Capture the flag (CTF)

Ripper: 1 VulnHub CTF walkthrough

This capture the flag (CTF) is an easy task to work on your pentesting skills.

Note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The steps

A summary of the steps required in solving this CTF:

1. Getting the target machine IP address by using the Netdiscover Utility
2. Getting open port details by using the Nmap Tool
3. Enumerating HTTP Service with Dirb and Dirbuster Utility
4. Enumerating another HTTP Port
5. Exploring RIPS and identifying passwords
6. Logging into SSH and reading the user flag
7. Identifying a vulnerability for local exploit
8. Logging into Webmin portal and identifying vulnerability
9. Exploiting Webmin through Metasploit and got Root Flag

So, now we have all the information that we need. Let us get started with the challenge.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

The walkthrough

Step 1

The first step to get started is to find the target machine's IP address. For this, we need to scan the active devices connected to our current network and identify the target machine's IP address. We used the Netdiscover tool for this purpose which is by default available in Kali Linux. We have downloaded and opened the target machine in a virtual box. [CLICK IMAGES TO ENLARGE]

Command used: <<netdiscover>>

The scan gave a few IP addresses connected to the network. We have blurred the details of other IP addresses. The target machine IP address can be seen highlighted in the above screenshot.

The target machine IP address is 192.168.1.23 for this CTF. Our attacker machine IP address for this CTF would be 192.168.1.20.

Please note: The target and attacker machine IP addresses may be different as per your network configuration.

Step 2

As we have the target machine IP address, let's find out the entry points into the target machine. The first step is to find out the open ports and services available on the device. We ran an Nmap full-port scan on the target machine for this purpose. The Nmap command used and the results of the scan can be seen in the following screenshot.

Command: <<nmap –p- -sV 192.168.1.23>>

The output of the Nmap shows that three open ports have been identified as open in the full port scan. Here, we used ''-sV'' option for version enumeration and ''-p-''to initiate a full port scan, which means that Nmap will include all 65535 ports in the scan. By default, Nmap conducts the scan only on known 1024 ports. So, it is essential to run the full port scan during the pentest or solving the CTF to get maximum output. However, in our case, we have found only three ports used for SSH, HTTP and another HTTP interface ob port 10000. So, in the next step, we will start with Port 80.

Step 3

Let us start by exploring the open port and services on the target machine. After opening the IP address in the browser, we found an application running on it, which can be seen in the below screenshot.

Unfortunately, we just got the default apache page. But as the port is open, there must be some application folder in the ''html'' directory. Let us run brute force to identify any hidden directories or files. We used the Dirb tool for this purpose. It is a very popular and efficient web application brute-forcing tool. The command used and the scan results can be seen highlighted in the below screenshot.

Command : <<netdiscover>>

As we can see above, we could not fetch much information by the scan; however, other options are available. So, we should give it another try. This time let's run a brute-force through the ''Dirbuster'' tool, which might take more time but is more efficient. The results can be seen in the screenshot that follows.

The Dirbuster scan provided us with some valuable results. With the help of the scan, we identified that there is a folder named ''rips'' available on the target machine. Let us open it into the browser.

We checked out the rips online and learned that RIPS is a source code analyzer that takes the path of the files and identifies the vulnerability. We do not know any way to scan, but we know the Apache default directory. So, let's start there and put /var/www/ in the file path and start the scan.

The scan got completed, and we found a few files in results in the ''/var/www directory but could not find any good lead which can be helpful to solve this CTF.

 

Step 4

As we know that there is another HTTP port available on the target machine, so let us start exploring port 10000. Since HTTP service is running on it, we opened it into the browser that can be seen below.

Here, we get an error message, but upon taking a close look, we found a URL to move forward from here. The site is running on HTTPS mode, so we have to open the URL with HTTPS. This can be seen below.

We tried some default usernames and passwords, which does not work. We checked the page HTML content where we found the Webmin version; this can be seen in the following screenshot.

As can be seen, highlighted above, the target machine has Webmin 1.9.10 installed. We did some research to identify a working exploit of this version. We found one Metasploit module, but it requires us to have the username and password. As we do not have the username and password, we cannot use this exploit. It seems that we reached a dead end.

Step 5

We decided to go back to the previous step, using RIPS to scan the ''var/html' folder. We again scanned the folder and started analyzing the identified files, each one by one. If we are lucky, we may find some helpful clues to get into the Webmin interface.

In the above files, there was an exciting file name ''secret.php''. We opened the source code of the file to check the contents, which can be seen below.

As can be seen, highlighted in the above screenshot, we found username and password in the ''secret.php'' file. It can be used either for SSH or Webmin login. Let us try the web login first.

Username: ripper

Password: Gamespeopleplay

Step 6

We tried the username and password for Webmin login, but it did not work there. Next, we tried the same on SSH.

Command used: << ssh ripper@192.168.1.23 >>

The credentials worked successfully on SSH login. Now we are logged into the target machine as user' ripper.'' Let us explore the target machine from here to find our way to the root.

Command used: << cat flag.txt >>

The first thing which we found after login is the user flag. We checked the current directory contents, and there it was named as ''flag.txt''. This can be seen in the above screenshot. Now, let us try to identify vulnerabilities and loopholes as the current user.

Step 7

Command used: << cat /etc/issue >>

      << uname -a >>

We searched the web for an available exploit and found some local exploits on the exploit DB website. For this, we started enumerating the target machine for identifying the OS and kernel version. But for some reason, this could not work. We resumed exploring various directories and files on the target machine to find further clues.

Command used: << cat secret.files >>

We found one more secret file during the enumeration. The file was named ''secret.file'' when we opened it using the cat command we found another password. The password can be seen below.

Password: Il00tpeople

We do not know where to use this password, so we took a note of it and resumed exploring different folders.

Command used: << su cubes >>

In the home directory, we found a folder named ''cubes.'' This meant another user named ''cubes'' on the target machine. We used the above password to log in as ''cubes'', and it worked!

Command used: <<< cat minister.log >>

We explored the folders available as user ''cubes'' and found the Webmin log file on the target server. We opened and read the file contents and finally found the password for the Webmin interface. The details are given below:

Username: admin

Password: tokiohotel

Step 8

So far, we have access to the target machine and read a flag file, but the goal is to gain root access. In this step, we will log in to the Webmin interface to find further vulnerabilities.

We got access to the dashboard of Webmin. We again did some research online and found a helpful exploit. The exploit website can be seen in the following screenshot. It also shows that this version of Webmin is vulnerable to remote code execution.

As we can see, it was a Metasploit module, and the website had detailed steps explained to successfully run the exploit. So, let us open Metasploit and get the root flag.

Step 9

Command used : << msfconsole >>

We opened the Metasploit console and selected the exploit by using the path given on the website. The exploit chosen can be seen below.

Command used:

<<use exploit/linux/http/webmin_packageup_rce>>

<< show options >>

In the below screenshot, we can see the details that are required to be provided to execute a successful exploit.

Command used:

• << set RHOSTS 192.168.1.23 >>
• << set PASSWORD tokiohotel >>
• << set USERNAME admin >>
• << set SSL true >>
• << show options >>

As seen in the commands above, we provided the target machine IP address as 192.168.1.23. After that, we entered the password of the Webmin interface and entered the username as admin. As the exploit runs on SSL, we selected that option as ''true''. Then, we used the show options command to verify that the changes have been successfully saved.

Command used:

<< exploit >>

<< id >>

Now, let's execute the exploit by using the ''exploit'' command. We checked the current user using the ''id'' command and found that we are now at root! As per the details provided on the exploit page, this should give us root access to the target machine.

Let us complete the challenge by reading the root flag. This was easily found in the root directory. The flag.txt file can be read in the below screenshot.

Command used: << cat /root/flag.txt >>

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

This completes the challenge hope it was an enjoyable exercise and fulfilled all the informative queries you had. Let me know in the comments, and stay tuned for further such exercises.

 

Reference:

• https://www.rapid7.com/db/modules/exploit/linux/http/webmin_packageup_rce/
• Ripper: 1 CTF, Vulnhub https://www.vulnhub.com/entry/ripper-1,706/
• Ripper: 1 CTF, Vulnhub https://download.vulnhub.com/ripper/Ripper.ova
• Ripper: 1 CTF, Vulnhub https://download.vulnhub.com/ripper/Ripper.ova.torrent