Capture the Flag (CTF) Tutorial: My File Server 1

Today we are going to show how you can solve the My File Server 1 CTF from VulnHub. Vulnhub.com is a site that provides vulnerable applications and machines for practice to users with experience in the field of information security. You can check our previous articles for more CTF challenges.

Please note: For all of these machines, I have used Oracle VirtualBox to run the downloaded VMs. I am using Kali Linux as an attacker machine for solving this CTF.

The walkthrough

Please note: The victim and attacker machine IP addresses may be different, as per your network configuration.

Step 1

After downloading the file server VM, which will be our victim, we run it in VirtualBox.

Now, the first step is to find out its IP address. On Kali, the attacker machine, I used the netdiscover command for this. The netdiscover command output can be seen in the screenshot.

We found the victim machine’s IP address: 192.168.1.21 (the attacker IP address is 192.168.1.14).

Step 2

Our next step is to find the open ports and services available on the victim machine. I used an nmap full-port scan for this purpose.

Command: nmap -p- 192.168.1.21 -sV

There are a lot of open ports and services available on the target machine. I used the -sV switch to enumerate the version information of the identified services. This will help us identify vulnerable services to exploit.

Step 3

We can now start exploring the open ports and services on the target machine. FTP port 21 was open, so we decided to start from there.

I tried to connect to the victim machine’s FTP service by guessing common credentials and one worked.

Commands used: ftp 192.168.1.21, ls

Credentials:

  1. Username: ftp
  2. Password: (none)

As we now have FTP access on the target machine, I ran the ls command to see the list of files and directories available to the default user. I learned that there was one empty directory available on the target machine. I tried exploring the “pub” directory for further contents, but that was a dead end. After that, I checked the vsFTPd version.

Step 4

As we know from Step 2 above, there is one more FTP port available on the target machine. Let’s check the FTP service on port 2121. I started with enumerating the FTP login with some default credentials and one of them worked.

Command: ftp 192.168.1.22 2121

Credentials:

  1. Username: anonymous
  2. Password: anonymous

As we can see above, we’ve got the anonymous user FTP access on port 2121 by using default credentials. This time it worked for me, as I was able to view the contents of files on the target machine. I used the ls command and was able to list the contents of the “log” directory from there.

I tried to look for an available exploit for the FTP service running on this port. The FTP server running on this port was ProFTPD 1.3.5. I found some useful exploits on Google for this version of the FTP service.

Step 5

After exploring the FTP ports to get into the target machine, I shifted my attention to HTTP port 80. I opened the target machine IP address in the browser and there was a simple webpage.

I chose the nikto vulnerability scanner, which is available by default on Kali Linux and is used for scanning a host for web-based files and vulnerabilities.

Command: nikto -host http://192.168.1.21

As we can see, there is an interesting text file available on the target machine. When I opened this file in the browser, there was a password mentioned.

Step 6

We have explored the FTP ports and the HTTP port, but there are still five open ports remaining to be checked. Next, I started with the SMB service, which was running on port 445 on the target machine.

I used the smbmap utility, which is available in Kali Linux by default. It is basically used to enumerate the SMB server.

Command: smbmap -H 192.168.1.21

SSH on port 22 was open on the target machine, so I tried to log in to the target machine with the username and password through SSH:

Command: ssh smbuser@192.168.1.21

I tried the same username and password with the FTP service on port 21, and this time it worked, as I was able to log into the target system through FTP.

Command: ftp 192.168.1.21

After logging into FTP, I used the pwd command to check the current directory. It showed that the current directory was “/home/smbuser”. In the next step, we will use this information for gaining user access on the target machine.
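A defender's view of Steps 3 and 6, as an added example that is not part of the original walkthrough: a small Python detector that flags anonymous FTP logins and a single source trying the same account on more than one service. The log lines are constructed samples in vsftpd's native log format and OpenSSH's sshd syslog format; the host name, PIDs, timestamps and alert names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original page): vsftpd native log and sshd syslog formats.
SAMPLE_LOGS = [
    'Sat Feb 15 10:01:07 2020 [pid 2101] [ftp] OK LOGIN: Client "192.168.1.14", anon password "?"',
    'Feb 15 10:09:41 fileserver sshd[2240]: Failed password for smbuser from 192.168.1.14 port 40112 ssh2',
    'Sat Feb 15 10:10:02 2020 [pid 2263] [smbuser] OK LOGIN: Client "192.168.1.14"',
    'Feb 15 10:12:30 fileserver sshd[2301]: Accepted password for admin from 192.168.1.50 port 51514 ssh2',
]

PATTERNS = {
    "ftp": re.compile(r'\[pid \d+\] \[(?P<user>[^\]]+)\] (?P<res>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'),
    "ssh": re.compile(r'sshd\[\d+\]: (?P<res>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)'),
}
ANON_NAMES = {"ftp", "anonymous"}  # account names FTP servers treat as anonymous


def parse_events(lines):
    """Return (service, user, source_ip, succeeded) for every login line recognised."""
    events = []
    for line in lines:
        for service, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                events.append((service, m["user"], m["ip"], m["res"] in ("OK", "Accepted")))
                break
    return events


def find_alerts(events):
    """Flag anonymous FTP logins and one source trying one account on several services."""
    alerts = []
    services_seen = defaultdict(set)  # (ip, user) -> services where a login was attempted
    for service, user, ip, ok in events:
        if service == "ftp" and user in ANON_NAMES:
            if ok:
                alerts.append(("anonymous-ftp-login", ip, user))
            continue  # anonymous sessions are not a reused named account
        services_seen[(ip, user)].add(service)
    for (ip, user), services in sorted(services_seen.items()):
        if len(services) > 1:
            alerts.append(("account-tried-across-services", ip, user, tuple(sorted(services))))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_events(SAMPLE_LOGS)):
        print(alert)
```

Disabling anonymous FTP where it is not needed and giving each service its own credentials removes both conditions this detector looks for.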

This completes this CTF challenge. We hope you learned a lot from it!

Sources

  1. Linux Kernel 2.6.22 < 3.9 – ‘Dirty COW’ ‘PTRACE_POKEDATA’ Race Condition Privilege Escalation (/etc/passwd Method), Exploit-DB
  2. My File Server: 1, VulnHub

Author: Deepak Kohli
