Capture the flag (CTF)

NYX 1: VulnHub CTF walkthrough

May 24, 2021 by LetsPen Test

This VulnHub capture the flag (CTF) is an entry-level challenge tasking users with finding a flag in a root folder, and then the rest of them. You should know some Linux commands and have the ability to perform basic pentesting.

Please note: I have used Oracle Virtual Box to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The steps

Here are the steps to complete this CTF:

  • Getting the target machine”s IP address by running the VM
  • Getting open port details by using the Nmap tool
  • Enumerating HTTP Service with Dirb utility
  • Logging in through SSH credentials
  • Getting the root access and reading the flag

The walkthrough

Step 1

The first step is to identify the target machine”s IP address. Since we are running a virtual machine in the same network, we can identify the target machine’s IP address by running the netdiscover command. However, for this CTF, we do not need to run “netdiscover,” as the IP address was automatically assigned by the DHCP and visible on the login screen as follows. [CLICK IMAGES TO ENLARGE]

We have the target machine’s IP address on the welcome screen of the target machine. The target machine’s IP address is 193.168.1.26.

Note: The target machine’s IP address would be different in your case as it is being assigned by the DHCP.

Let’s explore all the entry points into the target machine from where we can start identifying weaknesses in the system to gain root access. In the next step, we will be running a port scan on the target machine.

Step 2

For this, we have decided to run an “Nmap” scan, which is an extremely popular port scanning tool and available in Kali Linux. The Nmap scan command and results can be seen in the following screenshot.

Command used: << nmap 192.168.1.26 -p- -sV >>

The Nmap output shows two ports on the target machine that have been identified as Open. In the Nmap scan, we used the “-sV” switch for version enumeration. We also used the “-p-“ option for a full port scan. It tells Nmap to conduct the scan on all the 65535 ports on the target machine. By default, Nmap conducts the scan only on known 1024 ports. So, it is especially important to conduct a full port scan during the pentest or solve the CTF for maximum results.

However, in our case, two ports have been identified as open during the scan in which port 22 is being used for SSH, and port 80 is being used for HTTP.

So, in the next step, we will start with the HTTP port 80.

Step 3

Let us start enumerating the target machine through port 80 by running the IP on the browser.

As we can see on the browser screen, there is just an image available. We could not find any other functionality to proceed further. Let’s run a quick “dirb” scan to find any hidden files and directories. This can be seen in the below screenshot.

Command used: << http://192.168.1.26/ >>

We found only two files from the “dirb” scan, both without any information. We decided to run another directory brute-forcing tool, “DirBuster.” This may provide us some useful results. The scan output can be seen below.

In the DirBuster scan results, we found one file to which the server responded positively. Let us open the identified file, “key.php,” on the browser. This can be seen in the following screenshot.

As we can see above, there is an input field asking for a key. Check the input field thoroughly for vulnerabilities. There are none. It could be possible that after entering the key we would be able to get further access to the web application. But for now, let us try harder to find the key.

Command used: << nmap 192.168.1.26 -p 80 –script=http-enum >>

We tried to use a few Nmap scripts to enumerate the HTTP port further. After some time, we found a filename in the Nmap results, which can be seen highlighted in the above screenshot. We opened the file on the browser and found a private key. This can be seen in the following screenshot.

URL: http://192.168.1.26//d41d8cd98f00b204e9800998ecf8427e.php.

As can be seen above, this seems to be an SSH key for authentication; however, we do not know any valid usernames on the target machine. We started looking for further clues and found the username in the HTML content of the web page. This can be seen in the following screenshot.

As can be seen in the highlighted area of the above screenshot, we found a valid username, “mpampis,” on the target machine. We also have the private key. So, in the next step, we will be using these credentials to log in to the machine.

Step 4

So far, we have the SSH username, port number and key for authentication. Let us save the private key on our attacker machine to use for SSH authentication. We saved the private key as “key” on the attacker machine, which can be seen below.

Command used: << cat >> key >>

As we can see, the file “key” has been saved on the attacker machine. Set the key permission to 400 with the help of chmod command. Let’s log in to the target machine as follows.

Command used: << ssh mpampis@192.168.1.26 -i key >>

As we can see in the above screenshot, the SSH login was successful, and we are now logged into the target machine. Let us check the privileges of the user. We will be using id command for it. The output of the id command can be seen in the below screenshot.

Command used: << id >>

As we can see we are logged in as user “mpampis,” which is not a root user. As per the author of this CTF, the target is to get the root. So, in the next step will try to get the root access.

Step 5

So far, we have limited access on the target machine. Now let us utilize this user access to gain further user privileges. First of all, let us gather information about the running operating system and kernel versions.

Command used:

  • << uname -a >>
  • << cat /etc/issue >>

As can be seen in the above screenshot, we used the “uname –a” command for identifying the version information and read the “etc/issue” file for more information. We researched the web for an available exploit for these versions, but nothing could be found to help us gain further privilege. We ran the “sudo –l” command to check current user privilege, the result can be seen in the screenshot given below.

Command used: << sudo -l >>

In the above screenshot, we can see that the user “mpampis” can run the “gcc” utility as root. Let us execute the gcc through sudo to gain root access. This can be seen below.

Command used:  << sudo gcc –wrapper /bin/sh,-s . >>

As we ran this, the system granted the root access of the target machine. The current user was verified using “id” command and it confirmed that the current user has changed to “root.” Now, let us identify the root flag and complete the challenge.

Command used: << cat /root/root.txt >>

As we can see above, we found a “root.txt” file in the current directory. We used the cat command to read the content of the file, but the file was empty. We verified the same by checking the file size by using the ls -l command. This completes the challenge.

 

Sources:

Nyx:1, VulnHub (hyperlink to first part before comma, https://www.vulnhub.com/entry/nyx-1,535/)

Nyx:1 (download), VulnHub https://download.vulnhub.com/nyx/nyxvm.zip

Nyx:1 (torrent), VulnHub https://download.vulnhub.com/nyx/nyxvm.zip.torrent

Posted: May 24, 2021
Articles Author
LetsPen Test
View Profile

Leave a Reply

Your email address will not be published. Required fields are marked *