2024 Business CTF - Vault of Hope: Survivor

Challenge Information

Attribute    Details
Event        2024 Business CTF - Vault of Hope
Category     Full Penetration Test
Challenge    Survivor
Difficulty   Hard

Summary

Survivor is a full penetration test challenge targeting an Ubuntu Linux server with SSH and HTTP services exposed. The challenge requires port scanning, service enumeration, vulnerability identification, and exploitation to achieve remote code execution and system access. Participants must navigate through multiple attack vectors to compromise the target system.


Analysis

Initial Reconnaissance:

  1. Port Scanning:

    nmap -sC -sV 10.129.231.187

    Results:

    • Port 22: OpenSSH 8.9p1 Ubuntu 3ubuntu0.7
    • Port 80: nginx 1.18.0 (Ubuntu)
    • Service info: Ubuntu Linux
  2. Service Details:

    • SSH running on standard port 22
    • HTTP server redirecting to survivor.htb hostname
    • nginx 1.18.0 (potential version-based vulnerabilities)
  3. Port Discovery:

    • Full TCP port scan reveals only ports 22 and 80 open
    • No obvious RDP or other remote access services

Solution

Phase 1: HTTP Enumeration

  1. Virtual Host Resolution:

    echo "10.129.231.187 survivor.htb" >> /etc/hosts
    curl http://survivor.htb
  2. Web Content Discovery:

    # Fetch the response headers, then the page body, and analyze both
    curl -I http://survivor.htb
    curl -s http://survivor.htb
  3. Directory Brute-Forcing (if needed):

    gobuster dir -u http://survivor.htb -w /usr/share/wordlists/dirb/common.txt

Phase 2: SSH Enumeration

  1. SSH Banner Grabbing:

    ssh -v survivor.htb
    # Reveals: OpenSSH 8.9p1 Ubuntu 3ubuntu0.7
  2. Check for Known SSH Vulnerabilities:

    • OpenSSH 8.9p1 is relatively recent with limited known exploits
    • Password-based brute-forcing may be necessary
  3. Username Enumeration:

    # Attempt common usernames: root, administrator, ubuntu, survivor
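The password brute-forcing that Phase 2 anticipates is loud on the target side. As an added example that is not part of the original writeup, the script below shows what a defender on an Ubuntu host would look for: it counts "Failed password" sshd entries per source IP over auth.log-style lines and reports whether sshd_config still permits password logins. The log lines are constructed sample data, and the threshold of 5 is an assumption.

```shell
#!/bin/sh
# Added example, not the challenge's own material. Constructed sshd log lines
# in the style of /var/log/auth.log; the IPs and usernames are made up.
SAMPLE_LOG='Jun 12 10:01:02 survivor sshd[1201]: Failed password for invalid user administrator from 10.10.14.5 port 51000 ssh2
Jun 12 10:01:03 survivor sshd[1203]: Failed password for root from 10.10.14.5 port 51002 ssh2
Jun 12 10:01:04 survivor sshd[1205]: Failed password for ubuntu from 10.10.14.5 port 51004 ssh2
Jun 12 10:01:05 survivor sshd[1207]: Failed password for survivor from 10.10.14.5 port 51006 ssh2
Jun 12 10:01:06 survivor sshd[1209]: Failed password for invalid user admin from 10.10.14.5 port 51008 ssh2
Jun 12 10:02:10 survivor sshd[1300]: Accepted publickey for deploy from 192.168.1.20 port 40000 ssh2: ED25519 SHA256:constructed
Jun 12 10:03:11 survivor sshd[1350]: Failed password for deploy from 192.168.1.20 port 40010 ssh2'

# flag_ssh_bruteforce [THRESHOLD]
# Reads log text on stdin and prints "ip count" for every source IP with at
# least THRESHOLD (default 5, an assumed value) failed password attempts.
flag_ssh_bruteforce() {
    threshold="${1:-5}"
    grep 'sshd\[[0-9]*\]: Failed password for' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c \
    | awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# password_auth_enabled
# Reads an sshd_config on stdin and prints "yes" or "no". sshd uses the first
# occurrence of a keyword, and PasswordAuthentication defaults to yes when
# the keyword is absent, so a commented-out line still means "yes".
password_auth_enabled() {
    awk 'tolower($1) == "passwordauthentication" && !seen { v = tolower($2); seen = 1 }
         END { r = (v == "no") ? "no" : "yes"; print r }'
}

# Stand-alone run over the constructed sample: reports 10.10.14.5 with 5 failures.
printf '%s\n' "$SAMPLE_LOG" | flag_ssh_bruteforce 5
```

Pointing the first function at a real auth.log (or `journalctl -u ssh`) output and the second at /etc/ssh/sshd_config gives a quick check of whether the brute-force path in Phase 2 is even open on a host.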

Phase 3: Web Application Exploitation

Depending on the web application discovered:

  1. Identify Technologies:

    • nginx 1.18.0
    • Backend technology (PHP, Node.js, Python, etc.)
  2. Look for Common Vulnerabilities:

    • SQL Injection
    • Cross-Site Scripting (XSS)
    • Command Injection
    • Arbitrary File Upload
    • Path Traversal
  3. Exploit Web Vulnerabilities:

    • Execute remote code if applicable
    • Establish reverse shell connection

Phase 4: Credential Discovery

  1. Default Credentials Testing:

    • Common default credentials for services found
    • Weak password patterns
  2. Credential Extraction:

    • From web application databases
    • Configuration files
    • Application source code

Phase 5: Initial Access

Options depending on discovered vulnerabilities:

  1. Web-Based RCE:

    # Execute command injection or PHP injection
    # Establish reverse shell
  2. SSH Access:

    # Use discovered/brute-forced credentials
    ssh user@survivor.htb
  3. File Upload Exploitation:

    # Upload shell if file upload vulnerability exists

Phase 6: Privilege Escalation

  1. Initial User Enumeration:

    whoami
    id
    groups
  2. Sudo Capabilities:

    sudo -l
  3. Kernel Exploits:

    uname -a
    # Check for known Linux kernel vulnerabilities
  4. SUID Binaries:

    find / -perm -4000 2>/dev/null
  5. Privilege Escalation Methods:

    • SUDO misconfiguration exploitation
    • Kernel vulnerability exploitation
    • SUID binary abuse
    • Cron job hijacking

Phase 7: Proof of Compromise

Capture system flags:

cat /root/root.txt
cat /home/*/user.txt

Key Techniques

  • Port scanning to identify exposed services
  • Virtual host enumeration for web applications
  • Service fingerprinting to identify software versions
  • Vulnerability research based on identified versions
  • Exploitation of discovered vulnerabilities
  • Reverse shell establishment for interactive access
  • Privilege escalation through system misconfiguration or kernel exploits

Key Takeaways

  • Initial reconnaissance is critical for understanding the attack surface
  • Default credentials and weak passwords should be checked first
  • Service-specific vulnerabilities depend on version information
  • Both web and network-based attack vectors must be considered
  • Privilege escalation often involves finding system misconfigurations
  • Proof of exploitation requires capturing sensitive system files
  • Ubuntu systems typically have SSH and web services as primary entry points
  • Kernel version identification is essential for privilege escalation planning