DC416 Fortress – VulnHub
This is a write-up of the CTF created by members of the VulnHub CTF Team for DefCon Toronto’s first offline CTF.
You can download this machine from the VulnHub link provided.
Level: Beginner to Intermediate
Objective: Find three hidden flags.
WalkThrough:
1. Start with Nmap
nmap -sV 192.168.10.7
The nmap results show that PHP is present, so let us use dirbuster to explore the available directories.
2. dirb https://192.168.10.7/ /usr/share/wordlists/dirb/big.txt -X .php
Browse to the link found by dirb: https://192.168.10.7/scanner.php
3. It is an nmap service running on the web.
4. Now intercept the request in Burp Suite and try issuing commands.
5. Now we can find the flag in these directories.
6. Now, for flag 2, we traverse the other directory by running ls on it.
After opening the files master and passwd, we get:
master====
craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User &:/home/craven:/bin/sh
passwd====
craven:*:1002:1002:User &:/home/craven:/bin/sh
So now go to craven's home folder and look.
7. We don't have permission to open flag.txt, so open reminder and hint.
Reminder,
Now Hint,
8. It seems the pet name is qwerty.
So build a wordlist using crunch: crunch 10 10 -t %%%qwerty^ -o craven.lst
and feed that to John the Ripper.
The passwd and master files gave us the /etc/passwd and /etc/shadow entries for craven.
So copy and paste them into files and combine them using john's unshadow.
9. Now flag 2.
10. For the final flag, traverse to /usr/home/vulnhub.
Now we have two files: reader and flag.txt.
As the screenshot shows, reader basically checks for the keyword flag, so trick it by making a symbolic link.
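The following C program is an added example, not the reader binary's source and not code from the original write-up. It contrasts the name-based check described in step 10 with a check on the opened file's identity (device and inode), which also covers hard links; the function names, the /tmp sandbox and every file name other than flag.txt are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak check as the write-up describes reader: refuse only when the NAME contains "flag". */
int name_check_allows(const char *path) { return strstr(path, "flag") == NULL; }

/* Hardened check (hypothetical helper): open without following a final symlink,
 * then compare the opened object's device+inode with the protected file.
 * Returns a readable fd or -1 (fail closed); read from this fd to avoid a race. */
int open_if_allowed(const char *path, const char *protected_path) {
    struct stat want, got;
    if (stat(protected_path, &want) != 0) return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                       /* symlink or unreadable */
    if (fstat(fd, &got) != 0 ||
        (got.st_dev == want.st_dev && got.st_ino == want.st_ino)) {
        close(fd);                               /* same file under another name */
        return -1;
    }
    return fd;
}

/* Constructed sandbox: flag.txt, a symlink and a hard link to it, and an
 * unrelated file. Bit i of the result is set when check i lets a path through. */
int run_demo(void) {
    char dir[] = "/tmp/readerXXXXXX", cwd[4096];
    int bits = 0, fd;
    if (!getcwd(cwd, sizeof cwd) || !mkdtemp(dir) || chdir(dir) != 0) return -1;
    fd = open("flag.txt", O_CREAT | O_WRONLY, 0600); close(fd);
    fd = open("readme", O_CREAT | O_WRONLY, 0600); close(fd);
    if (symlink("flag.txt", "note") != 0 || link("flag.txt", "copy") != 0) return -1;
    bits |= name_check_allows("note") << 0;      /* weak check passes the symlink */
    bits |= name_check_allows("flag.txt") << 1;  /* weak check blocks the real name */
    const char *p[] = {"note", "copy", "flag.txt", "readme"};
    for (int i = 0; i < 4; i++) {                /* bits 2..5: hardened check */
        fd = open_if_allowed(p[i], "flag.txt");
        if (fd >= 0) { bits |= 1 << (i + 2); close(fd); }
    }
    unlink("note"); unlink("copy"); unlink("readme"); unlink("flag.txt");
    if (chdir(cwd) != 0 || rmdir(dir) != 0) return -1;
    return bits;
}

int main(void) { printf("result bits: 0x%02x\n", run_demo()); return 0; }
```

Only bit 0 (the name check passing the symlink) and bit 5 (the hardened check passing the unrelated file) are set: the identity check rejects the symlink, the hard link and the file itself.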
Flag 1 = FLAG{n0_one_br3aches_teh_f0rt}
Flag 2 = FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}
Flag 3 = FLAG{its_A_ph0t0_ph1ni5h}