Impact Hunt Solution

CTF

Network Scanning

Let's discover the target machine IP using the Information Gathering RPT.

Now we have our IP address, 10.27.34.75, and the test has also discovered the target machine's open ports and running services.

Since port 80 is open on the target machine, let's open its IP address in the browser.

Nothing interesting there, just a hint asking us to dig deeper into the source.

Web Application Information Gathering

Let's go back to Core Impact and move to the Web Apps vector, where we'll gather information about the available websites:

  1. Launch the Web Applications Information Gathering RPT.
  2. Create a new scenario named Legendary Kings.
  3. Choose Crawl a known web application. Click Next.
  4. Choose Automatic Web Crawling with the URL http://10.34.27.75. Click Next.
  5. Continue with the default options through the wizard. Click Finish.
  6. A single URL is discovered: http://10.34.27.75
  7. Remember the hint. Right-click the URL and select the option Request Page.
  8. You will find some more information in the source code.
  9. You just discovered the first flag, Get my name: arthur

Enumeration: Find the Lock

Now it's time to find the lock we need to open with that user. Since the Network Information Gathering RPT discovered only port 80, let's look deeper to check whether there's any other hidden port that we missed.

  1. Let's go back to the Network tab and drag and drop the Information Gathering Network RPT onto the 10.27.34.75 host.
  2. In the Network Scan type wizard screen, select Custom. Click Next.
  3. Check the option Port scanning options. Click Next.
  4. Select the tcp-all port range in the TCP Ports selection option. Click Finish.
  5. You just discovered the second flag, Find the hidden lock: 19239

Attack: Penetrate the System

Let's perform a brute force attack on that port with the user arthur.

  1. Drag and drop the SSH Identity Verifier module onto the host 10.27.34.75.
  2. Set the parameter Deploy Agent to true.
  3. Configure the parameters for identities selection. Click Ok.
  4. A new agent has been deployed on the target asset using the user arthur and the password england.
  5. Let's connect through the shell and grab the flag:
     a. Right-click the newly deployed agent and select the option Shell.
     b. Access the bash shell using su - arthur with the password: england
     c. Enumerate the files using ls
     d. Display the flag using cat excalibur-flag
  6. You just discovered the third flag, Open the lock: excalibur
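
A defender's view of the password guessing in this section, as an added example that is not part of the original walkthrough or of Core Impact: it scans sshd authentication log lines for an accepted password login that follows a burst of failures from the same source. The log lines, the host name camelot, the user merlin, the addresses and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH syslog format. The "port" field is the client's
# source port, so running sshd on a high port such as 19239 does not change
# these lines or hide the guessing from the auth log.
SAMPLE_LOG = """\
Mar 14 10:02:01 camelot sshd[2101]: Failed password for arthur from 192.0.2.10 port 40112 ssh2
Mar 14 10:02:03 camelot sshd[2101]: Failed password for arthur from 192.0.2.10 port 40112 ssh2
Mar 14 10:02:05 camelot sshd[2103]: Failed password for arthur from 192.0.2.10 port 40118 ssh2
Mar 14 10:02:07 camelot sshd[2103]: Failed password for arthur from 192.0.2.10 port 40118 ssh2
Mar 14 10:02:09 camelot sshd[2105]: Failed password for arthur from 192.0.2.10 port 40124 ssh2
Mar 14 10:02:11 camelot sshd[2105]: Failed password for arthur from 192.0.2.10 port 40124 ssh2
Mar 14 10:02:14 camelot sshd[2107]: Accepted password for arthur from 192.0.2.10 port 40130 ssh2
Mar 14 10:30:40 camelot sshd[2290]: Failed password for merlin from 198.51.100.7 port 51802 ssh2
Mar 14 10:30:52 camelot sshd[2290]: Accepted password for merlin from 198.51.100.7 port 51802 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def find_guessed_logins(log_text, threshold=5, window_s=600, year=2024):
    """Return (ip, user, failures) for every accepted password login preceded by
    at least `threshold` failures for that user from that IP within `window_s`
    seconds. Syslog timestamps carry no year, so one is assumed."""
    failures = defaultdict(list)   # (ip, user) -> timestamps of failed attempts
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue               # not a password authentication event
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append((m["ip"], m["user"], len(recent)))
        failures[key].clear()      # a success starts a fresh count for this pair
    return alerts

if __name__ == "__main__":
    for ip, user, count in find_guessed_logins(SAMPLE_LOG):
        print(f"ALERT: {user} logged in from {ip} after {count} failed passwords")
```

The single mistyped password for merlin stays below the threshold, while the run of failures for arthur followed by a success is reported.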

Privilege Escalation: Gain the Throne

It's time to gain the throne and get root access to the system.

  1. Drag and drop the Local Information Gathering module onto the host 10.27.34.75 using the default options.
  2. The system is Linux Ubuntu 14.04. Let's look for local exploits for that system.
  3. Let's use the Linux Overlayfs Local Privilege Escalation Exploit to get root access to the system.
  4. Now it's time to get the flag:
     a. Right-click the newly deployed agent and select the option Shell.
     b. Navigate to the /root folder.
     c. Enumerate the files using ls
     d. Display the flag using cat root-flag
  5. You just discovered the fourth flag, Gain the throne: Welcome to Camelot!