Host & Network Penetration Testing: System-Host Based Attacks CTF 2 (EJPT INE)

Hello, everyone!
Welcome to the second part of our exploration into system-host-based attacks. In this section, we will focus on attacks targeting Linux environments. Linux, being a widely used and robust operating system, is often a target for attackers. Understanding its vulnerabilities is crucial for strengthening system security.

So let’s get started!

Let’s begin with the first question. Both of the initial questions are related to the same host, target1.ine.local.

Q.1 Check the root (‘/’) directory for a file that might hold the key to the first flag on target1.ine.local.

To obtain this flag, we must first gain access to the target’s shell. The next step is to identify the appropriate exploit to use.

We will begin by performing a network scan using Nmap to gather detailed information about the system and potential vulnerabilities.

From the Nmap results, we identified that port 80 is open, and the server version, which is disclosed as 2.4.6 (Unix), has been found. Let's proceed by navigating to the website.

Upon navigating to the website, we observe that it redirects to /browser.cgi. The Shellshock exploit specifically targets the .cgi extension to gain access to a shell.

To verify if the target is vulnerable to Shellshock, we can use Metasploit. We’ll begin by utilizing an auxiliary module designed to check for this vulnerability. The module we’ll use is: scanner/http/apache_mod_cgi_bash_env.

For this module, we need to configure two parameters: the first is RHOSTS, and the second is TARGETURI. After setting these parameters, we simply need to execute the exploit using the run command.

Upon running the check, we find that the website is indeed vulnerable to the Shellshock exploit. Now, let’s proceed by exploiting this vulnerability using another Metasploit module: exploit/multi/http/apache_mod_cgi_bash_env_exec.

Let’s first review the available options to see what we need to properly exploit this vulnerability:

For this exploit, we need to specify three parameters: RHOSTS, TARGETURI, and LHOST. In my case, the default listening IP is set to localhost, but since we don't need a shell on the localhost, we need to update it. To set the LHOST option, open a new terminal and run the ifconfig command to obtain your machine's IP address.

After executing the exploit, we successfully obtain our Meterpreter session. To interact with the shell, simply type the following command: shell

To make the shell more interactive, type the following command: /bin/bash -i

To find our first flag, navigate to the / directory. Then, type ls to list its contents. In this directory, we will find our first flag.

Once you locate the flag, use the cat command to read its content:

FLAG 1: 40669ec194984ac498e6d00bdc36cead

Q.2 In the server’s root directory, there might be something hidden. Explore ‘/opt/apache/htdocs/’ carefully to find the next flag on target1.ine.local.

Navigate to the /opt/apache/htdocs/ directory and type ls to list its contents.

At this point, we didn’t find anything related to the flag. So, the next step is to enumerate the hidden files by running the command ls -la. After doing so, we discovered our next flag.

Use the cat command to read its content.

FLAG 2: 4fdde55feb3d450ebf4ee75d1ac3b6d3

Our next two questions are based on the host target2.ine.local

Q.3 Investigate the user’s home directory and consider using ‘libssh_auth_bypass’ to uncover the flag on target2.ine.local.

As usual, let’s begin by performing an Nmap scan to gather information about the target system.

From the Nmap result, we can see that port 22 is the only open port, and the version disclosed is libssh 0.8.3. Let’s connect to Metasploit and search for any available libssh exploits.

Metasploit has an exploit for this. In the same module, there are both auxiliary scans and the exploit itself. Since we need to exploit it, let’s first check the available options.

For this exploit, we only need to set two parameters: RHOSTS and SPAWN_PTY. In the auxiliary section, we can confirm that it will directly spawn a shell once executed.

After setting the parameters, type exploit to execute the exploit and gain access to the shell.

As the output shows, the session has been created and opened. To verify, type the following command: sessions

To use this session, type sessions -i 2. This will successfully grant us access to the shell.

To find the third flag, we need to enumerate the user’s home directory. First, navigate to the directory using the command cd /home/user, then list the contents with the ls command.

Here, we found our third flag, which is:

FLAG 3: 5846673ee27f4d008b4c0c40c7f3b651

Q.4 The most restricted areas often hold the most valuable secrets. Look into the ‘/root’ directory to find the hidden flag on target2.ine.local.

Let’s attempt to access the root directory, but when we try, it returns a ‘permission denied’ message.

To obtain our last flag, we need to elevate our privileges. As we observed while obtaining the third flag, the user directory contains two additional files: ‘greetings’ and ‘welcome.’ By using the file command, we can confirm that both are binaries. We can utilize these binaries to escalate our privileges.

Let’s check the permissions of these two binaries. We don’t have permission to execute the ‘greetings’ binary, but we are able to execute the ‘welcome’ binary.

Now, let’s execute the ‘welcome’ binary by typing: ./welcome.

Let’s check what is used in the backend when executing the ‘welcome’ binary. To do this, we can type strings welcome.

The strings command is used to extract human-readable text embedded within the binary file. This can help us identify important information such as function names, hardcoded strings, or any other useful data that might assist in privilege escalation or reveal details about how the binary operates.

After examining the output, we discovered that the ‘welcome’ binary uses the ‘greetings’ binary, as shown in the image above.

We can delete the ‘greetings’ file from this folder and create a new ‘greetings’ file containing our custom payload.

Our payload is: cp /bin/bash greetings, which will copy the Bash shell into the 'greetings' binary, allowing us to execute it with elevated privileges.

After making these changes, simply run the ‘welcome’ binary again by typing ./welcome

Now, we have successfully escalated our privileges to root. Our final flag is located in the root directory, so let’s navigate to it.

And here we found our last flag which is:

FLAG 4: 3b090ea80ca34694953e25e6ebb50dd1

Thank you for following along!