A beginner level easy Capture The Flag(CTF) that challenges beginners to solve variety of tasks using available tools and hacking into a server to steal data. In this post, a course task from HackerU : RED Team Pentester, I will show the steps followed to get the flag.

Basic Checks to be performed before attacking the machine.

1.Power on the Target Machine and make a note of the IP address.

2.Start your Kali Virtual Machine.


Let’s start with nmap scan

-A: aggressivescan :basically it runs scripts for common things so you can better understand what you can find useful and what is useless.

sV : version detection:great for searching exploits related to that version of the running services

Pn:Treat all hosts as online:skip host discovery

sC: equivalent to script=default

You can type “ man nmap “ view summary options.

# nmap -A -sCV -Pn <Target Machine IP>

Discovered three (3) open ports. FTP, SSH and HTTP running on Operating System Linux.

FTP Port is “Anonymous” login.

Let us enumerate the server with gobuster directory search.

gobuster dir -u http://<Target Machine IP> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -x .php,.txt,.js,.html

gobuster resulted in the following directories :

  1. robots.txt
  2. /secret

Open the url in the browser.

# <Target Machine IP>/secret

Only an Image is loaded and nothing avaialble in the page source code.

FTP to the machine and you’ll find the “lol.pcap” file.

# ftp <Target Machine IP>

Provide the anonymous username and password. Once the login is successful , type # dir and you will find the lol.pcap file. Download to your kali attacker machine and analyse it using wireshark.

In the FTP prompt type # get lol.pcap

Once the transfer is successful, go to attacker Kali terminal and check if the file is avaialble.

Open wireshark and open the pcap file. Sort by protocol and understand what are the contents and if something catches your attention.

You will notice three entries “FTP-DATA”.

Go to wire-shark and apply filter ‘ftp-data”.

# ftp-data

After filtering, you can find three(3) entries. Inspect all the entries and in one of the entry , it might be a possible web directory.

Highligth the row, right click and navigate to Follow>TCP Stream.

Let us explore the web directory and figure out what it indicates.

<Target Machine IP>/<Directory Name>

There is a file in the web directory. Download the file. Open terminal and check out the file type.

file <filename>

It is an 32 bit executable and seems a dead end. Use the strings function in linux to figure out the contents. In Malware Analysis , you will use the strings function to view the hard coded values of an executable file.

In the output, if you carefully look at each line item , you will an address which seems to be a directory. I explored the directory and found indeed it gives two sub-directories as shown in the below image.

# <Target Machine IP>/<Directory Address>

In one of the folders Good_Luck , you will find a text file with list of usernames. In the other folder, the folder name was this_folder_contains_the_password and inside the directory you will find pass.txt. Could pass.txt be the password or the content inside the pass.txt could be the password. I must admit that “Pass.txt” was very intelligent password.

Copy the list of usernames into a file , save it as username.txt. Make another copy of the username.txt , delete all usernames and add Pass.txt and also Good_job_:). Save it as password.txt.

From nmap scan, we know that SSH port was open. We need to know what is the username and password for SSH.

Let us use HYDRA and brute force the username and password text files on SSH.

# hydra -L Downloads/username.txt -P Downloads/password.txt ssh://<Target Machine IP>

With the above-extracted credential, made successful SSH login and spawned tty shell victim’s machine.

Need to escalate root privilege.

At the shell prompt type sudo -l and you will get a message

“Sorry, user overflow may not run sudo on troll”

Steady the shell with the following command

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

export TERM=xterm-256color

Use whoami and the ID command to find out who the curent user is and privileges.

Find out the version of the linux running using the following command and strangely you can note that the session gets closed automatically.

The connection keeps getting terminated after set of time ~5 minutes. I quickly downloaded the linpeas.sh to the target machine. You need to navigate to tmp folder so that you do not face any permission issues while transferring the linpeash.sh exploit from the attacker machine.

Set permission for linpeas.sh (chmod +x linpeas.sh)

run # ./linpeas.sh > peas.log

After completion quickly transfer the file to the attacker machine. There is a script which removes all the files from tmp. You need to be very quick in trasferring the peas.log so that in the attacke machine you can look at possible exploits to get root shell.

Let us analyse the peas.log.

You can find there is a .py file which runs the script and clear the files from tmp folder. If you quickly look at the crontlog you can the job is schduled to run every 2 minutes.

Add the following line for every 2 minutes interval:
*/2 * * * * /path/to/your/script-or-program

Let us look into cleaner.py script

The script clears the tmp folder files. Let us check it out. create a file test1.txt.

Wait for theq script to run and you can find that test1.txt is removed.

We need to modify the cleaner.py script to get root access.

Use VIM/NANO editor , add the following lines under try block

os.system(‘cp /bin/dash /tmp/dash’)

os.system(‘chmod 4755 /tmp/dash’)

You can aslo try the following command

os.system('cp /bin/sh /tmp/sh') 
os.system('chmod 4755 /tmp/sh')

Comment out the rest within the try block

# os.system(‘rm -r /tmp/* ‘)

Wait for few minutes for the script to run ~that is 2 min.

Go to the initial prompt type : /tmp/dash


type /tmp/dash as shown

cat proof.txt and you get the flag

Quite a challenge, but very satisfying. Since it times out every 5 minutes we need to be very quick in getting the shell and the flag.