SilkyCTF 0x02 vulnhub walkthrough
I will share with you a new VulnHub walkthrough write-up. The selected machine is SilkyCTF 0x02, and you can download it from here: https://www.vulnhub.com/entry/silky-ctf-0x02,307/
In this article you will learn the following:
- Using nmap to find opened ports & running services.
- Using dirb to brute-force web files and directories.
- Detecting and exploiting OS command injection vulnerabilities.
- Searching for SUID files.
- Exploiting a simple buffer overflow vulnerability.
- Cracking shadow file contents.
As usual, the first thing to do after downloading and importing the target is to get its IP address. So, I performed a ping sweep of the whole network and found that the IP address of this target is 10.0.2.15.
After that, I performed a port scan on it and found two open ports, 22 and 80 (SSH and HTTP services).
By browsing the HTTP server using Firefox, I found the default page for Apache server. So, I tried to perform directory brute-force on it.
Using the dirb tool with its default settings, I found that there is a page called “admin.php”.
When I browsed it, I found that it has a login form. I tried SQL injection and credential brute-forcing, but with no success. So, after a little fuzzing, I found that this page is vulnerable to OS command injection.
So, I used this vulnerability to get a reverse shell to my Kali Linux machine using nc utility.
After that, I checked the contents of the users home directories and I found the first flag.
For privilege escalation, I searched for files that have the SUID bit set and found a binary called “cat_shadow”.
After copying this binary to my Kali Linux machine and examining it, I found that it is vulnerable to a buffer overflow.
So, I generated a 500-character pattern using “pattern_create.rb”.
Then, I entered this generated string as input to the utility and found that the “eax” register had changed. This means that the string I entered overwrote memory beyond the buffer.
So, I had to find the exact offset within the string at which the eax register is overwritten. This can be done with the “pattern_offset.rb” script. From its output, I found that the exact offset is 64.
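To make the offset-finding step concrete, here is a small Python reimplementation of what pattern_create.rb and pattern_offset.rb do; this is an added example, not the author's script or the Metasploit code, and it assumes the crashed register value is read as a little-endian 32-bit word (as on x86).

```python
import string


def pattern_create(length: int) -> str:
    """Build a cyclic pattern in the style of pattern_create.rb ("Aa0Aa1Aa2...").

    Every 4-byte window is unique, so the bytes that land in a register after
    an overflow pinpoint where in the input they came from.  Longest possible
    pattern is 26*26*10 triples = 20280 characters.
    """
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(pattern: str, value, width: int = 4) -> int:
    """Locate a register value inside the pattern, like pattern_offset.rb.

    `value` is either the integer read from the register (e.g. 0x63413163, which
    is decoded little-endian into the bytes "c1Ac") or the literal substring.
    Returns the offset, or -1 if the value did not come from the pattern
    (e.g. it is not printable ASCII or the overflow did not reach the register).
    """
    if isinstance(value, int):
        raw = value.to_bytes(width, "little")
        if not raw.isascii():
            return -1
        needle = raw.decode("ascii")
    else:
        needle = value
    return pattern.find(needle)


if __name__ == "__main__":
    # Constructed walkthrough of the author's step: a 500-char pattern, then the
    # register value observed after the crash (here, the word at offset 64).
    pat = pattern_create(500)
    crashed_eax = int.from_bytes(pat[64:68].encode("ascii"), "little")
    print(f"eax=0x{crashed_eax:08x} -> offset {pattern_offset(pat, crashed_eax)}")
```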
So, I wrote a simple Python script that writes 64 “A” characters, appends the value “0x496c5962” in little-endian format, and feeds the result as input to the “cat_shadow” binary, and I got the contents of the “/etc/shadow” file.
So, I performed the same attack on the target machine and got the contents of “/etc/shadow”.
After that, I read “/etc/passwd” and cracked the hashes using the John the Ripper tool. The result showed me that the password of the root user is “greygrey”.
By switching to root user I can read the contents of /root/flag.txt file.
This was a simple machine with a simple buffer overflow exploit to write. I hope that you learned something new from it.
Don't forget to share it with your friends and give us your feedback in the comments.
Stay tuned for the next walkthrough 😀