Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

DC416 CTF CHALLENGES [FORTRESS]

Location

https://download.vulnhub.com/dc416-2016/dc416-fortress.ova

Introduction

This is one of  four virtual machines that were created by members of the VulnHub CTF Team for DefCon Toronto’s first offline CTF.
This machine was created by superkojiman
Each machine has a landing page on port 80 which describes the number of flags it has, along with any additional rules or hints.

Getting Started

First a nmap scan.

Looks like there are 3 open ports. And port 80 is redirecting to port 443.
I’ll try and do some banner grabbing before I start with port 80.
Nothing there but the info I already got from the nmap scan.
When visiting the website on port 80 I get redirected to port 443. Here are the rules of engagement noted.

To enumerate some directories I use dirsearch which finds  /scanner.php/.


Looks like an excellent vector for remote code execution (RCE).
Because I want to know if I can append some arbitrary code I start to add some chars and see what the result is. After I use the pipe char (|) I get a pat on the back – much appreciated LOL.

Because I wanted to know what was happening behind the scene, I used Burpsuite to capture the traffic. From there I sent the request to the repeater and try to execute code by bypassing the filter. After some time I find out that a simple break did the trick.

Next I’m using the command ls -aRl.

So I got the first flag and the passwd and shadow file of user “craven”.
First I’m going to gather the location of the remaining flags.

So the flags I can’t read yet, but there are some files I can.

So…..the name of the pet is probably “qwerty”. Leaving my to create a list with crunch.

Now to load this up with John the Ripper.

Now that I have the password it’s time to ssh my way in as “craven”.

First I take my second flag.

Next stop is user “vulnhub” and his flag.

This time I run the program.

Let’s do some testing first.

So it’s basically just checking the filename. If it’s “flag” it will deny access to it. Else it will echo the content.
To bypass this mechanism I’m going to make a symbolic link to the real “flag.txt”.

And there is the final flag.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.