Capture the flag (CTF)

Presidential: 1 CTF walkthrough part 1

Information shared in this article is intended for educational purposes only. Infosec and the author are not responsible for nefarious actions associated with the information shared in this article. 

Let's solve a Capture the Flag (CTF) challenge that was posted on the VulnHub website by an author named "Thomas Williams." Here's a description of the challenge from Williams:

“The Presidential Elections within the USA are just around the corner (November 2020). One of the political parties is concerned that the other political party is going to perform electoral fraud by hacking into the registration system and falsifying the votes. The state of Ontario has therefore asked you (an independent penetration tester) to test the security of their server to alleviate any electoral fraud concerns. Your goal is to see if you can gain root access to the server — the state is still developing their registration website but has asked you to test their server security before the website and registration system are launched.”

You can check out my previous articles for more CTF challenges. I have also provided a downloadable URL for this CTF:

• https://download.vulnhub.com/presidential/Presidential.ova

You can download the machine and run it on VirtualBox. The torrent downloadable URL is also available for this VM and has been added in the reference section of this article.

For those who are not aware of the site, VulnHub is a well-known website for security researchers to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. There are a lot of other challenging CTF exercises available on vulnhub.com and I highly suggest attempting them, as it is a good way to sharpen your skills and learn new techniques in a safe environment.

Please Note: For all these machines, I have used Oracle Virtual Box to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

Summary of the steps

There are several steps needed to solve this CTF:

• Get the target machine IP address by running the VM
• Get open port details by using the Nmap tool
• Enumerate HTTP service with Dirb
• Identify Subdomain
• Log in to phpMyAdmin and find the exploit

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

The walkthrough

Step one

The first step to start any CTF is to identify the target machine's IP address. Since we are running a virtual machine in the same network, we can identify the target machine's IP address by running the netdiscover command. The output of the command can be seen in the following screenshot:

Command used: << netdiscover >>

Above, we have the IP addresses of all the devices connected to our router. Due to security reasons, we have hidden the MAC address of my personal connected devices. The virtual machine IP address that we will be working on throughout this challenge is 192.168.1.14 (the target machine IP address). We will be using 192.168.1.18 as the attacker IP address.

Note: The target machine IP address may be different in your case, as it is being assigned by the network DHCP.

Step two

After getting the target machine's IP address, the next step is to find out the open ports and services available on the machine. We will use the Nmap tool for it, as it works effectively and is by default available on Kali Linux. The results can be seen below:

Command used: << nmap 192.168.1.14 -sV -p- >>

The Nmap output shows two ports on the target machine that have been identified as open. In the Nmap command, we used the "-sV" switch for version enumeration. We also used the "-p-" option for a full port scan. It tells Nmap to conduct the scan on all the 65535 ports on the target machine. By default, Nmap conducts the scan only on known 1024 ports. So, it is especially important to conduct a full port scan during the pentesting or solving the CTF for maximum results.

However, in our case, we have found only two ports, in which the first one is being used for HTTP and the second one is being used for SSH which is running on port 2082. So, in the next step we will start with the HTTP port 80.

Step three

We opened the target machine's IP address on the browser to see the web application. It can be seen in the following screenshot.

As per the description given by the author, the presidential election website is running on our target machine. We checked the website and it looks like a static website, so we ran the dirb utility to identify the hidden files and directories. The output of the dirb can be seen in the following screenshot:

Command used: << dirb http://192.168.1.14 >>

The output of the dirb utility does not give any good information which can help us to solve this CTF, so we ran another enumeration tool, Gobuster. The output of the Gobuster can be seen in the following screenshot:

Command used:

<< gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.1.14/ -x php,php.bak -t 50 >>

As can be seen in the above screenshot, the tool has identified a config.php.bak file. It means we can open this file into the browser to see its content, seen below:

We opened the file into a browser that shows the database credentials. As we know the SSH port was open, we tried the same credentials, but it does not work.

Step four

We know the database credentials from the previous step, so we tried to identify the phpMyAdmin but were not able to identify it. After spending some time, we observed that the domain name which was mentioned in the home page email ID (seen in the highlighted area of the above screenshot).

From the email ID, we got some clue that might be the case that subdomains are configured in this machine so we made the changes in the /etc/host file to see if the application is running on the identified domain name.

Command used: << echo “192.168.1.22 votenow.local” >> /etc/hosts

As can be seen in the above screenshot, we used to echo command to edit the host's file, and after that, we used the cat command to verify the changes. The output of the cat command shows that our changes are added in the host's file. So, let’s open the browser to see if it is working on the domain or not.

As can be seen in the above screenshot, our theory is currently that our target application is running on the domain. So, there might be a change that multiple domains would be running on this. To enumerate the other domain, I used another automated utility to identify the domain. The running command and the output of the tool can be seen in the following screenshot:

Command used:

<< wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -H "HOST: FUZZ.votenow.local" --hw 854 --hc 400 -t 100 192.168.1.22 >>

The output of the tool shows that there is another domain name, datasafe, available in our target machine, so let’s configure it first into the host file, which can be seen in the below screenshot:

Command used:

<< echo “192.168.1.22 datasafe.votenow.local” >> /etc/hosts >>

We again used the echo command to add the domain name into the file and we verify the same by using the cat command. Now, let’s open the newly identified domain into the browser to see this content.

• Username: votebox
• Password: casoj3FFASPsbyoRP

The running website shows phpMyAdmin running here. And we already know the database username and password from step three. So in the next step, we will log into phpMyAdmin.

Step five

As we already know the username and password of the phpMyAdmin, I have logged in into the phpMyAdmin, which can be seen in the below screenshot:

We checked the available database for any useful information but did not get anything. After that, we observed that an older version of phpMyAdmin was configured on the target machine, which can be seen in the highlighted area of the above screenshot. Since the older version was running, we searched the vulnerabilities and exploit on Google and the first result shows some vulnerabilities and their exploits, which can be seen in the following screenshot:

As can be seen in the highlighted area of the above screenshot, a local file inclusion vulnerability was reported in the phpMyAdmin, which is running on our target machine. Let’s open the exploit, which we can see below:

The exploit shows a URL with the payload, which can be used to exploit the local file inclusion vulnerability. The exploit also shows how can we use local file inclusion vulnerability for code execution. Before going into the details of code execution, let’s first try to read the /etc/passwd file by exploiting the local file inclusion vulnerability, which can be seen in the below screenshot.

The highlighted area of the above screenshot shows /etc/passwd file as the output of the HTML page.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

So, until now, we found the username and password, then we enumerated the phpMyAdmin and exploited it to read the internal files.

In the next part of this CTF, we will use this vulnerability for remote code execution.

Until then, we encourage you to try to finish this CTF! There are enough hints given in the above steps.

 

References

• https://www.vulnhub.com/entry/presidential-1,500/
• https://download.vulnhub.com/presidential/Presidential.ova
• https://download.vulnhub.com/presidential/Presidential.ova.torrent