
Saturday, January 7, 2017

The King of Clubs

Metasploitable 3



From the meterpreter session I obtained through the Elasticsearch vulnerability, I used the search command to look for files whose names start with king:

meterpreter > search -f king*
Found 5 results...
    C:\Windows\System32\kingofclubs.exe (824563 bytes)
    C:\vagrant\resources\flags\kingofclubs.exe (824563 bytes)
    C:\wamp\www\wordpress\wp-content\uploads\2016\09\king_of_damonds-150x150.png (46738 bytes)
    C:\wamp\www\wordpress\wp-content\uploads\2016\09\king_of_damonds-214x300.png (130832 bytes)
    C:\wamp\www\wordpress\wp-content\uploads\2016\09\king_of_damonds.png (585695 bytes)

I downloaded the file:

meterpreter > download kingofclubs.exe
[*] downloading: kingofclubs.exe -> kingofclubs.exe

[*] download   : kingofclubs.exe -> kingofclubs.exe

I examined the file; as expected it's a 32-bit Windows executable.

root@igor-kali:~/metasploitable3# file kingofclubs.exe
kingofclubs.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
root@igor-kali:~/metasploitable3# binwalk kingofclubs.exe

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Microsoft executable, portable (PE)

I ran it with wine:


root@igor-kali:~/metasploitable3# wine kingofclubs.exe
Could not load wine-gecko. HTML rendering will be disabled.
Could not load wine-gecko. HTML rendering will be disabled.
wine: configuration in ‘/root/.wine’ has been updated.
Who are you? What is your true identity?
root@igor-kali:~/metasploitable3# wine kingofclubs.exe
Who are you? What is your true identity?

OK…hmmm....

I unpacked the UPX-compressed executable, copied it to my Windows host and used OllyDbg to take a look at the code.

root@igor-kali:~/metasploitable3# upx -d kingofclubs.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    962291 <-    824563   85.69%    win32/pe     kingofclubs.exe


Once I stepped past the whole ntdll module into the kingofcl module, I noticed the stack showing some ASCII data that looked like the same header I had already seen in the three_of_spades.png I did before.

PNG Header XOR 0x0F




I ran hexdump on the unpacked executable and grepped for the characters I had seen in three_of_spades.png:

root@igor-kali:~/metasploitable3# hexdump -C kingofclubs.exe | grep -A 1 _AH
0003e000  86 5f 41 48 02 05 15 05  0f 0f 0f 02 46 47 4b 5d  |._AH........FGK]|
0003e010  0f 0f 0d 06 0f 0f 0d d6  07 09 0f 0f 0f 32 53 bd  |.............2S.|

So I ran my byte_xor.py script again with the same key 0x0f:

root@igor-kali:~/metasploitable3# cat byte_xor.py
#!/usr/bin/python

# XOR every byte of the unpacked executable with the key 0x0f found above
input_file = 'kingofclubs.exe'
output_file = input_file + '.out'

b = bytearray(open(input_file, 'rb').read())
for i in range(len(b)):
    b[i] ^= 0x0f
open(output_file, 'wb').write(b)

Now binwalk shows a PNG file at 0x3E000, the same offset my hexdump | grep found:

root@igor-kali:~/metasploitable3# binwalk kingofclubs.exe.out

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
253952        0x3E000         PNG image, 521 x 729, 8-bit/color RGBA, non-interlaced
254014        0x3E03E         Zlib compressed data, best compression

Now I use foremost to carve the file out:
root@igor-kali:~/metasploitable3# foremost kingofclubs.exe.out -o king_of_clubs
Processing: kingofclubs.exe.out
|*|

root@igor-kali:~/metasploitable3# file king_of_clubs/png/00000496.png
king_of_clubs/png/00000496.png: PNG image data, 521 x 729, 8-bit/color RGBA, non-interlaced

Ready to party!
And that's it! All 15 flags done!

 
Caught Them All!!

I won second place 😃

The Seven of Hearts

Metasploitable 3




For this one I used SSH with the Administrator account and the password I had guessed for another card.

I remembered there was a flag in the C:\inetpub\wwwroot folder and went to take a look:
root@igor-kali:~/metasploitable3# ssh Administrator@10.20.10.23
Administrator@10.20.10.23's password:
Last login: Sat Dec 17 12:41:58 2016 from 10.20.10.18
-sh-4.3$ pwd
/cygdrive/c/Users/Administrator
-sh-4.3$ cd ../../inetpub
-sh-4.3$ pwd
/cygdrive/c/inetpub
-sh-4.3$ cd wwwroot
-sh-4.3$ ls
aspnet_client  caidao.asp  hahaha.jpg  index.html  seven_of_hearts.html  six_of_diamonds.zip  welcome.png

I used Burp Suite to intercept the response containing the whole URL generated by the JavaScript embedded in the HTML file.

Burp Suite showing base64 URL

I saved the output to a text file on my system and ran a quick Perl one-liner with a regex to extract only the base64 data:

root@igor-kali:~/metasploitable3# cat seven_of_hearts2.url | perl -ne 'print $1 if(/GET \/(.*)HTTP/g)' > seven_of_hearts.b64

and then decoded the base64 string to binary:

root@igor-kali:~/metasploitable3# cat seven_of_hearts.b64 | base64 -d > seven_of_hearts.png
base64: invalid input

Even though it printed an invalid input message (most likely because the `(.*)` capture also grabs the space before HTTP, which is not a base64 character), it still decoded the image:

root@igor-kali:~/metasploitable3# file seven_of_hearts.png
seven_of_hearts.png: PNG image data, 521 x 729, 8-bit/color RGBA, non-interlaced

Johnny Bravo? 

Friday, January 6, 2017

The Jack of Hearts

Metasploitable 3


I SSH'ed into the server with the Administrator credentials found previously:

root@igor-kali:~# ssh Administrator@10.20.10.19
Administrator@10.20.10.19's password:
Permission denied, please try again.
Administrator@10.20.10.19's password:
-sh-4.3$
-sh-4.3$ pwd
/cygdrive/c/Users/Administrator


I started navigating through the folders and ended up in Users/Public/Documents, where the file listing showed a Word .docx file:

-sh-4.3$ cd Public
-sh-4.3$ ls
Desktop  Documents  Downloads  Favorites  Libraries  Music  Pictures  Videos  desktop.ini
-sh-4.3$ cd Documents/
-sh-4.3$ ls
My Music  My Pictures  My Videos  desktop.ini  jack_of_hearts.docx  seven_of_spades.pdf

I downloaded the file with scp and double-clicked it in Kali Linux; since I don't have any application that reads .docx files, Kali saw it as a Zip file (which a .docx really is underneath) and opened it in the Archive Manager application.

Archive Manager

Happy guy!

The Four of Clubs

Metasploitable 3




Using meterpreter's search command I looked for the four of clubs and downloaded a WAV file:

meterpreter > search -f four_of_clubs*
Found 3 results...
    C:\Program Files\OpenSSH\home\Public\Music\four_of_clubs.wav (550302 bytes)
    C:\Users\Public\Music\four_of_clubs.wav (550302 bytes)
    C:\vagrant\resources\flags\four_of_clubs.wav (550302 bytes)

meterpreter > cd Users
meterpreter > cd Public
meterpreter > cd Music
meterpreter > dir
Listing: C:\Users\Public\Music
==============================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40776/rwxrwxrw-   0       dir   2009-07-14 00:57:55 -0400  Sample Music
100777/rwxrwxrwx  380     fil   2009-07-14 00:57:55 -0400  desktop.ini
100776/rwxrwxrw-  550302  fil   2016-11-25 20:47:41 -0500  four_of_clubs.wav

meterpreter > download four_of_clubs.wav

binwalk showed me there was a PNG file embedded in the WAV file:

root@igor-kali:~# binwalk four_of_clubs.wav

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
58            0x3A            PNG image, 521 x 729, 8-bit/color RGBA, non-interlaced
120           0x78            Zlib compressed data, best compression


I used foremost this time to carve out all the embedded files:


root@igor-kali:~# foremost four_of_clubs.wav
Processing: four_of_clubs.wav
|*|

root@igor-kali:~# cd output/
root@igor-kali:~/output# ls
audit.txt  png  wav
root@igor-kali:~/output# cd png/
root@igor-kali:~/output/png# ls
00000000.png

Serious guy!

Thursday, January 5, 2017

Jack of Diamonds - Broken flag and how to fix it

Metasploitable 3


The Jack of Diamonds


This card is broken, remember my post about Broken Flags?

Anyway, this one is pretty interesting because I've never seen this case before.

If you remember, in my post about the Queen of Hearts I spotted a file called jack_of_diamonds.png in the root of the C:\ drive with a size of zero (0) bytes:

C:\>dir
dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is 1475-561C

 Directory of C:\

11/25/2016  07:33 PM    <DIR>          glassfish
11/25/2016  07:25 PM    <DIR>          inetpub
11/25/2016  07:54 PM                 0 jack_of_diamonds.png
11/25/2016  07:50 PM               103 java0.log
11/25/2016  07:50 PM               103 java1.log
11/25/2016  07:50 PM               103 java2.log
11/25/2016  07:48 PM    <DIR>          ManageEngine
11/25/2016  07:37 PM    <DIR>          openjdk6
07/13/2009  07:20 PM    <DIR>          PerfLogs
11/25/2016  07:53 PM    <DIR>          Program Files
11/25/2016  07:48 PM    <DIR>          Program Files (x86)
11/25/2016  07:54 PM    <DIR>          tmp
11/25/2016  07:38 PM    <DIR>          tools
11/25/2016  07:25 PM    <DIR>          Users
11/25/2016  07:32 PM    <SYMLINKD>     vagrant [\\vboxsrv\vagrant]
11/25/2016  07:36 PM    <DIR>          wamp
11/25/2016  07:54 PM    <DIR>          Windows
10/07/2015  06:22 PM               226 __Argon__.tmp
               5 File(s)            535 bytes
              13 Dir(s)  48,041,852,928 bytes free


Sometimes a simple DIR command doesn't show all the information about the files we are looking at, and it certainly doesn't show hidden files. In this case we need to look at other attributes of the file.

This is the output of DIR /? showing the other options we have:

DIR /?

The /R option seemed interesting: it shows the alternate data streams of a file. What's that? I didn't know there was such a thing (I haven't finished that book I bought about malware 😞), and now I know it is specific to NTFS filesystems. Here's a link from Microsoft explaining what it is.

So, if we run a DIR /R on the jack_of_diamonds.png file we get:

C:\>dir /R jack_of_diamonds.png
 Volume in drive C is Windows 2008R2
 Volume Serial Number is 1475-561C

 Directory of C:\

12/15/2016  07:48 PM                 0 jack_of_diamonds.png
                                 8,191 jack_of_diamonds.png:jack_of_diamonds.txt:$DATA
               1 File(s)              0 bytes
               0 Dir(s)  51,540,779,008 bytes free

C:\>


And there's the alternate data stream, but 8,191 bytes seems too small for a base64-encoded card.
To extract it we can just use the more command; we can also use the Get-Item cmdlet from PowerShell.

C:\>more < jack_of_diamonds.png:jack_of_diamonds.txt:$DATA

We can now store it in a file:

C:\>more < jack_of_diamonds.png:jack_of_diamonds.txt:$DATA > jack_of_diamonds.b64

I had to clean up the file before decoding it back to binary: the text ends with a carriage return (^M) left behind by more, which has to be removed, and it is missing the '=' padding at the end, which has to be added.

And then just use base64 -d to convert it back into a PNG. But as you know the flag is broken, so is the image: we only get the top part of the card border, because of the way the alternate data stream was built.
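An added example (not from the original posts) covering the base64 cleanup this post and the Seven of Hearts post both needed: keep only the base64 alphabet, recompute the padding, and check whether the decoded PNG ends with the IEND chunk, which is what tells a truncated image apart from a merely mis-padded one. The sample data is constructed in the code and is not one of the real flag images.

```python
import base64
import re

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IEND_CHUNK = b"\x00\x00\x00\x00IEND\xaeB`\x82"  # the fixed final 12 bytes of every PNG
_B64_CHARS = re.compile(rb"[A-Za-z0-9+/]+")


def clean_base64(text):
    """Keep only base64 alphabet characters, dropping whatever surrounds them
    (the space captured before 'HTTP', the ^M that `more` leaves behind, line
    breaks), then recompute the '=' padding instead of trusting what is there."""
    if isinstance(text, str):
        text = text.encode("ascii", "ignore")
    body = b"".join(_B64_CHARS.findall(text))
    if len(body) % 4 == 1:
        raise ValueError("base64 length %d is impossible, data is damaged" % len(body))
    return body + b"=" * (-len(body) % 4)


def decode_flag(text):
    """Decode a card's base64 text; returns (png_bytes, is_complete).
    is_complete is False when the IEND chunk is missing, i.e. the image was
    cut off (as with the Jack of Diamonds stream) rather than just padded badly."""
    raw = base64.b64decode(clean_base64(text), validate=True)
    if not raw.startswith(PNG_SIG):
        raise ValueError("decoded data does not start with a PNG signature")
    return raw, raw.endswith(IEND_CHUNK)


# Constructed stand-in for a flag image: PNG signature, 21 filler bytes and the
# IEND chunk. Enough for the checks above, not a renderable picture.
SAMPLE_PNG = PNG_SIG + b"\x00" * 21 + IEND_CHUNK
SAMPLE_B64 = base64.b64encode(SAMPLE_PNG)
# What the Perl one-liner captures from the GET line: the trailing space is
# what makes `base64 -d` complain about invalid input.
CAPTURED_URL = SAMPLE_B64 + b" "
# Constructed equivalent of what `more` dumps from the truncated stream: cut
# short, padding gone, carriage return at the end.
TRUNCATED_ADS = SAMPLE_B64[:32] + b"\r"

if __name__ == "__main__":
    for name, text in (("url", CAPTURED_URL), ("ads", TRUNCATED_ADS)):
        png, complete = decode_flag(text)
        print("%s: %d bytes decoded, complete=%s" % (name, len(png), complete))
```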


Broken Jack of Diamonds


And it's supposed to look like this

Correct card


The issue with how this card was built is that install_flags.bat tries to create the stream with an echo of the whole base64 string into the alternate data stream. That not only doesn't work (8,191 bytes is exactly the maximum length of a cmd.exe command line, which is why the stream is cut off right there), it also makes install_flags.bat hard to edit. To fix this, the team at Rapid7 could put the base64 content in a separate file and use the type command instead of echo in install_flags.bat:

C:\Users\iguar\blog\metasplotable3>type jack_of_diamonds.b64 > jack_of_diamonds-test.png:jack_of_diamonds.txt

C:\Users\iguar\blog\metasplotable3>dir /r jack_of_diamonds-test.png
 Volume in drive C is Windows
 Volume Serial Number is 4085-5A70

 Directory of C:\Users\iguar\blog\metasplotable3

2017-01-05  11:57 AM                 0 jack_of_diamonds-test.png
                               834,089 jack_of_diamonds-test.png:jack_of_diamonds.txt:$DATA
               1 File(s)              0 bytes
               0 Dir(s)  675,664,252,928 bytes free

834,089 bytes is the same size as the base64 text file.

Wednesday, January 4, 2017

The Six of Diamonds

Metasploitable 3



Still using the meterpreter session obtained through the Elasticsearch exploit, we can use the search command to find cards if we know their names:

meterpreter > search -f *diamonds*
Found 6 results...
    C:\jack_of_diamonds.png
    C:\Program Files\OpenSSH\home\Public\Pictures\ten_of_diamonds.png (406134 bytes)
    C:\Users\Public\Pictures\ten_of_diamonds.png (406134 bytes)
    C:\inetpub\wwwroot\six_of_diamonds.zip (384916 bytes)
    C:\vagrant\resources\flags\six_of_diamonds.zip (384916 bytes)
    C:\vagrant\resources\flags\ten_of_diamonds.png (406134 bytes)
meterpreter >

Looking at the path, the six_of_diamonds.zip file sits in the IIS webroot, so it is probably served by the main website on port 80; I downloaded it from there:


root@igor-kali:~# wget http://10.20.10.19/six_of_diamonds.zip
--2016-12-09 23:37:15--  http://10.20.10.19/six_of_diamonds.zip
Connecting to 10.20.10.19:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 384916 (376K) [application/x-zip-compressed]
Saving to: ‘six_of_diamonds.zip’

six_of_diamonds.zi 100%[================>] 375.89K  --.-KB/s    in 0.003s 

2016-12-09 23:37:15 (105 MB/s) - ‘six_of_diamonds.zip’ saved [384916/384916]

I proceeded to use unzip but it prompted me for a password; I tried a couple that failed, then guessed it (tip: it's always the same password).


root@igor-kali:~# unzip six_of_diamonds.zip
Archive:  six_of_diamonds.zip
[six_of_diamonds.zip] six_of_diamonds.png password:
password incorrect--reenter:
password incorrect--reenter:
 extracting: six_of_diamonds.png     


That's a creepy looking dude

Tuesday, January 3, 2017

The Three of Spades

Metasploitable 3




How did you get access to the machine?
I guessed the password of the Administrator account in an SSH login prompt.

How did you spot the file?
Once I had an SSH console on the server I went into the Windows folder and listed the files:

root@igor-kali:~# ssh Administrator@10.20.10.19
Administrator@10.20.10.19's password:
Last login: Thu Dec 15 21:01:49 2016 from 10.20.10.50
-sh-4.3$ cd / ../
-sh-4.3$ pwd
/cygdrive/c/Users
-sh-4.3$ cd ..
-sh-4.3$ pwd
/cygdrive/c
-sh-4.3$ ls windows
AppCompat              TSSysprep.log
AppPatch               Tasks
Boot                   Temp
Branding               Vss
Cursors                Web
DigitalLocker          WindowsShell.Manifest
Downloaded Program Files  WindowsUpdate.log
DtcInstall.log         assembly
Fonts                  bfsvc.exe
Globalization          bootstat.dat
Help                  debug
HelpPane.exe           diagerr.xml
IME                   diagnostics
Installer              diagwrn.xml
L2Schemas              en-US
LiveKernelReports      explorer.exe
Logs                   fveupdate.exe
Media                  hh.exe
Microsoft.NET          iis7.log
ModemLogs              inf
Offline Web Pages      mib.bin
PFRO.log               msdfmap.ini
PLA                   regedit.exe
Panther                rescache
PolicyDefinitions      schemas
Registration           security
RemotePackages         securitynew.sdb
Resources              servicing
SchCache               setupact.log
ServerStandard.xml     setuperr.log
ServerWeb.xml          splwow64.exe
ServiceProfiles        system
Setup                  system.ini
SoftwareDistribution   three_of_spades.png
Speech                 tracing
SysMsiCache            win.ini
SysWOW64               winhlp32.exe
System32               winsxs
TAPI                   write.exe

But if you try the same from a CMD console, you cannot see it unless you list hidden files:

-sh-4.3$ bash
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>cd\
C:\>dir /AH windows
 Volume in drive C is Windows 2008R2
 Volume Serial Number is 1475-561C

 Directory of C:\windows

12/15/2016  06:53 PM    <DIR>          Installer
11/25/2016  05:47 PM           519,696 three_of_spades.png
07/13/2009  08:57 PM               749 WindowsShell.Manifest

How did you extract the file?
I downloaded it with scp:

root@igor-kali:~# scp Administrator@10.20.10.19:/cygdrive/c/Windows/three_of_spades.png .
Administrator@10.20.10.19's password:
three_of_spades.png          

root@igor-kali:~/metasploitable3# file three_of_spades.png
three_of_spades.png: data

I noticed that file doesn't recognise it as a PNG even though it has a PNG extension, so something was probably done to the content.
Since I know how a valid PNG starts, I decided to compare the headers of the bad file and a good one:

BAD
00000000  86 5f 41 48 02 05 15 05  0f 0f 0f 02 46 47 4b 5d  |._AH........FGK]|
GOOD
00000000  89 50 4e 47 0d 0a 1a 0a  00 00 00 0d 49 48 44 52  |.PNG........IHDR|
BAD
00000010  0f 0f 0d 06 0f 0f 0d d6  07 09 0f 0f 0f 32 53 bd  |.............2S.|
GOOD
00000010  00 00 02 09 00 00 02 d9  08 06 00 00 00 3d 5c b2  |.............=\.|

If you XOR the good and bad headers byte by byte, you get 0f for every byte, so that's our encryption key.
I made a Python script:

root@igor-kali:~/metasploitable3# cat byte_xor.py
#!/usr/bin/python

# XOR every byte of the file with the key 0x0f recovered from the headers
input_file = 'three_of_spades.png'
output_file = input_file + '.out'

b = bytearray(open(input_file, 'rb').read())
for i in range(len(b)):
    b[i] ^= 0x0f
open(output_file, 'wb').write(b)

I ran my script and listed the result:

root@igor-kali:~/metasploitable3# ls
three_of_spades.png      three_of_spades.png.out
root@igor-kali:~/metasploitable3# file three_of_spades.png.out
three_of_spades.png.out: PNG image data, 521 x 729, 8-bit/color RGBA, non-interlaced
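Putting the steps of this post and of the King of Clubs post together (spot the XOR-ed PNG header, recover the key, decode and carve): an added example, not code from the original posts. It derives the key from the known PNG signature instead of eyeballing the hexdump, and walks the chunk list to IEND the way foremost does when it carves the image; the container and the 1x1 image are constructed in the code, and the embedded offset is made up.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def find_xored_png(data):
    """Scan for a PNG signature obfuscated with a single-byte XOR key.
    Returns (offset, key) of the first hit, or None; key 0 means a plain PNG."""
    for off in range(len(data) - len(PNG_SIG) + 1):
        # XOR with a constant keeps the differences between bytes, so derive the
        # key from the first byte and verify it on the other seven (no brute force).
        key = data[off] ^ PNG_SIG[0]
        if all(data[off + i] ^ key == PNG_SIG[i] for i in range(1, len(PNG_SIG))):
            return off, key
    return None

def carve_png(data, offset, key):
    """XOR-decode from offset and walk the chunk list up to IEND, returning
    exactly the image bytes (what foremost does when it carves a PNG)."""
    buf = bytes(b ^ key for b in data[offset:])
    if not buf.startswith(PNG_SIG):
        raise ValueError("no PNG signature at offset with key 0x%02x" % key)
    pos = len(PNG_SIG)
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(buf):
            raise ValueError("truncated PNG: chunk %r runs past the end" % ctype)
        crc, = struct.unpack(">I", buf[end - 4:end])
        if zlib.crc32(buf[pos + 4:end - 4]) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r: damaged data" % ctype)
        pos = end
        if ctype == b"IEND":
            return buf[:pos]
    raise ValueError("no IEND chunk found")

def make_sample_png():
    """Constructed 1x1 RGBA PNG used as test input (not one of the flag images)."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8-bit RGBA
    idat = zlib.compress(b"\x00\xff\x00\x00\xff")         # filter 0 + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

KEY = 0x0F
SAMPLE_PNG = make_sample_png()
# Constructed container: filler, the image XOR-ed with 0x0f, more filler; it
# stands in for the PNG the post finds at 0x3E000 inside kingofclubs.exe.
CONTAINER = b"MZ" + b"\x90" * 300 + bytes(b ^ KEY for b in SAMPLE_PNG) + b"\x00" * 40

if __name__ == "__main__":
    off, key = find_xored_png(CONTAINER)
    print("PNG at 0x%x, key 0x%02x, %d bytes carved" % (off, key, len(carve_png(CONTAINER, off, key))))
```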


Good doggy!