Tips for an Information Security Analyst/Pentester career - Ep. 19: CTF
Intro
Over the previous episodes, I tried to go through some basic penetration testing and information security concepts.
This time, I want to demonstrate some basic hacking concepts and techniques by using a vulnerable virtual machine available on www.vulnhub.com.
This website allows to download virtual machines used for CTF (capture the flag) competitions.
So, instead of having me yakking about theoretical concepts such as white hats and black hats, get out of your comfort zone and face real obstacles and scenarios, by having to basically pwn the system, going from zero to root.
The newest additions are referred to CTFs in progress, but it is also possible to download VM's used for past CTFs, and sometimes a write up is available with a step-by-step walk-through for them.
I chose an older VM, intended for beginners, with an available walk-through, because going through the steps needed to pwn a system may require a variable amount of time, sometimes even days, weeks, or months.
When I went through my first Ethical Hacking lab, which was way harder than this, it took me two days to get it done and I hated my life.
I could access no files because I lacked permissions, and it was a school-owned machine, so I couldn't really think of finding a way to become root.
But I could use grep, and found all I needed to find.
Having a step-by-step walk-through doesn't always make it easier for you to successfully go from zero to root, mind you.
Some steps that worked for other guys didn't work for me and I had pretty much to improvise and think outside the box, but that's what hacking is all about.
A real hacker finds creative solutions for a specific system where automated tools don't seem to work, or don't deliver the desired results.
In other words, if you can only run Metasploit and alike tools, but you don't know how to code or develop a custom solution, you're not a hacker.
Scenario
I downloaded a VM called Quaoar.ova and then I installed it in VMware (you can use VirtualBox as well).
I booted the machine and I was presented with a login screen displaying some information and a password prompt.
That's when you start getting lost.
You'll be like, "I don't have the damn password, what am I supposed to do?".
Well, first of all, you can read, right?
The on-screen message tells you what you are supposed to do and gives you the IP address of this virtual machine.
So you start out by firing your Kali Linux VM on the same network and initiate – guess what – your reconnaissance.
You start out with an Nmap scan with service versioning, in order to understand what ports are open and what services are running on this machine.
Nmap returns information on several services running on this machine.
Each one of these services might have a vulnerability that could be exploited, so there can be different solutions to hack this machine.
We can surely tell an HTTP server is running on port 80 and so we can access it through Kali, by opening the browser and surfing to http://192.168.1.65.
We obtain a webpage.
The HTML code of this page doesn't reveal anything interesting but, if we access the robots.txt file, we find an important information, precisely an allowed directory.
So we can conclude this is a WordPress website and we can navigate to that directory.
Knowing this, we can use a tool called wpscan to look for more information.
The scan returns two users: admin and wpuser.
I found more directories with dirbuster but they were accessible only to authorized users.
As the default user is enabled on the site, I tried to use the default password as well and the admin/admin combination allowed me to successfully log in.
I tried several steps suggested in the walk-throughs but I was unable to upload a PHP shell, therefore I tried a different way.
As the administrative interface on the WordPress website is called wp-admin, I tried several combinations, until I found that wpadmin/wpadmin allowed me to access through SSH.
And, lo and behold, I could get in.
Once I was in, I immediately noticed a file called flag.txt, which is obviously our first flag.
To capture the flag, we only need to read this file with the cat command.
Now one only problem remains, which is how to get root privileges on this machine.
I started going through the directories in the root folder until I found one interesting file called config.html, located in /var/www/upload directory.
By reading it, I could retrieve the root user credentials, so I exit the shell and relog as root.
After doing that, I find another file on the root directory, also called flag.txt.
Bingo!
We're all done.
Wrap-up
Learning hacking isn't very easy and, under certain points of view, it can't really be done.
Each system is unique and a proper recon activity is paramount. What I showed here is very accelerated and I was following a guide, so I knew where to go.
In a real-world scenario, each step would cost me days or even weeks of blind attempts, mind you.
Of course, this isn't real hacking, but I recommend you to go through these VMs as a mental training exercise.
It teaches you to twist your brain, to think in an unconventional way and, above all, to never give up, which is the first rule.
It teaches you techniques and tools commonly used in real pentesting scenarios and encryption concepts, that can be very handy.
Without any guide, you're going to hate your life, like it happened to me in my Ethical Hacking Lab, but that's where you tell the man from the boy (or the woman from the girl, I don't want to be accused of sexism here:).
You need to keep trying and, sooner or later, you'll start finding a clue, and then another one and another one, and you'll feel like the mystery starts being unlocked, until you pwn the system,
I can't tell you how much I cussed over those two days, but the achievement feeling I had when I could finally complete that lab (and got 100%, by the way) was worth it.
I felt like I could do something in this industry for real.
So start from this VM and download more and more and more VMs, until you'll be able to try exploiting one without any walkthroughs available.
It's a good training for your OSCP and for hard times you (and me) will surely have to face.
Comments
Post a Comment