mhz_cxf: c1f Vulnhub Walkthrough
CTF’s are a great way to sharpen your axe. As a security enthusiast, this is probably the best way to get some hands-on practice that lends perspective as to how an adversary will exploit a vulnerability and how as an infosec professional we will eliminate that risk or guard against it.
This is a very engaging CTF, it has some aspects of steganography. It gives you the chance to turn those wheels but not so much so that you get frustrated, think of it as somewhere between easy and intermediate level. You can download it from here.
Now, let’s dive in.
Penetration Testing Methodology
- Network Discovery and Scanning
- Using Netdiscover
- Using Nmap
- Directory Bruteforce using dirb
- System Exploration
- Data Exfiltration
- Using SCP
- Using Steghide
- Privilege Escalation
We begin by scanning our network for the target machine using Netdiscover.
The target machine is active on 192.168.1.104. Let’s scan it and see which services are running and which ports are open.
We do an aggressive scan on the target using map.
nmap -p- -A 192.168.1.104
The scan gives us a lot of good and useful information, but what stands out the most is that port 22 and 80 are open, let’s explore port 80 first and see what we can find there.
This does not help much, time to move to the next stage.
Let’s try to bruteforce the directory using dirb and see what we come across. We are using the -X flag to specify that we are looking for .txt formats only.
dirb http://192.168.1.104/ -X .txt
It seems we have found something! Let’s navigate to the link that’s given above in our attacking machines web browser and see what we find.
The maker of this CTF seems to be hinting that remb.txt and or remb2.txt might hold some valuable information. Let’s navigate to them.
This looks like a username and a password; I wonder where we will be able to use it?!
We did see that the victim machine has port 22 open, let’s try our luck with SSH, maybe these credentials will work.
ssh firstname.lastname@example.org ls cat user.txt cd /home ls cd mhz_cif ls cd Paintings ls
We were successfully able to connect with the victim machine over SSH using “flagitifyoucan1234” as the password.
Moving around in the directories we find “user.txt” that gives us a clue about the privilege level. Looking further we find a directory named after the CTF machine that holds image files, this is the part where see the potential for steganography.
The images need to be moved from the victim machine to the attacking machine so that they can be investigated further.
There are many ways to exfiltrate data from a system but considering that this is a Linux system, the chances of finding SCP installed on it already are very high, so let’s use that instead of un-necessarily trying to install a new application.
In our attacking machine, we make a directory to call the files to, enter that directory and then start SCP with the credentials that we found earlier. Defining that we want to import all the files in the “Paintings” directory.
mkdir raj cd raj scp email@example.com:/home/mhz_c1f/Paintaings/* .
On checking the contents of the “raj” folder, we see that our operation to exfiltrate data was successful, all the image files in the Paintings directory are now in the attacking machine, ready to be scrutinized.
Steghide is the tool of choice here for obvious reasons. We need to find what information is hidden in these images.
steghide extract -sf spinning/ the/ wool.jpeg cat remb2.txt
On running Steighide, for the image names “spinning the wool.jpeg”, we are prompted for a passphrase, where we use the credentials that we had found earlier. This reveals a text file named “remb2.txt”. If you recall, we have come across this particular file name in our earlier screenshots.
We open the file to reveal what looks to be more credentials, let’s see where they can be used.
We go back to the terminal we have open into the victim machine and try to switch users to “mhz_c1f” and use the password that we just found, and it works, we are in!
su mhz_cif id sudo su cd /root ls ls –la cat .root.txt
On checking the privilege level held by this account. This account is part of the sudo group, so let’s try to get a better foothold. We are now in the root directory and on checking it’s contents we find “.root.txt” and on opening it, we get our final flag!!
This concludes our walkthrough for mhz_cxf: c1f, we hope you enjoyed it and picked up a few useful pieces of information on the way.
CTF’s are the best way to wrap your head around the concepts and though flows required to be a penetration tester, it gives you a chance to think critically and apply what you have learnt so far about hacking, in a safe environment.
As always, we at hacking articles will try to get you latest and greatest in the sphere of infosec.
Have fun and stay ethical.
About The Author
Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here