VulnHub: Connect The Dots Walkthrough
Connect the Dots is a beginner to intermediate level VM created by Sumit Verma and can be found here.
Objective: get /home/user.txt and /root/root.txt
It has been a while since I have done any CTF write-ups, so I may be a bit rusty! Be gentle! :)
Step 1: Enumeration
As we all know, there is only one way to begin, a nice verbose nmap scan of the host:
nmap -O -A -sT -sV -p- -T4 192.168.56.105 -vv
This gives us some nice info
We look to have a website hosted on port 80, an FTP service running on 21, rpcbind running on 111, and, most interesting, the NFS and SSH services running on 2049 and 7822 respectively.
First, let's check out the website being hosted on the box.
Okay, subtle hints in there pointing to possible usernames etc., and a mention of backups, but nothing interesting in the source code of the index. I also downloaded both images for safekeeping as they jump out at me and might point to some steg stuff!
Next, I fired up Nikto and Wfuzz to see if they could bring back anything juicy:
interesting directories:
/hits.txt — is interesting at first, but then it turns out it is just a nice motivational message:
/images/ — Does not hold anything interesting bar the images hosted on the index.
/javascript/ — Dir exists but we get a 403 on it
/backups/ — ohh what do we have here…
trolled again..
/manual/ and /icons/ — Default apache manual and icons readme, nothing interesting
Nikto has pointed out there is both an index.html and an index.htm. On the surface they do not look any different, but checking the source of the index.htm file I see some comments:
Let's take a look at that register form and make a note of the second comment.
Cool, a registration form.. testing out a number of parameters and checking the source, it looks like this form does not really function!
Checking out the /mysite/ directory, it only looks to hold some bootstrap styling files for the site, nothing really interesting (for now…)
After going over the site again a couple of times, I moved on to the services we saw earlier.
21: vsftpd, telnet reveals a not so informative banner
Tried a couple of random logins here (God, doG, Jesus etc.).. nada.
7822: OpenSSH_7.9p1, no interesting banner
2049: NFS, there looks to be an nfs share configured here :)
Step 2: Getting one foot in
Sweet, but once the NFS share is mounted we can't access anything.. we can only see the uid of the file owners, not the username.
Knowing Linux, uid 1000 is normally the uid of the first user created on the system, so we go ahead and create a local user with that id to see if we can access anything… bingo!
After snooping around in the folders, there is nothing of value bar an SSH private key in the .ssh folder. Trying to ssh as morris@192.168.56.105 with the key, it still prompts me for a password.. after a couple of James Bond reference guesses.. still no dice.
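The reason the uid-1000 trick above works is that plain AUTH_SYS NFS takes the client's word for which uid is asking. As an added defender-side check (my script, not part of the original post), this parses an /etc/exports file and flags exports that rely on that trust; SAMPLE_EXPORTS is a constructed file, not the VM's.

```shell
#!/bin/sh
# Constructed sample of an /etc/exports file (not the VM's real configuration).
SAMPLE_EXPORTS='# home directory export
/home/morris  *(rw,sync,no_subtree_check)
/srv/backup   192.168.56.0/24(ro,sync,all_squash,anonuid=65534,anongid=65534)
/srv/share    192.168.56.10(rw,sync,sec=krb5p,root_squash)'

# Read /etc/exports text from stdin and print one RISK line per weak entry.
# With the default AUTH_SYS flavour the server believes whatever uid/gid the
# client sends, so a local user created with the file owner's uid maps straight
# to that owner; only all_squash or Kerberos (sec=krb5*) closes that gap.
audit_exports() {
    set -f   # keep "*" in the client column from being glob-expanded
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    while read -r path clients; do
        for entry in $clients; do          # each entry is host(option,option,...)
            host=${entry%%\(*}
            opts=${entry#*\(}; opts=${opts%\)}
            if [ "$opts" = "$entry" ]; then opts=''; fi   # entry had no option list
            case ",$opts," in
                *,all_squash,*)     squash=all ;;
                *,no_root_squash,*) squash=none ;;
                *)                  squash=root ;;
            esac
            case ",$opts," in
                *,sec=krb5*) auth=krb5 ;;
                *)           auth=sys ;;
            esac
            if [ "$host" = '*' ]; then
                printf 'RISK %s: exported to any host\n' "$path"
            fi
            if [ "$auth" = sys ] && [ "$squash" != all ]; then
                printf 'RISK %s %s: AUTH_SYS with %s squash, client-chosen uids map to local users\n' \
                    "$path" "$host" "$squash"
            fi
        done
    done
    set +f
}

# Number of RISK lines for a given exports text.
count_risks() { printf '%s\n' "$1" | audit_exports | awk 'END { print NR }'; }

# Stand-alone run against the constructed sample (on a real server: audit_exports < /etc/exports).
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```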
Looking over at the FTP service now.. having a look around for vsftpd vulnerabilities, I find there is a backdoor for a newer version, but trying this it tells me ‘The service is running with anonymous login enabled’, so the exploit fails..
I try a bunch of different creds to get in, but still nothing.. I remember what is on the index page (about M and N) and try to log in with the username norris and password sorrin.. still not able.. but a different message confirms that there is a user with the username norris:
At this point I am feeling a bit frustrated, like I am missing something simple.. but I continue and take a look for info hidden in the images I downloaded earlier.
Running strings on the game.jpg image doesn't reveal anything (the other image is a gif and can't be used for steg), but then kicking off steghide, I get prompted for a pass!
After another countless number of guesses, I finally relent and try to crack the image pass with Stegcracker and the rockyou password list (last act of a desperate man).
While that is running, I pore back over the NFS stuff and frantically google a million different ways to exploit NFS.. but I can't find anything that can help me out in this instance.
I fire up DirBuster (to the detriment of my VM) and try to smash back over the website to see if I am missing anything.. no new dirs found! WHAT AM I MISSING!!!
I have a word with my inner enumeration demon and tell him we need to go over everything on the website.. after an hour or so I get back to the /mysite/ directory (the one from earlier with all the bootstrap styling stuff in it).
Going through each of the files I find something strange in the bootstrap.min.cs file:
I have not seen this before, definitely looks like some sort of encoding!
Looking at the browser console, it never actually compiles or executes, and after 15–20 mins of googling I see it turns out to be JSFuck, a style of JavaScript written using only six different characters.. oh boy! This makes me feel good :)
After eventually decoding the string we get:
Awesome! This spurred me on. Now we SSH to the VM as norris with this password and we have one foot in the host!
Boom — as soon as we are in, checking in the home dir we can see the user flag:
Step 3: Getting The Root Flag
There are some other interesting files in /home/norris/ftp/files
At this point I went off on a tangent trying to get root in many different ways; for about 3-4 hours I was reading into different SUID binary exploits, NFS exploits again and further Apache exploits.
A similar thing happened as at the beginning of this challenge: I stopped for a couple of minutes and said “there is something I am missing”, and thought there is something right in front of me that I am not using.. So I went back over everything, including running a number of different exploit suggester scripts on the host, which flagged up false positives.. (sigh..)
I went back to the files in /home/norris/ftp/files, copied them all down to my Kali host and started to analyze them one by one.
backups.bak — revealed nothing of interest
hits.txt.bak — pointed to a pastebin link with the salty motivational message :/
m.gif.bak — did not reveal anything
game.jpg.bak — Running the strings command on this file revealed something interesting indeed..
Dots and dashes can only mean one thing! MORSE CODE! :) I was happy with myself for recognizing this right off!
Then we decode it:
Awesome.. no root flag but it is still a clue.. “In a secret place which is publicly accessible”. I took this as referring to some directory in the /var/www/ folder and took a look:
There we go — the secret file does not actually read much..
Bummer.. but then we take a look at the .secretfile.swp and get a permission denied error… :(
I scrambled around for about 30 minutes before figuring out that everything in this directory is actually served up by the website… duh..
YESSss… I downloaded the swp file and ran the strings command on it — and we got a pass for the morris account:
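Both the JSFuck blob hidden in the /mysite/ stylesheet and the .swp file served from /var/www/ are things a quick sweep of a webroot would have caught. This added script (mine, not from the post) builds a constructed throwaway webroot and runs two such checks over it: stray editor swap/backup files, and long runs of the six JSFuck characters inside static files; the file names under it are samples, not the VM's.

```shell
#!/bin/sh
# Build a constructed throwaway webroot so the checks can run offline
# (these are sample files, not the VM's real /var/www contents).
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/mysite" "$root/backups"
    printf 'body{margin:0}\n' > "$root/mysite/style.css"
    # A JSFuck expression that evaluates to "tar" ("true"[0] + "false"[1] + "true"[1]),
    # appended where a minified stylesheet would hide it:
    printf 'a{color:red}%s\n' '(!![]+[])[+[]]+(![]+[])[+!![]]+(!![]+[])[+!![]]' > "$root/mysite/bootstrap.min.css"
    printf 'placeholder\n' > "$root/backups/.secretfile.swp"
    printf 'placeholder\n' > "$root/index.html~"
    printf '%s\n' "$root"
}

# Editor swap and backup files dropped under a webroot are served like any other
# file; list them so they can be removed (or blocked in the server config).
find_stray_files() {
    find "$1" -type f \( -name '.*.sw[pon]' -o -name '*~' -o -name '*.bak' -o -name '*.orig' \) | sort
}

# List files containing a run of at least $2 (default 40) characters made only of
# the six JSFuck symbols []()!+ ; real payloads run to thousands of characters,
# so the threshold is deliberately low for the small sample.
find_jsfuck_runs() {
    min=${2:-40}
    grep -rlE "[][()!+]{$min,}" "$1" 2>/dev/null | sort
}

count_lines() { awk 'END { print NR }'; }

# Stand-alone run against the constructed webroot (use /var/www on a real host).
ROOT=$(make_sample_webroot)
find_stray_files "$ROOT"
find_jsfuck_runs "$ROOT"
rm -rf "$ROOT"
```

Decode a flagged run only in a throwaway interpreter, since a JSFuck expression can build and call Function just like any other JavaScript.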
Awesome — at this point, I felt I was so close to this vm so I did not want to stop!
After logging in with the morris account, it looks like the account is not root and does not have sudo access or anything neat.. this section was the most frustrating part..
I read so many articles on privilege escalation and tried so many kernel/SUID exploits that the words lost all meaning.. it was educational, but I felt like I was never going to get this challenge done.. cue my last gasps googling phrases like “stealing root directory remotely” and “what programs can access root directory”.. and then I came across an iOS article/book preview related to stealing live filesystem data.. with tar.. (line 4)
I thought “if this works.. it will be amazing!! :DD”.. I tried to tar the /root directory with the morris account.. and got a permission denied error (I cried a bit inside at this point).
Then I tried the same commands with the initial norris account I had…
SWEET BLACKHAT JESUS.. IT WORKED! I was ecstatic at this point.. but did not want to get ahead of myself.. as there were so many rabbit holes in this vm..
But after the archive was created, we could extract it in norris's home directory.. and get the ROOT flag!!!1!
This challenge was pretty good.. although I wanted to bang my head against the wall at every turn, it definitely was worth the dopamine release after it was completed!
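The post does not say why tar run as norris could archive /root when the same command failed as morris. On Linux, one common cause of a tar binary that reads files its caller cannot is a file capability such as cap_dac_read_search set on it, which is exactly what a SUID-only search misses. This added audit (my script, not from the post) parses getcap output for such capabilities; SAMPLE_GETCAP is constructed data, not output captured from the VM, and the live check assumes libcap's getcap is installed.

```shell
#!/bin/sh
# Constructed lines in the output format of `getcap -r / 2>/dev/null`
# (sample data, not captured from the VM).
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/sbin/arping = cap_net_raw+ep
/usr/bin/python3 = cap_setuid+ep'

# Capabilities that let a non-root process read, write or take over root-owned
# resources; cap_dac_read_search alone bypasses read/search permission checks on any file.
RISKY_CAPS='cap_dac_read_search cap_dac_override cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

# Read getcap lines from stdin (both the older "path = caps+ep" and the newer
# "path caps=ep" layouts) and print "path capability" for every risky one found.
audit_caps() {
    while read -r bin f2 f3; do
        case "$f2" in
            '=') caps=$f3 ;;
            *)   caps=$f2 ;;
        esac
        names=${caps%%[+=-]*}          # drop the flag suffix, keep "cap_a,cap_b"
        for c in $(printf '%s\n' "$names" | tr ',' ' '); do
            for r in $RISKY_CAPS; do
                if [ "$c" = "$r" ]; then
                    printf '%s %s\n' "$bin" "$c"
                fi
            done
        done
    done
}

# Number of risky capability findings in the getcap text on stdin.
count_risky() { audit_caps | awk 'END { print NR }'; }

# Live check on the host being audited (assumes libcap's getcap is installed).
audit_live() { getcap -r / 2>/dev/null | audit_caps; }

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_GETCAP" | audit_caps
```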
My 4 Takeaways from this challenge:
- This CherryTree template is a must-have for note taking
- Check everything in front of you, every single small file or folder.. check it! Then check it again!!
- Set time limits on how long you want to go down a rabbit hole for; multiple times I was spending an hour or so on trivial unrelated stuff when I could have stood back for a minute and re-evaluated after a certain period
- ENUMERATE MORE, AND MORE AND MORE, AND TRY HARDER! :)
Cheers for reading,
Barry