Toppo 1 Walkthrough

Erdemstar
4 min read · Mar 9, 2024

Hello, in this article I will show you step by step how to solve Toppo 1. The goal of this CTF is to become root and read the flag in the /root directory. Click to get more information about the CTF.

LEVEL : Easy

Steps

  • Learning the target’s IP address with Netdiscover tool
  • Detection of open ports with Nmap tool
  • Collecting information via port 80 with Dirb
  • Performing privilege escalation with LinEnum.sh script
  • Reading /etc/shadow with the AWK tool
  • Password crack attack with John tool

Starting from the IP address of the Kali machine, the IP address used by the target machine on the same subnet was determined with the following command.

netdiscover -r 192.168.43.0/24

The detection of open ports on the target machine was done as follows.

nmap -A -Pn -n -sV --reason -p- 192.168.43.50

Fuzzing was performed via dirb on open port 80.

dirb http://192.168.43.34/

Each URL/path reported by Dirb was visited in turn, and a page like the one below was reached. The text on this page was noted for later use.

After examining the other detected ports, the password found in the text from the previous step was tried on the SSH port with several different username combinations.

Login succeeded with one of these combinations, “ted : 12345ted123”.

ssh ted@192.168.43.50

At this stage, the current user was checked for possible privilege escalation paths. A script named LinEnum.sh was used to automate these checks.

When the result was reviewed, it was determined that the current user, ted, could run AWK with sudo privileges.

Because AWK runs with root rights under sudo, its file-handling capabilities can be used to read files that ted otherwise cannot. Here, the /etc/passwd and /etc/shadow files were read with AWK to prepare for cracking the root password with John the Ripper.

While revising the article, I saw a scenario where rooting can be done directly with AWK. You can go to the relevant article from here and skip the methods below.

For this step, the shadow and passwd files were read with AWK and their contents copied to the Desktop.

sudo /usr/bin/awk -F: '{print $1,$2}' /etc/shadow

Using the unshadow command, the shadow and passwd files were converted to the format supported by John the Ripper.

unshadow passwd shadow > unshadow

A problem was encountered while reading shadow with the AWK tool, so the existing shadow password hashes were added manually to the correct places in the unshadow file.

The root password could then be obtained by feeding the edited unshadow file to John the Ripper as follows.

john unshadow

After this, the CTF was completed by reading /root/flag.txt as root.
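From the defender's side, the sudo AWK read of /etc/shadow used above is recorded by sudo in auth.log. The following Python script is an added example, not part of the original walkthrough, that parses such sudo log lines and flags sensitive-file reads and root-level use of AWK; the log excerpt, host name and timestamps are constructed.

```python
import re

# Shape of the line sudo writes to syslog/auth.log: user, TTY, PWD, run-as user, COMMAND.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:\s*TTY=(?P<tty>\S+)\s*;\s*PWD=(?P<pwd>\S+)\s*;"
    r"\s*USER=(?P<runas>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$"
)

# Files whose contents should never be pulled through a sudo-permitted text tool.
SENSITIVE_FILES = ("/etc/shadow", "/etc/gshadow", "/etc/sudoers")
# The binary this box allowed via sudo; awk reads any file its effective user can open.
FILE_READERS = {"awk", "gawk", "mawk"}

def parse_sudo_line(line):
    """Return the sudo record as a dict, or None for non-sudo lines (e.g. sshd)."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["argv"] = rec["cmd"].split()
    return rec

def classify(rec):
    """Findings for one record: sensitive-file access first, then risky root binaries."""
    findings = []
    if rec["runas"] != "root" or not rec["argv"]:
        return findings
    binary = rec["argv"][0].rsplit("/", 1)[-1]
    touched = [f for f in SENSITIVE_FILES if f in rec["argv"][1:]]
    if touched:
        findings.append(f"{rec['user']} read {','.join(touched)} via sudo {binary}")
    elif binary in FILE_READERS:
        findings.append(f"{rec['user']} ran {binary} as root (arbitrary file read possible)")
    return findings

def audit(log_text):
    """Run every line of an auth.log excerpt through the parser and collect findings."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec:
            alerts.extend(classify(rec))
    return alerts

# Constructed auth.log excerpt: the awk reads from this walkthrough, a harmless sudo ls,
# and an unrelated sshd line. Host name and timestamps are made up.
SAMPLE_LOG = """\
Mar  9 10:12:01 toppo sudo:      ted : TTY=pts/0 ; PWD=/home/ted ; USER=root ; COMMAND=/usr/bin/awk -F: {print $1,$2} /etc/shadow
Mar  9 10:13:44 toppo sudo:      ted : TTY=pts/0 ; PWD=/home/ted ; USER=root ; COMMAND=/usr/bin/awk -F: {print $1} /etc/passwd
Mar  9 10:14:02 toppo sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/ls /var/log
Mar  9 10:14:30 toppo sshd[812]: Accepted password for ted from 192.168.43.1 port 50412 ssh2
"""
```

Running `audit(SAMPLE_LOG)` yields one alert for the /etc/shadow read and one for the root-level awk run on /etc/passwd; the `ls` and sshd lines produce nothing.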

Summary

  • I enjoyed using AWK for the Privilege escalation phase and then cracking the password with John the Ripper as it provided a good practice.

Click here to see my other articles about OSCP Walkthrough.
