DC416 Fortress – VulnHub

This CTF write-up is for a machine made by members of the VulnHub CTF Team for DefCon Toronto’s first offline CTF.

You can download this machine from the VulnHub link provided.

Level: Beginner to Intermediate

Objective: Find three hidden flags.

Walkthrough:

1. Start with Nmap

nmap -sV 192.168.10.7

The nmap results show that PHP is present, so let us use dirb to explore the available directories.


2. Run dirb

dirb https://192.168.10.7/ /usr/share/wordlists/dirb/big.txt -X .php

Browse to the link found by dirb: https://192.168.10.7/scanner.php


3. It is an nmap service running on the web


4. Now intercept the request in Burp Suite and try issuing commands


5. Now we can find the flag in these directories.


6. Now, for flag 2, we will traverse the other directory using ls


After opening the files master and passwd, we get:

master====
craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User &:/home/craven:/bin/sh
passwd====
craven:*:1002:1002:User &:/home/craven:/bin/sh

So now go to craven's home folder and look around.


7. We don't have permission to open flag.txt, so open reminder and hint

Reminder,

Now Hint,


8. It seems the pet name is qwerty.

So build a wordlist with crunch (in the -t pattern, % stands for a digit and ^ for a symbol):

crunch 10 10 -t %%%qwerty^ -o craven.lst

and feed that wordlist to John the Ripper.

The passwd and master files gave us the /etc/passwd and /etc/shadow entries for craven.
So now copy and paste them into files and combine them using John's unshadow.


9. Now flag 2


10. For the final flag, traverse to /usr/home/vulnhub.
Now we have two files, reader and flag.txt.
As the screenshot shows, reader basically checks for the keyword flag in the file name, so trick it by making a symbolic link to flag.txt under a different name.
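
Why the symbolic link gets past reader, and how such a check can be hardened, as an added example that is not part of the original write-up. reader's source is not shown on the page, so name_check_allows is an assumed reconstruction of its keyword check; inode_check_allows, run_demo and the file names notes and readme are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* for mkdtemp and symlink */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed reconstruction of reader's check: refuse names containing "flag". */
int name_check_allows(const char *path) {
    return strstr(path, "flag") == NULL;
}

/* Hardened: open first, then compare the opened file's device and inode with
 * the protected file's. A symlink or hard link alias resolves to the same
 * inode, so the name used to reach it no longer matters. Fails closed. */
int inode_check_allows(const char *path, const char *protected_path) {
    struct stat want, got;
    if (stat(protected_path, &want) != 0) return 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    int same = fstat(fd, &got) != 0 ||
               (got.st_dev == want.st_dev && got.st_ino == want.st_ino);
    close(fd);  /* a real reader would keep reading from this same fd */
    return !same;
}

/* Builds a constructed sandbox (flag.txt, a symlink "notes" to it, and an
 * unrelated "readme") and returns a bitmask: 1 = name check allows the
 * symlink, 2 = name check allows flag.txt, 4 = inode check allows the
 * symlink, 8 = inode check allows readme. Returns -1 on setup failure. */
int run_demo(void) {
    char dir[] = "/tmp/readerXXXXXX";
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    FILE *f = fopen("flag.txt", "w"), *g = fopen("readme", "w");
    if (!f || !g || symlink("flag.txt", "notes") != 0) return -1;
    fclose(f); fclose(g);
    int r = name_check_allows("notes") | (name_check_allows("flag.txt") << 1) |
            (inode_check_allows("notes", "flag.txt") << 2) |
            (inode_check_allows("readme", "flag.txt") << 3);
    unlink("notes"); unlink("flag.txt"); unlink("readme");
    if (chdir("/tmp") != 0 || rmdir(dir) != 0) return -1;
    return r;
}

int main(void) { printf("result mask: %d\n", run_demo()); return 0; }
```

The name check lets the symlink through while blocking flag.txt itself; the inode comparison refuses the symlink and still allows the unrelated file.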


Flag 1 = FLAG{n0_one_br3aches_teh_f0rt}

Flag 2 = FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

Flag 3 = FLAG{its_A_ph0t0_ph1ni5h}


 
