BlackMarket: 1 – walkthrough

Walkthrough for BlackMarket: 1 (https://www.vulnhub.com/entry/blackmarket-1,223/)

Summary

Flags

| Flag | Where it was found | Decoded value |
| --- | --- | --- |
| flag1{Q0lBIC0gT3BlcmF0aW9uIFRyZWFkc3RvbmU=} | Source of the main Black Market login page | CIA - Operation Treadstone |
| flag2{Q29uZ3JhdHMgUHJvY2VlZCBGdXJ0aGVy} | IMP.txt file obtained from ftp service | Congrats Proceed Further |
| flag3{RmluZCBKYXNvbiBCb3VybmUgRW1haWwgYWNjZXNz} | flag table of BlackMarket database (stored in ASCII) | Find Jason Bourne Email access |
| flag4{bm90aGluZyBpcyBoZXJl} | BlackMarket logon page when using admin credentials | nothing is here |
| Flag5{RXZlcnl0aGluZyBpcyBlbmNyeXB0ZWQ=} | Drafts folder of the squirrelmail account | Everything is encrypted |
| flag6{Um9vdCB0aW1l} | Stored in the backdoor web folder | Root time |

Credentials

| Service | Username | Password | Notes |
| --- | --- | --- | --- |
| ftp, ssh | nicky | CIA | Credentials only work for ftp; accepted for ssh, but the system then auto-logs out. |

Walkthrough

A basic nmap sweep finds the machine.

An nmap scan across the box shows ftp (vsftpd 3.0.2), ssh (OpenSSH 6.6.1p1), web (Apache httpd 2.4.7), and pop3 & imap (Dovecot) services. A quick CVE search on the published version numbers doesn’t yield anything of interest. The ssh service accepts username and password authentication. A review of robots.txt on the web server doesn’t yield much of interest either.

Opening up the web browser window shows a reasonably generic login page.

Reviewing the source of the main page provided the first flag – flag1{Q0lBIC0gT3BlcmF0aW9uIFRyZWFkc3RvbmU=}.

Throwing a dirb scan at the web server then yielded a few more things (output truncated to what I found interesting).

The scan tells us there is a squirrelmail install and subdirectories for admin, supplier & user. To help with further digging these values are added to my usernames.txt, passwords.txt & directories.txt. The idea is to add keywords to these files as they are found, for use in later scanning.

Throwing the initial usernames and passwords against the other available services didn’t yield any results.

Poking around the web site didn’t yield much either. Looking at the traffic using ZAP gave no clues to anything that might be easily exploited, and neither did the links I could access. At this point I became stuck and shelved digging against this VM for a while.

I picked this up again after having a brainwave. Looking at the flag again, I realised it looked like a hash value; checking it on md5hashing.net gave me the answer: base64.
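As an added example (not part of the original write-up), a small Python helper that applies the same check to anything matching the challenge’s flagN{...} format: the payload is tested structurally for base64 (alphabet, length, padding) and for printable output before it is reported as decoded, so a hex token or random string is not misreported. The sample page source is constructed for the example.

```python
import base64
import binascii
import re
import string

# Matches the challenge's flag format: flagN{payload}
FLAG_RE = re.compile(r"(flag\d+)\{([^}]*)\}", re.IGNORECASE)

# Standard base64 alphabet plus the padding character
B64_CHARS = set(string.ascii_letters + string.digits + "+/=")


def looks_like_base64(s: str) -> bool:
    """Cheap structural check: alphabet, length multiple of 4, padding only at the end."""
    if not s or len(s) % 4 != 0 or not set(s) <= B64_CHARS:
        return False
    stripped = s.rstrip("=")
    # '=' may only appear as trailing padding, and at most twice
    return "=" not in stripped and len(s) - len(stripped) <= 2


def decode_flag_payload(payload: str):
    """Return the decoded text if payload is base64 for printable ASCII, else None."""
    if not looks_like_base64(payload):
        return None
    try:
        text = base64.b64decode(payload, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(c in string.printable for c in text):
        return None
    return text


def find_flags(text: str) -> dict:
    """Map every flagN found in text to its decoded payload (None if not base64 text)."""
    return {name: decode_flag_payload(payload) for name, payload in FLAG_RE.findall(text)}


# Constructed sample: page source with a flag in an HTML comment, plus a
# decoy "flag" whose payload is hex (valid alphabet, but not base64 text).
SAMPLE_SOURCE = """<html><!-- flag1{Q0lBIC0gT3BlcmF0aW9uIFRyZWFkc3RvbmU=} -->
<input type="hidden" value="flag9{deadbeef}"></html>"""

if __name__ == "__main__":
    for name, value in find_flags(SAMPLE_SOURCE).items():
        print(name, "->", value)
```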

And with that, I was off again. The clue suggested this challenge was modelled on the Jason Bourne series. From the wiki page on Operation Treadstone I start pulling out new keywords to add to my usernames, passwords & directories. Character and organisation names went into usernames; all the other keywords went into passwords and directories.

Re-running ncrack now gives me the first set of credentials and the initial entry point onto the system.

SSH credentials work but immediately boot me from the system after logging in (=== WARNING CIA: THIS ACCOUNT IS LIMITED TO FTP ACCESS ONLY ====), so off to ftp I go.

Reading the downloaded file gives us the second flag and the next clue:

    flag2{Q29uZ3JhdHMgUHJvY2VlZCBGdXJ0aGVy}

    If anyone reading this message it means you are on the right track however I do not have any idea about the CIA blackmarket Vehical workshop. You must find out and hack it!

Decoding the flag gives us the words of encouragement (Congrats Proceed Further), but not much in the way of clues.

Given the success against the FTP site, I return to the main web form and have a go at throwing hydra at it, unfortunately with no luck.

Returning to the flag clue I start adding values similar to vehicle workshop into directories.txt and re-running dirb.

And we have a winner.

Interacting with the site functionality and reviewing the source doesn’t yield any hits. Changing direction, I have a go at tampering with the URL parameters. Testing them with sqlmap gives us a hit.

Rest of write-up to be completed later
