Capture the flag (CTF)

DR4G0N B4LL: 1 VulnHub CTF Walkthrough

As you may know from previous articles, Vulnhub.com is a platform that provides vulnerable applications/machines to gain practical hands-on experience in the field of information security. You can check my previous articles for more capture the flag (CTF) challenges. I have also provided a downloadable URL for this CTF below; you can download the machine and run it on VirtualBox.  

https://download.vulnhub.com/dr4g0nb4ll/Dr4g0n-b4ll.zip

The torrent downloadable URL is also available for this VM; it's been added in the reference section of this article.

As per the information given on Vulnhub, this is a recent CTF posted by the author mr_xmen. As mentioned by the author, this is a beginner-level challenge, and it comprises of collecting one flag by getting the root. However, there is no further information available, but we presume that prerequisites would be having some knowledge of Linux commands and the ability to run some essential penetration testing tools. 

Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

The steps

1. Getting the target machine IP address by running the VM
2. Getting open port details by using the Nmap Tool
3. Enumerating HTTP Service with Dirb Utility
4. Extracting Hidden messages with Steghide
5. Logging in into the SSH and reading user flag
6. Escalating user privileges and getting the root flag 

So, now that we have all the information we need let's get started with the challenge. 

The walkthrough

Step 1

The first step is to run the Netdiscover command to identify the target machine's IP address. In the screenshot given below, we can see that we have run the Netdiscover command, which gives us the list of all the available IP addresses. It can be seen in the following screenshot. [CLICK IMAGES TO ENLARGE]

Command used: << netdiscover >>

In the highlighted area of the above screenshot, we can see the IP address, which is our target machine IP address. The target machine IP address is 192.168.11.31, and we will be using 192.168.11.14 as the attacker's IP address.

 Note: The target machine IP address may be different in your case, as the network DHCP is assigning it.

Step 2

After getting the target machine's IP address, the first step is to find out the open ports and services available on the machine. We conducted a Nmap full-port scan for this purpose. We also used the -sV switch with Nmap to show us the version of the services running on open ports. The Nmap results can be seen in the screenshot given below.

Command used: << nmap -p- -sV 192.168.1.31 >>

From the Nmap scan results, we identified that there are two open ports on the target machine. Port 22 is open, which is being used for SSH service, and port 80 is open, which is being used for the HTTP service. We have to gain root access to the target machine using only these two ports. So, we'll start exploring the target machine.

Step 3

In this step, we will explore vulnerabilities in the target machine through HTTP port 80. Let's open the target machine IP address on the browser to check out the website.

As can be seen above, this is a simple image file, and no further functionality could be found to analyze the web application. So, we decided to enumerate files to identify further pages and folders in the application. For this purpose, we ran a 'Dirb' scan which is a default tool available on Kali Linux. The scan command and results can be seen below.

Command used: << dirb http://192.168.1.31 >>

From the scan results, we identified three files on the target machine. We opened each file one by one on the browser and found an interesting entry in the 'robots.txt' file.

In the above screenshot, we can see the robots.txt file opened on the browser. There is a string given in the file, which seems to be base 64 encoded. Let's first decode the string to read the contents. This can be seen below.

Command used:

<< echo eW91IGZpbmQgdGhlIGhpZGRlbiBkaXI= | base64 --decode >>

We decoded the string with the help of the echo command. The decoded string message is:

You find the hidden dir

This means a directory is hidden on the target machine, which could help us proceed further. But there is no more information provided about the directory. We decided to check the HTML source of the target application for more clues.

VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09

As can be seen above, we found one more clue hidden in the HTML source of the target application. This also seems to be encoded. Let us try to decode it using the same method.

 

Command used

<< echo VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09 | base64 --decode >>

<< echo UkZKQlIwOU9JRUpCVEV3PQ== | base64 --decode >>

<< echo RFJBR09OIEJBTEw= | base64 --decode >>

As can be seen above, the string was also base-64 encoded, but it was encoded multiple times this time. We used the echo command to decode it until we reached the final cleartext value: DRAGON BALL. This could be the name of the hidden directory, as mentioned in the previous hint. We'll open it into the browser.

As we can see, we correctly identified the hidden directory name as 'DRAGON BALL.' When we opened it into the browser, we found that the directory listing was enabled. There was another folder in the directory and a file named 'secret.txt.' Let's open the identified directory into the browser. 

This seems to be a login page to some application' xmen.' We tried various default usernames and passwords on the login page, but none of them were correct. We tried SQL injection to bypass the login page, but the page was not vulnerable to SQL injection.

After closely looking at the page, we found a download button underneath the login panel, which can be seen highlighted in the above screenshot. We clicked on the download button, which redirected us to another page that returned a 403 error response. So, we removed the '.' from the URL that opens up the image file, as seen below.

This image is the only thing we knew about, so we decided to download this image by using the wget utility for further analysis. The downloaded file can be seen below.

Command used:

<< wget http://192.168.1.31/DRAGON%20BALL/Vulnhub/aj.jpg >>

After downloading the file on our attacker machine, we checked the size of the image by using the 'ls –l' command. The size of the file seemed large for a jpg image file. To analyze the file further, we researched the internet and found a tool called 'steghide', which is used to identify hidden information from image and audio files. We know that the image file size was quite large, so this tool could help us to extract hidden information.

In the next step, we use this tool to extract information from the jpg file.

Step 4

The official website from where the Steghide tool can be downloaded is given below.

We checked whether it is available by default in Kali Linux, but it seems like we will have to download it first. The download command can be seen in the following screenshot.

Command used: << apt-get install steghide -y >>

Here, we have downloaded the tool on our attacker machine with the help of "apt-get" command. Let's now try to use this tool to extract data from the image file, see below.

Command used: << steghide –extract -sf aj.jpg >>

We tried to extract the information from the image file, but it required us to enter a passphrase. We do not know the passphrase, so let's try some other method to crack the passphrase. We will use another tool for this purpose, which can be seen below.

Command used: << pip3 install stegcracker >>

In the above screenshot, we have downloaded another tool named 'stegcracker,' used to crack passwords for image files. After successfully downloading the tool on our attacker machine, we simply run it with our image file, as seen in the following screenshot.

Command used: << stegcracker aj.jpg >>

The tool took some time to complete the password enumeration. It utilized the 'rockyou.txt' wordlist, which is by default available in Kali Linux. After trying various passwords, it finally cracked the correct passphrase for the file as 'love'. So, let us try to extract the file details again using steghide.

Command used: << steghide --extract -sf aj.jpg >>

Password: love

As can be seen above, the file was successfully extracted using the utility. There was an SSH private key that could be used to login into the target machine. We know that a username with the name 'xmen' exists on the target machine. In the next step, we will log in to the SSH.

Step 5

Let's try to login into SSH using the private key.

Command used: << chmod 600 id rsa >>

We copied the private key and saved it into the target machine as 'id_rsa.' After that, we changed the file permission to 600 using 'chmod.' As we already know from the previous step, there is a user named 'xmen,' so we used it to log in to the SSH. The login was successful, and we are now logged into the target machine as user xmen.

Command used: << local.txt >>

We checked the files in the current directory, where we found the very first flag. The flag file names' local.txt' can be read in the above screenshot. We checked the user privileges by using the id command and got to know this is not the root user I.

In the next step, we will escalate our privilege try to read the root flag.

Step 6

We enumerated the target machine for loopholes and known vulnerabilities using various techniques.

Command used:

<< cat /etc/issue >>

<< uname -a >>

We identified the target machine operating system and kernel version information using 'etc/issue' file and uname –a command. We tried to find some exploits for the available versions installed on the target machine, but none of them were suitable in our case. We kept on exploring the target machine files and folders for any other weakness.

Command used:

<< ls -la >>

<< ./shell >>

We found an interesting file named 'shell' in the '/script' directory. We checked the file information using 'ls –l' and found that the root user owns the file and has executable permission to all user groups. We checked the file content using the cat command and found a copy of the 'ps' binary. There is another C source file named 'demo.c', which does not have any specific path of the binary defined. We can utilize this weakness to escalate user privilege, which can be seen in the following screenshot. 

Command used:

<< cd /tmp >>

<< echo "/bin/bash" > ps >>

<< chmod +x ps >>

<< export PATH=/tmp:$PATH >>

<< which ps >>

In the above screenshot, we changed the binary 'ps' to a custom binary to escalate user privilege. In the tmp directory, we created a file named 'ps' with the content '/bin/bash.' After that, we gave executable permission to the file using chmod and exported the directory to PATH. 

After that, we checked whether the new custom binary is being called is. We search 'ps' in the terminal, and the result confirms that whenever the system looks for a ps file, it will result in the custom ps file created by us.

We'll now execute the shell to get the root access of the target machine.

Command used: << ./shell >>

The trick was successful, and we are now root in the target machine. After getting root access to the target machine, we read the root flag, named 'proof.txt. This was confirmed by using the 'id' command, as seen in the above screenshot.

Command used: << cat proof.txt >>

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

The root flag was easily found in the root directory. This completes the challenge.

We read both the flags and gained root access of the target machine by exploiting two open ports. I hope you enjoyed solving the CTF. Let me know of any queries.

 

Sources

Dr4g0n b4ll, VulnHub

Dr4g0n b4ll, VulnHub

Dr4g0n b4ll, VulnHub