Hack Acid Reloaded VM (CTF Challenge)

Acid Reloaded is the second VM in the Acid series of Boot2Root CTF exercises. It was created by Avinash Thappa. To capture the flag, we first have to gain root access, which means escalating to administrator privileges.

You can download this VM from: https://www.vulnhub.com/entry/acid-reloaded,127/

WalkThrough

As always, start by finding our target:

netdiscover

This tells us that our target is 192.168.1.10. Now it is time to scan with nmap.

nmap -p- -A 192.168.1.10

The nmap result shows that only port 22 is open, running SSH. Let’s check out port 22.

ssh 192.168.1.10

Checking out port 22 hints that we should use the port knocking technique.

nmap -r -Pn -p 3,2,1 192.168.1.10

Let’s scan with nmap again.

nmap -p- -A 192.168.1.10

Port knocking helped us open port 33447, on which an HTTP service is running. Now open the target IP in the browser using this port.

A simple webpage opens that tells us to use our brain. Haha! Even the page source did not help. It’s time to use nikto.

nikto -h 192.168.1.10:33447

Nikto reveals that /bin/ might be interesting, as it might have a shell system. There is no harm in checking it out in the browser, so let’s do that.

And it’s a login portal. Now let’s check its page source.

In the page source there is a directory called: includes/validation.php. I decided to check it out.

Alas! I could not find anything on it. So I decided to use DirBuster to find out about directories. In DirBuster, give the URL and, for the wordlist, use the medium 1.0 wordlist.

Then click the Start button and it will start finding directories.

I checked every directory related to bin and only /bin/dashboard.php was useful. When I opened it in the browser, I found nothing useful, so I looked into the page source, and even that proved not to be useful.

When nothing helped, I decided to capture its cookies using BurpSuite. To capture the cookies using BurpSuite, set the proxy, turn on interception and then simply reload the page. When the cookies are captured, just add the following below the Host header.

Referer: http://192.168.1.10:33447/bin/includes/validation.php

As soon as you hit the Forward button, it will automatically log in.
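The added header is enough because the access check evidently depends on the Referer value, which the client fully controls. The sketch below is an added example, not code from the VM or from the original post: `weak_gate` is an assumed model of such a check, and `login`, `session_user`, `hardened_gate` and the session store are hypothetical names showing authorization bound to server-issued session state instead.

```python
import secrets

# Referer value taken from the walkthrough; everything else here is constructed.
TRUSTED_REFERER = "http://192.168.1.10:33447/bin/includes/validation.php"

SESSIONS = {}  # server-side store: session token -> username


def login(username):
    """Issue an unguessable token; call only after credentials are verified."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def weak_gate(headers):
    """Assumed model of the flaw: access decided by a client-supplied header."""
    return headers.get("Referer") == TRUSTED_REFERER


def session_user(headers):
    """Return the user bound to the session cookie, or None. Referer is ignored."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in SESSIONS:
            return SESSIONS[value]
    return None


def hardened_gate(headers):
    """Authorize only on state the server created itself."""
    return session_user(headers) is not None


if __name__ == "__main__":
    # Constructed requests: one carries only the Referer header, one a real session.
    forged = {"Host": "192.168.1.10:33447", "Referer": TRUSTED_REFERER}
    legit = {"Host": "192.168.1.10:33447", "Cookie": "session=" + login("demo")}
    for label, req in (("referer only", forged), ("valid session", legit)):
        print(label, "weak:", weak_gate(req), "hardened:", hardened_gate(req))
```
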

On the page it says to click and when you do that it will redirect to the following page.

There was nothing on the redirected page or its page source. So I decided to use SQLMap.

sqlmap -u "192.168.1.10:33447/bin/l33t_haxor.php?id=1" --dbs --tamper=space2comment

It shows us the name of the table, i.e. UB3R/strcpy.exe.

Now I have the name of the table, so I decided to open it in the URL.

When I opened it in the browser, a dialogue box opened and asked to save a file, and so I did. I then used the foremost tool to learn a bit about the file.

Foremost is a forensic tool used to recover files based on their headers and footers.

foremost strcpy.exe

As soon as you run the above command, a folder named output is created. Let’s check out this folder.

cd output/

ls

There is a text file in the folder named audit, which I decided to read with the cat command.

cat audit.txt

There is a .rar which I decided to unrar.

unrar x 00000213.rar

On unpacking, two files are extracted, i.e. acid.txt and lol.jpg. I decided to read acid.txt.

cat acid.txt

This .txt tells us that we are on the right path. So of course I opened lol.jpg next.

exiftool lol.jpg

But I found nothing. So I unzipped it.

unrar e lol.jpg

Unzipping lol.jpg gave me two files again: one was hint.txt and the other Avinash.contact. So I opened hint.txt, which told me to go with Avinash.contact, so I opened that next.

cat Avinash.contact

There was base64 code given in the file along with some random words like avinash, person, etc. So I saved these random words in a text file and decoded the base64 code, which turned out to be NooB@123.

I then applied brute force on SSH using the text file I had just created with the random words, because one of them could be the username and another could be the password. For that, open Metasploit and type:

use auxiliary/scanner/ssh/ssh_login

set user_file /root/Desktop/user.txt

set pass_file /root/Desktop/pass.txt

exploit

And it gave us makke:NooB@123 as username and password respectively. And so I logged in with SSH.

ssh makke@192.168.1.10

Give the password when asked. When I logged in, I checked the kernel’s version and tried to download its exploit, but it didn’t happen. All the options for downloading were blocked, so I started exploring.

So I directly went for /bin.

cd /bin

ls

In /bin, there was a file called overlayfs. This is a famous exploit, so I executed it.

./overlayfs

id

ls -la

And then fortunately there was a flag.txt.

cat flag.txt

Author: Yashika Dhir is a passionate researcher and technical writer at Hacking Articles. She is a hacking enthusiast.