Task 1 – Questions #1
Intermediate level CTF. Just enumerate, you’ll get there.
We first run nmap to enumerate all ports, and notice that FTP, web (Apache and Webmin) and SSH are open.
nmap -sV -sC -Pn -p- -v 10.10.206.160
Nmap scan report for 10.10.206.160
Host is up (0.020s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.11.22.188
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry
|_/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
10000/tcp open http MiniServ 1.930 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 7A89A2BD40E0AA88430233D60AA82EB4
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
| 256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_ 256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
We connect to the FTP server anonymously and check for files (the listing needs -a to show the hidden .info.txt; inside the ftp session the download command is get, not wget):
ftp ftp@10.10.206.160
ls -la
get .info.txt
Bonus: .info.txt contains an encoded string. It is ROT13; I pasted it into CyberChef and decoded it.
https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,false,13)&input=V2hmZyBqbmFncnEgZ2IgZnJyIHZzIGxiaCBzdmFxIHZnLiBZYnkuIEVyenJ6b3JlOiBSYWh6cmVuZ3ZiYSB2ZiBndXIgeHJsIQ
This returned…
Just wanted to see if you find it. Lol. Remember: Enumeration is the key!
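As an added example that is not part of the original writeup, the script below reproduces the CyberChef step offline: the share URL above carries the input as unpadded base64 in the fragment, and the recipe ROT13(true,true,false,13) rotates lower- and upper-case letters by 13 and leaves digits alone.

```python
import base64
import string

# CyberChef share link quoted from the writeup; the fragment holds the recipe
# and the base64-encoded input.
CYBERCHEF_URL = (
    "https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,false,13)"
    "&input=V2hmZyBqbmFncnEgZ2IgZnJyIHZzIGxiaCBzdmFxIHZnLiBZYnkuIEVyenJ6b3Jl"
    "OiBSYWh6cmVuZ3ZiYSB2ZiBndXIgeHJsIQ"
)


def cyberchef_input(url: str) -> str:
    """Return the decoded text of the input= argument of a CyberChef share URL.

    The fragment is parsed by hand rather than with urllib.parse.parse_qs,
    because parse_qs would turn a '+' in the base64 alphabet into a space.
    CyberChef strips the '=' padding, so it is restored before decoding.
    """
    fragment = url.split("#", 1)[1]
    params = dict(part.split("=", 1) for part in fragment.split("&") if "=" in part)
    raw = params["input"]
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw).decode("utf-8")


def rot(text: str, amount: int = 13, rotate_lower: bool = True,
        rotate_upper: bool = True, rotate_digits: bool = False) -> str:
    """Caesar rotation with the same switches as CyberChef's ROT13 recipe."""
    src = dst = ""
    if rotate_lower:
        a = string.ascii_lowercase
        src, dst = src + a, dst + a[amount % 26:] + a[:amount % 26]
    if rotate_upper:
        a = string.ascii_uppercase
        src, dst = src + a, dst + a[amount % 26:] + a[:amount % 26]
    if rotate_digits:
        d = string.digits
        src, dst = src + d, dst + d[amount % 10:] + d[:amount % 10]
    return text.translate(str.maketrans(src, dst))


def decode_cyberchef_rot13(url: str) -> str:
    """Extract the input from the share URL and apply the ROT13 recipe."""
    return rot(cyberchef_input(url))


if __name__ == "__main__":
    print(cyberchef_input(CYBERCHEF_URL))      # the ROT13 text from .info.txt
    print(decode_cyberchef_rot13(CYBERCHEF_URL))
```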
File extension after anon login
txt
Check our nmap scan from earlier for the next two answers.
What is on the highest port?
ssh
What’s running on port 10000?
Webmin
searchsploit webmin
Can you exploit the service running on that port? (yay/nay answer)
nay
Enumerating the webserver for extra directories, we notice some useful ones here.
gobuster dir --url http://10.10.206.160/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.206.160/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 292]
/.htaccess (Status: 403) [Size: 297]
/.htpasswd (Status: 403) [Size: 297]
/index.html (Status: 200) [Size: 11321]
/joomla (Status: 301) [Size: 315] [--> http://10.10.206.160/joomla/]
/manual (Status: 301) [Size: 315] [--> http://10.10.206.160/manual/]
/robots.txt (Status: 200) [Size: 257]
/server-status (Status: 403) [Size: 301]
Progress: 4727 / 4727 (100.00%)
===============================================================
Finished
===============================================================
What CMS can you access?
Joomla
Keep enumerating, you’ll know when you find it.
The interesting file name in the folder?
log.txt
Task 2 – Questions #2
You can complete this with manual enumeration, but do it as you wish
Where was the other user's pass stored (no extension, just the name)?
backup
user.txt
You made it till here, well done.
What did you exploit to get the privileged user?
find
root.txt
It wasn’t that hard, was it?