Hack the Sidney VM (CTF Challenge)

Today we will take up a boot2root challenge by Nightmares. We will work on Sidney: 0.2 made by Nightmares.This is the third challenge he genially came up with. The VM is set to grab a DHCP lease on boot. As before, gaining root is not the end of this VM. You will need to snag the flag. You can download this VM from –> https://www.vulnhub.com/entry/sidney-02,149/

Breaching Methodolgies:

Network Scanning (Nmap, netdiscover)

Information gathering:

  • web server enumeration (view source)
  • Directory brute-force (dirb)
  • Wikipedia

Generate own Dictionary (crunch)

Login into admin console

Generate PHP Backdoor (Msfvenom)

Upload and execute a backdoor

Reverse connection (Metasploit)

Kernel privilege escalation (Metasploit)

Gain root access

Penetrate for flag.zip

Access Ram and finished the task

First things we need to know what IP did the VM got. So naturally scan the network using:

netdiscover

Now that we have located our target IP i.e. 192.168.1.103, our next step is to scan it.

Upon scanning we know that port number 80 is open that means this IP will open in the browser so let us try and do that.

Then we decided to look into its page source.

So we opened it in the browser (192.168.1.103/commorode64) and to our luck we found another page.

As you will read the page source you will come to know that username is robhubbard and going further you will find some hints about the password i.e. :

  • the password is in lowercase
  • password has 3 letters and four digits
  • and it is related to c=64 sound chip

Then we run dirb for web directory brute-force attack and here it has shown so many directories. But I was interested in index.php and decide to explore it.

So we opened it and as you can see it is asking for username and password. Now, we already know what is the username, we just have to find the password.

Getting the above hints about password, we firstly decided to look up c=64 sound chip on wikipedia. And we found:

We knew that password’s first three digits are alphabetic letters and so our best guess is MOS are the first three digits of the password.

Now everything falls on the last four digits of the password and finds that we used crunch command.

Crunch will generate your dictionary file.

And then apply dictionary attack using Burp Suite and then it will result in showing you the password as shown below:

Now on the index.php page enter the username and password. Following page will open and on this page you have to upload a malicious php file.

Entering the password you will logon to the following page:

Now to generate the said php open the terminal in your Kali and type:

Simultaneously start multi handler inside metasploit framework.

Copy the code from <?php to die() and save it in a file with .php extension. Now upload this file by browsing it on the webpage.

Meanwhile, return to the Metasploit terminal and wait for the metepreter session by exploiting multi handler.

From given below image you can observe Meterpreter session 1. But task is not finished yet, still we need to penetrate more for privilege escalation.

By executing sysinfo we came to know about the target’s architecture i.e. kernel 4.4; and with help of this we found metasploit exploit for kernel privilege escalation. Further type following command:   

And it will give 2nd meterpreter session with root privilege, now let’s get into root directory and capture the flag.

It gave us hint.gif file, let’s download it.

So when we opened hint.gif it has shown below image and I was unable to take-out hint from their conversation.

Further I execute following command:

Here is flag.zip file let’s download it on our desktop with help of following command:

We will apply dictionary attack using rockyou.txt so for this the command is:

And yes, at last you have the password. So now unzip the flag.zip by typing:

unzip flag.zip

Then it will ask you the password. Enter the recently obtained password here.

And YAY!!!!! We have captured the Flag!!! Enjoy with it.

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

Related Posts Plugin for WordPress, Blogger...

Leave a Reply

Your email address will not be published. Required fields are marked *