There is a new beginner-level CTF challenge on VulnHub. The author of the machine is Somu Sen. Also, I am trying the machine on VMware Workstation Player. “HackathonCTF 2 Walkthrough – Vulnhub – Writeup”.
Link to the machine: https://www.vulnhub.com/entry/hackathonctf-2,714/
Identify the target
Firstly, I had to identify the IP address of the target machine.
fping -aqg 192.168.19.0/24
Scan open ports
Next, I scanned the open ports to know the exposed services.
nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log 192.168.19.141
Firstly, anonymous FTP access is allowed. Then, it is evident from the scan results that there is a dictionary file which we can use to bruteforce different logins. In my mind, I am going to use the dictionary list to bruteforce the SSH service running on port 7223. So, I logged in to the FTP server.
ls -al
get flag1.txt
get word.dir
Now that I have the wordlist, I require the username to bruteforce. For this, I enumerated the webserver.
Enumerate web server
gobuster dir -u http://192.168.19.141 -x html,txt,php --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o dir.log
During the scanning, I found a URL path
The URL said there was nothing in there. However, when I looked at the source, I found a username.
Now, I have a username and a wordlist. So, I can bruteforce now.
Bruteforce using hydra
Hydra is a tool for online bruteforcing. There are also offline password-cracking tools, such as John the Ripper.
hydra -V -l hackathonll -P word.dir 192.168.19.141 ssh -s 7223
Finally, I got the credentials of the SSH login.
ssh email@example.com -p 7223
However, this is not the user that had the flag. So, I looked up the users on the machine.
cat /etc/passwd | grep bash
We can see that there is another user called dobash. Thus, I had to try to get his shell. But before that, you can see that the shell isn’t the bash shell. So, let’s switch to that.
However, while searching for the next clue, I looked at my sudo permissions.
Luckily, we could use vim as root without requiring the password of root. If we look at GTFOBins, we learn that vim allows execution of shell commands.
sudo vim -c ':!/bin/bash'
Finally, I got the root shell and the root flag.
cd /root/
ls
cat flag2.txt
Also, there is nothing in dobash. It was there to divert my mind.
This is a very beginner level machine. Hence, you can crack this within a few minutes.
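From the defender's side, the sudo rule that let vim run as root is the misconfiguration to look for. The following audit is an added example, not part of the original walkthrough: it scans sudoers-style rules and flags commands that can spawn a shell from inside the program. The sample rules and the short binary list are constructed for illustration, since the walkthrough does not show the machine's actual sudoers file.

```python
import re

# Editors, pagers and interpreters that can spawn a shell from inside.
# Small illustrative subset chosen for this example; extend it from GTFOBins.
SHELL_ESCAPE = {"vim", "vi", "nano", "less", "more", "man", "awk", "find", "perl", "python3"}

# Constructed sudoers content; the walkthrough does not show the real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
hackathonll ALL=(root) NOPASSWD: /usr/bin/vim
backup ALL=(root) NOPASSWD: /usr/sbin/reboot
%admin ALL=(ALL) /usr/bin/less /var/log/syslog, /usr/sbin/shutdown -r now
"""

# user  host = (runas) command-list
RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def audit_sudoers(text):
    """Return (who, command_path, nopasswd) for rules that allow a shell-escape binary."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        nopasswd = False  # tags carry over to later commands on the same line
        for spec in rule.group("cmds").split(","):
            spec = spec.strip()
            tag = TAG.match(spec)
            while tag:  # strip leading tags such as NOPASSWD: or SETENV:
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                spec = spec[tag.end():]
                tag = TAG.match(spec)
            if not spec:
                continue
            path = spec.split()[0]
            if path.rsplit("/", 1)[-1] in SHELL_ESCAPE:
                findings.append((rule.group("who"), path, nopasswd))
    return findings


if __name__ == "__main__":
    for who, path, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {path} can spawn a shell as the run-as user (NOPASSWD={nopasswd})")
```

Where a user only needs to edit specific files as root, granting `sudoedit` on those paths avoids running the editor itself with root privileges.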