We covered the first part of the solution to the D0not5top Vulnhub lab by using a combination of active information gathering techniques along with directory traversal and browsing to gather all the flags.

We covered the second part of the solution to the D0not5top Vulnhub lab by using John the Ripper and Metasploit to gather the challenge flags.

Directory traversal is another name for path traversal. These vulnerabilities let an attacker read arbitrary files on the server that the application is running on.

In some cases an attacker may also be able to write to arbitrary files on the server, which lets them alter application behaviour or data and ultimately take full control of the machine.
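To make the distinction concrete, here is an added example (not from the original post) of a file-serving path check in Python, first written naively and then hardened so that a request cannot leave the web root. The web root /var/www/html and the file names are constructed.

```python
import os
from pathlib import Path
from typing import Optional

# Added illustration of the path traversal described above; the web root
# and file names are constructed, not taken from the lab.


def vulnerable_resolve(web_root: str, requested: str) -> str:
    """Naive join: any '../' segment in `requested` walks out of web_root."""
    return os.path.join(web_root, requested)


def safe_resolve(web_root: str, requested: str) -> Optional[str]:
    """Map `requested` to a file under web_root, or return None if it escapes.

    The check is made on the canonical path: Path.resolve() collapses '.'
    and '..' and follows symlinks, so nested '..' sequences and a symlink
    pointing outside the root are all compared against the real root.
    """
    root = Path(web_root).resolve()
    try:
        # lstrip('/') so an absolute request such as '/etc/passwd' is still
        # interpreted relative to the web root instead of replacing it.
        candidate = (root / requested.lstrip("/")).resolve()
        candidate.relative_to(root)      # raises ValueError if outside root
    except ValueError:                   # also covers embedded NUL bytes
        return None
    return str(candidate)


if __name__ == "__main__":
    root = "/var/www/html"               # constructed web root
    for req in ("control/control.js", "../../../etc/passwd", "/etc/passwd"):
        print(f"{req!r:24} naive -> {os.path.normpath(vulnerable_resolve(root, req))}")
        print(f"{'':24} safe  -> {safe_resolve(root, req)}")
```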

A Java program called DirBuster uses several threads to search through directories and file names on web and application servers. These days, it’s common to come across something that appears to be a web server in its normal installation state but actually contains hidden pages and applications. DirBuster searches for these.

Tools of this kind, however, are often only as good as the directory and file lists they ship with. DirBuster's lists were produced differently: they were built from scratch by searching the Internet and collecting the directory and file names that developers actually use. With nine distinct lists included, DirBuster is very effective at locating hidden files and folders. On top of that, it can fall back to a pure brute-force mode, which leaves no hiding place for files and directories that the lists miss.
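On the defender's side, the behaviour just described, a burst of requests for paths that mostly do not exist, is easy to spot in a web server's access log. The following is an added Python example and not part of the original post; the log lines, addresses and user-agent string are constructed and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Combined Log Format (Apache/Nginx default); only the fields the detection needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: 10.0.0.5 behaves like a wordlist scanner (mostly 404s, one hit on /control), 10.0.0.9 like a browser.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /cgi-bin HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /control HTTP/1.1" 200 512 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /old HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
10.0.0.9 - - [10/Mar/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:09 +0000] "GET /missing.png HTTP/1.1" 404 196 "http://example.test/" "Mozilla/5.0"
""".splitlines()

def parse_line(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_enumerators(lines, min_not_found=3, min_ratio=0.5):
    """Return {ip: (total, not_found, distinct_paths)} for clients with at least
    `min_not_found` 404s making up at least `min_ratio` of their requests.
    Both thresholds matter: a browser fetching one missing image is not a scan."""
    per_ip = defaultdict(lambda: {"total": 0, "nf": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip, do not crash
        s = per_ip[rec["ip"]]
        s["total"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == 404:
            s["nf"] += 1
    return {ip: (s["total"], s["nf"], len(s["paths"]))
            for ip, s in per_ip.items()
            if s["nf"] >= min_not_found and s["nf"] / s["total"] >= min_ratio}

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))   # {'10.0.0.5': (5, 4, 5)}
```

Thresholds need tuning per site: a single virtual host that returns 404 for every favicon or a broken link farm will look noisier than this constructed sample.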

1. Initial Setup & Reconnaissance

I started by running an nmap scan on the target machine to identify open ports and services. Key services found included SSH, SMTP, and HTTP. I emphasized the importance of taking thorough notes throughout the entire process.

Conceptual nmap command: nmap -sV -p- <target_IP>

2. Flag 1 (SMTP)

The first flag was found by connecting to the SMTP server (port 25) using netcat.

Command: nc <target_IP> 25

A string was returned, which, when decoded, revealed the first flag.

Conceptual decoding: once the string is obtained, I would typically use echo "string" | base64 -d or a similar decoding method, depending on the encoding.

3. Flag 2 (Directory Traversal – Control Page)

The second flag was obtained through directory traversal using a tool like Dirbuster. Although I didn’t run it live due to time constraints, Dirbuster, with a “big wordlist,” was used to find a directory named “control”.

Conceptual dirbuster or gobuster command: gobuster dir -u http://<target_IP> -w /path/to/wordlist.txt

Navigating to this “control” page in a browser and viewing the page source revealed the second flag hidden within the HTML.

4. Flag 3 (Directory Traversal – Control.js)

The third flag was found by navigating to a file named “control.js” within the “control” directory (again, discoverable with Dirbuster). The flag was located directly within this JavaScript file.

5. Discovering a New Domain (dontstop.me.ctf)

While exploring the “control.js” file (or through further Dirbuster scans), a new domain was discovered: dontstop.me.ctf. This domain needed to be added to my local /etc/hosts file to be accessible.

Conceptual command to edit /etc/hosts: echo "<target_IP> dontstop.me.ctf" | sudo tee -a /etc/hosts

Accessing this domain in a browser revealed a forum.

6. Exploring the Forum & Finding Another Domain (missile.dontstop.me.ctf)

I mentioned trying XSS and SQL injection on the forum, but it wasn’t vulnerable to SQL injection. The forum also had a login attempt limit to prevent brute-forcing.

By forcing SQL error messages (e.g., using Burp Suite’s Intruder to send various SQL payloads), a new domain was revealed in the error output: missile.dontstop.me.ctf. This new domain also needed to be added to the /etc/hosts file.

Conceptual Burp Suite Intruder usage: send a request to the forum’s login, select the username/password fields as insertion points, and use SQL injection payloads from a wordlist. Look for error messages in the responses.

7. Flag 4 (Missile Game & Octal Code)

Navigating to missile.dontstop.me.ctf led to a missile game. Playing the game wasn’t necessary to find the flag. Using Dirbuster on this new domain revealed a directory, likely “textures”.

Within the game’s JavaScript file (game.js, found via Dirbuster), a path was revealed that the server redirects to upon failing the game. Following this path led to a new page. Running Dirbuster again on this new path revealed another “textures” directory.

Inside “textures”, navigating to skybox/down_clogs_and_peas.dat (or a similar path) revealed an octal encoded string. Decoding this octal string (using an online tool like “Fox Editor”) yielded the fourth flag.

8. Discovering Yet Another Domain (hexgl.dontstop.me.ctf)

After getting the fourth flag, exploring the directories found by Dirbuster (specifically a directory found alongside “textures”) led to a file hexgl/game-playing.js. Inspecting this JavaScript file revealed another domain: hexgl.dontstop.me.ctf. This domain was also added to the /etc/hosts file.

Conceptual /etc/hosts update: echo "<target_IP> hexgl.dontstop.me.ctf" | sudo tee -a /etc/hosts

9. Accessing a Terminal & Finding an Image

Navigating to hexgl.dontstop.me.ctf presented a terminal-like interface that required a password. The password was simply the domain name itself (hexgl.dontstop.me.ctf). Once authenticated, I could run commands. I used grep * to list directories, which revealed another domain/path.

Command (in the web terminal): grep *

Navigating to this new path showed a page that refreshed every second, displaying different images. One of these images, “King Mecosta,” was important.

10. Extracting Credentials from Image & Hash Cracking (Towards Flag 5)

The “King Mecosta” image contained a Base64 encoded comment. Decoding this Base64 string revealed a username and a password hash.

Conceptual decoding of image comment: echo "base64_string_from_image_comment" | base64 -d
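Steps 2, 7 and 10 each recover a flag by decoding a blob: Base64 from the SMTP banner and the image comment, octal from the .dat file. The Python helper below is an added example, not from the original post: it identifies which of those encodings a blob uses and decodes it, rejecting values that cannot be bytes. The sample strings are constructed and are not the lab's flags.

```python
import base64
import binascii
import re

# Encodings met in this lab: Base64 (SMTP banner, image comment) and octal
# (the .dat file), the latter as "\NNN" escapes or whitespace-separated values.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
OCT_ESC_RE = re.compile(r"\\([0-7]{1,3})")
OCT_GROUPS_RE = re.compile(r"^[0-7]{1,3}(?:\s+[0-7]{1,3})*$")

def detect_encoding(text):
    """Return 'octal', 'base64' or 'unknown' for a blob (octal is tested first)."""
    t = text.strip()
    if OCT_ESC_RE.search(t) and not OCT_ESC_RE.sub("", t).strip():
        return "octal"                  # nothing but \NNN escapes and whitespace
    if OCT_GROUPS_RE.match(t):
        return "octal"                  # e.g. "106 154 141 147"
    if B64_RE.match(t) and len(t) % 4 == 0:
        return "base64"
    return "unknown"

def decode_blob(text):
    """Decode a recovered blob to text; raises ValueError when it is not decodable."""
    t = text.strip()
    kind = detect_encoding(t)
    if kind == "octal":
        digits = OCT_ESC_RE.findall(t) if "\\" in t else t.split()
        values = [int(d, 8) for d in digits]
        if any(v > 0xFF for v in values):
            raise ValueError("octal value larger than one byte")
        raw = bytes(values)
    elif kind == "base64":
        try:
            raw = base64.b64decode(t, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"invalid base64: {exc}") from exc
    else:
        raise ValueError("unrecognised encoding")
    return raw.decode("utf-8")          # UnicodeDecodeError is a ValueError too

if __name__ == "__main__":
    # Constructed samples, not the lab's real flags.
    for blob in ("RmxhZ3tva30=", "106 154 141 147 173 157 153 175", r"\106\154\141\147"):
        print(f"{blob!r}: {detect_encoding(blob)} -> {decode_blob(blob)}")
```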

I saved this hash to a file and used John the Ripper (with the rockyou.txt wordlist) to crack it.

Conceptual john command: john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

The cracked password was “tenstars”.

Video Walkthrough | Part one

Video Walkthrough | Part two

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
