Vulnhub — R-TEMIS writeup

This is a write-up of the R-TEMIS: 1 virtual machine challenge by RootNik Labs. The challenge was completed in March 2021.

John Bush
10 min read · Apr 5, 2021

https://www.vulnhub.com/entry/r-temis-1,649/

What you will learn: Directory and file enumeration, modifying file headers, light steganography, text encoding, MySQL databases, and some password brute-forcing.

What you will need: The standard Kali Linux install, Gobuster, a good wordlist for both directory and file enumeration, and a hex editor such as Okteta (free).

My Setup: VMware was used for this virtual machine, with both the Vulnhub and attacker machine (mine) set to “Host only” within the network adapter settings.

Disclaimer: The authors of this challenge included objectionable/vulgar language in this VM. My write-up will exclude the language so that it can be used in teaching environments. For reference, the language is present in the mention of the Brain**** coding scheme and in the content of the pass.txt and user.txt files on the target system.

Let’s get started!

Step 1 — Discovery

Running “ip route” in a terminal shows we are on the 172.16.98.0/24 network.
As a standard practice, Nmap is run on the target network to identify devices.

sudo nmap -e eth0 -sn 172.16.98.0/24

Step 2 — Scanning and Enumeration

The results of the above scan show the R-TEMIS target on the IP 172.16.98.133. Now that we know the IP address of our target, let’s use Nmap to perform a quick scan of all open TCP ports.

sudo nmap -n -sS -p 1-65535 172.16.98.133

The results are a web server on port 80, a MySQL instance on 3306, and an unknown service on 7223. Let’s look at the web server in our browser and see what is there.

In your browser visit:

http://172.16.98.133

We find a landing page left by the authors confirming the R-TEMIS challenge. In the upper right of the page there is a link for a “HINT”.

On the HINT page the authors provide the following clues:

  1. “Sometimes Hackers left a simple text file and image files on the target system to give their foothold’s information and presence”.
    Notice “simple text file” and “image files” are both italicized, which is likely an indication that we need to search for these file types on the target.
  2. “But instead of normal text, they left encrypted message that gives Brain**** to decode for a normal person.”
    Notice Brain**** is also italicized and is capitalized like a name. Not only is this a strange choice of words in the sentence, it is also the name of a programming language.
    https://en.wikipedia.org/wiki/Brain%66%75%63%6B
  3. “Sometimes repairing a corrupted JPEG File Header gives perfect result.”
    This makes it obvious that something is corrupted and we will have to repair it.
  4. Cryptography, Steganography, SSH, and MySQL are mentioned, meaning we will likely encounter these technologies.

We’ll start with Hint #1. Using Gobuster (or your preferred enumeration tool) perform directory enumeration to find content on the web server.

gobuster dir -w /home/tea/my_CTF_Directory-ENUM_short.txt -u http://172.16.98.133:80 | grep -v "403"

Note: For easier reading I grep the results with a NOT (-v) to remove 403 errors for items we don’t have access to.

We see the following directories are found:

As we are on the hunt for images from Hint #3, we’ll look first at the “/img” and “/Image” directories. At first glance, the /img directory appears to contain the pictures used by the authors for creating the webpage on this machine, while the /Image directory contains multiple pictures related to the 2005 film “V for Vendetta”.

Let’s look further at the /Image directory.

Simply clicking each image will open the file in your browser. While doing so you’ll notice that the very first image, “flag1.png”, doesn’t open in the browser as an actual picture.

Let’s download the photo and try opening it on our local system.

Still no luck. This looks like the corrupted file we were searching for.

Step 3 — File Analysis

While flag1.png is not a JPEG file as mentioned in Hint #3, we will inspect it further and see if it can be repaired. Let’s open flag1.png in Okteta, a free hex editor.

sudo apt install okteta

A quick explanation on file headers: While our flag1.png file ends in .PNG, this doesn’t guarantee it is actually a .PNG file, or even an image file. The .PNG extension only tells your operating system which program to use when attempting to open flag1.png (for example, an image viewer). For that application to actually read the file, the file must contain the correct header (and sometimes trailer) so that the application can parse it. For .PNG files, the first eight bytes of the file must be 89 50 4E 47 0D 0A 1A 0A, and the file must end with 49 45 4E 44 AE 42 60 82.

A great list used by the forensics community for referencing file headers can be found at Gary Kessler’s website here:
https://www.garykessler.net/library/file_sigs.html

Using Okteta, open both flag1.png and img1.png (a working .PNG file on the target in /Image) and compare the two side by side.

You can see (in red) that the first four bytes of flag1.png do not match the correct .PNG file format, while img1.png does. Let’s change the first four bytes of flag1.png to the correct header.

After the header has been corrected, let’s verify there are no issues with the trailer.

Everything looks good on the trailer. Let’s save flag1.png and now try to open it.
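The header/trailer check and the repair described in the explanation and the Okteta steps above, scripted. This is an added example, not code from the write-up: it builds a tiny valid PNG inline (a constructed sample, not a file from the VM), damages the first four bytes the way flag1.png was damaged, and rewrites the signature. The `flag1.png` command-line usage and the `.fixed.png` output name are assumptions.

```python
# Added example, not code from the write-up: check a file's PNG signature and
# IEND trailer and rewrite a bad signature, the same fix made in Okteta above.
# build_minimal_png() constructs a 1x1 image so the example runs offline;
# the "flag1.png" path in main() is an assumption.
import struct
import sys
import zlib

PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")  # mandatory first 8 bytes
PNG_TRAILER = bytes.fromhex("49454E44AE426082")    # "IEND" + its fixed CRC32


def inspect_png(data: bytes) -> dict:
    """Compare the first and last 8 bytes against the PNG signature and trailer."""
    return {
        "header_ok": data[:8] == PNG_SIGNATURE,
        "trailer_ok": data[-8:] == PNG_TRAILER,
        "first_bytes": data[:8].hex(" ").upper(),
    }


def repair_png_header(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the PNG signature; chunk data is untouched."""
    if len(data) < 16:
        raise ValueError("too small to be a PNG")
    return PNG_SIGNATURE + data[8:]


def build_minimal_png() -> bytes:
    """Construct a valid 1x1 white RGB PNG (constructed sample, not a VM file)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")            # filter byte + one pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def corrupted_sample() -> bytes:
    """Damage the first four bytes, mirroring what the hex editor showed for flag1.png."""
    good = build_minimal_png()
    return b"\x00\x00\x00\x00" + good[4:]


if __name__ == "__main__":
    # Usage: python png_fix.py flag1.png  (writes flag1.fixed.png if the header is bad)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else corrupted_sample()
    print(inspect_png(data))
    if not inspect_png(data)["header_ok"]:
        fixed = repair_png_header(data)
        if path:
            open(path.rsplit(".", 1)[0] + ".fixed.png", "wb").write(fixed)
        print("after repair:", inspect_png(fixed))
```

The trailer check matters as much as the header: a file whose last eight bytes are not the IEND chunk has been truncated or has data appended after the image, and overwriting the signature alone will not make it open.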

The file opens! On viewing the image we notice text in white embedded at the bottom: “1RY_H4RD34”

On first instinct this may look like a password, but in fact we are being trolled by the authors with an OSCP reference (https://www.offensive-security.com/offsec/what-it-means-to-try-harder/). This is likely an unfortunate time waste so let’s move on.

Step 4 — Further enumeration and cipher decoding.

Hint #1 also referenced a hidden text file on the webserver. Since we don’t know the name of the file we will need a good wordlist of possible filenames and try them all with gobuster. The google-10000-english.txt file at https://github.com/first20hours/google-10000-english is a list of the top 10,000 words searched in Google and is a great list to start with.

Using the tool “wordlist_mod” you can easily append “.txt” to every entry in the google-10000-english.txt file. You can find wordlist_mod on my own Github page at https://github.com/jhnbsh/wordlist_mod

Let’s now run gobuster with our new wordlist to find possible .txt files on the server.

gobuster dir -w Documents/google-10000-english_mod.txt -u http://172.16.98.133:80

Gobuster finds one text file named easy.txt. Let’s open this in our browser and see what it says.

At first glance this may look like random text. Look more closely, however, and you will notice it’s not random: the same few characters (+, -, <, >, etc.) are reused. This isn’t encryption, it is some type of encoding. Let’s find out what it is.

The site dcode.fr is great for identifying ciphers.
https://www.dcode.fr/cipher-identifier

Dcode.fr identifies the text as Brain****.
https://en.wikipedia.org/wiki/Brain%66%75%63%6B

On the same website you can decode the message with the following link.
https://www.dcode.fr/brain%66%75%63%6B-language

Note: If you try to decode the entire message at once you will get some garbage. You need to decode two different messages separated by the line spaces in easy.txt, for example:

Message 1
+++++ +++++ [->++ +++++ +++<] >++++ +++++ +++++ .++.< +++[- >---< ]>--- ---.+ +++++ ++.-- --.<+ ++[-> +++<] >+.<

Message 2
+++++ +++++ [->++ +++++ +++<] >++++ +++++ +++++ ++.<+ +++++ +[->- ----- -<]>- --..< +++++ ++[-> +++++ ++<]> +.<++ ++[-> ----< ]>.<+ ++++[ ->--- --<]> ----- ----. <++++ +++[- >++++ +++<] >++.. <

The messages decode as:
Message 1 = rtemis
Message 2 = t@@rb@ss
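The same decoding done locally, so you can see why the two messages must be run separately and how the “same characters reused” observation above can be turned into a quick check. This is an added example, not code from the write-up or from dcode.fr. MESSAGE_1 and MESSAGE_2 are the two easy.txt messages as reconstructed from the write-up (Medium rendered each “--” as an em dash); they were re-derived so that they decode to the text given above and are not claimed to be byte-for-byte the file on the target.

```python
# Added example, not code from the write-up: a Brain**** interpreter plus the
# "same few characters reused" check that points at this encoding. MESSAGE_1
# and MESSAGE_2 are the easy.txt messages reconstructed from the write-up
# (Medium rendered "--" as an em dash); they decode to the stated text.
from typing import List

MESSAGE_1 = ("++++++++++[->++++++++++<]>++++++++++++++.++.<+++[->---<]>------."
             "++++++++.----.<+++[->+++<]>+.<")
MESSAGE_2 = ("++++++++++[->++++++++++<]>++++++++++++++++.<+++++++[->-------<]>---.."
             "<+++++++[->+++++++<]>+.<++++[->----<]>.<+++++[->-----<]>---------."
             "<+++++++[->+++++++<]>++..<")

BF_OPS = set("+-<>.,[]")


def looks_like_brainfuck(text: str, threshold: float = 0.9) -> bool:
    """Heuristic to try before a cipher identifier: almost every non-whitespace
    character is one of the eight ops and at least one loop is present."""
    chars = [c for c in text if not c.isspace()]
    if not chars or "[" not in chars:
        return False
    return sum(c in BF_OPS for c in chars) / len(chars) >= threshold


def run_brainfuck(code: str, cells: int = 30000, max_steps: int = 1_000_000) -> str:
    """Execute code on 8-bit wrapping cells and return everything '.' printed."""
    code = "".join(c for c in code if c in BF_OPS)  # drop spacing and line breaks
    jump, stack = {}, []
    for i, c in enumerate(code):                     # pre-match the brackets
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unbalanced ']'")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced '['")
    tape = bytearray(cells)
    ptr = pc = steps = 0
    out: List[str] = []
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit hit; refusing to loop forever")
        c = code[pc]
        if c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        # ',' (input) is ignored: these messages take no input
        pc += 1
    return "".join(out)


def decode_easy_txt(text: str) -> List[str]:
    """Decode each blank-line-separated message on its own. Run back to back,
    the first message's leftover cell values corrupt the second's output."""
    blocks = [b for b in text.split("\n\n") if b.strip()]
    return [run_brainfuck(b) for b in blocks]


if __name__ == "__main__":
    print(decode_easy_txt(MESSAGE_1 + "\n\n" + MESSAGE_2))
```

The garbage you get from pasting the whole file into a decoder at once has a concrete cause: each message starts by loading a counter into cell 0 and building up cell 1 from zero, so the second message inherits cell 1 = 115 (“s”) from the end of the first and every character it prints is shifted.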

Step 5 — Brute forcing MySQL credentials

These certainly look like credentials. The hint page also mentioned SSH. Although we didn’t see port 22 open in our previous scan, SSH could be running on an uncommon port. Remember the unknown port 7223 which was open? Maybe it is SSH. Let’s try it with our now newly discovered credentials.

ssh rtemis@172.16.98.133 -p 7223

Success!

Viewing hidden files in the user’s home directory shows a folder named “.hint”. Sounds like a good place to start.

ls -a
ls .hint

Inside .hint we have two files, “pass.txt” and “user.txt”. You can view the contents of these files with the following commands.

cat .hint/pass.txt
cat .hint/user.txt

After using “cat” copy/paste the contents of each file onto your local system into two new files for easy access.

As we haven’t yet made use of the MySQL database on port 3306, my guess is the contents of pass.txt and user.txt are a list of possible passwords and usernames to access it.

Luckily, rather than do this manually, Metasploit has a module to automate testing each combination of username and password from the discovered lists.

Here is my configuration; just start msfconsole and type the following. (Note: the pass_file and user_file below are the paths to the files you saved on your local machine earlier using cat.) Be sure to start msfconsole in a new terminal window, as we will need to come back to your SSH session later.

use auxiliary/scanner/mysql/mysql_login
set rhosts 172.16.98.133
set pass_file /path/to/pass.txt
set user_file /path/to/user.txt
set stop_on_success true
run

Go grab a cup of tea, this will take upwards of an hour. Otherwise skip to the next step to see the brute-forced credentials.

Metasploit finds that the correct username is “somu” with a password of “toor123”.
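What this hour-long guessing run looks like from the server side, and a way to catch it. This is an added example, not code from the write-up or from Metasploit: it parses “Access denied for user” entries of the kind MySQL writes to its error log when failed logins are recorded, and raises an alert when one source host fails more than a threshold of times inside a sliding window. The log lines are constructed for the example; the attacker host 172.16.98.1, the timestamps and the connection ids are assumptions, not data from the VM.

```python
# Added example, not code from the write-up: detection logic for the kind of
# credential guessing mysql_login performs against port 3306. The log lines
# are constructed in the "Access denied for user ..." shape MySQL's error log
# uses for recorded login failures; the host 172.16.98.1, the timestamps and
# the connection ids are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ACCESS_DENIED = re.compile(
    r"^(?P<ts>\S+) \d+ (?:\[[^\]]*\] )+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

# Constructed sample: five failures from one host in two seconds (the
# username/password list run), plus one unrelated local failure.
SAMPLE_LOG = """\
2021-03-10T14:02:11.000001Z 51 [Note] Access denied for user 'root'@'172.16.98.1' (using password: YES)
2021-03-10T14:02:11.400001Z 52 [Note] Access denied for user 'root'@'172.16.98.1' (using password: YES)
2021-03-10T14:02:12.000001Z 53 [Note] Access denied for user 'admin'@'172.16.98.1' (using password: YES)
2021-03-10T14:02:12.500001Z 54 [Note] Access denied for user 'somu'@'172.16.98.1' (using password: YES)
2021-03-10T14:02:13.000001Z 55 [Note] Access denied for user 'somu'@'172.16.98.1' (using password: YES)
2021-03-10T14:05:00.000001Z 56 [Note] Access denied for user 'app'@'127.0.0.1' (using password: YES)
"""

Event = Tuple[datetime, str, str]  # (timestamp, username tried, source host)


def parse_failures(log_text: str) -> List[Event]:
    """Extract (time, user, host) from every access-denied line; skip the rest."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = ACCESS_DENIED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"].rstrip("Z"), "%Y-%m-%dT%H:%M:%S.%f")
        events.append((ts, m["user"], m["host"]))
    return events


def find_bruteforce(events: List[Event], threshold: int = 5,
                    window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Alert on any host with >= threshold failures inside a sliding window.
    The distinct usernames are reported because a list of users being cycled
    (as with user_file above) distinguishes a wordlist run from one fat finger."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for ts, user, host in sorted(events):
        q = recent[host]
        q.append((ts, user))
        while ts - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[host] = {
                "failures": len(q),
                "users": sorted({u for _, u in q}),
                "window_start": q[0][0].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for host, info in find_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"possible MySQL brute force from {host}: {info}")
```

Two things the sample shows: the lone failure from 127.0.0.1 never trips the threshold, and the alert for 172.16.98.1 carries three different usernames, which is the signature of a user list being cycled rather than a single mistyped password. Failed logins only reach the error log when MySQL is configured to record them, so confirm that setting before relying on this source.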

Step 6 — MySQL database access

Return to our SSH session on the target machine to attempt accessing the MySQL database.

A quick note on MySQL permissions: Technically, you could log in to the database from your attacker machine; the command you would use is mysql --host=172.16.98.133 --user=somu -p. However, while you would successfully authenticate and log in, you wouldn’t be able to complete the next step in the exercise. That is because you would be logged in to MySQL as somu@attacker-IP-address, and in this example the permissions for user somu are only granted for connections from @localhost. Therefore, you must be logged in to the target machine via SSH, and specify the host IP address as 127.0.0.1, in order to view the necessary databases.

Once connected to the target machine via SSH, access the MySQL database using the credentials “somu” and “toor123”.

mysql -h 127.0.0.1 -u somu -p

Showing the available databases, there is a database named “secret” which looks promising. Here is how to view its contents.

show databases;
use secret;
show tables;
select * from secret;
exit

The table in database “secret” gives us a username of “root”, with a password “H@ckMe”.

Having exited from the MySQL database we should be back to our SSH session. Using the newly discovered “root” credentials we can view the final flag as root.

su -c "ls /root" root
su -c "cat /root/flag2.txt" root

The final flag contains “R777N1k”, the name of the authors.

We are done! Thanks RootNik Labs for the challenge.

Some learning points: A few things that caught my eye while completing this challenge.

  1. Cipher Identification: https://www.dcode.fr/ is a great resource. I was very impressed with its ability to correlate cipher text to the appropriate algorithm being used. While Brain**** is not actually an encryption algorithm, dcode.fr correctly identified what method was used to encode the text and is a great resource to be mindful of in future CTF challenges.

Hope you enjoyed the write-up! Good luck in your future challenges!
John Bush
