SilkyCTF 0x01 vulnhub walkthrough
I will share with you a new write-up for a VulnHub machine. The selected machine is “SilkyCTF 0x01” and you can download it from here: https://www.vulnhub.com/entry/silky-ctf-0x01,306/
In this article you will learn the following:
- Using nmap to find open ports & running services.
- Checking robots.txt file content.
- Creating password lists using crunch utility.
- Brute-forcing the SSH service using the xHydra tool.
- Searching for SUID files.
- Exploiting SUID files using a PATH hijacking attack.
After downloading and importing the VM into my virtualization software, I started it and performed a ping scan of the whole network to get the IP address of the target machine. I found that the IP address is: 10.0.2.17
Then I performed a port scan on the target to get its open ports. This scan showed that there are two open ports, 22 and 80 (SSH & HTTP services).
Also, from the nmap results I found that the robots.txt file exists and contains an entry “notes.txt”. So, I visited and explored this file from the browser and found that it contains a hint in German.
After translating it, I found that I have to search for the password somewhere in the website. But the password is not complete, because the last two characters are missing.
By browsing the home page, I found that this page is the default page for the Apache2 web server. So, I decided to perform a brute-force attack on the files and directories, but I did not find anything.
After that, I viewed the HTML source code of the home page and found that it contains a script called “script.js”. By viewing this script I found the word “s1lKy”, so I guessed that it is the password in the hint.
As mentioned before, this password is not complete because the last two characters are missing. So, I had to build a wordlist with all possible passwords that start with “s1lKy” and are seven characters long.
To do this, I used a tool called crunch as follows:
Then, since there is an SSH service on the target machine, I tried to perform a brute-force attack on the login using the xHydra tool (note: I used silky as the username). I found that the password for user silky is s1lKy#5.
After connecting to the SSH service using the previously mentioned credentials, I searched for binaries that have SUID. I found one strange binary called sky. So, I decided to analyze it.
By viewing the strings inside this binary file, I found that it runs the whoami command. But wait, it uses this command by its name only, not by its full path. This means that I can perform a path hijacking attack.
So, I created a new bash script named “whoami”, wrote “/bash/sh” inside it, and changed its permissions to make it executable. After that, I inserted the directory in which this script is located into the PATH environment variable and ran the script to get root privileges.
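The root cause above is a privileged program resolving a command through a PATH the caller controls. The following C sketch is an added example, not code from the sky binary or from this write-up: it puts the weak pattern beside a hardened one. The use of system(), the function names run_by_name, run_trusted and child_path_is_clean, and the /usr/bin/whoami location are assumptions made for illustration.

```c
/* Added example: names and paths are assumptions, not taken from the sky binary. */
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Weak pattern: the command name is resolved through the caller's PATH. */
int run_by_name(void) {
    return system("whoami");
}

/* Hardened pattern: absolute path only, and a fixed environment for the child. */
int run_trusted(const char *abs_path, char *const argv[]) {
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                          /* refuse anything PATH would resolve */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);  /* execve never searches PATH */
        _exit(127);                         /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Demo helper: returns 0 when the child sees only the fixed PATH, even though
   the parent's PATH starts with a user-writable directory (constructed value). */
int child_path_is_clean(void) {
    char *const argv[] = { "sh", "-c", "test \"$PATH\" = /usr/bin:/bin", NULL };
    setenv("PATH", "/tmp/untrusted:/usr/bin:/bin", 1);
    return run_trusted("/bin/sh", argv);
}

int main(void) {
    char *const argv[] = { "whoami", NULL };
    /* /usr/bin/whoami is the usual Linux location; adjust if it differs. */
    return run_trusted("/usr/bin/whoami", argv);
}
```

When the program only needs the user name, calling getpwuid(geteuid()) avoids spawning a command at all.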
This was a simple machine and I hope that you learned something new from it. Please don’t forget to share it with your friends and provide us with your feedback in the comments.
Stay tuned for the next walkthrough 😀