We demonstrated a simple boot2root CTF walkthrough named Covfefe, where we performed an initial Nmap scan followed by directory discovery. We found an SSH private key that was publicly accessible and used it to gain an initial SSH shell. We then exploited a buffer overflow vulnerability in a binary we found to elevate privileges to root.
Description
Covfefe is my Debian 9 based B2R VM, originally created as a CTF for SecTalks_BNE. It has three flags.
1. Initial Reconnaissance and Accessing the Web Server
My first step was to identify the target machine’s IP address. I used the nmap command for this, although the specific command used to find the IP wasn’t explicitly shown. I did note that the target IP ended with 136. The nmap scan revealed three open ports: SSH, HTTP (port 80), and another port, 31337. Navigating to the web server on port 80 showed a default nginx welcome screen with no apparent vulnerabilities.
2. Deeper Enumeration with Nmap
To get more detailed information about the services running on the target, I performed a more aggressive nmap scan. The command I used was: nmap -A <target_IP>. This scan revealed that the web service on port 31337 had a robots.txt listing disallowed entries, including /taxes and /profile (the video’s narration at this point was garbled: “flagged orbs are flagged as disallowed entries that’s our C profile taxes”).
3. Finding the First Flag
Navigating to the /taxes directory on port 31337 (for example, http://<target_IP>:31337/taxes) immediately revealed the first flag.
4. Directory Brute-forcing with DirBuster
To find more directories on port 31337, I employed DirBuster. I set the target URL to http://<target_IP>:31337/ and used the big.txt wordlist. DirBuster quickly found several directories, including .ssh.
5. Obtaining SSH Credentials
Navigating to the .ssh directory (for example, http://<target_IP>:31337/.ssh/) revealed three crucial files: id_rsa (private key), id_rsa.pub (public key), and authorized_keys. I downloaded all of these files. Opening authorized_keys showed me that the username was cmyk. I also noticed that the private key (id_rsa) was encrypted with a passphrase.
6. Cracking the SSH Key Passphrase with John the Ripper
An initial attempt to log in via SSH using the private key failed because of the passphrase. The command I tried was: ssh -i id_rsa cmyk@<target_IP>. I also used a chmod command to give the key the correct permissions, likely chmod 600 id_rsa.
To crack the passphrase, I turned to John the Ripper. First, I converted the SSH private key into a format John could understand with a command like: ssh2john id_rsa > pass. Then, I ran John the Ripper on the generated hash file: john pass. To display the cracked password, I used: john --show pass. The cracked passphrase was “starwars”.
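Two weaknesses made sections 5 and 6 possible: a web root that served a user’s .ssh directory, and a private key protected only by a dictionary word. The audit script below is an added example, not code from this walkthrough or from the Covfefe VM: it walks a local document root, lists SSH key files that should never be served, and reports whether each private key is passphrase-protected (PEM header, or the cipher name in the openssh-key-v1 body). The file names, sample key blobs and paths built in demo() are constructed for this example.

```python
"""Audit a web document root for SSH key material that should never be served.
Added example, not the walkthrough's code; demo() builds a constructed sample tree."""
import base64, struct, tempfile
from pathlib import Path

SENSITIVE_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "authorized_keys"}
MAGIC = b"openssh-key-v1\0"  # leading bytes of the openssh-key-v1 binary format


def key_is_encrypted(text: str) -> bool:
    """PEM keys flag a passphrase in a header; openssh-key-v1 keys name the cipher ('none' = no passphrase)."""
    if "Proc-Type: 4,ENCRYPTED" in text or "BEGIN ENCRYPTED PRIVATE KEY" in text:
        return True
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(ln for ln in text.splitlines() if not ln.startswith("-----"))
        raw = base64.b64decode(body)
        if raw.startswith(MAGIC):
            (n,) = struct.unpack(">I", raw[len(MAGIC):len(MAGIC) + 4])
            return raw[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    return False  # unrecognised format: treated as unprotected so it gets reviewed


def audit_webroot(root: str) -> list:
    """One (relative path, kind, encrypted) tuple per sensitive file under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or not (".ssh" in rel.parts or path.name in SENSITIVE_NAMES):
            continue
        text = path.read_text(errors="replace")
        is_key = "PRIVATE KEY-----" in text
        findings.append((str(rel), "private-key" if is_key else "sensitive-file",
                         key_is_encrypted(text) if is_key else None))
    return findings


def demo() -> list:
    root = tempfile.mkdtemp()  # constructed web root mimicking the exposed .ssh directory
    ssh = Path(root, ".ssh")
    ssh.mkdir()
    def ossh(cipher: bytes) -> str:  # minimal openssh-key-v1 blob: magic, then cipher name
        blob = MAGIC + struct.pack(">I", len(cipher)) + cipher
        return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(blob).decode()
                + "-----END OPENSSH PRIVATE KEY-----\n")
    (ssh / "id_rsa").write_text(ossh(b"aes256-ctr"))  # passphrase-protected key
    (ssh / "id_ed25519").write_text(ossh(b"none"))    # key with no passphrase at all
    (ssh / "authorized_keys").write_text("ssh-rsa AAAA... cmyk@host\n")  # constructed
    Path(root, "index.html").write_text("<h1>Welcome to nginx!</h1>\n")   # harmless
    return audit_webroot(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run it against the real document root (audit_webroot("/var/www/html") or whatever nginx serves) to find key material before an attacker does; a private key reported with encrypted=False should be treated as already compromised.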
7. Logging in via SSH and Finding the Second (Inaccessible) Flag
With the passphrase, I successfully logged in via SSH using the command: ssh -i id_rsa cmyk@<target_IP> and entered “starwars” when prompted. I was now logged in as cmyk. I attempted to navigate to the /root directory using cd /root. Inside /root, there was a file named flag.txt. However, when I tried to read flag.txt using a command like cat flag.txt, I received a “Permission denied” error because my current user cmyk did not have root privileges.
8. Examining a Program for Potential Privilege Escalation
I found a read_message program in the /root directory. Viewing its content with cat read_message showed that it was a small C program that took user input (a name) and compared it to “cmyk”. The video concluded by stating that the next step (to be covered in a subsequent video) would be to exploit a buffer overflow vulnerability in this read_message program to gain root access and retrieve the final flag.