Acid Server 1 – Solution Walk-through
Mukarram Khalid • August 19, 2015 • Tags: ctf, vulnhub
I love solving CTF challenges. Even though most of the time these challenges are far from real-world scenarios, I still really enjoy them. They are like games and scavenger hunts where, at the end, you get to see a (very cool) flag.
You can find the challenge here. It's a vulnerable VM; you can set it up with VMware Player or VMware Workstation.
For this VM, I'm going to assume that we don't have any physical access to the target machine: we have to get root privileges remotely.
I used the following DHCP settings on my VMware virtual network.
Target machine:
Local machine:
First things first, I entered the target's address in the browser to see if it was running a web application. To my disappointment, it wasn't running any web app on the default HTTP port.
I ran an nmap scan against the target to see whether other services were listening on other ports, and saw an Apache service running on port 33447. I entered the URL http://192.168.91.128:33447 in the browser to quickly verify this, and it worked.
There was nothing on the page except a fancy background and a welcome note, so the next step was obvious: I checked the page source, which led us to our very first clue.
The string was encoded. Decoding it from hex to ASCII and then Base64-decoding the result gave wow.jpg, which was our second clue.
The next clue was hidden in this image. There are many ways to do steganalysis on an image, but I preferred the old manual way: I simply opened the image in a text editor and looked for readable ASCII strings (cool, eh!).
Again, another encoded string, which when decoded gave an MD5 hash, 7aee0f6d588ed9905ee37f16a7c610d4, which can easily be brute-forced to recover the actual string
I tried lots of stuff with this 63425, but I couldn't find any use for it. (It was actually used later in the challenge.)
After some struggle, I ran a quick recursive DirBuster scan against the target, which turned out to be very useful. The scan found a directory, Challenge, and some other files in it.
Index.php had a login form. I tried some basic authentication bypass tricks, which didn't work. Next I checked the file include.php, which had a file inclusion vulnerability. I tried to escalate this LFI to RCE, but it didn't work.
Plus, the source of this file had our next clue, another encoded string: 0x5933566a4c6e4a34626e413d. I decoded it by hex to ASCII -> Base64 decode -> ROT13 -> reverse string, and the final string was cake.php. cake.php was not directly accessible, so I used the file inclusion vulnerability to read its source.
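The decoding chain above, as an added example in Python (not code from the original post). CLUE is the hex literal quoted in the post; the step labels are my own, and each intermediate value is returned so the chain can be checked layer by layer:

```python
import base64
import codecs
from typing import List, Tuple

# The clue quoted in the post: a hex literal that unwraps as
# hex -> ASCII -> Base64 -> ROT13 -> reverse.
CLUE = "0x5933566a4c6e4a34626e413d"


def decode_clue(hex_literal: str) -> List[Tuple[str, str]]:
    """Peel the layers off an obfuscated clue, returning (step, value) pairs."""
    steps: List[Tuple[str, str]] = []
    # Strip an optional 0x prefix before interpreting the hex digits.
    raw = hex_literal[2:] if hex_literal.lower().startswith("0x") else hex_literal
    ascii_text = bytes.fromhex(raw).decode("ascii")
    steps.append(("hex -> ascii", ascii_text))
    # validate=True rejects anything that is not clean Base64, so a wrong
    # layer order fails loudly instead of producing garbage.
    b64_text = base64.b64decode(ascii_text, validate=True).decode("ascii")
    steps.append(("base64 decode", b64_text))
    # ROT13 is its own inverse; non-letters such as '.' pass through unchanged.
    rot = codecs.decode(b64_text, "rot_13")
    steps.append(("rot13", rot))
    steps.append(("reverse", rot[::-1]))
    return steps


if __name__ == "__main__":
    for step, value in decode_clue(CLUE):
        print(f"{step:15s} {value}")
```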
Some hints led me to another location, Magic_Box/tails.php, which asked for a secret key.
The secret key was the string hidden in wow.jpg, and the next page was a web app to ping any host, which led to a command execution vulnerability.
wget didn't work, so I used the PHP command-line interpreter to spawn a shell. My final payload was:
http://192.168.91.128:33447/Challenge/Magic_Box/command.php POST: IP=;echo '<pre>'; php -r 'file_put_contents("/var/www/html/Challenge/mk.php",base64_decode("PAYLOAD_HERE"));'; echo '</pre>'&submit=submit
And voilà! I successfully opened a back-connect session using netcat.
I tried some public exploits to root this box (CVE-2015-1328, CVE-2015-1325 and CVE-2015-3643), but none of them worked.
I looked around and saw some hints in different files.
So apparently I had to find the culprit :S, and this hint.pcapng file was our next clue. PcapNG is short for 'PCAP Next Generation Dump File Format'; it's a packet capture dump file that can be analysed with Wireshark. So I fired up Wireshark and saw a session involving 192.168.0.46, which led us to our final clues. You can see the data exchanged between these two IPs.
What was the name of the culprit? saman, who nowadays goes by the alias 1337hax0r.
And here's the fun part: 'saman' was actually a user on this machine, and later I came to know that he was in the sudoers list (no kidding :D) and his password was
The rest was simple. Take a look.
Pwned and 0wned .. (that's how the cool kids say it these days :S)
Thanks for reading.