zh3r0 CTF - Hacking Machine Challenges

NOTE: I wrote most of this before they added flags 6 and 7, so those are not written up here.

At the start of the challenges we aren’t given much information, other than we are looking for five flags, and they are all on hackit.zh3r0.ml. First things first, let’s run an nmap scan.

root@kali:~# nmap -T4 -p- -v -A hackit.zh3r0.ml
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 11:55 EDT
Scanning hackit.zh3r0.ml (139.59.3.42) [65535 ports]
Discovered open port 22/tcp on 139.59.3.42
Discovered open port 4994/tcp on 139.59.3.42
Discovered open port 324/tcp on 139.59.3.42
Discovered open port 99/tcp on 139.59.3.42
Completed SYN Stealth Scan at 12:02, 437.57s elapsed (65535 total ports)
PORT      STATE    SERVICE      VERSION
22/tcp    open     http         Apache httpd 2.4.43 ((Unix))
| http-methods: 
|   Supported Methods: HEAD GET POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.43 (Unix)
|_http-title: Site doesn't have a title (text/html).
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
99/tcp    open     ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 70:78:8f:70:79:59:72:5f:05:c9:2a:63:b4:34:c1:52 (RSA)
|   256 08:6d:42:16:2a:47:ae:b4:d7:fa:35:28:91:67:ab:63 (ECDSA)
|_  256 e4:89:6b:09:37:64:c2:47:01:bd:c2:32:d8:cd:06:2d (ED25519)
324/tcp   open     ftp          vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp            22 Jun 15 15:05 test.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:98.235.69.163
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
4994/tcp  open     unknown
| fingerprint-strings: 
|   GenericLines, GetRequest, HTTPOptions: 
|     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|     ||Employee Entry||
|     ----------------------------------------------------------
|     Sherlock Holmes Inc.
|     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|     Here's a free flag for you, just for finding this door! Flag 1: zh3r0{pr05_d0_full_sc4n5}
|     Heyo, Watcha looking at? Employee ID yoo! : 
|     away kiddo, huh, Kids these days!

So we can see only a few services running. First thing that will notice is we’ve already found our first flag, just for doing a full scan. Another thing that you should notice pretty quickly is that port 22 is open, but it is not running SSH. There is a web server hidden there. Firefox will not let you visit port 22 because it is not a standard HTTP port, so we’ll check it out with curl.

root@kali:~# curl http://hackit.zh3r0.ml:22                                                 
z3hr0{shouldve_added_some_filter_here}

That was pretty easy! You’ll notice it didn’t include what flag number it is, but we can narrow that down pretty easily after we get the rest of the flags. Next up, let’s check out that FTP server running on port 324, another non standard port.

root@kali:~# ftp hackit.zh3r0.ml 324
Connected to hackit.zh3r0.ml.
220 (vsFTPd 3.0.3)
Name (hackit.zh3r0.ml:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pass
Passive mode on.
ftp> ls -la
227 Entering Passive Mode (139,59,3,42,115,114).
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Jun 15 15:05 .
drwxr-xr-x    3 ftp      ftp          4096 Jun 15 15:05 ..
drwxr-xr-x    3 ftp      ftp          4096 Jun 15 15:05 ...
-rw-r--r--    1 ftp      ftp            22 Jun 15 15:05 test.txt
226 Directory send OK.
ftp> cd ...
250 Directory successfully changed.
ftp> ls -la
227 Entering Passive Mode (139,59,3,42,124,177).
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Jun 15 15:05 .
drwxr-xr-x    3 ftp      ftp          4096 Jun 15 15:05 ..
drwxr-xr-x    2 ftp      ftp          4096 Jun 15 15:05 ...
-rw-r--r--    1 ftp      ftp            46 Jun 15 15:05 .stayhidden
-rw-r--r--    1 ftp      ftp            22 Jun 15 15:05 test.txt
226 Directory send OK.
22 bytes received in 0.00 secs (57.7537 kB/s)
ftp> get .stayhidden
local: .stayhidden remote: .stayhidden
227 Entering Passive Mode (139,59,3,42,25,94).
150 Opening BINARY mode data connection for .stayhidden (46 bytes).
226 Transfer complete.
46 bytes received in 0.00 secs (176.8578 kB/s)
ftp> cd ...
250 Directory successfully changed.
ftp> ls -la
227 Entering Passive Mode (139,59,3,42,92,135).
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jun 15 15:05 .
drwxr-xr-x    3 ftp      ftp          4096 Jun 15 15:05 ..
-rw-r--r--    1 ftp      ftp            34 Jun 15 15:05 .flag
-rw-r--r--    1 ftp      ftp            22 Jun 15 15:05 test.txt
226 Directory send OK.
ftp> get .flag
local: .flag remote: .flag
227 Entering Passive Mode (139,59,3,42,242,25).
150 Opening BINARY mode data connection for .flag (34 bytes).
226 Transfer complete.
34 bytes received in 0.01 secs (3.1604 kB/s)

So as you can see, they had some data hidden in … directories, but we were able to find everything thanks to the -la flags we used on ls. You can see I downloaded the .stayhidden and .flag files. I also downloaded all three test.txt files, just to make sure I didn’t mess anything. They all turned out to be nothing. Let’s check out what is in the other files.

root@kali:~# cat .stayhidden
Employee ID: 6890d90d349e3757013b02e495b1a87f
root@kali:~# cat .flag
Flag 2: zh3r0{You_know_your_shit}

We found our third out of five flags, as well as an employee ID. That looks like it could be useful on that other port we found open, 4994. Let’s go try it out!

root@kali:~# nc hackit.zh3r0.ml 4994

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                     ||Employee Entry||

----------------------------------------------------------
                     Sherlock Holmes Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here's a free flag for you, just for finding this door! Flag 1: zh3r0{pr05_d0_full_sc4n5}
Heyo, Watcha looking at? Employee ID yoo! : 
6890d90d349e3757013b02e495b1a87f
Hey I know you! You work here!
Books are a uniquely portable magic. - Stephen King

Flag 4: zh3r0{y0ur_s4l4ry_wa5_cr3dit3d}

Four flags down, only one to go! At this point in the challenge I spent a little too much time trying to access SSH on port 99. I had found a flag on all of the other services so far, so I figured that must be where the last flag is hidden. I tried various combinations of book related usernames and password due to the Sherlock Holmes and Stephen King references. After a little while I took a break and decided to run dirb against the webserver running on port 22.

root@kali:~# dirb http://hackit.zh3r0.ml:22 /usr/share/wordlists/dirb/common.txt 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Jun 16 21:35:50 2020
URL_BASE: http://hackit.zh3r0.ml:22/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://hackit.zh3r0.ml:22/ ----
+ http://hackit.zh3r0.ml:22/robots.txt (CODE:200|SIZE:157)                                                                                                           
                                                                                                                                                                     
-----------------
END_TIME: Tue Jun 16 22:38:36 2020
DOWNLOADED: 4612 - FOUND: 1

root@kali:~# curl http://hackit.zh3r0.ml:22/robots.txt
Hmmm you shouldnt be here.... 2yryYz3sx16kWt72agdFZJqxZ5kqqvocsnU416bULtVs63Cvwmvr6f34Ck8sSHQU1PPnQqD7bqW9q

As you can see we found a robots.txt, and downloaded it. It contains an encrypted string, which Cyber Chef will tell us is a base58 when using the magic function. When decoded it sends us to a text file on the server. Let’s go download it.

I tried to hide this, anyway, check out /clue3349203.txt

root@kali:~# wget http://hackit.zh3r0.ml:22/clue3349203.txt
--2020-06-16 22:21:31--  http://hackit.zh3r0.ml:22/clue3349203.txt
Resolving hackit.zh3r0.ml (hackit.zh3r0.ml)... 139.59.3.42
Connecting to hackit.zh3r0.ml (hackit.zh3r0.ml)|139.59.3.42|:22... connected.
HTTP request sent, awaiting response... 200 OK
Length: 38023 (37K) [text/plain]
Saving to: clue3349203.txt™

2020-06-16 22:21:32 (148 KB/s) - clue3349203.txt saved [38023/38023]

This is probably the trickiest part of the whole challenge. The file is full of what turns out to be JSFuck code. Trying to track down some of these esoteric programming languages can be a real pain, especially since so many look alike. After looking at a long list of example “Hello World” programs in different languages, I figured out what it was and used a decoder I found on the web to get a string out of the mess. It’s another employee ID! Let’s head over the port 4994 again and see what happens.

console.log('Employee ID: 865151c643cbbb7e3bf4fd5dbb71354e')

root@kali:~# nc hackit.zh3r0.ml 4994

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                     ||Employee Entry||

----------------------------------------------------------
                     Sherlock Holmes Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here's a free flag for you, just for finding this door! Flag 1: zh3r0{pr05_d0_full_sc4n5}

Heyo, Watcha looking at? Employee ID yoo! :
865151c643cbbb7e3bf4fd5dbb71354e 
Hey I know you! You work here!
If you don't like to read, you haven't found the right book. - JK Rowling

Flag 3: zh3r0{y0ur_b0nu5_i5_p4id}

So that was a fun set of challenges. We got all five of the original flags with just some basic scanning and utilities. Overall I didn’t do great at the zh3r0 CTF but I had a lot of fun with these hacking machines.