
Page 1: arkanoid-thewall1

The Wall 1 - Cracking Challenge 1

VulnHub Cracking Challenge The Wall 1

By arkanoid aka Emmanouil Gavriil

Email: ([email protected]) Soundtrack: Pink Floyd Playlist

01/12/2015


This is one of the best cracking challenges I have ever played. Why? First of all because I am a big fan of Pink Floyd. I was 14 (back in 1989) when I saw them live in Athens and had my first "real" music experience. My father insisted on going to the concert in order to hear real musicians. "There is music and there are Pink Floyd", as he used to say. The whole game was a nice trip back in time and memories for me. I kept the game as another piece in my Pink Floyd collection! The riddles were just fantastic and it was really clever to use some real stories in the game. Excellent work from Xerubus and a big thanks to the vulnhub team for this nice game once more! Keep up the good work. Let the fun begin!

Stage 1 – Is there anybody out there?

Most wargames start with an open port. Not this time. No port is open. Challenging. Default ports or full scans reveal nothing. Try to find out what is happening with what else? Wireshark:

It seems that the target machine is trying to communicate on port 1337 with anybody that will answer!

So here I am listening for you:

Cool. Hope something changed ;-)


Stage 1 – Syd Barrett

Port scan again:

An HTTP port (80) is open. With this nice intro the game starts! Hello Floyds!

Source code view. Is there a Magic Number?


It looks like a decimal number, but look a little closer: there is a "d" in it, which makes the whole thing hex. Let's translate. Note that the riddle above was actually pointing to searching inside the picture of the Pink Floyd group.

Hex2ascii = "steg=33115730dbbb370fcbe9720fe632ec05" <---- the word steg is another hint!

Is that an md5? Yes it is. Crack it. Easy: 33115730dbbb370fcbe9720fe632ec05 => divisionbell

Now the tricky part: where does this password go? Well, as I said before, the riddle hinted at the use of steganography in the image on the website. Make use of the steghide tool:

Good. I have a key and another hint as well ;-). That is base64. Decode:

Ok Syd, I got it. The other part of the string is an md5. Here we go again. Crack it. Easy: f831605ae34c2399d1e5bb3a4ab245d0 => pinkfloydrocks

Ok. Get in! Hmmm... where? Let's scan again... (the 1965 hint year is the SSH port)
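The two decoding steps above (hex to ASCII, then a base64 hint, each ending in an unsalted md5 of a dictionary word) follow the same pattern, so here is one added example that walks through it. This is my own illustration, not code from the original writeup or the VM: the hex string is rebuilt from the decoded value the writeup shows, the base64 sample and the small wordlist are constructed, and the point is that an unsalted md5 of a dictionary word gives no protection at all because a plain comparison loop over candidates recovers it.

```python
import base64
import hashlib
import re
from typing import List, Optional

# Constructed inputs: rebuilt from the values the writeup shows, not copied from the screenshots.
MAGIC_HEX = "steg=33115730dbbb370fcbe9720fe632ec05".encode().hex()
SAMPLE_B64 = base64.b64encode(b"Hello Syd: f831605ae34c2399d1e5bb3a4ab245d0 is your key").decode()

# Constructed candidate list; a real check would read a proper wordlist file.
WORDLIST = ["darkside", "divisionbell", "pinkfloydrocks", "wishyouwerehere"]

# 32 hex digits on word boundaries: the shape of an md5 hex digest.
MD5_TOKEN = re.compile(r"\b[0-9a-fA-F]{32}\b")


def hex_to_ascii(hex_text: str) -> str:
    """Decode a hex string (with or without a leading '0x') into text."""
    cleaned = hex_text.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    return bytes.fromhex(cleaned).decode("ascii")


def parse_hint(decoded: str):
    """Split a 'keyword=value' hint such as 'steg=<hash>' into its two parts."""
    key, _, value = decoded.partition("=")
    return key, value


def find_md5_tokens(text: str) -> List[str]:
    """Return every 32-hex-digit token in the text; these are the md5 candidates."""
    return [m.group(0).lower() for m in MD5_TOKEN.finditer(text)]


def decode_b64_hint(b64_text: str) -> List[str]:
    """Base64-decode a hint and pull out any md5-looking tokens from it."""
    return find_md5_tokens(base64.b64decode(b64_text).decode("utf-8", "replace"))


def md5_hex(word: str) -> str:
    """Hex md5 digest of a candidate word (no salt, exactly what the challenge used)."""
    return hashlib.md5(word.encode()).hexdigest()


def md5_lookup(target_hash: str, words) -> Optional[str]:
    """Compare the md5 of every candidate with the target; None when nothing matches."""
    target = target_hash.lower()
    for word in words:
        if md5_hex(word) == target:
            return word
    return None


if __name__ == "__main__":
    key, digest = parse_hint(hex_to_ascii(MAGIC_HEX))
    print(key, digest, "->", md5_lookup(digest, WORDLIST) or "(not in constructed list)")
    for token in decode_b64_hint(SAMPLE_B64):
        print(token, "->", md5_lookup(token, WORDLIST) or "(not in constructed list)")
```

The lookup loop is deliberately the simplest possible one: with no salt and no iteration count, the cost of testing a candidate is one md5 call, which is why a password that is a dictionary word (or a band reference) is recovered instantly.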


Finally, let's get into the system! SSH!

Ok, no SSH. SFTP is just fine.

By reading the sent items we get another hint, about scalpel:


It's time for forensics! Recover some data using scalpel. I didn't know that tool, but I am glad I learnt about it. By modifying the configuration file (only images to recover) it was possible to extract the one and only:

..and here it is! Hi Roger:

and the password of RogerWaters is hello_is_there_anybody_in_there
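Scalpel's "only images" configuration boils down to header/footer signature carving, so here is an added example of that technique written by me for this writeup; it is not scalpel's code and not anything from the VM. The "disk image" is a constructed byte blob with a tiny valid PNG and a JPEG-shaped fragment buried in filler, the carver scans for the PNG and JPEG signatures exactly the way a scalpel config line would, and a small PNG chunk checker confirms the carved file is intact rather than a false hit.

```python
import struct
import zlib

# Header/footer pairs, the same idea as a scalpel.conf line: "png y 10000000 \x89PNG IEND".
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(blob: bytes, kinds=("png", "jpg"), max_size: int = 10_000_000):
    """Return (kind, offset, data) for every header that has a footer within max_size bytes."""
    found = []
    for kind in kinds:
        header, footer = SIGNATURES[kind]
        start = 0
        while True:
            h = blob.find(header, start)
            if h < 0:
                break
            f = blob.find(footer, h + len(header))
            if f < 0 or f - h > max_size:
                start = h + 1          # no usable footer: skip this header, keep scanning
                continue
            end = f + len(footer)
            found.append((kind, h, blob[h:end]))
            start = end
    found.sort(key=lambda item: item[1])
    return found


def validate_png(data: bytes) -> bool:
    """Walk the PNG chunks and verify every CRC; a carved file that passes is intact."""
    if not data.startswith(SIGNATURES["png"][0]):
        return False
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        body = data[pos + 4:pos + 8 + length]          # chunk type + chunk data
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return False
        if body[:4] == b"IEND":
            return True
        pos += 12 + length
    return False


def make_tiny_png() -> bytes:
    """Construct a minimal valid 1x1 red PNG so the sample runs with no image file on disk."""
    def chunk(tag: bytes, data: bytes) -> bytes:
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    raw = b"\x00" + b"\xff\x00\x00"                      # filter byte + one red pixel
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def build_sample_disk_image() -> bytes:
    """Constructed 'unallocated space': filler, a PNG, junk, a JPEG-shaped fragment, filler."""
    fake_jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 20 + b"\xff\xd9"
    return b"\x00" * 100 + make_tiny_png() + b"junkjunk" * 10 + fake_jpg + b"\xff" * 50


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_disk_image()):
        ok = validate_png(data) if kind == "png" else "n/a"
        print(f"{kind} at offset {offset}, {len(data)} bytes, intact={ok}")
```

The max_size guard matters in practice: a header with no matching footer nearby is skipped rather than swallowing the rest of the image, which is the same role the size column plays in scalpel's configuration.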


Stage 2 – Roger Waters

Roger successfully connects through SSH, and his directory has nothing that can elevate privileges. I searched a little in his home but found nothing useful for hacking. Of course, all the information like bio.txt and his secret diary is quite amusing! After some more testing outside his home directory I spotted this very cool file ;-) Another brick in the wall?

The correct answer was easy: Nick Mason

Stage 3 – Nick Mason

Becoming Mason was easy. But now things get harder. Searching his home directory (read the bio again!), one can easily spot that his profile picture is not actually an image but a sound file. Hmm..

Get the file (transfer it through SCP) and listen to it. A music theme is overlaid with morse code audio. Don't expect two audio channels that you can simply split in order to listen to the morse code alone. Not that easy! Audacity here is your best friend. I am curious, though, whether someone found an easier solution than that, probably something with visualization :-)

Try changing speed and tempo in order to get better audio results, but also visual ones that can help. For example:

Here the last three letters can be identified obviously and easily: .. ... ._ = ISA. After decoding everything, the user is RichardWright and the password is: 1943farfisa
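Decoding the remaining letters is mechanical once the dots and dashes are read off the waveform, so here is an added example of my own (not part of the writeup) that does both halves: a morse decoder that accepts the writeup's "_" as a dash, and a small timing classifier that turns tone/silence lengths measured in an editor like Audacity into dots, dashes, letter gaps and word gaps. The timing sample is constructed to spell ISA; no real audio is embedded.

```python
# International morse table: '.' dot, '-' dash.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}


def normalize(text: str) -> str:
    """Map the alternative glyphs people type ('_', minus sign, middle dot) to '.' and '-'."""
    return text.replace("_", "-").replace("\u2212", "-").replace("\u00b7", ".")


def decode_morse(text: str, word_sep: str = "/") -> str:
    """Decode space-separated letters and '/'-separated words; unknown symbols become '?'."""
    words = []
    for word in normalize(text).split(word_sep):
        symbols = word.split()
        if symbols:
            words.append("".join(MORSE.get(s, "?") for s in symbols))
    return " ".join(words)


def symbols_from_timing(tones, unit: float) -> str:
    """Turn (tone_seconds, silence_after_seconds) pairs into morse text.

    Standard timing: dot = 1 unit, dash = 3 units; silences of 1, 3 and 7 units
    separate symbols, letters and words. Thresholds sit between those values so
    slightly sloppy measurements from a waveform still classify correctly.
    """
    out = []
    for tone, gap in tones:
        out.append("." if tone < 2 * unit else "-")
        if gap >= 5 * unit:
            out.append(" / ")
        elif gap >= 2 * unit:
            out.append(" ")
    return "".join(out).strip(" /")


# Constructed timing sample (seconds) spelling ISA with a 0.1 s unit.
SAMPLE_TONES = [(0.1, 0.1), (0.1, 0.3),              # ..   -> I
                (0.1, 0.1), (0.1, 0.1), (0.1, 0.3),  # ...  -> S
                (0.1, 0.1), (0.3, 0.7)]              # .-   -> A


if __name__ == "__main__":
    print(decode_morse(".. ... ._"))                        # the writeup's last three letters
    print(symbols_from_timing(SAMPLE_TONES, 0.1), "->", decode_morse(symbols_from_timing(SAMPLE_TONES, 0.1)))
```

When the music makes the envelope noisy, measure the unit from the shortest clean tone you can find and feed that in; everything else is relative to it.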


Stage 4 – Richard Wright

Under /usr/local/bin there is a shineon (You crazy diamond!) program with the sgid permissions of RichardWright. When executed it loads a menu, and each option executes a system command using the system function. Quite dangerous if not in absolute paths!

Run strings on the binary and spot the exact path of the commands:

All the commands use an absolute path except the mail one. This is a PATH vulnerability, and it can be exploited by modifying the shell configuration to set the PATH environment variable to the current working directory. With that it is possible to execute any program of choice, but with the permissions of David. For me it was easier to change the already existing CSH configuration by adding the . directory to the PATH.


Then I created the appropriate exploit code in the /tmp/ directory. The plan is simple: an executable which spawns a shell with the setuid of the user (gg.c), and a shell script (mail) to set the correct permissions after being executed from shineon!

Then jump to CSH and execute shineon again, selecting the fourth option:
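The whole of stage 4 rests on one detail: system("mail") asks the caller's PATH where "mail" lives, while the other options name their binaries absolutely. The following is an added example of mine, not code from shineon or the writeup, that makes the difference visible and shows the two fixes a privileged program should apply. It builds a constructed writable directory containing a harmless stand-in "mail", resolves the command once through a PATH that starts with that directory and once through a fixed safe PATH, and audits a list of command strings the way you would after running strings on such a binary. The location /usr/bin:/bin for the safe PATH is an assumption.

```python
import os
import shutil
import tempfile
from typing import Dict, List

# Assumption: the real mail binary lives under one of these. A privileged program should
# set this itself rather than trust whatever PATH the invoking user's shell handed it.
SAFE_PATH = "/usr/bin:/bin"


def is_absolute_command(command_line: str) -> bool:
    """True when the program part of a system() string starts with '/'."""
    return command_line.strip().startswith("/")


def audit_commands(command_lines: List[str]) -> List[str]:
    """Return the command strings that would be resolved via PATH (the 'mail' case)."""
    return [c for c in command_lines if not is_absolute_command(c)]


def resolve(command: str, search_path: str):
    """Where the shell would find `command` with the given PATH (None if nowhere)."""
    return shutil.which(command, path=search_path)


def hardened_env() -> Dict[str, str]:
    """Environment to hand to a child from a setuid/setgid program: fixed PATH, no IFS,
    nothing inherited that influences how the shell locates or parses commands."""
    return {"PATH": SAFE_PATH, "LANG": "C"}


def demo_resolution():
    """Constructed scenario: a user-writable dir with its own 'mail' placed first in PATH.
    Returns (lookup_via_user_path_hits_stand_in, lookup_via_safe_path_hits_stand_in)."""
    with tempfile.TemporaryDirectory() as tmp:
        stand_in = os.path.join(tmp, "mail")
        with open(stand_in, "w") as f:
            f.write("#!/bin/sh\necho 'stand-in mail, not the real one'\n")
        os.chmod(stand_in, 0o755)
        user_controlled_path = tmp + os.pathsep + SAFE_PATH
        via_user_path = resolve("mail", user_controlled_path)   # first hit: the stand-in
        via_safe_path = resolve("mail", hardened_env()["PATH"])  # the stand-in is never consulted
        return via_user_path == stand_in, via_safe_path == stand_in


if __name__ == "__main__":
    # Constructed list standing in for what `strings` shows on such a binary.
    print("resolved via PATH:", audit_commands(["/bin/ls -la", "/usr/bin/who", "mail", "/bin/date"]))
    print("stand-in picked (user PATH, safe PATH):", demo_resolution())
```

The two fixes are complementary: call the program by absolute path so PATH is never consulted, and reset the environment anyway before any system() or exec, because the next developer to add a menu option may forget the first rule.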


The password of David is hidden inside his profile image! Strings once more!

Stage 5 – David Gilmour

As David is the last man standing, the target now is just to get root. Looking into his directories revealed another brick in the wall!!

Visit the new web site and celebrate the 50 Years of Pink Floyd!


At the bottom of the source code of the page one can find a useful hint:

I actually spotted the hint after I found that the image is hiding something!

Play with zoom, brightness and contrast and boom!

welcometothemachine 50696e6b466c6f796435305965617273

The latter is an md5! But actually it is the real password! Where to enter it? David is in the following groups:


Being a member of www, David can enter the web server directory. Once inside, a new directory appears which hides the PinkFloyd executable. Answer the question with the md5 password!

David was just added to the sudoers club ;-) What is he permitted to do? ALL. If ALL, then su is the key to the kingdom! Go for it!


Stage 6 – Got root?

Sure, and the flag is:

Thanks again for this fantastic game!

Keep hacking!