HTB

Category: Hack The Box

Number of flags: 8 total

Description:

Here’s the URL ;)

hackit.zh3r0.ml

Author: Mr.Holmes

Writeup

This was a pretty unique challenge set for a CTF competition. Despite the fact that most players get a lot of practice from the HackTheBox website and its challenges, we don’t see too many of them in a CTF.

For those who know, Nmap is practically the first tool that comes to mind when you are only given a host. You can find links in the Resources section below. Kali has it loaded already, and on other Linux distributions it’s a quick install. I also realized that it isn’t possible on Windows Subsystem for Linux :( #rip

I personally used Zenmap for Windows because it is what I had at the time. Here is the command I ran:

nmap -sC -sV -p- hackit.zh3r0.ml

Output:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-18 09:25 Eastern Daylight Time
Nmap scan report for 139.59.3.42
Host is up (0.27s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE  VERSION
22/tcp    open     http     PHP cli server 5.5 or later
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)

99/tcp    open     ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 70:78:8f:70:79:59:72:5f:05:c9:2a:63:b4:34:c1:52 (RSA)
|   256 08:6d:42:16:2a:47:ae:b4:d7:fa:35:28:91:67:ab:63 (ECDSA)
|_  256 e4:89:6b:09:37:64:c2:47:01:bd:c2:32:d8:cd:06:2d (ED25519)

324/tcp   open     ftp      vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp            22 Jun 18 09:06 test.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:173.120.119.45
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status

4994/tcp  open     unknown
| fingerprint-strings:
|   GenericLines, GetRequest, HTTPOptions:
|     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|     ||Employee Entry||
|     ----------------------------------------------------------
|     Sherlock Holmes Inc.
|     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|     Here's a free flag for you, just for finding this door! Flag 1: zh3r0{pr05_d0_full_sc4n5}
|     Heyo, Watcha looking at? Employee ID yoo! :
|     away kiddo, huh, Kids these days!
|   NULL:
|     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|     ||Employee Entry||
|     ----------------------------------------------------------
|     Sherlock Holmes Inc.
|     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|     Here's a free flag for you, just for finding this door! Flag 1: zh3r0{pr05_d0_full_sc4n5}
|_    Heyo, Watcha looking at? Employee ID yoo! :

11211/tcp filtered memcache
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4994-TCP:V=7.80%I=7%D=6/18%Time=5EEB6FE7%P=i686-pc-windows-windows%
SF:r(NULL,18C,"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SF:~\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\|\|Employee\x20Entry\|\|\n\n--------------------------
SF:--------------------------------\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20Sherlock\x20Holmes\x20In
SF:c\.\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nHere's
SF:\x20a\x20free\x20flag\x20for\x20you,\x20just\x20for\x20finding\x20this\
SF:x20door!\x20Flag\x201:\x20zh3r0{pr05_d0_full_sc4n5}\nHeyo,\x20Watcha\x2
SF:0looking\x20at\?\x20Employee\x20ID\x20yoo!\x20:\x20\n")%r(GenericLines,
SF:1B1,"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:0\x20\x20\|\|Employee\x20Entry\|\|\n\n---------------------------------
SF:-------------------------\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20Sherlock\x20Holmes\x20Inc\.\n~~
SF:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nHere's\x20a\x
SF:20free\x20flag\x20for\x20you,\x20just\x20for\x20finding\x20this\x20door
SF:!\x20Flag\x201:\x20zh3r0{pr05_d0_full_sc4n5}\nHeyo,\x20Watcha\x20lookin
SF:g\x20at\?\x20Employee\x20ID\x20yoo!\x20:\x20\nGo\x20away\x20kiddo,\x20h
SF:uh,\x20Kids\x20these\x20days!\n")%r(GetRequest,1B1,"\n~~~~~~~~~~~~~~~~~
SF:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\|Employee\x2
SF:0Entry\|\|\n\n---------------------------------------------------------
SF:-\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20Sherlock\x20Holmes\x20Inc\.\n~~~~~~~~~~~~~~~~~~~~~~~~~~
SF:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nHere's\x20a\x20free\x20flag\x20for\x2
SF:0you,\x20just\x20for\x20finding\x20this\x20door!\x20Flag\x201:\x20zh3r0
SF:{pr05_d0_full_sc4n5}\nHeyo,\x20Watcha\x20looking\x20at\?\x20Employee\x2
SF:0ID\x20yoo!\x20:\x20\nGo\x20away\x20kiddo,\x20huh,\x20Kids\x20these\x20
SF:days!\n")%r(HTTPOptions,1B1,"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SF:~~~~~~~~~~~~~~~~~~\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\|\|Employee\x20Entry\|\|\n\n---------
SF:-------------------------------------------------\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20Sherloc
SF:k\x20Holmes\x20Inc\.\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SF:~~~~~~~~~\nHere's\x20a\x20free\x20flag\x20for\x20you,\x20just\x20for\x2
SF:0finding\x20this\x20door!\x20Flag\x201:\x20zh3r0{pr05_d0_full_sc4n5}\nH
SF:eyo,\x20Watcha\x20looking\x20at\?\x20Employee\x20ID\x20yoo!\x20:\x20\nG
SF:o\x20away\x20kiddo,\x20huh,\x20Kids\x20these\x20days!\n");
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1391.93 seconds

We see a lot of information here. Where to start!

Let’s start with port 22. The version detection in the output suggests that a web server is listening on this port, which is odd considering 22 is the port reserved for SSH.
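The scan above is a textbook case of services living on the wrong ports: HTTP on 22, SSH on 99, FTP on 324. The following checker is an added example written for this writeup (it is not the author's code and not part of Nmap): it parses the PORT/STATE/SERVICE/VERSION table that nmap -sV prints, compares each open service against the well-known port assignment for that service, and separately lists open ports whose service Nmap could not identify. The sample table is constructed from the scan output shown above; the EXPECTED_PORTS map is an assumption covering only the services that appear in it.

```python
"""Flag services that answer on a port other than their well-known one.

Added example, not part of the original writeup. The checker reads the
PORT/STATE/SERVICE/VERSION table produced by `nmap -sV` and reports
(a) open services that are not on their usual port and
(b) open ports whose service Nmap could not identify.
"""
import re

# Assumed well-known port assignments for the services seen in the scan.
EXPECTED_PORTS = {
    "http": {80, 8080, 8000},
    "https": {443},
    "ssh": {22},
    "ftp": {21},
    "memcache": {11211},
}

# Matches "22/tcp    open     http     PHP cli server 5.5 or later";
# the VERSION column is optional because unknown services have none.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed from the port table of the scan in the writeup.
SAMPLE_SCAN = """\
PORT      STATE    SERVICE  VERSION
22/tcp    open     http     PHP cli server 5.5 or later
99/tcp    open     ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
324/tcp   open     ftp      vsftpd 3.0.3
4994/tcp  open     unknown
11211/tcp filtered memcache
"""


def parse_nmap_table(text):
    """Return one dict per port line; header and script output lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        entries.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service, "version": version or "",
        })
    return entries


def find_port_mismatches(entries, expected=EXPECTED_PORTS):
    """(port, service) pairs where an open, identified service is on an unexpected port."""
    mismatches = []
    for e in entries:
        if e["state"] != "open":
            continue
        known = expected.get(e["service"])
        if known is not None and e["port"] not in known:
            mismatches.append((e["port"], e["service"]))
    return mismatches


def find_unidentified_open(entries):
    """Open ports whose service column is 'unknown'; these need a manual look."""
    return [e["port"] for e in entries if e["state"] == "open" and e["service"] == "unknown"]


if __name__ == "__main__":
    table = parse_nmap_table(SAMPLE_SCAN)
    for port, service in find_port_mismatches(table):
        print(f"{service} on port {port} is not on its well-known port")
    for port in find_unidentified_open(table):
        print(f"port {port} is open but the service was not identified")
```

Run against the constructed table it reports http on 22, ssh on 99 and ftp on 324 as mismatches and port 4994 as unidentified, which is exactly the order the writeup then investigates in. The filtered memcache port is ignored on purpose: the state tells you nothing about what is actually listening there.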

I went ahead and ran a curl on the website on port 22:

$ curl hackit.zh3r0.ml:22
z3hr0{shouldve_added_some_filter_here}

Sweet. First flag!

Let’s now take a look at port 324. The output shows that FTP is running on this port. This is also unusual, because FTP’s default and reserved port is 21. We also notice that “Anonymous login” is enabled for FTP, which means we can log in as anonymous with an empty password and poke around.

$ ftp hackit.zh3r0.ml 324
Connected to hackit.zh3r0.ml.
220 (vsFTPd 3.0.3)
Name (hackit.zh3r0.ml:itsecgary): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> _

Now we are logged in. Typing help is a good way to see what commands we can run.

ftp> help
Commands may be abbreviated.  Commands are:

!               dir             mdelete         qc              site
$               disconnect      mdir            sendport        size
account         exit            mget            put             status
append          form            mkdir           pwd             struct
ascii           get             mls             quit            system
bell            glob            mode            quote           sunique
binary          hash            modtime         recv            tenex
bye             help            mput            reget           tick
case            idle            newer           rstatus         trace
cd              image           nmap            rhelp           type
cdup            ipany           nlist           rename          user
chmod           ipv4            ntrans          reset           umask
close           ipv6            open            restart         verbose
cr              lcd             prompt          rmdir           ?
delete          ls              passive         runique
debug           macdef          proxy           send
ftp> _

Nice. Let’s try some:

ftp> dir
500 Illegal PORT command.
425 Use PORT or PASV first.
ftp> ls
500 Illegal PORT command.
ftp> _

Looks like an illegal command. After doing some research, I learned that switching to passive mode lets these commands go through.

ftp> ls -la
227 Entering Passive Mode (139,59,3,42,143,73).
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Jun 18 09:06 .
drwxr-xr-x    3 ftp      ftp          4096 Jun 18 09:06 ..
drwxr-xr-x    3 ftp      ftp          4096 Jun 18 09:06 ...
-rw-r--r--    1 ftp      ftp            22 Jun 18 09:06 test.txt
226 Directory send OK.
ftp> cd ...
250 Directory successfully changed.
ftp> ls -la
227 Entering Passive Mode (139,59,3,42,159,1).
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Jun 18 09:06 .
drwxr-xr-x    3 ftp      ftp          4096 Jun 18 09:06 ..
drwxr-xr-x    2 ftp      ftp          4096 Jun 18 09:06 ...
-rw-r--r--    1 ftp      ftp            46 Jun 18 09:06 .stayhidden
-rw-r--r--    1 ftp      ftp            22 Jun 18 09:06 test.txt
226 Directory send OK.
ftp> cd ...
250 Directory successfully changed.
ftp> ls -la
227 Entering Passive Mode (139,59,3,42,233,178).
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jun 18 09:06 .
drwxr-xr-x    3 ftp      ftp          4096 Jun 18 09:06 ..
-rw-r--r--    1 ftp      ftp            34 Jun 18 09:06 .flag
-rw-r--r--    1 ftp      ftp            22 Jun 18 09:06 test.txt
226 Directory send OK.
ftp>

Looks like we have a couple of files! .. is the parent directory and . is the current directory, so a directory named ... is just a sneaky name picked to look like one of them. We can retrieve these files using get <file> <new_file_name>, which transfers them to our machine (hence File Transfer Protocol). I grabbed each of the test.txt files and renamed them test1, test2, and test3 in case their contents differed.
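The ... directory and the .stayhidden and .flag dotfiles are the whole trick here, and they are easy to miss when skimming a listing by eye. Below is an added example, not code from the writeup, that parses the UNIX-style LIST lines vsftpd returns and sorts the names into three buckets: all-dot names such as ... that imitate the genuine . and .. entries, ordinary dotfiles, and everything else. The sample listing is constructed from the second directory shown above; the FTP status lines are included so the parser has to skip them like a real session would.

```python
"""Separate lookalike directory names and dotfiles in an FTP LIST response.

Added example, not part of the original writeup. It reads the UNIX-style
"ls -la" lines that vsftpd returns and classifies each name so that an
entry like "..." (a directory pretending to be "..") stands out.
"""
import re

# Matches "drwxr-xr-x    3 ftp      ftp          4096 Jun 18 09:06 ..."
# Groups: permissions, owner, group, size, modification time, name.
LIST_LINE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"(\w{3}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(.+)$"
)

# Constructed from the second directory listing in the writeup.
SAMPLE_LISTING = """\
227 Entering Passive Mode (139,59,3,42,159,1).
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Jun 18 09:06 .
drwxr-xr-x    3 ftp      ftp          4096 Jun 18 09:06 ..
drwxr-xr-x    2 ftp      ftp          4096 Jun 18 09:06 ...
-rw-r--r--    1 ftp      ftp            46 Jun 18 09:06 .stayhidden
-rw-r--r--    1 ftp      ftp            22 Jun 18 09:06 test.txt
226 Directory send OK.
"""


def parse_listing(text):
    """Return one dict per directory entry; FTP status lines (227/150/226) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LIST_LINE.match(line)
        if not m:
            continue
        perms, owner, group, size, mtime, name = m.groups()
        entries.append({
            "name": name,
            "is_dir": perms.startswith("d"),
            "size": int(size),
            "perms": perms,
            "mtime": mtime,
        })
    return entries


def classify(entries):
    """Split names into (lookalike dirs, dotfiles, ordinary names).

    "." and ".." are the genuine self/parent entries and are dropped; any other
    name made only of dots ("...", "....") is reported as a lookalike, since it
    exists purely to be overlooked next to them.
    """
    lookalike, hidden, ordinary = [], [], []
    for e in entries:
        name = e["name"]
        if name in (".", ".."):
            continue
        if set(name) == {"."}:
            lookalike.append(name)
        elif name.startswith("."):
            hidden.append(name)
        else:
            ordinary.append(name)
    return lookalike, hidden, ordinary


if __name__ == "__main__":
    lookalike, hidden, ordinary = classify(parse_listing(SAMPLE_LISTING))
    print("lookalike directories:", lookalike)
    print("dotfiles:", hidden)
    print("ordinary entries:", ordinary)
```

With a live server the same parser can be fed the lines that Python's ftplib collects via FTP.retrlines("LIST", callback); the lookalike bucket is the one to descend into next, which is how the writeup reaches the third directory and the .flag file.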

Let’s see what we are working with:

$ ls -la
total 0
drwxrwxrwx 1 gary gary 512 Jun 18 09:09 .
drwxrwxrwx 1 gary gary 512 Jun 18 09:09 ..
-rw-rw-rw- 1 gary gary  34 Jun 18 09:05 .flag
-rw-rw-rw- 1 gary gary  46 Jun 18 09:08 .stayhidden
-rw-rw-rw- 1 gary gary  22 Jun 18 09:06 test1
-rw-rw-rw- 1 gary gary  22 Jun 18 09:07 test2
-rw-rw-rw- 1 gary gary  22 Jun 18 09:09 test3

$ cat .flag
Flag 2: zh3r0{You_know_your_shit}

$ cat .stayhidden
Employee ID: 6890d90d349e3757013b02e495b1a87f

$ cat test1
LOL Nothing here. ;-;

$ cat test2
LOL Nothing here. ;-;

$ cat test3
LOL Nothing here. ;-;

Welp, we got another flag. Note: While writing this writeup, I didn’t realize there was another directory in the first directory, so I only extracted the first two test.txt files and the .stayhidden file, so #rip me for missing out on 419 points lol. We also retrieved an Employee ID, which may be useful later!

Let’s take a look at the open port 4994:

$ nc hackit.zh3r0.ml 4994

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                     ||Employee Entry||

----------------------------------------------------------
                     Sherlock Holmes Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here's a free flag for you, just for finding this door! Flag 1: zh3r0{pr05_d0_full_sc4n5}
Heyo, Watcha looking at? Employee ID yoo! :
6890d90d349e3757013b02e495b1a87f
Hey I know you! You work here!
Books are a uniquely portable magic. - Stephen King

Flag 4: zh3r0{y0ur_s4l4ry_wa5_cr3dit3d}

Looks like they gave us a flag right away. We also got a prompt for the Employee ID, which is the value we found in .stayhidden above. After entering it, we get Flag 4!

This is all I found for these challenges. Flags 3, 6, 7, and 8 were all somewhere on the host. https://github.com/sidchn/zh3r0CTF-writeup is another writeup that kind of hits on Flags 3 and 6.

Flags

Flag 1: zh3r0{pr05_d0_full_sc4n5}

Flag 2: zh3r0{You_know_your_shit}

Flag 4: zh3r0{y0ur_s4l4ry_wa5_cr3dit3d}

Flag 5: z3hr0{shouldve_added_some_filter_here}

Resources

Nmap/Zenmap - https://nmap.org/download.html