THM - Year of the Rabbit
Can you hack into the Year of the Rabbit box without falling down a hole?
This is an easy rated box, and I’m a bit concerned that it’s an easy exploit hidden behind some annoyingly difficult-to-find folder on a website; we’ll see if that’s true.
So this one has FTP, SSH and HTTP on port 80. There is no anonymous login on the FTP. It’s running vsftpd 3.0.2, which doesn’t appear to be a vulnerable version.
The webserver is just showing the default apache page, so we’ll try a basic gobuster with the dirb ‘big’ wordlist; we quickly find a folder called /assets. This contains two files:
[VID] RickRolled.mp4 2020-01-23 00:34 384M
[TXT] style.css 2020-01-23 00:34 2.9K
The style.css file contains a link to /sup3r_s3cr3t_fl4g.php, which in turn links to Never Gonna Give You Up on YouTube.
There is also a message:
This is happening whether you like it or not… The hint is in the video. If you’re stuck here then you’re just going to have to bite the bullet!
We can download the RickRolled video file, and about a minute in the audio fades and a voice says that you’re ‘looking in the wrong place’. So presumably the /assets directory was one of the ‘rabbit holes’.
One of the nice things about Burp Suite is the ‘target’ tab, where it collates a list of links on the host. When we take a look there we can find this:
Presumably this link was hit when we followed the sup3r_s3cr3t_fl4g.php link earlier.
Going there reveals a picture:
Ahhh my favourite, stego. I often find myself referring back to this for these CTF stego things. In this case:
So we’ve got an FTP user name and a bunch of potential passwords (about 80 of them).
I put the passwords into a file called plist.txt and ran it through FTPBruter:
We’ve got one file:
When we get the file, it’s BrainF*** code. Um… yeah.
We can paste the code into this site and extract the credentials:
So these are SSH creds for eli, and when we log in we see this:
1 new message Message from Root to Gwendoline:
“Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I’ve left you a hidden message there”
When we cat /etc/passwd, we can see there is indeed a user called gwendoline, and it seems like we need to find a message left for her.
Search by date
No doubt there are a few ways to find this, but looking around we can see that many of the files were created on Jan 23 2020, so let’s search for that:
What does it say?
Your password is awful, Gwendoline.
It should be at least 60 characters long! Not just MniVCQVhQHUNI
So with this information we can su as gwendoline.
Running sudo -l we can see this:
The version of sudo we have is 1.8.10p3, which is vulnerable to CVE-2019-14287, and that means we can do this:
And once we’re in vi, we can run :!/bin/sh and we’ve got a root shell.
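As an added defender-side check (my own script, not part of the original writeup): the code below parses a sudo version string and a sudoers file and flags any rule whose Runas user list is ALL with an explicit !root (or !#0) exclusion. That combination, on sudo older than 1.8.28 where CVE-2019-14287 was fixed, is what lets the negation be bypassed. The sudoers text and version string are constructed samples, not the box’s real configuration.

```python
import re

# CVE-2019-14287 was fixed in sudo 1.8.28; anything older is affected.
FIXED_VERSION = (1, 8, 28, 0)

# Constructed sample sudoers; the gwendoline/vi line mirrors the writeup's shape but is assumed.
SAMPLE_SUDOERS = """\
# constructed sample, not the box's real sudoers
Defaults env_reset
root       ALL=(ALL:ALL) ALL
%admin     ALL=(ALL) ALL
gwendoline ALL=(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
bob        ALL=(ALL, !#0) /bin/ls
alice      ALL=(root) /usr/bin/systemctl restart nginx
"""

def parse_sudo_version(text):
    """Turn a version string such as 'Sudo version 1.8.10p3' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))

def version_is_vulnerable(text):
    return parse_sudo_version(text) < FIXED_VERSION

RUNAS_RE = re.compile(r"\(([^)]*)\)")

def rule_is_exposed(rule):
    """True if the rule's Runas user list is ALL minus an explicit root exclusion.
    In sudoers '#' starts a comment unless followed by digits (a numeric uid/gid)."""
    line = re.sub(r"#(?!\d).*$", "", rule).strip()
    if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                    "Runas_Alias", "Host_Alias")):
        return False
    m = RUNAS_RE.search(line)
    if not m:
        return False
    users = [u.strip() for u in m.group(1).split(":", 1)[0].split(",")]
    allows_all = "ALL" in users
    excludes_root = any(u in ("!root", "!#0") for u in users)
    return allows_all and excludes_root

def audit(sudo_version, sudoers_text):
    """Combine both checks: only a vulnerable binary plus an exposed rule is exploitable."""
    vuln = version_is_vulnerable(sudo_version)
    exposed = [l for l in sudoers_text.splitlines() if rule_is_exposed(l)]
    return {"version_vulnerable": vuln, "exposed_rules": exposed,
            "exploitable": vuln and bool(exposed)}
```

The fix is either upgrading sudo or replacing the "everyone except root" negation with an explicit allow-list of Runas users; the script flags both exposed rules in the sample.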