After getting this fired up in VirtualBox, the first thing I did, and like to do, is run an nmap scan.

Huh, only http(s) ports open.


PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
443/tcp open   ssl/http Apache httpd

When first visiting the site, I found this in the index page's source code: `USER_IP='208.185.115.6'`. I was hung up on this for quite a while. I kept thinking I could get more access if my IP address matched this, but I finally moved on.

Next up, robots.txt

User-agent: *
fsocity.dic
key-1-of-3.txt

key 1 of 3
073403c8a58a1f80d943455fb30724b9

The first key, sweet! And a dictionary; the first thing I thought to do with this was to use it with dirb to find some secret directories/files. It found some things, like a zip file 'robot' which contained part of the site, but it was called 'robot.com'. Based on that I updated my hosts file, but it didn't make any difference.

After some time puzzling about this, I decided to try it in a dictionary attack (using the fsocity.dic) against 'wp-login.php', but what is the username? elliot! Damn! That was pretty simple actually. I finally bumped into the password in there, but it was towards the end.

Now that I'm into WordPress, I went straight for the theme editor. I chose to modify the '404.php' file in this case. I removed its current code and placed in a reverse shell from pentestmonkey, and with that I have access to the box and I'm in as the user 'daemon'. Not the greatest, but I have access. Now I had a look at the other users with cat /etc/passwd. After that I browsed the home directory and found that there are some interesting looking files in the 'robot' user's home directory.



In particular the password file, but it's MD5 encoded. In no time at all I have the password for the robot user and the 2nd key.

key 2
822c73956184f694993bede3eb39f959

Now I need to make my way to the root user. I can't use the same password to get there (sudo su), so I need to look for something else. There's nothing else really lying around that looks like it could be helpful. I thought, let me look for files with the setuid bit set for root:

find / -perm +4000



There were some interesting looking files that popped up here, and after some quick googling I was able to find an exploit for nmap. Let me see if it works...

nmap --interactive

followed by ! sh gives me root access.
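From the defender's side of this step, an added example (not from the writeup): audit the setuid-root binaries on a host against an allowlist, so an unexpected one like a setuid nmap stands out and can have the bit removed. The allowlist is an assumption for a minimal Debian-style host, and the sample find output is constructed.

```shell
#!/bin/sh
# Audit setuid binaries against an expected baseline (added example).
# Any interpreter, editor or network tool carrying the setuid bit is a
# direct path to root and should be flagged.

# Allowlist of setuid binaries expected on a minimal Debian-style host.
# This is an assumption; replace it with the real baseline of your build.
SUID_ALLOWLIST="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/umount"

# list_suid: enumerate setuid files on the live system. Same idea as the
# writeup's find; -perm -4000 is the portable spelling of the test.
list_suid() {
    find / -xdev -type f -perm -4000 2>/dev/null
}

# unexpected_suid: read one path per line on stdin and print every path
# that is not in the allowlist. Exact, whole-line matching avoids letting
# /usr/bin/sudo-like names slip through on a prefix match.
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$SUID_ALLOWLIST" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample of what find might return on a box like this one;
# only the nmap entry should be reported.
SAMPLE_SUID="/usr/bin/passwd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/bin/mount"

# On a live host: list_suid | unexpected_suid
```

Anything reported should be checked against the package that installed it and have the setuid bit dropped if it is not needed.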

Sweet! Let me grab the last key...

key 3
04787ddef27c3dee1ee161b21670b4e4

And I'm done here.


I had some time to play on the computer this weekend, so I decided that I would look into finding a CTF. After poking around reddit for a bit I finally remembered Vulnhub; how could I have forgotten? Anyhow, I found this challenge on the first page and thought it looked pretty interesting. Now let's take a look at solving it.

After booting it up on VirtualBox it shows the assigned IP address, perfect. Using that I started an nmap port scan: nmap 192.168.56.102 -O -sV -p- -T4. From this I can see a number of ports I can get to work on, and also the first flag!



I thought cockpit looked pretty interesting, so I tried looking at that first: another flag, but beyond that there doesn't really seem to be anything else to do there. From there I decided to go have a look at port 80; still nothing really there... bummer... but it's early still. Firing up dirbuster, I used the "directory-list-2.3-small.txt" list to search for directories. Pretty quickly robots.txt popped up; I could've kicked myself for not thinking to look if this existed on my own.



But oh well, it's here now and there's some very interesting looking stuff in there! Trying root_shell.cgi first, I find that it's under construction. Next up the tracertool.cgi; I immediately think that this looks juicy. It's pretty easy to combine commands, and I find out that it's running as the "apache" user, so writing anything useful to the server is out of the question. But I am able to list files; hmm, maybe I could get a list of users on the system? It turns out that someone has replaced the output of cat with an ASCII cat, which made me laugh. So I guess I'll have to use head, but this gets me what I was looking for, sweet!



By this time dirbuster showed that there's a directory called passwords, which looks pretty promising. And since directory listing is turned on, it's easy to see that there's another flag, and then, looking at the source of passwords.html, a password that's also a season (matching the summer username). Could it be?
Sure enough, I am able to log right in as the Summer user.



At this point I started poking around the other users' home directories. The safe executable (in RickSanchez's directory) looks pretty interesting, so I copied it back to Summer's home directory. But I can't find anything useful. I tried supplying various command line arguments, but I wasn't getting anywhere.
So I moved over to Morty's directory; there are a few interesting looking things in here. I copied the "journal.txt.zip" to Summer's home directory and tried to unzip it, but it needs a password. So I move back over and start poking at the "Safe_Password.jpg". My first thought was to run strings on it, but strings isn't installed on the server. So I end up just executing "more" against it. Turns out I was pretty lucky not to have strings available; I would've been banging my head against the wall a while longer.



After unzipping the journal I find another flag and the command line argument that needs to be supplied to the safe executable. Sweet! Another flag and hints on how Rick's password is set up.



I'm not familiar with Rick & Morty, so I had to look up the "old band name". It's called "The Flesh Curtains". So, throwing together a quick script to build a list of passwords and then using hydra to run through the list, I was able to find Rick's password.

After logging into Rick's account I started thinking what root's password would be, but then I remembered that it said "sudo is wheely good" in the output of safe. Based on that I tried "sudo su" and was able to get root! In the root directory I find another flag. Awesome, but I missed some flags along the way... because I only have 110 points even though I have root.

Going back for the missed flags

I didn't even bother with port 60000 before; I just so happened to choose the right path and kept finding useful information, so I kept going with it. But in order to collect the missing flags I telnet to the port and was able to cat the FLAG.txt, which is great, but I'm still 10 points away. While I was in there I decided to poke around some more just to make sure I didn't miss an easier path to root; I concluded that I didn't really miss anything by not going that way before.

On to the next flag... maybe try the ftp port? But Kali doesn't have ftp installed by default, and I have it set to a host-only network connection and I'm feeling lazy about rebooting just to install it, especially at this point. But I had root already, so I decided to just run a find for files with the name of flag, and I see one under "/var/ftp"; the final flag!
