NASEF1: LOCATING TARGET VulnHub CTF Walkthrough
Muhammad Nasef’s capture the flag (CTF) is one made for entry-level users. The target of this CTF is to get to the root of the machine and read one user flag.
Download the CTF here:
You can download the machine and run it on VirtualBox. The torrent downloadable URL is also available for this VM and added in the reference section of this article.
For those who are not aware of the site, VulnHub is a well-known website for security researchers which aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. There are many other challenging CTF exercises available on vulnhub.com. I highly suggest attempting them, as it is an excellent way to sharpen your skills and learn new techniques in a safe environment.
Please note: For all these machines, I have used Oracle VirtualBox to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
The summary of the steps required in solving this CTF is given below:
- Getting the target machine IP address by Netdiscover
- Getting open port details by using the Nmap Tool
- Enumerating HTTP Service with Dirb and Dirbuster
- Cracking the Password with John the Ripper
- Logging in into SSH and Reading User Flag
- Getting the Root
So, now we have all the information that we need. Let us get started with the challenge.
The first step to get started is to find the target machine’s IP address. For this, we need to scan the active devices connected to our current network and identify the target machine’s IP address. We used the netdiscover tool for this purpose which is by default available in Kali Linux. We have downloaded and opened the target machine in a virtual box. [CLICK IMAGES TO ENLARGE]
Command used: <<netdiscover>>
The scan gave a few IP addresses connected to the network; we have blurred the details of other IP addresses. The target machine IP address can be seen highlighted in the above screenshot.
The target machine IP address is 192.168.1.30 for this CTF. Our attacker machine IP address for this CTF would be 192.168.1.20.
Please note the target and attacker machine IP addresses may be different as per your network configuration.
As we have the target machine IP address, let’s find out the entry points into the target machine. The first step is to find out the open ports and services available on the device. We ran an Nmap full-port scan on the target machine for this purpose. The Nmap command has been used, and the scan results can be seen in the following screenshot.
Command: <<nmap –p- -sV 192.168.1.23>>
Here, we used ‘-sV’ option for version enumeration and ‘-p-‘to initiate a full port scan, which means that Nmap will include all 65535 ports in the scan. By default, Nmap conducts the scan only on known 1024 ports. So, it is essential to perform the full port scan during the pentest or solving the CTF to get maximum output. The output of the Nmap shows that three open ports have been identified as open in the full port scan. However, in our case, we have found only two ports used for SSH and HTTP services.
In the next step, we will start with Port 80.
Let’s start by exploring the open port and services on the target machine. After opening the IP address in the browser, we found an application running on it, which can be seen in the below screenshot.
We just got the default apache page, but there must be some application folder in the HTML directory since the port is open. Let’s run brute-force to identify any hidden directories or files. We used the dirb tool for this purpose – it is a very popular and efficient web application brute-forcing tool. The command used and the scan results can be seen highlighted in the below screenshot.
Command : <<dirb http://192.168.1.30/>>
As we can see above, we could not fetch much information by the scan. However, there are other options available, so let’s give it another try. This time, we’ll run the brute-force through the ‘Dirbuster’ tool, which might take more time but is more efficient. The results can be seen in the screenshot that follows.
The Dirbuster scan provided us with some valuable results. With the help of the scan, we identified a text file on the target application. The text file is named gootmath.txt. Let’s open it into the browser.
We can see the text file opened on the browser. This is a private key, and at the end of the key, a user on the target machine named agentr. As we already know, port 22 is also open on the target machine, which is used for the SSH service. Let’s try to log in to SSH using the private key.
For this, we need to first save the private key on our attacker machine. The key can be seen below for reference-
—–BEGIN RSA PRIVATE KEY—–
Proc-Type: 4, ENCRYPTED
—–END RSA PRIVATE KEY—–
We saved the private key and named it ‘key.’ After this, we provided the executable permission to use it to log in to SSH. This can be seen in the following screenshot.
Command used: << cat >> key >>
In the above screenshot, we verified the file contents by using the cat command. Let’s now log in to SSH.
Command used: << ssh email@example.com -i key >>
As can be seen above, our efforts were in vain. The SSH login was not successful. As we know from the hint, this is the private key for login, but the target system is asking for a passphrase which we currently do not know. Let’s try some other techniques to log in to SSH successfully.
In this step, we will try to identify the passphrase using a password-cracking technique. We used an online utility that accepts the key file as an input and generates the password hash, which can be seen below.
After creating the password hash, we copied it into the text file again using the cat command.
Command: cat >> key_hash
In the above screenshot, we can see the hashed private key, which has been saved as ‘key_hash’ on our attacker machine. Now, let’s try brute-forcing the passphrase using the john utility, which is by default available in Kali Linux. We used the default wordlist to brute-force the password, which is given below.
Command used: << john key hash –wordlist=/usr/share/wordlists/rockyou.txt >>
The scan took some time to complete, but it provided us the passphrase of the private key after some time. The identified passphrase is- ‘reading.’ So, we have all the required details now; in the next step, we will log in to SSH.
We changed the file permissions of the private key and used it for SSH login. The command used can be seen in the following screenshot.
- << chmod 600 key >>
- << ssh -i key firstname.lastname@example.org >>
In the above screenshot, we can see that the SSH login was successful this time, and we are now logged into the target machine as user’ agentr.’ Now, let’s explore the target machine to look for further clues and loopholes which could help us get the root.
Command used: << cat user.txt >>
While checking various files and directories, we found the very first flag. The flag file can be read in the above screenshot and was named as ‘user.txt.’
Until now, we have gained user access to the target machine and also read the user flag. As we already know from the description of the CTF, there are only two flags. So, let’s get root access to the target machine and read the root flag to complete the CTF.
- << cat /etc/issue >>
- << uname -a >>
After being logged in, we first enumerated the target machine to identify the operating system and kernel version information. This can be seen in the above screenshot. We searched the internet to find a working exploit for the available versions but found none. We kept on enumerating the target machine for further weaknesses.
Command used: << ls –l /etc/passwd >>
We found a permission misconfiguration flaw on the target machine, which allowed us to edit the ‘/etc/passwd’ file.
As we already know, the ‘etc/passwd’ file contains passwords for all the available users on the server. We can modify the file to gain root access.
Command used: << vi /etc/passwd >>
We opened the ‘vi’ editor and removed the ‘x’s from the root user. This will directly allow us to sudo into root without requiring any password.
Command used: << su >>
As can be seen above, we used the su command to escalate user privilege, and the target system did not ask for any password. We verified the current used by using the id command and it confirms that we are now logged in as root. Let us find the root flag and read the file to complete the CTF.
Command used: << cat root.txt >>
The root flag was placed in the root directory on the target machine. In the above screenshot, we can read the root.txt file.
This completes the challenge.