Ethical hacking with TryHackMe's Capture the Flag series

Capture the Flag!

Lead Image © Clint Scholz, fotolia.com

Article from Issue 291/2025
TryHackMe's Capture the Flag puzzles are a useful source for users who want to learn about ethical hacking and penetration testing.

Security-minded users today can look online for a seemingly endless catalog of attacks and defenses. I have found the inimitable TryHackMe website [1] to be an indispensable tool that has allowed me to tailor my ethical hacking learning in a way that is both efficient and enjoyable. In my opinion, the presentation of each learning exercise is second to none, and the volume of content is exceptional.

This article describes one of the Capture the Flag (CTF) exercises on the TryHackMe website. A CTF exercise is a ready-made scenario that allows the user to play the role of an intruder, attacking a system and searching for a way to breach security and gain root access. Each time you solve a CTF puzzle, you capture a "flag" and are awarded points that allow you to assess your progress and compete with other users. As you can probably guess, I chose a CTF exercise based on a Linux machine. Before sitting down to write this article, I contacted TryHackMe and received permission to write about this CTF. The Bounty Hacker CTF described in this article is one of the many free CTFs on the TryHackMe website, so create a free account and try it yourself if you are interested.

On Your Marks

TryHackMe provides lots of free content, but if you pay a few dollars a month, you get faster CTF server startup times and dedicated UI attack machines that run in a browser. However, it is also possible to connect into their networks via a VPN without subscribing.

I prefer the VPN route because it is faster and lets me work from my own laptop, where my favorite security tools are already installed. That said, you will find that the UI-based attack machines have most of the usual security tools available on Kali Linux. To get started, download a VPN file from the Account section of the TryHackMe website, install OpenVPN, and run it against that file (on an Apt-based system):

$ apt install -y openvpn
$ openvpn vpn_name.ovpn

If you can ping 10.10.10.10, you have successfully connected and can proceed. Or you can run the following command to check if you have registered on the TryHackMe network. The command will return your laptop's IP address (which is important for a number of attacks):

$ curl 10.10.10.10/whoami
10.9.XXX.XXX

If you get stuck at this point, navigate to the TryHackMe's Advanced Access page [2] for some troubleshooting tips.

Bounty Hacker

In TryHackMe parlance, a room is a training area with a specific challenge. I'll start by focusing on the room called Bounty Hacker. The Bounty Hacker room has a quirky backstory and is designed for beginners. The story goes along the lines of how you boasted in a bar about being the most elite hacker in the solar system, and now it is time to prove it. If you are anything like me, I am sure the main graphic will pique your interest too, but I will leave you to visit the site yourself.

The first step is to spin up the virtual machine that I will attack. I will call this the target machine. Simply visit the Bounty Hacker room after a quick search and click Start Machine on the right-hand side. Then wait for 60 seconds until the countdown stops and an IP Address is presented to you – in my case, the address is in the 10.10.XXX.XXX range. I suspect the reason it takes a minute to start is the virtual machine needs to boot up and then DHCP needs to allocate an IP Address that you can attack. The machine will exist for an hour and it is possible to extend the duration once or twice if you need to. One of the clever things about TryHackMe's CTF exercises is that, rather than just spinning up a server for you to attack, you will be prompted to answer a number of questions (in the easier CTFs at least) to guide you in the right direction.

Now that the target machine is almost ready, I should add a word about being a good Internet citizen: make sure you only attack the IP address you are assigned. Do not annoy other users on the platform (intentionally or accidentally) by attacking a machine outside of your workspace.

To prevent any address confusion, and in the interests of automation, I have a simple script that adds the IP address to my /etc/hosts file with a local alias. That means when I ping the target.local alias, or enter it into a browser, I am actually seeing the target machine that I'm attacking. Of course, you can also edit /etc/hosts manually.
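One way to script that alias, as an added example rather than the author's own script: the function below validates the address, removes any earlier target.local line and appends the new mapping, so re-running it after a machine restart simply updates the entry. HOSTS_FILE is an assumed environment variable; it defaults to /etc/hosts, and pointing it at a scratch file lets you dry-run the function without root.

```shell
#!/bin/sh
# Added example: maintain a single "target.local" alias in a hosts file.
# HOSTS_FILE is an assumed variable; it defaults to /etc/hosts, and pointing it
# at a scratch file lets you dry-run the function without root.

set_target_alias() {
    ip="$1"
    alias_name="${2:-target.local}"
    hosts_file="${HOSTS_FILE:-/etc/hosts}"

    # Reject anything that is not a dotted-quad IPv4 address, so a typo
    # (or a pasted shell prompt) never ends up as a hosts entry.
    case "$ip" in
        ""|*[!0-9.]*|.*|*.) echo "invalid IPv4 address: '$ip'" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "invalid IPv4 address: '$ip'" >&2; return 1; }
    for octet; do
        [ "$octet" -ge 0 ] 2>/dev/null && [ "$octet" -le 255 ] \
            || { echo "invalid IPv4 address: '$ip'" >&2; return 1; }
    done

    # Drop any earlier line carrying the alias, then append the new mapping.
    # Writing back with cat keeps the original file's owner and permissions.
    tmp=$(mktemp) || return 1
    if [ -f "$hosts_file" ]; then
        grep -v "[[:space:]]${alias_name}\$" "$hosts_file" > "$tmp" || true
    fi
    printf '%s\t%s\n' "$ip" "$alias_name" >> "$tmp"
    cat "$tmp" > "$hosts_file" && rm -f "$tmp"
}

# Helper for checking the result: prints the address mapped to an alias.
resolve_alias() {
    awk -v a="$2" '$1 !~ /^#/ && $2 == a { print $1 }' "$1"
}

# Usage (needs root for the real file):  set_target_alias 10.10.XXX.XXX
# Dry run:  HOSTS_FILE=./hosts.test set_target_alias 10.10.1.2 && cat hosts.test
```

The validation matters more than it looks: a hosts entry is trusted by every tool on the laptop, so a mangled line can silently send a scan somewhere other than the assigned machine.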

Now that I know the IP address of the target, I'm ready for the enumeration phase of the attack. There is little reconnaissance to do. To check which network ports are open to the outside world, I use two trusty tools, starting with a tool called masscan. Masscan is the most rapid way I have found so far to discover open ports, although it is not always 100 percent accurate.

To install masscan on a Debian-based system, enter:

$ apt install -y masscan

To see what ports the target machine has open, enter the following command. Incidentally, declaring the IP address at the start is specific to the way I use this tool and is the only time I enter the IP address separately. Otherwise, I use target.local alias to specify the address.

$ IP="10.10.XXX.XXX"; masscan -p0-65535 --rate 10000 "$IP" -e tun1 --router-ip 10.9.0.1

See the masscan man page for clarity about the command-line options (man masscan). I found the rate was important, and I add the --router-ip option at the end because I use another VPN alongside the TryHackMe VPN, which can confuse some tools (see the box entitled "Using a VPN").

Using a VPN

If you want to follow this approach, adjust the router IP address to the first IP address in the range, after running the ip route command, for example:

10.9.0.0/16 dev tun1 proto kernel scope link src 10.9.2.XXX
10.10.0.0/16 via 10.9.0.1 dev tun1 metric 1000

I know the tunnel name is tun1 because my other VPN started first and used tun0 (I can check this with the ip a command), and therefore I need the gateway/router address, which is often ".1". If that doesn't make sense, just disable your other VPN along with the TryHackMe VPN and then enable the TryHackMe VPN again (check using the ip a command to be sure).
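Reading the device and gateway off the routing table is easy to automate. The script below is an added example, not part of the article: it picks the route that covers the target range out of ip route output and composes the masscan line from above (without running it). ROUTES_SAMPLE is constructed from the two lines in the box, with the last octet of the src address left as a placeholder; the ".1" fallback for a directly connected route is the article's rule of thumb, not a guarantee.

```shell
#!/bin/sh
# Added example (not from the article): derive the -e/--router-ip arguments for
# masscan from `ip route` output instead of reading them off by eye.
# ROUTES_SAMPLE is constructed from the two lines shown in the box.

ROUTES_SAMPLE='10.9.0.0/16 dev tun1 proto kernel scope link src 10.9.2.XXX
10.10.0.0/16 via 10.9.0.1 dev tun1 metric 1000'

# Reads `ip route` output on stdin and prints "<device> <gateway>" for the route
# covering the target range (default 10.10.0.0/16, as in the article).
# For a directly connected route with no "via", it assumes the gateway is the
# ".1" address of that network, which is the article's rule of thumb.
vpn_route_hint() {
    awk -v net="${1:-10.10.0.0/16}" '
        $1 == net {
            dev = ""; gw = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "via") gw = $(i + 1)
            }
            if (gw == "") { split(net, c, "/"); sub(/\.[0-9]+$/, ".1", c[1]); gw = c[1] }
            print dev, gw
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    '
}

# Composes (does not run) the masscan line from the article for a given target,
# using the device and gateway found above. Reads `ip route` output on stdin.
masscan_command() {
    target="$1"
    set -- $(vpn_route_hint)
    [ $# -eq 2 ] || { echo "no route to the target range found" >&2; return 1; }
    printf 'masscan -p0-65535 --rate 10000 %s -e %s --router-ip %s\n' "$target" "$1" "$2"
}

# Usage:  ip route | masscan_command 10.10.XXX.XXX
```

If the function reports no route, the TryHackMe tunnel is not up, which is worth knowing before a 65,536-port scan quietly goes out of the wrong interface.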

The abbreviated output from the masscan command is shown in Listing 1.

Listing 1

masscan Output

Starting masscan 1.3.2 (http://bit.ly/14GZzcT)
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 21/tcp on 10.10.XX.XXX
Discovered open port 22/tcp on 10.10.XX.XXX
Discovered open port 80/tcp on 10.10.XX.XXX

Sometimes I add the time command to the start of the masscan line to time the execution, and compared to other more thorough tools, it usually finishes much sooner.

The output in Listing 1 shows a few ports of interest. (If you don't fully believe the masscan output, rerun it or tweak your network settings.) The next step is to see what the exceptional Nmap security scanner makes of these ports. The command I commonly use is easy to memorize:

$ apt install -y nmap
$ nmap -p21,22,80 -A -T4 -Pn target.local > scan

I'm in the habit of saving lengthy scans to a text file so I don't need to run them again. A text file also makes it easy to go back to see if you have missed something. What does the Nmap scan reveal? A heavily abbreviated version of the output appears in Listing 2.

Listing 2

Nmap Output

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

Listing 2 turns up some juicy information. Port 80 is running a potentially old version of the Apache web server (which is almost certainly vulnerable to some attacks). The output also shows a version of OpenSSH that might be prone to attack. The thing to check first is the vsftpd server running on port 21 with version 3.0.3. I'll focus on that because apparently anonymous FTP is allowed, which might offer some useful information.
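The hand-off from Listing 1 to the Nmap command, and the first read of Listing 2, are both mechanical enough to script. The block below is an added example, not the author's tooling: one function turns masscan output into the -p list, one composes the Nmap line, and two pick the open services and the anonymous-FTP finding out of the Nmap output. Both samples are constructed to mirror Listings 1 and 2 (the duplicate port 22 line is deliberate, since masscan can report a port twice); the address is a placeholder.

```shell
#!/bin/sh
# Added example (not from the article): glue between the masscan and Nmap steps,
# plus a first-pass read of the Nmap output. Both samples are constructed to
# match Listings 1 and 2; the target address is a placeholder.

MASSCAN_SAMPLE='Starting masscan 1.3.2 (http://bit.ly/14GZzcT)
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 80/tcp on 10.10.XX.XXX
Discovered open port 21/tcp on 10.10.XX.XXX
Discovered open port 22/tcp on 10.10.XX.XXX
Discovered open port 22/tcp on 10.10.XX.XXX'

NMAP_SAMPLE="PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)"

# Reads masscan output on stdin and prints a sorted, deduplicated list ready
# for nmap -p (masscan may report the same port more than once).
ports_from_masscan() {
    awk '/Discovered open port/ { split($4, p, "/"); print p[1] }' \
        | sort -n | uniq | tr '\n' ',' | sed 's/,$//'
}

# Composes (does not run) the Nmap follow-up command from the article.
nmap_command() {
    ports=$(ports_from_masscan)
    [ -n "$ports" ] || { echo "no open ports in masscan output" >&2; return 1; }
    printf 'nmap -p%s -A -T4 -Pn %s\n' "$ports" "${1:-target.local}"
}

# Reads Nmap output on stdin and prints one "port service version" line per
# open port, skipping the NSE script lines that start with "|".
services_from_nmap() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        v = ""
        for (i = 4; i <= NF; i++) v = v (i > 4 ? " " : "") $i
        print $1, $3, v
    }'
}

# Returns 0 and prints a finding if the ftp-anon script reported anonymous
# login; this is the misconfiguration the rest of the article hinges on.
anon_ftp_allowed() {
    grep -q 'ftp-anon: Anonymous FTP login allowed' \
        && echo "finding: anonymous FTP login is enabled"
}

# Usage:
#   masscan ... | tee masscan.out; nmap_command target.local < masscan.out
#   services_from_nmap < scan; anon_ftp_allowed < scan
```

Saving the raw scan to a file, as the article does, is what makes this useful: the same functions run over the saved output later, and the service/version table is what you would compare against a patch baseline on a box you administer.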

I will check to see if I can find anything interesting on the filesystem of the anonymous FTP server. I'll start by running the following command. In this case, I connected successfully using anonymous when prompted for a username (entering an email address wasn't accepted on this system):

$ ftp target.local
Connected to target.local.
220 (vsFTPd 3.0.3)
Name (target.local:chris): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

For more on FTP connections, see the box entitled "A Note About FTP."

A Note About FTP

I really like Bounty Hacker, mainly because it is a relatively simple jigsaw puzzle. The steps are logical and point out a mistake by a sys admin that makes gaining access to the server much easier.

When I demonstrated the process to a colleague, no matter what I tried, the FTP server would not list files. I then tried the following FTP commands (search online to see why) to smooth out the connection:

> passive off
> ascii
> bin
> epsv

At first the commands were unsuccessful, but the next time I went back to the server, it worked as expected. One day I'm sure I will figure out exactly why. You can stop and start the target machine once or twice potentially, but don't abuse the platform.

A simple FTP command for revealing the directory list is as follows (FTP aims to be cross-platform so dir would work too):

> ls -al

Lo and behold, two files are visible:

locks.txt
task.txt

Figure 1 shows what a successful file listing looks like.

Figure 1: Two files are visible on the FTP server.

I can fetch both of these files by using the following FTP command:

> mget *.txt

Figure 2 shows the abbreviated output.

Figure 2: What to expect when downloading from the FTP server.

First I'll open the file named task.txt. Interesting! The file's contents are as follows:

1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
-lin

Although the note is seemingly innocuous, the author signs off as lin. I'll make use of that information in a moment. All snippets are useful to attackers – you might be surprised at the value of apparently useless data.

What is in the other file? Surprisingly, it is a long list of relatively complex passwords. Obviously, this server is built around a learning exercise and you might be skeptical about the prospect of discovering such a file in the wild. All I would say is that if you spent some time using a few popular enumeration tools, you might be surprised at what people leave lying around on their server filesystems!
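Seen from the administrator's side, the two conditions that made this box easy are an FTP daemon with anonymous login enabled and readable files left in the anonymous root. The script below is an added example, not from the article or from the vsftpd project: it reads the effective value of a vsftpd.conf key (anonymous_enable and anon_root are real vsftpd keys) and lists every file an anonymous client could download. It assumes Debian's default anonymous root of /srv/ftp when anon_root is unset; the sample configurations in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the article or vsftpd): audit the two conditions that
# made Bounty Hacker easy: anonymous_enable=YES in vsftpd.conf, and readable
# files in the anonymous root. Assumes Debian's default anon root (/srv/ftp)
# when anon_root is not set.

# Prints the effective value of a vsftpd.conf key; the last non-comment
# occurrence wins, and an unset key prints an empty line.
vsftpd_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        { gsub(/[[:space:]]/, "", $1) }
        $1 == key { val = $2 }
        END { print val }
    ' "$1"
}

# Audits a vsftpd.conf plus its anonymous root. Returns 1 when anonymous login
# is enabled, after listing every regular file an anonymous client could fetch.
audit_anon_ftp() {
    conf="$1"
    anon_enabled=$(vsftpd_get "$conf" anonymous_enable)
    anon_root=$(vsftpd_get "$conf" anon_root)
    anon_root="${anon_root:-/srv/ftp}"   # assumed default when anon_root is unset

    if [ "$anon_enabled" != "YES" ]; then
        echo "ok: anonymous FTP is disabled in $conf"
        return 0
    fi

    echo "finding: anonymous_enable=YES in $conf (anonymous root: $anon_root)"
    if [ -d "$anon_root" ]; then
        # Any regular file with the 'other' read bit set is downloadable
        # without credentials; a password list here is exactly the article's case.
        find "$anon_root" -type f -perm -004 | while read -r f; do
            echo "  exposed: $f"
        done
    fi
    return 1
}

# Usage:  audit_anon_ftp /etc/vsftpd.conf
# The fix is anonymous_enable=NO or, where anonymous access is genuinely
# needed, an anon_root that holds nothing but the files meant to be public.
```

The audit deliberately checks permissions rather than filenames: the lesson of locks.txt is not that a file was called "locks", but that anything world-readable under the anonymous root is public.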

I won't show you any of the entries in the password list, so instead the following is an example of the format:

DragoSync#H24
DR_agOSYNcH7
S;ynCh7D@rago

Note that there is some repetition in the passwords, which seem to be generated from three words.

Unhand Me

The next step is to try to figure out which of those passwords could open a door. Go back to the Nmap results. Currently, I have a flat web server homepage with a quirky graphic on TCP port 80 and an open SSH port running OpenSSH. Maybe there is a Content Management System (CMS) on the server, running a database-driven website that I haven't discovered yet?

The tool of choice is gobuster [3], which will allow me to recursively search through subdirectories. There are a number of web-oriented enumeration tools to choose from, but the performance and extensive options make gobuster my favorite.

You can install gobuster using the Apt package manager as follows:

$ apt install -y gobuster

The command I will use, pointing again at the alias for the target server IP address, is:

$ gobuster dir -u target.local -w <wordlist>

I want the tool to iterate as quickly as possible through a long file containing possible directory and filenames. I'm going to use a list of directories only (and not filenames) from GitHub [4] that contains about 1,990 entries. If you navigate a few levels up on the GitHub URL, you can find a massive list of other types of wordlists that you will need in future CTFs.

My gobuster command now looks like the following:

$ gobuster dir -u http://target.local/ -w wordlists/directories-small.txt

I named the file directories-small because some lists are hundreds of thousands of lines long. Take the dog for a walk or put the kettle on, as this command runs for quite a while. In my case, the command produced the output shown in Figure 3.

Figure 3: The output from gobuster.

Usually, tools like gobuster are extremely noisy and contain lots of juicy bits of output (with many false positives), but in this case, checking the subdirectories in the wordlist doesn't reveal much at all. If this wasn't an easy-rated CTF, at this point, I would use a much longer wordlist because I would be certain that I had missed a crucial directory. This time, it seems there is no CMS. But, I would be remiss not to check the HTTP 200 I received from gobuster for the images/ subdirectory. Visiting http://target.local/images just reveals the homepage graphic, with no other images present. And, the icons/ directory that threw an HTTP 403 error (Forbidden) means I need to authenticate if I want to view that directory. I'm suspicious that it is a false positive (intentional or otherwise), so I will move on.
