Capture the flag (CTF)

R-TEMIS: 1 VulnHub CTF walkthrough

LetsPen Test
October 21, 2021 by
LetsPen Test

RootNik Labs' capture the flag (CTF) tasks people with collecting two flags and gaining root access. You should have some knowledge of Linux commands and the ability to run some basic pentesting tools. 

 As you may know from previous articles, Vulnhub.com is a platform that provides vulnerable applications/machines to gain practical hands-on experience in the field of information security. You can check my previous articles for more CTF challenges. The torrent downloadable URL is also available for this VM; it's been added in the reference section of this article.

Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The steps

The summary of the steps required in solving this CTF:

  1. Getting the target machine IP address by Netdiscover
  2. Getting open port details by using the Nmap Tool
  3. Enumerating HTTP Port with Dirb and Dirbuster
  4. Decoding the message with Brainfuck Algorithm
  5. Logging in into SSH
  6. Escalating privileges getting the Root

So, now that we have all the information we need, let's get started with the challenge. 

The walkthrough

Step 1

The first step is to find the target machine's IP address. For this, we need to scan the current network for all connected devices and identify the target machine's IP address. We used the Netdiscover tool for this purpose, which is a default utility in Kali Linux. We have downloaded and opened the target machine in a virtual box. [CLICK IMAGES TO ENLARGE]

Command: << netdiscover >>

The scan gave a few IP addresses connected to the network. We have blurred the details of other IP addresses. The target machine IP address can be seen highlighted in the above screenshot.

The target machine IP address is 192.168.1.19 for this CTF. Our attacker machine IP address for this CTF would be 192.168.1.20 (if required).

Please note: The target and attacker machine IP addresses may be different as per your network configuration.

Step 2

Now that we have the target machine IP address, we'll find out the entry points into the target machine. The first step is to find out the open ports and services available on the machine. We ran an Nmap full-port scan on the target machine for this purpose. The Nmap command used and the results of the scan can be seen in the following screenshot.

Command: <<nmap –p- -sV 192.168.1.23>>

Here, we used '-sV' option for version enumeration and '-p-'to initiate a full port scan. The output of the Nmap shows that three open ports have been identified as open in the full port scan. This means that Nmap will include all 65535 ports in the scan. By default, Nmap conducts the scan only on known 1024 ports. So, it is very important to conduct the full port scan during the Pentest or when solving the CTF to get maximum output.

In our case, we have found only three ports used for SSH, HTTP and MySQL services. So, in the next step, we will start analyzing the target machine with the HTTP Port 80.

Step 3

In this step, we will start pentesting the target machine with the HTTP port 80. For this, we opened the target machine IP address on the browser to check the target application being run through this port.

As can be seen above, this is a simple homepage without any functionality. However, there was a 'hint' given at the top right corner of the page. When we clicked on the hint, it took to another page with a long message. The hint message can be seen in the following screenshot.

At first, the message mentions cryptography, where hackers use text files and images to hide secret messages. It also says 'brainfuck,' which is an algorithm to decode messages. There is also mention of symmetric and asymmetric algorithms and the SSH port. We noted the information, but we do not have anything to conclude from this.

We decided to further enumerate the target application for hidden files and directories. We used the Dirb tool for this purpose, which is by default available in Kali Linux. The scan results can be seen below.

Command used: << dirb http://192.168.1.19/ >>

From the above scan results, we can see that directory listing is enabled on the target machine. We checked the identified directories on the browser, but nothing could be found. So, we decided to do a more thorough brute force on the target application to identify hidden files. We started the OWASP Dirbuster tool, which is not as fast as Dirb, but can conduct more deep enumeration. The scan results can be seen below.

As can be seen, highlighted in the above screenshot, we identified a text file with the help of Dirbuster, which was missed by the Dirb tool. Let us open the file on the browser, which can be seen below.

The file 'easy.txt' contains some special characters without anything in plain text. This seems to be related to the hint which was given on the target application.

 

In the next step, we will try to decode the message.

Step 4

As we know, the hint message mentioned the 'brainfuck’ algorithm, so we used an online decoder to decode the text using brainfuck algorithm.

We copied the message on the online website and decoded the message using the brainfuck algorithm. We found that the first section of the message got decoded into plain text, but after that, it still showed unreadable characters. There was some space between the messages, so we decoded the first part and left out the characters given after space. The result can be seen below.

The first half was decoded into clear-text as 'rtemis'. Now, there was no garbage value which means the string was correctly decoded. Let's try to decode second part of the encoded data as follows:

The second part of the string was also successfully decoded using the brainfuck algorithm. We got a clear-text output which is given below for reference:

t@@rb@ss

In the next step, we will utilize this information to further gain access to the target machine.

Step 5

As we know from the hint message, SSH was mentioned along with other details. So, we decided to attempt logging into the SSH port using the identified credentials.

Command used: << ssh rtemis@192.168.1.19 >>

Username: rtemis

Password: t@@rb@ss

In the above command, we can see that we used the credentials to login into the SSH port 7223 with user rtemis. The login was successful, and we are now logged into the target machine as rtemis.

We will explore the target machine as this user and find loopholes to further escalate user privilege.

Command used: << ls -la >>

While exploring various directories and files on the target machine, we found our first user flag in the '/var/www/html/Image' directory. The flag file 'flag1.png' can be seen above.

Step 6

The goal of the CTF is to gain root access to the target machine. Until now, we have gained user access to the target machine and read one user flag. We continued exploring various directories on the target machine and reading every file one by one to find out further clues. During this process, we found some interesting files in another directory, which can be seen below.

Command used: << ls -la >>

In the '/home/somu/.hint/' directory, we found two files names, 'user.txt' and 'pass.txt.' The files contained a list of usernames and passwords which could be used somewhere to exploit the target machine. We decided to brute force into SSH to gain further access.

Command used: << hydra -L user.txt -P pass.txt 192.168.1.19 ssh -s 7223 >>

We used the hydra tool to brute force, which is a default utility in Kali Linux. For this, we first saved the contents of both files on our attacker machine and then used them to brute force into the SSH port. But none of the username or password combinations were successful for SSH login. We do not have any other application to use these credentials for, so we left this information and continued enumerating the target machine as user rtemis.

Command used:

<< uname -a >>

<< cat /etc/issue >>

We identified the operating system and kernel version information using 'uname –a' command. We researched over the web to find a local exploit for these versions, but none would work in our case. We identified some hidden files in the home directory of the user.

Command used: << ls -la >>

As can be seen above, we found a few hidden files and directories in the user 'somu' folder. We started visiting all directories and analyzing all files one by one. After spending some time over this, we found an interesting entry in one of the files, seen below.

Command: << cat .mysql_history >>

In the file' .mysql_history,' we found the username and password for the root user. The username and password can be seen highlighted in the above screenshot. Let's try to login into root using the credentials.

Command used: << su >>

Password: H@ckMe

We used 'su' to switch the current user to root. After that, we entered the identified password, which was successfully accepted. The current user was verified using the 'id' command, which confirmed that we are now logged into the target machine as root. Let's now find the root flag and complete the challenge.

Command used: << cat /root/flag2.txt >>

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The root flag was present in the root directory and was named as 'flag2.txt.'

This completes the challenge as we have gained access to the root user and read both the flag files.

 

Sources

R-temis, Vulnhub 

R-temis, Vulnhub 

R-temis, Vulnhub 

LetsPen Test
LetsPen Test