Capture the flag (CTF)

LazyAdmin: CTF walkthrough

Today’s Capture the Flag (CTF) walkthrough will be performed via TryHackMe, a platform in which you can set up CTF machine over the cloud and access using OpenVPN network or by using your browser as a Kali Linux terminal.

In this article, we are going to learn and talk about a new CTF hosted by TryHackMe with the machine name LazyAdmin.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

What is TryHackMe?

TryHackMe makes the entire process of both teaching and learning cybersecurity a lot easier. As a student, you can join rooms in different areas of security, learn practical skills about these areas and build amazing skill sets. Traditionally, it’s been a pain to set up teaching material and keep track of users' progress.

Creating rooms makes it easier for anyone (both casually and professionally) to teach cybersecurity classes. With a click of a button, you can make your own material available to students, and easily check up on how well they are doing with the class. TryHackMe allows you to set up CTFs, workshops, assignments or assessments with its user-tracking functionality.

The walkthrough

Once you are ready with your setup and got the machine details, let's kick off with enumeration as our first step in penetration testing. Enumeration is required to learn about the target, such as what services/port is running/open over a machine.

There are several tools available over the internet to enumerate or map network services. We’ll use NMAP (Network Mapper) with its multiple scripting engine script and technique to do the job.

Nmap is a free and open-source network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides several features for probing computer networks, including host discovery and service and operating system detection

For enumeration: to get to know about what the target is all about, let’s do an Nmap scan. We’ll do a top 100 port scan to get the results faster with the help of the below command: [CLICK IMAGES TO ENLARGE]

Command: nmap –top-ports 100 10.10.234.155

The scan result shows two ports (22 and 80) are open. After this, we’ll go for a heavy scan on open ports to know more about the services with the help of the command below.

Command: nmap -sV -sT -O -A -p 22,80 10.10.234.155

Let’s have a quick look at port 80. Interesting, port 80 is running with the Apache2 default page, which tells us this is a default installation.

To further enumerate, let’s run the Dirbuster to get the directories. Dirbuster is a penetration testing tool that is used to brute-force directories and file names on web and application servers.

Command: dirbuster http://10.10.234.155

Ah, we got some directories in the result. Let’s check those out.

We got a directory named /content, so we checked the directory by browsing it.

SweetRice seems an interesting word. We have tried SweetRice as a directory, but nothing worked out. We then tried SSH username and password, but … no luck.

We decided to try harder and Google “SweetRice”, and we got a lot of references.

I checked the Exploit-dB link and got a working exploit.

Searching the recommended directory:

Notice the mysql_backup file is downloadable. We have downloaded and checked the file to see if some useful information is available to proceed further.

On the downloaded file, we got the username and password but the password is in hash format.

With the help of the online rainbow table, let’s use the online hash cracker website to see the password. We have tried the same username and password as SSH, but again, no luck.

In our Dirbuster scan results, we got other directories as well like /content/as which has a login page and /content/inc.

I tried to log in with the username and password we have, and bingo! After logging in, click on Ads. Notice that it allows you to add script. Let’s use this to get the reverse connection.

Click “Done” to upload t he shell and start the Netcat listener.

Now click on our reverse shell (evil_shell.php) to get started.

Now the Netcat connection has been established.

We have to look around for files and got find the user.txt file that contains the first flag.

Bingo!

Now we need to get the root.

Let’s check for the permissions we have with the current user.

Command: sudo -l

Hmm, backup.pl. Let’s check what is inside the backup.pl file.

Basically, we have a script that executes another script. That script appears to have a reverse shell. And that second script is writable to us as the following:

Edit the script with your system IP and port number you have set up listen:

Now start another Netcat listener on port 5554.

Run the Perl backup.pl script.

Netcat connection has been established as the script got executed.

We are root now!

Command: whoami

Now look around the files available.

Got the second flag in the root.txt file. We did it!

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

Stay tuned for another CTF writeup soon.