Hello guys, this post is a guide for newbies on how to do a CTF. The box can be downloaded from Vulnhub: VM Image HACKER KID: 1.0.1. This is my first time trying a challenge in a CTF environment.
Description: This box is OSCP style and focused on enumeration with easy exploitation. The goal is to get root. No guessing or heavy bruteforce is required and proper hints are given at each step to move ahead.
The steps: a summary of the steps required to solve this CTF:
- Getting the target machine IP address by using arp-scan
- Getting open port details by using the Nmap Tool
- Identifying vulnerability in running application
- Running brute forcing on parameter value
- Enumerating subdomains
So let's get started with this challenge!
Step 1: ARP Scan Tool
The very first step in solving any CTF (that I've learnt from YouTube) is to identify the target machine's IP address. The Vulnhub box runs in a virtual machine on the same network as my attacker machine (NAT configuration), so the arp-scan tool is used for this purpose. The output of the command can be seen in the following screenshot.
So our target machine's IP address is 192.168.61.129 (yours will be different). My attacker's IP address (Kali Linux) is 192.168.61.131.
Step 2: NMap Discovery Tool
We need to find the open ports and services available on the machine, and Nmap is a great tool for this. The results can be seen in the following screenshot.
The ‘-sV’ option is for version enumeration, and I also used the ‘-p-’ option for a full port scan. It is important to run a full port scan, whether in a pentest or a CTF, so that no services are missed.
Step 3: Enumeration
I opened the target machine's IP address in the browser (HTTP, port 80). The server's response can be seen below.
Based on the hint, I understand that there are other pages that can be accessed through the GET parameter “page_no”. So I know that I need to fuzz that parameter in order to reach the next hint, and I use Burp Suite’s Intruder to do the job.
When I visited the link, it showed a new hint at the bottom of the page.
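From the defender's side, the Intruder run in this step leaves an obvious trace in the web server log: one client cycling a single GET parameter through many values in a few seconds. The following is an added example (not part of the original post) that parses constructed Apache combined-format log lines, flags any client that enumerated a given parameter past a threshold, and reports which values produced a response of a different size than the rest, the usual sign of a hit; the IPs and byte counts are made up.

```python
"""Spot a client cycling one GET parameter (e.g. Burp Intruder on page_no) in Apache combined logs."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines; the single 1024-byte response stands in for the page with the hint.
SAMPLE_LOG = """\
192.168.61.131 - - [10/Jan/2024:10:00:01 +0000] "GET /?page_no=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.61.131 - - [10/Jan/2024:10:00:01 +0000] "GET /?page_no=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.61.131 - - [10/Jan/2024:10:00:02 +0000] "GET /?page_no=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.61.131 - - [10/Jan/2024:10:00:02 +0000] "GET /?page_no=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.61.131 - - [10/Jan/2024:10:00:03 +0000] "GET /?page_no=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.61.131 - - [10/Jan/2024:10:00:03 +0000] "GET /?page_no=17 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.61.50 - - [10/Jan/2024:10:00:05 +0000] "GET /?page_no=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.61.50 - - [10/Jan/2024:10:01:05 +0000] "GET /?page_no=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "path": parts.path, "query": parse_qs(parts.query),
            "status": int(m.group("status")), "size": m.group("size")}

def find_param_fuzzing(log_text, param, threshold=5):
    """Map (client ip, path) -> {"count", "hits"} for clients that sent at least `threshold`
    distinct values of `param`. "hits" lists the values whose response size differed from
    the most common size for that client, i.e. the requests that found something."""
    seen = defaultdict(dict)  # (ip, path) -> {param value: response size}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and param in rec["query"]:
            for value in rec["query"][param]:
                seen[(rec["ip"], rec["path"])][value] = rec["size"]
    alerts = {}
    for key, values in seen.items():
        if len(values) >= threshold:
            sizes = list(values.values())
            baseline = max(set(sizes), key=sizes.count)  # the "nothing here" response size
            alerts[key] = {"count": len(values),
                           "hits": sorted(v for v, s in values.items() if s != baseline)}
    return alerts
```

Feed it a real access log with `find_param_fuzzing(open("access.log").read(), "page_no")`; the size-based hit detection is a heuristic and will miss hits when every page is padded to the same length.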
Step 4: Adding Subdomain into hosts file
First, I need to add the subdomain to my ‘/etc/hosts’ file so that the browser knows the subdomain belongs to the target machine’s IP address.
It seems there is one more subdomain available on the target application: ‘hackerkid.blackhat.local’.
The same step is used to access the target application in the browser: echo the entry into the '/etc/hosts' file.
After accessing the new subdomain, it pointed to a different application that has a form/signup feature in it.
If I click the 'Register' button while intercepting it from Burp Suite, I see that the POST body is in XML format.
Using Burp Suite's Repeater, I sent this payload to inject XXE. The injection was successful.
A common practice in CTF challenges is to explore the bash files inside the home directory. There is a user named "saket", but the '.bashrc' file cannot simply be opened directly; I need to use a PHP wrapper to retrieve its content base64-encoded. The payload is shown below.
A username and password are shown at the end of the file. These credentials are useful: based on my earlier enumeration, the target has another open port, 9999. It is a Python web application with a sign-in feature, but I don't have a screenshot to share, so I will just show what happened after I entered the credentials.
The Nmap scan result shows that the server on port 9999 is running Tornado, a Python web framework. The hint on this page asks for my name, so I guess that there is a GET parameter “name” which I can fuzz.
It returned exactly what I entered in the parameter, so the next step is to try a Server Side Template Injection (SSTI) payload.
Reference: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#tornado-python
This means that I can inject a more advanced payload, such as a reverse shell, since there is an exploit available for Tornado.
Step 6: Reverse Shell
Let's start by opening a netcat listener on my attacker machine.
Next, I use Burp Suite's Decoder to URL-encode this payload.
Step 7: Root Privilege Escalation
The last part is getting root access on this target machine. I need to check the capabilities of the binaries on the machine with the command /sbin/getcap -r / 2>/dev/null
The result is shown above. Python 2.7 has the cap_sys_ptrace capability, for which an exploit is available on the internet; it will allow me to get a root shell.
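The getcap check above is also the audit a defender should run on their own hosts, because an interpreter carrying cap_sys_ptrace is equivalent to root for anyone who can execute it. The following is an added example (not from the original post) that parses getcap output in both libcap formats (the older `path = caps+ep` and the newer `path caps=ep`), flags the capabilities that amount to root, and explains why; the sample output is constructed, and the list of dangerous capabilities is my own selection, not an exhaustive one.

```python
"""Flag file capabilities that let a local user become root (e.g. python2.7 with cap_sys_ptrace)."""
import re
import sys

# Capabilities that are effectively root when granted to an interpreter or any
# binary an unprivileged user can run with arguments of their choosing (my selection).
DANGEROUS = {
    "cap_sys_ptrace": "attach to and inject into root-owned processes",
    "cap_sys_admin": "broad kernel administration (mounts, namespaces)",
    "cap_setuid": "switch to UID 0",
    "cap_dac_override": "bypass file permission checks",
    "cap_dac_read_search": "read any file, e.g. /etc/shadow",
}

# Both libcap output styles: "path = caps+ep" (older) and "path caps=ep" (2.41 and later).
OLD_STYLE = re.compile(r"^(?P<path>\S+) = (?P<caps>\S+)$")
NEW_STYLE = re.compile(r"^(?P<path>\S+) (?P<caps>\S+[+=]\S*)$")

# Constructed sample of `getcap -r / 2>/dev/null`, mixing both styles.
SAMPLE_GETCAP = """\
/usr/bin/python2.7 = cap_sys_ptrace+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/lib/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

def parse_getcap_line(line):
    """Return (path, [capability names], flag letters such as 'ep') or None for unparseable lines."""
    line = line.strip()
    m = OLD_STYLE.match(line) or NEW_STYLE.match(line)
    if not m:
        return None
    names, _, flags = re.split(r"([+=])", m.group("caps"), maxsplit=1)
    return m.group("path"), [n.lower() for n in names.split(",") if n], flags

def audit(getcap_text):
    """One finding per binary holding any DANGEROUS capability, with the reason it matters."""
    findings = []
    for line in getcap_text.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        bad = [c for c in caps if c in DANGEROUS]
        if bad:
            findings.append({"path": path, "caps": bad, "flags": flags,
                             "why": "; ".join(DANGEROUS[c] for c in bad)})
    return findings

if __name__ == "__main__":  # usage: getcap -r / 2>/dev/null | python3 audit_caps.py
    for f in audit(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCAP):
        print(f"{f['path']}: {', '.join(f['caps'])} ({f['flags']}) -> {f['why']}")
```

The fix for a finding is `setcap -r <path>` (or giving the capability to a purpose-built wrapper rather than a general interpreter), after which the audit should come back empty.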
Next, I need to identify a root process running on this target machine.
Before that, I need to download a Python process-injection script. This must be done from the target machine's shell.
I verify the injection by dumping socket statistics (ss -tnlp). It shows that port 5600 is now listening for a bind shell.
The challenge is successfully done at this point.
Another way to escalate to root privilege is by spawning a Python shell on the target machine itself.
python3 -c 'import pty;pty.spawn("/bin/bash");'
That is the end of this challenge.
I hope my sharing is beneficial to others, and I welcome any recommendations/suggestions to improve my pentesting skills.
Thank you!