Acid Server 1 – Solution Walk-through

Mukarram Khalid • August 19, 2015

ctf vulnhub

I love to solve CTF challenges. Even though most of the time these challenges are far from actual real-world scenarios, I still really enjoy them. They are like games and scavenger hunts where, at the end, you get to see a (very cool) flag.

You can find the challenge here. It's a vulnerable VM. You can set it up using VMware Player or VMware Workstation.

For this VM, I'm going to assume that we don't have any physical access to the target machine. We have to get root privileges remotely.

I used the following DHCP settings on my VMware virtual network.

DHCP

So,

Target Machine : 192.168.91.128

Local Machine : 192.168.91.129

First things first, I entered the target in the browser to see if it was running any web application. To my disappointment, it wasn't running any web app on the default HTTP port 80.

I ran an nmap scan against the target to see if there are other services running on any other port.

nmap

And I saw there was an Apache service running on port 33447. I entered the URL http://192.168.91.128:33447 in the browser to quickly verify this and it worked.

Apache

There was nothing on the page, just a fancy background and a welcome note. So the next step was very obvious: I checked the source of the page, which led us to our very first clue.

First Clue

The string was encoded. I decoded the string from hex to ASCII, and a Base64 decode resulted in wow.jpg, which was our second clue.

Second Clue

The next clue was hidden in this image. There are many ways to do steganalysis of an image, but I preferred the old manual way. I simply opened the image in a text editor and looked for ASCII characters (Cool eh !!).

Third Clue

Again, another encoded string, which when decoded gave an MD5 hash, 7aee0f6d588ed9905ee37f16a7c610d4, which can be easily brute-forced to the actual string 63425.

I tried lots of stuff with this 63425, but I couldn't find any use for it. (This was actually used later in the challenge.)

After some struggle, I ran a quick recursive DirBuster scan against the target, which happened to be very useful.

DirBuster

The DirBuster scan found a directory, Challenge, and some files in it: index.php, include.php, cake.php, etc. index.php had a login form. I tried some basic authentication bypass tricks, which didn't work. Next, I checked the file include.php, which had a file inclusion vulnerability. I tried to escalate this LFI to RCE, but it didn't work.

File Include

Plus, the source of this file had our next clue: another encoded string, 0x5933566a4c6e4a34626e413d. I decoded the string by Hex to ASCII -> Base64 Decode -> ROT13 -> Reverse String, and the final string was cake.php. cake.php was not directly accessible, so I used the file inclusion vulnerability to read the source.

File Include
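The decoding chain described above, together with the earlier manual search for ASCII characters inside the image, as an added example that is not part of the original post. The names `decode_chain` and `printable_runs` are hypothetical, and the binary sample is constructed; only the encoded string and the layer order come from the page.

```python
import base64
import codecs
import re

# Each layer is a reversible encoding, not encryption: no key is needed to undo it.
LAYERS = {
    "hex": lambda s: bytes.fromhex(s[2:] if s.lower().startswith("0x") else s).decode("ascii"),
    "base64": lambda s: base64.b64decode(s, validate=True).decode("ascii"),
    "rot13": lambda s: codecs.decode(s, "rot_13"),
    "reverse": lambda s: s[::-1],
}


def decode_chain(value, steps):
    """Apply the named layers in order and return every intermediate value."""
    trail = [value]
    for step in steps:
        try:
            value = LAYERS[step](value)
        except (ValueError, UnicodeDecodeError) as exc:
            # A failing layer usually means the assumed order of layers is wrong.
            raise ValueError(f"layer {step!r} failed on {value!r}: {exc}") from exc
        trail.append(value)
    return trail


def printable_runs(blob, min_len=8):
    """Return runs of printable ASCII found in binary data, like the strings utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


if __name__ == "__main__":
    # Encoded string quoted on the page, with the layer order the page gives.
    encoded = "0x5933566a4c6e4a34626e413d"
    for stage in decode_chain(encoded, ["hex", "base64", "rot13", "reverse"]):
        print(stage)

    # Constructed sample: binary bytes followed by ASCII text, standing in
    # for an image file that carries readable text after the image data.
    sample = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(range(16))
              + b"\xff\xd9" + b"appended-ascii-text")
    print(printable_runs(sample))
```

Every intermediate value is recoverable without a secret, which is why clues or file names hidden this way give no protection once the page source or the file is readable.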

Some hints led me to another directory, Magic_Box/tails.php, which asked for a secret key.

tails.php

The secret key was 63425 (from wow.jpg), and the next page was a web app to ping any host, which led to a command execution vulnerability.

Command Execution

wget didn't work, so I used PHP (command line) to spawn a shell. My final payload was:

http://192.168.91.128:33447/Challenge/Magic_Box/command.php

POST:
IP=;echo '<pre>';

php -r 'file_put_contents("/var/www/html/Challenge/mk.php",base64_decode("PAYLOAD_HERE"));';

echo '</pre>'&submit=submit

And Voila ..

Web Shell

Successfully opened a back connect session using netcat.

Reverse Connection

I tried some public exploits to root this box, like CVE-2015-1328, CVE-2015-1325 and CVE-2015-3643, but none of them worked.

I looked around and saw some hints in different files.

Fourth Clue

So apparently, I had to find the culprit :S and this hint.pcapng file was our next clue. PcapNG is short for 'PCAP Next Generation Dump File Format', and it's basically a packet capture dump file which can be analysed using Wireshark. So I fired up Wireshark and saw this session between 192.168.0.44 and 192.168.0.46, which led us to our final clues. You can see the data exchanged between these two IPs.

Fifth Clue

What was the name of the culprit??

Sixth Clue

saman, and nowadays he's known by the alias of 1337hax0r.

And here's the fun part. 'saman' was actually a user on this machine, and later I came to know that he was in the sudoers list (No kidding :D) and his password was 1337hax0r (buhahahaha).

The rest was simple. Take a look.

Root

Flag

Pwned and 0wned .. (That's how cool kids say it these days :S)

Thanks for reading.