Ransom

  • HTB
  • Easy

Phases:

  • Reconnaissance.
  • Intrusion.
  • Privilege escalation.

Reconnaissance:

We start the reconnaissance by checking that the target is online and guessing its OS with a single ping:

ping -c 1 10.10.11.153

This sends one ICMP echo request. The TTL of the reply is a rough OS hint: Linux starts at 64 and Windows at 128, and every hop on the path subtracts one, so a reply around 63/64 suggests Linux and one around 127/128 suggests Windows. It is only a heuristic (the initial TTL can be changed on the host), but here it points to a Linux machine.

Next we run an Nmap scan to find the open TCP ports on the victim machine:

sudo nmap -p- -sS --open --min-rate 5000 -n -v -Pn 10.10.11.153 -oG allPorts
  • -p- –> Scan all 65535 TCP ports, not just Nmap's default top 1000.
  • -sS –> TCP SYN ("half-open") scan: Nmap sends a SYN and never completes the three-way handshake. It is fast and needs root.
  • --open –> Only report ports that are open.
  • --min-rate 5000 –> Send at least 5000 packets per second. Fast but noisy, and on a shaky VPN link it can miss ports; rerun with a lower rate if the results look incomplete.
  • -n –> No reverse DNS resolution.
  • -v –> Verbose output, so open ports are printed as they are found.
  • -Pn –> Skip host discovery and treat the target as up (we already confirmed that with ping). This disables the ping probes; it has nothing to do with ARP.
  • -oG –> Save the results in Nmap's grepable format to the file allPorts, which a small script can parse to feed the open ports into a second, more intensive scan.

We extract the ports from allPorts with the following shell function. Add it to your .zshrc or .bashrc and install xclip, which it uses to copy the follow-up command to the clipboard. (The script is by S4vitar.)

function extractPorts(){
	# Usage: extractPorts allPorts   (the -oG output of the first scan)
	# Open ports appear as "22/open/tcp//ssh///"; keep the number and join with commas.
	ports="$(grep -oP '\d{1,5}/open' "$1" | awk -F'/' '{print $1}' | xargs | tr ' ' ',')"
	# The first IPv4 address in the file is the target.
	ip_address="$(grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' "$1" | sort -u | head -n 1)"
	echo -e "\n[*] Extracting information...\n" > extractPorts.tmp
	echo -e "\t[*] IP Address: $ip_address"  >> extractPorts.tmp
	echo -e "\t[*] Open ports: $ports\n"  >> extractPorts.tmp
	# Put the follow-up scan command on the clipboard; only the IP has to be typed.
	echo "nmap -sCV -p$ports -oN targeted " | tr -d '\n' | xclip -sel clip
	echo -e "[*] Ports copied to clipboard\n"  >> extractPorts.tmp
	cat extractPorts.tmp; rm extractPorts.tmp
}

We paste (ctrl + v) the command, add the IP address and run it:

sudo nmap -p80,22 -sCV 10.10.11.153 -oN targeted
  • -sCV –> -sC runs Nmap's default NSE scripts against the open ports and -sV probes the service versions. The default scripts report useful details (HTTP title, SSH host keys, some well-known misconfigurations), but this is not a vulnerability scan; known issues for the detected versions still have to be looked up.
  • -oN –> Save the output in normal, human-readable format to the file targeted.

Only SSH (22) and HTTP (80) are open, and this scan doesn't give us much to work with. :(

Port 80 is open, so we fingerprint the web server:

  • whatweb 10.10.11.153

whatweb reports the web server, the CMS or framework and its version, and other headers that can be useful in later steps. (The Wappalyzer browser add-on shows similar information.) Here we see the site redirects to /login, and that page asks for a password we don't have.

The web looks like this:

We tried SQL injection on the login form, but no luck. :(

We tried fuzzing the web for hidden directories and files, but found nothing interesting.

We open Burp Suite to look at what the form sends and whether any parameter can be tampered with.

The password is sent to /api/login as a GET request, with the password in the query string. If we change the method to POST and send it, we get a "method not allowed" error, and the password field now sits in the body of the request.

If we change the method back to GET but keep the password in the body, we get a different error, this time "unprocessable content": the endpoint is now reading a body but cannot parse what we sent.

The response's Content-Type is JSON, so we format the body the same way:

{
 "password": "test"
}

We also set the Content-Type header of our request to application/json.

This time the error says the password is incorrect. The API is now parsing our input, so we are on the right track. :)

Intrusion:

Searching for ways to exploit the page, we find this article: Link. It explains that the password check can be bypassed by sending a boolean instead of a string. This works when the backend compares the submitted value to the real password with a loose comparison (in PHP, true == "any non-empty string" is true), and it is only reachable because JSON preserves types: a form field can only ever arrive as a string, but a JSON body can carry a real boolean.

So we send a boolean as the password in our JSON body:

{
 "password": true
}

And we are logged in. :)
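The bypass above, as an added illustration that is not the machine's controller code nor the linked article's code: a Python model of a PHP-style loose comparison on a login endpoint, showing why a form-encoded password=true fails while a JSON true succeeds, and the type-checked, constant-time comparison that fixes it. The password value, the parameter name and the modelled semantics (PHP's == and (bool) cast for the bool/string case) are assumptions made for the demonstration.

```python
import hmac
import json
from urllib.parse import parse_qs

# Constructed for the demo: the secret the application compares against.
# Not the machine's real password and not its real controller code.
REAL_PASSWORD = "s3cret-admin-pass"


def php_to_bool(value):
    """PHP's (bool) cast for the value types a JSON or form body can produce."""
    if isinstance(value, bool):
        return value
    if value is None:
        return False
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        return value not in ("", "0")        # "" and "0" are the only falsy strings
    if isinstance(value, (list, dict)):
        return len(value) > 0
    return True


def php_loose_equals(a, b):
    """PHP's == for the cases that matter here (assumed semantics, PHP 7/8 agree):
    when either operand is a bool, the other is cast to bool first, so
    true == "any non-empty string" is true. Two strings compare by content."""
    if isinstance(a, bool) or isinstance(b, bool):
        return php_to_bool(a) == php_to_bool(b)
    return a == b


def parse_body(body, content_type):
    """Pull the 'password' parameter out the way a framework would.
    Form encoding can only yield strings; JSON keeps the sender's types."""
    if content_type == "application/json":
        return json.loads(body).get("password")
    if content_type == "application/x-www-form-urlencoded":
        return parse_qs(body).get("password", [None])[0]
    return None     # body the endpoint cannot parse (the 422 seen in Burp)


def vulnerable_login(body, content_type):
    """Models a check written as: if ($request->input('password') == $password)"""
    return php_loose_equals(parse_body(body, content_type), REAL_PASSWORD)


def hardened_login(body, content_type):
    """Rejects anything that is not a string, then compares in constant time
    (the PHP equivalent is a type check plus === or hash_equals())."""
    submitted = parse_body(body, content_type)
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(submitted, REAL_PASSWORD)


def demo():
    """The three requests from the writeup, replayed against both checks."""
    form = ("password=true", "application/x-www-form-urlencoded")
    json_str = (json.dumps({"password": "test"}), "application/json")
    json_bool = (json.dumps({"password": True}), "application/json")   # '{"password": true}'
    return {
        "form_true": vulnerable_login(*form),            # False: "true" is just a string
        "json_string": vulnerable_login(*json_str),      # False: wrong password
        "json_bool": vulnerable_login(*json_bool),       # True: the bypass
        "hardened_json_bool": hardened_login(*json_bool),  # False: bool is rejected
        "hardened_correct": hardened_login(
            json.dumps({"password": REAL_PASSWORD}), "application/json"),  # True
    }
```

The form-encoded request never reaches the weak path because "true" arrives as a string; the JSON body is what lets a typed value into the comparison, which is why switching the Content-Type was the decisive step in Burp.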

Once logged in we see the user flag and a zip file, uploaded-file-3422.zip.

We download the zip and try to unzip it, but it is password-protected and we don't have the password. zip2john with john and fcrackzip didn't crack it either.

So we look for more information about the archive itself. 7z l uploaded-file-3422.zip lists its contents, among them an id_rsa private key that we could use to SSH into the machine. 7z l -slt uploaded-file-3422.zip prints all the technical attributes of each entry.

One of them is Method = ZipCrypto Deflate. ZipCrypto is the legacy PKWARE zip encryption, and searching for how to crack it we find an interesting post about the known-plaintext attack against it: Link

The attack needs a file inside the encrypted zip whose content we also have in clear. The listing shows a .bash_logout of 220 bytes, and Linux distributions ship a default .bash_logout (from /etc/skel) in new home directories, so the copy on our own machine is a good candidate. We compare sizes with wc -c .bash_logout: 220 bytes, the same as the encrypted entry, so it is very likely the same file.

Link of the tool: Link

So we can do the following to perform the attack:

First we clone and build the tool (git clone https://github.com/kimci86/bkcrack, then follow its build instructions). In the directory with the bkcrack executable we place both the encrypted zip and the plaintext .bash_logout from our machine.

Because the entry is Deflate-compressed, the known plaintext bkcrack needs is the compressed stream, not the raw file, so we put our copy in a zip as well (ideally with the same tool and compression level as the original):

zip plain.zip .bash_logout

Then we run the attack:

bkcrack -C uploaded-file-3422.zip -c ".bash_logout" -P plain.zip -p ".bash_logout"

  • -C –> The encrypted archive.
  • -c –> The name of the entry inside the encrypted archive whose plaintext we know.
  • -P –> The archive holding our plaintext copy.
  • -p –> The name of that entry inside plain.zip (check it with unzip -l plain.zip). The names in the two archives don't have to match; the content does, byte for byte.

bkcrack needs at least 12 bytes of known plaintext (8 of them contiguous). After a short wait it prints the three 32-bit internal keys of the cipher. Those keys, not the password, are what we use to get at the content.

bkcrack -C uploaded-file-3422.zip -k <key0> <key1> <key2> -U new.zip password

With -k we pass the three keys bkcrack recovered, and -U writes new.zip: a copy of the encrypted archive with the same entries re-encrypted under the password "password". The original password is never recovered, and it isn't needed.

We then unzip new.zip with that password and get the content.
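To make the bkcrack steps above concrete, here is an added Python example (not part of the original writeup and not bkcrack's code) that implements the ZipCrypto cipher itself: the three internal keys, how a password only sets their initial state, how known plaintext immediately yields keystream bytes, and why holding the three keys is enough both to decrypt and to re-encrypt under a password of our choosing (the -U step). The search that bkcrack performs to recover the keys from those keystream bytes is not reimplemented; the sample data, password and 12-byte header are constructed for the demo.

```python
import os

# CRC-32 table (polynomial 0xEDB88320); ZipCrypto's key schedule is built on it.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCryptoKeys:
    """The three 32-bit internal keys of PKWARE traditional encryption
    ("ZipCrypto"). These are what bkcrack prints and what its -k option takes."""

    def __init__(self, k0=0x12345678, k1=0x23456789, k2=0x34567890):
        self.k0, self.k1, self.k2 = k0, k1, k2

    @classmethod
    def from_password(cls, password):
        keys = cls()
        for b in password:            # the password only sets the initial state
            keys.update(b)
        return keys

    def copy(self):
        return ZipCryptoKeys(self.k0, self.k1, self.k2)

    def update(self, b):
        """Advance the state with one PLAINTEXT byte (APPNOTE section 6.1)."""
        self.k0 = _CRC_TABLE[(self.k0 ^ b) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def stream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def hex(self):
        return f"{self.k0:08x} {self.k1:08x} {self.k2:08x}"


def encrypt(plaintext, keys, header=None):
    """Encrypt one entry's data: a 12-byte header followed by the data.
    In a real archive the header is random except its last byte, a check
    byte derived from the entry's CRC or modification time."""
    keys = keys.copy()
    header = os.urandom(12) if header is None else header
    out = bytearray()
    for p in header + plaintext:
        out.append(p ^ keys.stream_byte())
        keys.update(p)                # the state advances on plaintext bytes
    return bytes(out)


def decrypt(ciphertext, keys):
    keys = keys.copy()
    out = bytearray()
    for c in ciphertext:
        p = c ^ keys.stream_byte()
        keys.update(p)
        out.append(p)
    return bytes(out[12:])            # drop the 12-byte header


def keystream_from_known_plaintext(ciphertext, known_plaintext, offset):
    """Step zero of the attack: every known plaintext byte reveals one keystream
    byte. bkcrack needs at least 12 of them (8 contiguous) and recovers the
    internal keys from them; that key-recovery search is not reproduced here."""
    return bytes(c ^ p for c, p in zip(ciphertext[offset:], known_plaintext))


def demo():
    # Constructed sample standing in for the deflated .bash_logout stream.
    known = b"# ~/.bash_logout: executed by bash(1) when login shell exits.\n"
    password = b"never-learned-by-the-attacker"       # constructed
    header = bytes(range(12))                         # constructed, fixed for reproducibility
    cipher = encrypt(known, ZipCryptoKeys.from_password(password), header)

    # Attacker side: ciphertext plus known plaintext gives the keystream bytes.
    ks = keystream_from_known_plaintext(cipher, known, offset=12)

    # After bkcrack: the attacker holds the three keys, not the password.
    recovered = ZipCryptoKeys.from_password(password)   # stand-in for bkcrack's output
    plain = decrypt(cipher, recovered)

    # The -U step: write the same data re-encrypted under a password we choose.
    new_cipher = encrypt(plain, ZipCryptoKeys.from_password(b"password"), header)
    reopened = decrypt(new_cipher, ZipCryptoKeys.from_password(b"password"))
    return plain, ks, recovered.hex(), reopened
```

Two properties drive the whole procedure: the state only ever advances on plaintext bytes, so one known byte gives one keystream byte, and the password is consumed before any data is touched, so whoever holds the three keys is indistinguishable from someone who knows the password.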

We now have id_rsa, but we need a username. The zip also contains id_rsa.pub, whose trailing comment gives it away: the user is htb.

We set the permissions SSH requires on the key and connect:

chmod 600 id_rsa
ssh -i id_rsa htb@10.10.11.153

Privilege escalation:

The web page has a login that asks for a password, and that password might be reused for root, so we go looking for it in the application's source. The standard web root /var/www/html is empty.

whatweb showed the site runs on Apache, so we read the enabled site configuration, /etc/apache2/sites-enabled/000-default.conf, and its DocumentRoot tells us the site lives in /srv/prod/public.

We go there and start looking for where the password could be, but there are too many files to read one by one. To narrow the search we run, from /srv/prod/:

grep -r login

This turns up a login route in routes/api.php.

Viewing api.php, the route is handled by AuthController::class.

The layout (routes/api.php, app/Http/Controllers/) is that of a Laravel application, so the handler is app/Http/Controllers/AuthController.php, and in it we find the password hardcoded.

We test it against the root user, and it is indeed root's password:

su root

And now we are root. :)