Both of these boxes were HTTP and SSH only; I’ll mention Beelzebub first since it is freshest in my mind.
HTTP
Doing a GET on /index.php seemingly returns a 404 but hidden in the source code for that page is a comment. We realise something is different because dirbuster shows it’s actually a 200 status:
[03:10:48] 200 - 271B - /index.php
The page says:
404 Not Found
In the source is:
My heart was encrypted, “beelzebub” somehow hacked and decoded it.-md5
The MD5 of “beezlebub” is d18e1e22becbd915b45e0e655429d487, and this is a directory with a wordpress installation. I should note at this point the box kept trying to redirect to 192.168.1.6, presumably this was the IP the creator used. My DHCP server assigned it 192.168.1.86, and I had all manner of problems. Fortunately I had 192.168.1.6 free, so I assigned it as a static IP for this address.
wpscan
This shows us, amongst other things:
Some manual enumeration leads us to http://beezlebub/d18e1e22becbd915b45e0e655429d487/wp-content/uploads/Talk%20To%20VALAK/index.php where we can enter commands to ‘talk’ to Valak. These just get echoed back and it doesn’t seem like we can inject. However if we check Burp, we do get a cookie:
Password=M4k3Ad3a1
Interesting! The box has phpmyadmin; doesn’t work there. Tried wordpress login; nope. SSH? Yes.
Since we’re here, let’s look at the Valak thing:
Doesn’t seem like we had to do anything special to trigger this.
Privesc
Our user left his bash_history showing how to privesc - not sure if intentionally or not! Anyway, we have Serv-U installed, and we can get root with it:
There is actually a Metasploit module for this exploit too. Linpeas didn’t make a big deal out of Serv-U being present but it did notice some files associated with it, e.g.
/usr/local/Serv-U/Serv-U.Archive
Vikings
So this one you had to fuzz for a hidden file (war.txt) which led you to another path, which was a bunch of gibberish. Actually it was a password protected ZIP file which had then been base64 encoded. I downloaded it with curl, then decoded it and sent it through zip2john before cracking the password. I didn’t take notes while I was doing it, but that was the process.
By the way, someone asked me for a hint on this via discord after I posted to root proof lol. Anyway, inside the ZIP file was a JPEG, which then had another ZIP file hidden inside which you could extract with binwalk.
And there are our SSH creds, for floki.
privesc
Now it seems the creator of this box probably intended for us to do this move to another user with some more CTFy stuff, but he/she also left our user as part of the LXD group. So why not use it?
Now I suppose this was unintended, but hackers gonna hack, amirite? The only funny thing was both curl and wget didn’t seem to work on this machine. scp was fine though….