“Simple CTF is a boot2root that focuses on the basics of web based hacking. Once you load the VM, treat it as a machine you can see on the network, i.e. you don’t have physical access to this machine. Therefore, tricks like editing the VM’s BIOS or Grub configuration are not allowed. Only remote attacks are permitted. /root/flag.txt is your ultimate goal.” – Robert Winkel
More information and OVA file download please check here.
Using arp-scan as routine to detect the target’s IP address.
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)10.1.1.2 00:50:56:f1:61:7e VMware, Inc.
10.1.1.1 00:50:56:c0:00:08 VMware, Inc.
10.1.1.134 00:0c:29:29:7a:4e VMware, Inc.
10.1.1.254 00:50:56:f0:91:47 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.839 seconds (90.17 hosts/sec). 4 responded
10.1.1.134 is our Target!
Then run masscan to detect opening ports on the target (masscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).
root@kali:~# masscan -p1-65535 10.1.1.134/32 --rate=10000
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2016-06-07 07:39:25 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]Discovered open port 80/tcp on 10.1.1.134
root@kali:~/simpleCTF# nmap -v -sV -A -O 10.1.1.134 -oN 134_nmap.txt
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))|_http-favicon: Unknown favicon MD5: 759585A56089DB516D1FBBBE5A8EEA57
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)|_http-title: Please Login / CuteNews
MAC Address: 00:0C:29:29:7A:4E (VMware)Device type: general purpose
Running: Linux 3.X|4.X
Only port 80 is found and Apache 2.4.7 is the HTTP server, also find that, from the title, the CMS is CuteNews.
In the meanwhile, I run nikto to scan web vulnerabilities in terms of port 80 found by port-scanning stage.
- Nikto v2.1.6/2.1.5
+ Target Host: 10.1.1.134
+ Target Port: 80
+ GET Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.6
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type+ GET Cookie CUTENEWS_SESSION created without the httponly flag
+ GET Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0x47e 0x4ec3e1d077c80
+ IZUYPEIH Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: GET /docs/: Directory indexing found.
+ OSVDB-3092: GET /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: GET /icons/README: Apache default file found.
Nothing special, so next I open firefox to check the WEB application.
I found a login page, also the WEB application is CuteNews 2.0.3.