Lab - CTF Walkthrough – Infosec Prep OSCP

Overview

FalconSpy created this CTF with the support of the staff at Infosec as part of a free voucher giveaway for their OSCP Lab, lab materials, and an exam attempt. The free voucher has long expired, but the CTF still makes for good practice. This CTF is rated as easy. The first part of this lab walks students through the lab setup portion of the CTF.

Lab Requirements

  • One install of either VirtualBox or VMware.
  • One virtual install of Kali Linux.
  • One virtual install of InfoSec Prep: OSCP.

Begin the Lab Preparation!

For this lab, I will be using VirtualBox. Download InfoSec Prep: OSCP using the following download link.

Save the download to your preferred location. For this demonstration, I am extracting the contents of the downloaded zip file using 7-Zip. Once the download is complete, right-click on the downloaded zip file, and from your 7-Zip context menu, select to extract the contents to a folder named oscp.


Launch your VirtualBox application (or VMWare). Go to File, Import Appliance.

Browse to your extracted oscp folder, and double-click the OVA file to begin the import process.

Click Next.


Click Import.

Once your VM has been imported, it appears at the bottom of your left window pane. Right-click on it, and from the context menu, select Settings.


In the left windowpane, click on Network. Change your network type from Bridged Adapter to NAT Network. Click OK.

Double-click your new VM and allow the machine to boot. Do not worry about logging on to the target machine, but do take note of the assigned IP address.

Start your Kali machine. Once you are logged on, right-click on the desktop, and create a new folder. Call the folder OSCP. Once you have the new folder created, right-click on it and select Open Terminal Here from the context menu. This will be your work folder for the CTF exercise.

Begin the Walkthrough

Ensure both your Kali attack machine and the OSCP target are up and running. Next, ensure both have their network setting configured for NAT Network.


From your Kali machine, open a terminal and discover the assigned IP address using ifconfig.

These are the IP addresses assigned to my two virtual machines. Yours will differ! Lastly, ensure you have network connectivity by pinging the IP address assigned to your target from your Kali terminal.

Use CTRL+C to end the ping test, or close the terminal. Do not proceed with the lab until you have confirmed that you have connectivity between your Kali VM and the target! One ounce of prep is worth two pounds of troubleshooting! To help keep our results organized and in one central repository, right-click on your Kali desktop, and from the context menu, select Create a New Folder. Call the new folder OSCP. This will be your working directory. Right-click on your new working directory, and from the context menu, select Open Terminal Here.


Methodology

To beat the hacker, you must be the hacker, and that includes thinking like a hacker. All good hackers follow a hacking methodology. They may not follow all the steps sequentially, but having a method does tend to yield better results.

Enumeration

Enumeration is defined as extracting usernames, machine names, network resources, shares, and services from a system. In this phase, the attacker creates an active connection to the device and performs directed queries to gain more information about the target. The gathered data identifies the vulnerabilities or weak points in system security, which the attacker then tries to exploit in the system-gaining phase.

Nmap

Our enumeration phase begins with an Nmap scan of the target. Everyone has their preferred Nmap commands. Talk to two different hackers, and you will get two different opinions. For this target, I used the following Nmap command.

    nmap -sC -sV 10.0.2.17

If you prefer an all-inclusive scan that runs the default scripts, a default TCP port scan, version detection and OS detection, you can use nmap -A 10.0.2.17. This is my target IP address; yours may differ!


Our scan results show we have SSH running on port 22 and an Apache web server running HTTP on port 80. We also have the version information for the software running on ports 22 and 80. We have found a robots.txt file along with a secret.txt file. Lastly, we discovered that the web server is hosting a WordPress site. Minimize your terminal window. We will come back to these results if we need them. Back at your desktop, right-click on your working directory and open a new terminal window.

Gobuster

For our next scan, we will use gobuster. Gobuster is a tool for brute forcing URIs (files and directories) and DNS subdomains. For this scan, we will be using gobuster with a wordlist to enumerate as many files and directories as possible.

    gobuster dir -u http://10.0.2.17/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt


We get some excellent results regarding the WordPress site running on the target. I have highlighted some of the directories that look promising. We begin with the low-hanging fruit, which means looking closer at the web service running on port 80. Begin by opening a browser on your Kali machine, and in the address bar, type the IP address of the target machine.

Right from the start, we learn that there is only one user account for this site, oscp. This will come in handy later.


Right-click on the web page, and from the context menu, examine the source code for any clues. Look for any comments that might provide anything helpful. Examining the source code of any web service running on a target should be a given. Click on the links, browse the site, and examine the source code of the other web pages. The source code comes up empty, so we continue enumerating by looking first at the robots.txt file. Append /robots.txt to the target's IP address in the browser's address bar.

Robots.txt file

The robots.txt is a file that contains path information that should not be crawled by search engine bots such as Googlebot and others. It tells the search engine that a directory is private (Disallow) and should not be cataloged. For a pentester or hacker, the robots.txt can reveal restricted paths and the technology being used by the servers. Administrators sometimes treat robots.txt as an access control mechanism, expecting its contents to be read by search engines and not by humans. That is the fallacy of using a robots.txt file for access control: anyone can request it, and its Disallow entries are a list of the very paths the administrator wanted to hide.

We see that this robots.txt file is telling any search engine crawler that it may read but should not catalog the secret.txt file. We can see the contents of the secret.txt file just as we did with the robots.txt file, by appending the file name to our target's IP address.


The secret.txt file contains Base64-encoded text. We need to decode the text to be able to read its contents. We can do this in a few different ways. We could copy the encoded text to a file and decode it locally at the command line, or we could go online and search for a Base64 decoder. For this demonstration, I opened a browser and searched for a Base64 decoder. I took the first result from the list, https://www.base64decode.org/. I copied and pasted the Base64 text into the decoder's first window, and I pressed the decode button.
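The robots.txt and secret.txt steps above, turned into a small defender-side check. This is an added example, not part of the original walkthrough: it parses the Disallow entries of a robots.txt and flags any disallowed path whose body is a PEM private key, either in the clear or Base64-wrapped as the target's secret.txt was. Decoding happens locally, so recovered key material never leaves the machine. The robots.txt text, the per-path responses and the placeholder key are all constructed samples, not the CTF's real files.

```python
import base64
import re

# Constructed sample standing in for the target's /robots.txt (not the CTF's actual file).
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /secret.txt\nDisallow: /wp-admin/\n"

# Constructed placeholder standing in for the leaked key; this is NOT a real private key.
FAKE_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n"
            "-----END OPENSSH PRIVATE KEY-----\n")

# Constructed responses standing in for what the web server returns for each path.
SAMPLE_PAGES = {
    "/secret.txt": base64.b64encode(FAKE_KEY.encode()).decode(),
    "/wp-admin/": "<html>login form</html>",
}

KEY_MARKERS = ("-----BEGIN OPENSSH PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
               "-----BEGIN PRIVATE KEY-----")

def disallowed_paths(robots_txt):
    """Return the paths a robots.txt asks crawlers to skip (Disallow lines, any case)."""
    paths = []
    for line in robots_txt.splitlines():
        m = re.match(r"\s*disallow\s*:\s*(\S+)", line, re.IGNORECASE)
        if m:
            paths.append(m.group(1))
    return paths

def decode_if_base64(text):
    """Strictly decode Base64 (whitespace ignored); None if not valid Base64 or not UTF-8."""
    try:
        return base64.b64decode("".join(text.split()), validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None

def classify(content):
    """Label a response body: a PEM key in the clear, a Base64-wrapped one, or other."""
    if any(marker in content for marker in KEY_MARKERS):
        return "private_key"
    decoded = decode_if_base64(content)
    if decoded and any(marker in decoded for marker in KEY_MARKERS):
        return "base64_private_key"
    return "other"

def audit_robots(robots_txt, pages):
    """Classify every Disallow'd path; a path with no stored response is 'absent'."""
    return {p: classify(pages[p]) if p in pages else "absent"
            for p in disallowed_paths(robots_txt)}
```

In a real review, `pages` would be filled from HTTP responses for each Disallow'd path; the classification logic is unchanged.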


I am presented with the decoded results in the second window, which is an OpenSSH private key.

Copy the entire decoded OpenSSH private key by placing your mouse in the decoded results window and pressing CTRL+A to select the contents. Press CTRL+C to copy the contents. We next need to save the contents to a text file inside our working folder called OSCP, located on our desktop. To do this, right-click on your OSCP working directory and, from the context menu, select Open Terminal Here.

We need to create a text file that can be used to save the OpenSSH key. For this demonstration, I am using the nano text editor. You are free to use any text editor you choose. At the terminal, type nano key.rsa and press Enter.


This opens a blank editor screen. Right-click anywhere in the terminal window and, from the context menu, select Paste Clipboard.

To save the file, press CTRL+X, and when prompted to save the buffer, press Y. Press Enter to exit the nano text editor. At your terminal prompt, type ls to see the contents of your working folder. You should see one file named key.rsa.

(Optional) At the prompt, you can type, cat key.rsa to view the contents of the file.

We next need to change the permissions on the new key.rsa file, because ssh refuses to use a private key that other users can read. At the prompt, type chmod 600 key.rsa and press Enter.


Privilege Escalation Using SSH

We have the username given to us on the main page of the website. We have the OpenSSH key we learned from looking at the contents of the secret.txt file. Let's attempt to establish a remote shell using SSH. At the prompt, type the following, and when prompted to accept the host key, type yes.

    ssh oscp@10.0.2.17 -i key.rsa

We have a bash prompt, but we need to see if we have sudo permissions and, if so, which ones. At the prompt, type sudo -i.


We are prompted for the sudo password, which we do not have. We can next look for SUID binaries on the system, files that run with their owner's privileges no matter who executes them, using the following command.

    find / -perm -u=s -type f 2>/dev/null

  • / denotes that we will start from the top (root) of the file system and search every directory.
  • -perm denotes that we will search for the permissions that follow.
  • -u=s denotes that we will look for files with the set-user-ID bit, which run as their owner (root, for the binaries we care about) rather than as the invoking user.
  • -type states the type of file we are looking for.
  • f denotes a regular file, excluding directories and special files.
  • 2>/dev/null means we will redirect all errors to /dev/null. In other words, we will ignore all errors, such as the permission-denied messages for directories our user cannot read.


Among the results is the /usr/bin/bash binary, which should never carry the SUID bit. We next start bash with the -p switch, which tells it to keep the effective user ID granted by the SUID bit instead of dropping back to our own. At the prompt, type the following command, then check your permissions using the id command.

    /usr/bin/bash -p
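An added audit script, not from the original walkthrough, that asks the same question as the find command above but in Python and flags the answer a defender cares about: SUID files whose basename is a shell or interpreter, which is exactly the misconfiguration behind /usr/bin/bash -p. It builds a constructed throwaway directory tree with a SUID bash, a SUID passwd and a normal ls, so it runs anywhere without touching the real file system; point find_suid_files at "/" to audit a live host.

```python
import os
import stat
import tempfile

# Shells and interpreters that should never carry the SUID bit: each hands any local
# user a shell running as the file's owner, exactly what bash -p gives in this walkthrough.
SHELL_LIKE = {"bash", "sh", "dash", "zsh", "python3", "perl", "vim", "find"}

def find_suid_files(root):
    """Same question as `find / -perm -u=s -type f 2>/dev/null`: regular files under
    root whose mode has the set-user-ID bit; unreadable paths are skipped silently."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # the Python equivalent of 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def risky_suid_files(root):
    """The subset of SUID files whose basename is a shell or interpreter."""
    return [p for p in find_suid_files(root) if os.path.basename(p) in SHELL_LIKE]

def build_demo_tree():
    """Construct a throwaway tree mimicking the target's misconfiguration: a SUID 'bash'
    beside a SUID 'passwd' (expected on any Linux host) and a plain 'ls'."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    layout = {"usr/bin/bash": True, "usr/bin/passwd": True, "usr/bin/ls": False}
    for rel, suid in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # placeholder content; nothing here is executed
        os.chmod(path, 0o755 | (stat.S_ISUID if suid else 0))
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    risky = set(risky_suid_files(demo))
    for path in find_suid_files(demo):
        print(f"{'REVIEW' if path in risky else 'expected':8} {path}")
```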

We now have root access. Change directory to the top of the file system by typing cd /. To see its contents, use the ls command. Note the root directory. Change location to the root user's home directory with cd /root. Type ls to see its contents.

To see the contents of the flag.txt file, use the cat command.

    cat flag.txt

Congratulations! You did not win a voucher for the OSCP exam, but you did capture the flag.

Summary

This CTF was fast and easy because we did not use any tools to capture the flag. We could have broken out any number of tools to brute force a password or escalate privileges, but we could power our way through using just a few CLI command tricks. Once we got an SSH shell, it was all over but the crying.
