May 26, 2019

Capture The Flag: Xerxes1 Walk through

Welcome to the Cyber Sploit CTF challenge series. In this article we will solve “Xerxes: 1” Vunnerable VM where we need to compromise the root. 

In this walk through we will see without any exploitation how we can gain the root privilege by using our experience and knowledge.

You can download the VM from the link below.,58/

List of action:

-Network Scanning
-HTTP service enumeration
- Brutforcing Directory
- Decoding
- Find hint in image
- Decryption
- Capture the flags in various phases

Network scanning

We will start with the netdiscover tool to get the VM IP address. So execute the below command in kali machine.

In this case we have got our target VM IP as :

Now lets run the network scan using nmap to discover the services and open ports in the target VM.
nmap –A

From the nmap scan result we have got two open ports 22,80 from the target VM. Those are SSH and HTTP ports respectively. Lets navigate the website running on port 80 from the web browser.

From the above result we did not get any kind of relevant information so we will move to the next step.

In this step we will brute-force the directory and try to find any clue to proceed further.

The below is the scan result.

The above scan result gives us another directory named /dev/
So lets browse the directory and see the result in web browser.

We can see there are multiple links present in the footer. Let’s click on by one and see the result.

The above bar code has come up the moment we have clicked on forgot password link. Now lets try to read the barcode and get the information.

After resolving the QR code we have got a base64 encoded value. Now we let’s decode it and get the string content.

The above value shows us “look deeper”. This is a hint to find something deeply inside the image.
After trying various things with the image finally we have followed the below method to discover some hidden code inside the image. Let’s see how it will work.

First we will download the latest version of the GIMP editor and install it in windows system. And open the image using the Open in Layers from File menu, after that we will deselect all the layers except the alpha layer. The goal is to find out the different pixels in Alfa layer. So Lets start finding those pixels.

After searching for long time finally we have got the different pixel values on the top most pixel row of the image. Let’s collect each and every pixel value and note it down and convert those decimal values to their ASCII values using online tool.

75 121 115 114 75 121 115 114 87 122 52 114 75 121 115 114 75 121 115 114 75 122 119 116 88 84 52 114 75 121 115 114 76 105 115 117 76 83 48 116 76 83 52 116 76 105 52 61

Now we have figured the ASCII value is nothing but the base64 encoded value so lets decode it and see what is inside.

After the decryption we have got one more encrypted value. This using encryption method is called BrainFuck. So let’s try to decrypt the BrainFuck encrypted string.

Finally we have got the value 45100 from BrainFuck encrypted message, which we can use as a password to upload a file. Let’s do this.

I have tried to upload RCE1.php file but it throws Error: illegal file detected, So lets try to change the file extention to pht and try again.

This time we have successfully uploaded the file in the server. Now we have to go to the upload directory and execute the php script with command argument to check whether this web application is vulnerable to RCE(Remote Code Execution) vulnerability.

Bingo!! As we can see the target is vulnerable to RCE after passing the cat command as an argument to read “etc/passwd” file content.
Since the application is vulnerable to RCE now we will run the netcat command to get the remote access from our Kali system. For doing that run the following command inside the VM’s browser.

Simultaneously we need to run the below command inside the Kali system to get the remote session.

The moment we will get the reverse connection, we will execute the below one liner python code to get the limited shell access.

We have successfully got the xerxes user’s command line shell. Now let’s go to the home directory to check the user information available in the current system.

Accordin to the output we have got three users name, amanpour, curtiz, delacroix. So we will start checking the content with amanpour and so on.

Here we have got .bash_history file, next we will check the content of the file.

Inside the file we have got the python command to get new password, so lets execute it in our terminal to get the new password.

We have successfully get the new password. So let’s try to connect the user amanpour using the password we have got.

We have successfully logged inside the amanpour’s account. Now let’s search for the files with suid permission, for doing so we will execute the below command.

Here in the output of the command we have got the file /opt/notes. So let’s go inside the /opt directory and read the content of the file.

After read the content of the script, we have got the pickle module inside which is vulnerable to insecure deserialization. So we can execute any code of our choice. Here we can load the file inside the script so we created on file that executes the “/bin/bash”

Let’s create the below file ‘shell’ in /tmp directory with the below content.

Let’s execute the note file and right after that run the shell file from the /tmp directory

The moment we executed the file we have spawned a shell.  After run the id command in the shell we have got to know that the amanpour is the member of the group curtiz. So lets go to the curtiz home directory. When we have checked the contents we have got a file named as notes. After seeing the content of the notes, got a hint to login with the account name called “Marie”.

After got the hint we tried to find out whether any information present in the /etc/passwd file.

After getting the result we have figured out that Marie is the first name of the user Delacroix and also it has a shell named with /bin/delacroix

Let’s see the content of the /bin/delacroix file using strings function.

From the above output we have got a md5 password. So next we will try to decode the md5 password and get the value.

We have successfully decrypt the hash and the value we have got is “VonBraun”. So let’s try with the password to get the ssh access of the user Delacroix.

But we are unable to login. Now go back to the home directory of /home/curtiz we have got a file name as id_rsa. Lets copy the content of the file and save it in our Kali machine.

Now come back to Kali machine command prompt and try to login with the rsa_id Private Key file through SSH.

Note: Before that set the id_rsa file permission (chmod 400 id_rsa) in our kali system.

We have entered into the Delacroix home directory. Now let’s see the contents of this directory.

Here we have got two files named as and Now let’s read the content of the files one after another and try to understand the information given.

The file generates customized login message and file creates a new .last file and uses the timestamp of the file to generate a unique md5 message.

Now we need to find the md5 hash value of the .last file creation time. So first we will see the timestamp of the last file using stat command.

We have got the timestamp. Now it’s time to convert it into md5 value to get the password.

We have successfully get the md5 hash, using this we will get inside the root directory and capture the flag inside.

Great!!! We have successfully get the root console. After getting the root user privilege we have found the flag inside the /root directory.

When we have tried to see the type of the file, we have found that it is a .png file. Now using netcat we will move the file to our kali machine and open it in image viewer.

Simultaneously we have to run the same netcat comman in our kali system to listen the port 5555.

After that we will open the .png  file and see the content.

Boom!! We have successfully captured the flag from the target machine.

Thank you for reading my article so far, if you still have any doubt on the same please write down in the comment section below. Happy Hacking!!


Post a Comment