
Lab - Capture the Flag Walkthrough – Toppo

Overview

In this lab, you will be shown how to gain root access to a virtual machine designed as a
Capture the Flag (CTF) exercise. This CTF is rated as easy. These walk-throughs are designed
so students can learn by emulating the technical guidelines used in conducting an actual real-
world pentest using as few automated tools as possible.

Caveat

For this machine, I used Oracle Virtual Box to run the target machine. Kali Linux is the
attacker machine for solving this CTF.

The Toppo OVA file can be downloaded here.

CTF Description

Difficulty: Easy

Flags: There is one flag

DHCP: Enabled
IP Address: Automatically assigned

Footprinting

Though the IP address of the target is shown on the login screen when the machine boots
up, it is always good practice to do your own network discovery.

My target has an IP address of 192.168.0.30, and my Kali has an IP address of 192.168.0.31.


These addresses apply to my network; yours will probably differ.

Command used: netdiscover -i eth0

We next need to find out what ports and services are available. For this purpose, we can do a
full Nmap port scan.

Command used: nmap 192.168.0.31 -v -Pn -p-

The scan returns the following results showing the target has four open ports.

Let’s begin by looking at what is available for port 80.

We open a browser, and in the address bar, we only need to type in the IP address of the target
and are given the home page for the website.

The webpage has nothing of use. Time to break out Dirb.

Command used: dirb http://192.168.0.31

After some time, dirb found some directories, and from the results we have an admin directory,
which would be my first choice of where to start looking. We just need to copy the URL and place
it in the address bar of our browser.

Inside the admin directory, we have a notes.txt file.

If we append the name of the file to our URL, we can see its contents.

We have a password with a name in it! The target is running SSH, and we now have a possible
username and password combination.

Command used: ssh ted@192.168.0.31

Post Exploitation

Now that we have logged onto the server, it is time to escalate to root. Let's first see if the OS
version is vulnerable.

Commands used:
uname -a
cat /etc/issue

Using searchsploit, we discover there are no known vulnerabilities for this version of
Debian 3.16.51-3.

Using the following command, we can enumerate all binaries that have the SUID permission set.

SUID is a special permission for executable files which lets other users run the file with
the effective permissions of the file owner. Instead of the normal x that represents execute
permission, you will see an s (indicating SUID) in the owner's execute position.

Command used: find / -perm -u=s -type f 2>/dev/null

There are two binaries we can exploit. We have mawk, and we have python 2.7.

Option #1 - mawk

mawk is an interpreter for the AWK Programming Language. The AWK language is useful for
the manipulation of data files, text retrieval and processing, and for prototyping and
experimenting with algorithms.

Using the following command with mawk gets us a root shell.

Command used: mawk 'BEGIN {system("/bin/sh")}'

Change directory over to root.

Command used: cd /root

List the contents of the root directory.

Command used: ls

Print the contents of flag.txt to the screen.

Command used: cat flag.txt

Option #2 - Python 2.7

Using Python 2.7, we can also gain root access and capture the flag using the following
commands:

python2.7 -c 'import pty;pty.spawn("/bin/sh")'
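The SUID enumeration step above is also the defender's check: the two binaries that made this box trivial to root are interpreters carrying the SUID bit. The following script is an added example (not part of the original walkthrough) that walks a tree the way `find / -perm -u=s -type f` does, flags SUID interpreters and shells, and compares the rest against a baseline of expected SUID files; the RISKY_NAMES list and the temp-directory fixture are constructed for the example.

```python
"""Constructed example: audit a directory tree for SUID binaries and flag
interpreters (mawk, python, ...) that an unprivileged user could abuse."""
import os
import stat
import tempfile

# Interpreters and shells that must never carry the SUID bit (assumed list)
RISKY_NAMES = {"mawk", "gawk", "awk", "python", "python2", "python2.7",
               "python3", "perl", "ruby", "sh", "bash", "vim", "find"}


def classify(path, mode, baseline):
    """Return 'RISKY', 'UNEXPECTED', 'OK' or None for one file's st_mode."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None                      # not a SUID regular file
    name = os.path.basename(path)
    if name in RISKY_NAMES:
        return "RISKY"                   # interpreter: direct path to a root shell
    return "OK" if path in baseline else "UNEXPECTED"


def audit_tree(root, baseline):
    """Walk root (like `find / -perm -u=s -type f`) and report SUID files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                mode = os.lstat(p).st_mode   # lstat: do not follow symlinks
            except OSError:
                continue                     # permission denied etc.
            verdict = classify(p, mode, baseline)
            if verdict:
                findings.append((verdict, p))
    return sorted(findings)


def make_fixture():
    """Temp tree imitating the target: SUID mawk and python2.7, a legit SUID ping."""
    t = tempfile.mkdtemp()
    d = os.path.join(t, "usr", "bin")
    os.makedirs(d)
    for b in ("mawk", "python2.7", "ping", "ls"):
        open(os.path.join(d, b), "w").close()
        os.chmod(os.path.join(d, b), 0o755)
    for b in ("mawk", "python2.7", "ping"):
        os.chmod(os.path.join(d, b), 0o4755)   # set the SUID bit
    return t, {os.path.join(d, "ping")}        # ping is in the baseline


if __name__ == "__main__":
    root, baseline = make_fixture()
    for verdict, path in audit_tree(root, baseline):
        print(verdict, path)
```

Run against `/` with a baseline captured from a freshly installed system, any RISKY or UNEXPECTED line is a finding worth investigating.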

Summary

We captured this flag in short order. This CTF was easy, but it certainly was fun. In this CTF, you
learned the following methodology.

• Network scanning
• Directory brute-force attack
• Abusing HTTP web directories
• Compromise of confidential information (a plaintext password)
• Spawn tty shell (ssh login)
• SUID privilege escalation
• Get root access and capture the flag

Regards

Prof. k
