Thursday, December 22, 2016

Vulnhub Walkthrough: 64Base 1.0.1



Capture all 6 flags in flag{base64encoded} format

Initial nmap shows port 22 open (not ssh), a web server on 80, port 4899 open and ssh on 62964

Browsing to the site shows a base64 clue right off the bat.

Decoding the message says to look at the source < was going to be my next step anyways :)

Looking at the source reveals a long alpha-numeric string

Sending the string to Burp Suite decoder, with an initial decode as ascii-hex and then base64, reveals flag1


Decoding flag shows a username and password of 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4

With nowhere else to go I fall back to dirb, but there are sooo many listings

*snippet of dirb

I remember that the initial nmap revealed a robots.txt file, and it's loooong

*snippet of robots.txt

I go back to Burp and spider the site, then filter the site map for 4xx responses and find admin

The admin page reveals a login, but the credentials revealed in flag1 do not work

With nothing left to go on, I try the two unknown ports...

Port 22 doesn't respond to ssh; nc gives output, but no way in

Port 4899 gives output, but no way in either

Out of options, I go back to the website and find an interesting portion of the post page

With all those folders in the robots.txt I figure there has to be something else. Looking at the post page, I notice below the wanted image there is a stanza of "Only respond if you are a real Imperial-Class BountyHunter"

Looking through the site map I notice Imperial-class doesn't get a response like all the other fake directories do

Browsing to the directory gives a 404...however

If we look at the stanza though, class has a capital C...and changing it in the path reveals a page

Looking at the source it seems we have to add BountyHunter to our path

And now another login

Looking at the source reveals nothing, but we have to POST to login.php

Browsing to the login.php page changes the path, adding index.php. Looking at that source reveals three more alphanumeric strings. Seems there are both an index.html and an index.php

The strings on their own do nothing, but putting them all together through Burp decoder reveals flag2


The decoded flag gives no hints, just a video of Darth Vader burping...enjoy

At a dead end again, I go back to Burp to see if I can't log in to that BountyHunter page. Looking at the request, it seems we're passing basic authentication already. Hmmm?

I guess there was a hint after all...burp

Sending it to Burp Repeater, it becomes apparent that we're not sending a POST to login.php, but rather just a GET to index.php. Simply changing the file is enough and we have flag3


Decoding the flag reveals our 53cr3t5h377 path

Browsing to the path reveals what looks like a shell

Remembering the post page instructions, we need to use system and not exec. This change reveals flag4


Decoding the flag reveals more credentials...

Which do not work on the admin page, nor for ssh on port 62964

So now begins trial and error as I find I'm very limited as to what can be done with this shell...

nc reveals grumpy cat

ls with options works

From what I can tell the following commands work:
ls (with options)
ls .. < only up one directory
nc < brings up grumpy cat
ps (with options)
locate < revealed using --help
base64 < revealed using --help
xxd < revealed using --help

cat is also able to pull up the files listed by ls

After much more keyboard bashing, locate, find and xargs are my saviors, revealing flag5. I was able to browse the entire file system, but ended up finding the flag in the admin folder that I've been trying to get to since the beginning

Decoding the flag says to look inside

Using a combination of the commands, I tried the obvious ways to read the file...with no luck

less response

more response

With no way to read the file, I remember we're able to read files in the BountyHunter directory and xargs allows copying files. Running locate admin | xargs find | grep flag | xargs cp -t . copies the flag file to the BountyHunter directory

And of course we're not able to view it...

Looking at the permissions, it's only read, 004

Many tries my friends, many tries, and I get the permissions changed. I needed to use all the commands used originally. Final string: locate BountyHunter | xargs find | grep flag | xargs chmod 777

File reveals an image

Downloading the image and "looking inside" using exiftool reveals another long alphanumeric string
*snippet of exiftool output

Throwing the long string at Burp decoder with an initial decode as ascii-hex and then base64 reveals a private key. To get it into a file, I ran the string through the command line with echo longstring | xxd -r -p | base64 -d > priv.key

Now with a private key, I change its permissions and attempt ssh to the host using the key. Prompted for a passphrase, I try 'usetheforce' and it works, revealing flag6
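As an added example (not part of the original walkthrough), here is a small Python script that automates the decode chain used for flag1 and again for the private key above: peel ascii-hex and base64 layers until a flag{...} appears, then decode the base64 inside the braces. The SAMPLE string and the wrap() helper are constructed for illustration, not values from the VM.

```python
import base64
import binascii
import re
import string

# The challenge's flag format: flag{<base64 of the real message>}.
FLAG_RE = re.compile(r"flag\{([A-Za-z0-9+/=]+)\}")


def _looks_like_hex(text: str) -> bool:
    # Even length and only hex digits. A pure base64 string could in theory
    # also satisfy this, so the hex layer is tried first and base64 second.
    return len(text) % 2 == 0 and all(c in string.hexdigits for c in text)


def peel(blob: str, max_layers: int = 8):
    """Strip ascii-hex / base64 layers until a flag{...} appears.

    Returns (layers_removed, decoded_inner_message). Fragments found in
    several places (as with flag2) should be concatenated before calling.
    """
    current = blob
    layers = []
    for _ in range(max_layers):
        current = "".join(current.split())  # tolerate wrapped/indented output
        match = FLAG_RE.search(current)
        if match:
            inner = base64.b64decode(match.group(1)).decode("utf-8", "replace")
            return layers, inner
        if _looks_like_hex(current):
            # latin-1 keeps every byte value, so binary layers survive intact
            current = bytes.fromhex(current).decode("latin-1")
            layers.append("hex")
            continue
        try:
            current = base64.b64decode(current, validate=True).decode("latin-1")
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"no flag found after layers {layers}: {exc}") from exc
        layers.append("base64")
    raise ValueError(f"gave up after {max_layers} layers")


def wrap(secret: str) -> str:
    """Inverse of peel(), for building test vectors: flag{base64}, then base64, then hex."""
    flag = "flag{" + base64.b64encode(secret.encode()).decode() + "}"
    return base64.b64encode(flag.encode()).hex()


# Constructed sample: hex(base64("flag{aGk=}")); the inner message is "hi".
SAMPLE = "5a6d78685a3374685232733966513d3d"

if __name__ == "__main__":
    print(peel(SAMPLE))  # (['hex', 'base64'], 'hi')
```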


Challenge not over...

Decoding the flag, first through Burp and then through the command line for a better screenshot, reveals one last clue

Running the revealed command shows the ending credits

*snippet of ending credits

1 comment:

  1. Thanks bruhh, I got stuck in the shell and you gave me some great insight!