Thursday, December 22, 2016

Vulnhub Walkthrough: 64Base 1.0.1



Capture all 6 flags in flag{base64encoded} format

Initial nmap shows an unidentified (non-SSH) service on port 22, a web server on port 80, another unidentified service on port 4899, and SSH on port 62964

Browsing to the site shows a base64 clue right off the bat.

Decoding the message says to look at the source (which was going to be the next step anyway :)

Looking at the source reveals a long alpha-numeric string

Sending the string to Burp Suite Decoder, decoding first as ASCII hex and then as base64, reveals flag1


Decoding the flag shows a username and password of 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4

With nowhere else to go I fall back to dirb, but there are sooo many listings

*snippet of dirb

I remember that the initial nmap revealed a robots.txt file, and it's loooong

*snippet of robots.txt

I go back to Burp and spider the site, then filter the site map for 4xx responses and find admin

The admin page reveals a login, but the credentials from flag1 do not work

With nothing left to go on, I try the two unknown ports...

port 22 doesn't respond to ssh, and nc gives output but no way in

port 4899 also gives output, but again no way in

Out of options, I go back to the website and find an interesting portion of the post page

With all those folders in the robots.txt I figure there has to be something else. Looking at the post page, I notice that below the wanted image there is a stanza: "Only respond if you are a real Imperial-Class BountyHunter"

Looking through the site map, I notice Imperial-class doesn't get any response, just like all the other fake directories

Browsing to the directory gives a 404...however

If we look at the stanza, Class is spelled with a capital C...and changing it in the path reveals a page

Looking at the source, it seems we have to add BountyHunter to the path

And now another login

Looking at the source reveals nothing, except that we have to POST to login.php

Browsing to the login.php page changes the path, adding index.php. Looking at that source reveals three more alphanumeric strings. It seems there are both an index.html and an index.php

The strings do nothing on their own, but concatenating them and running the result through Burp Decoder reveals flag2


The decoded flag gives no hints, just a video of Darth Vader burping...enjoy

At a dead end again, I go back to Burp to see if I can log in to BountyHunter. Looking at the request, it seems we're already passing basic authentication. Hmmm?

I guess there was a hint after all...burp

Sending it to Burp Repeater, it becomes apparent that we're not sending a POST to login.php, but rather a GET to index.php. Simply changing the file is enough, and we have flag3


Decoding the flag reveals our 53cr3t5h377 path

Browsing to the path reveals what looks like a shell

Remembering the instructions on the post page, we need to use system() and not exec(). This change reveals flag4


Decoding the flag reveals more credentials...

...which work neither on the admin page nor for ssh on port 62964

So now begins trial and error, as I find I'm very limited in what can be done with this shell...

nc reveals grumpy cat

ls with options works

From what I can tell the following commands work
ls (with options)
ls .. < only up one directory
nc < brings up grumpy cat
ps (with options)
locate < revealed using --help
base64 < revealed using --help
xxd < revealed using --help

I'm also able to cat files that are listed by ls

After much more keyboard bashing, locate, find and xargs are my saviors, revealing flag5. I was able to browse the entire file system, but ended up finding the flag in the admin folder that I've been trying to get to since the beginning

Decoding the flag says to look inside

Using a combination of the commands, I tried the obvious ways to read the file...with no luck

less response

more response

With no way to read the file, I remember we're able to read files in the BountyHunter directory and that xargs lets us copy files. Running locate admin | xargs find | grep flag | xargs cp -t . copies the flag file to the BountyHunter directory

And of course we're not able to view it...

Looking at the permissions, the mode is only 004 (read for others only)

Many tries, my friends, many tries, and I get the permissions changed. I needed to use all the commands used originally. Final string: locate BountyHunter | xargs find | grep flag | xargs chmod 777

The file turns out to be an image

Downloading the image and "looking inside" with exiftool reveals another long alphanumeric string
*snippet of exiftool output

Throwing the long string at Burp Decoder, decoding first as ASCII hex and then as base64, reveals a private key. To get it into a file, I ran the string through the command line: echo longstring | xxd -r -p | base64 -d > priv.key

Now with a private key, I fix its permissions and attempt ssh to the host using the key. Prompted for a passphrase, I try 'usetheforce' and it works! revealing flag6
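Both flag1 and the private key above were wrapped the same way: base64 first, then the base64 text hex-encoded, so Burp's "ASCII hex, then base64" undoes them in that order. The following is an added example, not code from the original post, that generalizes the two-step decode into a layer-peeler: it strips hex and base64 layers one at a time until the data stops looking like an encoding, and returns raw bytes when the innermost layer is binary (a key or image) rather than text. The sample string it decodes is constructed here from a placeholder flag; it is not one of the challenge's strings.

```python
import base64
import binascii
import re
import string
from typing import List, Tuple

# Constructed sample, not the real challenge string: a placeholder flag is
# base64-encoded and then hex-encoded, which is the same two-layer wrapping the
# walkthrough undoes in Burp Decoder (ASCII hex first, then base64).
PLACEHOLDER_FLAG = b"flag{ZXhhbXBsZQ==}"  # placeholder value, not a real flag


def wrap(payload: bytes) -> str:
    """Apply the challenge's layers: base64, then hex of the base64 text."""
    b64_text = base64.b64encode(payload)
    return binascii.hexlify(b64_text).decode("ascii")


SAMPLE = wrap(PLACEHOLDER_FLAG)

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def is_printable(data: bytes) -> bool:
    return all(chr(b) in string.printable for b in data)


def peel(blob: str, max_layers: int = 8) -> Tuple[bytes, List[str]]:
    """Strip hex and base64 layers one at a time until the data no longer looks
    like an encoding (a flag{...} string, or binary such as a key or image).

    Returns the final bytes and the names of the layers removed, outermost first.
    Hex is tested before base64 because every hex string is also valid base64
    text; a short base64 string consisting only of hex digits would be misread.
    """
    layers: List[str] = []
    current = blob.strip()
    for _ in range(max_layers):
        if HEX_RE.match(current) and len(current) % 2 == 0:
            decoded = bytes.fromhex(current)
            name = "hex"
        elif B64_RE.match(current) and len(current) % 4 == 0:
            try:
                decoded = base64.b64decode(current, validate=True)
            except binascii.Error:
                break
            name = "base64"
        else:
            break
        layers.append(name)
        if not is_printable(decoded):
            # Binary result (e.g. the private key or image): stop here and hand
            # the bytes back for the caller to write to a file.
            return decoded, layers
        current = decoded.decode("ascii")
    return current.encode("utf-8"), layers


if __name__ == "__main__":
    data, layers = peel(SAMPLE)
    print(layers, data)
```

When the innermost layer is binary, write the returned bytes straight to a file (the equivalent of the xxd -r -p | base64 -d > priv.key pipeline above) rather than printing them.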


Challenge not over...

Decoding the flag, first through Burp and then through the command line for a better screenshot, reveals one last clue

Running the revealed command shows the ending credits

*snippet of ending credits

Sunday, December 18, 2016

Vulnhub Walkthrough: DC416 Dick Dastardly


Capture all 4 flags in flag{} format

Initial nmap reveals ssh on 22, a web server on 80 and IRC on 6667

Running dirb against the site shows two separate index pages, index.html and index.php

index.html is the default DC416 rules

index.php shows a guestbook and login area

While setting up the site to run through Burp Suite for a SQLi attack, flag 1 is revealed


With no known credentials, I set up Burp to run a SQLi attack

After a short while, a payload of ' or 0=0 # succeeds and shows admin logged into the site

Using the SQLi payload on index.php, the admin.php page is revealed
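Why ' or 0=0 # logs you in as admin: the login builds its query by pasting the submitted username into the SQL text, so the quote closes the string literal, "or 0=0" makes the WHERE clause true for every row, and the comment marker discards the password check. The block below is an added example, not the VM's code: an in-memory sqlite3 table stands in for the guestbook's user table (table, column names and passwords are constructed), the string-built login is shown beside a parameterized one, and because sqlite3 does not accept MySQL's # comment the executed variant of the payload uses -- instead.

```python
import sqlite3
from typing import Optional

# Added example. The table, column names and stored passwords are constructed
# stand-ins for the guestbook's login backend, not taken from the VM.
PAGE_PAYLOAD = "' or 0=0 #"      # the payload from the walkthrough (MySQL '#' comment)
SQLITE_PAYLOAD = "' or 0=0 -- "  # same idea with the comment marker sqlite3 accepts


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-admin-password')")
    db.execute("INSERT INTO users VALUES ('guest', 'constructed-guest-password')")
    return db


def build_query_vulnerable(username: str, password: str) -> str:
    """String-built query: whatever the user types becomes SQL syntax."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Returns the first matching username; with the payload that is the first row, admin."""
    row = db.execute(build_query_vulnerable(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(db: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Placeholders keep the input as data: the quote and comment marker are inert."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(build_query_vulnerable(PAGE_PAYLOAD, "x"))
    db = make_db()
    print("vulnerable:", login_vulnerable(db, SQLITE_PAYLOAD, "x"))
    print("parameterized:", login_parameterized(db, SQLITE_PAYLOAD, "x"))
```

Printing build_query_vulnerable(PAGE_PAYLOAD, "x") shows exactly what the server would hand to MySQL: everything after # is gone, including the AND password = ... clause.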

With three options, I decide to act on all of them. Adding my IP to the IRC whitelist simply refreshes the page, but Burp shows a POST to activate

I add a simple supybot owner with username yoyo and password 1234

After adding the user, I activate supybot

Knowing the IRC port is open, I connect with irssi using /connect, and it's successful

No channels or users are known, so I send a /list command, which reveals the channel #vulnhub

Joining the channel reveals the user vulnhub-bot

Using the added username yoyo, I message the bot with /msg vulnhub-bot user identify yoyo 1234, and it's successful

Running list reveals various commands that can be run, including unix shell, which allows system access; a directory listing reveals flag 2


Being able to run system commands, I attempt a reverse shell...

...and it's successful

Some initial file enumeration shows that a file xss.js stores the credentials for the admin.php page


Additional enumeration, running crontab -l, shows the mysql root credentials


Using the mysql credentials reveals nothing special

Additional enumeration by running ps -aux reveals an interesting ping command being run as root with a pattern (-p) option

After running ps -aux several more times, it seems the pattern changes every so often

On a whim I start Wireshark and notice ICMP traffic from the system. Filtering to ICMP only reveals the ping pattern seen in ps -aux. Each packet carries text data which, put together, reveals flag 0
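What is going on here is a small ICMP side channel: ping -p takes up to 16 pad bytes as hex, repeats them to fill the echo request's data field, and whoever is on the wire can read them back. The block below is an added example modelling that channel, not code from the VM or the post: it splits a message into the -p arguments a sender would use, builds the echo payloads those produce, and reassembles the message from the payloads. Assumptions, labelled in the code: the default 56-byte data size of Linux ping, the iputils behaviour of writing an 8-byte timestamp over the start of the data (which is why the pattern is recovered from the bytes after it and re-aligned), and the ping -c 1 command form. The message and packets are constructed; the real flag is not used.

```python
from typing import List, Optional

# Added example modelling the ICMP side channel the walkthrough found: a
# root process running `ping -p <hex>` with a changing pattern, seen in Wireshark.
# The message and packets below are constructed, not captured from the VM.
PAD_MAX = 16    # ping -p takes at most 16 pad bytes (32 hex digits)
DATA_LEN = 56   # default ICMP echo data size for Linux ping (assumption)
TS_LEN = 8      # iputils ping writes an 8-byte timestamp over the start of the data (assumption)


def message_to_patterns(message: bytes) -> List[str]:
    """Split a message into the hex -p arguments a sender passes to ping, one per packet."""
    return [message[i:i + PAD_MAX].hex() for i in range(0, len(message), PAD_MAX)]


def sender_commands(message: bytes, target: str) -> List[str]:
    """The command lines that would show up in ps output, one per chunk (assumed form)."""
    return ["ping -c 1 -p %s %s" % (p, target) for p in message_to_patterns(message)]


def build_echo_data(pattern_hex: str, timestamp: bytes = b"\x00" * TS_LEN) -> bytes:
    """Model the echo payload: the pattern is repeated across DATA_LEN bytes and
    the timestamp is then written over the first TS_LEN bytes."""
    pat = bytes.fromhex(pattern_hex)
    filled = (pat * (DATA_LEN // len(pat) + 1))[:DATA_LEN]
    return timestamp + filled[TS_LEN:]


def smallest_period(buf: bytes) -> int:
    """Smallest p such that buf[i] == buf[i - p] for every i >= p."""
    for p in range(1, len(buf) + 1):
        if all(buf[i] == buf[i - p] for i in range(p, len(buf))):
            return p
    return len(buf)


def recover_pattern(data: bytes, pattern_len: Optional[int] = None) -> bytes:
    """Recover the -p pattern from one echo payload.

    The period is inferred from the bytes after the timestamp. If a chunk is
    itself repetitive (e.g. b"abab..."), the inferred period is too short, so
    pass pattern_len taken from the -p value seen in ps output instead.
    """
    tail = data[TS_LEN:]
    p = pattern_len or smallest_period(tail)
    # tail[i] == pattern[(TS_LEN + i) % p], hence pattern[j] == tail[(j - TS_LEN) % p]
    return bytes(tail[(j - TS_LEN) % p] for j in range(p))


def reassemble(payloads: List[bytes], pattern_lens: Optional[List[int]] = None) -> bytes:
    """Join the pattern recovered from each packet, in capture order."""
    lens = pattern_lens if pattern_lens is not None else [None] * len(payloads)
    return b"".join(recover_pattern(d, n) for d, n in zip(payloads, lens))


if __name__ == "__main__":
    msg = b"flag{constructed-sample-value}"   # constructed placeholder, not the VM's flag
    for cmd in sender_commands(msg, "10.0.0.1"):
        print(cmd)
    packets = [build_echo_data(p) for p in message_to_patterns(msg)]
    print(reassemble(packets))
```

Against a real capture, feed reassemble() the data field of each ICMP echo request in order; the ps -aux listing already gives the pattern length for each packet, so pass it as pattern_lens rather than relying on period inference.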





So now I only have one more flag, as they apparently started at zero :)

Additional enumeration shows that the current user rasta can sudo as vulnhub with no password for one specific command

Running the command reveals nothing, as it's a limited shell. After many attempts, the letter q actually quits the program and reveals a menu

Option 1 reveals the user, which is vulnhub. Option 2 didn't do anything at first, but after several attempts it seems you have to specify the directory you would like listed. This reveals that /home/vulnhub holds the last flag

Option 3 actually holds coffee :)

After several failed attempts, I found the correct way to reveal flag 3