Adversarial Strategies Unlocked: Blue Team’s Approach to RootMe CTF

Introduction

Welcome to my new series where I’ll be delving into capture the flag (CTF) hacking challenges with an innovative twist. Throughout this series, I’ll meticulously analyze, solve, and document these challenges from the perspective of a blue team member. The aim is to enrich our comprehension of the adversarial mindset, revealing the practical tactics, techniques, and procedures (TTPs) utilized by hackers in the real world. By immersing ourselves in the complexities of these challenges, we’ll explore the intricacies of cyber threats and defenses, gaining a more profound insight into the methods employed by attackers. This exploration will not only enhance our understanding of cybersecurity from a defensive standpoint but also equip us with the knowledge to anticipate and counteract potential security breaches more effectively. Through this series, we aspire to bridge the gap between theoretical knowledge and practical application, providing a comprehensive guide to navigating the ever-evolving landscape of cyber threats.

Each entry in this blog series will be structured around the MITRE ATT&CK framework, providing a detailed exploration of the various stages through which hackers progress during their attacks. By aligning our discussions with this comprehensive framework, we’ll dissect the intricate processes involved in cyberattacks, shedding light on what occurs at each phase. This approach not only highlights the sequence of actions typically undertaken by adversaries but also delves into the nuances of how these stages are navigated in diverse attack scenarios. Through this lens, we aim to offer insights into the strategies and methods used by attackers, enhancing our defensive tactics by understanding the offensive playbook. This methodical examination will empower us with the knowledge to better anticipate, recognize, and mitigate threats, ultimately strengthening our cybersecurity posture against a wide array of cyber threats.

You can explore the MITRE ATT&CK framework by visiting this website: https://attack.mitre.org/.

The Scenario

This blog entry will walk through completing a Capture The Flag (CTF) challenge on TryHackMe called RootMe. This challenge is available in a free room, allowing anyone to participate, regardless of their membership status. RootMe is designed as a beginner-level CTF, making it an excellent opportunity to learn foundational cybersecurity skills.

For this challenge, I’ll be utilizing my Kali Linux Virtual Machine (VM) connected through a VPN to tackle the task. Alternatively, if you’re unable to use a VM or don’t have VPN access, the AttackBox provided by TryHackMe serves as a viable option as well.

Upon starting the machine, you’ll notice a new section labeled “Active Machine Information.” The IP address displayed in this section is the target IP address you will be focusing your attack on.

Let’s get started!

Reconnaissance

TryHackMe presents a series of questions that we must answer to progress through the challenge.

The initial step you can take is to perform a ping test on the IP address to verify if the system is up and accessible for further operations.

In the context of cybersecurity and penetration testing, this step falls under the MITRE ATT&CK framework’s technique termed “Network Service Scanning” (T1046). This technique is part of the Discovery tactic, where adversaries, or in this case, ethical hackers, seek to uncover information about the network, systems, and services that are available and potentially vulnerable to exploitation. Through network service scanning, testers can identify open ports, running services, and other critical attributes of the target system that could reveal potential entry points for deeper penetration or vulnerabilities that could be exploited in later stages of the test.

Following the initial ping test, the next logical step in our assessment is to conduct an nmap scan on the IP address to identify open ports and services. Nmap, or Network Mapper, is a powerful and versatile tool used in cybersecurity and network administration to discover hosts and services on a computer network, thereby building a “map” of the network. This scan can reveal a wealth of information about the targeted system, including but not limited to:

1. Open Ports: Identifying which TCP or UDP ports are open. Open ports indicate active services that could potentially be exploited.
2. Service Versions: Determining what version of the service is running on each open port. Knowing the version helps to identify specific vulnerabilities associated with it.
3. Operating System Detection: Estimating the operating system (and sometimes, the OS version) of the target based on characteristics of the packets it responds with.
4. Scripts and Vulnerabilities: Utilizing Nmap Scripting Engine (NSE) scripts to discover additional information about the target, including known vulnerabilities, which can be crucial for planning further exploitation strategies.

This step is aligned with the MITRE ATT&CK framework’s “Service Discovery” technique (T1046), which is part of the Discovery tactic. It involves the active or passive scanning of systems to identify services that are exposed to the network. This information is pivotal for understanding the attack surface of the target system, allowing attackers (or ethical hackers, in a testing scenario) to tailor their approaches based on the services and vulnerabilities discovered during the scan.

The initial scan I will employ is as follows: sudo nmap -sS -p- [IP Address].

We can run another nmap scan to gather additional information about the ports that we found by using the -A flag.

The updated command for this scan will be: sudo nmap -sS -p 22,80 -A [IP Address].

The nmap scan has revealed multiple open ports on the network, offering us various pathways for further investigation. Among these, the HTTP port stands out as particularly intriguing due to its common association with web servers and applications, which can often be ripe for exploration. Typically, web servers host a wealth of information and potential vulnerabilities, making them a prime target in penetration testing and ethical hacking exercises. Additionally, it was found that the HTTP port is running Apache 2.4.29 (Ubuntu), providing specific details about the web server’s version and operating system. This information is invaluable for identifying potential vulnerabilities or configuration weaknesses associated with that particular version of Apache and its Ubuntu environment, further guiding our approach to exploring and potentially exploiting the web server.

The nmap scan has also provided us with information that will assist us in answering some of the questions.

To delve into the contents served by the web server on the identified HTTP port, we can proceed by simply opening a web browser and navigating to the URL constructed by appending the port number to the IP address, formatted as [IP Address]:80. This action allows us to directly interact with the web application or service running on the target machine, providing a firsthand look at:

1. Web Application Interface: Observing the web application’s interface can give clues about its functionality, potential entry points for user input, and areas to test for vulnerabilities.
2. Directory Structure: Sometimes, the initial page may hint at the directory structure or reveal directories through hyperlinks, which could be explored further for misconfigurations or sensitive information leakage.
3. Technologies Used: Identifying technologies (e.g., web server software, content management systems) from headers or page content can help in pinpointing specific exploits or weaknesses associated with those technologies.
4. Authentication Mechanisms: Discovering login pages or authentication mechanisms can open avenues for credential testing, session management vulnerabilities, and more.

Exploring the HTTP port is a critical step in the reconnaissance phase of penetration testing, setting the stage for more targeted attacks based on the findings from the web server analysis.

Upon visiting the webpage, here’s what we encounter.

We’re presented with a website that offers no interactive elements, yet it poses the question of whether we can achieve root access.

In this scenario, the following sensible course of action would be to employ a Directory Enumeration script in an attempt to discover potential additional directories on the web server. I plan to utilize DirBuster for this purpose, although there are alternative tools available, such as Gobuster.

When setting up DirBuster, enter the target URL using the format: http://[IP Address]:80 or https://[IP Address]:80. For this exercise, our attention will be on directory enumeration via the HTTP protocol. You will also need to select a wordlist that includes common directory names. On Kali Linux, DirBuster’s directory wordlists are located at /usr/share/wordlists/dirbuster/. Additionally, it’s important to customize the file extensions DirBuster searches for. Commonly, I add extensions such as php, html, txt, and js, though adjustments might be necessary based on the specific context. To enhance the scan’s efficiency, consider increasing the number of threads by selecting the “Go Faster” option, which can significantly speed up the search.

Shortly after initiating the scan, DirBuster will begin to uncover hidden directories. Among the directories discovered, /uploads/ and /panel/ stand out as particularly interesting. We can navigate back to our web browser and explore these pages further to uncover the resources and opportunities they present.

The process of using DirBuster to enumerate directories and uncover hidden resources on a web server aligns with the technique “File and Directory Discovery” (T1083). This involves an adversary attempting to figure out the file and directory structure of a system or server. Directory enumeration with DirBuster fits squarely into this category as it systematically searches for and identifies directories that are not immediately visible or accessible from the web application’s main pages. This can reveal hidden resources, configuration files, or sensitive endpoints that could be exploited.

The uploads directory seems to serve as a repository for viewing files that are stored on the web server.

The panel directory seems to function as a location where files can be uploaded to the web server.

Now, we have the information needed to answer another question.

In this scenario, the first course of action to consider is uploading a reverse shell script. This would prompt the web server to initiate a connection back to our machine, thereby providing us with access to the web server’s internal environment.

Getting a Shell

Kali Linux offers a diverse array of reverse shell scripts that can be tailored to fit specific needs. Located in the /usr/share/webshells/ directory, you’ll find reverse shells in various languages, providing flexibility in choosing the most suitable option for the target web server environment.

Given our earlier discovery that the web server operates on Apache, we know it has the capability to interpret languages such as PHP, Python, Java, and HTML. Therefore, in this context, opting for a PHP reverse shell is a strategic choice, leveraging the server’s inherent ability to execute PHP scripts.

We’ll employ the php-reverse-shell.php script, which requires customization to establish a connection back to our IP address and a port we select. To maintain the integrity of the original file, it’s advisable to copy this file to a different directory. This precaution ensures we have an untouched version to fall back on should any modifications lead to issues.

To configure the reverse shell correctly, you’ll need to modify the script by updating the IP address to match that of your system. There are a couple of ways to ascertain this information. One method is to look at the top right of your screen for an IP address indicating your current connection via VPN—this is the IP address you should use.

If the IP address isn’t visible on your screen, another option is to execute the ifconfig command in the terminal. This command may display multiple connection options. In this case, you’ll want to select the IP address associated with tun0, as this typically represents the network interface used for VPN connections, ensuring the reverse shell communicates over the correct network path.

Once you’ve updated the reverse shell file with your system’s IP address in the designated line, the next step is to specify a port number. For this example, I’ll use port 4444, but feel free to select a different port according to your preference or requirements. Just ensure you remember the port you choose, as it will be important for later steps. After making these adjustments, be sure to save the file to preserve the changes you’ve implemented.

Returning to the /panel/ directory on the website, we now attempt to upload the reverse shell we’ve just customized for our purposes.

However, during this attempt to upload the PHP file to the webserver, we encounter an error message indicating that uploading files with the PHP extension is not permitted.

Given the restriction on uploading PHP files, we can explore several methods to bypass this limitation. One straightforward approach is to change the file extension to another variant recognized by PHP. There are multiple alternative extensions for PHP files, including .phtml, .php5, .inc, .phps, among others, which might not be restricted by the server’s upload filter. For this attempt, I will rename the file extension to .phtml, aiming to see if this allows us to successfully upload the reverse shell to the web server.

Successfully changing the file extension to .phtml has allowed us to bypass the web server’s restrictions on uploading PHP files, illustrating a common technique adversaries use to circumvent security controls. By navigating to the previously discovered /uploads/ directory and refreshing the page, we can locate the file we’ve just uploaded.

This action falls under the MITRE ATT&CK framework’s “Defense Evasion” tactic, specifically the technique “Bypassing Client-Side Controls” (T1200). This technique involves manipulating or circumventing security measures put in place to restrict certain actions, such as file uploads, on the client side. In our context, changing the file extension to bypass server-side filters designed to prevent the uploading of potentially malicious PHP files demonstrates how attackers can exploit web application vulnerabilities to evade detection and achieve their objectives. Once the file is located and executed, it can initiate a reverse shell, giving the attacker control over the web server, which aligns with the “Exploitation for Client Execution” (T1203) technique, showing the practical application of these tactics in compromising server integrity and security.

Before activating the reverse shell by clicking on the uploaded file, it’s crucial to prepare your machine to listen for the incoming connection. This step involves recalling the port number you specified in your reverse shell script, as this will be the channel through which the web server will communicate back to you.

To set up your machine for listening, the command to use is nc -nvlp [port], where [port] should be replaced with the port number you chose earlier, such as 4444. This command configures netcat (nc), a versatile networking utility, to listen on the specified port:

• -n skips DNS resolution to speed up the process.
• -v enables verbose mode, providing more detailed output.
• -l indicates that netcat should listen for incoming connections rather than initiate connections to other hosts.
• -p [port] specifies the port on which netcat will listen.

Executing this command prepares your system to accept the reverse shell connection from the web server when the PHP (or, in this case, .phtml) file is executed. This setup is a critical component of the “Exploit Public-Facing Application” (T1190) technique under the MITRE ATT&CK framework, enabling an attacker—or an ethical hacker, in a testing scenario—to establish a foothold on the target system by receiving connections initiated by the exploited server.

With netcat set up and listening on the designated port, you are now prepared to initiate the reverse shell connection. Clicking on the uploaded file in the /uploads/ directory will trigger the webserver to execute the reverse shell script, attempting to establish a connection back to your machine. This action effectively turns the theory into practice, as you await the incoming connection that grants access to the webserver’s environment.

Having successfully established a connection to the webserver through the reverse shell, you now have the capability to execute Linux commands as if you were directly interacting with the server’s terminal. This access opens up numerous possibilities for exploration and interaction with the server’s file system.

Your immediate goal is to locate the user.txt file, which contains the user flag—a critical piece of information for completing this stage of the challenge. There are two primary approaches to uncovering this file:

1. Manual Directory Navigation: You can manually navigate through the server’s directories using commands like cd (to change directories) and ls (to list directory contents), methodically searching for the user.txt file. This approach might be more time-consuming but can offer a deeper understanding of the server’s directory structure.
2. Using the Find Command: For a more efficient search, you can leverage the find command to scan the entire file system for the user.txt file. The command find / -type f -name "user.txt" is specifically designed for this purpose:
   • find initiates the command.
   • / specifies the root directory as the starting point for the search, ensuring the entire file system is covered.
   • -type f restricts the search to files only, excluding directories.
   • -name "user.txt" defines the exact name of the file you’re searching for.

Using the find command can significantly expedite the process, directly leading you to the location of the user.txt file without the need for manual directory traversal. Once located, you can use the cat command to display the contents of the file and retrieve the user flag. This step is crucial for progressing in the challenge and demonstrates effective use of command-line tools to navigate and interact with a compromised system.

The use of the find command has successfully pinpointed the location of the user.txt file, revealing it to be situated at /var/www/. This discovery is a significant step forward in your exploration of the web server, as accessing this file should provide you with the user flag.

Privilege Escalation

The next phase in this process involves aiming to gain root access to the webserver through privilege escalation. A strategic method to achieve this is by searching for files that have been assigned SUID (Set User ID upon execution) permissions. SUID is a special type of file permission that, when applied to an executable, allows users to run the program with the permissions of the file owner, which, in many cases, is the root user.

The command find / -user root -perm /4000 is employed for this purpose:

• find / starts a search beginning from the root directory (/), ensuring the entire filesystem is covered.
• -user root filters the search results to include only those files owned by the root user.
• -perm /4000 specifies that we’re looking for files with the SUID bit set.

This command effectively scans the entire system for executables with SUID permissions set by the root user. Identifying such files is crucial because they can potentially be exploited to escalate privileges from a lower-privileged user to root. Once a vulnerable or misconfigured SUID executable is found, it may be possible to execute commands with elevated privileges, thereby granting you root access to the server. This step is an essential component of the privilege escalation process, leveraging system misconfigurations to gain a higher level of control over the system.

Identifying Python as one of the executables with SUID permissions is particularly intriguing due to its versatility and the broad range of actions it allows users to perform, making it a prime candidate for privilege escalation attempts. Python scripts and interactive shells can often be manipulated to execute arbitrary commands with the privileges of the file owner, in this case, root.

The GTFOBins website is an invaluable resource in this context. It serves as a curated repository of Unix binaries that can be abused to bypass system security restrictions. For Python, GTFOBins provides specific examples of how to exploit the SUID permissions to escalate privileges or execute commands as another user, typically the root.

To leverage Python for privilege escalation, one would visit the GTFOBins website (https://gtfobins.github.io/), locate the Python page, and follow the instructions or command patterns provided for executing a Python payload that takes advantage of the SUID bit.

By executing the appropriate Python command or script as outlined in GTFOBins, you can potentially escalate your privileges to root, thereby gaining complete control over the webserver. This method underscores the importance of careful binary permissions management and highlights how seemingly benign tools can be leveraged for significant security breaches when not properly secured.

The strategy of leveraging Python with SUID permissions for privilege escalation directly maps to the MITRE ATT&CK framework, specifically targeting the “Privilege Escalation” tactic. Within this category, it falls under the technique “Exploitation for Privilege Escalation” (T1068). This technique involves exploiting vulnerabilities, misconfigurations, or design flaws within a system to gain higher-level privileges.

The use of Python, as identified through SUID permissions, to execute commands or scripts that elevate a user’s privileges from a standard account to a root account exemplifies this technique. It highlights how attackers can take advantage of executable files with insecure permissions to circumvent normal access controls and gain authoritative control over a system or network.

With root permissions now at your disposal, you’ve unlocked the ability to access a broader spectrum of information on the webserver, including the highly sought-after root.txt file, which contains the next flag in this Capture The Flag (CTF) challenge. Leveraging your elevated privileges to locate the root.txt file follows a similar process to how you discovered the user.txt file.

Congratulations on completing the entire Capture The Flag (CTF) challenge!

Conclusion

As we wrap up this comprehensive journey through the Capture The Flag (CTF) challenge on TryHackMe, it’s essential to reflect on the various stages of attack and defense, structured around the MITRE ATT&CK framework. This exploration into RootMe has not only showcased a practical application of cybersecurity skills but also illuminated the depth and breadth of strategies employed by adversaries in real-world scenarios.

MITRE ATT&CK Techniques Employed

Throughout this challenge, we engaged with several key techniques from the MITRE ATT&CK framework, illustrating the multifaceted nature of cybersecurity:

1. Initial Access: Exploit Public- Facing Application [T1190]: In this CTF challenge, we used this technique to exploit vulnerabilities in a publicly accessible web server, allowing us to gain initial access to the target system by uploading a reverse shell script with a modified file extension.
2. Execution: Command and Scripting Interpreter- Unix Shell [T1059.004]: During the challenge, we executed various Linux commands through a reverse shell, enabling us to interact with the server’s terminal and locate critical files, such as user.txt and root.txt.
3. Privilege Escalation: Exploitation for Privilege Escalation [T1068]: In the privilege escalation phase, we identified executables with SUID permissions, specifically Python, and leveraged GTFOBins to escalate our privileges from a standard user to the root user on the web server.
4. Masquerading – Masquerade File Type [T1036.008]: Changing the file extension to .phtml to evade upload restrictions represented a form of masquerading, where we disguised the true file type to bypass server-side controls and upload our reverse shell.
5. Discovery: File and Directory Discovery & System Information Discovery [T1046, T1083]: We used network service scanning (T1046) and directory enumeration (T1083) techniques to discover open ports, services, hidden directories, and files on the target system, enhancing our understanding of its attack surface.
6. Collection: Data from Local System [T1005]: Our actions in the execution and privilege escalation phases involved collecting critical information, such as user flags and root flags, by interacting with the server’s file system and executing specific commands to locate these files.
7. Command and Control: Application Layer Protocol- Web Protocols [T1071.001]: Our interaction with the web server, including uploading files, executing commands, and interacting with web application interfaces, involved the use of web protocols, aligning with this technique in the MITRE ATT&CK framework.
8. Exfiltration: Exfiltration Over C2 Channel [T1041]: We utilized the established reverse shell to exfiltrate critical flags and information from the compromised target system as part of our overall CTF challenge strategy.

Here’s the ATT&CK Navigator designed for this particular circumstance:

Reflection

This series, centered around the MITRE ATT&CK framework, provides a structured exploration into the anatomy of cyberattacks, enhancing our defensive posture through an in-depth understanding of offensive techniques. The RootMe challenge served as a practical application of these concepts, bridging the gap between theoretical knowledge and real-world application.

Thank you for joining this explorative journey through cybersecurity tactics and techniques.

Discover more about the MITRE ATT&CK framework and arm yourself with the understanding necessary to navigate the complexities of cybersecurity.