How did I solve Jeopardy-style CTF challenges to exploit security vulnerabilities to find the flags and prepare the report for my undergrad Skill Test?

Rohit Ray
Aug 29, 2023

Hello Everyone!! I hope you’re all having a good time. Welcome back to my blog channel. Today, I will write a write-up about how I solved jeopardy-style CTF challenges to exploit security vulnerabilities to find the flags and prepare the report for my undergrad Skill Test.

In this CTF challenge, we were given three machines/boxes, namely “EH2Skilltest.ova”, “ubuntu.ova”, and “win.ova”. All three machines have various security flaws/vulnerabilities that we must detect and exploit to acquire access to important information within the time restriction. In this test, we have to follow a CTF style where the sensitive information is represented as flags that must be submitted as proof of exploitation.

The marking will be dictated by the points of each flag. The points may differ based on the technical difficulty in exploiting the vulnerability of the flag.

If you’re ready, let’s get started with our first machine/box.

The Commence:

The “first box” of Skill Test:

1. EH2Skilltest.ova

Let’s start with the first box of the Skill Test, in which we have to find the four flags regarding web challenges.

Figure 1. EH2Skilltest.ova file

First Flag (Examining Directory)

Figure 2. Image Fetch

I’ve accessed the IP address of the target machine and used ways to retrieve the picture.

Figure 3. Intercept data from the Burp Suite

In this case, I have the Burp Suite program active in the background with an interceptor enabled to intercept data from the Burp browser.

Figure 4. First flag of EH2Skilltest.ova box

As seen in the above picture, I located the first of four flags in the “EH2Skilltest.ova” box. To identify the first flag, I examined and researched the system for the files and folders in the root directory, and after that I examined the directory using the command line; the flag is located in the root section.

After that, I accessed the Ubuntu IP address in the Kali browser and intercepted it using Burp Suite, using the picture “path traversal” and pressing the fetch button.

Second Flag (Regarding Web)

Figure 5. Registering username, Email, and password for login as admin
Registered successfully message
Figure 6. Second flag of EH2Skilltest.ova box

In the above figure, I found the second flag of the “EH2Skilltest.ova” box. This is one of the web challenges, and for this challenge I opened localhost in the web browser to look for any type of “login page” or “login as admin” to exploit. After opening localhost, I saw the register option, so I registered, and after registering I logged in with the given username and password, as we can see in figure no. 6 above. Then I found the flag after logging in as admin.

Third Flag (Regarding Web)

Figure 7. Third Flag of EH2Skilltest.ova box through CMD
Figure 8. Third Flag of EH2Skilltest.ova file

In the above figures, I found the third flag of the “EH2Skilltest.ova” box. In figure no. 7 above, I analyzed and researched the system through cmd and examined the directory. I found the flag in the “admin.php” file in the backup directory.

In figure no. 8 above, I found the flag through the web, just by entering “localhost/backup/admin.php” in the URL.

Fourth Flag Using SQLmap

Figure 9. Fourth Flag of EH2Skilltest.ova box

To capture the flag, I have used “SQLmap” to inject SQL and hack the database.

The “Second box” of skill test:

2. Ubuntu.ova

In the second box of the Skill Test, we have the same things to uncover, namely the web-related challenges, but there is only one flag in this box as opposed to our first box.

Figure 10. Ubuntu.ova
Figure 11. Net discovery of the entire network to get the internal IP address and MAC address of live hosts in the network
Figure 12. Network discovery result of the entire network

In figure no. 11 above, I performed the “Netdiscovery” of the entire network “192.168.1.0/24” to get the internal IP address and MAC address of live hosts in the network. In figure no. 12 above, I got the net discovery result of the entire network, in which I found the two open ports, “21/tcp” and “80/tcp”. Next, I attempted to see whether there is an FTP anonymous login.

Figure 13. php-reverse-shell.php file

After downloading the “php-reverse-shell.php” file, I opened and edited it with Mousepad. While editing, I changed the IP address to that of my Kali machine, which is “192.168.1.79,” and also changed the port number to “2345,” as shown in the figure below.

Figure 14. Editing of IP address and Port number with mousepad
Figure 15. ftp connection and execution

In figure no. 15 above, I executed the “ftp <IP address>” command. The connection to the Ubuntu IP address was established over the given network, and the TLS dialog box welcomed us. Then I logged into the system as “Anonymous”; the remote system type is “UNIX.” After that, I executed the command “put php-reverse-shell.php” to upload the file to the Anonymous folder.

Then, we use the Netcat tool to listen on the same IP address and port that we specified in the reverse shell.

Figure 16. php-reverse-shell.php file uploaded in the anonymous folder

After that, I opened the URL “192.168.1.82/FTP/,” which uses the IP address of the Ubuntu system. We can now listen in the Netcat tool after clicking on the php-reverse-shell.php file in the web browser.

Figure 17. First Flag of Ubuntu.ova box

We can now access the terminal of the Ubuntu system using a reverse shell script. We can see the “flag.txt” file and look at the flag. While looking through additional folders, I discovered another flag.txt in the “/home/test/” directory. And we can observe both flags mentioned previously.
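From the defender's side, the sequence above (an anonymous FTP upload of a script, then an HTTP request for the same file under “/FTP/”) leaves a trace in two logs that can be correlated. The following is an added example, not code from the original post; it assumes the FTP server writes xferlog-format entries and the web server writes Apache common-format entries, and the log lines are constructed samples.

```python
import re
from datetime import datetime, timedelta
from pathlib import PurePosixPath
from urllib.parse import unquote

EXEC_EXT = {".php", ".phtml", ".php5", ".phar"}  # assumed list of types the web server executes
WEB_PREFIX = "/FTP/"  # web path exposing the FTP root, as in the URL on the page

# Constructed sample logs (xferlog and Apache common log formats are assumptions).
XFERLOG = """\
Thu Aug 24 10:15:02 2023 1 192.168.1.79 5493 /php-reverse-shell.php b _ i a anonymous@ ftp 0 * c
Thu Aug 24 10:20:11 2023 1 192.168.1.50 120 /notes.txt b _ i a anonymous@ ftp 0 * c
Thu Aug 24 10:21:30 2023 1 192.168.1.50 900 /report.php b _ o a anonymous@ ftp 0 * c
"""
ACCESS_LOG = """\
192.168.1.79 - - [24/Aug/2023:10:16:40 +0000] "GET /FTP/php-reverse-shell.php HTTP/1.1" 200 0
192.168.1.50 - - [24/Aug/2023:10:22:00 +0000] "GET /FTP/notes.txt HTTP/1.1" 200 120
"""
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')

def anonymous_script_uploads(xferlog):
    """Return (time, client, path) for completed anonymous uploads of executable types."""
    found = []
    for line in xferlog.splitlines():
        f = line.split()
        if len(f) != 18:
            continue
        # Fields 11, 12, 17: direction, access mode, completion status.
        if (f[11], f[12], f[17]) != ("i", "a", "c"):
            continue  # keep only incoming, anonymous, completed transfers
        if PurePosixPath(f[8]).suffix.lower() in EXEC_EXT:
            when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
            found.append((when, f[6], f[8]))
    return found

def correlate(xferlog, access_log, window=timedelta(hours=1)):
    """Return uploads that were requested over HTTP within `window` of the upload."""
    uploads = anonymous_script_uploads(xferlog)
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, ts, url = m.groups()
        # Assumes both logs use the same time zone; the offset is dropped.
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        path = unquote(url.split("?", 1)[0])
        for up_time, up_client, up_path in uploads:
            delay = when - up_time
            if path == WEB_PREFIX + up_path.lstrip("/") and timedelta(0) <= delay <= window:
                hits.append((up_path, up_client, client, int(delay.total_seconds())))
    return hits
```

A hit here means the FTP upload directory is both writable by anonymous users and served by a script-executing web server; removing either property closes the path.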

The “Third box” of skill test:

3. Win.ova

In the third box of the Skill Test, we have the same things to uncover, namely the web-related challenges, but there are two flags in this box as opposed to our first box and second box.

Figure 18. Win.ova file
Figure 19. Target System (Win 7)

This is our target system, and I need to pwd it in order to highlight any instances where a password has not been provided.

Figure 20. Full scan of Windows 7

In this case, I utilized Nmap tools to scan the IP address of a Windows system.

Figure 21. Use Metasploit to exploit eternalblue

As we all know, Windows 7 is vulnerable to the “eternalblue” attack, so I just used Metasploit to exploit it. I utilized one of the exploit modules that is already in the database.

Figure 22. set RHOSTS
Figure 23. Exploit

I’ve configured the remote host machine, i.e., the target system’s IP address, and exploited it. Finally, a meterpreter session for Windows 7 is available.

Figure 24. First Flag of win.ova file

In the above figure, I found the first flag of the “win.ova” box by using the cat command. Then I tried to capture the flag in “flag_admin.txt,” but the attempt showed the message “cannot access a file/permission denied.” After that, I allowed permission for the “flag_admin.txt” file.

Figure 25. Second Flag of win.ova box

We eventually got the flag after we established the permission.

Final Reflections:

Participating in the “CTF” challenges was a genuinely great experience, and we learned a lot. As you can see, we have completed all the boxes/machines containing various security flaws/vulnerabilities that we detected and exploited to acquire access to important information, which was provided by our Ethical Hacking Prof “Suyash Nepal” in our undergrad skill test. I hope you enjoyed it and learned new techniques.

You can follow me on Social Media:

LinkedIn: https://www.linkedin.com/in/rohit-ray-19284b232/

GitHub: https://github.com/rohit273

Twitter: https://twitter.com/RHittttt

Instagram: https://www.instagram.com/ro_hit.exe/

Please follow and subscribe for more awesome upcoming blogs.
