Capture the flag (CTF)


September 9, 2021 by LetsPen Test

Follow along as we solve this Capture the Flag (CTF) from Vulnhub. Download it here:

The CTF focuses on improving privilege escalation and CMS exploiting skills. There is one root.txt flag that should be read to complete the CTF. The difficulty level of this CTF is from easy to medium. Pre-requisites would be having some knowledge of Linux commands and the ability to run some basic pen-testing tools.

Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The steps

A summary of the steps required:

  • Getting the target machine IP address by running the VM
  • Getting open port details by using the Nmap tool
  • Enumerating HTTP service with Dirb Utility
  • Identifying pluck exploit
  • Identifying open ports through port knocking technique

So, now we have all the information we need, let’s get started with the challenge.

The walkthrough

Step 1

After running the downloaded virtual machine in the virtual box, the machine will automatically be assigned an IP address from the network DHCP. It will be visible on the login screen. The target machine’s IP address can be seen in the following screenshot. [CLICK IMAGES TO ENLARGE]

The target machine IP address is, and we will be using as an attacker IP address.

Note: The target machine IP address may be different in your case, as the network DHCP assigns it.

Unlike my other CTFs, this time, we do not require running the Netdiscover command to get the target IP address. The next step is to scan the target machine by using the Nmap tool.

Step 2

In this step, we will scan the target machine by using the popular port scanning tool Nmap. This is to find the open ports and services on the target machine and help us proceed further. The running command and the output of the Nmap scan can be seen in the following screenshot.

Command used: << nmap -p- -sV >>

In the highlighted area of the above screenshot, I used the -p- option, which tells Nmap to conduct the complete port scan. I have also used the -sV option. It will enumerate the version of the running service. We can see in the results that two ports are shown as open on the target machine. The HTTP port 80 is open through which the apache service is running, and. Port 22 is shown as “filtered.” The SSH service is running on the target machine. In the next step, we will start enumerating the FTP service.

Step 3

So, let’s start by exploring the open port and services on the target machine. We will start the enumeration via the HTTP port. After opening the IP address in the browser, we found an application running on it which can be seen in the screenshot given below.

We are redirected to a page without much info. So, we decided to enumerate the files and folders on the target application. For this purpose, we used the Dirb utility which identifies hidden files and folders in an application by brute-forcing common web application files and folders. The tool is by default available in Kali Linux. The scan command and results can be seen below.

Command used: << dirb >>

The scan generated massive output. We also identified that the directory listing was enabled on the target machine. Among the scan results, there was an interesting file that caught our attention. The file was named ‘admin.php,’ so let’s open this file into the browser.

As can be seen above, the admin.php file redirected us to a login page. The login page only required a password. First, we tried our luck with a few commonly known default passwords, but we weren’t that lucky. The login page mentioned a software named ‘pluck.’ We could also see the version information on the browser. In the next step, we will explore this utility and find further possibilities and vulnerable areas.

Step 4

We could find from the information provided on the login page that the installed version is 4.7.13. We researched over the web for an available exploit for this version. The very first google search results mentioned that it is vulnerable to remote shell upload vulnerability. We could find two exploits on the exploit-db website, which can be seen below.

We opened the URL to understand further how the exploit works and what all pre-requisites would be required. The exploit-db page can be seen below.

As we can see above, the exploit-db website shows a working file upload remote code execution exploit. However, it must be authenticated to successfully run the exploit as we know that there is a login page. So, let us make more efforts to enumerate and identify the login credentials.

We ran another hidden file and directory enumeration tool, which could help us identify two new directories, which can be seen in the following screenshot.

As can be seen, highlighted in the above screenshot, the scan identified two more directories: ‘planet’ and ‘/planet/travel.’ We opened the ‘/planet’ directory on the browser where directory listing was enabled. From there, we traversed to another sub-directory, ‘/travel.’ When we opened it on the browser, we got an exciting page which can be seen below.

However, there was no functionality or interesting details available on the page. So, we decided to analyze the HTML source of the page for more clues. The HTML source can be seen below.

We found a note hidden in the comments. The message is stated below for your reference.

“<!— here you can open portal and travel to proxima,the coordinate is? RA for open, Dec for close The proxima blackwhole portal……get coordinate from –!>”

The note seems like a hint, and it mentions some portal named ‘proxima.’ It also mentions some coordinates. Let us open these details on the browser to find further about the message. We searched the above-described coordinates and found the below search results from Google.

As per the hint, we have identified the Proxima Centauri coordinates. So, it could be the password of the admin page, or it might be the ports that are open in the network. First, we tried the above details as the password to log in on the login page of the target application. But this could not work on the login page. As the above information is given in the hint, we cannot ignore them. Let us put some more effort here. We decided to try the port knocking technique on the target machine to try these credentials on different ports.

Step 5

Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. As we know, port 22 is shown as filtered on the target machine. With the help of this technique, we can connect to the SSH port.

We searched and downloaded a Port knocking script from google. The script can be downloaded from the following GitHub repository.

Command used:

In the above screenshot, we used a few commands to complete the port knocking. We downloaded the script using the ‘git clone’ command from the Github repository. After that, we executed the script and provided the number of requests required to connect to all the available ports on the target machine. Once the script was run successfully, we checked the open ports by running the Nmap command.

In the Nmap results, we got a different output than we got in step 2. This time the status of port 22 is being shown as ‘open.’ This means that our port knocking technique was successful, and the port is now open for our network.

We do not know any username and passwords, so we left this information here for later use.

In the next part of this article, we will complete this CTF by using other methods to exploit the box. Until then, we encourage you to try to finish this CTF! There are enough hints given in the above steps.



Posted: September 9, 2021
Articles Author
LetsPen Test
View Profile

Leave a Reply

Your email address will not be published. Required fields are marked *