Mr Robot - vulnhub write up

After getting this fired up in VirtualBox, the first thing I did (and the first thing I like to do) was run an nmap scan.

Huh, only the HTTP(S) ports are open.


PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
443/tcp open   ssl/http Apache httpd

When first visiting the site, I found this in the index page source:
`USER_IP='208.185.115.6'`
I was hung up on this for quite a while. I kept thinking I could get more access if my IP address matched it, but I finally moved on.

Next up, robots.txt

User-agent: *
fsocity.dic
key-1-of-3.txt

key 1 of 3
073403c8a58a1f80d943455fb30724b9

The first key, sweet! And a dictionary. The first thing I thought to do with it was feed it to dirb to find hidden directories and files. It found some things, like a zip file 'robot' containing part of the site, except the site inside was named 'robot.com'. Based on that I added an entry to my hosts file, but it made no difference.

After some time puzzling over this, I decided to use it for a dictionary attack (with fsocity.dic as the wordlist) against 'wp-login.php'. But what is the username? elliot! Damn! That was pretty simple actually; WordPress's login error tells you whether the username exists or only the password is wrong, so the name is confirmed before a single password is tried. I finally bumped into the password, but it was towards the end of the list.

Now that I'm into WordPress, I went straight for the theme editor. I chose to modify the '404.php' file: I removed its current code and pasted in the PHP reverse shell from pentestmonkey, and with that I have a shell on the box as the user 'daemon'. Not the greatest, but I have access. Next I had a look at the other users (cat /etc/passwd), then browsed the home directories and found some interesting-looking files in the 'robot' user's home directory.



In particular the password file, but it holds an unsalted MD5 hash (hashed, not encoded, so it has to be cracked rather than decoded). In no time at all I have the password for the robot user and the 2nd key.

key 2
822c73956184f694993bede3eb39f959

Now I need to make my way to root. I can't use the same password to get there (sudo su), so I need to look for something else. Nothing else lying around looks like it could be helpful, so I thought: let me look for files with the setuid bit set and owned by root.

find / -perm +4000

(That `+4000` form is the old GNU find syntax; this box accepts it, but current findutils rejects it, so on a newer system use `find / -perm -4000 -user root -type f 2>/dev/null`.)



Some interesting-looking files popped up here, and after some quick googling I found that nmap's old interactive mode lets you run shell commands, which keeps the root privileges from the setuid binary. Let me see if it works...

nmap --interactive

followed by `!sh` gives me a root shell. (This only works on old nmap builds like the one on this box; interactive mode exists in nmap 2.02 through 5.21 and was removed in 5.35DC1.)

Sweet! Let me grab the last key...

key 3
04787ddef27c3dee1ee161b21670b4e4

And I'm done here.


Vulnhub - RickdiculouslyEasy: 1

I had some time to play on the computer this weekend, so I decided to look for a CTF. After poking around reddit for a bit I finally remembered Vulnhub; how could I have forgotten? Anyhow, I found this challenge on the first page and thought it looked pretty interesting. Now let's take a look at solving it.

After booting it up in VirtualBox it shows the assigned IP address, perfect. Using that I started an nmap port scan: nmap 192.168.56.102 -O -sV -p- -T4. From this I can see a number of ports to get to work on, and also the first flag!



I thought Cockpit looked pretty interesting so I tried that first: another flag, but beyond that there doesn't really seem to be anything else to do there. From there I went to have a look at port 80; still nothing really there... bummer... but it's early still. Firing up DirBuster with the "directory-list-2.3-small.txt" list to search for directories, robots.txt popped up pretty quickly. I could have kicked myself for not thinking to check for it on my own.



But oh well, it's here now and there's some very interesting-looking stuff in there! Trying root_shell.cgi first, I find that it's under construction. Next up is tracertool.cgi, which immediately looks juicy. It's pretty easy to chain extra commands onto the traceroute target (plain command injection), and I find out it runs as the "apache" user, so writing anything useful to the server is out of the question. But I am able to list files, so maybe I could get a list of users on the system? It turns out that someone has replaced cat with an ASCII-art cat, which made me laugh. So I have to use head instead, but that gets me what I was looking for. Sweet!



By this time DirBuster showed a directory called passwords, which looks pretty promising. Since directory listing is turned on, it's easy to see another flag, and the source of passwords.html holds a password that is also a season (matching the Summer username). Could it be?
Sure enough, I'm able to log right in as the Summer user.



At this point I started poking around the other users' home directories. The safe executable (in RickSanchez's directory) looks pretty interesting, so I copied it back to Summer's home directory. But I can't find anything useful; I tried supplying various command-line arguments but wasn't getting anywhere.
So I moved over to Morty's directory, where there are a few interesting-looking things. I copied "journal.txt.zip" to Summer's home directory and tried to unzip it, but it needs a password. So I moved back and started poking at "Safe_Password.jpg". My first thought was to run strings on it, but strings isn't installed on the server, so I ended up just running "more" against it. Turns out I was pretty lucky not to have strings available; I would have been banging my head against the wall a while longer.



After unzipping the journal I find another flag and the command-line argument the safe executable needs. Sweet! Running the safe with it gives another flag and hints about how Rick's password is set up.



I'm not familiar with Rick & Morty so I had to look up the "old band name". It's "The Flesh Curtains". So, throwing together a quick script to build a list of candidate passwords and then running hydra through the list, I was able to find Rick's password.

After logging into Rick's account I started thinking about what root's password would be, but then I remembered that the output of safe said "sudo is wheely good". Based on that I tried "sudo su" and got root! In root's directory I find another flag. Awesome, but I missed some flags along the way, because I only have 110 points even though I have root.

Going back for the missed flags

I didn't even bother with port 60000 before; I just happened to choose the right path and kept finding useful information, so I kept going with it. But to collect the missing flags I telnet to the port and am able to cat FLAG.txt, which is great, but I'm still 10 points short. While I was in there I poked around some more just to make sure I hadn't missed an easier path to root; I concluded that I didn't really miss anything by not going that way earlier.

On to the next flag... maybe try the FTP port? But Kali doesn't have ftp installed by default, I have it set to a host-only network connection, and I'm feeling lazy about rebooting just to install it, especially at this point. But I already had root, so I just ran a find for files named flag, and I see one under "/var/ftp": the final flag!


Protonmail Dark Pattern?

I remember when Bing used to do this on their mobile site: it would load, then just as I went to tap the search box to focus the cursor, an ad for their mobile app would pop in. Then I would have to close out of the Play Store and get back to actually searching.
Now it seems that ProtonMail is doing something similar: I navigate to their mobile site and wait for it to load. Once it's loaded I go to tap the menu icon, and just before I do, the pop-in for their app appears and again off to the Play Store I go.

Oh, that's shady.
I'm not sure, though: is this considered a dark pattern? But whatever it is, does it actually end up benefiting them? Do more people end up installing their app? And if more people do install it, what is the benefit for them? Is it to save bandwidth, or are they able to track their users more closely? If it's the latter, why would a company built on privacy and security want or need more information about its users?


Popunders In The Wild Technical Analysis

A more in-depth look at what I did when checking out the PornHub popunder. I don't know that I went about things in the right manner, but it's what I did. Also, I want to note that I did all the analysis in an Ubuntu VirtualBox VM with Chrome installed.
First, I opened the site and clicked around until I experienced a popunder. That didn't take long, but I noticed it wasn't showing me another one. At this point I knew that they were somehow tracking that one had already been shown. So I went to look at the cookies, but noticed they were keeping things in localStorage instead. I reset those values, tried browsing again, and sure enough, another popunder. I repeated this a couple more times just to see if anything would change, but everything stayed the same.
At this point I decided to start digging into the source to see what I could find. Right away I saw this juicy-looking bit at the top:
var puTargetURLvalue = localStorage.getItem('puTargetURL');
But I didn't see anywhere it was used right away, plus I still needed to find where the other 2 localStorage variables were set. So I started poking around at the scripts, but there were 24 of them in total. That seemed like a lot and not something I wanted to dig through manually, so I wrote a quick Python script using BeautifulSoup to download all the JavaScript. With all the scripts stored locally I could search through them easily, and I quickly found where everything was being set and used. I didn't really want to keep clicking around PornHub, so I began building a little sandbox with these scripts. I'm going to go over this process now.
As I mentioned searching for puTargetURL above, I'll keep searching for it now. To do this I ran the following in the same directory as all the scripts:
grep -rnw '.' -e 'puTargetURL'
[screenshot: grep output, hits in application.js]
From the output I can see I should start with application.js. It was minified, so I took some time to make it more readable. I tried a couple of beautification tools but none of them seemed able to handle it; I ended up with a lot of errors each time. Anyway, after making it more readable I saw an init function, initPopUnderLinks, that looked interesting and that I wanted to look for next; but first I wanted to finish looking at the rest of this file.
From the screenshot there are a few interesting things. The first I noticed were the classes where the popunder click event gets attached. At this point I can start creating my sandbox HTML: divs with the following classes (.menuSection, .videoWrapper, .logoWrapper, .pagination), each containing a link. And then, oh! I totally missed it: a Math.ceil call. What exactly is it doing? It checks whether the pop_under_initial_date localStorage variable is already set and, if so, how long ago. If it was set more than 28800 ago they will show us another popunder; 28800 seconds is 8 hours (28800 milliseconds would be under half a minute, so it must be counting seconds, unless I'm confused).
One last thing to note here, which I didn't realize until later: the addEventHandler function wraps addEventListener. In this case it gets passed 2 parameters, the element it should listen on and the event it should listen for.
So now let me look for the init function in the other files and hopefully get a better feel for what's going on.
grep -rnw '.' -e 'initPopUnderLinks'
Running this I see that the function is called from footer.js. Looking through this file, a lot of information is stored in varObj_footer, so I'll make a note to look at that later.
[screenshot: footer.js]
I guess I don't fully understand exactly what they're doing here, but they seem to check whether the browser supports localStorage and then call the 2 init functions from application.js, which add the listeners if needed.
Before continuing to set up my sandbox page, I decided to have another look at the PornHub page for the varObj_footer object.
Looking at it, it seemed pretty interesting, and that trafficJunkyurl sitting down there looked suspect; maybe I should look for where it gets used.
grep -rnw '.' -e 'trafficJunkyurl'
[screenshot: grep hit in popunder-build.js]
Hmm, popunder-build.js, why hadn't I noticed that before? Anyway, it builds the URL that will open in the popunder tab. Now it's time: let me finish building the sandbox page and see if it works.
Let me recap my sandbox page. I need the divs with the classes specified in application.js. I'll need jQuery (2.0.3 is what they're using), jquery.cookie, and mg_utils, which the page uses to check the browser and to set the event listeners. Finally I'll need application.js, popunder-build.js, and footer.js.
At this point I'm feeling pretty good that I have something testable, but nervous that it won't work at all. So I open it in the browser and, oh no, the console complains about a missing function, isAndroid. What? Where did I miss that? I go back and have a quick look for it but can't find any obvious sign of it anywhere. At this point I just want to get it working, so I decide to fake it: I see that mg_utils returns a boolean via MG_Utils.browser.isAndroidMobileDevice, so I quickly wrap that in a function called isAndroid and move on. Finally here :-D First click (tap) and everything goes according to plan, well... almost. The new tab didn't redirect; it just stayed on the same page as the original tab. What did I miss this time? Oh yeah, that bit of JavaScript from the very beginning. I put that at the top of my sandbox page, clear the localStorage variables and try again. Awesome! Everything is working, so now I'm ready to dig into what's actually happening.
For this part, I know that I'm looking for click events. So I used Chrome DevTools to set an event listener breakpoint (on the Sources tab, look for Event Listener Breakpoints) on click events; with this set, Chrome automatically pauses execution whenever one of these events fires. So now let me try this again.
[screenshot: event listener breakpoints, mouse events]
This time I can see that it pauses in application.js at line 1, column 782 (I decided to use the minified version for testing). The script checks that it hasn't already shown me a popunder, and in this case it hasn't, so it continues on and checks the browser and phone type again. I have it set to Chrome on Android, so it continues to the else clause: it stores the current window location in o, then opens a new window and stores that in t. It sets the location of the new tab to the current location of the original tab. Next it updates the original tab's location to the trafficJunky URL, using some regex to reassemble the URL from its stored format. Finally the localStorage variable puTargetURL, set earlier, is used to redirect the new tab to the page the user (me in this case) actually wanted; it uses the bit of JavaScript I showed at the beginning of the post, running in the new tab itself, since that redirect can't be done from the original tab.
[screenshot: the else clause]

Conclusion

In conclusion, the whole thing is really simple in operation, if very annoying. Still, whoever came up with this is ridiculously clever and I'm impressed they were able to come up with it. I also see parts of application.js looking for Firefox. That code looks much simpler, but I think I'll take the time to check it out and see exactly how it works. I don't know if that will be worthy of a post though.

Super Minimal Example

I set up a very stripped-down version that uses these concepts; it works on Chrome 61.0.3163.100 for Linux (I was running on Ubuntu). Feel free to check out the minimal demo code here.
I hope everyone found this useful, and if you happen to have answers to my questions above, or just know of a better way to go about this, please let me know in the comments below or by any other contact method. I'd really appreciate it.


Finding Popunders In The Wild

What better place to find shady practices that wouldn't be tolerated on more mainstream websites than porn sites? In this case we'll check out PornHub and how they use popunders to display ads that may lead to malware. In the cases I found during my research it led to an Android app; I haven't yet finished my analysis of the app. Also of note, I only looked at the mobile site, using Chrome on Android. This also seems to happen on the full-size site, but from my very brief look it uses a different method, which looks more like the one in the LiveOverflow Chrome 60 reverse engineering video.

Let's take a closer look at what happens in the mobile version of the site.

  • First it looks at the user agent and checks if it's Chrome; from there it checks whether it's on Android mobile.
  • They attach the click listener to the links in four different elements of the page. These happen to be the places where someone would tap to navigate the site or to watch a video.
  • After the link is clicked, the popunder code fires and sets a localStorage variable "puTargetURL" that records where the user was going.
  • Next it opens a new tab and sends it to the path stored in the variable from the step above.
  • Meanwhile, underneath, the original tab is sent to an ad URL stored in varObj_footer.trafficJunkyurl.
    • This is the page I was describing in the introduction that, when clicked on, sent me to a suspicious-looking Android app. People can also be seen asking about these ads on reddit; the pages claim there is illegal material on your phone or computer and that the FBI or some other agency is on the way to arrest you for it unless you use their app to remove it immediately.
  • If the user was navigating to a new page they might not notice anything, because it happens so fast. However, if the user was going to play a video they might notice something isn't right, because they'll have to tap the play button again.
  • They seem to only show the popunder once per session, which they track by setting a couple of localStorage variables.
  • After a popunder is shown, 2 new localStorage variables are set:
    • pop_under_already_shown - a boolean value
    • pop_under_initial_date - the date in the form "Fri Oct 06 2017 08:30:47 GMT-0400 (EDT)"
If you were expecting a more in-depth technical analysis, I apologize. I did really dig into the code to find out what was going on, but nothing was obfuscated, so it was relatively straightforward. During this analysis I did stumble on some obfuscated code, so I will probably check that out next. I found a post saying that rarbg[.]to also has popunders, so I might give that a look too.

