Capture The Flag (CTF) Deloitte – CyberAcademy
1. Introduction and Objectives
In this article, we will provide a solution to the “Deloitte-CyberAcademy” CTF, which features a variety of challenges similar to our CTF-1. You can download the CTF-1 from the following link:
This is a virtual machine with a Linux operating system (hereinafter referred to as the “victim machine”) that presents a series of challenges that need to be overcome in order to capture all the flags.
To carry out ethical hacking tasks, we are situated with our attacking machine in the same network segment as the victim machine. To achieve this, we have deployed both machines (victim and attacker) in VMware Workstation Pro, connected via “NAT” (Network Address Translation).
To carry out this practice, you will need to have at least some basic knowledge of ethical hacking.
2. Phases of Professional Ethical Hacking
Before proceeding with the resolution of the CTF, let’s briefly explain how to carry out a professional “Ethical Hacking” task, what are the phases to be carried out, and the definition of each of them.
Here are the phases that must be followed in every ethical hacking audit:
- Phase 1. Preparation: The parameters of the test are defined. These include objectives, scope, responsibilities, contact persons, rules, time, success/failure criteria, and documentation approving the test.
- Phase 2. Reconnaissance: The test begins by gathering as much target information as possible. This step is crucial as a better understanding of the target allows for more effective actions.
- Phase 3. Scanning: In this phase, we become active by sending packets to the target’s network to identify ports, services, and vulnerabilities they may present.
- Phase 4. Exploitation: Exploitation of the identified vulnerabilities begins to gain access to the target.
- Phase 5. Analysis: All information gathered throughout the previous phases is analyzed to identify risks, prioritize them, determine mitigations, etc.
- Phase 6. Reporting: Various executive and technical documents will be created, detailing the entire test: results, risks, etc. The documents should be well-detailed and tailored to the intended reader.
3. Preparation Phase: Laboratory Setup
To set up the LAB, you only need to have VMware Workstation installed to create the virtual machines listed below.
- Auditor/Attacker Machine: A computer system with an up-to-date Kali Linux operating system. Kali Linux is a Debian GNU/Linux-based distribution primarily designed for auditing and general computer security. It was founded and is maintained by Offensive Security Ltd. This specific distribution has been redesigned with certain features by Jaymon Security S.L.
Official download link: https://www.kali.org/get-kali/
- CTF Deloitte-CyberAcademy Linux VM: This virtual machine contains various challenges to overcome.
4. Internal Reconnaissance Phase
In this phase, we proceed to locate the assets within the network to be audited using techniques for discovering hosts, ports, services, and more.
To do this, we use tools such as:
- Nmap: It is the premier software for discovering all the hosts within one or multiple network segments, as well as the open ports on a specific host. It also allows us to determine the service behind a given port in listening mode, and even identify if there are any known vulnerabilities. This program is also capable of detecting the type and version of the operating system running on a specific host, all in a very easy and rapid manner.
- Zenmap: It is the official GUI for Nmap. It’s a free and open-source cross-platform application that aims to make Nmap easier to use for beginners while providing advanced features for experienced users.
- Dirsearch or Dirbuster: These are two tools capable of discovering files and directories on web servers. This allows the auditor to map out how the target website is configured.
With the execution of these tools, you can observe the following results:
5. Scanning and Vulnerability Analysis Phase of the CTF Machine with IP 192.168.174.170
After collecting information from the previous phase, we move on to the scanning and vulnerability analysis phase. The objective is to discover possible flaws in input parameter processing in web forms, configuration errors in service access, etc.
In this phase, we will actively send packets to the victim machine, so we should be cautious and measure the scanning aggressiveness to avoid raising suspicions. Everything will be recorded in the various logs of each victim machine’s system, and there might also be SIEM systems monitoring network activity and WAFs that could potentially block our connection.
After identifying vulnerabilities, we need to analyze them and organize the results. This will help us plan the most suitable attack method for the exploitation phase.
To carry out this phase, we will use the following tools, focusing on exploring vulnerabilities at the web level:
- Vega: It is a web application vulnerability scanner. It’s free and open-source. It combines vulnerability scanning and proxy functionality to conduct both automated and manual testing.
- OWASP ZAP: It is an open-source web application security scanner. It is designed to be used both as a security tool and a professional penetration testing tool.
From the execution of these two tools, the following results are gathered:
The information gathered up to this point, between internal reconnaissance and the vulnerability scanning results, is as follows:
- Four services running: Vsftpd 3.0.3 (port 21), OpenSSH 7.2 (port 22), JAMES 22.214.171.124 (ports 25, 110, 119, and 4555), APACHE httpd 2.4.18 (port 80).
- Linux Ubuntu operating system.
- FTP service accepts anonymous login.
- JAMES service version 126.96.36.199 has several vulnerabilities: https://vk9-sec.com/apache-james-server-2-3-2-cve-2015-7611/
- The website hosted on the APACHE httpd (Web server) presents medium and high severity vulnerabilities, including command injection and SQL injection, as detected by Vega and OWASP Zap.
With the obtained results, we can now proceed to the next phase.
6. Exploitation phase of the CTF machine with IP 192.168.174.170
In this phase, we will exploit the vulnerabilities found so far. By exploiting each vulnerability, we will capture the flags corresponding to each challenge.
a) First flag
Analyzing the source code of the main webpage, we find the first flag.
b) Second flag
By inspecting the source code of the “Login_1” directory found with “Dirsearch,” we discover its username and password for access.
After entering the username and password, we discover the second flag.
c) Third flag
Another vulnerability identified by Vega is “http authentication over unencrypted http.” This means that login data travels in the HTTP header without encryption.
Analyzing the website with “Live HTTP headers,” we can see the “WWW-Authentication: Basic” header tag.
By modifying this header, that is, changing the information sent via GET to any other, we can bypass the authentication form. This is due to a misconfiguration.
Taking advantage of this vulnerability, we discover the next flag.
d) Fourth and fifth flag
We continue examining directories and find the following flags in the “cyberacademy” and “uploads” directories.
This indicates that by looking at the “robots.txt” file, we were able to find it.
This indicates that by using a directory enumeration tool like “dirsearch” or “dirbuster,” we were able to find it.
e) Sixth flag captured
As shown in Zenmap, we know that there is an FTP service and that it has “anonymous” as an authorized access user. This way, we access the FTP server of the victim machine to obtain the next flag.
f) Seventh flag captured
Through the “Command Injection” vulnerability found in the “ping” directory, we can obtain the next flag. As we can see below, by running the “ls” command, we can see the following file:
If we run the command “cat estonoesunaflag.txt,” we will see our seventh flag:
g) Eighth flag captured
Searching in the home directory of the user “deloitte” that we saw in the “passwd” file, we find another flag. It should be noted that this is not the most appropriate way to reach this flag, but as we can see, it is one of the allowed methods. It’s worth mentioning that possibly the most “legitimate” way to reach this flag would be either by cracking the hashes of the “passwd” and “shadow” files or by finding some other clue through the exploitation of another service, such as the database (DB) that presents an SQL injection (SQLi) vulnerability.
h) Ninth flag captured
In the list of processes, we find the James messaging service. We search in the system log /var/log/syslog to view system events and locate that James is running in the /opt/ directory.
Reviewing the /opt/ directory, we find another flag. In this case, it’s encoded in base64, and we need to decode it to UTF-8.
It should be noted that the vulnerable JAMES service can be exploited as indicated in the following article. It is highly likely that new flags and clues to further exploit the system can be found there: https://vk9-sec.com/apache-james-server-2-3-2-cve-2015-7611/
i) Escalating privileges to discover the tenth (root) flag
By exploiting the “Command Injection” vulnerability discovered in the “ping” directory, it’s possible to obtain information about the victim system, which is necessary for performing privilege escalation.
To view kernel information about the system, I use the command “uname -a,” and to determine the running distribution, I use “lsb_release -a.”
With this information, we now know the operating system of the victim machine, allowing us to search directly on Google to see if there are vulnerabilities that can be exploited for privilege escalation. And indeed, we find the following potential exploits for escalating privileges.
Before we proceed, let’s obtain a “reverse shell” from the victim machine. This way, we can perform privilege escalation more comfortably. To do this, we will use the Metasploit framework, utilizing its “web delivery” exploit located in “exploit/multi/script/web_delivery”. This exploit is specifically designed to exploit remote command execution (RCE) or injection vulnerabilities.
In the exploit’s configuration, we will set the payload to PHP, as we are certain that the victim machine can execute PHP files. In the following image, you can see how to load and execute the exploit. The command it returns needs to be executed via the command injection vulnerability on the victim’s side using the GET request.
As shown in the previous image, we have successfully established a “meterpreter” session.
At this point, we are ready to introduce the compiled exploit into the victim machine to perform privilege escalation. To compile the exploit correctly, we need to study it and identify the libraries it requires for compilation. You might need to add the flags “-pthread” and “-lcrypt” during compilation. The compilation command would look something like this:
- gcc exploit.c -o exploitcompilado -pthread -lcrypt
To introduce the exploit into the victim machine, there are several methods you can use:
- Using the meterpreter shell, you can upload the compiled exploit using the “upload” command (this is the simplest method).
- You can also download the exploit hosted on an FTP server or your own Apache web server and use the “wget” command from the victim machine’s command shell (cmd) to fetch the exploit.
So, we will choose the second option and use “wget” to download the exploit to the “/tmp/” directory. This is important because if I download it to another directory, I won’t have write permissions and the download will fail.
Once the file is downloaded, we give it executable permissions using the “chmod +x” command and then execute it.
At this point, we are now “root” and have obtained the flag that was located in the “/root/” directory.
With the power granted by “root” privileges, we could make any changes to the victim system, such as changing passwords of existing users, setting up a graphical access scenario, launching new services, creating new users, etc.
However, we conclude this CTF here, keeping in mind that there are still challenges to be solved, such as the SQL injection vulnerability highlighted by Vega and the exploitation of the JAMES service for your enjoyment.
At the end of the article, it is mentioned that the SQLi vulnerability and the JAMES service exploitation remain unresolved, for the enjoyment of the CTF player. SQLi, as per OWASP, is one of the most widespread types of vulnerabilities, making it highly advisable to study it thoroughly. To tackle this type of vulnerability, the use of the “SQLmap” tool is recommended, along with reading our article https://jaymonsecurity.com/script-sql-injection.
Regarding the vulnerable JAMES service, you can continue studying its exploitation in the following article:
If you’re interested in acquiring introductory knowledge in ethical hacking, you can enroll in our basic ethical hacking course. Alternatively, if you prefer to gain more advanced knowledge in offensive cybersecurity, you can opt for our advanced course.