64Base: 101

[ vulnhub  boot2root  walkthrough  ]

Goal

Capture all 6 flags in flag{base64encoded} format

Download

https://www.vulnhub.com/entry/64base-101,173/

Walkthrough

The initial nmap scan shows port 22 open (but not speaking SSH), a web server on 80, an unknown service on 4899 and SSH on 62964.

Browsing to the site shows a base64 clue right off the bat.

Decoding the message tells us to look at the page source (which was going to be my next step anyway :) ).

Looking at the source reveals a long alphanumeric string.

Sending the string to Burp Suite’s Decoder and decoding it first as ASCII hex and then as base64 reveals flag1.

flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}

Decoding the flag gives a username and password: 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4

With nowhere else to go I fall back to dirb, but there are far too many listings.

*snippet of dirb

I remember that the initial nmap scan revealed a robots.txt file, and it’s long.

*snippet of robots.txt

I go back to Burp and spider the site, then filter the site map for 4xx responses and find admin.

The admin page presents a login, but the credentials from flag1 do not work.

With nothing left to go on, I try the two unknown ports…

Port 22 doesn’t respond to SSH; nc gets some output back, but there is no way in.

Port 4899 also gives output, but again no way in.

Out of options, I go back to the website and find an interesting portion of the post page.

With all those folders in robots.txt I figure there has to be something else. Looking at the post page, I notice that below the wanted image there is a stanza: “Only respond if you are a real Imperial-Class BountyHunter”.

Looking through the site map I notice that Imperial-class has no response recorded, unlike all the other fake directories.

Browsing to the directory gives a 404…however:

The stanza spells it with a capital C, Imperial-Class, and changing the path to match reveals a page.

Looking at the source, it seems we have to add BountyHunter to the path.

And now another login

Looking at the source reveals nothing else, except that the form POSTs to login.php.

Browsing to login.php changes the path, adding index.php. Looking at that source reveals three more alphanumeric strings. It seems there is both an index.html and an index.php.

The strings do nothing on their own, but concatenated and run through Burp Decoder they reveal flag2.

flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}

The decoded flag gives no hints, just a video of Darth Vader burping…enjoy.

At a dead end again, I go back to Burp to see whether I can log in to that BountyHunter page. Looking at the request, it seems we’re already passing basic authentication. Hmmm?

I guess there was a hint after all…burp

Sending the request to Burp Repeater, it becomes apparent that we’re not sending a POST to login.php at all, but rather a GET to index.php. Simply changing the file name is enough and we have flag3.

flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}

Decoding the flag reveals our 53cr3t5h377 path.

Browsing to the path reveals what looks like a shell

Remembering the instructions on the post page, we need to use system rather than exec. That change reveals flag4.

flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}

Decoding the flag reveals more credentials…

These do not work on the admin page, nor for SSH on port 62964.

So now begins trial and error, as I find I’m very limited in what can be done with this shell…

nc brings up Grumpy Cat.

ls with options works

From what I can tell, the following commands work: ls (with options), ls .. (only up one directory), nc (brings up Grumpy Cat), ps (with options), locate, base64 and xxd (the last three discovered via --help), id and whoami.

I’m also able to pull up files listed by ls…here is cat.

After much more keyboard bashing, locate, find and xargs are my saviors, revealing flag5. I was able to browse the entire file system, but ended up finding the flag in the admin folder I’ve been trying to get into since the beginning.

flag5{TG9vayBJbnNpZGUhIDpECg==}

Decoding the flag tells us to look inside.

Using a combination of the available commands, I try the obvious ways to read the file…with no luck.

Response from less: no luck.

Response from more: no luck either.

With no way to read the file in place, I remember that we are able to read files in the BountyHunter directory, and xargs lets us feed file names to cp. Running locate admin | xargs find | grep flag | xargs cp -t . copies the flag file into the BountyHunter directory.

And of course we’re still not able to view it…

Looking at the permissions, the file is mode 004 (only the “others” read bit is set).

Many tries, my friends, many tries, and I get the permissions changed. It took all the commands used so far. The final string: locate BountyHunter | xargs find | grep flag | xargs chmod 777

The file turns out to be an image.

Downloading the image and “looking inside” with exiftool reveals another long alphanumeric string.

*snippet of exiftool output

Throwing the long string at Burp Decoder, decoding first as ASCII hex and then as base64, reveals a private key. To get it into a file I ran the same decode on the command line: echo longstring | xxd -r -p | base64 -d > priv.key

Now with a private key, I fix its permissions and attempt to SSH to the host using it. Prompted for a passphrase, I try ‘usetheforce’, as in the picture…it works, revealing flag6.

flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}

Challenge not over…

Decoding the flag, first through Burp and then on the command line for a better screenshot, reveals one last clue.
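The same two operations recur throughout this box: base64 for flags 1 to 5, ASCII-hex followed by base64 for flag1 and the private key, and several alternating layers for flag6. Below is an added example, written for this page rather than taken from the author's Burp workflow or from anything on the VM, that peels those layers automatically. It assumes each layer is either plain hex or standard base64 and that the innermost text is printable ASCII; hex is tried before base64 because any hex string is also syntactically valid base64 and would otherwise decode to junk. The flag values are copied from the walkthrough; the SAMPLE_HEX_B64 constant is constructed for the example (hex of the base64 of the passphrase usetheforce).

```python
import base64
import binascii
import re
import string

# Bytes accepted as the text inside a layer: ASCII printable plus whitespace.
_TEXT = set(string.printable.encode("ascii"))
_HEX = re.compile(r"[0-9a-fA-F]+")
_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Flags copied from the walkthrough above.
FLAGS = {
    "flag1": "flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}",
    "flag2": "flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}",
    "flag3": "flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}",
    "flag4": "flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}",
    "flag5": "flag5{TG9vayBJbnNpZGUhIDpECg==}",
    "flag6": "flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}",
}

# Constructed sample (not from the page): hex(base64("usetheforce")).
SAMPLE_HEX_B64 = "64584e6c6447686c5a6d39795932553d"


def strip_flag(s: str) -> str:
    """Return the payload inside flagN{...}; anything else passes through."""
    m = re.fullmatch(r"\s*flag\d*\{(.*)\}\s*", s, re.S)
    return m.group(1) if m else s


def is_text(data: bytes) -> bool:
    return bool(data) and all(b in _TEXT for b in data)


def peel_once(s: str):
    """Remove one encoding layer; returns (layer_name, decoded_text) or None.

    Hex is tried first because a hex string also matches the base64 alphabet.
    If the hex decode is not printable we fall through and try base64, so a
    base64 layer that happens to be all hex digits is still handled.
    """
    s = s.strip()
    if _HEX.fullmatch(s) and len(s) % 2 == 0:
        data = bytes.fromhex(s)
        if is_text(data):
            return "hex", data.decode("ascii")
    if _B64.fullmatch(s) and len(s) % 4 == 0:
        try:
            data = base64.b64decode(s, validate=True)
        except binascii.Error:
            return None
        if is_text(data):
            return "base64", data.decode("ascii")
    return None


def peel(s: str, max_layers: int = 16):
    """Peel nested hex/base64 layers until the text stops looking encoded.

    Returns (plaintext, [layer names, outermost first]). Caveat: a plaintext
    that is itself pure hex or pure base64 (a password like 'deadbeef') gets
    decoded one layer too far, so always inspect the returned layer list.
    """
    layers = []
    cur = strip_flag(s)
    for _ in range(max_layers):
        step = peel_once(cur)
        if step is None:
            break
        name, cur = step
        layers.append(name)
    return cur.strip(), layers


def hex_then_base64(s: str) -> bytes:
    """The Burp 'ASCII hex, then base64' pipeline (xxd -r -p | base64 -d).

    Returns raw bytes rather than text: a private key must be written to
    disk byte for byte, and the hex layer may carry embedded newlines that
    the lenient base64 decode simply skips.
    """
    return base64.b64decode(bytes.fromhex(s.strip()).decode("ascii"))


if __name__ == "__main__":
    for name, value in FLAGS.items():
        text, layers = peel(value)
        print(f"{name}: {' > '.join(layers)} -> {text}")
    print(hex_then_base64(SAMPLE_HEX_B64))
```

Running it prints each flag's plaintext next to the layer sequence that produced it, which is the check worth making on any box like this: if the layer list is empty the string was not an encoding at all, and if it is longer than expected the last "layer" was probably your real answer being decoded into garbage.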

Running the revealed command shows the ending credits.

*snippet of ending credits

Written on December 22, 2016