Thursday, 1 March 2018

DC416 - Fortress - CTF

Last weekend I tried another cool CTF from VulnHub - DC416 Fortress. This time the game was prepared by the VulnHub CTF Team. Below you will find my solutions to all the challenges. Let's go...

Ok. Your machine is waiting here:

After you prepare it, the started machine looks like this:

(As you can see, in the background there is my putty.exe connected to the Kali VM.)

To detect the new machine in the lab I used netdiscover with the -r parameter:

The target machine has this IP (but after a restart it will get .208, so don't worry ;]):


Ok, nice. We can perform a port scan now:

Ok, let's start with port 80/tcp. Maybe we will find something interesting. I decided to make a little loop with dirb over the wordlist directory in Kali, see below:

It wasn't the best idea, so I switched to the one below:

...and we've found a new link :]


Checking the page:

Looks like an invite for RCE... :>

Let's try to verify this idea (intercepting with Burp):

...and sending to Intruder to check if there will be any interesting output...

One of my "payloads" contained CRLF characters (I prepared it to find bugs similar to the one described in CVE-2004-2054; you can also use some line(s) from /dev/urandom if you want ;) anyway...)

Now, encoding it together with the base payload ('IP to scan'), we should be somewhere here:

It works ;]

Let's get some information about the files inside the box:

Unfortunately I wasn't able to visit the k3y's directory:

Reading scanner.php (as you can see we have some banned delimiters there):
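The scanner's delimiter denylist and the CRLF trick above illustrate why filtering shell metacharacters is not a fix. The following added example (my own Python, not the CTF's scanner.php) contrasts a constructed denylist check with a strict allowlist check for the 'IP to scan' field and builds the scanner command as an argv list, so no shell ever parses the input; the banned characters and the `nmap -sT` wrapper are assumptions, not taken from the box.

```python
import ipaddress

# Constructed denylist in the spirit of the page's scanner.php: it covers the
# usual shell separators but forgets that a bare newline (or CR LF) also ends a
# command for /bin/sh.
BANNED_DELIMITERS = [";", "|", "&", "`", "$", "(", ")", ">", "<"]


def denylist_check(value: str) -> bool:
    """Weak approach: accept anything that contains no banned character."""
    return not any(d in value for d in BANNED_DELIMITERS)


def allowlist_check(value: str) -> bool:
    """Strong approach: accept only a string that parses as exactly one IP.

    No stripping is done on purpose: trailing whitespace or line breaks make
    the value fail to parse, which is what we want."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def build_scan_command(target: str) -> list:
    """Return the scanner argv (assumed nmap wrapper) or raise ValueError.

    Passing a list to subprocess.run() without shell=True means the target
    reaches the scanner as a single argument, never as shell syntax."""
    if not allowlist_check(target):
        raise ValueError("target must be a single IP address")
    return ["nmap", "-sT", target]


if __name__ == "__main__":
    # Constructed inputs: a clean address and one carrying a CR LF sequence.
    for sample in ["10.0.0.1", "10.0.0.1\r\nextra"]:
        print(repr(sample), "denylist:", denylist_check(sample),
              "allowlist:", allowlist_check(sample))
```

The denylist reports the CR LF sample as clean while the allowlist rejects it; a validator that parses the expected type beats one that hunts for bad characters.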

Listing /home directory - 2 users found:

Checking s1kr3t:

Reading flag.txt:

Seems like we've got the first flag! :]

Let's dig a little deeper:


Listing craven's home directory reveals some more files to check, here we go:

As you can see there are: flag.txt, hint.txt and reminders.txt. We will check all of them:

- hint.txt :

- reminders.txt :

flag.txt was not readable, so I decided to also check the 2nd /home directory, vulnhub. A few details below:

... but we will get back to it later.

Now, the strings output for the binary is presented on the screenshot below:

Ok, there is a flag to win ;]

I decided to check k1ngd0m_k3yz again to look for the files inside the directory:

You'll find the results below:

- passwd:

- master:

Looks good.

Where can we use it? Maybe in the next step: reminders.txt + the hash from the master file + <your favourite cracking tool> (I used hashcat, available on Kali Linux):

You'll find the results below:

After a while I found the cracked password(s) in the fin3.txt file on my Kali box:


Cool, we've got a shell. :]

What can we do now? Grab the flag:


Hm... maybe strace will help me:

...or maybe not.

But the results from the reader look 'ok' (so I know I've got the proper perms to run the binary, etc.). Now:

Maybe, but not this time :]

Do you see the hint?

Following the man page we will now 'check' what 'is allowed' ("Symbolic links not allowed!" from the binary); checking:

Good. So this is how I found 3 flags in the DC416 Fortress CTF.

To be honest it was a bit of a surprise for me when I saw a FreeBSD box ;> (but it was also a good moment to learn more about FBSD bugs ;])

So... once again we have an excellent CTF hosted by VulnHub :] I really enjoyed this one (kudos for the fbsd ;]). Try it.

Hopefully see you soon...
