Acid Server 1 – Solution Walk-through

I love to solve CTF challenges. Even though these challenges are, most of the time, far from real-world scenarios, I still really enjoy 'em. They are like games and scavenger hunts where, at the end, you get to see a (very cool) flag.

You can find the Challenge here. It’s a vulnerable VM. You can set it up using VMplayer or VMWare Workstation.

For this VM, I'm going to assume that we don't have any physical access to the target machine. We have to get root privileges remotely.

I used the following DHCP settings on my VMware virtual network.

[screenshot: dhcp settings]

So,

Target Machine : 192.168.91.128

Local Machine : 192.168.91.129

First things first, I entered the target in the browser to see if it was running any web application. To my disappointment, it wasn't running any web app on the default HTTP port 80.

I ran an nmap scan against the target to see if there were other services running on any other port.

[screenshot: nmap scan]

And I saw there was an Apache service running on port 33447. I entered the URL http://192.168.91.128:33447 in the browser to quickly verify this and it worked.

[screenshot: Apache welcome page]

There was nothing on the page, just a fancy background and a welcome note. So the next step was very obvious: I checked the source of the page, which led us to our very first clue.

[screenshot: clue1, encoded string in page source]

The string was encoded. Decoding it from hex to ASCII and then Base64-decoding the result gave wow.jpg, which was our second clue.

[screenshot: clue2, wow.jpg]

The next clue was hidden in this image. There are many ways to do steganalysis of an image, but I preferred the old manual way: I simply opened the image in a text editor and looked for ASCII characters (cool, eh!!).

[screenshot: clue3, encoded string inside wow.jpg]

Again, another encoded string, which when decoded gave the MD5 hash 7aee0f6d588ed9905ee37f16a7c610d4. This hash can easily be brute-forced to the original string 63425.

I tried lots of stuff with this '63425' but couldn't find any use for it. (It was actually used later in the challenge.)

After some struggle, I ran a quick dirbuster scan (recursive) against the target, which happened to be very useful.

[screenshot: dirbuster results]

The dirbuster scan found a directory Challenge and some files in it: 'index.php', 'include.php', 'cake.php', etc. index.php had a login form. I tried some basic authentication bypass tricks, which didn't work. Next I checked the file 'include.php', which had a file inclusion vulnerability. I tried to escalate this LFI to RCE, but it didn't work.

[screenshot: include.php]

Plus, the source of this file had our next clue: another encoded string, 0x5933566a4c6e4a34626e413d. I decoded the string by Hex to ASCII -> Base64 Decode -> ROT13 -> Reverse String, and the final string was 'cake.php'. 'cake.php' was not directly accessible, so I used the file inclusion vulnerability to read its source.
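The two decoding chains above (hex -> Base64 for the wow.jpg clue, and hex -> Base64 -> ROT13 -> reverse for the cake.php clue) as an added Python example; this is not code from the original post. The cake.php hex string is the one quoted above, while the wow.jpg input is a constructed encoding of "wow.jpg", since the post only shows that clue as a screenshot.

```python
import base64
import codecs

# Clue strings. CLUE_CAKE is quoted in the post; CLUE_WOW is constructed here
# as hex(base64("wow.jpg")) because the post shows that clue only in an image.
CLUE_WOW = "643239334c6d70775a773d3d"
CLUE_CAKE = "0x5933566a4c6e4a34626e413d"


def decode_layers(blob: str, layers):
    """Peel an obfuscated string one named layer at a time.

    Supported layers: "hex", "base64", "rot13", "reverse". A leading 0x on
    hex input (as in the include.php clue) is stripped before decoding.
    Raises ValueError/binascii.Error on malformed input, so a wrong guess
    about the layer order fails loudly instead of producing garbage.
    """
    steps = {
        "hex": lambda s: bytes.fromhex(
            s[2:] if s.lower().startswith("0x") else s
        ).decode("ascii"),
        "base64": lambda s: base64.b64decode(s, validate=True).decode("ascii"),
        "rot13": lambda s: codecs.decode(s, "rot_13"),
        "reverse": lambda s: s[::-1],
    }
    out = blob
    for name in layers:
        out = steps[name](out)
    return out


def decode_wow_clue():
    # Hex -> ASCII, then Base64 decode
    return decode_layers(CLUE_WOW, ["hex", "base64"])  # wow.jpg


def decode_cake_clue():
    # Hex -> ASCII -> Base64 decode -> ROT13 -> reverse string
    return decode_layers(CLUE_CAKE, ["hex", "base64", "rot13", "reverse"])  # cake.php


if __name__ == "__main__":
    print(decode_wow_clue())
    print(decode_cake_clue())
```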

[screenshot: cake.php source read via the file inclusion]

Some hints led me to another directory, Magic_Box/tails.php, which asked for a secret key.

[screenshot: tails.php secret key prompt]

The secret key was '63425' (from wow.jpg), and the next page was a web app to ping any host, which led to a command execution vulnerability.

[screenshot: command execution via the ping form]

'wget' didn't work, so I used php (command line) to spawn a shell. My final payload was:

http://192.168.91.128:33447/Challenge/Magic_Box/command.php

POST:
IP=;echo '<pre>';

php -r 'file_put_contents("/var/www/html/Challenge/mk.php",base64_decode("PAYLOAD_HERE"));';

echo '</pre>'&submit=submit

And voila ..

[screenshot: web shell]

Successfully opened a back connect session using netcat.

[screenshot: netcat back-connect session]

I tried some public exploits to root this box, like CVE-2015-1328, CVE-2015-1325 and CVE-2015-3643, but none of 'em worked.

I looked around and saw some hints in different files.

[screenshot: clue4, hints in files on the box]

So apparently I had to find the culprit :S, and this hint.pcapng file was our next clue. PcapNG is short for 'PCAP Next Generation Dump File Format'; it's basically a packet capture dump file which can be analysed using Wireshark. So I fired up Wireshark and saw this session between 192.168.0.44 and 192.168.0.46, which led us to our final clues. You can see the data exchanged between these two IPs.

[screenshot: clue5, Wireshark session between 192.168.0.44 and 192.168.0.46]

What was the name of the culprit??

[screenshot: clue6, name of the culprit]

saman, and nowadays he's known by the alias 1337hax0r.

And here's the fun part: 'saman' was actually a user on this machine, and later I came to know that he was in the sudoers list (no kidding :D) and his password was '1337hax0r' (buhahahaha).

The rest was simple. Take a look.

[screenshot: root shell]

[screenshot: flag]

Pwned and 0wned .. (That’s how cool kids say it these days :S)

Thanks for reading.

MakMan