Category: CTFs

Kioptrix: Level 1.1 (#2)

Kioptrix VM image: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

Aim : To get to the root of the machine.

Difficulty Level : Easy

As always, we would start with the initial scan to see the open ports on the target machine. I have shifted from “nmap” to “rustscan” for this initial investigation.

rustscan -a 10.0.2.15 -u 5000
These ports are open on target machine.
Services running.

There is a web-server running on port 80. Also , we should do some vulnerability scan. This time I would use a new tool in my arsenal : “Owasp Zap” .

Owasp Zap is a wonderful tool !

In the alert section we can see:

Running an automated scan on the target ip , we see the machine is vulnerable to an SQL Injection attack. Going to the site in browser and trying the most basic form of SQL injection attack we get a successful login:

SQL Injection will be successful with above input

We get a box saying ping the machine, this turns out to be vulnerable to remote code execution/command injection .

So , my first aim here was to get a reverse shell on this machine, using pentest monkey reverse shell cheatsheet :

we will use port 4567 here , instead of 8080
We Got a reverse shell successfully, but with a low privilege

Our aim now is to escalate our privilege and get root. Let’s get some info about the system and OS version:

we got CentOS version and also Kernel version

We would now look for this exploit online. Luckily we got one with good reputation:

see the kernel and os version :))

So , our main aim here is to execute this piece of code on the target machine. I tried directly downloading this code on the victim machine through wget/curl, but it didn’t worked.

So we will spawn a server , and download on victim machine through that:

WE ARE ROOT. we have accomplished our mission here.

Topics/Command Covered:

i) wget/curl

ii)SQL Injection

iii) uname , cat /proc/version , cat /etc/*release

iv)file sharing with the help of python SimpleHTTPServer

v)Netcat

vi)privilege escalation

TryHackMe : Simple CTF

TryHackMe Room : https://tryhackme.com/room/easyctf

Aim : To get to the root of the machine and read the flag file.

Difficulty Level : Easy

Connect to the TryHackMe network using openvpn:

sudo openvpn /path/to/username.ovpn

Scanning and Enumeration

1. How many services are running under port 1000?

sudo nmap -sV --script vuln -p1-10000 -vv "Target Ip"

we have 3 services running on ports 21, 80 , 2222 . we also have a page “/robots.txt” , though it gives us no useful results .

2 .What is running on the higher port?

From above nmap scan , the service running on highest port(2222) is ssh .

3 . What’s the CVE you’re using against the application?

To answer the above question we need to do some more enumeration. I will use tools such as “nikto” and “gobuster” for this purpose . 

nikto -h "Target IP:
we just get the same “robots.txt” here too

We can enumerate the entire domain and can use directory busting to see if there is any thing of interest .Using “gobuster” :

gobuster dir -u "target_ip" -w wordlists/small.txt -t 200 -x .php -q
we got “/simple”,we should check what is there.

upon visiting the url , “/simple” is a CMS system .we also get a version at the very bottom left hand corner of the page:

CMS Made Simple version 2.2.8

To know about the exploits in this version of CMS Made Simple, let’s see exploit-db .

The answer to our 3rd question, we will use: CVE-2019-9053

4. To what kind of vulnerability is the application vulnerable?

It’s already given in above image, SQL Injection.

Exploitation

5. What’s the password?

Now to crack the password , I should at least have a username to bruteforce against. Since on the target machine ftp port 21 is open, it is wise to see if anonymous login is available or not:

we can use any password in most cases of anonymous login
ftp "target IP"
upon doing successful anonymous login , we have a text file and an Idea of username for the target machine.

Now on trying hydra to crack the password for username “mitch”:

hydra -l mitch -P rockyou.txt ssh://10.10.246.98:2222
woah , we have a password . So this will be the answer for this question.

6. Where can you login with the details obtained?

7. What’s the user flag?

we also have an ssh port at 2222 open , doing ssh using credentials for “mitch“:

ssh mitch@10.10.246.98 -p 2222
The output of last command give us the user flag (ques7), answer to question 6 will be ssh.

8. Is there any other user in the home directory? What’s its name?

ls /home
we have one more user ,this will be the answer .

9 . What can you leverage to spawn a privileged shell?

Now , this question is interesting , we need to check the system privilege for user “mitch” :

sudo -l
so , vim will be used to spawn a privileged shell

10. What’s the root flag?

we have permission to run vim as root , with no password required. Doing a little bit of googling , I got this :

Running this command as root :

sudo vim -c ':!/bin/sh'
Now , we have gained root privilege.

we can now find the root flag by :

ls /root -la
The output of last command give us the root flag!

The Machine has been conquered .

Design a site like this with WordPress.com
Get started