Friday, April 12, 2019

DC-1: 1 Vulnhub CTF Walkthrough

1.  Well, here we go. An nmap scan for the IP address and then a full scan for the available ports.
2.  We have SSH, HTTP, and RPC protocols. Well, that means I should think about possible credentials for SSH authentication, web application exploits, or a possible NFS share that can be accessed. I started with the web application.
3.  Looks like a Drupal site.  Let’s look at the page source and see if we have anything interesting.
4.  So we have Drupal; let’s use a scanner called droopescan and see what we get.
5.  Looks like we have information on plugins, possible plugins and paths.  
6.  Ok, so a quick Google search for Drupal 7 exploits gave a lot of results. Enter Drupalgeddon2.

7.  With Metasploit ready to aim and shoot, the only thing left is to exploit.  
8.  Success.  Now, let’s start to enumerate and get all we can.  
9.  Looks like we have a user named flag4, and it has a flag4.txt. Time to take note of that.
10.  Ok, I hate this shell. Time to see if we can get a better one, hopefully with the Python trick. Again, I learned this watching the IppSec channel (https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA). If you are not watching it, you should be.
11.  With a better shell, we find another flag in the webroot directory. It is pointing us to look through the config files, which we should do anyway for settings and credentials. We see flag2 and MySQL credentials.
12.  I did more searching around and finally decided to use the MySQL credentials. Possibly flag4’s password is in the database.
13.  We see the drupaldb database. Time to look through the tables. We have credentials in the users table. Of course, I could not crack a single password for these:
admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg
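As an added example (not part of the walkthrough), here is the Drupal 7 “$S$” password scheme these two hashes use, reimplemented in Python from Drupal’s password.inc: it reads the salt and round count out of the admin hash quoted above and checks a candidate password the way Drupal’s login does, which is why a dumped users table does not hand over passwords directly. Only the admin hash comes from the page; any other salt or password fed to it is a test value.

```python
import hashlib
import hmac

# Drupal 7 "$S$" scheme behind the two users-table hashes above, following
# Drupal's includes/password.inc: salted SHA-512 iterated 2**N times,
# phpass-style base64, output truncated to 55 characters.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55
ADMIN_HASH = "$S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR"  # from the page


def parse_setting(stored):
    """Split the 12-char prefix into algorithm letter, log2 round count and salt."""
    if len(stored) < 12 or stored[0] != "$" or stored[2] != "$":
        raise ValueError("not a Drupal 7 phpass-style hash")
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:  # bounds Drupal enforces on the round count
        raise ValueError("round count outside Drupal's allowed range")
    return {"algo": stored[1], "count_log2": count_log2, "salt": stored[4:12]}


def _phpass_b64(data):
    """phpass base64: each 3-byte group is read little-endian and emitted as
    len(group)+1 six-bit characters, no padding (matches _password_base64_encode)."""
    out = []
    for i in range(0, len(data), 3):
        group = data[i:i + 3]
        value = int.from_bytes(group, "little")
        out.extend(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(group) + 1))
    return "".join(out)


def drupal7_hash(password, salt, count_log2=15):
    """Recreate _password_crypt('sha512') for a given 8-char salt and round count."""
    if len(password) > 512:  # Drupal refuses huge inputs so hashing cannot be a DoS
        raise ValueError("password too long")
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return ("$S$" + ITOA64[count_log2] + salt + _phpass_b64(digest))[:HASH_LENGTH]


def check_password(candidate, stored):
    """Login-style check: re-hash with the stored salt, compare in constant time."""
    s = parse_setting(stored)
    if s["algo"] != "S":
        return False
    return hmac.compare_digest(drupal7_hash(candidate, s["salt"], s["count_log2"]), stored)
```

The ‘D’ in the fourth position of both page hashes decodes to 2**15 = 32768 SHA-512 rounds, Drupal 7’s default cost.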

14.  Now, I went looking for any possible kernel escalation exploit for the Debian release and Linux kernel version. Nope. Time to look for “sticky” permissions.

15.  Now, the find command seemed weird to have on this list. I even had to double-check against the find executable on my own machine. Yup, that’s weird. We can run “find” as root.
16.  Looking good. I can see another flag too. Let’s Google what else we can do with the find command.
/usr/bin/find . -exec cat /root/thefinalflag.txt \;
17.  Well, I got the flag, but I am not sure I got all of them. Let’s start digging more. We have flag5, flag2, and flag1.
18.  Now, we have flag4. So where is flag3?  I went back into mysql and only found this:
I assume that it was in a Drupal page somewhere. Just because I was curious, I looked at the shadow file and tried to check for passwords. I found the password for flag4, which was orange. (THE END).

Wednesday, April 10, 2019

UnknownDevice64 v1.0 Vulnhub CTF Walkthrough

1.  An nmap scan for the IP address. Then, we do a full scan for ports.
2.  Looks like we have SSH and a Python SimpleHTTPServer serving the web content. I took a look at port 31337 using Firefox and Burp. It gives a page that is all black except wherever your mouse lands. I have to say the effects were very cool. Let’s look at the page source.
3.  There seems to be something to look at.  
<!-- key_is_h1dd3n.jpg -->
Let’s try to browse for it.
4.  After a little nostalgia for the movie Sneakers, I downloaded the JPEG. Maybe there is something in it. I can check with the usual commands (strings, file, exif, steghide, etc.).
5.  With steghide, I used “h1dd3n” as the passphrase, since the filename hinted that it was the key. It extracted a text file called h1dd3n.txt.
6.  Well, I recognize those strings from previous CTFs. Time to go to https://copy.sh/brainfuck
7.  Well, we have what seems to be a username and password. We did see the SSH service on port 1337. Let’s try to use: ud64:1M!#64@ud
8.  We have a login but… with a limited/restricted shell.   There’s an app trick for that:
https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells?slide=9
ssh ud64@192.168.126.133 -p 1337 -t "bash --noprofile"
9. Welp, we are in and we can run commands.  
10.  Let’s do some digging and find out about this server. Run the usual commands (id, uname, ls, etc.).
11.  After looking around for a couple of minutes, I thought to check what sudo allows.
12.  What the heck is that file?
13.  Oh, so this is just the strace command. Maybe it was just renamed. Anyway, I just kept playing with the command in order to get root or view root-level files.
14.  Looks like you can view the contents of /root. There is a flag.txt file there. Let’s see if we can view it.

15.  Well, I can view it, but I need to get root on this box. After searching for “strace sudo”, I came across this tidbit.
https://news.ycombinator.com/item?id=5277241
sudo /usr/bin/sysud64 -fe execve sudo -s

Monday, November 26, 2018

Matrix 1: Vulnhub CTF Walkthrough

https://www.vulnhub.com/entry/matrix-1,259/

1.   We do the usual scan for the IP address.  Then, we do the service scan.

2.   I ran a nikto scan while I was using Burp Suite to investigate the page presented on port 80.
3.   Also, I ran dirb for a directory scan to find anything weird in the folder structure. I found the assets folder, and it only had a few folders in it.

4.  Inside the IMG folder, there was an image that pointed me toward another port: “FOLLOW the WHITE RABBIT”.
5.  We see a different web page. Let’s check out the page source. Looks like there is a hash to decode.

6.  Once we decode the hash, we have a Matrix quote. I remember seeing that in the theater. Anyway, it looks like it is telling us there may be a file of some kind created with the “>” symbol.

7.  There is a file called Cypher.matrix there. Now, once you download it and try to read it, you find more encoded information. The only reason I knew where to go is that I have seen it before on previous CTFs.
8.  I went to https://copy.sh/brainfuck/ and decoded it.

9.  Well we have the message:
You can enter into matrix as guest, with password k1ll0rXX
Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password.

10.  Ok. So we have a clue to the password for guest. We just need to hit the correct combination of the last two characters. Enter crunch and hydra. You can use the man pages for the commands, but the short of it is that you give crunch the characters to start with and a set of characters to try, and it generates every combination of the remaining positions, writing them to a file. With that file, you can use hydra to test SSH for a successful login.
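As an added defender-side example (not part of the walkthrough), here is what that crunch-and-hydra run looks like from the target’s sshd log: the script parses constructed auth.log lines (host name, PIDs and addresses are made up) and raises one alert when a source racks up repeated failures inside a short window, and a louder one when an accepted login from that source arrives while the burst is still recent.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt modelled on the hydra run against "guest" above:
# a burst of failures from one source, then a success. Host, PIDs and addresses
# are made up for the example.
SAMPLE_AUTH_LOG = """\
Nov 26 10:15:01 matrix sshd[2011]: Failed password for guest from 192.168.56.101 port 40210 ssh2
Nov 26 10:15:01 matrix sshd[2013]: Failed password for guest from 192.168.56.101 port 40212 ssh2
Nov 26 10:15:02 matrix sshd[2015]: Failed password for guest from 192.168.56.101 port 40214 ssh2
Nov 26 10:15:02 matrix sshd[2017]: Failed password for invalid user admin from 192.168.56.101 port 40216 ssh2
Nov 26 10:15:03 matrix sshd[2019]: Accepted password for guest from 192.168.56.101 port 40218 ssh2
Nov 26 10:20:00 matrix sshd[2100]: Accepted publickey for trinity from 10.0.0.5 port 51000 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"\w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=3, window=60):
    """Return (kind, source, user, time) alerts: 'burst' once a source reaches
    `threshold` failures inside `window` seconds, and 'success_after_burst' when
    an accepted login from that source arrives while the burst is still recent."""
    failures = defaultdict(list)  # source address -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication outcome
        t = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        src, user = m["src"], m["user"]
        # Keep only failures that still fall inside the sliding window.
        recent = [f for f in failures[src] if (t - f).total_seconds() <= window]
        if m["outcome"] == "Failed":
            recent.append(t)
            if len(recent) == threshold:  # fire once, as the burst crosses the line
                alerts.append(("burst", src, user, m["ts"]))
        elif len(recent) >= threshold:
            alerts.append(("success_after_burst", src, user, m["ts"]))
        failures[src] = recent
    return alerts
```

Failures for unknown accounts from the same source count toward the burst, since a password-guessing tool rarely sticks to one user name.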
11.  We have a successful login but it looks like it is to a restricted shell.  We do not have access to a lot of the usual commands.
12.  I looked up whether there was a way around it. Have to love Google.
https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells?slide=9
13.  We are out of the restricted shell. Let’s run some commands. We should look at the version, folder structure, files, etc.

14.  We have found a few things. There is a weird Python executable. Also, I checked the “guest” bash history. It seems like the account was creating SSH keys to log in?

15.  I didn’t get anywhere trying to figure out what they were doing for SSH. I moved on to the Linux priv checker script to gather more info. It reminded me to check out “sudo -l” and see if there are any commands that guest can run.

16.  Looks like guest can run any command as root. Let’s give it a try. That worked, and there’s the flag.
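Both this box and UnknownDevice64 above fell to a single “sudo -l” entry: a renamed strace there, and ALL here. As an added example (not from either walkthrough), the script below parses sudo -l output and grades each rule the way a privilege review would; the sample output is constructed to mirror the two boxes, since neither post reproduces the real listing.

```python
import re
from posixpath import basename

# Constructed "sudo -l" output modelled on the two boxes above (the walkthroughs do
# not reproduce the real output; the listings for both users are concatenated here).
SAMPLE_SUDO_L = """\
Matching Defaults entries for ud64 on unknowndevice64:
    env_reset, mail_badpass
User ud64 may run the following commands on unknowndevice64:
    (ALL) NOPASSWD: /usr/bin/sysud64
User guest may run the following commands on matrix:
    (ALL) NOPASSWD: ALL
"""
# Programs that can launch other programs by themselves; find and strace are the two used above.
SHELL_ESCAPE = {"strace", "find", "vim", "less", "more", "awk", "perl", "python", "bash", "sh"}
USER_RE = re.compile(r"^User (\S+) may run the following commands on (\S+):")
ENTRY_RE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """One dict per command granted in sudo -l output; Defaults lines are skipped."""
    entries, user, host = [], None, None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user, host = m.groups()
            continue
        m = ENTRY_RE.match(line) if user else None
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(", "):
            entries.append({"user": user, "host": host, "runas": m["runas"],
                            "tags": tags, "cmd": cmd.strip()})
    return entries

def assess(entry):
    """Grade one rule: ALL, a known shell-escape binary, or a name to inspect by hand."""
    cmd = entry["cmd"]
    prog = basename(cmd.split()[0])
    nopw = " without a password" if "NOPASSWD" in entry["tags"] else ""
    if cmd == "ALL":
        return "critical", f"may run any command as {entry['runas']}{nopw}"
    if prog in SHELL_ESCAPE:
        return "high", f"{prog} can launch other programs, so this is a shell as {entry['runas']}{nopw}"
    return "review", f"{cmd} is not a recognised name; check what the file really is, renaming changes nothing"

def audit_sudo_l(text):
    return [(e["user"], *assess(e)) for e in parse_sudo_l(text)]
```

The “review” verdict is the point of the sysud64 case: a name-based list cannot see that the file is strace, so anything unrecognised has to be identified by its contents before the rule is accepted.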