Africa Hackon CTF

RECONNAISSANCE AND TARGET ANALYSIS

I began with network enumeration to know the devices that were connected to my network, and the tools that I used to perform network enumeration was Nmap and net discover.

I started with net discover and I found out there were 6 hosts connected to my network and only one device was of interest which was the pcs systemtechnik GmbH. It was of interest because the other devices were not the devices of interest.

The next step was to start nmap to look for open ports and services of the device of interest which was 192.168.0.136.

following command was used nmap -sA -sV -f – -mtu 32 192.168.0.136 and the following ports were found open

  • Port 22 ssh closed (filtered)
  • Port 80 httpss open (filtered)
  • Port 443 httpsss open (filtered)

After noticing the httpss port was open I had to copy the ip address on the web browser and after doing so a web page popped up which was a word press blog web page.

After knowing that the ip address was a word press web page I went back to nmap and tried to enumerate the web page to see what files and directories were running. The command that was used was Nmap -sV -f – – script httpss-enum 192.168.0.136 to perform the httpss enumeration of the webpage and got a lot of useful information about the web page. I got information like the word press version, files and directories found on the webpage.

Summary:

  • 3 ports were open 22,80 and 443
  • Server: Apache
  • WordPress version 4.3.17
  • Important folders robots.txt, wp-login.php

PENETRATION

After finishing gathering information about the server, the next step was to try to exploit the web page to gain the root access. I copy pasted the robot.txt folder on the url and a page popped up with important data. It retrieved a dictionary which was called loot.dic and it also retrieved a 1 of the 3 keys.

I then took key-1-of-3.txt with the ip and pasted them on the url and a page with hash appeared

After getting the hash I copy pasted the has to a base64 online software and try to decode it and found out it was a string of words which states that robotsRpeople2AfricaHackonKey1

After getting the hash and pasted it to a base64 decoder, I copied the dictionary loot.dic with the ip to the web browser and a word list appeared which I saved on my desktop for later use.

I then did a word press scan on the website so that I could enumerate the website to the user name which is associated with the website and the user name that was found is hacker123 and I managed to get other information like the server that is running, powered by php/5.5.29, robots.txt and wordpress version too. The command user was Wpscan -u 192.168.0.136 -e u vp.

The next step that I did was to verify if the username was valid or not, word press has a tendency of if you put the right user name but the wrong password it will respond with an error that states the password you entered for the username hacaker123 is incorrect, with such type of error message it confirms to the person that the username exists.

Th next step was to brute force the the username with the obtained wordlist which was loot.dic, on the website using website using wpscan. The command used was

 wpscan – – url 192.168.0.136 – -wordlist /root/Desktop/loot.dic – -username hacker123                 And I managed to get the password of hacker123 which was “3AWikiActivityn”.

I next went to the the login page to test the password that I found and fortunately it was the password and I managed to login the website

Next, I looked at url and I saw the ip address 192.168.0.136/wp-admin and at this point I realized that hacker123 was the admin

Next I wend to the terminal to start Metasploit and searched for exploits associated with word press in order to exploit the sever.

I had set the global variables and then used the exploit exploit/unix/webapp/wp_admin_shell_upload because it’s a word Press Admin Shell Upload, I would be able to upload a shell.

The exploit was successful and I got a meterpreter prompt.

I had to list all the directories and files on the server, after getting them I listed the content of directory home and saw that there was a directory chicken and viewed the content of this directory and saw the second key “key-2-of-3.txt” and password.raw.md5.

I tried first to view the key but meterpreter wouldn’t allow me to do so I decided to try and open the file password.raw-md5. And I got a hash of password associated to the user chicken.

I took the hash and pasted it to hash identifier and it was identified as an md5 hashed algorithm.

Next I copied the has and pated it to the md5 decoder website and I managed to get a password which was a string of alphabets from letter A to Z

Next I went to the server and keyed in the username and password and I successfully logged in the server

After login in I had to see all the directories and files which have root permission. We require root permission to get the last key.

chicken@linux: find / -user root -perm 4000 print

Next, I used Nmap for privilege escalation to the root. I typed in the command Nmap – -interactive which started Nmap then the command !sh to get a command shell then I typed in whoami to verify if I was root which I was, then I changed the directory to root and the listed to see whats under root and I saw the last key.

I typed in cat key-3-of-3.txt to view the contents of the file.

SUMMARY

  1. Got a robot.txt directory which had a dictionary and the first key.
  2. Decrypted the hash on a base64 platform
  3. Found a wordlist from the dictionary loot.dic
  4. Used wp scan to enumerate for the username on the website and indeed I found a user name hacker123
  5. Verified the username through /wp-login
  6. Used wp scan and the dictionary to brute force the username and successfully got the password
  7. Logged in as an admin (hacker123)
  8. Started Metasploit and used the exploit exploit/unix/webapp/wp_admin_shell_upload and got a meterpreter.
  9. Found the second key and password.raw-md5 under /home/chicken
  10. Opened password.raw-md5 and got the password hash of user chicken
  11. The I run the hash in hash identifier
  12. Pasted the hash in a md5 decoder platform and got the password
  13. Logged in the server
  14. I had to get root permission, where I typed in the commandfind / -user root -perm 4000 print
  15. I then I had to run Nmap so as to escalate my privileges where I typed in nmap – – interactive then I typed in the command !sh, then I typed in whoami to see who I was logged in as and I was root at this time, then I listed the contents on root and saw the third key, I typed in the command cat key-3-of-3.txt to view the content on the last key.

Download A.H CTF

Leave a Reply

Your email address will not be published. Required fields are marked *