Offensive Security is a world wide renowned Cybersecurity company that offers Cybersecurity consulting for companies as well as Cybersecurity training for security professionals veterans as well as those wanting to break into the industry. Proving Grounds however is a platform they offer which contains a number of virtual machines which people can play which are created in a 'Capture The Flag' format with the intention to sharpen hacking skills. The following is my documentation of the 'Vegeta' machine I played on the platform.
IP: 192.168.234.73
OS: Linux
Recon & Initial Access
The Beginning of my recon on this machine begins with an nmap scan which shows the following:
The NMAP scan (NMAP is a popular network reconnaissance tool which assists scan target machines or networks and gives information about them like what OS, ports and services are available) tells us that we have SSH running on port 22 (specifically OpenSSH 7.9p1) and running on the web server is an Apache 2.4.38. My first reaction was to first go on ahead and inspect the web server to see whats there. Maybe we could find a basic authentication login page we could exploit.
On the web page, we discover that there is no login page and that this machine is themed after Vegeta from the popular anime DBZ. Fancy lol.
One of the things that are done when trying to find initial access to any web server is to poke around for anywhere data can be inserted in order to manipulate any backend database or application (ex. SQL INJECTIONS or LOCAL FILE INCLUSIONS or any other similar functioning vulnerabilities) or even any information that can aid us to craft an exploit against the target server. Upon looking at this webpage, I went on to search for a /robots.txt file on the server as this file usually contains some information that we can use.
Immediately, after discovering the web server has a robots.txt file, I see the file pointing to a /find_me directory on the server.
Putting that into the URL and we are met with a 'find_me.html' file that we can look at. I checked it out and saw that there was nothing much. I went on to check the source code of the particular page as usually you get more information of what is running on the server as well as any more directories which can have more information. The more the information, the more the chances are high for a successful hack.
Scrolling down the source code reveals a long string (array of random characters like "=uwh8h2787yhdhiqhj8d9yhjbuhbs36ffj") which I then
discover is a base64 encoded string. I try and decode it and realize the string is just another bunch of unreadable text which won't serve
me for an entry point into the server. I was expecting maybe a hint to another directory or maybe even credentials we can use to SSH into the machine but nothing. Cool.
So then after poking around and looking for ways to have initial access, I realize that this machine is themed after Vegeta from DBz.
file ('hahahaha.wav' was the filename just so you know. DON'T ASK WHY... NO ONE KNOWS lol.).
I downloaded the file and began to look into it for any obfuscated data. Looking into the file, I realise that the file has morse code. So I went online and looked for any morse code decoders. I finally found one and managed to decode it. Upon decoding, the morse code reveals that there is a user available on the server named trunks and his password is "us3r with the 'S' as a dollar symbol". Since this is gamified, it isn't exactly realistic. Realistically, a web developer or even a system administrator would at least try not to expose any files... better still a morse code containing .wav file which can disclose any information of what is in the web server.
So upon finding information about this 'trunks' user, I refer back to my NMAP reconnaissance results and remember that there is a way I
can establish initial access to the server via SSH. SSH is a service which allows for authenticated and encrypted remote logins with typically is found on port 22 in networking, unless a sysadmin
configures a different port altogether. I then SSH in to the machine and I am logged on as trunks within the web server. I'M IN! finally.
Privilege Escalation & ROOT Access
Whenever a hacker finds an entry point to a system, a network or a server, it is of utmost priority to elevate privileges because on every
computer system, there are 'root' (in unix) or 'administrator' (in windows systems) which have the ability to execute anything. Realistically, a hacker
would then attempt to craft a piece of malware code or a file embedded with malware code in order to achieve this and go even further to establish persistent access to the system or the network. In my case,I am logged in as the trunks user, thus concluding that I don't have alot of privileges as to what I can do. My goal is to get to root in
order to have administrator privileges in order to have FULL CONTROL of the machine.
So next, for me to know any privilege escalation vectors, within my attacker machine are scripts I have available which essentially can look
through the machine and see any vectors I can use to maliciously escalate my privilege and get 'root' access to the machine. For me
to get this script (called LinEnum.sh) to the target machine I have access to, I initiate a python based local web server which will serve
my script in order for me to use the target machine and grab it, so I can execute it.
I grab it, change the script into an bash executable and execute it.
 |
| LinEnum.sh script running |
This script outputs alot of information such as the kernel version, the SUID, SGID binaries and a whole lot more I just won't get into as it typically leads, even myself, down unnecessary rabbit holes.
The script then shows me that on the machine is a '.bash_history' file, which is basically a file that saves the history of commands that we're executed by the user. Looking at these commands, we see that this user created a 'Tom' user.
So I then try to see if this user exists. To do this, there is a file called the 'passwd'
file in the /etc directory.
 |
| /etc/passwd contents |
I review this file and find out that there is no such user that exists by the name of 'Tom'. So my curiousity
was like "Why is this command here if it was'nt even executed in the first place???? Maybe... what I can do is execute it????"... And
so I did with a simple copy/paste.
Executing it, I then discover that this 'Tom' user is assigned as 'root'. Which is is good for me as the attacker. So I login as Tom on the machine and finally. I'm ROOT! At this point, I have full control of the target and I can run additional scripts to cause more chaos if I wanted to
At this point, I have full control of the target and I can run additional scripts to cause more chaos if I wanted to. But since this is just a CTF, we'll leave it at that.
What This Machine reinforced:
- The importance of the .bash_history file in Linux systems
- The importance of Proper Recon. Being proficient with Information Gathering will allow a hacker to be time efficient in an investigation as well as craft the exploit or a strategy that will enable quicker RCE (Remote Code Execution) and eventually fully exploit the target machine.
This machine took me about approx 1.5 hours to fully enumerate & hack into an gain into, but again, this is gamified and is just a means to hack in a legal environment. This is the first of many other CTFs I will be using to learn as much as I can.