THM: En-Pass
En-pass
Get what you can’t
Think-out-of-the-box
Yeah, if you say so.
This released yesterday and I haven’t completed it; I probably won’t. It’s SSH and HTTP only, and you do a series of repetitive but not very interesting dirbuster/gobuster/dirsearch whatever to find an encrypted private SSH key, at:
/web/resources/infoseek/configure/key
The passphrase isn’t in rockyou; you can get it by sending a nonsensical string to /reg.php, and you can figure that out because it includes the source code. Don’t bother with the nonsense, the passphrase is:
cimihan_are_you_here?
We still need a username to connect though, and none of the ones that we might think that are scattered about seem to work.
What else do we have? A zip directory filled with 100 identical zipfiles, all of which contain the word sadman. A 403.php file that I suspect has some relevance. A hideously ugly frontpage with some ROT13 and Base64 encoded stuff that may or may not be trolling. Several images that probably don’t contain stego things but you wouldn’t know.
All in all, this seems like the sort of ‘gotcha’ CTF I despise, with nothing novel or realistic. I’m not going to persist with it any further. I note that when it was released the difficulty was rated easy but it’s since been bumped to medium. Whatever.
I will amend this if and only if the challenge turns out to have some interesting parts to it.
Hopefully I’ll have something more interesting to write about later.
Addendum
Hints and writeups are out so I went for a look. It turns out that you get the username from the 403.php file; I suspected it may have been relevant. By requesting a specific url, you get the page. The url is:
http://10.10.46.222:8001/403.php/..;/
This isn’t some PHP filter bypass, the room creator literally hardcoded it into the source:
$url_path = urlPath();
$bypass_url = "http://$host/403.php/..;/" ;
if ( $url_path === $bypass_url){
echo "<h3>Glad to see you here.Congo, you bypassed it. 'imsau' is waiting for you somewhere.</h3>";
}Seems like my judgement about this room was on point.
Putting my conspiracy theory hat on for a second, most of the accepted writeups used the same tool from github to fuzz the page. Hmmmmmmmmmm.
Anyway, we can see if the string we needed was in seclists:
┌──(root💀kali)-[/usr/share/seclists/Fuzzing]
└─# grep -Fr '..;'
fuzz-Bo0oM.txt:;/..;/
fuzz-Bo0oM.txt:..;/..;/
fuzz-Bo0oM.txt:status/..;/
fuzz-Bo0oM.txt:..;/x
fuzz-Bo0oM.txt:login;/..;/admin
fuzz-Bo0oM.txt:..;/
User-Agents/software-type-specific/web-browser.txt:Mozilla/5.0 (...; rv:14.0) Gecko/20100101 Firefox/14.0.1
User-Agents/layout-engine-name/gecko.txt:Mozilla/5.0 (...; rv:14.0) Gecko/20100101 Firefox/14.0.1
User-Agents/software-name/firefox.txt:Mozilla/5.0 (...; rv:14.0) Gecko/20100101 Firefox/14.0.1So yes, it’s in fuzz-Bo0om.txt. Let’s run ffuf. Oh wait, I can’t because my Kali VM shat itself and I lost my tools. Fine, let’s install it and then run it.
──(root💀kali)-[/opt/ffuf]
└─# git clone https://github.com/ffuf/ffuf ; cd ffuf ; go get ; go build
# etc
──(root💀kali)-[/opt/thm/enpass]
└─# ffuf -w /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt -u http://10.10.46.222:8001/403.php/FUZZ -fs 1123
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.0-git
________________________________________________
:: Method : GET
:: URL : http://10.10.46.222:8001/403.php/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 1123
________________________________________________
..;/ [Status: 200, Size: 917, Words: 168, Lines: 71]
:: Progress: [4288/4288] :: Job [1/1] :: 124 req/sec :: Duration: [0:00:38] :: Errors: 0 ::I’m not doing this for THM points, so I’m not going to do the root on this one.