Try Hack Me: Year of the Rabbit Walkthrough

Yebberdog
6 min read · Aug 30, 2020


This is a beginner level box. From the introduction there is a big reference to a rabbit hole that we must not fall down.

Let’s start by scanning the system for open ports using nmap:

So we have an FTP server on port 21, SSH on port 22 and a web server running on port 80. Unfortunately, it looks like anonymous login is not available on the FTP server on port 21.

Port 80: Web Server

So the website greets us with the standard Apache default page. There appears to be nothing hidden in the source code either.

I will run a gobuster scan to see whether there are any directories we can brute force.

There is a directory called /assets that we can take a look at:

Style.css:

Checking the style sheet we see a comment:

Nice to see someone checking the stylesheets.
Take a look at the page: /************

Let’s navigate to this file — it takes us to a YouTube video of Rick Astley — Never Gonna Give You Up.

Using wget to download the php file we can get some more information:

Within the file it points to the location of the RickRolled.mp4 that we previously saw in the /assets directory. Let’s download that file for closer inspection. Again we can use wget to download the file.

RickRolled.mp4:

I decided to run the mp4 file through Binwalk and, as can be seen below, there appear to be many files contained within it.

After spending ages extracting and messing around, I came to the conclusion that this was one hell of a rabbit hole for a beginner box.

Back to plan A and follow what it tells me to do: switch off Java. This time it redirects and embeds the RickRolled.mp3 into the page. Being from the 80’s I had to listen to the song, and almost a minute in we get a clue that points towards Burp Suite, so let’s intercept the web request to see if there is any further information.

For more information on Burp Suite try the following room on the link below from Try Hack Me.

So we intercepted the request, forwarded it, and can see a hidden directory in the header.

Navigating to this hidden directory we see the following:

Let’s download the Hot_Babe.png and run the file through strings:

strings Hot_Babe.png

Now we are getting somewhere: there is hidden text in the file giving us a username for the FTP server and a potential list of passwords. We will copy and paste the password list into a file called password.txt using Vim and then use Hydra to brute force the password from the list.
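Text hidden in an image file usually survives because it sits outside the image data, most often appended after the IEND chunk, where a viewer never looks but `strings` does. The following is an added example, not code from the original post or the box author: it walks a PNG's chunk list, verifies each CRC, and reports whatever follows IEND, with a rough `strings` equivalent to pull the readable runs out. The sample PNG and the text appended to it are constructed here; the real Hot_Babe.png contents are not reproduced.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(appended: bytes) -> bytes:
    """Constructed sample: a valid 1x1 grayscale PNG with `appended` bytes after IEND."""
    # IHDR: width=1, height=1, bit depth=8, colour type=0 (grayscale), then
    # compression, filter and interlace methods all 0.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + appended)


def parse_png(blob: bytes) -> dict:
    """Walk the chunk list, checking each CRC, and return the chunk types seen
    plus any bytes that follow IEND. A decoder stops at IEND, so anything after
    it is invisible in an image viewer but easy to recover this way."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    trailing = b""
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        start = pos + 8
        end = start + length
        if end + 4 > len(blob):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        data = blob[start:end]
        (crc,) = struct.unpack(">I", blob[end:end + 4])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        chunks.append(ctype.decode("ascii"))
        pos = end + 4
        if ctype == b"IEND":
            trailing = blob[pos:]  # everything after the terminating chunk
            break
    else:
        raise ValueError("no IEND chunk found")
    return {"chunks": chunks, "trailing": trailing}


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Rough equivalent of `strings`: runs of printable ASCII of at least min_len."""
    out, run = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


if __name__ == "__main__":
    # Constructed note appended after IEND, standing in for the hidden text.
    sample = build_sample_png(b"\nftp user: sample_user\ncandidates:\nwordA\nwordB\n")
    info = parse_png(sample)
    print("chunks:", info["chunks"])
    print("bytes after IEND:", len(info["trailing"]))
    for s in printable_strings(info["trailing"]):
        print("  ", s)
```

Checking the CRCs is what separates "text appended after the image" from "a damaged image": a file whose chunks all verify and which still has bytes after IEND was almost certainly edited after it was written out.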

We now have our username and password for the FTP login:

We can see a text file Eki’s_Creds.txt; let’s download it and have a look at it.

Oh boy, this looks like some kind of encoding or cipher, time to head to CyberChef. OK, so that was a waste of time; it looks like this is not a normal cipher. After some research, I found out that this is an esoteric programming language called Brainfuck.

We can assume that these are the SSH credentials for Eli, so let’s try and log into the SSH server as Eli.

“Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I’ve left you a hidden message there”

So we have a new potential user “Gwendoline”

We can use the find command to search for the directory “s3cr3t”

find / -type d -name "s3cr3t" 2>/dev/null

Looking at the /etc/passwd file we can see that Gwendoline is a user:

Let’s see if we can change user to Gwendoline:

su gwendoline

Using the password we can change to user Gwendoline. Let’s explore further and navigate to the /home/gwendoline directory:

Great we have the user.txt flag.

Let’s check out whether user Gwendoline has any sudo privileges:

OK, so this looks like a very simple privesc. The vi file is owned by root and we can use a simple privesc exploit for the binary vi using /bin/sh.

Wait, this does not work!!!!!!

From the above we can see RunAsUsers: All, !root

So although we have sudo rights to run /usr/bin/vi /home/gwendoline/user.txt, we cannot run it as root, as we can see !root in the RunAsUsers. This was clever on the part of the developer and I had not come across this before. There is an exploit in sudo, CVE-2019-14287, prior to version 1.8.2.8.

Basically, asking sudo to run the command as the user ID -1 makes it run as user ID 0, which is root, so the !root exclusion is never applied.
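The bypass only matters where a sudoers rule grants ALL in its RunAs list and then carves root out with !root; on a fixed build the rule behaves as written, on an older one it does not. The audit below is an added example, not code from the original post or the box author: it parses one-line sudoers rules, flags that RunAs shape, and marks each finding as bypassable when the supplied sudo version is older than 1.8.28, the release that carried the upstream fix. The sample sudoers lines are constructed, modelled on the rule the text describes, and the regex handles only the common single-line rule form (no aliases or continuation lines).

```python
import re
from typing import Dict, List, Tuple

# One-line sudoers rule: user host = (runas_users[:runas_groups]) [TAG:] command
# Assumption: the common single-line form; aliases and continuation lines are ignored.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<command>.*)$"
)

# CVE-2019-14287 was fixed upstream in sudo 1.8.28.
FIXED_VERSION: Tuple[int, ...] = (1, 8, 28)

# Constructed sample, modelled on the rule the walkthrough describes.
SAMPLE_SUDOERS = [
    "# /etc/sudoers (constructed sample)",
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "gwendoline ALL=(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt",
    "backup ALL=(www-data) /usr/bin/rsync",
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.8.27p1' -> (1, 8, 27, 1) so versions compare as tuples, patch level last."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def audit_sudoers(lines: List[str], sudo_version: str) -> List[Dict]:
    """Flag RunAs lists that grant ALL while negating root.

    On sudo older than 1.8.28 such a rule does not hold; on a fixed build it
    behaves as written but is still reported, because an explicit allow-list
    of RunAs users is the safer shape and does not depend on the sudo version.
    """
    vulnerable_build = parse_version(sudo_version) < FIXED_VERSION
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = m.group("runas").split(":", 1)[0]  # drop the RunAs group part
        users = [u.strip() for u in runas_users.split(",") if u.strip()]
        negates_root = any(u.lower() in ("!root", "!#0") for u in users)
        grants_all = any(u.upper() == "ALL" for u in users)
        if grants_all and negates_root:
            findings.append({
                "line": lineno,
                "user": m.group("user"),
                "runas": runas_users.strip(),
                "command": m.group("command").strip(),
                "bypassable": vulnerable_build,
                "fix": "upgrade sudo to 1.8.28 or later and replace 'ALL, !root' "
                       "with an explicit list of permitted RunAs users",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS, "1.8.27"):
        print(f"line {f['line']}: {f['user']} may run as ({f['runas']}) "
              f"-> bypassable={f['bypassable']}; {f['fix']}")
```

On a real host the two inputs are the output of `sudo -V` (first line) and the contents of /etc/sudoers plus /etc/sudoers.d/*; the useful takeaway is that a version check alone is not enough, since the rule shape is what makes the negation meaningful in the first place.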

To get root we can simply use this exploit:

sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt

And then use the conventional vi shell exploit as given in GTFOBins.

Once the above is entered into vi we get the root shell:

All we need to do now is head over to /root and grab the root flag.

A great box that introduced me to a new exploit I was not aware of. Many thanks to the developer of this box, MuirlandOracle.
