Tovi Jaeschke

unknowndevice64 v1.0 walkthrough

Walkthrough for the unknowndevice64 v1.0 CTF, by Ajay Verma.

Recon

I started by scanning my network with nmap to find the VM.

nmap -sn 10.1.1.1/24
...
Nmap scan report for 10.1.1.60
Host is up (0.00035s latency).
MAC Address: 08:00:27:A9:EA:F9 (Oracle VirtualBox virtual NIC)
...

After finding the IP address of the machine, I ran nmap again to discover which ports were open and which services were running on them.

nmap -sV -p- 10.1.1.60
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-30 14:33 ACST
Stats: 0:00:18 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 14:34 (0:00:06 remaining)
Nmap scan report for 10.1.1.60
Host is up (0.00013s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
1337/tcp  open  ssh     OpenSSH 7.7 (protocol 2.0)
31337/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
MAC Address: 08:00:27:A9:EA:F9 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.37 seconds

I opened http://10.1.1.60:31337 in the browser and discovered an interesting looking website, with a glaringly obvious clue in red. I then looked at the page source and found a comment referencing key_is_h1dd3n.jpg, which I downloaded.

[Image: the Unknowndevice website and its page source]

wget 10.1.1.60:31337/key_is_h1dd3n.jpg
--2019-04-30 15:42:47--  http://10.1.1.60:31337/key_is_h1dd3n.jpg
Connecting to 10.1.1.60:31337... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5386 (5.3K) [image/jpeg]
Saving to: ‘key_is_h1dd3n.jpg’

key_is_h1dd3n.jpg   100%[==================>]   5.26K  --.-KB/s    in 0s

2019-04-30 15:42:47 (1.25 GB/s) - ‘key_is_h1dd3n.jpg’ saved [5386/5386]

Steganography

I assumed some type of steganography was being used on the file, and after a bit of investigation with various tools, I tried extracting data with steghide, using the password "h1dd3n".

[Image: extracting the hidden data from key_is_h1dd3n.jpg with steghide]

The key_is_h1dd3n.jpg file contained a brainfuck program, which I compiled and executed; its output was the username and password for the SSH login.

[Image: SSH login as ud64]

After logging in, I realised the default shell for user ud64 was rbash (restricted bash). However, I also had access to the vi text editor, from which I spawned a proper bash shell. I then changed the $PATH variable so I had easy access to a few more programs. I found that the ud64 user had sudo access to a single program: /usr/bin/sysud64.

[Image: spawning /bin/bash from vi]

Finding the privesc vuln

After discovering that /usr/bin/sysud64 was just a copy of the program strace, I uploaded a small botnet I have been writing (as it was a good opportunity to test it) and executed it with /usr/bin/sysud64. This gave me root access.

[Image: uploading the payload to be executed with sudo sysud64]
[Image: downloading the payload to be executed with sudo sysud64]
[Image: root shell obtained and the flag]
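As an added, defender-side example that is not part of the original walkthrough, the script below audits simple sudoers rules and flags any allowed command whose SHA-256 matches a binary that must never be runnable with sudo; a renamed copy like /usr/bin/sysud64 standing in for strace is exactly the case a name-based review of sudoers misses. The sudoers fragment, the binaries and the hash allowlist are constructed stand-ins, and only simple one-line rules are parsed.

```python
import hashlib, re, tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):   # chunked read, large binaries are fine
            h.update(chunk)
    return h.hexdigest()

def parse_sudoers_commands(text):
    """Yield (user, command_path) from one-line 'user host=(runas) [NOPASSWD:] /cmd [args], ...' rules."""
    # Assumption: aliases, @include and line continuations are out of scope for this audit.
    rule = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:NOPASSWD:\s*)?(.+)$")
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = rule.match(line)
        if not m:
            continue
        user, cmds = m.groups()
        for cmd in cmds.split(","):
            path = cmd.strip().split()[0]           # keep the command, drop its arguments
            if path.startswith("/"):                # skip ALL and command aliases
                yield user, path

def find_renamed_copies(sudoers_text, known_dangerous):
    """known_dangerous: {sha256: name}; returns [(user, sudo_path, name)] for byte-identical copies."""
    hits = []
    for user, path in parse_sudoers_commands(sudoers_text):
        if Path(path).is_file():
            digest = sha256_of(path)
            if digest in known_dangerous:
                hits.append((user, path, known_dangerous[digest]))
    return hits

def demo():
    """Constructed scenario: a renamed copy of strace granted via sudo, as in the walkthrough."""
    with tempfile.TemporaryDirectory() as d:
        strace, sysud64, harmless = (Path(d) / n for n in ("strace", "sysud64", "harmless"))
        strace.write_bytes(b"\x7fELF constructed stand-in for the real strace binary")
        sysud64.write_bytes(strace.read_bytes())     # byte-identical copy under a new name
        harmless.write_bytes(b"\x7fELF constructed unrelated binary")
        sudoers = (f"# constructed sudoers fragment\nDefaults env_reset\n"
                   f"ud64 ALL=(ALL) NOPASSWD: {sysud64}\n"
                   f"alice ALL=(root) {harmless}, {sysud64} -f\n")
        known = {sha256_of(strace): "strace"}        # hash allowlist built on a trusted host
        return find_renamed_copies(sudoers, known)
```

On a real host the hash table would be built from the distribution's package files for tracing and debugging tools, and the audit run against /etc/sudoers and /etc/sudoers.d/*.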