IMF Walkthrough (Vulnhub)

Geckom uploaded his first vulnerable machine to vulnhub.com.

As posted before, you can find a lot of (mostly) VirtualBox images that are vulnerable in several ways. Usually there is one goal: find a number of flags, with the last flag only being available once you have rooted the system. The vulnerabilities range from insecure web applications to insecure, old or home-made services, the need to use port knocking, things hidden in images, reverse engineering (buffer overflows), cryptography and many more.

The information given @vulnhub about IMF does not tell you how many flags there are.

There are walkthroughs available in case you get stuck. No walkthrough is posted for the IMF challenge but I did see some tweets from people having solved IMF.

Welcome to “IMF”, my first Boot2Root virtual machine. IMF is an intelligence agency that you must hack to get all flags and ultimately root. The flags start off easy and get harder as you progress. Each flag contains a hint to the next flag. I hope you enjoy this VM and learn something.

Difficulty: Beginner/Moderate

Can contact me at: geckom at redteamr dot com or on Twitter: @g3ck0m

So let’s see what IMF is about:

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: IMF – Homepage

OS details: Linux 3.2 – 4.4, Linux 4.4

Going to the webpage will show the page below:

[Image: IMF homepage]

I always download images from websites to see if there is something hidden in them: binaries, strings or other useful artifacts. I use binwalk and ExifTool to get some more information. The IMF logo above has no usable information in it.

The image on the project page (brain.jpg) seems to hold some usable information in the IPTC Digest.

Current IPTC Digest : d41d8cd98f00b204e9800998ecf8427e
IPTC Digest : d41d8cd98f00b204e9800998ecf8427e

Trying to crack the MD5 hash, I found this hash to be generated using: md5sum /dev/null (the MD5 of empty input).

I’m not sure if the above hash is something we need to use later on. It’s certainly not a flag, because after viewing the source of every page I found flag 1 (YWxsdGhlZmlsZXM= -> decoded -> allthefiles):


<section id="service">
    <div class="container">
        <!-- flag1{YWxsdGhlZmlsZXM=} -->
        <div class="service-wrapper">
            <div class="row">
                <div class="col-md-4 col-sm-6">
                    <div class="block wow fadeInRight" data-wow-delay="1s">
                        <div class="icon">
                            <i class="fa fa-desktop"></i>
                        </div>
                        <h3>Roger S. Michaels</h3>
                        rmichaels@imf.local
                        Director
                    </div>


What I also noticed, after a while I must say, is that 3 filenames are parts of a base64 encoded string: flag2{aW1mYWRtaW5pc3RyYXRvcg==} -> decoded -> imfadministrator


I often find myself puzzling around long enough to forget the previous hint 😉 (allthefiles). I first combined the filenames using the order found in the Burp target window, not the order in the head section of the index, contact or project.php file.

[Image: flag2_decrypted]

In the background dirbuster is running. So far, after an hour, it has only found a directory on the webserver called /less, which gives me a forbidden message. There are no other open ports, so I go back to scrolling through the files on the webserver.

Since there is no login page and no input fields other than the contact form, I decided to just try “imfadministrator” as a directory. This gives me a login screen.

I have stopped dirbuster because I’m just impatient. In previous CTFs I found the results to be there quickly; if it takes long, the probability of getting results with this method is not that big, and usually this indicates a dead end. Let’s keep the “less” directory in the back of my mind.

[Image: imfadministrator login page]

Viewing the source of this page gives us a clue on how to proceed: <!-- I couldn’t get the SQL working, so I hard-coded the password. It’s still mad secure through. - Roger -->

So let’s see. Username Roger with password madsecure: fail. Same for imfadministrator: fail. What I notice is that the error message is very specific, namely “invalid username”, which is distinct from “invalid password”. Let’s try the 3 names shown on the contact page: rmichaels@imf.local fails with invalid username; without the @imf.local it fails with invalid password. So rmichaels is a valid username. Let’s check the other 2: estone and akeith are both invalid. So the hammering needs to be done using the rmichaels account.

While hydra is brute forcing the login page with rmichaels as the username, I also found some other pages: http://192.168.1.68/imfadministrator/cms.php (using dirbuster in files-only pure brute force mode, no wordlist) and http://192.168.1.68/imfadministrator/uploads/ (403).

After hours of brute force and guessing I decided to check the walkthrough made by g0blin; I was totally stuck. flag3{Y29udGludWVUT2Ntcw==} -> decoded -> continueTOcms can be obtained by editing the name of the password field using Inspect Element. So much for the hammering 🙁
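To show why the login behaved as it did (the distinct error messages that confirmed rmichaels, and the bypass by renaming the password field), here is an added example written for this walkthrough; it is not the VM’s own code, whose source is not on the page. The field names user and pass, the placeholder password and PHP 7.x behaviour are assumptions.

```php
<?php
// Added example, not the VM's own login code (its source is not on the page).
// Assumes PHP 7.x, where an internal function given the wrong argument type
// emits a warning and returns NULL instead of throwing a TypeError.

// Constructed placeholder; the VM's hard-coded password is not on the page.
const EXAMPLE_PASSWORD = 'placeholder-not-the-real-one';

// Vulnerable: distinct messages reveal which half was wrong (that is how
// rmichaels was confirmed as a valid account), and strcmp() == 0 is a loose
// comparison. If the field is submitted as pass[] then $post['pass'] is an
// array; strcmp() returns NULL with a warning, and NULL == 0 is true, so the
// password check is satisfied without knowing the password.
function weakLogin(array $post, string $validUser, string $password): string
{
    if (!isset($post['user']) || $post['user'] !== $validUser) {
        return 'Invalid username';
    }
    if (strcmp($post['pass'] ?? '', $password) == 0) {
        return 'Logged in';
    }
    return 'Invalid password';
}

// Hardened: one generic message, strict type checks, and a constant-time
// comparison against a password hash instead of a plaintext constant.
function safeLogin(array $post, string $validUser, string $passwordHash): string
{
    $user = $post['user'] ?? '';
    $pass = $post['pass'] ?? '';
    if (!is_string($user) || !is_string($pass)) {
        return 'Login failed';
    }
    // Both checks run every time, so the response does not reveal which failed.
    $userOk = hash_equals($validUser, $user);
    $passOk = password_verify($pass, $passwordHash);
    return ($userOk && $passOk) ? 'Logged in' : 'Login failed';
}

$hash = password_hash(EXAMPLE_PASSWORD, PASSWORD_DEFAULT);
// Constructed request: the password field was renamed to pass[] in the browser.
$tampered = ['user' => 'rmichaels', 'pass' => []];
echo weakLogin($tampered, 'rmichaels', EXAMPLE_PASSWORD), "\n";
echo safeLogin($tampered, 'rmichaels', $hash), "\n";
```

On PHP 8 the weak version throws a TypeError instead of logging the user in, which is why the generic-message and type-check fixes matter independently of the PHP version.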

We take the hint and continue to the CMS which gives the screen below:

[Image: IMF CMS page]

Throwing some garbage at http://192.168.1.68/imfadministrator/cms.php?pagename=/../../..%27%27/etc/passwd%27%27%27 broke the SQL query, so we probably have a SQL injection point here:

Warning: mysqli_fetch_row() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/imfadministrator/cms.php on line 29
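As an added illustration (not the VM’s actual cms.php, whose source is not on the page), here is a page lookup written the way the warning above suggests, next to a prepared-statement version. The $db connection, the pages table and the pagedata column are assumed names.

```php
<?php
// Added example, not the VM's cms.php. $db is assumed to be an open mysqli
// connection; the pages table and pagedata column are constructed placeholders.

// Vulnerable: the pagename parameter is concatenated into the query. A stray
// quote breaks the SQL, mysqli_query() returns false, and mysqli_fetch_row(false)
// produces exactly the warning shown above, which also leaks the script path.
function loadPageUnsafe(mysqli $db, string $pagename): ?string
{
    $result = mysqli_query($db, "SELECT pagedata FROM pages WHERE pagename = '$pagename'");
    $row = mysqli_fetch_row($result);   // warning when $result === false
    return $row ? $row[0] : null;
}

// Hardened: bound parameter, explicit failure handling, errors logged server-side
// only. The allow-list matches the page names seen on this site (home,
// tutorials-incomplete) and rejects anything else before it reaches the database.
function loadPageSafe(mysqli $db, string $pagename): ?string
{
    if (!preg_match('/^[a-z0-9-]{1,64}$/', $pagename)) {
        return null;
    }
    $stmt = $db->prepare('SELECT pagedata FROM pages WHERE pagename = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);
        return null;
    }
    $stmt->bind_param('s', $pagename);
    $stmt->execute();
    $stmt->bind_result($pagedata);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $pagedata : null;
}
```

Setting display_errors to Off in production keeps warnings like the one above out of HTTP responses even when a query does fail.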

The easiest way to continue is to capture a valid request such as http://192.168.1.68/imfadministrator/cms.php?pagename=home in Burp, save the request to a file and start sqlmap using: sqlmap -r "path to saved file"

[Image: sqlmap output]

And oops, there it is. We have a SQL injection which we can exploit. Let’s poke around in the database!

Making a dump of the admin database, I quickly managed to find flag 4 in a QR code in an image (flag4{dXBsb2Fkcjk0Mi5waHA=} -> decoded -> uploadr942.php).

The QR code is on the following page -> http://192.168.1.68/imfadministrator/cms.php?pagename=tutorials-incomplete

SQLMAP command: sqlmap -r "path to saved file" -D admin --dump-all

Using the decoded previous flag brings us to the following page:

http://192.168.1.68/imfadministrator/uploadr942.php

[Image: IMF Vulnhub upload page]

Let’s see if we can upload some of the simple shells that come with Kali. Picking a simple backdoor PHP file throws an error telling me that the filetype is invalid. Let’s try to upload a renamed PHP file (.jpg). It seems that only image uploads are allowed.

Appending a .jpg extension to a PHP file gives me: Error: CrappyWAF detected malware. Signature: system php function detected.

I’ll continue with the IMF walkthrough on Friday/Saturday, so flags 5 and 6 are pending. I spent a lot of time trying to get something out of the Intelligence Upload Form but so far without much progress. Better to take some distance and have another try in a few days.
