[VulnHub] 64Base Boot2Root

Hi guys, back again with another walkthrough. I successfully managed to crack [VulnHub] 64Base Boot2Root, so let's head on and see how the CTF is played.


Introduction to the machine and the owner:

This is my very first public Boot2Root. It's intended to be more of a fun game than a serious hacking challenge. Hopefully anyone interested enough to give it a try will enjoy the story with this one.
It is based on the StarWars storyline and is designed to Troll you in a fun way.
Just be warned, it’s littered with more than a few “Red Herrings” ;D

Difficulty Rating
[BEGINNER – INTERMEDIATE]
Capture The Flags
There are 6 flags to collect, each in the format flag1{ZXhhbXBsZSBmbGFnCg==}. Beat the Empire and steal the plans for the Death Star before it's too late.
I Hope You Enjoy It.
v1.0 – 05/12/2016 v1.0.1 – 07/12/2016
Solution:-

Okay, so our target is to grab hold of the 6 flags that are part of the CTF. They will be in the format mentioned above, which looks like base64 to me.
Let's run a quick nmap scan.


Okay, we have 4 ports open. Let's access them one after the other, keeping HTTP for last.

First SSH: the service hangs when you try to access it with the ssh command; however, on telnetting to the same port the below was observed. No commands executed, though.

Then we try to access port 4899 using telnet and get the following.

Great, but nothing to do here: it was unresponsive after this message and nothing else could be done on this port. After some time the connection was closed.

Then another unknown port showed it was running an SSH service.

Okay, so we haven't come across any flags yet. I'm assuming the whole thing will be in the HTTP service itself.

The website looks like this.

My first rule is to always go to the source code, and it has rarely failed me.

Our first string. Let's convert the hex to a string and then keep decoding it until we get a readable string.

Interesting, a username and password already, nice. So I tried the same on SSH, but it did not accept them, so I assume they will be used somewhere for sure. Proceeding further, I went through the articles; they carried the main Star Wars storyline, and there was a little hint at the bottom of one blog post.

Use system instead of EXEC to run the secret shell. Great, so there is a shell uploaded somewhere on the application. Since this is a different page, again make sure you look at the source code. Nothing interesting was found in the source code. Moving on, I stumbled across the contactus HTML page with an interesting comment.

On accessing the page

Nothing in particular could be found.

Kinda hit a roadblock here on the hint, so I went back and ran nikto.

Tons of folders are mentioned in the robots.txt; however, on accessing a few of them there was either a blank page with no information or a server error.

So I manually started going through the files and folders one after the other to see if the names made any sense with the given Star Wars theme. To be honest, I wasted a lot of time, and finally came across Imperial-Class, which was also mentioned in the same blog post we read. In response it gave us something really interesting.

So I enter bountyhunter after the imperial-class.

The source code reveals another flag.

A basic token; let's convert the hex to a string and then base64 decode it.

It ended up giving me half a string and "invalid input". After analyzing further, all the id values of text, password and basic token were concatenated into one string, and we received a YouTube video.

It was a Darth Vader video. However, there is a login panel, so the default instinct is SQL injection.

And we get our third flag in response.

Flag 3 decodes to:

Ah, the shell...

But no output. If you remember, earlier there was a clue to use system and not exec to get output. Let's do the same.

There we go, flag 4, and it corresponds to:

Okay, so we got our command working. Now I tried to nc to my machine with a listener on; however, we got this.

Dayum, this is not good. Now what?

I think it's a better idea to upload your own shell and see what's happening, since many of the commands were being blocked and filtered. I took one of the shells from the webshells directory of our Kali machine and configured it to back-connect to our port 4444 listener; nothing happened, though. The problem was that the web app was filtering characters and was not allowing most of the special characters. After a bit of googling I figured out there is a function in PHP called var_dump that allows you to debug.

So now that nc shows this sneaky little cat, what next? Go for wget. On using var_dump for wget we get the following.

It looks like ":" and "/" are being filtered. Crap, what now? This got me thinking: how about a recursive wget to my hosted web server? The connection was received; however, the files were not pulled.

So finally, after quite a few hours of passing random strings, I stumbled upon the "|" sign being allowed. Passing the wget after the "|" sign allowed the download of my shell file, which could later be accessed to get a reverse shell.

Since we had access, I already felt this was an achievement, so I ran a dirty command to directly search for the flag. Shamelessly, it was a jackpot and I got the 5th flag.

The base64 decode of the same is:

Look inside, so I went into the flag5 folder.

It was a file.


I hosted a simple HTTP server and downloaded the same.

On checking the information using the file command, there was a comment.

On running exiftool on the file, it was observed that there was a huge comment. On converting it to a string and base64 decoding the string, the following was observed.

An RSA key, after converting the hex to a string using xxd and then base64 decoding. Also ensure you change the permissions of the file so that it is readable by the owner (root here) only; otherwise SSH will end up giving warnings that the permissions are too weak.

Now, when I tried to SSH using the given key file on the SSH port, it prompted for a passphrase.

Damn, never cracked that before. On a quick google for "cracking ssh key passphrase" I was redirected to the pentestmonkey blog, which referred to the phrasendrescher tool; it is a password cracking utility and it cracks private keys too. So, using the same and providing rockyou.txt, we successfully managed to get the passphrase.

Now we log in over SSH.

Well, we have our 6th flag.

Funny how they encoded and hexed the string multiple times, surely to mess with someone. LoL. In the end the decoded value pointed to a command.
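Every flag on this box was the same exercise: peel a hex layer, then one or more base64 layers, until readable text appears (the first string in the page source, the basic token, the exiftool comment holding the RSA key, and this last flag). The helper below is an added example written for this walkthrough, not code from the box or its author; it automates that peeling and also parses the flagN{...} wrapper the VM description specifies. The sample input is constructed here (a short secret wrapped in base64 twice and then hex-encoded) and is not a real flag from the machine.

```python
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable)
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def looks_like_hex(s: str) -> bool:
    """Even-length, non-empty string made only of hex digits."""
    return len(s) >= 2 and len(s) % 2 == 0 and all(c in string.hexdigits for c in s)


def looks_like_base64(s: str) -> bool:
    """Length a multiple of 4 and only base64 alphabet characters."""
    return len(s) >= 4 and len(s) % 4 == 0 and all(c in B64_ALPHABET for c in s)


def is_readable(s: str) -> bool:
    """All characters printable ASCII; once this holds we have plain text."""
    return bool(s) and all(c in PRINTABLE for c in s)


def peel_layers(blob: str, max_layers: int = 10):
    """Strip hex and base64 layers until no decoding yields readable text.

    Returns (text, layers): the innermost readable string and the list of
    decodings applied in order, e.g. ["hex", "base64", "base64"].
    """
    current = blob.strip()
    layers = []
    for _ in range(max_layers):
        # Try hex first; a string that is both hex- and base64-shaped falls
        # through to base64 if the hex bytes are not readable text.
        candidates = []
        if looks_like_hex(current):
            candidates.append(("hex", lambda s: bytes.fromhex(s)))
        if looks_like_base64(current):
            candidates.append(("base64", lambda s: base64.b64decode(s, validate=True)))
        for name, fn in candidates:
            try:
                decoded = fn(current).decode("utf-8")
            except (ValueError, binascii.Error, UnicodeDecodeError):
                continue
            if is_readable(decoded):
                layers.append(name)
                current = decoded.strip()
                break
        else:
            break  # no candidate produced readable text: we are done
    return current, layers


# Wrapper format stated in the VM description: flag1{ZXhhbXBsZSBmbGFnCg==}
FLAG_RE = re.compile(r"^(flag\d+)\{(.+)\}$")


def decode_flag(flag: str):
    """Parse the flagN{...} wrapper and decode whatever is inside the braces."""
    m = FLAG_RE.match(flag.strip())
    if not m:
        raise ValueError("not in flagN{...} format")
    text, _ = peel_layers(m.group(2))
    return m.group(1), text


# Constructed sample (not from the box): base64 twice, then hex-encoded.
SECRET = "use the force"
SAMPLE = binascii.hexlify(base64.b64encode(base64.b64encode(SECRET.encode()))).decode()

if __name__ == "__main__":
    print(peel_layers(SAMPLE))
    print(decode_flag("flag1{ZXhhbXBsZSBmbGFnCg==}"))
```

The stop condition is "a decoding produced readable text", so a decoded value that is itself more hex or base64 simply goes around the loop again; that is exactly what the multiply-encoded sixth flag needs. The `max_layers` cap keeps a pathological input from looping forever.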

On running the command, boom goes the dynamite: we got to the secrets location.

All in all, this was a tricky one, because it took me quite a lot of time, or rather quite a few days, to figure out the "|" trick for the bypass; the rest was a fun activity.

After which I performed a little bit of root-cause analysis to see what the underlying tricks were.

Remember the login.php page that had the 5up3r5h377? Here is the filter.

A regex that replaces everything not in the given character set with a null char.
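The lesson from that filter is that a character allowlist in front of system() is the wrong control: whatever survives the regex still reaches a shell, and one overlooked metacharacter is enough. The example below is added here for illustration and is not the VM's PHP; it reconstructs the pattern in Python with an assumed character set (the real set in login.php is not shown on the page) and puts the hardened alternative beside it: map user input to a fixed table of commands and run them with shell=False, so shell metacharacters are never interpreted at all. The command table and upload path are assumptions.

```python
import re
import shlex
import subprocess

# Assumed character set for illustration; the post says the real filter
# replaced everything outside its set, and that "|" was inside the set.
ALLOWED_CHARS = r"A-Za-z0-9 ._\-|"


def char_filter(user_input: str) -> str:
    """The weak control: drop every character not in ALLOWED_CHARS."""
    return re.sub(rf"[^{ALLOWED_CHARS}]", "", user_input)


def weak_argv(user_input: str) -> list:
    """What the vulnerable pattern amounts to: filter, then hand the whole
    string to a shell. Returned as the argv that would reach /bin/sh, not run."""
    return ["/bin/sh", "-c", char_filter(user_input)]


# Hardened design: the client chooses a name, never a command line.
COMMAND_ALLOWLIST = {
    "id": ["id"],
    "uptime": ["uptime"],
    "list-uploads": ["ls", "-la", "/var/www/uploads"],  # assumed path
}


def build_argv(user_input: str) -> list:
    """Accept exactly one token that names an allowlisted command.

    shlex.split honours quoting, so "'uptime'" is fine, while anything with
    extra tokens (pipes, separators, arguments) is rejected outright."""
    tokens = shlex.split(user_input)
    if len(tokens) != 1 or tokens[0] not in COMMAND_ALLOWLIST:
        raise ValueError("command not permitted")
    return list(COMMAND_ALLOWLIST[tokens[0]])


def hardened_run(user_input: str) -> str:
    """Run the mapped argv directly (no shell), with a timeout."""
    argv = build_argv(user_input)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=5, check=False)
    return result.stdout


if __name__ == "__main__":
    print(weak_argv("uptime | id"))   # the pipe survives the filter
    print(hardened_run("uptime"))     # only a named command ever executes
```

The difference to keep in mind when reviewing code like login.php: `char_filter` decides which characters are allowed, `build_argv` decides which commands are allowed. Only the second question is the one that matters for command injection, and answering it makes the character set irrelevant.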

A few of you must have also noted that other ports like 4899 and 22 were open but nothing happened, so here is what was running in the background.

A crontab that launched the nc.real file and pointed it at the two given locations.

Let's check out the info in those files too, to verify the same.

The banner one got on port 4899, and the SSH banner one got on port 22.

Also, there was a login for the admin folder with HTTP authentication; well, here is the password.

Now we are left with the passwords of the root user and of base64. Well, I tried to find any hints inside if I could, but in the meantime also ran john on the shadow file creds; however, the attempt was unsuccessful. If anyone figures out a way in using the credentials, please feel free to ping me; I would love to know if there is any other way to break into the system.

And we end our walkthrough here. Hope it was a fun time cracking 🙂