Hello friends!! Today we are going to solve another CTF challenge, “Shrek”, which is available online for those who want to increase their skill in penetration testing and black box testing. Shrek is a retired vulnerable lab presented by Hack the Box for online penetration practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.
Level: Intermediate
Task: find user.txt and root.txt file in victim’s machine.
Since these labs are available online, they have static IPs; the IP of Shrek is 10.10.10.47, so let’s begin with nmap port enumeration.
nmap -A 10.10.10.47
From the image given below, you can observe that we found ports 21, 22 and 80 open on the victim’s machine. As the nmap scan shows the target running HTTP on port 80, we use dirb to enumerate the directories.
dirb http://10.10.10.47
We first open the IP in our browser.
We open uploads/ directory that we found in the dirb scan and find a file called secret_ultimate.php.
wget http://10.10.10.47/uploads/secret_ultimate.php
We open secret_ultimate.php and find a path to a directory called secret_area_51.
We download the audio file we find there into our system and use an online site called academo.org to analyse its spectrum; there we find a hint to log in through FTP using the username donkey.
Further analysis of the audio file gives us the password to the username.
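The spectrum analysis above is done through academo.org; the following added example (not from the original write-up) shows the same idea offline with a frame-wise DFT, using a constructed tone sequence in place of the challenge’s audio file. Function and constant names are my own.

```python
import cmath
import math

SAMPLE_RATE = 8000   # Hz, assumed for the constructed signal
FRAME = 256          # samples per analysis frame (bin width = 31.25 Hz)


def synth_tone_sequence(freqs_hz, frame_len=FRAME, rate=SAMPLE_RATE):
    """Constructed sample input: one pure tone per frame.

    Content hidden in a spectrogram works the same way: energy is placed at
    chosen frequencies over chosen time windows, so the pattern appears only
    when the signal is viewed in the frequency domain.
    """
    samples = []
    for f in freqs_hz:
        for n in range(frame_len):
            samples.append(math.sin(2 * math.pi * f * n / rate))
    return samples


def dominant_frequencies(samples, frame_len=FRAME, rate=SAMPLE_RATE):
    """Coarse spectrogram: for each non-overlapping frame, return the
    frequency (Hz) of the strongest DFT bin below the Nyquist frequency."""
    result = []
    for start in range(0, len(samples) - frame_len + 1, frame_len):
        frame = samples[start:start + frame_len]
        best_k, best_mag = 0, -1.0
        for k in range(frame_len // 2):
            # direct DFT of one bin; O(N) per bin is fine for short frames
            acc = sum(x * cmath.exp(-2j * math.pi * k * n / frame_len)
                      for n, x in enumerate(frame))
            mag = abs(acc)
            if mag > best_mag:
                best_k, best_mag = k, mag
        result.append(best_k * rate / frame_len)
    return result


if __name__ == "__main__":
    signal = synth_tone_sequence([1000, 2000, 500])
    for i, f in enumerate(dominant_frequencies(signal)):
        print(f"frame {i}: dominant tone {f:.1f} Hz")
```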
We log in through FTP and find a few text files and a file simply called key.
We download the key and all the text files; we use mget to mass-download the txt files.
ftp> get key
ftp> mget *.txt
We decode the first base64 encoded string and find the decoded string to be ‘PrinceCharming’.
In another file we find a base64 encoded string, similarly separated by spaces.
We use Python to decode the hexadecimal string. We use the seccure module with ‘PrinceCharming’ as the passphrase to decrypt the string.
import seccure

# ciphertext recovered from the FTP text file (placeholder kept as in the write-up)
string = b"hexadecimal string"
# 'PrinceCharming' is the passphrase decoded from the first base64 string
print(seccure.decrypt(string, b"PrinceCharming"))
The decrypted output is an RSA key, which we use to log in. We use the username sec, as found earlier, and the passphrase we found before. Once logged in we go to the /home/sec directory, where we find a file called user.txt. When we open the file we get our first flag.
After a few minutes we find that its owner and group have changed to root.
Now, to exploit this, we create a C program on our system that can give us the root.txt file in the root directory. After creating the file we use the SimpleHTTPServer module of Python to transfer it.
We now download the file into the target system using wget.
After downloading the file we compile the C program as rootshell.
gcc shell.c -o rootshell