| Capture the Flag (CTF) Challenge | Machine Difficulty: Easy |
Vulnhub is a platform for penetration testing, similar to Rootme and Hack The Box. I solved the challenge called ‘ICA:1’ CTF on Vulnhub and will share the process in this post.
CTF Description
According to information from our intelligence network, ICA is working on a secret project. We need to find out what the project is. Once you have the access information, send them to us. We will place a backdoor to access the system later. You just focus on what the project is. You will probably have to go through several layers of security. The Agency has full confidence that you will successfully complete this mission. Good Luck, Agent!
This works better with VirtualBox rather than VMware.”
boot2root
— begin —
After downloading the virtual machine image, I integrated it into my setup. At the same time, I launched my Kali Linux VM using VirtualBox.
To identify other machines within the same network, we need to perform reconnaissance. We have a few tools at our disposal, such as arp-scan, netdiscover, and nmap, that can help us achieve this. I prefer netdiscover for its ease of use.
After identifying the target IP address, which is 192.168.178.240, our next step is to determine which services are accessible on this system.
If you’re interested in obtaining version and OS details, you can execute a verbose scan to reveal the specific versions of these services and the operating system (OS) in use.
We see three ports open: 22 for SSH service, 80 for the web server, and 3306 for the MySQL server running.
We take a look at the hosted web page by going on a web browser and writing the IP: Port combination on the URL.
We see a login page that is running qdPM 9.2. Then, we searched for a potential security flaw related to password exposure. Although it might have been possible to brute force this login page, we determined that it wasn’t worth investing our time in attempting to exploit it.
We discovered a set of instructions outlining the steps required to exploit the vulnerability. Subsequently, we proceeded to download the file associated with the exposure provided in the ‘50176.txt’ file.
Now, we utilize the credentials from this file to establish a connection with the previously identified open MySQL server.
We are in :) Right away we check the databases and the information we have. After identifying the usernames and login information, we attempted to utilize these usernames and their corresponding encoded passwords to launch a brute-force attack on the SSH service running on port 22.
We decode these MD5 hashes and store them in a file named ‘passwords.txt,’ and similarly, we’ll extract and save their corresponding usernames into a file called ‘user.txt’.
Now, we use the ‘hydra’ tool to bruteforce ssh using our saved password.txt and user.txt files. And upon brute force, we get two hits.
We successfully gained access as Travis, as shown below. After conducting enumeration in Travis’ account, we didn’t come across anything noteworthy. We then proceeded to the next user, Dexter, and authenticated using Dexter’s credentials.
Under the user Dexter, we see a note.txt file, and when we display it, it gives us a hint.
The hint from the note essentially directs us to search for executable files that we can potentially exploit. To do this, we will use a command to identify files that possess both the SUID bit privilege and are owned by the root user.
This command searches the entire file system starting from the root directory (“/”) for files (-type f) with the setuid permission bit set (-perm -4000), which typically indicates they can be executed with the permissions of the file’s owner. For each of these files found, it executes the “ls -la” command to list detailed information about them, and any errors (2>/dev/null) are suppressed.
Basically, it finds and lists files with the setuid bit set, providing information about each file while ignoring any error messages.
Since they execute with the permissions of the file’s owner, this could potentially lead to unintended privilege escalation if wasn’t properly configured.
We see the first directory ‘/opt/get_access’ isn’t a usual directory, so we can take a look into it.
When we run the ‘/opt/get_access’, we get some information as seen below.
Then, trying to inspect the binaries contained within the executable, we utilize the ‘strings’ command. When you run the command ‘strings /opt/get_access’, the results are textual or character sequences embedded within the binary file. These strings could provide insights into the functionality or purpose of the binary and reveal hardcoded values and configuration settings.
We noticed an unusual string highlighted within the system output: ‘cat /root/system_info.’ This command seemed to offer an opportunity for us to try to exploit it. To take advantage of this, our initial step involved creating our own ‘cat’ executable under the ‘tmp’ directory. Following that, we set the ‘PATH’ environment variable to point to ‘/tmp/cat.’ The ‘PATH’ environment variable is crucial as it determines where the shell looks for executable files when a command is entered.
To prioritize the execution of our custom ‘cat’ command, we should make it executable by exporting the PATH to look in the ‘tmp’ directory first. Afterward, we can proceed to execute the ‘/opt/get_access’ command.
And we have obtained a root shell :)) effectively establishing ownership of this system.
— End —
