The Purge was created by strata, and I can tell you it's a hassle to complete. But I did, and here's how!

What’s Running

I don't want to tell you how to do this bit, so here's the output:

root@kali:~# nmap -sS -p- -T5 -Pn 172.16.231.134

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-06 22:17 GMT
Nmap scan report for thepurge (172.16.231.134)
Host is up (0.00027s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:AD:9E:6C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 52.91 seconds
root@kali:~#

Visiting the HTTP server without a hosts entry for it only gets you a page of instructions; once the hosts entry is created, you can reference the VM by name. So, I hit it with a browser to see what I was faced with.

None of the links on this page work, so I'm stuck just looking at it. Using nc, I saw that the page is served through Varnish.

root@kali:~# nc 172.16.231.134 80
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 06 Jan 2015 22:21:12 GMT
Server: Apache
Last-Modified: Fri, 02 Jan 2015 22:52:51 GMT
ETag: "82a-50bb3334896c0"
GovPurGe: Blessed be our New Founding Fathers and America
Content-Type: text/html; charset=UTF-8
X-Varnish: 3
Age: 0
Via: 1.1 varnish-v4
Connection: close
Accept-Ranges: bytes

Varnish is a caching reverse proxy, and it supports a PURGE HTTP method that evicts an object from the cache so the next request is fetched fresh from the backend. Also note the odd GovPurGe header.
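Varnish only acts on PURGE when the VCL implements it, and the usual implementation guards it with an acl checked in vcl_recv before returning purge; this box evidently has no such guard, so anyone who can reach port 80 can evict whatever they like. From the defender's side, the thing to watch is cache-invalidating requests arriving from outside the admin network. The script below is an added example, not code from the original write-up or from the Varnish project: it parses Common Log Format lines (the default format of Apache's access log and of varnishncsa) and flags PURGE/BAN requests from hosts outside an assumed admin range. The log lines, the addresses and the allow-list are all constructed for the demo.

```python
"""Flag cache-invalidation requests (PURGE/BAN) from outside the admin network.

Added example, not part of the original write-up or the Varnish project. It
reads Common Log Format lines, the default format of Apache's access log and
of varnishncsa; the lines, addresses and allow-list below are constructed.
"""
import ipaddress
import re
from typing import NamedTuple

# host ident authuser [date] "METHOD path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Methods that evict cached objects. Varnish only acts on them when the VCL
# implements them, and that implementation should check an acl first.
INVALIDATING = {"PURGE", "BAN"}

# Assumed admin range for the demo; adjust to the real management network.
ALLOWED_PURGERS = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/8")]


class Finding(NamedTuple):
    host: str
    method: str
    path: str
    status: int
    reason: str


def parse_clf(line):
    """Return the CLF fields as a dict, or None for a line that does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def allowed(host):
    """True if the client address is inside one of the admin networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # logged by hostname, or not an address at all: be strict
    return any(addr in net for net in ALLOWED_PURGERS)


def audit(lines):
    """Return a Finding for each invalidating request from a non-admin host."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or rec["method"] not in INVALIDATING:
            continue
        if allowed(rec["host"]):
            continue
        status = int(rec["status"])
        # A 2xx means the cache honoured the request, which is exactly what
        # exposed the alternate content in this write-up; anything else is a
        # rejected attempt that is still worth seeing.
        if 200 <= status < 300:
            reason = "honoured: unauthenticated %s evicted %s" % (rec["method"], rec["path"])
        else:
            reason = "denied with %d" % status
        findings.append(Finding(rec["host"], rec["method"], rec["path"], status, reason))
    return findings


SAMPLE_LOG = [  # constructed lines in the style of this session, not real logs
    '172.16.231.1 - - [06/Jan/2015:22:21:12 +0000] "GET / HTTP/1.0" 200 2090',
    '172.16.231.1 - - [06/Jan/2015:22:25:03 +0000] "PURGE / HTTP/1.1" 200 0',
    '10.0.0.5 - - [06/Jan/2015:22:26:00 +0000] "PURGE /index.html HTTP/1.1" 200 0',
    '172.16.231.1 - - [06/Jan/2015:22:27:10 +0000] "PURGE /~bwilliams0n/ HTTP/1.1" 200 0',
    '203.0.113.9 - - [06/Jan/2015:22:28:44 +0000] "PURGE / HTTP/1.1" 405 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.host:14} {f.method} {f.path}: {f.reason}")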

My next step was to do some enumeration on the page. There are 3 reviews, one of which is in pseudo-Latin. However, 4 words immediately stood out to me because of their strange capitalisation: Steg, Hide, Varnish, and Purge. I already know the server is Varnish, and I know about the PURGE method. However, steghide implies that something is hidden in an image…

So, an ominous message… I’ll note that down for later as it is not required right now.

There's nothing else of interest on this page, so I decided to see what would happen if I sent a PURGE request for the main page using curl.

Once the PURGE completed, I visited the page again with a browser, and was presented with different page content.

Interesting. I also noticed that the image at the bottom of the page, which I had previously run through steghide, now had a different filename. Maybe there's something different inside it?

Different data - that's interesting. The YouTube video linked is Knockin' on Heaven's Door by Guns N' Roses; however, the random characters after the URL are hex, and decode to 2005, 31337, 1995, and 22 in decimal. That looks like a port-knocking sequence that opens SSH, but I don't have any usernames, passwords, or private keys to use.

Remember the message we obtained from the first JPEG file? "The reviewers are fortunate to have homes in today's purged economic climate." This implies that we might be able to browse the home folders of the various reviewers. Looking at the original and purged versions of the front page, it is possible to put together a list of possible users: Bill Williams0n, Zoey Sand1n, James Holmes, Charlie Hanger, and Bin Ladin. Of these users, only two home folders are accessible.

What an interesting Youtube video

However, the HTML source is much more interesting:

<html>
<head>
<title>Bill Williamson</title>
</head>
<body bgcolor="black">
<center>
<embed width="840" height="620" src="http://www.youtube.com/v/vca7c04r95I">
</center>
</body>
<!-- For the glory of sshaitan, of course! -->

This didn't tell me much, so I decided to PURGE it too, using the curl command from earlier. This resulted in the following page being made available:

The YouTube video is even weirder, but the source changed too:

<html>
<head>
<title>Bill Williamson</title>
</head>
<body bgcolor="black">
<center>
<embed width="840" height="620" src="http://www.youtube.com/v/uV-V1FqaEk8">
</center>
</body>
<!--
-----BEGIN DSA PRIVATE KEY-----
MIIBvAIBAAKBgQDnNAyaHiNv1SynzOt+E83khP9PRQTmKlyvkx13b/3ARc/WjO9b
dAT//ZgAxttQiu1n8fqU+oop562TXvQyOm83YWkxVbf+YdQ4KUWdOMxFWJdbkCRW
IUa1XgoCVnIwz4I0fjKtvgNgf/TAmwz9sa2sqV6IYsROj6aTt7SdwXCtnQIVAP3b
n9k4O4SZ/8G83X6H/IMcjExRAoGAR2r8Zh/oZx5GOeDBacuy3LcDa3vfpHLfrqCK
X3V6I7VvQJcwjjorZQJqkO/7ECpHfrZIqVoN+TjYH2u2unRH56o55x5/rhUUCl1c
kFUikPwjwyLCjVT2DRD4WFnZcCa2wnCI9sxK70V+TbjMMS3AowxTBI+BhVXyYxLx
ylJw9kQCgYEA0Fggrt1A+DDQ1KS506LKPkT24ny3AMHg1psvjieT9uIO4LvFPq23
4wiZvMLNyapRlNADX/TGRmcC2bgf6P7l9D8zHEqoActThnPfMa05GFFvdF3z9ZEX
jRLP1n8BKjjElprmKYrqh8fLEk1gLA+B/GJRDO6+9oq5Ada4/3EEYuACFQDYW9iL
RQBGwzv7GW+JTy1Q1cmxew==
-----END DSA PRIVATE KEY-----
-->

That, to me, looks like an SSH private key. So, back to the port knocking.

Who’s There

Once the private key has been saved to a file and chmodded correctly (600), I use knocker to knock the ports in sequence, which opens up SSH access.

So, now I have a shell. More enumeration required! Wandering around the file system shows that bwilliams0n has read access to /home/zsand1n. Within that folder is an archive encrypted with PGP.

[bwilliams0n@thepurge zsand1n]$ ls -la
total 964
drwxr-xr-x. 3 zsand1n zsand1n   4096 Jan  1 23:43 .
drwxr-xr-x. 7 root    root        81 Jan  2 17:57 ..
-rw-r--r--. 1 zsand1n zsand1n     18 Sep 25 21:53 .bash_logout
-rw-r--r--. 1 zsand1n zsand1n    193 Sep 25 21:53 .bash_profile
-rw-r--r--. 1 zsand1n zsand1n    231 Sep 25 21:53 .bashrc
-rw-r--r--. 1 zsand1n zsand1n 964832 Jan  1 23:42 homes-backup-20150101.tar.gz.gpg
drwxrwxr-x. 6 zsand1n zsand1n   4096 Jan  6 14:45 public_html
[bwilliams0n@thepurge zsand1n]$

To decrypt this file we'll need a copy of the private key belonging to the recipient it was encrypted to.

There is a file in public_html that contains a public PGP key, but on its own this is no help to us at all.

[bwilliams0n@thepurge public_html]$ cat gpg_key.html
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

mQENBFSmEy4BCADRTF4zqER6uVJ3II/tDHRIrWpeA8XGoegtTpjSOwjs8HYjPWzV
KWQsBj6GpI5zOHGjC7Tbufxn1C0TNotrEpOxCus2s/oaMJ8e1RmmpyP21cMe5Sxn
+Nu1O+oRA5QP2IYqnZvShqk2vw3UduMxheKik6EVA7EjZBeIdYhQK2fytbydrTIs
y+9GA1/UNBWQh1lQhRSbmQyiiTbQrybyhVZWrPT9E55mGJq4fLFybGRy+zjIsDfT
1gcS+BB6zdwp8YkxLR2DgaaSiTEl1YdUehoEoJMgtEdOqfng16O4ZL3rkIYKdjBi
KkB2sxYTH8PhF63D2h6/8w03ra5HZOivsNGVABEBAAG0HlpvZXkgU2FuZGluIDx6
c2FuZDFuQHRoZXB1cmdlPokBOQQTAQIAIwUCVKYTLgIbAwcLCQgHAwIBBhUIAgkK
CwQWAgMBAh4BAheAAAoJEEaUeoP/ScSJkZgIAK9xUZWnr1SnshBYawc6xWNPDdLM
8RjEPjgFdEXQe3D0xB16i0WC1153e4o6+L6rSGkkIf2siiY2BAS+yyR5YilA2aXv
CdYbYkcqRpXmGMeIiV9yKU3xZkgJUky28q0YNGEYZUGHYaRpS8PbQhX0a2OeVABV
vRXhrXju5SHDY4GyrKLheQ1u+pWQjNjeQr4K9jA7oPsB1X1EKzo6w89gZ7RZQCfz
bZoS+seodRIM32kGQYBvT0gE1aaKZ5OaASn7ezHOILDvCdYJtiGEcTuZ3TO37j4E
3wONeo6CFT/AJQ6xGGN6dMeCNfvEFJMzjW3ejrfiQyN0z/3BdaIEyAVhMFa5AQ0E
VKYTLgEIALFyNyOhUAkcFgXMoldw81Lg9ex34MeOix1LpOqInQU92VkmS1uYqKZJ
T4uW5mye2RLg4P3MHm60kmKIRXZYEx96aRgqxLaogQXv0pQ/t5RMNuvLn7wM934U
xkct7Ic6B3djnfoYt6UZftOmLmCl2mW8my/07N92Tx6VWbHu/MFgCFnj6EfbX6Vq
FER6A/0mtlHGbI0ysl+djB0vVw8g6zYUhxn7lTjEHLa237wuGMkWG7COcWzBBadU
DkTnN5692cpny5oEpMFi7E8xO4TNUw6V6mrMjYZGvBHlsF2akozhizU7dqhI+jlp
WTXVV2JYyHEM0WGz34ipn1a/kMKUBWMAEQEAAYkBHwQYAQIACQUCVKYTLgIbDAAK
CRBGlHqD/0nEiWh6B/4xo4G8vNoTgc4jJRHJ0ZezTS/sXRkfZO2eNDXVgcY7pF5Q
EaA/9VMEpDRz53eAt99mpj+eTQM/kVRKExqcAVDwy0YYXnvsjHFwD5dunIq88OSw
WLPNMBRgRvggez47zxjKtV6DiL1BYQ0YO3oyDtbA1CKhBHh8KmH0aV+/YE1axnAL
Qngh/4fF0E4OZ5vuCBsRrHHrH3r4k0jGRHTHvG3e9gfGcPKgr0P6To5wA4B5XEc1
UgN4YJWe1XeOy7yKCTanvUIrVWolHkao5xdQH8OOBqPQySACcW32T5sQxCqTkeR7
sH2SRodaWIgc9aVKLI1SAW2oYWJJNsqs1fuJtF1w
=tVjP
-----END PGP PUBLIC KEY BLOCK-----

Could I use my old friend PURGE and see if this file changes too? Why yes, yes I can… and yes, it does change - I now have a private key instead of a public one.

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

lQO+BFSmEy4BCADRTF4zqER6uVJ3II/tDHRIrWpeA8XGoegtTpjSOwjs8HYjPWzV
KWQsBj6GpI5zOHGjC7Tbufxn1C0TNotrEpOxCus2s/oaMJ8e1RmmpyP21cMe5Sxn
+Nu1O+oRA5QP2IYqnZvShqk2vw3UduMxheKik6EVA7EjZBeIdYhQK2fytbydrTIs
y+9GA1/UNBWQh1lQhRSbmQyiiTbQrybyhVZWrPT9E55mGJq4fLFybGRy+zjIsDfT
1gcS+BB6zdwp8YkxLR2DgaaSiTEl1YdUehoEoJMgtEdOqfng16O4ZL3rkIYKdjBi
KkB2sxYTH8PhF63D2h6/8w03ra5HZOivsNGVABEBAAH+AwMCPT4eUY3Vk4/b6au7
6StGV15s0jIxygsFkJPkwEjoE2x5UnN/W6aS9HXm3Y5t67/s0zYpK5SQ+ZcGquRI
izcCf8dKQIq8bWsLr0GPaLHrS3Xj4iyTpRb8qInxxIZIsA+0RD54liwzKVRrqn16
y955XJWuFO+5rT2zyI8hBdO8hQlFpsNGRmeWZLbAENDUuMaQLeKfaoU/y9QEhs2T
RJuM5B5OzT1RCqnP+clXPh9/Y536afIiqAvQwBn6qQIaZLeCvpscyOhOWPUejVBd
ZxNBZ4gVkr4WseYsk3vBkxCc0E52rGEUf3IFpti5y5pWo6BvN1qZtGkFLm+t8Uv/
WXMRLPYTuYDPh8+KtNDXhA5EaW8kMUI9y1jhA3DoxhrDqiD1oGv0OInmJXAA4uwZ
GxzRCaY2fVwJ5giQj8X+8QxhMS61ZDbSl8AJNi6Ns8sY3uy96Al0rw3u72WF5CWb
nkslDQ4IdZBRYAGOMPLVrQqFO86RaWYMWjiNdm4ZybdgvJzci2jCzKCdevzUQRAZ
vKOKBGkLO7klCtgMrWTwusocp3+83OPzoO3jC1gY6r2UQms3otz2evsvZEluBXZQ
EKo13tAUy6LPHn/8Pfg29BglkSAdACt6MtSs7PWkoH2x948sU1HBEiMid8rNxTZW
d2bOcD+kRcEPPlKUC3ik0IcThAT+DcnWSSaAvugS+9QQhE6Td1SSMiJrUZb9/qBi
7VY/0GCGpMZJe3B8buclm/e8KaTFpnxktIFpXjHW6Lstpl7aPwsUHJ8e12AW6oBV
9CconzbhQeDnkOkK0RHIAX6g+gcPo6dN+Gc2wmamGcQ5Ps3tEtj9ptSERmZGhL+S
XYWrPVGFs2xpv/CxPoJMCkzdViY/ScfmhZuizkIdC4SlD6zAbQARD+1Hf+h5K8om
Q7QeWm9leSBTYW5kaW4gPHpzYW5kMW5AdGhlcHVyZ2U+iQE5BBMBAgAjBQJUphMu
AhsDBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQRpR6g/9JxImRmAgAr3FR
laevVKeyEFhrBzrFY08N0szxGMQ+OAV0RdB7cPTEHXqLRYLXXnd7ijr4vqtIaSQh
/ayKJjYEBL7LJHliKUDZpe8J1htiRypGleYYx4iJX3IpTfFmSAlSTLbyrRg0YRhl
QYdhpGlLw9tCFfRrY55UAFW9FeGteO7lIcNjgbKsouF5DW76lZCM2N5Cvgr2MDug
+wHVfUQrOjrDz2BntFlAJ/NtmhL6x6h1EgzfaQZBgG9PSATVpopnk5oBKft7Mc4g
sO8J1gm2IYRxO5ndM7fuPgTfA416joIVP8AlDrEYY3p0x4I1+8QUkzONbd6Ot+JD
I3TP/cF1ogTIBWEwVp0DvgRUphMuAQgAsXI3I6FQCRwWBcyiV3DzUuD17Hfgx46L
HUuk6oidBT3ZWSZLW5iopklPi5bmbJ7ZEuDg/cwebrSSYohFdlgTH3ppGCrEtqiB
Be/SlD+3lEw268ufvAz3fhTGRy3shzoHd2Od+hi3pRl+06YuYKXaZbybL/Ts33ZP
HpVZse78wWAIWePoR9tfpWoURHoD/Sa2UcZsjTKyX52MHS9XDyDrNhSHGfuVOMQc
trbfvC4YyRYbsI5xbMEFp1QOROc3nr3ZymfLmgSkwWLsTzE7hM1TDpXqasyNhka8
EeWwXZqSjOGLNTt2qEj6OWlZNdVXYljIcQzRYbPfiKmfVr+QwpQFYwARAQAB/gMD
Aj0+HlGN1ZOP29ALh3I5yyKsdLOC3OTVGg4vlt4CFDyrU7vEMctGnNn9lAf/yLWd
s1vWLdzeRJINV8ewRGFPmZvlzAVbipFPw/O6YvayDZA5hKrdGSZHN7/RRf77bLg9
yTWLOQV+tkba0ojjZrn3BjOuelBnR7yuCtDrkb5E9F+wDSxpQKc0TBOrb/5hgwCT
7yoKhwF+aiZRi1qBEh8YRTwKdp2DDPdonR4Z0P8ASne5kjucoUvwXQpDZSp2xfM2
EbyTCxR2zKXr1XRoaJsS6qk8BJkpZuN016SgZh+JvpVaqtW2vzlCkTaSlCZ/Bsgb
HWnkQsiJrgNPRcKw7MRCpSb2bhJxXPyIV032EEVe8LHyC7unZe0lzgANZXoSand1
k09t0/Bg53UOZGGgCQbV/6ADshXzqx5QUKbkMpfvAXbBVqn7dYD3Q0ERNF2bXZok
6rO9p0LGs6ujYNJRveZQZMr39PO5timhj7X4xD6Uw/AjkzaJGulHO1xQ0vRU9j5Q
vZzy+z/iQa0tyGMljC5r0ps5yKWnN3Eott/TkpL/QontkQBv5ZoVhdijBwP1puSx
LpHEHHOjJoan5bI0I/IfDa6Iu8eMYTj2xUJ7jE1RVEimalnEJml3zgTGuLU+Qz6o
vt1LyZXfJDrzaVP2iFecmpwX8HVtF6BqULBqJiJuqiLPnu4G0VOTIaCYMGi4KqFX
61uSDyKlguI0gcJHIgscglvbEzgz8lE7EhSboOQ14jjo2RWhoG0B23uHwNvWD0Qk
nJBRA3J/uKZHlhknHOCTRQcKBkzXZVjt7m1vJdXrl6N2RIwD7uWuC4IMQYVKRlZC
u4YxCZz+gCygIKHejMSUxRWE8paueC5h2kPIz2Bm0qLTHMNf2OfVZVD1DVXgDtoL
wWmIawCcsFrP2yrHVwqJAR8EGAECAAkFAlSmEy4CGwwACgkQRpR6g/9JxIloegf+
MaOBvLzaE4HOIyURydGXs00v7F0ZH2TtnjQ11YHGO6ReUBGgP/VTBKQ0c+d3gLff
ZqY/nk0DP5FUShManAFQ8MtGGF577IxxcA+XbpyKvPDksFizzTAUYEb4IHs+O88Y
yrVeg4i9QWENGDt6Mg7WwNQioQR4fCph9Glfv2BNWsZwC0J4If+HxdBODmeb7ggb
Eaxx6x96+JNIxkR0x7xt3vYHxnDyoK9D+k6OcAOAeVxHNVIDeGCVntV3jsu8igk2
p71CK1VqJR5GqOcXUB/Djgaj0MkgAnFt9k+bEMQqk5Hke7B9kkaHWliIHPWlSiyN
UgFtqGFiSTbKrNX7ibRdcA==
=ZWQm
-----END PGP PRIVATE KEY BLOCK-----

This can now be imported into GPG and used to decrypt the archive found earlier. Remember the GovPurGe header from earlier? Its value is the passphrase that protects the key.

I spent a lot of time looking through the files from this archive, and eventually found the password "vi.isforleeth@xxors" hidden in the .bash_history in the jholmes directory.

This allowed me to su to the jholmes user and discover that he is able to run the /usr/bin/varnishadm application via sudo. I also discovered that, with a few tweaks, you can get varnishadm to compile inline C and run commands as whichever user varnishd is running as. The last video shows me switching to the jholmes user, creating a malicious shell script to grab a copy of the dash binary from my attacking VM (dash does not drop privileges the way bash does, so it is a much better option for a setuid shell), running sudo varnishadm, and configuring Varnish to run as root instead of the varnish user. I then set the cc_command parameter to run the malicious script I created earlier, which lets me drop to a root shell and read the /FLAG.txt file.
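The root step above hinges on a sudo rule rather than on a bug in Varnish: varnishadm is the management console, and whoever can run it as root can change the parameters that govern which compiler Varnish invokes and which user it runs as, so the sudo grant itself is the thing to audit. What follows is an added example, not code from the original write-up or from the Varnish project: a small sudoers auditor that parses a constructed sudoers file and flags grants of ALL or of commands known to hand out arbitrary code execution. The entries, usernames and the risky-command list are assumptions for the demo (only the jholmes/varnishadm line mirrors the write-up), and sudoers aliases are not expanded.

```python
"""Audit sudoers rules for grants that amount to arbitrary code execution.

Added example, not part of the original write-up or the Varnish project. The
sudoers text below is constructed for the demo: the jholmes line mirrors the
write-up's finding, the other entries are invented filler.
"""
import re
from typing import NamedTuple

# Commands that let the caller run arbitrary code as the runas user once they
# are permitted via sudo. Assumed list for the demo, not exhaustive.
RISKY_COMMANDS = {
    "/usr/bin/varnishadm": "management console: can change cc_command "
                           "(the compiler Varnish runs) and the service user",
    "/bin/sh": "interactive shell",
    "/bin/bash": "interactive shell",
}

# user_spec host_list = (runas_list) [TAG:] command_list
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z_]+):\s*")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


class Finding(NamedTuple):
    who: str        # user or %group the rule applies to
    runas: str      # user the command may be run as
    command: str    # the granted command path, or ALL
    nopasswd: bool  # True if no password is required
    reason: str


def iter_rules(text):
    """Yield (who, runas, nopasswd, command) for every command in every rule."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue  # aliases are not expanded in this demo
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(user:group)" -> user; a missing runas list defaults to root
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        nopasswd = False  # a tag applies to every later command in the list
        for entry in m.group("cmds").split(","):
            entry = entry.strip()
            while (tag := TAG_RE.match(entry)):
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                entry = entry[tag.end():]
            if not entry:
                continue
            yield m.group("who"), runas, nopasswd, entry.split()[0]


def audit(text):
    """Return a Finding for every grant of ALL or of a known risky command."""
    findings = []
    for who, runas, nopasswd, command in iter_rules(text):
        if command == "ALL":
            findings.append(Finding(who, runas, "ALL", nopasswd,
                                    "any command as " + runas))
        elif command in RISKY_COMMANDS:
            findings.append(Finding(who, runas, command, nopasswd,
                                    RISKY_COMMANDS[command]))
    return findings


SAMPLE_SUDOERS = """\
# constructed sample, not the VM's real /etc/sudoers
Defaults    requiretty
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
jholmes     ALL=(root)      NOPASSWD: /usr/bin/varnishadm
logs        ALL=(root)      /bin/cat /var/log/varnish/varnishncsa.log
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        flag = "NOPASSWD " if f.nopasswd else ""
        print(f"{f.who:8} -> {f.runas:5} {flag}{f.command}: {f.reason}")
```

The fix on the box side is the obvious one: a management console that can reconfigure the compiler and the service account is equivalent to a root shell, so it should not appear in sudoers at all, and the cat-only rule for the logs user shows what a narrowly scoped grant looks like by contrast.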

Done.