Today we’re going to solve another boot2root challenge called “Mnemonic “. It’s available at TryHackMe for penetration testing practice. This lab is of medium difficultly if we have the right basic knowledge to break the labs and are attentive to all the details we find during the reconnaissance. The credit for making this lab goes to villwocki. Let’s get started and learn how to break it down successfully.
Level: Medium
Penetration Testing Methodology
·
Network Scanning
o
Nmap
·
Enumeration
o Enumerating Robots.txt
o Directory Bruteforce using Dirb
o Cracking ZIP Password using John the Ripper
o Bruteforcing FTP Login
·
Exploitation
o Extracting id_rsa file from FTP
o Enumerating James User
o Cracking SSH Password using John the Ripper
o Enumerating Condor User
o Reading User Flag
o Getting Mnemonic Image
o Downloading Mnemonic Project
o Decoding Mnemonic encoded Password
·
Privilege Escalation
o Enumerating Sudo Permissions
o Enumerating Source Code of Python Script
o Exploiting Sudo Permission to root
o Reading Root Flag
Walkthrough
We will start with booting up the machine
from the TryHackMe:
Mnemonic Page, we will be provided with a Target IP Address.
IP Address: 10.10.169.103
This room has some specified tasks that we
need to fulfil to complete the Machine. There are a total of 4 Tasks with 3
Questions in Task 2, 5 Questions in Task 3, 2 Question in Task 4 that we are
supposed to answer. Task 1 is a YouTube Link to watch a fun video.
Network Scanning
We will start with a nmap scan with -sC for
Default Scripts and -sV for Scanning Versions.
nmap -sC -sV -p- 10.10.169.103
The Nmap Scan gives us some services to
enumerate. It gave us the FTP service on port 21 but unfortunately, we don’t
have a set of credentials to access the machine and Anonymous Login is Disabled.
Next, we had the HTTP Service on port 80, which we will take a look at. We will
also see the entry inside the robots.txt that nmap crawled. Then came the SSH
service on port 1337, which we don’t have credentials for yet.
Q.2:
How many open ports?
Ans: 3
Q.3: what is the ssh port number?
Ans: 1337
Enumeration
As we have the HTTP Service Running, it is
a good thing to check out the webpage that is hosted using a Web Browser. We
know from nmap that there is a robots.txt file on the server. Let’s take a look
at it first.
http://10.10.169.103/robots.txt
We have a entry
inside the robots.txt. It says to disallow /webmasters/. Let’s see whats inside
this directory that the author wants to hide from us.
http://10.10.169.103/webmasters/
That’s quite disappointing. It is blank. We
checked the source code too if something is commented but no the file was
completely empty. Moving on, we perform a Directory Bruteforce using dirb to
enumerate further.
dirb http://10.10.169.103
This led us straight to the backups
directory. It seemed interesting enough to check. If we browse it directly,
there is a chance that we might not able to see anything unless Directory
Listing is enabled (It isn’t). So, we modified our dirb command to search for
php, png and zip files inside the backups directory.
dirb http://10.10.169.103/webmasters/backups/
-X .php,.png,.zip
This gave us the backups.zip file. This
also serves as the answer to the question.
Q.4 What is the name of the secret
file?
Ans. backups.zip
We used the wget command to download the
backups.zip file to our local machine. Here, we tired to extract the contents
of the compressed file to find that it is password protected. To crack the
password using John the Ripper, we need to use the zip2john binary. It is
located inside the /usr/share/zip2john. This gave us a hash to crack. When ran
John the Ripper against the hash using rockyou as a wordlist. We found the
password to be 00385007.
wget
http://10.10.169.103/webmasters/backups/backup.zip
/usr/sbin/zip2john backups.zip > hash
john
--wordlist=/usr/share/wordlists/rockyou.txt hash
Now that we have the password for the
compressed file, let’s extract the contents of it. We found a note inside. It
tells us that the FTP service can be accessed using ftpuser username.
Q.5 FTP user name?
Ans. ftpuser
unzip backups.zip
cat backups/note.txt
Now that we have the username, we can use
the THC-Hydra to Bruteforce the password using the rockyou wordlist. After
running for a while, we got the password “love4ever”.
Q.6 FTP Password?
Ans. love4ever
hydra -l ftpuser -P
/usr/share/wordlists/rockyou.txt 10.10.169.103 ftp
Now that we have the credentials for the
FTP service, let’s login and enumerate. After listing contents of the
directory, we see that the data4 directory has different permissions. It has an
executable permission. This intrigued us to check it. We found an id_rsa key
inside the directory. We also found a note. We downloaded both to our local
machine to take a closer look.
ftp 10.10.169.103
ftpuser
love4ever
ls
cd data-4
get id_rsa
get not.txt
bye
We read the note to find that a user by the
name of james has changed the ftp password. It is possible that james is a user
that has SSH access and id_rsa key would help us to login as james user via SSH.
Q.7 What is the ssh username?
Ans. james
cat not.txt
james
cat id_rsa
We changed the permission of the key to use
it. We then tried to login as james user on the SSH service. The id_rsa file
didn’t work. The SSH still asks us for a password.
So, now we will try to extract a password
from this encrypted id_rsa key. For this we have to use the ssh2john python
script. It is located inside /usr/share/john/ directory. We used this python
script to get a crackable hash from the id_rsa file. Then we used the John the
Ripper to crack that hash. The password turned out to be bluelove.
Q.8 What is the ssh password?
Ans. bluelove
/usr/share/john/ssh2john.py id_rsa >
hash
john hash
--wordlist-/usr/share/wordlists/rockyou.txt
bluelove
Since we have the ssh credentials for the james
user, we used it to gain the ssh session on the machine. Remember to use the
port 1337 to login.
ssh james@10.10.169.103 -p 1337
bluelove
We listed the contents of the directory we found a text file 6450.txt and a note file. We read the notes to see that there is a new kind of encryption at play here. We also see that there is a user condor whose password is recently created. We open the 6450-text file to find random strings of numbers that doesn’t seem to make any sense. We need to search for that Mnemonic Encryption.
We start some manual enumeration of users
which gave us condor. We remember condor user from that note. We tried to list
the files inside the condor user’s home directory to see that the access is
denied but still we have the name of directories which seem to be base64
encoded.
ls /home
ls /home/condor
We copy both the file names and put them
inside text files as shown in the image below. Then we used the cat command to
read the file contents with concurrently using the base64 -d command to decode
the encoding. Here, we find a THM Flag and a link for an image by the name of
maxresdefault.jpg.
Q.9 User.txt?
Ans. THM{#############################}
nano text
cat text | base64 -d
nano text2
cat text2 | base64 -d
We download the image. Now we read about
the Mnemonic Image encryption online. A simple google search gave us a GitHub
project. It is based on the Pixel position of an image.
We clone the repository to our local
machine. Then we move into the cloned directory and tried to run the python
script.
git clone
https://github.com/MustafaTanguner/Mnemonic.git
cd Mnemonic
python3 Mnemonic.py
We provided it 2 files. First was the image
file named maxresdefault that we just downloaded. Then it asked us the action
to perform. We chose decryption. Then it asked us for the decryption file. This
is where the 6450.txt file that we found earlier comes into picture. We provide
the path for it as well. It decodes the password as pasificbell1981.
Q.10 What is the condor password?
Ans. pasificbell1981
/root/maxresdefault.jpg
2
/root/6450.txt
pasificbell1981
We used the credentials for condor to login
via SSH. Since we have already found the user flag, instead of enumerating for
it, we decided to enumerate for ways to elevate this access to root. We began
with checking the sudo permissions using sudo -l command. This gave us a python
script by the name of examplecode.py. To understand what this script does, we
tried to read the code.
ssh condor@10.10.169.103 -p 1337
pasificbell1981
sudo -l
cat /bin/examplecode.py
Upon close inspection, we observe 2 things. First that it prints a list in front of the user. The number 5 entry on the list says “#Root Shell Spawn” But if we take a closer look, we can see that it is a rabbit hole placed very nicely. If the user selects number 5 it shutdowns the machine and terminating the access of the user. The option 0 which asks the user if they want to quit? It asks the user for a confirmation. If the answer is a dot (.), the program will display “Running…..” message. But it is not running anything but actually waiting for an input. That will execute system commands.
Time to run the script using sudo.
sudo python3 /bin/examplecode.py
We get the list of choices that we talked
about. We choose 0 option. When asked for confirmation, we provided dot (.). It
displayed the Running message. This is where we executed the shell command to
get the root shell. Immediately we got the root shell. All that is left is to
read the root flag and conclude this machine.
sudo python3 /bin/examplecode.py
0
.
/bin/bash
id
cat /root/root.txt
Q. 11 root.txt
Ans. THM{###############################}
This machine was quite interesting and We
had quite fun while solving it.
Things that we learned, A quick recap.
Enumerating robots.txt, Extension based
Directory Bruteforce, Cracking ZIP file Password, Bruteforcing FTP Login,
Cracking SSH Password from id_rsa, Decrypting Mnemonic Encoding, Escalating
Privilege using Sudo permissions on a script.
0 comments:
Post a Comment