Synopsis

I recently had the opportunity to participate in a Capture the Flag (CTF) challenge, designed to assess and enhance various skills essential for effective penetration testing and incident response. The challenge involved gaining access to a target system, identifying and retrieving hidden flags (representing sensitive data or vulnerabilities), creating user accounts, and simulating lateral movement within the compromised environment.

Masterschool link to challenge notes:

Methodology

I logged into the provided target environment using the specified credentials.

SSH to victimbox:
ssh ctf@IPaddress
Username: ctf
Password: ctf

Upon successful login, the value for Other Flag was displayed, indicating initial access.

I proceeded to create a new user account as part of the privilege escalation and lateral movement simulation.

I then switched to the newly created user account to mimic an attacker's actions after gaining a foothold in the system.

To further simulate the attacker's activities, I created a folder as the new user and placed a simple message within, potentially representing data exfiltration or leaving breadcrumbs.

Switching back to the original user, I ran the ls -la command to check for hidden files and directories, a common practice in incident response and forensic investigations. This revealed a flag (#4), representing sensitive information or a vulnerability.

Hidden within the directory, I found the file story.txt, which contained text with specific letters replaced by numbers. Flag #2 was cleverly concealed within this obfuscated text (story{St0ry_Fl4g}).

Next, I conducted a file search for any files matching the name find_flag.txt, mimicking the process of triage and evidence gathering during an investigation. Luckily, I found a relevant file at the end of the long list, potentially containing important data.

Unfortunately, I encountered permission issues while searching certain directories, a common challenge in real-world scenarios. To overcome this, I redirected the error messages to a null device, suppressing the permission denied errors and allowing me to continue the investigation unhindered.

Displaying the contents of the found file revealed another flag (#1), further validating the successful exploitation or identification of a vulnerability.

Continuing my reconnaissance, I searched for files containing the word "flag" and discovered two directories hiding in the www web server directory, a common location for web application vulnerabilities.

Listing the contents of the deeper directory revealed two more flags, potentially indicating successful exploitation of web vulnerabilities.

The first flag file corresponded to flag #11, while the second file revealed what appeared to be a hash, which could represent encrypted or hashed sensitive data.

To decipher the hash, I utilized Cyberchef, a powerful tool for various cryptographic operations. Luckily, the hash was encoded using Base64, a common encoding scheme, allowing me to successfully decrypt flag #12.

Expanding my search, I checked other folders within the www directory and found suspicious files that warranted further investigation.

Displaying the contents of secret.txt revealed flag #9, potentially representing a misconfiguration or insecure storage of sensitive information.

Although I initially considered skipping the robots.txt file, assuming it contained instructions for web crawlers, I decided to inspect it on a whim, a prudent practice in any thorough investigation. This decision paid off, as I found flag #7 hidden within the file.

To ensure I hadn't missed any crucial evidence, I performed another search for text files within the flags directory.

This additional search yielded flag #3, further demonstrating the importance of thorough investigation and attention to detail in cybersecurity operations.

Flag #4 was discovered by loading the web site hosted on the target machine, mimicking

the process of identifying potential web application vulnerabilities or entry points for an attack.

Hidden within the source code of the web page, I found flag #5, a common technique used by attackers to conceal malicious payloads or backdoors within legitimate web content.

To leave no stone unturned, I decided to load each of the other HTML files found in the directory, as they could potentially contain additional flags or clues.

The file hide.html yielded flag #8, demonstrating the importance of inspecting seemingly innocuous or obfuscated files during an investigation.

The file index2.html concealed flag #10 within the default loading page for Apache2, a common web server software, highlighting the need to scrutinize even standard configurations for potential vulnerabilities.

Moving on to the hash cracking tasks, a crucial aspect of incident response and forensic analysis, I remembered the techniques from a recent training exercise. The specific hash I needed to crack using John the Ripper was: 53e06b5830ae3f4d7ebbf0baab22a2d1.

Since the necessary tools were not installed on the target machine, a common scenario in real-world engagements, I exfiltrated the data to my attack machine, where I had the required tools installed. I created a dedicated working directory to keep everything organized and ran the following command to copy all the relevant files:

scp USER_ACCOUNT@IP_ADDRESS:./PATH_TO_PARENT_FOLDER/*.txt ./

With the files successfully copied, I proceeded to analyze them.

When attempting to check the hash algorithm on hash1.txt using hashid, a tool for identifying hash types, I realized it wasn't installed on my attack machine. I promptly installed it using the apt install hashid command.

This time, hashid worked as expected, and I determined that hash1.txt was using the MD5 algorithm.

I then employed John the Ripper, a widely used password-cracking tool, passing the necessary parameters for hash1.txt and specifying the downloaded wordlist:

john hash1.txt --format=raw-MD5 -wordlist=wordlist.txt

John successfully cracked the hash, providing me with the plaintext value.

Scanning hash2.txt with hashid indicated that the hash algorithm used was SHA1.

Running John again with the appropriate parameters yielded the decrypted value for the next hash.

The subsequent hash appeared to be using the SHA-512 algorithm, based on hashid's analysis.

Employing John once more, I was able to reveal the secrets hidden within this hash.

Hash #4 was identified as using the SHA-256 format by hashid.

With John's help, I successfully revealed the contents of this hash as well.

Hashid revealed that hash5.txt was encoded using the MD5 algorithm.

Leveraging John's capabilities once again, I successfully cracked the final hash file in the set.

My mentor had advised me to run Nmap, a powerful network exploration and security auditing tool, to assess the target environment comprehensively. In the past, I had typically run Nmap with the following options:

nmap -sV IP_ADDRESS

This approach was sufficient for regular port vulnerability scans to determine the versions of services running on open ports. However, for this exercise, the target machine required a more in-depth scan.

I chose to add the -sC flag, which runs the default set of NSE (Nmap Scripting Engine) scripts. These scripts automate various networking tasks and provide a detailed report on the target system's configuration and potential vulnerabilities.

The comprehensive Nmap scan revealed a few vulnerabilities, including an anonymous FTP service

that was allowed on the target system.

Leveraging this finding, I proceeded to download the contents of the default FTP directory, potentially containing valuable data or clues.

Among the downloaded files, flag.txt revealed the value for Other Flag, further validating the successful exploitation of the identified vulnerability.

Moving on to the next challenge, I attempted numerous passwords to unzip an encrypted file, a common task in incident response and forensic investigations. After an hour of persistent effort, I finally found the correct password: Masterschool. This allowed me to successfully unzip the file using the following command:

unzip -P Masterschool ./files.zip -d ./

With the files extracted, I tried using John to find the password for another encrypted file, but this attempt failed. After further research, I learned that John has a utility called zip2john specifically designed for cracking ZIP file passwords. I ran this utility on the secret.zip file, obtaining the password hash, which was stored in the zip.hashes file.

Armed with the password hash, I was then able to use John's capabilities to successfully crack it.

Finally, I extracted the contents of the ZIP file using the cracked password hash.

Displaying the contents of the extracted file revealed the final flag, which initially appeared to be incorrect. Undeterred, I took a step back, slept on the problem, and discussed a potential correction with a fellow cybersecurity professional. After implementing the suggested correction, I confirmed that the flag was indeed correct.

Outcome

Despite initial challenges and setbacks, I successfully completed the CTF, retrieving all hidden flags and demonstrating proficiency in a wide range of cybersecurity skills, including:

• Efficient directory navigation and file system exploration
• Identification and analysis of hidden files and directories
• Cracking password hashes using John the Ripper and hashid
• Comprehensive network scanning and vulnerability assessment with Nmap
• File extraction and decompression techniques
• Lateral movement and privilege escalation simulations

The CTF challenge provided an invaluable opportunity to apply theoretical knowledge in a practical, hands-on environment, reinforcing the importance of continuous learning and skill development in the ever-evolving cybersecurity landscape.

Conclusion

Participating in this Capture the Flag exercise proved to be an invaluable experience, allowing me to hone my skills in penetration testing, incident response, and cyber forensics. The challenges encountered reinforced the need for a multidisciplinary approach, combining technical expertise with analytical reasoning and problem-solving abilities. As a cybersecurity professional, I am confident that the knowledge and experience gained from this exercise will significantly enhance my capabilities in identifying, mitigating, and responding to various cybersecurity threats and incidents.