Capture the Flag (CTF) Challenge | Type: boot2root
Vulnhub is a platform offering gamified, vulnerable machines for penetration testing. I solved one of them to gain root access and will detail the process here.
Machine Description
Tr0ll was inspired by the constant trolling of the machines within the OSCP labs. The goal is simple: gain root and get Proof.txt from the /root directory.
Not for the easily frustrated! Fair warning: there are trolls ahead!
Begin
Reconnaissance
First, we familiarize ourselves with our environment. As we’re on the same network as the target, we’ll conduct an Address Resolution Protocol (ARP) scan to identify hosts on our network. If we were not on the same network, we would locate the target’s IP by other methods.
There are different tools for initial reconnaissance.
- Use ‘netdiscover’ for a straightforward scan. A sample command would be:
netdiscover -i [network interface] -r [target IP]
- You can also use the tool ‘hping3’. A sample command is:
hping3 -S -F -w [target IP] -p ++20
- Most of the time ‘nmap’ is the tool that offers the most comprehensive options. It ranges from basic network scans, such as:
nmap -sn [network range]
to detailed vulnerability scanning, for example:
nmap -sS -sV --version-all -O --osscan-guess -A -sC -Pn --script vuln -T5 -p 21,22,80 [target IP] -oA [output path]
- For even more control, you could consider writing a simple ARP tool. This can be done using a library like ‘Scapy’, which lets you craft and modify DHCP, ping (ICMP echo) and ARP packets.
- I prefer
arp-scan -l
due to its ease of use.
In the ‘/usr/share/wireshark’ directory, the ‘manuf’ file maps MAC address prefixes (OUIs) to their manufacturers. We can use these prefixes to disguise ourselves better. Use ‘Wireshark’ and/or online MAC vendor databases to identify a specific vendor’s MAC prefixes. For instance, to find Apple prefixes, you can use the command:
cat /usr/share/wireshark/manuf | grep -i "Apple"
Then, you can disguise your device while scanning with:
arp-scan -l -s [your IP] -S [spoofed MAC]
Using a fake Apple device MAC address, let's do the scan.
We will now attempt to identify which services are accessible and open for communication on the target machine.
Looking at our target and available services more aggressively, we find out that we can FTP anonymously.
We connected to the FTP service and discovered a file named ‘lol.pcap’.
We then transferred the file to our system for analysis in Wireshark. In the meantime, we also performed a directory enumeration. Recall the open HTTP service on port 80? The target is a website that displays a troll message when accessed.
To identify potentially interesting directories, we can use tools like ‘dirb’, ‘wfuzz’ and ‘gobuster’. I prefer ‘gobuster’.
After examining the discovered directories, we found nothing significant, only more troll content.
We then moved back to analyzing the ‘lol.pcap’ file found earlier, this time in Wireshark. As the packets were transmitted via FTP, which sends everything in cleartext, their contents are inspectable and readable. Had they been sent through SFTP, which runs over SSH, we wouldn’t have been able to read them. By following the TCP stream, we discover a message that turns out to be a hint for a directory on the website.
Trying ‘sup3rs3cr3tdirlol’ as a directory, we get a directory listing containing a file. Let’s download it and see what’s up.
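The cleartext-FTP point above, as an added example (my code, not the write-up’s): a minimal libpcap reader that reassembles each TCP direction the way Wireshark’s Follow TCP Stream does and reports FTP logins sent in the clear. It assumes a little-endian pcap with Ethernet framing and builds its own constructed capture rather than reading ‘lol.pcap’.

```python
import struct
from collections import defaultdict

def tcp_segments(pcap):
    """Yield (src, dst, sport, dport, payload) per IPv4/TCP frame of a little-endian Ethernet pcap."""
    off = 24                                         # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                 # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                                 # not TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]                # IHL gives the IP header length
        sport, dport = struct.unpack_from("!HH", tcp)
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        yield src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]   # data offset skips TCP header
def follow_streams(pcap):
    """Concatenate payloads per direction, as Wireshark's Follow TCP Stream does."""
    streams = defaultdict(bytes)
    for src, dst, sport, dport, payload in tcp_segments(pcap):
        streams[(src, sport, dst, dport)] += payload
    return dict(streams)
def cleartext_ftp_logins(pcap):
    """(client, server, username) for each FTP USER command readable in the clear on port 21."""
    hits = []
    for (src, sport, dst, dport), data in follow_streams(pcap).items():
        for line in data.split(b"\r\n"):
            if dport == 21 and line.upper().startswith(b"USER "):
                hits.append((src, dst, line[5:].decode(errors="replace")))
    return hits
def _frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip
def build_pcap(frames):
    """pcap global header (magic, v2.4, snaplen, linktype 1 = Ethernet) plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
# Constructed sample capture (not the page's lol.pcap): an anonymous FTP login in cleartext.
SAMPLE_PCAP = build_pcap([
    _frame("10.0.0.2", "10.0.0.1", 21, 40000, b"220 ftp ready\r\n"),
    _frame("10.0.0.1", "10.0.0.2", 40000, 21, b"USER anonymous\r\n"),
    _frame("10.0.0.1", "10.0.0.2", 40000, 21, b"PASS guest\r\n"),
])
```

Running `cleartext_ftp_logins` over a capture is a quick audit for hosts still authenticating over plain FTP; an SFTP session in the same file contributes only encrypted port-22 bytes and is never reported.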
When we opened the file in ‘vim’, it appeared to be binary nonsense. Switching to a hex editor revealed something intriguing: a hint directing us to find a specific address.
The ‘strings’ command can also be used to list the printable strings inside a binary, which often surfaces hints and paths that help identify opportunities for privilege escalation.
When we came across ‘0x0856BF’, we suspected it might also be a directory. Indeed, upon trying, we discovered a new secret directory.
We located and downloaded two files, ‘which_one_lol.txt’ and ‘Pass.txt’. Upon examining them, their contents displayed:
We attempted to brute force the open SSH service on port 22, identified during our earlier reconnaissance, using the contents of these files as username and password lists. For these attempts, I used the tool ‘hydra’, but ‘medusa’ and ‘msfconsole’ are other options.
The password was the file name itself :D Another troll.
In the next part, we will utilize these credentials to establish an SSH connection to the machine. Our end goal is to navigate through the system and ultimately acquire root (super-user) privileges.