Thursday, December 22, 2016

Vulnhub Walkthrough: 64Base 1.0.1

Download
https://www.vulnhub.com/entry/64base-101,173/

Goal

Capture all 6 flags in flag{base64encoded} format

Walkthrough
Initial nmap shows an open port 22 (not ssh), a web server on 80, an open port 4899 and ssh on 62964


Browsing to the site shows a base64 clue right off the bat.


Decoding the message reveals a hint to look at the source < that was going to be my next step anyway :)


Looking at the source reveals a long alphanumeric string


Sending the string to the burp suite decoder, decoding first as ascii-hex and then as base64, reveals flag1

flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}

Decoding the flag shows a username and password of 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4


With nowhere else to go I fall back to dirb, but there are sooo many listings

*snippet of dirb

I remember that the initial nmap revealed a robots.txt file and it's loooong

*snippet of robots.txt

I revert to burp and spider the site, then filter the site map for 4xx responses and find admin

The admin page reveals a login, but the credentials revealed in flag1 do not work


With nothing left to go on, I try the two unknown ports...

Port 22 doesn't respond to ssh; nc gives output, but no way in


Port 4899 gives output as well, but again no way in


Out of options, I go back to the website and find an interesting portion of the post page


With all those folders in the robots.txt I figure there has to be something else. Looking at the post page, I notice below the wanted image there is a stanza of "Only respond if you are a real Imperial-Class BountyHunter"

Looking through the site map I notice Imperial-class doesn't get any response like all the other fake directories


Browsing to the directory gives a 404...however


If we look at the stanza though, Class has a capital C...and changing it in the path reveals a page


Looking at the source it seems we have to add BountyHunter to our path


And now another login


Looking at the source reveals nothing, but we have to POST to login.php


Browsing to the login.php page changes the path, adding index.php. Looking at that source reveals three more alphanumeric strings. It seems there is both an index.html and an index.php


The strings on their own do nothing, but putting them all together through burp decoder reveals flag2

flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}

The decoded flag gives no hints, just a video of Darth Vader burping...enjoy

At a dead end again, I go back to burp to see if I can't log in to that BountyHunter page. Looking at the request, it seems we're passing basic authentication already. Hmmm?

I guess there was a hint after all...burp

Sending it to burp repeater, it becomes apparent that we're not sending a POST to login.php, but rather just a GET to index.php. Simply changing the file is enough and we have flag3

flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}

Decoding the flag reveals our 53cr3t5h377 path


Browsing to the path reveals what looks like a shell


Remembering back to the post page instructions, we need to use system and not exec. This change reveals flag4

flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}

Decoding the flag reveals more credentials...


Which do not work on the admin page, nor for ssh on port 62964



So now begins trial and error as I find I'm very limited as to what can be done with this shell...

nc reveals grumpy cat


ls with options works


From what I can tell the following commands work
ls (with options)
ls .. < only up one directory
nc < brings up grumpy cat
ps (with options)
locate < revealed using --help
base64 < revealed using --help
xxd < revealed using --help
id
whoami

I'm also able to pull up files listed by the ls command...here is cat

After much more keyboard bashing, locate, find and xargs are my saviors, revealing flag5. I was able to browse the entire file system, but ended up finding the flag in the admin folder that I've been trying to get to since the beginning

flag5{TG9vayBJbnNpZGUhIDpECg==}

Decoding the flag tells us to look inside

Using a combination of the commands, I tried obvious ways to read the file...with no luck

less response

more response

With no way to read the file, I remember we're able to read files in the BountyHunter directory and xargs allows us to copy files. Running locate admin | xargs find | grep flag | xargs cp -t . copies the flag file to the BountyHunter directory

And of course we're not able to view it...

Looking at the permissions, the mode is only 004 (read)

Many tries my friends, many tries, and I get the permissions changed. I needed to use all the commands originally used. Final string: locate BountyHunter | xargs find | grep flag | xargs chmod 777

File reveals an image

Downloading the image and "looking inside" using exiftool reveals another long alphanumeric string
*snippet of exiftool output

Throwing the long string at the burp decoder, decoding first as ascii-hex and then as base64, reveals a private key. To get it into a file, I ran the string on the command line with echo longstring | xxd -r -p | base64 -d > priv.key
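The two decode chains used in this walkthrough (plain base64 inside flagN{...}, and ascii-hex followed by base64 for the strings pulled from the page source and the image metadata) as an added Python example; this is not code from the original post, and the hex sample is constructed in the block rather than taken from the VM.

```python
"""Decode the layered encodings seen in the 64Base walkthrough.

Added example, not part of the original write-up. Flag payloads are
base64 inside flagN{...}; the longer strings were ascii-hex wrapping
base64 (the `xxd -r -p | base64 -d` chain from the post).
"""
import base64
import binascii
import re

FLAG_RE = re.compile(r"^flag\d\{([A-Za-z0-9+/=]+)\}$")
CREDS_RE = re.compile(r"^([^:/\s]+):([^/\s]+)$")


def decode_flag(flag: str) -> str:
    """Strip the flagN{...} wrapper and base64-decode the payload."""
    m = FLAG_RE.match(flag.strip())
    if not m:
        raise ValueError(f"not in flagN{{base64}} format: {flag!r}")
    # validate=True rejects stray characters instead of silently skipping them
    return base64.b64decode(m.group(1), validate=True).decode().rstrip("\n")


def hex_then_base64(blob: str) -> bytes:
    """ascii-hex -> base64 -> bytes, the chain used for flag1 and the key."""
    raw = binascii.unhexlify("".join(blob.split()))  # tolerate line breaks
    return base64.b64decode(raw, validate=True)


def split_credentials(decoded: str):
    """Several flags decode to user:password; return the pair, else None."""
    m = CREDS_RE.match(decoded)
    return (m.group(1), m.group(2)) if m else None


# Flags quoted in the walkthrough
FLAG4 = "flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}"
FLAG5 = "flag5{TG9vayBJbnNpZGUhIDpECg==}"

# Constructed sample of the hex-over-base64 layering (not from the page)
SAMPLE_HEX = binascii.hexlify(base64.b64encode(b"constructed sample\n")).decode()

if __name__ == "__main__":
    for f in (FLAG4, FLAG5):
        text = decode_flag(f)
        print(f"{f[:5]} -> {text!r}  creds={split_credentials(text)}")
    print(hex_then_base64(SAMPLE_HEX))
```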


Now with a private key, I change its permissions and attempt ssh to the host using the key. Prompted for a passphrase, I try 'usetheforce' as in the picture...it works! revealing flag6


flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}

Challenge not over...

Decoding the flag, first through burp, then through the command line for a better screenshot, reveals one last clue


Running the revealed command shows the ending credits

*snippet of ending credits

1 comment:

  1. Thanks bruhh, I got stuck in the shell and you gave me some great insight!