Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Kali Linux CTF Blueprints
  • Table Of Contents Toc
Kali Linux CTF Blueprints

Kali Linux CTF Blueprints

By : Cameron Buchanan
4.5 (6)
Buy this Book
close
close
Kali Linux CTF Blueprints

Kali Linux CTF Blueprints

4.5 (6)
By: Cameron Buchanan
Buy this Book

Overview of this book

Taking a highly practical approach and a playful tone, Kali Linux CTF Blueprints provides step-by-step guides to setting up vulnerabilities, in-depth guidance to exploiting them, and a variety of advice and ideas to build and customising your own challenges. If you are a penetration testing team leader or individual who wishes to challenge yourself or your friends in the creation of penetration testing assault courses, this is the book for you. The book assumes a basic level of penetration skills and familiarity with the Kali Linux operating system.
Table of Contents (9 chapters)
close
close
close
Preface
Icon
Preface
Icon
What this book covers
Icon
What you need for this book
Icon
Who this book is for
Icon
Reading guide
Icon
A warning
Icon
Conventions
Icon
Reader feedback
Icon
Customer support
Lock Free Chapter
1
1. Microsoft Environments
chevron up
Icon
1. Microsoft Environments
Icon
Creating a vulnerable machine
Icon
Creating a secure network
Icon
Hosting vulnerabilities
Icon
Scenario 1 – warming Adobe ColdFusion
Icon
Scenario 2 – making a mess with MSSQL
Icon
Scenario 3 – trivializing TFTP
Icon
Flag placement and design
Icon
Post-exploitation and pivoting
Icon
Exploitation guides
Icon
Challenge modes
Icon
Summary
2
2. Linux Environments
Icon
2. Linux Environments
Icon
Differences between Linux and Microsoft
Icon
Scenario 1 – learn Samba and other dance forms
Icon
Scenario 2 – turning on a LAMP
Icon
Scenario 3 – destructible distros
Icon
Scenario 4 – tearing it up with Telnet
Icon
Flag placement and design
Icon
Exploitation guides
Icon
Summary
3
3. Wireless and Mobile
Icon
3. Wireless and Mobile
Icon
Wireless environment setup
Icon
Scenario 1 – WEP, that's me done for the day
Icon
Scenario 2 – WPA-2
Icon
Scenario 3 – pick up the phone
Icon
Exploitation guides
Icon
Summary
4
4. Social Engineering
Icon
4. Social Engineering
Icon
Scenario 1 – maxss your haxss
Icon
Scenario 2 – social engineering: do no evil
Icon
Scenario 3 – hunting rabbits
Icon
Scenario 4 – I am a Stegosaurus
Icon
Exploitation guides
Icon
Summary
5
5. Cryptographic Projects
Icon
5. Cryptographic Projects
Icon
Crypto jargon
Icon
Scenario 1 – encode-ageddon
Icon
Scenario 2 – encode + Python = merry hell
Icon
Scenario 3 – RC4, my god, what are you doing?
Icon
Scenario 4 – Hishashin
Icon
Scenario 5 – because Heartbleed didn't get enough publicity as it is
Icon
Exploitation guides
Icon
Summary
6
6. Red Teaming
Icon
6. Red Teaming
Icon
Chapter guide
Icon
Scoring systems
Icon
Setting scenarios
Icon
Reporting
Icon
CTF-style variations
Icon
Scenario 1 – ladders, why did it have to be ladders?
Icon
Scenario 2 – that's no network, it's a space station
Icon
Summary
7
A. Appendix
Icon
A. Appendix
Icon
Further reading
8
Index
Icon
Index

Exploitation guides

The following are the exploit guides for the scenarios created in this chapter. These are guidelines, and there are more ways to exploit the vulnerabilities.

Scenario 1 – traverse the directories like it ain't no thing

The brief provided for this exploitation guide is assumed to be:

Use the common web framework vulnerability to capture the RFLAGG's finances spreadsheet from his documents directory.

The following are the steps to be performed for this scenario:

  1. So, first of all, we boot up Netdiscover or Nmap to discover/map the hosts on the network. We then use Nmap once again to enumerate the ports on the host and look at the output. We look for an output that either defines the PC as belonging to a variation on RFLAGG or a web framework that may be vulnerable. You can see in the following screenshot that there's a high port running as an HTTP server:
    Scenario 1 – traverse the directories like it ain't no thing

    The great thing about this scenario is that the vulnerable package runs on a high port, which means that a user who only runs quick Nmap scans won't find it.

  2. Browse to the site in the browser of your choice, and you're presented with the screen we saw earlier when we were setting up the ColdFusion installation. (It should be the ColdFusion directory; that wasn't a trick.)

    This looks vulnerable in itself, containing installation files, so we can make a note of it and move on. There's an admin directory, so we click on that, and we are presented with a login page.

  3. A quick Google search shows that ColdFusion doesn't appear to have package-specific default credentials, and so we try the following standard ones just to be sure:
    • admin:admin
    • admin:password
    • guest:guest
    • administrator:administrator
    • admin:coldfusion
    • coldfusion:coldfusion
  4. If one of these credentials has been set, we have passed the first step and gained administrative access to the web framework.
  5. If they haven't, checking the version will show that RDS can be used for a login without credentials as they are blank by default on earlier packages. We can also find that there's a Metasploit module for this (exploit/multi/http/coldfusion_rds) that can deliver Meterpreter payloads. If you take this route, Meterpreter will carry you the entire way in a canoe, and the usage of Meterpreter is found in the next exploitation guide.
  6. We'll assume here that we've taken the first route and found that the default credentials had been set. While browsing around, we can see there is limited functionality, but there are some rather suspicious-looking URLs, as shown in the following screenshot:
    Scenario 1 – traverse the directories like it ain't no thing

    That looks vulnerable to the might of URL-based directory traversal. By supplying a directory that goes up as well as down the directories, as shown in the preceding screenshot, we can potentially access sensitive files. So, in this example, we're going to go after the Excel sheet with RFLAGG's finances in it. We supply the following URL:

    192.168.0.5:8500/CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=CFIDE.adminapi.accessmanager&path=../../../../../../../../../users/Rflagg/Documents/finances.xls

  7. And we'll see what comes out. It may take some variation in the filename, but we can make it work with experimentation.

The vulnerabilities shown are:

  • Network-facing installation pages and administrative portals
  • Default credentials
  • Directory traversal vulnerability in ColdFusion

Scenario 2 – your database is bad and you should feel bad

The brief provided for this exploitation guide is assumed to be:

Using a vulnerable database, become an administrative user on The Wizard's computer and describe the desktop picture.

The following are the steps to be performed for this scenario:

  1. The first step is to profile all of the devices using Nmap and locate one matching The Wizard as a description.
  2. Then, use Nmap to enumerate all the open ports, preferably with -A to detect the currently running service, as shown in the following screenshot:
    Scenario 2 – your database is bad and you should feel bad

    As we were informed that it's a vulnerable database we are to attack, we can assume that the MSSQL service is the target.

    Hex0rbase is the tool of choice for testing usernames and passwords.

    Using the inbuilt username and password list for MSSQL, we can test default credentials pretty quickly, as shown in the following screenshot:

    Scenario 2 – your database is bad and you should feel bad
  3. Once we've got the username and password, we can browse the table for any credentials or alternatively boot up Metasploit. The fastest option here is to use Metasploit.
  4. The module you want is exploit/windows/mssql/mssql_payload, which (provided the antivirus isn't on the box) will give us a Meterpreter payload on the box. It needs to be configured as shown in the following screenshot:
    Scenario 2 – your database is bad and you should feel bad

    The preceding screenshot sets the Metasploit values as:

    • METHOD = cmd
    • PASSWORD = sa
    • RHOST = the target
    • RPORT = 1433 (default for MSSQL)
    • USERNAME = sa
    • USE_WINDOWS_AUTHENTICATION = false
  5. The payload is in and you are in. Experiment with Meterpreter; there are many things it can do. It takes a lot of time to become fully familiar with the tool and learn what's appropriate in different situations.
  6. To satisfy the flag conditions, we need to view the wallpaper. In order to do that, we will need to secure a graphical login, so the easiest method will be to enable remote desktop. We launch the server and change the password to enable a login.

The vulnerabilities shown here are:

  • Default MSSQL credentials
  • Lack of antivirus on hosts

Scenario 3 – TFTP is holier than the Pope

The brief provided for this exploitation guide is assumed to be:

Use the vulnerable service to extract the user Jay Bacon's secret file stored at C:/Bearnaisesauce.txt.

The following are the steps to be performed for this scenario:

  1. First, identify the live hosts on the network with a ping sweep. On Kali Linux, there are two straightforward options: Netdiscover and Nmap. Netdiscover will use a combination of ARP traffic and ping sweeps to identify the live machines. It presents this data as shown in the following screenshot and is a generally reliable form of host discovery:
    Scenario 3 – TFTP is holier than the Pope

    However, since Nmap is useful for port identification anyway, you can use the -Pn operator to perform a ping sweep on the range given.

  2. Once the host(s) is/are identified, the next thing to do is to ensure that it is the targeted host. An aggressive scan with Nmap will identify the ports open, the services running, fingerprint the device, and also retrieve the name of the computer. If the name matches the brief, such as Jay-PC, Bacon-PC, JayBacon, or something similar, we know we're on the right track.
  3. The standard output of a Windows 7 machine without a firewall enabled looks like the examples we've seen before, except this time there are no vulnerable services. Junior testers may scratch their heads (but Nmap finds everything!), but they need to scan for UDP ports. A quick search of the top 1,000 UDP ports (nmap –sU<IP>) will show that port 69 is open.
  4. After a quick Google search, your testers will find that TFTP runs on port 69/UDP. TFTP, we know, is accessible with the tftp command from the Kali terminal, and so we connect.

    There's no way to know which folder TFTP is built into. So, the methods we try are:

    • get Bearnaisesauce.txt
    • get ../../../../../../../ Bearnaisesauce.txt
    • get C:/ Bearnaisesauce.txt

    The file should be retrieved and the challenge is completed.

The vulnerabilities shown here are:

  • TFTP in use
  • TFTP in use in a privileged folder
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Kali Linux CTF Blueprints
End of Section 1
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon