Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

64Base: 1.0.1

Location

https://download.vulnhub.com/64base/64Base_3mrgnc3.ova

Introduction

Author: @3mrgnc3
This is the first public Boot2Root of this author. It’s intended to be more of a fun game than a serious hacking challenge. It is based on the Star Wars storyline and is designed to troll you in a fun way. Before starting, there is a friendly warning that it is littered with more than a few “Red Herrings”.
The difficulty rating is beginner – intermediate.
The main goal is to capture 6 flags, each in the format of flag1{ZXhhbXBsZSBmbGFnCg==}.

Getting started

Starting with an nmap scan.

Looks like the website has a ‘robots.txt’, the SSH server is behind an alternate port and 2 ports are tcpwrapped. Let’s start with some banner grabbing.

A login from the future. 010.101.010.001... binary perhaps? Read as binary it gives 2521. Another port? After a while I conclude there is nothing here and I get my first taste of some trolling.

Port 80 seems ok. Nothing special here.

Nice banner.

And no banner with the SSH server.
On to the webserver.
When I browse to the website I spot a string that looks like base64.

Looks like I find the first ‘beginners hint’ LOL. In the source code I find a string that looks like hex. Time for another round of decoding.

Got my first flag, which could also be a set of credentials for further down the road.
When I look at the rest of the pages I notice some randomly placed words with indentation. When I collect these words and put them after each other, they form:
everybody with must die
With what? There wasn’t another word with the same indentation. So for now I move on.
On the /post.html page there is a cool ASCII art poster with an interesting bottom.

A ‘real Imperial-Class BountyHunter’? Maybe a hint for changing my user-agent?
The rest of the pages didn’t look like they had something of value.
Next is the ‘robots.txt’. It’s a big list and from the looks of it, most pages are empty. To make things a bit easier I copy the list from ‘robots.txt’ and paste it into a file. With the ‘cut’ command I remove the first 11 chars and run the file through wfuzz to eliminate the useless pages. As a result I get 2 pages that seem to be worth investigating.

But after checking the complete result of the wfuzz scan I noticed that there were a lot of 404s (that’s why I filtered them in the first place). But why would there be 404 errors for entries in a ‘robots.txt’ list? I re-run wfuzz, but this time focusing on the 404 errors.

(Another way of doing this was to spider the site with burpsuite. Should give a similar result.)
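The robots.txt-to-wordlist-to-status-code procedure above, as an added Python example rather than the post's own commands. The robots.txt content and the base URL are constructed samples; http_status uses only the standard library, and the fetch function is injectable so the grouping can be exercised without a target.

```python
from collections import defaultdict
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed robots.txt in the shape of the one on the box (the real list is far longer).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /Imperial-Class/   # trailing comments must not end up in the wordlist
Disallow: /ghost-page-1.html
Disallow: /ghost-page-2.html
Disallow:
"""

def disallowed_paths(robots_txt: str) -> list:
    """Return the path of every Disallow line: the same job as `cut -c12-` on the box,
    but tolerant of comments, blank entries, odd spacing and duplicates."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.lower().startswith("disallow:"):
            continue
        path = line.split(":", 1)[1].strip()
        if path and path not in paths:
            paths.append(path)
    return paths

def http_status(url: str, user_agent: str = "Mozilla/5.0") -> int:
    """Fetch one URL and return its status code. urlopen raises on 4xx/5xx, so the
    HTTPError branch is what turns a 404 into a value we can group on."""
    request = Request(url, headers={"User-Agent": user_agent})
    try:
        with urlopen(request, timeout=5) as response:
            return response.status
    except HTTPError as err:
        return err.code
    except URLError:
        return 0  # connection-level failure, reported as status 0

def group_by_status(base_url: str, paths: list, fetch=http_status) -> dict:
    """Map status code -> paths. Both views from the post come out of one pass:
    hide the 404s (like wfuzz --hc 404) or look only at them (--sc 404)."""
    groups = defaultdict(list)
    for path in paths:
        groups[fetch(base_url.rstrip("/") + path)].append(path)
    return dict(groups)
```

Calling `group_by_status("http://TARGET", disallowed_paths(open("robots.txt").read()))` against a live box gives the full breakdown; the 404 bucket is the one the post went back to.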
Because I’m getting nowhere with the 404 results, I start with the found admin site. Maybe the clues and credentials I collected earlier will pay off.

I used the credentials from flag1, but that didn’t work. So I tried it again, but this time with the clue about being an Imperial-Class BountyHunter. After I changed my user-agent and tried to log in again it still wouldn’t let me in. Guess I was missing something.
Being stuck at the moment, I went over my notes and after a while (a long while) I noticed that the word Imperial-Class in the clue and in the ‘robots.txt’ list were spelled slightly differently. It was a difference of just 1 letter – lower case / upper case.
With the use of cURL I checked the folder ‘/Imperial-Class/’ and this time I got more information.

Another login site. The found credentials worked just fine.

Checking the source code it seems I was still missing something.

To help me with my search I used cewl to create a wordlist from all the words on the main site and ran it through dirb.

As the comment said... wow.

When I check the source code of ‘/login.php/’ I get some additional information.

3 hex strings.

Each looks like one part of the entire string. After I put them together I got the second flag.

Time for some videos on YouTube.

Darth Vader belching... didn’t see that one coming. Nice way of saying I need to use burpsuite.
When I login with the same credentials as before I get the third flag.


The decoded content of the third flag looked like something I’ve already seen in a previous hint
(IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377).

And there is the fourth flag thanks to remote code execution.
flag4{64base:64base5h377}
Looks like more credentials.
There are a few commands I can execute, like ps, netstat and ls. This way I can get some information about the system.

When I try to use netcat I get another troll.

Later on I found out there was another command I could use, namely wget.
With this command I tried to upload a test file onto the machine. But that didn’t work out so well. After a while it was clear that there was a filter in place. But what kind, I didn’t know... yet.
Because the ‘f’ parameter could run several functions (e.g. exec, system), I tried the function ‘var_dump’. This function is used to display structured information about variables. With it I can hopefully find out what chars are being filtered.


Bummer. Looks like all the chars I used got filtered. I need to find a bypass. The only char that isn’t filtered is the ‘|’ (pipe) char. And because it looks like I’m stuck inside this ’64base’ binary, I need to break out and execute the ‘wget’ command to upload a file to the remote system.

When trying the ‘uname’ command it wouldn’t work because I was trapped in the 64base file. But because the pipe char wasn’t being filtered I could try to use it to get myself out, and with success.

Now to upload a reverse shell script onto the machine. For this I used the reverse shell script from pentestmonkey. After uploading it to the system and running it I got a shell.

Found the troll from earlier.
And when using the more command I get trolled again 🙂

After some more searching I found flag number 5.

A picture. I could try to download it to my machine, but instead I use strings and find a big string at the top that looks like hex. After some decoding I get base64, and when I decode that I get an RSA private key.
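The decoding chain used throughout the post (hex in the page source, base64 inside the flagN{...} tokens, and finally the hex-wrapped base64 that hides the RSA key) as an added Python example, not code from the original post. The PEM body and the flag values below are constructed stand-ins; the unwrap function also covers the case the post hit with flag 2, where several hex parts are joined before decoding.

```python
import base64
import binascii
import re
import string

FLAG_RE = re.compile(r"(flag\d)\{([^}]+)\}")
HEX_CHARS = set(string.hexdigits)
# Constructed stand-in for the key in the picture, wrapped as on the box: base64, then hex.
SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----"
SAMPLE_HEX = base64.b64encode(SAMPLE_PEM.encode()).hex()

def _as_text(data: bytes):
    """Return data as str when it is printable text, else None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(ch in string.printable for ch in text) else None

def unwrap(value: str, max_rounds: int = 8):
    """Peel hex and base64 layers until plain text, a PEM block or raw bytes remain.
    Hex is tested first: a hex string is also valid base64 alphabet, so the other
    order would mis-decode it. Returns (layers_removed, final_value)."""
    layers, current = [], value.strip()
    for _ in range(max_rounds):
        if not current or current.startswith("-----BEGIN"):
            break  # empty, or we reached a PEM key: stop here
        if len(current) % 2 == 0 and set(current) <= HEX_CHARS:
            raw, layer = bytes.fromhex(current), "hex"
        else:
            try:
                raw, layer = base64.b64decode(current, validate=True), "base64"
            except binascii.Error:
                break  # neither encoding: this is the payload
        layers.append(layer)
        text = _as_text(raw)
        if text is None:
            return layers, raw  # binary payload (an image, say): keep the bytes
        current = text
    return layers, current

def find_flags(text: str) -> dict:
    """Collect flagN{...} tokens; decode the body when it is base64 (flag4's is not)."""
    flags = {}
    for name, body in FLAG_RE.findall(text):
        try:
            flags[name] = _as_text(base64.b64decode(body, validate=True)) or body
        except binascii.Error:
            flags[name] = body
    return flags
```

For the three hex parts from ‘/login.php/’, `unwrap("".join(parts))` does the concatenation and decoding in one go.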

The only thing I haven’t tried is the ssh server on port 62964.

Wrong permission.

A passphrase. Time for some cracking.
Because I need a properly formatted password hash I use ‘ssh2john’ to extract the password hash from the private key.

Now to load the file into the John password cracker and use the well-known rockyou wordlist to hopefully crack the password.

And after a split second I got the password: usetheforce.
For this task I also could have used Phrasen|drescher instead. But John worked out just fine.

After some final trolling I get the 6th and final flag.

Conclusion

This was an awesome challenge which had a lot of tricks up its sleeve.
When I finally thought I was on the right track I hit a dead end. After a while it felt like a maze in which I needed to find my way.
A great job of building this challenge and many thanks to 3mrgnc3 and vulnhub.com.
Can’t wait for the next challenge.