64base 1.0.1 Vulnhub VM Write-up
64Base 1.0.1 is a Boot2root VM which can be downloaded from here.
Introduction
The Vulnhub victim was run in a VirtualBox VM with Host-only adapter interface IP 192.168.56.101 assigned to it.
The attacker machine also had a Host-only adapter interface IP 192.168.56.1 assigned to it.
Note that a general trick to locate a Vulnhub VM on a network, if the VM does not display its IP, is to run an Nmap scan for common ports. For example, if the host-only interface on the attacker machine is named vboxnet0 and has IP 192.168.56.1, we scan the network range 192.168.56.0/24:
nmap -sS -p22,80,443 192.168.56.0/24
We can then investigate all the machines with open ports to identify the machine which could be a possible victim.
Flag 1
Once we start the VM, we see that 3 ports are open: 80, 22, 4899, 62964.
Ports 22, 4899 are presumed to be trolled attempts — I tried to check for buffer overflow, but saw no visible response. The command used was:
python -c 'print("A"*20000)' | nc 192.168.56.102 4899
On port 80, we access /index.html, and view the source code of the app. We notice a strange comment in the source code:
dmlldyBzb3VyY2UgO0QK
Base64-decoded, this translates to “View Source Code ;D”. Note that we will use Burp’s Decoder module to perform the different types of decoding.

Typical ones in this challenge were ASCII Hex and Base64.
5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a
This translates via ASCII Hex → Base64 to flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}. The value within the flag is 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4. So we have a set of credentials which we will require for Flag 4.
An important clue, which proves crucial at a later stage, is the message in the picture on the /post.html page:
use SYSTEM instead of EXEC to run the secret 5H377
Flag 2
To get the next flag, we have to prepare a wordlist from the various web pages. We use cewl to generate the wordlist and john to expand it with word-mangling rules:
cewl -m5 -d5 http://192.168.56.102/ > wordlist.txt
john --wordlist=wordlist.txt --stdout --rules=Wordlist > wordlist_out.txt
We use the following command to find hidden pages on the server:
dirb -r http://192.168.56.102/ wordlist_out.txt
When we try to brute-force a page on the server, we find a page for /Imperial-Class. The message on the page is “[☠] ERROR: incorrect path!…. TO THE DARK SIDE!”. On reviewing the source code again, we see a hint:
<!-- don't forget the BountyHunter login -->
So, we just try to force access to the /Imperial-Class/BountyHunter page and are presented with a login screen. I tried to brute-force with various dictionaries but nothing worked. When I looked closely at the page, I noticed that the ID attributes and the comment could be combined to make an encoded message.

By applying ASCII hex → Base64 decoding on the following message,
5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c3252714d544a54626d51315a45566157464655614446525557383966516f3d0a
we get:
flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}
On Base64 decoding the flag value, we get a link to the following image:
Flag 3
In Burp, we review the login POST request in the Proxy HTTP History module. We notice that the 302 response to the username/password POST actually contains a flag as well!

flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}
On base64 decoding of the flag, we get:
53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id
Flag 4
So we access the page /Imperial-Class/BountyHunter/login.php?f=exec&c=id, where we find a page called “64Base Command Shell”. Using the clue found during Flag 1 (use SYSTEM instead of EXEC), we are now able to get a shell at /Imperial-Class/BountyHunter/login.php?f=system&c=id.

Flag 4 is also displayed, which translates to the following on applying base64 decoding:
64base:64base5h377
This is the second set of credentials, and from it we can derive the SSH credentials. The username is still 64base, and the password is the base64 encoding of 64base5h377, which is NjRiYXNlNWgzNzcK.
On connecting via SSH to the Vulnhub VM, we discover that we are actually in a restricted bash shell. We can check this with the command 'export | grep SHELL'. We are able to bypass the restriction with the following command:
ssh -p 62964 64base@192.168.56.102 -t "bash --noprofile"
Flag 5
The first thing I do after getting a shell is to check the web folder for any hidden pages/content that I couldn’t see/detect through a browser or determine via dirb.
I notice a file called flag5{TG9vayBJbnNpZGUhIDpECg==} in the directory /var/www/html/admin/S3cR37. This is actually a JPG file which on display shows the following picture:

We notice something strange about the JPEG. On running ‘file’ command on the file to determine the file type, we notice that there is a comment which appears to be an ASCII Hex comment. On viewing the file, we can see a large section of the ASCII Hex Comment. Using Burp and applying ASCII Hex → Base64 decoding, we get a private encrypted key file which we assume provides us root access.
Flag 6
On running the following ssh command, we are asked to provide a password, which turns out to be “usetheforce”.
ssh -p 62964 root@192.168.56.101
We are able to retrieve the final flag from the message of the day itself:
flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}
By applying Base64 → ASCII Hex → Base64 → ASCII Hex → Base64 decoding, we get a file path which contains the congratulations message:
base64 -d /var/local/.luke|less.real
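The layered decoding used for Flag 1 (ASCII Hex → Base64) and Flag 6 (Base64 → ASCII Hex → Base64 → ASCII Hex → Base64) can be scripted instead of being done by hand in Burp's Decoder. The following Python is an added example, not part of the original write-up: the function names peel, decode_layer and flag_value are assumptions made for illustration, and FLAG1_HEX is the hex string from the Flag 1 section. It generalizes to any mix of the two encodings.

```python
import base64
import binascii
import re
import string

# Hex string copied from the Flag 1 section of this write-up.
FLAG1_HEX = "5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a"
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def _printable(raw):
    """Return raw as text if it is printable ASCII, else None."""
    text = raw.decode("ascii", errors="replace")
    return text if all(c in string.printable for c in text) else None

def decode_layer(text):
    """Decode one layer. Hex is tried first: hex digits are also valid Base64."""
    text = text.strip()
    if HEX_RE.match(text):
        out = _printable(bytes.fromhex(text))
        if out is not None:
            return "hex", out
    if len(text) % 4 == 0 and B64_RE.match(text):
        try:
            out = _printable(base64.b64decode(text, validate=True))
        except binascii.Error:
            return None
        if out is not None:
            return "base64", out
    return None

def peel(text, max_layers=10):
    """Strip hex/Base64 layers until the text no longer looks encoded."""
    layers = []
    for _ in range(max_layers):
        step = decode_layer(text)
        if step is None:
            break
        layers.append(step[0])
        text = step[1]
    return layers, text.strip()

def flag_value(text):
    """Peel the value inside a flagN{...} wrapper, or return None."""
    match = re.search(r"flag\d\{([^}]*)\}", text)
    return peel(match.group(1)) if match else None

if __name__ == "__main__":
    print(peel(FLAG1_HEX))
```

The printable-ASCII check is what stops the loop; a short plaintext that happens to be valid hex or Base64 could still be decoded one layer too far, so the returned layer list should be reviewed.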

Acknowledgements
Great Challenge! Loved every second of it — thank you 3mrgnc3!
THE END
