Name: HackathonCTF: 1
URL: https://www.vulnhub.com/entry/hackathonctf-1,591/
Release Date: 27 Oct 2020
Author: somu sen
Difficulty Stated: N/A
Difficulty I found: Easy
OS used: KaliLinux 2020.3
Things you can learn from this VM: Enumeration, SSH brute force, file command linux, fcrackzip, bash history, rabbit hole, base64 decoding, privilege escalation via sudo, CVE 2019-14287
Nmap is the first step, identified SSH running on port 7223.
Next, ran gobuster and found some HTML pages.
Read the source code of “sudo.html” and found potential username to be “test“.
Ran medusa for SSH bruteforce and found jordan23 to be the valid password.
SSH into the server as test user. Found 02 rabbit holes. 1st one was a RAR file in /var directory, copied it to my local Kali box. This file was actually a password protected ZIP file (used file command to identify its a ZIP file not RAR), it contained a empty hint.txt.
Renamed the rar file & used fcrackzip to crack the ZIP file.
Hint.txt being an empty file.
Ran linpeas script and found test user is having .bash_history (which contains the history of all the command typed by test user, so opened this file). Identified a potential password in /media/floppy/media/imp path, used this for ctf and root user but it was the 2nd rabbit hole.
Ran sudo -l command & re-read the .bash_history file.
Finally switched to root user with command: sudo -u#-1 /bin/bash (I found it in bash history first and later realized this sudo is vulnerable ^_^). The vulnerability is of sudo version — CVE 2019-14287; you can read it here.
Research Blog 