Nmap Lab 102

Very Easy | Updated 08 Feb 2026 | Free Access | Solution Available

Start the machine, hack the system and find the hidden flags to complete this challenge and earn points!

Flags: 2
Points: 10
Success Rate: 52%
This solution is for Flags Mode

This guide explains how to hack the lab and capture the flags. For help with the Learning Mode questions, use the Request Hint button next to each question.

Learning Lab 102 - Walkthrough

A step-by-step guide to solving the challenge and capturing the flags.

Challenge Overview

This challenge simulates a real-world scenario where you'll exploit vulnerabilities in a Linux system.

  • Platform: HackerDna
  • Challenge Name: Learning Lab 102
  • Target IP: Provided in your challenge environment
  • Objective: Capture two flags:
    • User Flag: Located in /home/user/flag-user.txt
    • Root Flag: Located in /root/flag-root.txt

Step 1: Reconnaissance with Nmap

Why Use Nmap? Nmap helps identify open ports and services on the target machine, revealing potential entry points.

Installing Nmap (if not already installed)

  • Linux: Run the following command:
    sudo apt update && sudo apt install nmap -y
  • Windows: Download and install from the Nmap Download Page.
  • macOS: Use Homebrew:
    brew install nmap

Running Nmap

Use Nmap to scan the target IP:

nmap -sV -Pn <target-ip>

Command Explanation:

  • -sV: Probes open ports to determine service/version info
  • -Pn: Treats all hosts as online, skipping host discovery

 

Expected Output:

PORT   STATE SERVICE VERSION
23/tcp open  telnet

Analysis: This output indicates that port 23 is open and running Telnet, a potential entry point.

Step 2: Connecting via Telnet

Why Try Telnet? With port 23 open, we can attempt to establish a connection. Telnet is insecure by design: it transmits all data, including credentials, in plaintext.

Connect using:

telnet <target-ip>

You may notice that no password is required to log in as "user". The prompt might look like this:

login: user
Welcome to Learning Lab 102!
$

Security Implication: The lack of password authentication indicates a significant security weakness.

Step 3: Locating the User Flag

In Unix-like systems, user files are typically stored in their home directory. Check the contents of /home/user/:

ls /home/user/

Look for a file named "flag-user.txt". To view its contents, use:

cat /home/user/flag-user.txt

The output will be the user flag. Make sure to note it down.

Step 4: Privilege Escalation

To access root-level files, we need to escalate our privileges. Try switching to the root user:

su root

Deduction Process: In real-world scenarios, we might try common or default passwords. Here, try using "root" as the password.

If successful, your prompt will change to:

#

Security Implication: Weak or default root passwords are a critical vulnerability in any system.

Step 5: Capturing the Root Flag

The root user's files are typically in /root/. List the directory contents:

ls /root/

Look for "flag-root.txt". View its contents with:

cat /root/flag-root.txt

The output will be the root flag. Make sure to capture this flag.

Key Takeaways

  • Always start with thorough reconnaissance to identify potential vulnerabilities.
  • Be aware that default or weak credentials are common security flaws.
  • Understanding system file structures is crucial for efficient information gathering.
  • Privilege escalation often exploits misconfigurations or weak password policies.

Real-World Implications: While this challenge uses simplified scenarios, similar vulnerabilities can exist in poorly secured systems. Always prioritize robust security practices in real environments.
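
A defender-side check for the two weaknesses this walkthrough relies on, a Telnet listener on port 23 and an account with no password set. This is an added example, not part of the original walkthrough; the function names are hypothetical and the sample shadow and ss lines are constructed.

```sh
#!/bin/sh
# Added example (not from the lab): flag the two weaknesses the walkthrough uses.

# Accounts whose shadow(5) password field is empty, i.e. no password is set.
# Whether login then succeeds also depends on PAM (pam_unix "nullok").
empty_password_accounts() {
    awk -F: '$1 !~ /^#/ && NF >= 2 && $2 == "" { print $1 }'
}

# Listening TCP sockets on port 23. Assumes `ss -tln` layout, where column 1
# is the state and column 4 is Local Address:Port.
telnet_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /:23$/ { print $4 }'
}

# Print findings; return 0 only when the host is clean on both checks.
# $1 = shadow text, $2 = ss output
audit() {
    users=$(printf '%s\n' "$1" | empty_password_accounts)
    ports=$(printf '%s\n' "$2" | telnet_listeners)
    if [ -n "$users" ]; then
        printf '%s\n' "$users" | sed 's/^/FINDING empty password: /'
    fi
    if [ -n "$ports" ]; then
        printf '%s\n' "$ports" | sed 's/^/FINDING telnet listener: /'
    fi
    [ -z "$users$ports" ]
}

# Constructed sample inputs. On a real host, as root:
#   audit "$(cat /etc/shadow)" "$(ss -tln)"
SAMPLE_SHADOW='root:$6$CONSTRUCTED$placeholder:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
user::19000:0:99999:7:::'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
LISTEN 0      128    0.0.0.0:2323       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

audit "$SAMPLE_SHADOW" "$SAMPLE_SS" || echo "hardening check failed"
```

Locked accounts (a `!` or `*` in the password field) are not reported, only fields that are genuinely empty.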
