d0not5top: 1.2 – Walkthrough

Overview

CTF Challenge attempted – https://www.vulnhub.com/entry/d0not5top-12%2C191/

Walkthrough is incomplete – I’ll update as I go.

Tips found from the setup:

  • Initial import attempt of .ova file failed on VMWare Fusion – needed to retry with relaxed conditions

Flags found are:

| Flag Name | Flag | Where found |
| --- | --- | --- |
| FL46_1 | urh8fu3i039rfoy254sx2xtrs5wc6767w | HTML source of http://address/control/index.html |
| FL46_2 | 39931r42q2svdfsxk9i13ry4f2srtr98h2 | Encoded in http://address/control/js/README.MadBro |
| FL46_3 | 29dryf67uheht2r1dd4qppuey474svxya | Encoded as hex in the smtpd header information |
| FL46_4 | n02bv1rx5se4560984eedchjs72hsusu9 | Inside FLaR6yF1nD3rZ_html, decoded as brainfuck |
| FL46_5 | 09k87h6g4e25gh44wa1rybyfi898hncdt | Background of the pz.jpg & nz.jpg images, shown as octal |

Reconnaissance & Scanning

First we find the host (extra output removed)

A quick nmap scan turns up the following:

A summary of what was found is shown below. Further investigations of each area to follow.

| Port | Application | Notes |
| --- | --- | --- |
| 22 | OpenSSH 6.7p1 Debian 5+deb8u3 | |
| 25 | Exim smtpd | Supports commands AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP |
| 53 | PowerDNS 3.4.1 | |
| 80 | Apache httpd | Robots.txt file indicates we may have a Wordpress site running |
| 111 | rpcbind 2-4 | Suggests that ports 38784 & 45486 are also open |

Exim SMTPD

Those numbers after the connection look interesting. To be investigated further later, nothing obvious is jumping out at me.

PowerDNS

A quick review of the above shows that PowerDNS is out of date (current versions are 4.x). Running dig against the name server gives us:

Further investigation to be done here later, nothing immediate is jumping out at me.

Apache httpd

Throwing a dirb scan at port 80 reveals a large number of hits.

Cutting those down we have:

  • A main (index.html) page with poor html formatting
  • A control panel for something called startmin
  • An Apache2.0 License file
  • Apache 2.4 server documentation
  • A phpmyadmin demo page

Dirb returned a large number of valid pages (CODE:200) with no data. I think this is either a red herring or something to investigate later in the challenge.

Initial review of the main index.html yields some poorly formatted html.

Moving onto the startmin page things get a little more interesting. Reviewing the source of the startmin page, it appears we have our first flag & an interesting comment:

FL46_1:urh8fu3i039rfoy254sx2xtrs5wc6767w
M3gusta said he hasn’t had time to get this w0rKING. Don’t think he’s quite in the 20n3 these days since his MadBro made that 7r4n5f3r, Just Couldnt H@cxk Da D0Not5topMe.ctf

A further review of the source reveals that there are three sub directories, css, fonts & js. Manually browsing into the js page gives us the file README.MadBro.

###########################################################
# MadBro MadBro MadBro MadBro MadBro MadBro MadBro MadBro #
# M4K3 5UR3 2 S3TUP Y0UR /3TC/H05T5 N3XT T1M3 L0053R… #
# 1T’5 D0Not5topMe.ctf !!!! #
# 1M 00T4 H33R.. #
# MadBro MadBro MadBro MadBro MadBro MadBro MadBro MadBro #
###########################################################

FL101110_10:111101011101
1r101010q10svdfsxk1001i1
11ry100f10srtr1100010h10

At a glance FL101110_10 is FL46_2 – our second flag. Encoding seems to be strings mixed in with binary.

Applying the same concept to the second chunk gives us 111101011101 (binary), 1 (binary), r, 101010 (binary), q, 10 (binary), svdfsxk, 1001 (binary), i, 1 (binary), 11 (binary), ry, 100 (binary), f, 10 (binary), srtr, 1100010 (binary), h & 10 (binary). Combining the strings with converted binary (done using python >>> int(“binary here”, 2)) gives us 39331r42q2svdfsxk9i13ry4f2srtr98h2 – the second flag.
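The hand decode above is easy to get wrong (the run lengths matter, and a run that ends one line is a separate number from the run that starts the next). Here is an added Python example, not part of the original walkthrough, that applies the same rule mechanically: every maximal run of 0/1 digits is read as binary, everything else is passed through, and each line is decoded on its own before joining. The three encoded lines are a copy of what README.MadBro showed.

```python
import re

# The three encoded lines from README.MadBro (copied from the page). They are
# kept as separate lines on purpose: the '1' closing line 2 and the '11'
# opening line 3 are two numbers (1 and 3), not one run.
README_FLAG_LINES = [
    "FL101110_10:111101011101",
    "1r101010q10svdfsxk1001i1",
    "11ry100f10srtr1100010h10",
]


def decode_binary_runs(line: str) -> str:
    """Replace every maximal run of 0/1 digits with its decimal value.

    Letters and punctuation are left untouched, which is the rule the
    walkthrough applies by hand ("strings mixed in with binary").
    """
    return re.sub(r"[01]+", lambda m: str(int(m.group(0), 2)), line)


def decode_flag(lines) -> str:
    """Decode each line independently, then concatenate the results."""
    return "".join(decode_binary_runs(line) for line in lines)


if __name__ == "__main__":
    # Prints FL46_2:39331r42q2svdfsxk9i13ry4f2srtr98h2
    print(decode_flag(README_FLAG_LINES))
```

Note that decoding the three lines as one joined string would fuse the trailing `111101011101` of line 1 with the leading `1` of line 2 and give a different (wrong) number, which is why the function works line by line.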

Things learnt up until here:

  • Some of the flags will be encoded using different means, time to re-visit that odd stream of characters from the smtpd header
  • We have our first domain (D0Not5topMe.ctf) and a suggestion users should add this to their host file. Domain captured for later testing
  • Two potential usernames noted, MadBro & M3gusta. Usernames captured for later testing.

Now is the time to circle back around to a few things.

Revisiting Exim

Taking into account learnings about the previous flag being encoded, let’s revisit the SMTPd response we received earlier.

220 46 4c 34 36 5f 33 3a 32 396472796 63637756 8656874 327231646434 717070756 5793437 347 3767879610a EXIM SMTP

From consulting http://www.greenend.org.uk/rjk/tech/smtpreplies.html we know that the 220 code at the start tells us the service is ready. The remaining elements all fall inside the range of hexadecimal characters – running these through a basic decode in python yields:

Our third flag (FL46_3) – 29dryf67uheht2r1dd4qppuey474svxya
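The banner's hex digits arrive with spaces in odd places (`396472796 63637756 ...`), so a decoder cannot treat each space-separated token as one byte; it has to strip the spaces first and then read the digits two at a time. The following is an added Python example, not the author's script, that does exactly that for the greeting shown above. It goes one step beyond the banner: the second function decodes the whitespace- or comma-separated octal byte values used for the fifth flag (the four values 106, 114, 64, 66 quoted later on this page are used as the sample input).

```python
import re
from itertools import takewhile

# SMTP greeting as received on port 25 (copied from the page). The uneven
# spacing is how it arrived, so the decoder must not rely on token widths.
BANNER = ("220 46 4c 34 36 5f 33 3a 32 396472796 63637756 8656874 "
          "327231646434 717070756 5793437 347 3767879610a EXIM SMTP")

# Constructed sample: the first four octal values the walkthrough reads
# off the pz.jpg / nz.jpg background.
OCTAL_SAMPLE = "106, 114, 64, 66"


def decode_hex_banner(banner: str) -> str:
    """Extract the hex payload from a 220 greeting and decode it as ASCII.

    The payload is every token after the reply code up to the first token
    that is not purely hex digits (here 'EXIM'). The digits are joined and
    then split into byte pairs, so arbitrary spacing does not matter.
    """
    code, _, rest = banner.partition(" ")
    if code != "220":
        raise ValueError(f"not a service-ready greeting: {code!r}")
    is_hex = lambda tok: re.fullmatch(r"[0-9a-fA-F]+", tok) is not None
    digits = "".join(takewhile(is_hex, rest.split()))
    if len(digits) % 2:
        raise ValueError("odd number of hex digits; payload is truncated")
    return bytes.fromhex(digits).decode("ascii").rstrip("\n")


def decode_octal_tokens(text: str) -> str:
    """Decode whitespace/comma separated octal byte values to text."""
    tokens = [t for t in re.split(r"[\s,]+", text.strip()) if t]
    return "".join(chr(int(t, 8)) for t in tokens)


if __name__ == "__main__":
    print(decode_hex_banner(BANNER))      # FL46_3:29dryf67uheht2r1dd4qppuey474svxya
    print(decode_octal_tokens(OCTAL_SAMPLE))  # FL46
```

The trailing `0a` in the banner is a newline, which is why the result is stripped; the remaining 40 characters match the length of the first flag.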

While we are here throwing a metasploit smtp_enum at it yields:

Additional usernames added to the file along with MadBro and M3gusta.

Revisiting PowerDNS

Given we have a domain now, let’s see if PowerDNS resolves that.

Oh-well, can’t have everything 🙂

D0Not5topMe.ctf domain

Taking the hint from Readme.Madbro – I add D0Not5topMe.ctf to my kali /etc/hosts and set the IP to the challenge VM. Now browsing to D0Not5topMe.ctf I’m presented with a new website – a phpBB board.

Browsing around the site – it has an existing user of Megusta (added to the username list) & I pick up a sid value of 31e7e77e78cc475f00c88be362d88d4c. Throwing that through a base64 decode gives me:

Breaking this up we have df (hex), W, bb (hex), {, bedeefc71ce3be (hex), _\, d3, G<\, f1b7b7eb (hex), g|\, f1de1c (hex). Browsing around the site while filtering everything through burpsuite I notice an interesting parameter being passed (found when trying to register for a new user account).
agreed=I+agree+to+these+terms&FLaR6yF1nD3rZ_html=&creation_time=1500964677&form_token=c3272c5e6e17beaa91bf5a060e54a0c7669d8fb3

Given previous encoding items, loading up http://d0not5topme.ctf/FLaR6yF1nD3rZ_html yields the below chunk of text. At a wild stab I’m guessing this is the next flag, now to work out the decoding method.


+++++ +++[- >++++ ++++< ]>+++ +++.+ +++++ .<+++ +[->- ---<] >---- ----.
++.<+ +++++ [->++ ++++< ]>+++ ++.<+ +++++ [->-- ----< ]>--- ----. +++++
+.<++ +++++ [->++ +++++ <]>++ +.<++ +++++ [->-- ----- <]>-- ----- -----
-.++. <++++ ++[-> +++++ +<]>+ +++++ +++++ +.<++ ++[-> ++++< ]>+++ +.<++
+++++ +[->- ----- --<]> ----- .<+++ +++++ [->++ +++++ +<]>+ .++++ ++.<+
+++++ ++[-> ----- ---<] >---. <++++ +++[- >++++ +++<] >++++ +++++ ++++.
<+++[ ->--- <]>-- ---.< +++++ ++[-> ----- --<]> .+.+. ----- -.+++ +++++
+.-.- ---.< +++++ ++[-> +++++ ++<]> ..-.- .++++ +.++. +++++ ++++. <++++
+++[- >---- ---<] >---- ----- --.-- ---.< +++++ ++[-> +++++ ++<]> +++++
.<+++ [->++ +<]>+ +.++. --.++ .<+++ ++++[ ->--- ----< ]>--- ----- ---.<

From a visual check we have 10 lines of 12 blocks per line. Each block seems to be 5 ASCII characters. We know previous flags had a length of 40 (flag 1), 41 (flag 2) & 40 (flag 3). Note – must re-check the calculation for Flag_2 (odd that its length is different).

After leaving this one alone for a while I stumbled across asciidots on a motherboard article. That led me to brainfuck and the solution to the above.

Running the above characters through an online brainfuck decoder, we have FL46_4:n02bv1rx5se4560984eedchjs72hsusu9 – the 4th flag.

Digging into the source code of the board we find

Perhaps a third host? Adding to our domains list and hosts file, firing up a web browser now yields a brand new page.

Nice game – after several attempts to beat it and losing, time to dig further. Reviewing the game source files, something of interest pops up in http://g4m35.ctf/src/game.js. When the game is over the user is passed another string, H3x6L64m3.

Loading up http://g4m35.ctf/H3x6L64m3/ into the browser now yields another game.

Playing the game a few times shows a few interesting observations:

  • What looks to be encoded ASCII in the background of the game
  • The image shown on the original website of a smiling face
  • At the close of the game a new URL flashes up on the screen – noted it ends in .ctf.

No easy way to grab the URL or the ASCII characters while playing the game, so off to mirror the website and search using conventional tools.

t3rm1n4l.ctf now added to the domains list and hosts file.

Looking at the layout of the actual game files at https://github.com/BKcore/HexGL it’s noted that the game textures are stored in the /textures folder.

Manually browsing those directories yields us:

http://g4m35.ctf/H3x6L64m3/textures/skybox/dawnclouds/pz.jpg & http://g4m35.ctf/H3x6L64m3/textures/skybox/dawnclouds/nz.jpg (cropped image of this below).

Background text in both images is the same, so off to try and decode it.

This doesn’t tell me anything immediate. The text file gives me 40 characters – the length of our previous flags. Now to look at other encoding schemes.

After some searching around, the table at http://www.asciitable.com gave the answer. Following its listing, the encoding scheme used is Octal (the first four collected characters were 106, 114, 64, 66 – in Octal these correspond to FL46).

After a bit of tinkering with python we have:

And now we have flag five.

Off now to investigate the new url found earlier – http://t3rm1n4l.ctf. Adding this to the hosts file and opening up a browser yields another virtual host and what appears to be a terminal of sorts.
