A beginner level easy Capture The Flag(CTF) that challenges beginners to solve variety of tasks using available tools and hacking into a server to steal data. In this post, a course task from HackerU : RED Team Pentester, I will show the steps followed to get the flag.
Basic Checks to be performed before attacking the machine.
1.Power on the Target Machine and make a note of the IP address.
2.Start your Kali Virtual Machine.
3.Connect to TRY HACK ME OPEN VPN
Let’s start with nmap scan
-A: aggressivescan :basically it runs scripts for common things so you can better understand what you can find useful and what is useless.
sV : version detection:great for searching exploits related to that version of the running services
Pn:Treat all hosts as online:skip host discovery
sC: equivalent to script=default
You can type “ man nmap “ view summary options.
# nmap -A -sCV -Pn <Target Machine IP>
Discovered three (3) open ports. FTP, SSH and HTTP running on Operating System Linux.
FTP Port is “Anonymous” login.
Let us enumerate the server with gobuster directory search.
gobuster resulted in the following directories :
Open the url in the browser.
# <Target Machine IP>/secret
Only an Image is loaded and nothing avaialble in the page source code.
FTP to the machine and you’ll find the “lol.pcap” file.
# ftp <Target Machine IP>
Provide the anonymous username and password. Once the login is successful , type # dir and you will find the lol.pcap file. Download to your kali attacker machine and analyse it using wireshark.
In the FTP prompt type # get lol.pcap
Once the transfer is successful, go to attacker Kali terminal and check if the file is avaialble.
Open wireshark and open the pcap file. Sort by protocol and understand what are the contents and if something catches your attention.
Wireshark · Display Filter Reference: File Transfer Protocol (FTP)
Display Filter Reference: File Transfer Protocol (FTP)
Display Filter Reference: File Transfer Protocol (FTP)www.wireshark.org
You will notice three entries “FTP-DATA”.
Go to wire-shark and apply filter ‘ftp-data”.
After filtering, you can find three(3) entries. Inspect all the entries and in one of the entry , it might be a possible web directory.
Highligth the row, right click and navigate to Follow>TCP Stream.
Let us explore the web directory and figure out what it indicates.
There is a file in the web directory. Download the file. Open terminal and check out the file type.
It is an 32 bit executable and seems a dead end. Use the strings function in linux to figure out the contents. In Malware Analysis , you will use the strings function to view the hard coded values of an executable file.
In the output, if you carefully look at each line item , you will an address which seems to be a directory. I explored the directory and found indeed it gives two sub-directories as shown in the below image.
In one of the folders Good_Luck , you will find a text file with list of usernames. In the other folder, the folder name was this_folder_contains_the_password and inside the directory you will find pass.txt. Could pass.txt be the password or the content inside the pass.txt could be the password. I must admit that “Pass.txt” was very intelligent password.
Copy the list of usernames into a file , save it as username.txt. Make another copy of the username.txt , delete all usernames and add Pass.txt and also Good_job_:). Save it as password.txt.
From nmap scan, we know that SSH port was open. We need to know what is the username and password for SSH.
Let us use HYDRA and brute force the username and password text files on SSH.
With the above-extracted credential, made successful SSH login and spawned tty shell victim’s machine.
Need to escalate root privilege.
At the shell prompt type sudo -l and you will get a message
“Sorry, user overflow may not run sudo on troll”
Steady the shell with the following command
python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
Use whoami and the ID command to find out who the curent user is and privileges.
Find out the version of the linux running using the following command and strangely you can note that the session gets closed automatically.
The connection keeps getting terminated after set of time ~5 minutes. I quickly downloaded the linpeas.sh to the target machine. You need to navigate to tmp folder so that you do not face any permission issues while transferring the linpeash.sh exploit from the attacker machine.
Set permission for linpeas.sh (chmod +x linpeas.sh)
run # ./linpeas.sh > peas.log
After completion quickly transfer the file to the attacker machine. There is a script which removes all the files from tmp. You need to be very quick in trasferring the peas.log so that in the attacke machine you can look at possible exploits to get root shell.
Let us analyse the peas.log.
You can find there is a .py file which runs the script and clear the files from tmp folder. If you quickly look at the crontlog you can the job is schduled to run every 2 minutes.
Add the following line for every 2 minutes interval:
*/2 * * * * /path/to/your/script-or-program
Let us look into cleaner.py script
The script clears the tmp folder files. Let us check it out. create a file test1.txt.
Wait for theq script to run and you can find that test1.txt is removed.
We need to modify the cleaner.py script to get root access.
Use VIM/NANO editor , add the following lines under try block
os.system(‘cp /bin/dash /tmp/dash’)
os.system(‘chmod 4755 /tmp/dash’)
Offensive Security's Exploit Database Archive
Linux/x86 - execve(cp /bin/sh /tmp/sh; chmod +s /tmp/sh) + Null-Free Shellcode (74 bytes).. shellcode exploit for…
You can aslo try the following command
os.system('cp /bin/sh /tmp/sh')
os.system('chmod 4755 /tmp/sh')
Comment out the rest within the try block
# os.system(‘rm -r /tmp/* ‘)
Wait for few minutes for the script to run ~that is 2 min.
Go to the initial prompt type : /tmp/dash
type /tmp/dash as shown
cat proof.txt and you get the flag
Quite a challenge, but very satisfying. Since it times out every 5 minutes we need to be very quick in getting the shell and the flag.