Covfefe – CTF Hacking Challenge Walkthrough

Covfefe is available at VulnHub. This machine is for beginners, if you’re new to pen-testing, you’ll learn some great enumeration & cracking skills. Getting the first shell is easy but you must have at least basic knowledge of buffer overflows to get root.

I’ll be using Parrot Security OS throughout the Walkthrough but you can use Kali Linux or any other distro you want.

Turn on the machine and use netdiscover to find the machine on your network

sudo netdiscover -i wlan0 -r 192.168.8.1/24

 

Now register this IP address (192.168.8.153) in your DNS configuration file “/etc/hosts”. Enter

sudo nano /etc/hosts

and then add the following line

192.168.8.153      covfefe.local

You can use this domain name instead of IP address. Now run a full Nmap scan

nmap -p- covfefe.local

 

We found one SSH port open and two HTTP Servers running. We’ll first check the Web Server on port 80.

Nothing in the source code. Now check the robots.txt file, it doesn’t exist. Our last try is to brute-force some directories. I’ll be using gobuster but you can use dirb or any other tool. Run the following command,

gobuster -u http://covfefe.local:80 -w /usr/share/wordlists/dirb/common.txt -e

 

Nothing here. Our next option is to enumerate the second web server. Now check the robots.txt file.

 

“/.bashrc” and “.profile” have nothing useful but “/taxes” has our first flag

 

 

Now we’ll brute-force directories. Enter the following command in the terminal,

gobuster -u http://covfefe.local:31337 -w /usr/share/wordlists/dirb/common.txt -e

 

There’s nothing in “/.bash_history”, “/.bashrc” and “/.profile”, but “/.ssh” may contain some login keys. The file “id_rsa.pub” in “/.ssh” directory contains Public SSH Key for user “simon”. Just download the file using curl,

curl http://covfefe.local:31337/.ssh/id_rsa.pub > publickeys

 

Now download the private key “id_rsa” and attempt an SSH login.

 

First, you’ll have to change file permissions. Then attempt an SSH login, unfortunately it says the file is encrypted. Next, we’ll brute-force the encrypted file using John The Ripper. Run the following

ssh2john privatekey > private.john
john --format=SSH private.john --wordlist /usr/share/wordlists/rockyou.txt

 

As you can see, we successfully cracked the password. Now, time to log in and perform some “Post-Exploitation”.

 

Checking the “/root” directory reveals a flag and a C code file.

 

We don’t have sufficient permissions to read flag.txt, but we can read and run the file “read_message.c”. In the source code, we get our second flag and some vulnerable looking code.

 

Here comes the Buffer Overflow part. As you can see from line No.10, it allocates 20 bytes for the buf[20] string. This line is the main cause of Buffer Overflow. When you provide input of more than 20 characters, the buffer will overflow. We can change the flow of the buffer. After entering the name “Simon”, we’ll give it garbage input until 20 characters, then we’ll change the flow of the program to “/bin/sh”. This will cause to run BASH as root.

 

And finally we’re ROOT!!

Want to learn more about ethical hacking?

We have a  networking hacking course that is of a similar level to OSCP, get an exclusive 95% discount HERE

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients