You can download it here: https://www.vulnhub.com/entry/replay-1,278/

root@kali:~# nmap -p 1-65535 -T4 -A 192.168.227.167
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-11 05:40 EDT
Nmap scan report for 192.168.227.167
Host is up (0.0011s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 54:35:aa:49:eb:90:09:a1:28:f3:0c:9a:fb:01:52:0d (RSA)
| 256 e7:0b:6e:52:00:51:74:11:b6:cd:c6:cf:25:3a:1b:84 (ECDSA)
|_ 256 3b:38:da:d7:16:23:64:68:8f:52:12:8a:14:07:6a:53 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/bob_bd.zip
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
1337/tcp open waste?
| fingerprint-strings:
| DNSStatusRequestTCP, LPDString, RPCCheck, SMBProgNeg:
| Auth Failed Closing Connection... =-
| CH1:
| Auth Failed Closing Connection... =-
| DNSVersionBindReqTCP, FourOhFourRequest, GetRequest, Help, Kerberos, LDAPSearchReq, RTSPRequest, SSLSessionReq, X11Probe:
| CH1:
| Auth Failed Closing Connection... =-
| GenericLines, NULL:
| CH1:
| HTTPOptions, TLSSessionReq:
| CH1:
| Auth Failed Closing Connection... =-
|_ Auth Failed Closing Connection... =-
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.70%I=7%D=6/11%Time=5CFF770A%P=i686-pc-linux-gnu%r(NULL
SF:,6,"\nCH1:\n")%r(GenericLines,6,"\nCH1:\n")%r(GetRequest,34,"\nCH1:\n\n
SF:\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n\n
SF:\n")%r(HTTPOptions,62,"\nCH1:\n\n\n\x20-=\x20Auth\x20Failed\x20Closing\
SF:x20Connection\.\.\.\x20=-\x20\n\n\n\n\n\x20-=\x20Auth\x20Failed\x20Clos
SF:ing\x20Connection\.\.\.\x20=-\x20\n\n\n")%r(RTSPRequest,34,"\nCH1:\n\n\
SF:n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n\n\
SF:n")%r(RPCCheck,62,"\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connectio
SF:n\.\.\.\x20=-\x20\n\n\nCH1:\n\n\n\n\x20-=\x20Auth\x20Failed\x20Closing\
SF:x20Connection\.\.\.\x20=-\x20\n\n\n")%r(DNSVersionBindReqTCP,34,"\nCH1:
SF:\n\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20
SF:\n\n\n")%r(DNSStatusRequestTCP,62,"\n\n\x20-=\x20Auth\x20Failed\x20Clos
SF:ing\x20Connection\.\.\.\x20=-\x20\n\n\n\nCH1:\n\n\n\x20-=\x20Auth\x20Fa
SF:iled\x20Closing\x20Connection\.\.\.\x20=-\x20\n\n\n")%r(Help,34,"\nCH1:
SF:\n\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20
SF:\n\n\n")%r(SSLSessionReq,34,"\nCH1:\n\n\n\x20-=\x20Auth\x20Failed\x20Cl
SF:osing\x20Connection\.\.\.\x20=-\x20\n\n\n")%r(TLSSessionReq,62,"\nCH1:\
SF:n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n\
SF:n\n\n\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\
SF:x20\n\n\n")%r(Kerberos,34,"\nCH1:\n\n\n\x20-=\x20Auth\x20Failed\x20Clos
SF:ing\x20Connection\.\.\.\x20=-\x20\n\n\n")%r(SMBProgNeg,62,"\n\n\x20-=\x
SF:20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n\n\n\nCH1:\n
SF:\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n
SF:\n\n")%r(X11Probe,34,"\nCH1:\n\n\n\x20-=\x20Auth\x20Failed\x20Closing\x
SF:20Connection\.\.\.\x20=-\x20\n\n\n")%r(FourOhFourRequest,34,"\nCH1:\n\n
SF:\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n\n
SF:\n")%r(LPDString,62,"\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connect
SF:ion\.\.\.\x20=-\x20\n\n\n\nCH1:\n\n\n\x20-=\x20Auth\x20Failed\x20Closin
SF:g\x20Connection\.\.\.\x20=-\x20\n\n\n")%r(LDAPSearchReq,34,"\nCH1:\n\n\
SF:n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n\n\
SF:n");
MAC Address: 00:0C:29:AA:8D:45 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.08 ms 192.168.227.167

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 158.35 seconds

The robots.txt disallow entry points to an interesting zip file, bob_bd.zip; download and inspect it.

root@kali:~# wget http://192.168.227.167/bob_bd.zip
--2019-06-11 07:51:31-- http://192.168.227.167/bob_bd.zip
Connecting to 192.168.227.167:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 63784 (62K) [application/zip]
Saving to: ‘bob_bd.zip’

bob_bd.zip 100%[=============================================>] 62.29K --.-KB/s in 0.001s

2019-06-11 07:51:31 (70.3 MB/s) - ‘bob_bd.zip’ saved [63784/63784]

root@kali:~# unzip bob_bd.zip
Archive: bob_bd.zip
inflating: changelog.txt
inflating: client.bin
root@kali:~# binwalk client.bin

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 64-bit LSB shared object, AMD x86-64, version 1 (SYSV)
152656 0x25450 Unix path: /home/c0rruptedb1t/MEGA/Projects And Operations/Project Replay/scripts/client.pydataIP: outputAF_INETEnter Password: sendmsgkeye
153947 0x2595B Unix path: /usr/bin/python2

root@kali:~# file client.bin
client.bin: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=ad5b9f2d0ceddf3d884a5bb37c6d374ce357c9e2, stripped

client.bin is an executable; take a look at changelog.txt first.

root@kali:~# cat changelog.txt 
Changelog:

Don't forget

P
S->B->C->D->S
C->B->S
C->E->S

Next Update:
+ Add ASCII art
+ Fix bug where sometimes the backdoor fails to connect (fixed by reopening client.bin)
+ Add ablilty to be able to send more than hardcoded commands again (removed because of beefing up of security)


V4 [*clink* *clink* You will never be able to penetrate my defenses!]:
+ Backdoor will execute any command, too bad it only sends one hardcoded command :P (gonna have to add an input onto client)
+ Security beefed up bet no one can get through this, XOR and b64 is king

End of log

V3 [All wrapped up in a neat bow]:
+ Added a cool security challenge system to stop hackers
+ I am now compiling the python file into .bins
+ Added b64 system to improve security
N.T.S Added 2nd half of password into the backdoor so if you forget that's where it is furture me. End of log

V2 [The no go zone]:
+ Added b64 support
+ Added password check (validated by server)
End of log

V1 [And then there was light]:
+ I made a backdoor :D
+ Now I can access my server from anywhere without using ssh
End of log

Some strings in changelog.txt are base64-encoded; I decoded them.
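The changelog's V2 to V4 entries put all of the "security" on base64 plus XOR with a fixed key. The following is an added example (not the VM author's code and not taken from client.bin, whose actual key and message layout are not known from this page) showing why that is an encoding rather than encryption: base64 is reversible by definition, and XOR with a repeating key hands the key to anyone who sees one message whose content they already know. The key DEMO_KEY and the two sample messages are constructed for the demonstration.

```python
import base64
import itertools

# Constructed demonstration key; the key inside client.bin is not known from
# the page, and the argument below does not depend on which key is used.
DEMO_KEY = b"notes00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a key that repeats as often as needed."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def xor_b64_encode(plaintext: bytes, key: bytes) -> str:
    """The changelog's scheme: XOR with a fixed key, then base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def xor_b64_decode(token: str, key: bytes) -> bytes:
    """Base64 is a plain encoding and XOR is its own inverse, so decoding is
    the encoder run backwards with the same key."""
    return xor_bytes(base64.b64decode(token), key)


def keystream_from_known_plaintext(token: str, known: bytes) -> bytes:
    """ciphertext XOR plaintext == keystream, for as many bytes as are known."""
    ct = base64.b64decode(token)
    return bytes(c ^ p for c, p in zip(ct, known))


def shortest_period(ks: bytes) -> int:
    """Smallest p such that ks repeats with period p (len(ks) if it never does).
    A repeating-key XOR keystream is the key itself, repeated."""
    for p in range(1, len(ks)):
        if all(ks[i] == ks[i - p] for i in range(p, len(ks))):
            return p
    return len(ks)


def demo() -> dict:
    # Constructed sample traffic. The first message stands in for the one
    # hardcoded command the changelog says the client always sends, so its
    # content is predictable to anyone watching the wire; the second message
    # is the one the observer actually wants to read.
    hardcoded = b"cmd;echo hello from the client"
    later = b"cmd;uptime"
    t_hardcoded = xor_b64_encode(hardcoded, DEMO_KEY)
    t_later = xor_b64_encode(later, DEMO_KEY)

    ks = keystream_from_known_plaintext(t_hardcoded, hardcoded)
    key = ks[: shortest_period(ks)]  # the repeating unit is the key
    return {
        "recovered_key": key,
        "later_plaintext": xor_b64_decode(t_later, key),
    }


if __name__ == "__main__":
    result = demo()
    print("recovered key:", result["recovered_key"])
    print("second message:", result["later_plaintext"])
```

The design lesson is the opposite of the changelog's V1 goal ("access my server without using ssh"): a remote-command channel needs an authenticated, encrypted transport such as SSH or TLS with proper key management, and a home-made XOR layer adds nothing that a single captured session does not undo.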

It seems client.bin is a client for talking to the backdoor on the server. I threw it into IDA Pro, but the pseudocode was too messy to get anything useful from; the binary appears to have been built from a Python script. A plain "strings client.bin" found this:

/home/c0rruptedb1t/MEGA/Projects And Operations/Project Replay/scripts/client.pydataIP: outputAF_INETEnter Password: sendmsgkeyencodexornotes00admincmd;echo Hello World, you are currently running as: ;whoamidecodestring--=======NOTES=======-- +Buy new milk (the current one is chunky) +2nd half of password is: h0TAIRNXuQcDu9Lqsyul +Find a new job +Call mom =====[END]=====commandlettersrecvoschoicesystem-= TERMINATING CONNNECTION =- 
client_socketrandominputstrclearraw_inputCommand to be executed: replacejointimebase64
?exit1230012300admincmd;SOCK_STREAMconnectsleepoutdataappendXORtmpAttempting to connect...(
Definitely the password I swear -> password123 <- Definitely the password I sweartypesbye<module>encodestringnumsHello there you're not being naughty are you? bob_pass123456789rblensumiterlongnameopenreadreprsitelevelrangeformatlocalsxrange__all____cmp____doc__compileglobalsinspect__dict____exit____file____iter____main____name____path__exc_typefromlist__class____enter__bytearrayexc_value__import____module____delattr____getattr____package____setattr__classmethod__builtins__staticmethod__metaclass__exc_traceback/usr/bin/python2
Buy new milk (the current one is chunky) +2nd half of password is: h0TAIRNXuQcDu9Lqsyul

This matches the note in changelog.txt, so the first half of the password still has to be found.
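Compiling a Python script into a .bin (changelog V3) hides nothing: the interpreter path, the original script path and every string constant survive, which is exactly what the strings output above shows. As an added example that is not part of the original write-up and not the VM's code, here is a small artifact check a build pipeline could run before shipping a binary: it extracts printable runs the way "strings" does, flags any that sit next to credential keywords, and flags interpreter paths that reveal a bundled script. SAMPLE_BINARY is a constructed blob modelled on the output above, not the real client.bin.

```python
import re
import sys

# Constructed sample modelled on the strings output shown above; it is not
# the real client.bin, just an ELF-ish blob with a few printable runs.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00"
    b"/usr/bin/python2\x00"
    b"\x01\x02\x03"
    b"Enter Password: \x00"
    b"+2nd half of password is: h0TAIRNXuQcDu9Lqsyul\x00"
    b"\xff\xfe"
    b"Definitely the password I swear -> password123 <-\x00"
    b"SOCK_STREAM\x00connect\x00"
)

MIN_LEN = 4  # same default minimum length as GNU strings

# Keywords that should not appear beside a literal value in a shipped build.
SECRET_KEYWORDS = re.compile(rb"pass(word|wd)?|secret|api[_-]?key|token", re.I)

# Signs that the "binary" is a bundled interpreter script, meaning the full
# source (with every constant in it) is recoverable, not merely its strings.
BUNDLED_PYTHON = re.compile(rb"^/usr/bin/python|\.py$|__main__")


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list:
    """Pure-Python equivalent of `strings -n min_len`: printable ASCII runs."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return pattern.findall(blob)


def flag_secrets(strs: list) -> list:
    """Strings worth a human look because a credential keyword is in them."""
    return [s for s in strs if SECRET_KEYWORDS.search(s)]


def bundled_interpreter_hints(strs: list) -> list:
    """Strings suggesting the artifact is a packaged Python script."""
    return [s for s in strs if BUNDLED_PYTHON.search(s)]


def scan_artifact(blob: bytes) -> dict:
    strs = extract_strings(blob)
    return {
        "strings": strs,
        "secret_hits": flag_secrets(strs),
        "interpreter_hints": bundled_interpreter_hints(strs),
    }


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_artifact(fh.read())


if __name__ == "__main__":
    # Usage: python3 scan.py <binary>; with no argument the constructed sample is scanned.
    report = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_artifact(SAMPLE_BINARY)
    for s in report["secret_hits"]:
        print("SECRET?", s.decode("ascii", "replace"))
    for s in report["interpreter_hints"]:
        print("BUNDLED SCRIPT?", s.decode("ascii", "replace"))
```

The keyword match is deliberately broad (a prompt such as "Enter Password: " is flagged too); the point is to make a human confirm that no literal credential ships in the artifact, which is cheaper than learning it from robots.txt later.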

It is here:

[screenshot not preserved]

So the full password would be:

qGQjwO4h6gh0TAIRNXuQcDu9Lqsyul

Give it a try:

[screenshot not preserved]

As stated in changelog.txt, the command is hardcoded in client.bin, so client.bin has to be modified to execute a custom command.

[screenshot not preserved]

Just make sure the whole chunk of command bytes keeps the same length as the original.

This gives a shell as bob. His password is in /home/bob/Documents/users.passwd, and the sudoers file shows that bob is allowed to run sudo without any restriction, so a root shell follows easily.

[screenshot not preserved]