This is my write-up of the “CherryBlossom” CTF, a rather well-written set of challenges by MuirlandOracle. It emphasises cryptography, password cracking and steganography - a very refreshing departure from the traditional aims and techniques of rooting a box, which in this case is only achievable through the aforementioned techniques.
Standard practice ain’t it. Good ol’ NMAP.
nmap -sV --script vuln 10.10.200.187
The thing of interest is that it is running SAMBA. The --script vuln run has identified a vulnerability where it is capable of being DoS’d, but that’s not really helpful for us… Let’s dig deeper into this whole SAMBA thing. NMAP has a script just for that!
nmap --script smb-enum-shares 10.10.200.187
Exploitation via SAMBA
Now that’s interesting: we have anonymous access to a SAMBA share AND read/write. Let’s connect!
Here is where I’ll start to blank out certain things, so as not to spoil it for yourself…
There’s a file of interest there; let’s download it using smbmap, specifying the share and then the filename discovered above.
The Beginnings of Steganography
Opening it… mhm… certainly nothing of a flag yet.
But notice the = at the end of the file? Trailing = is base64 padding, which tells me this is possibly base64 encoded… So let’s decode it!
cat downloadedfile.txt | base64 -d > decodedfile
Oh! The result of decoding is a PNG file. Okay, let’s have a look!
And… it’s a blossom tree - how fitting. Remember how I mentioned steganography? Here’s where we crack the knuckles and get to work. Maybe there’s more to this tree than what we see…
I had a year-long module’s worth of digital forensics, where steganography was part and parcel - so I’d like to think I had a somewhat upper hand here. But that was two years ago, so I read through a quick cheatsheet I had to hand.
Hiding contents in files isn’t new, and there are tools to find it! After a bit of trial-and-error, I ended up using stegpy to extract the contents of this PNG file.
It manages to extract a zip file, sweet! Let’s
Oh… okay. Invalid zip file? Perhaps it’s corrupt. However, we’re told that the header is an invalid signature - so it’s more probable that someone has tampered with it.
I won’t cover file headers/trailers in depth, but think of them like so:
- File header: the identifier (magic bytes) of the type of file, at the very start of the file
- File trailer: the end-of-file marker for that type of file
Anything in between these values is the actual content itself!
Opening the file in a hex editor, we can see there’s something odd…
The file header of a ZIP file is 50 4B 03 04, not whatever that file has - that’ll explain why we can’t unzip it.
So… what if we change it to the correct file header?
Notice the “PK” that now shows up (50 4B in hex), but also the hex values that we’ve replaced - now this should be a zip file.
Let’s unzip it again.
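The base64-to-PNG step and the header repair above are both “check the magic bytes” problems, so here is an added example (my own code, not from the write-up or from the CTF author) that does the same thing programmatically: decode a base64 blob, identify the result by its magic, detect a ZIP whose local-file-header signature has been clobbered, and patch it back to 50 4B 03 04. The sample ZIP is constructed in memory and then deliberately corrupted, so it runs offline; the file names and contents are made up for the demo.

```python
import base64
import binascii
import io
import zipfile

# Magic numbers (file headers) for the formats met on this box.
MAGICS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",             # ZIP local file header signature
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\xff\xd8\xff": "jpeg",
}

# Constructed sample standing in for the base64 text pulled off the share:
# a PNG signature plus padding, base64-encoded.
SAMPLE_PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)


def identify(data: bytes) -> str:
    """Return the format whose magic prefixes `data`, else 'unknown'."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def decode_base64_if_possible(data: bytes) -> bytes:
    """Strict base64 decode (the trailing '=' hint); returns the input
    unchanged when it is not valid base64 rather than guessing."""
    try:
        return base64.b64decode(data.strip(), validate=True)
    except (binascii.Error, ValueError):
        return data


def is_readable_zip(data: bytes) -> bool:
    """True when the archive opens and every member reads back cleanly.
    A clobbered local header makes testzip() report the member as bad."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def repair_zip_header(data: bytes) -> bytes:
    """Overwrite the first four bytes with the ZIP local-file-header
    signature. Only do so if the rest still looks like a ZIP: the
    end-of-central-directory record 'PK\\x05\\x06' must be present."""
    if b"PK\x05\x06" not in data:
        raise ValueError("no end-of-central-directory record: not a damaged ZIP")
    return b"PK\x03\x04" + data[4:]


def build_sample_zip() -> bytes:
    """Constructed sample: a small ZIP built in memory (not the CTF's file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("journal.txt", "constructed sample content\n")
    return buf.getvalue()


def corrupt_header(data: bytes) -> bytes:
    """Mimic the tampering seen in the hex editor: zero the 4-byte signature."""
    return b"\x00\x00\x00\x00" + data[4:]


if __name__ == "__main__":
    print(identify(decode_base64_if_possible(SAMPLE_PNG_B64)))  # png
    good = build_sample_zip()
    bad = corrupt_header(good)
    print(identify(bad), is_readable_zip(bad))                   # unknown False
    fixed = repair_zip_header(bad)
    print(identify(fixed), is_readable_zip(fixed))               # zip True
```

The check for the end-of-central-directory record matters: ZIP readers locate members from the end of the file, so a blob with no `PK\x05\x06` is not a ZIP with a bad header, it is something else, and writing `PK\x03\x04` over it would only hide that.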
Password? Uh oh! I haven’t come across something that could be a password.
Letsa get crackin’!
fcrackzip and the CTF-standard rockyou.txt as the wordlist. -D selects dictionary mode, -p names the wordlist, and -u makes fcrackzip verify each candidate with unzip, which weeds out the false positives its quick check would otherwise report.
fcrackzip -D -u -p <path to rockyou.txt> journal.zip
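To show what fcrackzip is actually attacking, here is an added example (my own code, not from the write-up or from fcrackzip) of the traditional PKWARE “ZipCrypto” scheme and a dictionary attack against it, using only the Python standard library. It builds a one-member encrypted archive by hand (Python’s zipfile can read ZipCrypto but not write it), then tries candidates from a tiny constructed wordlist that stands in for rockyou.txt; the archive name, content and password are made up.

```python
import io
import struct
import zipfile
import zlib


def _make_crc_table():
    """Reflected CRC-32 table; ZipCrypto's key schedule is built on it."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _make_crc_table()


class ZipCrypto:
    """PKWARE traditional ZIP encryption (APPNOTE section 6.1).
    The whole secret is three 32-bit keys derived from the password."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = (self.k0 >> 8) ^ CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for p in plain:
            out.append(p ^ self._keystream_byte())
            self._update(p)  # the keys advance on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: bytes, plain: bytes, password: bytes) -> bytes:
    """Constructed sample: a single STORE'd, ZipCrypto-encrypted member,
    with the local header, central directory and EOCD record packed by hand."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes, then the CRC's high byte.
    # That one byte is all a tool can check before decrypting the data.
    header = bytes(range(11)) + bytes([(crc >> 24) & 0xFF])
    enc = ZipCrypto(password).encrypt(header + plain)
    flags, method, mtime, mdate = 1, 0, 0, (40 << 9) | (1 << 5) | 1  # bit 0 = encrypted
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method,
                        mtime, mdate, crc, len(enc), len(plain), len(name), 0) + name
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method,
                          mtime, mdate, crc, len(enc), len(plain), len(name),
                          0, 0, 0, 0, 0, 0) + name
    cd_offset = len(local) + len(enc)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + enc + central + eocd


def crack_zip(zip_bytes: bytes, wordlist):
    """Dictionary attack. Each candidate must survive the check byte AND a
    full decrypt with matching CRC, which is what fcrackzip's -u adds over
    its fast check-byte-only test (one wrong password in 256 passes that)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        member = zf.namelist()[0]
        for candidate in wordlist:
            try:
                with zf.open(member, pwd=candidate) as f:
                    f.read()
                return candidate
            except (RuntimeError, zipfile.BadZipFile):
                continue  # bad check byte, or a check-byte false positive caught by CRC
    return None


# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = [b"123456", b"password", b"qwerty", b"blossom", b"letmein"]


def demo():
    archive = build_encrypted_zip(b"journal.txt", b"constructed journal entry\n", b"blossom")
    return crack_zip(archive, WORDLIST)


if __name__ == "__main__":
    print(demo())  # b'blossom'
```

The reason this is cheap to brute-force is visible in the code: there is no key stretching at all, so each candidate costs a few hundred table lookups, and a known-plaintext attack on the same scheme (what `pkcrack` does) needs no wordlist at all. That is why a ZIP protected this way should be treated as readable by anyone who has the file.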
We get a password! This results in the extraction of another file, and looking at that file we notice it’s a 7-Zip archive. Let’s have a crack at that.
Blast! Another password, and the previous one didn’t work. I used 7z2john to turn this 7-Zip file into a hash in a John the Ripper supported format for cracking.
And then, using standard John syntax, let’s have a crack, again using rockyou.
We’ll get a password that unlocks the archive, which contains a CherryTree document holding a lot of information including the Journal flag.
The document also mentions another user and some super-unique password list that the author has created. Mhhm. I smell an SSH brute-force with Hydra?
Eventually we’ll get a hit and can log in as that user, where you’ll find the user flag very quickly…
On towards User flag
I cheated a little bit with this one, but essentially I uploaded the linpeas.sh enumeration script to the host, serving it via a simple Python HTTP server on my Kali machine.
But obviously you do the usual: sudo -l to see what you’re allowed to run with sudo, or crontab -l (and /etc/crontab) to see if there are any scheduled scripts that may be exploitable. In this case, the user lily is not a sudoer, so we can’t escalate using her!
Using this script, we get a load of interesting things; for example, we can see there’s another user on the system (besides root).
Perhaps he’s a sudoer?
Well, I used unshadow (which ships with John) to combine Johan’s entries from /etc/shadow and the file we previously discovered into a crackable hash for John!
You can use other tools like hashcat as you desire; this was just my preferred / most successful approach!
Then cracking johanhash with john as before…
Ta-dah! We can now log in as Johan.
Let’s see what we can do with him, e.g. sudo -l for a start.
Ah! So he is a sudoer. But not only that: when we put in his password, the input is displayed as asterisks - not plaintext, granted, but this isn’t standard behaviour!! That echo comes from the pwfeedback option in sudoers, which is off by default.
I will end the walkthrough / write-up there as it is a rather simple exploit to complete - consider it homework!
Once you’ve executed this, the root flag is very easy to get.
At the risk of repetition, it was a really refreshing approach to a CTF. Sure, people hide files in JPEGs sometimes, but obfuscating the information you need before you can even begin to consider rooting the box this way was certainly challenging and refreshing!
Well played MuirlandOracle - I look forward to future content of this kind!
So long and thanks for all the fish! ~CMNatic