I started - as usual - with a scan of the machine. Nmap (used to do that) presented results like those on the screen below:
Let's start from the beginning - checking FTP server:
Ok, cool. So we have 'ftp-access' (but as you can see, telnet was not the best idea; I installed an ftp client - console version). On a 2nd terminal I decided to start checking possible directories/files on the remote HTTP ports (80 as well as 443). You will find the results below:
Let's check those results in the browser:
... I was able to collect some of the usernames and some 'interesting content' - you'll see below:
Ok, let's write it down for future use. Next I prepared 2 files: one for the users and one for the password(s). See below:
...but after a while I saw the badboy message:
...after the mentioned ftp-client was installed I tried to log in (as anonymous user) again (ftp):
As you can see, now we can get some more results than before. Good.
Checking the next link from dirb, this is what I found:
Great, maybe we will use it. After checking the results from port 80/tcp I switched to checking the results from 443 - https. You'll see some details below:
Good, more dirs to check. Let's do it:
Still no luck... I decided to try the same at the forum:
Great, it worked! ;] So now I can grab the email address to check if I'll be able to log in to the webmail:
Great. Let's see what we have here:
Good. My next idea was: raptor or webshell-via-sql? Unfortunately I was not able to do any-select-into-outfile query ;) so I decided to check what's inside the database(s). For example:
Good. We will use it later. Now let's try to crack some of the hashes grabbed here.
Good. Let's check where we can reuse those passwords:
Hm... (in the meantime I tried to use the exploit code available here
but it was not the case this time... :] so... )
Playing with the ftp and 'my current directory':
helped me to find a backup file, see below:
Good. I tried to unlock the file with the passwords I found before but without any luck. After a while I found another interesting directory - .ssh ;]
Let's check if we can use those files somehow:
Yes we can ;]
Great, what's next? After a while I found some more passwords:
Good. A moment later I decided to switch to another user. Surprisingly it worked as well:
Great. Let's try to reverse that process to grab the content of the backup archive (when I was trying to do it in Kali there was an error. You'll see the solution I found on the screen below):
Now it was easier:
I found very interesting content inside the unpacked archive, for example passwd and shadow files ;)
So far so good. Now it's time to crack the shadow...
Unfortunately I wasn't able to crack those passwords with rockyou.txt and this is how I found these resources:
Using password files available there I was able to crack the shadow file, see below:
Good. Let's check it now.
Looks like we got it ;]
I downloaded 'secret' file to my Kali box to check it and I found:
I must admit that it was a very cool CTF. I think this machine was a good start for the whole series ;]
Big thanks for De-ICE and VulnHub!