CTF - Bsides Vancouver 2018

Home Blog


I’ve been doing some research to see which CTF VM’s I can start off with as I am a complete beginner. I came across BSides Vancouver 2018 which is beginner friendly.

OBJECTIVE

TThe aim of this exercise is to gain ROOT access and capture the flag. ROOT access is privileged access, which means an attacker can potentially do anything on the victim machine. This is the ultimate end goal of any attacker. In this exercise, there is a .txt file within the /root folder of the Victim VM that I need to obtain. To obtain the contents of the file, there are challenges along the way that I need to complete and figure out by exploiting security flaws on the Victim VM.


PREPARING

After setting up my hypervisor with Kali Linux and the Victim VM running parallel, I managed to get it all started and running using my bridged connection which will obtain an IP through DHCP. Lets get cracking!
Fired both of it at the same time and first thing is first, I always run tmux just to make everything nice and organised. If you guys don’t know what tmux is, its basically a terminal multiplexer. I can run multiple terminals in the same window as well as different shell sessions. I also created a folder just so I can organise things properly (root/Documents/CTFS).

RECONNAISSANCE

I need to find out the IP address of the Victim machine. I completed this by scanning my subnet of -r 192.168.1.0/24, in which -r indicates the range. In preparation, I knew that my Kali box has an IP of 192.168.1.116 (ifconfig), as a result the IP address of the victim box is 192.168.1.113. I came to this conclusion because I am familiar with the other devices that correlates to the IP addresses within my network at home.

So now I know the IP address is 192.168.1.113, I need to find out what ports are used and which are currently opened so I can see what methods of attack I can attempt. I used nmap -sV -sC -oA nmap 192.168.1.113. I have named the file nmap so we can have a look at the contents later.

Once this has been completed, I cat the file to see the results of the scan.

 

Important information obtained

  1. 21/tcp open — FTP is open to Anonymous allowing logins. This is something I will be trying first, so lets keep that in the pocket.
  2. 22/tcp open — SSH protocol is open with Open SSH. Something that is also notable is that it is using a Debian Ubuntu 1.10
  3. 80/tcp open — HTTP protocol is open. This is good for me because I can see what website this resolves to. Something also interesting is /backup_wordpress which is a page within the site. Another note to take into consideration is that it is running Apache 2.2.222

1.3 21/FTP

From the results of nmap, lets see what I can do with FTP. I know that it’s a file transfer protocol to transfer files from one machine to another. I am able to log on as anonymous with no password. I used ftp 192.168.1.113, entered the username anonymous and I’m in!! This is easy!

Next step, I want to see what files are within this FTP server, so lets do an ls to list the files. I saw that there was a folder called public. I use cd public and used ls -ahl to list all hidden files which are human readable. A file called users.txt.bk was present! Im going to get it!!

To obtain this, I didn’t know how to transfer it to my machine, so I had to do a bit of google and I found out I could use the get command (doh). I typed in get users.txt.bk. Looks like it’s done.

Lets see what is within the file that I obtained from the FTP session. I used cat users.txt.bk. Something that is interesting is that it gives me a list of 5 different users. Are these users logins for the Victim machine? Are they logins for the WordPress Site? Interesting.. Well I don’t think I can do anything else with FTP, lets go onto our next findings.

2.3 22/SSH

From the results of nmap, lets see what I can do with SSH. We have 5 different usernames, however I have no passwords for any of them. Firstly lets see if I can I am allowed to SSH with the usernames I have obtained. Interesting.. Why am I prompted with a password for only anne but not the rest? I’m going to park this protocol on the side for now and revisit this. I may need to brute force against a wordlist to obtain the passwords.

I have googled the error message permission denied (public key) and there are a number of things that could cause this. I’ll need to look into this later.

3.3 80/HTTP

From the results of nmap I will be having a look at the HTTP protocol. I went into a web browser and browsed to http://192.168.1.113. I also queried http://192.168.1.113/backup_wordpress and http://192.168.1.113/backup_wordpress/wp-admin

The reason why tried /backup_wordpress/wp-admin is because usually wordpress websites have this preset as a default for their admin logins, so I decided to try it. All three screenshots are below. In reality, going to these websites didn’t really give me anything. What I leared is that there is a word press site that is located at /backup_wordpress. There is also an administrator login page and finally, I could see that there are two users name John and Admin.

SUMMARY OF INFORMATION GATHERED

  1. FTP — This has given me 5 usernames that I can use. I will need to obtain the password through bruteforce attack
  2. SSH — I know that SSH is opened so I can use one of the 5 usernames when I obtain their passwords. I have tested the usernames against the SSH and only anne has prompted with a password.
  3. HTTP — I learned that backup_wordpress is the wordpress site, there are 2 Users when browsing around called John and Admin. This doesn’t necessarily mean that John and Admin are user accounts for the Victim machine, it just means that both of these users have accounts to publish content within the WordPress site.

ENUMERATE

The next step is to see what vulnerabilities the wordpress site has by querying the wpscan command. WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues. I also want to confirm the 2 users that I saw when I browsed to the wordpress site earlier(Admin and John) I issue the command wpscan -url http://192.168.1.113/backup_word press -enumerate u. Something which is awesome is that this tool confirmed that there are two users (admin and john) that have accounts on the WordPress site. It also gives us a bunch of information as to what vulnerabilities the wordpress site has.

BRUTEFORCE — WPSCAN

Yay! Now the fun part! I can confirm that there are two user accounts on the WordPress site. I’ll have to perform a bruteforce attack on one of the names. To be honest, I had to do some googling and a lot of trial and error.. After a couple of hours, I found out I can use the same command to complete this against a pre-defined word list of my choosing.

wpscan — url http://192.168.1.113/backup_wordpress — wordlist /usr/share/wordlists/nmap.lst — username john

This means that I am issuing the wpscan command on the url. I am using the wordlist option and pointing this to my directory which houses the dictionary file called nmap.lst. This will be actioned against the username John. Its going to take about 14 minutes, so I’m going to take a break and make a coffee.

I managed to get the password for john!!! The password is enigma. I might do this for anne (Remember the FTP file) as well because I was able to obtain an SSH password prompt. Actually, that wont work because this command (wpscan) queries the url, in which anne is not a username for the website.. Grrrr.. think, Cuong!

HURDLES

I am unsure where to go from here. What I have found so far is a username and password. However when I jump onto the victims machine, and enter john/enigma, this does not work. This will not work because the username and password is for the WordPress site. I opened the url of http://192.168.1.113/backup_wordpress and able to log in with john/enigma. Browsing this website doesn’t give me anything interesting.

login for wordpress john/enigma

I also know that the 5 usernames that I have found in the FTP section, only anne gives me a prompt. My next logical step is to bruteforce this username using hydra.

BRUTEFORCE — HYDRA

After a lot of tinkering and trial and error on my environment, I found the correct command to use. I had to google quiet some time as I have never used this command before.

hydra -l anne -P /usr/share/wordlists/nmap.lst ssh://192.168.1.113

This means that I will be running the hydra command with the (-l) login name of anne. -P is the pathway/directory in which the wordlist is stored. The wordlist nmap.lst will be used (this is a word list I have used previously to obtain johns password). I will also target the ssh URL of 192.168.1.113.

This did not work! Instead, I will use a different word list which is in the /usr/share/wordlists directory. This word list is called rockyou.txt

hydra -l anne -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.113

nmap.lst wordlist on the left | rockyou.txt wordlist on the right

YES GOT IT!!!! Password is princess (lol). This is so exciting!! Now I have annes password, I should be able to gain access to the Victim Machine!! LETS GOOOO

ACCESS GRANTED!!!

Now to get root, I’m definitely going to try sudo -i. I then cat flag.txt

WOOO HOOOO!! I completed my first ever CTF!!! Im so proud!!

LESSONS LEARNED

This took me more than 2 days to complete as I am an absolute beginner. There were definitely frustrations on my behalf, mainly because I don’t know what steps to take next and the tools to use. What should I be looking for after nmap? How do I do a brute force attack on a user name? Which wordlists should I be using? It was mainly my lack of knowledge on the Kali linux tools. But hopefully, as I complete more, I will be more familiar with them.