The Ether: CTF walkthrough
Name: The Ether: EvilScience
Date release: 26 Oct 2017
Note: the VM from Vulnhub has an issue. You have to download the VM from this updated link (from the author's website): here
We use arp-scan to find the IP address of the VM.
Then, we scan the VM to find open ports and running services.
Remote command execution
After a few scans and some research with the OWASP-Zap tool, I found that we are able to read the content of the auth.log file, where SSH connection information is stored.
We can poison this log file with the following connection attempt.
Then, to check if we have an RCE we can execute this query.
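An added example (not part of the original walkthrough): a defender-side check that scans auth.log for the poisoning described above, where the SSH username field carries script markup instead of an account name. The log lines, host name and addresses are constructed sample data, and the function names are hypothetical.

```python
import re

# sshd copies the client-supplied username into auth.log, so the "user" field
# is attacker-controlled text. Match the two common failed-login line shapes.
SSHD_USER = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>.*?) from (?P<ip>[0-9A-Fa-f:.]+)(?: port \d+)?"
)
# Conservative shape of a legitimate Unix account name.
VALID_USER = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}\$?")
# Markers of script embedded in the field (PHP, ASP/JSP, HTML script tags).
SCRIPT_MARKER = re.compile(r"<\?|<%|<script", re.IGNORECASE)

def classify(user):
    """Return None for a plausible account name, else a reason string."""
    if SCRIPT_MARKER.search(user):
        return "script-tag"
    if not VALID_USER.fullmatch(user):
        return "malformed-username"
    return None

def find_poisoned_entries(lines):
    """Return (line_number, source_ip, username, reason) for suspicious lines."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = SSHD_USER.search(line)
        if not match:
            continue  # not an sshd failed-login line
        reason = classify(match.group("user"))
        if reason:
            findings.append((number, match.group("ip"), match.group("user"), reason))
    return findings

# Constructed sample lines (hypothetical host and documentation-range addresses).
SAMPLE_LOG = [
    "Oct 26 10:01:12 host sshd[1201]: Failed password for root from 192.0.2.10 port 51234 ssh2",
    "Oct 26 10:02:40 host sshd[1207]: Invalid user deploy from 192.0.2.10 port 51240",
    "Oct 26 10:03:05 host sshd[1213]: Invalid user <?php /* constructed marker */ ?> from 203.0.113.7 port 40022",
    "Oct 26 10:03:09 host sshd[1213]: Failed password for invalid user <?php /* constructed marker */ ?> from 203.0.113.7 port 40022 ssh2",
    "Oct 26 10:03:30 host sshd[1220]: Invalid user john smith from 198.51.100.4 port 40100",
    "Oct 26 10:04:00 host CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    for finding in find_poisoned_entries(SAMPLE_LOG):
        print(finding)
```

Detection aside, the poisoned entry only becomes code execution because the web application can include auth.log, so the file should not be readable by the web server account.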
From RCE to reverse shell
For this CTF I will use the web_delivery exploit from the Metasploit Framework.
I changed the SRVPORT (default 8080 is used by OWASP-Zap), the PAYLOAD (PHP instead of Python), the LHOST and the TARGET (for a PHP payload) parameters.
Finally, we execute the PHP command to gain a reverse shell.
Let’s get a TTY with low privilege.
A weird Python script can be found in the /var/www/html/theEther.com/public_html directory.
Moreover, we can execute this script with root privileges without a password.
Plus, this script executes the cat command, so we are able to run any command we want with root privileges.
We upload and execute a reverse shell on the system.
We read the flag hidden in a PNG file.
Finally, we decode the base64 flag.