Introduction
Lately, I’ve been enjoying creating hacking challenges for the security community. This new challenge encapsulates a company, entitled – The Ether, who has proclaimed an elixir that considerably alters human welfare. The CDC has become suspicious of this group due to the nature of the product they are developing.
The Goal
The goal is to find out what The Ether is up to. You will be required to break into their server, root the machine, and retrieve the flag. The flag will contain more information about The Ether’s ominous operations regarding this medicine.
Any Hints?
This challenge is not for beginners. There is a relevant file on this machine that plays an important role in the challenge, do not waste your time trying to de-obfuscate the file, I say this to keep you on track. This challenge is designed test you on multiple areas and it’s not for the feint of heart!
Last Words
Whatever you do, do not give up! Exhaust all of your options! Looking forward to have OSCPs take this challenge. As always, good luck, have fun, God bless, and may the s0urce be with you.
http://www.mediafire.com/file/502nbnbkarsoisb/theEther.zip
f1re_w1re
Security Shards 
Have any tips on theEther? I”ve tried a bunch of RFI stuff and can’t get anywhere. I even changed user-agents, looked for lots of different directories with dirb/dirbuster etc…
I’d love a hint if you were so kind. ๐
Although it’s not RFI, you’re in the right track. You will need to know how to bypass some filters to make progress.
Ugh. OK. I guess I’ll try harder. lol. I feel stupid…, but I know it’s right in front of me. ๐
Don’t feel that way! You got this!
Appreciate the encouragement. I’ll come back to it later. All out of ideas…
Good challenge so far, I’m playing around with the ‘file’ and a little stuck at how to use it, hoping for some guidance. I sent you a tweet don’t want to spoil things.
I replied.
I sent you a reply, I think it might be a bit broken because python won’t actually get permissions from a suid script file. I’m trying to read into the y file in /home/evilscience/ using a symlink named auth.log but I just see something like cat: Permission Denied. I assume this is because the process is running as www-data? Any help?
It’s not broken. Yes, Python itself won’t inherit any permissions from that script file. That Python file is used to access system files as root – there is a way to access other files and ways to run alternate code. I think (and I may be wrong here) that you are fixated in trying to read a file to get you root access. There is nothing you can read that will give you root. I will post a solution after 6 months if no one gets it. You are very close!
Ok I’ll keep trying, I just don’t get how it reads anything as root :/. It doesn’t even read the presented files because of lack of permissions. If you escape it shell and run I’d you’re still www-data.
That Python file reads the auth.log file. Www-data, cannot read that. From that, you know that file accesses other system files that cannot otherwise be read. You have good questions
I wish I was at my PC, fairly certain that was group owned as www-data or set to read ALL otherwise how could php read it?
The Python file yes, but not the auth.log. You can only read it (auth.log) because of the SETUID bit. Everyone can read the Python file
You can read auth.log regardless of the python program as www-data, but you cant read other priviledged files like /var/log/apache2/access.log or other root owned files even if you can trick it to read it by symlink or just breaking out of the cat command and running something else. It sounds like you’re saying that should work?
Lol yes, that’s what I’m saying without saying it (don’t want spoilers here). Www-data will not be able to read an auth.log with 640 on its permission. It can only read that file from the Python script due to the SETUID as root. If you’re www-data and do “cat /var/log/auth.log”, it will not work.
You can delete my comments and email me at agexuve@gmail.com or the one I posted with here if you want to remove the spoilers. I don’t receive the expected behavior on my end and I don’t think it should should on almost any nix os because setuid only applies to compiled code, not interpretered sripts for security reasons. Unless you raised permissions within the python code. I cant test anything more but it wasn’t working this morning. Can you double check it works with the VM?
I really think you have a problem with the python script.
The /var/log/auth.log file is readable by the www-data without any modification.
Moreover, due to the fact the python interpreter donโt inherit of the permission of the executed script we are not able to execute command with another privilege.
Can you contact me in me email address?
Will do. I will also double check on my end as well.
Any extra hints you want to share? I’m still stuck at the ‘file’ part myself. ๐ You can always hit me up on my Gmail if you don’t want to spoil…
[โฆ] f1re_w1re Series: The Ether Web page: https://securityshards.wordpress.com/2017/10/26/the-ether-a-new-boot-2-root-hacking-challenge/ Link: The [โฆ]
Thanks for the VM mate! ๐
https://lukeanderson.com/2017/11/29/the-ether-evilscience-vulnhub-walkthrough/
Nicely done Sir
Hi, I think the VM has some sort of flaw. First, the python script cannot be invoked directly as it is missing the appropriate bang and hence /bin/bash is invoked (output might be a spoiler).
$ /var/www/html/theEther.com/public_html/xxxlogauditorxxx.py
http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html) and makes the setuid bit actually useless.
Finally the solution suggested in the walkthrough does not work either as the famous command used prompts for a password for the www-data user:
XXXX: unable to resolve host theEther: Connection refused
[XXXX] password for www-data:
Do you know what’s wrong here? I checked the MD5 of the downloaded zip and it matches the MD5 shown on vulnhub. Thus, I am using the correct vm image!
Download the VM again using the link on the blog. Vulnhub has yet to update the VM
Thx, that did the trick ๐
Although I am still not convinced the setuid bit on /usr/bin/python2.7 and on the py script is needed after all. Imho the xxxx command should be all you need.
[…] If you’re having issues please re-download the updated version from the authors site. […]
The guys from vulnhub really do need the update the machine, I spent hours on this (and it could be days in case I didnt get lazy due to holidays) until I saw on the walkthroughs that the sudo command is actually used to escalate privileges. Figuring out you were actually on the right way getting the wrong result due to a bugos resource is not fun. Especially with your note on the machine – “Whatever you do, do not give up! ”
Despite the experience on the VM I liked that you combined several different areas for this CTF, definitely not a beginner’s one though.
Congratulations on the good job. but be sure to double-check on the next one prior to release;)
Sorry about that. I messaged Vulnhub to update the link and it’s been well over a month without any response. Thanks for checking the source of the challenge to attempt it. Hopefully it did not deprive you from a good learning experience.
Sure, it was a great resource for me! Thank you for taking the time to build it. I also liked that there was actually a story attached to it which provokes curiosity and kind of builds up a bit more motivation than a regular cat file flag CTF.
P.S. > Please note that I actually downloaded it from the magnet link as the mediafire link on vulnhub is actually returning an invalid response. May be that’s why they removed it, so you may need to message them to update both links. As you didnt get get any response I suggest to try messaging them again.
I will do that
They have a twitter POST with an updated link from earlier today so I believe it’s already done.
That’s great, thanks for the update! My head can rest easy now.
Nice work. Offensive Security may want to consider putting this in the labs.
https://limbernie.github.io/articles/2018-02/evilscience-walkthrough/
Nicely done, good method to get to the solution. Kudos.