Capture the flag (CTF)

FINDING MY FRIEND: 1 VulnHub CTF Walkthrough - Part 1

LetsPen Test
February 28, 2022 by
LetsPen Test

As per the description given by the author, there are four flags in this CTF that needs to capture to complete the challenge. Pre-requisites would be knowledge of Linux commands and the ability to run some basic penetration testing tools. 

  • I have provided a downloadable URL for this CTF, so you can download the OVA file of the machine and run it on VirtualBox or VMWare. The torrent downloadable URL is also available for this VM; it has been added in the reference section of this article. You can download it here: https://download.vulnhub.com/findingmyfriend/FindingMyFriend.ova 

Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The Steps

  1. Getting the IP address with the Netdiscover utility
  2. Identifying open ports and services 
  3. Exploiting the web application through HTTP port
  4. Logging into the FTP port
  5. Extracting Hidden Data from an Image file

So, as we have all the information that we need to start. Let us get started with the challenge. 

The walkthrough

Step 1

We started the CTF by exporting the OVA file into the Virtual Box. When the virtual machine is started, it shows the machine's IP Address, which can be seen in the following screenshot. [CLICK IMAGES TO ENLARGE]

We tried to ping the IP Address, but it was not accessible. So, we ran the Netdiscover command to identify the IP Address of the virtual machine. In the screenshot given below, we can see that we have run the Netdiscover command, which gives us the list of all the available IP addresses. It can be seen in the following screenshot.

Command used: << netdiscover >>

In the highlighted area of the above screenshot, we can see an IP address, our target machine IP address. The target machine IP address is 192.168.1.18, and I will be using 192.168.1.29 as the attacker's IP address.

Note: The target machine IP address may be different in your case, as the network DHCP is assigning it.

Step 2

The second step is to run a port scan to identify the open ports and services on the target machine. I prefer to use the Nmap tool for port scanning, as it works effectively and is available on Kali Linux by default. In the highlighted area of the following screenshot, we can see the Nmap command, which is used to scan the ports on our target machine. The identified open ports can also be seen in the screenshot given below:

Command Used: << nmap 192.168.1.10 -p- -sV >>

In the Nmap Command, we used '-sV' option for version enumeration to identify the details about the running services. We used the '-p-'to start a full port scan, it guides Nmap to conduct the scan on all available 65535 ports. By default, Nmap conducts the scan only on known 1024 ports. So, it is very important to conduct the full port scan during the Pentest or solve a CTF exercise to generate maximum results. 

The output of the Nmap command shows that three open ports have been identified as Open in the full port scan. Port 80 is being used for the HTTP service, and ports 22 and 21 are being used for the SSH and FTP service, respectively. So, in the next step, we will start solving the CTF with Port 80.

Step 3

Let us start the CTF by exploring the HTTP port. We opened the target machine IP address in the browser and found the below homepage.

As we can see, there is not much to be explored on the homepage. So, we decided to run a file enumeration scan using an automated file enumeration scanner. We used the Dirb tool as it is a default utility in Kali Linux. The scan command and results can be seen in the following screenshot. 

Command Used: << dirb http://192.168.1.18/ >>

The Dirb scan identified a few directories on the target machine, exploring further. We also identified a directory listing enabled on the target machine. Let us open the directory '/friend/' on the browser, seen below. 

We found another web page, but there is no other functionality to be explored. Let us check the page's HTML source code to find further clues. The HTML source code of the page can be seen below. 

We checked the page's HTML source code and found a hidden string in the comments. The identified String is given below for reference – 

NjMgNjEgNzAgNzQgNzUgNzIgNjUgM2EgNjggNzUgNmUgNzQgNjkgNmUgNjc=

By looking at the encrypted string, we identify that it has been encrypted using the base 64 encryption. As we are already aware, numerous ways are used to decrypt the string. We used the echo command to decrypt the string using the base 64 encryption. 

Command used: 

<< echo "NjMgNjEgNzAgNzQgNzUgNzIgNjUgM2EgNjggNzUgNmUgNzQgNjkgNmUgNjc=" | base64 -d >>

The result was not clear text. It seemed to be encoded into Hex form. So, this time we used the burp decoder to convert the string into clear text.

We used the ASCII HEX decoder to convert it into the string. The clear text identified can be seen below. 

capture: hunting

Step 4

The FTP and SSH ports have been identified as open during the port scan so let us use the above credentials on these ports. First, we used these credentials on the SSH port, but it did not work. When we used these credentials on the FTP port, the login was successful. 

Command used: << ftp 192.168.1.18 >>

As we can see, we have logged into the target machine through the FTP service. After logging in, we used the 'ls' command to check the current directory contents. We found four files in the current directory. Let us download these files on our attacker machine for further analysis. 

Command used:

  • << get flag1.txt /tmp/flag1.txt >>
  • << get getme /tmp/getme >>
  • << get note.txt /tmp/note.txt >>
  • << get .get.jpg /tmp/.get.jpg >>

Using the get command, we downloaded the files in the 'tmp' directory on our attacker machine. Let us read the files one by one to check the contents. 

Command Used: << get flag1.txt >>

We used the cat command to read all the files. We found the first flag named 'flag1.txt', which can be seen in the above screenshot. The second file had a hint message stating an image file that should be opened for further clues. Then we used the file command to see the file type. The output of the file command shows that it is an image file. 

Step 5

This step will extract the hidden information from the image file, which was identified in the last step. We will use the 'steghide' tool for this purpose, which is available in Kali Linux. Steghide is a type of stenography program used to hide information in various image and audio format files. The Steghide command and results can be seen in the following screenshot. 

Command used: << steghide --extract -sf .get.jpg >>

The command returned an error message which mentions that the image file is password protected. We need to identify the passphrase to read the hidden data. We can use another stenography program known as StegCracker, which helps crack the password-protected image and audio format files. It uses brute force capabilities to extract the passphrase from the image files. The results of the stegcracker command can be seen in the screenshot below. 

Command used: << stegcracker .get.jpg /usr/share/wordlists/rockyou.txt >>

We started the StegCracker scan on the '.get.jpg' image file. We used the default wordlist 'rockyou.txt' to brute force the passphrase. After some time, the tool was able to identify the password which is given below for reference- 

Password: pollito 

As we have the required passphrase, let us again run the steghide utility on the image file to extract the hidden data. 

Command used: << steghide –extract -sf .get.jpg >>

We provided the identified passphrase when prompted by the system, and this time the file extraction was completed successfully. The data was copied into a file named 'abcd.txt.' We opened the file using the cat command and found an encoded string consisting only of special characters. We need to identify the clear-text data to use it somewhere on the target machine. We decided to search the string on Google for better understanding. The Google search results can be seen below. 

As seen in the above screenshot, we identified that the encoded string is a Morse code. Morse code is a method that is used to encode text using only a few special symbols. This method is popularly used in telecommunications. There were a few Morse code translators available in the search results. We used one of the translators to convert the Morse code into clear text, which can be seen below. 

The identified clear-text data is given below for reference- 

JOHN:BOOGIEWOOGIE

These seem to be login credentials, which can be used on the target machine. 

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Since we already know the SSH port is also available, we will try to log into the target machine through the SSH port in the next part of the CTF. We will find the rest of the flag files and learn to gain root access to the target machine. 

Until then, I encourage you to try to finish this CTF! There are enough hints given in the above steps.

 

Sources: 

LetsPen Test
LetsPen Test