Ok, port 80 is open with Apache httpd 2.4.18 running, so I open a browser to see what’s being served.
Hahaha, a Scottish Wullie from The Simpsons.
The source code of the page has some interesting comments:
I visit the URL http://192.168.56.139/gallery/ and find a series of images, each with a comment in the page source.
I find http://192.168.56.139/flicks/phpinfo.pht, but it gives me an internal server error when I open it.
I do some Google research and find out that there’s a particular backdoor technique that works through .pht files and abuses PHP’s “extract” function. I get the details from this URL, which explains the vulnerability: https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html
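As an added example (not code from the original write-up), here is a small heuristic scanner for the backdoor shape the Sucuri post describes: a request superglobal fed straight into extract(), which lets a client define arbitrary variables in the script, combined with a call through a variable function name, which executes whatever function the client named. The regexes, the risk rating and all PHP snippets below are my own constructions; a real audit would run it over the document root and review every hit by hand.

```python
"""Heuristic scanner for the extract()-on-request-data backdoor pattern.

Added example, not code from the original write-up. Flags PHP source that
passes a request superglobal into extract() (client-controlled variables)
and, separately, calls made through a variable function name ($name(...)).
Both together are the shape of the backdoor described in the Sucuri post.
All PHP snippets below are constructed.
"""
import re

REQUEST_SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)"

# extract($_GET), @extract($_REQUEST), extract($_POST, EXTR_SKIP) ...
EXTRACT_FROM_REQUEST = re.compile(r"@?\bextract\s*\(\s*" + REQUEST_SUPERGLOBAL, re.I)

# $f(...), @$f(...): a function call whose name comes from a variable.
# Deliberately does not match $obj->method(...) or $arr['k'](...).
DYNAMIC_CALL = re.compile(r"@?\$[A-Za-z_]\w*\s*\(")


def scan_source(src):
    """Return (line number, finding) pairs for one PHP file's contents."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        if EXTRACT_FROM_REQUEST.search(line):
            findings.append((lineno, "extract-from-request"))
        if DYNAMIC_CALL.search(line):
            findings.append((lineno, "dynamic-call"))
    return findings


def risk(src):
    """Rate a file: both findings together look like an executable backdoor."""
    kinds = {kind for _, kind in scan_source(src)}
    if "extract-from-request" in kinds and "dynamic-call" in kinds:
        return "high"
    if "extract-from-request" in kinds:
        return "medium"  # client-controlled variables, no obvious call sink
    return "none"


# Constructed samples: a backdoor-shaped file, a sloppy-but-not-backdoor file,
# and the hardened form that copies only whitelisted keys instead of extract().
BACKDOOR = """<?php
@extract($_REQUEST);
@die($f($x));
"""

SLOPPY = """<?php
extract($_GET, EXTR_SKIP);
include "templates/$tpl.php";
"""

HARDENED = """<?php
$defaults = ['page' => 'index', 'lang' => 'en'];
$params = array_intersect_key($_GET, $defaults) + $defaults;
echo htmlspecialchars($params['page']);
"""

if __name__ == "__main__":
    for name, src in [("backdoor", BACKDOOR), ("sloppy", SLOPPY), ("hardened", HARDENED)]:
        print(f"{name:9} risk={risk(src):6} findings={scan_source(src)}")
```

The hardened snippet shows the fix on the application side: copy only the keys you expect out of the request array instead of letting extract() populate the scope, so a request cannot introduce variables the script never declared.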
So I manage to get a reverse shell using the following URLs:
Check that the vulnerability works
I get “www-data”, so it works. Time to get a reverse shell.
Download Netcat, put it in “/tmp/” and make it executable
Execute a reverse shell
Once I have a reverse shell, I look for a way to make it a stable one. Python is installed, so I spawn a shell through it:
Now that I have a shell, I go to /home and see that I can access the “jkerr” directory, where there’s a file called “login.txt” with a hint about a password:
I thought the password would be hidden inside the image, but it turns out it was the file’s name, which I also confirmed with a password list generated from a wordlist retrieved from the web application. The password for jkerr was “breakfastclub”, as also mentioned in a comment on the web application.
Once logged in as jkerr, I download the images and see that the file “promisedyouamiracle.jpg” carries some information in its “Copyright” field, which I retrieve using “exiftool”:
The string “Z2VtaW5pCg==” is the base64 encoding of “gemini” (plus a trailing newline). This is the password for the user “proclaimers”.
I log in as proclaimers, go into the folder “/home/proclaimers” and list the files:
That “semaphore” file is a copy of the “dash” shell, and it has the SUID bit set. At this point I suspect there must be a cron job, so I search for something that might use “semaphore”:
Ok, this means that a cron job will add the SUID bit to semaphore if the file exists. I can replace the file with one of my own that runs bash as root:
After a minute, I see that the new script has the SUID bit set, so I run it and I’m root:
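The escalation above works because a root cron job sets the SUID bit on a file that an unprivileged user can replace. As an added example (not code from the original write-up), the script below audits crontab text for exactly that misconfiguration: chmod invocations that add setuid, whether symbolic (u+s) or numeric (4xxx/6xxx), on a path under a directory ordinary users can write to. The crontab lines, the list of writable prefixes and the severity labels are my own constructions; the real cron entry on the VM is not shown in the write-up, so the sample line is only modelled on it.

```python
"""Audit crontab entries that set the SUID bit on files under user-writable paths.

Added example, not part of the original write-up. Parses /etc/crontab-style
text (five time fields, user, command) or user crontabs (no user field),
finds chmod calls that add setuid, and flags targets under directories an
unprivileged user can write to. Sample crontab below is constructed.
"""
import re

# Directories where an unprivileged user can normally create or replace files.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# chmod [flags] <mode> <path>, where <mode> adds setuid:
#   symbolic: u+s, +s, ug+s, u+rws ...   numeric: 4755, 6755, 04755 ...
# Plain 755 / 2755 (setgid only) / 1777 (sticky only) do not match.
CHMOD_SETUID = re.compile(
    r"\bchmod\s+(?:-\S+\s+)*"
    r"(?:[ugoa]*\+[rwxXt]*s[rwxXst]*|[0-7]?[4-7][0-7]{3})\s+"
    r"(?P<path>\S+)"
)


def parse_crontab(text, system=True):
    """Yield (user, command) for each active entry.

    system=True is the /etc/crontab and /etc/cron.d format, which carries a
    user field after the time fields; user crontabs (system=False) do not.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        n_time = 1 if line.startswith("@") else 5  # @reboot/@hourly vs m h dom mon dow
        parts = line.split(None, n_time + (1 if system else 0))
        if len(parts) < n_time + (2 if system else 1):
            continue  # malformed entry, nothing to audit
        user = parts[n_time] if system else None
        yield user, parts[-1]


def audit_crontab(text, system=True):
    """Return findings for setuid-granting chmods on user-writable paths."""
    findings = []
    for user, command in parse_crontab(text, system):
        for match in CHMOD_SETUID.finditer(command):
            path = match.group("path")
            if path.startswith(USER_WRITABLE_PREFIXES):
                findings.append({
                    "user": user,
                    "path": path,
                    "command": command,
                    # root setting SUID on a replaceable file hands out a root shell
                    "severity": "critical" if user == "root" else "high",
                })
    return findings


# Constructed sample, modelled on the write-up; not the VM's actual crontab.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    [ -f /home/proclaimers/semaphore ] && chmod 4755 /home/proclaimers/semaphore
@reboot         root    chmod u+s /usr/local/bin/helper
"""

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{finding['severity']}] user={finding['user']} path={finding['path']}")
        print(f"    {finding['command']}")
```

Only the semaphore line is reported: the chmod on /usr/local/bin/helper targets a root-owned location, so a user cannot swap the file underneath it. The fix on the system side is the same observation in reverse: never let a privileged job set setuid on anything that lives where its users can write.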
Got root, now it’s time for a flag.
Well, typical of Knightmare. It’s not over. There’s a folder called “re-record-not-fade-away”. I go in and, a few folders down, I find a zip file:
I download the zip file, which is password-protected. The password is “teuchter”.
Once unzipped, there’s a vmdk file called TeuchterESX.vmdk.
I attach it to my Kali machine, restart the machine, and mount it with vmfs-fuse. I find an ISO within this folder, so I mount it too:
This image is just a picture of Irn-Bru (glass cheque). There’s nothing else in this folder, so I suppose there’s something hidden in the image that I could retrieve using “steghide”.
I read the hint in the Teuchter vmdk that I mounted through vmfs-fuse, and this is what I find:
I go back to the web application, and in the /telly page source there’s a hint about the second video:
At this point I watch the video again, and at the end it says “Made in Scotland from girders”. I look up the advertisements’ titles on the Wikipedia page, and the one for the video I’ve watched is indeed “Made in Scotland from girders”. This title, without spaces, is exactly 25 characters, so I try “steghide” with the passphrase “madeinscotlandfromgirders”, and I get the flag:
Thank you to Knightmare for the VM and Vulnhub for hosting it.
For any question or comment, please do not hesitate to leave a comment.