When venturing into the realm of Capture The Flag (CTF) challenges, it’s often the simpler boxes that impart valuable lessons, especially for newcomers to the world of ethical hacking and cybersecurity. In this blog post, I’ll share my journey through a relatively easy CTF box, highlighting key tactics and techniques that anyone can benefit from.
Insights
Enumeration is Key:
- The process of enumeration, which includes activities like scanning, wordlist generation, and manual inspection, is fundamental in cybersecurity. It uncovers crucial information and vulnerabilities that form the foundation of further exploitation.
Web Application Security Matters:
- Web servers are common attack vectors, and understanding their structure and content is crucial. The blog underscores the importance of thorough web application interaction, from manual inspection to automated scanning and exploiting vulnerabilities like SQL injection.
Perseverance and Curiosity:
- Ethical hacking often involves solving puzzles and navigating through cleverly designed challenges. The blog demonstrates the value of patience, determination, and curiosity. Cybersecurity professionals must keep exploring, even when faced with cryptic clues or seemingly dead-ends.
Initial Reconnaissance
My journey began with a fundamental but crucial step: performing an Nmap scan on the target. Keep in mind that I always export the target IP address as the $IP variable to keep the commands shorter.
└─$ nmap $IP -p- -sC -sV --open
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a7e5fd1f7c8a7ce77f595217d5c66d1 (RSA)
| 256 526c4350efaba823ad00a264480c531c (ECDSA)
|_ 256 d21622c87c18f34c304b6c0d3c26d2eb (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The scan revealed that ports 80 and 22 were open, giving me a starting point for further investigation. With a web server running, I ran both a Nikto scan:
Nikto
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.11.121
+ Target Hostname: 10.10.11.121
+ Target Port: 80
+ Start Time: 2023-11-01 15:51:32 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /login.php: Admin login page/section found.
and a Gobuster scan:
└─$ gobuster dir --url http://$IP --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.121
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/11/01 15:51:44 Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 313] [--> http://10.10.11.121/assets/]
/server-status (Status: 403) [Size: 300]
Progress: 220560 / 220561 (100.00%)
Manual Inspection
While automated scans provide valuable insights, manual inspection of the web server is equally essential. Web servers often serve as prominent attack vectors, making it important to grasp their structure and content. In this case, inspecting the source code paid off. I stumbled upon a comment that revealed the username as “R1ckRul3s.” It’s a small discovery but a reminder that sometimes, the most valuable clues are right in front of you.
Directory Enumeration
The results from Gobuster and Nikto scans led me to two intriguing paths: an “assets” page and a “login.php” page. The “assets” directory contained images found during the web server crawl. While my scans continued, I decided to explore the images, engaging in a bit of steganography to uncover hidden information. Regrettably, my efforts yielded no results.
Wordlist Generation
At this point, I expanded my reconnaissance by employing “cewl” to generate a wordlist from all the discovered pages, including “robots.txt,” a file often used by webmasters to communicate with web crawlers.
cewl $IP > passwords.txt
Web Application Interaction
The “login.php” page presented me with a typical login form. I started with the basics, attempting “admin/admin” for the login credentials, followed by some SQL injection (SQLi) attempts. I then captured a login request in Burp Suite, a versatile tool for web application security testing. Armed with the captured request, I turned to “hydra” and the wordlist generated from “cewl” to launch a brute force attack.
└─$ hydra -l R1ckRul3s -P rmwordlist $IP http-post-form "/login.php:username=^USER^&password=^PASS^&sub=Login:Invalid username"
[80][http-post-form] host: 10.10.11.121 login: R1ckRul3s password: Wubbalubbadubdub
Success! The password was found in the “robots.txt” file, and the username was tucked away in developer comments on the main page.
Command Execution
With access to the system, I moved on to the command execution phase. I began with simple commands like “whoami” and “ls,” which led me to the first flag right in the main directory.
Continuing my exploration, I utilized basic enumeration commands, ultimately landing in the home directory where I uncovered the second flag.
A glimmer of hope emerged when I explored the new command page. Notably, I noticed another developer comment:
Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0==
I promptly recognized this as a potential clue, and my curiosity led me to apply Base64 decoding to unveil its contents. To my amusement, the decoded message was still encoded in Base64, leading me down a digital rabbit hole. I diligently applied Base64 decoding iteratively until the final message was revealed:
rabbit hole
While this turned out to be a clever riddle, it wasn’t our true flag. The journey was filled with such twists and turns, underscoring the importance of patience and perseverance in the world of ethical hacking and CTFs.
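As an added example (not code from the original post), here is a Python decoder that peels such nested Base64 layers automatically, using the clue quoted above as input. One intermediate layer of this clue is missing its "=" padding, which Python's base64 module rejects by default, so the script normalises padding before every decode and stops as soon as a layer is no longer Base64 text.

```python
import base64
import binascii
import re

# The nested clue quoted in the post above (its stray trailing "=" included,
# so the padding repair below gets exercised).
CLUE = ("Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZN"
        "akExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0==")

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+$")


def repair_padding(s: str) -> str:
    """Drop whatever '=' the text carries and append the correct amount."""
    data = s.strip().rstrip("=")
    return data + "=" * (-len(data) % 4)


def looks_like_base64(s: str) -> bool:
    data = s.strip().rstrip("=")
    # Valid Base64 never has exactly one character left over a multiple of four.
    return bool(B64_ALPHABET.match(data)) and len(data) % 4 != 1


def peel(blob: str, max_depth: int = 32) -> tuple[list[str], str]:
    """Decode repeatedly while each result is printable text that is itself Base64.

    Returns (layers, final_text): layers[0] is the input, layers[-1] the
    innermost text. Stops on a non-Base64 layer, undecodable bytes, binary
    output, or max_depth, so a self-referential clue cannot loop forever.
    """
    layers = [blob.strip()]
    while looks_like_base64(layers[-1]) and len(layers) <= max_depth:
        try:
            raw = base64.b64decode(repair_padding(layers[-1]), validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not text.isprintable():
            break
        layers.append(text)
    return layers, layers[-1]


if __name__ == "__main__":
    layers, final = peel(CLUE)
    for depth, layer in enumerate(layers):
        print(f"[{depth}] {layer}")
    print("innermost text:", final)
```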
Reaching for Greater Heights
In the quest to seize the third flag, I attempted to access the “/root/” directory. Unfortunately, I encountered a roadblock as I lacked the necessary privileges for this operation.
A light at the end of the tunnel emerged when I attempted to check my sudo permissions with “sudo -l.”
User www-data may run the following commands on ip-10-10-11-121.eu-west-1.compute.internal:
(ALL) NOPASSWD: ALL
The result indicated “ALL,” suggesting that all I needed to do was run “sudo” and find a suitable command that would grant me access to the coveted file contents.
sudo less /root/3rdFlag.txt
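From the defender's side, the weakness behind this flag is a sudoers rule that hands the web server's service account passwordless root. As an added example (not code from the original post), this Python audit parses sudoers user specifications and ranks any NOPASSWD grant it finds; the sudoers content is a constructed sample and the list of service accounts is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample /etc/sudoers content; the www-data line reproduces the
# "(ALL) NOPASSWD: ALL" privilege that sudo -l reported in the post above.
SAMPLE_SUDOERS = """
# constructed sample, not a real host's file
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
deploy   ALL=(root) /usr/bin/systemctl restart app
"""

# Assumed set of accounts that should never hold interactive sudo rights.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "backup", "mysql", "postgres"}

# user  host=(runas[:group])  [TAG:]...  comma-separated command list
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class Finding:
    user: str
    severity: str
    reason: str


def audit_sudoers(text: str) -> list[Finding]:
    """Return one Finding per non-root user spec that grants NOPASSWD, ranked by blast radius."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m or m["user"] == "root":
            continue
        runas = (m["runas"] or "root").split(":")[0].strip()
        nopasswd = "NOPASSWD" in m["tags"]
        cmds = [c.strip() for c in m["cmds"].split(",")]
        if nopasswd and "ALL" in cmds and runas in ("ALL", "root"):
            sev = "critical" if m["user"] in SERVICE_ACCOUNTS else "high"
            findings.append(Finding(m["user"], sev, "passwordless root for any command"))
        elif nopasswd:
            findings.append(Finding(m["user"], "medium", "passwordless: " + ", ".join(cmds)))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.severity:8} {f.user:10} {f.reason}")
```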
Summary
In this journey through a relatively easy Capture The Flag (CTF) challenge, we dive into the foundational aspects of ethical hacking and cybersecurity. Initial reconnaissance, powered by Nmap, opens the doors to a web server with crucial information. Manual inspection of the source code reveals a valuable username, while directory enumeration uncovers promising paths. Wordlist generation broadens the scope, and web application interaction yields success with a brute force attack. The command execution phase unveils flags hidden in the system, and clever developer hints add intrigue. A twist involving Base64 encoding demonstrates the importance of patience and determination. Ultimately, the third flag falls to a sudo misconfiguration that lets the web server account run any command as root without a password. This CTF adventure offers vital insights into enumeration, web interaction, and perseverance, making it a valuable lesson for both newcomers and seasoned professionals in the cybersecurity field.