Fuku Walkthrough
Fuku (pronounced “far queue”) CTF is designed to mess with people. This is a boot2root. Import it in VirtualBox, using a Host-Only adapter, or use an adapter that will assign it an IP address in the 192.168.56.0/24 range. It only likes having an IP address in that range.
Treat the box as if it was on the network. Don’t try to do anything to it that you could only do with physical access, e.g. break into the BIOS or the Grub boot loader.
There are a few flag.txt files to grab. The final one is in the /root/ directory. However, the ultimate goal is to get a root shell.
If the machine seems to go down after a while, it probably hasn’t. This CTF isn’t called Fuku for nothing!
We ran nmap against the system's IP address; as the scan output showed, every one of the 65535 ports reported as open.
We connected to a few ports at random with Netcat to see what was actually running; every port returned the same “FUKU” message, served by an Apache web server.
Checking all 65535 ports by hand is not feasible, so we used Wfuzz, a web fuzzing tool normally used for directory brute forcing, with the port number as the fuzzed field. Any port hosting a real application should answer with an HTTP 200 instead of the decoy response.
Port 13370 returned a 200 response, so we opened it in the browser.
We checked robots.txt for interesting files and directories.
It listed a flag.txt file. We knew this was not the real flag, but opened it for clues.
Back on the homepage, we viewed the page source and found that the application runs on Joomla CMS version 1.5.
A Google search for vulnerabilities in this Joomla version turned up an exploit on Exploit-DB.
According to the exploit, we have to open this URL: http://target.com/index.php?option=com_user&view=reset&layout=confirm
Entering a single quote in the token field makes the page prompt for a new admin password. We set one, then browsed to the administrator folder and logged in to the Joomla admin portal.
To upload a shell, we opened the Template Manager from the Extensions menu and edited the source of one of the template files.
We replaced the file's contents with a PHP reverse shell, setting our own private IP address and port for the callback.
Requesting the edited file in the browser gave us a reverse shell on our Netcat listener.
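From the defender's side, the whole chain above (password reset through the confirm layout, admin portal login, template edit) leaves a recognisable sequence in the Apache access log even though the forged token itself travels in a POST body that the log never records. The following Python script is an added example, not part of the original walkthrough or of Joomla: it parses combined-format log lines, tags the requests that match each stage, and raises an alert when an admin-portal access or a template-manager request follows a reset POST from the same client within a time window. The log lines are constructed for the example; `com_templates` is assumed to be the admin component involved in template editing.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic): one client runs the reset/admin/
# template sequence, a second client just browses, a third is an ordinary
# admin login with no preceding reset and must not be flagged.
SAMPLE_LOG = [
    '192.168.56.101 - - [10/Mar/2016:10:00:01 +0000] "GET /index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '192.168.56.101 - - [10/Mar/2016:10:00:09 +0000] "POST /index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '192.168.56.101 - - [10/Mar/2016:10:00:10 +0000] "GET /index.php?option=com_user&view=reset&layout=complete HTTP/1.1" 200 1880 "-" "Mozilla/5.0"',
    '192.168.56.101 - - [10/Mar/2016:10:02:30 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '192.168.56.101 - - [10/Mar/2016:10:05:12 +0000] "POST /administrator/index.php?option=com_templates HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [10/Mar/2016:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Mar/2016:11:30:00 +0000] "GET /administrator/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], TS_FMT)
    req["status"] = int(req["status"])
    return req


def classify(req):
    """Tag a request with the stages of the attack path it matches."""
    url = urlsplit(req["path"])
    qs = parse_qs(url.query)
    tags = set()
    if (url.path == "/index.php" and qs.get("option") == ["com_user"]
            and qs.get("view") == ["reset"] and qs.get("layout") == ["confirm"]):
        tags.add("reset_confirm")
    if url.path.startswith("/administrator"):
        tags.add("admin")
        # Assumption: template edits go through the com_templates admin component.
        if qs.get("option") == ["com_templates"]:
            tags.add("template_manager")
    return tags


def detect(lines, window=timedelta(minutes=30)):
    """Correlate per client: a reset POST followed by admin or template-manager access."""
    alerts = []
    reset_seen = {}        # ip -> time of the most recent reset-confirm POST
    admin_flagged = set()  # ips already reported for plain admin access
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        tags = classify(req)
        ip, ts = req["ip"], req["ts"]
        if "reset_confirm" in tags and req["method"] == "POST":
            # The token value is in the POST body, which the access log does not
            # record, so the POST to the confirm layout itself is the marker.
            reset_seen[ip] = ts
            continue
        if "admin" not in tags or ip not in reset_seen:
            continue
        if ts - reset_seen[ip] > window:
            continue
        if "template_manager" in tags:
            alerts.append({"ip": ip, "at": ts, "rule": "template_edit_after_reset"})
        elif ip not in admin_flagged:
            admin_flagged.add(ip)
            alerts.append({"ip": ip, "at": ts, "rule": "admin_access_after_reset"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["at"].isoformat()} {a["ip"]} {a["rule"]}')
```

On the sample data this yields two alerts for 192.168.56.101 and none for the ordinary admin login from 10.0.0.7. In practice the reset POST alone is a weak signal (legitimate users reset passwords too); it is the reset-then-admin sequence from one client, and above all a template-manager edit right after it, that deserves a look.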
From this shell we could not run the commands we needed, so we needed root access. Looking at the running processes, we found chkrootkit 0.49 on the system.
Searching Google for a chkrootkit exploit turned up a local privilege escalation.
Reading the exploit code, we understood that we needed to create a file named update in /tmp containing the desired command; chkrootkit, run from a cron job, executes it as root. We used this to change the root user's password.
After a few minutes we logged in as root over SSH.
In the /root directory we found the flag.
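The weakness here is a scheduled root-level tool that executes a file from a world-writable directory. The following POSIX shell audit script is an added example, not part of the original walkthrough or of chkrootkit: it reports whether the installed chkrootkit is at or below version 0.49, whether a file named update is present in /tmp, and whether chkrootkit is scheduled from the usual cron locations. It assumes that `chkrootkit -V` prints a line containing the word "version" followed by the version number, and that releases up to and including 0.49 are affected.

```sh
#!/bin/sh
# Added audit example (not from the original walkthrough): looks for the
# conditions behind the chkrootkit 0.49 privilege escalation described above.

# Extract the version number from "chkrootkit -V" style output,
# e.g. "chkrootkit version 0.49" -> "0.49" (output format is assumed).
parse_chkrootkit_version() {
    printf '%s\n' "$1" | awk '/version/ { print $NF; exit }'
}

# Return 0 (true) when the version is 0.49 or older, 1 when newer,
# 2 when the argument is not a dotted version number.
chkrootkit_vulnerable_version() {
    ver="$1"
    case "$ver" in
        *.*) ;;
        *) return 2 ;;
    esac
    major="${ver%%.*}"
    minor="${ver#*.}"
    minor="${minor%%.*}"
    case "$major$minor" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -eq 0 ] && [ "$minor" -le 49 ]
}

# Return 0 when a file named "update" exists in the given temp directory
# (default /tmp); that file is what a vulnerable chkrootkit run executes.
suspicious_update_file() {
    dir="${1:-/tmp}"
    [ -e "$dir/update" ]
}

# List cron files that mention chkrootkit (paths assumed; informational only).
chkrootkit_in_cron() {
    grep -rls chkrootkit /etc/cron.d /etc/cron.daily /etc/crontab 2>/dev/null
}

audit() {
    if command -v chkrootkit >/dev/null 2>&1; then
        ver=$(parse_chkrootkit_version "$(chkrootkit -V 2>&1)")
        if chkrootkit_vulnerable_version "$ver"; then
            echo "WARN: chkrootkit $ver installed; /tmp/update execution bug applies"
        else
            echo "OK: chkrootkit $ver"
        fi
    else
        echo "INFO: chkrootkit not installed"
    fi
    if suspicious_update_file /tmp; then
        echo "WARN: /tmp/update exists; inspect it before the next scheduled chkrootkit run"
        ls -l /tmp/update
    fi
    cronfiles=$(chkrootkit_in_cron)
    if [ -n "$cronfiles" ]; then
        echo "INFO: chkrootkit scheduled from: $cronfiles"
    fi
    return 0
}

audit
```

A WARN on the version line is the finding that matters: upgrading chkrootkit removes the behaviour, and until then the cron entry should be disabled rather than relying on /tmp staying clean, since any local user can recreate the file at will.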
References: https://www.vulnhub.com/entry/sectalks-bne0x02-fuku,140/