First let's start by discovering information about the host using Nmap. Here we choose to scan all ports and identify their services with the -p- and -sV arguments, add an aggressive scan with -A, run it as a SYN scan with -sS, and turn verbosity up with -vv (note : some non-useful information has been removed from the output) :
# nmap -vv -p- -sV -A -sS 10.10.113.169
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-15 15:19 CET
Initiating Parallel DNS resolution of 1 host. at 15:19
Completed Parallel DNS resolution of 1 host. at 15:19, 0.01s elapsed
Initiating SYN Stealth Scan at 15:19
Scanning 10.10.113.169 [65535 ports]
Discovered open port 21/tcp on 10.10.113.169
Discovered open port 22/tcp on 10.10.113.169
Discovered open port 80/tcp on 10.10.113.169
Discovered open port 8080/tcp on 10.10.113.169
SYN Stealth Scan Timing: About 40.28% done; ETC: 15:20 (0:00:46 remaining)
Completed SYN Stealth Scan at 15:20, 59.67s elapsed (65535 total ports)
Initiating Service scan at 15:20
Scanning 4 services on 10.10.113.169
Completed Service scan at 15:20, 6.65s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 10.10.113.169
Retrying OS detection (try #5) against 10.10.113.169
Initiating Traceroute at 15:20
Completed Traceroute at 15:20, 0.07s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:20
Completed Parallel DNS resolution of 2 hosts. at 15:20, 0.01s elapsed
NSE: Script scanning 10.10.113.169.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:20
NSE: [ftp-bounce 10.10.113.169:21] PORT response: 500 Illegal PORT command.
Completed NSE at 15:20, 12.74s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:20
Completed NSE at 15:20, 0.56s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:20
Completed NSE at 15:20, 0.00s elapsed
Nmap scan report for 10.10.113.169
Host is up, received echo-reply ttl 63 (0.065s latency).
Scanned at 2022-12-15 15:19:10 CET for 93s
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.23.112
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 65534 65534 25 Nov 27 11:41 file.txt
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ba0de89e97c5f0f141334db7b2f88c77 (RSA)
| 256 a8b923323b9b2beb6d53f168cc7318e3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI+ivRfgkc0rhx+u68ey8K8wXn36EEusbdoqsJtHokVQ0BLOyplXHtNsfrJl1iaCnSm90nslwYeeTDTnC2xdAY8=
| 256 ac92265c9007e266444acd10d57230b7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILKPZem8XUWDBaJ6fnUV6uEPPfGfqyw8gLzIojm8JnTG
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 227 disallowed entries (40 shown)
| /search /sdch /groups /index.html? /? /?hl=*&
| /?hl=*&*&gws_rd=ssl /imgres /u/ /preferences /setprefs /default /m? /m/ /wml?
| /wml/? /wml/search? /xhtml? /xhtml/? /xhtml/search? /xml?
| /imode? /imode/? /imode/search? /jsky? /jsky/? /jsky/search?
| /pda? /pda/? /pda/search? /sprint_xhtml /sprint_wml /pqa
| /palm /gwt/ /bm9vb29vcGU= /NXVwM3JfYzRjaDM= /local?
|_/local_url /shihui?
|_http-server-header: Apache/2.4.41 (Ubuntu)
8080/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 227 disallowed entries (40 shown)
| /search /sdch /groups /index.html? /? /?hl=*&
| /?hl=*&*&gws_rd=ssl /imgres /u/ /preferences /setprefs /default /m? /m/ /wml?
| /wml/? /wml/search? /xhtml? /xhtml/? /xhtml/search? /xml?
| /imode? /imode/? /imode/search? /jsky? /jsky/? /jsky/search?
| /pda? /pda/? /pda/search? /sprint_xhtml /sprint_wml /pqa
| /palm /gwt/ /bm9vb29vcGU= /NXVwM3JfYzRjaDM= /local?
|_/local_url /shihui?
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.41 (Ubuntu)
Interesting stuff here, we have services running on common ports :
FTP (21) on vsFTPd 3.0.3
SSH (22) on OpenSSH 8.2p1 Ubuntu 4ubuntu0.5, along with the server's public host keys
HTTP server (80, 8080) on Apache 2.4.41
We can see that nmap found a file called "file.txt" on the server. This was possible because nmap tried to connect with the anonymous account. Assuming the FTP server accepts anonymous connections, let's try to get that file ! :
# ftp Anonymous@10.10.113.169
Connected to 10.10.113.169.
220 (vsFTPd 3.0.3)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||8712|)
150 Here comes the directory listing.
-rw-r--r-- 1 65534 65534 25 Nov 27 11:41 file.txt
226 Directory send OK.
ftp> get file.txt
local: file.txt remote: file.txt
229 Entering Extended Passive Mode (|||26615|)
150 Opening BINARY mode data connection for file.txt (25 bytes).
100% |***********************************| 25 8.08 KiB/s 00:00 ETA
226 Transfer complete.
25 bytes received in 00:00 (0.62 KiB/s)
ftp> exit
221 Goodbye.
┌──(root㉿el-huervo)-[~/others_stuff/thm/5up3r_53cur3]
└─# cat file.txt
Naaaah ! Not that fast !
....Would have been too easy. Let's try the web page anyway :D :
When we see it, it obviously looks like a base64 string. If we aren't sure, we can still pass it to CyberChef, the Swiss army knife for encoded strings, URIs, zip files... Absolutely needed for CTFs. We can use the "magic" option to get instant recognition of the string if we still aren't sure what type of string it is. Let's try the first one :
That's some good trolling. And what about the second ? :
Here we got it ! Another subdirectory called 5up3r_c4ch3, let's paste it and search for it !
Uh, nice... White page. Let's be serious for a minute, if we look into the source code :
We're on a good path ;) Let's feed this to cyberchef one more time :
2 - Getting access :
jeannoobie@sup3r-s3cur3:~$ history
1 su - root
2 su - root
3 ls -la
4 echo 'set +o history' > .bashrc
5 ls -la
6 bash
jeannoobie@sup3r-s3cur3:~$
Holy noobo :D
To remediate this, just do the opposite of the "echo" and redirect it to your .bashrc ;) Don't forget to run "source .bashrc" to reload the modifications :
jeannoobie@sup3r-s3cur3:~$ echo 'set -o history' > .bashrc
jeannoobie@sup3r-s3cur3:~$ source .bashrc
jeannoobie@sup3r-s3cur3:~$ echo "Now we're good"
Now we're good
jeannoobie@sup3r-s3cur3:~$ history
1 su - root
2 su - root
3 ls -la
4 echo 'set +o history' > .bashrc
5 ls -la
6 bash
7 su - root
8 su - root
9 ls -la
10 echo 'set +o history' > .bashrc
11 ls -la
12 bash
13 echo "Now we're good"
14 history
jeannoobie@sup3r-s3cur3:~$
3 - Getting the first flag :
Now let's check for some files. I've set an alias to avoid typing "ls -l" all the time (and no, I'm not lazy) :
jeannoobie@sup3r-s3cur3:~$ alias 'll=ls -l'
jeannoobie@sup3r-s3cur3:~$ ll
total 8
-rw-rw-r-- 1 jeannoobie jeannoobie 65 Nov 27 14:08 RouteToRoot.txt
-rw-rw-r-- 1 jeannoobie jeannoobie 20 Nov 27 13:26 user.txt
jeannoobie@sup3r-s3cur3:~$ cat user.txt
n***{*************}
jeannoobie@sup3r-s3cur3:~$
And we got the flag, hidden here, but it starts with the "n" character ;)
4 - Becoming r00t :
Now that we have our first user flag, we may want to acquire super-root powers, right ? Let's start by checking the other interesting file, "RouteToRoot.txt" :
jeannoobie@sup3r-s3cur3:~$ ll
total 8
-rw-rw-r-- 1 jeannoobie jeannoobie 65 Nov 27 14:08 RouteToRoot.txt
-rw-rw-r-- 1 jeannoobie jeannoobie 20 Nov 27 13:26 user.txt
jeannoobie@sup3r-s3cur3:~$ cat RouteToRoot.txt
Cherche les GET requests et tu trouveras le flag, jeune Padawan.
jeannoobie@sup3r-s3cur3:~$
"Search for the GET requests and you will find the flag, young Padawan"
"GET requests", sounds like some networking stuff for us, right ?
Maybe we can take a look at the requests on the web server, using our favorite network-sword Wireshark :
Nothing on the page where we found the SSH credentials. Maybe in the robots.txt page ?
jeannoobie@sup3r-s3cur3:/var/log/apache2$ ll
total 150348
-rw-r----- 1 root adm 10799 Dec 17 17:37 access.log
-rw-r----- 1 root adm 153906428 Nov 27 16:57 access.log.1
-rw-r----- 1 root adm 688 Dec 17 16:35 error.log
-rw-r----- 1 root adm 11042 Nov 28 00:36 error.log.1
-rw-r----- 1 root adm 14364 Dec 17 17:58 other_vhosts_access.log
-rw-r--r-- 1 root adm 1540 Nov 28 00:36 other_vhosts_access.log.1
jeannoobie@sup3r-s3cur3:/var/log/apache2$ cat error.log.1
[Sun Nov 27 14:01:44.236975 2022] [core:error] [pid 2184:tid 140150269007616] [client 192.168.30.157:32776] AH00126: Invalid URI in request GET /../../../../../../../../../../../../etc/shadow HTTP/1.1
[...]
[Sun Nov 27 14:01:45.939389 2022] [core:error] [pid 2183:tid 140150260614912] [client 192.168.30.157:34034] AH00126: Invalid URI in request GET /../../../../../../../../../boot.ini HTTP/1.1
[Sun Nov 27 14:01:45.942934 2022] [core:error] [pid 2184:tid 140150578464512] [client 192.168.30.157:34188] AH00126: Invalid URI in request GET /../../../../winnt/repair/sam._ HTTP/1.1
[Sun Nov 27 14:01:45.963024 2022] [core:error] [pid 2184:tid 140150419977984] [client 192.168.30.157:34190] AH00126: Invalid URI in request GET ////./../.../boot.ini HTTP/1.1
[Sun Nov 27 14:01:46.028399 2022] [core:error] [pid 2183:tid 140150419977984] [client 192.168.30.157:34198] AH00126: Invalid URI in request GET /DomainFiles/*//../../../../../../../../../../etc/passwd HTTP/1.1
[Sun Nov 27 14:01:46.181120 2022] [core:error] [pid 2183:tid 140150461941504] [client 192.168.30.157:34260] AH00126: Invalid URI in request GET /../../../../../../../../../../etc/passwd HTTP/1.1
[Sun Nov 27 14:01:46.201075 2022] [core:error] [pid 2184:tid 140150478726912] [client 192.168.30.157:34426] AH00126: Invalid URI in request GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini HTTP/1.1
[Sun Nov 27 14:01:46.203644 2022] [core:error] [pid 2184:tid 140150378014464] [client 192.168.30.157:34428] AH00126: Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Sun Nov 27 14:01:47.856118 2022] [core:error] [pid 2183:tid 140150478726912] [client 192.168.30.157:35614] AH00126: Invalid URI in request GET /file/../../../../../../../../etc/ HTTP/1.1
[client 192.168.30.157:44452] AH01630: client denied by server configuration: /var/www/html/.htpasswd
[Sun Nov 27 14:01:51.771853 2022] [authz_core:error] [pid 2183:tid 140150436763392] [client 192.168.30.157:44452] AH01630: client denied by server configuration: /var/www/html/.htaccess
[Sun Nov 27 14:01:51.818572 2022] [core:error] [pid 2183:tid 140150386407168] [client 192.168.30.157:44452] AH00126: Invalid URI in request GET ////../../data/config/microsrv.cfg HTTP/1.1
[Sun Nov 27 14:01:51.821260 2022] [core:error] [pid 2184:tid 140150394799872] [client 192.168.30.157:44790] AH00126: Invalid URI in request GET ////////../../../../../../etc/passwd HTTP/1.1
[Sun Nov 27 14:01:52.361710 2022] [negotiation:error] [pid 2184:tid 140150586857216] (2)No such file or directory: [client 192.168.30.157:45054] AH00683: cannot access type map file: /var/www/html/index.html.var
[Sun Nov 27 14:02:04.271525 2022] [core:error] [pid 2183:tid 140150411585280] [client 192.168.30.157:43340] AH00126: Invalid URI in request GET /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/vmware/hostd/vmInventory.xml HTTP/1.1
[Sun Nov 27 14:02:04.906543 2022] [core:error] [pid 2183:tid 140150461941504] [client 192.168.30.157:43864] AH00126: Invalid URI in request GET /../../windows/dvr2.ini HTTP/1.1
[Sun Nov 27 14:02:04.911716 2022] [core:error] [pid 2184:tid 140150445156096] [client 192.168.30.157:44106] AH00126: Invalid URI in request GET /htdocs/../../../../../../../../../../../etc/passwd HTTP/1.1
[Sun Nov 27 14:02:04.953817 2022] [core:error] [pid 2184:tid 140150428370688] [client 192.168.30.157:44112] AH00126: Invalid URI in request GET /help/../../../../../../../../../../../../../../../../etc/shadow HTTP/1.1
[Sun Nov 27 14:02:33.491800 2022] [core:error] [pid 2183:tid 140150260614912] [client 192.168.30.157:45000] AH00135: Invalid method in request QIOT / HTTP/1.1
[Sun Nov 27 14:26:42.138572 2022] [mpm_event:notice] [pid 2182:tid 140150597483584] AH00491: caught SIGTERM, shutting down
[...]
Looks like there is some juicy information here ! Someone tried to access important resources, like the famous "/../../../../../../etc/shadow" way of reaching the hashed passwords stored on Unix systems, or even the boot file boot.ini, a text file containing the boot options for BIOS-firmware computers running NT-based operating systems prior to Windows Vista ! That's funny somehow :D
But trying these paths on the web page doesn't work, we're still stuck :/
No base64 or encoded string in this file. Maybe if we take a look at the other_vhosts_access.log file ?
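Added example, not from the original writeup: a Python parser for Apache 2.4 error.log lines like the ones above. It extracts the client address, the AH error code and the requested URI, flags URIs containing ../ or %2e%2e traversal sequences, and counts those attempts per client, which is the triage a defender would run over the same log before deciding whether the source deserves a block. The sample lines are constructed from the excerpt above (including the truncated line without a timestamp, which the parser reports as unparsed rather than guessing at); all function and variable names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample in the shape of the error.log.1 excerpt above.
SAMPLE_ERROR_LOG = """\
[Sun Nov 27 14:01:44.236975 2022] [core:error] [pid 2184:tid 140150269007616] [client 192.168.30.157:32776] AH00126: Invalid URI in request GET /../../../../../../../../../../../../etc/shadow HTTP/1.1
[Sun Nov 27 14:01:45.939389 2022] [core:error] [pid 2183:tid 140150260614912] [client 192.168.30.157:34034] AH00126: Invalid URI in request GET /../../../../../../../../../boot.ini HTTP/1.1
[Sun Nov 27 14:01:46.201075 2022] [core:error] [pid 2184:tid 140150478726912] [client 192.168.30.157:34426] AH00126: Invalid URI in request GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini HTTP/1.1
[client 192.168.30.157:44452] AH01630: client denied by server configuration: /var/www/html/.htpasswd
[Sun Nov 27 14:01:52.361710 2022] [negotiation:error] [pid 2184:tid 140150586857216] (2)No such file or directory: [client 192.168.30.157:45054] AH00683: cannot access type map file: /var/www/html/index.html.var
[Sun Nov 27 14:02:33.491800 2022] [core:error] [pid 2183:tid 140150260614912] [client 192.168.30.157:45000] AH00135: Invalid method in request QIOT / HTTP/1.1
[Sun Nov 27 14:26:42.138572 2022] [mpm_event:notice] [pid 2182:tid 140150597483584] AH00491: caught SIGTERM, shutting down
"""

# Apache 2.4 error log layout: [timestamp] [module:level] [pid N:tid M]
# optional "(errno)text: " prefix, optional [client ip:port], AHnnnnn: message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"(?:\(\d+\)[^:\[]*: )?"
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<code>AH\d+): (?P<msg>.*)$"
)
# Request line echoed inside "Invalid URI/method in request ..." messages.
REQUEST_RE = re.compile(r"in request (?P<method>\S+) (?P<uri>\S+) HTTP/\d\.\d$")
# Plain, backslash and percent-encoded dot-dot segments.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e", re.IGNORECASE)


def parse_error_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one error.log line into fields; None if it is not a full log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Strip the ephemeral source port so attempts group by host.
    rec["client_ip"] = rec["client"].rsplit(":", 1)[0] if rec["client"] else None
    req = REQUEST_RE.search(rec["msg"])
    rec["method"] = req.group("method") if req else None
    rec["uri"] = req.group("uri") if req else None
    return rec


def is_traversal(uri: Optional[str]) -> bool:
    """True when the URI carries a directory-traversal sequence."""
    return bool(uri and TRAVERSAL_RE.search(uri))


def traversal_attempts_by_client(log_text: str) -> Dict[str, int]:
    """Count traversal-style requests per client IP."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_error_line(line)
        if rec and rec["client_ip"] and is_traversal(rec["uri"]):
            counts[rec["client_ip"]] += 1
    return dict(counts)


def unparsed_lines(log_text: str) -> List[str]:
    """Lines that did not match the expected layout (truncated or foreign)."""
    return [l for l in log_text.splitlines() if l and parse_error_line(l) is None]


if __name__ == "__main__":
    for ip, n in traversal_attempts_by_client(SAMPLE_ERROR_LOG).items():
        print(f"{ip}: {n} traversal attempts")
    for bad in unparsed_lines(SAMPLE_ERROR_LOG):
        print(f"unparsed: {bad}")
```

Because Apache rejects these URIs before they reach the filesystem (AH00126), the interesting signal is not that a file was read but that a single client is spraying traversal patterns; counting per client IP turns a noisy log into a one-line answer.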
Without waiting no more, let's feed it to CyberChef !
Yup, that looks nasty guys, let's get it over with ! :
jeannoobie@sup3r-s3cur3:/var/log/apache2$ su - root
Password: #Type the password obtained here ;)
root@sup3r-s3cur3:~#
root@sup3r-s3cur3:~# ll
ll: command not found
root@sup3r-s3cur3:~# ls -l
total 12
-r-x------ 1 root root 131 Nov 27 17:12 rabbitHole.sh
-rw-r--r-- 1 root root 31 Nov 27 17:18 root.txt
drwx------ 4 root root 4096 Nov 27 11:42 snap
root@sup3r-s3cur3:~# cat root.txt
n***{*********************}
root@sup3r-s3cur3:~#
Conclusion :
That was an easy and fun box to complete, thanks to @Noobosaurus_r3x for making it and publishing it on THM ;) You can join his Discord server, it's a real gold mine (only in French of course :D) :