I'm back and going to attempt another beginner-friendly CTF. This time I decided on one called Basic Pentesting: 1 from VulnHub.
Goal: gain root access on the victim machine.
This time I didn't use a bridged connection. I used a host-only network so my VMs are not visible from the outside network. I turned on both my attacking VM (Kali Linux) and the victim VM (Basic Pentesting: 1). Once both had loaded I had a look at the victim VM. This is what I observed at the login screen.
Things to consider:
- There are two usernames that we can see: marlinspike and a guest session.
- It is running Ubuntu 16.04 LTS.
- The top left-hand corner shows the title vtcsec.
Probing further, I logged on to the guest session without any password. I couldn't find anything interesting. I assume that since this is only a guest account, it wouldn't have any privileged access.
Firstly, I need to find out the IP address. There are two ways I could do this. Since I was on the victim machine as guest, I entered ifconfig and obtained the IP address 192.168.56.4. I also ran netdiscover -r 192.168.56.0/24, which is the subnet of my host-only adapter, and it yielded the same result.
The next step is to find out which ports are open on 192.168.56.4. I entered the command nmap -sV -sC -oA nmap 192.168.56.4 on my attacking VM (Kali Linux). The -sV flag asks nmap for service versions, -sC runs the default scripts, and -oA nmap writes the results in all three formats (nmap.nmap, nmap.gnmap, nmap.xml).
Top: results of netdiscover. Bottom: nmap command.
Let's see what the nmap results gave us by typing cat nmap.nmap.
- 21/FTP is open. Something interesting is the banner ProFTPD 1.3.3c. I didn't know what this was, so I googled it. ProFTPD is an open-source FTP server, and this particular version has a known backdoor with a ready-made Metasploit module. This is something I can use! (https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor)
- 22/SSH is open.
- 80/HTTP is open. This means I am able to access 192.168.56.4 through a web browser.
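Reading the service list out of the scan files is worth scripting, because nmap.gnmap (one of the three files -oA writes) is built for exactly that. The helper below is an added example and not part of the original post; the scan line it writes is constructed to mirror the three ports this page reports (21 ftp ProFTPD 1.3.3c, 22 ssh, 80 http), with the ssh and http version fields left empty because the post does not quote them. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: parse the grepable output
# that `nmap -oA nmap` writes to nmap.gnmap, list the open ports with
# their service/version strings, and flag the ProFTPD 1.3.3c banner.

write_sample_gnmap() {
    # Write a constructed nmap.gnmap to the path in $1.
    # Real gnmap lines are tab-separated: Host / Ports / Ignored State.
    printf 'Host: 192.168.56.4 ()\tStatus: Up\n' > "$1"
    printf 'Host: 192.168.56.4 ()\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.3c/, 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (997)\n' >> "$1"
}

list_open_ports() {
    # Print "port/proto service [version]" for every open port in a .gnmap file.
    # Each Ports: entry has the form port/state/proto/owner/service/rpcinfo/version/.
    awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entry, /, /)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] != "open") continue
                    v = f[7]
                    if (v != "") v = " " v
                    printf "%s/%s %s%s\n", f[1], f[3], f[5], v
                }
            }
        }' "$1"
}

flag_proftpd_133c() {
    # Print a pointer to the Metasploit module when the backdoored
    # ProFTPD 1.3.3c banner is present; return 1 otherwise so the
    # function can gate a larger script.
    if list_open_ports "$1" | grep -q 'ProFTPD 1\.3\.3c'; then
        echo "ProFTPD 1.3.3c seen on 21/ftp: try exploit/unix/ftp/proftpd_133c_backdoor"
        return 0
    fi
    return 1
}

# Against a real scan: list_open_ports nmap.gnmap; flag_proftpd_133c nmap.gnmap
```

The version field is where banner-based checks like this live, so any future scan of the same box (or a different one) can be run through the same two functions instead of reading nmap.nmap by eye.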
21/FTP — FIRST TRY
Firstly, I'm going to see if I can log on to this and find anything. To do this, I enter the command ftp 192.168.56.4.
This prompted for the root password, which I don't know and would need to figure out. I'm going to scratch this and find another way.
21/FTP —SECOND TRY
Researching ProFTPD, I discovered that there was a vulnerability I can exploit. I will use msfconsole to get into the Metasploit Framework and search for proftpd to see if the exploit I am looking for is there. I am looking for exploit/unix/ftp/proftpd_133c_backdoor, as mentioned on the site I researched.
METASPLOIT — SEARCHING FOR FTP
I entered the command msfconsole. Then I entered search proftpd. Once the results appeared I found the exploit I was looking for. I then typed use exploit/unix/ftp/proftpd_133c_backdoor.
To begin the exploit, I need to set the parameters. To do this, I typed show options. Then I entered the details required: I typed set RHOST 192.168.56.4 because this is the remote host. Once done, I typed exploit.
This is good! Looks like the exploit has completed. Now I have a session open.
After doing a bit of research, I found I need a proper terminal to be able to navigate with bash. To do this, I typed python -c 'import pty; pty.spawn("/bin/bash")'. This uses Python's pty module to spawn bash under a pseudo-terminal, so the raw shell from the session behaves like an interactive one. This took me a while to find out as I did not know what the next steps were.
That was easy! After spawning the interactive shell, I had successfully gained ROOT access on my second CTF! Really happy and excited about this one!
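The one-liner above assumes a python binary exists on the target, which is true on Ubuntu 16.04 but not on every box. The helper below is an added example, not code from the original post: it picks whichever interpreter the target actually has and prints the matching spawn command, and it prints the follow-up steps that turn the spawned shell into a fully usable terminal (tab completion, Ctrl-C surviving, correct screen size). The interpreter list and the `script` fallback are my own assumptions about what a typical target ships.

```shell
#!/bin/sh
# Added example, not from the original post: upgrade a raw reverse shell
# to a proper TTY. Run pty_spawn_command on the target to find out what
# to type; run tty_fixup_commands on the attacker to get the remaining
# steps sized for the local terminal.

pty_spawn_command() {
    # Print a command that spawns /bin/bash under a pseudo-terminal using
    # the first interpreter found on PATH; return 1 if none is available.
    for interp in python3 python python2; do
        if command -v "$interp" >/dev/null 2>&1; then
            printf "%s -c 'import pty; pty.spawn(\"/bin/bash\")'\n" "$interp"
            return 0
        fi
    done
    # util-linux `script` is a common fallback when no python is installed.
    if command -v script >/dev/null 2>&1; then
        printf 'script -qc /bin/bash /dev/null\n'
        return 0
    fi
    return 1
}

tty_fixup_commands() {
    # After the spawn: press Ctrl-Z to background the session, type the
    # first line on the attacker, then the second line inside the target
    # shell. Size defaults to 24x80 when there is no local terminal.
    rows=24; cols=80
    if size=$(stty size 2>/dev/null); then
        rows=${size% *}; cols=${size#* }
    fi
    printf 'stty raw -echo; fg\n'
    printf 'export TERM=xterm; stty rows %s cols %s\n' "$rows" "$cols"
}
```

`stty raw -echo` stops the attacker's terminal from interpreting keystrokes itself, which is what lets Ctrl-C reach the target's shell instead of killing the Metasploit session.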
LESSONS LEARNED (FTP)
- I didn't know what to do after obtaining the reverse shell, so this took a bit of time. However, I will be keeping the python one-liner in my back pocket for future CTFs as it was helpful.
- I did not explore the other two open ports (SSH/HTTP), so I will complete this next. As you know, there are many ways to gain root access.
I was interested in learning more about this VM, so I dug deeper. Firstly, I wanted to test marlinspike's password to see if it was anything easy such as Password123. After a couple of tries, I managed to get in by typing his username, marlinspike, as the password. If I were to suggest something, I would highly suggest the creator set a more difficult password.
After guessing this password, I tested SSH by typing ssh email@example.com -p 22.
I then ran sudo -i and entered the same password to obtain root.