[ Penny ] - PT-0x00 - Configure your own vulnerable CTF machine

linux
beginner
tutorial
config
pentesting

#1

What’s up, everyone?

This tutorial will show you how to configure your own vulnerable CTF server manually. There exist some scripts which do this job for you but it’s much better when you understand why these vulnerabilities work. :wink:
Before we start I recommend you document every change/step. Write it down like a script. So you will be able to set it up again if required just by paste all of the commands. I will mark some words strong for important information we have to document.

Content:

  1. Preparation
  2. Installation
  3. proof.txt & local.txt
  4. First Snapshot
  5. Privilege Escalation
  6. Second Snapshot
  7. Exploitation
  8. Third Snapshot
  9. Complexity

1. Preparation

First things first, we need to know what we want to teach the people. There are some questions we have to answer for this. For example:

  • What should they learn from this machine?
  • Which steps are required to pwn it?
  • Which exploitation techniques should be used?
  • Which knowledge is required to succeed?
  • What kind of vulnerability should be used?
  • How many methods for each phase are possible?
  • Which passwords?
  • How many users?
  • What OS is required?

The creation of a vulnerable machine looks like the penetration testing process but backward. This includes mainly the following:

  1. Privilege Escalation
  2. Exploitation
  3. Enumeration

We have to create a rough walkthrough of how the way has to look like. Based on this we will get a picture of how to configure this machine. Before we start to download the image let us search for a local privilege exploit. For this, you can use the Exploit-DB or the preinstalled tool “searchsploit” in Kali Linux:

I chose this one: “Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - ‘overlayfs’ | 37292.c
with the Ubuntu 14.04 version. For the Exploitation phase, we will configure the vulnerability manually.

2. Installation

Let us download the image:
wget http://old-releases.ubuntu.com/releases/14.04.0/ubuntu-14.04-server-amd64.iso

You can use VirtualBox or VMware. That’s your choice. I will use my VMware Workstation. Here are some of my settings by creating a new VM:

  • VM name: Crybuntu
  • Maximum Disk Size: 10 GB
  • [x] Store virtual disk as a single file
  • Memory: 2048 MB
  • Number of processors: 2
  • Number of cores: 2
  • New CD/DVD: /(path-to)/ubuntu-14.04-server-amd64.iso

Now we can start the VM. That’s the basic installation process. So use whatever you like.
My settings:

  • Hostname: Crybuntu
  • Username: cryalot

  • User password: cry4moon (contained inside the rockyou.txt wordlist)

To ensure our VM doesn’t update itself automatically we need to set the “tasksel” for “No automatic updates”.

Now we reached the part for software selection.

Here you can choose whatever you like. My selection:

  • OpenSSH server
  • LAMP Server
  • Mail Server
  • Samba file server

After the installation, we want to login into this VM using SSH as root. For this, we have to edit the line to “PermitRootLogin yes” inside the “/etc/ssh/sshd_config” file. In addition, we have to set a root password:
sudo su
passwd
[rockit]
[rockit]

Further, we have to be able to compile the local privilege escalation exploit on this machine. Therefore we need to install GCC on it.

apt-get install gcc -y


What kind of vulnerabilities do we have so far?

  • Old release of Ubuntu Linux with the version 14.04
  • Weak password for cryalot
  • Weak password for root
  • Vulnerable kernel version
  • SSH root login enabled

3. proof.txt & local.txt

Now let us generate some hashes for the proof.txt and local.txt.
date | sha1shum > proof.txt

6

proof.txt = 7de08ccab8ef837d7041918bf6e890b13e728769

date | sha1shum > local.txt

7

local.txt = fbc7a8d44951efe8f9a3bf6d029be077a14523e7

4. First Snapshot

Now we configured the basic setup so far. Let us take a snapshot for this before we test the local privilege escalation exploit. We will be able to go back to this state if something doesn’t work as we like or we broke the system. I wrote all the steps we did so far as a comment.

  • LAMP
  • Mail
  • Samba
  • OpenSSH - PermitRootLogin yes
  • root:rockit
  • cryalot:cry4moon
  • GCC
  • proof.txt = 7de08ccab8ef837d7041918bf6e890b13e728769
  • local.txt = fbc7a8d44951efe8f9a3bf6d029be077a14523e7

5. Privilege Escalation

We have to ensure that the people will be able to find this exploit we chosen before. I tested it with the kernel version of the vulnerable VM.

searchsploit linux kernel 3.13

And it works perfectly:

Let’s test this exploit. I used netcat to transfer the exploit.

Nice. Now you can revert the machine to the previous snapshot you created before to ensure that the execution of this exploit didn’t break anything for another execution. Let us create a further vulnerability to obtain root privileges. For this, I will create a simple BASH-script called .update.sh owned by root with full privileges.

echo “echo 'Updating...'; apt-get update -y &gt; /dev/null”
chmod 777 .update.sh

Also, I will configure the sudoers-file for the user “cryalot” to let him run only one command as sudo.

10

6. Second Snapshot

Here we can edit this script to execute a reverse shell and create our second snapshot.

7. Exploitation

Now comes the really interesting part. I chose the Samba server for the exploitation phase. It will be configured for Metasploit and manual exploitation. The Metasploit module for this will be the “is_known_pipename”.
Let us create a new sharing folder and edit the smb.conf:

cd /home/cryalot/
mkdir Sharing
chown cryalot:cryalot Sharing/
cd Sharing
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
nano /etc/samba/smb.conf

I added the following lines at the end of the file:
[Sharing]
comment = Sharing
path = /home/cryalot/Sharing
browseable = yes
guest ok = yes
writable = yes
create mask = 0644
directory mask = 0777

The configuration of the smb.conf then looks like the following:

11

Now we have to restart the Samba server test the configuration file for syntax errors:
service smbd restart
testparm

The “testparm” will show you which configurations are active for the Samba server. It should show all these lines we added to the smb.conf.

Now let us run “enum4linux” against this server to enumerate the new sharing folder:
enum4linux -S xxx.xxx.xxx.xxxx

12

And we want to check if the metasploit modules work too:

8. Third Snapshot

Nice. So everything works fine and we can create another snapshot for this VM.

9. Complexity

This was a really basic configuration. It should give you an idea of where to start and how to move on. You can make it much more complex. Add things like rabbit holes. Harder passwords. Add firewall rules to block nmap scans. Do whatever you like. It’s not important how hard the machine will be but it’s important what the people will learn from it!

A word about enumeration:
Make sure the people will be able to obtain the information to get into. That’s really important here. Test all the changes you did. For example, if there is a password file which is required to successfully exploit this machine but there is no way to read it for a beginner she/he will not be able to learn the things you want. Do all the enumeration steps and ensure you will be able to find the information.

Don’t forget to TRY HARDER. :wink:

Regards,
Cry0l1t3