Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…


Starting with a port scan.

So SSH port 22 is filtered, which generally means the packet is dropped (by a firewall).
There is an open port 2222 which runs an SSH server behind it.
There is also a webserver running on port 80 and finally a DNS server runs behind port 53.
With these results there are a few things off.
First port 22 which I already mentioned.
Also, DNS is mostly UDP, and if TCP port 53 is open for DNS it’s mostly for domain (zone) transfers.
On port 80 an Apache webserver is running, but unfortunately it doesn’t leak a version number.
There are a few DNS recon tools, but Kali has dnsrecon installed by default, which can scan a nameserver and try to find any registered subdomains.
It can take a while, so I’ll run it in the background with a for loop.

On the website there is not that much. Just a picture.

When I check it with exiftool and hexdump there is nothing odd about it. Why did I download the image?
In some CTFs there are comments placed in the metadata of an image, or the image is used for steganography.
No comments here, so I’ll hang on to it if there is a hint about steganography or something.
In the curl output there is another thing that stands out: Xdebug: 2.5.5
After some googling it looks like Xdebug is an extension for PHP to assist with debugging and development. It contains a single-step debugger to use with IDEs.
Another hit that came up was for the use of a Metasploit module.

I’ll jump onto the machine.

It looks like I’m in a docker environment.

Let’s get the file over to my local machine

And it’s sent.

Opening the file with Wireshark

SSID…..looks like WiFi.
Let’s check the wireless LAN option.

CCMP……looks like it is a WPA key.
A good way to crack a WPA key is with hashcat. Unfortunately I run Kali in a VM and it doesn’t like hashcat very much.
That’s why I use a somewhat older method with aircrack-ng.

For this brute-force attempt I use the favorite CTF wordlist……rockyou.txt
Another method is to use John the Ripper, but then you need to convert the cap file into a hccap file and then into a file which John can digest (can be done with hccap2john).
As I now have the WPA key I can decrypt the traffic.
The capture file has over 6000 packets, so to filter there are some things that can be done.
First there is the statistics option with protocol hierarchy. With this you can see all the protocols in use and get an overview of what to target.
Also I can use a display filter to filter out unwanted packets. In this case I use the ‘ip’ filter so I can see all the ip traffic and nothing else.
Unfortunately I can’t find anything useful in this capture file other than the cracked password. The password in itself may be the final objective for this capture file.
So a password reuse maybe?

Nothing interesting is listening on this machine. So I go back to my local machine and try SSH on port 2222 with the found username zeus and password flightoficarus.

Not working. Maybe not the right username or password. Metasploit has an SSH enumeration module.
For this to work I need a list of usernames, and this machine has a clear theme.
I found a site with a nice list of the gods, but it’s not a straight list to download. Normally you can use a tool called CeWL to generate wordlists from websites. But because there is so much text on this site, it’s better to do it manually.
For this I found a website with a lot of names and copied the content into a file. Then I trim the file a bit to be of better use to metasploit.

As a check I also put in root as a user, because in most cases root is a valid username.

So there is a username other than root: icarus
That makes sense as the SSID was Too_cl0se_to_th3_Sun.

“flightoficarus” is not working? After some pondering I tried the SSID (because it was leet) and that worked as a password.

Still no user.txt
I guess I’m still not the user intended to find the first hash.
I got a hostname and a mention of Athena as a goddess. But this username was already in my list….so that’s not a username for this box.

I’m in another docker.
When I try to enumerate this machine I notice there are almost no tools installed.
From the initial nmap scan I know that there is a nameserver running. But then I had no domain name.
Let’s try a domain transfer with dig.

Some comments:
"prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
RhodesColossus.ctfolympus.htb. 86400 IN TXT "Here lies the great Colossus of Rhodes"
The first one has again a string with leet, which looks like a password and 3 numbers.
The three numbers and the reference to temporal has port knocking written all over it.
There are several ways to knock on a port. You can use nmap, telnet, netcat or as I’m doing…..use knock (you need knockd installed for this).
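The zone transfer above handed out a knock sequence and a password because they were stored in TXT records. The following is an added example (not part of the original write-up) of how a zone owner could triage a transfer of their own zone for that kind of leak; the first owner name and the heuristics are assumptions.

```python
import re

# Constructed sample in dig's AXFR output format. The TXT strings are the two
# quoted on the page; the first owner name is a placeholder (the page omits it).
SAMPLE_AXFR = '''\
placeholder.ctfolympus.htb. 86400 IN TXT "prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
RhodesColossus.ctfolympus.htb. 86400 IN TXT "Here lies the great Colossus of Rhodes"
'''

TXT_RECORD = re.compile(r'^(\S+)\s+\d+\s+IN\s+TXT\s+"(.*)"\s*$')
NUMBER_RUN = re.compile(r'\b\d{2,5}(?:[ ,]+\d{2,5}){2,}\b')  # 3+ numbers in a row
LONG_TOKEN = re.compile(r'\S{8,}')


def looks_like_password(token):
    """Heuristic: 8+ characters mixing letters, digits and punctuation."""
    return (len(token) >= 8
            and any(c.isalpha() for c in token)
            and any(c.isdigit() for c in token)
            and any(not c.isalnum() for c in token))


def triage_txt_records(zone_text):
    """Return [(owner, [(reason, value), ...])] for TXT records worth reviewing."""
    findings = []
    for line in zone_text.splitlines():
        match = TXT_RECORD.match(line.strip())
        if not match:
            continue
        owner, text = match.groups()
        reasons = []
        for run in NUMBER_RUN.findall(text):
            ports = [int(n) for n in re.split(r'[ ,]+', run)]
            if all(0 < p <= 65535 for p in ports):  # plausible TCP/UDP ports
                reasons.append(("port-sequence", ports))
        for token in LONG_TOKEN.findall(text):
            token = token.strip('().,;:')
            if looks_like_password(token):
                reasons.append(("password-like", token))
        if reasons:
            findings.append((owner, reasons))
    return findings


if __name__ == "__main__":
    for owner, reasons in triage_txt_records(SAMPLE_AXFR):
        print(owner, reasons)
```

Only the first record is flagged; the Colossus record contains no number run or mixed-character token.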

Another port scan reveals port 22 to be open.

Finally………the first flag.
Now on to getting root.

I’m not in a docker anymore.

Looks like I don’t have sudo, but I do have access to the docker group, which gives the opportunity to elevate your rights, as being a member of the docker group is the same as giving a user full root access to the system.
The way I’m going to get root is to bind-mount the root folder into a docker container. The steps and explanation can be found here.
Docker has a very useful menu function where you just have to give an argument (command) and with --help you get another list of possibilities.

With docker -v I bound /root to /tmp/n0w4n

On entering that container /root was mounted in /tmp/n0w4n
And there is the final flag.
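Because docker group membership is root-equivalent, as the bind mount above shows, it is worth auditing who holds it. The following is an added example (not from the original write-up) that lists non-root accounts in the docker group, counting both supplementary and primary-GID membership; the account names and file contents are constructed.

```python
# Constructed /etc/passwd and /etc/group contents for the demonstration.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
ci:x:1001:998::/var/lib/ci:/usr/sbin/nologin
bob:x:1002:1002::/home/bob:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
docker:x:998:alice,root
alice:x:1000:
"""

NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def root_equivalent_accounts(passwd_text, group_text, risky_groups=("docker",)):
    """Return [(user, group, has_login_shell)] for non-root members of risky groups."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7:
            accounts[fields[0]] = {"uid": int(fields[2]), "gid": fields[3],
                                   "shell": fields[6]}
    findings = []
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or fields[0] not in risky_groups:
            continue
        name, _pw, gid, listed = fields
        users = {u for u in listed.split(",") if u}            # supplementary members
        users |= {u for u, a in accounts.items() if a["gid"] == gid}  # primary GID
        for user in sorted(users):
            acct = accounts.get(user)
            if acct and acct["uid"] == 0:
                continue  # root is already root
            interactive = bool(acct) and acct["shell"] not in NOLOGIN_SHELLS
            findings.append((user, name, interactive))
    return findings


if __name__ == "__main__":
    for user, group, interactive in root_equivalent_accounts(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{user}: member of {group}, login shell: {interactive}")
```

On a real host, pass the contents of /etc/passwd and /etc/group instead of the samples.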
Normally I don’t really like CTF-minded machines on HTB, but this one was really fun to do.
