« back

KAAF:The Dementia

CTF, CyberSecurity, TryHackMe, hackthebox

Table of contents #

KAAF : The Dementia #

The easiest CTF for beginners #

Download

Note*:Summary writeup some steps were skipped …

alt text

Task 1: Reconnaissance & Scanning #

Question #1:  #

gobuster dir -u http://10.0.2.5 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Results :

/ftp                  (Status: 301) [Size: 302] [--> http://10.0.2.5/ftp/]

Manual checking we get

/ftp/upload/

Question #2: #

nmap -T4 -A -v -Pn  10.0.2.5

Results:

ORT     STATE SERVICE       VERSION

21/tcp   open  ftp           vsftpd 2.0.8 or later

| ftp-syst: 

|   STAT: 

| FTP server status:

|      Connected to ::ffff:10.0.2.4

|      Logged in as ftp

|      TYPE: ASCII

|      No session bandwidth limit

|      Session timeout in seconds is 300

|      Control connection is plain text

|      Data connections will be plain text

|      At session startup, client count was 3

|      vsFTPd 3.0.3 - secure, fast, stable

|_End of status

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

| drwxrwxrwx    2 33       33           4096 Apr 20 18:36 upload [NSE: writeable]

|_-rw-r--r--    1 33       33             49 Mar 29 22:51 vvv.txt

22/tcp   open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey: 

|   3072 e7:26:d1:3f:6e:7f:cb:f4:34:98:98:33:57:86:1b:8e (RSA)

|   256 38:6a:fc:16:b1:67:f6:ba:96:88:db:09:8e:6a:a8:83 (ECDSA)

|_  256 92:67:9d:d1:c3:0d:1d:b0:84:df:d6:44:7f:6b:c9:60 (ED25519)

80/tcp   open  http          Apache httpd 2.4.41 ((Ubuntu))

| http-methods: 

|_  Supported Methods: POST OPTIONS HEAD GET

|_http-title: Site doesn't have a title (text/html).

|_http-server-header: Apache/2.4.41 (Ubuntu)

3389/tcp open  ms-wbt-server xrdp

Service Info: Host: Fahd; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Conclusion : ftp misconfiguration that allows anon login

Answer:ftp

Question #3: #

Answer:21

Task 2 : Boot To Root #

Question #1: #

Answer:anonymous:anonymous

Question #2: #

Answer: vvv.txt

Question #3:

Answer: www-data

Question #4: #

Check the premission of the above user ,from www-data user  we need to have access with root privileges and capturing flags in user and root .  as we find earlier that we have misconfiguration in sudeors that lead that www-data can run env binary program using sudo without root password

More details:

https://gtfobins.github.io/gtfobins/env/

Trick: To get user flag we need to get the root access first

User flag in

/home/kaaf/

Question #5: #

Root flag :

/root/root.txt