Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

DefCon

Introduction

After a first challenge, which can be found on tryhackme.com, this is my second challenge which is dubbed “DefCon”.
The challenge will walk through some of the basic skills and will cover typical CTF-like skills.
I will post parts of the entire solution so people can go forward when stuck after some time, without spoiling everything.

[UPDATE]: next part added…..from Nicky to Smith

Recon

First finding open ports and running services:

Web-server

When directing the browser to IP 192.168.2.23 there is an error: Server not found and the URL has changed

The browser doesn’t know where to go, because there is no DNS. To solve this add an entry to the /etc/hosts file.

Now the browser knows where to go.
Because the SSL certificate is self-signed there is a warning.

When accepting the risks the website is shown.

On this page there are 3 crypto puzzles.

Puzzle 1

Puzzle 2

Puzzle 3

SSL

When checking the SSL certificate there is some information about an mail address which has another domain name.

This indicates that there is probably several virtual hosts active on the remote web-server.
To browse the other domain name, we adjust the /etc/hosts file again.

By altering the line: 192.168.2.23 nsa-server.net nsa-secretserver.net, the browser can be directed to the other domain.

There is a terminal on the main page that informs about the status of the system.
When waiting long enough it looks like there is something wrong with the system and at the end, there is some code being exfiltrated.

The sequence is Morse code. The forward slash is functioning as letter delimiter and the backslash as word delimiter.
The website https://gchq.github.io/CyberChef/ can help with the deciphering.

There is a problem with the result. It is missing parts.
When taking another look at the source code of the page with the Morse, there is a problem with the Morse code.
It looks like there is a character encoded. To solve this problem a side step is needed.

After another try with the corrected string the result on cyberchef is better.

WordPress – Graham

The WordPress dashboard holds a menu called plugins. Here there is a plugin called WPTerm, which offers a terminal for the system.

EoP1 – Graham > John

In the /home/graham folder there is some mail.

In the Trash folder there is a deleted note.

The new password of John is hidden inside this message in plain sight.
The last line has some uppercase letters, when separating them from the string they form the password.

With the username + password su-ing as john would be the next step.

That is not going to work. Normally now would be a good time to SSH to this system as John.
But the SSH running on port 22 is a honeypot. So that would be a waste of time.
Instead a reverse shell to get a proper TTY shell is better.

First start a listener on your machine with netcat

Then connect from the remote machine to your machine with netcat.

Now the connection is established and there is a reverse shell running.

Now to get a proper TTY.

After this switch to user John.

EoP 2 – John > George

First see what this user can do.

It looks like user john can start a proper ssh server.

But port 22 was already used for the honeypot, so let´s check which port is used for the SSH server.

Looks like port 222 is listening for a connection.

There is a file on the Documents folder.

When looking at the extension, it looks like it´s picture.
But when checking the type of file, Linux says it´s a PDF.
To get a better view of the file, we transfer it to the local machine.

When we try to open the file like a picture, there is nothing to show.
Let´s copy the file and rename it to a PDF file.

Also nothing.
When looking at the file in hexeditor, the important part to check is the header.

There are several lists with the hex file headers.
When looking at the hex header for PDF we see this is similar to our file.

But the file wasn´t named .pdf
It was .png

As we can see the first 5 bytes are that of a PDF header.
But when looking a bit further, we see the 6th, 7th and 8th byte looks similar like the PNG header.
Let´s overwrite the header to match the PNG file header.

As we look to the ASCII section of hexeditor, we see this hex header is the one of PNG.

The file is now readable as a picture and when opening it, there is a string.
A password maybe? But for who?

To get the correct name with the found password, there are several ways to go about.
In this writeup, we´re going to try one of the following three:

First one – because it´s a small list of names, we can do it by hand or try a small bash one-liner.

Pretty simple, but with a very long list of names it becomes an annoying task to perform.
The second options is to use a tool called sshpass.

This option was quit faster and didn’t need any form of manual input for the password.
The final option is to use Metasploit:

This option also works fast when you have a very long list of usernames.
It also works very fast if you also have a list with passwords and you need to compare it.

EoP 3 – George > Samantha

The recon section starts over when logging in as a different user.
In this case user george has also some rights on this system.

This user can run Vi editor with the rights of user Samantha.
We can abuse this, but you need to run Vi as user Samantha.

Inside Vi editor there is an option to run a command:

Use Python again to get a proper TTY.

EoP 4 – Samantha > Nicky

Back in the home folder of this user, there is something of interest.

There is an executable with the SUID flag enabled.
Let’s see what the program does.

It runs the ss command and shows a list of the current connections.
If the program is using a relative path to execute the command we can manipulate PATH and fool the program in running something in our favor.

To do this, we first create our own version of ss.

Then we make the file executable.

Because we want the program to execute our ss file instead of the correct one, we alter the PATH variable.

This way whenever the system is going to look for a program it will cycle through the PATH variable.
Normally it will start in /usr/local/bin and then go to /usr/bin and keeps on going until it finds the program.
Or not and then you get an error that the program can´t be found.
When executing the check program, the system will cycle through the PATH variable, but it will start in /tmp first.
It will find our ss executable and thinks it found the correct one and will run it.

Running the program resulted in executing our ss version and elevated our rights to….nicky (not root – bummer).

EoP 5 – Nicky > Smith

When looking at the connections earlier there was another connection that has some interest.
There is running a MariaDB instance locally.
As it seems, user nicky has access.
To log in to MariaDB, you need a password.
Lucky for you, user Nicky stores hers in a hidden file.

When looking at all the network connections, it looks like there is running a mysql server with a local only connection.

List all databases.

Select the database to use.

Show all tables.

Select the desired columns to show.

Crack it with either hashcat or just run a Google search for a site with a list of known hashes.
There is one hash that is a known one and that is the password hash of user smith.

Now to exit mysql and switching to user smith.

And that’s it for this part.
Good luck…

24 thoughts on “DefCon

  1. hi bro,why did I add nsa-server.net nsa-secretserver.net resolution under hosts, or redirect to nsa-server.net.
    in hosts:
    192.168.123.19 nsa-server.net nsa-secretserver.net

    1. the /etc/hosts file is used by your system to lookup hosts when connecting to them through domain name instead of IP address.
      when your system wants to connect to another system by the use of a domain name and it doesn’t know the IP address, it uses the name-servers that are available in its configuration (DNS).
      but before it looks for the name-servers, it will check the hosts file first.

  2. Hi,
    I’d like to get a tiny nudge / push in the right direction for user “Smith”. Spend already more than a day on this user but nothing. None of the common tools or manual enumeration helped me.
    Thanks!

          1. In this phase…..a basic recon is required.
            You need to know what is happening on this machine and who has access to what.
            When you figure that out, the solution is in front of you.

  3. The only thing I found is:

    Both John and Smith are member of the group ‘mail’. I read a comment between John and Graham about Smith is possibly reading their email. So maybe send some malicious email from John to Smith ?`

    I already have tried something like that but untill now not managed to get that worked and I am not sure it Smith is reading his mail every one and then?!

    P.s.: If this message is too much spoiler then please reply by email to me please !

      1. Bedankt voor de email. Heb je mijn reactie daarop ook gehad (ik zag dat je een tijdelijk emailadres gebruikte) ?!

        Ik vermoed dat jouw hint ging over Smith -> Root (dat zal via [SPOILER] gaan?!), maar ik moet eerst Smith zien te worden via een van de andere gebruikers (Nicky, Samantha, John of Graham) en daar zou ik graag een hint over willen 🙂

          1. I have the same question, I’m with user “Nicky” and I’m looking for a way to pass to user “Smith”, could you give me some hint? (Do it by mail to avoid the spoiler). Thanks in advance.

          2. With a basic recon, you will find something on the system that user Nicky has access too.
            To get access you need a piece of information you probably don’t have yet, because of the way you escalated to this user.
            Once you find those 2 things, the way to user smith will become clear.

  4. why is user smith that hard to escalate to?
    ive been turning every stone in this machine and apparently i must have missed something…
    connecting with v.. to that desktop didnt reveal anything that i havent seen from the terminal session.
    im really stuck and would appreciate a small nudge to proceed

    1. Escalating to user smith isn’t that hard (I know it’s easy for me to say), but the path to take is relatively easy when you have all the information.
      Look for files, then look for a service (you really need the file or no access to this service, enumerate your findings and escalate to user smith.

      I just added escalating from Samantha to Nicky and I’ll be posting getting to smith next week.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.