Update Hackathon-OS.md

2024-11-10 06:34:17 +00:00 · 2021-09-26 23:38:36 +05:00 · 2021-09-26 23:38:36 +05:00 · 6e3617c561
commit 6e3617c561
parent 339ca86d44
1 changed files with 120 additions and 1 deletions
--- a/Ignite-Hackathon/Hackathon-OS.md
+++ b/Ignite-Hackathon/Hackathon-OS.md
@ -1 +1,120 @@
-meh
+# Hackathon-OS
+
+## NMAP
+
+```bash
+PORT    STATE SERVICE     REASON         VERSION
+22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 8.4p1 Ubuntu 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)                                               
+80/tcp  open  http        syn-ack ttl 64 Apache httpd 2.4.46 ((Ubuntu))
+| http-methods:                                                           
+|_  Supported Methods: GET POST OPTIONS HEA                          
+| http-robots.txt: 6 disallowed entries          
+|_/test/ /t3$t@123/ /includes/ /external/ /api/ /hashes/                     
+|_http-server-header: Apache/2.4.46 (Ubuntu)               
+|_http-title: Apache2 Ubuntu Default Page: It works         
+139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2          
+445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2                  
+MAC Address: 80:00:0B:3C:4A:7E (Intel Corporate)          
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+Host script results:                 
+|_clock-skew: 1s                     
+| nbstat: NetBIOS name: FILESERVER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)                                                       
+| Names:                             
+|   FILESERVER<00>       Flags: <unique><active>                          
+|   FILESERVER<03>       Flags: <unique><active>                          
+|   FILESERVER<20>       Flags: <unique><active>                          
+|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>                         
+
+```
+
+
+NMAP scan shows us  4 ports out which http and smb service looks interesting to us 
+
+## PORT 135/445 (SMB)
+
+We have three shares here out of which `shares` looks interesting 
+
+<img src="https://i.imgur.com/1S1TMhd.png"/>
+
+<img src="https://i.imgur.com/Nqp2Fvc.png"/>
+
+But we can see that we don't have read access to any of them so let's move on !
+
+
+## PORT 80 (HTTP)
+
+On the web server we can see a default apache page 
+
+<img src="https://i.imgur.com/NFPbOTM.png"/>
+
+Since we already know about `robots.txt` from the nmap scan we can just visit that file and see what entries we may find
+
+<img src="https://i.imgur.com/dETv98r.png"/>
+
+None of these directories lead us to anywhere so let's fuzz for files and directories using `gobuster`
+
+<img src="https://i.imgur.com/pgKKfqU.png"/>
+
+This is only returned us robots.txt so no files are on the server , let's go a step back and run `enum4linux-ng` to enumerate users through smb
+
+<img src="https://i.imgur.com/LLCDl3F.png"/>
+
+<img src="https://i.imgur.com/yIdxuP2.png"/>
+
+This gave us the username `test` , if we remember from robots.txt file there was entry named `test` and  `t3$t@123`  so this maybe test user's password 
+
+<img src="https://i.imgur.com/noRwaxf.png"/>
+
+## Foothold
+
+With this we logged into `shares` directory on smb and we see few files there
+
+<img src="https://i.imgur.com/m6yObjf.png"/>
+
+`HINT` file contains a username and a hash 
+
+```
+clark:46a8047d5f9178c75aa6bf1090592427
+
+```
+
+While `pass.txt` contains list of potential passwords so we need to crack the `clark`'s hash using the provided worlist , we can either use `hashcat` or `john` but I'll be using hashcat for cracking this md5 hash
+
+<img src="https://i.imgur.com/LICCHT6.png"/>
+
+So we got clark's password , now we need to ssh into the machine 
+
+<img src="https://i.imgur.com/RfEPsxl.png"/>
+
+<img src="https://i.imgur.com/v7Pwq2o.png"/>
+
+This user isn't in sudoers group also isn't allowed to run any commands as other user so let's enumerate the machine to find other user folders 
+
+<img src="https://i.imgur.com/DuXm07L.png"/>
+
+## Privilege Escalation (maker)
+
+Here we see `Deep.zip` which was not related to rooting for this box as it only contains a flag and we can get flag by just cracking this archive's password by using the previous password list , so moving on we see `.bash_history` that's important to look at what commands the user ran 
+
+<img src="https://i.imgur.com/0wu5sNW.png"/>
+
+
+## Rooting the box
+
+<img src="https://i.imgur.com/hUTKa1r.png"/>
+
+After switching to `maker` we realize that this user is in `villan` group so let's see what files are owned by villan group 
+
+<img src="https://i.imgur.com/Upexet8.png"/>
+
+`/etc/passwd` file is owned by this group so this means that we can read/write to this file , let's verify this
+
+<img src="https://i.imgur.com/uzl0SUK.png"/>
+
+All that is left to do is to add a hash in root's entry, you can do this by generating a password hash using `openssl` but I just copied my hash from `/etc/shadow` and just pasted there 
+
+<img src="https://i.imgur.com/9OskQtj.png"/>
+
+<img src="https://i.imgur.com/iyv0IA8.png"/>
+
+And with this we rooted this fun, amazing , challenging , hard ,OP,hackathon,not a vulnhub copied box.