HACKER KID 1.0.1 VulnHub CTF Walkthrough Part 1
This capture the flag (CTF) is intermediate, and it is in OSCP style. The goal of the CTF is to gain root access to the target machine and read the flag files. The machine mainly focuses on enumeration with easy exploitation and does not require heavy brute-forcing. Prerequisites would be having some knowledge of Linux commands and the ability to run some basic pentesting tools.
The torrent downloadable URL is also available for this VM; it’s been added in the reference section of this article.
Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
A summary of the steps required in solving this CTF:
- Getting the target machine IP address by using arp-scan
- Getting open port details by using the Nmap Tool
- Enumerating HTTP Service with Dirb Utility
- Identifying vulnerability in running application
- Running brute forcing on parameter value
- Enumerating subdomains
Since we have all the information we need to start, let’s get started with the challenge.
The first step to solving any CTF is to identify the target machine’s IP address. Since we are running a virtual machine in the same network, we can identify the target machine’s IP address by scanning and identifying all the IP addresses in the network command. We used the Arp-scan tool for this purpose which is a default utility in Kali Linux. The output of the command can be seen in the following screenshot.
Command used: << arp-scan -i >>
In the above screenshot, we see that we have identified the IP address of all the devices connected to our router. Still, due to security reasons, we have hidden the MAC address of my personal connected devices. Our target machine IP address that we will be working on throughout this challenge is 192.168.1.7 (the target machine IP address). We will be using 192.168.1.13 as the attacker’s IP address, wherever applicable.
Note: the target machine IP address may be different in your case, as the network DHCP is assigning it.
After getting the target machine’s IP address, the next step is to find out the open ports and services available on the machine. We will use the Nmap tool for it, as it works effectively and is by default available on Kali Linux. The results can be seen below:
Command used: << nmap -sV -p- 192.168.1.7 >>
In the Nmap command, we used the ‘-sV’ switch for version enumeration. We also used the ‘-p-’ option for a full port scan. It tells Nmap to conduct the scan on all the 65535 ports on the target machine. By default, Nmap conducts the scan only on known 1024 ports. So, it is especially important to conduct a full port scan during the pentest or solve the CTF for maximum results.
We identified three open ports on the target machine. Port 80 and 9999 are being used for the HTTP service, and port 53 is being used for the domain service.
Let us start enumerating the target machine by exploring the HTTP port 80. We opened the target machine IP address on the browser. We found a response from the server that can be seen below.
In the above screenshot, we can see the target application opened up on the browser. There was a quirky message displayed on the home page and a few web pages. We explored all the pages available on the target application, but nothing useful could be found. Next, we decided to initiate a brute force scan for identifying web application hidden files and folders. We used the Dirb tool for this purpose which is by default available in Kali Linux. The scan commands and results can be seen in the following screenshot.
Command used: << dirb http://192.168.1.7 >>
From the Dirb scan, we identified a few folders available on the target application. We also got to know that the directory listing is enabled on the target application, making it easier for us to see the directory contents on the browser. We opened all the identified folders on the browser and checked the contents, but nothing of use could be identified.
We decided to conduct a more in-depth brute force scan to enumerate hidden files and folders on the target application. For this purpose, we used the OWASP Dirbuster tool, which is also available in Kali Linux by default, so we do not need to install it. The tool works more effectively than Dirb, but it is a bit more time-consuming. So, let’s start the scan and wait for the results.
The Dirbuster scan identified that there are two HTML files available on the target application. The files can be seen highlighted in the above screenshot. In the next step, we will explore these files and identify vulnerabilities.
We have identified two HTML files in the target application, so let’s open the files one by one on the browser to enumerate for vulnerabilities and loopholes. We opened the ‘app.html’ file on the browser, which does not give any useful information however, when we checked the HTML content of the same page, we got parameter name in the HTML comments as follows:
From the above hint, we understand that there are other pages that can be accessed in the target application. We need to use the get parameter ‘page_no’ to identify and access the other pages. So, we used the get parameter and provided ‘2’ as the parameter value to see if it works. The result can be seen below.
The above page seems similar to the home page. However, there is one hint which confirms that the trick worked. At the bottom of the page, another message is given that confirms that we are going in the right direction. So, now we know that to access further pages on the target application, we can provide any numeric value in the required get parameter. We decided to use Burp Suite to make our job easier.
In the next step, we will use burp to access all the available pages on the target application.
We opened the Burp suite and intercepted the request where we had added the ‘get’ parameter. After that, we transferred the request onto Burp Intruder, which can be seen below.
As can be seen above, we chose the parameter value as the only payload position. Now, we need to choose the payload values which will be inserted into the parameter value. We opened the payloads option to make the necessary configurations.
In the above screenshot, we can see the payload configurations in the burp window. In the payload sets tab, we choose a single payload set, and in the payload type option, we choose ‘numbers.’ In the payload options tab, we gave the numbers which burp intruders will attempt from 1 to 500. So, let’s start the Intruder scan by clicking the start button.
The intruder scan results can be seen in the above screenshot. We analyzed the results and found one request which loaded different size data. The parameter value for the request is ‘21.’ Let us open the web page on the browser to check the contents.
In the above screenshot, we can see another hint message displayed on the web page. The message says that there are many subdomains created on the server to access, and out of those, one such domain name is ‘hackers.blackhat.local.’ So, in the next step, we will access the web application behind this subdomain.
Let us start with adding the subdomain into our ‘etc/hosts’ file so that the browser understands that the subdomain belongs to the target machine’s IP address.
<< echo “192.168.1.7 hackers.blackhat.local” >> /etc/hosts >>
We used the ‘echo’ command to add the subdomain ’hackers.blackhat.local’ into the ‘etc/hosts’ file on our attacker machine. After that, we used the ‘cat’ command to verify that the changes had been updated into the file. Let us open the URL into the browser, which can be seen below.
As can be seen in the above screenshot, the subdomain points at the same target application that we have already enumerated. As per the hint message, we know that there are more subdomains. So, let us try to find other subdomains which are available on the target machine. We need to scan the target application for all the subdomains. Luckily, there is a utility in Kali Linux that can help us make our tasks easier. We will be running a ‘dig’ scan to scan on the target machine.
Command used: << dig hackers.blackhat.local @192.168.1.7 >>
The scan identified one more subdomain available on the target application. The subdomain is ‘hackerkid.blackhat.local’. So, let us follow the same step we did earlier to access the target application on the browser. We used the echo command to add the subdomain into our ‘etc’hosts’ file, which is seen below.
<< echo “192.168.1.7 hackerskid.blackhat.local.” >> /etc/hosts >>
After adding the subdomain into our host’s file, we confirmed the changes using the ‘cat’ command. We’ll open the URL into the browser to see the target application which is running here.
The subdomain pointed to a different application which seems to be the application that can help us take the root access of the target machine. There is a signup feature on the home page which seems interesting.
We will analyze and exploit this application in the next part of this article, complete further steps, and read the flag. Until then, I encourage you to try to finish this CTF. There are enough hints given in the above steps.