TBBT2
is made by emaragkos. This boot2root machine is part of the TBBT Fun with Flags series
and it is themed after the famous TV show, The Big Bang Theory and has really
strong CTF elements. It's more like solving a set of interesting CTF challenges
as a puzzle than facing these in a real-life scenario.
Goal: Hack Sheldon and get user and root
flag
Since
these labs are available on the Vulnhub Website. We will be downloading the VM
Machine from this link.
Penetration Methodologies
Network Scanning
·
Netdiscover
·
Nmap
Enumeration
·
Examine HTTP web pages
·
Web Directory Enumeration (Dirb)
·
De Obfuscate Js Code
·
Decoding ROT13
·
Dictionary Generating (CRUNCH)
Exploiting
·
Brute forcing (HYDRA)
·
Steganography (Stegsnow)
·
Port Knocking
·
Spawning TTY Shell
Privilege Escalation
·
Abusing Path Variable
Walkthrough
Network Scanning
Let’s start by scanning the network for targets using Netdiscover.
netdiscover
We
found the target IP Address 192.168.1.105. Let’s begin with basic port scanning
with NMAP.
nmap -sV 192.168.1.105
Enumeration
For
more details, we will navigate to a web browser for exploring HTTP service
since port 80 is open. It clearly is not enough for a clue to proceed.
Again, a secret from Sheldon on this page. We knew Sheldon wants
us to check the source code of this page.
So, on checking the source code we found this html code that is
using an interesting JS File. Let’s find out what’s inside it.
It’s very clear that we need to DEobfuscate this code. To do that we need to bring up the console in the browser.
We
copied the code and pasted in the console of the browser, also change the last
line document.write(em) with console.log(alert)em);
This
gaves us an alert in the browser. And there we see the ROT13 string. Time to
Decode!
Using an online ROT13 decoder, on decoding the code we found a
secret directory.
On browsing the directory, we saw the directory is protected with
HTTP Basic Authentication. Since we have no idea about the credentials. We
thought of proceeding with further enumeration.
On enumerating using DIRB, we found the password text file. Hope
it will hold some password that might help us login.
Another hidden password along with some hint. Since it has 3 “*”
which denotes 3 lower case letters. It’s time to generate password
dictionary using crunch tool.
Exploitation
Using crunch, we made a dictionary and tried to Brute forced the
Login credentials using HYDRA. So, after few minutes HYDRA gave us the password
as “oldtrain”.
crunch 8 8 -t @@@train > password.txt
hydra -l sheldon -P password.txt http-get://192.168.1.105/the_real_secret_dir
-e nsr
And successfully we found password “oldtrain” for user “sheldon”
After successfully logging in, we got a /p4ssw0rd.txt file
hint, and notice the thing that caught our eyes was these symbols on the webpage.
On reading the p4aaw0rd file. We saw some strange spaces in
between the text.
So, after a lot of thinking, we thought of performing “white space
steganography”. So, we save the whole content a text file and used the tool
called “stegsnow” and obtain the password “ilikeklingon”. May this could a hint
that s Sheldon like Klingon which is also a type encryption which might used as
shown in above web page.
stegsnow -C stegno.txt > result.txt
Ongoing through the source of the page we saw another hint. The
Knock term want us to perform port knocking that is for sure. Let us see what’s
in the secret image.
So, on browsing the Secret image file, we saw some symbols shown
in the image. They are hiding some secret behind them using Klingon encryption.
Since Sheldon is fond of Klingon. We found a Klingon Language
decoder. And got the result as 1000,2000 and 3000 ports.
As you can observe that we got hint for port knocking, so on
knocking the ports. It shows the SSH port 22 get opened 😊.
knock -u 192.168.1.105 1000 2000 3000
nmap 192.168.1.105
Since we have everything now, it’s time to login SSH using the
Password- ilikeklingon. And further digging in we found our first flag.
id
ls
cat flag.txt
Further we used python one liner to spawn the TTY shell. There we
found a program having SUID permission for a program “iliketrains” which is C
compiled program. We found a C program where we got to know that SL is running
everytime we execute the program “iliketrains”.
cd Desktop
python -c 'import
pty;pty.spawn("/bin/bash")'
cd Desktop
ls -al
cat .iliketrains.c
Privlege Escalation
So now we are overwrinting the “SL” with
/bin/bash and giving full permission and changing envieonment varible which
known as abusing path variable that you can read from here. Also
exporting the current directory into Path Variable. On executing the program
“iliketrains”. We made it to the root. Read the final flag.
echo “/bin/bash” >
sl
chmod 777 sl
export
PATH=/home/sheldon/Desktop:$PATH
./iliketrains
cd /root
cat flag.txt
0 comments:
Post a Comment