Hello friends!! Today we are going to take another
boot2root challenge known as KFIOFan. This lab is design in French language and
involve Geographical coordinates factor of France to Begin this CTF where you
have to find 4 flags by using your web penetration testing skill because this
machine is vulnerable to SQL.
Official Description : Two french people want to start the very first
fanclub of the youtuber Khaos Farbauti Ibn Oblivion. But they're not very
security aware ! (IMPORTANT NOTE : The whole challenge is in french, including
server conf. Which may add to the difficulty if you are non-native or using a
non-azerty keyboard)
You can download this VM here.
Penetration Methodology
Network Scanning
§ Open
port and Running Service (Nmap)
Enumeration
§
Abusing Http service for obtaining Credential
§
Use robot.txt for first flag
Exploit
§
Exploiting SQL vulnerability
§ Obtain SSH RSA_Key
§ SSH Login
§ Catch another flag
Privilege
Escalation
§ Check Sudo rights
§ Spwan root access
§ Capture the last flag
Walkthrough
Network Scanning
Let’s start off with scanning
the network to find our target.
nmap -A 192.168.1.105
So from nmap we found two ports (22, 80) are open in the
target’s machine, therefore let’s navigate to port 80 in the browser.
Enumeration
On exploring port 80, we notice it required authentication
but we don’t know that. Moreover there was a text message (This site says: “48.416667 -0.916667”) which was
pointing towards some Geographical coordinates.
When we canceled the authentication page, we saw a message
in French language which was saying “Let
me guess Bob, did you lose your password again? LOL”. Here we considered Bob as authorized username.
On searching 48.416667 -0.916667 coordinates in Google
map, we get the location “Levaré”
which could be the possible password for user Bob.
Hmmmm!! So our prediction was true and we successfully
bypass HTTP authentication using Bob:
Levaré
Note: Well this was not that much easier because on
reboot this machine the Geo coordinates gets changed and you will get the
password accordingly.
Luckily, on exploring /robot.txt,
I found our first flag randomly which was in French language and again I
translate it here:
FLAG1: Congratulations you found the first flag!
(Yes I know you're hoping for a clue but at least you have the right reflexes!)
As officially describe above “Two french people want to start the very first fanclub of the youtuber”
and from the given web page we can easily read the name of that two people
(Alice and Bob) are usernames.
Exploit
Again I translate the whole text of this web page and
conclude user “Alice” holds some very crucial information or any important file
such as SSH key.
A link on Khaosearch brings me on the search form for the
CTF author's YouTube channel, without wasting time I check for sql injection by
injecting following query:
raj" union
select 1,2;#
Lol J
! It was vulnerable to SQL injections, let’s exploit quickly.
With the help of following query we try to all table and
column names from inside the database.
raj" union
select table_name, column_name from information_schema.columns;#
I stumped when I saw an entry for SSH_Key, then I decided to
check it, as it seems the most exciting.
I found another link as Alice when inject following query to
check ssh_key
raj" union
select * from ssh_keys;
Alice was holding Private SSH_Key which should be open
properly, therefore I visit source code of this page here.
Then copy the RSA Key from -----BEGIN RSA PRIVATE KEY-----
to -----END RSA
PRIVATE KEY----- and past in a text file as “id_rsa” then set permission 600
for proper authentication.
chmod 600 id_rsa
Privilege Escalation
Now then connect to ssh using above key and run following
command:
ssh
alice@192.168.1.105 -i id_rsa
ls
cat flag3.txt
So we have successfully connected to ssh and found 3rd
flag also.
FLAG 3:
Congratulations for coming here. This shows that you master very well the
essential concepts! One last little effort and the root is yours!
For finding 4th flag we need to escalate root
privilege, let’s identify sudo rights for alice with the help of following command.
sudo -l
Hmmm!! So here alice can run awk as root without using
password and we can easily spawn root shell by exploit this permission
sudo awk 'BEGIN
{system("/bin/bash")}'
ls
cat flag4.txt
FLAG 4: COMPLETE!
Congratulations to you for coming here: the machine is yours, its survival or
destruction is now entirely based on your ethics. Good luck Hacker!
Note: On
rebooting this VM machine the Geo coordinates get changed each time which will
also affect password and SSH key and you get new password and SSH_key each
time.
0 comments:
Post a Comment