Piecing together Potter and the Portal of Secrets

K2squared
12 min read · Apr 5, 2021

Creating vulnerable machines was not something my partner and I imagined we were capable of at this point in our career…well we were wrong.

Introduction

Let us start off by saying that we are both aware of how much we still have to learn in this field, which is probably why we didn’t think we were capable of getting this done. This would also explain why being tasked with creating a network of VMs to be exploited as a final project was initially daunting. After 12- to 13-hour days for the last 11 days, we’re happy to report that it’s possible for anyone who has just begun to exploit vulnerable machines.

One of the first challenges we faced was simply starting the task. It was easy to get caught up in not knowing where to begin. So we started with basics. Who was our target audience? New students to cybersecurity pentesting. What kind of OS did we want? Linux. What type of vulnerabilities did we want to showcase? Web exploits. Theme? Well, who doesn’t love Harry Potter, or at least know the story of Harry Potter? We also knew that we wanted to incorporate capture-the-flag questions within the boxes, as a way to keep students on their toes and help them stay on the right path, a hand-holding of sorts. Why? Well, when we first started our journey we were introduced to the Alpha box through OffSec, and while we learned a lot, we were still overwhelmed and defeated.

From our experience during our hack-a-thon, CTFs provided structure and confirmation that we were on the right track. We wanted to make sure the student wouldn’t necessarily end up in a rabbit hole and feel defeated on their first attempt at practicing their new skills.

Voldemort’s back

Our story begins with the student being informed that they are to assume the role of Voldemort and that they are on the hunt for Harry Potter. He’s located the Gryffindor common room at the IP address 192.168.107.7. This is where the student will begin their journey.

Homepage to 192.168.107.7

Proper reconnaissance will require the student to “view page source”; in doing so they will find the following clue.

A quick click over to CyberChef to decode the message using ROT13 with an amount of 22 turns it into “have_you_found_the_magickal_portal_yet.” A quick play on words will hopefully push the student to head over to their trusty tools nmap, dirb and nikto (if they haven’t done so already) to figure out what services are running on their “portals”.

The student will then find that there are a few services open, along with a web server: VSFTP is open on port 21, SSH is open on port 22, port 80 seems to have Apache httpd running, port 8080 seems to be where the Gryffindor Study Room is located, and port 27016 seems to have a login page.

192.168.107.7:8080 : Gryffindor Study Room Home page

I know we said we wanted to keep it simple but isn’t half the fun of a vulnerable machine figuring out your entry point? I mean as long as it doesn’t end up down a rabbit hole….

A quick recon of “view page source” leads them to their next flag, “sometimes things don’t start how you expect.”

192.168.107.7:8080 html

Since a web server is running, the student should be prompted to use dirb to enumerate the directories and perform a nikto scan to discover any vulnerabilities within the web server.

dirb scan on 192.168.107.7
nikto scan on 192.168.107.7

The dirb scan will not reveal any new directories to inspect, but their nikto scan will reveal a humans.txt; unfortunately they will not locate any flags or clues there.

Should the student pay attention to the URL bar while clicking through the study room buttons on 192.168.107.7:8080, they will notice that the study rooms are only listed by number, not by study room name, which should prompt them to check for hidden pages. They can get there by editing the URL to view the studyroom directory; directory listing has not been disabled, so they will stumble upon a file named “7”. This is meant to teach the student that leaving directory listings enabled allows unintended users to access sensitive files.

Heading over to page 7 and “view page source” leads them to their next clue.

192.168.107.7:8080/studyroom/7?

A quick click over to their best friend CyberChef (the Magic wand, or simply Morse code to hex) and another click will get them “neville, please update the charms on marauder’s map. You’ll need your REMEMBRALL to write your spells.” Hmm, interesting: we now have a possible user, Neville, and a possible password. Exposing students to this information shows them how information can be encoded or encrypted and left in plain sight, but that anyone can find a way to decode the message and access the sensitive information.

The student now has credentials to test, with either SSH or FTP, showing how a system is vulnerable to an attack due to user error. Reusing passwords is a legitimate problem and often the way attackers gain access to a system. The student does have access to log in through FTP but won’t find anything of importance.

The student will then attempt to log in over SSH, and be taken to the directory for port 27016. After some enumeration with “ls -la” they will notice that the directory 27016/files is writeable. They will also notice two hidden files, “.aparecium” and “.portkey”, that have read and write permissions but are only accessible to Potter.

At this point the student should begin to think about privilege escalation, and recall that the clue that provided the credentials also mentioned that Neville needed to write spells. After a deeper inspection of the files in the directory, the student should realize they have the ability to write files in that directory. A file “example.php” has been provided with a flag to help nudge them in the right direction. It should set a light bulb off and have them start thinking about how to get a shell with PHP in this directory: a local file inclusion.

To exploit this local file inclusion vulnerability, the student will first need to serve a php-reverse-shell.php file over a Python simple HTTP server from their host machine, and use the “wget” command on the target to retrieve the file.

Once the file has been edited, the student will set up a listener on the host machine and request the file in the URL bar to initiate the reverse shell.

Their new shell will not provide them access to the “.aparecium” or “.portkey” files, but through further enumeration they will find that they have access to both the /etc/passwd and /etc/shadow files.

The student is now faced with figuring out how to use the information provided to them. A quick search should lead them to John the Ripper to crack the hash. After proper execution they will get the password for potter, demonstrating how commonly used passwords are easy to crack.

The student has finally gained access to Potter’s credentials, and therefore access to the “.aparecium” and “.portkey” files.

The student is informed that while they made it to a privileged account, they are unfortunately too late. The file “.aparecium” informs the student that Potter has been moved, and they are told to locate the Marauder’s Map. Dumbledore’s phoenix, Fawkes, is also mentioned.

The file “.portkey” nudges the student towards an “entrance” that will “PULL” them over to the safehouse, and on the side displays the numbers “4444”.

Upon further inspection of the current directory “/var/www/html/27016”, the student locates the “map”, yet inspecting it through the command line would be too cumbersome.

The student would then head over to 192.168.107.7:27016. A login page will distract them a bit and take them down a small rabbit hole as they attempt to use the credentials they’ve located, but it will not lead them to anything.

Another inspection of the “view page source” will provide them with another hint to nudge them back into the right direction.

“Sounds like dobby” is a hint nudging them toward another dirb scan, this time with port “27016” at the end.

The dirb scan will display the map and password files. A nikto scan would also reveal them.

Once the student heads to 192.168.107.7:27016/map they will locate the Marauder’s Map. The map reveals a second, brand-new IP, 192.168.197.222, which happens to be crossing paths with the Potter vulnerable machine.

Next, the student should head to 192.168.107.7:27016/password. The student will find a closed Marauder’s map, and after inspection of the page source code they find another flag.

After converting the hint from decimal to Braille to Reverse, they receive a message: “By now you should know who potter is meeting and where. How to catch up with them? Maybe you can get aunt sester to crack and squawk.”

After reading the files in Potter’s directory, the student should realize the “who” Potter is meeting is Fawkes, and after finding the Marauder’s Map they should now know the “where”. The only question left to solve is the how. The reference to “Aunt Sester” is actually “ancestor”, which is a clue pointing to an image on port 8080’s History of Magic page. If they follow the clue to “view page source”, they’ll find another clue.

CyberChef will only give them half the clue: they are provided what looks like a username and a hash. A quick Google search for a hash cracker gives them the final piece, a password. Yet again this shows the student how even hashed passwords without proper salting can be cracked through brute force.
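To make the lesson behind the shadow-file crack and the unsalted hash concrete, here is an added example (not the authors’ code or any tool used on the box) that compares the attacker’s cost against unsalted MD5 and against a salted PBKDF2 hash; the wordlist, usernames and password are constructed.

```python
import hashlib
import os

# Constructed wordlist standing in for the common passwords a cracker tries first.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "summer2021"]
ITERATIONS = 50_000  # PBKDF2 work factor; real deployments use more

def unsalted_hash(password):
    """Plain MD5, the kind of bare hash the walkthrough's hint exposes."""
    return hashlib.md5(password.encode()).hexdigest()

def lookup_table(wordlist):
    """Precompute hash -> plaintext once; reusable against every unsalted victim."""
    return {unsalted_hash(w): w for w in wordlist}

def salted_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt -> (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_salted(candidate, salt, digest):
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS) == digest

def demo():
    """Two users (constructed) picked the same weak password; compare attacker cost."""
    users, password = ["neville", "potter"], "summer2021"
    # Unsalted: build the table once (5 hashes), then each victim is a dict lookup.
    table = lookup_table(COMMON_PASSWORDS)
    unsalted = {u: table.get(unsalted_hash(password)) for u in users}
    # Salted: the table is useless; every victim costs a fresh pass over the wordlist.
    stored = {u: salted_hash(password) for u in users}
    salted, tries = {}, 0
    for u, (salt, digest) in stored.items():
        for word in COMMON_PASSWORDS:
            tries += 1
            if verify_salted(word, salt, digest):
                salted[u] = word
                break
    return {
        "unsalted": unsalted, "unsalted_hashes": len(COMMON_PASSWORDS),
        "salted": salted, "salted_hashes": tries,
        # Same password, different digests: no cross-user shortcut either.
        "same_digest": stored["neville"][1] == stored["potter"][1],
    }

if __name__ == "__main__":
    print(demo())
```

Salting does not rescue a weak password, as the salted run still recovers it; it only removes the one-table-for-everyone shortcut, so the real fix is a strong password stored with a slow, salted hash.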

A new username, password and a new path sets our student on the final leg of their journey.

With a new vulnerable machine the student is to begin reconnaissance again.

An nmap scan reveals a single service running: port 21 is running FTP with anonymous FTP enabled. The student will naturally try anonymous FTP first, but unfortunately for them will find that they have limited access. The student will then attempt the new credentials they’ve found, “Pheonix:Wizards”, and will gain access.

Looking through the directory and pulling the files will provide them with a few clues on their next step, and easter eggs for their CTF.

The file “bashtheforgetdont” provides them with a message, “Potterwatch is being consistently monitored for information that is not being reported by the Wizarding Wireless Network or the The Daily Prophet. A charm has been put into place to pull any important information passing through every 2 minutes…”, along with an encrypted message.

The encrypted message is another hint at the next step, “Neville! Don’t forget to configure it properly so it actually executes this time.”

The title of the file is reversed and should be read as “don’t forget the bash.” All of these clues suggest to the student that there is a cron job scheduled every 2 minutes that pulls a file with a script and executes a command in relation to it. The student will also see a file named “potterwatch.sh”, which should suggest it’s the file to be used. The code we used to get a shell is as follows.
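As a defender’s counterpart to this step (and to the writable 27016/files web directory earlier), here is an added audit script, not the authors’ shell code, that flags cron entries whose referenced files, or the directories holding them, are writable by anyone other than the owner; the crontab lines and scripts are constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile

# A user-crontab line: five schedule fields, then the command.
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<cmd>.+?)\s*$")
# Absolute paths mentioned anywhere in the command.
PATH_RE = re.compile(r"(?<![\w.])(/[\w./-]+)")

def writable_by_others(path):
    """True if group/world can write `path` or its parent dir (replaceable file)."""
    mask = stat.S_IWGRP | stat.S_IWOTH
    for p in (path, os.path.dirname(path)):
        if os.stat(p).st_mode & mask:
            return True
    return False

def audit_crontab(text):
    """(command, path) pairs where the job runs or reads a file others can modify."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        for path in PATH_RE.findall(cmd):
            if os.path.isfile(path) and writable_by_others(path):
                findings.append((cmd, path))
    return findings

def demo():
    """Constructed scenario: one script left world-writable in the FTP-exposed
    directory, one with sane permissions, both scheduled every 2 minutes."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        loose, safe = os.path.join(d, "potterwatch.sh"), os.path.join(d, "safe.sh")
        for p, mode in ((loose, 0o777), (safe, 0o755)):
            with open(p, "w") as f:
                f.write("#!/bin/bash\necho tick\n")
            os.chmod(p, mode)
        crontab = f"*/2 * * * * /bin/bash {loose}\n*/2 * * * * /bin/bash {safe}\n"
        return sorted(os.path.basename(p) for _, p in audit_crontab(crontab)
                      if p.startswith(d))
if __name__ == "__main__":
    print(demo())
```

Run it against real crontab text (for example the output of crontab -l) to spot a job that executes something an FTP or web user can overwrite.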

Once the student successfully gains a shell, they will first have to upgrade it to an interactive shell. The student will then have to perform some initial reconnaissance in their new environment to figure out what privileges they have. After a quick “whoami” the student will realize they still have to escalate privileges.

The student should then run the sudo command followed by the -l flag. This will list the commands permitted by the security policy for the current user. The student will notice they have access to “bin/rm” and “bin/nmap”. A quick click over to GTFOBins will lay out the exact next steps to break out of their limited shell and finally achieve root status as Dumbledore.

After locating proof.txt and using CyberChef, Voldemort realizes he has once again lost his battle with Harry Potter, but he did manage to reach root and compromise the boxes. A few bonus flags have been set up for the student: “How many ASCII art files can you locate?” Four. “Have you located and been able to execute the image?” The commands “xdg-open” or “eog” will help you with that task.

Our intention has been to provide you with a fun, engaging and yet slightly challenging vulnerable machine experience; we hope that piecing together the Portal of Secrets didn’t push you too close to the edge of tossing in the towel. And we truly hope you’re walking away more knowledgeable and excited to keep learning in this field.
