The Purge was created by strata, and I can tell you it’s a hassle to complete. But I did, and here’s how!
What’s Running
I don’t want to tell you how to do this bit, so here’s the output:
root@kali:~# nmap -sS -p- -T5 -Pn 172.16.231.134
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-06 22:17 GMT
Nmap scan report for thepurge (172.16.231.134)
Host is up (0.00027s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:AD:9E:6C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 52.91 seconds
root@kali:~#
Visiting the HTTP server without specifying a hosts entry will provide you with some instructions; once a hosts entry has been created, you can reference the VM correctly.
So, I hit it with a browser to see what I was faced with.
(screenshot: thepurge_001)
None of the links on this page work, so I’m stuck just looking at it. Using nc, I saw that the page is served through Varnish:
root@kali:~# nc 172.16.231.134 80
GET / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 06 Jan 2015 22:21:12 GMT
Server: Apache
Last-Modified: Fri, 02 Jan 2015 22:52:51 GMT
ETag: "82a-50bb3334896c0"
GovPurGe: Blessed be our New Founding Fathers and America
Content-Type: text/html;charset=UTF-8
X-Varnish: 3
Age: 0
Via: 1.1 varnish-v4
Connection: close
Accept-Ranges: bytes
Varnish is an HTTP caching server, and it supports a PURGE request method that evicts objects from its cache. Also note the GovPurGe header.
My next step was to do some enumeration on the page. There are 3 reviews, one of which is in pseudo-Latin. However, there are 4 words that immediately stood out to me due to strange capitalisation: Steg, Hide, Varnish, and Purge.
I already know the server is Varnish, and I know about the PURGE option. However, steghide implies that something is hidden in an image…
So, an ominous message… I’ll note that down for later as it is not required right now.
There’s nothing else of interest on this page, so I decided to see what would happen if I sent a PURGE request to the main page using curl.
Once the PURGE completed, I visited the page again with a browser, and was presented with different page content.
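Whether an anonymous client can do what was just done depends entirely on the VCL the administrator loads. The following is an added example, not part of the original post or the VM’s configuration: a vcl_recv that honours PURGE from anyone (the weak setting that allows unauthenticated cache eviction) beside one that restricts it to an ACL. The ACL name and the 10.0.0.0/8 management range are assumptions.

```vcl
vcl 4.0;

# Before (weak): any client that can reach port 80 may evict cached objects.
# sub vcl_recv {
#     if (req.method == "PURGE") {
#         return (purge);
#     }
# }

# After: only addresses in the purge ACL may send PURGE; everyone else gets a 405.
acl purge {
    "localhost";
    "127.0.0.1";
    "10.0.0.0"/8;   # assumed management network; adjust to your environment
}

sub vcl_recv {
    if (req.method == "PURGE") {
        if (!client.ip ~ purge) {
            return (synth(405, "PURGE not allowed from this address"));
        }
        return (purge);
    }
}
```

Only one vcl_recv should be loaded; the commented-out block is kept to show what the open configuration looks like.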
(screenshot: thepurge_002)
Interesting. I also discovered that the image at the bottom of the page, which I had previously run through steghide, had a different filename. Maybe there’s something different inside it?
Different data; that’s interesting. The YouTube video linked is Knocking on Heaven’s Door by Guns N’ Roses; however, the random characters after the URL are hex, which decode to 2005, 31337, 1995, and 22 in decimal. That sounds like port knocking to me, which would open SSH access, but I don’t have any usernames, passwords, or private keys to use.
Remember the message we obtained from the first JPEG file? “The reviewers are fortunate to have homes in today's purged economic climate.” This implies that we might be able to browse the home folders of the various reviewers. Looking at the original and purged versions of the front page, it is possible to obtain a list of possible users: Bill Williams0n, Zoey Sand1n, James Holmes, Charlie Hanger, and Bin Ladin. Of these users, only two home folders are accessible.
<html><head><title>Bill Williamson</title></head><body bgcolor="black"><center><embed width="840" height="620" src="http://www.youtube.com/v/vca7c04r95I"></center></body><!-- For the glory of sshaitan, of course! --></html>
This didn’t tell me much, so I decided to PURGE it too using the curl command from earlier. This resulted in the following page being made available:
(screenshot: thepurge_004)
The YouTube video is even weirder, but the source changed too.
That, to me, looks like a private key. So, back to port knocking.
Who’s There
Once the private key has been saved into a file and chmodded correctly (600), I use knocker to knock the ports, which opens up SSH access.
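From the defender’s side, a knock sequence like the one decoded above leaves a recognisable trace: SYNs from one source to a fixed set of closed ports, in order, within a few seconds. The following is an added example, not from the original post, that scans iptables-style LOG lines for that pattern. The log lines are constructed, and the LOG format is simplified to the fields the parser needs.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines (not from the original post). The first host's DPT
# values follow the knock sequence decoded above (2005, 31337, 1995) and then SSH.
SAMPLE_LOG = """\
Jan  6 22:30:01 thepurge kernel: IN=eth0 OUT= SRC=172.16.231.1 DST=172.16.231.134 PROTO=TCP SPT=40001 DPT=2005 SYN
Jan  6 22:30:01 thepurge kernel: IN=eth0 OUT= SRC=172.16.231.1 DST=172.16.231.134 PROTO=TCP SPT=40002 DPT=31337 SYN
Jan  6 22:30:02 thepurge kernel: IN=eth0 OUT= SRC=172.16.231.1 DST=172.16.231.134 PROTO=TCP SPT=40003 DPT=1995 SYN
Jan  6 22:30:03 thepurge kernel: IN=eth0 OUT= SRC=172.16.231.1 DST=172.16.231.134 PROTO=TCP SPT=40004 DPT=22 SYN
Jan  6 22:31:10 thepurge kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=172.16.231.134 PROTO=TCP SPT=50001 DPT=2005 SYN
Jan  6 22:31:11 thepurge kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=172.16.231.134 PROTO=TCP SPT=50002 DPT=1995 SYN
Jan  6 22:35:00 thepurge kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=172.16.231.134 PROTO=TCP SPT=50003 DPT=31337 SYN
"""

KNOCK_SEQUENCE = (2005, 31337, 1995)  # the ports decoded from the hex in the post
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d) .*SRC=(\S+) .*DPT=(\d+) .*SYN")

def parse_line(line):
    """Return (seconds since midnight, source IP, destination port), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hh, mm, ss, src, dpt = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), src, int(dpt)

def find_knock_sequences(log_text, sequence=KNOCK_SEQUENCE, window=10):
    """Return (source IP, completion time) for each source that hit the ports in
    `sequence`, in order, within `window` seconds. Assumes a single day of logs."""
    state = defaultdict(lambda: (0, None))  # src -> (next index expected, time of first knock)
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        idx, started = state[src]
        if started is not None and ts - started > window:
            idx, started = 0, None  # sequence took too long: start again
        if dpt == sequence[idx]:
            started = ts if idx == 0 else started
            idx += 1
            if idx == len(sequence):
                hits.append((src, ts))
                idx, started = 0, None
        elif dpt == sequence[0]:
            idx, started = 1, ts  # wrong port for this step, but a valid first knock
        else:
            idx, started = 0, None
        state[src] = (idx, started)
    return hits
```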
So, now I have a shell. More enumeration required! Wandering around the file system shows that bwilliams0n has access to /home/zsand1n. Within that folder is an archive encrypted with PGP.
Could I use my old friend PURGE and see if the file changes? Why yes, yes I can… and yes, it does change: I now have a private key instead of a public one.
This can now be imported into GPG and used to decrypt the archive found earlier. Remember the GovPurGe header from earlier? It contains the passphrase required to use the key.
I spent a lot of time looking through the files from this archive, and eventually found a password of “vi.isforleeth@xxors” hidden in .bash_history in the jholmes directory.
This allowed me to su to the jholmes user and discover that he is able to run the /usr/bin/varnishadm application via sudo. I also discovered that, with a few tweaks, you can get varnishadm to compile inline C and run commands as the user varnishd runs as. The last video shows me switching to the jholmes user, creating a malicious shell script to grab a copy of the dash binary from my attacking VM (dash does not drop privileges the way bash does, so it is a much better option for suid shells), running sudo varnishadm, and configuring Varnish to run as root instead of the varnish user. I then configure the cc_compiler parameter to run the malicious script I created earlier, which allows me to drop to a root shell and read the /FLAG.txt file.