HACKATHONCTF: 2 VulnHub CTF Walkthrough

February 21, 2022 by LetsPen Test

Test out your skills with this basic level BootToRoot machine for beginners. The goal is to gain root access to the machine and read the two flag files to complete the CTF. You can check my previous articles for more CTF challenges. We have also provided a downloadable URL for this CTF:

You can download the machine and run it on VirtualBox. The torrent downloadable URL is also available for this VM and added in the sources section of this article.

Please note: I have used Oracle VirtualBox to run the downloaded machine, and I am using Kali Linux as the attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The steps

The summary of the steps required in solving this CTF:

  • Getting the target machine IP address by using the Netdiscover Utility
  • Getting open port details by using the Nmap tool
  • Enumerating HTTP service with Dirb Utility
  • Enumerating FTP service and reading the first flag
  • URL brute-forcing with Burp Suite
  • SSH brute-forcing with Hydra
  • Getting the root and reading the flag

So, now we have all the information that we need. Let us get started with the challenge.

The walkthrough

Step 1

After downloading and running the machine on VirtualBox, the first step is to explore the VM by running the Netdiscover command to get the IP address of the target machine. The Netdiscover command output can be seen in the screenshot given below.

Command used: << netdiscover >>

In the above screenshot, we can see that we have identified the IP addresses of all the devices connected to our router. For security reasons, we have hidden the MAC addresses of our personal connected devices. Our target machine IP address that we will be working on throughout this challenge is (the target machine IP address).

We will be using as the attacker’s IP address.

Note: The target machine IP address may be different in your case, as the network DHCP is assigning it.

Step 2

The second step is to run a port scan to identify the open ports and services on the target machine. We will use the “Nmap” tool for port scanning as it works accurately and is available on Kali Linux by default.

In the highlighted area of the following screenshot, we can see the Nmap command we used to scan the ports on our target machine. The identified open ports can also be seen in the screenshot given below.

Command used: << nmap -p- -sV >>

The output of Nmap shows that only one port has been identified as open. We used the ‘-sV’ option for version enumeration and ‘-p-’ to conduct a full port scan, which means we are telling Nmap to conduct the scan on all 65535 ports. By default, Nmap conducts the scan on only known 1024 ports. So, it is important to conduct the full port scan during a pentest or when solving a CTF.

However, in our case, we have found three open ports: the FTP service is running on Port 21, the HTTP service is running on Port 80 and SSH is running on Port 7223. We can also see the version information of the services that have been identified. We will be using this information in the following steps. In the next step, we will start with the HTTP port.

Step 3

Let us start enumerating with the default HTTP port 80. We opened the target machine IP address in the browser and found a web page which can be seen below.

The webpage did not have any further functionality or login to explore. We decided to further enumerate hidden files and folders on the target web application. For this, we used the Dirb tool, which is used to brute force standard files and folders in web applications. The tool is available in Kali Linux. The scan command and results can be seen in the following screenshot.

Command used: << dirb >>

The scan could not fetch much information about the target system. In the output, we got a few default files from where nothing more could be concluded. So, let us move on to the next open port as we are done exploring the HTTP port.

Step 4

In this step, we will connect to the default FTP port, which was identified as open in the port scanning step.

Command used: << ftp >>

In the above screenshot, we can see that the FTP login was successful.

The FTP service has an ‘anonymous’ user created by default, which was not removed on the target machine. So, we logged in by entering anonymous as both username and password.

After logging into the target machine as FTP, we used the ‘ls’ command to check the current directory contents and found our first flag.

Command used:

  • << get flag1.txt >>
  • << get word.dir >>
  • << exit >>

As can be seen above, we found the first flag and one more file. We can proceed further in solving the CTF. We downloaded both files on our attacker machine by using the ‘get’ command.

Command used:

  • << cat flag1.txt >>
  • << cat word.dir >>

Flag: 7e3c118631b68d159d9399bda66fc684

After downloading the files, we read the files using cat on our attacker machine. The flag1.txt file, which is our first flag, can be seen in the above screenshot. The second identified file, ‘word.dir,’ seems to be some wordlist. This can be used in many ways, but let us use this wordlist to identify more files on the target web application.

Step 5

In this step, we will use Burp Suite to conduct a URL brute force attack against the target application using the identified wordlist. For this, we opened Burp Intruder and configured the URL as a brute-forcing parameter; this can be seen below.

We transferred the target application request into Burp Intruder and configured the URL as a brute-forcing parameter. Now, let us configure the payload.

We clicked on the payload tab to configure the settings. In the payload options section, we pasted the wordlist contents as identified in the previous steps. Now, let’s execute the attack by clicking on the start attack option. The results can be seen below.

As can be seen above, all the files generated the same error; however, there was one file where the target application responded with a 200 OK response. Let us open this file in the browser.

As can be seen above, there is nothing on this page, just simple text. We decided to check the HTML source for further clues which could be hidden in the comments.

As can be seen above, we found a clue in the comments section of the HTML source. It mentioned a username on the target machine, which could be helpful for us in the further steps. The username is given below:

Username: hackathonll

Step 6

So far, we have explored the HTTP and FTP ports. We identified a username by enumerating the HTTP port and a wordlist through the FTP service. Let us move on to the next open port, SSH port 7223. Let us try to log in to SSH using the identified username and use the wordlist to conduct a brute force attack.

We will use the Hydra tool for brute forcing into SSH service; it is available by default in Kali Linux. The command used and the results can be seen below.

Command used:

hydra -l hackathonll -P word.dir ssh:// -s 7223

After initiating the scan, it took some time to complete, and finally, we got the username and password to log in to SSH. The login credentials can be seen below:

Username: hackathonll

Password: Ti@gO

Let us log in to the SSH service using these credentials, which can be seen below.

Command used:

ssh hackathonll@ -p 7223

The credentials worked, and we are now logged into the target machine as user ‘hackathonll.’ In the next step, we will explore the target machine to find our way to the root.
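From the defender's side, the password guessing in this step leaves a clear trail in the sshd authentication log. The following is an added example, not part of the original walkthrough: it flags a source that produces a burst of failed logins and records whether a successful login followed. The log lines, host name `ctf`, user `alice`, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log (not taken from the VM); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = "\n".join(
    [f"Feb 21 10:00:{s:02d} ctf sshd[811]: Failed password for hackathonll "
     f"from 192.0.2.10 port {40000 + s} ssh2" for s in range(1, 12, 2)]
    + ["Feb 21 10:00:13 ctf sshd[823]: Accepted password for hackathonll "
       "from 192.0.2.10 port 40013 ssh2",
       "Feb 21 10:05:00 ctf sshd[830]: Failed password for alice "
       "from 192.0.2.50 port 50001 ssh2",
       "Feb 21 10:05:20 ctf sshd[831]: Accepted password for alice "
       "from 192.0.2.50 port 50002 ssh2"])

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2022):
    """Alert on (source IP, user) pairs with >= threshold failures inside window.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2022 here).
    """
    failures = defaultdict(list)   # (ip, user) -> failure times still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        if m["kind"] == "Failed":
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(key, {"max_failures": 0, "login_after": False})
                alert["max_failures"] = max(alert["max_failures"], len(recent))
        elif key in alerts:
            # A success after a flagged burst means the guessing probably worked.
            alerts[key]["login_after"] = True
    return alerts

if __name__ == "__main__":
    for (ip, user), info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, user, info)
```

A single mistyped password followed by a good login (the `alice` lines) stays below the threshold and is not reported.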

Step 7

We started enumerating the target machine for vulnerable operating systems and kernel versions. For this, we used a few information-gathering commands, which can be seen in the following screenshot.

Command used:

<< cat /etc/issue >>

<< uname -a >>

After getting the target machine operating system and kernel information, we searched over the web for an available exploit for these versions. However, nothing useful could be found.

So, we explored the target machine; we used the ‘sudo -l’ command to check the current user privileges.

Command used: << sudo -l >>

In the command output, we found a utility that can be run as root through the current user. This can help us get root access.

Command used: << sudo /usr/bin/vim >>

In the above screenshot, we can see that we have run the ‘vim’ utility using sudo to initiate privilege escalation.

Command used: << :!/bin/sh >>

Now, in the file, we pasted the above shell command to get shell access to the target machine. This should do the job and provide us with root access to the target machine.

Command used: << id >>

As can be seen above, we are now logged into the target machine as root. This was confirmed by running the ‘id’ command. Let us search for the root flag and complete the CTF.

Command used: << cat flag2.txt >>

The flag file was in the current directory and was named ‘flag2.txt’. The flag file can be seen in the above screenshot. This completes the challenge as we have read both the flags and reached the target machine’s root. I hope you enjoyed this easy to intermediate level CTF. Stay tuned for more solutions, and keep practicing.
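The root cause in Step 7 is a sudo rule that lets an unprivileged user run an interactive editor as root. The following is an added example, not part of the original walkthrough: it audits `sudo -l` output for rules of that kind. The sample output, the host name and the `SHELL_ESCAPE` set are constructed for illustration, and the set is a small subset rather than a complete list.

```python
import os
import re

# Programs that can start a shell or run other commands from inside their own UI.
# Illustrative subset chosen for this example, not an exhaustive list.
SHELL_ESCAPE = {"vim", "vi", "less", "more", "man", "nano", "find", "awk"}

# Constructed `sudo -l` output; the walkthrough shows the real one only as a screenshot.
SAMPLE_SUDO_L = """\
User hackathonll may run the following commands on hackathon:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (root) /usr/sbin/service nginx reload
    (ALL : ALL) ALL
"""

# "(runas) TAG: TAG: command, command" as printed by `sudo -l`
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_rules(sudo_l_output):
    """Return (command, reason) pairs for rules that hand out a root shell."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header or blank line
        tags = set(re.findall(r"[A-Z_]+(?=:)", m["tags"]))
        for cmd in (c.strip() for c in m["cmds"].split(",") if c.strip()):
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((cmd, f"unrestricted: any command as {m['runas']}"))
            elif binary in SHELL_ESCAPE and "NOEXEC" not in tags:
                # NOEXEC stops the program from executing further commands;
                # sudoedit is the safer way to grant file editing.
                findings.append(
                    (cmd, f"{binary} can start a shell as {m['runas']}; "
                          "use sudoedit or the NOEXEC tag"))
    return findings

if __name__ == "__main__":
    for cmd, reason in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"{cmd}: {reason}")
```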


