1 Walkthrough
Overview
This Capture the Flag exercise is rated Beginner/Intermediate. In the scenario, the Milburg
Highschool server was compromised, and the school's Windows server was replaced with a
Linux server. Your job is to find as many attack vectors as you can and read the flag
located in the root directory of the new Linux server.
Administration
For this CTF, I created a directory on my desktop called bob. I'll be doing all my work inside
this directory.
Enumeration
The first thing we need to do is find the target. For this, we can use netdiscover.
netdiscover -r 192.168.0.0/24
© 2018 syberoffense.com All Rights Reserved
I identify my target as 192.168.0.27. We can now run an Nmap scan of the target.
Nmap found two services, HTTP and SSH, and some interesting files.
We run dirb and nikto to see if anything pops up. Both provide the same results.
dirb http://192.168.0.27
nikto -h 192.168.0.27
HTTP is the low-hanging fruit and possibly our best source for an attack vector. As with all web
servers, robots.txt is always of interest: it lists the pages the site owner does not want search
engines to index, which often points straight at content meant to stay out of sight.
192.168.0.27/lat_memo.html
http://192.168.0.27/passwords.html
The next page is the dev_shell.php page. This is going to be our attack vector. Enumerate the
page and check out the source code.
There is a blacklist: commands like ls, pwd, cat and nc are blocked. Nothing we can't work
around. We can replace ls with find, echo, dir, and cat. There are also other ways to chain
commands than using a semicolon.
The double ampersand (&&), a pipe (|) or a double pipe (||) can all be used to execute a
second command. For instance, we can use the echo command with && to execute the id
command.
echo && id
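To make the weakness of that blacklist concrete, here is an added example (not the CTF's own dev_shell.php, and the filter is a hypothetical reconstruction of the check the walkthrough describes) that models a substring blacklist, flags the separators it ignores, and shows an allowlist that never hands user text to a shell:

```python
import subprocess
from typing import List, Optional

# Banned words as the walkthrough lists them (assumed to be matched as substrings).
BANNED = ("ls", "pwd", "cat", "nc")


def blacklist_allows(cmd: str) -> bool:
    """The weak check: reject only when a banned word appears anywhere in the string."""
    return not any(word in cmd for word in BANNED)


def shell_separators(cmd: str) -> List[str]:
    """Detection aid: report the command separators a word blacklist does not look at."""
    return [sep for sep in ("&&", "||", "|", ";", "`", "$(") if sep in cmd]


# Allowlist: the client names an action, the server owns the argv. Anything that is
# not a key here is refused, so "echo && id" has no string to smuggle anything into.
ALLOWED = {
    "whoami": ["whoami"],
    "uptime": ["uptime"],
}


def allowlist_run(action: str) -> Optional[str]:
    """Run only a named action; returns None for anything that is not on the list."""
    argv = ALLOWED.get(action)
    if argv is None:
        return None
    try:
        # argv list with shell=False: no shell parses the text, so && | ; are inert.
        return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return "error: command not installed"


if __name__ == "__main__":
    for attempt in ("ls -la", "echo && id", "locate flag", "find . -maxdepth 1"):
        print(f"{attempt!r:22} blacklist allows={blacklist_allows(attempt)}"
              f" separators={shell_separators(attempt)}")
    print(allowlist_run("echo && id"))  # None: not a named action
```

Note that the blacklist also rejects the harmless "locate flag" because it contains "cat", while letting "echo && id" straight through: substring blacklists produce both false positives and bypasses, which is why the allowlist form is the one to deploy.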
We need to establish a reverse shell, which can be done a few different ways, but simple is
always better. We can use the Metasploit framework and the exploit multi/handler
as a listener for our reverse shell, which we launch with Netcat.
use exploit/multi/handler
Set the payload options. The LHOST will use the IP address of our Kali machine.
show options
I type in the run command, and I have the listener up and running.
Next, we use our tried and true Python code to give us an interactive shell.
Let’s enumerate what we have so far by listing the contents of the shell.
Let's cat out the .hint file.
We know that Bob is the admin for the school, so we should see if we can find his profile. I
go back to the root directory and change location to the home directory. I list the contents and
permissions of the home directory and find the following directories.
I change location over to bob and list the contents.
We have discovered the credentials for two of the four individuals found on the system.
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
The Secret directory is of interest, so I change location over to it and list its contents.
We find another directory named Keep_Out. We change location and list the contents.
We find another directory named Not_Porn. I change directory and list the contents.
We have another directory named No_Lookie_in_Here. I change directory and list the
contents.
(snipped…)
We examine the adminisdumb.txt file.
elliot:theadminisdumb
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
Seb has nothing to offer, so we can return our attention to the notes.sh file.
The first letter of each line spells out the word HARPOCRATES. Harpocrates was the Greek
god of silence, secrets, and confidentiality.
I check to see what sudo permissions bob has.
We can now log in as root using sudo su. Change location to the root directory.
List the contents, find the flag.txt file and view the contents.
Summary
A lot of good stuff going on with this one. The PHP dev page was locked down with a
blacklist of disallowed commands, but we saw how to get around that roadblock. We also
learned how to create yet another reverse shell and upgrade it to a more interactive shell using
Metasploit.