Capture the flag (CTF)

SO SIMPLE 1: CTF walkthrough

In this article, we will solve a capture the flag (CTF) challenge that was posted on the VulnHub website by an author named Roel. As per the description given by the author, this is an easy- to intermediate-level CTF with some rabbit holes. The target of the CTF is to get the root access of the machine and read the flag files. You can check my previous articles for more CTF challenges.

I have provided a downloadable URL for this CTF. You can download the machine and run it on VirtualBox. The torrent downloadable URL is also available for this VM and has been added in the reference section.

For those who are not aware of the site, VulnHub is a well-known website for security researchers which aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. There are a lot of other challenging CTF exercises available on VulnHub and I highly suggest attempting them, as it is a good way to sharpen your skills and learn new techniques in a safe environment.

Please note: For all these machines, I have used Oracle VirtualBox to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

The steps

The summary of the steps required in solving this CTF are given below:

1. Get the target machine IP address by running the Netdiscover utility
2. Scan open ports by using the Nmap scanner
3. Enumerate HTTP service with Dirb
4. Brute-force on the WordPress login page
5. Exploit remote code execution vulnerability
6. Enumerate and get root access

The walkthrough

Step 1

After running the downloaded virtual machine, the machine will automatically be assigned an IP address from the network DHCP and be visible on the login screen. The target machine IP address can be seen in the following screenshot: [CLICK IMAGES TO ENLARGE]

The target machine IP address is 192.168.1.103 and we will be using 192.168.1.101 as an attacker IP address.

Note: The target machine IP address may be different in your case, as it is assigned by the network DHCP.

Unlike my other CTFs, this time we do not need to run the netdiscover command to get the target IP address. The next step is to scan the target machine by using the Nmap tool.

Step 2

In this step, we will scan the target machine by using the popular port scanning tool Nmap. This is to find the open ports and services on the target machine and will help us to proceed further. The running command and the output of the Nmap scan can be seen in the following screenshot:

Command used: nmap -p- -sV 192.168.1.103

The Nmap output shows two ports on the target machine that have been identified as Open. In the nmap command, we used the -sV switch for version enumeration. We also used the -p- option for full port scan. It tells Nmap to conduct the scan on all 65,535 ports on the target machine. By default, Nmap conducts the scan only on known 1,024 ports. So, it is especially important to conduct a full port scan during the pentest or CTF for maximum results.

However, in our case we have found only two ports. The first one is being used for SSH and the second one is being used for HTTP. In the next step, we will start with the HTTP port 80.

Step 3

Let’s start by exploring the open port and services on the target machine. We decided to start with the HTTP port. After opening the IP address in the browser, we found that there was an application running on it, which we can see below:

In the above screenshot, we can see the default page which does not have any useful information. We decided to enumerate this by using the Dirb tool to identify the internal files and directories. The scan results can be seen in the following screenshot:

Command used: dirb http://192.168.1.103

In the above highlighted area, we can see the WordPress directory identified by the tool. We opened the directory in the browser, which can be seen in the following screenshot.

As this was a WordPress website and we all know that WordPress is a highly vulnerable CMS if the components and plugins are not updated on a regular basis, we decided to identify and explore vulnerabilities on the website. We used the WPScan tool to enumerate the website, which is available in Kali Linux by default. The running command and scan results can be seen below.

Command used:

wpscan --url “http://192.168.1.103/wordpress” --enumerate

In the above screenshot, we ran the WordPress scanner, which took some time to complete the scan and generated a large output. We analyzed the scanner result and got to know some valid users are identified by the scanner, which can be seen in the below screenshot.

We have found the user’s admin and max on the WordPress site, but we didn’t find the password. To get the password, let’s try brute-forcing authentication using a wordlist. We will do it in the next step.

Step 4

We can now go ahead and try to brute-force the password. Here, we used a dictionary available in Kali Linux to brute-force the password. It took some time to complete but when it completes, it shows the cleartext password. This can be seen in the highlighted area of the following screenshot.

To brute-force this website, we are using rockyou.txt wordlist file.

Command used:

wpscan  -–url  http://192.168.1.2/wordpress/  -U max -P /usr/share/wordlists/rockyou.txt

In the highlighted area of the above screenshot, we can see that max has successfully brute-forced the password along with plugin on the target website. The plugin may contain vulnerabilities that could help us to find our way further towards our goal plugin on the target website.

Let’s log into the WordPress admin login with the idented credentials, which can be seen the below screenshot.

• Username: max
• Password: opensesame

After providing credentials and hitting the submit button, we have entered Max’s profile. We checked if can we upload a shell from here to get the command access of the target machine, but it does not work.

Step 5

During the enumeration, we also got some vulnerable plugins, so let’s try to identify the vulnerabilities in plugins. We searched the plugin version on Google and got a remote code execution exploit for the installed plugin, which can be seen in the below screenshot.

We checked the exploit and found that there are some steps which need to be followed to successfully execute the exploit.

 

Command used: nano simple.txt

As per the steps given in the Exploit-DB website, we created a text file with the reverse connection payload which can be seen in the highlighted area of the above screenshot. Now our payload is ready, but before running it, we start the Python server, which can be seen in the following screenshot:

Command used: python3 -m http.server 80

After setting up the Python server, we started NetCut on our attacker machine and configured it to listen to incoming connections on the 4444 port. We hit the URL as per the details given in the Exploit-DB website, which gives us the reverse connection of the target machine.

Command used: nc -lvp 4444

Now we have the command shell of the target machine. However, it is not the root access. So, in the next step, we will enumerate it further to get the root access.

Step 6

Till now, we have the limited shell access on the target machine. In order to get the root access, we enumerated the operating system and running kernel version, which can be seen in the following screenshot:

Command used:

• uname -a
• cat /etc/issue

As can be seen in the above screenshot, first we used the uname -a command, which gives the running kernel version information. After that, we used cat /etc/issue, which tell us the running operating system version. After getting this information, we searched for the local exploit but did not get a working exploit.

During the directory enumeration, we got two usernames, max and steven, which can be seen in the below screenshot.

Command used: cd /home

Since we already know the password of the max user, we tried the same password to log in as max. It didn’t work, but we found some keys, which can be seen in the following screenshot.

Command used: su max

We downloaded the identified keys into our attacker machine and used this key to log in as user Max, which can be seen in the following screenshot:

Command used: ssh max@192.168.1.103 -i id_rsa

Now we have the access of user Max, but it is still not the root user. We did some more enumeration and found some interesting files, which can be seen in the below screenshot.

Command used: ls -la

In this above screenshot, we have run the ls -la command and got multiple files and directories. We tried to read each file one by one and got an encoded message, which seems to be Base64 encoding. We tried to decode that message but got a message: “It’s not that easy.”

After that, we checked for the sudo permission of the max user. The output of the command shows that /user/bin/service can be used by “steven.” We again search it on Google and got to know that can be used, and escalate the privileges as follows:

Now let’s use this command with the steven user to escalate the privilege:

Command used: sudo -u steven /usr/sbin/service ../../bin/sh

In the above screenshot, we can see that we have successfully logged in into the target machine as user “steven”. We used the whoami command to verify the same.

During the enumeration, we found the user2 flag and read it by using the cat command, which can be seen below.

Command used: cat user2.txt

Now, we are able to read the user flag. However, our target was to get the root access, and steven is also not the root user. So, we again run the sudo -l command, which shows that there is a script which can be run as root user. It can be seen below:

Command used: sudo -l

We tried to check the file server-health.sh but it was not found in the mentioned folder. So, we created a folder called “tools,” put the simple reverse shell command and saved it as server-health.sh so that we can run it as root, which can be seen in the below screenshot.

Command used: sudo -u root /opt/tools/server-health.sh

After creating the file, we again used the sudo command to run this script, which gives us the root access of the target machine. Now we can read the root flag file:

Command used: cat flag.txt

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

This completes the CTF! I hope you enjoyed completing this challenge with us.

Stay tuned for many more examples of CTF solutions to come.

 

Sources

• SO SIMPLE: 1, VulnHub
• Download So Simple: 1, VulnHub
• Download So Simple: 1, VulnHub (torrent)
• WordPress Plugin Social Warfare < 3.5.3 - Remote Code Execution, Exploit Database
• .. / service, gtfobins.github.io