Monday, June 6, 2016

Sidney 0.2

Hello World. Today i am going to be offering up a guide to completing the Sidney 0.2 VM hosted on VulnHub. The VM was produced by @knightmare2600


Welcome to my third boot2root / CTF this one is called Sidney. The VM is set to grab a DHCP lease on boot. As before, gaining root is not the end of this VM. You will need to snag the flag, and being me, it's never where they normally live... B-)
If you are having trouble with the NIC, make sure the adapter is set to use the MAC 00:0C:29:50:14:56
Some hints for you:
  • If you are hitting a wall, read
  • The flag is audio as well as visual
SHA1SUM: 114ABA151B77A028AA5CFDAE66D3AEC6EAF0751A sidney.ova
Many thanks to Rasta_Mouse and GKNSB for testing this CTF.
Special thanks and shout-outs go to GKNSB and Rasta_Mouse, hopefully he streams this one live too! Also a shout-out to g0tmi1k for #vulnhub and offering to host my third CTF.

Here We Go:
1. Host Discovery
2. Service Enumeration

Host Discovery:

Discovery of the IP: netdiscover -r

Our target is

Service Enumeration:
Now that we have our target ( we can use nmap to discover any running services.
NOTE: nmap could have also been used to discover the host also, but i like using netdiscover purely to speed up the process

Hmm only 80 open. Looks like we will be looking for LFI/RFI or a file upload to drop a malicious php script containing either command injection or reverse shell.
Nikto to the rescue:
Using nikto.... nikto -host
Relatively standard information. We note Apache 2.4.18 and we move on. dirb/dirbuster to the rescue.
Personally i always run a dirb with the defaults. When needed i will run a dirbuster with the /usr/share/wordlist/dirbuster/directory-list-2.3-medium.txt
After running dirb -host
Yikes... not much going on here. Time to pull up the site and see what we are working with. I am still going to hold off on dirbuster for now (i love trying to look at the html/css and figure out other directories/pages first)

 "Give Ben Daglish a call. I'm sure he's know the login B-)" I will add Ben Daglish to my notes as I smell some OSNIT (Open-source Intelligence) coming up.
Viewing the source we are presented with the following:

Sweet the location of the image is in a folder named commodore64. Wonder if that folder has directory listing enabled... directory browsing. but we are greeted by a Commodore64 gif and a message... the source tells us...

We have a second name: "robhubbard" and a clue as to the password:
"password is the C=64 sound chip lowercase...3letters4digits no space..."

geez....might as well just write the password....or so i thought... So i went off and used wikipedia (based on the search results for "c=64 sound chip")...long story short i found chips with the prefix of sid and mod...

Which is great and all... but where the hell is a login screen? Before i use dirbuster on the commodore64 folder i decide to try and figure out what im dealing with... attempting index.php displays...

A login were we looking at before...using just index without a suffix returns us to the commodore64 gif...hmm...
Anyhow, PHPFM...the hell is that... after a quick search we can see that PHPFM is a php based filemanager (uploading a php revshell is looking pretty promising).

Using sqlmap -u "" --forms: yielded no results. damn...
Ok so what we know already from discovery is that Ben Daglish knows the login. and an assumed user "robhubbard" who seems very willing to give up a password.
Time to make a brute forcer using python:

NOTE: You can also use a proxy like BurpSuite (specifically intruder) to attack the form. But i am a coder at heart...and it always seems much more gratifying to create a tool to accomplish a task.

Running python

NOTE: Using the bruteforcer too much had caused the Sidney VM (atleast on my machine) to have some funky errors. (Session was not stored properly upon logging on and i had to reset the VM to get it to function correctly again)

Judging by the output the length of the page increased from 1840/1841 to 18438 think we got a hit on:

username: robhubbard
password: mos6518

Trying robhubbard/mos6518 we are authenticated into the PHPFM site.
 ooooo...."Upload Files" looks pretty sweet.
Time to use a PHP Reverse shell that i found from

The reverse shell uploaded without an issue... i figured the site would have fought me alittle more but, hey, thats probably why ive never heard of PHPFM lol..
Anyhow, firing up a netcat listener on port 666( nc -lvp 666) and visiting the revshell.php that i uploaded i get a reverse shell. w00t!

NOTE: I have modified the payload to be executed slightly to make it display the id/whoami/cat etc/passwd upon connection

The output from the cat /etc/passwd shows us that the 2 users of the system are root and rhubbard .... Wait.... as in robhubbard? Wonder if the doofus is using the same password. Before we can attempt a su (attempting a su robhubbard at this stage gives us a "su: must be run from a terminal" error), we must get a different shell easy enough. We will use a jailbreak trick found on g0tmi1k's blog python -c "import pty;pty.spawn('/bin/bash');"

Using python -c "import pty;pty.spawn('/bin/bash');" results in a "/bin/sh: 2: python: not found" error...python is missing.. hrmmm... I decide to go looking to see whats up with python.
hmmm. can i replace python with python3.5? Sure can.

Ok... now lets see if numbnuts uses the same password. using "su rhubbard" and "mos6518" as the password we successfully switch users to rhubbard...

Can we get lucky with sudo? sudo -l results in the following:

rhubbard has the permissions to run any and everything as root. Lets get our root permissions using sudo su

Lets get our flag.
I forgot @knightmare2600 said we need to work to get the flag...
As you can see we are presented with a hint.gif and a hidden folder called .commedore64. I will skip the hint for now and traverse the .commodore64 path.

using CP i was able to copy the to /var/www/html and get the zip file on my local. Of course it is password protected so using fcrackzip we get the following output

Sweet so we have a flag.d64 now which can be run with an emulator.

NOTE: I am lazy ATM so i will not attempt to get the emulator working. but doing a strings on the file tells me everything i need to know.

Awesome VM from @knightmare2600 and a special thanks to VulnHub for hosting it.

No comments:

Post a Comment