RootMe — Tryhackme Writeup

D_c4ptain
3 min read, Oct 23, 2022


A CTF for beginners, can you root me?

Task 1 — Deploy the machine

Task 2 — Reconnaissance

http://10.10.67.173

1. Scan the machine, how many ports are open?

Let’s do a simple nmap scan.

sudo nmap -sV 10.10.67.173

2. What version of Apache is running?

3. What service is running on port 22?

See above.

4. Find directories on the web server using the GoBuster tool.

gobuster dir -u http://10.10.67.173 -w /usr/share/wordlists/dirb/common.txt

5. What is the hidden directory?

Task 3 — Getting a shell

Find a form to upload and get a reverse shell, and find the flag.
user.txt

Found a form in one of the hidden directories.

Let’s upload the PHP reverse shell by pentestmonkey.
Reverse shell here.
Shell walkthrough here.

That is not looking good; it looks like our script upload was blocked.
Let’s change the PHP file’s extension to “php5" and upload it again.
(Read up on file upload bypasses, as this room is about file upload vulnerabilities.)
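Why the rename works, and what a fixed upload handler looks like, as an added example in Python (not code from the original post or from the room): a blocklist that refuses only ".php" knows nothing about ".php5", while an allowlist check also verifies that the bytes are really an image. The filenames and file contents below are constructed.

```python
import os

# Weak check modelled on the behaviour observed above: a blocklist that refuses
# ".php" but knows nothing about ".php5", ".phtml" and the other extensions a
# PHP handler may be mapped to.
BLOCKED_EXTENSIONS = {".php"}

# Hardened check: a short allowlist of image extensions, plus a requirement
# that the file's leading bytes match the extension it claims.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC_BYTES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"GIF87a": {".gif"},
    b"GIF89a": {".gif"},
}


def blocklist_accepts(filename: str) -> bool:
    """Reject only the extensions the developer thought of."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTENSIONS


def allowlist_accepts(filename: str, data: bytes) -> bool:
    """Normalise the name, require exactly one allowlisted extension, and
    require the content to look like that image type."""
    # Drop any directory part so "../cat.png" cannot escape the upload folder.
    name = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    # Reject empty stems and double extensions such as "shell.php.png";
    # Apache can be configured to evaluate every extension in a name.
    if not stem or "." in stem:
        return False
    if ext not in ALLOWED_EXTENSIONS:
        return False
    for magic, exts_for_magic in MAGIC_BYTES.items():
        if data.startswith(magic):
            return ext in exts_for_magic
    return False  # content matches none of the allowed image types


def demo() -> dict:
    """Run both checks over constructed sample uploads (not real files).

    Returns {filename: (blocklist_result, allowlist_result)}.
    """
    not_an_image = b"<?php echo 'not an image'; ?>"  # constructed, benign PHP
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16           # constructed PNG header
    samples = [
        ("shell.php", not_an_image),
        ("shell.php5", not_an_image),   # the rename that got through above
        ("shell.php.png", png),         # double extension
        ("fake.png", not_an_image),     # right extension, wrong content
        ("../cat.png", png),            # traversal attempt, benign content
        ("cat.PNG", png),               # case variation
    ]
    return {name: (blocklist_accepts(name), allowlist_accepts(name, data))
            for name, data in samples}


if __name__ == "__main__":
    for name, (weak, hardened) in demo().items():
        print(f"{name:16} blocklist={weak!s:5} allowlist={hardened}")
```

The blocklist passes "shell.php5" and "fake.png"; the allowlist passes only the two real PNGs. Storing uploads under a server-generated name outside the web root, with PHP execution disabled for that directory, is the other half of the fix.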

We go on green.
Listen for the shell with netcat (I changed my listening port).

nc -lnvp 5555

Navigate to the PHP script and check netcat.
(Damn! I always forget to disable my firewall on Parrot.)

Finally!

Let’s search for the flag user.txt

find . -name user.txt 2>/dev/null

Nice, kill that rat!

Task 4 — Privilege escalation

(Usually my best part)

1. Search for files with SUID permission. Which file is weird?

Using:

find / -user root -perm /4000

Found python with SUID permissions, meaning it runs with the file owner’s (root’s) privileges instead of dropping them.
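From the defender’s side, the same search is worth running as a routine audit: compare the host’s SUID inventory against a known-good baseline and alert on anything extra, an interpreter above all. The following is an added example in Python, not code from the post or the room; the baseline set and the sample inventory are constructed for illustration.

```python
import os
import stat
from typing import Iterable, List, Tuple

# Constructed baseline of SUID binaries a stock Debian/Ubuntu-style host
# carries. A real baseline is captured from a known-good image of the same
# release; this set only illustrates the shape.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp",
}

# Pseudo-filesystems to skip: noisy, and some entries block on read.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_suid_root(mode: int, uid: int) -> bool:
    """True for a regular file owned by root with the setuid bit set, i.e.
    what `find / -user root -perm /4000` matches."""
    return stat.S_ISREG(mode) and uid == 0 and bool(mode & stat.S_ISUID)


def scan_suid(root: str = "/") -> List[str]:
    """Walk the tree under `root` and return root-owned SUID files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            if is_suid_root(st.st_mode, st.st_uid):
                hits.append(path)
    return sorted(hits)


def unexpected_suid(found: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """SUID files not in the baseline: the ones that need a look."""
    return sorted(set(found) - set(baseline))


def audit_entries(entries: Iterable[Tuple[str, int, int]],
                  baseline: Iterable[str]) -> List[str]:
    """Same audit over (path, st_mode, st_uid) tuples, so it can run over a
    stored inventory instead of a live filesystem."""
    found = [path for path, mode, uid in entries if is_suid_root(mode, uid)]
    return unexpected_suid(found, baseline)


# Constructed inventory resembling what the writeup found on the target.
# 0o104755 = regular file + setuid bit + rwxr-xr-x.
SAMPLE_INVENTORY = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/sudo", 0o104755, 0),
    ("/usr/bin/python", 0o104755, 0),      # SUID interpreter: the anomaly
    ("/usr/bin/ls", 0o100755, 0),          # ordinary root-owned binary
    ("/home/user/tool", 0o104755, 1000),   # SUID but not root-owned
]


if __name__ == "__main__":
    print("unexpected in sample inventory:",
          audit_entries(SAMPLE_INVENTORY, EXPECTED_SUID))
    print("unexpected under /usr/bin on this host:",
          unexpected_suid(scan_suid("/usr/bin"), EXPECTED_SUID))
```

An interpreter in the unexpected list is exactly the finding of this task; the fix is to clear the bit (chmod u-s) and to have file-integrity monitoring treat any new SUID file as an alert rather than a curiosity.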

2. Find a form to escalate your privileges.

Let’s get root access with:

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

See GTFOBins

There we go, we are powerful now.

3. root.txt

Let’s look for the flag with:

find . -name root.txt 2>/dev/null

Nice, kill that rat!

Well, there are many ways of killing a rat!

Let’s connect here.

Happy Hacking.


Written by D_c4ptain

Ethical Hacker | CTF player | Biker | There are many ways of killing a rat! | https://d-c4ptain.github.io
