CTF Example – Hacking
Although hacking can have several meanings, in the context of the RSM CTF the hacking category focuses on the active exploitation of vulnerable services. In this post, you should expect to come away with the following skills:
- Use VMware to set up and configure a safe test lab environment
- Use Nmap to find out what services are running on a remote host
- Use Metasploit to exploit a target
- Perform basic post-exploitation activities
Software needed:
- VMware Player: vmware.com/go/tryplayer (VirtualBox is an alternative; other tools are available for Mac systems as well)
- Kali Linux 2.0 x64 http://cdimage.kali.org/kali-2016.2/kali-linux-2016.2-amd64.iso
- Metasploitable 2.0.0 https://download.vulnhub.com/metasploitable/metasploitable-linux-2.0.0.zip
Setting up your environment
For this exercise, I am assuming you already have a virtual workstation with Kali on it running correctly. Unzip the Metasploitable file and open VMware Player. Go to File -> Open and choose the .vmx file from the directory you just extracted. In the networking settings, make sure you choose either “Bridged” or “Host-only” for the type of connection you want to make. If you choose Bridged, be warned – you are connecting a purposefully vulnerable machine to that network! If you are using this in the classroom, I recommend getting a cheap wifi hotspot and having all the machines connect to it instead of running it on the guest network.
Power on your Metasploitable virtual machine and power up your Kali Linux machine.
Once Metasploitable comes up, log in with the default credentials msfadmin / msfadmin. Type ifconfig at the console to find out what IP address your virtual machine grabbed (the inet addr field). To verify that it is reachable, run a ping command from your Windows or Kali host. If you see lines that look like “reply from”, you are properly connected.
Discovery
The first phase in any cyberattack is reconnaissance. It’s difficult to attack a target if you don’t know exactly what you’re looking at. One of the leading tools in network discovery is Nmap, which is installed in Kali Linux by default.
In order to determine what applications are running on our target, we will use the following Nmap command:
nmap -sV --top-ports 1000 172.20.220.173 -v -O
Here’s what each flag does:
-sV : Service scan. Grabs the banner of each running service and tries to identify it against Nmap’s service database.
--top-ports 1000 : This instructs Nmap to look only at the 1000 most common ports.
-v : Verbosely print information about the scan (helpful for troubleshooting and for making sure it is working).
-O : If possible, identify the operating system (this needs root privileges, since it relies on raw packets). If Nmap can’t tell directly, it will give its best guesses.
You should get a report that looks like this:
This is a lot of information and might seem overwhelming, but let’s take it step by step. The left column (PORT) tells us which port came back with something interesting. The third column (SERVICE) tells us what type of service typically uses that port. For example, port 21 is used for file transfer (FTP). In the VERSION column, Nmap determined that this computer is running a specific version of FTP software called vsftpd 2.3.4.
(Note: This is not what a typical host should look like – there are many things exposed to the internet on it! A usual scan on your Windows machine might return 5-10 open ports.)
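As an added example (not code from the original post), here is a small Python parser for the table Nmap prints. It turns the columns described above into records and then compares the open ports against an allow-list of what the host is expected to expose, which is how a defender would triage the same scan. The scan text and the allow-list are constructed for the example; the first line mirrors the vsftpd 2.3.4 finding from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample of Nmap's -sV table (not a captured scan); the first
# line mirrors the vsftpd 2.3.4 finding described in the post.
SAMPLE_SCAN = """\
PORT     STATE         SERVICE VERSION
21/tcp   open          ftp     vsftpd 2.3.4
22/tcp   open          ssh     OpenSSH 4.7p1 (protocol 2.0)
23/tcp   open          telnet  Linux telnetd
8787/tcp open|filtered unknown
"""

# port/proto  state  service  [version...]
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[\w|]+)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*?))?\s*$"
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap_table(text: str) -> list:
    """Turn each port line of Nmap's human-readable output into a Service."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # header, blank lines, OS detection output
        # Nmap appends '?' to a service name it is not sure about; drop it.
        found.append(Service(int(m["port"]), m["proto"], m["state"],
                             m["service"].rstrip("?"), m["version"] or ""))
    return found


def review_exposure(services: list, allowed_ports: set) -> list:
    """Flag every open (or open|filtered) port that is not on the allow-list.
    allowed_ports is an assumed site policy for the host, e.g. {22}."""
    findings = []
    for s in services:
        if "open" in s.state and s.port not in allowed_ports:
            banner = s.version or "no banner"
            findings.append(f"{s.port}/{s.proto} {s.name} ({banner}) not on allow-list")
    return findings
```

Save the real scan output to a file (or use nmap -oN) and feed its text to parse_nmap_table to review your own hosts the same way.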
Enumeration/Exploitation
Now that we have the data we need, we can begin to do research. Typically in a penetration test, I will begin to Google strings I don’t recognize to see if there are any published security vulnerabilities. Googling “vsftpd 2.3.4 exploit” brings up lots of interesting information! It turns out someone has written a Metasploit module that takes advantage of the backdoor in this version of the application.
Metasploit
To start Metasploit, run msfconsole in a terminal. When it has finished loading, you should see a prompt that reads msf > .
Now we are going to find out how to exploit vsftpd. In the console, type search vsftpd. If you get an error about the database connection, you may need to open up a new terminal and run msfdb init and msfdb start to get it going for the first time.
You should get output similar to this:
To load the module, type “use exploit/unix/ftp/vsftpd_234_backdoor”. Then run the “options” command to see what we have to configure:
It looks like we need to set RHOST to the address of our target. RPORT is filled in automatically as 21, so that option is already correct. Let’s use the address we’ve been using this whole time, with “set RHOST” followed by the IP:
When you are ready, type “run”!
Post-Exploitation
Now we have a valid command shell session on the remote computer as if we were sitting right in front of it! To get an output that makes a little better sense, type the following command:
/bin/sh -i
On Linux, this gives us an interactive shell that is a little friendlier to work with. Type whoami to find out which user was running the vsftpd application. It’s always good to understand what files are on the system, so it wouldn’t hurt to do an ls -al.
Let’s find out what other accounts might be on the system. On Linux, they are stored in the /etc/passwd file. To output the contents to the screen, use cat /etc/passwd.
The password hashes themselves are stored in /etc/shadow, which only the root user on a Linux system can read. Output the contents of this file in the same way:
These entries look so strange because they are hashed: a hash is a form of storing passwords that is designed to be irreversible. However, armed with a good enough dictionary we can still uncover the ones that are weak. Copy the contents of this file to a new text document and give it a descriptive name.
Cracking the Hashes
Now that we have this file stored as a text file, let’s get a good wordlist. Kali comes with many excellent wordlists to start off with, but the cream of the crop is called rockyou.txt. Decompress it with gunzip /usr/share/wordlists/rockyou.txt.gz
We’re going to use John the Ripper to attempt to crack the password hashes that we found. Open up a new terminal and type the following:
john /root/Desktop/myfiles.txt --rules -w=/usr/share/wordlists/rockyou.txt
This starts an instance of John the Ripper, which begins trying to guess passwords based on the entries in the rockyou.txt wordlist. The --rules flag tells John to also try simple substitutions, such as 0 for O in a word. When the wordlist run is done, you can remove the entire -w part so John falls back to its default modes, which work through combinations of characters until it finds the correct one.
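To see why the dictionary run above gets results, here is an added example (not from the original post) that reads the /etc/shadow format copied in the post-exploitation step and reports accounts that have no password or that use a fast hash type such as md5crypt or descrypt, which a wordlist run can cover far more quickly than a slow, iterated scheme. The shadow lines are constructed for the example, not copied from Metasploitable.

```python
import re

# Constructed /etc/shadow excerpt for the example (not copied from any real
# system). Fields: name:password:lastchange:min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
sync:!:14684:0:99999:7:::
service:$6$saltsalt$QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxc:14747:0:99999:7:::
oldstyle:ab3lZKqPO9cQE:14747:0:99999:7:::
nopass::14747:0:99999:7:::
"""

# $id$ prefixes used by crypt(3); anything else is treated as unknown.
HASH_FAMILY = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
               "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
# Slow, salted, iterated schemes: each dictionary guess costs far more.
STRONG = {"bcrypt", "sha256crypt", "sha512crypt", "yescrypt"}


def classify_hash(field: str) -> tuple:
    """Return (family, locked, has_password) for one shadow password field."""
    if field == "":
        return "none", False, False          # empty field: account has no password
    if field.startswith(("!", "*")):
        return "locked", True, False         # '!' or '*' marks a locked account
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return HASH_FAMILY.get(m.group(1), "unknown"), False, True
    if len(field) == 13:
        return "descrypt", False, True       # traditional 13-character DES hash
    return "unknown", False, True


def audit_shadow(text: str) -> list:
    """List (user, reason) for accounts a wordlist run could hit cheaply."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        user = fields[0]
        family, locked, has_pw = classify_hash(fields[1])
        if locked:
            continue
        if not has_pw:
            findings.append((user, "no password set"))
        elif family not in STRONG:
            findings.append((user, f"fast hash ({family}); rehash on next login"))
    return findings
```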
Next Steps
- Try to crack the passwords for all users
- Exploit the IRC server on the host and follow the same process.
- Research 2 different ways you can gain password hashes from a Windows system – 1 with Metasploit and 1 without.
- Research the 10 most common exploits for Windows that can be performed with Metasploit