Categories

Archives

CTF Challenges

Hack the Defense Space VM (CTF Challenge)

Defense VM is made by Silex Secure team. This VM is designed to honor and pay respects to the military of Nigeria and the soldiers who stood up against the terrorist attack. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. You can download it from https://www.vulnhub.com/entry/defence-space-ctf-2017,179/

Are you ready for the challenge soldier? The first step to attack is to identify the target. So, identify your target. To identify the target we will use the following command:

netdiscover

Now that you have identified your target (mine is 192.168.1.17) you will need to acquire it and declare your victory.  In order to acquire it we will need a plan to enter our enemy. To let us search for all the doors, closed or not. And for that let’s fire up the nmap.

nmap -p- -A 192.168.1.17

Our search has led us to the result that Port nos. 21, 80,443, 2225 is open with the services of FTP, HTTP, HTTPS, SSH respectively. As the port 80 is open we can open our target IP in the browser.

But there is no hint or what-so-ever in there. But as this based on military aspects the hint could be camouflaged. Therefore let’s check the source code.

And yes!! We have found the flag 0 although it is coded base64. Upon decoding it will become netdiscover.

As the source is unknown territory, I inspected more and found that there was a directory which proved to be very useful: assests/lafiya.js

Open the said directory in the browser and check its source code. In the source code, you will find flag 1 which will be in hex.

Upon converting hex you will uncover flag 2 in an MD5 form.

When you convert MD5 value to its original, it will be nmap as shown in the image below.

The second flag was nmap that means there is something the nmap that we missed. And upon reviewing it I remembered that SSH service was open on the port 2225. And so I accessed it with the following command.

ssh 192.168.1.17 -p 2225

And there we have it our flag 2B in an MD5 value. Let’s convert it.

Our flag 2B is encrypted. That means there is something related to encryption and security. Now the best way to provide security to a website is through its security certificate. Let’s check it out.

Now, upon examining the certificate, you will find your third flag and a hint i.e [39 39 30].

Firstly, decode the flag which will be unit. Now if you decode it anywhere you will not get a result. And I did searched and searched again but couldn’t get it to decode. So I visited the author’s walkthrough and there it says that it is translated the unit. And therefore I used the unit in my walkthrough.

The combination of 3, 9, 0 will be the suffix of the word unit. But there is a lot of combination for it so let’s create those combinations with the help of crunch with the command:

crunch 3 3 390

We will get 27 possible combinations and so make a text file for dictionary attack and add the word ‘unit’ as a prefix to every combination. Now let’s use dirb to find anything related to unit and these combinations.

dirb http://192.168.1.17 /root/Desktop/dict.txt

To our joy there is a directory that goes by unit990. Let’s open it in our browser without further delay.

We do not have credentials for logging in. So, I checked it source code instead. In the source code, you will find flag 4 in a base64 code.

Decode the flag and you will get admin.php

After finding the flag, I opened the directory in the browser.

Opening the previously found directory in the browser will show the same page but its source code is edited. As you will check it, you will find that flag 5 again in base64 code.

By decoding flag 5 you will get SQL injection. That means the next step should be SQL injection.

Now, this hint is just to throw us off our track. I used every SQL injection technique I could find but it didn’t help. So I used dirb on the target.

dirb http://192.168.1.17

I found a directory called assets. And opened it in the browser and found the 7th flag.

Now try and decode it widgets.

Now you can try and decode it but it’s hopeless to decode it anywhere online. So examined the dirb result more and found another directory called phpmyadmin

If you open this directory in the browser you will find a login page. I used the top 10 most commonly used password and username i.e root and root and got in. In the database, I found a silex table. Now silex is the team’s name so I guess this is the most important table.

Upon checking it, I found the admin and in admin, there was our 6th flag coded in base64

Upon decoding, it says Nigiarforcecloud.

And voila!! All our flags are uncovered. Good work soldiers. Solving this VM was good exercise and I salute the fallen Nigerian soldiers and wish them peace and praise the whole army.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here