Today we’re going to solve another CTF machine “Vault“. It is now retired box and can be accessible if you’re a VIP member.

Specifications

  • Target OS: Linux
  • IP Address: 10.10.10.109
  • Difficulty: Medium

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step consists of reconnaissance phase as port scanning.

Ports Scanning

During this step we’re gonna identify the target to see what we have behind the IP Address.

Enumeration

Let’s browse the URL http://10.10.10.109/

As the page mention Sparklays let’s check if there’s a directory under that name.

http://10.10.10.109/sparklays/

Now, we know that we have some hidden stuff let’s enumerate directory using dirbuster.

Dirbuster

We found admin.php, login.php and another 403 directory /sparklays/design/ let’s dig more into design directory first.

WFuzz

We’re going to use Cewl to generate the wordlists based upon the words you found on the website.

Now, let’s enumerate for directories using WFuzz.

Let’s enumerate more into ‘sparklays’ directory using wfuzz.

GoBuster

Now we’re talking!

We can start uploading with something which is not an image to see which file extension restrictions it has or we can use simple bash script to automate this process.

File Upload Bypass

The wordlist is derived from /etc/mime.types like so.

script.sh

Look’s like we can upload php using php5 extension.

Now, we can easily spawn a reverse shell.

Let’s get a proper reverse shell now!

OR

Reverse Shell Cheat Sheet

Start up the listener.

Awesome we have a shell now, let’s move towards getting a fully interactive tty shell.

Upgrading simple shells to fully interactive TTYs

After doing some enumeration you can find interesting files in /home/dave/Desktop.

Here’s what they include. In Servers we have network information and inside key and ssh we have i believe ssh creds.

Let’s try ssh [email protected] with password: Dav3therav3123

Now we can take a look at network information which we found. lets type ifconfig and check.

Notice that the host has many virtual network interfaces. One of them links to virtual bridge 192.168.122.0/24.

DNS

Let’s scan for open ports 192.168.122.4 to see what we’re up against.

We can see SSH and HTTP ports are opened in 192.168.122.4 but since, we don’t have curl installed on dave machine. we’re gonna port forward and enumerate on our machine.

SSH Port Forwarding

Now, let’s navigate to localhost:8000 to see what we got on port 80.

Dynamic SSH Port Forwarding

FoxyProxy socks5://127.0.0.1:9999.

ProxyChains

Let’s setup proxychains with dynamic SSH port forwarding to make our enumeration process more easier to use tools.

Let’s modify /etc/proxychains.conf & add socks5 127.0.0.1 1337

Now, let’s scan for opened ports using nmap.

Now, i’m using SSH Port forwarding and using Foxy-proxy addon.

Let’s enumerate more and find hidden directories.

Directory Enumeration

WFuzz

We found a directory called notes and it indicates two files which exists in the root of localhost:8000/123.ovpn and script.sh.

123.ovpn

script.sh

The .ovpn file it’s the one we can edit and run in /vpnconfig.php.

Now, setup the listener on dave SSH machine.

We got root shell to DNS. User flag is inside /home/dave/. 

There’s a SSH file /home/dave/ssh But we don’t know where this could be used.

Password: dav3gerous567

It look’s like we found the SSH credential for 192.168.122.4 which is [email protected] and we can upgrade our reverse shell to SSH. Let’s exit from reverse shell and login to SSH.

Now, we’re in the dave DNS proper way. Before we had to spawn a reverse shell through VPN configurator.

Since, we’re enumerating network of this machine let’s do some digging.

We discovered DNS has access to 192.168.5.0/24 through the firewall at 192.168.122.5. Check out the routing table.

We still haven’t found the vault host yet. but i think it should be inside 192.168.5.0/24 subnet.

If we check /etc/hosts file we can see the IP of our target machine which is 192.168.5.2.

Let’s check logs and grep for string ‘192.168.5.’ inside those files.

We found something interesting firewall accepting inbound traffic from port 4444 to host 192.168.5.2 which is listening on port 987.

Let’s find out what’s running on port 987.

Let’s find out what’s behind that port 4444 on our vault machine.

It look’s like we need root privilege let’s check sudo -l

I think we can use sudo with nmap.

Nothing interesting comes up.

To access Vault from Kali, we’ll need to set up another tunnel. Additionally, we’ll need to set up a netcat relay like the ones we found in the logs. Let’s start with the tunnel.

SSH comes with a slew of options, particularly the ProxyCommand option allows ssh to proxy traffic through a network utility tool like ncat.

We got vault! Let’s change the SHELL environment variables.

Our root flag is encrypted.

Root File Decryption

To decrypt the file we need a private key and a password.

We found a private key inside /home/dave/.gnupg/secring.gpg [email protected]

Let’s convert into base64  encoded string using python3m.

Copy and paste to the ubuntu machine and base64 decode it back.