Santa's list

  • Parrot-CTF
  • Easy

🦜 Parrot CTFs is an advanced cybersecurity education platform and Capture The Flag provider. Their goal is to create the most realistic Capture The Flag challenges and demonstrate real-world attack scenarios.

Content:

Enumeration 🔎:

We start by using ping to check the TTL of the machine to determine the OS we are dealing with.

Based on the TTL value of 63, we can guess that the target is running Linux. This is not certain, but it gives us an idea. For more information, you can view: Identify OS using TTL value.

Now, let’s go with an nmap scan to view the open ports.

sudo nmap -p- --open -sS --min-rate 5000 -n -v -Pn 10.14.0.9 -oN allPorts

-p- –> We are doing a scan against all 65535 ports to search for open ports.

--open –> It will only report open ports.

-sS –> Performs a TCP SYN scan, which is fast and can scan thousands of ports per second.

--min-rate 5000 –> It sets the minimum rate of packets sent per second to 5000.

-n –> Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds.

-v –> It will be verbose in its output.

-Pn –> This option skips the host discovery stage.

-oN –> It will save the output in a file called “allPorts”.
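Once the scan is saved with -oN, the practical next step is to read the file back and compare what is exposed against what should be exposed. The following Python is an added example, not part of the write-up: a small parser for Nmap's normal output format plus an allow-list check. The SAMPLE_ALLPORTS text is constructed for this example (the write-up's real port list is in a screenshot), with the scan command taken from the write-up.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of Nmap "normal" (-oN) output, modelled on the command in the
# write-up; the ports, timestamps and version string are made up for the example.
SAMPLE_ALLPORTS = """\
# Nmap 7.94 scan initiated Mon Dec 25 10:00:00 2023 as: nmap -p- --open -sS --min-rate 5000 -n -v -Pn 10.14.0.9 -oN allPorts
Nmap scan report for 10.14.0.9
Host is up (0.050s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Mon Dec 25 10:00:05 2023 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""

# "22/tcp open  ssh" style rows; the header row ("PORT STATE SERVICE") does not match
PORT_LINE = re.compile(r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")


def parse_nmap_normal(text: str) -> Dict[str, object]:
    """Return {"host": ..., "ports": [{port, proto, state, service}, ...]} from -oN output."""
    host: Optional[str] = None
    ports: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group("host")  # with -n this is the bare IP, no reverse DNS name
            continue
        m = PORT_LINE.match(line)
        if m:
            ports.append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
            })
    return {"host": host, "ports": ports}


def unexpected_open_ports(scan: Dict[str, object], allowed: set) -> List[int]:
    """Open TCP ports that are not on the allow-list: the exposure check a defender
    runs against a scan of their own host (e.g. allowed={22} if only SSH is expected)."""
    return sorted(
        p["port"] for p in scan["ports"]
        if p["state"] == "open" and p["proto"] == "tcp" and p["port"] not in allowed
    )


if __name__ == "__main__":
    scan = parse_nmap_normal(SAMPLE_ALLPORTS)
    print(scan["host"], [p["port"] for p in scan["ports"]])
    print("unexpected:", unexpected_open_ports(scan, allowed={22}))
```

The same parser works on any -oN file; the allow-list is the piece to maintain per host, so that a port appearing in a scheduled scan that is not on it becomes a finding rather than a surprise.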

We find the following open ports:

Let’s take a look at what the page has.

We can see a login panel that has some information that we can use. The login panel says Santa's administration panel, so santa may be a valid username.

Initial access 🔑:

We can try common credentials like admin:admin or root:root and many others… But let’s try with the information that we have: santa:santa, santa:admin or santa:northpole. With those credentials, we can gain access…

But let’s try other ways rather than guessing. For example, we can use the tool cewl to create a wordlist based on the content of the page.

cewl http://10.14.0.9/ --lowercase -w wordlist.txt

We can use the tool cupp to generate different variations of words.

./cupp -w wordlist.txt –> We pass the wordlist that we created with cewl.

The content of the wordlist.txt.cupp.txt file generated by cupp is as follows:

We can see that it generates a lot of variations.

Now let’s do a bruteforce attack with the wordlist that we have, using the username santa.

There are many ways to complete a bruteforce attack. We will use the tool hydra in this case.

hydra -l santa -P wordlist.txt.cupp.txt 10.14.0.9 http-post-form "/index.php:username=santa&password=^PASS^:Incorrect login" -v

And the correct credentials are santa:northpole.
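From the server side, a hydra run against this form is a burst of POSTs to /index.php from one address, and because the failed attempts still return 200 with "Incorrect login" in the body, status codes alone do not reveal it. The following Python is an added example, not part of the write-up: a sliding-window detector run over access-log lines in the Apache/nginx combined format. The SAMPLE_LOG lines are constructed for the example (the attacker and user addresses, timestamps and request counts are assumptions); only the target path and the failure behaviour come from the write-up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Combined access-log line: ip ident user [timestamp] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _line(ip: str, ts: datetime, method: str, path: str, status: int) -> str:
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed access log: one legitimate user (10.14.0.50) logging in a few times over
# minutes, and one source (10.14.0.2) sending 40 POSTs to /index.php in 20 seconds.
# Every failed attempt returns 200 (the form answers "Incorrect login" in the body).
_base = datetime(2023, 12, 25, 10, 5, 0, tzinfo=timezone.utc)
_events = [(_base, _line("10.14.0.50", _base, "GET", "/index.php", 200))]
_events += [(_base + timedelta(seconds=i // 2),
             _line("10.14.0.2", _base + timedelta(seconds=i // 2), "POST", "/index.php", 200))
            for i in range(40)]
_events += [(_base + timedelta(minutes=m),
             _line("10.14.0.50", _base + timedelta(minutes=m), "POST", "/index.php", 200))
            for m in range(3)]
SAMPLE_LOG: List[str] = [line for _, line in sorted(_events)]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
            "method": m.group("method"), "path": m.group("path"),
            "status": int(m.group("status"))}


def detect_login_bruteforce(lines, login_path="/index.php", window_seconds=60, threshold=20):
    """Flag each source IP that POSTs to the login form `threshold` or more times within
    any `window_seconds` span (sliding window per IP; lines are assumed chronological).
    Returns {ip: (timestamp of the request that crossed the threshold, count in window)}."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, Tuple[datetime, int]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != login_path:
            continue
        window = recent[ev["ip"]]
        window.append(ev["ts"])
        # drop timestamps that fell out of the window relative to the newest one
        while (window[-1] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = (ev["ts"], len(window))
    return alerts


if __name__ == "__main__":
    for ip, (when, count) in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} login POSTs within 60s, crossed threshold at {when}")
```

Twenty login attempts a minute from one address is a conservative threshold for a single-user admin panel; the same window logic feeds a lockout or rate limit on the form itself, which is the fix that makes the wordlist attack stop working rather than merely visible.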

We are in and we can see a button to download a file.

We can see a new username: elf-manager. Maybe we can use it to login with SSH.

But let’s first crack (look up) the MD5 hashes with md5decrypt.net.
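The lookup works because an unsalted MD5 hash is a function of the password alone, so a site can precompute it for every common word, and the same password yields the same hash for every account. The following Python is an added example, not part of the write-up: the table lookup beside the storage scheme that defeats it (per-user random salt, iterated PBKDF2-HMAC-SHA256, constant-time comparison). WORDLIST is constructed to stand in for the cewl/cupp output; "northpole" is the password the write-up recovers.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for the cewl/cupp output
WORDLIST = ["christmas", "reindeer", "northpole", "santa2023", "sleigh"]

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def md5_lookup(digest: str, wordlist) -> Optional[str]:
    """Reverse an unsalted MD5 by table lookup. No salt means the hash of "northpole"
    is identical in every database, so a precomputed table (what md5decrypt.net holds,
    at scale) answers instantly; the cost of building it is paid once."""
    table = {md5_hex(word): word for word in wordlist}
    return table.get(digest.lower())


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash: a random 16-byte salt per user makes two accounts with the
    same password store different strings (no shared table, no reuse visible by
    comparing hashes), and each guess costs PBKDF2_ITERATIONS rounds instead of one."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = md5_hex("northpole")
    print("unsalted MD5", leaked, "->", md5_lookup(leaked, WORDLIST))
    stored = hash_password("northpole")
    print("salted PBKDF2", stored[:40] + "...", "verify:", verify_password("northpole", stored))
```

The salted scheme does not stop a user from reusing one password on the web panel and on SSH, which is what actually gave the foothold here; it only stops the hash file from handing that password over. Reuse is a policy and MFA problem, and the web login and SSH each need their own throttling.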

What if we try reusing the password northpole with the username elf-manager? We can try to connect to SSH and see if we can get in.

It works 🎉. Now that we are inside the machine, we need to do a few things to ensure smooth operation:

  1. export TERM=xterm

This will allow us to clean the screen with ctrl + l.

Now we can see the flag 🎉.

Privilege escalation 🚩:

We need to enumerate the system to find a way to escalate privileges.

One thing I always check first is sudo -l. This command helps us determine if we have the ability to execute commands as another user. If we are lucky, we might discover that we can execute commands with the privileges of the root user.

For more info about privilege escalation techniques, check here.

We can execute the vim command as the root user. We can check GTFOBins for a way to escalate privileges.

Or we can do it this way:

sudo vim

esc + : + !bash –> This spawns a shell as the root user.

And now we are root :)
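The root cause is a sudoers rule that lets a user run an editor as root without restrictions, and the defender's check is the mirror image of sudo -l: parse the rules and flag any runas-root entry for a binary that can spawn a sub-shell. The following Python is an added example, not part of the write-up. SAMPLE_SUDO_L is constructed in the shape the write-up describes (vim runnable as root); the hostname, the NOPASSWD tag and the second rule are assumptions, as is the list of flagged binaries, which GTFOBins extends considerably.

```python
import os
import re
from typing import Dict, List

# Constructed sample of `sudo -l` output; hostname, NOPASSWD and the systemctl rule
# are assumptions, only "vim as root" comes from the write-up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for elf-manager on santaslist:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User elf-manager may run the following commands on santaslist:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart sleigh.service
"""

# Editors and pagers that can run a sub-shell from inside the program (a small subset of
# what GTFOBins lists); running any of these as root without NOEXEC hands out a root shell.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "view", "vimdiff", "less", "more"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>\S.*)$")
TAG = re.compile(r"^[A-Z]+:$")  # NOPASSWD:, NOEXEC:, SETENV:, ...


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Parse the "(runas) [TAG:] command, command" lines of `sudo -l` output."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults lines and headers do not start with "(runas)"
        tokens = m.group("rest").split()
        tags: List[str] = []
        while tokens and TAG.match(tokens[0]):
            tags.append(tokens.pop(0).rstrip(":"))
        for cmd in " ".join(tokens).split(", "):
            argv = cmd.split()
            rules.append({"runas": m.group("runas").strip(), "tags": tags,
                          "command": argv[0], "args": argv[1:]})
    return rules


def audit(rules: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Flag unrestricted rules and shell-escape binaries that lack the NOEXEC tag."""
    findings: List[Dict[str, str]] = []
    for r in rules:
        name = os.path.basename(r["command"])
        if r["command"] == "ALL":
            findings.append({"command": "ALL", "runas": r["runas"],
                             "issue": "unrestricted sudo; any command runs as " + r["runas"]})
        elif name in SHELL_ESCAPE_BINARIES and "NOEXEC" not in r["tags"]:
            findings.append({"command": r["command"], "runas": r["runas"],
                             "issue": f"{name} can spawn a shell as {r['runas']}; "
                                      "use sudoedit for file edits or add the NOEXEC: tag"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{f['runas']}] {f['command']}: {f['issue']}")
```

sudoedit is the better fix for the editing use case: it copies the file, runs the editor as the invoking user, and writes the result back as root, so the editor never holds root. NOEXEC blocks the :! escape by preloading a library that refuses exec calls, which does not cover statically linked binaries, so treat it as a second line rather than the remedy.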

Hope you like it and learn something new :)