. But for some reason, it did not work. The application returned an error message.

I understood by the errors that it is related to encoding, so I tried some encoding techniques to make it work. But it did not seem to be working here. After spending some time on this, I tried some fuzzing techniques by using the Burp intruder. I was able to generate a payload which can be used to run the command on the target system. By utilizing those special characters, I was able to create a payload which successfully executed the command on the target system and returned the output as a part of the server response. It can be seen in the screenshot given below.

Payload used: <`ls${IFS}-l`

In the above screenshot, we can see the working payload which returns the output of the command. Here, we had to replace the spaces with ${IFS} to make it work.

By following the same technique, I have created another payload which reads the “/etc/passwd” file from the target machine. It can be seen in the screenshot given below.

In the response, we can see the output of the “passwd” file. As we already know that the application on the target machine is written in Python, I used a Python reverse shell payload to take the shell access of the target machine. In order to make it executable in our scenario, I made some changes to the payload, which can be seen in the following screenshot.

As we can see, when we tried to use the Python reverse shell script to take the reverse connection of the target machine, we received an error message in the server response. This means it could not execute.

Step 5

For this reason, I had to find another way to utilize this command execution technique to successfully get the reverse shell of the target machine. I wrote down the reverse shell script in a file called “bb.sh” on the attacker machine and downloaded that on the target machine with the help of the wget utility. The file was downloaded on the target machine as can be seen in the above screenshot.

Now let’s execute the shell on the target machine. I set up my attacker machine to receive connections on port 4444 and executed the script. This can be seen in the following screenshot.

Command used: nc -lvp 1234

As we can see above, the payload was successfully executed on the target machine and we have received the reverse shell connection. Let’s explore the target machine to find the flag file and escalate privilege to the root user.

In the above screenshot, we can see that we have got the first flag in the “admin” directory. We already know that there is a root flag that needs to be read to complete the CTF, but it requires root privilege on the target machine. Let’s move forward to the next step to find the root flag.

Step 6

As we already know that the “admin” directory was password-protected when we accessed it through the website on the target machine, now we have the limited access on the target machine so we can utilize this to check the password. When I checked “ls –a” we got the “.htpasswd” and got the cryptographic version of the password.

Command used: ls -a

As we have the cryptographic version, let us decrypt the password in order to access the admin section of the target machine web application. For this purpose, I first copied the string to a text file on the attacker machine and saved it as ‘pass.txt’. This can be seen in the following screenshot.

Commands used:

  1. cat >> pass.txt
  2. john pass.txt

Next, I used the “john” password-cracking utility which is available by default in Kali Linux to crack the password. The password got cracked but when I tried to use that password on the web application, it did not work.

After spending some time on the target machine, I found a “tmp” directory in the document root in which there is a bash script file called “clean.sh.” It can be seen in the following screenshot.

Command used: cat clean.sh

The script in the file can be seen in the above screenshot. The script is to remove all contents of the “downloads” folder on the target machine. As I had the write permission through the limited shell, I added another reverse shell script in the “clean.sh” file.

In the above screenshot, we can see that the reverse shell script was successfully added to the “clean.sh” file. I set up my attacker machine to listen to connections on the 4444 port. After that, I executed the “clean.sh” file and received the root connection of the target machine. This can be seen in the following screenshot.

Command used: nc -lvp 4444

As we can already see, the username is “root.” I further verified this with the id command, which confirmed that we now have the root access of the target machine. Now, let’s look for the flag file on the target machine.

As we can see above, it was in the root directory of the target machine! We have finally read the flag file and completed the challenge.

 

Sources

  1. Download DMV 1, VulnHub
  2. DMV 1, VulnHub
  3. DMV 1, Google Drive
  4. Download DMV 1, VulnHub (torrent)
Posted: July 13, 2020
Articles Author
Nikhil Kumar
View Profile

Nikhil Kumar, a Certified Ethical Hacker, works as a Information Security Consultant. He has experience in web application pen-testing, social engineering, password cracking and android pen-testing. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.