This VM has a slightly higher difficulty level than the first entry in the series. If you've completed the first entry and tried some of the other beginner-oriented challenges, this VM could be a good next step. Again, this challenge contains some early exploit vectors and privilege escalation vulnerabilities.
Your goal is to remotely attack the VM, gain root access, and read the flags located in /root/flag.txt. Once that's done, try to find any other vectors you might have missed!
As usual, the first step is to find the target's IP address by scanning the machines on the network we are using, with a tool such as NetDiscover or Angry IP. Here I am using NetDiscover, so let's get started.
sudo netdiscover
The IP address 192.168.0.106 will be our target. Once we have it, let's run an Nmap scan to check for open ports and running services.
nmap -A -p- 192.168.0.106
Okay, that's pretty interesting. The Nmap output shows that ports 22, 80, 139, 445, 8009, and 8080 are open. Port 80 means our target machine is running a web server, so let's visit it and see what information is there...
The page is like a newly bought book: empty, nothing in it. But wait!!! It says "Please Check Back Later". Hmmm, we'd better run the dirb tool to find out what's hidden inside.
dirb -w http://192.168.0.106 /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
There are two files here. Take a look at both and pay attention to what each one conveys.
From these messages, I assume the OS has two local users whose names start with J and K, and that J has weak credentials that are easy to crack. Since the "dev.txt" message mentions "SMB", the service is probably Samba. Without thinking too long, let's run "enum4linux" and see what it produces.
Wait a minute!!!! Previously, my friend asked, "Why enum4linux?" and I answered, "It's a tool used to enumerate SMB shares on Windows and Linux systems. Essentially, it's a wrapper around the tools in the Samba package and makes it easy to quickly extract information from SMB-related targets." So maybe this is the right tool.
enum4linux 192.168.0.106
See, there are two local users on the machine, so the conclusion is that J is Jan and K is Kay. Hmmm... interesting.
Since our target machine is running SSH on port 22, let's try logging in with the username jan, because the two files stated that the password is weak. In this case we could use the Metasploit module "auxiliary/scanner/ssh/ssh_login", but I didn't use it and chose a tool like "hydra" instead. So let's use "hydra":
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://192.168.0.106
Yes, it looks easy, right? Now we have the password for the local account jan, so let's SSH into the machine.
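From the defender's side, the hydra run above is the noisiest step of the whole walkthrough: every guess is one "Failed password" line in the target's sshd log, and the successful guess is an "Accepted password" line from the same source moments later. The following example, added here and not part of the original walkthrough, parses a handful of constructed auth.log lines (not taken from the target machine) and flags a source address that produces a burst of failures followed by a success. The threshold and window values are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the target machine): a password
# spray against "jan" from one source, followed by a success from that source,
# plus one ordinary typo-then-login from a different address.
SAMPLE_AUTH_LOG = """\
Apr 19 10:00:01 target sshd[1201]: Failed password for jan from 192.168.0.105 port 51234 ssh2
Apr 19 10:00:01 target sshd[1202]: Failed password for jan from 192.168.0.105 port 51236 ssh2
Apr 19 10:00:02 target sshd[1203]: Failed password for invalid user admin from 192.168.0.105 port 51238 ssh2
Apr 19 10:00:02 target sshd[1205]: Failed password for jan from 192.168.0.105 port 51240 ssh2
Apr 19 10:00:03 target sshd[1207]: Failed password for jan from 192.168.0.105 port 51242 ssh2
Apr 19 10:00:03 target sshd[1209]: Failed password for jan from 192.168.0.105 port 51244 ssh2
Apr 19 10:00:04 target sshd[1211]: Accepted password for jan from 192.168.0.105 port 51246 ssh2
Apr 19 10:02:10 target sshd[1301]: Failed password for kay from 192.168.0.50 port 40000 ssh2
Apr 19 10:02:40 target sshd[1303]: Accepted password for kay from 192.168.0.50 port 40002 ssh2
"""

# One regex covers both outcomes; "invalid user" appears when the name does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_sshd_events(text, year=2024):
    """Turn raw sshd log lines into event dicts; syslog has no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Per source IP: report a burst of >= threshold failures inside window_seconds,
    and list any accounts that logged in from that source after the burst."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        burst = False
        # Sliding window: any run of `threshold` failures within the window counts.
        for i in range(len(failures)):
            j = i + threshold - 1
            if j < len(failures) and (failures[j]["ts"] - failures[i]["ts"]).total_seconds() <= window_seconds:
                burst = True
                break
        if not burst:
            continue
        last_fail = failures[-1]["ts"]
        success_after = [e["user"] for e in evs
                         if e["result"] == "Accepted" and e["ts"] >= last_fail]
        findings[src] = {
            "failures": len(failures),
            "users_tried": sorted({e["user"] for e in failures}),
            "success_after_burst": success_after,   # a success here means compromise, not just noise
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_sshd_events(SAMPLE_AUTH_LOG)).items():
        print(src, info)
```

The second address only produces a single failure and is ignored, while the first is reported with the accounts it tried and the account it eventually got into. In practice the fix on the target is not the detection but the configuration: rate-limit or lock out repeated failures (fail2ban or equivalent) and, better, set PasswordAuthentication no in sshd_config so a weak password like jan's cannot be guessed over the network at all.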
Now let's explore the system and see what we find. Next, run the command cat /etc/passwd. You'll see that Kay has a home directory on the target machine.
cat /etc/passwd
The user Kay has an interesting file called pass.bak, so I wanted to check it out, but I couldn't open it until logged in as Kay. There is also another directory called .ssh, which contains the private and public keys.
To gather more information about the user Kay, I confirmed that the id_rsa file in the ".ssh" folder can be read by navigating to the /home/kay directory. This file can be copied directly to the Kali machine and used for SSH, but I confirmed that it requires a passphrase.
To find the passphrase of the "id_rsa" file, it must first be converted into a format that "John the Ripper" can attack, using "ssh2john", which is part of the John the Ripper tool. After this step, the id_rsa passphrase is recovered through a brute-force attack with John the Ripper.
Next, open "id_rsa" and copy its contents, open a new terminal, open "vim", paste the copy of id_rsa and save it as "key" with ":wq". Then use "ssh2john":
ssh2john key > decode
then
john --wordlist=/usr/share/wordlists/rockyou.txt decode
Here, we've got the passphrase for kay's key, which is beeswax. Now we can log in as the kay user and perhaps view the pass.bak file. Let's give it a try.
Damn, I couldn't log in because of a permission denied error. I tried several times, but to no avail. After some time, I realized that only the owner should have read and write permissions on the key, and no one else should have any. So I changed the permissions using the "chmod 600 key" command, and then I was able to log in to the account via SSH.
chmod 600 key
and
ssh -i key kay@192.168.0.106
And, well, look... I successfully logged in as user kay. Don't forget to enter "beeswax" at the "Enter passphrase for key 'key':" prompt.
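The "chmod 600 key" step is worth pausing on, because the same permission rule is exactly what failed on the target: kay's id_rsa was readable by another local user (jan), which is what made the offline passphrase attack with ssh2john and john possible in the first place. OpenSSH refuses to use a private key that is readable or writable by group or others, which is the error the walkthrough hit on the Kali side. The example below, added here and not part of the original walkthrough, mirrors that check and turns it into a small audit that walks a home directory and lists private keys exposed to other users. The sample keys are placeholder files with only a PEM header (constructed, not real keys), written to a temporary directory.

```python
import os
import stat
import tempfile

PLACEHOLDER_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "PLACEHOLDER-NOT-A-REAL-KEY\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


def private_key_permissions_ok(path):
    """Mirror the check OpenSSH applies before using a private key:
    no read/write/execute bits for group or others (mode & 0o077 == 0)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def audit_private_keys(root):
    """Walk a directory tree and return the relative paths of files that look like
    private keys (judged by the PEM header, not the file name) but are readable
    or writable by other users. These are the files an unprivileged local
    account could copy off the box for offline passphrase guessing."""
    exposed = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as f:
                    head = f.read(64)
            except OSError:
                continue
            if b"PRIVATE KEY-----" in head and not private_key_permissions_ok(full):
                exposed.append(os.path.relpath(full, root))
    return sorted(exposed)


def demo():
    """Build a throwaway home directory with one exposed and one protected key,
    run the audit, apply the fix, and run it again. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)

        exposed = os.path.join(ssh_dir, "id_rsa")
        with open(exposed, "w") as f:
            f.write(PLACEHOLDER_KEY)
        os.chmod(exposed, 0o644)   # world-readable: the state kay's key was found in

        protected = os.path.join(ssh_dir, "id_ed25519")
        with open(protected, "w") as f:
            f.write(PLACEHOLDER_KEY)
        os.chmod(protected, 0o600)  # owner-only: what "chmod 600 key" restores

        before = audit_private_keys(home)
        os.chmod(exposed, 0o600)    # the remediation
        after = audit_private_keys(home)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("exposed before fix:", before)
    print("exposed after fix: ", after)
```

Two points follow from this. First, the 0o077 mask is the whole of the client-side check, so a key that passes it on the attacker's Kali box is no safer than one that fails; the check protects against the key's owner leaking it, not against the key having already been copied. Second, once a private key has been copied, only its passphrase stands between the thief and the account, and a passphrase taken from rockyou.txt gives no protection; a long random passphrase, or a key that never leaves a hardware token, does.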
Next is privilege escalation, or you could say moving towards the top. Maybe...
Remember that our main goal is to get root privileges. Kay's password, which we can now read from pass.bak, also works as the sudo password, so now we are root and can read flag.txt.
sudo -i
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
Yeahhhh... That's the one we were looking for, and we found it.
This CTF teaches the importance of a systematic approach to the pentesting process—starting with in-depth enumeration, utilizing the information found, and making informed decisions about moving on to the next stage. Patience, creativity, and analytical skills are crucial in completing each part of this challenge.