Alzheimer Write-Up
Introduction
In this write-up, I will walk you through the steps I took to complete the HackMyVM - Alzheimer CTF challenge. The objective is to gain root access to the target machine by exploiting the vulnerabilities identified along the way. Check out the video here (to be updated).
TL;DR
Reconnaissance
Network/Port Scanning (Nmap)
Command: nmap -sV -sC -oA alzheimer 172.16.101.89
Explanation:
nmap: Tool used to scan the network and ports to discover which services are running.
-sV: Perform version detection of the services found.
-sC: Scan using the default NSE scripts.
-oA alzheimer: Write the output in all three formats (normal, XML and grepable) with the base filename "alzheimer".
172.16.101.89: IP address of the Alzheimer VM on my network.
Output:

Findings:
We see that the following services are running:
Port 21: FTP service with anonymous user login enabled.
Port 22: An SSH server which I am assuming is for better shell access after we find the user password or private key.
Port 80: An HTTP server.
Ports 22 and 80 are filtered, though, so that leaves the FTP server to investigate. Let's check it out.
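Because the scan was run with -oA, the same results also exist as a grepable alzheimer.gnmap file. The following is an added example, not code from the write-up or from Nmap: a small parser for that grepable format, plus a diff of two scans so that a port changing from filtered to open (which is exactly what the later re-scan shows) is easy to spot. The two sample lines are constructed to mirror the states described here; the host IP is the one from the page, and the service version fields are deliberately left blank because the page does not show them.

```python
"""Added example, not code from the write-up: parse nmap's grepable (.gnmap)
output and diff two scans of the same host.  BEFORE_KNOCK and AFTER_KNOCK are
constructed sample lines; version fields are blank on purpose."""


def parse_gnmap(text):
    """Return {host: [{"port", "proto", "state", "service", "version"}, ...]}."""
    hosts = {}
    for line in text.splitlines():
        # Only "Host:" lines that carry a "Ports:" field describe scanned ports.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Everything between "Ports:" and the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = []
        for item in ports_field.split(","):
            item = item.strip()
            if not item:
                continue
            # gnmap port entry layout: port/state/proto/owner/service/rpcinfo/version/
            port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
            entries.append({"port": int(port), "proto": proto, "state": state,
                            "service": service, "version": version})
        hosts[host] = entries
    return hosts


def by_state(entries):
    """Group port numbers by nmap state, e.g. {"open": [21], "filtered": [22, 80]}."""
    grouped = {}
    for e in entries:
        grouped.setdefault(e["state"], []).append(e["port"])
    return grouped


def state_changes(before, after):
    """Ports whose state differs between two scans of one host: {port: (old, new)}."""
    old = {e["port"]: e["state"] for e in before}
    new = {e["port"]: e["state"] for e in after}
    return {p: (old.get(p, "absent"), new.get(p, "absent"))
            for p in sorted(set(old) | set(new)) if old.get(p) != new.get(p)}


# Constructed .gnmap lines modelled on the two scans in the write-up.
BEFORE_KNOCK = ("Host: 172.16.101.89 ()\tPorts: 21/open/tcp//ftp///, "
                "22/filtered/tcp//ssh///, 80/filtered/tcp//http///\tIgnored State: closed (997)")
AFTER_KNOCK = ("Host: 172.16.101.89 ()\tPorts: 21/open/tcp//ftp///, "
               "22/open/tcp//ssh///, 80/open/tcp//http//nginx/\tIgnored State: closed (997)")

if __name__ == "__main__":
    before = parse_gnmap(BEFORE_KNOCK)["172.16.101.89"]
    after = parse_gnmap(AFTER_KNOCK)["172.16.101.89"]
    print("before:", by_state(before))
    print("after: ", by_state(after))
    print("changed:", state_changes(before, after))
```

Run on the real file with `parse_gnmap(open("alzheimer.gnmap").read())`. A state of "filtered" means Nmap got no answer at all (neither SYN-ACK nor RST), which is the signature of a firewall rule rather than a closed port, and that is what makes the port-knocking hint in the FTP note plausible.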
File Sharing Server Enumeration
The Nmap output shows us that the FTP server has anonymous login enabled. Let's first try accessing the server using the anonymous user (blank password).
Command:

The server lets us in as the anonymous user. There is a hidden file on the server called .secretnote.txt; let's download it to our machine to inspect it.
Command:
Note: I changed the file name from .secretnote.txt to secretnote.txt so that it is not hidden on my file system.
Output:

Now that we have the secret note, let's read it.
Output:

The secret note tells us that we need to knock the given ports. This blog is a great resource for understanding Port Knocking in the context of CTFs. As mentioned in the blog, we will use the knock client that ships with knockd to knock the given ports in the given order.
Command for Port Knocking:
The command produces no output, but according to the concept of Port Knocking the filtered services should now be open. Let's start again from Reconnaissance.
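To see why the knock has to hit the right ports in the right order (and why a plain port sweep never opens anything), here is an added example that models the decision a knocking daemon such as knockd makes for each source IP. It is illustrative code written for this write-up, not the knockd source; the knock sequence, the timeout and the firewall log lines are constructed values, and the box's real sequence is the one in .secretnote.txt.

```python
"""Added example, not from the write-up or from knockd: a minimal model of a
port-knocking daemon's per-client state machine.  SEQUENCE, TIMEOUT and
SAMPLE_LOG are constructed for the demonstration."""

from dataclasses import dataclass

SEQUENCE = (1000, 2000, 3000)   # constructed sample knock sequence
TIMEOUT = 5.0                   # max seconds between consecutive knocks (knockd: seq_timeout)


@dataclass
class KnockState:
    """Progress of one source IP through the knock sequence."""
    sequence: tuple
    timeout: float
    position: int = 0       # index of the next port we expect
    last_hit: float = 0.0   # timestamp of the last accepted knock
    opened: bool = False    # set once the full sequence has been completed

    def hit(self, port: int, ts: float) -> bool:
        """Feed one connection attempt; return True if it completes the sequence."""
        # Waited too long since the previous accepted knock: start over.
        if self.position and ts - self.last_hit > self.timeout:
            self.position = 0
        if port == self.sequence[self.position]:
            self.position += 1
            self.last_hit = ts
            if self.position == len(self.sequence):
                self.position = 0
                self.opened = True
                return True
            return False
        # A wrong port resets progress; a hit on the first port still counts
        # as a fresh start.  This is why scanning every port never completes
        # a knock: the extra ports in between reset the sequence.
        self.position = 1 if port == self.sequence[0] else 0
        self.last_hit = ts
        return False


# Constructed firewall log of SYNs to filtered ports: (timestamp, source IP, dest port).
SAMPLE_LOG = [
    # correct order, within the timeout -> opens
    (0.0, "10.0.0.5", 1000), (0.5, "10.0.0.5", 2000), (1.0, "10.0.0.5", 3000),
    # a sweep touches the right ports but hits others in between -> never opens
    (0.0, "10.0.0.9", 1000), (0.1, "10.0.0.9", 1001), (0.2, "10.0.0.9", 2000), (0.3, "10.0.0.9", 3000),
    # right order, but the last knock arrives after the timeout -> never opens
    (0.0, "10.0.0.7", 1000), (0.5, "10.0.0.7", 2000), (9.0, "10.0.0.7", 3000),
]


def replay(log, sequence=SEQUENCE, timeout=TIMEOUT):
    """Replay a log through one KnockState per source IP; return {ip: opened}."""
    states = {}
    for ts, src, port in log:
        state = states.setdefault(src, KnockState(sequence, timeout))
        state.hit(port, ts)
    return {src: state.opened for src, state in states.items()}


if __name__ == "__main__":
    for ip, opened in replay(SAMPLE_LOG).items():
        print(f"{ip}: {'opened' if opened else 'still filtered'}")
```

The same replay logic, pointed at real firewall logs, doubles as a detection: a source that walks many consecutive ports on a host that has only a handful of services is a scanner, while a source that touches exactly the knock ports and then connects to SSH is someone who knows the sequence.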
Nmap Scan Again
Command:
Output:

Findings:
We see that the following services are running:
Port 21: FTP service with anonymous user login enabled.
Port 22: An SSH server which I am assuming is for better shell access after we find the user password or private key.
Port 80: An HTTP server running Nginx.
Let's check out each service as if we are looking at it for the first time. We start with FTP, and in the background we can run gobuster to brute-force web directories on the HTTP server.
File Sharing Server Enumeration
The Nmap output shows us that the FTP server still has anonymous login enabled (so that has not changed). Let's access the server using the anonymous user again (blank password).
Command:
This time the same hidden file .secretnote.txt is on the server; let's download it to our machine to inspect it.
Command:
Let's check if anything has changed in that note.
Output:

A new line has been added to the note. I am not sure where we can use this yet, but let's keep it in mind and move forward with enumerating the other services.
Directory Brute-forcing (Gobuster)
Command: gobuster dir -u http://172.16.101.89 -w /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
Note: I have set up an alias to run gobuster inside a Docker container.
Alias: alias gobuster='docker run -it --rm --name gobuster -v /home/ayush/Tools/SecLists/:/SecLists ghcr.io/oj/gobuster'
Explanation:
dir: Mode of operation indicating directory/file enumeration.
-u http://172.16.101.89: Base URL of the target web server to scan.
-w /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt: Path of the word list to use (the path inside the container, via the volume mount in the alias).
-x php,txt,html: Also try each word with the .php, .txt and .html extensions.
Output:

Findings:
The scan shows 3 endpoints available on the web server. Let's check them out.
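A brute-force like this is very loud in the server's logs: one client, hundreds of requests per minute, almost all of them 404s for paths that never existed. As an added example (not part of the write-up), the following detection logic runs over constructed nginx combined-format access-log lines and flags a source that produces many 404s for many distinct paths inside a sliding window. The IPs, timestamps, paths, user agent and thresholds are all made up for the demonstration; the extension pattern in the sample mirrors the -x flag used above.

```python
"""Added example, not part of the write-up: flag directory brute-forcing in
nginx access logs.  All log lines below are constructed sample data."""

import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bruteforcers(lines, window_seconds=60, min_404=20, min_distinct=15):
    """Flag source IPs with >= min_404 responses of 404 for >= min_distinct paths
    inside any window of window_seconds.  Returns {ip: {count_404, distinct_paths, user_agent}}."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append((rec["ts"], rec["path"], rec["ua"]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        best, start = None, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            distinct = {path for _, path, _ in window}
            if len(window) >= min_404 and len(distinct) >= min_distinct:
                if best is None or len(window) > best["count_404"]:
                    best = {"count_404": len(window), "distinct_paths": len(distinct),
                            "user_agent": events[end][2]}
        if best:
            flagged[ip] = best
    return flagged


def _line(ip, second, path, status, ua):
    # Build one constructed combined-format line; all timestamps share one minute.
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 153 "-" "{ua}"')


_WORDS = ("backup", "config", "old", "test", "uploads", "images")
_EXTS = ("", ".php", ".txt", ".html")   # same extension fan-out as gobuster -x
SAMPLE_LOG = (
    # constructed scanner: 24 misses in 24 seconds, then one real hit
    [_line("172.16.101.50", i, f"/{w}{e}", 404, "gobuster/3.6")
     for i, (w, e) in enumerate((w, e) for w in _WORDS for e in _EXTS)]
    + [_line("172.16.101.50", 30, "/home/", 200, "gobuster/3.6")]
    # constructed ordinary visitor: one stray 404 for the favicon
    + [_line("172.16.101.20", 5, "/", 200, "Mozilla/5.0"),
       _line("172.16.101.20", 6, "/favicon.ico", 404, "Mozilla/5.0"),
       _line("172.16.101.20", 7, "/home/", 200, "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {info['count_404']} 404s for {info['distinct_paths']} paths ({info['user_agent']})")
```

The rate of distinct-path 404s is the durable signal; the user agent is only a bonus, since tools let the operator set it to anything. On a real box the same function can be fed `open("/var/log/nginx/access.log")`, and the thresholds should be tuned to the site's normal 404 rate.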
Visiting Web Page (Port 80)
First we visit the root URL of the web server http://172.16.101.89/.

This is interesting: it says the password was saved in a .txt file, and the secret note we got from the FTP server was also a .txt file. We also get a username, medusa, from the message. So maybe the extra line added to the secret note is the password. We can try that after checking the other URLs.
We visit the http://172.16.101.89/home/ endpoint.

We visit the http://172.16.101.89/secret/ endpoint.

If the credentials we found don't work, we will have to enumerate the above 2 URLs for any deeper URLs.
We visit the http://172.16.101.89/admin/ endpoint.

The most promising URL gives us a 403 (Forbidden) status.
User (medusa) Access
Let's try the credentials on the SSH server.
Command:
Enter the last line from the secret note as the password.
Output:

We see that the credentials work and we have shell access for the user medusa.
Read the user.txt file to get the flag:
Privilege Escalation
Using HackTricks as our guide, we run the following commands to check for anything that can help us get root.
Checking the sudo permissions, we see that all users can execute the /bin/id binary with sudo.
There is no entry on GTFOBins for the id binary, so this is just a trick by the creator of the box: we can run id with sudo and get output saying we are root, but that gives us no real root access.
We move on to the next command mentioned in HackTricks:
Output:

We see that there is a /usr/sbin/capsh binary that has the SUID flag set.
Note: I initially did not know that /usr/sbin/capsh usually does not have the SUID bit set. So I ran linPEAS, and it highlighted that /usr/sbin/capsh having SUID is unusual.
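What linPEAS does here is compare the SUID files it finds against a list of binaries that normally carry the bit. The following is an added example, not code from the write-up or from linPEAS, that enumerates SUID binaries the same way `find / -perm -4000 -type f` does and reports the ones missing from a baseline, so that an outlier like /usr/sbin/capsh stands out on a host you administer. EXPECTED_SUID is a constructed, Debian-like baseline (not an authoritative list) and must be tuned to the distribution actually in use.

```python
"""Added example, not from the write-up or linPEAS: list SUID binaries and
diff them against an expected baseline.  EXPECTED_SUID is constructed."""

import os
import stat

# Constructed, Debian-like baseline of binaries that legitimately carry SUID.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
}
# Pseudo-filesystems that are slow or pointless to walk.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root="/"):
    """Return sorted absolute paths of regular files under `root` with the SUID bit set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        # Prune pseudo-filesystems in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: report the file itself, not a symlink target
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_suid(found, baseline=EXPECTED_SUID):
    """SUID files absent from the baseline: each one needs an owner and a reason."""
    return sorted(set(found) - set(baseline))


def missing_suid(found, baseline=EXPECTED_SUID):
    """Baseline entries that are not SUID on this host (bit stripped, or not installed)."""
    return sorted(set(baseline) - set(found))


if __name__ == "__main__":
    suid = find_suid("/")
    for path in unexpected_suid(suid):
        print("UNEXPECTED SUID:", path)
    for path in missing_suid(suid):
        print("baseline entry not SUID here:", path)
```

Run as root, or the walk will silently skip directories it cannot read. A good baseline is simply the output of `find_suid` on a freshly installed image of the same distribution, stored alongside the host's configuration and re-diffed after every package upgrade; an extra entry such as /usr/sbin/capsh is then a one-line change that is hard to miss.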
Checking GTFOBins for capsh, we see there is a command we can use to get root access:
Output:

And finally, we can read the root flag: