Acid Server 1 – Solution Walk-through
Mukarram Khalid • August 19, 2015
ctf vulnhubI love to solve CTF challenges. Even though, most of the time these challenges are far from the actual real world scenarios but still I really enjoy them. These are like Games & Scavenger Hunts where at the end, You get to see a (very cool) Flag ..
You can find the Challenge here. It's a vulnerable VM. You can set it up using VMplayer or VMWare Workstation.
For this VM, I'm going to assume that we don't have any physical access to the target machine. We have to Get Root privileges remotely.
I used the following DHCP settings on my VMware virtual network.
So,
Target Machine : 192.168.91.128
Local Machine : 192.168.91.129
First thing first, I entered the target in the browser to see if it's running any web application. To my disappointment, it wasn't running any web App on the default HTTP port 80
.
I ran an nmap scan against the target to see if there are other services running on any other port.
And I saw there was an Apache service running on port 33447
. I entered the URL http://192.168.91.128:33447
in the browser to quickly verify this and it worked.
There was nothing on the page just a fancy background and a welcome note. So, the next step was very obvious. I checked the source of the page. Which lead us to our very first clue.
The string was encoded. I decoded the string HEX to ASCII and Base64 decode resulted in wow.jpg
which was our second clue.
Next clue was hidden in this image. There are many ways to do steganalysis of an image but I preferred the old manual way. I simply opened the image in a text editor and looked for ASCII characters (Cool eh !!).
Again another encoded string. which when decoded gave an MD5 hash 7aee0f6d588ed9905ee37f16a7c610d4
which can be easily bruteforced to the actual string 63425
.
I tried lots of stuff with this 63425
. But I couldn't find it of any use. (This was actually used later in the challenge.)
After some struggle, I ran a quick dirbuster scan (recursive) against the target. Which happened to be very useful.
Dirbuster scan found a directory Challenge and some other files in it index.php
, include.php
, cake.php
etc. Index.php
had a login form. I tried some basic authentication bypass tricks which didn't work. Next I checked the file include.php
which had a file inclusion vulnerability. I tried to escalate this LFI to RCE but it didn't work.
Plus, the source of this file had our next clue. Another encoded string 0x5933566a4c6e4a34626e413d
. I decoded the string by Hex to ASCII -> Base64 Decode -> ROT13 -> Reverse String and the final string was cake.php
. cake.php
was not directly accessible so I used file inclusion vulnerability to read the source.
Some hints lead me to another directory Magic_Box/tails.php
which asked for a secret key.
The secret key was 63425
(from wow.jpg
) and the next page was a Web App to ping any host which lead to command execution vulnerability.
wget
didn't work so I used PHP (command line) to spawn a shell. My final payload was:
http://192.168.91.128:33447/Challenge/Magic_Box/command.php
POST:
IP=;echo '<pre>';
php -r 'file_put_contents("/var/www/html/Challenge/mk.php",base64_decode("PAYLOAD_HERE"));';
echo '</pre>'&submit=submit
And Voila ..
Successfully opened a back connect session using netcat.
I tried some public exploits to root this box like CVE: 2015-1328, 2015-1325 and 2015-3643. But none of them worked.
I looked around and saw some hints in different files.
So apparently, I had to find the culprit :S and this hint.pcapng
file was our next clue. PcapNG is short for 'PCAP Next Generation Dump File Format' and it's basically a packet capture dump file which can be analysed using WireShark. So I fired up my WireShark and saw this session between 192.168.0.44
and 192.168.0.46
which leads us to our final clues. You can see the data exchanged between these two IPs.
What was the name of the culprit??
saman and now a days he's known by the alias of 1337hax0r.
And here's the fun part. 'saman' was actually a user on this machine and later I came to know that he was in Sudoers list (No kidding :D) and his password was 1337hax0r
(buhahahaha).
Rest was simple. Take a look.
Pwned and 0wned .. (That's how cool kids say it these days :S)
Thanks for reading.